Skip to main content
CVE-2026-25099 HIGH POC PATCH This Week

Remote code execution in Bludit CMS versions prior to 3.18.4 allows authenticated attackers holding valid API tokens to upload and execute arbitrary files through the API plugin's unrestricted file upload mechanism. The vulnerability has a CVSS 4.0 score of 8.7 with network attack vector and low complexity, requires authenticated access (PR:L), and was reported by CERT-PL. No public exploit identified at time of analysis, though the technical details are publicly disclosed.

RCE File Upload Bludit
NVD GitHub Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-34046 HIGH PATCH This Week

{flow_id} endpoints. The vulnerability affects both the langflow and langflow-base Python packages, enabling attackers with valid credentials to exfiltrate sensitive data (including plaintext API keys embedded in flows), tamper with AI agent logic, or destroy other users' workflows. A vendor-released patch (PR #8956) is available. No public exploit code identified at time of analysis, though the vulnerability is straightforward to exploit given the clear description and patch differential in the advisory.

Authentication Bypass
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-32678 HIGH This Week

BUFFALO Wi-Fi router products allow unauthenticated remote attackers to bypass authentication mechanisms and modify critical configuration settings without valid credentials. This CWE-288 authentication bypass vulnerability affects BUFFALO Wi-Fi router product lines (CVSS 7.5, High severity) and enables complete compromise of device integrity. No public exploit identified at time of analysis, though the network-accessible attack surface and low complexity (AV:N/AC:L/PR:N) increase exposure risk for internet-facing devices.

Authentication Bypass Buffalo Wi Fi Router Products
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-26061 HIGH PATCH GHSA This Week

Fleet server memory exhaustion via unbounded request bodies allows unauthenticated denial-of-service against multiple HTTP endpoints. The vulnerability affects Fleet v4 (github.com/fleetdm/fleet/v4) and was responsibly disclosed by @fuzzztf. Attackers can exhaust available memory and force server restarts by sending oversized or repeated HTTP requests to unauthenticated endpoints lacking size limits. No public exploit identified at time of analysis, though the attack mechanism is straightforward given the CWE-770 resource allocation vulnerability class.

Privilege Escalation Information Disclosure Authentication Bypass Nginx Denial Of Service +1
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-32669 HIGH This Week

BUFFALO Wi-Fi router products allow remote code execution through a code injection vulnerability requiring user interaction. An unauthenticated attacker (CVSS PR:N) can execute arbitrary code on affected devices with high impact to confidentiality, integrity, and availability (CVSS 8.8). The vulnerability was disclosed through JVN and BUFFALO's official advisory, with no public exploit identified at time of analysis.

RCE Code Injection Buffalo Wi Fi Router Products
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-27650 HIGH This Week

Remote OS command injection in BUFFALO Wi-Fi router products allows unauthenticated attackers to execute arbitrary operating system commands with user interaction required. The vulnerability affects multiple BUFFALO Wi-Fi router models as confirmed by CPE designation and carries a CVSS score of 8.8 (High severity). While attack complexity is low and no privileges are required, successful exploitation depends on user interaction, reducing immediate attack surface. No public exploit identified at time of analysis, and exploitation probability metrics are not available in provided intelligence.

Command Injection Buffalo Wi Fi Router Products
NVD
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-33280 HIGH This Week

BUFFALO Wi-Fi router products contain hidden debugging functionality that permits authenticated attackers with high-level privileges to execute arbitrary operating system commands remotely. The vulnerability affects an unspecified range of BUFFALO's router lineup and carries a CVSS score of 7.2, requiring high privileges (PR:H) but low attack complexity over the network. No public exploit identified at time of analysis, and EPSS data is not provided in available intelligence.

Information Disclosure Buffalo Wi Fi Router Products
NVD
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-33955 HIGH PATCH This Week

Cross-site scripting in Notesnook Web/Desktop versions prior to 3.3.11 escalates to remote code execution when combined with the application's backup restore feature. The vulnerability triggers when attacker-controlled note headers render through unsafe `dangerouslySetInnerHTML` in the history comparison viewer, exploiting Electron's `nodeIntegration: true` and `contextIsolation: false` configuration to execute arbitrary code on victim systems. Attack requires local access and user interaction (CVSS AV:L/UI:R), but no authentication (PR:N). Vendor-released patch available in version 3.3.11; no public exploit or active exploitation confirmed at time of analysis.

RCE XSS Notesnook Web Desktop
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-22742 HIGH PATCH GHSA This Week

Server-Side Request Forgery in Spring AI Bedrock Converse module enables unauthenticated remote attackers to force the application server to issue HTTP requests to arbitrary internal or external destinations by supplying malicious media URLs in multimodal messages. Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3 are affected. The vulnerability carries a CVSS score of 8.6 with high confidentiality impact and changed scope, indicating potential access to internal network resources. No public exploit identified at time of analysis.

Java SSRF
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-33953 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass IP-based blocklist protections and access internal-only resources through hostname resolution. Attackers with low-privilege accounts can leverage this to probe internal network services, exfiltrate sensitive data from internal APIs, or pivot to otherwise unreachable infrastructure. CVSS 8.5 (High) with cross-scope impact reflects the potential for lateral movement beyond the application boundary. No active exploitation confirmed (CISA KEV: not listed), but the vulnerability class (CWE-918 SSRF) is commonly exploited when accessible to authenticated users. Patch available in version 2.5.3.

SSRF Linkace
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-31943 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in LibreChat versions prior to 0.8.3 allows authenticated users to bypass IP validation and force the application server to make HTTP requests to internal network resources. The vulnerability stems from improper validation of IPv4-mapped IPv6 addresses in hex-normalized form, enabling access to cloud metadata services (AWS 169.254.169.254), loopback addresses, and RFC1918 private networks. With EPSS data unavailable and no CISA KEV listing, no public exploit identified at time of analysis, though the specific bypass technique (hex-normalized IPv4-mapped IPv6) is well-documented in SSRF research.

SSRF Librechat
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-13478 HIGH This Week

OpenText Identity Manager versions up to 25.2 (v4.10.1) suffer from insecure cache handling that permits remote authenticated users to retrieve another user's session data, resulting in unauthorized information disclosure. An attacker with valid credentials can exploit this cache misconfiguration on both Windows and Linux deployments to access sensitive session information belonging to other authenticated users, compromising confidentiality of user sessions and potentially enabling lateral movement or privilege escalation attacks.

Information Disclosure Microsoft
NVD
CVSS 4.0
8.4
EPSS
0.2%
CVE-2026-33868 MEDIUM POC PATCH This Month

Mastodon prior to versions 4.5.8, 4.4.15, and 4.3.21 contains an unauthenticated Open Redirect vulnerability in the `/web/*` route that allows remote attackers to redirect users to arbitrary external domains via specially URL-encoded path segments. An attacker can exploit this to conduct phishing attacks or steal OAuth credentials by crafting malicious links that bypass Rails path normalization through URL-encoded slashes (%2F). No public exploit code or active exploitation has been confirmed at time of analysis.

Open Redirect
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-33980 HIGH PATCH GHSA This Week

KQL injection in adx-mcp-server Python package allows authenticated attackers to execute arbitrary Kusto queries against Azure Data Explorer clusters. Three MCP tool handlers (get_table_schema, sample_table_data, get_table_details) unsafely interpolate the table_name parameter into query strings via f-strings, enabling data exfiltration from arbitrary tables, execution of management commands, and potential table drops. Vendor-released patch available (commit 0abe0ee). No public exploit identified at time of analysis, though proof-of-concept code exists in the security advisory demonstrating injection via comment-based bypass and newline-separated commands. Affects adx-mcp-server ≤ commit 48b2933.

Microsoft RCE Nosql Injection Python
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2025-15617 HIGH This Week

GitHub Actions workflow artifacts in Wazuh version 4.12.0 expose GITHUB_TOKEN credentials that unauthenticated network attackers can extract and use within a limited time window to push malicious commits or alter release tags in the project repository. The vulnerability carries a CVSS 4.0 score of 8.3 with high integrity impact and low availability impact. No public exploit identified at time of analysis, though the vulnerability is classified under authentication bypass tags by VulnCheck.

Authentication Bypass Wazuh
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-33981 HIGH PATCH GHSA This Week

changedetection.io versions up to 0.54.6 leak all server environment variables including password hashes, proxy credentials, and API keys via unrestricted jq filter expressions. Attackers with API access (default: no authentication required) can extract SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed to the container by creating a watch with 'jqraw:env' as the include filter. Vendor-released patch available in version 0.54.7. No active exploitation confirmed (not in CISA KEV), but a detailed proof-of-concept exists in the GitHub advisory demonstrating full environment variable extraction in three API calls.

Docker Python Information Disclosure
NVD GitHub
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-24031 HIGH PATCH This Week

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up to 2.4.0) lets remote attackers log in as any user when an administrator has cleared the auth_username_chars setting. The flaw is a CWE-89 SQL injection in the SQL-backed authentication driver: with input character filtering disabled, attacker-controlled username data reaches the SQL auth query unsanitized, enabling both full authentication bypass and account enumeration. Reported by OX and tracked as EUVD-2026-16561; no public exploit is identified at time of analysis, and CISA SSVC rates exploitation as none while assessing technical impact as total.

SQLi Ox Dovecot Pro
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-34042 HIGH PATCH GHSA This Week

Unauthenticated remote cache poisoning in nektos/act (GitHub Actions local runner) enables arbitrary code execution by exposing the built-in actions/cache server on all network interfaces without authentication. Attackers who can reach the cache server-including from the public internet if exposed-can inject malicious cache entries with predictable keys, leading to remote code execution within Docker containers running GitHub Actions workflows. No public exploit identified at time of analysis, though EPSS data unavailable. Vendor-released patch available in act v0.2.86.

Docker RCE Authentication Bypass Suse
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-33946 HIGH PATCH GHSA This Week

Session hijacking in the Model Context Protocol Ruby SDK (mcp gem) allows attackers to intercept Server-Sent Events streams by reusing valid session identifiers. The streamable_http_transport.rb implementation overwrites existing SSE stream objects when a duplicate session ID connects, silently disconnecting legitimate users and redirecting all tool responses and real-time data to the attacker. A proof-of-concept demonstration has been provided showing successful stream hijacking, where the attacker receives confidential tool call responses intended for the victim. Patch available per vendor advisory (release v0.9.2 per references).

Session Fixation Python Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-34375 HIGH GHSA This Week

Reflected cross-site scripting (XSS) in WWBN AVideo versions up to 26.0 enables credential theft through unsanitized request parameter echoed into JavaScript context. Attackers can craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript and exfiltrate the victim's username and password hash directly exposed in the vulnerable code block. CVSS score of 8.2 reflects high confidentiality impact; no public exploit identified at time of analysis.

XSS PHP
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-4984 HIGH This Week

Unauthenticated credential theft in Botpress Twilio integration allows remote attackers to capture plaintext Twilio account credentials (accountSID and authToken) via forged webhook requests. The webhook handler fails to validate X-Twilio-Signature headers and can be tricked into making HTTP requests to attacker-controlled servers with embedded credentials in Authorization headers, enabling full Twilio account compromise. CVSS score of 8.2 reflects high confidentiality impact with low attack complexity and no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N).

Information Disclosure Botpress
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-33206 HIGH PATCH This Week

Calibre versions prior to 9.6.0 allow remote attackers to exfiltrate arbitrary files from the host system through a combination of path traversal in image handling during file conversion and unauthenticated server-side request forgery in the ebook reader web view's background-image endpoint. An attacker can craft a malicious markdown or text-based file that references files outside the intended directory, then retrieve those files through the unprotected background-image handler without authentication, enabling complete file system disclosure on systems running vulnerable Calibre instances.

Path Traversal SSRF Authentication Bypass Calibre
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-33941 HIGH PATCH GHSA This Week

The Handlebars npm package precompiler (bin/handlebars) allows arbitrary JavaScript injection through unsanitized string concatenation in four distinct code paths: template filenames, namespace option (-n), CommonJS path option (-c), and AMD path option (-h). Attackers who can control template filenames or CLI arguments can inject code that executes when the generated JavaScript bundle is loaded in Node.js or browser environments. Publicly available exploit code exists with multiple proof-of-concept vectors demonstrated, including file system manipulation via require('fs'). CVSS 8.3 reflects local attack vector requiring low privileges and user interaction, with changed scope allowing high confidentiality, integrity, and availability impact.

XSS Node.js Amd
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-33979 HIGH PATCH GHSA This Week

express-xss-sanitizer versions 2.0.1 and earlier silently ignore restrictive sanitization configurations when developers explicitly set empty allowedTags or allowedAttributes arrays, instead defaulting to permissive HTML allowlists that can enable XSS attacks. The CVSS score of 8.2 (AV:N/AC:L/PR:N/UI:N) reflects network-accessible, unauthenticated exploitation with high integrity impact. A public proof-of-concept demonstrating the configuration bypass exists in the GitHub security advisory, showing how input intended to be stripped of all HTML instead preserves anchor tags with href attributes and paragraph elements. No EPSS score or CISA KEV status was provided in the intelligence data.

XSS
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-33938 HIGH PATCH This Week

Remote code execution in Handlebars templating engine (npm package) allows unauthenticated attackers to execute arbitrary JavaScript on Node.js servers by exploiting the @partial-block mechanism when combined with vulnerable helper functions. The attack overwrites @partial-block with a malicious Handlebars AST that is dynamically compiled and executed during template rendering. A working proof-of-concept exists demonstrating exploitation via the commonly-used handlebars-helpers package. Vendor-released patch is available in Handlebars version 4.7.9.

RCE Node.js Code Injection
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-33940 HIGH PATCH GHSA This Week

Remote code execution in Handlebars templating engine (npm package) allows unauthenticated network attackers to execute arbitrary server-side commands by exploiting dynamic partial resolution logic. Affected versions include all releases prior to v4.7.9. Attack requires the adversary to control context data passed to templates that use dynamic partial lookups. A proof-of-concept exploit demonstrates arbitrary code execution and is publicly documented. CVSS score of 8.1 reflects high complexity due to the need for specific template patterns and attacker-controlled context values.

Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33989 HIGH PATCH GHSA This Week

Path traversal in @mobilenext/mobile-mcp npm package allows remote attackers to write arbitrary files on the host system through unvalidated file path parameters. The mobile_save_screenshot and mobile_start_screen_recording tools accept user-controlled saveTo and output parameters that are passed directly to Node.js filesystem operations without sanitization, enabling attackers to overwrite critical system files (e.g., ~/.bashrc, ~/.ssh/authorized_keys) via prompt injection attacks. Affects versions prior to 0.0.49. Publicly available exploit code exists (functional Python PoC provided in disclosure). EPSS data not available, but the combination of network attack vector, low complexity (CVSS AC:L), and weaponized exploit code warrants immediate patching for systems running this MCP server.

Node.js Path Traversal
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33997 HIGH PATCH This Week

Plugin privilege validation bypass in Moby/Docker Engine prior to 29.3.1 (and Moby v2 before 2.0.0-beta.8) allows a malicious plugin to be installed with a privilege set that differs from what the user approved during 'docker plugin install'. The off-by-one in the daemon's comparison loop skips the first sorted privilege entry, and plugins requesting exactly one privilege bypass comparison entirely, potentially granting sensitive capabilities such as broad device access. No public exploit identified at time of analysis, EPSS is 0.01%, and SSVC marks exploitation as none but technical impact as total.

Docker Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4248 HIGH This Week

A information disclosure vulnerability in for WordPress is vulnerable to Sensitive Information Exposure in all (CVSS 8.0). High severity vulnerability requiring prompt remediation.

WordPress Information Disclosure Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-33874 HIGH PATCH This Week

Remote code execution in gematik Authenticator (macOS) versions 4.12.0 through 4.15.x enables malicious file-triggered command injection when victims open crafted documents. This CWE-78 OS command injection flaw requires no authentication but depends on user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R). No public exploit identified at time of analysis, though EPSS data not available. The authenticator serves German digital health applications, making this a high-impact target for healthcare sector attacks.

RCE Command Injection App Authenticator
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-27309 HIGH This Week

Arbitrary code execution in Adobe Substance3D Stager 3.1.7 and earlier allows local attackers to execute malicious code with user privileges through specially crafted files. Exploitation requires social engineering to trick users into opening weaponized Stager project files. No public exploit identified at time of analysis, though the use-after-free vulnerability class is well-understood and exploitable. CVSS 7.8 (High) reflects significant impact if exploited, though local attack vector and user interaction requirement reduce immediate risk compared to remotely exploitable flaws.

RCE Use After Free Memory Corruption Denial Of Service Substance3D Stager
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34172 HIGH PATCH GHSA This Week

Remote code execution in giskard-agents Python library (versions ≤0.3.3 and 1.0.x alpha) allows attackers to execute arbitrary system commands when user-controlled strings are passed to the ChatWorkflow.chat() method. The vulnerability stems from unsandboxed Jinja2 template rendering that enables class traversal exploitation via Python's object introspection. Patched in versions 0.3.4 (stable) and 1.0.2b1 (pre-release). Public exploit code exists demonstrating full RCE via Jinja2 object traversal to os.popen(). No active exploitation confirmed at time of analysis, though the straightforward attack vector and clear POC make this a critical priority for affected deployments.

Python RCE Ssti
NVD GitHub
CVSS 4.0
7.7
EPSS
0.4%
CVE-2026-33935 HIGH PATCH This Week

MyTube prior to version 1.8.72 permits unauthenticated attackers to trigger indefinite account lockouts affecting both administrator and visitor authentication by exploiting a shared, globally-scoped login attempt counter across three publicly accessible password verification endpoints. An attacker can repeatedly send invalid authentication requests to any endpoint, progressively increasing a 24-hour cooldown lockout duration that applies to all endpoints simultaneously, effectively denying legitimate users password-based authentication until the patch is deployed. No public exploit code or active in-the-wild exploitation has been confirmed, but the attack requires no privileges and can be automated trivially.

Denial Of Service Mytube
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-27860 LOW POC PATCH Monitor

Open-Xchange Dovecot Pro contains an LDAP filter injection vulnerability in its authentication module that allows remote unauthenticated attackers to inject arbitrary LDAP filters when the auth_username_chars configuration parameter is left empty, potentially enabling authentication bypass and reconnaissance of LDAP directory structures. The vulnerability carries a low CVSS score of 3.7 due to high attack complexity requirements, and no public exploit code has been identified at the time of analysis.

LDAP Authentication Bypass Code Injection
NVD VulDB GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-34041 HIGH PATCH GHSA This Week

Command injection in nektos/act (GitHub Actions local runner) allows attackers to execute arbitrary code by embedding deprecated workflow commands in untrusted input. Act versions prior to 0.2.86 unconditionally process ::set-env:: and ::add-path:: commands that GitHub Actions disabled in 2020, enabling PATH hijacking and environment variable injection when workflows echo PR titles, branch names, or commit messages. Publicly available exploit code exists with working proof-of-concept demonstrating NODE_OPTIONS and LD_PRELOAD injection vectors. This creates a critical supply chain risk where workflows safe on GitHub Actions become exploitable when developers test them locally with act.

Docker Command Injection Ubuntu RCE Node.js +2
NVD GitHub
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-31945 HIGH PATCH This Week

Server-side request forgery in LibreChat 0.8.2-rc2 through 0.8.2 allows authenticated users to access internal network resources via incomplete DNS validation bypass. Despite a prior SSRF patch, the current hostname validation fails to check if DNS resolution points to private IP addresses, enabling attackers to reach internal RAG APIs and cloud metadata endpoints. CVSS 7.7 with network-based attack vector and low complexity. EPSS data not available; no confirmed active exploitation (not listed in CISA KEV). Patch released in version 0.8.3-rc1.

SSRF Librechat
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2019-25652 HIGH PATCH This Week

UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middle attacks by presenting a false SSL certificate...

Information Disclosure Ubiquiti
NVD VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-34070 HIGH PATCH GHSA This Week

A path traversal vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Python Path Traversal Docker Kubernetes Microsoft
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-32241 HIGH PATCH GHSA This Week

Command injection in Flannel's experimental Extension backend allows authenticated Kubernetes users with node annotation privileges to execute arbitrary commands as root on all flannel nodes in the cluster. This affects Flannel versions prior to 0.28.2 using the Extension backend; other backends (vxlan, wireguard) are unaffected. No public exploit identified at time of analysis, but CVSS 7.5 reflects high impact once node annotation access is achieved. EPSS data not available for this recent CVE (2026 designation appears to be error; actual 2025 advisory).

Kubernetes Command Injection Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-30637 HIGH This Week

OTCMS versions 7.66 and earlier contain an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /admin/read.php endpoint's AnnounContent parameter, enabling remote attackers to craft arbitrary HTTP requests targeting internal services or external systems without requiring credentials. The vulnerability is documented in public security research; however, no CVSS score, EPSS probability, or confirmed active exploitation status is available from CISA KEV data at this time.

SSRF PHP
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59032 HIGH PATCH This Week

OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using literal format, enabling unauthenticated remote attackers to repeatedly crash the service and deny availability to legitimate users (CVSS 7.5, High availability impact). The vulnerability affects OX Dovecot Pro installations with ManageSieve enabled. No public exploit identified at time of analysis, and EPSS data was not provided in available intelligence.

Denial Of Service Ox Dovecot Pro
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27858 HIGH PATCH This Week

OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attackers sending crafted messages. The vulnerability enables remote denial of service against the managesieve protocol without authentication (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), with a CVSS score of 7.5 (High severity). No public exploit identified at time of analysis, and the vendor has released a security advisory with remediation guidance.

Denial Of Service Ox Dovecot Pro
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-29871 HIGH This Week

Unauthenticated remote attackers can read arbitrary files from servers running the awesome-llm-apps Beifong AI News and Podcast Agent backend by exploiting a path traversal vulnerability in the stream-audio endpoint (routers/podcast_router.py, function stream_audio). The endpoint concatenates user-controlled path parameters directly into filesystem paths without validation, allowing attackers to traverse directory structures and disclose sensitive configuration files, credentials, and other confidential data. No public exploit code or active exploitation has been independently confirmed at the time of this analysis.

Path Traversal Awesome Llm Apps
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22743 HIGH PATCH GHSA This Week

Cypher injection in Spring AI Neo4j vector store (versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3) allows unauthenticated remote attackers to access confidential data stored in Neo4j databases. The vulnerability exists in Neo4jVectorFilterExpressionConverter where user-controlled filter expression keys are embedded into Cypher property accessors without proper backtick escaping, enabling attackers to break out of the intended property context and execute arbitrary Cypher queries. CVSS score of 7.5 reflects high confidentiality impact with network accessibility and low attack complexity, though no public exploit has been identified at time of analysis.

Java SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27857 HIGH PATCH This Week

Remote memory-exhaustion denial of service in OX Dovecot Pro (versions up to and including 2.3.0) lets an unauthenticated network attacker exhaust process memory by sending NOOP commands containing thousands of nested parentheses. Each such command consumes roughly 1 MB, and by withholding the terminating line-feed the attacker keeps the allocation alive; ~1000 concurrent connections from even a single source IP can pin around 1 GB, breaching the process VSZ limit and killing the service along with its proxied connections. There is no public exploit identified at time of analysis (EPSS 0.04%, percentile 12; CISA SSVC exploitation=none), but the vector is trivial and a vendor patch is available.

Denial Of Service Ox Dovecot Pro
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33939 HIGH PATCH GHSA This Week

{{*n}}), enabling single-request denial-of-service attacks against applications that accept user-supplied templates. The vulnerability affects the npm package handlebars (pkg:npm/handlebars) and has CVSS score 7.5 (AV:N/AC:L/PR:N/UI:N). A functional proof-of-concept demonstrating the crash exists in the public advisory, confirming exploit code is publicly available. No active exploitation (CISA KEV) has been reported at time of analysis.

Denial Of Service Node.js
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34226 HIGH PATCH GHSA This Week

Cookie leakage in Happy DOM JavaScript library (all versions prior to 20.8.9) allows remote attackers to steal authentication cookies across origins when fetch() is invoked with credentials:include. The vulnerability stems from the library incorrectly attaching cookies from the current page origin (window.location) rather than the request target URL, enabling cross-origin cookie exfiltration. EPSS data not available, but exploitation requires no authentication (PR:N) with low complexity (AC:L), making this readily exploitable. Upstream fix available (PR/commit); released patched version not independently confirmed.

Information Disclosure Happy Dom
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22744 HIGH PATCH GHSA This Week

Spring AI Redis vector store implementations expose sensitive data through unescaped TAG field filter injection in versions 1.0.0-1.0.4 and 1.1.0-1.1.3. Unauthenticated remote attackers can craft malicious filter expressions that bypass query boundaries in RediSearch TAG blocks, allowing extraction of unauthorized information from the vector database (CVSS 7.5 High, C:H). No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given its low attack complexity (AC:L).

Java Redis Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27880 HIGH PATCH This Week

Grafana's OpenFeature feature toggle evaluation endpoint can be forced into an out-of-memory condition by submitting unbounded values, enabling remote denial-of-service attacks against the monitoring platform. The vulnerability is network-accessible, requires no authentication (CVSS AV:N/AC:L/PR:N), and has been assigned a CVSS score of 7.5 with high availability impact. No public exploit identified at time of analysis, and authentication requirements confirm unauthenticated access per the CVSS vector PR:N.

Buffer Overflow Memory Corruption Grafana
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27877 HIGH PATCH This Week

Sensitive credential disclosure in Grafana (versions in the 9.3.0-11.6.x, 12.0.x-12.4.x lines) exposes the stored passwords of all direct (non-proxied) data sources whenever the public dashboards feature is enabled, even for data sources never referenced by any dashboard. Reported by Grafana with a vendor patch available, the flaw lets unauthenticated viewers of a public dashboard harvest backend data-source credentials (CVSS 7.5, C:H). There is no public exploit identified at time of analysis, and EPSS is very low (0.01%) with CISA SSVC rating exploitation as none.

Information Disclosure Grafana
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy