Skip to main content
CVE-2026-33046 HIGH PATCH This Week

A LaTeX injection vulnerability in Indico (event management platform) allows authenticated attackers to read local files or execute arbitrary code on the server when server-side LaTeX rendering is enabled via XELATEX_PATH configuration. The vulnerability stems from TeXLive weaknesses and insufficient sanitization of LaTeX input, permitting specially-crafted snippets to bypass security controls. Patches are available in version 3.3.12, and there is no evidence of active exploitation (not in CISA KEV), though multiple proof-of-concept patches indicate the vulnerability has been thoroughly analyzed.

Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-32276 HIGH PATCH This Week

An authenticated code injection vulnerability exists in the Code Study Plugin component of OpenSource Workshop Connect-CMS that allows authenticated users to execute arbitrary code on the server. Both the 1.x series (versions up to 1.41.0) and 2.x series (versions up to 2.41.0) are affected. With a CVSS score of 8.8 (High severity), this vulnerability enables remote code execution and information disclosure with low attack complexity and no user interaction required.

RCE Information Disclosure Code Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-33717 HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability (CWE-434) that allows authenticated attackers to upload and execute arbitrary PHP code on the server. The vulnerability exists in the downloadVideoFromDownloadURL() function which saves remote content with its original filename and extension to a web-accessible directory; by providing an invalid resolution parameter, attackers can bypass cleanup mechanisms, leaving executable PHP files persistent under the web root. With a CVSS score of 8.8, this represents a high-severity remote code execution risk for authenticated users.

PHP File Upload
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4601 HIGH PATCH GHSA This Week

Private key recovery is possible in jsrsasign versions before 11.1.1 when attackers force invalid DSA signatures with zero r or s values during the signing process. The library fails to validate or retry these malformed signatures, allowing attackers to algebraically solve for the private key x from the emitted signature. Publicly available exploit code exists demonstrating the key recovery technique (EPSS: 0.02%, percentile 5%), though no confirmed active exploitation. Vendor-released patch: version 11.1.1.

Information Disclosure Jsrsasign
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-23480 HIGH PATCH This Week

Blinko versions prior to 1.8.4 contain a critical privilege escalation vulnerability in the upsertUser endpoint that allows any authenticated user to modify other users' passwords and escalate to superadmin privileges. The vulnerability stems from three distinct authorization and input validation flaws: missing superAdminAuthMiddleware enforcement, optional password verification, and absent ownership checks. An attacker with valid credentials can directly execute account takeover and administrative privilege escalation with no additional exploits required.

Privilege Escalation Blinko
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4611 HIGH This Week

This vulnerability is an OS command injection flaw in the setLanCfg function of TOTOLINK X6000R routers running firmware versions 9.4.0cu.1360_B20241207 and 9.4.0cu.1498_B20250826. An authenticated attacker with high privileges can execute arbitrary operating system commands by manipulating the Hostname parameter in /usr/sbin/shttpd, potentially leading to complete device compromise. The vulnerability was disclosed via VulDB submission with proof-of-concept information available through reference ID 352475, though no active exploitation (KEV listing) has been reported.

Command Injection X6000R
NVD VulDB
CVSS 4.0
8.6
EPSS
0.7%
CVE-2026-1958 HIGH PATCH This Week

Hard-coded credentials embedded in Klinika XP and KlinikaXP Insertino applications allow unauthorized attackers to gain access to internal services, most critically the FTP server hosting application update packages. An attacker exploiting these credentials could upload malicious update files that would be distributed to client machines as legitimate updates, enabling supply-chain compromise and widespread system compromise. The vulnerability affects KlinikaXP versions before 5.39.01.01 and KlinikaXP Insertino versions before 3.1.0.1; no CVSS score, EPSS data, or active KEV status is currently available, but the attack complexity is low and requires no privileges, making this a high-priority issue despite the missing CVSS assessment.

Authentication Bypass Klinikaxp Insertino Klinikaxp
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-32277 HIGH PATCH This Week

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Cabinet Plugin list view of Connect CMS, affecting versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0. An authenticated attacker can execute arbitrary JavaScript in victim browsers by manipulating how saved names are rendered, potentially leading to session hijacking, credential theft, or unauthorized actions. The vulnerability carries a CVSS score of 8.7 (High) and patches are available, with no evidence of active exploitation or public proof-of-concept at this time.

XSS
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-31848 HIGH This Week

The Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 contains an authentication bypass vulnerability where administrative credentials are stored in the ecos_pw cookie using reversible Base64 encoding with a static suffix, allowing attackers who obtain this cookie to forge valid administrative sessions and gain unauthorized device access. The vulnerability affects a network appliance product line and represents a critical authentication control failure. No CVSS score or EPSS data is currently available, and KEV/active exploitation status is unknown; however, the reversible encoding mechanism and static suffix suggest this is likely highly exploitable in practice.

Authentication Bypass Nebula 300
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33513 HIGH This Week

WWBN AVideo versions up to and including 26.0 contain an unauthenticated path traversal vulnerability in the locale API endpoint that allows arbitrary PHP file inclusion under the web root. Attackers can achieve confirmed file disclosure and code execution by including existing PHP files, with potential escalation to full remote code execution if they can upload or control PHP files elsewhere in the application tree. The vulnerability has a CVSS score of 8.6 and requires no authentication or user interaction to exploit, though no patch is currently available and there is no evidence of active exploitation in KEV data.

Path Traversal PHP RCE
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-33719 HIGH This Week

WWBN AVideo video platform up to and including version 26.0 contains an authentication bypass vulnerability in the CDN plugin that allows unauthenticated remote attackers to completely modify CDN configuration settings including storage credentials and authentication keys. The vulnerability stems from the CDN plugin's default empty string authentication key, which causes validation checks to be bypassed entirely when the plugin is enabled but not properly configured. The CVSS score of 8.6 reflects high integrity impact with network-based exploitation requiring no privileges or user interaction.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-33548 HIGH PATCH This Week

MantisBT version 2.28.0 contains a stored cross-site scripting (XSS) vulnerability in the Timeline view of my_view_page.php where tag names are improperly escaped when retrieved from the History table, allowing attackers to inject arbitrary HTML and potentially execute JavaScript if Content Security Policy permits. This affects users viewing issues with renamed or deleted tags, and version 2.28.1 contains the patch. No CVSS score or EPSS data is currently available, but the vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries moderate to high risk in environments without strict CSP enforcement.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-33517 HIGH PATCH This Week

MantisBT version 2.28.0 contains a Stored/Reflected Cross-Site Scripting (XSS) vulnerability in the tag deletion confirmation dialog (tag_delete.php) due to improper HTML escaping of tag names in the confirmation message. An authenticated attacker can inject malicious HTML and JavaScript code that executes in the browser of any user viewing the confirmation page, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability was patched in version 2.28.1, and proof-of-concept information is available via the GitHub security advisory and associated commit references.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-15517 HIGH PATCH NEWS This Week

A missing authentication check in the HTTP server of TP-Link Archer NX-series routers (NX200, NX210, NX500, NX600) allows unauthenticated attackers to access privileged CGI endpoints intended for authenticated administrators. An attacker can perform critical operations including firmware upload and configuration changes without providing valid credentials, effectively gaining administrative control over the device. A vendor patch is available, and this vulnerability represents a direct authentication bypass with severe real-world exploitation potential.

TP-Link Authentication Bypass
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-15519 HIGH PATCH NEWS This Week

A command injection vulnerability exists in the modem-management administrative CLI of TP-Link Archer NX-series routers (NX200, NX210, NX500, NX600) due to improper input handling in CLI commands. An authenticated attacker with administrative privileges can inject crafted input into vulnerable CLI parameters to execute arbitrary operating system commands, compromising the confidentiality, integrity, and availability of the device. A patch is available from TP-Link, and no public exploit or active exploitation has been confirmed at this time.

TP-Link Command Injection
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-15518 HIGH PATCH NEWS This Week

A command injection vulnerability exists in the wireless-control administrative CLI command of TP-Link Archer NX series routers (models NX200, NX210, NX500, and NX600) due to improper input handling that allows crafted input to be executed as part of operating system commands. An authenticated attacker with administrative privileges can exploit this vulnerability to execute arbitrary commands on the device, compromising confidentiality, integrity, and availability. Patches are available from the vendor for all affected models and versions.

TP-Link Command Injection
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-31847 HIGH This Week

A hidden functionality vulnerability exists in the /goform/setSysTools endpoint of Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37, allowing unauthenticated remote attackers to enable a Telnet service that exposes a privileged diagnostic management interface. This significantly expands the attack surface and enables further device compromise through an unencrypted network protocol. No CVSS score, EPSS data, or KEV status is currently available, but the severity is elevated given the remote nature of exploitation and the direct access to privileged diagnostic functions.

Information Disclosure Nebula 300
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-15605 HIGH PATCH NEWS This Week

A hardcoded cryptographic key in the configuration mechanism of TP-Link Archer NX series routers (NX200, NX210, NX500, NX600) allows authenticated attackers to decrypt, modify, and re-encrypt device configuration files, compromising both confidentiality and integrity of router settings. This vulnerability affects multiple hardware versions across all four product lines, with patches now available from the vendor. While no public exploit code or active KEV status has been reported, the authenticated attack requirement and widespread deployment of these consumer routers present moderate real-world risk.

TP-Link Information Disclosure
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-32902 HIGH PATCH This Week

OpenClaw contains a server-side request forgery (SSRF) vulnerability in its web search citation redirect resolution mechanism that allows unauthenticated remote attackers to trigger requests to internal network destinations from the OpenClaw gateway host. OpenClaw versions prior to 2026.3.1 are affected. Attackers who can influence citation redirect targets can exploit this to access private network resources, with a CVSS score of 8.3 indicating high severity with low complexity and no privileges required.

SSRF Openclaw
NVD GitHub
CVSS 3.1
8.3
CVE-2026-32278 HIGH PATCH This Week

A Stored Cross-Site Scripting (XSS) vulnerability exists in the file field component of the Form Plugin within Connect-CMS. The vulnerability affects Connect-CMS versions 1.41.0 and earlier in the 1.x series, and versions 2.41.0 and earlier in the 2.x series. If exploited, an attacker can inject malicious scripts that execute in an administrator's browser, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. The vulnerability has been patched and a fix is available from the vendor.

XSS File Upload
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-4021 HIGH This Week

The Contest Gallery plugin for WordPress contains an authentication bypass vulnerability that allows unaattacked attackers to take over administrator accounts and gain complete site control. All versions up to and including 28.1.5 are affected when the non-default RegMailOptional=1 setting is enabled. The vulnerability exploits MySQL type coercion by registering with specially crafted email addresses to overwrite admin activation keys, then using an unauthenticated login endpoint to authenticate as the target user. With a CVSS score of 8.1 and high attack complexity (AC:H), this represents a critical risk for sites using the vulnerable configuration.

WordPress PHP Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-32300 HIGH PATCH This Week

Improper authorization in the My Page profile update feature allows authenticated attackers to modify arbitrary user profiles and passwords, potentially leading to account takeover. Affected versions include 1.x through 1.41.0 and 2.x through 2.41.0; patches are available in versions 1.41.1 and 2.41.1. Exploitation requires valid authentication but no additional privileges or user interaction.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33651 HIGH This Week

SQL injection in WWBN AVideo up to version 26.0 allows authenticated users to extract arbitrary database contents through time-based blind SQL injection via the remindMe.json.php endpoint. The vulnerability stems from insufficient input sanitization of the live_schedule_id parameter, which is concatenated directly into a SQL LIKE clause despite partial validation in intermediate functions. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33649 HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo open source video platform versions up to and including 26.0 allows unauthenticated attackers to escalate privileges to near-admin access by tricking an administrator into visiting a malicious page. The vulnerability exists in the setPermission.json.php endpoint which accepts state-changing operations via GET requests without CSRF token validation, compounded by the application's explicit SameSite=None cookie setting. No patched version is currently available, and with a CVSS score of 8.1 (High), this represents a significant risk for installations with administrative users who browse external content.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4600 HIGH PATCH GHSA This Week

Cryptographic signature bypass in jsrsasign before 11.1.1 allows remote attackers to forge DSA signatures and X.509 certificates by supplying malicious domain parameters (g=1, y=1, r=1) that cause verification functions to incorrectly validate any message hash. This actively undermines authentication and integrity checks in applications using the library for JWT validation, certificate verification, or digital signatures. EPSS score is negligible (0.01%) despite proof-of-concept availability, and CISA SSVC classifies this as requiring proof-of-concept but not automatable, indicating targeted exploitation risk rather than widespread scanning.

Information Disclosure Jwt Attack Jsrsasign
NVD GitHub VulDB
CVSS 4.0
8.1
EPSS
0.0%
CVE-2026-33195 HIGH PATCH GHSA This Week

Active Storage's DiskService component in Ruby on Rails contains a path traversal vulnerability (CWE-22) that fails to validate resolved filesystem paths remain within the storage root directory. Applications passing untrusted user input as blob keys are vulnerable to arbitrary file read, write, or deletion operations on the server. Patches are available in Rails versions 7.2.3.1, 8.0.4.1, and 8.1.2.1, with no current evidence of active exploitation or public proof-of-concept code.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
8.0
EPSS
0.0%
CVE-2026-23554 HIGH PATCH This Week

This vulnerability in Intel EPT (Extended Page Tables) paging code within Xen allows information disclosure through a use-after-free condition in cached EPT state management. When paging structures are freed before cached EPT state is flushed, stale entries can persist in the EPT cache pointing to memory ranges outside the guest's intended ownership, enabling unauthorized memory access. Xen across multiple versions is affected, with Ubuntu tracking the issue at medium priority across 7 releases and Debian across 7 releases, making this a widespread concern for virtualization infrastructure.

Information Disclosure Intel
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-32907 HIGH PATCH This Week

OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in the Windows scheduled task script generation component. Attackers with low-level local privileges and control over service script generation values can inject cmd metacharacters into the gateway.cmd arguments to execute arbitrary commands with high impact to confidentiality, integrity, and availability. There is no indication of active exploitation (not in CISA KEV), but a patch commit is publicly available which may facilitate proof-of-concept development.

Microsoft Command Injection Windows
NVD GitHub
CVSS 3.1
7.8
CVE-2026-4598 HIGH PATCH GHSA This Week

The jsrsasign JavaScript library contains an infinite loop vulnerability in the BigInteger.modInverse function that allows remote attackers to permanently hang application processes through specially crafted zero or negative input values. All versions of jsrsasign prior to 11.1.1 are affected by this high-severity denial-of-service condition. A proof-of-concept exploit exists demonstrating the vulnerability, and the CVSS score of 7.5 reflects the ease of exploitation (network-accessible, low complexity, no authentication required).

Denial Of Service Jsrsasign
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-4602 HIGH PATCH GHSA This Week

The jsrsasign JavaScript library before version 11.1.1 contains a vulnerability that allows attackers to break signature verification by exploiting incorrect handling of negative exponents in modular exponentiation operations. This affects all versions prior to 11.1.1 of the jsrsasign package, enabling remote attackers without authentication to compromise cryptographic signature validation. A proof-of-concept exploit exists as indicated by the CVSS exploitability metric and public GitHub references demonstrating the attack technique.

Information Disclosure Jsrsasign
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-31851 HIGH This Week

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 lacks rate limiting and account lockout mechanisms on its authentication interface, enabling attackers to conduct brute-force attacks against user credentials without operational resistance. This vulnerability affects the Nebula 300+ device family as confirmed through CPE matching. An attacker with network access to the authentication interface can enumerate valid accounts and attempt unlimited password guesses, potentially compromising administrative or user-level access to the device.

Information Disclosure Nebula 300
NVD VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-4368 HIGH NEWS This Week

Citrix NetScaler ADC and Gateway instances configured for SSL VPN, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers are vulnerable to a race condition that enables authenticated attackers to hijack other users' sessions. An attacker with valid credentials can exploit timing-dependent conditions to cause session mixup between concurrent users, potentially gaining unauthorized access to sensitive resources or impersonating other authenticated users. No patch is currently available for this high-severity vulnerability.

Citrix Race Condition Information Disclosure
NVD VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-33650 HIGH This Week

Privilege escalation in WWBN AVideo up to version 26.0 allows users with "Videos Moderator" permissions to gain full video management capabilities, including transferring ownership and deleting any video, by exploiting inconsistent authorization checks between the video editing and deletion endpoints. An authenticated attacker can chain an ownership transfer with deletion operations to compromise videos outside their legitimate scope. A patch is available in commit 838e16818c793779406ecbf34ebaeba9830e33f8.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-4645 HIGH PATCH This Week

The antchfx/xpath component in Debian is vulnerable to denial of service when processing specially crafted Boolean XPath expressions, which trigger an infinite loop in the logicalQuery.Select function consuming 100% CPU resources. Unauthenticated remote attackers can exploit this over the network without user interaction to disable affected systems. No patch is currently available.

Denial Of Service Debian Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32969 HIGH This Week

A pre-authentication blind SQL injection vulnerability exists in the userinfo endpoint's authentication method, allowing unauthenticated remote attackers to extract sensitive data from backend databases without any credentials. Affected products include MB Connect Line's mbCONNECT24 and mymbCONNECT24 industrial remote access solutions, as well as Helmholz's myREX24v2 and myREX24v2.virtual platforms used in industrial automation environments. With a CVSS score of 7.5 and complete loss of confidentiality, this represents a significant risk to industrial control systems, though no active exploitation (KEV) or public POC has been reported yet.

SQLi Mb Connect Line Mbconnect24 Mymbconnect24 Myrex24V2 Myrex24V2 Virtual
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4306 HIGH This Week

The WP Job Portal plugin for WordPress contains an unauthenticated SQL injection vulnerability in the 'radius' parameter affecting all versions up to and including 2.4.8. Unauthenticated remote attackers can exploit this flaw to extract sensitive information from the database, including user credentials, personal data, and other confidential information stored in WordPress tables. The vulnerability has a CVSS score of 7.5 indicating high severity with no authentication required for exploitation.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26209 HIGH PATCH This Week

The cbor2 Python library, which implements CBOR serialization, suffers from uncontrolled recursion when decoding deeply nested CBOR structures, allowing remote attackers to trigger Denial of Service by sending crafted payloads containing approximately 100,000 nested arrays. All versions prior to 5.9.0 are affected, including both the pure Python implementation and the C extension. Attackers can crash worker processes in web servers (Gunicorn, Uvicorn) and task queues (Celery) with small malicious packets under 100KB, causing complete service outages through repeated worker crashes.

Python Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 3.0
7.5
EPSS
0.0%
CVE-2026-26828 HIGH This Week

A NULL pointer dereference vulnerability exists in the daap_reply_playlists function within owntone-server's DAAP request handler (src/httpd_daap.c) that allows remote attackers to trigger a denial of service condition by sending a specially crafted DAAP protocol request. The vulnerability affects owntone-server at commit 3d1652d and potentially earlier versions. An attacker can remotely crash the server without authentication by exploiting improper input validation in the playlist reply handler, resulting in service unavailability.

Denial Of Service Null Pointer Dereference
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33512 HIGH This Week

WWBN AVideo versions up to and including 26.0 contain an unauthenticated API endpoint that allows arbitrary decryption of ciphertext. Attackers can exploit the decryptString action in the API plugin without authentication to decrypt publicly-issued ciphertext (such as from view/url2Embed.json.php), allowing recovery of protected tokens and metadata. The CVSS score of 7.5 reflects high confidentiality impact with network accessibility and no authentication required.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32299 HIGH PATCH This Week

Insufficient authorization checks in the page content retrieval feature (versions 1.x <= 1.41.0 and 2.x <= 2.41.1) allow unauthenticated attackers to access non-public page contents and attachments. An attacker can retrieve sensitive information from restricted pages without proper credentials. Users must upgrade to version 1.41.1 or 2.41.1 to remediate this vulnerability.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33176 HIGH PATCH This Week

Rails ActiveSupport number helpers contain a denial of service vulnerability where strings with scientific notation (e.g., '1e10000') are improperly converted and expanded into extremely large decimal representations, causing excessive memory allocation and CPU consumption during string formatting. The vulnerability affects ActiveSupport across multiple Rails versions prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1. An attacker can exploit this by providing maliciously crafted scientific notation strings to trigger resource exhaustion and deny service to legitimate users.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33174 HIGH PATCH This Week

Rails Active Storage's Blobs::ProxyController loads entire requested byte ranges into memory before transmission, allowing remote unauthenticated attackers to exhaust server memory and cause denial of service by sending requests with large or unbounded Range headers. This vulnerability affects systems using Active Storage for file serving and requires no user interaction or authentication to exploit. A patch is available.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32066 HIGH PATCH This Week

OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that enables unauthenticated remote attackers to exhaust server memory by sending repeated HTTP requests with varying query string parameters. This affects OpenClaw versions prior to 2026.3.1. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and lack of authentication requirements, though no evidence of active exploitation (KEV) or public proof-of-concept has been identified at this time.

Denial Of Service Openclaw
NVD GitHub
CVSS 3.1
7.5
CVE-2026-22173 HIGH PATCH This Week

OpenClaw, an open-source game engine component, contains a command injection vulnerability in its Windows Scheduled Task script generation mechanism. Versions prior to 2026.2.18 write environment variables unquoted to gateway.cmd files, allowing attackers to inject shell metacharacters that break out of assignment context and execute arbitrary commands when the scheduled task runs. This vulnerability has a CVSS score of 7.4 (High) with local attack vector and high attack complexity, and a patch is currently available from the vendor.

Command Injection Microsoft Windows
NVD GitHub
CVSS 3.1
7.4
CVE-2025-10679 HIGH This Week

The ReviewX plugin for WordPress contains a critical arbitrary method call vulnerability in all versions up to and including 2.2.12. Unauthenticated attackers can exploit insufficient input validation in the bulkTenReviews function to call arbitrary PHP class methods, potentially achieving remote code execution or information disclosure. With a CVSS score of 7.3 and network-based exploitation requiring no privileges or user interaction, this presents a significant risk to WordPress sites using this WooCommerce product review plugin.

WordPress PHP RCE Information Disclosure Code Injection +1
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-33430 HIGH PATCH GHSA This Week

BeeWare Briefcase Windows MSI installer templates (versions <0.3.26, <0.4.0, <0.4.1) create installation directories with insecure inherited permissions when installed per-machine. Low-privilege authenticated local users can replace application binaries, achieving privilege escalation when an administrator later executes the modified binary. Vendor-released patches available for 0.3.26, 0.4.0, and 0.4.1. EPSS score of 0.01% indicates minimal observed exploitation attempts; no KEV listing or public POC identified.

Information Disclosure Microsoft
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-32910 HIGH PATCH This Week

OpenClaw versions prior to 2026.3.1 contain an approval bypass vulnerability in the system.run function that allows attackers to execute a different binary than the one approved by an operator. The vulnerability stems from non-path-like argv[0] tokens failing to bind to executable identity, enabling post-approval PATH manipulation to redirect execution to attacker-controlled binaries. With a CVSS score of 7.3 and requiring local access with low privileges and user interaction, this represents a significant privilege escalation and integrity bypass risk in environments using OpenClaw's execution approval mechanisms.

Authentication Bypass Openclaw
NVD GitHub
CVSS 3.1
7.3
CVE-2026-31849 HIGH This Week

This vulnerability is a Cross-Site Request Forgery (CSRF) flaw affecting the Nexxt Solutions Nebula 300+ device firmware through version 12.01.01.37, where state-changing administrative endpoints lack proper CSRF protections. An attacker can trick an authenticated administrator into submitting malicious requests that modify critical device settings, including security configurations, without the administrator's knowledge or consent. No CVSS score or EPSS data is currently available, and the vulnerability has not been confirmed as actively exploited in the wild, though the lack of CSRF protections on administrative functions represents a significant trust boundary violation.

CSRF Nebula 300
NVD VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-23882 HIGH PATCH This Week

Blinko versions prior to 1.8.4 allow authenticated high-privilege users to execute arbitrary commands through the MCP server creation function during connection testing, resulting in complete system compromise. An attacker with administrative credentials can inject malicious commands that execute with application privileges, achieving remote code execution. No patch is currently available for affected deployments.

Command Injection Blinko
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33681 HIGH This Week

WWBN AVideo, an open source video platform, contains a critical path traversal vulnerability in the pluginRunDatabaseScript.json.php endpoint that allows authenticated administrators to execute arbitrary SQL queries against the application database. Versions up to and including 26.0 are affected. The vulnerability can also be exploited via CSRF attacks against authenticated admin sessions, enabling unauthenticated attackers to achieve remote code execution or complete database compromise.

Path Traversal PHP CSRF
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy