Skip to main content
CVE-2026-23536 HIGH This Week

The Feast Feature Server contains a path traversal vulnerability in its `/read-document` endpoint that allows unauthenticated remote attackers to read arbitrary files accessible to the server process, including sensitive system files, application configurations, and credentials. Red Hat OpenShift AI (RHOAI) deployments are confirmed affected across multiple versions. The vulnerability is rated 7.5 (High) with network-based exploitation requiring no authentication or user interaction, though no active exploitation (KEV) or public proof-of-concept is currently documented.

Path Traversal Red Hat Openshift Ai Rhoai
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33509 HIGH PATCH This Week

Remote code execution in Python allows authenticated users with SETTINGS permission to modify the reconnect.script configuration parameter without restriction, which is then passed unsanitized to subprocess.run() enabling arbitrary command execution. The vulnerability exists due to insufficient input validation in the set_config_value() API endpoint, which only restricts the general.storage_folder setting while leaving other security-critical options like reconnect.script unprotected. An attacker with non-admin SETTINGS privileges can exploit this to achieve full system compromise on the affected Python installation.

Python RCE Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32701 HIGH PATCH This Week

Qwik, a performance-focused JavaScript framework, contains an array prototype pollution vulnerability in its FormData parsing logic that affects versions prior to 1.19.2. Attackers can submit specially crafted form field names using mixed array-index and object-property keys (e.g., items.0 alongside items.toString or items.length) to inject malicious properties into objects the application expects to be arrays, leading to denial of service through malformed array states, oversized lengths, or request handling failures. The vulnerability has a CVSS score of 7.5 (High severity) with network-based exploitation requiring no authentication or user interaction, and a patch is available in version 1.19.2.

Memory Corruption Denial Of Service Qwik
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33427 HIGH This Week

Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an authorization page spoofing vulnerability that allows unauthenticated attackers to inject attacker-controlled domains into legitimate Discourse authorization pages, enabling social engineering attacks. This CWE-862 (Missing Authorization) class vulnerability affects all affected Discourse installations and requires no authentication or special privileges to exploit. No active exploitation in the wild (KEV status) has been reported, but the attack surface is broad given Discourse's widespread use as an open-source discussion platform.

Authentication Bypass Discourse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33418 HIGH PATCH This Week

A regex-based bypass vulnerability in the @dicebear/converter npm package allows attackers to circumvent SVG dimension sanitization by injecting decoy <svg tags in XML constructs. Applications using @dicebear/converter on Node.js to process untrusted SVG input are vulnerable to denial of service through unbounded memory allocation when rendering malformed SVGs. The CVSS score of 7.5 reflects the high availability impact with network-accessible attack vector requiring no authentication or user interaction.

Denial Of Service Node.js
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33164 HIGH PATCH This Week

A malformed H.265 PPS (Picture Parameter Set) NAL unit in libde265 prior to version 1.0.17 triggers a segmentation fault in the pic_parameter_set::set_derived_values() function, causing denial of service. Any application using affected versions of libde265 to decode H.265 video streams is vulnerable to crash via specially crafted video files or streams. The vulnerability has been patched in version 1.0.17, and a GitHub security advisory documents the issue.

Buffer Overflow Heap Overflow Libde265
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33069 HIGH PATCH This Week

PJSIP versions 2.16 and below contain a cascading out-of-bounds heap read vulnerability in the pjsip_multipart_parse() function that allows attackers to read 1-2 bytes of adjacent heap memory when processing SIP messages with multipart bodies or SDP content. The vulnerability affects all applications using PJSIP to process incoming SIP messages, as the flaw does not require authentication or user interaction and can be triggered remotely over the network. While the CVSS score of 6.9 reflects moderate severity with low confidentiality impact, the low attack complexity and remote exploitability make this a practical concern for SIP-based communication systems.

Buffer Overflow Information Disclosure Pjproject
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32933 HIGH PATCH This Week

AutoMapper, a widely-used convention-based object-object mapper for .NET applications, contains a stack exhaustion vulnerability that allows remote attackers to crash applications via deeply nested object graphs. Versions prior to 15.1.1 and 16.1.1 are affected. An unauthenticated attacker can trigger a StackOverflowException by sending specially crafted nested objects, causing immediate application termination with high availability impact (CVSS 7.5).

Denial Of Service Automapper
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32949 HIGH PATCH This Week

A Server-Side Request Forgery (SSRF) vulnerability in SQLBot, an intelligent data query system based on large language models and RAG, allows unauthenticated remote attackers to read arbitrary files from the server's filesystem. SQLBot versions prior to 1.7.0 are affected, with the vulnerability exploitable through the /api/v1/datasource/check endpoint by configuring a malicious MySQL data source that triggers a LOAD DATA LOCAL INFILE attack during connection verification. The CVSS score of 8.7 with network-based attack vector and no privileges required indicates critical severity, though no KEV listing or EPSS data suggests exploitation in the wild has not yet been widely observed.

SSRF Sqlbot
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32873 HIGH GHSA This Week

The ewe Gleam web server contains an infinite loop vulnerability in the handle_trailers function that permanently wedges the BEAM process at 100% CPU when processing rejected trailer headers in chunked HTTP requests. Versions 0.8.0 through 3.0.4 are affected, and any unauthenticated remote attacker can exploit this before application code executes, making mitigation at the application level impossible. The vulnerability is patched in version 3.0.5, and while no active exploitation (KEV) or EPSS score is reported, the low attack complexity and network accessibility make this a readily exploitable denial-of-service condition.

Denial Of Service Ewe
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4437 HIGH PATCH This Week

A DNS response parsing vulnerability exists in the GNU C Library (glibc) versions 2.34 through 2.43 affecting the gethostbyaddr and gethostbyaddr_r functions. When a malicious or compromised DNS server returns a crafted response that violates the DNS specification, the library may incorrectly treat non-answer sections (such as authority or additional sections) as valid answers, leading to buffer overflow and information disclosure. The vulnerability is classified as a read buffer over-read (CWE-125) and does not currently have a published CVSS score, EPSS metric, or confirmed KEV status, though the underlying mechanism suggests moderate real-world risk in environments with untrusted or attacker-controlled DNS infrastructure.

Information Disclosure Buffer Overflow Glibc
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-46597 HIGH This Week

Bitcoin Core versions 0.13.0 through 29.x contain an integer overflow vulnerability that could allow attackers to trigger unexpected behavior or crashes in affected nodes. This vulnerability affects a wide range of Bitcoin Core deployments spanning multiple major versions. While specific exploitation details remain limited due to the disclosure date and incomplete CVSS scoring, the integer overflow classification suggests potential for denial of service or memory corruption under specific conditions.

Integer Overflow Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33488 HIGH This Week

The LoginControl plugin for AVideo contains a critical cryptographic weakness in its PGP-based 2FA implementation, generating 512-bit RSA keys that can be factored on commodity hardware within hours using publicly available tools. Attackers who obtain a user's public key can derive the complete private key and decrypt authentication challenges, completely bypassing the second factor protection. A proof-of-concept demonstrating key factoring and challenge decryption is included in the advisory, and unauthenticated endpoints allow anonymous CPU-intensive key generation for denial-of-service attacks.

PHP Denial Of Service Python
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-2378 HIGH PATCH This Week

ArcSearch for Android versions prior to 1.12.7 contains an address bar spoofing vulnerability that allows attackers to display a different domain in the browser's address bar than the actual content being rendered. Users of ArcSearch for Android prior to version 1.12.7 are affected, and an attacker can craft malicious web content that, after user interaction, deceives users into believing they are visiting a legitimate domain while viewing attacker-controlled content. There is no indication of active exploitation in KEV data, and EPSS data is not provided.

XSS Google
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-4475 HIGH This Week

Hard-coded credentials in YI Home Camera 2 firmware 2.1.1_20171024151200 allow adjacent network attackers to gain complete device control without authentication. The vulnerability exists in the /home/web/ipc file component and enables full compromise of confidentiality, integrity, and availability. Public exploit code exists (SSVC: poc) and vendor Yi Technology did not respond to responsible disclosure, leaving devices unpatched. EPSS score is low (0.02%, 5th percentile) despite total technical impact, suggesting limited widespread exploitation but significant risk for exposed IoT camera deployments on shared networks.

Authentication Bypass
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-32887 HIGH PATCH This Week

Node.js applications using Effect library versions 3.19.15 and earlier with @effect/rpc 0.72.1 and @effect/platform 0.94.2 are vulnerable to context confusion due to improper AsyncLocalStorage handling in the MixedScheduler, allowing attackers to access sensitive data from other concurrent requests through race conditions. An attacker can exploit the batching mechanism to read or modify context belonging to different requests processed in the same microtask cycle, potentially leading to data leakage between users in multi-tenant environments. No patch is currently available.

Node.js Race Condition Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-15607 HIGH PATCH This Week

A command injection vulnerability exists in TP-Link AX53 v1 devices within the mscd debug functionality that allows authenticated attackers to execute arbitrary commands with full device control. The vulnerability stems from insufficient input validation on log redirection parameters, which can be abused to concatenate unvalidated file content into shell commands. A vendor patch is available, and this represents a critical control-plane compromise vector for affected router devices.

Command Injection Ax53 V1
NVD VulDB
CVSS 4.0
7.3
EPSS
0.5%
CVE-2026-33492 HIGH GHSA This Week

AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.

Session Fixation PHP CSRF Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-62846 HIGH PATCH This Week

An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unauthorized code or commands through SQL injection techniques. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires an attacker to first obtain legitimate administrator credentials on the affected device. While no CVSS score or EPSS data is currently published, the SQL injection classification (CWE-89) combined with code execution impact represents a critical risk for compromised administrator accounts.

SQLi Qurouter
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-33147 HIGH This Week

Stack-based buffer overflow in GMT versions 6.6.0 and earlier allows local attackers to crash the application or execute arbitrary code by supplying an excessively long dataset identifier to vulnerable functions like gmt_remote_dataset_id. The vulnerability affects command-line processing of geographic data and currently lacks a public patch, leaving all affected GMT installations exposed to local exploitation.

Stack Overflow Buffer Overflow RCE Gmt
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-3368 HIGH This Week

The Injection Guard plugin for WordPress versions up to 1.2.9 contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious JavaScript into the admin log interface. The flaw stems from insufficient sanitization of query parameter names, which are logged and later rendered without proper output escaping when administrators view the plugin's log page. This enables arbitrary script execution in the context of an authenticated administrator's browser session, potentially leading to account compromise or further malicious actions.

WordPress PHP XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-29109 HIGH This Week

Unsafe deserialization in SuiteCRM versions up to 8.9.2 allows authenticated administrators to execute arbitrary system commands on the server through the SavedSearch filter processing component. The vulnerability stems from improper handling of unserialized data in the FilterDefinitionProvider.php file, which fails to restrict instantiable classes when processing user-controlled input from the database. SuiteCRM 8.9.3 and later versions contain the fix.

PHP Deserialization
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33133 HIGH PATCH This Week

WeGIA versions 3.6.5 and 3.6.6 contain an unauthenticated SQL injection vulnerability in the loadBackupDB() function that fails to validate SQL content within uploaded backup archives. An attacker can craft a malicious backup file to execute arbitrary SQL statements, including creation of rogue administrator accounts, password modification, or complete database compromise. The vulnerability was introduced in commit 370104c and patched in version 3.6.7; no active exploitation in the wild has been confirmed, but the simplicity of the attack vector and availability of proof-of-concept references via GitHub advisory suggest moderate real-world risk.

SQLi Wegia
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33504 HIGH PATCH This Week

Ory Hydra, an OAuth 2.0 and OpenID Connect provider, contains a SQL injection vulnerability in three admin APIs (listOAuth2Clients, listOAuth2ConsentSessions, listTrustedOAuth2JwtGrantIssuers) due to insecure pagination token handling. Attackers who know the pagination secret can craft malicious encrypted tokens to execute arbitrary SQL queries. The CVSS score of 7.2 requires high privileges (PR:H), but successful exploitation grants full database access with high confidentiality, integrity, and availability impact.

SQLi OpenSSL Suse
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-55988 HIGH PATCH This Week

A path traversal vulnerability in the component /Controllers/RestController.php of DreamFactory Core (CVSS 7.2) that allows attackers. High severity vulnerability requiring prompt remediation.

PHP Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33503 HIGH PATCH This Week

Ory Kratos, an open-source identity and user management system, contains a SQL injection vulnerability in its ListCourierMessages Admin API through malicious pagination tokens. Attackers who know or can exploit the default pagination encryption secret can craft tokens to execute arbitrary SQL queries against the backend database. The vulnerability requires high privileges (PR:H) but is network-exploitable (AV:N) with low complexity (AC:L), scoring CVSS 7.2.

SQLi OpenSSL Suse
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33505 HIGH PATCH This Week

Ory Keto, an open-source authorization service, contains a SQL injection vulnerability in its GetRelationships API due to insecure pagination token handling. Attackers who know or can exploit the default hard-coded pagination encryption secret can craft malicious tokens to execute arbitrary SQL queries. The CVSS score of 7.2 reflects high privileges required (PR:H), though the actual risk is elevated when default secrets remain unchanged in production deployments.

SQLi OpenSSL Suse
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33493 HIGH This Week

The AVideo platform contains a path traversal vulnerability in the objects/import.json.php endpoint that allows authenticated users with upload permissions to bypass directory restrictions and access any MP4 file on the filesystem. Attackers can steal private videos from other users, read adjacent text/HTML files containing video metadata, and delete video files if writable by the web server. A detailed proof-of-concept is publicly available in the GitHub security advisory, and the vulnerability affects all instances where authenticated users have upload permissions, which is the default configuration.

Path Traversal PHP
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-32954 HIGH PATCH This Week

A blind SQL injection vulnerability exists in ERPNext, a free and open-source Enterprise Resource Planning system, affecting versions prior to 15.100.0 and beta versions 16.0.0-beta.1 through 16.7.x. The vulnerability allows authenticated attackers with low-level privileges to perform time-based and boolean-based blind SQL injection attacks through insufficiently validated parameters on certain endpoints, enabling them to infer and extract sensitive database information. This is tagged as an SQLi vulnerability and has been assigned EUVD-2026-13547 by ENISA, with patches available in versions 15.100.0 and 16.8.0.

SQLi Erpnext
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2024-32537 HIGH This Week

Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash Video Player allows Cross Site Request Forgery.0.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Flash Video Player
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33421 HIGH PATCH GHSA This Week

Parse Server's LiveQuery WebSocket interface contains an authorization bypass vulnerability that allows any authenticated user to subscribe to real-time object updates regardless of Class-Level Permission pointer field restrictions. Affected products include the parse-server npm package, where authenticated attackers can receive real-time updates for all objects in classes that should be restricted by readUserFields and pointerFields CLP settings, bypassing intended access controls that are correctly enforced in the REST API. No public proof-of-concept or active exploitation (KEV) has been reported at this time.

Information Disclosure Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-4519 HIGH PATCH This Week

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-line options rather than URLs, potentially leading to unintended command execution or information disclosure. This affects all CPython versions using the vulnerable webbrowser module. An attacker can craft a malicious URL containing leading dashes (e.g., '-P' or '--profile') that, when passed to webbrowser.open(), may trigger browser-specific behavior such as loading alternate profiles or executing browser commands, resulting in information disclosure or other security impacts.

Information Disclosure Cpython
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy