Skip to main content
CVE-2026-27649 MEDIUM CISA This Month

A session management vulnerability in CTEK ChargePortal's WebSocket backend allows attackers to hijack charging station sessions by connecting with the same predictable session identifier used by legitimate stations. This enables authentication bypass, interception of backend commands intended for legitimate charging stations, and denial-of-service through session flooding. The vulnerability affects CTEK ChargePortal with a CVSS score of 7.3 and is documented in ICS-CERT advisory ICSA-26-078-06, though no active exploitation (KEV) or public POC has been reported.

Authentication Bypass Chargeportal
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-32950 HIGH PATCH This Week

SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.

SQLi RCE PostgreSQL Command Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-33289 HIGH This Week

An LDAP injection vulnerability in SuiteCRM's authentication flow allows attackers to manipulate LDAP queries by injecting control characters into user-supplied input, potentially leading to authentication bypass or information disclosure. The vulnerability affects SuiteCRM versions prior to 7.15.1 and 8.9.3, which are open-source CRM systems widely deployed in enterprise environments. While no active exploitation has been reported (not in CISA KEV), the network-exploitable nature and potential for authentication bypass makes this a serious concern for organizations using affected versions.

Authentication Bypass Information Disclosure LDAP Code Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-33479 HIGH This Week

The Gallery plugin in AVideo contains an unauthenticated remote code execution vulnerability through CSRF-enabled PHP code injection. Attackers can exploit an eval() function that directly executes unsanitized user input by tricking an admin into visiting a malicious page, with the session cookie's SameSite=None configuration enabling cross-site request forgery. A detailed proof-of-concept exploit exists demonstrating command execution through crafted form submissions.

PHP RCE CSRF Code Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-33288 HIGH This Week

SQL injection in SuiteCRM's authentication layer when directory support is enabled allows authenticated attackers with low-privilege directory credentials to execute arbitrary SQL commands and escalate privileges to administrator level. The vulnerability stems from insufficient input sanitization of usernames in local database queries. SuiteCRM versions prior to 7.15.1 and 8.9.3 are affected, with no patch currently available.

Privilege Escalation SQLi Suitecrm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-33507 HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in the AVideo platform's plugin upload endpoint allows unauthenticated attackers to achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious webpage. The vulnerability combines missing CSRF token validation on the pluginImport.json.php endpoint with explicitly configured SameSite=None session cookies over HTTPS, enabling cross-origin session hijacking. A proof-of-concept exploit has been published demonstrating full compromise by uploading a malicious plugin containing a PHP webshell.

PHP RCE CSRF Command Injection Path Traversal +1
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4451 HIGH PATCH This Week

A renderer process sandbox escape vulnerability exists in Google Chrome prior to version 146.0.7680.153 due to insufficient input validation in the Navigation component. An attacker who has already compromised the renderer process can exploit this via a crafted HTML page to escape the sandbox and gain elevated privileges on the host system. A patch is available from Google, and the vulnerability is tracked in the EUVD database with High severity classification.

Google Information Disclosure Ubuntu Debian Chrome +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33124 HIGH PATCH This Week

{username}/password endpoint, combined with a failure to invalidate existing JWT tokens upon password change and absence of password strength validation. An attacker who obtains a valid session token through XSS, accidental exposure, cookie theft, compromised device, or unencrypted HTTP sniffing can permanently hijack victim accounts by changing their password while maintaining session access through non-invalidated tokens. This vulnerability has not been reported as actively exploited in the wild (KEV status unknown), but the straightforward nature of the attack and the common exposure vectors for JWT tokens make this a practical threat requiring immediate patching.

XSS Authentication Bypass Frigate
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4447 HIGH PATCH This Week

A sandbox escape vulnerability exists in Google Chrome's V8 JavaScript engine prior to version 146.0.7680.153, allowing remote attackers to execute arbitrary code within the Chrome sandbox through a crafted HTML page. This is a High severity issue affecting millions of Chrome users across Windows, macOS, and Linux platforms. The vulnerability is triggered via web-based attack vector (HTML page delivery) and does not require user interaction beyond visiting a malicious website.

RCE Google
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4464 HIGH PATCH This Week

Heap corruption in Google Chrome's ANGLE graphics library prior to version 146.0.7680.153 can be triggered remotely through a malicious HTML page, potentially enabling arbitrary code execution on affected systems. The vulnerability stems from an integer overflow condition that requires only user interaction with a crafted webpage, affecting Chrome users across Windows, macOS, and Linux platforms. A patch is available and security professionals should prioritize updating to the latest Chrome version to mitigate this high-severity risk.

Google Buffer Overflow Ubuntu Debian Chrome +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4462 HIGH PATCH This Week

An out of bounds read vulnerability exists in the Blink rendering engine of Google Chrome prior to version 146.0.7680.153, allowing remote attackers to read memory outside intended buffer boundaries via a specially crafted HTML page. This vulnerability (CWE-125) has been classified as High severity by the Chromium security team and enables information disclosure attacks without requiring user interaction beyond visiting a malicious webpage. A vendor patch is available, and the vulnerability affects 9 Debian releases, indicating widespread downstream impact across Linux distributions.

Google Buffer Overflow Information Disclosure Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4461 HIGH PATCH This Week

Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 enables remote code execution when users visit malicious websites, affecting Chrome, Ubuntu, and Debian systems. An unauthenticated attacker can craft a specially designed HTML page to trigger memory corruption and achieve complete system compromise without user interaction beyond visiting the page. A patch is available for immediate deployment.

Google Information Disclosure Ubuntu Debian Chrome +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4460 HIGH PATCH This Week

Memory disclosure in Google Chrome's Skia rendering engine prior to version 146.0.7680.153 enables unauthenticated attackers to read out-of-bounds memory contents by tricking users into visiting malicious web pages. Affected users across Chrome, Ubuntu, and Debian distributions face potential information leakage including sensitive data from process memory. A patch is available for immediate deployment.

Google Buffer Overflow Information Disclosure Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4457 HIGH PATCH This Week

Heap memory corruption in Google Chrome's V8 engine (versions prior to 146.0.7680.153) stems from type confusion vulnerabilities that can be triggered through malicious HTML pages without user privileges. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution or crash the browser. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available.

Google Memory Corruption Information Disclosure Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4456 HIGH PATCH This Week

A use-after-free vulnerability in Google Chrome's Digital Credentials API prior to version 146.0.7680.153 enables attackers with a compromised renderer process to escape the sandbox and potentially achieve code execution through a specially crafted HTML page. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems, requiring user interaction to trigger but presenting high impact across confidentiality, integrity, and availability. A patch is available in Chrome 146.0.7680.153 and later versions.

Denial Of Service Google Memory Corruption Use After Free Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4454 HIGH PATCH This Week

Heap memory corruption in Google Chrome versions prior to 146.0.7680.153 can be triggered through a use-after-free vulnerability in the Network component when a user visits a malicious HTML page. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high integrity and confidentiality impact. A patch is available for Chrome, Ubuntu, and Debian users.

Google Use After Free Memory Corruption Denial Of Service Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4452 HIGH PATCH This Week

Heap corruption in Google Chrome's ANGLE graphics library on Windows versions prior to 146.0.7680.153 can be triggered through integer overflow when processing maliciously crafted HTML pages. An unauthenticated remote attacker can exploit this vulnerability by deceiving users into visiting a malicious website, potentially achieving arbitrary code execution. A patch is available across affected platforms including Google Chrome, Microsoft Edge, and various Linux distributions.

Google Microsoft Buffer Overflow Ubuntu Debian +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4450 HIGH PATCH This Week

Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 can be triggered through out-of-bounds memory writes when a user visits a malicious webpage. An unauthenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with high integrity and confidentiality impact. A security patch is available for affected users on Chrome, Ubuntu, and Debian systems.

Google Memory Corruption Buffer Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4449 HIGH PATCH This Week

Heap memory corruption in Google Chrome's Blink rendering engine prior to version 146.0.7680.153 can be triggered through a malicious HTML page, potentially enabling remote code execution. An unauthenticated attacker requires only user interaction to exploit this use-after-free vulnerability across network boundaries. A patch is available for affected Chrome, Ubuntu, and Debian users.

Google Use After Free Memory Corruption Denial Of Service Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4441 HIGH PATCH This Week

Heap corruption in Google Chrome versions before 146.0.7680.153 results from a use-after-free vulnerability in the Base component, enabling remote attackers to execute arbitrary code through malicious HTML pages. The attack requires user interaction but no authentication, affecting Chrome on multiple platforms including Linux distributions. A patch is available to remediate this critical-severity vulnerability.

Google Use After Free Memory Corruption Denial Of Service Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4459 HIGH PATCH This Week

Heap corruption in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered through out-of-bounds memory access when processing malicious HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing the page. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available across all platforms.

Google Information Disclosure Buffer Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4455 HIGH PATCH This Week

Heap buffer overflow in PDFium within Google Chrome versions prior to 146.0.7680.153 enables remote attackers to corrupt heap memory and potentially achieve code execution by delivering a malicious PDF file. The vulnerability requires user interaction to open the crafted PDF but no authentication or special privileges. Patches are available for affected Google Chrome, Ubuntu, and Debian systems.

Google Buffer Overflow Heap Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4448 HIGH PATCH This Week

Heap buffer overflow in Google Chrome's ANGLE graphics library (versions prior to 146.0.7680.153) enables remote attackers to corrupt heap memory and potentially achieve arbitrary code execution through malicious HTML pages requiring only user interaction. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available and should be applied immediately given the high severity and attack accessibility.

Google Heap Overflow Buffer Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4446 HIGH PATCH This Week

Heap corruption via use-after-free in Google Chrome's WebRTC implementation (versions prior to 146.0.7680.153) enables remote attackers to achieve arbitrary code execution through malicious HTML pages, requiring only user interaction. The vulnerability affects Chrome, Ubuntu, and Debian systems with a CVSS score of 8.8, though a patch is available.

Google Use After Free Memory Corruption Denial Of Service Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4445 HIGH PATCH This Week

Heap memory corruption in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to execute arbitrary code by tricking users into visiting malicious websites. The use-after-free vulnerability requires only user interaction and affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available to address this high-severity flaw.

Google Use After Free Memory Corruption Denial Of Service Ubuntu +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4442 HIGH PATCH This Week

Google Chrome versions prior to 146.0.7680.153 contain a heap buffer overflow in CSS parsing that enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can trigger heap memory corruption through a crafted webpage, potentially achieving arbitrary code execution with user privileges. A patch is available and should be applied immediately to all affected systems.

Google Heap Overflow Buffer Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4440 HIGH PATCH This Week

This is a critical out-of-bounds read and write vulnerability in the WebGL implementation of Google Chrome prior to version 146.0.7680.153. The vulnerability allows a remote attacker to perform arbitrary memory read and write operations by crafting a malicious HTML page, potentially leading to information disclosure, code execution, or complete system compromise. The vulnerability affects multiple Debian releases and has been assigned ENISA EUVD ID EUVD-2026-13447; a vendor patch is available.

Google Buffer Overflow Memory Corruption Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4439 HIGH PATCH This Week

Out-of-bounds memory corruption in Google Chrome's WebGL implementation on Android prior to version 146.0.7680.153 enables remote attackers to escape the browser sandbox by delivering a malicious HTML page, requiring only user interaction. This critical vulnerability affects Chrome users on Android devices and could lead to complete system compromise if successfully exploited. A patch is available in Chrome 146.0.7680.153 and later versions.

Google Buffer Overflow Memory Corruption Ubuntu Debian +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4443 HIGH PATCH This Week

Sandboxed arbitrary code execution in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered remotely through malicious HTML, requiring only user interaction. An attacker can craft a weaponized webpage to break out of the Chrome sandbox and execute arbitrary code on affected systems. This high-severity vulnerability impacts Chrome, Ubuntu, and Debian users, with patches now available.

Google Heap Overflow RCE Buffer Overflow Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33025 HIGH PATCH This Week

Unauthenticated SQL injection in AVideo versions before 8.0 allows authenticated attackers to manipulate database queries through unsanitized sort parameters in POST requests, potentially leading to unauthorized data access or modification. The vulnerability stems from improper use of real_escape_string() on SQL identifiers rather than string literals, rendering the escaping mechanism ineffective. Affected organizations should upgrade to version 8.0 or implement WAF rules restricting sort parameter characters to alphanumeric and underscore values.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4463 HIGH PATCH This Week

Heap buffer overflow in Google Chrome's WebRTC component (versions prior to 146.0.7680.153) enables remote code execution when users visit a malicious webpage, requiring only user interaction to trigger the vulnerability. An attacker can exploit this heap corruption to execute arbitrary code with the privileges of the affected browser process. A patch is available for Chrome and affected Linux distributions including Ubuntu and Debian.

Google Heap Overflow Buffer Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4444 HIGH PATCH This Week

Stack buffer overflow in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to corrupt stack memory and achieve code execution through maliciously crafted HTML pages. The vulnerability affects Chrome, and potentially downstream products including Chromium-based browsers, requiring only user interaction and no authentication. A patch is available across affected platforms including Ubuntu and Debian.

Google Buffer Overflow Stack Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33075 HIGH This Week

FastGPT versions 4.14.8.3 and below contain a critical arbitrary code execution vulnerability in the fastgpt-preview-image.yml GitHub Actions workflow that allows external contributors to execute malicious code and exfiltrate repository secrets. The vulnerability stems from unsafe use of pull_request_target with attacker-controlled Dockerfile builds that are pushed to the production container registry, enabling both direct compromise and supply chain attacks. No patch was available at the time of public disclosure, making this an unpatched remote code execution affecting the AI Agent building platform across affected versions.

RCE Docker
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-32888 HIGH This Week

Open Source Point of Sale (opensourcepos) contains a critical SQL Injection vulnerability in the Items search functionality when custom attribute search is enabled. An authenticated attacker with basic item search permissions can execute arbitrary SQL queries by manipulating the search GET parameter, which is directly interpolated into a HAVING clause without sanitization. The vulnerability affects all versions up to and including 3.4.1, carries a CVSS score of 8.8 (High), and had no patch available at the time of publication.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-67260 HIGH This Week

A file upload vulnerability exists in multiple Terrapack software components from ASTER TEC / ASTER S.p.A. that permits remote code execution when attackers upload malicious files. The affected products include Terrapack TkWebCoreNG version 1.0.20200914, Terrapack TKServerCGI version 2.5.4.150, and Terrapack TpkWebGIS Client version 1.0.0. Proof-of-concept code is available in public repositories, and the vulnerability enables arbitrary code execution on affected systems.

RCE File Upload N A
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4458 HIGH PATCH This Week

Heap memory corruption in Google Chrome prior to version 146.0.7680.153 can be triggered through malicious browser extensions, affecting Chrome users on Google, Ubuntu, and Debian systems. An attacker must convince a user to install a compromised extension to exploit this use-after-free vulnerability and potentially achieve code execution. A patch is available.

Google Use After Free Memory Corruption Denial Of Service Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33413 HIGH PATCH This Week

This is an authentication and authorization bypass vulnerability in etcd's gRPC API layer that allows unauthorized users to execute privileged operations when etcd auth is enabled. Affected are etcd versions prior to 3.4.42, 3.5.28, and 3.6.9 (specifically the Go packages go.etcd.io/etcd/v3 and go.etcd.io/etcd). Attackers can enumerate cluster topology via MemberList, trigger denial of service through Alarm APIs, manipulate Lease operations affecting TTL-based keys, and force compaction to permanently delete historical data. Standard Kubernetes deployments are not affected as they do not rely on etcd's built-in authentication. No EPSS score or KEV listing is currently available, and the vulnerability was responsibly disclosed by multiple security researchers.

Kubernetes Denial Of Service Authentication Bypass Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-33331 HIGH PATCH This Week

A Stored Cross-Site Scripting (XSS) vulnerability exists in the orpc OpenAPI documentation generation functionality, affecting the @orpc/openapi npm package. Attackers who can control OpenAPI specification fields (such as info.description) can inject malicious JavaScript that executes when users view the generated API documentation. A working proof-of-concept exists demonstrating payload injection through specification metadata fields, and while CVSS scores this at 8.2 (High), the network-accessible attack vector with no privileges required increases real-world risk.

XSS
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
3.0%
CVE-2026-33498 HIGH PATCH GHSA This Week

Parse Server is vulnerable to a permanent denial-of-service attack that bypasses the previous CVE-2026-32944 fix. An unauthenticated attacker can send a specially crafted HTTP request containing deeply nested query structures with logical operators to permanently hang the Parse Server process, requiring manual restart. This affects parse-server npm package installations, and patches are available from the vendor.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-32309 HIGH PATCH This Week

Cryptomator's Hub-based unlock flow contains a protocol downgrade vulnerability that allows the application to communicate with Hub endpoints over plaintext HTTP instead of enforcing HTTPS. Cryptomator versions prior to 1.19.1 are affected, exposing OAuth bearer tokens, key-loading traffic, and endpoint-level trust decisions to network interception and tampering by active attackers. This is a verified GitHub security advisory with patches available in version 1.19.1, though no EPSS score or KEV listing indicates limited evidence of active exploitation.

Information Disclosure Hashicorp
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33480 HIGH This Week

AVideo, an open-source video platform, contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass URL validation using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x format). The vulnerable endpoint plugin/LiveLinks/proxy.php can be exploited to access cloud metadata services (AWS, GCP, Azure), internal networks, and localhost services without authentication. A detailed proof-of-concept is publicly available demonstrating credential theft from AWS instance metadata, making this a critical risk for cloud-hosted installations.

SSRF PHP Microsoft Redis
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-32710 HIGH PATCH This Week

Authenticated users can trigger a heap overflow in MariaDB 11.4 (before 11.4.10) and 11.8 (before 11.8.6) through the JSON_SCHEMA_VALID() function, causing denial of service and potentially remote code execution under specific memory layout conditions. The vulnerability requires valid database credentials and affects server availability and integrity across scope boundaries. No patch is currently available for vulnerable versions.

RCE Buffer Overflow Heap Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-28204 MEDIUM CISA This Month

Authentication identifiers for electric vehicle charging stations are publicly exposed through web-based mapping platforms, allowing unauthenticated network-based access to sensitive authentication data. The vulnerability affects CTEK ChargePortal and enables attackers to obtain charging station credentials without requiring any privileges or user interaction. This information disclosure can lead to unauthorized access to charging infrastructure and potential manipulation of charging sessions.

Information Disclosure Chargeportal
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31926 MEDIUM CISA This Month

A web-based mapping platform exposes charging station authentication identifiers publicly, allowing unauthenticated network-based attackers to access sensitive credential information without any user interaction required. The vulnerability affects IGL Technologies eparking.fi application and enables attackers to obtain authentication material that could be leveraged for unauthorized access to charging infrastructure. There is no indication of active exploitation in the wild or public proof-of-concept code, but the vulnerability represents a direct exposure of authentication secrets (CWE-522) with moderate real-world impact.

Information Disclosure Eparking Fi
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22897 HIGH PATCH This Week

Remote command execution in QuNetSwitch versions prior to 2.0.4.0415 allows unauthenticated attackers to execute arbitrary system commands over the network with no user interaction required. The vulnerability stems from improper input validation in command processing functions, enabling complete system compromise. No patch is currently available for affected versions.

Command Injection Qunetswitch
NVD VulDB
CVSS 4.0
8.1
EPSS
1.1%
CVE-2026-33508 HIGH PATCH GHSA This Week

Parse Server's LiveQuery component fails to enforce query depth limits on WebSocket subscription requests, allowing attackers to send deeply nested logical operators that trigger excessive recursion and CPU consumption. This affects Parse Server deployments where the LiveQuery WebSocket endpoint is accessible to untrusted clients (pkg:npm/parse-server). A patch is available from the vendor with no known workarounds, and while no EPSS score or KEV listing is present, the availability of proof-of-concept code in the patch references suggests exploitation details are publicly documented.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-22733 HIGH PATCH This Week

This is an authentication bypass vulnerability in Spring Boot applications using Spring Security with Actuator endpoints. When an authenticated application endpoint is declared under the CloudFoundry Actuator path, attackers can bypass authentication requirements and gain unauthorized access to protected resources. The vulnerability affects multiple versions of Spring Security from 2.7.0 through 4.0.3 and carries a high CVSS score of 8.2, though no active exploitation or proof-of-concept has been reported.

Authentication Bypass Java
NVD VulDB HeroDevs
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-32829 HIGH PATCH This Week

Information disclosure in lz4_flex compression library versions 0.11.5 and below and 0.12.0 allows attackers to read sensitive data from uninitialized memory or previous decompression operations through crafted LZ4 input that triggers out-of-bounds reads in the block-based decompression API. The vulnerability affects Ubuntu and Debian systems using vulnerable versions of lz4_flex, particularly when the safe-decode feature is disabled. No patch is currently available, leaving affected systems exposed to potential exposure of cryptographic keys and other sensitive data.

Information Disclosure Lz4 Flex
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-33072 HIGH PATCH This Week

FileRise, a self-hosted web file manager and WebDAV server, contains a critical hardcoded encryption key vulnerability in versions prior to 3.9.0. The default key 'default_please_change_this_key' is used for all cryptographic operations including HMAC token generation, AES configuration encryption, and session tokens, allowing unauthenticated attackers to forge upload tokens for arbitrary file upload and decrypt sensitive admin configuration data such as OIDC client secrets and SMTP passwords. No evidence of active exploitation (not in CISA KEV) is currently available, though the vulnerability is straightforward to exploit given the hardcoded nature of the default key.

File Upload Authentication Bypass Filerise
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-32935 HIGH PATCH This Week

phpseclib versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a padding oracle timing attack when using AES in CBC mode, allowing attackers to decrypt sensitive data through cryptanalysis of response timing differences. This information disclosure vulnerability affects any PHP application using the vulnerable phpseclib library for AES-CBC encryption. Although no CVSS score, EPSS data, or confirmed active exploitation (KEV status) are currently available, the presence of a verified fix and security advisory indicates this is a legitimate cryptographic weakness requiring attention.

PHP Oracle Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
Prev Page 2 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy