Skip to main content
CVE-2026-29180 MEDIUM PATCH GHSA This Month

Fleet device management software versions prior to 4.81.1 contain a broken access control vulnerability in the host transfer API that allows authenticated team maintainers to transfer hosts from any team into their own team, circumventing team isolation boundaries and gaining full control over stolen hosts including root-level script execution capabilities. The vulnerability requires authenticated access (PR:L in CVSS vector) but presents high integrity impact due to the ability to execute privileged commands on managed endpoints. No public exploit code or active exploitation has been confirmed at time of analysis.

Authentication Bypass Suse
NVD GitHub
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-25100 MEDIUM This Month

Bludit up to version 3.18.2 allows authenticated users with content upload privileges to execute arbitrary JavaScript in victim browsers via stored XSS in SVG image uploads. An attacker with Author, Editor, or Administrator role can upload a malicious SVG file that executes when accessed by any unauthenticated visitor to the uploaded resource URL, compromising browser sessions and potentially enabling account takeover or sensitive data theft. No public exploit code has been identified at time of analysis, though the vendor was notified early and subsequently ceased coordination.

XSS Bludit
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-33869 MEDIUM PATCH This Month

Mastodon versions 4.5.x before 4.5.8 and 4.4.x before 4.4.15 allow unauthenticated attackers with prior knowledge of a quote to prevent its correct processing on a target server, resulting in limited integrity and availability impact. The vulnerability exploits timing and knowledge of ActivityPub quote structures to disrupt social content distribution. Patches are available in Mastodon 4.5.8 and 4.4.15; versions 4.3 and earlier are unaffected due to lack of quote support.

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25101 MEDIUM PATCH This Month

Bludit versions prior to 3.17.2 allow attackers to fix a victim's session identifier before authentication, with the session ID persisting unchanged after successful login, enabling authenticated session hijacking via session fixation. The vulnerability affects all Bludit instances below version 3.17.2 and requires local access and user interaction to exploit. No public exploit code or active exploitation has been identified at the time of analysis, though the session fixation mechanism poses a moderate risk in multi-user or shared-access environments.

Information Disclosure Session Fixation
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-33205 MEDIUM PATCH This Month

Server-Side Request Forgery in calibre's background-image endpoint allows remote attackers to perform blind GET requests to arbitrary URLs and exfiltrate sensitive information from the e-book sandbox prior to version 9.6.0. Calibre versions before 9.6.0 are affected, with vendor-released patch available at version 9.6.0 or later. No active exploitation or public exploit code has been confirmed at time of analysis.

SSRF Calibre
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-30689 MEDIUM This Month

Blog.Admin versions 8.0 and earlier expose sensitive administrator account information through an improper access control vulnerability in the getinfobytoken API endpoint. An attacker possessing a valid authentication token can bypass authorization checks to retrieve confidential administrator credentials and account details, potentially enabling lateral movement or privilege escalation attacks. No public exploit code or active exploitation has been confirmed at the time of analysis.

Information Disclosure Authentication Bypass N A
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-59031 MEDIUM PATCH This Month

Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attackers to index unintended system files and contaminate full-text search indexes with sensitive content. Open-Xchange Dovecot Pro is affected. The vulnerability results in information disclosure (CWE-200) with a CVSS score of 4.3 and requires prior authentication; no public exploit identified at time of analysis.

Information Disclosure Ox Dovecot Pro
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28786 MEDIUM PATCH This Month

Open WebUI versions prior to 0.8.6 disclose the server's absolute DATA_DIR path to any authenticated non-admin user via unsanitized filename handling in the speech-to-text transcription endpoint, which returns FileNotFoundError messages in HTTP 400 responses. This information disclosure affects all default deployments and requires only user-level authentication to trigger. The vulnerability has been patched in version 0.8.6, and no public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure Path Traversal Open Webui
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32187 MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) contains a defense-in-depth vulnerability affecting all versions that allows remote attackers to disclose sensitive information and modify data through a network-based attack requiring user interaction. The vulnerability carries a CVSS score of 4.2 (low severity) with high attack complexity, indicating limited real-world exploitability despite dual confidentiality and integrity impacts. A vendor-released patch is available from Microsoft.

Microsoft Google XSS
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-29071 LOW PATCH Monitor

Open WebUI versions prior to 0.8.6 allow authenticated users to read other users' private memories through an insufficiently restricted API endpoint at `/api/v1/retrieval/query/collection`, exposing sensitive user data stored within the self-hosted AI platform. The vulnerability requires valid authentication credentials and carries a CVSS score of 3.1 with low attack complexity, indicating limited real-world exploitability despite the information disclosure impact. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass Open Webui
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-33879 LOW Monitor

The FLIP login page in versions 0.1.1 and prior lacks rate limiting and CAPTCHA protection, enabling unauthenticated remote attackers to conduct brute-force and credential-stuffing attacks against user accounts. The vulnerability affects the Federated Learning and Interoperability Platform, an open-source medical imaging AI training system where users are typically external to host organizations, amplifying the risk of credential reuse. While the CVSS score is low (2.7), the attack vector is network-based, requires no authentication or interaction, and directly enables unauthorized account access with potential integrity impact.

Information Disclosure Flip
NVD GitHub
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-4973 LOW Monitor

Stored cross-site scripting (XSS) in SourceCodester Online Quiz System up to version 1.0 allows authenticated remote attackers to inject malicious scripts via the quiz_question parameter in endpoint/add-question.php, affecting users who view the injected quiz content. The vulnerability has CVSS 5.1 (low-to-moderate severity), requires user interaction to trigger, and public exploit code is available. An attacker with quiz management privileges can compromise quiz participants through JavaScript execution in their browsers.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4957 LOW Monitor

OpenBMB XAgent 1.0.0 exposes sensitive API credentials in log files through improper handling of the api_key argument in the FunctionHandler.handle_tool_call function, allowing remote authenticated attackers with high privileges to disclose confidential information. The vulnerability is classified as information disclosure (CWE-200) with a CVSS score of 5.1 and has publicly available exploit code; however, the vendor has not responded to early disclosure notification.

Information Disclosure Xagent
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-34073 LOW PATCH Monitor

DNS name constraint validation bypass in cryptography library versions prior to 46.0.6 allows peer names to bypass X.509 name constraint checks during certificate validation. The vulnerability arises because name constraints were applied only to Subject Alternative Names (SANs) in child certificates but not to the peer name presented during validation, permitting a certificate for bar.example.com to validate against a wildcard leaf certificate (*.example.com) even when an excluded subtree constraint for bar.example.com existed in the parent certificate. Exploitation requires an uncommon X.509 topology not typically present in the Web PKI, and no public exploit code or active exploitation has been identified.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
1.7
EPSS
0.0%
CVE-2026-33284 LOW PATCH Monitor

GlobaLeaks whistleblowing platform versions prior to 5.0.89 contain insufficient input validation in the /api/support endpoint, permitting attackers to inject arbitrary URLs into support request emails sent to administrators. This can facilitate phishing attacks, credential harvesting, or social engineering by making malicious links appear to originate from legitimate support communications. Remote attackers without authentication can exploit this vulnerability to craft convincing fraudulent messages to site administrators.

Information Disclosure Globaleaks Whistleblowing Software
NVD GitHub
CVSS 4.0
1.2
EPSS
0.1%
Prev Page 5 of 5

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy