227 CVEs tracked today. 36 Critical, 108 High, 75 Medium, 8 Low.
-
CVE-2026-2417
CRITICAL
CVSS 9.3
Unauthenticated remote code execution in Pharos Controls Mosaic Show Controller firmware 2.15.3 lets an attacker bypass authentication and execute arbitrary commands as root with no user interaction. Every instance reachable over the network is affected and no patch is available, so restricting network access to the controller is the only current mitigation. The very low EPSS score indicates a low predicted likelihood of exploitation, not that the flaw is difficult to exploit.
Authentication Bypass
-
CVE-2026-33475
CRITICAL
CVSS 9.1
Langflow's GitHub Actions CI/CD workflows interpolate attacker-controlled values such as branch names and pull request titles directly into shell steps, so an attacker who can open a pull request can inject arbitrary commands into the runner without authenticating. Langflow versions prior to 1.9.0 (the langflow-ai/langflow repository) are affected. A proof-of-concept exploit demonstrates secret exfiltration via a crafted branch name, which lets an attacker steal the workflow's GITHUB_TOKEN and potentially compromise the software supply chain.
RCE
Command Injection
Docker
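The bug class above is easy to spot in a workflow file: an expression such as `${{ github.head_ref }}` or `${{ github.event.pull_request.title }}` inside a `run:` step is expanded into the script text before the shell sees it, so the value is executed as code rather than passed as data. The following is an added example, not Langflow's CI or any code from the project: a small line scanner that flags untrusted contexts used inside `run:` steps, together with two constructed workflow snippets, the second showing the standard fix of routing the value through an `env:` variable so the shell receives it as a quoted string.

```python
import re

# GitHub Actions expression contexts whose values come from whoever opened the
# PR, issue or comment. Interpolated into a `run:` script they become shell code.
UNTRUSTED_CONTEXTS = (
    "github.head_ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.event.head_commit.author.name",
    "github.event.head_commit.author.email",
    "github.event.commits",
    "github.event.pages",
)
EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
RUN_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")


def find_script_injections(workflow_text):
    """Return (line_number, expression) for every untrusted context interpolated
    inside a `run:` step. Handles inline `run: cmd` and the block-scalar forms
    `run: |` / `run: >`. This is a line scanner, not a full YAML parser, so it
    is a triage aid rather than a guarantee."""
    findings = []
    in_block, block_col = False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_RE.match(line)
        if m:
            body = m.group(1)
            if body.startswith(("|", ">")):
                in_block, block_col = True, line.index("run:")
                continue
            in_block, text = False, body
        elif in_block:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= block_col:
                in_block = False          # a dedent ends the block scalar
                continue
            text = line
        else:
            continue
        for expr in EXPR_RE.findall(text):
            if any(expr.startswith(ctx) for ctx in UNTRUSTED_CONTEXTS):
                findings.append((lineno, expr))
    return findings


# Constructed sample workflows (not Langflow's real CI files).
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Announce
        run: echo "Building ${{ github.event.pull_request.title }}"
      - name: Tag image
        run: |
          TAG=${{ github.head_ref }}
          docker build -t app:$TAG .
"""

# Same steps with the values passed through env: the shell sees $PR_TITLE and
# $BRANCH as data; the branch is additionally sanitised before use as an image tag.
FIXED_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Announce
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building $PR_TITLE"
      - name: Tag image
        env:
          BRANCH: ${{ github.head_ref }}
        run: |
          docker build -t "app:${BRANCH//[^A-Za-z0-9._-]/_}" .
"""
```

Run `find_script_injections` over every file under `.github/workflows/`; each hit is a place where a pull request title or branch name reaches a shell unquoted. Moving the value into `env:` is the fix, and limiting the job's `permissions:` bounds what a stolen GITHUB_TOKEN can do if a hit is missed.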
-
CVE-2026-33340
CRITICAL
CVSS 9.1
A critical Server-Side Request Forgery (SSRF) vulnerability in the LoLLMs WEBUI application lets unauthenticated remote attackers make the server issue arbitrary GET requests through the `/api/proxy` endpoint. All known versions of lollms-webui are affected and, as of publication, no patched version is available. An attacker can use the endpoint to reach internal services, scan the local network, or read cloud instance metadata such as AWS or GCP IAM credentials.
SSRF
Authentication Bypass
-
CVE-2026-4755
CRITICAL
CVSS 9.8
A critical input validation vulnerability (CWE-20) in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 allows unauthenticated remote attackers to achieve complete compromise of confidentiality, integrity, and availability. The flaw was reported by GovTech CSG; its CVSS score of 9.8 reflects network-accessible exploitation with no privileges or user interaction required. A fix is available from the vendor via GitHub pull request #193.
Google
Information Disclosure
Android
-
CVE-2026-4753
CRITICAL
CVSS 9.1
RetroDebugger versions before 0.64.72 contain an out-of-bounds read vulnerability that allows remote attackers to cause denial of service and potentially disclose sensitive information without authentication or user interaction. The network-accessible vulnerability has a CVSS score of 9.1 and a patch is available.
Buffer Overflow
Information Disclosure
-
CVE-2026-4750
CRITICAL
CVSS 9.1
Out-of-bounds read in woof before version 15.3.0 allows remote attackers to trigger information disclosure and denial of service without authentication or user interaction. The affected package is shipped by Debian, and the flaw can be exploited over the network to leak sensitive data or crash the application. A patch is available and should be applied promptly.
Buffer Overflow
Debian
Information Disclosure
-
CVE-2026-4746
CRITICAL
CVSS 10.0
An out-of-bounds write in Proton versions before 1.6.16 allows remote attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The flaw is in the inflate.c module under base/poco/Foundation and can be exploited over the network without authentication or user interaction. A patch is available.
Buffer Overflow
Proton
-
CVE-2026-4745
CRITICAL
CVSS 10.0
A code injection vulnerability (improper control of code generation, CWE-94) exists in the Lua code bundled in dendibakh perf-ninja (ldo.c under labs/misc/pgo) and can lead to remote code execution. All versions of perf-ninja are affected according to the CPE entry. An attacker can use the flaw to inject and execute arbitrary code; a vendor patch is available.
Code Injection
RCE
Perf Ninja
-
CVE-2026-4744
CRITICAL
CVSS 9.3
An out-of-bounds read in the Oniguruma regex engine bundled with Notepad3 (regcomp.c) lets a local attacker who can get a user to open crafted input trigger memory disclosure or potentially code execution, with high impact on confidentiality, integrity, and availability. All versions before 6.25.714.1 are affected and the CVSS score is 9.3. A patch is available and users should update.
Buffer Overflow
Information Disclosure
Notepad3
-
CVE-2026-4739
CRITICAL
CVSS 9.4
An integer overflow in the Expat XML parser module within InsightSoftwareConsortium ITK before version 2.7.1 allows remote attackers to cause a denial of service or potentially execute arbitrary code via specially crafted XML input. Exploitation requires only network access and user interaction (opening the crafted document). A patch is available in 2.7.1 and later.
Buffer Overflow
Itk
-
CVE-2026-4738
CRITICAL
CVSS 9.4
A buffer overflow vulnerability in GDAL versions before 3.11.0 within the zlib infback9 module allows remote attackers to achieve arbitrary code execution or cause denial of service through specially crafted compressed data. The vulnerability requires user interaction to trigger but has a network attack vector with no authentication needed. A patch is available and should be applied immediately to affected GDAL installations.
Buffer Overflow
Gdal
-
CVE-2026-4734
CRITICAL
CVSS 9.4
A buffer overflow in Modizer before v4.3 allows remote attackers to achieve arbitrary code execution or denial of service via specially crafted input that defeats the memory boundary checks in the IMAP module of the curl library integrated alongside libopenmpt. The flaw is network-accessible and needs only minimal user interaction. A patch is available and should be applied promptly given the severity and confirmed attack vector.
Buffer Overflow
Denial Of Service
Modizer
-
CVE-2026-4729
CRITICAL
CVSS 9.8
Multiple memory safety bugs in Firefox 148 and Thunderbird 148 can lead to memory corruption, and Mozilla presumes that with enough effort some of them could be exploited to run arbitrary code. Firefox 149 contains the fixes, as does the corresponding Thunderbird release. Exploitation requires nothing beyond normal browsing of attacker-controlled content.
Mozilla
RCE
Buffer Overflow
Firefox
Thunderbird
-
CVE-2026-4725
CRITICAL
CVSS 10.0
A use-after-free in Firefox's Canvas2D graphics component can be used to escape the browser sandbox and execute arbitrary code on systems running Firefox versions prior to 149. No interaction beyond rendering attacker-controlled content is required, and the CVSS score of 10.0 reflects impact on the host beyond the sandboxed content process. Firefox 149 contains the fix.
Information Disclosure
Memory Corruption
Mozilla
Use After Free
Firefox
-
CVE-2026-4724
CRITICAL
CVSS 9.1
An undefined-behavior bug in the Firefox Audio/Video component could lead to information disclosure; all Firefox versions prior to 149 are affected. Public exploitation details are limited and no CWE is assigned, but the information disclosure classification suggests an attacker could read data from the multimedia subsystem or use the bug to cross a security boundary within it.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4723
CRITICAL
CVSS 9.8
Firefox versions prior to 149 contain a use-after-free in the JavaScript engine that lets an unauthenticated remote attacker achieve arbitrary code execution once attacker-controlled script runs, with no further user interaction. Every Firefox user on an affected version is exposed; Firefox 149 contains the fix.
Information Disclosure
Memory Corruption
Mozilla
Use After Free
Firefox
-
CVE-2026-4721
CRITICAL
CVSS 9.8
Multiple memory safety bugs affecting Firefox, Firefox ESR, and Thunderbird can lead to memory corruption with a presumed path to remote code execution. Affected releases: Firefox 148 (fixed in 149), Firefox ESR below 115.34 and below 140.9, Thunderbird 148, and Thunderbird ESR 140.8. Some of these bugs showed evidence of exploitable memory corruption, though no public exploit or CISA KEV listing is currently documented.
Mozilla
RCE
Buffer Overflow
Firefox
Thunderbird
-
CVE-2026-4720
CRITICAL
CVSS 9.8
Multiple memory safety bugs affecting Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR can lead to memory corruption and, with enough effort, arbitrary code execution. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are confirmed affected. The class covers buffer overflows and related memory safety defects; no public exploitation has been documented at this time.
Mozilla
RCE
Buffer Overflow
Firefox
Thunderbird
-
CVE-2026-4717
CRITICAL
CVSS 9.8
Firefox's Netmonitor (DevTools Network Monitor) component contains a privilege escalation vulnerability affecting versions prior to 149 and ESR prior to 140.9. Its CVSS score of 9.8 reflects a network attack vector with no privileges or user interaction required and full impact on confidentiality, integrity, and availability. Firefox 149 and ESR 140.9 contain the fix.
Mozilla
Privilege Escalation
Firefox
-
CVE-2026-4716
CRITICAL
CVSS 9.1
Memory safety flaws in the JavaScript engine of Mozilla Firefox below 149 and Firefox ESR below 140.9 (incorrect boundary conditions and use of uninitialized memory) can lead to remote code execution and denial of service without user interaction or special privileges. An unauthenticated attacker can use them for high-impact information disclosure and to crash the browser. Firefox 149 and ESR 140.9 contain the fix.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4715
CRITICAL
CVSS 9.1
An uninitialized memory vulnerability exists in Firefox and Firefox ESR's Graphics Canvas2D component that can lead to information disclosure. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. An attacker can exploit this by crafting malicious Canvas2D operations to read uninitialized memory contents from the graphics rendering pipeline, potentially exposing sensitive data from the browser process.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4711
CRITICAL
CVSS 9.8
A use-after-free in Firefox's Cocoa widget component (the macOS widget layer) allows remote code execution without user interaction or special privileges, affecting Firefox below 149 and ESR below 140.9. Exploited over the network, the memory corruption yields full compromise of confidentiality, integrity, and availability. Firefox 149 and ESR 140.9 contain the fix.
Information Disclosure
Memory Corruption
Mozilla
Use After Free
Firefox
-
CVE-2026-4710
CRITICAL
CVSS 9.8
An incorrect boundary conditions vulnerability exists in Firefox and Firefox ESR's Audio/Video component that enables information disclosure attacks. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. Attackers can exploit improper boundary validation in audio/video processing to leak sensitive information from the browser process.
Mozilla
Buffer Overflow
Firefox
-
CVE-2026-4705
CRITICAL
CVSS 9.8
An undefined behavior vulnerability exists in the WebRTC Signaling component of Mozilla Firefox and Firefox ESR, potentially enabling information disclosure attacks. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. While specific exploitation mechanics are not fully detailed in available public sources, the vulnerability is classified as an information disclosure issue that could allow attackers to extract sensitive data through malformed WebRTC signaling messages.
Information Disclosure
Mozilla
Firefox
-
CVE-2026-4702
CRITICAL
CVSS 9.8
A JIT (Just-In-Time) compilation miscompilation vulnerability exists in Firefox's JavaScript Engine that can lead to information disclosure. This affects Firefox versions below 149 and Firefox ESR versions below 140.9. An attacker can exploit this vulnerability through malicious JavaScript code to potentially disclose sensitive information from the browser's memory or process space.
Mozilla
Memory Corruption
Information Disclosure
Firefox
-
CVE-2026-4701
CRITICAL
CVSS 9.8
Mozilla Firefox versions below 149 (and ESR versions below 140.9) contain a use-after-free in the JavaScript engine that lets unauthenticated remote attackers achieve arbitrary code execution without user interaction. The memory corruption gives full compromise of the affected browser process through network-based attacks and, chained with a sandbox escape, of the host. Firefox 149 and ESR 140.9 contain the fix.
Mozilla
Use After Free
Memory Corruption
Information Disclosure
Firefox
-
CVE-2026-4700
CRITICAL
CVSS 9.8
This is a mitigation bypass in Firefox's HTTP networking component that lets attackers circumvent an existing security control. Firefox below 149 and Firefox ESR below 140.9 are affected. The available summary does not say which HTTP-level protection is bypassed; given the classification and Mozilla's advisory, update promptly.
Mozilla
Authentication Bypass
Firefox
-
CVE-2026-4698
CRITICAL
CVSS 9.8
A JIT miscompilation vulnerability exists in Firefox's JavaScript engine that can lead to information disclosure. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this flaw through malicious JavaScript to extract sensitive information from the browser's memory, potentially compromising user data and system security.
Mozilla
Memory Corruption
Information Disclosure
Firefox
-
CVE-2026-4696
CRITICAL
CVSS 9.8
Unauthenticated remote attackers can achieve arbitrary code execution through a use-after-free in Firefox's text and font rendering engine, affecting Firefox below 149, ESR below 115.34, and ESR below 140.9. The flaw requires no user interaction or special privileges and allows full compromise of confidentiality, integrity, and availability. Firefox 149, ESR 115.34, and ESR 140.9 contain the fix.
Information Disclosure
Memory Corruption
Mozilla
Use After Free
Firefox
-
CVE-2026-4692
CRITICAL
CVSS 10.0
A sandbox escape vulnerability exists in Firefox's Responsive Design Mode component that allows attackers to break out of the browser's security sandbox and access sensitive information. This affects Firefox versions prior to 149, Firefox ESR prior to 115.34, and Firefox ESR prior to 140.9. An attacker can exploit this vulnerability to disclose information by circumventing the sandbox restrictions that normally isolate web content from the browser's privileged context.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4691
CRITICAL
CVSS 9.8
A critical use-after-free in Mozilla Firefox's CSS parsing engine enables unauthenticated remote code execution with no user interaction required, affecting Firefox below 149, ESR below 115.34, and ESR below 140.9. An attacker triggers the memory corruption with a crafted web page that is rendered by the victim, achieving full compromise of the browser. Firefox 149, ESR 115.34, and ESR 140.9 contain the fix.
Information Disclosure
Memory Corruption
Mozilla
Use After Free
Firefox
-
CVE-2026-4689
CRITICAL
CVSS 10.0
A sandbox escape vulnerability exists in Firefox's XPCOM component due to incorrect boundary conditions and integer overflow, allowing attackers to bypass security sandboxing mechanisms. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this flaw to escape the browser sandbox and potentially execute arbitrary code with elevated privileges on the affected system.
Mozilla
Buffer Overflow
Firefox
-
CVE-2026-4688
CRITICAL
CVSS 10.0
A use-after-free in Mozilla Firefox's Disability Access APIs (accessibility) component enables a sandbox escape that lets unauthenticated remote attackers execute arbitrary code with full system compromise. Firefox below 149 and Firefox ESR below 140.9 are affected; Firefox 149 and ESR 140.9 contain the fix. The flaw is exploitable over the network without user interaction and presents critical risk to all affected users.
Information Disclosure
Memory Corruption
Mozilla
Use After Free
Firefox
-
CVE-2026-4283
CRITICAL
CVSS 9.1
The WP DSGVO Tools (GDPR) plugin for WordPress contains an authentication bypass vulnerability that allows unauthenticated attackers to permanently destroy any non-administrator user account. Attackers can trigger immediate and irreversible account anonymization (randomizing passwords, overwriting usernames/emails, stripping roles, anonymizing comments, and wiping sensitive metadata) by submitting a victim's email address with a publicly available nonce. All versions up to and including 3.1.38 are affected, with a CVSS score of 9.1 indicating critical severity.
WordPress
Authentication Bypass
-
CVE-2025-71275
CRITICAL
CVSS 9.3
A critical unauthenticated remote code execution vulnerability exists in the PostJournal service of Zimbra Collaboration Suite 8.8.15. The service passes the RCPT TO parameter of an SMTP session to a shell without sanitization, so shell expansion syntax (command substitution) in the recipient address executes arbitrary system commands. A publicly available proof-of-concept exploit exists (PacketStorm), which significantly raises the likelihood of exploitation. With a critical CVSS score, a network attack vector, and no authentication or user interaction required, this is an immediate threat to exposed Zimbra installations.
RCE
Command Injection
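The root cause above is the splice-a-string-into-a-shell pattern, and the fix is two-fold: validate the mailbox against an allowlist that excludes shell metacharacters, and hand the value to the child process as an argument vector so no shell ever parses it. The block below is an added example in Python, not Zimbra's PostJournal code (which is not Python); the `journal-deliver` helper name is hypothetical and the sample RCPT TO lines are constructed.

```python
import re
import subprocess
import sys

RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<?([^<>\s]+)>?\s*$", re.IGNORECASE)
# Deliberately narrower than RFC 5321 atext: '$', backtick, '|', '&', quotes and
# parentheses are legal in a local-part but are exactly what a shell interprets.
LOCAL_SAFE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}$")
DOMAIN_SAFE = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


def parse_rcpt_to(line):
    """Extract and validate the mailbox from an SMTP RCPT TO line.
    Returns 'local@domain' or raises ValueError."""
    m = RCPT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed RCPT TO")
    addr = m.group(1)
    if addr.count("@") != 1:
        raise ValueError("mailbox must contain exactly one '@'")
    local, domain = addr.split("@")
    if not LOCAL_SAFE.match(local) or not DOMAIN_SAFE.match(domain):
        raise ValueError(f"rejected mailbox {addr!r}")
    return addr


def is_rejected_rcpt(line):
    try:
        parse_rcpt_to(line)
    except ValueError:
        return True
    return False


def vulnerable_command_line(addr):
    """The bug pattern: the recipient is spliced into a string handed to /bin/sh,
    so $(...) or backticks in addr are expanded before the program starts.
    Returned as text for illustration only; never execute it."""
    return f"journal-deliver --rcpt {addr}"


def safe_argv(addr):
    """Argument-vector form for subprocess.run(argv) with shell=False: nothing
    parses metacharacters, so they reach the program as literal bytes."""
    return ["journal-deliver", "--rcpt", addr]


def argv_is_inert(addr):
    """Demonstrate that metacharacters survive untouched when no shell is involved:
    a child Python process prints its argv[1] and we return what it printed."""
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", addr],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.rstrip("\n")
```

Validation alone is not enough if the command is still built as a string (a future change to the allowlist reopens the hole), and argv-only is not enough if the receiving program itself shells out; do both.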
-
CVE-2025-33244
CRITICAL
CVSS 9.0
NVIDIA APEX for Linux contains a deserialization of untrusted data vulnerability that affects environments using PyTorch versions earlier than 2.6. An attacker with low privileges on an adjacent network can exploit this flaw to achieve code execution, denial of service, privilege escalation, data tampering, and information disclosure with scope change (CVSS 9.0 Critical). No KEV listing or public POC availability has been reported at this time.
Information Disclosure
RCE
Deserialization
Denial Of Service
Nvidia
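Deserialization of untrusted data in a PyTorch context almost always means a pickle stream: any global named in the stream is imported and may be called during loading, which is why PyTorch 2.6 switched `torch.load` to `weights_only=True` (a restricted unpickler) by default. The block below is an added example, not NVIDIA APEX or PyTorch code: it shows a constructed payload whose `__reduce__` makes the loader call a function (a harmless `os.getcwd` stands in for `os.system`), and a restricted unpickler with a hypothetical allowlist that refuses it while still loading a benign checkpoint-like object.

```python
import io
import os
import pickle
from collections import OrderedDict


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allowlist of globals.

    ALLOWED is a hypothetical allowlist for this example. A real checkpoint
    loader lists the tensor/ndarray reconstructors its format needs and never
    anything from os, subprocess, builtins or importlib."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


class Gadget:
    """Constructed payload object: __reduce__ instructs the unpickler to call
    os.getcwd() with no arguments while loading. A real payload would name
    os.system or subprocess.Popen and pass a command string instead."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_payload():
    return pickle.dumps(Gadget())


def benign_checkpoint():
    """Constructed stand-in for a weights file: an OrderedDict of plain floats."""
    return pickle.dumps(OrderedDict([("layer0.weight", [0.5, -0.25])]))


def load_unrestricted(data):
    """What torch.load did before weights_only=True became the default:
    every global named in the stream is imported and callable on load."""
    return pickle.loads(data)


def load_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False
```

For APEX on PyTorch older than 2.6, the practical equivalents are passing `weights_only=True` to `torch.load` explicitly, or not loading checkpoints from sources you do not control at all; a restricted unpickler blocks the gadget class, but an allowlist that is too broad (anything that can import or exec) reopens it.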
-
CVE-2026-33856
HIGH
CVSS 7.5
Memory leaks in MolotovCherry Android-ImageMagick7 versions prior to 7.1.2-11 allow remote attackers to cause denial of service by exhausting available memory without authentication. The vulnerability stems from improper memory management that fails to release resources after use, potentially crashing applications or rendering devices unresponsive.
Google
Information Disclosure
Android
-
CVE-2026-33854
HIGH
CVSS 8.8
Memory corruption through an out-of-bounds write in Android-ImageMagick7 before version 7.1.2-10 enables remote code execution when a user processes a malicious image file. An attacker can exploit the flaw over the network without authentication to achieve complete compromise of the application, including data theft, modification, and denial of service. A patched release of the library is available.
Google
Buffer Overflow
Memory Corruption
Android
-
CVE-2026-33852
HIGH
CVSS 7.5
This vulnerability is a memory leak (CWE-401) in Android-ImageMagick7, a port of ImageMagick for Android, that allows remote attackers to cause denial of service by exhausting memory resources. The issue affects all versions of MolotovCherry Android-ImageMagick7 prior to version 7.1.2-11. With a CVSS score of 7.5 and a network-based attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), attackers can remotely trigger high-impact availability disruption, though there is no current evidence of active exploitation or public proof-of-concept.
Google
Information Disclosure
Android
-
CVE-2026-33851
HIGH
CVSS 7.8
Buffer overflow in doslib versions prior to 20250729 allows local attackers with user interaction to achieve full system compromise including code execution, data theft, and denial of service. The vulnerability requires local access and user interaction to trigger, but once exploited grants complete control over affected systems.
Buffer Overflow
-
CVE-2026-33850
HIGH
CVSS 7.8
WujekFoliarz DualSenseY-v2 versions prior to 54 contain an out-of-bounds write vulnerability that allows local attackers, with user interaction, to achieve arbitrary code execution with full compromise of the affected system. The CVSS 7.8 rating reflects high impact on confidentiality, integrity, and availability through memory corruption. A patch is available for affected users to mitigate this local code-execution risk.
Buffer Overflow
Memory Corruption
-
CVE-2026-33849
HIGH
CVSS 8.8
RapidVMS before PR#96 contains a buffer overflow vulnerability that allows unauthenticated remote attackers to achieve code execution, data theft, or system compromise with minimal user interaction. The flaw stems from improper memory bounds checking and carries a high CVSS score of 8.8 with network-based attack vectors. A patch is available to address this critical memory safety issue.
Buffer Overflow
-
CVE-2026-33848
HIGH
CVSS 8.8
RapidVMS before patch PR#96 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code without authentication or user interaction. The high CVSS score (8.8) reflects the critical nature of this network-accessible flaw affecting confidentiality, integrity, and availability of affected systems. A patch is available and should be prioritized immediately given the severe exploitation potential.
Buffer Overflow
-
CVE-2026-33847
HIGH
CVSS 7.8
This is a memory buffer boundary restriction vulnerability (buffer overflow) in LinkingVision RapidVMS that allows an attacker with local access to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability affects all versions of RapidVMS prior to PR#96 and has been patched by the vendor via GitHub pull request #98. While the CVSS score is 7.8 (high severity), the local attack vector and required user interaction reduce the immediate remote exploitation risk, and there is no evidence of active exploitation or public proof-of-concept at this time.
Buffer Overflow
-
CVE-2026-33680
HIGH
CVSS 7.5
Vikunja, an open-source self-hosted task management platform, contains an authorization bypass vulnerability that allows attackers with read-only link share access to escalate privileges to full admin access. The ReadAllWeb handler fails to enforce proper access controls when listing link shares, exposing secret hashes for higher-privilege shares. Versions prior to 2.2.2 are affected, and a patch is available in version 2.2.2.
Authentication Bypass
-
CVE-2026-33678
HIGH
CVSS 8.1
Vikunja, an open-source self-hosted task management platform, contains an insecure direct object reference (IDOR) vulnerability that allows any authenticated user to access or delete attachments belonging to other users' tasks. The vulnerability affects all versions prior to 2.2.1, enabling attackers to enumerate and download attachments by combining their own valid task ID with sequential attachment IDs. With a CVSS score of 8.1 (High severity), this represents a significant confidentiality and integrity risk, though no evidence of active exploitation (KEV) or public proof-of-concept has been reported.
Authentication Bypass
-
CVE-2026-33668
HIGH
CVSS 7.1
Vikunja versions 0.18.0 through 2.2.0 contain an authentication bypass vulnerability where disabled or locked user accounts can continue accessing the system through alternative authentication mechanisms. The vulnerability affects the go-vikunja/vikunja product across all matching versions, allowing attackers with knowledge of valid but disabled account credentials to retain API access, CalDAV synchronization, and OpenID Connect sessions despite administrative account lockdown. No EPSS data is available from official sources, but the vulnerability represents a critical authorization control failure (CWE-285) with high real-world impact in multi-tenant or regulated environments where disabling an account is the primary access revocation mechanism.
Authentication Bypass
-
CVE-2026-33627
HIGH
CVSS 7.1
Parse Server versions prior to 8.6.61 and 9.6.0-alpha.55 expose sensitive authentication material to authenticated users via the GET /users/me endpoint, including MFA TOTP secrets and recovery codes that should have been sanitized from the response. An attacker who obtains a valid user session token can extract these MFA secrets to bypass multi-factor authentication indefinitely and gain unauthorized access to the account. No EPSS data is currently available, but patches are confirmed in both the stable and alpha releases.
Node.js
Information Disclosure
-
CVE-2026-33554
HIGH
CVSS 7.5
FreeIPMI versions before 1.16.17 contain exploitable buffer overflows in the ipmi-oem command's response message handling for three vendor-specific subcommands: Dell's get-last-post-code, Supermicro's extra-firmware-info, and Wistron's read-proprietary-string. An attacker who can intercept or control IPMI server responses (a malicious or compromised BMC, or a position on the management network) could trigger these overflows to achieve arbitrary code execution on systems running vulnerable versions of FreeIPMI. No EPSS data or public exploitation confirmation is currently available, but the vulnerabilities are documented in Savannah bug reports with clear technical details.
Debian
Buffer Overflow
Dell
Stack Overflow
-
CVE-2026-33539
HIGH
CVSS 8.6
Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability in PostgreSQL aggregate operations that allows attackers holding the master key to execute arbitrary SQL statements, escalating from application-level administrator privileges to direct database access. Only PostgreSQL-backed Parse Server deployments are affected; MongoDB deployments are not vulnerable. No EPSS data is currently available, and no KEV listing or active exploitation has been confirmed at this time.
Privilege Escalation
Node.js
PostgreSQL
SQLi
-
CVE-2026-33538
HIGH
CVSS 8.7
An unauthenticated denial-of-service vulnerability exists in Parse Server versions prior to 8.6.58 and 9.6.0-alpha.52, where attackers can submit authentication requests with arbitrary, unconfigured provider names to trigger expensive unindexed database queries. Each malicious request causes a full collection scan on the user database, and since these requests can be parallelized, an attacker can rapidly exhaust database resources and degrade service availability. The vulnerability requires no authentication or special privileges, making it trivial to exploit at scale, and patches are available in the referenced versions.
Node.js
Denial Of Service
-
CVE-2026-33511
HIGH
CVSS 8.8
pyLoad versions 0.4.20 through 0.5.0b3.dev96 contain an authentication bypass vulnerability in the ClickNLoad feature's local_check decorator that allows remote attackers to spoof the HTTP Host header and access localhost-restricted endpoints without authentication. This vulnerability enables unauthenticated remote users to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code with the privileges of the pyLoad process. The vulnerability has been patched in version 0.5.0b3.dev97, and exploitation appears feasible given the straightforward nature of HTTP header manipulation.
Python
Authentication Bypass
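The decisive detail above is which fact the "is this request local?" check rests on. The Host header is chosen by the client, so a check built on it is satisfied by anyone who sends `Host: localhost`; the peer address of the TCP connection is observed by the server and cannot be spoofed the same way. The block below is an added example written for this page, not pyLoad's `local_check` decorator or any pyLoad code: the vulnerable and fixed checks side by side, behind a hypothetical endpoint guard, with constructed request headers (9666 is used as the sample port).

```python
import ipaddress


def _host_from_header(host_header):
    """Strip an optional :port from a Host header value ([v6]:port aware)."""
    h = host_header.strip()
    if h.startswith("["):
        return h[1:h.index("]")]
    if h.count(":") == 1:
        return h.rsplit(":", 1)[0]
    return h


def local_check_vulnerable(peer_ip, host_header):
    """The bypassable pattern: decides from the Host header, which the client
    chooses. Any remote client can simply send 'Host: localhost'."""
    return _host_from_header(host_header).lower() in ("localhost", "127.0.0.1", "::1")


def local_check_fixed(peer_ip, host_header):
    """Decides from the transport peer address the server observed itself; the
    Host header is ignored. Do not substitute X-Forwarded-For here unless a
    trusted reverse proxy is known to overwrite it on every request."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return addr.is_loopback


def handle_click_n_load(peer_ip, headers, local_check):
    """Hypothetical guard modelled on a localhost-only decorator:
    returns the HTTP status code the request would get."""
    host = headers.get("Host", "")
    return 200 if local_check(peer_ip, host) else 403
```

If the service must sit behind a reverse proxy, the proxy should terminate the localhost-only routes itself rather than forwarding them, because once traffic is forwarded the peer address is the proxy's and the decision again depends on a header.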
-
CVE-2026-33407
HIGH
CVSS 8.3
Wallos, an open-source self-hostable subscription tracker, contains a Server-Side Request Forgery (SSRF) vulnerability in the endpoints/logos/search.php endpoint prior to version 4.7.0. The endpoint builds an outbound request from a user-supplied search term and honours the HTTP_PROXY and HTTPS_PROXY environment variables without validation, so an unauthenticated attacker can steer the outbound request to an arbitrary domain by influencing how the request target is resolved. The attack requires no privileges and can be carried out remotely over the network, making it a significant risk for exposed Wallos instances.
SSRF
PHP
-
CVE-2026-33401
HIGH
CVSS 7.1
Wallos, an open-source self-hostable subscription tracker, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.7.0 that allows authenticated users to reach internal network services, cloud metadata endpoints, and localhost-bound services. The vulnerability exists in three unprotected attack surfaces: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job, areas that were missed when SSRF protections were partially implemented in an earlier patch (CVE-2026-30840). An attacker with valid credentials can use these endpoints to reach sensitive internal resources including the AWS IMDSv1, GCP, and Azure metadata services.
SSRF
Microsoft
Ollama
AI / ML
-
CVE-2026-33399
HIGH
CVSS 7.7
An incomplete Server-Side Request Forgery (SSRF) mitigation in Wallos, a self-hostable subscription tracker, allows authenticated attackers to bypass security controls and force the application to make requests to internal or private IP addresses. Wallos versions prior to 4.7.0 are affected. The vulnerability occurs because SSRF validation was added to test notification endpoints but not the corresponding save endpoints, enabling attackers to store malicious URLs that execute without validation when the cron job runs. No active exploitation (KEV) or public POC is currently documented.
SSRF
PHP
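The three Wallos entries above and the LoLLMs `/api/proxy` entry earlier on this page share one lesson: an outbound fetcher must validate the destination at the moment it connects, not only when a URL is saved or tested, and it must judge every address a hostname resolves to, since the 169.254.169.254 metadata address is reachable through a DNS name as easily as through a literal. The block below is an added example, not code from Wallos (which is PHP) or LoLLMs: a destination validator that rejects loopback, private, link-local, CGNAT and IPv4-mapped addresses, with an injectable resolver so it runs offline against a constructed lookup table (the addresses in it are placeholders).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound fetcher must never reach. ipaddress' own flags cover loopback,
# RFC 1918, link-local (169.254.0.0/16 includes the cloud metadata address) and the
# IANA special-purpose blocks; CGNAT is added because is_private excludes it.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def ip_is_forbidden(ip_text):
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # judge ::ffff:a.b.c.d as a.b.c.d
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or any(addr in net for net in EXTRA_BLOCKED))


def resolve_all(host, resolver=None):
    """Every address `host` resolves to. `resolver` is an injection point for a
    fixed lookup table so the example runs offline; omit it to use real DNS."""
    if resolver is not None:
        return resolver(host)
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def validate_outbound_url(url, resolver=None):
    """Return the vetted IP list for `url` or raise ValueError.

    Call this at fetch time, not only when a URL is saved: a stored hostname can
    be re-pointed at an internal address before a scheduled job fetches it. All
    resolved addresses are checked, so a name returning one public and one
    private answer is rejected instead of letting the HTTP client choose."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ips = [str(ipaddress.ip_address(host))]      # literal address
    except ValueError:
        ips = resolve_all(host, resolver)
    if not ips:
        raise ValueError(f"cannot resolve {host!r}")
    bad = [ip for ip in ips if ip_is_forbidden(ip)]
    if bad:
        raise ValueError(f"{host!r} resolves to forbidden address(es) {bad}")
    return ips


def is_rejected(url, resolver=None):
    try:
        validate_outbound_url(url, resolver)
    except ValueError:
        return True
    return False


# Constructed lookup table standing in for DNS; addresses are placeholders.
FAKE_DNS = {
    "logo-cdn.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
    "imds-alias.example": ["169.254.169.254"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])
```

Two caveats the code does not cover. First, to close the window between this check and the connect, the HTTP client should connect to one of the returned IPs and send the original hostname in the Host header (or the validation must be repeated inside the client's connection hook); otherwise a short-TTL record can still rebind in between. Second, redirects must be disabled or each hop validated again, and the client must not honour proxy settings that an attacker can influence, which is the failure the `endpoints/logos/search.php` entry describes.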
-
CVE-2026-33330
HIGH
CVSS 7.1
A broken access control vulnerability in FileRise's ONLYOFFICE integration allows authenticated users with read-only permissions to overwrite files with malicious content by forging ONLYOFFICE save callbacks using legitimately obtained signed callbackUrls. FileRise versions prior to 3.10.0 are affected. There is no evidence of active exploitation (not in CISA KEV), but proof-of-concept details are available through the GitHub Security Advisory GHSA-6c3j-f4x4-36m3.
Authentication Bypass
-
CVE-2026-33329
HIGH
CVSS 8.1
FileRise, a self-hosted web file manager and WebDAV server, contains a path traversal vulnerability in its Resumable.js chunked upload handler where the resumableIdentifier parameter is concatenated into filesystem paths without sanitization. Authenticated users with upload permissions can exploit this to write files to arbitrary directories, delete arbitrary directories, and probe filesystem structure. No evidence of active exploitation (not in CISA KEV) or public POC availability has been reported at this time.
Path Traversal
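The entry above describes the textbook traversal shape: a client-chosen identifier is joined onto a storage path, so `../..` walks out of the upload root and an absolute identifier replaces it entirely. The block below is an added example in Python, not FileRise's PHP upload handler: the vulnerable join beside a safe version that allowlists the identifier and then proves the resolved target still lies under the root, which is the check to apply to the chunk-directory delete as well as the write.

```python
import os
import re
import tempfile

# Resumable.js identifiers are opaque client-generated tokens; accept only a
# tight alphabet so '/', '\\', '..' and NUL never reach a filesystem call.
IDENT_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")

# Constructed upload root for the example (nothing is written to it).
UPLOAD_ROOT = os.path.join(tempfile.gettempdir(), "filerise-uploads")


def chunk_path_vulnerable(upload_root, identifier, chunk_no):
    """The bug pattern: the client-supplied identifier is joined into the path
    as-is. '../..' walks out of the root and an absolute identifier replaces it."""
    return os.path.join(upload_root, identifier, f"chunk.{chunk_no}")


def chunk_path_safe(upload_root, identifier, chunk_no):
    """Validate the identifier, then prove the resolved target is inside the
    root. Use the same function for the directory a cleanup step deletes."""
    if not IDENT_RE.fullmatch(identifier):
        raise ValueError("invalid resumableIdentifier")
    if not isinstance(chunk_no, int) or chunk_no < 1:
        raise ValueError("invalid chunk number")
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, identifier, f"chunk.{chunk_no}"))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload root")
    return target


def escapes_root(upload_root, path):
    """True if `path` resolves outside `upload_root` (used to show the bug)."""
    root = os.path.realpath(upload_root)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def is_rejected_identifier(identifier):
    try:
        chunk_path_safe(UPLOAD_ROOT, identifier, 1)
    except ValueError:
        return True
    return False
```

The allowlist does the real work; the realpath/commonpath check is defence in depth for the day someone loosens the regex, and it also catches symlinks planted inside the root that point outside it.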
-
CVE-2026-33307
HIGH
CVSS 7.5
Mod_gnutls, a TLS module for Apache HTTPD, contains a stack-based buffer overflow vulnerability in its client certificate verification code. Versions prior to 0.12.3 and 0.13.0 fail to validate the length of client-provided certificate chains before writing pointers to a fixed-size array, typically causing segmentation faults (denial of service) and theoretically enabling stack corruption. Only configurations explicitly requiring client certificate verification are affected; default configurations using 'GnuTLSClientVerify ignore' are not vulnerable.
Apache
Buffer Overflow
Stack Overflow
-
CVE-2026-33298
HIGH
CVSS 7.8
Remote code execution in llama.cpp prior to commit b7824 is possible through a crafted GGUF file that exploits an integer overflow in the `ggml_nbytes` function, causing a heap buffer overflow during tensor processing. An attacker can bypass memory validation by specifying tensor dimensions that cause the size calculation to underflow dramatically, allowing memory corruption and potential code execution. The vulnerability affects Debian and other systems running vulnerable versions of llama.cpp, with no patch currently available.
Debian
RCE
Buffer Overflow
Heap Overflow
-
CVE-2026-33250
HIGH
CVSS 7.5
Freeciv21, an open-source turn-based strategy game, contains a stack overflow vulnerability that allows remote attackers to crash servers or client applications through specially-crafted network packets. All versions prior to 3.1.1 are affected, with exploitation requiring no authentication and leaving no useful logs by default. While there is no evidence of active exploitation (not in CISA KEV) or public proof-of-concept code, Debian has issued security advisory DSA-6173-1 indicating distribution-level concern.
Denial Of Service
Debian
-
CVE-2026-33247
HIGH
CVSS 7.4
A credential exposure vulnerability exists in NATS.io nats-server where static authentication credentials passed via command-line arguments are disclosed through the monitoring port's /debug/vars endpoint without redaction. NATS.io nats-server versions prior to 2.12.6 and 2.11.15 are affected. An attacker with network access to the monitoring port can retrieve plaintext credentials and gain unauthorized access to the messaging system, though this requires the uncommon configuration of both using command-line credentials and enabling monitoring.
Information Disclosure
-
CVE-2026-33218
HIGH
CVSS 7.5
A pre-authentication vulnerability in NATS.io nats-server allows unauthenticated attackers to crash the server by sending a specially crafted malformed message to the leafnode port. All versions of nats-server prior to v2.12.6 and v2.11.15 are affected. This is a high-severity denial-of-service vulnerability with a CVSS score of 7.5, exploitable over the network without authentication, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.
Denial Of Service
-
CVE-2026-33217
HIGH
CVSS 7.1
An access control list (ACL) bypass vulnerability exists in NATS.io nats-server that allows authenticated MQTT clients to bypass subject-based authorization controls. Affected versions include all nats-server releases before v2.12.6 and v2.11.15. When ACLs are configured to restrict access to message subjects, these controls are not enforced within the $MQTT.> namespace, enabling low-privileged MQTT users to publish or subscribe to subjects they should not have access to.
Authentication Bypass
-
CVE-2026-33216
HIGH
CVSS 8.6
NATS.io nats-server versions prior to v2.12.6 and v2.11.15 expose MQTT user passwords through unsecured monitoring endpoints. The vulnerability incorrectly classifies MQTT passwords as non-authenticating identity statements (JWT), causing them to leak via monitoring APIs accessible over the network without authentication. With a CVSS score of 8.6 and network-based attack vector requiring no privileges, this poses significant risk to credential confidentiality in MQTT deployments, though no active exploitation (KEV) or public proof-of-concept is currently documented.
Information Disclosure
-
CVE-2026-33157
HIGH
CVSS 8.6
A Remote Code Execution vulnerability exists in Craft CMS versions 4.x and 5.x that bypasses previous security patches for behavior injection attacks. An authenticated user with control panel access can exploit an unsanitized fieldLayouts parameter in the ElementIndexesController to inject malicious Yii2 behaviors and achieve arbitrary code execution. While no active exploitation (KEV) is documented, a patch is available and the vulnerability requires only low-privilege authenticated access, making it a significant risk for deployments with multiple control panel users.
PHP
RCE
-
CVE-2026-32647
HIGH
CVSS 8.5
NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that can lead to NGINX worker process termination or potentially remote code execution. An attacker with local access and the ability to supply a specially crafted MP4 file for processing can exploit this flaw when the mp4 directive is enabled in the configuration. The vulnerability has a CVSS score of 7.8 with high impact on confidentiality, integrity, and availability, though exploitation requires local access (AV:L) and low-level privileges (PR:L).
Nginx
Buffer Overflow
RCE
Information Disclosure
-
CVE-2026-30932
HIGH
CVSS 8.6
Froxlor, a web hosting control panel, contains an injection vulnerability in its DNS zone management API that allows authenticated customers with DNS privileges to inject BIND zone file directives (such as $INCLUDE) through unvalidated content fields in LOC, RP, SSHFP, and TLSA DNS record types. Attackers can leverage this to read arbitrary world-readable files on the server, disrupt DNS services, or inject unauthorized DNS records. A proof-of-concept exploit is publicly available demonstrating file inclusion attacks, and patches have been released by the vendor in version 2.3.5.
PHP
Information Disclosure
-
CVE-2026-30653
HIGH
CVSS 7.5
Free5GC versions 4.2.0 and earlier are vulnerable to denial of service attacks through improper handling of authentication failures in the AMF component, allowing unauthenticated remote attackers to crash the service. The vulnerability requires no user interaction and can be exploited over the network, potentially disrupting 5G core network operations. No patch is currently available.
Denial Of Service
-
CVE-2026-29839
HIGH
CVSS 8.8
DedeCMS v5.7.118 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /sys_task_add.php endpoint that allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An attacker can craft a malicious webpage or email that, when visited by an authenticated DedeCMS administrator, will execute unwanted administrative tasks such as adding or modifying system tasks. While no CVSS score, EPSS data, or active KEV listing is currently available, a public proof-of-concept exists on GitHub demonstrating the vulnerability's exploitability.
PHP
CSRF
-
CVE-2026-29785
HIGH
CVSS 7.5
NATS server with leafnode clustering enabled is vulnerable to a denial-of-service crash triggered by remote attackers who exploit a null pointer dereference in the compression negotiation handler prior to authentication. Any attacker capable of connecting to a leafnode-configured NATS server can trigger a server panic, causing service disruption. A patch is available to remediate this high-severity vulnerability.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-27784
HIGH
CVSS 8.5
Integer overflow in NGINX 32-bit builds with the ngx_http_mp4_module allows local attackers to corrupt or overwrite worker process memory via specially crafted MP4 files, leading to denial of service. The vulnerability requires the mp4 directive to be enabled in the configuration and an attacker's ability to trigger MP4 file processing. No patch is currently available for affected deployments.
Nginx
Integer Overflow
Information Disclosure
Redhat
Suse
-
CVE-2026-27654
HIGH
CVSS 8.8
Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside the document root when MOVE/COPY methods are combined with prefix location and alias directives. The vulnerability affects NGINX Open Source and NGINX Plus installations using vulnerable configurations, though the low-privilege worker process context limits the scope of file manipulation. No patch is currently available for this high-severity issue.
Nginx
Buffer Overflow
Heap Overflow
Redhat
Suse
-
CVE-2026-27651
HIGH
CVSS 8.7
NGINX worker processes crash via a null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authentication is configured with retry-enabled backend servers. This denial of service vulnerability affects NGINX Plus and NGINX Open Source with no patch currently available, allowing unauthenticated remote attackers to terminate worker processes and degrade service availability.
Nginx
Denial Of Service
Null Pointer Dereference
Redhat
Suse
-
CVE-2026-24159
HIGH
CVSS 7.8
NVIDIA NeMo Framework contains an insecure deserialization vulnerability (CWE-502) that allows authenticated local attackers to execute arbitrary code. The vulnerability affects NVIDIA NeMo Framework installations and can lead to code execution, privilege escalation, information disclosure, and data tampering. According to CISA's SSVC framework, there is currently no evidence of active exploitation in the wild, and the attack is not automatable, though technical impact is rated as total.
RCE
Information Disclosure
Nvidia
Deserialization
-
CVE-2026-24158
HIGH
CVSS 7.5
NVIDIA Triton Inference Server contains a denial of service vulnerability in its HTTP endpoint that can be exploited by sending large compressed payloads. The vulnerability has a CVSS score of 7.5 (High) and is exploitable remotely without authentication or user interaction. There is no evidence of active exploitation (not in CISA KEV), and no public proof-of-concept has been identified at this time.
Denial Of Service
Nvidia
-
CVE-2026-24157
HIGH
CVSS 7.8
NVIDIA NeMo Framework contains a remote code execution vulnerability in its checkpoint loading mechanism caused by insecure deserialization (CWE-502). Attackers with local access and low privileges can exploit this to achieve code execution, privilege escalation, information disclosure, and data tampering with high impact on confidentiality, integrity, and availability. According to the SSVC framework, there is currently no observed exploitation in the wild, though the technical impact is rated as total.
RCE
Information Disclosure
Nvidia
Deserialization
-
CVE-2026-24152
HIGH
CVSS 7.8
NVIDIA Megatron-LM contains an unsafe deserialization vulnerability (CWE-502) in its checkpoint loading mechanism that allows remote code execution when a user loads a maliciously crafted checkpoint file. The vulnerability affects NVIDIA Megatron-LM installations and can lead to code execution, privilege escalation, information disclosure, and data tampering with a CVSS score of 7.8. The attack requires local access and low privileges but no user interaction once the malicious file is loaded.
RCE
Information Disclosure
Nvidia
Deserialization
-
CVE-2026-24151
HIGH
CVSS 7.8
NVIDIA Megatron-LM contains an insecure deserialization vulnerability (CWE-502) during model inferencing that allows remote code execution when a user loads a maliciously crafted input file. This vulnerability has a CVSS score of 7.8 and requires local access with low privileges but no user interaction, enabling attackers to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The vulnerability affects NVIDIA's large language model training framework widely used in AI research and production environments.
RCE
Information Disclosure
Nvidia
Deserialization
-
CVE-2026-24150
HIGH
CVSS 7.8
NVIDIA Megatron-LM contains an unsafe deserialization vulnerability (CWE-502) in its checkpoint loading functionality that allows remote code execution when a user is tricked into loading a maliciously crafted checkpoint file. The vulnerability affects NVIDIA Megatron-LM installations and can lead to code execution, privilege escalation, information disclosure, and data tampering with a CVSS score of 7.8. There is no current indication of active exploitation in CISA's KEV catalog, and EPSS data was not provided in the intelligence sources.
RCE
Information Disclosure
Nvidia
Deserialization
-
CVE-2026-24141
HIGH
CVSS 7.8
NVIDIA Model Optimizer for Windows and Linux contains an unsafe deserialization vulnerability in its ONNX quantization feature that allows attackers to execute arbitrary code by providing a malicious input file. Users who process untrusted ONNX model files are at risk of complete system compromise, including code execution, privilege escalation, data tampering, and information disclosure. There is no current evidence of active exploitation (not in CISA KEV) or public proof-of-concept availability.
Information Disclosure
RCE
Deserialization
Microsoft
Nvidia
-
CVE-2026-23921
HIGH
CVSS 8.7
A blind SQL injection vulnerability exists in Zabbix's API service layer (include/classes/api/CApiService.php) via the sortfield parameter that allows low-privilege users with API access to execute arbitrary SQL SELECT queries without direct result exfiltration. An attacker can leverage time-based blind SQL injection techniques to extract sensitive data such as session identifiers and administrator credentials, potentially leading to full administrative compromise of the Zabbix monitoring infrastructure. No CVSS score, EPSS data, or KEV status has been published, but the vulnerability's reliance on blind techniques and low-privilege requirement suggests moderate real-world exploitability.
PHP
SQLi
Suse
-
CVE-2026-23920
HIGH
CVSS 7.7
Authenticated users can bypass regex-based input validation in command injection action scripts by injecting newline characters that exploit multiline mode anchors, allowing shell command execution. This vulnerability affects systems using administrator-configured validation patterns with ^ and $ anchors, enabling authenticated attackers to achieve arbitrary command execution. No patch is currently available.
Command Injection
Suse
-
CVE-2026-23919
HIGH
CVSS 7.1
Zabbix Server and Proxy reuse JavaScript (Duktape) execution contexts across script items, JavaScript preprocessing, and webhooks for performance optimization, allowing non-super administrators to leak sensitive data about hosts they lack authorization to access through context variable persistence. The vulnerability enables information disclosure attacks where a regular administrator can access confidential monitoring data from restricted hosts by exploiting shared JavaScript execution environments. A patch has been released that makes built-in Zabbix JavaScript objects read-only, though global variable usage remains unsafe even after remediation.
Information Disclosure
Suse
-
CVE-2026-22739
HIGH
CVSS 8.6
Spring Cloud Config Server contains a path traversal vulnerability when using the native file system backend, allowing unauthenticated remote attackers to access arbitrary files outside configured search directories by manipulating the profile parameter in requests. This affects Spring Cloud versions 3.1.X before 3.1.13, 4.1.X before 4.1.9, 4.2.X before 4.2.3, 4.3.X before 4.3.2, and 5.0.X before 5.0.2. With a CVSS score of 8.6 indicating high confidentiality impact with some integrity and availability impact, and network-based attack vector requiring no authentication, this represents a significant information disclosure risk for exposed Config Server instances.
Java
Path Traversal
-
CVE-2026-22559
HIGH
CVSS 8.8
Ubiquiti UniFi Network Server versions 10.1.85 and earlier are vulnerable to account takeover through improper input validation when users click malicious links in social engineering attacks. An attacker can gain unauthorized account access with high impact on confidentiality, integrity, and availability. Users should upgrade to version 10.1.89 or later to remediate this vulnerability.
Ubiquiti
Authentication Bypass
-
CVE-2026-4775
HIGH
CVSS 7.8
A signed integer overflow vulnerability exists in the libtiff library's putcontig8bitYCbCr44tile function that leads to out-of-bounds heap writes through incorrect memory pointer calculations. Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10 are confirmed affected. An attacker can exploit this by tricking a user into opening a specially crafted TIFF file, potentially achieving arbitrary code execution or causing application crashes.
Debian
Integer Overflow
Denial Of Service
RCE
-
CVE-2026-4756
HIGH
CVSS 7.8
Memory corruption through out-of-bounds writes in Android-ImageMagick7 prior to version 7.1.2-11 enables local attackers to achieve arbitrary code execution with user interaction. The vulnerability affects Google's implementation of ImageMagick and carries a CVSS score of 7.8, indicating high severity with complete confidentiality, integrity, and availability impact. A patch is available for affected users.
Buffer Overflow
Google
Memory Corruption
Android
-
CVE-2026-4741
HIGH
CVSS 8.6
Path traversal in JoyConDroid through version 1.0.93 allows unauthenticated remote attackers to access arbitrary files on affected systems through improper pathname validation in the UnzipUtil module. An attacker can exploit this vulnerability to read sensitive data and potentially modify files, achieving high integrity and availability impact. A patch is available for this high-severity vulnerability affecting Java and Joycondroid users.
Java
Path Traversal
File Upload
Joycondroid
-
CVE-2026-4737
HIGH
CVSS 7.3
A Use After Free vulnerability exists in the No-Chicken Echo-Mate SDK, specifically within the kernel memory management modules (rmap.C file), that can lead to denial of service and memory corruption. This vulnerability affects Echo-Mate versions prior to V250329 and has been reported by GovTech CSG. An attacker exploiting this flaw could trigger a crash or potentially achieve code execution through memory corruption, though the specific attack vector complexity remains dependent on the exposure of the affected kernel module.
Use After Free
Denial Of Service
Linux Kernel
Echo Mate
-
CVE-2026-4736
HIGH
CVSS 7.3
Improper handling of values in the netfilter modules of Echo-Mate SDK versions before V250329 allows local attackers with low privileges to achieve high-impact confidentiality, integrity, and availability violations through manipulation of nf_tables, nft_byteorder, or nft_meta components. The vulnerability requires local access and specific conditions to exploit but poses significant risk to system security with confirmed patch availability.
Linux
Linux Kernel
Echo Mate
-
CVE-2026-4735
HIGH
CVSS 8.7
A deserialization of untrusted data vulnerability exists in DTStack chunjun versions prior to 1.16.1, specifically in the GsonUtil.java module within chunjun-core. An attacker can exploit this CWE-502 flaw to execute arbitrary code by crafting malicious serialized objects that are processed during deserialization. The vulnerability is reportedly patched as of version 1.16.1, with a patch available from the vendor via GitHub pull request #1939.
Deserialization
Java
Chunjun
-
CVE-2026-4732
HIGH
CVSS 8.4
Out-of-bounds read in Furnace before version 0.7 allows local attackers to read sensitive memory contents through a crafted FLAC file processed by the modified libsndfile module. This vulnerability could enable information disclosure or potentially facilitate further exploitation of the audio processing application.
Buffer Overflow
Furnace
-
CVE-2026-4731
HIGH
CVSS 8.5
Integer overflow in ART's rtengine dcraw.C module before version 1.25.12 allows local attackers with user interaction to achieve high-impact compromise of confidentiality, integrity, and availability. This vulnerability requires local access and user interaction to trigger, making it exploitable primarily through malicious image files or project files opened by victims.
Buffer Overflow
Art
-
CVE-2026-4727
HIGH
CVSS 7.5
Mozilla NSS Libraries contain a denial-of-service vulnerability affecting Firefox versions below 149 that allows unauthenticated remote attackers to crash affected systems without requiring user interaction. The flaw stems from improper resource handling and currently lacks an available patch. Given the high CVSS score of 7.5 and network-based attack vector, this poses significant availability risk to Mozilla Firefox users.
Mozilla
Denial Of Service
Firefox
-
CVE-2026-4726
HIGH
CVSS 7.5
Firefox versions below 149 are vulnerable to a resource exhaustion attack through malformed XML processing that an unauthenticated attacker can trigger remotely without user interaction. This denial-of-service vulnerability allows attackers to crash affected Firefox instances or degrade performance. No patch is currently available for this vulnerability.
Mozilla
Denial Of Service
Firefox
-
CVE-2026-4722
HIGH
CVSS 8.8
Firefox versions prior to 149 contain a privilege escalation vulnerability in the IPC component that allows remote attackers to escalate privileges through user interaction on affected systems. An attacker can exploit this flaw to gain elevated system access and potentially execute arbitrary code with higher privileges. No patch is currently available for this high-severity vulnerability affecting Mozilla and Debian users.
Mozilla
Privilege Escalation
Debian
Firefox
-
CVE-2026-4719
HIGH
CVSS 7.5
A boundary condition vulnerability exists in Firefox's Graphics Text component that allows information disclosure through incorrect memory handling during text rendering operations. This affects Firefox versions below 149 and Firefox ESR versions below 140.9, potentially enabling attackers to read sensitive data from adjacent memory regions. No active exploitation in the wild has been confirmed, but the vulnerability warrants prompt patching given its information disclosure impact.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4718
HIGH
CVSS 8.1
An undefined behavior vulnerability exists in the WebRTC Signaling component of Mozilla Firefox and Firefox ESR, potentially leading to information disclosure. This affects Firefox versions below 149 and Firefox ESR versions below 140.9. An attacker can exploit this through WebRTC signaling interactions to disclose sensitive information, though specific exploitation details remain limited in public disclosures.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4714
HIGH
CVSS 7.5
An incorrect boundary condition vulnerability exists in the Audio/Video component of Mozilla Firefox and Firefox ESR, allowing potential information disclosure through improper memory handling. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. An attacker may exploit this vulnerability to leak sensitive information from the browser process memory by triggering specific audio or video processing operations, though active exploitation status is not confirmed at this time.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4713
HIGH
CVSS 7.5
An incorrect boundary condition vulnerability exists in the Graphics component of Mozilla Firefox and Firefox ESR, allowing information disclosure through improper memory access. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. An attacker can exploit this vulnerability to read sensitive information from memory by triggering the boundary condition in graphics processing operations.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4712
HIGH
CVSS 7.5
An information disclosure vulnerability exists in the Widget: Cocoa component of Mozilla Firefox and Firefox ESR, allowing attackers to access sensitive information through the affected rendering engine. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are vulnerable. The vulnerability permits unauthorized information leakage, though the specific attack mechanism and data exposure scope require analysis of the referenced Mozilla security advisories.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4709
HIGH
CVSS 7.5
A boundary condition vulnerability exists in Firefox's Audio/Video GMP (Gecko Media Plugin) component that enables information disclosure to attackers. This flaw affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit incorrect boundary condition handling in media processing to disclose sensitive information from the affected browser process.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4708
HIGH
CVSS 7.5
A boundary condition error in Firefox's Graphics component allows information disclosure through improper memory access validation. This vulnerability affects Firefox versions below 149 and Firefox ESR versions below 140.9, enabling attackers to read sensitive memory contents from the graphics processing context. While no CVSS score or EPSS data is currently available, the vulnerability is documented across multiple Mozilla security advisories indicating active awareness by the vendor.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4707
HIGH
CVSS 7.5
A boundary condition vulnerability exists in Mozilla Firefox's Graphics Canvas2D component that enables information disclosure attacks. The vulnerability affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit incorrect boundary condition handling in Canvas2D operations to read sensitive data from memory, potentially disclosing user information or browser-internal data through a web-based attack vector.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4706
HIGH
CVSS 7.5
This vulnerability involves incorrect boundary conditions in the Firefox Graphics Canvas2D component that can lead to information disclosure. The vulnerability affects Firefox versions prior to 149, Firefox ESR versions prior to 115.34, and Firefox ESR versions prior to 140.9. An attacker can exploit this flaw to access sensitive memory information through specially crafted Canvas2D operations, potentially exposing user data or system information.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4704
HIGH
CVSS 7.5
Mozilla Firefox versions prior to 149 and Firefox ESR prior to 140.9 are vulnerable to denial-of-service attacks through the WebRTC signaling component, which an unauthenticated remote attacker can exploit without user interaction to crash affected browsers. The vulnerability stems from improper resource handling and currently has no available patch, leaving users of affected versions at risk of service disruption.
Mozilla
Denial Of Service
Firefox
-
CVE-2026-4699
HIGH
CVSS 7.5
A boundary condition vulnerability exists in Firefox's Layout: Text and Fonts component that can lead to information disclosure. This affects Firefox versions below 149, Firefox ESR versions below 115.34, and Firefox ESR versions below 140.9. An attacker could exploit incorrect boundary handling in text and font rendering to potentially disclose sensitive information from memory, though specific exploitation details and active exploitation status are not publicly documented in the available intelligence.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4697
HIGH
CVSS 7.5
A boundary condition vulnerability exists in Firefox and Firefox ESR's Audio/Video Web Codecs component that allows information disclosure. The vulnerability affects Firefox versions prior to 149 and Firefox ESR versions prior to 140.9. An attacker can exploit this flaw to disclose sensitive information, potentially leveraging web-based attack vectors without requiring elevated privileges.
Mozilla
Information Disclosure
Firefox
-
CVE-2026-4695
HIGH
CVSS 7.5
A boundary condition vulnerability exists in Firefox's Audio/Video Web Codecs component that allows information disclosure to attackers. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. An attacker can exploit incorrect boundary condition handling in codec processing to read sensitive memory contents or application state.
Information Disclosure
Mozilla
Firefox
-
CVE-2026-4694
HIGH
CVSS 7.5
A boundary condition vulnerability combined with an integer overflow flaw exists in the Graphics component of Mozilla Firefox, affecting Firefox versions prior to 149, Firefox ESR versions prior to 115.34, and Firefox ESR versions prior to 140.9. This vulnerability could allow an attacker to trigger a buffer overflow through specially crafted graphics data, potentially leading to memory corruption and arbitrary code execution. While no CVSS score or EPSS data is currently available, the Mozilla security advisories confirm the vulnerability affects multiple product lines across different release channels.
Mozilla
Integer Overflow
Buffer Overflow
Firefox
-
CVE-2026-4693
HIGH
CVSS 7.5
An incorrect boundary condition vulnerability exists in the Audio/Video playback component of Mozilla Firefox, affecting Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. This flaw enables information disclosure through improper memory boundary handling during media playback operations. While specific exploit details and CVSS metrics are not publicly disclosed, the vulnerability is categorized as an information disclosure issue affecting all three Firefox release channels.
Information Disclosure
Mozilla
Firefox
-
CVE-2026-4690
HIGH
CVSS 8.6
A sandbox escape vulnerability exists in Mozilla Firefox due to incorrect boundary conditions and integer overflow within the XPCOM component, allowing attackers to break out of the browser's security sandbox and potentially execute arbitrary code with elevated privileges. Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9 are affected. An attacker capable of triggering the integer overflow in XPCOM can exploit the boundary condition flaw to escape the sandbox, potentially leading to full system compromise depending on browser privilege level and operating system context.
Buffer Overflow
Mozilla
Integer Overflow
Firefox
-
CVE-2026-4687
HIGH
CVSS 8.6
A sandbox escape vulnerability exists in Firefox's Telemetry component due to incorrect boundary condition handling, allowing attackers to potentially break out of the browser sandbox and access system resources or sensitive data. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. The vulnerability enables information disclosure and potentially arbitrary code execution by circumventing the sandbox isolation mechanism that normally restricts browser processes.
Information Disclosure
Mozilla
Firefox
-
CVE-2026-4686
HIGH
CVSS 7.5
An incorrect boundary condition vulnerability exists in Firefox's Graphics Canvas2D component that can lead to information disclosure. This affects Firefox versions prior to 149, Firefox ESR versions prior to 115.34, and Firefox ESR versions prior to 140.9. An attacker can exploit this boundary condition issue to disclose sensitive information through crafted Canvas2D operations, though no active exploitation or public proof-of-concept has been reported at this time.
Information Disclosure
Mozilla
Firefox
-
CVE-2026-4685
HIGH
CVSS 7.5
This vulnerability involves incorrect boundary conditions in Firefox's Graphics Canvas2D component that enables information disclosure. Firefox versions prior to 149, Firefox ESR prior to 115.34, and Firefox ESR prior to 140.9 are affected. An attacker can leverage improper boundary validation in Canvas2D operations to read sensitive information from memory that should not be accessible through normal web content restrictions.
Information Disclosure
Mozilla
Firefox
-
CVE-2026-4684
HIGH
CVSS 7.5
Mozilla Firefox's WebRender graphics component contains a race condition and use-after-free vulnerability that enables remote code execution when a user visits a malicious webpage. The flaw affects Firefox versions prior to 149, Firefox ESR versions before 115.34 and 140.9, and requires user interaction to trigger. No patch is currently available for this high-severity issue.
Mozilla
Race Condition
Information Disclosure
Debian
Firefox
-
CVE-2026-4680
HIGH
CVSS 8.8
Remote code execution in Google Chrome's Federated Credential Management (FedCM) prior to version 146.0.7680.165 enables unauthenticated attackers to execute arbitrary code within the browser sandbox through a malicious HTML page. This use-after-free vulnerability in memory management affects Chrome on all supported platforms and requires only user interaction to trigger. A patch is available in Chrome 146.0.7680.165 and later.
Google
RCE
Use After Free
Debian
Memory Corruption
-
CVE-2026-4679
HIGH
CVSS 8.8
An out-of-bounds memory write in Google Chrome's font handling prior to version 146.0.7680.165 enables remote code execution when a user visits a malicious HTML page. An unauthenticated attacker can trigger an integer overflow to corrupt memory and execute arbitrary code; the CVSS vector rates confidentiality and integrity impact as high. Patches are available for Chrome and affected Debian systems.
Google
Buffer Overflow
Debian
Chrome
-
CVE-2026-4678
HIGH
CVSS 8.8
Sandboxed code execution in Google Chrome's WebGPU implementation (prior to 146.0.7680.165) stems from a use-after-free memory vulnerability that can be triggered via malicious HTML pages. An unauthenticated remote attacker can exploit this to execute arbitrary code within the Chrome sandbox without user interaction beyond viewing a crafted webpage. A patch is available for affected users.
Google
RCE
Use After Free
Debian
Memory Corruption
-
CVE-2026-4677
HIGH
CVSS 8.8
This vulnerability is an out-of-bounds memory read in the WebAudio API implementation of Google Chrome prior to version 146.0.7680.165. A remote attacker can craft a malicious HTML page that triggers the read and discloses memory contents. No EPSS data is provided; the Chromium security severity is rated High, and all users of vulnerable Chrome versions remain affected until they update.
Debian
Google
Buffer Overflow
Information Disclosure
Chrome
-
CVE-2026-4676
HIGH
CVSS 8.8
Sandbox escape in Google Chrome prior to version 146.0.7680.165 via a use-after-free vulnerability in the Dawn graphics component enables remote attackers to execute arbitrary code when users visit malicious HTML pages. The vulnerability affects multiple platforms including Debian systems and requires only user interaction to trigger, bypassing Chrome's sandbox isolation. A patch is available to remediate this high-severity memory corruption flaw.
Debian
Google
Use After Free
Denial Of Service
Memory Corruption
-
CVE-2026-4675
HIGH
CVSS 8.8
Google Chrome's WebGL implementation contains a heap buffer overflow that enables remote attackers to read arbitrary memory by serving a specially crafted HTML page to users prior to version 146.0.7680.165. This network-based vulnerability requires only user interaction and affects Chrome on all platforms, granting attackers access to sensitive data in the browser's memory. A patch is available and should be applied immediately given the high severity and potential for exploitation.
Debian
Google
Heap Overflow
Buffer Overflow
Chrome
-
CVE-2026-4674
HIGH
CVSS 8.8
Out of bounds memory read in Google Chrome's CSS parser prior to version 146.0.7680.165 allows remote attackers to access sensitive memory contents through a malicious HTML page. The vulnerability requires user interaction and affects Chrome on multiple platforms including Debian systems, enabling attackers to potentially leak confidential data with high impact on confidentiality and integrity.
Debian
Google
Buffer Overflow
Information Disclosure
Chrome
-
CVE-2026-4673
HIGH
CVSS 8.8
Unauthenticated remote attackers can exploit a heap buffer overflow in Google Chrome's WebAudio component (versions prior to 146.0.7680.165) by hosting malicious HTML pages that trigger out-of-bounds memory writes. The vulnerability enables arbitrary code execution, with high impact on confidentiality, integrity and availability. A patch is available from Google and Debian.
Debian
Google
Buffer Overflow
Heap Overflow
Chrome
-
CVE-2026-4662
HIGH
CVSS 7.5
The JetEngine plugin for WordPress contains a SQL injection vulnerability in the listing_load_more AJAX action that allows unauthenticated attackers to extract sensitive database information. All versions up to and including 3.8.6.1 are affected. The vulnerability exists on sites using JetEngine Listing Grid with Load More functionality enabled and SQL Query Builder queries, with a CVSS score of 7.5 indicating high severity for confidentiality impact.
WordPress
SQLi
-
CVE-2026-4640
HIGH
CVSS 7.5
Vitals ESP, a software product developed by Galaxy Software Services, contains a Missing Authentication vulnerability that allows unauthenticated remote attackers to execute certain functions and obtain sensitive information. The vulnerability has a CVSS score of 7.5 (High) with network-based attack vector requiring no privileges or user interaction, resulting in high confidentiality impact. This issue was reported by Taiwan CERT (twcert) and is classified as an Authentication Bypass vulnerability.
Authentication Bypass
-
CVE-2026-4639
HIGH
CVSS 8.8
Vitals ESP, a healthcare software product developed by Galaxy Software Services, contains an incorrect authorization vulnerability that allows authenticated remote attackers with low-level privileges to escalate their access and perform administrative functions. The vulnerability has a CVSS score of 8.8 (High), indicating network-based exploitation with low attack complexity requiring only low-level authentication. No KEV listing or EPSS data is currently available, though Taiwan CERT (TWCERT) has published advisories on this issue.
Authentication Bypass
-
CVE-2026-4632
HIGH
CVSS 7.3
SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the Name parameter in /sms/user/index.php?view=add, potentially enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.
PHP
SQLi
-
CVE-2026-4627
HIGH
CVSS 7.2
An OS command injection vulnerability exists in D-Link DIR-825 and DIR-825R routers running firmware versions 1.0.5 and 4.5.1 respectively. The flaw resides in the handler_update_system_time function within the libdeuteron_modules.so library of the NTP Service component, allowing authenticated attackers with high privileges to execute arbitrary operating system commands remotely. These products are end-of-life and no longer supported by D-Link, meaning no patches will be released.
D-Link
Command Injection
-
CVE-2026-4625
HIGH
CVSS 7.3
SourceCodester Online Admission System 1.0 contains a SQL injection vulnerability in the /programmes.php file's program parameter that allows unauthenticated remote attackers to execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The flaw enables attackers to potentially read, modify, or delete sensitive admission system data.
SQLi
PHP
-
CVE-2026-4624
HIGH
CVSS 7.3
SQL injection in SourceCodester Online Library Management System 1.0 allows unauthenticated remote attackers to manipulate the searchField parameter in /home.php, enabling data exfiltration, modification, and potential service disruption. Public exploit code exists for this vulnerability, and no patch is currently available.
SQLi
PHP
-
CVE-2026-4623
HIGH
CVSS 7.3
A Server-Side Request Forgery (SSRF) vulnerability exists in DefaultFuction Jeson-Customer-Relationship-Management-System affecting versions up to commit 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. The vulnerability resides in the /api/System.php file where the 'url' parameter can be manipulated to force the server to make arbitrary requests. A publicly disclosed proof-of-concept exploit is available on GitHub, and patches have been released by the vendor.
PHP
SSRF
-
CVE-2026-4617
HIGH
CVSS 7.3
SourceCodester Patients Waiting Area Queue Management System 1.0 contains an improper authorization flaw in the ValidateToken function of the Patient Check-In Module that allows unauthenticated remote attackers to bypass access controls. Public exploit code is available for this vulnerability, and no patch has been released. The attack requires no user interaction and could enable unauthorized access to patient check-in functionality.
PHP
Authentication Bypass
-
CVE-2026-4615
HIGH
CVSS 7.3
SQL injection in SourceCodester Online Catering Reservation 1.0 via the rcode parameter in /search.php allows unauthenticated remote attackers to manipulate database queries with no user interaction required. The vulnerability enables attackers to read, modify, or delete sensitive data. Public exploit code is readily available and no patch exists, so exposed PHP deployments of this system are easy targets.
PHP
SQLi
-
CVE-2026-4371
HIGH
CVSS 7.4
Thunderbird's mail parser fails to validate string length parameters, allowing a compromised or malicious mail server to trigger out-of-bounds memory reads through malformed email content. Versions prior to 149 and prior to 140.9 are affected; users could experience application crashes or disclosure of sensitive data from process memory. The vulnerability requires network access but no user interaction, and the fix ships in the listed releases.
Mozilla
Buffer Overflow
Information Disclosure
Thunderbird
-
CVE-2026-3912
HIGH
CVSS 8.7
This is an injection vulnerability affecting TIBCO ActiveMatrix BusinessWorks and Enterprise Administrator due to insufficient validation and sanitization of user-supplied input. The vulnerability allows attackers to disclose sensitive information including local files and host system details, and may enable manipulation of application behavior. No EPSS data or active exploitation reports are currently available, but the vendor has issued a security advisory indicating that patches are available.
Information Disclosure
-
CVE-2026-3509
HIGH
CVSS 7.5
A format string vulnerability exists in the Audit Log component of CODESYS Control runtime system that allows unauthenticated remote attackers to inject malicious format specifiers into log messages. This affects numerous CODESYS Control products across multiple platforms including Windows, Linux, embedded systems (BeagleBone, Raspberry Pi, PFC100/200), and industrial controllers (Beckhoff CX, WAGO Touch Panels). Exploitation can lead to denial-of-service conditions by crashing the runtime system, with a CVSS score of 7.5 indicating high availability impact.
Information Disclosure
-
CVE-2026-1995
HIGH
CVSS 7.8
IDrive's id_service.exe process, which runs with SYSTEM-level privileges on Windows systems, is vulnerable to privilege escalation and arbitrary code execution due to insecure file handling. The vulnerability affects IDrive Cloud Backup Client for Windows across multiple versions: the elevated service reads UTF-16LE encoded configuration files from C:\ProgramData\IDrive\ that are writable by standard unprivileged users. An attacker with local user access can modify these files to inject arbitrary executable paths, causing id_service.exe to execute malicious code with SYSTEM privileges and resulting in complete system compromise. No EPSS data is available, but this is a local privilege escalation with trivial exploitability given the file write permissions on the ProgramData directory.
RCE
-
CVE-2025-64998
HIGH
CVSS 7.3
Checkmk exposes its session signing secret in configurations synchronized between remote and central sites, allowing a remote site administrator to forge valid session cookies and hijack user sessions on the central monitoring instance. This vulnerability affects Checkmk versions prior to 2.4.0p23, 2.3.0p45, and all 2.2.0 releases when configuration synchronization is enabled. An attacker with administrative privileges on a remote Checkmk site can leverage this exposure to impersonate any user, including central site administrators, potentially gaining complete control over the monitoring infrastructure.
Checkmk
Information Disclosure
Authentication Bypass
Session Fixation
-
CVE-2025-41660
HIGH
CVSS 8.8
A vulnerability in CODESYS Control runtime systems allows a low-privileged remote attacker to replace the boot application, resulting in arbitrary code execution with high impact on confidentiality, integrity, and availability. The vulnerability affects numerous CODESYS Control variants across multiple platforms including Linux, Windows, embedded systems, and industrial controllers. With a CVSS score of 8.8 and network-accessible attack vector requiring only low privileges, this represents a significant threat to industrial control systems and automation environments.
RCE
-
CVE-2025-33254
HIGH
CVSS 7.5
NVIDIA Triton Inference Server contains a race condition vulnerability (CWE-362) that allows unauthenticated remote attackers to corrupt internal server state, resulting in a denial of service. The vulnerability affects NVIDIA Triton Inference Server across multiple versions and can be exploited over the network with low attack complexity requiring no privileges or user interaction. With a CVSS score of 7.5 (High) and an EPSS score not provided, this represents a significant availability risk for organizations running AI/ML inference workloads.
Denial Of Service
Nvidia
Race Condition
-
CVE-2025-33248
HIGH
CVSS 7.8
NVIDIA Megatron-LM contains an unsafe deserialization vulnerability (CWE-502) in its hybrid conversion script that allows code execution when a maliciously crafted file is loaded. The vulnerability affects NVIDIA Megatron-LM installations and enables attackers to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. With a CVSS score of 7.8 (local attack vector, low privileges, no user interaction), this represents a significant risk for organizations using this large language model training framework.
RCE
Deserialization
Information Disclosure
Nvidia
-
CVE-2025-33247
HIGH
CVSS 7.8
NVIDIA Megatron LM contains an insecure deserialization vulnerability (CWE-502) in its quantization configuration loading mechanism that enables remote code execution. Attackers with local access and low privileges can exploit this flaw to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The vulnerability has a CVSS score of 7.8 and affects all versions of NVIDIA Megatron LM based on available CPE data.
RCE
Information Disclosure
Nvidia
Deserialization
-
CVE-2025-33238
HIGH
CVSS 7.5
NVIDIA Triton Inference Server's Sagemaker HTTP server contains a race condition vulnerability that allows unauthenticated remote attackers to trigger an exception, resulting in denial of service. The vulnerability affects NVIDIA Triton Inference Server deployments using the Sagemaker HTTP server component and can be exploited over the network without authentication or user interaction. There is no indication of active exploitation (not in CISA KEV), and EPSS data was not provided, but the CVSS score of 7.5 (High) reflects the ease of exploitation.
Denial Of Service
Nvidia
Race Condition
-
CVE-2026-33855
MEDIUM
CVSS 5.5
Android-ImageMagick7 versions prior to 7.1.2-11 contain an integer overflow that local attackers can trigger, with user interaction, to cause a denial of service. The local-access and user-interaction requirements make this a lower-risk but still exploitable flaw in image processing operations. A patch is available for affected installations.
Integer Overflow
Buffer Overflow
Google
Android
-
CVE-2026-33853
MEDIUM
CVSS 5.5
A NULL pointer dereference vulnerability exists in MolotovCherry Android-ImageMagick7 before version 7.1.2-10 that allows local attackers with user interaction to trigger a denial of service condition by crashing the application. The vulnerability affects the Android-ImageMagick7 library (CWE-476) and requires local access and user interaction to exploit, resulting in high availability impact but no confidentiality or integrity compromise. A patch is available from the vendor via GitHub pull request #183.
Null Pointer Dereference
Denial Of Service
Google
Android
-
CVE-2026-33768
MEDIUM
CVSS 6.5
The @astrojs/vercel serverless adapter in Astro versions prior to 10.0.2 contains an unauthenticated path traversal vulnerability that allows attackers to bypass platform-level security restrictions by manipulating the x-astro-path header and x_astro_path query parameter. Any remote attacker without authentication can rewrite internal request paths to access restricted endpoints such as /admin/*, with the attack preserving the original HTTP method and request body, enabling POST, PUT, and DELETE operations against protected resources. The vulnerability has been patched in version 10.0.2, and proof-of-concept code is available via the referenced GitHub security advisory and pull request.
Authentication Bypass
-
CVE-2026-33700
MEDIUM
CVSS 6.9
Vikunja prior to version 2.2.1 contains an authorization bypass vulnerability in the DELETE /api/v1/projects/:project/shares/:share endpoint that fails to verify link share ownership. An attacker with administrative access to any project can delete link shares from arbitrary other projects by combining their own project ID with a target share ID, effectively allowing cross-project share manipulation. This is a privilege escalation and denial-of-service vector affecting self-hosted Vikunja deployments where multiple projects exist.
Authentication Bypass
-
CVE-2026-33679
MEDIUM
CVSS 6.4
Vikunja versions prior to 2.2.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the avatar image download functionality that fails to implement proper protections when fetching user profile pictures from OpenID Connect provider URLs. An authenticated attacker can exploit this by controlling their OIDC profile picture URL to force the Vikunja server to make arbitrary HTTP GET requests to internal networks or cloud metadata endpoints, potentially disclosing sensitive information. The vulnerability has a CVSS score of 6.4 (medium severity) and is patched in version 2.2.1.
SSRF
-
CVE-2026-33677
MEDIUM
CVSS 6.5
Vikunja prior to version 2.2.1 exposes webhook BasicAuth credentials in plaintext through the GET /api/v1/projects/:project/webhooks API endpoint to any user with read access to a project. While HMAC secrets are properly masked, the BasicAuth username and password fields added in a later migration lack equivalent protection, allowing read-only collaborators to steal credentials intended for authenticating webhook requests to external systems. This is a confirmed information disclosure vulnerability with a CVSS 6.5 score reflecting moderate real-world risk due to the requirement for authenticated project access.
Information Disclosure
-
CVE-2026-33676
MEDIUM
CVSS 6.5
Vikunja prior to version 2.2.1 suffers from an information disclosure vulnerability where the API returns full task object details in the `related_tasks` field without validating the requesting user's read permissions on the related tasks' projects. An authenticated attacker can exploit cross-project task relationships to enumerate sensitive task metadata (titles, descriptions, due dates, priorities, completion percentages, project IDs) from projects they have no access to, achieving a high-confidence information disclosure with CVSS 6.5 and no active exploitation reported in known exploit databases.
Authentication Bypass
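The two Vikunja findings above, the cross-project share deletion in CVE-2026-33700 and the unchecked `related_tasks` field in CVE-2026-33676, come from the same mistake: authorization is evaluated on the project named in the request, and a second object reached through an ID is then used without being tied back to that project. The Go program below is an added example written for this digest, not Vikunja's code. The store, the user and project IDs, and the permission model (per-project admin and reader sets) are constructed simplifications.

```go
package main

import (
	"errors"
	"fmt"
)

type Share struct{ ID, ProjectID int }

// Task lists the IDs of related tasks, which may live in other projects.
type Task struct {
	ID, ProjectID int
	Title         string
	Related       []int
}

// Store is an in-memory stand-in for the database; admins and readers map
// projectID -> userID -> membership.
type Store struct {
	shares          map[int]Share
	tasks           map[int]Task
	admins, readers map[int]map[int]bool
}

var ErrForbidden = errors.New("forbidden")
var ErrNotFound = errors.New("not found")

func (s *Store) isAdmin(user, project int) bool { return s.admins[project][user] }
func (s *Store) canRead(user, project int) bool { return s.readers[project][user] || s.isAdmin(user, project) }

// deleteShareVulnerable: the permission check uses the project ID from the
// URL, but the share is then looked up by ID alone, so an admin of any
// project can delete a share belonging to another.
func (s *Store) deleteShareVulnerable(user, project, share int) error {
	if !s.isAdmin(user, project) {
		return ErrForbidden
	}
	if _, ok := s.shares[share]; !ok {
		return ErrNotFound
	}
	delete(s.shares, share)
	return nil
}

// deleteShare binds the share to the project the caller was authorised on.
// A share from another project reads as not found, not forbidden, so the
// response does not confirm it exists.
func (s *Store) deleteShare(user, project, share int) error {
	if !s.isAdmin(user, project) {
		return ErrForbidden
	}
	if sh, ok := s.shares[share]; !ok || sh.ProjectID != project {
		return ErrNotFound
	}
	delete(s.shares, share)
	return nil
}

// relatedTasks checks read access on the requested task's project and then
// on each related task's own project, dropping the ones the caller may not
// see instead of returning their metadata.
func (s *Store) relatedTasks(user, taskID int) ([]Task, error) {
	t, ok := s.tasks[taskID]
	if !ok || !s.canRead(user, t.ProjectID) {
		return nil, ErrNotFound
	}
	visible := []Task{}
	for _, rid := range t.Related {
		if r, ok := s.tasks[rid]; ok && s.canRead(user, r.ProjectID) {
			visible = append(visible, r)
		}
	}
	return visible, nil
}

// newDemoStore builds constructed data: user 1 administers project 1, user 2
// administers project 2, user 3 may read both. Share 20 and task 200 belong
// to project 2; task 100 (project 1) is related to task 200.
func newDemoStore() *Store {
	return &Store{
		shares: map[int]Share{10: {10, 1}, 20: {20, 2}},
		tasks: map[int]Task{
			100: {ID: 100, ProjectID: 1, Title: "Public task", Related: []int{200}},
			200: {ID: 200, ProjectID: 2, Title: "Confidential roadmap"},
		},
		admins:  map[int]map[int]bool{1: {1: true}, 2: {2: true}},
		readers: map[int]map[int]bool{1: {3: true}, 2: {3: true}},
	}
}

func main() {
	s := newDemoStore()
	fmt.Println("vulnerable delete of project 2's share via project 1:", s.deleteShareVulnerable(1, 1, 20))
	s = newDemoStore()
	fmt.Println("fixed delete:", s.deleteShare(1, 1, 20))
	v1, _ := s.relatedTasks(1, 100)
	v3, _ := s.relatedTasks(3, 100)
	fmt.Printf("related tasks visible to user 1: %d, to user 3: %d\n", len(v1), len(v3))
}
```

The rule the two fixed functions share is that every object loaded by ID is checked against the scope the caller was authorised on, not only the scope the URL names, and that objects outside that scope are reported as absent rather than forbidden.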
-
CVE-2026-33675
MEDIUM
CVSS 6.4
Vikunja prior to version 2.2.1 contains a Server-Side Request Forgery (SSRF) vulnerability in its migration helper functions that lack HTTP request validation. An authenticated attacker can exploit this by triggering a Todoist or Trello migration, which causes the Vikunja server to fetch arbitrary URLs specified in attachment metadata from third-party APIs, potentially exposing internal network resources and returning their contents as task attachments. The vulnerability requires low privilege (authenticated user) and carries a CVSS score of 6.4 with moderate confidentiality and availability impact across network boundaries.
SSRF
-
CVE-2026-33638
MEDIUM
CVSS 5.3
The Ech0 application exposes an unauthenticated API endpoint GET /api/allusers that returns a complete list of user records including usernames, email addresses, and account metadata without requiring authentication. This allows remote attackers to enumerate all system users and gather profile information for reconnaissance and targeted attacks. A working proof-of-concept exists demonstrating the vulnerability, and a patch is available in version 4.2.0.
Information Disclosure
Authentication Bypass
-
CVE-2026-33635
MEDIUM
CVSS 4.3
The Ruby icalendar library versions prior to the patched commit fail to sanitize carriage return and line feed characters in URI property values, allowing attackers to inject arbitrary ICS calendar lines through CRLF injection. Applications that generate .ics files from untrusted metadata are affected, enabling attackers to add malicious calendar properties such as attendees, URLs, or alarms that downstream calendar clients will process as legitimate event data. A proof-of-concept demonstrating the vulnerability is publicly available, and a patch is available from the vendor.
RCE
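Added example, not the icalendar gem's code: the generator and consumer sides of the CRLF injection described above, written in Go rather than Ruby so it matches the other examples on this page. The URL value and the VEVENT wrapper are constructed, and the parser is only the line-per-property reading a client performs, not a full RFC 5545 implementation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// injectedURL is a constructed attacker value: a legitimate-looking URL with
// an embedded CRLF followed by a second property the attacker wants the
// consuming client to honour.
const injectedURL = "https://example.test/event\r\nATTENDEE;CN=Attacker:mailto:attacker@example.test"

// urlPropertyUnsafe serialises the URL property the way a naive generator
// does: the caller's value is concatenated verbatim, so a CRLF inside it
// terminates the line and whatever follows becomes a new property.
func urlPropertyUnsafe(value string) string {
	return "URL:" + value + "\r\n"
}

// urlPropertySafe refuses any value containing CR or LF. A URL can never
// legitimately contain them, so rejecting (rather than silently stripping,
// which could splice "https://evil\r\n.example" into a different host)
// loses nothing and surfaces the attempt to the caller.
func urlPropertySafe(value string) (string, error) {
	if strings.ContainsAny(value, "\r\n") {
		return "", errors.New("URL value contains CR/LF")
	}
	return "URL:" + value + "\r\n", nil
}

// buildEvent wraps one serialised property line in a minimal VEVENT.
func buildEvent(urlLine string) string {
	return "BEGIN:VEVENT\r\nSUMMARY:Team sync\r\n" + urlLine + "END:VEVENT\r\n"
}

// propertyNames reads the component the way a consuming calendar client
// does: one property per CRLF-terminated line, the name ending at the first
// ':' or ';'. An extra name in the list is the injection made visible.
func propertyNames(ics string) []string {
	var names []string
	for _, line := range strings.Split(ics, "\r\n") {
		if end := strings.IndexAny(line, ":;"); end > 0 {
			names = append(names, line[:end])
		}
	}
	return names
}

func main() {
	fmt.Println("unsafe:", propertyNames(buildEvent(urlPropertyUnsafe(injectedURL))))
	if _, err := urlPropertySafe(injectedURL); err != nil {
		fmt.Println("safe:", err)
	}
}
```

RFC 5545 line folding (a CRLF followed by a space or tab) is produced by the serializer after the value has been escaped, and a client only unfolds lines that begin with whitespace, so the injected ATTENDEE line above is not merged back into the URL; that is why the check has to happen on the value before serialization.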
-
CVE-2026-33628
MEDIUM
CVSS 5.4
Invoice Ninja v5.13.0 and earlier contain a stored cross-site scripting (XSS) vulnerability in invoice line item descriptions that bypasses the application's XSS denylist filter, allowing authenticated attackers to inject malicious JavaScript that executes when invoices are viewed in PDF preview or the client portal. Any authenticated user can create or modify invoices to inject payloads such as `<img src=x onerror=alert(document.cookie)>`, and victims viewing the invoice, including clients with lower privilege levels, will have the payload execute in their browser context, enabling session hijacking, account takeover, and data exfiltration. A patch is available in v5.13.4 via the vendor's GitHub repository.
XSS
-
CVE-2026-33623
MEDIUM
CVSS 6.7
A command injection vulnerability (CVSS 6.7). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Google
RCE
Command Injection
Path Traversal
Microsoft
-
CVE-2026-33622
MEDIUM
CVSS 6.1
PinchTab versions 0.8.3 through 0.8.5 contain a security-policy bypass that allows arbitrary JavaScript execution through the POST /wait endpoint's fn mode, even when the security.allowEvaluate setting is explicitly disabled. While the /evaluate endpoint correctly enforces the allowEvaluate guard, the /wait endpoint fails to apply the same policy check before evaluating caller-supplied JavaScript expressions, enabling authenticated users with an API token to execute arbitrary code in browser tab contexts despite the operator's intention to disable JavaScript evaluation. A proof-of-concept demonstrating this bypass has been published by the vendor, showing that side effects can be introduced in page state and confirmed through subsequent requests.
Authentication Bypass
RCE
Code Injection
-
CVE-2026-33621
MEDIUM
CVSS 4.8
CVE-2026-33621 is a security vulnerability (CVSS 4.8). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Authentication Bypass
-
CVE-2026-33620
MEDIUM
CVSS 4.3
PinchTab versions 0.7.8 through 0.8.3 accept API authentication tokens via URL query parameters (?token=...) in addition to the Authorization header, creating an unsafe credential transport pattern that exposes tokens through intermediary logs, browser history, shell history, and clipboard history. While this is not a direct authentication bypass (an attacker must obtain the token from a secondary source), the vulnerability is compounded by first-party dashboard setup flows that generate and consume tokenized URLs, increasing practical exposure likelihood. The issue was resolved in version 0.8.4 by removing query-string token authentication entirely and enforcing header-based authentication.
Authentication Bypass
-
CVE-2026-33619
MEDIUM
CVSS 4.1
PinchTab v0.8.3 contains a server-side request forgery vulnerability in its optional webhook scheduler that allows authenticated attackers to trigger outbound HTTP POST requests to arbitrary destinations, including internal and non-public IP ranges. The vulnerability exists because the webhook delivery path validates only the URL scheme (http/https) without rejecting loopback, private, or link-local addresses, and the HTTP client follows redirects without re-validation. A proof-of-concept is publicly available demonstrating blind SSRF capability; however, practical exploitation requires either administrative API token access in token-protected deployments or a tokenless configuration, and the scheduler must be explicitly enabled (it is disabled by default).
SSRF
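The three SSRF entries above (Vikunja's avatar fetch in CVE-2026-33679, its migration attachment fetch in CVE-2026-33675, and PinchTab's webhook scheduler in CVE-2026-33619) share a root cause: the server fetches a URL the user controls, with at most the scheme checked and redirects followed blindly. The Go code below is an added example and belongs to neither project; it shows the destination check a practitioner would want (resolve the host, refuse loopback, private, link-local and metadata ranges, and re-run the same check on every redirect). The DNS table in `constructedResolver` and the host names in it are made up.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Resolver abstracts DNS so the check runs offline; production code passes net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// isForbiddenIP covers the ranges a fetch made on a user's behalf must never
// reach: loopback, RFC 1918 and IPv6 ULA private space, link-local (which
// includes the 169.254.169.254 metadata address), unspecified and multicast.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// validateOutboundURL allows only http/https and then checks every address
// the host resolves to, so a DNS name pointing at 127.0.0.1 or 10.0.0.5 is
// rejected exactly like the literal address. A scheme-only check, the flaw
// the PinchTab advisory describes, leaves all of those reachable.
func validateOutboundURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return nil, fmt.Errorf("host %q not allowed", host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, errors.New("host did not resolve")
	}
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return nil, fmt.Errorf("host %s resolves to forbidden address %s", host, ip)
		}
	}
	return u, nil
}

// newOutboundClient re-runs the validation on every redirect target, so a
// public URL answering "302 Location: http://169.254.169.254/" is stopped
// before the client follows it.
func newOutboundClient(resolve Resolver) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			_, err := validateOutboundURL(req.URL.String(), resolve)
			return err
		},
	}
}

// constructedResolver is a made-up DNS table standing in for real lookups.
func constructedResolver(host string) ([]net.IP, error) {
	table := map[string]string{
		"public.example":   "93.184.216.34",
		"internal.example": "10.0.0.5",
		"metadata.example": "169.254.169.254",
		"loop.example":     "127.0.0.1",
		"ula6.example":     "fd00::1",
	}
	if a, ok := table[host]; ok {
		return []net.IP{net.ParseIP(a)}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	_ = newOutboundClient(constructedResolver) // the client a webhook sender would use
	for _, raw := range []string{"https://public.example/hook", "http://metadata.example/latest/", "http://loop.example/", "http://[::1]:8080/", "ftp://public.example/"} {
		_, err := validateOutboundURL(raw, constructedResolver)
		fmt.Printf("%-40s %v\n", raw, err)
	}
}
```

One gap remains by design: the validation resolves the name once and the HTTP client resolves it again when dialling, so a DNS answer that changes between the two (rebinding) can still slip through. Closing that means dialling the address that passed validation, for example through a custom `DialContext` on the client's `Transport`, rather than handing the hostname back to the resolver.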
-
CVE-2026-33545
MEDIUM
CVSS 5.3
A SQL injection vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
SQLi
Denial Of Service
Information Disclosure
Python
Apple
-
CVE-2026-33528
MEDIUM
CVSS 6.5
GoDoxy versions prior to 0.27.5 contain a path traversal vulnerability in the `/api/v1/file/content` API endpoint that allows authenticated attackers to read and write arbitrary files outside the intended `config/` directory. An attacker with valid credentials can exploit this vulnerability to access sensitive files including TLS private keys, OAuth refresh tokens, and system certificates by manipulating the `filename` query parameter with `../` sequences. A proof-of-concept has been published demonstrating successful extraction of private keys, and the vulnerability carries a CVSS 6.5 score with active patch availability.
Path Traversal
Information Disclosure
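Added example, not GoDoxy's code: the containment check that a file endpoint like `/api/v1/file/content` needs, in Go. The base directory and file names are constructed; `unsafeJoin` reproduces the unguarded join and `resolveUnderBase` shows the fix.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes the base directory")

// unsafeJoin is the pattern the advisory describes: the user-supplied name is
// joined onto the config directory with nothing stopping "../" from walking
// back out of it.
func unsafeJoin(base, name string) string {
	return filepath.Join(base, name)
}

// resolveUnderBase joins the name, normalises the result and then proves it
// still lies under base by computing the relative path back from base: a
// result that starts with ".." escaped. Because the check runs on the cleaned
// lexical path, "a/../../x", "./../x" and repeated separators are all caught,
// while "sub/../site.yml" correctly resolves to a file inside base.
func resolveUnderBase(base, name string) (string, error) {
	base = filepath.Clean(base)
	joined := filepath.Join(base, name) // Join cleans the result
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

func main() {
	base := "/srv/app/config"
	for _, name := range []string{"proxies/site.yml", "sub/../site.yml", "../../etc/ssl/private/key.pem", ".."} {
		p, err := resolveUnderBase(base, name)
		fmt.Printf("%-32q unsafe=%-36s safe=%s %v\n", name, unsafeJoin(base, name), p, err)
	}
}
```

The check is lexical, so a symlink inside the base directory that points outside it is not caught; when the files are on disk, pair it with `filepath.EvalSymlinks` on the result, or on Go 1.24 and later open files through `os.Root`, which enforces containment at the operating-system level.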
-
CVE-2026-33527
MEDIUM
CVSS 5.3
An authenticated user can manipulate server-generated session fields (expiresAt and createdWith) when updating their own session via the Parse Server REST API, allowing them to extend or indefinitely prolong their session validity and bypass the server's configured session lifetime policies. This authentication bypass affects Parse Server (npm:parse-server) on both version 8 and 9 branches, enabling a low-complexity attack that requires only valid user credentials. No public exploit or active exploitation in the wild has been documented, but patches are available from the vendor.
Authentication Bypass
-
CVE-2026-33417
MEDIUM
CVSS 6.5
Wallos, an open-source self-hostable subscription tracker, contains an authentication bypass vulnerability in its password reset mechanism where reset tokens never expire. Versions prior to 4.7.2 are affected, allowing attackers who intercept a password reset link to use it indefinitely, days, weeks, or months after generation. An attacker exploiting this vulnerability can gain unauthorized account access and potentially modify subscription data, though the CVSS score of 6.5 reflects moderate real-world risk due to the required interception precondition.
Information Disclosure
-
CVE-2026-33412
MEDIUM
CVSS 5.6
Vim versions prior to 9.2.0202 contain a command injection vulnerability in the glob() function on Unix-like systems that allows local attackers with limited privileges to execute arbitrary shell commands by embedding newline characters in glob patterns. The vulnerability's impact depends on the user's shell configuration setting, and while it requires local access and user interaction, it can result in unauthorized code execution with the privileges of the Vim process.
Command Injection
-
CVE-2026-33400
MEDIUM
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability exists in Wallos versions prior to 4.7.0 within the payment method rename endpoint that allows authenticated users to inject arbitrary JavaScript code. When any user visits the Settings, Subscriptions, or Statistics pages, the injected malicious script executes in their browser context. This vulnerability is compounded by the wallos_login authentication cookie lacking the HttpOnly flag, enabling attackers to steal session tokens and achieve full account compromise through session hijacking.
XSS
-
CVE-2026-33345
MEDIUM
CVSS 6.5
Solidtime prior to version 0.11.6 contains an authorization bypass vulnerability in its project detail endpoint that allows any authenticated employee to access private projects they are not members of by directly querying the GET /api/v1/organizations/{org}/projects/{project} endpoint with a project UUID. The vulnerability stems from inconsistent authorization scope application between the index() and show() methods, enabling confidentiality breach of sensitive project data. A security patch is available in version 0.11.6 and the vulnerability has been disclosed via GitHub Security Advisory GHSA-354j-rx28-jjxm.
Authentication Bypass
-
CVE-2026-33336
MEDIUM
CVSS 6.5
Vikunja Desktop (Electron wrapper) versions 0.21.0 through 2.1.x contain a remote code execution vulnerability caused by enabled Node.js integration combined with missing navigation controls. An attacker who is a legitimate user on a shared Vikunja instance can inject a malicious hyperlink into user-generated content (task descriptions, comments, project descriptions) that, when clicked by a victim using Vikunja Desktop, causes arbitrary code execution with the victim's OS user privileges. A proof-of-concept demonstrating command execution via a simple HTML link has been documented, and the vulnerability affects all Desktop users on affected versions.
RCE
Node.js
Code Injection
Information Disclosure
XSS
-
CVE-2026-33335
MEDIUM
CVSS 6.4
The Vikunja Desktop Electron application fails to validate or allowlist URI schemes before passing URLs from window.open() calls to shell.openExternal(), allowing attackers to invoke arbitrary local applications, open files, or trigger custom protocol handlers. Vikunja versions 0.21.0 through 2.1.x are affected, with the vulnerability patched in version 2.2.0. An attacker who can inject links with target="_blank" into user-generated content can exploit this to execute malicious actions on the victim's operating system without user awareness or explicit consent.
Information Disclosure
-
CVE-2026-33334
MEDIUM
CVSS 6.5
The Vikunja Desktop Electron wrapper enables Node.js integration in the renderer process without proper context isolation or sandboxing, allowing any cross-site scripting vulnerability in the web frontend to escalate directly to remote code execution on the victim's machine. Vikunja versions 0.21.0 through 2.1.x are affected, as confirmed by CPE cpe:2.3:a:go-vikunja:vikunja. An attacker exploiting an XSS flaw gains full access to Node.js APIs and the underlying operating system, making this a critical privilege escalation from web-based XSS to system-level RCE.
XSS
RCE
Node.js
Code Injection
-
CVE-2026-33308
MEDIUM
CVSS 6.8
Mod_gnutls versions prior to 0.13.0 fail to validate the Extended Key Usage (EKU) extension during client certificate verification, allowing an attacker with a valid certificate issued for a different purpose to improperly authenticate for TLS client certificate-based access. Only Apache HTTPD servers configured to use client certificate authentication (via GnuTLSClientVerify settings other than 'ignore') are affected. The vulnerability enables unauthorized information disclosure through certificate misuse, with a CVSS score of 6.8 reflecting high confidentiality impact but requiring non-trivial attack complexity.
Apache
Information Disclosure
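An added example of the missing check, in Go rather than mod_gnutls's C so that the point is visible without an Apache setup: a CA issues one certificate for serverAuth and one for clientAuth, and the verifier either requires the clientAuth EKU or accepts any. The PKI is generated at run time and is not real; the names `Demo CA`, `web.example` and `alice` are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 = 1000 // demo serial counter, not a real allocation scheme

// issue mints a certificate carrying the given extended key usages; with a
// nil parent it is self-signed and serves as the CA.
func issue(cn string, isCA bool, ekus []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// demoPKI generates a CA plus one leaf issued only for serverAuth and one
// issued only for clientAuth. Everything is created at run time; nothing here
// is a real certificate.
func demoPKI() (ca, serverLeaf, clientLeaf *x509.Certificate, err error) {
	ca, caKey, err := issue("Demo CA", true, nil, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	if serverLeaf, _, err = issue("web.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey); err != nil {
		return nil, nil, nil, err
	}
	clientLeaf, _, err = issue("alice", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	return ca, serverLeaf, clientLeaf, err
}

// verifyClientCert is the check a server doing certificate-based client
// authentication needs: the chain must reach the trusted CA and the leaf
// must be allowed for clientAuth.
func verifyClientCert(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// verifyChainOnly reproduces the weak behaviour: any EKU is accepted, so a
// server certificate from the same CA authenticates as a client.
func verifyChainOnly(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	ca, server, client, err := demoPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("clientAuth leaf, EKU enforced:", verifyClientCert(client, ca))
	fmt.Println("serverAuth leaf, EKU enforced:", verifyClientCert(server, ca))
	fmt.Println("serverAuth leaf, chain only:  ", verifyChainOnly(server, ca))
}
```

One caveat worth knowing when porting this: Go's verifier treats a certificate that carries no EKU extension at all as unrestricted, so a CA that issues such certificates gets no protection from the `KeyUsages` option alone and the server should additionally require `len(leaf.ExtKeyUsage) > 0`.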
-
CVE-2026-33249
MEDIUM
CVSS 4.3
A valid NATS client can use message tracing headers to send trace messages to arbitrary subjects, bypassing publish permission controls. This affects NATS Server versions prior to 2.12.6 and 2.11.15 and allows authenticated clients to violate authorization policies. While the injected payload is limited to valid trace messages rather than arbitrary content, the ability to publish to unauthorized subjects is an integrity violation and a potential information disclosure risk.
Authentication Bypass
-
CVE-2026-33248
MEDIUM
CVSS 4.2
NATS.io nats-server contains an authentication bypass vulnerability in its mTLS client identity verification when using the verify_and_map feature to derive NATS identities from TLS client certificate Subject DN patterns. An authenticated attacker with a valid certificate from a trusted CA can exploit certain RDN (Relative Distinguished Name) patterns to bypass intended identity mapping controls, potentially gaining unauthorized access to message queues. The vulnerability requires both a valid certificate and specific DN construction patterns, making it a low-probability but credible threat for sophisticated deployments; no public POC or active exploitation has been documented, and the CVSS score of 4.2 reflects the high attack complexity and privilege requirement.
Authentication Bypass
-
CVE-2026-33246
MEDIUM
CVSS 6.4
NATS-server versions prior to v2.12.6 or v2.11.15 are vulnerable to authentication bypass through spoofed Nats-Request-Info headers in leafnode connections. An attacker with low privileges and network access can craft malicious messages with forged identity claims that propagate through untrusted leafnode connections, allowing clients that rely on this header for trust decisions to be deceived about message origins. This affects downstream NATS clients making security decisions based on the header, potentially compromising confidentiality and integrity of message-based applications.
Authentication Bypass
-
CVE-2026-33223
MEDIUM
CVSS 6.4
NATS-server versions prior to v2.12.6 or v2.11.15 contain an authentication bypass vulnerability where the Nats-Request-Info message header, intended to guarantee request identity, is not fully stripped from inbound client messages. An attacker with valid credentials to any regular client interface can spoof their identity to downstream services that rely on this header for authorization decisions, potentially leading to unauthorized access or impersonation. While no confirmed active exploitation or public proof-of-concept is documented, the low attack complexity and low privilege requirements (any authenticated user) combined with the CVSS 6.4 score indicate moderate real-world risk, particularly in environments where message header-based identity verification is critical.
Authentication Bypass
-
CVE-2026-33222
MEDIUM
CVSS 4.9
NATS JetStream before v2.11.15 and v2.12.6 allows authenticated users with admin API access to bypass stream-level restore restrictions and restore backups to unauthorized streams, enabling unauthorized data manipulation. An attacker with JetStream admin credentials can exploit this privilege escalation vulnerability to access or modify streams they should not have permission to alter. No patch is currently available, requiring administrators to temporarily revoke JetStream restore permissions as a mitigation.
Authentication Bypass
-
CVE-2026-33219
MEDIUM
CVSS 5.3
NATS.io nats-server WebSockets service is vulnerable to unbounded memory consumption when malicious unauthenticated clients connect and transmit large amounts of data. This denial-of-service vulnerability affects versions before v2.12.6 or v2.11.15 and has a moderate CVSS score of 5.3 (CWE-770: Allocation of Resources Without Limits or Throttling). Unlike the related CVE-2026-27571 compression bomb variant, this attack requires significant client-side bandwidth rather than algorithmic compression exploitation.
Denial Of Service
-
CVE-2026-33215
MEDIUM
CVSS 6.5
NATS-Server versions prior to 2.11.15 and 2.12.5 contain an authentication bypass vulnerability in the MQTT client interface that allows attackers to hijack sessions and messages through malicious MQTT Client ID manipulation. The vulnerability affects all versions of nats-server using the affected version ranges and has a CVSS score of 6.5 (medium-high severity) due to the combination of high confidentiality impact and low availability impact. No known public exploits or active exploitation in the wild have been confirmed, but the authentication bypass nature (CWE-287) and patch availability indicate this is a practical, exploitable issue that requires immediate attention for organizations running affected versions.
Authentication Bypass
-
CVE-2026-33162
MEDIUM
CVSS 4.9
An authorization bypass vulnerability exists in Craft CMS that allows authenticated control panel users with minimal accessCp permission to move entries across sections without possessing the required saveEntries:{sectionUid} permissions for either source or destination sections. The vulnerability affects Craft CMS versions prior to 5.9.14 and results from missing authorization enforcement in the POST /actions/entries/move-to-section endpoint, enabling low-privileged users to perform unauthorized content modifications that violate integrity controls and potentially disrupt editorial workflows and content routing. A patch is available from the vendor.
Authentication Bypass
-
CVE-2026-33159
MEDIUM
CVSS 6.9
Unauthenticated guests can access Config Sync updater endpoints to retrieve signed state data and execute privileged state-changing actions such as YAML regeneration and application without authentication. This vulnerability in ConfigSyncController stems from insufficient access controls on the base updater interface, allowing attackers to reuse captured signed data in subsequent requests to modify system configuration. A patch is available to address this authentication bypass.
Authentication Bypass
-
CVE-2026-33158
MEDIUM
CVSS 4.9
An authenticated Insecure Direct Object Reference (IDOR) vulnerability in Craft CMS allows low-privileged users to read private asset content by calling the assets/edit-image endpoint with an arbitrary assetId parameter they are not authorized to view. The endpoint fails to enforce per-asset authorization checks before returning image bytes or preview redirects, enabling unauthorized disclosure of sensitive files. A patch is available from the vendor for affected versions (Craft CMS 4.17.8 and 5.9.14), and the vulnerability affects all Craft CMS installations where private assets exist and low-privileged authenticated users have access.
Authentication Bypass
-
CVE-2026-32948
MEDIUM
CVSS 6.7
sbt on Windows is vulnerable to command injection through unvalidated URI fragments in VCS dependency declarations. When resolving git, mercurial, or subversion repositories, sbt passes user-controlled branch, tag, or revision parameters directly to cmd.exe without sanitization, allowing attackers to inject arbitrary Windows commands via special characters like &, |, and ; that cmd /c interprets as command separators. An attacker who controls a dependency URI in a project's build.sbt file can execute arbitrary commands with the privileges of the user running sbt. A proof-of-concept exists demonstrating execution of calc.exe, and patches are available from the vendor for sbt versions 1.12.7 and later.
Microsoft
Command Injection
Windows
-
CVE-2026-32854
MEDIUM
CVSS 6.3
LibVNCServer versions 0.9.15 and earlier contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpd.c that allow remote attackers to cause denial of service by sending specially crafted HTTP requests. The vulnerability affects systems with both httpd and proxy features enabled, and while no CVSS score or EPSS data is currently available, the presence of a public patch and vendor advisory indicates this is a recognized security issue requiring prompt attention.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-32853
MEDIUM
CVSS 6.9
LibVNCServer versions 0.9.15 and earlier contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows malicious VNC servers to disclose sensitive information or crash client applications. The vulnerability affects any application linking against the vulnerable LibVNCServer library, with exploitation requiring a malicious VNC server that manipulates subrectangle header counts to trigger improper bounds checking in the HandleUltraZipBPP() function. A patch is available from the vendor (commit 009008e), and no active exploitation or public proof-of-concept has been reported as of the intelligence sources reviewed.
Buffer Overflow
Information Disclosure
-
CVE-2026-30662
MEDIUM
CVSS 6.5
ConcreteCMS version 9.4.7 contains a memory exhaustion vulnerability in the File Manager's download functionality that allows authenticated attackers to trigger a Denial of Service condition. The vulnerability exists in the 'download' method of 'concrete/controllers/backend/file.php', where improper memory management during zip archive creation using ZipArchive::addFromString combined with file_get_contents loads entire file contents into PHP memory without streaming or size validation. An attacker with valid authentication credentials can exploit this by requesting bulk downloads of large files, exhausting available PHP memory and causing the PHP-FPM process to crash with a SIGSEGV signal, rendering the web application unavailable with HTTP 500 errors.
PHP
Denial Of Service
-
CVE-2026-30661
MEDIUM
CVSS 6.1
iCMS v8.0.0 contains a Stored or Reflected Cross-Site Scripting (XSS) vulnerability in the User Management component's index.html file, where the regip and loginip parameters fail to properly sanitize user input before rendering in the HTML response. Remote attackers can exploit this vulnerability without authentication to execute arbitrary JavaScript in the context of victim browsers, potentially leading to session hijacking, credential theft, or malware distribution. A proof-of-concept has been publicly disclosed by the researcher, increasing real-world exploitation risk.
XSS
-
CVE-2026-30655
MEDIUM
CVSS 6.5
SQL injection in the password reset function of ESICLivre v0.2.2 and earlier allows unauthenticated attackers to extract sensitive data by manipulating the cpfcnpj parameter. The vulnerability requires no user interaction and can be exploited remotely over the network, though no patch is currently available.
SQLi
PHP
Authentication Bypass
-
CVE-2026-29840
MEDIUM
CVSS 5.4
JiZhiCMS v2.5.6 and earlier contains a stored cross-site scripting (XSS) vulnerability in the user release function that allows authenticated attackers to inject malicious scripts through improper HTML sanitization. The vulnerability exists because the application filters <script> tags but fails to recursively remove dangerous event handlers (such as onerror) from other HTML elements like <img> tags, enabling persistent XSS attacks. A proof-of-concept has been published on GitHub, and while no CVSS score or EPSS data is currently available, the low barrier to exploitation (authenticated access via POST parameter) and persistent nature of the attack present meaningful risk to affected installations.
PHP
XSS
-
CVE-2026-29772
MEDIUM
CVSS 5.9
Astro web framework versions prior to 10.0.0 contain an unbounded JSON parsing vulnerability in the Server Islands POST handler that allows unauthenticated remote attackers to exhaust server memory and cause denial of service. The vulnerability affects all Astro SSR applications using the Node standalone adapter, regardless of whether Server Islands functionality is actually used, because the request body is parsed before route validation occurs. An attacker can craft a payload containing many small JSON objects to achieve approximately 15x memory amplification, crashing the process with a single malicious request.
Denial Of Service
-
CVE-2026-28755
MEDIUM
CVSS 5.3
NGINX Plus and NGINX Open Source contain an authentication bypass vulnerability in the ngx_stream_ssl_module where revoked certificates are incorrectly accepted during TLS handshakes despite OCSP checking. When ssl_verify_client and ssl_ocsp are both enabled, the module fails to properly enforce certificate revocation status, allowing clients with revoked certificates to establish connections. This affects both commercial NGINX Plus and open-source NGINX deployments with a CVSS score of 5.4 (Medium), representing a localized confidentiality and integrity impact requiring authenticated attackers.
Nginx
Authentication Bypass
Redhat
Suse
-
CVE-2026-28753
MEDIUM
CVSS 6.3
NGINX Plus and NGINX Open Source contain an improper handling vulnerability in the ngx_mail_smtp_module that allows DNS response injection through malformed CRLF sequences. An attacker controlling a DNS server can inject arbitrary headers into SMTP upstream requests, potentially manipulating mail routing and message content. With a CVSS score of 3.7 and low attack complexity, this represents an integrity issue rather than a critical exploitability threat, though it requires network-level DNS control.
Nginx
Code Injection
Redhat
Suse
-
CVE-2026-23924
MEDIUM
CVSS 6.1
The Zabbix Agent 2 Docker plugin contains an argument injection vulnerability in the 'docker.container_info' parameter handler that fails to properly sanitize user-supplied input before forwarding requests to the Docker daemon. An authenticated attacker who can invoke Agent 2 can exploit this flaw to read arbitrary files from running Docker containers by injecting malicious parameters through the Docker archive API, potentially exposing sensitive application data, credentials, and configuration files. While no CVSS score or EPSS data is currently available, and no indication of active exploitation in the wild has been reported, this represents a direct path to container escape and lateral movement for attackers with agent-level access.
Docker
Code Injection
-
CVE-2026-23923
MEDIUM
CVSS 6.9
An unauthenticated remote code execution vulnerability exists in Zabbix's Frontend 'validate' action that permits blind instantiation of arbitrary PHP classes without authentication. The vulnerability affects Zabbix products across multiple versions as indicated by the CPE wildcard notation, and while the immediate impact appears limited by environment-specific constraints, successful exploitation could lead to information disclosure or arbitrary code execution depending on available PHP classes in the deployment context. No CVSS score, EPSS data, or KEV status is currently published, but the attack vector is unauthenticated and likely has low complexity, suggesting meaningful real-world risk.
PHP
Information Disclosure
Suse
-
CVE-2026-21790
MEDIUM
CVSS 6.3
HCL Traveler contains a weak default HTTP header validation vulnerability (CWE-346) that allows authenticated attackers to bypass additional authentication checks and gain unauthorized access to sensitive functionality. The vulnerability affects HCL Traveler across multiple versions and requires only network access and valid credentials to exploit. While the CVSS score is moderate (6.3) and no active exploitation in the wild has been documented in KEV databases, the authentication bypass nature of this issue presents a real risk to organizations relying on Traveler for secure communications.
Authentication Bypass
-
CVE-2026-21783
MEDIUM
CVSS 4.3
HCL Traveler contains a sensitive information disclosure vulnerability where error messages expose internal system details including file paths, tokens, credentials, and stack traces. This affects all versions of HCL Traveler as indicated by the CPE string, and requires authenticated access (PR:L) to exploit, but can be leveraged by low-privilege users to perform reconnaissance on the application architecture for follow-up attacks. With a CVSS score of 4.3 and confidentiality impact rated as LOW, this is a moderate information disclosure issue that lowers the bar for subsequent targeted attacks rather than directly compromising systems.
Information Disclosure
-
CVE-2026-4781
MEDIUM
CVSS 5.3
SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the sid parameter in update_purchase.php, enabling unauthorized database queries and potential data exfiltration. Public exploit code exists for this vulnerability, and no patch is currently available.
PHP
SQLi
-
CVE-2026-4780
MEDIUM
CVSS 5.3
SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the update_out_standing.php file's sid parameter that allows authenticated remote attackers to execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects PHP-based deployments and has a CVSS score of 5.3.
SQLi
PHP
-
CVE-2026-4779
MEDIUM
CVSS 5.3
SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in update_customer_details.php allows authenticated remote attackers to execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations using PHP-based deployments of this system should restrict access to the vulnerable component until a fix is released.
PHP
SQLi
-
CVE-2026-4778
MEDIUM
CVSS 5.3
SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the sid parameter in update_category.php. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers with valid credentials can leverage this weakness to compromise database integrity and extract sensitive information.
PHP
SQLi
-
CVE-2026-4777
MEDIUM
CVSS 5.3
SQL injection in SourceCodester Sales and Inventory System 1.0's view_supplier.php POST parameter handler allows authenticated attackers to execute arbitrary SQL queries through the searchtxt parameter. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability affects PHP-based installations and currently lacks an available patch.
PHP
SQLi
-
CVE-2026-4754
MEDIUM
CVSS 6.1
This is a Stored or Reflected Cross-Site Scripting (XSS) vulnerability (CWE-79) in Android-ImageMagick7 versions before 7.1.2-11 that allows attackers to inject malicious scripts through crafted image inputs or related user-controlled data. Attackers with network access and no authentication required can exploit this vulnerability to execute arbitrary JavaScript in the context of affected applications, leading to session hijacking, credential theft, or malware distribution. The vulnerability has a CVSS score of 6.1 (Medium) with cross-site scope, and a patch is available from the vendor, though no confirmed active exploitation in KEV or public proof-of-concept code has been widely documented.
XSS
Google
Android
-
CVE-2026-4752
MEDIUM
CVSS 6.4
A Use After Free (UAF) vulnerability exists in No-Chicken Echo-Mate prior to version V250329, allowing an attacker with high privileges to cause memory corruption that may lead to information disclosure, data integrity violations, or denial of service. The vulnerability is classified as CWE-416 and carries a CVSS score of 6.4; a security patch is available from the vendor via GitHub pull request.
Use After Free
Denial Of Service
Memory Corruption
-
CVE-2026-4751
MEDIUM
CVSS 5.3
A NULL pointer dereference vulnerability exists in tmate versions prior to 2.4.0, allowing unauthenticated remote attackers to cause a denial of service condition by crashing the application. The vulnerability has a CVSS score of 5.3 (medium severity) with low attack complexity and no privilege requirements, making it readily exploitable over the network. A patch is available from the vendor, and this issue does not compromise confidentiality or integrity, only availability.
Denial Of Service
Debian
Null Pointer Dereference
-
CVE-2026-4749
MEDIUM
CVSS 6.5
An information disclosure vulnerability exists in albfan miraclecast before version 1.0 that allows unauthenticated attackers on an adjacent network to access sensitive information. The vulnerability affects miraclecast across all versions prior to v1.0 via an unspecified mechanism (CWE-noinfo). While the CVSS score is 6.5 (medium-high), the attack vector is adjacent network (AV:A) rather than network-wide, and no active exploitation in the wild or known public proof-of-concept has been reported at this time.
Information Disclosure
Debian
-
CVE-2026-4743
MEDIUM
CVSS 5.2
ncmdump versions before 1.4.0 contain a null pointer dereference vulnerability in the cJSON.cpp module that allows local attackers to cause a denial of service through application crash. An attacker with local access and user interaction can trigger this vulnerability to disable the affected ncmdump utility. A patch is available for affected users.
Denial Of Service
Ncmdump
-
CVE-2026-4733
MEDIUM
CVSS 5.3
ixray-1.6-stcop before version 1.3 contains an Exposure of Sensitive Information vulnerability (CWE-200) that allows unauthenticated remote attackers to access unauthorized data. The vulnerability has a CVSS score of 5.3 with low attack complexity and no user interaction required, making it accessible over the network. While the vulnerability does not impact confidentiality or integrity according to the CVSS vector, the availability impact warrants immediate patching.
Information Disclosure
-
CVE-2026-4728
MEDIUM
CVSS 6.5
A spoofing vulnerability exists in Firefox's Privacy: Anti-Tracking component that allows attackers to deceive users or bypass security mechanisms through fraudulent representation. Firefox versions prior to 149 are affected. While specific exploit details are limited in available intelligence, the spoofing nature suggests attackers could impersonate legitimate content or services, potentially leading to credential theft, phishing success, or privacy compromise. No CVSS score, EPSS data, or confirmed KEV status is currently available, limiting real-time risk quantification.
Mozilla
Authentication Bypass
Firefox
-
CVE-2026-4649
MEDIUM
CVSS 5.3
Apache Artemis before version 2.52.0 contains an authentication bypass vulnerability (CVE-2026-27446) that allows attackers to read all messages exchanged via the broker and inject new messages. KNIME Business Hub, which embeds Apache Artemis, is affected across all versions, though exploitation requires an authenticated user with workflow execution privileges who can register a federated mirror without authenticating to the underlying Artemis instance. While no public exploit code has been disclosed and CVSS scoring is unavailable, the vulnerability represents a significant insider threat with direct impact on message confidentiality and integrity.
Authentication Bypass
Apache
Knime Business Hub
-
CVE-2026-4626
MEDIUM
CVSS 5.1
A stored cross-site scripting (XSS) vulnerability exists in projectworlds Lawyer Management System version 1.0 within the /lawyer_booking.php file, where the Description parameter fails to sanitize user input before rendering. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. A proof-of-concept exploit has been publicly disclosed on GitHub, and the vulnerability carries a CVSS score of 3.5 with evidence of public exploitation.
PHP
XSS
-
CVE-2026-4616
MEDIUM
CVSS 4.8
A cross-site scripting (XSS) vulnerability exists in bolo-blog version 2.6.4 in the Article Title Handler component at /console/article/, where the articleTitle parameter is not properly sanitized before being rendered. An authenticated attacker with high privileges can inject malicious JavaScript through the articleTitle argument, resulting in stored or reflected XSS that compromises the integrity of the application. A proof-of-concept exploit has been publicly released on GitHub, and the vendor has not yet responded to early disclosure notifications.
XSS
-
CVE-2026-4614
MEDIUM
CVSS 6.3
SQL injection in the Parameter Handler of itsourcecode sanitize or validate this input 1.0 allows authenticated remote attackers to manipulate the subject_code argument in /admin/subjects.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available.
PHP
SQLi
-
CVE-2026-4433
MEDIUM
CVSS 4.8
Tenable OT contains an SSH misconfiguration that permits unauthorized disclosure of socket, port, and service information through the ostunnel user account and improper GatewayPorts settings. This vulnerability affects Tenable Operation Technology across multiple versions and allows attackers to enumerate underlying system architecture and network configuration without requiring high privileges or complex exploitation. While no CVSS score, EPSS data, or confirmed active exploitation is publicly documented, the information disclosure nature of this vulnerability enables reconnaissance for subsequent targeted attacks.
Information Disclosure
-
CVE-2026-3889
MEDIUM
CVSS 6.5
A spoofing vulnerability exists in Mozilla Thunderbird that affects versions below 149 and below 140.9, allowing attackers to spoof email sources or identities. This vulnerability is classified as an information disclosure issue that could compromise email authentication and user trust. While specific CVSS and EPSS metrics are unavailable, the vulnerability warrants prompt patching as Mozilla has issued security advisories indicating active remediation efforts.
Information Disclosure
Mozilla
Thunderbird
-
CVE-2026-3260
MEDIUM
CVSS 5.9
A resource exhaustion vulnerability exists in Undertow where remote attackers can send HTTP GET requests with multipart/form-data content to trigger premature parsing and disk storage of request data, leading to Denial of Service when applications use parameter retrieval methods like getParameterMap(). The vulnerability affects multiple Red Hat products including Enterprise Linux 8, 9, and 10, JBoss Enterprise Application Platform 7 and 8, Red Hat Fuse 7, and several Apache Camel variants. An attacker with network access and no authentication can exhaust server disk resources with moderate attack complexity, causing service unavailability.
Denial Of Service
-
CVE-2026-3138
MEDIUM
CVSS 6.5
The Product Filter for WooCommerce by WBW plugin for WordPress (versions up to 3.1.2) contains a critical authentication bypass vulnerability that allows unauthenticated attackers to permanently delete all filter configurations by truncating the wp_wpf_filters database table. The vulnerability stems from the plugin's MVC framework registering unauthenticated AJAX handlers without capability checks, combined with a magic method that forwards calls to the model layer and a permission check that defaults to true. An attacker can exploit this with a single crafted AJAX request, resulting in complete data loss and service disruption for WooCommerce installations using this plugin.
WordPress
Authentication Bypass
-
CVE-2026-3079
MEDIUM
CVSS 6.5
The LearnDash LMS plugin for WordPress contains a blind time-based SQL injection vulnerability in the 'filters[orderby_order]' parameter of the 'learndash_propanel_template' AJAX action, affecting all versions up to and including 5.0.3. Authenticated attackers with Contributor-level access or higher can exploit insufficient input escaping and lack of prepared statements to extract sensitive database information through time-based SQL injection techniques. While the CVSS score of 6.5 reflects medium severity with high confidentiality impact, the requirement for authentication and low network complexity means this poses a real but contained risk, particularly in multi-user WordPress environments where contributor accounts are common.
WordPress
SQLi
-
CVE-2025-33242
MEDIUM
CVSS 5.9
This vulnerability in NVIDIA's B300 MCU (specifically the CX8 MCU component) allows privileged attackers with network access to modify unsupported hardware registries, potentially causing denial of service and data tampering. The flaw affects HGX and DGX B300 systems and requires high privileges and non-trivial attack complexity to exploit, though no public exploit code or active exploitation has been reported at this time. SSVC assessment indicates the vulnerability presents partial technical impact with no known automated exploitation capability.
Denial Of Service
Nvidia
-
CVE-2025-33216
MEDIUM
CVSS 6.8
NVIDIA SNAP-4 Container contains a buffer size calculation vulnerability in its configuration interface that allows an authenticated attacker on the same virtualized environment to trigger a denial of service condition. An attacker with local VM access and low-level privileges can send specially crafted configuration payloads that cause incorrect buffer size calculations, resulting in crashes of the SNAP storage service and loss of storage availability to the host. There is currently no evidence of active exploitation or public proof-of-concept code, and the SSVC framework indicates no known exploitation has occurred, though the vulnerability is automatable in principle.
Denial Of Service
Nvidia
-
CVE-2025-33215
MEDIUM
CVSS 6.8
NVIDIA SNAP-4 Container contains a use-of-out-of-range pointer offset vulnerability in the VIRTIO-BLK component that allows a malicious guest VM to trigger memory corruption and denial of service. The vulnerability affects NVIDIA SNAP-4 Container across all versions as indicated by the CPE string. A successful exploit results in denial of service to the DPA (Data Processing Appliance) and impacts storage availability to other VMs, though no code execution or information disclosure is possible. There is no evidence of active exploitation in the wild (KEV status indicates none), and the CVSS score of 6.8 reflects moderate severity with high availability impact but limited exploitability due to requiring adjacent network access and user privileges.
Denial Of Service
Nvidia
Memory Corruption
-
CVE-2026-33769
LOW
CVSS 2.9
Astro's remotePatterns path enforcement contains a logic flaw where wildcard matching for /* is unanchored, allowing attackers to bypass path restrictions and access unintended resources on allowed hosts. Versions 2.10.10 through 5.18.0 are affected, enabling information disclosure through server-side image optimization endpoints and other remote fetchers. The vulnerability has been patched in version 5.18.1, and while no public exploit code or active exploitation has been reported in KEV databases, the straightforward nature of the bypass makes this a moderate to high priority for affected deployments.
Information Disclosure
-
CVE-2026-33624
LOW
CVSS 2.1
Parse Server versions prior to 8.6.60 and 9.6.0-alpha.54 contain a race condition vulnerability that allows attackers to reuse single-use MFA recovery codes an unlimited number of times through concurrent login requests. An attacker with knowledge of a user's password and possession of one valid recovery code can bypass the intended single-use restriction by sending multiple authentication attempts simultaneously within milliseconds, effectively defeating the multi-factor authentication protection mechanism. This vulnerability is tracked as CWE-367 (TOCTOU race condition) and has been patched in the aforementioned versions with fixes available via pull requests 10275 and 10276.
Information Disclosure
Node.js
-
CVE-2026-33525
LOW
CVSS 0.5
A stored cross-site scripting (XSS) vulnerability exists in Authelia version 4.39.15 due to improper neutralization of the language cookie value when rendering HTML templates. This vulnerability only affects users who have deliberately disabled or modified the default Content Security Policy with unsafe directives (such as unsafe-inline scripts or arbitrary domain connections); default installations are completely protected. An attacker could potentially inject malicious JavaScript into the Authelia login page if multiple preconditions are met, including a secondary application vulnerability on the same domain, CSP misconfiguration, and the ability to manipulate cookies.
XSS
-
CVE-2026-33161
LOW
CVSS 1.3
An authorization bypass vulnerability in Craft CMS allows low-privileged authenticated users to extract private asset editing metadata, including focal point data, from assets they do not have permission to view. The vulnerability affects Craft CMS versions prior to 4.17.8 and 5.9.14, where the actionImageEditor endpoint fails to perform per-asset authorization checks before returning sensitive editor context. While no CVSS score or EPSS metric is currently published, this information disclosure vulnerability enables attackers to gain unauthorized insight into restricted asset configurations.
Information Disclosure
-
CVE-2026-33160
LOW
CVSS 2.7
An unauthenticated user can exploit the `/assets/generate-transform` endpoint in Craft CMS to generate valid transform URLs for private assets without authorization checks, allowing anonymous access to transformed image content that should be restricted. This authentication bypass affects Craft CMS versions prior to 4.17.8 and 5.9.14, enabling attackers to derive and view content from private assets through the publicly accessible transform endpoint. The vulnerability has a published patch and advisory available from the vendor.
Authentication Bypass
-
CVE-2026-32642
LOW
CVSS 2.3
An incorrect authorization vulnerability exists in Apache Artemis and Apache ActiveMQ Artemis where the OpenWire protocol fails to properly enforce permission checks when creating non-durable JMS topic subscriptions on non-existent addresses. A user with only 'createDurableQueue' permission but lacking 'createAddress' permission can bypass authorization controls to create temporary addresses that should be denied, circumventing the intended security model when address auto-creation is disabled. This authentication bypass persists until the OpenWire connection closes and the temporary address is cleaned up.
Apache
Authentication Bypass
-
CVE-2026-4742
LOW
CVSS 2.9
An HTTP Request/Response Smuggling vulnerability exists in visualfc liteide due to inconsistent interpretation of HTTP requests in the HTTP parser component (http_parser.C), classified under CWE-444. This affects liteide versions before x38.4, allowing attackers to exploit the qjsonrpc HTTP parser module to smuggle malicious requests. An attacker could leverage this vulnerability to perform request smuggling attacks, potentially leading to cache poisoning, session hijacking, or information disclosure depending on the deployment context and HTTP intermediaries involved.
Information Disclosure
Liteide
-
CVE-2025-11571
LOW
CVSS 2.1
A command injection vulnerability exists in Silicon Labs Simplicity Studio V5 and Simplicity Installer Tool for Simplicity Studio V6, where vulnerable endpoints accept user-controlled input through URLs in JSON format, enabling arbitrary command execution. An attacker on the same network can exploit this to execute system commands, though parameter passing is restricted. While CVSS scoring is unavailable, the vulnerability represents a significant local network threat to development environments using these tools.
Command Injection