260 CVEs tracked today. 17 Critical, 85 High, 141 Medium, 14 Low.
-
CVE-2026-33945
CRITICAL
CVSS 9.9
Path traversal in Incus system container manager allows authenticated remote attackers to write arbitrary files as root on the host via malformed systemd credential configuration keys. Affecting all versions before 6.23.0, this enables both privilege escalation from container to host and denial of service through critical file overwrites. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability, with no public exploit identified at time of analysis. The CVSS 9.9 Critical rating reflects the severe impact of container escape, though the PR:L requirement and lack of active exploitation temper immediate urgency.
Path Traversal
Privilege Escalation
Denial Of Service
-
CVE-2026-33897
CRITICAL
CVSS 9.9
Incus system container and virtual machine manager versions prior to 6.23.0 allow authenticated users with instance access to read and write arbitrary files as root on the host system through exploitation of pongo2 template processing. The vulnerability, rated Critical, stems from a bypassed chroot isolation mechanism that was intended to confine template operations to instance filesystems but instead permits unrestricted host filesystem access. No public exploit identified at time of analysis, though the vulnerability is classified as Server-Side Template Injection (SSTI) and a GitHub security advisory has been published.
Information Disclosure
SSTI
-
CVE-2026-33873
CRITICAL
CVSS 9.3
Langflow's Agentic Assistant feature executes LLM-generated Python code server-side during component validation, enabling arbitrary code execution when attackers can influence model outputs. The vulnerability affects the pip package 'langflow' and exists in endpoints /assist and streaming paths that invoke exec() on dynamically generated component code. A proof-of-concept exists demonstrating the execution chain from user input through validation to code execution. Authentication requirements depend on deployment configuration, with AUTO_LOGIN=true defaults potentially widening exposure. No public exploit identified at time of analysis beyond the documented PoC, though the technical details and code references provide a complete exploitation blueprint.
Python
RCE
Code Injection
Command Injection
-
CVE-2026-33867
CRITICAL
CVSS 9.1
AVideo, a popular open-source video platform, stores video access passwords in plaintext within the database, enabling attackers who gain read access through SQL injection, backup exposure, or misconfigured controls to harvest all protected video passwords without cracking. The vulnerability is tracked as CWE-312 (Cleartext Storage of Sensitive Information) and affects AVideo installations using the video password protection feature. A proof-of-concept demonstrating direct database extraction is documented in the GitHub advisory. Vendor patch is available via commit f2d68d2adbf73588ea61be2b781d93120a819e36, and no public exploit identified at time of analysis beyond the documented PoC.
PHP
SQLi
-
CVE-2026-33864
CRITICAL
Prototype pollution in convict npm package version 6.2.4 allows attackers to bypass previous security fixes and pollute Object.prototype through crafted input that manipulates String.prototype.startsWith. The vulnerability affects applications processing untrusted input via convict.set() and can lead to authentication bypass, denial of service, or remote code execution if polluted properties reach dangerous sinks like eval or child_process. A working proof-of-concept exploit demonstrating the bypass technique exists in the advisory.
Mozilla
Node.js
Prototype Pollution
RCE
Denial Of Service
-
CVE-2026-33863
CRITICAL
Prototype pollution in Mozilla's node-convict configuration library allows attackers to inject properties into Object.prototype via two unguarded code paths: config.load()/loadFile() methods that fail to filter forbidden keys during recursive merge operations, and schema initialization accepting constructor.prototype.* keys during default-value propagation. Applications using node-convict (pkg:npm/convict) that process untrusted configuration data face impacts ranging from authentication bypass to remote code execution depending on how polluted properties propagate through the application. This represents an incomplete fix for prior prototype pollution issues (GHSA-44fc-8fm5-q62h), with no public exploit identified at time of analysis.
Mozilla
Node.js
Prototype Pollution
RCE
Authentication Bypass
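Both convict entries above describe the same bug class: a dotted-path setter or recursive merge that walks into Object.prototype through a `__proto__` (or `constructor.prototype`) segment. The following is an added example, not node-convict's code: a minimal setter in the style of convict.set('a.b.c', v), first in a polluting form and then hardened with a forbidden-segment check, an own-property check, and prototype-free intermediate nodes. The keys and values are constructed for the demo, and the specific startsWith-based bypass from the advisory is not reproduced.

```javascript
// Added example (not node-convict's code): dotted-path config setter,
// polluting version beside a hardened version.
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function setPathUnsafe(target, dottedPath, value) {
  const keys = dottedPath.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];                      // '__proto__' yields Object.prototype here
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, dottedPath, value) {
  const keys = dottedPath.split('.');
  const bad = keys.find((k) => FORBIDDEN.has(k));
  if (bad !== undefined) throw new Error(`forbidden key segment: ${bad}`);
  let node = target;
  for (const key of keys.slice(0, -1)) {
    // Only descend into objects this config actually owns; new nodes get no
    // prototype chain, so there is nothing to climb even if a check is missed.
    if (!hasOwn(node, key) || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

function demo() {
  const out = {};
  setPathUnsafe({}, '__proto__.isAdmin', true);        // attacker-controlled path (constructed)
  out.unsafePollutes = ({}).isAdmin === true;            // every plain object is now "admin"
  delete Object.prototype.isAdmin;                       // undo so the rest of the demo is clean
  out.safeThrows = false;
  try { setPathSafe({}, '__proto__.isAdmin', true); } catch { out.safeThrows = true; }
  out.safeLeavesPrototypeClean = ({}).isAdmin === undefined;
  const cfg = setPathSafe({}, 'db.host', 'localhost');   // ordinary use still works
  out.safeStillWorks = cfg.db.host === 'localhost';
  return out;
}
```

The hardened setter rejects the segments by name rather than by prefix matching on untrusted strings, which is the kind of check a String.prototype manipulation can confuse; the own-property test also stops a walk through inherited properties that happen to be objects.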
-
CVE-2026-33758
CRITICAL
CVSS 9.4
Cross-site scripting in OpenBao's OIDC/JWT authentication method allows theft of Web UI session tokens when roles are configured with callback_mode=direct. Attackers exploit the unsanitized error_description parameter on failed authentication pages to inject malicious scripts that execute in victims' browsers, granting access to authentication tokens. The vulnerability affects OpenBao installations prior to v2.5.2 and has no public exploit identified at time of analysis, though the technical implementation details are publicly documented in the vendor advisory.
XSS
-
CVE-2026-33757
CRITICAL
CVSS 9.6
OpenBao JWT/OIDC authentication with direct callback mode allows remote phishing attacks where attackers can hijack user sessions without confirmation prompts, affecting installations using the direct callback_mode configuration. The vulnerability stems from lack of user interaction requirements during authorization code flow authentication, enabling session fixation attacks where victims visiting attacker-controlled URLs automatically authenticate into the attacker's session. No public exploit identified at time of analysis, though the attack vector is network-based with low complexity requiring only user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). Vendor-released patch: version 2.5.2.
Information Disclosure
Session Fixation
-
CVE-2026-33728
CRITICAL
CVSS 9.3
Remote code execution is possible in DataDog's dd-trace-java agent versions prior to 1.60.3 when running on JDK 16 or earlier with exposed JMX/RMI ports. The vulnerability stems from unsafe deserialization in the RMI instrumentation's custom endpoint, allowing network-accessible attackers to execute arbitrary code if gadget-chain libraries exist on the classpath. Vendor-released patch: version 1.60.3. No public exploit identified at time of analysis, though the issue was responsibly disclosed through DataDog's bug bounty program by Mohamed Amine ait Ouchebou.
RCE
Java
Deserialization
-
CVE-2026-33640
CRITICAL
CVSS 9.1
Account takeover in Outline collaborative documentation service versions 0.86.0 through 1.5.x enables unauthenticated attackers to brute force Email OTP codes due to insufficient validation logic combined with rate limiter bypass. Attackers can submit unlimited OTP attempts within the code's validity window, compromising user accounts. CVSS 9.1 (Critical) severity reflects network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, though the authentication bypass mechanism is documented in GHSA-cwhc-53hw-qqx6.
Authentication Bypass
-
CVE-2026-33526
CRITICAL
CVSS 9.2
Squid versions prior to 7.5 contain a heap use-after-free vulnerability (CWE-416) in ICP (Internet Cache Protocol) traffic handling that enables remote attackers to reliably trigger denial of service against affected proxy services. The vulnerability affects any Squid deployment with ICP support explicitly enabled via non-zero icp_port configuration, and cannot be mitigated through access control rules alone. A patch is available in version 7.5, and the vulnerability has been confirmed across multiple Debian releases and SUSE distributions.
Denial Of Service
Use After Free
Memory Corruption
-
CVE-2026-33396
CRITICAL
CVSS 9.9
Remote command execution can be achieved by low-privileged authenticated users (ProjectMember role) in OneUptime monitoring platform versions prior to 10.0.35 by exploiting incomplete sandbox restrictions in Synthetic Monitor Playwright script execution. Attackers can traverse the unblocked _browserType and launchServer properties via page.context().browser()._browserType.launchServer() to spawn arbitrary processes on the Probe container or host. A proof-of-concept exploit exists per SSVC framework data, and the vulnerability carries a CVSS score of 9.9 with Critical severity due to scope change and total technical impact.
RCE
Node.js
Docker
Privilege Escalation
Code Injection
-
CVE-2026-33152
CRITICAL
CVSS 9.1
Tandoor Recipes versions prior to 2.6.0 allow unlimited brute-force password guessing attacks against any known username through API endpoints accepting BasicAuthentication headers. While Django AllAuth rate limiting protects the HTML login form (5 attempts per minute per IP), API endpoints completely bypass these controls, enabling high-speed credential stuffing with no account lockout. A proof-of-concept exploit exists and the attack is automatable per SSVC analysis, though no active exploitation is confirmed in CISA KEV.
Python
Information Disclosure
-
CVE-2026-30458
CRITICAL
CVSS 9.1
Daylight Studio FuelCMS v1.5.2 allows remote attackers to exfiltrate password reset tokens through a mail splitting attack, enabling account takeover without authentication. The vulnerability exploits improper handling of email headers during the password reset workflow, permitting attackers to intercept or redirect sensitive reset tokens to attacker-controlled addresses. No public exploit code or active exploitation has been independently confirmed at time of analysis.
Information Disclosure
-
CVE-2026-30457
CRITICAL
CVSS 9.8
Remote code execution in Daylight Studio FuelCMS v1.5.2 through the /parser/dwoo component enables unauthenticated attackers to execute arbitrary PHP code via specially crafted input. The vulnerability exploits insufficient input validation in the Dwoo template engine integration, allowing direct PHP code injection. Attack complexity appears low given the public references to exploitation techniques in the cited pentest-tools PDF, though no CISA KEV entry is available to confirm real-world exploitation prevalence.
PHP
RCE
Code Injection
-
CVE-2026-4809
CRITICAL
CVSS 9.3
Remote code execution in plank/laravel-mediable PHP package through version 6.4.0 allows unauthenticated attackers to upload executable PHP files disguised with benign MIME types, achieving arbitrary code execution when files land in web-accessible directories. EPSS score of 0.39% (60th percentile) indicates low observed exploitation probability, though SSVC analysis confirms the vulnerability is automatable with total technical impact. No vendor-released patch identified at time of analysis despite coordinated disclosure attempts.
Laravel
PHP
File Upload
RCE
-
CVE-2026-3650
HIGH
CVSS 8.7
Malformed DICOM files with non-standard VR types trigger uncontrolled memory allocation in the Grassroots DICOM (GDCM) library, enabling remote denial-of-service attacks without authentication. CISA ICS-CERT issued an ICSMA advisory (26-083-01) highlighting impacts to medical imaging systems that rely on GDCM for DICOM parsing. The vulnerability allows heap exhaustion from a single malicious file read operation; an alternative base score of 7.5 (High: network-accessible, no privileges required) is also reported alongside the 8.7 above. No public exploit identified at time of analysis.
Information Disclosure
-
CVE-2026-0968
CRITICAL
CVSS 9.8
Libssh versions used across Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 are vulnerable to a null pointer dereference when processing malformed 'longname' fields in SFTP SSH_FXP_NAME messages, allowing unauthenticated remote attackers to trigger denial of service through application crashes. The reported CVSS 3.0 vector (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L, base score 3.1) reflects the high attack complexity and user-interaction requirement, and the impact is limited to a crash of the affected application, but the library is very widely deployed; no public exploit identified at time of analysis.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-34352
HIGH
CVSS 8.5
TigerVNC x0vncserver versions prior to 1.16.2 expose screen contents to unauthorized local users through incorrect file permissions in Image.cxx, enabling information disclosure, screen manipulation, or denial of service. The vulnerability has CVSS 8.5 (High) with local attack vector requiring no privileges or user interaction, and scope change indicating potential impact beyond the vulnerable component. No public exploit identified at time of analysis, though technical details are available via GitHub commit and mailing list disclosure.
Denial Of Service
-
CVE-2026-34055
HIGH
CVSS 8.1
OpenEMR contains an Insecure Direct Object Reference (IDOR) vulnerability in the patient notes functionality where authenticated users can modify or delete notes belonging to any patient without proper authorization checks. This affects OpenEMR versions prior to 8.0.0.3 and allows attackers with low-level privileges to access, modify, or delete sensitive medical records they should not have access to. The vulnerability has a CVSS score of 8.1 with high confidentiality and integrity impact, though there is no current evidence of active exploitation in the wild or public proof-of-concept code.
PHP
Authentication Bypass
-
CVE-2026-34053
HIGH
CVSS 7.1
OpenEMR versions prior to 8.0.0.3 contain a missing authorization vulnerability in the AJAX deletion endpoint that allows any authenticated user, regardless of assigned role or privileges, to irreversibly delete critical medical data including procedure orders, answers, and specimens for any patient in the system. This is a severe integrity violation in a healthcare application handling protected health information. No evidence of active exploitation (not in CISA KEV) is currently available, though patches have been released.
PHP
Authentication Bypass
-
CVE-2026-33943
HIGH
CVSS 8.8
Remote code execution is possible in the happy-dom JavaScript DOM implementation (npm package) through injection of malicious JavaScript expressions in ES module export declarations. Attackers can bypass input sanitization by using template literal syntax (backticks) to execute arbitrary system commands when happy-dom processes untrusted HTML content with JavaScript evaluation enabled. The vulnerability affects happy-dom versions prior to 20.8.8, with a publicly available exploit code that demonstrates command execution via Node.js child_process module. CVSS score of 8.8 reflects network-based attack vector requiring user interaction, with complete confidentiality, integrity, and availability impact.
RCE
Code Injection
-
CVE-2026-33942
HIGH
CVSS 8.1
Saloon PHP library versions prior to 4.0.0 contain a PHP object injection vulnerability in the AccessTokenAuthenticator::unserialize() method, which unsafely deserializes OAuth token state using unserialize() with allowed_classes set to true. An attacker who can control the serialized token string, such as by overwriting a cached token file or injecting malicious data, can supply a crafted serialized gadget object that executes arbitrary code through PHP magic methods during deserialization. In environments with common dependencies like Monolog present, this vulnerability can be reliably chained to achieve remote code execution (RCE), making it a critical threat to any API integration or SDK built on vulnerable Saloon versions.
PHP
RCE
Deserialization
-
CVE-2026-33932
HIGH
CVSS 7.6
A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's CCDA document preview functionality that allows authenticated attackers to execute arbitrary JavaScript in clinician browser sessions. OpenEMR versions prior to 8.0.0.3 are affected. The vulnerability occurs because the XSL stylesheet fails to sanitize linkHtml attributes in CCDA documents, allowing javascript: URLs and event handlers to execute when documents are previewed.
XSS
-
CVE-2026-33906
HIGH
CVSS 7.2
GitHub repository ellanetworks/core (Go package github.com/ellanetworks/core) suffers from a privilege escalation flaw that allows NetworkManager role users to replace the production SQLite database through an improperly validated restore endpoint, enabling escalation to Admin privileges and access to user management, audit logs, debug endpoints, and operator identity configuration. The vulnerability requires high-privilege authenticated access (PR:H) over network (AV:N) with low attack complexity (AC:L), scored CVSS 7.2. No public exploit identified at time of analysis. Patch available in version 1.7.0 per vendor advisory.
Privilege Escalation
-
CVE-2026-33898
HIGH
CVSS 8.8
Authentication bypass in Incus webui (versions prior to 6.23.0) permits local or remote attackers to gain unauthorized access to the system container and virtual machine manager via an improperly validated authentication token. The vulnerability allows attackers who can reach the temporary localhost web server to escalate privileges to the level of the user running 'incus webui', enabling control over containers, virtual machines, and potentially underlying system resources. CVSS score of 8.8 (High) reflects network attack vector with low complexity requiring user interaction; no public exploit identified at time of analysis.
Authentication Bypass
Privilege Escalation
-
CVE-2026-33896
HIGH
CVSS 7.4
The node-forge npm library fails to enforce RFC 5280 basicConstraints validation in its verifyCertificateChain() function, allowing any leaf certificate without basicConstraints and keyUsage extensions to sign other certificates that node-forge accepts as valid. Attackers holding any valid leaf certificate (e.g., a standard TLS certificate) lacking these extensions can forge certificates for arbitrary domains, bypassing certificate chain validation in applications using node-forge for custom PKI implementations, S/MIME verification, or IoT device authentication. A complete proof-of-concept exploit is publicly available demonstrating successful chain verification bypass. CVSS score of 7.4 reflects network-accessible attack vector with high complexity but no authentication required.
Microsoft
Buffer Overflow
OpenSSL
-
CVE-2026-33895
HIGH
CVSS 7.5
The digitalbazaar/forge npm package accepts forged Ed25519 signatures due to missing scalar canonicalization checks, allowing authentication and authorization bypass in applications that rely on signature uniqueness. All versions since Ed25519 implementation are affected (confirmed through version 1.3.3), identified as pkg:npm/node-forge. Publicly available exploit code exists with a complete proof-of-concept demonstrating how attackers can create multiple valid signatures for the same message by adding the group order L to the scalar component S, bypassing deduplication, replay protection, and signed-object canonicalization checks. The vendor has released a patch via commit bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85.
Node.js
Canonical
OpenSSL
Authentication Bypass
Jwt Attack
-
CVE-2026-33894
HIGH
CVSS 7.5
Signature forgery in node-forge npm package (all versions through v1.3.3) allows remote attackers to bypass RSASSA PKCS#1 v1.5 signature verification for RSA keys using low public exponent (e=3). Attackers can construct Bleichenbacher-style forged signatures by injecting malicious ASN.1 content within DigestInfo structures and exploiting missing padding length validation, enabling authentication bypass in systems relying on forge for cryptographic verification. Proof-of-concept code demonstrates successful forgery against forge while OpenSSL correctly rejects the same signature. CVSS score 7.5 (High) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis beyond the research POC.
Node.js
OpenSSL
Canonical
Information Disclosure
-
CVE-2026-33891
HIGH
CVSS 7.5
The node-forge cryptographic library for Node.js suffers from a complete Denial of Service condition when the BigInteger.modInverse() function receives zero as input, causing an infinite loop that consumes 100% CPU and blocks the event loop indefinitely. All versions of node-forge (npm package) are affected, impacting applications that process untrusted cryptographic parameters through DSA/ECDSA signature verification or custom modular arithmetic operations. CVSS 7.5 (High severity) reflects network-reachable, unauthenticated exploitation with no user interaction required. A working proof-of-concept exists demonstrating the vulnerability triggers within 5 seconds. Vendor patch is available via GitHub commit 9bb8d67b99d17e4ebb5fd7596cd699e11f25d023.
Node.js
Microsoft
Apple
Denial Of Service
-
CVE-2026-33872
HIGH
CVSS 7.1
Cross-user data leakage in elixir-nodejs library versions prior to 3.1.4 allows authenticated users to receive sensitive data belonging to other users through a race condition in the worker protocol's request-response handling. The lack of request-response correlation causes stale responses to be delivered to unrelated callers in high-throughput environments, potentially exposing PII, authentication tokens, or private records. No public exploit identified at time of analysis, though the vulnerability is documented in GitHub issue #100 with technical details publicly available.
Race Condition
Information Disclosure
-
CVE-2026-33871
HIGH
CVSS 8.7
Netty HTTP/2 servers can be rendered unresponsive by remote attackers flooding CONTINUATION frames with zero-byte payloads, bypassing existing header size limits and exhausting CPU resources. The affected package is io.netty:netty-codec-http2 (tracked via GitHub Security Advisory GHSA-w9fj-cfpg-grvv). Authentication requirements are not confirmed from available data. No public exploit identified at time of analysis, though the technical details provided in the advisory enable straightforward reproduction. The low bandwidth requirement for this CPU-based denial of service makes it highly practical for disrupting services at scale.
Java
Denial Of Service
-
CVE-2026-33870
HIGH
CVSS 7.5
CVE-2026-33870 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
Docker
RCE
Python
Request Smuggling
-
CVE-2026-33770
HIGH
CVSS 7.1
SQL injection in WWBN AVideo category management allows authenticated administrators to extract database contents including user credentials and private video metadata. The vulnerability resides in objects/category.php where user-supplied category title slugs are concatenated directly into SQL queries without parameterization. A working proof-of-concept demonstrates UNION-based injection to retrieve the users table. Upstream fix available via GitHub commit 994cc2b3d802b819e07e6088338e8bf4e484aae4, though no public exploit identified at time of analysis beyond the documented PoC.
PHP
SQLi
-
CVE-2026-33767
HIGH
CVSS 7.1
SQL injection in WWBN AVideo objects/like.php allows authenticated users to read and potentially modify the entire database by injecting malicious payloads into the videos_id parameter during like/dislike actions. The vulnerability affects pkg:composer/wwbn_avideo and arises from mixing parameterized queries with direct string concatenation. A proof-of-concept UNION-based injection exists demonstrating credential extraction. Upstream fix available (PR/commit); released patched version not independently confirmed.
PHP
SQLi
-
CVE-2026-33748
HIGH
CVSS 8.2
Moby BuildKit versions prior to v0.28.1 allow directory traversal attacks through maliciously crafted Git URL fragment subdir components, enabling attackers to access files outside the intended Git repository root during Docker builds. The path traversal is constrained to the same mounted filesystem but bypasses intended repository boundaries when processing Git URLs with subpath fragments. No public exploit identified at time of analysis, though exploitation requires only the ability to specify or influence Git URLs used in build contexts.
Docker
Path Traversal
-
CVE-2026-33747
HIGH
CVSS 8.4
BuildKit versions prior to 0.28.1 allow untrusted custom frontends to write arbitrary files outside the execution state directory through crafted API messages, enabling path traversal attacks. This affects users who specify custom frontends via #syntax directives or --build-arg BUILDKIT_SYNTAX parameters with untrusted images. The vulnerability carries a CVSS score of 8.4 with local attack vector requiring no privileges or user interaction, posing high risk to confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Docker
Path Traversal
-
CVE-2026-33744
HIGH
CVSS 7.8
BentoML, a Python framework for ML model serving, contains a command injection vulnerability in the docker.system_packages configuration field of bentofile.yaml files. The vulnerability affects all versions supporting this feature (confirmed in version 1.4.36) and allows attackers to execute arbitrary commands during the Docker image build process (bentoml containerize). This is a high-severity supply chain risk with a CVSS score of 7.8, requiring user interaction to trigger but achieving full command execution as root during container builds.
Docker
Python
RCE
Code Injection
-
CVE-2026-33664
HIGH
CVSS 7.3
Cross-site scripting in Kestra orchestration platform versions up to 1.3.3 enables authenticated flow authors to inject arbitrary JavaScript through unsanitized Markdown rendering in flow metadata fields (description, input displayName/description). The malicious scripts execute automatically when other users view the flow in the web UI, requiring zero interaction for input.displayName fields. This vulnerability (CVSS 7.3) differs from CVE-2026-29082 and affects different components with lower interaction requirements. No public exploit identified at time of analysis, and patch availability remains unconfirmed per the advisory.
XSS
-
CVE-2026-33645
HIGH
CVSS 7.1
Fireshare version 1.5.1 allows authenticated remote attackers to write arbitrary files outside the intended upload directory through unsanitized path traversal in the chunked upload endpoint's checkSum parameter. The vulnerability enables attackers with valid credentials to write files to any location accessible to the Fireshare process, potentially compromising system integrity or enabling secondary attacks. No public exploit identified at time of analysis, though the vulnerability has been fixed in version 1.5.2 released by the vendor.
Path Traversal
-
CVE-2026-33636
HIGH
CVSS 7.6
Out-of-bounds read and write in libpng's ARM/AArch64 Neon-optimized palette expansion allows remote attackers to trigger memory corruption, information disclosure, and denial of service when processing malicious PNG files. libpng versions 1.6.36 through 1.6.55 are affected on ARM platforms with Neon optimization enabled. Version 1.6.56 contains the fix. No public exploit identified at time of analysis, with SSVC framework indicating no active exploitation, non-automatable attack vector, and partial technical impact.
Buffer Overflow
Information Disclosure
-
CVE-2026-33632
HIGH
CVSS 8.4
Local processes on macOS can bypass ClearanceKit per-process file access policies by leveraging two unmonitored file operation event types (ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE) in versions prior to 4.2.4. The vulnerability affects ClearanceKit's opfilter system extension, which is designed to intercept and enforce file-system access controls. With a CVSS score of 8.4 indicating high confidentiality and integrity impact, authenticated local attackers with low privileges can circumvent security policies. No public exploit identified at time of analysis, and a vendor-released patch is available in version 4.2.4.
Apple
Authentication Bypass
-
CVE-2026-33631
HIGH
CVSS 8.7
ClearanceKit 4.1 and earlier for macOS allows local authenticated users to completely bypass configured file access policies via seven unmonitored file operation event types. The opfilter Endpoint Security extension only intercepted ES_EVENT_TYPE_AUTH_OPEN events, enabling processes to perform rename, unlink, and five other file operations without policy enforcement or denial logging. Version 4.2 branch contains the fix via commit a3d1733. No public exploit identified at time of analysis, but exploitation requires only local access with low privileges (CVSS PR:L) and no special complexity.
Apple
Authentication Bypass
-
CVE-2026-33530
HIGH
CVSS 7.7
Authenticated attackers with low-level privileges can exfiltrate sensitive database information from InvenTree open source inventory management systems prior to version 1.2.6 by abusing unvalidated filter parameters in bulk operation API endpoints. The vulnerability enables blind boolean-based data extraction through Django ORM relationship traversal, achieving high confidentiality impact with changed scope per CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (score 7.7). No public exploit identified at time of analysis, and vendor-released patches are available in versions 1.2.6 and 1.3.0.
Python
Information Disclosure
-
CVE-2026-33506
HIGH
CVSS 8.8
DOM-based Cross-Site Scripting in Ory Polis (formerly BoxyHQ Jackson) SAML-to-OAuth bridge allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via crafted callbackUrl parameters. Versions prior to 26.2.0 are affected, with vendor-released patch available in version 26.2.0. No public exploit identified at time of analysis. CVSS score of 8.8 reflects network-based attack vector with low complexity requiring only user interaction, though SSVC framework rates technical impact as partial with no observed exploitation and non-automatable attack pattern.
XSS
-
CVE-2026-33491
HIGH
CVSS 7.8
The Zen C compiler (versions prior to 0.4.4) crashes or enables arbitrary code execution when processing maliciously crafted .zc source files containing excessively long identifiers for structs, functions, or traits, triggering a stack-based buffer overflow (CWE-121). A proof-of-concept exploit exists per SSVC assessment; attack complexity is low, but exploitation requires local access and user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R), i.e. a victim must compile an attacker-supplied file. Vendor-released patch: version 0.4.4.
Buffer Overflow
RCE
Stack Overflow
-
CVE-2026-33487
HIGH
CVSS 7.5
XML Digital Signature validation in the russellhaering/goxmldsig Go library can be bypassed due to a loop variable capture bug affecting versions prior to 1.6.0. Unauthenticated remote attackers can exploit this flaw to manipulate signature validation by crafting XML documents with multiple references in the SignedInfo block, causing the validator to use the wrong reference and accept invalid signatures. The CVSS score of 7.5 reflects high integrity impact with network attack vector and low complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), though no public exploit has been identified at time of analysis.
Jwt Attack
Information Disclosure
-
CVE-2026-33416
HIGH
CVSS 7.5
A security vulnerability in versions 1.2.1 (CVSS 7.5). High severity vulnerability requiring prompt remediation.
Use After Free
Memory Corruption
Information Disclosure
-
CVE-2026-33201
HIGH
CVSS 7.0
The GREEN HOUSE CO., LTD. Digital Photo Frame GH-WDF10A contains active debug code that allows unauthenticated local attackers to read or write arbitrary files and execute commands with root privileges. This vulnerability affects all versions of the GH-WDF10A model and represents a critical local privilege escalation risk for any user with physical or network access to the device. While the alternative base score of 6.8 (Medium) reflects the physical-access requirement, the ability to achieve root code execution makes this a significant concern for device owners and enterprise deployments.
RCE
-
CVE-2026-33153
HIGH
CVSS 7.7
Tandoor Recipes application versions prior to 2.6.0 expose complete database schema and access control logic through an undocumented debug parameter in the Recipe API endpoint, allowing any authenticated user to extract raw SQL queries including table structures, JOIN relationships, WHERE conditions, and multi-tenant space identifiers even in production environments with DEBUG=False. A proof-of-concept exploit is available (SSVC exploitation status: poc). The CVSS 4.0 score of 7.7 reflects network-based exploitation with no attack complexity, and SSVC indicates the vulnerability is automatable with partial technical impact.
Information Disclosure
Python
-
CVE-2026-33149
HIGH
CVSS 8.1
Tandoor Recipes versions through 2.5.3 permit Host header injection that enables invite link poisoning. Because the Django application's default ALLOWED_HOSTS='*' configuration does not validate the HTTP Host header, and absolute URLs are built with request.build_absolute_uri(), an attacker can make invite emails, API pagination links, and OpenAPI schema URLs point at an attacker-controlled host, so that an administrator who triggers an invite unknowingly delivers the invite token to the attacker. No public exploit identified at time of analysis; CVSS 8.1 reflects a network-based attack requiring high privileges and user interaction with changed scope.
Python
Information Disclosure
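The mechanism above in working code, as an added example that is not Tandoor's or Django's code: a Go HTTP service that builds its invite link from the request's Host header (the vulnerable pattern) beside one that builds it from a configured canonical origin, plus a Host allowlist middleware that plays the role of a non-wildcard ALLOWED_HOSTS. The route, token and host names are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// inviteURLFromHost mirrors the vulnerable pattern: the absolute link placed
// in the invite email is derived from the request's Host header, which is
// client-controlled whenever the server accepts any Host.
func inviteURLFromHost(r *http.Request, token string) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	return fmt.Sprintf("%s://%s/invite/%s", scheme, r.Host, token)
}

// inviteURLFromConfig never looks at the request; links come from a
// configured canonical origin, so a poisoned Host cannot reach the email.
func inviteURLFromConfig(publicBase *url.URL, token string) string {
	u := *publicBase
	u.Path = strings.TrimRight(u.Path, "/") + "/invite/" + token
	return u.String()
}

// allowedHosts is the Go equivalent of a non-wildcard ALLOWED_HOSTS: any
// request whose Host (port stripped, case-folded) is not listed is refused
// with 400 before a handler can build a URL from it.
func allowedHosts(hosts []string, next http.Handler) http.Handler {
	allow := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		allow[strings.ToLower(h)] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := strings.ToLower(r.Host)
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h
		}
		if !allow[host] {
			http.Error(w, "invalid Host header", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	base, _ := url.Parse("https://recipes.example")
	fmt.Println(inviteURLFromConfig(base, "tok-123"))
}
```

Both controls are worth having: the allowlist stops poisoned Hosts at the door, and building links from configuration means a misconfigured allowlist (or a reverse proxy that rewrites Host) still cannot redirect invite tokens.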
-
CVE-2026-33009
HIGH
CVSS 8.2
Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attackers to trigger undefined behavior and potential memory corruption through unauthenticated MQTT messages. The data race condition in Charger::shared_context occurs when processing switch_three_phases_while_charging commands without proper locking, yielding CVSS 8.2 (High) with potential for availability disruption and data integrity impact. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication requirements (CVSS:3.1/AV:N/AC:L/PR:N/UI:N).
Race Condition
Memory Corruption
-
CVE-2026-32857
HIGH
CVSS 7.8
Firecrawl's Playwright scraping service through version 2.8.0 permits attackers to bypass SSRF protections and access internal network resources by exploiting a validation gap in redirect handling. Unauthenticated remote attackers can supply externally valid URLs that redirect to restricted internal endpoints, as network policy checks apply only to the initial request and not subsequent redirect destinations. With a CVSS score of 7.8 and high subsequent system confidentiality impact (SC:H), this represents a distinct post-redirect enforcement weakness separate from general redirect-based SSRF (CVE-2024-56800), though no public exploit is identified at time of analysis.
SSRF
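The post-redirect enforcement gap described above, closed in code, as an added example that is not Firecrawl's own: a Go HTTP client whose destination policy runs on the initial URL and again in CheckRedirect before every hop, rejecting loopback, private, link-local (including the cloud metadata address) and otherwise internal targets. The Resolver type is injected so the policy can be exercised offline; the host names in the test are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
)

// Resolver is injected so the policy can be tested offline with a fake; the
// default wraps the system resolver. Literal IP hosts never touch DNS.
type Resolver func(host string) ([]netip.Addr, error)

func systemResolver(host string) ([]netip.Addr, error) {
	ips, err := net.LookupIP(host)
	if err != nil {
		return nil, err
	}
	out := make([]netip.Addr, 0, len(ips))
	for _, ip := range ips {
		if a, ok := netip.AddrFromSlice(ip); ok {
			out = append(out, a.Unmap())
		}
	}
	return out, nil
}

// isInternal covers loopback, RFC 1918/ULA, link-local (including the
// 169.254.169.254 metadata endpoint), unspecified and multicast addresses.
func isInternal(a netip.Addr) bool {
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast() ||
		a.IsUnspecified() || a.IsMulticast()
}

// checkDestination is the policy applied to EVERY URL the client will
// contact. All resolved addresses are checked, not just the first, so a
// name that mixes public and private records is refused.
func checkDestination(u *url.URL, resolve Resolver) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("empty host")
	}
	var addrs []netip.Addr
	if a, err := netip.ParseAddr(host); err == nil {
		addrs = []netip.Addr{a.Unmap()} // ::ffff:10.0.0.1 becomes 10.0.0.1
	} else {
		var err error
		if addrs, err = resolve(host); err != nil {
			return err
		}
		if len(addrs) == 0 {
			return fmt.Errorf("%s did not resolve", host)
		}
	}
	for _, a := range addrs {
		if isInternal(a) {
			return fmt.Errorf("%s resolves to internal address %s", host, a)
		}
	}
	return nil
}

// newClient re-applies the policy on each redirect: CheckRedirect runs
// before the client follows req.URL, which is exactly the hop a check on
// the initial request alone never sees.
func newClient(resolve Resolver) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			return checkDestination(req.URL, resolve)
		},
	}
}

// fetch validates the initial URL, then lets CheckRedirect validate every
// hop that follows.
func fetch(raw string, resolve Resolver) (*http.Response, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if err := checkDestination(u, resolve); err != nil {
		return nil, err
	}
	return newClient(resolve).Get(u.String())
}

func main() {
	// Literal-IP examples run without any network access.
	for _, raw := range []string{"http://127.0.0.1:8080/admin", "http://169.254.169.254/latest/meta-data/"} {
		u, _ := url.Parse(raw)
		fmt.Println(raw, "->", checkDestination(u, systemResolver))
	}
}
```

One caveat a practitioner should keep in mind: resolving a name in the check and again when dialing leaves a DNS-rebinding window. To close it, pin the connection to the addresses that passed the check (a custom Dialer in the Transport) rather than letting the client resolve a second time.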
-
CVE-2026-32846
HIGH
CVSS 8.7
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files including system configurations, environment files, and SSH private keys by bypassing media parsing validation functions. The vulnerability stems from incomplete path validation in isLikelyLocalPath() and isValidMedia() functions, with an allowBareFilename bypass permitting sandbox escape. Vendor-released patch available in commit 4797bbc (CVSS 8.7, no public exploit identified at time of analysis).
Path Traversal
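The containment check that the bypass above gets around, as an added example that is not OpenClaw's code: a Go helper that joins an untrusted path onto a media root and then verifies the cleaned result is still beneath the root. Root path, inputs and function names are constructed for the example; the point is that checks on the input string (for a bare filename, for a ".." substring) are not containment checks, and the decision has to be made on the resolved path.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errEscape = errors.New("path escapes media root")

// resolveMediaPath joins an untrusted, possibly relative path onto the media
// root and then verifies the CLEANED result is still under the root.
func resolveMediaPath(root, untrusted string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(untrusted) {
		// Join would quietly re-root an absolute path; refuse it outright.
		return "", fmt.Errorf("%w: %q", errEscape, untrusted)
	}
	// Join cleans "." and ".." segments, so "a/../../etc/passwd" collapses to
	// "<parent-of-root>/etc/passwd" here instead of hiding inside a string.
	joined := filepath.Join(absRoot, untrusted)
	rel, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", errEscape, untrusted)
	}
	return joined, nil
}

func main() {
	for _, p := range []string{"photos/cat.png", "photos/../dog.png", "../../etc/passwd", "..", "/etc/passwd"} {
		got, err := resolveMediaPath("/srv/media", p)
		fmt.Printf("%-18q -> %q %v\n", p, got, err)
	}
}
```

This check reasons about lexical paths only. If the media root can contain symlinks, resolve the joined path with filepath.EvalSymlinks (it must exist) and run the same Rel-based test on the result, or open the root once and use a root-relative open (os.Root in recent Go) so the kernel enforces containment.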
-
CVE-2026-32748
HIGH
CVSS 8.7
Squid proxy versions prior to 7.5 contain use-after-free and premature resource release bugs in ICP (Internet Cache Protocol) traffic handling that enable reliable, repeatable denial of service. Remote attackers can crash the Squid service by sending specially crafted ICP packets to deployments that have explicitly enabled ICP via a non-zero icp_port setting; installations that leave ICP disabled are not exposed. No EPSS value is published yet, but the vulnerability is confirmed by vendor advisory and has a public patch commit, indicating moderate to high real-world risk for affected deployments.
Denial Of Service
Ubuntu
Debian
Redhat
Suse
-
CVE-2026-32680
HIGH
CVSS 8.5
RATOC RAID Monitoring Manager for Windows contains an insecure directory permissions vulnerability when the installation folder is customized to a non-default location. The installer fails to properly set access control lists (ACLs) on custom installation directories, allowing non-administrative users to modify folder contents and execute arbitrary code with SYSTEM privileges. With a CVSS 4.0 score of 8.5, this represents a high-severity local privilege escalation vulnerability affecting Windows systems where this RAID management software is installed.
Microsoft
RCE
Privilege Escalation
Windows
-
CVE-2026-32287
HIGH
CVSS 7.5
The antchfx/xpath Go library prior to version 1.3.6 contains a denial-of-service vulnerability in the logicalQuery.Select function where Boolean XPath expressions that evaluate to true (such as '1=1' or 'true()') trigger an infinite loop, consuming 100% CPU resources. Remote attackers can exploit this via top-level XPath selectors without authentication, potentially disrupting any application that uses this library to process untrusted XPath queries. Upstream fix is available in commit afd4762cc342af56345a3fb4002a59281fcab494, with no public exploit code identified at time of analysis.
Denial Of Service
-
CVE-2026-32286
HIGH
CVSS 7.5
DataRow.Decode in github.com/jackc/pgproto3/v2 fails to validate field length parameters, allowing a malicious or compromised PostgreSQL server to send a DataRow message with a negative field length that triggers a slice bounds out of range panic in Go applications using this library. Affected applications experience denial of service through unexpected termination when connecting to an untrusted or compromised database server. No public exploit code or active exploitation has been confirmed; however, the attack requires only network access to a PostgreSQL endpoint that the vulnerable application connects to.
PostgreSQL
Denial Of Service
-
CVE-2026-32285
HIGH
CVSS 7.5
The jsonparser library for Go fails to validate slice offsets when processing malformed JSON, enabling remote denial of service through crafted input that triggers negative array indices and runtime panics. The GitHub buger/jsonparser project across all versions is affected. Attackers can send specially crafted JSON payloads to applications using vulnerable versions, causing immediate service termination without requiring authentication or user interaction.
Denial Of Service
-
CVE-2026-32284
HIGH
CVSS 7.5
The shamaton/msgpack library (v1, v2, and v3) fails to validate input buffer boundaries when decoding msgpack fixext data (format codes 0xd4-0xd8); a truncated fixext value triggers an out-of-bounds read and a runtime panic, enabling denial of service. Remote attackers can craft malformed msgpack payloads to crash applications using affected library versions without authentication or user interaction.
Buffer Overflow
Denial Of Service
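The three Go decoder entries above (pgproto3 DataRow, jsonparser, shamaton/msgpack) are one bug class: a length taken from the wire is used to slice the buffer before anyone checks that the buffer is that long. As an added example that is not any of those libraries' code, here is a msgpack fixext decoder written both ways: the unchecked version panics on truncated input exactly as the entry describes, the checked version returns an error. Only the fixext family is implemented; the type, function names and sample bytes are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Ext is a decoded msgpack ext value: an application-defined type tag and
// its payload.
type Ext struct {
	Type int8
	Data []byte
}

// fixextSize maps the fixext family codes to their fixed payload sizes per
// the msgpack spec: 0xd4=1, 0xd5=2, 0xd6=4, 0xd7=8, 0xd8=16 bytes.
func fixextSize(code byte) (int, bool) {
	switch code {
	case 0xd4:
		return 1, true
	case 0xd5:
		return 2, true
	case 0xd6:
		return 4, true
	case 0xd7:
		return 8, true
	case 0xd8:
		return 16, true
	}
	return 0, false
}

// decodeFixextUnchecked trusts the format code and slices the payload without
// looking at len(buf). On truncated input the slice expression panics with
// "slice bounds out of range", which is the crash this bug class produces
// when nothing recovers it.
func decodeFixextUnchecked(buf []byte) (Ext, int) {
	n, _ := fixextSize(buf[0])
	return Ext{Type: int8(buf[1]), Data: buf[2 : 2+n]}, 2 + n
}

var errTruncated = errors.New("msgpack: truncated fixext")

// decodeFixext checks that the header (code + type byte) and the full fixed
// payload are present before slicing, and copies the payload out so the
// caller cannot alias the input buffer.
func decodeFixext(buf []byte) (Ext, int, error) {
	if len(buf) < 2 {
		return Ext{}, 0, errTruncated
	}
	n, ok := fixextSize(buf[0])
	if !ok {
		return Ext{}, 0, fmt.Errorf("msgpack: 0x%02x is not a fixext code", buf[0])
	}
	if len(buf) < 2+n {
		return Ext{}, 0, fmt.Errorf("%w: need %d bytes, have %d", errTruncated, 2+n, len(buf))
	}
	data := make([]byte, n)
	copy(data, buf[2:2+n])
	return Ext{Type: int8(buf[1]), Data: data}, 2 + n, nil
}

// tryUnchecked runs the unchecked decoder and reports whether it panicked,
// so the two behaviours can be compared side by side.
func tryUnchecked(buf []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	decodeFixextUnchecked(buf)
	return false
}

func main() {
	// Constructed inputs: a well-formed fixext 4 (type 1, payload deadbeef)
	// and the same message cut off after two payload bytes. The full slice
	// expression pins cap == len; otherwise buf[2:6] would still succeed
	// against the spare capacity and hide the bug.
	good := []byte{0xd6, 0x01, 0xde, 0xad, 0xbe, 0xef}
	truncated := good[:4:4]
	fmt.Println("unchecked panics on truncated input:", tryUnchecked(truncated))
	_, _, err := decodeFixext(truncated)
	fmt.Println("checked returns:", err)
}
```

The same discipline applies to the DataRow case, where the field length is a signed 32-bit value: -1 is the legitimate NULL marker and must be accepted, any other negative value or a length beyond the remaining bytes must be rejected before slicing.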
-
CVE-2026-30463
HIGH
CVSS 7.7
SQL injection in Daylight Studio FuelCMS v1.5.2 Login.php component allows remote attackers to execute arbitrary SQL queries against the application database. The vulnerability affects the authentication mechanism, potentially enabling account enumeration, credential bypass, or unauthorized data extraction. No public exploit code or active exploitation has been confirmed at this time, though the specific attack vector suggests direct manipulation of login form parameters.
PHP
SQLi
-
CVE-2026-28760
HIGH
CVSS 8.4
RATOC RAID Monitoring Manager for Windows contains a DLL hijacking vulnerability in its installer that loads DLLs from the current directory without proper path validation. If an attacker can place a malicious DLL in the directory where a user runs the installer, arbitrary code can be executed with administrator privileges. The vulnerability has a CVSS score of 8.4 with local attack vector requiring user interaction, and has been publicly disclosed through JPCERT coordination with vendor advisory available.
Microsoft
RCE
Windows
-
CVE-2026-28377
HIGH
CVSS 7.5
Grafana Tempo leaks S3 SSE-C encryption keys in plaintext through its /status/config endpoint, enabling unauthenticated remote attackers to retrieve encryption keys protecting trace data stored in AWS S3. The CVSS score of 7.5 reflects high confidentiality impact with network-accessible attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, though the attack path is straightforward given the information disclosure nature of the vulnerability.
Grafana
Information Disclosure
Redhat
-
CVE-2026-27664
HIGH
CVSS 8.7
Out-of-bounds write vulnerabilities in Siemens CPCI85 Central Processing/Communication and SICORE Base system (versions below V26.10) allow unauthenticated remote attackers to crash critical industrial control system services through maliciously crafted XML requests, resulting in denial-of-service conditions. CISA's SSVC framework marks this as automatable with partial technical impact, though no public exploit has been identified at time of analysis. The CVSS 4.0 score of 8.7 reflects high availability impact (VA:H) with network accessibility requiring no authentication (PR:N).
Buffer Overflow
Memory Corruption
-
CVE-2026-27663
HIGH
CVSS 7.1
Remote denial-of-service in Siemens CPCI85 Central Processing/Communication and RTUM85 RTU Base (versions below V26.10) allows adjacent network attackers to exhaust system resources via high-volume requests, forcing device reset or reboot to restore parameterization functionality. No public exploit identified at time of analysis. CVSS 7.1 (High) with adjacent network access vector and no privileges required indicates moderate real-world risk for industrial environments where these RTU and control processing devices operate.
Denial Of Service
-
CVE-2026-26213
HIGH
CVSS 8.7
Unauthenticated remote code execution as root is possible in thingino-firmware through the WiFi captive portal CGI script due to command injection in query and POST parameter parsing. Attackers on the adjacent network (AV:A) can inject arbitrary commands through unsanitized HTTP parameter names, enabling full device takeover including root password reset and SSH key manipulation for persistent access. No public exploit is identified at time of analysis, though VulnCheck has published an advisory detailing the vulnerability mechanics.
RCE
Command Injection
-
CVE-2026-26074
HIGH
CVSS 7.0
Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to corrupt critical data structures when CSMS GetLog or UpdateFirmware requests coincide with EVSE fault events, potentially causing information disclosure, data integrity issues, and high availability impact. The vulnerability affects all versions prior to 2026.02.0, for which a vendor patch is available. SSVC analysis indicates no current exploitation, non-automatable attack surface, and partial technical impact. EPSS data not provided; no public exploit identified at time of analysis.
Race Condition
Information Disclosure
-
CVE-2026-26008
HIGH
CVSS 7.5
Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unauthenticated attackers to crash the charging station software or corrupt memory by sending crafted UpdateAllowedEnergyTransferModes messages from a Charging Station Management System (CSMS). CVSS 7.5 severity reflects network-accessible denial of service with high availability impact. SSVC assessment indicates no current exploitation and non-automatable attack; no public exploit identified at time of analysis.
Buffer Overflow
Denial Of Service
-
CVE-2026-24068
HIGH
CVSS 8.8
Vienna Assistant 1.2.542 on macOS allows local privilege escalation through an unauthenticated XPC service endpoint that accepts connections from any process. The vulnerable VSL privileged helper service exposes functions to write arbitrary files to any location and execute arbitrary binaries with any arguments, enabling a low-privileged local user to gain root access. A proof-of-concept exploit exists per SSVC assessment, with an EPSS score of 0.02% indicating low observed exploitation probability in the wild.
Privilege Escalation
Authentication Bypass
-
CVE-2026-23995
HIGH
CVSS 8.4
Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary code via overly long CAN interface names during initialization. The vulnerability (CWE-121) affects everest-core versions prior to 2026.02.0 with CVSS 8.4 (High severity). Proof-of-concept exploit code exists according to SSVC assessment, and the flaw triggers before privilege checks, enabling attack with no user privileges required. The vulnerability is tracked as EUVD-2026-16199 by ENISA.
Buffer Overflow
RCE
Stack Overflow
-
CVE-2026-22790
HIGH
CVSS 8.8
Remote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attackers to execute arbitrary code by sending malformed SLAC protocol frames. EVerest-core versions prior to 2026.02.0 are affected due to a stack buffer overflow in HomeplugMessage::setup_payload that trusts an attacker-controlled length parameter in release builds. SSVC analysis indicates proof-of-concept exploit code exists, though the vulnerability is not automatable and requires adjacent network access (CVSS 8.8, AV:A).
RCE
Buffer Overflow
Stack Overflow
-
CVE-2026-22593
HIGH
CVSS 8.4
Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certificate filenames of exactly 100 characters due to off-by-one boundary check error in IsoMux component. EVerest-core versions prior to 2026.02.0 are affected (CPE cpe:2.3:a:everest:everest-core). The vulnerability has a CVSS score of 8.4 with local attack vector and no privilege requirements (AV:L/PR:N), allowing unauthenticated local attackers to achieve code execution. No public exploit identified at time of analysis, though technical details are available in GitHub security advisory GHSA-cpqf-mcqc-783m.
Buffer Overflow
RCE
-
CVE-2026-4933
HIGH
CVSS 7.5
Unpublished Node Permissions module for Drupal versions prior to 1.7.0 contains an incorrect authorization vulnerability (CWE-863) that permits forceful browsing of unpublished nodes by bypassing access controls. Attackers can view content that should be restricted to specific user roles by directly accessing node URLs, circumventing the module's permission enforcement logic. No public exploit code or active exploitation has been identified at the time of analysis.
Authentication Bypass
-
CVE-2026-4926
HIGH
CVSS 7.5
The path-to-regexp library versions 8.0.0 through 8.3.0 suffer from catastrophic regular expression denial of service via exponential regex generation when route patterns contain multiple sequential optional groups in curly-brace syntax. Remote unauthenticated attackers can trigger resource exhaustion by submitting crafted route patterns, causing application-level denial of service with CVSS 7.5 (High severity). No public exploit identified at time of analysis, and the vendor has released version 8.4.0 to address the issue.
Denial Of Service
-
CVE-2026-4905
HIGH
CVSS 7.4
Remote authenticated attackers can execute arbitrary code on Tenda AC5 routers (firmware version 15.03.06.47) by exploiting a stack-based buffer overflow in the WPS configuration handler. The vulnerability resides in the formWifiWpsOOB function handling POST requests to /goform/WifiWpsOOB, where insufficient validation of the 'index' parameter allows memory corruption. Public exploit code exists (EPSS data not provided), enabling attackers with low-privilege access to achieve complete device compromise with high impact on confidentiality, integrity, and availability.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-4904
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda AC5 router firmware version 15.03.06.47 enables remote authenticated attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the formSetCfm function's handling of the funcpara1 parameter in POST requests to /goform/setcfm. A publicly available exploit exists with proof-of-concept code disclosed through VulDB and documented in detailed technical write-ups, significantly lowering the barrier to exploitation for threat actors targeting vulnerable devices.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-4903
HIGH
CVSS 7.4
Remote attackers with low-level credentials can execute arbitrary code on Tenda AC5 wireless routers running firmware version 15.03.06.47 by exploiting a stack-based buffer overflow in the formQuickIndex function via a crafted PPPOEPassword parameter in POST requests to /goform/QuickIndex. Publicly available exploit code exists, including detailed proof-of-concept documentation published on Notion, elevating immediate risk for devices exposed to authenticated network users. The vector reflects high impact across confidentiality, integrity, and availability with a network-based attack vector and low complexity.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-4902
HIGH
CVSS 7.4
Remote attackers with low-level authentication can achieve full system compromise on Tenda AC5 routers running firmware version 15.03.06.47 by exploiting a stack-based buffer overflow in the addressNat POST request handler. The fromAddressNat function fails to validate the 'page' parameter, enabling memory corruption with high confidentiality, integrity, and availability impact. Publicly available exploit code exists, significantly lowering the barrier to exploitation.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-4867
HIGH
CVSS 7.5
Catastrophic backtracking in path-to-regexp versions prior to 0.1.13 enables remote denial of service attacks through specially crafted URLs containing three or more parameters within a single route segment separated by non-period characters. The vulnerability stems from insufficient backtrack protection in regex generation for routes like /:a-:b-:c, allowing unauthenticated attackers to trigger exponential computation times. SSVC framework confirms the vulnerability is automatable with partial technical impact, though no public exploit is identified at time of analysis.
Denial Of Service
-
CVE-2026-4862
HIGH
CVSS 7.4
Buffer overflow in UTT HiPER 1250GW firmware versions up to 3.2.7-210907-180535 allows authenticated remote attackers to achieve code execution through a malformed GroupName parameter in the DNS filter configuration handler. Public exploit code exists for this vulnerability and no patch is currently available. Affected organizations should restrict network access to administrative interfaces until remediation is possible.
Buffer Overflow
-
CVE-2026-4861
HIGH
CVSS 7.4
Remote authenticated attackers can exploit a stack-based buffer overflow in the /cgi-bin/nas.cgi endpoint of the Wavlink WL-NU516U1 by manipulating the Content-Length parameter to achieve remote code execution. Public exploit code is available, and no patch has been released despite vendor notification. Because authentication is required to trigger the flaw, exposure is limited to authenticated users or attackers who have obtained credentials and network access to the device.
Buffer Overflow
Stack Overflow
-
CVE-2026-4840
HIGH
CVSS 7.4
A critical OS command injection vulnerability exists in the Diagnostic Tool Interface of Netcore Power 15AX routers up to firmware version 3.0.0.6938. An authenticated attacker with low-level privileges can remotely execute arbitrary operating system commands by manipulating the IpAddr parameter in the setTools function of /bin/netis.cgi. A public proof-of-concept exploit has been released on GitHub, significantly increasing the risk of active exploitation, though the vendor has not responded to disclosure attempts.
Command Injection
-
CVE-2026-4747
HIGH
CVSS 8.8
Remote code execution in the RPCSEC_GSS implementation shipped with FreeBSD (the kgssapi.ko kernel module and the userspace librpcsec_gss library) results from a stack buffer overflow in packet signature validation that fails to bounds-check copied data. An unauthenticated remote attacker can send specially crafted packets to trigger kernel-level code execution on systems with kgssapi.ko loaded, or userspace code execution in applications running an RPC server linked against librpcsec_gss. No patch is currently available for this high-severity vulnerability.
Buffer Overflow
RCE
Stack Overflow
-
CVE-2026-4652
HIGH
CVSS 7.5
NVMe/TCP targets are vulnerable to unauthenticated denial of service: a remote attacker who sends a CONNECT command with an invalid CNTLID triggers a null pointer dereference and a kernel panic on the target host. Any attacker with network reach to the NVMe/TCP port can crash the target without authentication. No patch is currently available for this high-severity flaw.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-4484
HIGH
CVSS 8.8
The Masteriyo LMS plugin for WordPress contains a privilege escalation vulnerability that allows authenticated users with Student-level access or higher to elevate their privileges to administrator. All versions up to and including 2.1.6 are affected. The vulnerability is exploitable over the network with low attack complexity and requires no user interaction. Note that the published CVSS vector indicates no privileges required (PR:N), which conflicts with the description's Student-level access requirement; treat the flaw as reachable by any registered user at minimum.
WordPress
Privilege Escalation
Authentication Bypass
-
CVE-2026-4329
HIGH
CVSS 7.2
The Blackhole for Bad Bots plugin for WordPress contains a Stored Cross-Site Scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the User-Agent HTTP header. All versions up to and including 3.8 are affected. The vulnerability stems from insufficient output escaping when displaying bot data in the admin interface, enabling arbitrary JavaScript execution when administrators view the Bad Bots log page.
WordPress
XSS
-
CVE-2026-4247
HIGH
CVSS 7.5
This vulnerability is a memory leak in FreeBSD's TCP stack where the tcp_respond() function fails to properly free allocated memory buffers (mbufs) when challenge ACKs are not sent in response to crafted packets. FreeBSD systems of all versions are affected. An attacker with network access (either on-path with an established connection or able to establish one, or via spoofed packets) can trigger this leak repeatedly by sending specially crafted packets that exceed rate limits, causing heap exhaustion and potential denial of service through resource depletion.
Denial Of Service
-
CVE-2026-3622
HIGH
CVSS 7.1
An out-of-bounds read vulnerability in the UPnP service of TP-Link TL-WR841N v14 routers enables adjacent network attackers to crash the UPnP daemon without authentication, resulting in denial of service. Affected devices include firmware versions prior to EN_0.9.1 4.19 Build 260303 and US_0.9.1.4.19 Build 260312. Vendor patches are available. No public exploit identified at time of analysis, with CVSS:4.0 scoring 7.1 (High) reflecting adjacent network access requirements and high availability impact.
Buffer Overflow
Information Disclosure
-
CVE-2026-3573
HIGH
CVSS 7.5
Drupal AI module versions 0.0.0 before 1.1.11 and 1.2.0 before 1.2.12 contain an incorrect authorization vulnerability (CWE-863) that enables resource injection attacks. The flaw allows attackers to bypass authorization controls and inject malicious resources, potentially gaining unauthorized access to AI-driven functionality or data within affected Drupal installations. No public exploit code or active exploitation has been confirmed at the time of this analysis.
Authentication Bypass
-
CVE-2026-3328
HIGH
CVSS 7.2
The Frontend Admin by DynamiApps plugin for WordPress contains a PHP Object Injection vulnerability affecting all versions up to and including 3.28.31. Authenticated attackers with Editor-level privileges or higher can exploit unsafe deserialization of the 'post_content' field in admin_form posts to inject malicious PHP objects and achieve remote code execution through available POP chains. This represents a critical risk for WordPress sites using this plugin with elevated user accounts.
WordPress
PHP
RCE
Deserialization
-
CVE-2026-3108
HIGH
CVSS 8.0
Mattermost's mmctl command-line administration tool fails to sanitize ANSI and OSC escape sequences embedded in user-generated post content, enabling authenticated low-privilege attackers to inject malicious terminal control codes when administrators export or query messages. Exploitation allows screen manipulation, fake prompt injection, and clipboard hijacking against administrators running mmctl commands, potentially leading to secondary code execution if administrators are tricked into running injected commands. CISA SSVC framework indicates no current exploitation, non-automatable attack requiring high complexity and user interaction, but with total technical impact potential.
Information Disclosure
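The sanitization mmctl lacked, as an added example that is not Mattermost's code: a Go function that strips CSI, OSC and other ESC-prefixed sequences, plus bare control bytes, from untrusted text before it is written to a terminal. The function name and the sample post body are constructed for the example; the sequence grammar (CSI parameter and final byte ranges, OSC terminated by BEL or ESC \) follows ECMA-48.

```go
package main

import (
	"fmt"
	"strings"
)

// sanitizeTerminal removes the escape sequences an attacker can plant in
// user-generated text that an operator will later print to a terminal:
//   ESC [ ... final       CSI: cursor moves, colours, clear screen
//   ESC ] ... BEL / ESC \ OSC: window title, OSC 8 hyperlinks, OSC 52 clipboard
//   ESC x                 other two-byte escapes (ESC c = full reset)
// along with bare C0 controls other than newline and tab (CR and BS are
// the usual tools for overwriting a line to forge a prompt).
// 8-bit C1 controls (0x9b CSI, 0x9d OSC) are deliberately left alone:
// those byte values are also UTF-8 continuation bytes.
func sanitizeTerminal(s string) string {
	var b strings.Builder
	b.Grow(len(s))
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == 0x1b && i+1 < len(s) && s[i+1] == '[':
			// CSI: parameter/intermediate bytes 0x20-0x3f, final byte 0x40-0x7e
			j := i + 2
			for j < len(s) && s[j] >= 0x20 && s[j] <= 0x3f {
				j++
			}
			if j < len(s) && s[j] >= 0x40 && s[j] <= 0x7e {
				j++
			}
			i = j - 1
		case c == 0x1b && i+1 < len(s) && s[i+1] == ']':
			// OSC: consume up to and including BEL or ST (ESC \). An
			// unterminated OSC swallows the rest of the string, which is
			// safer than emitting it.
			j := i + 2
			for j < len(s) {
				if s[j] == 0x07 {
					j++
					break
				}
				if s[j] == 0x1b && j+1 < len(s) && s[j+1] == '\\' {
					j += 2
					break
				}
				j++
			}
			i = j - 1
		case c == 0x1b:
			if i+1 < len(s) {
				i++ // drop ESC and its single following byte
			}
		case c == 0x7f, c < 0x20 && c != '\n' && c != '\t':
			// bare control byte: dropped
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// hasTerminalControls is the detection counterpart: true if sanitizing
// would change anything, useful for flagging a post instead of rewriting it.
func hasTerminalControls(s string) bool {
	return sanitizeTerminal(s) != s
}

func main() {
	// Constructed post body: clears the screen, forges a prompt, then loads
	// the clipboard via OSC 52.
	hostile := "\x1b[2J\x1b[H$ \x1b]52;c;Y3VybCBldmlsIHwgc2g=\x07"
	fmt.Printf("%q -> %q\n", hostile, sanitizeTerminal(hostile))
}
```

Run the sanitizer at the output boundary (the CLI), not at storage: the same text is harmless in a browser, and the export path is where the terminal interprets it.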
-
CVE-2026-2931
HIGH
CVSS 8.8
The Amelia Booking plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in versions up to and including 9.1.2 that allows authenticated attackers with customer-level permissions to bypass authorization controls and modify user passwords, including administrator accounts, potentially leading to complete site takeover. This vulnerability affects the pro version of the plugin available on CodeCanyon and carries a CVSS score of 8.8 (HIGH). No evidence of active exploitation (KEV) or public proof-of-concept is currently documented, but the vulnerability has been publicly disclosed by Wordfence.
WordPress
Privilege Escalation
-
CVE-2026-2511
HIGH
CVSS 7.5
Unauthenticated SQL injection in JS Help Desk WordPress plugin versions up to 3.0.4 allows remote attackers to extract sensitive database information via the multiformid parameter in the storeTickets() function. The flaw stems from improper use of esc_sql() on a value that is not wrapped in SQL quotes, so additional SQL can be injected without any quote characters. CVSS scored 7.5 (High) with no public exploit identified at time of analysis; SSVC assessment indicates automatable exploitation with partial technical impact.
WordPress
SQLi
-
CVE-2026-2231
HIGH
CVSS 7.2
Unauthenticated attackers can inject malicious scripts into Fluent Booking plugin for WordPress versions up to 2.0.01, enabling Stored Cross-Site Scripting attacks that execute in victim browsers whenever injected pages are accessed. The vulnerability stems from insufficient input sanitization across multiple parameters in LocationService.php, Booking.php, and FrontEndHandler.php. With a CVSS score of 7.2 and network-based attack vector requiring no privileges, this represents a significant threat to WordPress sites using the affected booking plugin. No public exploit identified at time of analysis, and SSVC framework indicates no current exploitation with non-automatable attack profile.
WordPress
XSS
-
CVE-2026-1961
HIGH
CVSS 8.0
Remote code execution is achievable in Red Hat Foreman and Satellite 6 via command injection in the WebSocket proxy implementation when users access VM VNC console functionality. An attacker controlling a malicious compute resource server can inject unsanitized hostname values into shell commands, compromising the Foreman server and potentially the entire managed infrastructure. A proof-of-concept exploit exists according to SSVC data, elevating real-world risk despite requiring low-privileged authentication and user interaction.
Command Injection
RCE
Redhat
-
CVE-2025-55263
HIGH
CVSS 7.3
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user interaction to extract sensitive secrets from source code or insecure repositories, resulting in high confidentiality compromise and complete denial of service. CVSS score 7.3 reflects network-accessible attack requiring low privileges and user interaction. No public exploit identified at time of analysis, with SSVC framework indicating no current exploitation and non-automatable attack characteristics.
Information Disclosure
Aftermarket Dpc
-
CVE-2025-55262
HIGH
CVSS 8.3
SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive database contents and potentially compromise data integrity and availability. The vulnerability carries a CVSS score of 8.3 with network-based attack vector requiring user interaction. No public exploit is identified at time of analysis, and SSVC assessment indicates no current exploitation with non-automatable attack characteristics.
SQLi
Aftermarket Dpc
-
CVE-2025-55261
HIGH
CVSS 8.1
Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that can compromise application integrity and confidentiality. Unauthenticated attackers can leverage this access control flaw to manipulate and exfiltrate data with user interaction required (CVSS 8.1, AV:N/AC:L/PR:N/UI:R). No public exploit has been identified at time of analysis, with CISA SSVC rating the technical impact as partial and exploitation status as none.
Privilege Escalation
Aftermarket Dpc
-
CVE-2025-41368
HIGH
CVSS 8.7
Small HTTP Server 3.06.36 contains an unquoted service path vulnerability (CWE-428) allowing local authenticated attackers to execute arbitrary code with elevated privileges by placing malicious executables in higher-priority directories. Despite a CVSS 4.0 score of 8.7, real-world risk is significantly lower with only 0.02% EPSS probability (4th percentile) and no public exploit identified at time of analysis. INCIBE has reported this vulnerability with patches available from the vendor.
RCE
Privilege Escalation
-
CVE-2025-41359
HIGH
CVSS 8.5
Small HTTP Server 3.06.36 allows local attackers with low privileges to execute arbitrary code through an unquoted service path vulnerability in the http.exe service executable. By placing a malicious executable in a higher-priority directory along the unquoted path 'C:\Program Files (x86)\shttps_mg\http.exe service', attackers can achieve full system compromise with high confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, and CISA SSVC framework indicates no current exploitation, though technical impact is rated as total.
RCE
Privilege Escalation
-
CVE-2025-15101
HIGH
CVSS 8.5
A Cross-Site Request Forgery (CSRF) vulnerability in the web management interface of multiple ASUS router models allows an unauthenticated attacker to perform actions with the privileges of a logged-in administrator, potentially including arbitrary system command execution, by luring that administrator to an attacker-controlled page. The vulnerability affects ASUS router products across multiple versions due to insufficient CSRF token validation in the web interface. No EPSS data is currently available, but the ability to execute system commands on a network-critical device warrants treating this as a critical threat.
CSRF
-
CVE-2025-12805
HIGH
CVSS 8.1
Red Hat OpenShift AI llama-stack-operator permits unauthorized cross-namespace access to Llama Stack service endpoints due to missing NetworkPolicy enforcement, enabling authenticated users in one namespace to view or modify sensitive data in another user's Llama Stack instances. CVSS 8.1 (High) reflects high confidentiality and integrity impact with low-privilege authenticated network access. No public exploit identified at time of analysis, though the authentication bypass weakness (CWE-653) is architecturally straightforward to leverage once cluster access is obtained.
Redhat
Authentication Bypass
Information Disclosure
-
CVE-2026-34071
MEDIUM
CVSS 5.4
Stirling-PDF version 2.7.3 fails to sanitize HTML content from email bodies in the /api/v1/convert/eml/pdf endpoint when the downloadHtml=true parameter is set, allowing unauthenticated remote attackers to inject and execute arbitrary JavaScript code. An attacker can craft a malicious email that, when processed by a Stirling-PDF user through the 'Download HTML intermediate file' feature, executes JavaScript in the user's browser context with access to local data and session tokens. Proof-of-concept code has been demonstrated, and the vendor released version 2.8.0 to address the vulnerability.
XSS
-
CVE-2026-34051
MEDIUM
CVSS 5.4
OpenEMR versions prior to 8.0.0.3 contain an improper access control vulnerability in the Import/Export functionality that allows authenticated users to bypass UI restrictions and perform unauthorized import and export operations through direct request manipulation. An attacker with valid credentials can extract bulk patient data, access sensitive health records, or modify system data despite not having explicit permissions for these actions. The vulnerability requires valid authentication (PR:L in CVSS) but enables significant data exfiltration and integrity violations once access is obtained.
Authentication Bypass
-
CVE-2026-33934
MEDIUM
CVSS 4.3
OpenEMR contains a missing authorization check in the signature retrieval endpoint (portal/sign/lib/show-signature.php) that allows any authenticated patient portal user to access the drawn signature images of arbitrary staff members by manipulating the POST parameter. Versions prior to 8.0.0.3 are affected, and while the companion write endpoint was previously hardened against this issue, the read endpoint was left vulnerable. This is a low-severity information disclosure vulnerability (CVSS 4.3) with limited real-world exploitability due to the requirement for prior authentication and the relatively low sensitivity of signature images compared to full medical records.
PHP
Authentication Bypass
-
CVE-2026-33933
MEDIUM
CVSS 6.1
A reflected cross-site scripting (XSS) vulnerability exists in the custom template editor of OpenEMR, a widely deployed open-source electronic health records system. Attackers can craft malicious URLs that, when clicked by authenticated staff members, execute arbitrary JavaScript within their browser sessions and gain access to sensitive medical data and system functions; notably, the attacker does not require an OpenEMR account themselves. The vulnerability affects OpenEMR versions 7.0.2.1 through 8.0.0.2. While there is no evidence of active exploitation in the wild or public proof-of-concept code, the moderate CVSS score of 6.1, combined with the user-interaction requirement and the sensitive nature of healthcare data, makes this a meaningful priority for healthcare organizations.
XSS
-
CVE-2026-33916
MEDIUM
CVSS 4.7
Handlebars template engine fails to guard prototype-chain access when resolving partial templates, allowing unauthenticated remote attackers to inject unescaped HTML and JavaScript through prototype pollution. When Object.prototype is polluted with a string value matching a partial name referenced in a template, the malicious string is rendered without HTML escaping, resulting in reflected or stored XSS. Exploitation requires a separate prototype pollution vulnerability in the target application (such as via qs or minimist libraries) combined with knowledge of partial names used in templates; publicly available proof-of-concept code demonstrates the attack. The vulnerability affects npm package handlebars (pkg:npm/handlebars) across multiple versions and is distinct from earlier prototype-access issues CVE-2021-23369 and CVE-2021-23383.
XSS
-
CVE-2026-33907
MEDIUM
CVSS 6.5
Ella Core crashes when processing NAS Authentication Response and Authentication Failure messages with missing Information Elements, enabling unauthenticated attackers on the adjacent network to trigger denial of service affecting all connected subscribers. The vulnerability stems from a null pointer dereference in message handling logic (CWE-476) and carries a CVSS 6.5 score reflecting high availability impact with low attack complexity. Vendor-released patch available via GitHub release v1.7.0.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-33904
MEDIUM
CVSS 6.5
Ella Core's AMF control plane deadlocks in the SCTP notification handler when processing malformed or stale radio entries, allowing unauthenticated attackers with N2 interface access to hang the entire Access and Mobility Function until manual process restart, completely denying service to all subscribers. The vulnerability (CVSS 6.5, CWE-833 deadlock) stems from improper synchronization in radio cleanup logic combined with stale-entry scanning, and patches are available in version 1.7.0 and later.
Denial Of Service
-
CVE-2026-33903
MEDIUM
CVSS 6.5
Ella Core suffers from a null pointer dereference vulnerability in its NGAP LocationReport message handler that causes the process to panic and crash, enabling unauthenticated network-adjacent attackers to trigger denial of service affecting all connected mobile subscribers. The vulnerability (CVE-2026-33903, CVSS 6.5) stems from missing input validation guards and has a vendor-released patch available in version 1.7.0; no public exploit code or active exploitation has been identified at time of analysis.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-33887
MEDIUM
CVSS 5.4
Statamic CMS versions prior to 5.73.16 and 6.7.2 fail to enforce collection-level permissions on entry revision endpoints, allowing authenticated control panel users to view revisions and field data across any collection with revisions enabled regardless of their assigned permissions. The vulnerability also permits unauthenticated revision creation that snapshots existing content without modifying published entries. This represents a medium-severity authorization bypass affecting authenticated attackers with control panel access, with no public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-33886
MEDIUM
CVSS 6.5
Statamic CMS versions prior to 5.73.16 and 6.7.2 allow authenticated control panel users with access to Antlers-enabled fields to read sensitive application configuration values through template variable injection, exposing secrets such as API keys and database credentials. The vulnerability requires low-privilege authenticated access and network connectivity to the control panel, with a CVSS score of 6.5 reflecting moderate real-world risk. No public exploit code or active exploitation has been identified at the time of analysis.
Information Disclosure
-
CVE-2026-33885
MEDIUM
CVSS 6.1
Statamic CMS versions prior to 5.73.16 and 6.7.2 contain an open redirect vulnerability in external URL detection logic that protects unauthenticated endpoints. Unauthenticated remote attackers can exploit insufficient redirect validation to bypass security controls and redirect users to attacker-controlled external URLs following form submissions or authentication workflows, potentially facilitating phishing, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at time of analysis.
Open Redirect
-
CVE-2026-33884
MEDIUM
CVSS 4.3
Statamic CMS versions prior to 5.73.16 and 6.7.2 allow authenticated Control Panel users with live preview access to abuse live preview tokens to access restricted content beyond the token's intended scope. This is an authenticated privilege escalation affecting the Statamic CMS product (pkg:composer/statamic_cms) with a CVSS score of 4.3 and low complexity; no public exploit code or active exploitation has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-33883
MEDIUM
CVSS 6.1
The user:reset_password_form template tag in Statamic CMS fails to escape user-supplied input before rendering it into HTML, enabling reflected cross-site scripting (XSS) attacks via crafted URLs. An unauthenticated remote attacker can exploit this by tricking a victim into clicking a malicious link, causing arbitrary JavaScript execution in the victim's browser with access to session tokens and sensitive page content. Vendor-released patches are available in versions 5.73.16 and 6.7.2.
XSS
-
CVE-2026-33882
MEDIUM
CVSS 6.5
Statamic CMS versions prior to 5.73.16 and 6.7.2 allow authenticated control panel users to extract sensitive user data including email addresses, encrypted passkey credentials, and encrypted two-factor authentication codes through manipulation of the markdown preview endpoint. The vulnerability stems from insufficient input validation (CWE-20) that permits attackers to retrieve data from arbitrary fieldtypes beyond the intended scope. With a CVSS score of 6.5 reflecting low attack complexity and high confidentiality impact, the threat is moderate but requires valid control panel authentication to exploit.
RCE
-
CVE-2026-33766
MEDIUM
CVSS 5.3
PHP applications using the affected functions fail to re-validate redirect targets during HTTP requests, allowing attackers to bypass SSRF protections by chaining a legitimate public URL with a redirect to internal resources. An attacker can exploit this weakness in endpoints that fetch remote content after initial URL validation, potentially gaining access to private IP ranges and internal services. A patch is available.
SSRF
PHP
Microsoft
-
CVE-2026-33764
MEDIUM
CVSS 4.3
The AVideo AI plugin's save.json.php endpoint fails to validate that AI-generated responses belong to the target video before applying them, allowing authenticated users to exfiltrate private video metadata and full transcriptions by referencing arbitrary AI response IDs. An attacker with canUseAI permission can steal AI-generated titles, descriptions, keywords, summaries, and complete transcription files from other users' private videos through a simple parameter manipulation attack, then apply this stolen content to their own video for reading. No active exploitation has been confirmed, but proof-of-concept methodology is detailed in the advisory, making this a practical attack for any platform user with basic video ownership.
PHP
Authentication Bypass
-
CVE-2026-33763
MEDIUM
CVSS 5.3
AVideo password verification API endpoint allows unauthenticated attackers to brute-force video access passwords at network speed with no rate limiting, enabling compromise of password-protected video content across the platform. The vulnerable endpoint (package pkg:composer/wwbn_avideo) returns a boolean confirmation for any password guess without authentication, CAPTCHA, or throttling mechanisms, and plaintext password storage combined with loose equality comparison further weakens defenses. Publicly available exploit code exists demonstrating rapid password enumeration against any video ID.
PHP
Information Disclosure
Oracle
-
CVE-2026-33761
MEDIUM
CVSS 5.3
Unauthenticated information disclosure in AVideo Scheduler plugin exposes internal infrastructure details, admin-composed email campaigns, and user targeting mappings through three unprotected list.json.php endpoints. Remote attackers without authentication can retrieve all scheduled task callbacks with internal URLs and parameters, complete email message bodies, and user-to-email relationships by issuing simple GET requests. A public proof-of-concept exists demonstrating the vulnerability; patch availability has been confirmed by the vendor.
PHP
Information Disclosure
SSRF
-
CVE-2026-33759
MEDIUM
CVSS 5.3
AVideo playlist video enumeration allows unauthenticated attackers to bypass authorization checks and directly access video contents from private playlists including watch_later and favorite lists via the playlistsVideos.json.php endpoint. Sequential playlist IDs enable trivial enumeration of all users' private viewing habits, favorites, and unlisted custom playlists without authentication. A publicly available proof-of-concept exists demonstrating the vulnerability, which affects WWBN AVideo via Composer package wwbn_avideo.
PHP
Authentication Bypass
-
CVE-2026-33750
MEDIUM
CVSS 6.5
Brace-expansion library versions prior to 5.0.5 allow unauthenticated remote attackers to cause denial of service through resource exhaustion by supplying brace expansion patterns with zero step values (e.g., {1..2..0}), triggering an infinite loop that consumes gigabytes of memory and hangs the process for seconds. The vulnerability affects any application passing untrusted input to the expand() function, including glob/minimatch-based tools consuming CLI arguments or configuration files, and requires only 10 bytes of malicious input to trigger.
Denial Of Service
-
CVE-2026-33743
MEDIUM
CVSS 6.5
Denial of service in Incus prior to version 6.23.0 allows authenticated users with storage bucket access to crash the Incus daemon via specially crafted storage bucket backups, enabling repeated attacks to render the control plane API unavailable while leaving running workloads unaffected. The vulnerability requires local or remote authentication to the Incus system and has a CVSS score of 6.5 (medium severity) with high availability impact. Vendor-released patch available in version 6.23.0.
Denial Of Service
-
CVE-2026-33742
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in Invoice Ninja v5.13.0 through v5.13.3 allows authenticated attackers with product notes field access to inject and execute arbitrary JavaScript in invoice templates via unvalidated Markdown rendering. The vulnerability affects all Invoice Ninja instances running affected versions where the Markdown parser output bypasses HTML sanitization, enabling session hijacking, credential theft, or malicious template manipulation for other users viewing invoices. A vendor-released patch (v5.13.4) addresses this by implementing purify::clean() sanitization on Markdown output.
XSS
-
CVE-2026-33738
MEDIUM
CVSS 4.8
Stored cross-site scripting (XSS) in Lychee photo-management application versions prior to 7.5.3 allows unauthenticated remote attackers to execute arbitrary JavaScript through unsanitized photo description fields rendered in publicly accessible RSS, Atom, and JSON feed endpoints. The vulnerability stems from use of Blade's unescaped output syntax ({!! !!}) in feed templates, enabling malicious descriptions to inject executable scripts that execute in the context of any RSS reader or client consuming the feed.
XSS
-
CVE-2026-33732
MEDIUM
CVSS 4.8
srvx's FastURL pathname parser on Node.js can be bypassed to circumvent route-based middleware (authentication guards, rate limiters) when absolute URIs with non-standard schemes are sent in raw HTTP requests. An attacker sending a crafted request like `GET file://hehe?/internal/run HTTP/1.1` can cause the router to match a different pathname than what downstream middleware sees after a deoptimization occurs, allowing access to protected endpoints. This affects srvx versions prior to 0.11.13, requires direct HTTP request capability (not browser-accessible), and has a CVSS score of 4.8 with medium complexity attack requirements. No public exploit identified at time of analysis.
Node.js
Authentication Bypass
-
CVE-2026-33729
MEDIUM
CVSS 5.8
OpenFGA's condition-based caching mechanism can generate identical cache keys for different authorization check requests, allowing attackers to bypass access controls by triggering cache reuse of previously evaluated decisions. This affects deployments with relations that evaluate conditions and have caching enabled. Organizations should upgrade to OpenFGA v1.13.1 to remediate the cache poisoning vulnerability.
Information Disclosure
-
CVE-2026-33726
MEDIUM
CVSS 5.4
Cilium Network Policy enforcement is bypassed for traffic from pods to L7 Services with local backends on the same node when Per-Endpoint Routing is enabled and BPF Host Routing is disabled, allowing authenticated local attackers to circumvent ingress network policies and access restricted services. This affects Cilium v1.19.0-v1.19.1, v1.18.0-v1.18.7, and all versions prior to v1.17.13, with the most common vulnerable deployment being Amazon EKS with Cilium ENI mode. Vendor-released patches are available (v1.19.2, v1.18.8, v1.17.14), and no public exploit code has been identified at the time of analysis.
Microsoft
Kubernetes
Authentication Bypass
-
CVE-2026-33711
MEDIUM
CVSS 4.7
Incus versions prior to 6.23.0 allow local authenticated attackers to manipulate temporary screenshot files via predictable /tmp paths and symlink attacks, potentially truncating and altering permissions of arbitrary files on systems with disabled symlink protection (rare), leading to denial of service or local privilege escalation. The vulnerability requires local access and authenticated user privileges but is particularly dangerous on systems without kernel-level symlink protections enabled. An exploit proof-of-concept exists, and the vendor has released patched version 6.23.0 to address the issue.
Linux
Privilege Escalation
Denial Of Service
-
CVE-2026-33653
MEDIUM
CVSS 4.6
Stored XSS in Uploady file uploader (farisc0de/Uploady versions prior to 3.1.2) allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by uploading files with malicious filenames that are rendered without proper escaping in file list and details pages. The vulnerability requires user interaction (viewing the affected page) and authenticated access, resulting in confidentiality and integrity impact with a CVSS score of 4.6. Vendor-released patch version 3.1.2 is available.
XSS
File Upload
-
CVE-2026-33542
MEDIUM
CVSS 5.7
Incus versions prior to 6.23.0 fail to validate image fingerprints when downloading from simplestreams servers, enabling attackers with local privileges to poison the image cache and potentially cause other tenants to execute attacker-controlled container or virtual machine images instead of legitimate ones. The vulnerability requires local authentication and specific conditions but carries high integrity impact in multi-tenant environments; no active exploitation has been confirmed.
Information Disclosure
-
CVE-2026-33541
MEDIUM
CVSS 6.5
TSPortal versions prior to 34 contain an uncontrolled resource creation vulnerability that allows authenticated attackers to generate arbitrary user database records through validation logic abuse, resulting in potential denial of service via uncontrolled database growth. The flaw exists in Miraheze's Trust and Safety management platform (cpe:2.3:a:miraheze:tsportal) and requires low-privilege authenticated access to exploit. Vendor-released patch available in version 34; no public exploit identified at time of analysis.
Denial Of Service
-
CVE-2026-33537
MEDIUM
CVSS 5.3
Incomplete IP validation in Lychee's SSRF protection mechanism allows authenticated users to bypass all four security configuration settings by leveraging loopback and link-local addresses, enabling access to internal services. The vulnerability affects Lychee versions prior to 7.5.1 and requires prior authentication but carries low confidentiality impact. No public exploit code or active exploitation has been identified at time of analysis, though the attack vector is network-accessible and requires minimal complexity.
SSRF
-
CVE-2026-33536
MEDIUM
CVSS 5.1
Stack buffer overflow in ImageMagick and Magick.NET due to incorrect pointer arithmetic on certain platforms allows local attackers to write one byte past allocated stack boundaries, causing denial of service. ImageMagick versions prior to 7.1.2-18 and 6.9.13-43, along with multiple Magick.NET NuGet packages, are affected. The vulnerability requires local access and specific platform conditions, but succeeds without user interaction.
Buffer Overflow
Stack Overflow
-
CVE-2026-33535
MEDIUM
CVSS 4.0
The X11 display interaction path contains an out-of-bounds write vulnerability that allows local attackers to crash affected applications through a single zero byte write. The medium-severity flaw (CVSS 4.0) requires no privileges or user interaction to trigger a denial of service condition. No patch is currently available for this vulnerability.
Buffer Overflow
Memory Corruption
-
CVE-2026-33531
MEDIUM
CVSS 4.9
InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authenticated staff users to read arbitrary files from the server filesystem through crafted template tags in the `encode_svg_image()`, `asset()`, and `uploaded_image()` functions. An attacker with staff privileges can exploit this to access sensitive files if the InvenTree installation runs with elevated host system permissions. Vendor-released patches are available in versions 1.2.6 and 1.3.0 or later; no public exploit code or active exploitation has been confirmed at this time.
Path Traversal
SQLi
-
CVE-2026-33515
MEDIUM
CVSS 6.9
Squid prior to version 7.5 contains an out-of-bounds read vulnerability in ICP (Internet Cache Protocol) traffic handling due to improper input validation, classified as CWE-125. Remote attackers can exploit this to leak small amounts of process memory potentially containing sensitive information by sending malformed ICP requests to deployments with explicitly enabled ICP support (non-zero icp_port configuration). The vulnerability affects all versions of Squid before 7.5, and while no CVSS score or EPSS data is currently available, the information disclosure impact and remote attack vector indicate moderate to significant risk for affected deployments.
Buffer Overflow
Information Disclosure
-
CVE-2026-33477
MEDIUM
CVSS 4.3
FileRise versions 2.3.7 through 3.10.0 suffer from improper access control in the file snippet endpoint, allowing authenticated users with read-only access to retrieve file content uploaded by other users in shared folders. An attacker with limited folder permissions can exploit this authorization bypass to view sensitive files beyond their intended access scope. The vulnerability affects FileRise running on PHP and is resolved in version 3.11.0.
PHP
File Upload
Authentication Bypass
-
CVE-2026-33470
MEDIUM
CVSS 6.5
Frigate network video recorder versions prior to 0.17.1 allow authenticated users with restricted camera access to enumerate and retrieve snapshots from unauthorized cameras through a two-step authorization bypass in the timeline and snapshot APIs. An attacker with low-privilege credentials limited to one camera can exploit missing validation in the snapshot-clean.webp endpoint to access video evidence from other cameras in the system, compromising the confidentiality of surveillance data across the entire installation. A proof-of-concept exists, though no confirmation of active exploitation in the wild has been reported.
Authentication Bypass
-
CVE-2026-33469
MEDIUM
CVSS 6.5
Broken access control in Frigate 0.17.0 allows authenticated non-admin users to retrieve the complete raw configuration file via the `/api/config/raw` endpoint, exposing camera credentials, RTMP stream passwords, MQTT secrets, and proxy authentication tokens that are intentionally redacted from the standard `/api/config` API. The vulnerability stems from inconsistent authorization enforcement between `/api/config/raw_paths` (admin-only) and `/api/config/raw` (authenticated-user-accessible), introduced during an admin-by-default API refactor. Patch version 0.17.1 is available; publicly available exploit code exists but the vulnerability is not confirmed as actively exploited in the wild.
Authentication Bypass
-
CVE-2026-33438
MEDIUM
CVSS 6.5
Stirling-PDF versions 2.1.5 through 2.5.1 are vulnerable to resource exhaustion denial of service through the watermark API endpoint, where authenticated users can supply extreme values for fontSize and widthSpacer parameters to crash the server. A proof-of-concept exists according to SSVC data, and the vendor has released patched version 2.5.2 to resolve the issue.
Denial Of Service
-
CVE-2026-33375
MEDIUM
CVSS 6.5
Grafana MSSQL data source plugin versions across multiple release branches contain a logic flaw enabling low-privileged Viewer users to bypass API restrictions and trigger catastrophic out-of-memory exhaustion, resulting in host container denial of service. The vulnerability affects Grafana OSS versions 11.6.0 through 12.4.0 across multiple patch branches (11.6.14+security-01, 12.1.10+security-01, 12.2.8+security-01, 12.3.6+security-01, and 12.4.2 or later) and requires only network access and valid low-privileged credentials to exploit; no public exploit code or active exploitation has been confirmed at time of analysis.
Grafana
Denial Of Service
-
CVE-2026-33148
MEDIUM
CVSS 6.5
Tandoor Recipes versions prior to 2.6.0 allow authenticated remote attackers to cause denial of service by injecting URL parameters into the USDA FoodData Central search endpoint through improper URL encoding of the query parameter, enabling API key override and server crashes via malformed requests. Publicly available exploit code exists, and a vendor-released patch is available in version 2.6.0.
Denial Of Service
-
CVE-2026-33015
MEDIUM
CVSS 5.2
EVerest charging software stack versions prior to 2026.02.0 allow EV operators to bypass remote stop commands issued by a Charging Station Management System (CSMS) by toggling the EV's Battery Control Box (BCB), causing the EVSE to return to PrepareCharging state and restart charging sessions. This circumvents billing, operational, and safety controls enforced by remote stop functionality. A proof-of-concept exists and the vulnerability has been patched in version 2026.02.0, though the attack requires physical proximity to the charging equipment (CVSS attack vector: Physical).
Authentication Bypass
-
CVE-2026-33014
MEDIUM
CVSS 5.2
EVerest-core prior to version 2026.02.0 fails to properly terminate EV charging transactions during remote stop operations due to a delayed authorization response that incorrectly restores the authorized flag to true, allowing transactions to remain open even after a PowerOff event triggers stop_transaction(). This authentication bypass affects EV charging infrastructure and enables continued power delivery after an operator-initiated remote stop command. A proof-of-concept exists but no public confirmation of active exploitation has been identified.
Authentication Bypass
-
CVE-2026-30162
MEDIUM
CVSS 6.1
Timo 2.0.3 contains a stored cross-site scripting (XSS) vulnerability in the title field that allows unauthenticated remote attackers to inject malicious scripts via crafted links, resulting in session hijacking, credential theft, or malware distribution to other users viewing affected content. Publicly available exploit code exists (referenced via GitHub issue), and the vulnerability is rated CVSS 6.1 with cross-site scope impact, though no evidence of active exploitation in the wild has been confirmed at the time of analysis.
XSS
-
CVE-2026-29976
MEDIUM
CVSS 6.2
The getradiotapfield() function in ZerBea hcxpcapngtool version 7.0.1-43-g2ee308e contains a buffer overflow vulnerability allowing local attackers to trigger a denial of service condition through memory corruption. While the vulnerability is classified as causing information disclosure in the description, the CVSS vector (C:N/I:N/A:H) indicates the primary impact is availability degradation rather than confidentiality compromise. No public exploit code or active exploitation has been identified at the time of analysis, though the local attack vector and lack of required privileges make exploitation feasible for any user with local system access.
Buffer Overflow
-
CVE-2026-29969
MEDIUM
CVSS 6.1
StaffWiki v7.0.1.19219 contains a reflected cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint that enables remote attackers to execute arbitrary JavaScript in a user's browser context through a crafted HTTP request. The vulnerability affects StaffWiki versions up to at least 7.0.1.19219, and publicly available exploit code has been disclosed via GitHub, though no active exploitation has been confirmed by CISA at the time of analysis.
XSS
-
CVE-2026-29934
MEDIUM
CVSS 6.1
Lightcms v2.0 contains a reflected cross-site scripting vulnerability in the /admin/menus component that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the HTTP referer header. The vulnerability requires user interaction (clicking a crafted link) to trigger exploitation. A proof-of-concept has been publicly disclosed on GitHub, though no evidence of active exploitation in the CISA Known Exploited Vulnerabilities catalog was identified. With a CVSS score of 6.1 and low attack complexity, this represents a moderate-severity risk requiring prompt patching.
XSS
-
CVE-2026-29933
MEDIUM
CVSS 6.1
YZMCMS v7.4 suffers from a reflected cross-site scripting (XSS) vulnerability in the /index/login.html component that permits attackers to execute arbitrary JavaScript in a user's browser by manipulating the referrer value in request headers. Remote attackers can exploit this to steal session credentials, perform actions on behalf of authenticated users, or redirect users to malicious sites without requiring prior authentication. No public exploit code or active exploitation has been independently confirmed at the time of analysis.
XSS
-
CVE-2026-29905
MEDIUM
CVSS 6.5
Kirby CMS versions through 5.1.4 allow authenticated editors to trigger a persistent denial of service by uploading malformed images that bypass getimagesize() validation, causing fatal TypeErrors during metadata or thumbnail processing. A proof-of-concept exists and the vulnerability is automatable post-authentication, though no CISA KEV confirmation is evident. The impact is availability degradation affecting CMS operations for all users.
PHP
Denial Of Service
-
CVE-2026-29055
MEDIUM
CVSS 5.3
Tandoor Recipes versions prior to 2.6.0 fail to strip EXIF metadata from WebP and GIF image uploads, exposing sensitive information such as GPS coordinates, timestamps, and camera details to all users viewing shared recipes. This information disclosure vulnerability affects any user uploading recipe photos, particularly those using modern smartphones that default to WebP format. The vulnerability is fixed in version 2.6.0.
Information Disclosure
-
CVE-2026-29044
MEDIUM
CVSS 5.0
EVerest EV charging software before version 2026.02.0 fails to properly stop charging transactions when authorization withdrawal occurs before the TransactionStarted event, allowing attackers with high privileges to bypass deauthorization through precise timing and maintain unauthorized charging sessions. The vulnerability stems from incomplete StopTransaction handling in the Charging state, affecting IoT and EVerest Core deployments with no currently available patch.
Authentication Bypass
-
CVE-2026-28503
MEDIUM
CVSS 5.5
Tandoor Recipes versions prior to 2.6.0 allow authenticated admin users to bypass space isolation controls and trigger synchronization operations on Sync configurations belonging to other organizational spaces, exposing the ability to initiate Dropbox, Nextcloud, or local imports outside the attacker's own space and access resulting sync logs. The vulnerability stems from missing space validation in the `SyncViewSet.query_synced_folder()` API endpoint, enabling horizontal privilege escalation across multi-tenant deployments. No public exploit code has been identified at the time of analysis.
Authentication Bypass
-
CVE-2026-28298
MEDIUM
CVSS 5.9
SolarWinds Observability Self-Hosted versions 2026.1.1 and earlier contain a stored cross-site scripting (XSS) vulnerability that permits authenticated high-privilege users to inject malicious scripts into the application, resulting in unintended script execution when other users access affected pages. The vulnerability requires high privilege level and user interaction to exploit, limiting real-world attack surface; no public exploit code or active exploitation has been identified at the time of analysis.
XSS
-
CVE-2026-28297
MEDIUM
CVSS 6.1
SolarWinds Observability Self-Hosted versions 2026.1.1 and earlier contain a stored cross-site scripting vulnerability that allows authenticated attackers with high privileges to inject malicious scripts into the application, resulting in unintended script execution within the security context of the affected system. The vulnerability requires administrative or high-privilege access and does not currently show evidence of active exploitation, though the ability to persist malicious payloads in stored data represents a significant insider threat. Affected organizations should prioritize patching to versions after 2026.1.1 to eliminate the XSS attack surface.
XSS
-
CVE-2026-27828
MEDIUM
CVSS 5.5
EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_chargerImpl::handle_session_setup function that crashes the EVSE process when session setup commands are issued after ISO15118 initialization failure. Remote attackers with MQTT access can trigger this denial of service condition by sending a crafted session_setup command, causing the process to reference freed memory (v2g_ctx). A vendor-released patch is available in version 2026.02.0.
Use After Free
Denial Of Service
Memory Corruption
-
CVE-2026-27816
MEDIUM
CVSS 5.5
EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handle_update_energy_transfer_modes function, where variable-length MQTT command payloads are copied into a fixed-size 6-element array without bounds checking. Because schema validation is disabled by default, oversized payloads trigger memory corruption that can crash the EV charging service or corrupt adjacent EVSE (Electric Vehicle Supply Equipment) state, affecting the integrity and availability of EV charging infrastructure. No public exploit code has been identified at the time of analysis, but the vulnerability is patched in version 2026.02.0.
Buffer Overflow
Memory Corruption
-
CVE-2026-27815
MEDIUM
CVSS 5.5
Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corrupt EVSE state or crash the charging process by sending oversized MQTT command payloads that are not rejected because schema validation is disabled. The ISO15118_chargerImpl::handle_session_setup function copies variable-length payment_options lists into a fixed 2-element array without bounds checking, exposing a CWE-787 buffer overflow vulnerability with availability and integrity impact. No public exploit code has been identified at time of analysis.
Buffer Overflow
Memory Corruption
-
CVE-2026-27814
MEDIUM
CVSS 4.2
Data race conditions in EVerest Core versions before 2026.02.0 allow concurrent access to charging state during phase switching operations, potentially causing integrity violations or service interruptions on affected EV charging systems. An attacker with adjacent network access can trigger the race condition by initiating phase switches during active charging sessions, exploiting the unsafe concurrent execution between the state machine and switching requests. No patch is currently available for this vulnerability.
Information Disclosure
Race Condition
-
CVE-2026-27813
MEDIUM
CVSS 5.3
EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memory corruption, triggered by EV plug-in/unplug events and authorization flows (RFID, RemoteStart, OCPP). Unauthenticated attackers with physical access can, with high attack complexity, exploit this to leak sensitive information or cause denial of service on affected charging infrastructure. No public exploit identified at time of analysis.
Information Disclosure
Memory Corruption
Use After Free
-
CVE-2026-26073
MEDIUM
CVSS 5.9
EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling triggered by concurrent powermeter public key updates and EV session/error events, resulting in heap corruption and potential denial of service. Unauthenticated remote attackers can exploit this via specially timed network events to crash the charging infrastructure, though successful exploitation requires precise timing due to high attack complexity. The vulnerability affects everest-core and has been patched in version 2026.02.0.
Heap Overflow
Buffer Overflow
-
CVE-2026-26072
MEDIUM
CVSS 4.2
EVerest EV charging software prior to version 2026.02.0 contains a race condition in concurrent map access that can corrupt internal data structures when EV state-of-charge updates coincide with power meter refreshes and session termination events. Local attackers with physical access to charging equipment can trigger this condition to cause denial of service by crashing the charging system. Patch availability is limited to version 2026.02.0 and later.
Race Condition
Information Disclosure
-
CVE-2026-26071
MEDIUM
CVSS 4.2
EVerest EV charging software versions before 2026.02.0 contain a race condition in std::string handling triggered by concurrent EVCCID updates and OCPP session events, potentially leading to heap-use-after-free and denial of service. Local attackers with physical access to the charging infrastructure can exploit this timing-dependent vulnerability to crash the charging service. A patch is available in version 2026.02.0 or later.
Race Condition
Information Disclosure
-
CVE-2026-26070
MEDIUM
CVSS 4.6
Concurrent access to std::map<std::optional> in EVerest-Core versions prior to 2026.02.0 causes a data race condition that can corrupt container state during simultaneous EV state-of-charge updates, power meter periodic updates, and session termination events, resulting in denial of service of the EV charging stack. EVerest-Core (cpe:2.3:a:everest:everest-core) is the affected product, with patched version 2026.02.0 available. No public exploit code has been identified at time of analysis, and this vulnerability is not confirmed actively exploited; however, the condition is readily triggerable through normal charging operations combining multiple concurrent data sources.
Race Condition
Information Disclosure
-
CVE-2026-21724
MEDIUM
CVSS 5.4
Grafana OSS provisioning contact points API fails to enforce the alert.notifications.receivers.protected:write permission, allowing users with the Editor role to modify protected webhook URLs and bypass intended authorization controls. This affects Grafana OSS versions 11.6.9 through 11.6.14, 12.1.5 through 12.1.10, 12.2.2 through 12.2.8, and 12.3.1 through 12.3.6. Authenticated Editor-level users can exploit this to reconfigure webhook destinations, potentially redirecting alert notifications to attacker-controlled endpoints. No public exploit identified at time of analysis.
Grafana
Authentication Bypass
Redhat
Suse
-
CVE-2026-4923
MEDIUM
CVSS 5.9
path-to-regexp versions prior to 8.4.0 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing multiple wildcard parameters combined with path parameters in specific configurations. Unauthenticated remote attackers can craft malicious path patterns containing multiple wildcards (not at the end) to trigger catastrophic regex backtracking, causing denial of service against applications using the affected library. No public exploit code or active exploitation has been confirmed at time of analysis.
Denial Of Service
-
CVE-2026-4900
MEDIUM
CVSS 5.5
A security vulnerability in A weakness (CVSS 5.5). Risk factors: public PoC available.
Path Traversal
Information Disclosure
-
CVE-2026-4899
MEDIUM
CVSS 4.8
The code-projects Online Food Ordering System versions up to 1.0 contain a stored cross-site scripting (XSS) vulnerability in the /dbfood/food.php file via the cuisines parameter, allowing authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability carries a CVSS score of 2.4 (low severity); although exploit code and confirmed documentation are publicly available on GitHub, the high privilege requirement and user-interaction dependency limit its practical impact. Remote exploitation is possible, but the attack requires an authenticated user with high-level administrative privileges and victim user interaction, substantially constraining real-world exploitation likelihood.
XSS
PHP
-
CVE-2026-4898
MEDIUM
CVSS 5.3
The Online Food Ordering System 1.0 by code-projects contains a reflected cross-site scripting (XSS) vulnerability in the Name parameter of /dbfood/contact.php that allows unauthenticated remote attackers to inject malicious scripts. The vulnerability has a publicly available proof-of-concept and affects all versions of the affected product line. While the CVSS score of 4.3 is moderate, the public availability of exploit code and minimal complexity of attack execution elevate practical risk for instances exposed to the internet.
XSS
PHP
-
CVE-2026-4897
MEDIUM
CVSS 5.5
Polkit's polkit-agent-helper-1 setuid binary fails to bound input length on stdin, allowing local authenticated users to trigger out-of-memory conditions and deny system availability. An attacker with local login privileges can supply excessively long input to exhaust memory resources, causing a system-wide denial of service. No public exploit code or active exploitation has been confirmed at the time of analysis.
Denial Of Service
-
CVE-2026-4887
MEDIUM
CVSS 6.1
GIMP's PCX file loader contains a heap buffer over-read vulnerability caused by an off-by-one error (CWE-193) that allows local attackers to trigger out-of-bounds memory disclosure and application crashes by opening specially crafted PCX images. Red Hat Enterprise Linux versions 6 through 9 are affected. The vulnerability requires user interaction to open a malicious file but carries a CVSS score of 6.1 with high availability impact; no public exploit code or active exploitation has been identified at the time of analysis.
Denial Of Service
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
-
CVE-2026-4877
MEDIUM
CVSS 5.3
Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System version 1.0 allows remote unauthenticated attackers to inject malicious scripts via manipulation of the 'page' parameter in /index.php. The vulnerability has a CVSS v4.0 score of 5.3 with network accessibility and low integrity impact; publicly available exploit code exists, and CISA SSVC assessment confirms the flaw is exploitable and partially automatable, making it suitable for active compromise of application integrity and user sessions.
PHP
XSS
-
CVE-2026-4876
MEDIUM
CVSS 5.3
SQL injection in itsourcecode Free Hotel Reservation System 1.0 via the ID parameter in /admin/mod_amenities/index.php?view=editpic allows authenticated remote attackers to manipulate database queries and extract or modify sensitive data. The vulnerability requires valid administrator credentials to exploit (PR:L per CVSS 4.0 vector), affects confidentiality and integrity of database contents, and carries moderate real-world risk despite a CVSS score of 5.3 due to publicly available exploit code and low attack complexity. No vendor-released patch has been identified; the system appears to be unsupported or abandoned based on available advisory data.
SQLi
PHP
-
CVE-2026-4875
MEDIUM
CVSS 5.1
Free Hotel Reservation System 1.0 permits unrestricted file uploads via the image parameter in the /admin/mod_amenities/index.php?view=add endpoint, allowing remote attackers with high privileges to upload arbitrary files. The vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) affects the amenities management module and has publicly available exploit code. With a CVSS v4.0 score of 5.1 and network-accessible attack vector requiring high administrative privileges, this poses a moderate risk primarily to authenticated administrators or systems where authentication has been compromised.
File Upload
PHP
-
CVE-2026-4860
MEDIUM
CVSS 6.9
A deserialization vulnerability exists in the wvp-GB28181-pro project (a video streaming platform using GB28181 protocol) through version 2.7.4, specifically in the GenericFastJsonRedisSerializer implementation within the Redis configuration. The flaw allows unauthenticated remote attackers to exploit insecure deserialization through the API endpoint, potentially achieving code execution or data manipulation with low complexity. A public proof-of-concept exploit has been released on GitHub, significantly increasing the risk of active exploitation, and the vendor has not responded to disclosure attempts.
Java
Redis
Deserialization
-
CVE-2026-4850
MEDIUM
CVSS 6.9
SQL injection in Simple Laundry System 1.0's /checkregisitem.php parameter handler allows unauthenticated remote attackers to manipulate the Long-arm-shirtVol argument and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available to remediate this issue.
SQLi
PHP
-
CVE-2026-4849
MEDIUM
CVSS 5.3
A reflected cross-site scripting (XSS) vulnerability exists in code-projects Simple Laundry System version 1.0 via the firstName parameter in the /modify.php file. An attacker can inject malicious JavaScript that executes in a victim's browser when they visit a crafted link, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept is available on GitHub, and exploitation requires only user interaction (clicking a malicious link), making this a practical concern despite the moderate CVSS score of 5.3.
XSS
PHP
-
CVE-2026-4848
MEDIUM
CVSS 5.3
Muucmf 1.9.5.20260309 contains a cross-site scripting (XSS) vulnerability in the /admin/extend/list.html endpoint where the Name parameter is not properly sanitized, allowing remote attackers to inject malicious scripts. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
XSS
-
CVE-2026-4847
MEDIUM
CVSS 5.3
A reflected cross-site scripting (XSS) vulnerability exists in dameng100 muucmf version 1.9.5.20260309 within the /admin/config/list.html endpoint, where the Name parameter is not properly sanitized before being rendered in the response. An unauthenticated remote attacker can craft a malicious URL containing JavaScript code in the Name parameter to execute arbitrary scripts in a victim's browser context, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit has been published, and the vendor has not responded to early disclosure notifications, indicating no immediate patch is available.
XSS
-
CVE-2026-4846
MEDIUM
CVSS 5.3
A stored cross-site scripting (XSS) vulnerability exists in dameng100 muucmf version 1.9.5.20260309 and potentially earlier versions, affecting the autoReply.html administrative interface in the channel/admin.Account module. An unauthenticated attacker can inject malicious JavaScript through the 'keyword' parameter, which is reflected in the response without proper sanitization, allowing session hijacking, credential theft, or malware distribution to administrative users. A public proof-of-concept exploit is available, and the vendor has not responded to disclosure notifications, indicating no official patch is currently available.
XSS
-
CVE-2026-4845
MEDIUM
CVSS 5.3
A reflected cross-site scripting (XSS) vulnerability exists in Dameng100 MUUCMF version 1.9.5.20260309 within the Member management interface at /admin/Member/index.html. The vulnerability is triggered via an unsanitized Search parameter, allowing remote attackers to inject arbitrary JavaScript that executes in the context of an authenticated user's browser. A proof-of-concept exploit has been publicly disclosed, and the vendor has not responded to early disclosure attempts, leaving deployments unpatched.
XSS
-
CVE-2026-4844
MEDIUM
CVSS 6.9
SQL injection in the Admin Login Module of code-projects Online Food Ordering System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter in /admin.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations should implement network-level controls or upgrade to a patched version once available.
SQLi
PHP
-
CVE-2026-4842
MEDIUM
CVSS 6.9
SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the deptid parameter in the grades index page. Public exploit code is available for this vulnerability, and no patch is currently available. The attack requires only network access with no additional complexity or user interaction.
SQLi
PHP
-
CVE-2026-4841
MEDIUM
CVSS 6.9
SQL injection in code-projects Online Food Ordering System 1.0's Shopping Cart Module (cart.php) allows unauthenticated remote attackers to manipulate the del parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected PHP-based installations are at immediate risk of database compromise and data exfiltration.
SQLi
PHP
-
CVE-2026-4839
MEDIUM
CVSS 6.9
SQL injection in SourceCodester Food Ordering System 1.0 via the custom parameter in /purchase.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects PHP-based installations of this food ordering platform.
PHP
SQLi
-
CVE-2026-4838
MEDIUM
CVSS 6.9
SQL injection in SourceCodester Malawi Online Market 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /display.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability remains unpatched and affects PHP-based deployments of this application.
SQLi
PHP
-
CVE-2026-4836
MEDIUM
CVSS 5.3
SQL injection in code-projects Accounting System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the cos_id parameter in /my_account/delete.php. Public exploit code exists for this vulnerability, enabling potential unauthorized database access and manipulation. No patch is currently available.
SQLi
PHP
-
CVE-2026-4835
MEDIUM
CVSS 5.1
A stored cross-site scripting (XSS) vulnerability exists in code-projects Accounting System 1.0 within the customer management interface (/my_account/add_costumer.php), where the costumer_name parameter fails to properly sanitize user input. Attackers with low privileges and user interaction can inject malicious JavaScript that will execute in the browsers of other users viewing the affected page, potentially leading to session hijacking, credential theft, or unauthorized actions within the accounting system. A public proof-of-concept exploit is available, significantly increasing the likelihood of real-world exploitation.
XSS
PHP
-
CVE-2026-4833
MEDIUM
CVSS 4.8
Uncontrolled recursion in the Markdown Handler component of Orc discount up to version 3.0.1.2 causes denial of service through malformed deeply-nested blockquote inputs, affecting local users who process untrusted markdown files. Public exploit code exists for this vulnerability, and no patch is currently available. The issue requires local access and low privileges to trigger but can crash the application.
Denial Of Service
-
CVE-2026-4831
MEDIUM
CVSS 6.3
Improper authentication in the password-protected share handler of Kalcaddle Kodbox 1.64 allows remote attackers to bypass access controls through manipulation of the authentication function, despite high attack complexity. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
Authentication Bypass
PHP
-
CVE-2026-4830
MEDIUM
CVSS 6.3
An unrestricted file upload vulnerability exists in Kalcaddle Kodbox 1.64 within the Public Share Handler component's userShare.class.php file. This allows unauthenticated remote attackers to upload arbitrary files by manipulating the Add function, potentially leading to remote code execution and system compromise. A publicly available proof-of-concept exists, and the vendor has not responded to early disclosure attempts, increasing the likelihood of active exploitation.
File Upload
PHP
-
CVE-2026-4393
MEDIUM
CVSS 4.3
Drupal Automated Logout module contains a Cross-Site Request Forgery (CSRF) vulnerability that allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects Automated Logout versions prior to 1.7.0 and versions 2.0.0 through 2.0.1, with patched versions available at 1.7.0 and 2.0.2 respectively. No public exploit code or active exploitation has been identified at the time of analysis.
CSRF
-
CVE-2026-4389
MEDIUM
CVSS 6.4
The DSGVO Snippet for Leaflet Map and its Extensions WordPress plugin (all versions up to and including 3.1) contains a Stored Cross-Site Scripting (XSS) vulnerability that allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes (`unset`, `before`, `after`), enabling script execution whenever visitors access the compromised pages. With a CVSS score of 6.4 and low attack complexity, this represents a moderate but real threat in WordPress environments where multiple content contributors exist.
WordPress
XSS
-
CVE-2026-4346
MEDIUM
CVSS 5.1
Cleartext credential storage in TP-Link TL-WR850N v3 flash memory combined with weak serial interface authentication enables attackers with physical access to extract administrative and Wi-Fi credentials, leading to full device compromise and unauthorized network access. The vulnerability is addressed by a vendor patch, and exploitation requires physical proximity to the device's serial port with no public exploit code identified at time of analysis.
Authentication Bypass
-
CVE-2026-4335
MEDIUM
CVSS 5.4
The ShortPixel Image Optimizer WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 6.4.3, affecting the getEditorPopup() function and media-popup.php template. Authenticated attackers with Author-level permissions can inject arbitrary JavaScript into attachment post titles via the REST API, which executes when administrators open the ShortPixel AI editor popup for the poisoned attachment. This vulnerability has a CVSS score of 5.4 (moderate severity) and requires user interaction from a higher-privileged administrator to trigger, limiting its immediate exploitation scope but still presenting a meaningful privilege escalation risk in multi-author WordPress environments.
WordPress
PHP
XSS
-
CVE-2026-4331
MEDIUM
CVSS 4.3
The Blog2Social plugin for WordPress contains an authorization flaw in the resetSocialMetaTags() function that allows authenticated attackers with Subscriber-level access to permanently delete all social media metadata from the site's post records. The vulnerability exists in all versions up to and including 8.8.2 and affects sites using the Blog2Social: Social Media Auto Post & Scheduler plugin, which is available via the WordPress plugin repository. Attackers can exploit this by crafting AJAX requests with a valid nonce that is broadly available due to the plugin granting the 'blog2social_access' capability to all user roles upon activation, resulting in complete data loss of social media scheduling information across all posts.
WordPress
Authentication Bypass
-
CVE-2026-4281
MEDIUM
CVSS 5.3
The FormLift for Infusionsoft Web Forms WordPress plugin contains a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to hijack the site's Infusionsoft OAuth connection. Affected versions through 7.5.21 fail to validate user authentication on critical OAuth handler methods, enabling attackers to intercept temporary OAuth credentials and inject arbitrary OAuth tokens and app domains via the update_option() function. This is a network-accessible, low-complexity vulnerability with no required privileges; while the CVSS score is moderate (5.3), the real-world impact is integrity compromise of the CRM integration layer, potentially affecting customer data flows and automation.
WordPress
Authentication Bypass
-
CVE-2026-4278
MEDIUM
CVSS 6.4
The Simple Download Counter WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'sdc_menu' shortcode due to insufficient input sanitization and output escaping of the 'text' and 'cat' attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript code into pages via these unescaped shortcode attributes, which will execute for all users visiting the affected pages. All versions up to and including 2.3 are vulnerable, with a CVSS score of 6.4 indicating moderate severity and the vulnerability requiring low attack complexity and only low privileges to exploit.
WordPress
XSS
-
CVE-2026-4274
MEDIUM
CVSS 5.4
Mattermost versions 11.2.x through 11.2.2, 10.11.x through 10.11.10, 11.4.0, and 11.3.x through 11.3.1 fail to properly restrict team-level access during remote cluster membership synchronization, allowing a malicious remote cluster to grant users access to entire private teams rather than limiting access to only shared channels. An authenticated attacker controlling a federated remote cluster can send crafted membership sync messages to trigger unintended team membership assignment, resulting in unauthorized access to private team resources. The EPSS score of 0.03% (percentile 7%) indicates low real-world exploitation probability, and no public exploit code has been identified at time of analysis.
Mattermost
Privilege Escalation
Debian
-
CVE-2026-4263
MEDIUM
CVSS 6.9
HiJiffy Chatbot contains an authorization bypass vulnerability in the /api/v1/webchat/message endpoint that allows unauthenticated attackers to download private messages from arbitrary users by manipulating the 'visitor' parameter. The vulnerability affects all versions of HiJiffy Chatbot (as indicated by the wildcard CPE) and has been reported by INCIBE. No public exploit code or active exploitation has been confirmed at the time of analysis.
Authentication Bypass
-
CVE-2026-4262
MEDIUM
CVSS 6.9
An incorrect authorization vulnerability in HiJiffy Chatbot allows unauthenticated attackers to download private messages from arbitrary users by manipulating the 'ID' parameter in the '/api/v1/download/<ID>/' endpoint. This is a classic authorization bypass enabling unauthorized access to sensitive conversation data. No public exploit code or active exploitation has been identified at the time of analysis, though the vulnerability was reported by INCIBE and affects all versions of HiJiffy Chatbot. The exposure is direct and requires only network access to the affected API endpoint.
Authentication Bypass
-
CVE-2026-4075
MEDIUM
CVSS 6.4
The BWL Advanced FAQ Manager Lite WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'baf_sbox' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript code through shortcode attributes (sbox_id, sbox_class, placeholder, highlight_color, highlight_bg, cont_ext_class) that will execute in the browsers of all users viewing the affected pages. The vulnerability affects all versions up to and including 1.1.1, and while no public exploit code or KEV designation is currently documented, the CVSS 6.4 score and straightforward nature of the flaw indicate moderate real-world risk.
WordPress
XSS
-
CVE-2026-3532
MEDIUM
CVSS 4.2
Improper case sensitivity handling in the Drupal OpenID Connect / OAuth client module versions prior to 1.5.0 allows privilege escalation through authentication bypass mechanisms. Authenticated or remote attackers can exploit case-sensitivity weaknesses in identity claim validation to assume elevated permissions within Drupal systems relying on this module for federated authentication. The vulnerability affects all versions from 0.0.0 through 1.5.0, and vendor-released patch version 1.5.0 is available.
Privilege Escalation
-
CVE-2026-3531
MEDIUM
CVSS 6.5
Drupal OpenID Connect / OAuth client versions before 1.5.0 contain an authentication bypass vulnerability that allows attackers to circumvent authentication mechanisms through an alternate path or channel. The vulnerability affects all versions from 0.0.0 through 1.4.x, enabling remote attackers to gain unauthorized access without proper credentials. No CVSS score, EPSS data, or confirmed active exploitation status is currently available; however, the vulnerability's authentication bypass nature and wide version range suggest significant real-world risk to Drupal installations relying on OpenID Connect or OAuth authentication.
Authentication Bypass
-
CVE-2026-3530
MEDIUM
CVSS 4.3
The Drupal OpenID Connect / OAuth client module versions prior to 1.5.0 contains a Server-Side Request Forgery (SSRF) vulnerability that allows remote attackers to make arbitrary HTTP requests from the affected server. This vulnerability affects all installations running OpenID Connect / OAuth client versions 0.0.0 through 1.5.0, and attackers can leverage the SSRF to access internal services, retrieve sensitive metadata, or interact with backend systems not directly accessible from the internet. No public exploit code or active exploitation has been confirmed at the time of analysis, though the vulnerability affects a widely-deployed Drupal authentication module.
SSRF
-
CVE-2026-3529
MEDIUM
CVSS 6.1
Drupal Google Analytics GA4 module versions before 1.1.14 contain a cross-site scripting (XSS) vulnerability through improper input neutralization during web page generation, allowing attackers to inject and execute arbitrary JavaScript in user browsers. Remote attackers can craft malicious requests that persist within analytics data or configuration, affecting all users of sites running vulnerable versions. The vulnerability is documented in Drupal's security advisory SA-CONTRIB-2026-024 and has been assigned EUVD-2026-16383; no public exploit code or active exploitation has been confirmed at the time of this analysis.
XSS
Google
-
CVE-2026-3528
MEDIUM
CVSS 6.1
Cross-site scripting (XSS) in Drupal Calculation Fields module versions prior to 1.0.4 permits remote attackers to inject arbitrary JavaScript into dynamically generated web pages, enabling session hijacking, credential theft, and malware distribution against users viewing affected pages. The vulnerability stems from improper input neutralization during calculation field rendering, affecting all installations running Calculation Fields 0.0.0 through 1.0.3. No public exploit code or active exploitation has been confirmed at time of analysis.
XSS
-
CVE-2026-3527
MEDIUM
CVSS 6.5
Drupal AJAX Dashboard versions before 3.1.0 fail to enforce authentication on critical AJAX endpoints, allowing unauthenticated remote attackers to bypass access controls and invoke privileged dashboard functions. The vulnerability affects all versions from 0.0.0 through 3.1.0 (exclusive) and is categorized as a Missing Authentication for Critical Function (CWE-306). No public exploit code or active exploitation via CISA KEV has been confirmed at time of analysis, but the authentication bypass nature of this defect presents significant risk to installations relying on dashboard security.
Authentication Bypass
-
CVE-2026-3526
MEDIUM
CVSS 5.3
Forceful browsing attacks in Drupal File Access Fix (deprecated) versions below 1.2.0 allow unauthenticated remote attackers to bypass file access controls and retrieve unauthorized files through direct path enumeration. The vulnerability stems from incorrect authorization validation in the deprecated module (cpe:2.3:a:drupal:file_access_fix_(deprecated):*:*:*:*:*:*:*:*), affecting all versions from 0.0.0 through 1.1.x. No public exploit code or active exploitation has been identified at time of analysis, but the deprecated status and widespread use of Drupal installations increase real-world risk exposure.
Authentication Bypass
-
CVE-2026-3525
MEDIUM
CVSS 5.3
Forceful browsing via incorrect authorization in Drupal File Access Fix (deprecated) module versions prior to 1.2.0 allows unauthenticated remote attackers to access files without proper access control checks. The vulnerability stems from CWE-863 (Incorrect Authorization) and affects all versions from 0.0.0 through 1.2.0. No public exploit code or active exploitation has been confirmed at the time of analysis, but the straightforward nature of authorization bypass attacks in file access contexts presents moderate real-world risk to installations still running deprecated versions of this module.
Authentication Bypass
-
CVE-2026-3190
MEDIUM
CVSS 4.3
Keycloak's User-Managed Access (UMA) 2.0 Protection API fails to enforce role-based access control on the permission tickets endpoint, allowing any authenticated user with a resource server client token to enumerate all permission tickets regardless of authorization level. This information disclosure vulnerability affects Red Hat Build of Keycloak across multiple versions and requires valid authentication to exploit, posing a moderate risk to multi-tenant environments where ticket enumeration could expose sensitive access control data. No public exploit code has been identified at time of analysis.
Information Disclosure
-
CVE-2026-3121
MEDIUM
CVSS 6.5
Keycloak allows authenticated administrators with manage-clients permission to escalate privileges to manage-permissions level, enabling unauthorized control over roles, users, and administrative functions within a realm. Red Hat Build of Keycloak, JBoss Enterprise Application Platform 8, and Red Hat Single Sign-On 7 are affected when admin permissions are enabled at the realm level. The vulnerability requires high-privilege authentication but carries medium CVSS severity (6.5) due to confidentiality and integrity impact without availability compromise.
Privilege Escalation
-
CVE-2026-3116
MEDIUM
CVSS 4.9
Mattermost Plugins versions 11.4 and earlier fail to validate incoming request sizes on webhook endpoints, allowing authenticated attackers to trigger denial of service by sending oversized requests. The vulnerability affects multiple Mattermost release branches (10.x, 11.0.x, 11.1.x, 11.3.x) and has been assigned CVSS 4.9 (medium severity) with no public exploit identified at time of analysis. While exploitability requires high-privilege authentication and manual intervention, the lack of request size enforcement on webhooks represents a fundamental input validation gap that could disrupt service availability in production environments.
Denial Of Service
-
CVE-2026-3115
MEDIUM
CVSS 4.3
Mattermost versions 11.2.x through 11.4.x fail to enforce view restrictions on group member endpoints, allowing authenticated guest users to enumerate user IDs beyond their authorized visibility scope. This authorization bypass requires valid credentials but enables attackers to discover internal user information through the group retrieval API. No patch is currently available for affected versions.
Authentication Bypass
-
CVE-2026-3114
MEDIUM
CVSS 6.5
Mattermost server versions 10.11.x through 11.4.x fail to validate decompressed archive entry sizes during ZIP file extraction, allowing authenticated users with file upload permissions to trigger denial of service by uploading crafted zip bombs that exhaust server memory. The vulnerability affects Mattermost 10.11.0-10.11.11, 11.2.0-11.2.3, 11.3.0-11.3.1, and 11.4.0, with CVSS 6.5 (medium) reflecting the requirement for prior authentication and limited scope (availability impact only). No public exploit identified at time of analysis, though the attack vector is network-accessible and requires low complexity once an attacker has valid upload credentials.
Denial Of Service
File Upload
-
CVE-2026-3113
MEDIUM
CVSS 5.0
Mattermost bulk export functionality fails to apply proper file permissions, allowing unprivileged local users on affected servers to read sensitive exported data. Mattermost versions 11.4.0, 11.3.x through 11.3.1, 11.2.x through 11.2.3, and 10.11.x through 10.11.11 are vulnerable (CVE-2026-3113, MMSA-2026-00593). An authenticated local attacker with login credentials can access bulk export files created by other users, leading to unauthorized information disclosure of potentially sensitive team and channel communications. No public exploit code has been identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog, though the vulnerability's automatable nature and low attack complexity warrant prompt patching.
Information Disclosure
-
CVE-2026-3112
MEDIUM
CVSS 6.8
Mattermost Advanced Logging configuration fails to properly validate file target paths, allowing authenticated system administrators to read arbitrary files from the host system during support packet generation. The vulnerability affects Mattermost versions 11.4.0 and earlier in the 11.4.x line, 11.3.1 and earlier in the 11.3.x line, 11.2.3 and earlier in the 11.2.x line, and 10.11.11 and earlier in the 10.11.x line. An authenticated administrator with access to Advanced Logging JSON configuration can craft a malicious configuration to traverse the filesystem and extract sensitive host files through the support packet mechanism. No public exploit code has been identified at time of analysis, though exploitation requires administrative privileges and is not automatable according to CISA SSVC assessment.
Path Traversal
-
CVE-2026-2436
MEDIUM
CVSS 6.5
libsoup's SoupServer contains a use-after-free vulnerability in the soup_server_disconnect() function, which frees connection objects while TLS handshakes are still pending; when a handshake completes after the object has been freed, a remote unauthenticated attacker can crash the server (denial of service). The vulnerability affects Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10, as well as Ubuntu and Debian distributions across multiple releases. No public exploit code or active exploitation has been confirmed at the time of analysis.
Denial Of Service
-
CVE-2026-2389
MEDIUM
CVSS 4.9
Stored Cross-Site Scripting in Complianz - GDPR/CCPA Cookie Consent plugin versions up to 7.4.4.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into WordPress pages via the `revert_divs_to_summary` function, which improperly converts HTML entities to unescaped characters without subsequent sanitization. The vulnerability requires both the Classic Editor plugin and authenticated user privileges, limiting exposure to internal threats. No public exploit identified at time of analysis, and CISA KEV status is not confirmed.
WordPress
XSS
-
CVE-2026-2272
MEDIUM
CVSS 4.3
A security vulnerability (CVSS 4.3); no further description is available in this entry. Remediation should follow standard vulnerability management procedures.
Buffer Overflow
Denial Of Service
Integer Overflow
-
CVE-2026-2100
MEDIUM
CVSS 5.3
p11-kit remote token handling fails to validate NULL derive mechanism parameters in C_DeriveKey operations, allowing unauthenticated remote attackers to trigger NULL pointer dereferences and undefined memory access in the RPC client layer. This denial-of-service vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and OpenShift Container Platform 4, with a CVSS score of 5.3 reflecting moderate availability impact. No public exploit identified at time of analysis.
IBM
Denial Of Service
Memory Corruption
-
CVE-2026-1986
MEDIUM
CVSS 6.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in FloristPress for Woo (BakkBone) plugin versions up to 7.8.2, where the 'noresults' parameter is insufficiently sanitized and escaped, allowing unauthenticated attackers to inject arbitrary JavaScript. An attacker can craft a malicious URL and trick users into clicking it, resulting in script execution within the victim's browser session with access to sensitive data and session tokens. The vulnerability requires user interaction (UI:R) but has a network attack vector with low complexity, and while no KEV or confirmed active exploitation data is available in the provided intelligence, Wordfence has documented the issue with references to vulnerable code locations.
WordPress
XSS
-
CVE-2026-1890
MEDIUM
CVSS 5.3
The LeadConnector WordPress plugin before version 3.0.22 contains an authorization bypass vulnerability in a REST API endpoint, allowing unauthenticated attackers to overwrite existing data without authentication. This vulnerability affects an unknown vendor's LeadConnector product and has a publicly available proof-of-concept exploit, making it actively exploitable. The vulnerability enables unauthorized data manipulation, which could compromise business data integrity and customer information stored within the plugin.
WordPress
Information Disclosure
-
CVE-2026-1556
MEDIUM
CVSS 6.9
Drupal File (Field) Paths module 7.x prior to 7.1.3 allows authenticated users to disclose other users' private files through filename-collision uploads that manipulate file URI processing, causing hook_node_insert() consumers such as email attachment modules to access incorrect file URIs and bypass access controls on sensitive files. The vulnerability affects the Drupal File (Field) Paths package as confirmed via CPE cpe:2.3:a:drupal:drupal_file_(field)_paths:*:*:*:*:*:*:*:*. No public exploit code or active exploitation data has been identified at the time of analysis.
Information Disclosure
Redhat
-
CVE-2026-1430
MEDIUM
CVSS 4.8
WP Lightbox 2 WordPress plugin before version 3.0.7 contains a Stored Cross-Site Scripting (XSS) vulnerability in its settings due to insufficient input sanitization and output escaping. High-privilege users, particularly administrators, can inject malicious JavaScript that persists in the database and executes in the browsers of other users, even in multisite installations where the unfiltered_html capability is restricted. A publicly available proof-of-concept demonstrates active exploitation potential, making this a practical threat in WordPress environments.
WordPress
XSS
-
CVE-2026-1206
MEDIUM
CVSS 4.3
The Elementor Website Builder plugin for WordPress contains an authorization bypass vulnerability in the is_allowed_to_read_template() function that incorrectly permits authenticated users with contributor-level privileges to read private and draft template content. Attackers can exploit this through the 'get_template_data' action of the 'elementor_ajax' endpoint by supplying a 'template_id' parameter, resulting in exposure of sensitive template information. The vulnerability affects all versions up to and including 3.35.7 with a CVSS score of 4.3 (low-to-moderate severity) and requires low-complexity exploitation with authenticated access.
WordPress
Information Disclosure
Authentication Bypass
-
CVE-2026-1032
MEDIUM
CVSS 4.3
Unauthenticated attackers can modify conditional menu assignments in the Conditional Menus WordPress plugin (versions up to 1.2.6) through cross-site request forgery attacks by exploiting missing nonce validation in the save_options function. An attacker can trick site administrators into clicking a malicious link to alter menu configurations without their knowledge. No patch is currently available for this vulnerability.
WordPress
CSRF
-
CVE-2026-0967
MEDIUM
CVSS 5.5
libssh's match_pattern() function is vulnerable to ReDoS (Regular Expression Denial of Service) attacks when processing maliciously crafted hostnames in client configuration or known_hosts files, allowing local attackers with limited privileges and user interaction to trigger inefficient regex backtracking that exhausts system resources and causes client-side timeouts. The vulnerability affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4, with CVSS 2.2 reflecting low severity due to local attack vector and high complexity requirements, though the denial of service impact warrants attention in environments where SSH client availability is critical.
Denial Of Service
-
CVE-2026-0966
MEDIUM
CVSS 6.5
Improper handling of zero-length input in the libssh ssh_get_hexa() function enables remote denial of service against SSH daemons with GSSAPI authentication enabled and packet-level logging active (SSH_LOG_PACKET or higher verbosity). Unauthenticated remote attackers can trigger a per-connection daemon process crash by sending specially crafted GSSAPI authentication packets containing malformed OID data, affecting Red Hat Enterprise Linux versions 6 through 10 and OpenShift Container Platform 4. CVSS 6.5 (network-accessible, low complexity, partial integrity and availability impact); no public exploit code or active exploitation confirmed at time of analysis.
Information Disclosure
-
CVE-2026-0964
MEDIUM
CVSS 5.0
SCP client implementations across Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 are vulnerable to path traversal during file transfer, allowing a malicious SCP server to write files outside the designated working directory and potentially execute arbitrary code or modify system configuration. This vulnerability mirrors CVE-2019-6111 in OpenSSH; unauthenticated remote attackers can exploit it with high user interaction (the victim must initiate an SCP connection to a malicious server), resulting in confidentiality, integrity, and availability compromise. No public exploit code or active exploitation has been confirmed at the time of analysis.
Ssh
Path Traversal
-
CVE-2026-0748
MEDIUM
CVSS 5.3
The Drupal 7 Internationalization (i18n) module's i18n_node submodule allows authenticated users holding both 'Translate content' and 'Administer content translations' permissions to bypass access controls and view unpublished node titles and IDs through the translation user interface and autocomplete functionality. Affected versions range from 7.x-1.0 through 7.x-1.35. No public exploit code or active exploitation has been confirmed at the time of analysis.
Authentication Bypass
-
CVE-2025-55273
MEDIUM
CVSS 4.3
HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers to inject and execute malicious external scripts, enabling DOM tampering and theft of session credentials without user interaction. Affected versions include Aftermarket DPC 1.0.0. No public exploit code or active exploitation has been identified at time of analysis, though the attack vector is network-accessible and requires only user interaction (rendering this a moderate-impact integrity threat rather than a critical one).
Information Disclosure
Aftermarket Dpc
-
CVE-2025-55269
MEDIUM
CVSS 4.2
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks and guess user credentials, potentially gaining unauthorized account access with low confidentiality and availability impact. The vulnerability requires user interaction and high attack complexity to exploit, but affects unauthenticated threat actors over the network. No public exploit code or active exploitation has been identified at the time of analysis.
Authentication Bypass
Aftermarket Dpc
-
CVE-2025-55268
MEDIUM
CVSS 4.3
HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing resources, potentially causing denial of service to legitimate users. The vulnerability requires user interaction (UI:R per CVSS vector) and is remotely exploitable without authentication, resulting in partial availability impact. No public exploit code or active exploitation has been identified at time of analysis, though the low barrier to exploitation (AC:L) makes this a practical attack vector for resource exhaustion.
Denial Of Service
Aftermarket Dpc
-
CVE-2025-55267
MEDIUM
CVSS 5.7
HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434) that enables authenticated remote attackers to upload and execute arbitrary scripts on the affected server, potentially achieving full system compromise. The attack requires user interaction and low-privilege authentication but carries high integrity impact. No public exploit code or active exploitation has been confirmed; however, the vulnerability's straightforward exploitation mechanics and authenticated attack vector make it a moderate-priority issue for organizations deploying this software.
File Upload
Aftermarket Dpc
-
CVE-2025-55266
MEDIUM
CVSS 5.9
HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user sessions and perform unauthorized transactions without requiring valid credentials. The vulnerability exploits improper session management to allow an attacker to force a victim to use a predetermined session identifier, then leverage that session for fraudulent activity. This is a network-accessible flaw requiring user interaction (e.g., clicking a malicious link) but no prior authentication. No public exploit code or active exploitation has been identified at the time of analysis.
Authentication Bypass
Aftermarket Dpc
-
CVE-2025-55265
MEDIUM
CVSS 6.5
HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read sensitive files from the system without user interaction beyond a single click, potentially enabling reconnaissance for follow-on attacks. The vulnerability carries a CVSS score of 6.5 (Medium) with high confidentiality impact but no integrity or availability consequences. No public exploit code or active exploitation has been reported at the time of analysis.
Information Disclosure
Aftermarket Dpc
-
CVE-2025-55264
MEDIUM
CVSS 5.5
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain active sessions after a password change, enabling persistent account takeover. An attacker who gains initial session access can continue to operate under a compromised account identity even after the victim resets their password, as the application fails to terminate pre-existing sessions upon credential modification. No public exploit code or active exploitation has been identified at time of analysis.
Authentication Bypass
Session Fixation
Aftermarket Dpc
-
CVE-2025-41027
MEDIUM
CVSS 5.1
GDTaller allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through reflected cross-site scripting (XSS) via the 'site' parameter in app_recuperarclave.php. The vulnerability affects all versions of GDTaller (version 0 and beyond) and has been assigned a CVSS 4.0 base score of 5.1 with limited scope impact. A vendor patch is available from INCIBE, and exploitation requires user interaction (UI:A) but presents moderate risk due to the network-accessible attack surface and low technical complexity.
XSS
PHP
-
CVE-2025-41026
MEDIUM
CVSS 5.1
GDTaller is vulnerable to reflected cross-site scripting (XSS) in the app_login.php file, specifically through the 'site' parameter, allowing unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs. The vulnerability affects GDTaller versions prior to an unspecified patch release and carries a CVSS 5.1 score reflecting low immediate confidentiality impact but limited scope and user interaction requirement. A vendor patch is available from INCIBE, though no public exploit code has been identified at time of analysis.
XSS
PHP
-
CVE-2025-15488
MEDIUM
CVSS 6.5
The Responsive Plus WordPress plugin before version 3.4.3 contains an arbitrary shortcode execution vulnerability that allows unauthenticated attackers to execute malicious shortcodes through the update_responsive_woo_free_shipping_left_shortcode AJAX action. The vulnerability stems from improper validation of the content_rech_data parameter before processing it as a shortcode, effectively enabling remote code execution in the context of the WordPress installation. A public proof-of-concept exploit is available via WPScan, and this vulnerability poses an immediate threat to all unpatched installations of the affected plugin versions.
WordPress
RCE
PHP
-
CVE-2025-15433
MEDIUM
CVSS 6.8
The Shared Files WordPress plugin before version 1.7.58 contains a path traversal vulnerability that allows attackers with Contributor-level privileges or higher to download arbitrary files from the web server, including sensitive configuration files such as wp-config.php. A public proof-of-concept exploit is available, making this vulnerability actively exploitable in the wild. This represents a critical information disclosure risk affecting WordPress installations using affected versions of the plugin.
WordPress
PHP
Path Traversal
-
CVE-2026-33644
LOW
CVSS 2.3
DNS rebinding bypasses SSRF protection in Lychee photo-management tool versions prior to 7.5.2, allowing authenticated remote attackers to access restricted internal resources by providing domain names instead of IP addresses to the photo URL import feature. The vulnerability exploits a logic flaw in PhotoUrlRule.php where hostname validation only applies to IP addresses, leaving domain-based requests unvalidated. Vendor-released patch available (version 7.5.2); no public exploit identified at time of analysis.
SSRF
PHP
-
CVE-2026-33402
LOW
CVSS 1.3
Sakai Collaboration and Learning Environment versions 23.0-23.4 and 25.0-25.1 fail to sanitize group titles and descriptions, permitting stored cross-site scripting (XSS) attacks that execute in the browsers of users viewing affected group metadata. Authenticated users with group creation or modification privileges can inject malicious scripts that persist in the SAKAI_SITE_GROUP table and execute when other users access group information, compromising session security and enabling credential theft or unauthorized actions within the Sakai environment. Vendor-released patches are available in versions 23.5 and 25.2; no active exploitation has been reported, but the low CVSS score (1.3) reflects minimal baseline impact rather than true severity, given the requirement for user interaction (UI:P) and limited scope of harm (SC:L, SI:L) as documented in the CVSS:4.0 vector.
XSS
-
CVE-2026-23398
None
Linux kernel ICMP tag validation routines fail to check for NULL protocol handler pointers before dereferencing them, causing kernel panics in softirq context when processing fragmentation-needed errors with unregistered protocol numbers and ip_no_pmtu_disc hardened mode enabled. The vulnerability affects multiple Linux kernel versions across stable branches (6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc5), with an EPSS score of 0.02% (7th percentile) indicating low real-world exploitation probability. No public exploit code or active exploitation has been confirmed; the fix requires adding a NULL pointer check in icmp_tag_validation() before accessing icmp_strict_tag_validation.
Linux
Linux Kernel
Denial Of Service
Null Pointer Dereference
Debian
-
CVE-2026-23397
None
Linux kernel nfnetlink_osf module fails to validate TCP option lengths in OS fingerprint definitions, allowing null pointer dereference and out-of-bounds memory reads when processing packets with malformed or missing TCP options. The vulnerability affects Linux kernel versions across multiple stable branches (6.1.x through 6.19.x and 7.0-rc5), with EPSS score of 0.02% indicating low practical exploitation probability despite the memory safety issue. No public exploit code or active exploitation has been reported.
Linux Kernel
Linux
Denial Of Service
Null Pointer Dereference
Buffer Overflow
-
CVE-2026-23396
None
Linux kernel mac80211 mesh networking crashes on NULL pointer dereference when processing Channel Switch Announcement (CSA) action frames lacking Mesh Configuration IE, allowing adjacent WiFi attackers to trigger kernel panic (DoS) via crafted frames. Affects multiple stable kernel versions (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0-rc5 and earlier); EPSS exploitation probability is 0.02% (low), no public exploit identified, and upstream fixes are available across all affected release branches.
Linux
Linux Kernel
Denial Of Service
Null Pointer Dereference
Debian
-
CVE-2026-4874
LOW
CVSS 3.1
An SSRF vulnerability (CVSS 3.1); no further description is available in this entry. Remediation should follow standard vulnerability management procedures.
SSRF
Information Disclosure
-
CVE-2026-3109
LOW
CVSS 2.2
Mattermost Plugins versions 11.4 and earlier, including 10.11.11.0, fail to validate webhook request timestamps, enabling attackers with high privileges to replay webhook requests and corrupt Zoom meeting state within Mattermost deployments. The vulnerability carries a CVSS score of 2.2 with low attack complexity but requires high-privilege authentication; no public exploit has been identified at time of analysis, and CISA has not flagged this for active exploitation.
Information Disclosure
-
CVE-2026-2271
LOW
CVSS 3.3
GIMP's PSP file parser fails to validate 32-bit length values in the read_creator_block() function, allowing local attackers to trigger integer overflow and heap buffer overflow via specially crafted PSP image files, resulting in application-level denial of service. Red Hat Enterprise Linux versions 6-9, Ubuntu (7 releases), Debian (9 releases), and SUSE are affected. No public exploit code or active exploitation has been identified at the time of analysis, though the vulnerability has been assigned ENISA EUVD ID EUVD-2026-16340 and tracked across major Linux distributions.
Buffer Overflow
Denial Of Service
Integer Overflow
-
CVE-2026-2239
LOW
CVSS 2.8
GIMP's PSD file parser crashes when processing specially crafted Photoshop documents due to improper null-termination in the fread_pascal_string function, allowing local authenticated users to trigger a denial of service. The vulnerability affects GIMP across Red Hat Enterprise Linux 7, 8, and 9, as well as multiple Debian and Ubuntu releases tracked by their respective security teams. While the CVSS score is low (2.8), the widespread distribution across major Linux vendors and confirmed advisory issuance from Red Hat, Debian, and SUSE indicates this merits coordinated patching despite limited exploitability constraints.
Buffer Overflow
Denial Of Service
-
CVE-2026-0965
LOW
CVSS 3.3
libssh attempts to open arbitrary files during configuration parsing, allowing local attackers with limited privileges to trigger a denial of service by forcing access to dangerous files such as block devices or large system files. The vulnerability affects Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10, as well as Red Hat OpenShift Container Platform 4, and requires local access with low privileges to exploit. No public exploit code or active exploitation has been confirmed at the time of analysis.
Denial Of Service
-
CVE-2025-55277
LOW
CVSS 2.6
HCL Aftermarket DPC version 1.0.0 contains outdated or vulnerable dependencies (CWE-1104) that expose the application to known public exploits, enabling authenticated attackers with low privileges to obtain limited information disclosure. The vulnerability requires user interaction and carries a low CVSS score of 2.6, but represents a supply chain risk where publicly available exploits targeting the embedded libraries could be weaponized against deployments. No public exploit code has been independently confirmed, and CISA has not flagged this for active exploitation.
Information Disclosure
Aftermarket Dpc
-
CVE-2025-55276
LOW
CVSS 3.1
HCL Aftermarket DPC version 1.0.0 discloses internal IP addresses to unauthenticated remote attackers via a high-complexity attack vector requiring user interaction, enabling network reconnaissance but causing no direct confidentiality, integrity, or availability impact. No public exploit code has been identified; CISA has not flagged this vulnerability as actively exploited. While the CVSS score of 3.1 (low) reflects minimal immediate risk, the information disclosure enables attackers to map organizational network topology for follow-on attacks.
Information Disclosure
Aftermarket Dpc
-
CVE-2025-55275
LOW
CVSS 3.7
HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated attackers with low privileges to hijack or impersonate administrator sessions through exploitation of improper concurrent session handling. The vulnerability requires user interaction and has moderate attack complexity, resulting in partial confidentiality and availability impact. No public exploit has been identified at time of analysis, and CISA has not listed this in the KEV catalog, indicating limited real-world exploitation pressure despite the administrative access implications.
Information Disclosure
Aftermarket Dpc
-
CVE-2025-55274
LOW
CVSS 2.6
HCL Aftermarket DPC version 1.0.0 contains a Cross-Origin Resource Sharing (CORS) misconfiguration that permits authenticated attackers with low privileges to access sensitive user information and potentially perform unauthorized actions on behalf of legitimate users through browser-based attacks. The vulnerability requires user interaction (such as social engineering to visit a malicious webpage) and operates within a single security context, limiting its scope to confidentiality impact with no integrity or availability consequences. No public exploit code has been identified at the time of analysis, and the low CVSS score of 2.6 reflects the high attack complexity and limited practical exploitability despite the theoretical risk of data exposure.
Information Disclosure
Authentication Bypass
Aftermarket Dpc
-
CVE-2025-55272
LOW
CVSS 3.1
HCL Aftermarket DPC discloses sensitive system and software version information through banner responses, enabling attackers to enumerate deployed instances and tailor version-specific exploits. Aftermarket DPC version 1.0.0 is confirmed affected. The vulnerability requires user interaction and high attack complexity but results in partial confidentiality loss; no public exploit has been identified at the time of analysis.
Information Disclosure
Aftermarket Dpc
-
CVE-2025-55271
LOW
CVSS 3.1
HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or commands into HTTP responses, potentially leading to content spoofing or further exploitation depending on application response handling. The vulnerability affects Aftermarket DPC version 1.0.0 and requires user interaction to exploit. No public exploit identified at time of analysis, and exploitation is not currently automatable according to CISA SSVC assessment, resulting in a low real-world risk profile despite the injection vector.
Code Injection
Aftermarket Dpc
-
CVE-2025-55270
LOW
CVSS 3.5
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vectors, including Cross-Site Scripting (XSS), SQL Injection, and Command Injection. Authenticated attackers can exploit this vulnerability to inject and execute arbitrary code within the application context. No public exploit code or active exploitation has been identified at time of analysis, and the low CVSS score of 3.5 reflects limited confidentiality impact with user interaction required.
XSS
SQLi
Command Injection
Aftermarket Dpc