Skip to main content
CVE-2019-25639 HIGH POC This Week

Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25643 HIGH POC This Week

eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25641 HIGH POC This Week

Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25635 HIGH POC This Week

Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Zeeways Matrimony Cms
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25636 HIGH POC This Week

Zeeways Jobsite CMS contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25642 HIGH POC This Week

Unauthenticated SQL injection in Bootstrapy CMS allows remote attackers to extract sensitive database information or cause denial of service through multiple POST parameters in forum and contact modules. The vulnerability affects forum-thread.php (thread_id), contact-submit.php (subject), and post-new-submit.php (post-id) endpoints. Public exploit code exists via Exploit-DB #46590, though EPSS probability remains low at 0.06% (19th percentile), suggesting limited real-world exploitation despite ease of attack (AV:N/AC:L/PR:N). SSVC framework confirms proof-of-concept availability and automated exploitation potential with partial technical impact.

PHP SQLi Denial Of Service Bootstrap
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25640 HIGH POC This Week

SQL injection in Inout Article Base CMS allows remote unauthenticated attackers to extract sensitive database information or cause denial of service through malicious XOR-based and time-based SQL payloads injected via 'p' and 'u' parameters in GET requests to portalLogin.php. Public exploit code demonstrates the attack (Exploit-DB 46593), though EPSS scoring indicates low probability of widespread exploitation (0.06%, 19th percentile). No vendor patch has been identified, and the vendor website reference provides no security advisory, leaving deployments at continued risk.

PHP SQLi Denial Of Service
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25630 HIGH POC This Week

PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP RCE File Upload
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2019-25647 HIGH POC This Week

PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2019-25627 HIGH POC This Week

FlexHEX 2.71 contains a local buffer overflow vulnerability in the Stream Name field that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overflow. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE File Upload Flexhex
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-22739 HIGH POC PATCH This Week

Spring Cloud Config Server contains a path traversal vulnerability when using the native file system backend, allowing unauthenticated remote attackers to access arbitrary files outside configured search directories by manipulating the profile parameter in requests. This affects Spring Cloud versions 3.1.X before 3.1.13, 4.1.X before 4.1.9, 4.2.X before 4.2.3, 4.3.X before 4.3.2, and 5.0.X before 5.0.2. With a CVSS score of 8.6 indicating high confidentiality impact with some integrity and availability impact, and network-based attack vector requiring no authentication, this represents a significant information disclosure risk for exposed Config Server instances.

Java Path Traversal
NVD HeroDevs VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2019-25634 HIGH POC This Week

Local arbitrary code execution in 4mhz Base64 Decoder 1.1.2 occurs when the application processes a maliciously crafted input file, causing a stack-based buffer overflow that overwrites the Structured Exception Handler (SEH) chain. Publicly available exploit code exists (Exploit-DB 46625) demonstrating an SEH overwrite chained with a POP-POP-RET gadget and an egghunter payload to reach attacker-supplied shellcode. Despite CVSS 8.6 and a working PoC, EPSS is only 0.01% (2nd percentile), reflecting the niche Windows utility and local-only attack vector.

Buffer Overflow Memory Corruption RCE Base64 Decoder
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25633 HIGH POC This Week

AIDA64 Extreme 5.99.4900 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input through the email. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Aida64 Extreme
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25631 HIGH POC This Week

AIDA64 Business 5.99.4900 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting SEH pointers with malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Aida64 Business
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25629 HIGH POC This Week

AIDA64 Extreme 5.99.4900 contains a structured exception handler buffer overflow vulnerability in the logging functionality that allows local attackers to execute arbitrary code by supplying a. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Aida64 Extreme
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25626 HIGH POC This Week

Local buffer overflow in River Past Cam Do 3.7.6's activation code field enables arbitrary code execution with SYSTEM privileges through specially crafted 608-byte input followed by shellcode and SEH chain overwrite. While exploitation requires local access and a publicly available exploit exists (Exploit-DB 46670), EPSS score of 0.01% indicates minimal real-world exploitation activity. The vulnerability affects a legacy multimedia application with no confirmed vendor patch, making it primarily relevant for environments still running this discontinued software.

Buffer Overflow RCE File Upload River Past Cam Do
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25637 HIGH POC This Week

X-NetStat Pro 5.63 contains a local buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting the EIP register through a 264-byte buffer overflow. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Netstat Pro
NVD Exploit-DB VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2019-25638 HIGH POC This Week

Meeplace Business Review Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Denial Of Service
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2025-41660 HIGH PATCH This Week

A vulnerability in CODESYS Control runtime systems allows a low-privileged remote attacker to replace the boot application, resulting in arbitrary code execution with high impact on confidentiality, integrity, and availability. The vulnerability affects numerous CODESYS Control variants across multiple platforms including Linux, Windows, embedded systems, and industrial controllers. With a CVSS score of 8.8 and network-accessible attack vector requiring only low privileges, this represents a significant threat to industrial control systems and automation environments.

RCE Codesys Control Rte Sl Codesys Control Rte For Beckhoff Cx Sl Codesys Control Win Sl Codesys Hmi Sl +12
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-4680 HIGH PATCH This Week

Remote code execution in Google Chrome's Federated Credential Management (FedCM) prior to version 146.0.7680.165 enables unauthenticated attackers to execute arbitrary code within the browser sandbox through a malicious HTML page. This use-after-free vulnerability in memory management affects Chrome on all supported platforms and requires only user interaction to trigger. A patch is available in Chrome 146.0.7680.165 and later.

Google RCE Use After Free Debian Memory Corruption +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4678 HIGH PATCH This Week

Sandboxed code execution in Google Chrome's WebGPU implementation (prior to 146.0.7680.165) stems from a use-after-free memory vulnerability that can be triggered via malicious HTML pages. An unauthenticated remote attacker can exploit this to execute arbitrary code within the Chrome sandbox without user interaction beyond viewing a crafted webpage. A patch is available for affected users.

Google RCE Use After Free Debian Memory Corruption +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22559 HIGH PATCH This Week

Ubiquiti UniFi Network Server versions 10.1.85 and earlier are vulnerable to account takeover through improper input validation when users click malicious links in social engineering attacks. An attacker can gain unauthorized account access with high impact on confidentiality, integrity, and availability. Users should upgrade to version 10.1.89 or later to remediate this vulnerability.

Ubiquiti Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4679 HIGH PATCH This Week

Out-of-bounds memory write in Google Chrome's font handling prior to version 146.0.7680.165 enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can exploit an integer overflow vulnerability to achieve complete system compromise with high integrity and confidentiality impact. Patches are available for Chrome and affected Debian systems.

Google Buffer Overflow Debian Chrome Red Hat +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4676 HIGH PATCH This Week

Sandbox escape in Google Chrome prior to version 146.0.7680.165 via a use-after-free vulnerability in the Dawn graphics component enables remote attackers to execute arbitrary code when users visit malicious HTML pages. The vulnerability affects multiple platforms including Debian systems and requires only user interaction to trigger, bypassing Chrome's sandbox isolation. A patch is available to remediate this high-severity memory corruption flaw.

Debian Google Use After Free Denial Of Service Memory Corruption +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4674 HIGH PATCH This Week

Out of bounds memory read in Google Chrome's CSS parser prior to version 146.0.7680.165 allows remote attackers to access sensitive memory contents through a malicious HTML page. The vulnerability requires user interaction and affects Chrome on multiple platforms including Debian systems, enabling attackers to potentially leak confidential data with high impact on confidentiality and integrity.

Debian Google Buffer Overflow Information Disclosure Chrome +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4677 HIGH PATCH This Week

This vulnerability is an out-of-bounds memory read flaw in the WebAudio API implementation within Google Chrome prior to version 146.0.7680.165. A remote attacker can craft a malicious HTML page to trigger the vulnerability and read sensitive memory contents, leading to information disclosure. Although no CVSS score or EPSS data is provided, the Chromium security severity is rated as High, and the vulnerability affects all users of vulnerable Chrome versions until patching.

Debian Google Buffer Overflow Information Disclosure Chrome +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4675 HIGH PATCH This Week

Google Chrome's WebGL implementation contains a heap buffer overflow that enables remote attackers to read arbitrary memory by serving a specially crafted HTML page to users prior to version 146.0.7680.165. This network-based vulnerability requires only user interaction and affects Chrome on all platforms, granting attackers access to sensitive data in the browser's memory. A patch is available and should be applied immediately given the high severity and potential for exploitation.

Debian Google Heap Overflow Buffer Overflow Chrome +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4673 HIGH PATCH This Week

Unauthenticated remote attackers can exploit a heap buffer overflow in Google Chrome's WebAudio component (versions prior to 146.0.7680.165) by hosting malicious HTML pages that trigger out-of-bounds memory writes. This vulnerability enables arbitrary code execution with full system compromise potential. A patch is available from Google and Debian.

Debian Google Buffer Overflow Heap Overflow Chrome +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-33511 HIGH PATCH This Week

pyLoad versions 0.4.20 through 0.5.0b3.dev96 contain an authentication bypass vulnerability in the ClickNLoad feature's local_check decorator that allows remote attackers to spoof the HTTP Host header and access localhost-restricted endpoints without authentication. This vulnerability enables unauthenticated remote users to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code with the privileges of the pyLoad process. The vulnerability has been patched in version 0.5.0b3.dev97, and exploitation appears feasible given the straightforward nature of HTTP header manipulation.

Python Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-33854 HIGH PATCH This Week

Memory corruption through out-of-bounds write in Android-ImageMagick7 before version 7.1.2-10 enables remote code execution when a user processes a malicious image file. An attacker can exploit this vulnerability over the network without authentication to achieve complete system compromise including data theft, modification, and denial of service. A patch is available for affected Android devices running vulnerable versions of the ImageMagick library.

Google Buffer Overflow Memory Corruption Android
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33849 HIGH PATCH This Week

RapidVMS before PR#96 contains a buffer overflow vulnerability that allows unauthenticated remote attackers to achieve code execution, data theft, or system compromise with minimal user interaction. The flaw stems from improper memory bounds checking and carries a high CVSS score of 8.8 with network-based attack vectors. A patch is available to address this critical memory safety issue.

Buffer Overflow Rapidvms
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33848 HIGH PATCH This Week

RapidVMS before patch PR#96 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code without authentication or user interaction. The high CVSS score (8.8) reflects the critical nature of this network-accessible flaw affecting confidentiality, integrity, and availability of affected systems. A patch is available and should be prioritized immediately given the severe exploitation potential.

Buffer Overflow Rapidvms
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-27654 HIGH PATCH This Week

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside the document root when MOVE/COPY methods are combined with prefix location and alias directives. The vulnerability affects NGINX Open Source and NGINX Plus installations using vulnerable configurations, though the low-privilege worker process context limits the scope of file manipulation. No patch is currently available for this high-severity issue.

Nginx Buffer Overflow Heap Overflow Nginx Open Source Nginx Plus
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-29839 HIGH This Week

DedeCMS v5.7.118 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /sys_task_add.php endpoint that allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An attacker can craft a malicious webpage or email that, when visited by an authenticated DedeCMS administrator, will execute unwanted administrative tasks such as adding or modifying system tasks. While no CVSS score, EPSS data, or active KEV listing is currently available, a public proof-of-concept exists on GitHub demonstrating the vulnerability's exploitability.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4722 HIGH PATCH This Week

Firefox versions prior to 149 contain a privilege escalation vulnerability in the IPC component that allows remote attackers to escalate privileges through user interaction on affected systems. An attacker can exploit this flaw to gain elevated system access and potentially execute arbitrary code with higher privileges. No patch is currently available for this high-severity vulnerability affecting Mozilla and Debian users.

Mozilla Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33538 HIGH PATCH This Week

An unauthenticated denial-of-service vulnerability exists in Parse Server versions prior to 8.6.58 and 9.6.0-alpha.52, where attackers can submit authentication requests with arbitrary, unconfigured provider names to trigger expensive unindexed database queries. Each malicious request causes a full collection scan on the user database, and since these requests can be parallelized, an attacker can rapidly exhaust database resources and degrade service availability. The vulnerability requires no authentication or special privileges, making it trivial to exploit at scale, and patches are available in the referenced versions.

Node.js Denial Of Service
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-4639 HIGH This Week

Vitals ESP, a healthcare software product developed by Galaxy Software Services, contains an incorrect authorization vulnerability that allows authenticated remote attackers with low-level privileges to escalate their access and perform administrative functions. The vulnerability has a CVSS score of 8.8 (High), indicating network-based exploitation with low attack complexity requiring only low-level authentication. No KEV listing or EPSS data is currently available, though Taiwan CERT (TWCERT) has published advisories on this issue.

Authentication Bypass Vitals Esp
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-4640 HIGH This Week

Vitals ESP, a software product developed by Galaxy Software Services, contains a Missing Authentication vulnerability that allows unauthenticated remote attackers to execute certain functions and obtain sensitive information. The vulnerability has a CVSS score of 7.5 (High) with network-based attack vector requiring no privileges or user interaction, resulting in high confidentiality impact. This issue was reported by Taiwan CERT (twcert) and is classified as an Authentication Bypass vulnerability.

Authentication Bypass Vitals Esp
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-4735 HIGH PATCH This Week

A deserialization of untrusted data vulnerability exists in DTStack chunjun versions prior to 1.16.1, specifically in the GsonUtil.java module within chunjun-core. An attacker can exploit this CWE-502 flaw to execute arbitrary code by crafting malicious serialized objects that are processed during deserialization. The vulnerability is reportedly patched as of version 1.16.1, with a patch available from the vendor via GitHub pull request #1939.

Deserialization Java
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-27651 HIGH PATCH This Week

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authentication is configured with retry-enabled backend servers. This denial of service vulnerability affects NGINX Plus and NGINX Open Source with no patch currently available, allowing unauthenticated remote attackers to terminate worker processes and degrade service availability.

Nginx Denial Of Service Null Pointer Dereference Nginx Open Source Nginx Plus
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-23921 HIGH PATCH This Week

A blind SQL injection vulnerability exists in Zabbix's API service layer (include/classes/api/CApiService.php) via the sortfield parameter that allows low-privilege users with API access to execute arbitrary SQL SELECT queries without direct result exfiltration. An attacker can leverage time-based blind SQL injection techniques to extract sensitive data such as session identifiers and administrator credentials, potentially leading to full administrative compromise of the Zabbix monitoring infrastructure. No CVSS score, EPSS data, or KEV status has been published, but the vulnerability's reliance on blind techniques and low-privilege requirement suggests moderate real-world exploitability.

PHP SQLi Suse
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-3912 HIGH This Week

This is an injection vulnerability affecting TIBCO ActiveMatrix BusinessWorks and Enterprise Administrator due to insufficient validation and sanitization of user-supplied input. The vulnerability allows attackers to disclose sensitive information including local files and host system details, and may enable manipulation of application behavior. No CVSS score, EPSS data, or active exploitation reports are currently available, but the vendor has issued a security advisory indicating patches are available.

Information Disclosure Activematrix Businessworks Enterprise Administrator
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-4627 HIGH This Week

An OS command injection vulnerability exists in D-Link DIR-825 and DIR-825R routers running firmware versions 1.0.5 and 4.5.1 respectively. The flaw resides in the handler_update_system_time function within the libdeuteron_modules.so library of the NTP Service component, allowing authenticated attackers with high privileges to execute arbitrary operating system commands remotely. These products are end-of-life and no longer supported by D-Link, meaning no patches will be released.

D-Link Command Injection
NVD VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-33539 HIGH PATCH This Week

Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability in PostgreSQL aggregate operations that allows attackers with master key access to execute arbitrary SQL statements, escalating from application-level administrator privileges to database-level access. Only PostgreSQL-backed Parse Server deployments are affected; MongoDB deployments are not vulnerable. No CVSS score or EPSS data is currently available, and no KEV or active exploitation reports have been confirmed at this time.

Privilege Escalation Node.js PostgreSQL SQLi
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-4741 HIGH PATCH This Week

Path traversal in JoyConDroid through version 1.0.93 allows unauthenticated remote attackers to access arbitrary files on affected systems through improper pathname validation in the UnzipUtil module. An attacker can exploit this vulnerability to read sensitive data and potentially modify files, achieving high integrity and availability impact. A patch is available for this high-severity vulnerability affecting Java and Joycondroid users.

Java Path Traversal
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-30932 HIGH PATCH GHSA This Week

Froxlor, a web hosting control panel, contains an injection vulnerability in its DNS zone management API that allows authenticated customers with DNS privileges to inject BIND zone file directives (such as $INCLUDE) through unvalidated content fields in LOC, RP, SSHFP, and TLSA DNS record types. Attackers can leverage this to read arbitrary world-readable files on the server, disrupt DNS services, or inject unauthorized DNS records. A proof-of-concept exploit is publicly available demonstrating file inclusion attacks, and patches have been released by the vendor in version 2.3.5.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-33157 HIGH PATCH This Week

A Remote Code Execution vulnerability exists in Craft CMS versions 4.x and 5.x that bypasses previous security patches for behavior injection attacks. An authenticated user with control panel access can exploit an unsanitized fieldLayouts parameter in the ElementIndexesController to inject malicious Yii2 behaviors and achieve arbitrary code execution. While no active exploitation (KEV) is documented, a patch is available and the vulnerability requires only low-privilege authenticated access, making it a significant risk for deployments with multiple control panel users.

PHP RCE
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-4687 HIGH PATCH This Week

A sandbox escape vulnerability exists in Firefox's Telemetry component due to incorrect boundary condition handling, allowing attackers to potentially break out of the browser sandbox and access system resources or sensitive data. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. The vulnerability enables information disclosure and potentially arbitrary code execution by circumventing the sandbox isolation mechanism that normally restricts browser processes.

Information Disclosure Mozilla Firefox Esr
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-4690 HIGH PATCH This Week

A sandbox escape vulnerability exists in Mozilla Firefox due to incorrect boundary conditions and integer overflow within the XPCOM component, allowing attackers to break out of the browser's security sandbox and potentially execute arbitrary code with elevated privileges. Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9 are affected. An attacker capable of triggering the integer overflow in XPCOM can exploit the boundary condition flaw to escape the sandbox, potentially leading to full system compromise depending on browser privilege level and operating system context.

Buffer Overflow Mozilla Integer Overflow Firefox Esr
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-4731 HIGH PATCH This Week

Integer overflow in ART's rtengine dcraw.C module before version 1.25.12 allows local attackers with user interaction to achieve high-impact compromise of confidentiality, integrity, and availability. This vulnerability requires local access and user interaction to trigger, making it exploitable primarily through malicious image files or project files opened by victims.

Buffer Overflow Integer Overflow Art
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy