Skip to main content
CVE-2025-62845 MEDIUM PATCH This Month

An improper neutralization of escape, meta, or control sequences vulnerability (CWE-150) affects QNAP QHora/QuRouter devices, allowing local attackers with administrator privileges to cause unexpected behavior through injection of unfiltered control sequences. The vulnerability has been patched in QuRouter version 2.6.3.009 and later. While no CVSS score, EPSS probability, or KEV/POC data are currently published, the requirement for local administrator access significantly limits exploitation scope in typical deployments.

Information Disclosure Qurouter
NVD VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2026-23277 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability exists in the Linux kernel's TEQL (Trivial Ethernet Queue Limiting) network scheduler when transmitting through tunnel slave devices, particularly gretap tunnels. The vulnerability occurs because teql_master_xmit() fails to update skb->dev to the slave device before transmission, causing tunnel xmit functions to reference unallocated per-CPU statistics on the TEQL master device. This allows a local or networked attacker to trigger a kernel page fault and crash the system, resulting in a denial of service. No CVSS score, EPSS risk score, or KEV active exploitation status is currently published, but patch commits are available in Linux kernel stable branches (6.18.19, 6.19.9, and 7.0-rc4).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-33165 MEDIUM PATCH This Month

A remote code execution vulnerability in libde265 (CVSS 5.5). Remediation should follow standard vulnerability management procedures.

Memory Corruption Buffer Overflow Libde265
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-32810 MEDIUM This Month

Halloy, an IRC application written in Rust, fails to properly restrict file permissions on its configuration directory and files on *nix and macOS systems prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, resulting in world-readable access to plaintext credentials. Any local user on an affected system can read sensitive authentication data stored in config.toml or referenced password files, leading to credential compromise. While no CVSS score or EPSS data is currently available, the vulnerability represents a direct information disclosure risk with low exploitation complexity.

Information Disclosure Apple macOS Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-33291 MEDIUM This Month

A broken access control vulnerability in Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows moderators to create Zendesk support tickets for topics they lack permission to view, bypassing intended access restrictions. This affects all Discourse forums utilizing the Zendesk plugin integration. The vulnerability is classified as CWE-863 (Incorrect Authorization) and has no publicly disclosed active exploitation or proof-of-concept code, though patches are available from the vendor.

Authentication Bypass Discourse
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33312 MEDIUM PATCH This Month

A permission-check bypass vulnerability exists in Vikunja versions 0.20.2 through 2.1.x where the DELETE /api/v1/projects/:project/background endpoint incorrectly validates CanRead permissions instead of CanUpdate permissions, allowing read-only project members to permanently delete a project's background image. This affects the go-vikunja:vikunja product family, and the vulnerability has been patched in version 2.2.0 as documented in the GitHub security advisory GHSA-564f-wx8x-878h.

Authentication Bypass Suse
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4438 MEDIUM PATCH This Month

The GNU C Library (glibc) versions 2.34 through 2.43 contain a vulnerability in the gethostbyaddr and gethostbyaddr_r functions that can return invalid DNS hostnames violating DNS specification requirements when using a configured nsswitch.conf with the DNS backend. This affects any application or system service relying on reverse DNS lookups through glibc, potentially leading to information disclosure or incorrect hostname resolution. While no CVSS score, EPSS probability, or active exploitation status has been publicly assigned, the vulnerability represents a data integrity issue in a foundational system library affecting millions of Linux systems.

Information Disclosure Glibc
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33411 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability exists in Discourse's solved posts stream feature where unsanitized topic titles can be persisted and executed in the browser context of authenticated users. The vulnerability affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, allowing authenticated attackers to inject malicious JavaScript that executes in the browsers of other users viewing the affected topics. While the CVSS score of 5.4 reflects moderate severity with low impact scope and no availability impact, the attack requires user interaction indirectly through viewing a crafted topic title, making real-world exploitation limited to scenarios where attackers have post creation privileges.

XSS Discourse
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33500 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability exists in AVideo's comment markdown processing, where the fix for a prior XSS issue (CVE-2026-27568) inadvertently disabled Parsedown's safe mode while implementing incomplete custom sanitization. An attacker with comment posting privileges can inject malicious JavaScript via markdown link syntax (e.g., `[text](javascript:alert(1))`) that executes in the browser context of any user viewing the comment, enabling session hijacking and account takeover. A working proof-of-concept exists and the vulnerability affects all versions of WWBN AVideo using the vulnerable ParsedownSafeWithLinks class (pkg:composer/wwbn_avideo).

PHP XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33251 MEDIUM This Month

An authorization bypass vulnerability in Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows authenticated users to accept or unaccept solutions in hidden Solved topics without proper authorization checks. The vulnerability affects the open-source Discourse discussion platform and permits users with valid credentials to manipulate solution status across topics they should not have access to, resulting in information disclosure and integrity violations. This is a low-to-moderate severity issue with a CVSS score of 5.4 that requires prior authentication but carries exploitation risk in multi-tenant or federated Discourse installations.

Authentication Bypass Discourse
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-63260 MEDIUM This Month

SyncFusion versions up to 30.1.37 contain stored Cross-Site Scripting (XSS) vulnerabilities in two distinct UI components: the Document-Editor reply-to-comment field and the Chat-UI chat message field. An attacker can inject malicious JavaScript payloads through these fields, which are then stored and executed in the browsers of other users who view the affected content, potentially enabling session hijacking, credential theft, or malware distribution. No CVSS score, EPSS data, or KEV status is currently available, but proof-of-concept exploitation details are documented in the pentest-tools reference (PTT-2025-023-Multiple-Stored-XSS.pdf).

XSS N A
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33372 MEDIUM This Month

Zimbra Collaboration Server 10.0 and 10.1 accept CSRF tokens from request bodies instead of enforcing header-based validation, allowing attackers to perform unauthorized actions by deceiving authenticated users into submitting malicious requests. This CSRF bypass affects webmail users and could enable account compromise or sensitive data modification without user awareness. No patch is currently available.

CSRF
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32881 MEDIUM This Month

ewe, a Gleam web server, contains an authentication bypass vulnerability in versions 0.6.0 through 3.0.4 that exploits improper handling of chunked transfer encoding trailer headers. An unauthenticated remote attacker can declare sensitive HTTP headers in the Trailer field and append them after the final chunk to overwrite legitimate values set by reverse proxies, enabling them to forge authentication credentials, hijack sessions, bypass rate limiting, or spoof proxy-trust headers. The vulnerability has been patched in version 3.0.5, and while not currently listed in CISA's KEV catalog, the CVSS score of 5.3 reflects medium severity with integrity impact.

Authentication Bypass Ewe
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-33501 MEDIUM PATCH This Month

An unauthenticated information disclosure vulnerability exists in the AVideo Permissions plugin endpoint `list.json.php`, which exposes the complete permission matrix mapping user groups to installed plugins without any authentication check. The vulnerability affects AVideo instances with the Permissions plugin enabled and allows unauthenticated attackers to enumerate all user groups, plugins, and their permission assignments-information that significantly aids targeted privilege escalation attacks. A proof-of-concept curl command exists, and this represents a clear authentication bypass in a sensitive administrative endpoint.

PHP Authentication Bypass Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-29794 MEDIUM PATCH This Month

Vikunja API fails to properly validate the source IP address for rate-limiting unauthenticated endpoints, allowing attackers to bypass rate limits by spoofing the X-Forwarded-For or X-Real-IP headers. This affects Vikunja API (pkg:go/code.vikunja.io_api) and enables unlimited brute-force attacks against login endpoints and other unauthenticated routes. A functional proof-of-concept has been published demonstrating the bypass mechanism, making this vulnerability readily exploitable without authentication or user interaction.

Docker RCE Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-33425 MEDIUM This Month

An information disclosure vulnerability in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows unauthenticated attackers to enumerate private group membership by observing directory result changes when manipulating the exclude_groups parameter. This enables attackers to determine whether specific users are members of private groups without authentication, representing a direct privacy violation. The vulnerability does not appear to be actively exploited in the wild (no KEV status indicated), but patches are available from the vendor.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-31805 MEDIUM PATCH This Month

A remote code execution vulnerability in Discourse (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Discourse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3550 MEDIUM This Month

The RockPress WordPress plugin (versions up to 1.0.17) contains a Missing Authorization vulnerability in five AJAX actions that allows authenticated users with Subscriber-level privileges to trigger privileged operations intended for administrators. The vulnerability stems from a combination of missing capability checks (current_user_can() calls) in AJAX handlers and exposure of an admin nonce to all authenticated users via an unconditionally enqueued script. Attackers can extract the nonce from the HTML source and use it to trigger resource-intensive imports, reset import data, check service connectivity, and read import status information without administrative privileges.

WordPress PHP Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33481 MEDIUM PATCH This Month

Syft versions before v1.42.3 fail to properly clean up temporary files when temporary storage becomes exhausted during archive scanning, allowing an attacker to trigger a denial of service by exhausting the system's temporary storage through highly compressed or large artifacts. This affects all users of Syft who scan untrusted or adversarially-crafted archives, as the vulnerability requires no authentication and can be triggered remotely through the normal scanning interface. The vulnerability has been patched in v1.42.3 and no active exploitation has been reported in the wild, though the attack vector is straightforward and does not require special privileges.

Information Disclosure Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3567 MEDIUM This Month

A security vulnerability in for WordPress is vulnerable to unauthorized access in all (CVSS 5.3) that allows any authenticated user. Remediation should follow standard vulnerability management procedures.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-31381 MEDIUM This Month

Gainsight Assist contains an information disclosure vulnerability where user email addresses (PII) are exposed in base64-encoded format within the OAuth callback URL's state parameter. This affects all versions of Gainsight Assist and allows unauthenticated remote attackers to extract sensitive personal information with no user interaction required. The vulnerability has a CVSS score of 5.3 (moderate) with confirmed disclosure via Rapid7, and patch availability has been documented in vendor advisories.

Information Disclosure Gainsight Assist
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-46598 MEDIUM This Month

Bitcoin Core versions through 29.0 contain a denial of service vulnerability that can be triggered by a specially crafted transaction. An attacker with network access can send a malicious transaction to cause the affected Bitcoin Core node to become unresponsive or crash, disrupting normal operation of the node. No CVSS score, EPSS data, or active exploitation in the wild has been disclosed, but the vulnerability has been formally disclosed by the Bitcoin Core project.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32844 MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability exists in XinLiangCoder's php_api_doc application through commit 1ce5bbf, specifically in the list_method.php file where the 'f' GET parameter is output directly to the page without sanitization. Remote attackers can inject arbitrary JavaScript code by crafting malicious URLs, enabling session hijacking, credential theft, and malware distribution within the application context. No CVSS score, EPSS data, or KEV status are currently available, but the vulnerability is confirmed with a proof-of-concept reference available via VulnCheck advisory.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-32828 MEDIUM PATCH This Month

Kargo versions 1.4.0-1.6.3, 1.7.0-1.7.8, 1.8.0-1.8.11, and 1.9.0-1.9.4 contain a Server-Side Request Forgery vulnerability in http and http-download promotion steps that allows authenticated attackers to access cloud instance metadata endpoints and exfiltrate sensitive credentials like IAM keys. An attacker with permissions to create or modify Stages or Promotion resources can exploit this by crafting malicious manifests with full control over request headers and methods, bypassing cloud provider SSRF protections. Currently, no patch is available for this vulnerability.

SSRF Information Disclosure Suse
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-33126 MEDIUM PATCH This Month

Frigate versions prior to 0.16.3 contain a Server-Side Request Forgery (SSRF) vulnerability in the /ffprobe endpoint that accepts arbitrary user-controlled URLs without proper validation. An authenticated attacker can leverage this endpoint to make HTTP requests to internal network resources, cloud metadata services (such as AWS IMDSv1), or perform reconnaissance activities like port scanning against systems accessible from the Frigate server. The vulnerability requires low privileges (authenticated user) and has a network attack vector with low complexity, making it moderately exploitable in environments where Frigate is exposed to untrusted users.

SSRF Frigate
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-3474 MEDIUM This Month

The EmailKit - Email Customizer for WooCommerce & WP WordPress plugin contains a path traversal vulnerability in the TemplateData class that allows authenticated administrators to read arbitrary files from the server via the 'emailkit-editor-template' REST API parameter. An attacker with Administrator privileges can exploit this flaw to access sensitive files such as wp-config.php or /etc/passwd by supplying directory traversal sequences, with the retrieved file contents stored as post metadata and retrievable through the fetch-data REST API endpoint. The vulnerability affects all versions up to and including 1.6.3, and while it requires high-level administrative access and has a moderate CVSS score of 4.9, it represents a critical information disclosure risk in multi-user WordPress environments.

WordPress PHP Path Traversal
NVD VulDB
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-30889 MEDIUM PATCH This Month

A moderator authorization bypass vulnerability in Discourse allows authenticated moderators to access post metadata they should not have permission to view due to insufficient authorization checks. The vulnerability affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, with patched versions now available. While the CVSS score of 5.3 indicates moderate severity and the attack requires authenticated access with moderator privileges, this represents a meaningful confidentiality risk in multi-tenant forum environments where metadata isolation between moderation scopes is critical.

Authentication Bypass Discourse
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-3577 MEDIUM This Month

The Keep Backup Daily WordPress plugin versions up to 2.1.2 contain a Stored Cross-Site Scripting (XSS) vulnerability in the backup title alias functionality due to insufficient input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript via the `val` parameter in the `update_kbd_bkup_alias` AJAX action, which executes when other administrators view the backup list page. With a CVSS score of 4.4 and moderate real-world risk due to high privilege requirements, this vulnerability requires administrator-level access to exploit but can compromise other administrator sessions.

WordPress XSS
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2432 MEDIUM This Month

CM Custom Reports - Flexible reporting to track what matters most plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in admin settings that allows authenticated administrators to inject arbitrary web scripts. The vulnerability affects all versions up to and including 1.2.7 and is caused by insufficient input sanitization and output escaping in the GraphModule.php file. While the CVSS score of 4.4 is moderate, exploitation is restricted to high-privilege authenticated attackers on multi-site WordPress installations or where unfiltered_html has been disabled, making real-world exploitability dependent on specific WordPress configurations.

WordPress XSS
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-33071 MEDIUM PATCH This Month

FileRise, a self-hosted web file manager and WebDAV server, contains an unrestricted file upload vulnerability in its WebDAV endpoint that bypasses filename validation controls present in the regular upload path, allowing authenticated attackers to upload executable file types such as .phtml, .php5, and .htaccess. In non-default Apache configurations lacking LocationMatch protection, this enables remote code execution on the underlying web server. The vulnerability affects FileRise versions prior to 3.8.0 and has been patched; no public exploit code or active KEV listing is currently confirmed, but the presence of a GitHub security advisory indicates vendor acknowledgment of the threat.

PHP RCE Apache File Upload
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-33315 MEDIUM PATCH This Month

The Vikunja todo application contains an authentication bypass vulnerability in its CalDAV endpoint that allows attackers to circumvent two-factor authentication (2FA) protections by using basic HTTP authentication. An attacker with valid username and password credentials can access CalDAV endpoints without providing a TOTP token, gaining unauthorized access to protected project information including names, descriptions, and task details. A proof-of-concept exploit has been publicly documented, and patches are available from the vendor.

Authentication Bypass Docker Suse
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-30580 MEDIUM This Month

File Thingie version 2.5.7 contains a directory traversal vulnerability in its 'create folder from URL' functionality that allows unauthenticated attackers to read arbitrary files from the target system. An attacker can exploit this path traversal flaw by crafting malicious input to the folder creation feature, bypassing directory restrictions and accessing sensitive files outside the intended application directory. Proof-of-concept code is available in public repositories, and while CVSS and EPSS scores are not published, the vulnerability enables direct unauthorized information disclosure.

Path Traversal
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-32114 MEDIUM PATCH This Month

An Insecure Direct Object Reference (IDOR) vulnerability in Discourse allows any authenticated user to access restricted metadata about AI personas, features, and LLM models by directly referencing their identifiers, exposing sensitive information including credit allocations and usage statistics. The vulnerability affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, and requires only low-privilege access (any logged-in user account) over the network. While the CVSS score of 5.3 indicates low confidentiality impact with no integrity or availability impact, this represents a clear information disclosure risk that could enable unauthorized tracking of AI resource consumption and usage patterns.

Authentication Bypass Discourse
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-31869 MEDIUM PATCH This Month

Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contains an information disclosure vulnerability in the ComposerController#mentions endpoint that reveals hidden group membership to any authenticated user capable of messaging the group. An attacker can exploit this by supplying hidden-membership group names and probing arbitrary usernames to infer membership based on whether the user_reasons field returns 'private', effectively bypassing group member-visibility controls designed to protect sensitive group information. This vulnerability is not known to be actively exploited in the wild (KEV status unknown), carries a moderate CVSS score of 5.3 reflecting low confidentiality impact with low attack complexity, and requires prior authentication.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4453 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Dawn component on macOS versions prior to 146.0.7680.153 results from an integer overflow vulnerability that can be triggered through a malicious HTML page. An unauthenticated attacker can exploit this to access sensitive information from other origins without user interaction beyond viewing the crafted page. Patches are available for Chrome, Ubuntu, and Debian.

Google Information Disclosure Ubuntu Debian Chrome +2
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33313 MEDIUM PATCH This Month

An authenticated user in Vikunja can read any task comment by its ID without proper authorization checks, regardless of whether they have access to the task that comment belongs to. The vulnerability exists in the `GET /api/v1/tasks/{taskID}/comments/{commentID}` endpoint, which validates access against the attacker-controlled task ID in the URL but then loads the comment by ID alone, bypassing task ownership verification. Any authenticated attacker with read access to at least one task can enumerate and retrieve comments from arbitrary tasks and private projects, leading to unauthorized information disclosure.

Authentication Bypass Suse
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4136 MEDIUM This Month

The Membership Plugin - Restrict Content for WordPress contains an unvalidated redirect vulnerability in the 'rcp_redirect' parameter that allows unauthenticated attackers to redirect users to arbitrary external sites via password reset emails. Affected versions include all releases up to and including 3.2.24. This vulnerability has a CVSS score of 4.3 (low-to-moderate severity) and requires user interaction, limiting its immediate exploitation impact but creating a viable phishing vector for credential harvesting or malware distribution.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33371 MEDIUM This Month

An XML External Entity (XXE) vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Exchange Web Services (EWS) SOAP interface due to improper XML input handling. An authenticated attacker can submit crafted XML payloads to an XML parser with external entity resolution enabled, potentially disclosing sensitive local files from the server. No CVSS score, EPSS data, or known exploitation-in-the-wild status is currently available, though the vulnerability has been documented in Zimbra's security advisory system.

XXE Microsoft
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33369 MEDIUM This Month

An LDAP injection vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Mailbox SOAP service's FolderAction operation. An authenticated attacker can exploit this issue by sending a crafted SOAP request containing malicious LDAP filter syntax to bypass input validation and retrieve sensitive directory attributes from the LDAP backend. This vulnerability enables information disclosure of directory data that should be access-controlled.

Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32310 MEDIUM This Month

Cryptomator versions 1.6.0 through 1.19.0 contain a path traversal vulnerability in vault configuration parsing where the masterkeyfile loader resolves an unverified keyId parameter as a filesystem path before integrity checks are performed. An attacker with the ability to supply a malicious vault configuration can exploit this to trigger arbitrary file existence checks, including UNC paths on Windows that can initiate outbound SMB connections before the user even enters a passphrase, potentially leading to information disclosure about local file structure and network exposure. The vulnerability has been patched in version 1.19.1, and while no active KEV exploitation has been reported, the low attack complexity and the ability to chain this with social engineering (malicious vault sharing) makes it a moderate practical risk.

Hashicorp Microsoft Path Traversal Windows
NVD GitHub VulDB
CVSS 3.1
4.1
EPSS
0.0%
CVE-2025-62844 MEDIUM PATCH This Month

A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network access to bypass authentication mechanisms and disclose sensitive information. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires network-level access but no special privileges. While no CVSS score or EPSS data is publicly available, the classification as CWE-1390 (Weak Authentication) and the emphasis on local network access indicates this is a network-adjacent threat with moderate real-world risk, particularly in environments where untrusted devices can connect to the local network.

Information Disclosure Qurouter
NVD VulDB
CVSS 4.0
4.0
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy