Skip to main content
CVE-2026-28298 MEDIUM This Month

SolarWinds Observability Self-Hosted versions 2026.1.1 and earlier contain a stored cross-site scripting (XSS) vulnerability that permits authenticated high-privilege users to inject malicious scripts into the application, resulting in unintended script execution when other users access affected pages. The vulnerability requires high privilege level and user interaction to exploit, limiting real-world attack surface; no public exploit code or active exploitation has been identified at the time of analysis.

XSS Solarwinds Observability Self Hosted
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-4833 LOW POC Monitor

Uncontrolled recursion in the Markdown Handler component of Orc discount up to version 3.0.1.2 causes denial of service through malformed deeply-nested blockquote inputs, affecting local users who process untrusted markdown files. Public exploit code exists for this vulnerability, and no patch is currently available. The issue requires local access and low privileges to trigger but can crash the application.

Denial Of Service Discount
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-55266 MEDIUM This Month

HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user sessions and perform unauthorized transactions without requiring valid credentials. The vulnerability exploits improper session management to allow an attacker to force a victim to use a predetermined session identifier, then leverage that session for fraudulent activity. This is a network-accessible flaw requiring user interaction (e.g., clicking a malicious link) but no prior authentication. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Aftermarket Dpc
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-33729 MEDIUM PATCH This Month

OpenFGA's condition-based caching mechanism can generate identical cache keys for different authorization check requests, allowing attackers to bypass access controls by triggering cache reuse of previously evaluated decisions. This affects deployments with relations that evaluate conditions and have caching enabled. Organizations should upgrade to OpenFGA v1.13.1 to remediate the cache poisoning vulnerability.

Information Disclosure Suse
NVD GitHub
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-33542 MEDIUM PATCH GHSA This Month

Incus versions prior to 6.23.0 fail to validate image fingerprints when downloading from simplestreams servers, enabling attackers with local privileges to poison the image cache and potentially cause other tenants to execute attacker-controlled container or virtual machine images instead of legitimate ones. The vulnerability requires local authentication and specific conditions but carries high integrity impact in multi-tenant environments; no active exploitation has been confirmed.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.0%
CVE-2025-55267 MEDIUM This Month

HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434) that enables authenticated remote attackers to upload and execute arbitrary scripts on the affected server, potentially achieving full system compromise. The attack requires user interaction and low-privilege authentication but carries high integrity impact. No public exploit code or active exploitation has been confirmed; however, the vulnerability's straightforward exploitation mechanics and authenticated attack vector make it a moderate-priority issue for organizations deploying this software.

File Upload Aftermarket Dpc
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-0967 MEDIUM PATCH This Month

libssh's match_pattern() function is vulnerable to ReDoS (Regular Expression Denial of Service) attacks when processing maliciously crafted hostnames in client configuration or known_hosts files, allowing local attackers with limited privileges and user interaction to trigger inefficient regex backtracking that exhausts system resources and causes client-side timeouts. The vulnerability affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4, with CVSS 2.2 reflecting low severity due to local attack vector and high complexity requirements, though the denial of service impact warrants attention in environments where SSH client availability is critical.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-28503 MEDIUM PATCH This Month

Tandoor Recipes versions prior to 2.6.0 allow authenticated admin users to bypass space isolation controls and trigger synchronization operations on Sync configurations belonging to other organizational spaces, exposing the ability to initiate Dropbox, Nextcloud, or local imports outside the attacker's own space and access resulting sync logs. The vulnerability stems from missing space validation in the `SyncViewSet.query_synced_folder()` API endpoint, enabling horizontal privilege escalation across multi-tenant deployments. No public exploit code has been identified at the time of analysis.

Authentication Bypass Recipes
NVD GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-23398 MEDIUM PATCH This Month

Linux kernel ICMP tag validation routines fail to check for NULL protocol handler pointers before dereferencing them, causing kernel panics in softirq context when processing fragmentation-needed errors with unregistered protocol numbers and ip_no_pmtu_disc hardened mode enabled. The vulnerability affects multiple Linux kernel versions across stable branches (6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc5), with an EPSS score of 0.02% (7th percentile) indicating low real-world exploitation probability. No public exploit code or active exploitation has been confirmed; the fix requires adding a NULL pointer check in icmp_tag_validation() before accessing icmp_strict_tag_validation.

Linux Denial Of Service Null Pointer Dereference Canonical
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23396 MEDIUM PATCH This Month

Linux kernel mac80211 mesh networking crashes on NULL pointer dereference when processing Channel Switch Announcement (CSA) action frames lacking Mesh Configuration IE, allowing adjacent WiFi attackers to trigger kernel panic (DoS) via crafted frames. Affects multiple stable kernel versions (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0-rc5 and earlier); EPSS exploitation probability is 0.02% (low), no public exploit identified, and upstream fixes are available across all affected release branches.

Linux Denial Of Service Null Pointer Dereference Canonical Red Hat
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27828 MEDIUM PATCH This Month

EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_chargerImpl::handle_session_setup function that crashes the EVSE process when session setup commands are issued after ISO15118 initialization failure. Remote attackers with MQTT access can trigger this denial of service condition by sending a crafted session_setup command, causing the process to reference freed memory (v2g_ctx). A vendor-released patch is available in version 2026.02.0.

Use After Free Denial Of Service Memory Corruption Everest Core
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-27816 MEDIUM PATCH This Month

EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handle_update_energy_transfer_modes function, where variable-length MQTT command payloads are copied into a fixed-size 6-element array without bounds checking. When schema validation is disabled by default, oversized payloads trigger memory corruption that can crash the EV charging service or corrupt adjacent EVSE (Electric Vehicle Supply Equipment) state, affecting the integrity and availability of EV charging infrastructure. No public exploit code has been identified at the time of analysis, but the vulnerability is patched in version 2026.02.0.

Buffer Overflow Memory Corruption Everest Core
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-27815 MEDIUM PATCH This Month

Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corrupt EVSE state or crash the charging process by sending oversized MQTT command payloads that bypass disabled schema validation. The ISO15118_chargerImpl::handle_session_setup function copies variable-length payment_options lists into a fixed 2-element array without bounds checking, exposing a CWE-787 buffer overflow vulnerability with availability and integrity impact. No public exploit code has been identified at time of analysis.

Buffer Overflow Memory Corruption Everest Core
NVD GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4897 MEDIUM PATCH This Month

Polkit's polkit-agent-helper-1 setuid binary fails to bound input length on stdin, allowing local authenticated users to trigger out-of-memory conditions and deny system availability. An attacker with local login privileges can supply excessively long input to exhaust memory resources, causing a system-wide denial of service. No public exploit code or active exploitation has been confirmed at the time of analysis.

Denial Of Service Polkit Openshift Container Platform Enterprise Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-55264 MEDIUM This Month

Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain active sessions after a password change, enabling persistent account takeover. An attacker who gains initial session access can continue to operate under a compromised account identity even after the victim resets their password, as the application fails to terminate pre-existing sessions upon credential modification. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Session Fixation Aftermarket Dpc
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-34071 MEDIUM This Month

Stirling-PDF version 2.7.3 fails to sanitize HTML content from email bodies in the /api/v1/convert/eml/pdf endpoint when the downloadHtml=true parameter is set, allowing unauthenticated remote attackers to inject and execute arbitrary JavaScript code. An attacker can craft a malicious email that, when processed by a Stirling-PDF user through the 'Download HTML intermediate file' feature, executes JavaScript in the user's browser context with access to local data and session tokens. Proof-of-concept code has been demonstrated, and the vendor released version 2.8.0 to address the vulnerability.

XSS Stirling Pdf
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4335 MEDIUM This Month

The ShortPixel Image Optimizer WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 6.4.3, affecting the getEditorPopup() function and media-popup.php template. Authenticated attackers with Author-level permissions can inject arbitrary JavaScript into attachment post titles via the REST API, which executes when administrators open the ShortPixel AI editor popup for the poisoned attachment. This vulnerability has a CVSS score of 5.4 (moderate severity) and requires user interaction from a higher-privileged administrator to trigger, limiting its immediate exploitation scope but still presenting a meaningful privilege escalation risk in multi-author WordPress environments.

WordPress PHP XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33742 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Invoice Ninja v5.13.0 through v5.13.3 allows authenticated attackers with product notes field access to inject and execute arbitrary JavaScript in invoice templates via unvalidated Markdown rendering. The vulnerability affects all Invoice Ninja instances running affected versions where the Markdown parser output bypasses HTML sanitization, enabling session hijacking, credential theft, or malicious template manipulation for other users viewing invoices. A vendor-released patch (v5.13.4) addresses this by implementing purify::clean() sanitization on Markdown output.

XSS Invoiceninja
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21724 MEDIUM PATCH This Month

Grafana OSS provisioning contact points API fails to enforce the alert.notifications.receivers.protected:write permission, allowing users with the Editor role to modify protected webhook URLs and bypass intended authorization controls. This affects Grafana OSS versions 11.6.9 through 11.6.14, 12.1.5 through 12.1.10, 12.2.2 through 12.2.8, and 12.3.1 through 12.3.6. Authenticated Editor-level users can exploit this to reconfigure webhook destinations, potentially redirecting alert notifications to attacker-controlled endpoints. No public exploit identified at time of analysis.

Grafana Authentication Bypass
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4274 MEDIUM PATCH This Month

Mattermost versions 11.2.x through 11.2.2, 10.11.x through 10.11.10, 11.4.0, and 11.3.x through 11.3.1 fail to properly restrict team-level access during remote cluster membership synchronization, allowing a malicious remote cluster to grant users access to entire private teams rather than limiting access to only shared channels. An authenticated attacker controlling a federated remote cluster can send crafted membership sync messages to trigger unintended team membership assignment, resulting in unauthorized access to private team resources. The EPSS score of 0.03% (percentile 7%) indicates low real-world exploitation probability, and no public exploit code has been identified at time of analysis.

Mattermost Privilege Escalation Debian
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34051 MEDIUM This Month

OpenEMR versions prior to 8.0.0.3 contain an improper access control vulnerability in the Import/Export functionality that allows authenticated users to bypass UI restrictions and perform unauthorized import and export operations through direct request manipulation. An attacker with valid credentials can extract bulk patient data, access sensitive health records, or modify system data despite not having explicit permissions for these actions. The vulnerability requires valid authentication (PR:L in CVSS) but enables significant data exfiltration and integrity violations once access is obtained.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33887 MEDIUM PATCH This Month

Statamic CMS versions prior to 5.73.16 and 6.7.2 fail to enforce collection-level permissions on entry revision endpoints, allowing authenticated control panel users to view revisions and field data across any collection with revisions enabled regardless of their assigned permissions. The vulnerability also permits unauthenticated revision creation that snapshots existing content without modifying published entries. This represents a medium-severity authorization bypass affecting authenticated attackers with control panel access, with no public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33726 MEDIUM PATCH This Month

Cilium Network Policy enforcement is bypassed for traffic from pods to L7 Services with local backends on the same node when Per-Endpoint Routing is enabled and BPF Host Routing is disabled, allowing authenticated local attackers to circumvent ingress network policies and access restricted services. This affects Cilium v1.19.0-v1.19.1, v1.18.0-v1.18.7, and all versions prior to v1.17.13, with the most common vulnerable deployment being Amazon EKS with Cilium ENI mode. Vendor-released patches are available (v1.19.2, v1.18.8, v1.17.14), and no public exploit code has been identified at the time of analysis.

Microsoft Kubernetes Authentication Bypass Suse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4281 MEDIUM This Month

The FormLift for Infusionsoft Web Forms WordPress plugin contains a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to hijack the site's Infusionsoft OAuth connection. Affected versions through 7.5.21 fail to validate user authentication on critical OAuth handler methods, enabling attackers to intercept temporary OAuth credentials and inject arbitrary OAuth tokens and app domains via the update_option() function. This is a network-accessible, low-complexity vulnerability with no required privileges; while the CVSS score is moderate (5.3), the real-world impact is integrity compromise of the CRM integration layer, potentially affecting customer data flows and automation.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-33763 MEDIUM PATCH This Month

AVideo password verification API endpoint allows unauthenticated attackers to brute-force video access passwords at network speed with no rate limiting, enabling compromise of password-protected video content across the platform. The vulnerable endpoint pkg:composer/wwbn_avideo returns a boolean confirmation for any password guess without authentication, CAPTCHA, or throttling mechanisms, combined with plaintext password storage and loose equality comparison that further weakens defenses. Publicly available exploit code exists demonstrating rapid password enumeration against any video ID.

PHP Information Disclosure Oracle
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33761 MEDIUM PATCH This Month

Unauthenticated information disclosure in AVideo Scheduler plugin exposes internal infrastructure details, admin-composed email campaigns, and user targeting mappings through three unprotected list.json.php endpoints. Remote attackers without authentication can retrieve all scheduled task callbacks with internal URLs and parameters, complete email message bodies, and user-to-email relationships by issuing simple GET requests. A public proof-of-concept exists demonstrating the vulnerability; patch availability has been confirmed by the vendor.

PHP Information Disclosure SSRF
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33759 MEDIUM PATCH This Month

AVideo playlist video enumeration allows unauthenticated attackers to bypass authorization checks and directly access video contents from private playlists including watch_later and favorite lists via the playlistsVideos.json.php endpoint. Sequential playlist IDs enable trivial enumeration of all users' private viewing habits, favorites, and unlisted custom playlists without authentication. A publicly available proof-of-concept exists demonstrating the vulnerability, which affects WWBN AVideo via Composer package wwbn_avideo.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33766 MEDIUM PATCH This Month

PHP applications using the affected functions fail to re-validate redirect targets during HTTP requests, allowing attackers to bypass SSRF protections by chaining a legitimate public URL with a redirect to internal resources. An attacker can exploit this weakness in endpoints that fetch remote content after initial URL validation, potentially gaining access to private IP ranges and internal services. A patch is available.

SSRF PHP Microsoft
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-33537 MEDIUM PATCH This Month

Incomplete IP validation in Lychee's SSRF protection mechanism allows authenticated users to bypass all four security configuration settings by leveraging loopback and link-local addresses, enabling access to internal services. The vulnerability affects Lychee versions prior to 7.5.1 and requires prior authentication but carries low confidentiality impact. No public exploit code or active exploitation has been identified at time of analysis, though the attack vector is network-accessible and requires minimal complexity.

SSRF Lychee
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-0748 MEDIUM This Month

The Drupal 7 Internationalization (i18n) module's i18n_node submodule allows authenticated users holding both 'Translate content' and 'Administer content translations' permissions to bypass access controls and view unpublished node titles and IDs through the translation user interface and autocomplete functionality. Affected versions range from 7.x-1.0 through 7.x-1.35. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass Internationalization I18N I18N Node Submodule
NVD HeroDevs VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-29055 MEDIUM PATCH This Month

Tandoor Recipes versions prior to 2.6.0 fail to strip EXIF metadata from WebP and GIF image uploads, exposing sensitive information such as GPS coordinates, timestamps, and camera details to all users viewing shared recipes. This information disclosure vulnerability affects any user uploading recipe photos, particularly those using modern smartphones that default to WebP format. The vulnerability is fixed in version 2.6.0.

Information Disclosure Recipes
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3526 MEDIUM PATCH This Month

Forceful browsing attacks in Drupal File Access Fix (deprecated) versions below 1.2.0 allow unauthenticated remote attackers to bypass file access controls and retrieve unauthorized files through direct path enumeration. The vulnerability stems from incorrect authorization validation in the deprecated module (cpe:2.3:a:drupal:file_access_fix_(deprecated):*:*:*:*:*:*:*:*), affecting all versions from 0.0.0 through 1.1.x. No public exploit code or active exploitation has been identified at time of analysis, but the deprecated status and widespread use of Drupal installations increase real-world risk exposure.

Authentication Bypass File Access Fix Deprecated
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3525 MEDIUM PATCH This Month

Forceful browsing via incorrect authorization in Drupal File Access Fix (deprecated) module versions prior to 1.2.0 allows unauthenticated remote attackers to access files without proper access control checks. The vulnerability stems from CWE-863 (Incorrect Authorization) and affects all versions from 0.0.0 through 1.2.0. No public exploit code or active exploitation has been confirmed at the time of analysis, but the straightforward nature of authorization bypass attacks in file access contexts presents moderate real-world risk to installations still running deprecated versions of this module.

Authentication Bypass File Access Fix Deprecated
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27813 MEDIUM PATCH This Month

EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memory corruption, triggered by EV plug-in/unplug events and authorization flows (RFID, RemoteStart, OCPP). Unauthenticated physical attackers with high complexity can exploit this to leak sensitive information or cause denial of service on affected charging infrastructure. No public exploit identified at time of analysis.

Information Disclosure Memory Corruption Use After Free Everest Core
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33015 MEDIUM PATCH This Month

EVerest charging software stack versions prior to 2026.02.0 allow EV operators to bypass remote stop commands issued by a Charging Station Management System (CSMS) by toggling the EV's Battery Control Box (BCB), causing the EVSE to return to PrepareCharging state and restart charging sessions. This circumvents billing, operational, and safety controls enforced by remote stop functionality. A proof-of-concept exists and the vulnerability has been patched in version 2026.02.0, though the attack requires physical proximity to the charging equipment (CVSS attack vector: Physical).

Authentication Bypass Everest Core
NVD GitHub VulDB
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-33014 MEDIUM PATCH This Month

EVerest-core prior to version 2026.02.0 fails to properly terminate EV charging transactions during remote stop operations due to a delayed authorization response that incorrectly restores the authorized flag to true, allowing transactions to remain open even after a PowerOff event triggers stop_transaction(). This authentication bypass affects EV charging infrastructure and enables continued power delivery after an operator-initiated remote stop command. A proof-of-concept exists but no public confirmation of active exploitation has been identified.

Authentication Bypass Everest Core
NVD GitHub VulDB
CVSS 3.1
5.2
EPSS
0.0%
CVE-2025-41027 MEDIUM PATCH This Month

GDTaller allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through reflected cross-site scripting (XSS) via the 'site' parameter in app_recuperarclave.php. The vulnerability affects all versions of GDTaller (version 0 and beyond) and has been assigned a CVSS 4.0 base score of 5.1 with limited scope impact. A vendor patch is available from INCIBE, and exploitation requires user interaction (UI:A) but presents moderate risk due to the network-accessible attack surface and low technical complexity.

XSS PHP
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-41026 MEDIUM PATCH This Month

GDTaller is vulnerable to reflected cross-site scripting (XSS) in the app_login.php file, specifically through the 'site' parameter, allowing unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs. The vulnerability affects GDTaller versions prior to an unspecified patch release and carries a CVSS 5.1 score reflecting low immediate confidentiality impact but limited scope and user interaction requirement. A vendor patch is available from INCIBE, though no public exploit code has been identified at time of analysis.

XSS PHP
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-4346 MEDIUM PATCH This Month

Cleartext credential storage in TP-Link TL-WR850N v3 flash memory combined with weak serial interface authentication enables attackers with physical access to extract administrative and Wi-Fi credentials, leading to full device compromise and unauthorized network access. The vulnerability is addressed by a vendor patch, and exploitation requires physical proximity to the device's serial port with no public exploit code identified at time of analysis.

Authentication Bypass Tl Wr850N V3
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-33536 MEDIUM PATCH This Month

Stack buffer overflow in ImageMagick and Magick.NET due to incorrect pointer arithmetic on certain platforms allows local attackers to write one byte past allocated stack boundaries, causing denial of service. ImageMagick versions prior to 7.1.2-18 and 6.9.13-43, along with multiple Magick.NET NuGet packages, are affected. The vulnerability requires local access and specific platform conditions, but succeeds without user interaction.

Buffer Overflow Stack Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-29044 MEDIUM PATCH This Month

EVerest EV charging software before version 2026.02.0 fails to properly stop charging transactions when authorization withdrawal occurs before the TransactionStarted event, allowing attackers with high privileges to bypass deauthorization through precise timing and maintain unauthorized charging sessions. The vulnerability stems from incomplete StopTransaction handling in the Charging state, affecting IoT and Everest Core deployments with no currently available patch.

Authentication Bypass Everest Core
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-3113 MEDIUM PATCH This Month

Mattermost bulk export functionality fails to apply proper file permissions, allowing unprivileged local users on affected servers to read sensitive exported data. Mattermost versions 11.4.0, 11.3.x through 11.3.1, 11.2.x through 11.2.3, and 10.11.x through 10.11.11 are vulnerable (CVE-2026-3113, MMSA-2026-00593). An authenticated local attacker with login credentials can access bulk export files created by other users, leading to unauthorized information disclosure of potentially sensitive team and channel communications. No public exploit code has been identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog, though the vulnerability's automatable nature and low attack complexity warrant prompt patching.

Information Disclosure Mattermost
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-33531 MEDIUM PATCH This Month

InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authenticated staff users to read arbitrary files from the server filesystem through crafted template tags in the `encode_svg_image()`, `asset()`, and `uploaded_image()` functions. An attacker with staff privileges can exploit this to access sensitive files if the InvenTree installation runs with elevated host system permissions. Vendor-released patches are available in versions 1.2.6 and 1.3.0 or later; no public exploit code or active exploitation has been confirmed at this time.

Path Traversal SQLi Inventree
NVD GitHub
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-3116 MEDIUM This Month

Mattermost Plugins versions 11.4 and earlier fail to validate incoming request sizes on webhook endpoints, allowing authenticated attackers to trigger denial of service by sending oversized requests. The vulnerability affects multiple Mattermost release branches (10.x, 11.0.x, 11.1.x, 11.3.x) and has been assigned CVSS 4.9 (medium severity) with no public exploit identified at time of analysis. While exploitability requires high-privilege authentication and manual intervention, the lack of request size enforcement on webhooks represents a fundamental input validation gap that could disrupt service availability in production environments.

Denial Of Service Mattermost
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-2389 MEDIUM PATCH This Month

Stored Cross-Site Scripting in Complianz - GDPR/CCPA Cookie Consent plugin versions up to 7.4.4.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into WordPress pages via the `revert_divs_to_summary` function, which improperly converts HTML entities to unescaped characters without subsequent sanitization. The vulnerability requires both the Classic Editor plugin and authenticated user privileges, limiting exposure to internal threats. No public exploit identified at time of analysis, and CISA KEV status is not confirmed.

WordPress XSS
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-33738 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Lychee photo-management application versions prior to 7.5.3 allows unauthenticated remote attackers to execute arbitrary JavaScript through unsanitized photo description fields rendered in publicly accessible RSS, Atom, and JSON feed endpoints. The vulnerability stems from use of Blade's unescaped output syntax ({!! !!}) in feed templates, enabling malicious descriptions to inject executable scripts that execute in the context of any RSS reader or client consuming the feed.

XSS Lychee
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-33732 MEDIUM PATCH This Month

srvx's FastURL pathname parser on Node.js can be bypassed to circumvent route-based middleware (authentication guards, rate limiters) when absolute URIs with non-standard schemes are sent in raw HTTP requests. An attacker sending a crafted request like `GET file://hehe?/internal/run HTTP/1.1` can cause the router to match a different pathname than what downstream middleware sees after a deoptimization occurs, allowing access to protected endpoints. This affects srvx versions prior to 0.11.13, requires direct HTTP request capability (not browser-accessible), and has a CVSS score of 4.8 with medium complexity attack requirements. No public exploit identified at time of analysis.

Node.js Authentication Bypass
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-33916 MEDIUM PATCH This Month

Handlebars template engine fails to guard prototype-chain access when resolving partial templates, allowing unauthenticated remote attackers to inject unescaped HTML and JavaScript through prototype pollution. When Object.prototype is polluted with a string value matching a partial name referenced in a template, the malicious string is rendered without HTML escaping, resulting in reflected or stored XSS. Exploitation requires a separate prototype pollution vulnerability in the target application (such as via qs or minimist libraries) combined with knowledge of partial names used in templates; publicly available proof-of-concept code demonstrates the attack. The vulnerability affects npm package handlebars (pkg:npm/handlebars) across multiple versions and is distinct from earlier prototype-access issues CVE-2021-23369 and CVE-2021-23383.

XSS Red Hat
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-33711 MEDIUM PATCH This Month

Incus versions prior to 6.23.0 allow local authenticated attackers to manipulate temporary screenshot files via predictable /tmp paths and symlink attacks, potentially truncating and altering permissions of arbitrary files on systems with disabled symlink protection (rare), leading to denial of service or local privilege escalation. The vulnerability requires local access and authenticated user privileges but is particularly dangerous on systems without kernel-level symlink protections enabled. An exploit proof-of-concept exists, and the vendor has released patched version 6.23.0 to address the issue.

Linux Privilege Escalation Denial Of Service Red Hat Suse
NVD GitHub
CVSS 4.0
4.7
EPSS
0.0%
CVE-2026-33653 MEDIUM PATCH This Month

Stored XSS in Uploady file uploader (farisc0de/Uploady versions prior to 3.1.2) allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by uploading files with malicious filenames that are rendered without proper escaping in file list and details pages. The vulnerability requires user interaction (viewing the affected page) and authenticated access, resulting in confidentiality and integrity impact with a CVSS score of 4.6. Vendor-released patch version 3.1.2 is available.

XSS File Upload Uploady
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
Prev Page 5 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy