Skip to main content
CVE-2026-32985 CRITICAL POC Emergency

Xerte Online Toolkits 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability allowing remote code execution with a CVSS score of 9.8. The template import functionality at /website_code/php/import/import.php lacks authentication checks, enabling attackers to upload ZIP archives containing malicious PHP files that are extracted to web-accessible directories. This is a critical severity issue with network-based attack vector requiring no privileges or user interaction, and a proof-of-concept has been published by VulnCheck.

PHP Authentication Bypass RCE File Upload
NVD VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-33478 CRITICAL POC PATCH GHSA Act Now

A critical authentication bypass and command injection vulnerability chain in AVideo's CloneSite plugin allows completely unauthenticated remote attackers to achieve full system compromise. The vulnerability affects AVideo installations with the CloneSite plugin enabled, allowing attackers to steal clone authentication keys, dump the entire database including MD5-hashed admin credentials, crack those credentials trivially, and finally execute arbitrary system commands via an rsync command injection. A detailed proof-of-concept demonstrating the complete attack chain is publicly available in the GitHub security advisory, making this an immediate exploitation risk.

RCE Command Injection PHP
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
3.0%
CVE-2026-3584 CRITICAL POC Act Now

The Kali Forms plugin for WordPress contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. All versions up to and including 2.4.9 are affected, including the popular 'Kali Forms - Contact Form & Drag-and-Drop Builder' plugin by WPChill. The vulnerability carries a critical CVSS score of 9.8 due to its network-based attack vector, low complexity, and lack of required authentication or user interaction.

WordPress RCE Code Injection
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-21992 CRITICAL POC NEWS Act Now

A critical authentication bypass vulnerability in Oracle Identity Manager and Oracle Web Services Manager allows remote attackers to completely compromise affected systems without any credentials. The vulnerability resides in the REST WebServices and Web Services Security components, affecting versions 12.2.1.4.0 and 14.1.2.1.0 of both products. With a CVSS score of 9.8 and no authentication required, this represents a severe risk to identity management infrastructure, though no current KEV listing or public POC has been documented in available sources.

Oracle Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25192 CRITICAL CISA Emergency

CTEK Chargeportal's OCPP WebSocket endpoints accept unauthenticated connections, allowing remote attackers to impersonate charging stations by connecting with known or discovered station identifiers and issuing fraudulent OCPP commands to the backend infrastructure. This authentication bypass enables complete control over charging operations, data manipulation, and privilege escalation across the charging network. CISA ICS-CERT issued advisory ICSA-26-078-06 for this industrial control system vulnerability. EPSS score of 0.13% (33rd percentile) indicates relatively low predicted exploitation likelihood despite critical CVSS 9.3 severity, though SSVC assessment confirms the vulnerability is fully automatable with total technical impact.

Authentication Bypass Privilege Escalation Chargeportal
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-29796 CRITICAL CISA Emergency

Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against electric vehicle charging infrastructure without credentials. An attacker can connect using a known station identifier to manipulate charging operations, alter backend data, and escalate privileges across the charging network. No patch is currently available for this critical vulnerability affecting EV charging systems.

Authentication Bypass Privilege Escalation Eparking Fi
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-24060 CRITICAL CISA Emergency

This vulnerability affects Automated Logic's WebCTRL Premium Server, which transmits BACnet protocol data in cleartext without encryption. An attacker positioned on the network can sniff sensitive service information including File Start Position, File Data, and proprietary PLC update formats using tools like Wireshark, enabling both information disclosure and potential integrity attacks through modification of intercepted traffic. With a CVSS score of 9.1 (Critical) and network-based attack vector requiring no privileges or user interaction, this represents a significant exposure for building automation systems.

Information Disclosure Webctrl Premium Server
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-33494 CRITICAL PATCH Act Now

Ory Oathkeeper, an identity and access proxy, contains an authorization bypass vulnerability via HTTP path traversal that allows attackers to access protected resources without authentication. The vulnerability affects Ory Oathkeeper installations where the software uses un-normalized paths for rule matching, enabling requests like '/public/../admin/secrets' to bypass authentication requirements. With a CVSS score of 10.0 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe authentication bypass, though no current EPSS score or KEV listing indicates limited evidence of active exploitation at this time.

Path Traversal Nginx Suse
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-32938 CRITICAL PATCH Act Now

SiYuan personal knowledge management system versions 3.6.0 and below contain a path traversal vulnerability that allows authenticated attackers to exfiltrate arbitrary readable files from the system. An attacker with low-level privileges can exploit the /api/lute/html2BlockDOM endpoint to copy sensitive files to the workspace assets directory via malicious file:// links in pasted HTML, then retrieve them through the authenticated GET /assets/ endpoint. This is a critical vulnerability with a CVSS score of 9.9 due to its potential for high confidentiality impact and scope change, though no active exploitation (KEV) or public proof-of-concept has been documented.

Path Traversal Suse
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-22172 CRITICAL PATCH Act Now

OpenClaw contains an authorization bypass vulnerability in its WebSocket connection handling that allows authenticated users with low-privilege shared-token or password credentials to falsely declare elevated administrative scopes without proper server-side validation. Attackers with basic authentication can escalate privileges to operator.admin level and execute administrative gateway operations. With a CVSS score of 9.9 (Critical) and low attack complexity, this represents a severe privilege escalation risk, though no KEV listing or EPSS data is currently available to confirm active exploitation.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-33502 CRITICAL PATCH Act Now

An unauthenticated server-side request forgery (SSRF) vulnerability exists in AVideo's Live plugin test.php endpoint that allows remote attackers to force the server to send HTTP requests to arbitrary URLs. The vulnerability affects AVideo installations with the Live plugin enabled and can be exploited to probe internal network services, access cloud metadata endpoints, and retrieve content from internal HTTP resources. A proof-of-concept has been published demonstrating localhost service enumeration, and the vulnerability requires no authentication or user interaction to exploit.

SSRF PHP RCE Apache Nginx
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
3.0%
CVE-2026-4038 CRITICAL Act Now

The Aimogen Pro plugin for WordPress contains an arbitrary function call vulnerability allowing unauthenticated attackers to execute privileged WordPress functions without authorization. All versions up to and including 2.7.5 are affected, enabling attackers to modify critical site settings such as changing the default user registration role to administrator, then registering as an admin to gain full site control. This is a critical authentication bypass with privilege escalation rated 9.8 CVSS, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.

WordPress Privilege Escalation Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-32945 CRITICAL PATCH Act Now

Heap overflow in PJSIP 2.16 and earlier DNS parser allows unauthenticated remote attackers to achieve code execution with no user interaction required. The vulnerability affects only applications explicitly configured with a built-in nameserver; users relying on OS resolvers or external resolver implementations are unaffected. No patch is currently available, but mitigation is possible by disabling DNS resolution or switching to an external resolver.

Buffer Overflow Heap Overflow Pjsip
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2024-44722 CRITICAL Act Now

SysAK v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-32890 CRITICAL PATCH Act Now

A stored Cross-site Scripting (XSS) vulnerability exists in the Anchorr Discord bot's web dashboard User Mapping dropdown that allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in an administrator's browser. This can be chained with an unauthenticated API endpoint (/api/config) to exfiltrate all stored credentials including Discord tokens, Jellyfin API keys, Jellyseerr API keys, JWT secrets, webhook secrets, and bcrypt password hashes. The vulnerability affects Anchorr versions 1.4.1 and below, with a critical CVSS score of 9.6 indicating network-based exploitation with low complexity and no authentication required.

XSS Anchorr
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-21732 CRITICAL Act Now

GPU shader compiler memory corruption via malicious shader code allows remote code execution when the compiler runs with elevated privileges, affecting multiple platforms through crafted switch statements that trigger out-of-bounds writes. An attacker can exploit this vulnerability by delivering specially-crafted GPU shader code through a web page, potentially gaining system-level control on vulnerable devices. No patch is currently available for this critical vulnerability.

Buffer Overflow Memory Corruption Graphics Ddk
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-22898 CRITICAL PATCH Act Now

QVR Pro contains a missing authentication vulnerability (CWE-306) that allows remote attackers to access critical functions without proper credential validation, potentially gaining unauthorized system access. All versions prior to QVR Pro 2.7.4.14 are affected. This authentication bypass vulnerability enables unauthenticated remote exploitation of a surveillance management platform, representing a direct threat to organizations relying on QVR Pro for video recording and system administration.

Authentication Bypass Qvr Pro
NVD VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-32940 CRITICAL PATCH Act Now

SiYuan personal knowledge management system contains a cross-site scripting (XSS) vulnerability in versions 3.6.0 and below. An unauthenticated attacker can exploit the /api/icon/getDynamicIcon endpoint by crafting a malicious URL that bypasses SVG sanitization filters, allowing arbitrary JavaScript execution when a victim clicks an injected link within the rendered SVG. The CVSS score of 9.3 indicates critical severity, though exploitation requires user interaction (clicking a malicious link) and the attack complexity is low.

XSS Suse
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-33136 CRITICAL PATCH Act Now

WeGIA, a web manager for charitable institutions, contains a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint affecting versions 3.6.6 and below. An attacker can inject arbitrary JavaScript or HTML into the sccd GET parameter, which is reflected without sanitization when the msg parameter equals 'success', enabling session hijacking, credential theft, and malicious actions in the context of victim users. The vulnerability has a critical CVSS score of 9.3 with changed scope, indicating potential impact beyond the vulnerable component.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-33134 CRITICAL PATCH Act Now

WeGIA, a web manager for charitable institutions, contains an authenticated SQL injection vulnerability in versions 3.6.5 and below via the id_producto parameter in the restaurar_produto.php endpoint. An authenticated attacker can execute arbitrary SQL commands to fully compromise the database, extracting sensitive donor information, beneficiary records, and administrative credentials. No evidence of active exploitation (not in CISA KEV) is currently available, though proof-of-concept details are publicly disclosed in the GitHub security advisory.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-33135 CRITICAL PATCH Act Now

A Reflected Cross-Site Scripting (XSS) vulnerability exists in WeGIA, a web manager for charitable institutions. Versions 3.6.6 and below are affected through the novo_memorandoo.php endpoint, where an attacker can inject arbitrary JavaScript via the sccs GET parameter without sanitization. This allows execution of malicious scripts in victims' browsers when they click a crafted link, with a critical CVSS score of 9.3 due to cross-site scripting scope and high confidentiality and integrity impact.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-33024 CRITICAL PATCH Act Now

AVideo, a video-sharing platform, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 8.0 affecting the public thumbnail endpoints getImage.php and getImageMP4.php. Unauthenticated attackers can exploit insufficient URL validation to force the server to make requests to internal network resources including cloud metadata endpoints (AWS EC2 169.254.169.254), localhost, and private IP ranges. The vulnerability has a CVSS 4.0 score of 9.3 with network attack vector requiring no privileges or user interaction, though there is no evidence of active exploitation or public proof-of-concept at this time.

SSRF PHP
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-32817 CRITICAL PATCH Act Now

Admidio versions 5.0.0 through 5.0.6 contain a critical authorization bypass vulnerability in the documents and files module that allows unauthorized deletion of folders and files. When the module is configured in public mode, unauthenticated attackers can permanently destroy the entire document library via simple HTTP GET requests without CSRF protection. The vulnerability combines missing authorization checks (CWE-862) with CSRF weaknesses, resulting in a CVSS score of 9.1 (Critical) with network-based attack vector requiring no privileges or user interaction.

CSRF PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-33419 CRITICAL PATCH Act Now

MinIO AIStor's Security Token Service (STS) AssumeRoleWithLDAPIdentity endpoint contains two combined vulnerabilities that enable LDAP credential brute-forcing: distinguishable error messages allowing username enumeration (CWE-204) and missing rate limiting (CWE-307). All MinIO deployments through the final open-source release with LDAP authentication enabled are affected. Unauthenticated network attackers can enumerate valid LDAP usernames, perform unlimited password guessing attacks, and obtain temporary AWS-style STS credentials granting full access to victim users' S3 buckets and objects.

Microsoft Docker Information Disclosure Apple Nginx +1
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.1%
CVE-2026-33286 CRITICAL PATCH Act Now

A critical arbitrary method execution vulnerability affects Graphiti's JSONAPI write functionality, allowing attackers to invoke any public method on underlying model instances, classes, or associations through crafted JSONAPI payloads. Applications using Graphiti (a Ruby gem for building JSON:API compliant APIs) that expose write endpoints to untrusted users are affected, particularly versions prior to 1.10.2. The vulnerability scores CVSS 9.1 (Critical) with network-based exploitation requiring no authentication or user interaction, enabling both high integrity and availability impacts.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-32891 CRITICAL PATCH Act Now

A stored cross-site scripting (XSS) vulnerability in Anchorr Discord bot versions 1.4.1 and below allows authenticated Jellyseerr users to execute arbitrary JavaScript in admin browser sessions. The XSS payload can exfiltrate the full application configuration including session tokens and API keys for integrated services (Jellyfin, Jellyseerr, Discord), enabling complete account takeover across all connected platforms without requiring admin credentials. This vulnerability is tagged as XSS in ENISA's database (EUVD-2026-13503) with a CVSS score of 9.0, though no EPSS score, KEV listing, or public POC availability is reported in the provided data.

XSS Anchorr
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy