188 CVEs tracked today. 20 Critical, 70 High, 84 Medium, 14 Low.
-
CVE-2026-33634
CRITICAL
CVSS 9.4
Trivy security scanner v0.69.4 was compromised in a supply chain attack where a threat actor used stolen credentials to publish malicious releases and force-push credential-stealing malware to GitHub Actions repositories.
Information Disclosure
-
CVE-2026-3055
CRITICAL
CVSS 9.3
An insufficient input validation vulnerability exists in Citrix NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider, allowing attackers to trigger a memory overread condition. The vulnerability affects both the NetScaler ADC and NetScaler Gateway products across multiple versions, and successful exploitation could lead to information disclosure by reading adjacent memory contents. While no CVSS score or EPSS data is currently published, the CWE-125 classification (Out-of-bounds Read) combined with the SAML IDP configuration context suggests moderate to high real-world risk for organizations relying on these devices for identity management.
Information Disclosure
Citrix
Buffer Overflow
-
CVE-2026-33716
CRITICAL
CVSS 9.4
WWBN AVideo versions up to and including 26.0 contain an authentication bypass vulnerability in the standalone live stream control endpoint. The endpoint accepts a user-supplied 'streamerURL' parameter that redirects token verification to an attacker-controlled server, allowing complete bypass of authentication without any user interaction. With a CVSS score of 9.4, an attacker gains unauthenticated control over any live stream including the ability to drop publishers, manipulate recordings, and probe stream existence.
PHP
Authentication Bypass
-
CVE-2026-33202
CRITICAL
CVSS 9.1
Rails Active Storage's DiskService#delete_prefixed method fails to escape glob metacharacters when passing blob keys to Dir.glob, allowing attackers to delete unintended files from the storage directory if blob keys contain attacker-controlled input or custom-generated keys with glob metacharacters. This affects Ruby on Rails versions prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1, and while no CVSS score or EPSS data is currently available, the vulnerability represents a significant integrity and availability risk as it enables arbitrary file deletion on the server filesystem.
Information Disclosure
-
CVE-2026-33195
CRITICAL
CVSS 9.8
Active Storage's DiskService component in Ruby on Rails contains a path traversal vulnerability (CWE-22) that fails to validate resolved filesystem paths remain within the storage root directory. Applications passing untrusted user input as blob keys are vulnerable to arbitrary file read, write, or deletion operations on the server. Patches are available in Rails versions 7.2.3.1, 8.0.4.1, and 8.1.2.1, with no current evidence of active exploitation or public proof-of-concept code.
Path Traversal
-
CVE-2026-32968
CRITICAL
CVSS 9.8
This is a critical OS command injection vulnerability in the com_mb24sysapi module of several MB Connect Line and Helmholz industrial remote access products. An unauthenticated remote attacker can execute arbitrary OS commands without any user interaction, leading to complete system compromise. This is a variant of CVE-2020-10383, suggesting similar attack patterns may be applicable, and the 9.8 CVSS score reflects the severe nature of network-accessible, authentication-free remote code execution in industrial control system components.
Command Injection
-
CVE-2026-32913
CRITICAL
CVSS 9.3
OpenClaw versions prior to 2026.3.7 contain a critical header validation flaw in the fetchWithSsrFGuard function that leaks sensitive authorization headers (including X-Api-Key and Private-Token) across cross-origin redirects. An attacker can exploit this remotely without authentication by triggering HTTP redirects to attacker-controlled domains, intercepting credentials intended for legitimate services. With a CVSS score of 9.3 and network-accessible attack vector requiring low complexity, this represents a significant information disclosure risk, though no active exploitation (KEV) or public POC has been reported at this time.
Information Disclosure
-
CVE-2026-30849
CRITICAL
CVSS 9.3
MantisBT versions prior to 2.28.1 contain an authentication bypass vulnerability in the SOAP API caused by improper type checking on the password parameter when running on MySQL family databases. An attacker who knows a victim's username can log in to the SOAP API without knowing the correct password and execute any API function available to that account. While a CVSS score is not yet assigned, the vulnerability is patched in version 2.28.1, and disabling the SOAP API reduces but does not eliminate the risk.
Authentication Bypass
-
CVE-2026-4681
CRITICAL
CVSS 9.3
A critical remote code execution vulnerability exists in PTC Windchill PDMLink and PTC FlexPLM products due to unsafe deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code on affected systems. The vulnerability affects multiple versions of both products spanning from version 11.0 through 13.1.3.0 for Windchill and 11.0 through 13.0.3.0 for FlexPLM. An attacker can craft malicious serialized objects that, when deserialized by the vulnerable application, trigger code execution with the privileges of the Windchill or FlexPLM service account.
RCE
Deserialization
Windchill Pdmlink
Flexplm
-
CVE-2026-4606
CRITICAL
CVSS 10.0
GV Edge Recording Manager (ERM) v2.3.1 improperly executes application components with SYSTEM-level privileges, allowing any local user to escalate privileges and gain full control of the operating system. The vulnerability stems from the Windows service running under the LocalSystem account and spawning child processes with elevated privileges, particularly when file dialogs are invoked during operations like data import. This is a local privilege escalation vulnerability with high real-world risk due to the ease of exploitation and the severity of the impact.
Privilege Escalation
Microsoft
Gv Edge Recording Manager
Windows
-
CVE-2026-4599
CRITICAL
CVSS 9.1
The jsrsasign JavaScript cryptographic library contains a critical vulnerability in its random number generation functions that allows attackers to recover private DSA keys through nonce bias exploitation. Versions 7.0.0 through 11.1.0 are affected. A proof-of-concept is publicly available (referenced in a GitHub Gist), demonstrating the attack's feasibility, and the vulnerability requires no authentication or user interaction for remote exploitation.
Information Disclosure
-
CVE-2026-4585
CRITICAL
CVSS 9.8
A critical OS command injection vulnerability exists in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0, specifically in the ImportSystemConfiguration.jsp file's Configuration Handler. Attackers can remotely execute arbitrary operating system commands without authentication by manipulating the 'File' parameter. A public proof-of-concept exploit has been disclosed and is available, significantly increasing the risk of active exploitation, though the vendor has not responded to disclosure attempts.
Command Injection
-
CVE-2026-4404
CRITICAL
CVSS 9.4
GoHarbor Harbor versions 2.15.0 and earlier contain hardcoded default credentials that allow unauthenticated attackers to gain administrative access to the web UI using the default username 'admin' and password 'Harbor12345'. This vulnerability enables complete compromise of the container registry, including image manipulation, deletion, and unauthorized access to stored artifacts. The issue has been documented in GitHub issues and pull requests within the Harbor project, indicating active awareness and remediation efforts by the development team.
Information Disclosure
-
CVE-2026-4001
CRITICAL
CVSS 9.8
The Woocommerce Custom Product Addons Pro plugin for WordPress contains a critical remote code execution vulnerability caused by unsafe use of PHP's eval() function when processing custom pricing formulas. All versions up to and including 5.4.1 are affected, allowing unauthenticated attackers to execute arbitrary PHP code on the server by submitting malicious input to WCPA text fields configured with custom pricing formulas. With a CVSS score of 9.8, this represents a maximum severity issue requiring immediate attention, though EPSS and KEV status data are not provided in the available intelligence.
Code Injection
WordPress
PHP
RCE
-
CVE-2026-3587
CRITICAL
CVSS 10.0
A hidden function in the CLI prompt of multiple WAGO industrial and lean managed switches allows unauthenticated remote attackers to escape the restricted interface and gain root access to the underlying Linux operating system. This results in complete device compromise with a maximum CVSS score of 10.0. The vulnerability affects over a dozen WAGO switch models used in industrial automation environments, and was disclosed by CERT@VDE.
Information Disclosure
-
CVE-2026-2298
CRITICAL
CVSS 9.4
An Improper Neutralization of Argument Delimiters (Argument Injection) vulnerability exists in Salesforce Marketing Cloud Engagement that allows attackers to manipulate Web Services Protocol interactions through command injection. All versions of Marketing Cloud Engagement released before January 30th, 2026 are affected. An attacker with network access to the affected service can inject malicious arguments into commands, potentially leading to unauthorized actions, data exfiltration, or service compromise. No CVSS score, EPSS data, or confirmed public POC are currently available, but the vulnerability has been officially disclosed by Salesforce with a patch deadline, indicating active remediation efforts.
Code Injection
-
CVE-2026-0898
CRITICAL
CVSS 9.0
An arbitrary file-write vulnerability exists in Pega Browser Extension (PBE) affecting Pega Robot Studio developers using versions 22.1 or R25 who automate Google Chrome and Microsoft Edge browsers. A threat actor can craft a malicious website that, when visited by a developer during interrogation mode in Robot Studio, executes arbitrary file-write operations on the developer's system. This vulnerability does not affect end-user Robot Runtime deployments, limiting its blast radius to development environments.
Google
RCE
Microsoft
Pega Robot Studio
Chrome
-
CVE-2025-60949
CRITICAL
CVSS 9.3
Census CSWeb 8.0.1 contains an information disclosure vulnerability where the app/config endpoint is reachable via HTTP without authentication in certain deployments, allowing remote attackers to retrieve sensitive configuration data including secrets. This vulnerability has a CVSS score of 9.1 (Critical) and affects Census CSWeb versions prior to 8.1.0 alpha. A public proof-of-concept exploit is available on GitHub (https://github.com/hx381/cspro-exploits), significantly increasing the risk of active exploitation.
Information Disclosure
-
CVE-2025-41008
CRITICAL
CVSS 9.3
A SQL injection vulnerability exists in Sinturno that allows unauthenticated or low-privileged attackers to execute arbitrary SQL commands through the 'client' parameter in the '/_adm/scripts/modalReport_data.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, updating, and deletion of database objects. The vulnerability was reported by INCIBE and affects all versions of Sinturno; no CVSS score, EPSS data, or KEV status has been published, but the ability to perform CRUD operations on databases represents critical severity regardless of formal scoring.
PHP
SQLi
Sinturno
-
CVE-2025-41007
CRITICAL
CVSS 9.3
A SQL injection vulnerability exists in Cuantis that allows unauthenticated attackers to execute arbitrary SQL commands through the 'search' parameter in the '/search.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, modification, and deletion of database contents. A patch is available from the vendor, and exploitation requires only network access to the affected application with no special privileges or user interaction.
PHP
SQLi
Cuantis
-
CVE-2026-33723
HIGH
CVSS 7.1
WWBN AVideo, an open source video platform, contains a SQL injection vulnerability in the Subscribe::save() method that allows authenticated attackers to execute arbitrary SQL queries. Versions up to and including 26.0 are affected, with the vulnerability stemming from unsanitized user input from the $_POST['user_id'] parameter being concatenated directly into INSERT queries. An attacker with low-level authentication can extract sensitive data including password hashes, API keys, and encryption salts from the database, representing a significant information disclosure risk.
PHP
Information Disclosure
SQLi
-
CVE-2026-33719
HIGH
CVSS 8.6
WWBN AVideo video platform up to and including version 26.0 contains an authentication bypass vulnerability in the CDN plugin that allows unauthenticated remote attackers to completely modify CDN configuration settings including storage credentials and authentication keys. The vulnerability stems from the CDN plugin's default empty string authentication key, which causes validation checks to be bypassed entirely when the plugin is enabled but not properly configured. The CVSS score of 8.6 reflects high integrity impact with network-based exploitation requiring no privileges or user interaction.
PHP
Authentication Bypass
-
CVE-2026-33717
HIGH
CVSS 8.8
WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability (CWE-434) that allows authenticated attackers to upload and execute arbitrary PHP code on the server. The vulnerability exists in the downloadVideoFromDownloadURL() function which saves remote content with its original filename and extension to a web-accessible directory; by providing an invalid resolution parameter, attackers can bypass cleanup mechanisms, leaving executable PHP files persistent under the web root. With a CVSS score of 8.8, this represents a high-severity remote code execution risk for authenticated users.
PHP
File Upload
-
CVE-2026-33681
HIGH
CVSS 7.2
WWBN AVideo, an open source video platform, contains a critical path traversal vulnerability in the pluginRunDatabaseScript.json.php endpoint that allows authenticated administrators to execute arbitrary SQL queries against the application database. Versions up to and including 26.0 are affected. The vulnerability can also be exploited via CSRF attacks against authenticated admin sessions, enabling unauthenticated attackers to achieve remote code execution or complete database compromise.
Path Traversal
PHP
CSRF
-
CVE-2026-33651
HIGH
CVSS 8.1
SQL injection in WWBN AVideo up to version 26.0 allows authenticated users to extract arbitrary database contents through time-based blind SQL injection via the remindMe.json.php endpoint. The vulnerability stems from insufficient input sanitization of the live_schedule_id parameter, which is concatenated directly into a SQL LIKE clause despite partial validation in intermediate functions. No patch is currently available.
PHP
SQLi
-
CVE-2026-33650
HIGH
CVSS 7.6
Privilege escalation in WWBN AVideo up to version 26.0 allows users with "Videos Moderator" permissions to gain full video management capabilities, including transferring ownership and deleting any video, by exploiting inconsistent authorization checks between the video editing and deletion endpoints. An authenticated attacker can chain an ownership transfer with deletion operations to compromise videos outside their legitimate scope. A patch is available in commit 838e16818c793779406ecbf34ebaeba9830e33f8.
PHP
Authentication Bypass
-
CVE-2026-33649
HIGH
CVSS 8.1
A Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo open source video platform versions up to and including 26.0 allows unauthenticated attackers to escalate privileges to near-admin access by tricking an administrator into visiting a malicious page. The vulnerability exists in the setPermission.json.php endpoint which accepts state-changing operations via GET requests without CSRF token validation, compounded by the application's explicit SameSite=None cookie setting. No patched version is currently available, and with a CVSS score of 8.1 (High), this represents a significant risk for installations with administrative users who browse external content.
PHP
CSRF
-
CVE-2026-33648
HIGH
CVSS 8.8
WWBN AVideo versions up to and including 26.0 contain a command injection vulnerability in the restreamer endpoint that allows authenticated attackers to execute arbitrary commands on the server. The vulnerability stems from unsanitized user input (users_id and liveTransmitionHistory_id parameters) being embedded directly into shell commands via exec(). With a CVSS score of 8.8, this critical vulnerability requires low attack complexity and low privileges, enabling complete system compromise including data theft, modification, and denial of service.
Command Injection
-
CVE-2026-33647
HIGH
CVSS 8.8
WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability in the ImageGallery::saveFile() method that allows authenticated attackers to upload polyglot files (JPEG with embedded PHP code) and achieve Remote Code Execution. The vulnerability exploits a mismatch between MIME type validation (which checks file content) and filename extension handling (which trusts user input), allowing attackers to bypass security controls and execute arbitrary code on the server. A patch is available in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae, and the issue has been publicly disclosed via GitHub Security Advisory GHSA-wxjw-phj6-g75w.
PHP
RCE
File Upload
-
CVE-2026-33548
HIGH
CVSS 8.6
MantisBT version 2.28.0 contains a stored cross-site scripting (XSS) vulnerability in the Timeline view of my_view_page.php where tag names are improperly escaped when retrieved from the History table, allowing attackers to inject arbitrary HTML and potentially execute JavaScript if Content Security Policy permits. This affects users viewing issues with renamed or deleted tags, and version 2.28.1 contains the patch. No CVSS score or EPSS data is currently available, but the vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries moderate to high risk in environments without strict CSP enforcement.
PHP
XSS
-
CVE-2026-33517
HIGH
CVSS 8.6
MantisBT version 2.28.0 contains a Stored/Reflected Cross-Site Scripting (XSS) vulnerability in the tag deletion confirmation dialog (tag_delete.php) due to improper HTML escaping of tag names in the confirmation message. An authenticated attacker can inject malicious HTML and JavaScript code that executes in the browser of any user viewing the confirmation page, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability was patched in version 2.28.1, and proof-of-concept information is available via the GitHub security advisory and associated commit references.
PHP
XSS
-
CVE-2026-33513
HIGH
CVSS 8.6
WWBN AVideo versions up to and including 26.0 contain an unauthenticated path traversal vulnerability in the locale API endpoint that allows arbitrary PHP file inclusion under the web root. Attackers can achieve confirmed file disclosure and code execution by including existing PHP files, with potential escalation to full remote code execution if they can upload or control PHP files elsewhere in the application tree. The vulnerability has a CVSS score of 8.6 and requires no authentication or user interaction to exploit, though no patch is currently available and there is no evidence of active exploitation in KEV data.
Path Traversal
PHP
RCE
-
CVE-2026-33512
HIGH
CVSS 7.5
WWBN AVideo versions up to and including 26.0 contain an unauthenticated API endpoint that allows arbitrary decryption of ciphertext. Attackers can exploit the decryptString action in the API plugin without authentication to decrypt publicly-issued ciphertext (such as from view/url2Embed.json.php), allowing recovery of protected tokens and metadata. The CVSS score of 7.5 reflects high confidentiality impact with network accessibility and no authentication required.
PHP
Authentication Bypass
-
CVE-2026-33430
HIGH
CVSS 7.3
Microsoft Briefcase Windows MSI installers with per-machine scope create directories that inherit parent permissions insecurely, allowing authenticated local users to modify or replace application binaries. An attacker with low privileges can exploit this misconfiguration to inject malicious code that executes with administrator rights when launched. A patch is available addressing the vulnerable WXS file template generation.
Information Disclosure
Microsoft
-
CVE-2026-33176
HIGH
CVSS 7.5
Rails ActiveSupport number helpers contain a denial of service vulnerability where strings with scientific notation (e.g., '1e10000') are improperly converted and expanded into extremely large decimal representations, causing excessive memory allocation and CPU consumption during string formatting. The vulnerability affects ActiveSupport across multiple Rails versions prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1. An attacker can exploit this by providing maliciously crafted scientific notation strings to trigger resource exhaustion and deny service to legitimate users.
Denial Of Service
-
CVE-2026-33174
HIGH
CVSS 7.5
Rails Active Storage's Blobs::ProxyController loads entire requested byte ranges into memory before transmission, allowing remote unauthenticated attackers to exhaust server memory and cause denial of service by sending requests with large or unbounded Range headers. This vulnerability affects systems using Active Storage for file serving and requires no user interaction or authentication to exploit. A patch is available.
Information Disclosure
-
CVE-2026-33046
HIGH
CVSS 8.8
A LaTeX injection vulnerability in Indico (event management platform) allows authenticated attackers to read local files or execute arbitrary code on the server when server-side LaTeX rendering is enabled via XELATEX_PATH configuration. The vulnerability stems from TeXLive weaknesses and insufficient sanitization of LaTeX input, permitting specially-crafted snippets to bypass security controls. Patches are available in version 3.3.12, and there is no evidence of active exploitation (not in CISA KEV), though multiple proof-of-concept patches indicate the vulnerability has been thoroughly analyzed.
Path Traversal
-
CVE-2026-32969
HIGH
CVSS 7.5
A pre-authentication blind SQL injection vulnerability exists in the userinfo endpoint's authentication method, allowing unauthenticated remote attackers to extract sensitive data from backend databases without any credentials. Affected products include MB Connect Line's mbCONNECT24 and mymbCONNECT24 industrial remote access solutions, as well as Helmholz's myREX24v2 and myREX24v2.virtual platforms used in industrial automation environments. With a CVSS score of 7.5 and complete loss of confidentiality, this represents a significant risk to industrial control systems, though no active exploitation (KEV) or public POC has been reported yet.
SQLi
-
CVE-2026-32910
HIGH
CVSS 7.3
OpenClaw versions prior to 2026.3.1 contain an approval bypass vulnerability in the system.run function that allows attackers to execute a different binary than the one approved by an operator. The vulnerability stems from non-path-like argv[0] tokens failing to bind to executable identity, enabling post-approval PATH manipulation to redirect execution to attacker-controlled binaries. With a CVSS score of 7.3 and requiring local access with low privileges and user interaction, this represents a significant privilege escalation and integrity bypass risk in environments using OpenClaw's execution approval mechanisms.
Authentication Bypass
-
CVE-2026-32908
HIGH
CVSS 7.0
OpenClaw 2026.1.21 through 2026.2.18 contains a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism. Local authenticated users with low privileges can execute arbitrary commands when spawn failures trigger shell fallback with cmd.exe, exploiting workflow-controlled parameters. A patch is available from the vendor, and while no KEV or EPSS data indicates active exploitation at this time, the vulnerability has a CVSS score of 7.0 (High).
Command Injection
Microsoft
Windows
-
CVE-2026-32907
HIGH
CVSS 7.8
OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in the Windows scheduled task script generation component. Attackers with low-level local privileges and control over service script generation values can inject cmd metacharacters into the gateway.cmd arguments to execute arbitrary commands with high impact to confidentiality, integrity, and availability. There is no indication of active exploitation (not in CISA KEV), but a patch commit is publicly available which may facilitate proof-of-concept development.
Microsoft
Command Injection
Windows
-
CVE-2026-32902
HIGH
CVSS 8.3
OpenClaw contains a server-side request forgery (SSRF) vulnerability in its web search citation redirect resolution mechanism that allows unauthenticated remote attackers to trigger requests to internal network destinations from the OpenClaw gateway host. OpenClaw versions prior to 2026.3.1 are affected. Attackers who can influence citation redirect targets can exploit this to access private network resources, with a CVSS score of 8.3 indicating high severity with low complexity and no privileges required.
SSRF
-
CVE-2026-32845
HIGH
CVSS 8.4
cgltf versions 1.15 and earlier are vulnerable to integer overflow in sparse accessor validation that enables local attackers to craft malicious glTF/GLB files triggering heap buffer over-reads. Exploitation causes denial of service through application crashes and may leak sensitive memory contents. No patch is currently available for this high-severity vulnerability (CVSS 8.4).
Denial Of Service
Integer Overflow
-
CVE-2026-32300
HIGH
CVSS 8.1
Improper authorization in the My Page profile update feature allows authenticated attackers to modify arbitrary user profiles and passwords, potentially leading to account takeover. Affected versions include 1.x through 1.41.0 and 2.x through 2.41.0; patches are available in versions 1.41.1 and 2.41.1. Exploitation requires valid authentication but no additional privileges or user interaction.
Authentication Bypass
-
CVE-2026-32299
HIGH
CVSS 7.5
Insufficient authorization checks in the page content retrieval feature (versions 1.x <= 1.41.0 and 2.x <= 2.41.1) allow unauthenticated attackers to access non-public page contents and attachments. An attacker can retrieve sensitive information from restricted pages without proper credentials. Users must upgrade to version 1.41.1 or 2.41.1 to remediate this vulnerability.
Authentication Bypass
-
CVE-2026-32278
HIGH
CVSS 8.2
A Stored Cross-Site Scripting (XSS) vulnerability exists in the file field component of the Form Plugin within Connect-CMS. The vulnerability affects Connect-CMS versions 1.41.0 and earlier in the 1.x series, and versions 2.41.0 and earlier in the 2.x series. If exploited, an attacker can inject malicious scripts that execute in an administrator's browser, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. The vulnerability has been patched and a fix is available from the vendor.
XSS
File Upload
-
CVE-2026-32277
HIGH
CVSS 8.7
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Cabinet Plugin list view of Connect CMS, affecting versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0. An authenticated attacker can execute arbitrary JavaScript in victim browsers by manipulating how saved names are rendered, potentially leading to session hijacking, credential theft, or unauthorized actions. The vulnerability carries a CVSS score of 8.7 (High) and patches are available, with no evidence of active exploitation or public proof-of-concept at this time.
XSS
-
CVE-2026-32276
HIGH
CVSS 8.8
An authenticated code injection vulnerability exists in the Code Study Plugin component of OpenSource Workshop Connect-CMS that allows authenticated users to execute arbitrary code on the server. Both the 1.x series (versions up to 1.41.0) and 2.x series (versions up to 2.41.0) are affected. With a CVSS score of 8.8 (High severity), this vulnerability enables remote code execution and information disclosure with low attack complexity and no user interaction required.
RCE
Information Disclosure
Code Injection
-
CVE-2026-32066
HIGH
CVSS 7.5
OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that enables unauthenticated remote attackers to exhaust server memory by sending repeated HTTP requests with varying query string parameters. This affects OpenClaw versions prior to 2026.3.1. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and lack of authentication requirements, though no evidence of active exploitation (KEV) or public proof-of-concept has been identified at this time.
Denial Of Service
-
CVE-2026-31851
HIGH
CVSS 7.7
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 lacks rate limiting and account lockout mechanisms on its authentication interface, enabling attackers to conduct brute-force attacks against user credentials without being slowed or blocked. This vulnerability affects the Nebula 300+ device family as confirmed through CPE matching. An attacker with network access to the authentication interface can enumerate valid accounts and attempt unlimited password guesses, potentially compromising administrative or user-level access to the device.
Information Disclosure
-
CVE-2026-31849
HIGH
CVSS 7.2
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw affecting the Nexxt Solutions Nebula 300+ device firmware through version 12.01.01.37, where state-changing administrative endpoints lack proper CSRF protections. An attacker can trick an authenticated administrator into submitting malicious requests that modify critical device settings, including security configurations, without the administrator's knowledge or consent. No CVSS score or EPSS data is currently available, and the vulnerability has not been confirmed as actively exploited in the wild, though the lack of CSRF protections on administrative functions represents a significant trust boundary violation.
CSRF
-
CVE-2026-31848
HIGH
CVSS 8.7
The Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 contains an authentication bypass vulnerability where administrative credentials are stored in the ecos_pw cookie using reversible Base64 encoding with a static suffix, allowing attackers who obtain this cookie to forge valid administrative sessions and gain unauthorized device access. The vulnerability affects a network appliance product line and represents a critical authentication control failure. No CVSS score or EPSS data is currently available, and KEV/active exploitation status is unknown; however, the reversible encoding mechanism and static suffix suggest this is likely highly exploitable in practice.
Authentication Bypass
-
CVE-2026-31847
HIGH
CVSS 8.5
A hidden functionality vulnerability exists in the /goform/setSysTools endpoint of Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37, allowing unauthenticated remote attackers to enable a Telnet service that exposes a privileged diagnostic management interface. This significantly expands the attack surface and enables further device compromise through an unencrypted network protocol. No CVSS score, EPSS data, or KEV status is currently available, but the severity is elevated given the remote nature of exploitation and the direct access to privileged diagnostic functions.
Information Disclosure
-
CVE-2026-31846
HIGH
CVSS 7.1
An unauthenticated credential disclosure vulnerability exists in the /goform/ate endpoint of Nexxt Solutions Nebula 300+ firmware (including Tenda F3 v2.0 rebranded variants) through version 12.01.01.37, allowing adjacent network attackers to retrieve the Base64-encoded administrator password without authentication. The recovered credentials enable full device authentication and privilege escalation, facilitating further compromise when combined with other firmware weaknesses. No active KEV listing or public POC availability is currently documented, though the CVSS 6.5 score reflects the significant confidentiality impact despite the network-adjacency requirement.
Authentication Bypass
-
CVE-2026-26829
HIGH
CVSS 7.5
A NULL pointer dereference vulnerability exists in the safe_atou64 function within owntone-server (src/misc.c) that allows remote attackers to cause a Denial of Service by sending crafted HTTP requests to the affected server. The vulnerability affects owntone-server through at least commit c4d57aa, and a public proof-of-concept exploit is available on GitHub, indicating active research and potential exploitation risk.
Denial Of Service
Null Pointer Dereference
Suse
-
CVE-2026-26828
HIGH
CVSS 7.5
A NULL pointer dereference vulnerability exists in the daap_reply_playlists function within owntone-server's DAAP request handler (src/httpd_daap.c) that allows remote attackers to trigger a denial of service condition by sending a specially crafted DAAP protocol request. The vulnerability affects owntone-server at commit 3d1652d and potentially earlier versions. An attacker can remotely crash the server without authentication by exploiting improper input validation in the playlist reply handler, resulting in service unavailability.
Denial Of Service
Null Pointer Dereference
Suse
-
CVE-2026-26209
HIGH
CVSS 7.5
The cbor2 Python library, which implements CBOR serialization, suffers from uncontrolled recursion when decoding deeply nested CBOR structures, allowing remote attackers to trigger Denial of Service by sending crafted payloads containing approximately 100,000 nested arrays. All versions prior to 5.9.0 are affected, including both the pure Python implementation and the C extension. Attackers can crash worker processes in web servers (Gunicorn, Uvicorn) and task queues (Celery) with small malicious packets under 100KB, causing complete service outages through repeated worker crashes.
Python
Denial Of Service
Redhat
Suse
-
CVE-2026-25075
HIGH
CVSS 8.7
Unauthenticated remote attackers can crash strongSwan versions 4.5.0 through 6.0.4 via integer underflow in the EAP-TTLS AVP parser during IKEv2 authentication by sending malformed AVP packets with invalid length fields. Public exploit code exists for this denial of service vulnerability, which triggers memory corruption in the charon daemon with no available patch. Organizations running affected strongSwan versions are vulnerable to service disruption without authentication or user interaction required.
Denial Of Service
Integer Overflow
Suse
-
CVE-2026-24516
HIGH
CVSS 8.8
A critical command injection vulnerability exists in DigitalOcean Droplet Agent through version 1.3.2, where the troubleshooting actioner component processes metadata from the metadata service endpoint without adequate input validation, allowing attackers who can control metadata responses to inject and execute arbitrary OS commands with root privileges. An attacker can trigger the vulnerability by sending a TCP packet with specific sequence numbers to the SSH port, causing the agent to fetch and execute malicious commands from the metadata service, potentially leading to complete system compromise, data exfiltration, and lateral movement across cloud infrastructure. A public proof-of-concept exists at https://github.com/poxsky/CVE-2026-24516-DigitalOcean-RCE, indicating active research and potential exploitation risk.
Command Injection
Privilege Escalation
RCE
Code Injection
Suse
-
CVE-2026-23882
HIGH
CVSS 7.2
Blinko versions prior to 1.8.4 allow authenticated high-privilege users to execute arbitrary commands through the MCP server creation function during connection testing, resulting in complete system compromise. An attacker with administrative credentials can inject malicious commands that execute with application privileges, achieving remote code execution. No patch is currently available for affected deployments.
Command Injection
-
CVE-2026-23555
HIGH
CVSS 7.1
Xenstored on Ubuntu and Debian crashes when a guest VM submits a Xenstore command with an illegal node path "/local/domain/", causing a denial of service to that hypervisor component. An unprivileged guest can trigger this crash via a forced assert() statement, or if the service is built without debugging symbols, cause xenstored to consume excessive CPU resources while becoming unresponsive to further requests. No patch is currently available for this vulnerability.
Denial Of Service
-
CVE-2026-23554
HIGH
CVSS 7.8
This vulnerability in Intel EPT (Extended Page Tables) paging code within Xen allows information disclosure through a use-after-free condition in cached EPT state management. When paging structures are freed before cached EPT state is flushed, stale entries can persist in the EPT cache pointing to memory ranges outside the guest's intended ownership, enabling unauthorized memory access. Xen across multiple versions is affected, with Ubuntu tracking the issue at medium priority across 7 releases and Debian across 7 releases, making this a widespread concern for virtualization infrastructure.
Information Disclosure
Intel
-
CVE-2026-23482
HIGH
CVSS 7.5
Blinko, an AI-powered card note-taking application, contains a path traversal vulnerability in its file server endpoint that fails to validate permissions on the temp/ directory and does not filter path traversal sequences (CWE-22). Attackers can exploit this to read arbitrary files on the server, and when scheduled backup tasks are enabled, can access backup files containing all user notes and authentication tokens. The vulnerability affects all versions prior to 1.8.4 and has been patched in the released version 1.8.4.
Path Traversal
-
CVE-2026-23480
HIGH
CVSS 8.8
Blinko versions prior to 1.8.4 contain a critical privilege escalation vulnerability in the upsertUser endpoint that allows any authenticated user to modify other users' passwords and escalate to superadmin privileges. The vulnerability stems from three distinct authorization and input validation flaws: missing superAdminAuthMiddleware enforcement, optional password verification, and absent ownership checks. An attacker with valid credentials can directly execute account takeover and administrative privilege escalation with no additional exploits required.
Privilege Escalation
-
CVE-2026-22173
HIGH
CVSS 7.4
OpenClaw, an open-source game engine component, contains a command injection vulnerability in its Windows Scheduled Task script generation mechanism. Versions prior to 2026.2.18 write environment variables unquoted to gateway.cmd files, allowing attackers to inject shell metacharacters that break out of assignment context and execute arbitrary commands when the scheduled task runs. This vulnerability has a CVSS score of 7.4 (High) with local attack vector and high attack complexity, and a patch is currently available from the vendor.
Command Injection
Microsoft
Windows
-
CVE-2026-4645
HIGH
CVSS 7.5
The antchfx/xpath component in Debian is vulnerable to denial of service when processing specially crafted Boolean XPath expressions, which trigger an infinite loop in the logicalQuery.Select function consuming 100% CPU resources. Unauthenticated remote attackers can exploit this over the network without user interaction to disable affected systems. No patch is currently available.
Denial Of Service
Debian
-
CVE-2026-4613
HIGH
CVSS 7.3
SQL injection in SourceCodester E-Commerce Site 1.0 through the Search parameter in /products.php enables unauthenticated remote attackers to read, modify, and delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available, putting all installations at immediate risk.
SQLi
PHP
-
CVE-2026-4612
HIGH
CVSS 7.3
SQL injection in the Free Hotel Reservation System 1.0 admin panel allows unauthenticated remote attackers to manipulate the account_id parameter and execute arbitrary SQL queries with potential for data theft, modification, and system disruption. Public exploit code exists for this vulnerability, and no patch is currently available.
PHP
SQLi
-
CVE-2026-4611
HIGH
CVSS 8.6
This vulnerability is an OS command injection flaw in the setLanCfg function of TOTOLINK X6000R routers running firmware versions 9.4.0cu.1360_B20241207 and 9.4.0cu.1498_B20250826. An authenticated attacker with high privileges can execute arbitrary operating system commands by manipulating the Hostname parameter in /usr/sbin/shttpd, potentially leading to complete device compromise. The vulnerability was disclosed via VulDB submission with proof-of-concept information available through reference ID 352475, though no active exploitation (KEV listing) has been reported.
Command Injection
-
CVE-2026-4602
HIGH
CVSS 7.5
The jsrsasign JavaScript library before version 11.1.1 contains a vulnerability that allows attackers to break signature verification by exploiting incorrect handling of negative exponents in modular exponentiation operations. This affects all versions prior to 11.1.1 of the jsrsasign package, enabling remote attackers without authentication to compromise cryptographic signature validation. A proof-of-concept exploit exists as indicated by the CVSS exploitability metric and public GitHub references demonstrating the attack technique.
Information Disclosure
-
CVE-2026-4601
HIGH
CVSS 8.7
A cryptographic vulnerability in the jsrsasign JavaScript library allows attackers to recover DSA private keys through invalid signatures. Versions before 11.1.1 fail to validate and retry when DSA signature parameters r or s become zero during the signing process, enabling mathematical recovery of the private key from the malformed signature. A proof-of-concept exploit is available (https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586), and the CVSS score of 8.7 with Proof-of-concept Exploitation status indicates active research interest.
Information Disclosure
-
CVE-2026-4600
HIGH
CVSS 7.4
A cryptographic signature verification vulnerability exists in the jsrsasign JavaScript library before version 11.1.1 that allows attackers to forge DSA signatures and X.509 certificates. The vulnerability affects DSA domain-parameter validation in KJUR.crypto.DSA.setPublic, enabling complete bypass of signature verification by supplying malicious domain parameters (g=1, y=1, r=1). A proof-of-concept exploit is publicly available (CVSS:3.1 E:P rating) demonstrating active exploitation feasibility, though the attack complexity is rated high and the absence of a KEV listing indicates limited widespread exploitation to date.
Information Disclosure
Jwt Attack
-
CVE-2026-4598
HIGH
CVSS 7.5
The jsrsasign JavaScript library contains an infinite loop vulnerability in the BigInteger.modInverse function that allows remote attackers to permanently hang application processes through specially crafted zero or negative input values. All versions of jsrsasign prior to 11.1.1 are affected by this high-severity denial-of-service condition. A proof-of-concept exploit exists demonstrating the vulnerability, and the CVSS score of 7.5 reflects the ease of exploitation (network-accessible, low complexity, no authentication required).
Denial Of Service
-
CVE-2026-4594
HIGH
CVSS 7.3
SQL injection in Erupt up to version 1.13.3 allows unauthenticated remote attackers to execute arbitrary SQL queries through the sort.field parameter in the HQL query builder. Public exploit code exists for this vulnerability, and no patch is currently available. Affected Java applications using vulnerable versions of Erupt are at risk of data exfiltration and manipulation.
SQLi
Java
-
CVE-2026-4567
HIGH
CVSS 8.9
Stack-based buffer overflow in Tenda A15 router firmware version 15.13.07.13 allows unauthenticated remote attackers to achieve complete system compromise through a malicious file upload to the UploadCfg function. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network with trivial complexity.
Buffer Overflow
Tenda
Stack Overflow
-
CVE-2026-4566
HIGH
CVSS 8.8
Stack-based buffer overflow in Belkin F9K1122 firmware version 1.00.33 allows authenticated remote attackers to achieve complete system compromise through manipulation of the webpage parameter in the formWISP5G function. Public exploit code exists for this vulnerability and the vendor has not provided patches or responded to disclosure attempts. An attacker with network access can execute arbitrary code with full system privileges (confidentiality, integrity, and availability impact).
Buffer Overflow
Stack Overflow
-
CVE-2026-4565
HIGH
CVSS 7.4
Buffer overflow in Tenda AC21 firmware version 16.03.08.16 allows authenticated remote attackers to achieve complete system compromise through crafted QoS configuration requests to the SetNetControlList endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can execute arbitrary code with full system privileges (confidentiality, integrity, and availability impact).
Buffer Overflow
Tenda
-
CVE-2026-4368
HIGH
CVSS 7.7
Citrix NetScaler ADC and Gateway instances configured for SSL VPN, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers are vulnerable to a race condition that enables authenticated attackers to hijack other users' sessions. An attacker with valid credentials can exploit timing-dependent conditions to cause session mixup between concurrent users, potentially gaining unauthorized access to sensitive resources or impersonating other authenticated users. No patch is currently available for this high-severity vulnerability.
Citrix
Race Condition
Session Fixation
Authentication Bypass
Adc
-
CVE-2026-4306
HIGH
CVSS 7.5
The WP Job Portal plugin for WordPress contains an unauthenticated SQL injection vulnerability in the 'radius' parameter affecting all versions up to and including 2.4.8. Unauthenticated remote attackers can exploit this flaw to extract sensitive information from the database, including user credentials, personal data, and other confidential information stored in WordPress tables. The vulnerability has a CVSS score of 7.5 indicating high severity with no authentication required for exploitation.
WordPress
SQLi
-
CVE-2026-4021
HIGH
CVSS 8.1
The Contest Gallery plugin for WordPress contains an authentication bypass vulnerability that allows unauthenticated attackers to take over administrator accounts and gain complete site control. All versions up to and including 28.1.5 are affected when the non-default RegMailOptional=1 setting is enabled. The vulnerability exploits MySQL type coercion by registering with specially crafted email addresses to overwrite admin activation keys, then using an unauthenticated login endpoint to authenticate as the target user. With a CVSS score of 8.1 and high attack complexity (AC:H), this represents a critical risk for sites using the vulnerable configuration.
WordPress
PHP
Authentication Bypass
-
CVE-2026-3533
HIGH
CVSS 8.8
The Jupiter X Core plugin for WordPress contains an unrestricted file upload vulnerability allowing authenticated users with Subscriber-level privileges or higher to upload dangerous file types including .phar, .svg, .dfxp, and .xhtml files. This stems from missing authorization checks in the import_popup_templates() function and insufficient file type validation in the upload_files() function. Successful exploitation leads to Remote Code Execution on Apache servers with mod_php configured to execute .phar files, or Stored Cross-Site Scripting attacks via malicious SVG and other file types on any server configuration.
Apache
WordPress
PHP
File Upload
RCE
-
CVE-2026-1958
HIGH
CVSS 8.7
Hard-coded credentials embedded in Klinika XP and KlinikaXP Insertino applications allow unauthorized attackers to gain access to internal services, most critically the FTP server hosting application update packages. An attacker exploiting these credentials could upload malicious update files that would be distributed to client machines as legitimate updates, enabling supply-chain compromise and widespread system compromise. The vulnerability affects KlinikaXP versions before 5.39.01.01 and KlinikaXP Insertino versions before 3.1.0.1; no CVSS score, EPSS data, or active KEV status is currently available, but the attack complexity is low and requires no privileges, making this a high-priority issue despite the missing CVSS assessment.
Hardcoded Credentials
Authentication Bypass
Information Disclosure
RCE
Ftp
-
CVE-2025-60947
HIGH
CVSS 8.7
Census CSWeb 8.0.1 contains an arbitrary file upload vulnerability allowing authenticated remote attackers to upload malicious files and achieve remote code execution. A public proof-of-concept exploit is available on GitHub (hx381/cspro-exploits), significantly increasing the risk of exploitation. The vulnerability affects the Census CSWeb data dissemination platform used for hosting census and survey data online.
RCE
File Upload
-
CVE-2025-60946
HIGH
CVSS 8.7
Census CSWeb 8.0.1 contains a path traversal vulnerability (CWE-22) allowing authenticated remote attackers to access arbitrary files outside intended directories through unvalidated file path input. A public proof-of-concept exploit is available on GitHub (hx381/cspro-exploits), significantly increasing exploitation risk. With a CVSS score of 8.8 and low attack complexity requiring only low-level privileges, this poses a critical threat to organizations running the affected version.
Path Traversal
-
CVE-2025-15606
HIGH
CVSS 7.1
A Denial-of-Service vulnerability exists in the httpd component of TP-Link TD-W8961N v4.0 routers, caused by improper input sanitization (CWE-20) that allows attackers to craft malicious requests triggering httpd service crashes. The vulnerability enables service interruption and network unavailability for affected users. Although no CVSS score or EPSS metric is publicly available, a vendor patch is already available, indicating acknowledgment of the issue's severity and exploitability.
TP-Link
Denial Of Service
-
CVE-2025-15605
HIGH
CVSS 8.5
A hardcoded cryptographic key in the configuration mechanism of TP-Link Archer NX series routers (NX200, NX210, NX500, NX600) allows authenticated attackers to decrypt, modify, and re-encrypt device configuration files, compromising both confidentiality and integrity of router settings. This vulnerability affects multiple hardware versions across all four product lines, with patches now available from the vendor. While no public exploit code or active KEV status has been reported, the authenticated attack requirement and widespread deployment of these consumer routers present moderate real-world risk.
TP-Link
Information Disclosure
-
CVE-2025-15519
HIGH
CVSS 8.5
A command injection vulnerability exists in the modem-management administrative CLI of TP-Link Archer NX-series routers (NX200, NX210, NX500, NX600) due to improper input handling in CLI commands. An authenticated attacker with administrative privileges can inject crafted input into vulnerable CLI parameters to execute arbitrary operating system commands, compromising the confidentiality, integrity, and availability of the device. A patch is available from TP-Link, and no public exploit or active exploitation has been confirmed at this time.
TP-Link
Command Injection
-
CVE-2025-15518
HIGH
CVSS 8.5
A command injection vulnerability exists in the wireless-control administrative CLI command of TP-Link Archer NX series routers (models NX200, NX210, NX500, and NX600) due to improper input handling that allows crafted input to be executed as part of operating system commands. An authenticated attacker with administrative privileges can exploit this vulnerability to execute arbitrary commands on the device, compromising confidentiality, integrity, and availability. Patches are available from the vendor for all affected models and versions.
TP-Link
Command Injection
-
CVE-2025-15517
HIGH
CVSS 8.6
A missing authentication check in the HTTP server of TP-Link Archer NX-series routers (NX200, NX210, NX500, NX600) allows unauthenticated attackers to access privileged CGI endpoints intended for authenticated administrators. An attacker can perform critical operations including firmware upload and configuration changes without providing valid credentials, effectively gaining administrative control over the device. A vendor patch is available, and this vulnerability represents a direct authentication bypass with severe real-world exploitation potential.
TP-Link
Authentication Bypass
-
CVE-2025-10679
HIGH
CVSS 7.3
The ReviewX plugin for WordPress contains a critical arbitrary method call vulnerability in all versions up to and including 2.2.12. Unauthenticated attackers can exploit insufficient input validation in the bulkTenReviews function to call arbitrary PHP class methods, potentially achieving remote code execution or information disclosure. With a CVSS score of 7.3 and network-based exploitation requiring no privileges or user interaction, this presents a significant risk to WordPress sites using this WooCommerce product review plugin.
WordPress
PHP
RCE
Information Disclosure
Code Injection
-
CVE-2026-33690
MEDIUM
CVSS 5.3
WWBN AVideo versions up to and including 26.0 contain an IP address spoofing vulnerability in the getRealIpAddr() function that trusts user-controlled HTTP headers to determine client IP addresses. This allows attackers to bypass IP-based access controls and audit logging mechanisms by forging headers such as X-Forwarded-For or X-Real-IP without authentication or user interaction. The vulnerability carries a CVSS score of 5.3 (medium severity) with low attack complexity, and a patch is available via commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c, though no public exploit code or KEV designation has been confirmed at this time.
PHP
Authentication Bypass
-
CVE-2026-33688
MEDIUM
CVSS 5.3
WWBN AVideo versions up to and including 26.0 contain an information disclosure vulnerability in the password recovery endpoint (objects/userRecoverPass.php) that allows unauthenticated attackers to enumerate valid usernames and determine account status (active, inactive, or banned) without solving any captcha. The vulnerability exists because user existence and account status validation occurs before captcha verification, enabling attackers to distinguish three different JSON error responses at scale. No evidence of active exploitation in the wild has been reported, but a patch is available in commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157.
PHP
Information Disclosure
-
CVE-2026-33685
MEDIUM
CVSS 5.3
WWBN AVideo versions up to 26.0 expose advertising analytics data through an unauthenticated JSON API endpoint that lacks access controls, allowing attackers to retrieve sensitive information including video titles, user identifiers, channel names, and ad campaign performance metrics. While the HTML and CSV export functions properly enforce admin authentication, the JSON variant was left unprotected, enabling unauthorized data disclosure with no authentication required. A patch is available in commit daca4ffb1ce19643eecaa044362c41ac2ce45dde.
Authentication Bypass
PHP
-
CVE-2026-33683
MEDIUM
CVSS 5.4
WWBN AVideo versions up to and including 26.0 contain a stored cross-site scripting (XSS) vulnerability in the user profile "about" field caused by improper sanitization order of operations. Any registered user can inject arbitrary JavaScript that executes when other users visit their channel page, allowing attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. A patch is available via commit 7cfdc380dae1e56bbb5de581470d9e9957445df0, and the vulnerability has been formally disclosed through GitHub Security Advisory GHSA-ghx5-7jjg-q2j7.
XSS
-
CVE-2026-33486
MEDIUM
CVSS 6.8
This vulnerability in Roadiz's DownloadedFile::fromUrl() method allows authenticated users with ROLE_ACCESS_DOCUMENTS to read arbitrary files from the server via PHP stream wrapper abuse, specifically by injecting file:// URIs into media import workflows. An attacker can extract sensitive files including .env configuration files, database credentials, and system files, achieving complete confidentiality compromise of the application and potentially the underlying infrastructure. A proof-of-concept exists demonstrating exploitation through malicious Podcast RSS feeds, and a patch is available from the vendor.
PHP
SSRF
Microsoft
Privilege Escalation
-
CVE-2026-33290
MEDIUM
CVSS 4.3
WPGraphQL prior to version 2.10.0 allows authenticated low-privileged users to bypass comment moderation controls and self-approve their own comments without possessing the moderate_comments capability. The vulnerability exploits owner-based authorization logic in the updateComment mutation, enabling non-moderator users to transition comment status to APPROVE, HOLD, SPAM, or TRASH states directly. A proof-of-concept demonstrating this authorization bypass in WPGraphQL 2.9.1 has been published, and while the EPSS score of 0.03% indicates low statistical likelihood of exploitation, the attack vector is network-based with low complexity and requires only low-level user privileges (including custom roles with zero capabilities).
WordPress
PHP
Privilege Escalation
Wp Graphql
Docker
-
CVE-2026-33173
MEDIUM
CVSS 5.3
Rails Active Storage's DirectUploadsController accepts and persists arbitrary client-supplied metadata on blob objects, allowing attackers to manipulate internal flags like 'identified' and 'analyzed' that should only be set by the server. This affects Ruby on Rails versions across multiple release branches (7.2.x, 8.0.x, and 8.1.x prior to the patched versions 7.2.3.1, 8.0.4.1, and 8.1.2.1), and while not currently listed in the KEV catalog, patches are available from the vendor indicating acknowledgment of the issue's validity.
Information Disclosure
-
CVE-2026-33170
MEDIUM
CVSS 6.1
SafeBuffer's string formatting operator (%) in Ruby fails to preserve HTML safety flags when processing untrusted input, allowing attackers to inject malicious scripts that bypass ERB auto-escaping protections. An attacker can exploit this by providing crafted arguments to the % operator on a mutated SafeBuffer, causing the resulting string to be incorrectly marked as safe and potentially leading to cross-site scripting (XSS) attacks. A patch is available for affected applications.
XSS
-
CVE-2026-33169
MEDIUM
CVSS 5.3
A regular expression denial of service (ReDoS) vulnerability exists in Rails ActiveSupport's NumberToDelimitedConverter, which uses gsub! with an inefficient regex pattern to insert thousands delimiters into numeric strings. An attacker can craft excessively long digit strings that cause quadratic time complexity, leading to CPU exhaustion and denial of service. Patches are available from the Rails project for versions 7.2.3.1, 8.0.4.1, and 8.1.2.1, and the vulnerability is tagged as a denial of service issue affecting the activesupport gem.
Denial Of Service
-
CVE-2026-32912
MEDIUM
CVSS 5.8
OpenClaw versions 2026.2.26 through 2026.3.0 contain a current working directory (CWD) injection vulnerability in the Windows wrapper resolution mechanism for .cmd and .bat files, allowing attackers with local access to manipulate CWD and achieve command execution with integrity compromise. An attacker with local privileges can alter the working directory to inject malicious wrapper scripts that execute instead of legitimate ones, bypassing command execution controls. The vulnerability requires local access and moderate complexity but enables high-integrity impact; no active KEV or widespread exploitation has been reported, but proof-of-concept details are documented in vendor security advisories.
Code Injection
Microsoft
Windows
-
CVE-2026-32911
MEDIUM
CVSS 6.4
Synology OpenClaw versions prior to 2026.2.24 contain an authorization bypass in the synology-chat channel plugin where misconfigured allowlist policies with empty user IDs fail to enforce access controls. Authenticated attackers with Synology sender privileges can exploit this flaw to send unauthorized messages through downstream agents and tools. A patch is available.
Authentication Bypass
Synology
-
CVE-2026-32904
MEDIUM
CVSS 4.6
OpenClaw before version 2026.2.26 contains an authorization bypass vulnerability in group allowlist policy evaluation that improperly accepts sender identities from DM pairing-store approvals. Attackers with low privileges can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized access to restricted groups. The vulnerability carries a moderate CVSS score of 4.6 with user interaction required, and patches are available from the vendor.
Authentication Bypass
-
CVE-2026-32903
MEDIUM
CVSS 6.1
OpenClaw before version 2026.3.2 contains a symlink traversal vulnerability in the stageSandboxMedia function that allows local attackers with limited privileges to overwrite arbitrary files outside the intended sandbox workspace. By exploiting unvalidated destination paths in media/inbound write operations, an attacker can follow symlinks to modify host files beyond sandbox boundaries, resulting in integrity compromise and potential system availability impact. A patch is available from the vendor.
Information Disclosure
-
CVE-2026-32901
MEDIUM
CVSS 6.7
OpenClaw before version 2026.3.2 contains a semantic drift vulnerability in the node system.run approval hardening mechanism that allows attackers to manipulate wrapper command arguments (argv) to execute unintended local scripts. An attacker with local access, low privileges, and the ability to influence wrapper argv and place malicious files in the approved working directory can achieve arbitrary script execution by exploiting argv rewriting that bypasses the intended approved command enforcement. A patch is available from the vendor, and this vulnerability affects all OpenClaw versions prior to 2026.3.2.
Information Disclosure
-
CVE-2026-32900
MEDIUM
CVSS 6.4
OpenClaw before version 2026.2.22 contains an authorization bypass vulnerability in allowlist mode that allows attackers with high privileges to approve benign wrapped system.run commands and subsequently execute arbitrary commands without requiring additional approval on gateway and node-host execution flows. This vulnerability exploits allow-always persistence at the wrapper level to broaden trust boundaries beyond the initial approval scope. The vulnerability has a CVSS score of 6.4 with high impact on confidentiality, integrity, and availability, though exploitation requires high privilege level and user interaction.
Authentication Bypass
-
CVE-2026-32879
MEDIUM
CVSS 4.9
A logic flaw in New API's universal secure verification flow allows authenticated users with registered passkeys to bypass WebAuthn assertion completion, effectively circumventing step-up authentication for privileged actions. This affects New API versions 0.10.0 and later, enabling authenticated attackers with passkey enrollment to access sensitive functionality without completing proper cryptographic verification. No patched versions are currently available, making this an unresolved authentication bypass affecting all current deployments.
Authentication Bypass
-
CVE-2026-32852
MEDIUM
CVSS 5.1
MailEnable versions prior to 10.55 contain a reflected cross-site scripting (XSS) vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser without requiring authentication or special privileges. The vulnerability exists in the FreeBusy.aspx form where the StartDate parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling attackers to inject malicious code through a crafted URL. A public proof-of-concept exploit is available, and a patch has been released by the vendor, making this a moderate-to-high priority issue for organizations running affected versions.
XSS
-
CVE-2026-32851
MEDIUM
CVSS 5.1
MailEnable versions prior to 10.55 contain a reflected cross-site scripting (XSS) vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser without requiring authentication or special privileges. The vulnerability exists in the FreeBusy.aspx form where the Attendees parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling attackers to craft malicious URLs that compromise user sessions and steal sensitive data. A public proof-of-concept exploit is available, increasing the practical risk to deployed MailEnable installations.
XSS
-
CVE-2026-32850
MEDIUM
CVSS 5.1
MailEnable versions prior to 10.55 contain a reflected cross-site scripting (XSS) vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL targeting the ManageShares.aspx form. The SelectedIndex parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling attackers to inject and execute malicious code. A publicly available proof-of-concept exploit exists, and a patch has been released by the vendor.
XSS
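The three MailEnable entries above describe one pattern: a query parameter spliced into JavaScript that the page itself generates, so the attacker controls source code rather than text. The following is an added example, not MailEnable code (the handler names and the single-quoted variable are hypothetical), showing the vulnerable concatenation beside a safe encoding, plus a small harness that executes the generated script the way a browser would.

```javascript
// Added example: reflected XSS through a value embedded in generated JavaScript.
// Hypothetical handler names; not MailEnable code.

// Vulnerable: the raw StartDate value is concatenated into JavaScript source.
function renderFreeBusyScriptUnsafe(startDate) {
  return `<script>var startDate = '${startDate}';</script>`;
}

// Encode a value as a JavaScript string literal that is also safe inside an
// HTML <script> element. JSON.stringify handles quotes, backslashes and control
// characters; the replacements cover characters that can still close the
// element (< > &) or end a JS line in older engines (U+2028 / U+2029).
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Fixed: whatever the parameter contains, it can only ever be a string literal.
function renderFreeBusyScriptSafe(startDate) {
  return `<script>var startDate = ${toJsStringLiteral(startDate)};</script>`;
}

// Harness standing in for the browser: extract the first <script> body and run
// it with a recording alert(). Returns the value startDate ended up holding
// and every alert() the script made.
function runGeneratedScript(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.indexOf('</script>');
  const body = html.slice(start, end);
  const alerts = [];
  const fn = new Function('alert', 'document', body + '\n;return startDate;');
  const startDate = fn((x) => alerts.push(String(x)), { cookie: 'session=abc123' });
  return { startDate, alerts };
}

// Number of <script> open tags in the rendered HTML: more than one means the
// input created a second script element.
function countScriptOpenTags(html) {
  return (html.match(/<script/gi) || []).length;
}

// Constructed payloads: the first breaks out of the quoted string, the second
// closes the <script> element and opens a new one.
const PAYLOAD_QUOTE = "2026-01-01'; alert(document.cookie); //";
const PAYLOAD_TAG = '2026-01-01</script><script>alert(1)</script>';
```

The harness only runs the first script element, which is enough to show the quote break-out; for the tag break-out the count of open tags is the tell, since a browser would run the injected second element regardless of what happened in the first.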
-
CVE-2026-32279
MEDIUM
CVSS 6.8
A Server-Side Request Forgery (SSRF) vulnerability exists in the external page migration feature of the Page Management Plugin (Connect CMS), allowing authenticated attackers with page management screen access to make the server perform requests to internal destinations and disclose sensitive information. The vulnerability affects Connect CMS versions 1.x through 1.41.0 and 2.x through 2.41.0, with patches available in versions 1.41.1 and 2.41.1 respectively. With a CVSS score of 6.8 and moderate attack complexity requiring high privileges, this represents a real but bounded risk primarily to organizations running older plugin versions with administrative users who may be compromised or malicious.
SSRF
Information Disclosure
-
CVE-2026-32047
MEDIUM
CVSS 5.8
OpenClaw before version 2026.2.22 contains an allowlist bypass vulnerability in the system.run function that allows authenticated local attackers to execute arbitrary commands outside the intended allowlist. An attacker with local access and low privileges can place shell line-continuation sequences and command substitution syntax inside double quotes so that a payload is folded into an executable subcommand that the allowlist check never sees. This enables privilege escalation and arbitrary code execution on affected systems.
Authentication Bypass
-
CVE-2026-32012
MEDIUM
CVSS 4.8
OpenClaw before version 2026.2.25 fails to implement durable replay state validation for Nextcloud Talk webhook events, allowing attackers to capture and replay previously valid signed webhook requests to cause duplicate processing. This affects all versions of OpenClaw prior to the patched release, and an attacker with network access can exploit this vulnerability without authentication or user interaction to trigger integrity and availability impacts such as duplicate message processing or resource exhaustion.
Information Disclosure
Nextcloud
-
CVE-2026-31850
MEDIUM
CVSS 6.8
The Nexxt Solutions Nebula 300+ wireless router stores administrative credentials and WiFi pre-shared keys in plaintext within exported configuration backup files (CWE-256, Plaintext Storage of a Password). This affects firmware versions through 12.01.01.37 and allows anyone who obtains a backup file to immediately gain full administrative and wireless network access without any cryptographic attack. No EPSS data or KEV designation is currently available, but the plaintext credential exposure is a serious risk for any environment that stores or shares configuration backups.
Information Disclosure
-
CVE-2026-30886
MEDIUM
CVSS 6.5
An Insecure Direct Object Reference (IDOR) vulnerability exists in New API versions prior to 0.11.4-alpha.2, a large language model gateway and AI asset management system. Authenticated users can bypass authorization checks on the video proxy endpoint (GET /v1/videos/:task_id/content) to access video content belonging to other users and cause the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The vulnerability stems from a single unguarded function call that queries tasks by task_id alone without validating user ownership, contrasting sharply with all other task-lookup functions in the codebase that properly enforce ownership checks.
Google
Authentication Bypass
-
CVE-2026-30007
MEDIUM
CVSS 6.2
XnSoft NConvert version 7.230 contains a Use-After-Free vulnerability triggered by processing specially crafted TIFF files, which can lead to information disclosure and potential code execution. The vulnerability affects NConvert image conversion software and has been publicly documented with proof-of-concept code available on GitHub. An attacker can exploit this by providing a malicious TIFF file to an NConvert user or service, potentially causing a crash or unauthorized memory access.
Information Disclosure
Memory Corruption
Use After Free
-
CVE-2026-30006
MEDIUM
CVSS 6.2
XnSoft NConvert version 7.230 contains a stack buffer overflow vulnerability triggered by specially crafted TIFF files, allowing an attacker to overwrite stack memory and potentially execute arbitrary code or cause denial of service. The vulnerability affects the image conversion functionality of NConvert, a widely-used command-line image conversion tool. A proof-of-concept exploit has been documented on GitHub (PassMoon/Nconvert_Vul), indicating public awareness and potential active exploitation risk.
Buffer Overflow
-
CVE-2026-29111
MEDIUM
CVSS 5.5
systemd (PID 1) contains a denial-of-service vulnerability triggered by malformed IPC API calls from unprivileged users that causes the service manager to assert and freeze. On versions v249 and earlier, the same vulnerability manifests as stack buffer overwriting with attacker-controlled data, potentially enabling code execution; versions v250 and newer include a safety check that converts this to a non-exploitable assertion failure. The vulnerability affects systemd versions v239 through v259 (with patched versions 260-rc1, 259.2, 258.5, and 257.11 available), impacting all Linux distributions using affected systemd builds including multiple Ubuntu releases tracked at medium priority.
Privilege Escalation
-
CVE-2026-28809
MEDIUM
CVSS 6.3
An SSRF vulnerability (CVSS 6.3) that allows an attacker. Remediation should follow standard vulnerability management procedures.
XXE
SSRF
Kubernetes
-
CVE-2026-28483
MEDIUM
CVSS 5.8
OpenClaw before version 2026.3.2 contains a race condition vulnerability in its ZIP extraction functionality that allows local attackers with limited privileges to write arbitrary files outside the intended extraction directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) gap in src/infra/archive.ts where an attacker can rebind parent directory symlinks between path validation and file write operations, enabling directory traversal and potential code execution. A patch is available from the vendor, and this vulnerability requires local access with user-level privileges to exploit, making it a moderate-severity concern for systems where untrusted users can extract archives.
Information Disclosure
-
CVE-2026-28455
MEDIUM
CVSS 5.8
OpenClaw before version 2026.2.22 contains an allowlist bypass vulnerability in its system.run exec analysis functionality that fails to properly unwrap environment variable and shell-dispatch wrapper chains. Attackers with local access and limited privileges can exploit this to route command execution through wrapper binaries such as env or bash, allowing them to smuggle payloads past the intended allowlist restrictions. This vulnerability enables privilege escalation and integrity compromise on affected systems.
Authentication Bypass
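The two OpenClaw system.run entries (CVE-2026-32047 above and this one) describe two ways a first-token allowlist check is defeated: a line continuation or command substitution inside double quotes, and a wrapper binary such as env or bash in front of the real command. The following is an added example, not OpenClaw code (the allowlist contents, the wrapper set and the policy of analysing a shell's -c string are assumptions for illustration), showing the naive check beside a hardened analyser that rejects shell metacharacters before tokenising, then peels env and shell -c wrappers until the command that would actually run is the one being allowlisted.

```javascript
// Added example: command allowlist checking, naive versus hardened.
// Not OpenClaw code; allowlist and wrapper handling are illustrative.

// "env" is allowlisted so that "env VAR=x cmd" works, which is exactly what
// lets a first-token check be wrapped around.
const ALLOWLIST = new Set(['echo', 'ls', 'cat', 'env']);
const SHELLS = new Set(['sh', 'bash', 'dash', 'zsh']);

// Naive check: only the first whitespace-separated token is inspected.
function naiveAllowed(cmdline) {
  const first = cmdline.trim().split(/\s+/)[0];
  return ALLOWLIST.has(first);
}

// Anything that lets one "command" become several: separators, redirections,
// backticks, $( ) and ${ }, and any newline (a backslash-newline continuation
// needs one, and a continuation works even inside double quotes).
const DANGEROUS = /[\r\n;|&<>`]|\$\(|\$\{/;

// Minimal POSIX-style tokenizer: single quotes are literal, double quotes honour
// backslash escapes of " \ $ `, an unquoted backslash escapes the next char.
function tokenize(s) {
  const out = [];
  let cur = '', inTok = false, i = 0;
  while (i < s.length) {
    const c = s[i];
    if (c === "'") {
      const j = s.indexOf("'", i + 1);
      if (j < 0) throw new Error('unbalanced single quote');
      cur += s.slice(i + 1, j); i = j + 1; inTok = true; continue;
    }
    if (c === '"') {
      let closed = false; i++;
      while (i < s.length) {
        if (s[i] === '\\' && i + 1 < s.length && '"\\$`'.includes(s[i + 1])) { cur += s[i + 1]; i += 2; continue; }
        if (s[i] === '"') { closed = true; i++; break; }
        cur += s[i++];
      }
      if (!closed) throw new Error('unbalanced double quote');
      inTok = true; continue;
    }
    if (c === '\\' && i + 1 < s.length) { cur += s[i + 1]; i += 2; inTok = true; continue; }
    if (/\s/.test(c)) { if (inTok) { out.push(cur); cur = ''; inTok = false; } i++; continue; }
    cur += c; inTok = true; i++;
  }
  if (inTok) out.push(cur);
  return out;
}

// Hardened check: reject metacharacters up front, unwrap env and shell -c
// wrappers, and allowlist the command that would really execute.
function analyze(cmdline, depth = 0) {
  if (depth > 3) return { allowed: false, reason: 'wrapper nesting too deep' };
  if (DANGEROUS.test(cmdline)) return { allowed: false, reason: 'shell metacharacter or newline' };
  let tokens;
  try { tokens = tokenize(cmdline); } catch (e) { return { allowed: false, reason: e.message }; }
  for (;;) {
    if (tokens.length === 0) return { allowed: false, reason: 'empty command' };
    const head = tokens[0].split('/').pop(); // /usr/bin/env is still env
    if (head === 'env') {
      let i = 1;
      while (i < tokens.length && (tokens[i] === '-i' || /^[A-Za-z_]\w*=/.test(tokens[i]))) i++;
      if (i < tokens.length && tokens[i].startsWith('-')) return { allowed: false, reason: `unsupported env option ${tokens[i]}` };
      tokens = tokens.slice(i);
      continue;
    }
    if (SHELLS.has(head)) {
      const ci = tokens.indexOf('-c');
      if (ci < 0 || ci + 1 >= tokens.length) return { allowed: false, reason: 'shell wrapper without -c string' };
      return analyze(tokens[ci + 1], depth + 1); // analyse what the shell would run
    }
    return ALLOWLIST.has(head)
      ? { allowed: true, reason: head }
      : { allowed: false, reason: `${head} is not allowlisted` };
  }
}
```

Recursing into a shell's -c string is one defensible policy; many deployments simply refuse any shell binary as a head. Either way the decision is made on the command that survives unwrapping, not on the first token the user typed.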
-
CVE-2026-27646
MEDIUM
CVSS 5.8
OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn slash-command that allows authorized sandboxed users to initialize host-side ACP runtime and bypass sandbox restrictions. An attacker with low privileges and sandboxed chat access can invoke the vulnerable command to cross from the isolated chat context into unrestricted host-side ACP session initialization when ACP is enabled, escalating their capabilities beyond the intended boundary. The vulnerability is rated medium severity, and a patch is available from the vendor.
Authentication Bypass
-
CVE-2026-27131
MEDIUM
CVSS 5.5
The Sprig Plugin for Craft CMS contains an information disclosure vulnerability that allows authenticated admin users and those with explicit Sprig Playground access to expose sensitive configuration data including security keys and credentials, as well as invoke the hashData() signing function. Affected versions include 2.0.0 through 2.15.1 and 3.0.0 through 3.15.1, with patches released in versions 2.15.2 and 3.15.2 that disable the Sprig Playground by default when devMode is disabled. This is not currently tracked as an actively exploited vulnerability in public KEV databases, though proof-of-concept code may exist in the referenced GitHub security advisory and commits.
Information Disclosure
-
CVE-2026-23488
MEDIUM
CVSS 5.3
Blinko, an AI-powered card note-taking application, contains an authentication bypass vulnerability in its comment management endpoints that allows unauthenticated attackers to create and view comments on any note, including private notes that have not been publicly shared. Versions prior to 1.8.4 are vulnerable, and a patch has been released and is available via the official GitHub repository. The vulnerability carries a CVSS v4.0 base score of 6.9 with a network attack vector requiring no privileges or user interaction, making it trivial to exploit.
Authentication Bypass
-
CVE-2026-23487
MEDIUM
CVSS 6.5
An Insecure Direct Object Reference (IDOR) vulnerability in Blinko versions prior to 1.8.4 allows authenticated attackers to leak the superadmin token through the user.detail endpoint by manipulating user identifiers. This authorization bypass affects the Blinko AI-powered note-taking application. A patch is available in version 1.8.4, and proof-of-concept information is available via the official GitHub security advisory.
Authentication Bypass
-
CVE-2026-23486
MEDIUM
CVSS 5.3
A publicly accessible endpoint in Blinko prior to version 1.8.4 discloses sensitive user information including usernames, roles, and account creation dates without requiring authentication, allowing unauthenticated attackers to enumerate all user accounts. This information disclosure vulnerability (CWE-200) affects Blinko versions below 1.8.4 and has been patched in the latest release. The vulnerability is remotely exploitable over the network with minimal attack complexity and no privilege requirements, making it a significant privacy and enumeration risk for deployed instances.
Information Disclosure
-
CVE-2026-23485
MEDIUM
CVSS 5.3
Blinko, an AI-powered card note-taking application, contains a path traversal vulnerability in the filePath parameter that allows unauthenticated remote attackers to enumerate file existence on the server through differential error responses. Versions prior to 1.8.4 are affected, and an attacker can leverage this vulnerability to discover sensitive files and directories without authentication or user interaction. The vulnerability has been patched in version 1.8.4, and exploit code or proof-of-concept demonstrations are available via the GitHub security advisory.
Path Traversal
-
CVE-2026-23484
MEDIUM
CVSS 6.5
Blinko versions 1.8.3 and earlier allow authenticated users to write arbitrary files to the filesystem through an unvalidated fileName parameter, exploiting a path traversal weakness. The vulnerability requires only basic user authentication and can be leveraged to place malicious files anywhere on the server, potentially leading to remote code execution or system compromise. No patch is currently available.
Path Traversal
-
CVE-2026-23483
MEDIUM
CVSS 5.3
Blinko versions 1.8.3 and earlier contain a path traversal vulnerability in the plugin file server endpoint that fails to validate whether requested file paths remain within the plugins directory, enabling unauthenticated remote attackers to read arbitrary files. The vulnerability has a CVSS score of 5.3 and currently lacks a publicly available patch.
Path Traversal
-
CVE-2026-23481
MEDIUM
CVSS 6.5
Blinko, an AI-powered card note-taking application, contains an authenticated arbitrary file write vulnerability in the saveAdditionalDevFile function that allows attackers to write files to arbitrary locations on the system via path traversal. This vulnerability affects all versions prior to 1.8.4 and requires authentication to exploit. An attacker with valid credentials can abuse this flaw to overwrite critical application files, inject malicious code, or achieve remote code execution depending on file permissions and system configuration.
Path Traversal
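The four Blinko path traversal entries above (CVE-2026-23485, -23484, -23483 and -23481) share one missing check: the path built from filePath or fileName is never confirmed to stay inside the intended directory, and in the read-only case the differing error responses double as a file-existence oracle. The following is an added example, not Blinko code (the base directory, the handler and the status mapping are illustrative), showing the prefix check that looks right but is not beside a containment check that normalizes first, and a response mapping that answers "outside the directory" and "not found" identically.

```javascript
// Added example: lexical path containment for a user-supplied file path.
// Not Blinko code; directory and handler names are illustrative.

// Normalize a POSIX path: drop empty and "." segments, resolve ".." by popping,
// and clamp ".." at the root for absolute paths (same result as path.posix.resolve
// on a single absolute argument, but with no module dependency).
function normalizePosix(p) {
  const abs = p.startsWith('/');
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { if (out.length) out.pop(); else if (!abs) out.push('..'); continue; }
    out.push(seg);
  }
  return (abs ? '/' : '') + out.join('/');
}

// Vulnerable: a string-prefix check with no normalization and no separator.
// "../../etc/passwd" still starts with the base, and so does a sibling
// directory such as "/srv/plugins-evil".
function resolveUnsafe(baseDir, userPath) {
  const full = baseDir + '/' + userPath;
  return full.startsWith(baseDir) ? full : null;
}

// Fixed: reject NUL bytes and absolute input, normalize, then require the
// result to be strictly below the base (base + "/" prefix, never base itself).
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0') || userPath.startsWith('/')) return null;
  const base = normalizePosix(baseDir);
  const full = normalizePosix(base + '/' + userPath);
  if (full === base || !full.startsWith(base + '/')) return null;
  return full;
}

// Differential responses (403 for traversal, 404 for missing) let an
// unauthenticated caller probe the filesystem; answer both the same way.
// fileExists is injected so the example runs without touching a real disk.
function statusFor(baseDir, userPath, fileExists) {
  const full = resolveInside(baseDir, userPath);
  if (full === null || !fileExists(full)) return 404;
  return 200;
}
```

This check is lexical: it says nothing about symlinks below the base that point elsewhere, which is the gap the OpenClaw archive entry (CVE-2026-28483) above is about. Where the directory can contain attacker-created links, resolve with realpath and open with O_NOFOLLOW (or openat2 with RESOLVE_BENEATH on Linux) in addition to this check.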
-
CVE-2026-4647
MEDIUM
CVSS 6.1
A specially crafted XCOFF object file can trigger an out-of-bounds memory read in the GNU Binutils BFD library due to improper validation of relocation type values. This affects Red Hat Enterprise Linux versions 6 through 10 and Red Hat OpenShift Container Platform 4, potentially allowing local attackers with user interaction to crash affected tools or disclose sensitive memory contents. While not currently listed in CISA KEV as actively exploited, the vulnerability is tracked across Red Hat, Sourceware, and Bugzilla with upstream references indicating visibility and likely patch development.
Information Disclosure
Buffer Overflow
-
CVE-2026-4628
MEDIUM
CVSS 4.3
Keycloak's User-Managed Access endpoint fails to properly enforce access control on PUT operations, permitting authenticated attackers to modify protected resources despite the allowRemoteResourceManagement restriction being disabled. This access control bypass affects data integrity and impacts any organization using Keycloak for identity and access management. The vulnerability requires valid credentials to exploit and currently has no available patch.
Authentication Bypass
-
CVE-2026-4603
MEDIUM
CVSS 5.9
jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by improper parsing of JWK moduli that decode to zero. An attacker can supply a malicious JWK to force RSA verify and encryption operations to produce deterministic zero outputs while suppressing invalid key errors, leading to cryptographic bypass and information disclosure. A proof-of-concept exists and the vulnerability has moderate real-world risk due to its low attack complexity and local attack vector.
Information Disclosure
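The entry above turns on one parsing gap: a JWK whose base64url modulus decodes to zero is accepted, after which the RSA public operation returns zero for every input instead of raising an invalid-key error. The following is an added example, not jsrsasign code, of the validation a verifier should do before using a JWK. The modPowLenient routine models the "deterministic zero" outcome the advisory describes (a real bignum library would throw or divide by zero); the keys are constructed, and the "shaped" modulus only has the right size and parity, it is not a real RSA key.

```javascript
// Added example: validating an RSA public JWK before use. Not jsrsasign code.

function b64urlToBigInt(s) {
  const buf = Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
  return buf.length === 0 ? 0n : BigInt('0x' + buf.toString('hex'));
}

function bigIntToB64url(x) {
  let hex = x.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  return Buffer.from(hex, 'hex').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Square-and-multiply. The mod === 0n branch models the failure mode in the
// advisory: a zero modulus collapses every output to zero instead of erroring.
function modPowLenient(base, exp, mod) {
  if (mod === 0n) return 0n;
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Unchecked: whatever the JWK says is used as-is. With n = 0 a forged
// signature and a genuine one produce the same (zero) result.
function rsaPublicOpUnchecked(jwk, input) {
  return modPowLenient(input, b64urlToBigInt(jwk.e), b64urlToBigInt(jwk.n));
}

// Structural checks a verifier can do without any trust in the key's source:
// a zero, undersized or even modulus, or a degenerate exponent, is never valid.
function validateRsaPublicJwk(jwk, minBits = 2048) {
  if (!jwk || jwk.kty !== 'RSA' || typeof jwk.n !== 'string' || typeof jwk.e !== 'string') {
    throw new Error('not an RSA JWK');
  }
  const n = b64urlToBigInt(jwk.n);
  const e = b64urlToBigInt(jwk.e);
  if (n === 0n) throw new Error('modulus decodes to zero');
  if (n.toString(2).length < minBits) throw new Error(`modulus shorter than ${minBits} bits`);
  if ((n & 1n) === 0n) throw new Error('modulus is even');
  if (e < 3n || (e & 1n) === 0n) throw new Error('public exponent must be an odd integer >= 3');
  return { n, e };
}

function rsaPublicOpChecked(jwk, input) {
  const { n, e } = validateRsaPublicJwk(jwk);
  if (input < 0n || input >= n) throw new Error('input out of range');
  return modPowLenient(input, e, n); // n is non-zero here, so the lenient branch is unreachable
}

// Result wrapper so callers can branch on validation failure without try/catch.
function checkedResult(jwk, input) {
  try { return { ok: true, value: rsaPublicOpChecked(jwk, input) }; }
  catch (err) { return { ok: false, error: err.message }; }
}

// Constructed keys: "AAAA" is three zero bytes; the shaped modulus is 2^2047 + 1
// (2048 bits, odd) and exists only to pass the structural checks.
const ZERO_MODULUS_JWK = { kty: 'RSA', n: 'AAAA', e: 'AQAB' };
const SHAPED_MODULUS = (1n << 2047n) | 1n;
const SHAPED_JWK = { kty: 'RSA', n: bigIntToB64url(SHAPED_MODULUS), e: 'AQAB' };
```

The structural checks catch the zero-modulus case and its relatives; they do not replace key provenance. A JWK that arrives with the token it is supposed to verify (an embedded jwk header, or a jku the token chooses) must be matched against a pinned or discovered key set before any of this runs.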
-
CVE-2026-4597
MEDIUM
CVSS 6.3
SQL injection in the Stream Proxy Query Handler component of wvp-GB28181-pro up to version 2.7.4 allows authenticated remote attackers to execute arbitrary SQL queries and potentially read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The affected Java application processes unsanitized input in the selectAll function without proper parameterized queries.
SQLi
Java
-
CVE-2026-4596
MEDIUM
CVSS 5.1
A stored or reflected cross-site scripting (XSS) vulnerability exists in projectworlds Lawyer Management System version 1.0, specifically in the /lawyers.php file where the first_Name parameter is inadequately sanitized. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially stealing session tokens or performing unauthorized actions. A public proof-of-concept exploit is available, and exploitation requires only low complexity with user interaction (UI:R), though the attack vector is network-accessible and does not require high privileges.
PHP
XSS
-
CVE-2026-4593
MEDIUM
CVSS 6.3
SQL injection in Erupt's MCP Tool Interface allows authenticated attackers to manipulate database queries through the EruptDataQuery component, potentially exposing or modifying sensitive data. The vulnerability affects Java-based Erupt deployments version 1.13.3 and has public exploit code available. No patch is currently available from the vendor, who has not responded to disclosure efforts.
Java
SQLi
-
CVE-2026-4592
MEDIUM
CVSS 5.6
Improper authentication in the two-factor authentication verification function of Kalcaddle Kodbox 1.64 allows remote attackers to bypass login controls with high complexity exploitation. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected users should implement network-level access controls while awaiting a vendor update.
PHP
Authentication Bypass
-
CVE-2026-4591
MEDIUM
CVSS 4.7
The fileThumb endpoint in Kodbox 1.64 contains an OS command injection vulnerability in the checkBin function that allows authenticated remote attackers to execute arbitrary commands with the privileges of the web server process. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with high-level privileges can leverage this to achieve remote code execution on affected systems.
PHP
Command Injection
-
CVE-2026-4589
MEDIUM
CVSS 6.3
Server-side request forgery in Kodbox 1.64's fileGet endpoint allows authenticated attackers to manipulate the path parameter in the PathDriverUrl function, enabling arbitrary outbound requests from the affected server. Public exploit code exists for this vulnerability, and no patch is currently available. The impact is limited to users with valid credentials, though successful exploitation could facilitate further network reconnaissance or attacks against internal systems.
PHP
SSRF
-
CVE-2026-4586
MEDIUM
CVSS 6.3
An unrestricted file upload vulnerability exists in CodePhiliaX Chat2DB versions up to 0.3.7 in the JDBC Driver Upload functionality, allowing authenticated attackers to upload arbitrary files to the server. The vulnerability affects the JdbcDriverController.java component and has a CVSS score of 6.3 (medium severity) with a public proof-of-concept exploit available, though the vendor has not responded to disclosure attempts.
Java
File Upload
-
CVE-2026-4583
MEDIUM
CVSS 5.0
This vulnerability is an authentication bypass in the Bluetooth Handler component of Shenzhen HCC Technology MPOS M6 PLUS version 1V.31-N, exploitable via capture-replay attacks. An unauthenticated attacker within Bluetooth range can replay captured Bluetooth traffic to bypass authentication and gain unauthorized access, though the attack complexity is high. A proof-of-concept exploit is publicly available on GitHub, and the vendor has not responded to disclosure attempts, leaving affected systems without an official patch.
Authentication Bypass
-
CVE-2026-4582
MEDIUM
CVSS 5.0
Unauthenticated Bluetooth access in the Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N allows attackers within Bluetooth range to manipulate the device's Bluetooth functionality, compromising confidentiality and integrity. Public exploit code exists for this vulnerability, though exploitation requires physical proximity and timing. No patch is currently available from the vendor.
Authentication Bypass
-
CVE-2026-4581
MEDIUM
CVSS 6.9
SQL injection in Simple Laundry System 1.0's /checklogin.php parameter handler allows unauthenticated remote attackers to manipulate the Username field and execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, leaving affected PHP installations vulnerable to data theft and unauthorized access.
SQLi
PHP
-
CVE-2026-4580
MEDIUM
CVSS 6.9
SQL injection in Simple Laundry System 1.0's /checkupdatestatus.php parameter handler allows unauthenticated remote attackers to manipulate the serviceId argument and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available, creating immediate risk for affected deployments.
SQLi
PHP
-
CVE-2026-4579
MEDIUM
CVSS 6.9
SQL injection in Simple Laundry System 1.0 through the serviceId parameter in /viewdetail.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can exploit this to read or modify sensitive database information.
SQLi
PHP
-
CVE-2026-4574
MEDIUM
CVSS 6.3
SQL injection in SourceCodester Simple E-learning System 1.0's user profile update functionality allows authenticated remote attackers to manipulate the firstName parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read or modify sensitive database information. No patch is currently available.
SQLi
-
CVE-2026-4573
MEDIUM
CVSS 6.3
SQL injection in SourceCodester Simple E-learning System 1.0 allows authenticated attackers to manipulate the post_id parameter in the delete_post.php endpoint, enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available.
SQLi
PHP
-
CVE-2026-4572
MEDIUM
CVSS 5.3
SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the searchtxt parameter in /view_product.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQLi
PHP
-
CVE-2026-4571
MEDIUM
CVSS 5.3
SQL injection in SourceCodester Sales and Inventory System 1.0 allows remote authenticated attackers to manipulate the searchtxt parameter in /view_payments.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed with low complexity over the network.
SQLi
PHP
-
CVE-2026-4570
MEDIUM
CVSS 5.3
SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_customers.php endpoint where the searchtxt parameter is insufficiently sanitized, allowing authenticated attackers to execute arbitrary SQL queries and manipulate database contents. The vulnerability requires valid credentials but can be exploited remotely over the network, and public exploit code is available. No patch is currently available for this vulnerability.
SQLi
PHP
-
CVE-2026-4569
MEDIUM
CVSS 5.3
SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_category.php endpoint's searchtxt parameter that allows authenticated attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and there is currently no available patch. The attack requires valid credentials but can be executed remotely over the network.
SQLi
PHP
-
CVE-2026-4568
MEDIUM
CVSS 5.3
SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_supplier.php allows authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.
PHP
SQLi
-
CVE-2026-4564
MEDIUM
CVSS 4.7
A code injection vulnerability exists in yangzongzhuan RuoYi versions up to 4.8.2 within the Quartz Job Handler component, specifically in the /monitor/job/ endpoint where the invokeTarget parameter is improperly sanitized. An authenticated attacker with high privileges can remotely inject and execute arbitrary code on the affected system. A proof-of-concept has been publicly disclosed on GitHub (M0onc/RuoYi-Quartz-RCE), and the vendor has not responded to early disclosure notifications, increasing the real-world exploitation risk despite the moderate CVSS score of 4.7.
Information Disclosure
-
CVE-2026-4563
MEDIUM
CVSS 4.3
An authorization bypass vulnerability exists in MacCMS up to version 2025.1000.4052 within the Member Order Detail Interface component, specifically in the order_info function of application/index/controller/User.php. An authenticated attacker can manipulate the order_id parameter to access order information belonging to other users, disclosing sensitive data. A public proof-of-concept exploit is available, elevating the risk of active exploitation despite the moderate CVSS 4.3 score.
PHP
Authentication Bypass
-
CVE-2026-4066
MEDIUM
CVSS 4.3
The Smart Custom Fields WordPress plugin contains an authorization bypass vulnerability in the relational_posts_search() AJAX function that allows authenticated contributors and above to access private and draft posts from other authors. Affected versions through 5.0.6 fail to perform per-post capability checks, instead relying only on a generic edit_posts check, enabling unauthorized information disclosure of sensitive post content. With a CVSS score of 4.3 and low attack complexity requiring only network access and contributor-level credentials, this vulnerability poses a moderate risk to multi-author WordPress installations.
Authentication Bypass
WordPress
-
CVE-2026-4056
MEDIUM
CVSS 5.4
The User Registration & Membership plugin for WordPress contains an insufficient capability check vulnerability in its Content Access Rules REST API endpoints, allowing authenticated contributors and above to bypass intended administrative restrictions. Versions 5.0.1 through 5.1.4 are affected, enabling attackers to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access. The vulnerability has a CVSS score of 5.4 with low attack complexity and low privilege requirements, making it readily exploitable by any authenticated user with contributor-level access or higher.
Authentication Bypass
WordPress
-
CVE-2026-3635
MEDIUM
CVSS 6.1
Fastify versions 5.8.2 and earlier contain a header spoofing vulnerability in the trustProxy implementation where the request.protocol and request.host getters incorrectly trust X-Forwarded-Proto and X-Forwarded-Host headers even from untrusted connections when a restrictive trust function is configured. An attacker who can connect directly to a Fastify instance (bypassing the intended proxy) can spoof protocol and host values, potentially bypassing HTTPS enforcement, manipulating secure cookie behavior, and defeating CSRF origin checks. This vulnerability affects applications relying on these headers for security decisions and has a CVSS score of 6.1 with adjacent attack vector and high complexity, indicating moderate real-world exploitability.
CSRF
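The Fastify entry above is about where the trust decision is made: with a trust function configured, the forwarded headers should only be believed when the immediate peer is one the function accepts, otherwise a client that reaches the process directly can claim any protocol and host. The following is an added example, not Fastify code (the request shape, the getter names and the trust function signature are a simplified model of the pattern), showing the buggy derivation beside the correct one, plus the matching right-to-left walk of X-Forwarded-For, and the constructed requests used to exercise them.

```javascript
// Added example: deriving protocol, host and client address behind a proxy.
// Not Fastify code; request shape and trust signature are a simplified model.
//
// A request here is { remoteAddress, encrypted, headers } where headers holds
// host, x-forwarded-proto, x-forwarded-host and x-forwarded-for as the
// server received them.

function firstValue(v) {
  return typeof v === 'string' && v.length ? v.split(',')[0].trim() : undefined;
}

function peerTrusted(req, trust) {
  return trust === true || (typeof trust === 'function' && trust(req.remoteAddress, 0) === true);
}

// Buggy: once a trust function is configured, forwarded headers are honoured
// for every connection; the function is never asked about the peer.
function protocolAndHostBuggy(req, trust) {
  const h = req.headers;
  const proxied = typeof trust === 'function' || trust === true;
  return {
    protocol: proxied && h['x-forwarded-proto'] ? firstValue(h['x-forwarded-proto']) : (req.encrypted ? 'https' : 'http'),
    host: proxied && h['x-forwarded-host'] ? firstValue(h['x-forwarded-host']) : h.host,
  };
}

// Fixed: forwarded headers count only when the immediate peer is trusted.
function protocolAndHostFixed(req, trust) {
  const h = req.headers;
  const trusted = peerTrusted(req, trust);
  const fwdProto = trusted ? firstValue(h['x-forwarded-proto']) : undefined;
  const fwdHost = trusted ? firstValue(h['x-forwarded-host']) : undefined;
  return {
    protocol: fwdProto || (req.encrypted ? 'https' : 'http'),
    host: fwdHost || h.host,
  };
}

// Client address: start at the socket peer, then walk X-Forwarded-For from the
// right, skipping every hop the trust function accepts; the first untrusted
// address is the client. An untrusted peer means the header is ignored entirely.
function clientAddress(req, trust) {
  const hops = [req.remoteAddress];
  const xff = req.headers['x-forwarded-for'];
  if (typeof xff === 'string' && xff.length) {
    hops.push(...xff.split(',').map((s) => s.trim()).reverse());
  }
  for (let i = 0; i < hops.length; i++) {
    const trusted = trust === true || (typeof trust === 'function' && trust(hops[i], i) === true);
    if (!trusted) return hops[i];
  }
  return hops[hops.length - 1];
}

// A security decision that depends on the getters: is this origin ours?
function originAllowed(req, trust, allowedOrigins) {
  const { protocol, host } = protocolAndHostFixed(req, trust);
  return allowedOrigins.has(`${protocol}://${host}`);
}

// Constructed requests. 10.0.0.5 is the only proxy we trust; the "direct"
// request carries the same spoofed headers but comes from an arbitrary peer.
const TRUST_PROXY = (address) => address === '10.0.0.5';
const SPOOFED_HEADERS = {
  host: 'app.internal:3000',
  'x-forwarded-proto': 'https',
  'x-forwarded-host': 'app.example.com',
  'x-forwarded-for': '198.51.100.7',
};
const VIA_PROXY = { remoteAddress: '10.0.0.5', encrypted: false, headers: SPOOFED_HEADERS };
const DIRECT = { remoteAddress: '203.0.113.9', encrypted: false, headers: SPOOFED_HEADERS };
```

The right-to-left walk matters for the same reason: an attacker can put anything on the left of X-Forwarded-For, so the only address that can be attributed to a party is the first one that was not appended by a hop you trust.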
-
CVE-2026-3225
MEDIUM
CVSS 4.3
The LearnPress WordPress LMS Plugin contains a missing capability check vulnerability in the delete_question_answer() function that allows authenticated attackers with Subscriber-level privileges to delete quiz answer options without authorization. Affected versions include 4.3.2.8 and earlier; the vulnerability was patched in version 4.3.3. While the CVSS score is moderate (4.3), the attack requires only low-privilege authentication and no user interaction, making it practical for any authenticated site user to exploit.
Authentication Bypass
WordPress
-
CVE-2026-2412
MEDIUM
CVSS 6.5
The Quiz and Survey Master (QSM) WordPress plugin, in versions up to 10.3.5, contains a SQL injection vulnerability in the 'merged_question' parameter that allows authenticated attackers with Contributor-level access or higher to extract sensitive database information. The vulnerability exists because the plugin relies on sanitize_text_field(), which does not remove SQL metacharacters, before placing the value in an SQL IN() clause, and the resulting query is not parameterized with $wpdb->prepare() or reduced to integers by casting. With a CVSS score of 6.5 and a network-based attack vector requiring only low privileges, this represents a moderate but real threat to WordPress installations using this plugin.
WordPress
SQLi
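The point in the QSM entry above is a category error: sanitize_text_field() is an HTML/text sanitizer, so a comma-separated id list survives it with parentheses and quotes intact and lands inside IN() as SQL. The following is an added example, not QSM or WordPress code (the table and column names and the stand-in sanitizer are illustrative), showing that construction beside one that parses the list to integers and emits one placeholder per value, which is what $wpdb->prepare() with %d, or absint() on each element, achieves in PHP.

```javascript
// Added example: building a SQL IN() list from a user-supplied id list.
// Not QSM/WordPress code; names and the sanitizer stand-in are illustrative.

// Stand-in for WordPress sanitize_text_field(): strips tags and control
// characters and trims whitespace. It leaves ' , ( ) - untouched because it
// is a text sanitizer, not a SQL one.
function sanitizeTextField(s) {
  return String(s).replace(/<[^>]*>/g, '').replace(/[\x00-\x1f\x7f]/g, '').trim();
}

// Vulnerable: the "sanitized" string is concatenated straight into IN().
function buildQueryUnsafe(mergedQuestion) {
  const ids = sanitizeTextField(mergedQuestion);
  return {
    sql: `SELECT question_id, question_name FROM wp_mlw_questions WHERE question_id IN (${ids})`,
    params: [],
  };
}

// Fixed: split, require every element to be a plain decimal integer, and emit
// one %d placeholder per value; the values travel separately as parameters.
function buildQuerySafe(mergedQuestion) {
  const parts = String(mergedQuestion).split(',').map((s) => s.trim()).filter((s) => s !== '');
  if (parts.length === 0) throw new Error('empty id list');
  const ids = parts.map((s) => {
    if (!/^\d{1,10}$/.test(s)) throw new Error(`invalid question id: ${s}`);
    return Number(s);
  });
  const placeholders = ids.map(() => '%d').join(',');
  return {
    sql: `SELECT question_id, question_name FROM wp_mlw_questions WHERE question_id IN (${placeholders})`,
    params: ids,
  };
}

// Result wrapper so a caller can branch on rejection without try/catch.
function safeResult(input) {
  try { return buildQuerySafe(input); } catch (e) { return { error: e.message }; }
}

// Constructed payload: closes IN(), appends a subquery, comments out the rest.
const PAYLOAD = "1,2) OR (SELECT user_pass FROM wp_users WHERE ID=1) LIKE '$P$B%' --";
```

Rejecting the whole request on a bad element, rather than silently dropping it, is deliberate: a dropped element hides the probe from logs and from the user who made a typo alike.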
-
CVE-2026-1969
MEDIUM
CVSS 5.3
The trx_addons WordPress plugin before version 2.38.5 contains an arbitrary file upload vulnerability in an AJAX action that fails to properly validate file types, allowing unauthenticated attackers to upload malicious files. This vulnerability represents an incomplete remediation of the previously disclosed CVE-2024-13448, meaning the original patch was insufficient. A public proof-of-concept exploit is available, and the vulnerability can lead to remote code execution or information disclosure depending on server configuration and file placement.
WordPress
File Upload
-
CVE-2026-1940
MEDIUM
CVSS 5.1
An incomplete fix for CVE-2024-47778 leaves an out-of-bounds read reachable (CVSS 5.1). Remediation should follow standard vulnerability management procedures.
Buffer Overflow
Information Disclosure
Redhat
Suse
-
CVE-2025-60948
MEDIUM
CVSS 5.1
Census CSWeb 8.0.1 contains a stored cross-site scripting (XSS) vulnerability in user-supplied fields that allows authenticated attackers to inject and persist malicious JavaScript code, which executes when victims access affected pages in their browsers. The vulnerability affects CSWeb versions prior to 8.1.0 alpha, and a public proof-of-concept exploit is available on GitHub, increasing real-world exploitation risk. While the severity is moderate, the combination of the authenticated access requirement, the user interaction dependency, and published exploit code suggests this poses a meaningful but contained threat to Census CSWeb deployments.
XSS
-
CVE-2025-52204
MEDIUM
CVSS 6.1
A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x where the customer.pl endpoint improperly handles the OTRSCustomerInterface parameter, allowing attackers to inject and execute arbitrary JavaScript in the context of victim browsers. This affects Znuny ITSM versions in the 6.5.x release line, and a proof-of-concept exploit has been publicly disclosed on GitHub, indicating active awareness and potential exploitation capability in the threat landscape.
XSS
-
CVE-2025-13997
MEDIUM
CVSS 5.3
King Addons for Elementor contains an information disclosure vulnerability that exposes sensitive API keys and secrets in HTML source code through the render_full_form function. Unauthenticated attackers can extract Mailchimp, Facebook, and Google API credentials from affected WordPress sites running the plugin up to version 51.1.49 that have the Premium license installed. This vulnerability has a CVSS score of 5.3 with a network attack vector requiring no authentication, making it easily discoverable and exploitable at scale.
WordPress
Information Disclosure
Google
PHP
-
CVE-2025-10736
MEDIUM
CVSS 6.5
The ReviewX plugin for WordPress contains an improper authorization vulnerability in the userAccessibility() function that allows unauthenticated attackers to bypass authentication checks and access protected REST API endpoints. Affected versions through 2.2.10 permit unauthorized extraction and modification of user data and plugin configuration, posing a direct threat to WooCommerce installations relying on this review management solution. With a CVSS score of 6.5 and network-based attack vector requiring no user interaction or privileges, this vulnerability presents a moderate-to-significant risk for any WordPress site using the affected plugin.
WordPress
Authentication Bypass
Google
PHP
-
CVE-2025-10734
MEDIUM
CVSS 5.3
The ReviewX - WooCommerce Product Reviews plugin for WordPress contains a Sensitive Information Exposure vulnerability in the syncedData function that allows unauthenticated attackers to extract sensitive user data including names, emails, phone numbers, and addresses from affected sites. All versions up to and including 2.2.12 are vulnerable, affecting any WordPress installation running this popular review plugin. The vulnerability has a CVSS score of 5.3 (Medium) with low attack complexity and no authentication required, making it relatively straightforward to exploit.
WordPress
Information Disclosure
Google
PHP
-
CVE-2025-10731
MEDIUM
CVSS 5.3
The ReviewX WordPress plugin for WooCommerce contains an unauthenticated sensitive information exposure vulnerability in the allReminderSettings function that allows attackers to obtain authentication tokens and bypass admin restrictions. Affected versions up to 2.2.12 expose critical customer data including order details, names, emails, addresses, phone numbers, and user information. With a CVSS score of 5.3 and network-based attack vector requiring no authentication or user interaction, this vulnerability poses a moderate but immediate risk to any WordPress installation using the plugin.
WordPress
Information Disclosure
Authentication Bypass
Google
PHP
-
CVE-2025-6229
MEDIUM
CVSS 6.4
The Sina Extension for Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Fancy Text Widget and Countdown Widget that allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into pages through insufficiently sanitized DOM attributes. When users visit pages containing the malicious widgets, the injected scripts execute in their browsers, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 3.7.0, with a CVSS score of 6.4 indicating medium severity, though the impact is amplified by the stored nature of the XSS and the broad audience of WordPress sites using this popular page builder extension.
WordPress
XSS
PHP
-
CVE-2024-51226
MEDIUM
CVSS 6.1
A stored cross-site scripting (XSS) vulnerability in the component /admin/search-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
PHP
-
CVE-2024-51225
MEDIUM
CVSS 4.8
A stored cross-site scripting (XSS) vulnerability in the component /admin/add-brand.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
PHP
-
CVE-2024-51224
MEDIUM
CVSS 4.8
Multiple cross-site scripting (XSS) vulnerabilities in the component /admin/edit-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allow attackers to execute arbitrary web scripts or. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
PHP
-
CVE-2024-51223
MEDIUM
CVSS 4.8
A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
PHP
-
CVE-2024-51222
MEDIUM
CVSS 4.8
A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
PHP
-
CVE-2024-46879
MEDIUM
CVSS 5.4
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
PHP
-
CVE-2024-46878
MEDIUM
CVSS 5.4
A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
PHP
-
CVE-2026-33168
LOW
A cross-site scripting (XSS) vulnerability exists in Ruby on Rails Action View tag helpers when blank strings are used as HTML attribute names, allowing attribute escaping to be bypassed and producing malformed HTML. Applications that permit users to specify custom HTML attributes are vulnerable, potentially enabling attackers to inject arbitrary JavaScript that executes in users' browsers. Patches are available from the Rails vendor across multiple affected versions (7.2.3.1, 8.0.4.1, and 8.1.2.1), and remediation should be prioritized for user-facing Rails applications accepting custom attribute inputs.
Ruby
XSS
-
CVE-2026-33167
LOW
A Cross-Site Scripting (XSS) vulnerability exists in Ruby on Rails' debug exceptions page due to improper HTML escaping of exception messages. This affects Rails applications running in development mode with detailed exception pages enabled (config.consider_all_requests_local = true, which is the default), allowing an attacker to inject arbitrary HTML and JavaScript that executes in the context of the debug page. While this primarily impacts development environments, applications with development configurations exposed to untrusted network access or those reusing development settings in production could face real exploitation risk.
XSS
Denial Of Service
-
CVE-2026-32909
LOW
CVSS 3.6
OpenClaw before version 2026.2.19 contains a command injection vulnerability in the tools.exec.safeBins function that allows local attackers with limited privileges to bypass stdin-only execution restrictions through specially crafted sort output flags (sort -o) or recursive grep flags (grep -R). An authenticated attacker can exploit this to perform arbitrary file writes or reads, circumventing the intended safe-bin execution model that restricts command capabilities. A patch is available from the vendor, and this vulnerability has been documented by VulnCheck with supporting technical details.
Command Injection
-
CVE-2026-27183
LOW
CVSS 2.1
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability that allows local attackers with limited privileges to execute arbitrary shell commands by circumventing security approval controls. The vulnerability exploits a depth-boundary mismatch between the approval classifier and execution planner, permitting exactly four transparent dispatch wrappers (such as repeated env invocations) to bypass the security=allowlist approval requirement. While not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the CVSS 4.5 score and publicly available patch indicate this is a real but lower-priority vulnerability with moderate real-world risk depending on deployment context.
Authentication Bypass
-
CVE-2026-4633
LOW
CVSS 3.7
Keycloak contains an information disclosure vulnerability in the identity-first login flow when Organizations are enabled, where differential error messages allow remote attackers to enumerate valid user accounts without authentication. The vulnerability affects Red Hat Build of Keycloak across multiple versions, and while the CVSS score is low (3.7), the attack requires only network access with no user interaction. This user enumeration flaw could facilitate credential stuffing, phishing, or social engineering campaigns by confirming the existence of target accounts.
Information Disclosure
-
CVE-2026-4595
LOW
CVSS 2.4
A stored cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0 affecting the /admin/update_s6.php file, where the sname parameter fails to properly sanitize user input. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially compromising admin accounts or exfiltrating sensitive exam data. A public proof-of-concept is available on GitHub, and while the CVSS score is low at 2.4, the vulnerability requires high privileges and user interaction to exploit, limiting real-world impact.
XSS
PHP
-
CVE-2026-4590
LOW
CVSS 3.1
A cross-site request forgery (CSRF) vulnerability exists in Kalcaddle Kodbox 1.64 affecting the loginSubmit API endpoint within the OAuth bind controller. An unauthenticated remote attacker can manipulate the 'third' parameter to forge requests that modify application state, though the attack requires user interaction and high complexity. A public proof-of-concept exploit has been released, and the vendor has not responded to early disclosure notifications.
CSRF
PHP
-
CVE-2026-4588
LOW
CVSS 3.7
Kalcaddle Kodbox 1.64 contains a cryptographic key hardcoding vulnerability in the Site-level API key Handler component (shareSafeGroup function in shareOut.class.php), where manipulation of the 'sk' parameter exploits the use of a hard-coded cryptographic key. This allows unauthenticated remote attackers to disclose sensitive information with low complexity, though the attack itself requires high complexity execution. A public proof-of-concept is available, and the vendor has not responded to early disclosure.
PHP
Information Disclosure
-
CVE-2026-4587
LOW
CVSS 3.7
HybridAuth versions up to 3.12.2 contain an improper certificate validation vulnerability in the SSL Handler component (src/HttpClient/Curl.php) where manipulation of curlOptions arguments bypasses SSL/TLS certificate verification. This affects any application using HybridAuth for authentication, allowing attackers to conduct man-in-the-middle attacks against remote authentication flows. While the CVSS score is relatively low (3.7) due to high attack complexity and lack of confidentiality impact, the integrity compromise from certificate validation bypass presents a real threat to authentication security in vulnerable deployments.
PHP
Information Disclosure
-
CVE-2026-4584
LOW
CVSS 3.1
The Shenzhen HCC Technology MPOS M6 PLUS device running firmware version 1V.31-N contains a cleartext transmission vulnerability in its Cardholder Data Handler component that allows attackers on the local network to intercept sensitive information. An attacker with network access can manipulate the affected component to force transmission of cardholder data in cleartext, compromising payment card information. A publicly available proof-of-concept exists on GitHub, and the vulnerability has a CVSS score of 3.1 (low severity) due to high attack complexity requirements, though the exploitation difficulty rating suggests real-world risk depends heavily on network proximity and attacker capabilities.
Information Disclosure
-
CVE-2026-4578
LOW
CVSS 2.4
A cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the /admin/update_s3.php file where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious scripts through this parameter to perform actions in the context of other users' browsers. A public proof-of-concept is available, making this vulnerability actively exploitable despite its low CVSS score of 2.4.
XSS
PHP
-
CVE-2026-4577
LOW
CVSS 2.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0 affecting the /admin/update_s4.php endpoint, where the 'sname' parameter is not properly sanitized before output. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or administrative action abuse. A public proof-of-concept exploit is available, increasing real-world risk despite the low CVSS score of 2.4.
XSS
PHP
-
CVE-2026-4576
LOW
CVSS 2.4
A Stored or Reflected Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the /admin/update_s5.php file where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious JavaScript code through this parameter, which will execute in the context of other users' browsers when they interact with the affected page. A public proof-of-concept exploit is available on GitHub, and the vulnerability has a low CVSS score of 2.4 due to high privilege requirements and user interaction dependency, but the public disclosure increases practical exploitation likelihood.
PHP
XSS
-
CVE-2026-4575
LOW
CVSS 2.4
A stored cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, affecting the /admin/update_s2.php endpoint where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the browser of other users who view the affected page, potentially leading to session hijacking, credential theft, or administrative action manipulation. A public proof-of-concept exploit is available on GitHub, and the vulnerability carries a low CVSS score of 2.4 due to requiring high privileges and user interaction, but the published exploit status indicates active reconnaissance and potential targeted exploitation.
XSS
PHP