Skip to main content
CVE-2026-5027 HIGH POC This Week

Arbitrary file write vulnerability in an API endpoint (POST /api/v2/files) enables authenticated remote attackers to overwrite critical system files or place malicious executables in startup directories through unvalidated filename parameters containing path traversal sequences. The vulnerability carries a CVSS score of 8.8 (High) with network-accessible attack vector requiring low-level privileges and no user interaction. No public exploit identified at time of analysis, though the straightforward nature of path traversal exploitation increases risk. Research disclosed by Tenable Security Research (TRA-2026-26).

Path Traversal
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-30531 HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows authenticated attackers to inject arbitrary SQL commands through the unvalidated 'name' parameter in the save_category action of Actions.php. The vulnerability affects the application's category management functionality and enables data exfiltration, modification, or deletion. Publicly available exploit code exists demonstrating the vulnerability, increasing practical exploitation risk despite authentication requirement.

SQLi PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30529 HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows authenticated attackers to execute arbitrary SQL commands via the username parameter in Actions.php (save_user action), due to improper input sanitization. Publicly available exploit code exists demonstrating this vulnerability. While CVSS and EPSS scores are unavailable, the authenticated requirement and public POC availability indicate moderate real-world risk for deployments with user account access.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30534 HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to manipulate database queries through the 'id' parameter in admin/manage_category.php, enabling unauthorized data extraction, modification, or deletion. The vulnerability affects the administrative interface and has publicly available exploit code, presenting immediate risk to deployed instances of this e-commerce platform.

PHP SQLi
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-34040 HIGH POC PATCH GHSA This Week

Authorization bypass in Docker Engine (moby) allows API clients to evade AuthZ plugin policy decisions by issuing requests whose body is not forwarded to the plugin, causing it to approve operations it would otherwise deny. This is an incomplete-fix regression of CVE-2024-41110 affecting deployments that rely on AuthZ plugins inspecting request bodies; publicly available exploit code exists but EPSS is 0.01% and SSVC exploitation status is 'none'.

Docker Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-30575 HIGH POC This Week

Inventory depletion in SourceCodester Pharmacy Product Management System 1.0 allows remote attackers to corrupt stock records by submitting negative values through the add-stock.php 'txtqty' parameter, causing the system to decrease inventory instead of increasing it and enabling denial of service via stock exhaustion. Publicly available exploit code exists demonstrating this business logic flaw, and the affected product lacks CVSS severity quantification despite the demonstrated impact on system integrity and availability.

PHP Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30576 HIGH POC This Week

Pharmacy Product Management System 1.0 fails to validate financial input parameters in the add-stock.php file, permitting attackers to submit negative values for product prices and total costs. This business logic vulnerability corrupts financial records and allows manipulation of inventory asset valuations and procurement cost tracking. Publicly available exploit code exists; however, no CVSS score, EPSS data, or CISA KEV confirmation is available to assess active exploitation frequency.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30574 HIGH POC This Week

SourceCodester Pharmacy Product Management System 1.0 fails to enforce inventory constraints in the add-sales.php module, allowing attackers to create sales transactions for quantities that exceed available stock levels. This business logic flaw enables overselling scenarios where the system processes orders without validating stock availability, potentially leading to negative inventory records and operational disruption. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS scoring or active exploitation via CISA KEV has been confirmed.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4976 HIGH POC This Week

Buffer overflow in Totolink LR350 router firmware 9.3.5u.6369_B20220309 allows remote authenticated attackers to execute arbitrary code via crafted SSID input to the setWiFiGuestCfg function in /cgi-bin/cstecgi.cgi. The vulnerability has a publicly available exploit code and affects the web management interface. CVSS 7.4 (High) with low attack complexity indicates significant risk, though exploitation requires low-privilege authentication (PR:L). No CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

Buffer Overflow Lr350
NVD VulDB
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-4961 HIGH POC This Week

Remote attackers with low-level authentication can execute arbitrary code on Tenda AC6 routers running firmware version 15.03.05.16 by exploiting a stack-based buffer overflow in the formQuickIndex function via crafted PPPOEPassword parameters in POST requests to /goform/QuickIndex. Publicly available exploit code exists, demonstrating practical exploitation of this critical vulnerability with CVSS 8.8 (High severity, network-accessible, low complexity). The vulnerability is tracked as CWE-121 and poses immediate risk to exposed devices.

Tenda Buffer Overflow Stack Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4960 HIGH POC This Week

Stack-based buffer overflow in Tenda AC6 router firmware version 15.03.05.16 enables authenticated remote attackers to achieve code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the fromWizardHandle function handling POST requests to /goform/WizardHandle, exploitable by manipulating WANT/WANS parameters. Publicly available exploit code exists, demonstrating the attack technique via a detailed proof-of-concept published on Notion. With a CVSS score of 8.8 and low attack complexity, this represents a significant risk to affected devices despite requiring low-privilege authentication.

Tenda Buffer Overflow Stack Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4906 HIGH POC This Week

Remote attackers with low-level authentication can trigger stack-based buffer overflow in Tenda AC5 router firmware version 15.03.06.47 via the WizardHandle POST request handler, potentially achieving arbitrary code execution with high impact to confidentiality, integrity, and availability. Publicly available exploit code exists, as confirmed by multiple references including a detailed proof-of-concept document on Notion. The CVSS score of 8.8 reflects network-based attack vector with low complexity and no user interaction required, while the temporal score indicates proof-of-concept exploitation capability.

Tenda Buffer Overflow Stack Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-33765 HIGH PATCH This Week

Remote code execution with root privileges in Pi-hole Admin Interface versions prior to 6.0 allows unauthenticated attackers to execute arbitrary system commands. The vulnerability stems from unsanitized user input in the 'webtheme' parameter being concatenated directly into sudo-privileged exec() calls in savesettings.php. With CVSS 8.9 (Critical), network-accessible attack vector, and low complexity, this represents a severe compromise risk for Pi-hole deployments exposed to untrusted networks. Proof-of-concept code exists (CVSS E:P metric indicates exploitation proof available).

PHP Command Injection
NVD GitHub
CVSS 4.0
8.9
EPSS
0.6%
CVE-2026-33890 HIGH PATCH This Week

MyTube versions prior to 1.8.71 allow unauthenticated remote attackers to register arbitrary passkeys and obtain full administrator access without any existing credentials. The vulnerability stems from exposed passkey registration endpoints that lack authentication checks and automatically grant admin tokens to any successfully registered passkey, enabling complete application compromise. Vendor-released patch version 1.8.71 addresses this flaw.

Authentication Bypass Mytube
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-33654 HIGH PATCH This Week

Remote code execution in nanobot personal AI assistant (versions prior to 0.1.6) allows unauthenticated attackers to execute arbitrary LLM instructions and system tools via malicious email content. The vulnerability exploits the email channel processing module's lack of input validation, enabling zero-click, indirect prompt injection attacks without bot owner interaction. Publicly available exploit code exists. With CVSS 8.9 (Critical) and network-accessible attack vector requiring no privileges, this represents a severe security risk for deployed nanobot instances monitoring email.

RCE Code Injection Nanobot
NVD GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-33991 HIGH PATCH This Week

SQL injection in WeGIA charitable institution management software allows authenticated remote attackers to execute arbitrary database queries with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe use of extract($_REQUEST) combined with unsanitized SQL concatenation in the tag deletion module (deletar_tag.php), affecting all versions prior to 3.6.7. No public exploit identified at time of analysis, with EPSS probability data not available for this recent CVE.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-27893 HIGH PATCH This Week

Remote code execution is possible in vLLM inference and serving engine versions 0.10.1 through 0.17.x due to hardcoded trust_remote_code=True settings in two model implementation files that override users' explicit --trust-remote-code=False security configuration. Attackers can exploit this by hosting malicious model repositories that execute arbitrary code when loaded by vLLM, even when users have intentionally disabled remote code trust for security. Version 0.18.0 patches this vulnerability, with no public exploit identified at time of analysis and a CVSS score of 8.8 requiring user interaction to trigger.

RCE Vllm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33755 HIGH PATCH This Week

Authenticated SQL injection in Group-Office's JMAP Contact/query endpoint allows any user with basic addressbook permissions to extract database contents, including active session tokens, enabling full account takeover of any user including System Administrators. Affects Group-Office versions before 6.8.158, 25.0.92, and 26.0.17. EPSS exploitation probability is low (0.03%, 9th percentile) with no public exploit or active exploitation confirmed. Despite 8.8 CVSS score, real-world risk depends heavily on whether attackers can obtain valid low-privilege credentials first.

SQLi Microsoft
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25099 HIGH POC PATCH This Week

Remote code execution in Bludit CMS versions prior to 3.18.4 allows authenticated attackers holding valid API tokens to upload and execute arbitrary files through the API plugin's unrestricted file upload mechanism. The vulnerability has a CVSS 4.0 score of 8.7 with network attack vector and low complexity, requires authenticated access (PR:L), and was reported by CERT-PL. No public exploit identified at time of analysis, though the technical details are publicly disclosed.

RCE File Upload Bludit
NVD GitHub Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-34046 HIGH PATCH This Week

{flow_id} endpoints. The vulnerability affects both the langflow and langflow-base Python packages, enabling attackers with valid credentials to exfiltrate sensitive data (including plaintext API keys embedded in flows), tamper with AI agent logic, or destroy other users' workflows. A vendor-released patch (PR #8956) is available. No public exploit code identified at time of analysis, though the vulnerability is straightforward to exploit given the clear description and patch differential in the advisory.

Authentication Bypass
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-32678 HIGH This Week

BUFFALO Wi-Fi router products allow unauthenticated remote attackers to bypass authentication mechanisms and modify critical configuration settings without valid credentials. This CWE-288 authentication bypass vulnerability affects BUFFALO Wi-Fi router product lines (CVSS 7.5, High severity) and enables complete compromise of device integrity. No public exploit identified at time of analysis, though the network-accessible attack surface and low complexity (AV:N/AC:L/PR:N) increase exposure risk for internet-facing devices.

Authentication Bypass Buffalo Wi Fi Router Products
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-26061 HIGH PATCH GHSA This Week

Fleet server memory exhaustion via unbounded request bodies allows unauthenticated denial-of-service against multiple HTTP endpoints. The vulnerability affects Fleet v4 (github.com/fleetdm/fleet/v4) and was responsibly disclosed by @fuzzztf. Attackers can exhaust available memory and force server restarts by sending oversized or repeated HTTP requests to unauthenticated endpoints lacking size limits. No public exploit identified at time of analysis, though the attack mechanism is straightforward given the CWE-770 resource allocation vulnerability class.

Privilege Escalation Information Disclosure Authentication Bypass Nginx Denial Of Service +1
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-32669 HIGH This Week

BUFFALO Wi-Fi router products allow remote code execution through a code injection vulnerability requiring user interaction. An unauthenticated attacker (CVSS PR:N) can execute arbitrary code on affected devices with high impact to confidentiality, integrity, and availability (CVSS 8.8). The vulnerability was disclosed through JVN and BUFFALO's official advisory, with no public exploit identified at time of analysis.

RCE Code Injection Buffalo Wi Fi Router Products
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-27650 HIGH This Week

Remote OS command injection in BUFFALO Wi-Fi router products allows unauthenticated attackers to execute arbitrary operating system commands with user interaction required. The vulnerability affects multiple BUFFALO Wi-Fi router models as confirmed by CPE designation and carries a CVSS score of 8.8 (High severity). While attack complexity is low and no privileges are required, successful exploitation depends on user interaction, reducing immediate attack surface. No public exploit identified at time of analysis, and exploitation probability metrics are not available in provided intelligence.

Command Injection Buffalo Wi Fi Router Products
NVD
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-33280 HIGH This Week

BUFFALO Wi-Fi router products contain hidden debugging functionality that permits authenticated attackers with high-level privileges to execute arbitrary operating system commands remotely. The vulnerability affects an unspecified range of BUFFALO's router lineup and carries a CVSS score of 7.2, requiring high privileges (PR:H) but low attack complexity over the network. No public exploit identified at time of analysis, and EPSS data is not provided in available intelligence.

Information Disclosure Buffalo Wi Fi Router Products
NVD
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-33955 HIGH PATCH This Week

Cross-site scripting in Notesnook Web/Desktop versions prior to 3.3.11 escalates to remote code execution when combined with the application's backup restore feature. The vulnerability triggers when attacker-controlled note headers render through unsafe `dangerouslySetInnerHTML` in the history comparison viewer, exploiting Electron's `nodeIntegration: true` and `contextIsolation: false` configuration to execute arbitrary code on victim systems. Attack requires local access and user interaction (CVSS AV:L/UI:R), but no authentication (PR:N). Vendor-released patch available in version 3.3.11; no public exploit or active exploitation confirmed at time of analysis.

RCE XSS Notesnook Web Desktop
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-22742 HIGH PATCH GHSA This Week

Server-Side Request Forgery in Spring AI Bedrock Converse module enables unauthenticated remote attackers to force the application server to issue HTTP requests to arbitrary internal or external destinations by supplying malicious media URLs in multimodal messages. Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3 are affected. The vulnerability carries a CVSS score of 8.6 with high confidentiality impact and changed scope, indicating potential access to internal network resources. No public exploit identified at time of analysis.

Java SSRF
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-33953 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass IP-based blocklist protections and access internal-only resources through hostname resolution. Attackers with low-privilege accounts can leverage this to probe internal network services, exfiltrate sensitive data from internal APIs, or pivot to otherwise unreachable infrastructure. CVSS 8.5 (High) with cross-scope impact reflects the potential for lateral movement beyond the application boundary. No active exploitation confirmed (CISA KEV: not listed), but the vulnerability class (CWE-918 SSRF) is commonly exploited when accessible to authenticated users. Patch available in version 2.5.3.

SSRF Linkace
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-31943 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in LibreChat versions prior to 0.8.3 allows authenticated users to bypass IP validation and force the application server to make HTTP requests to internal network resources. The vulnerability stems from improper validation of IPv4-mapped IPv6 addresses in hex-normalized form, enabling access to cloud metadata services (AWS 169.254.169.254), loopback addresses, and RFC1918 private networks. With EPSS data unavailable and no CISA KEV listing, no public exploit identified at time of analysis, though the specific bypass technique (hex-normalized IPv4-mapped IPv6) is well-documented in SSRF research.

SSRF Librechat
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-13478 HIGH This Week

OpenText Identity Manager versions up to 25.2 (v4.10.1) suffer from insecure cache handling that permits remote authenticated users to retrieve another user's session data, resulting in unauthorized information disclosure. An attacker with valid credentials can exploit this cache misconfiguration on both Windows and Linux deployments to access sensitive session information belonging to other authenticated users, compromising confidentiality of user sessions and potentially enabling lateral movement or privilege escalation attacks.

Information Disclosure Microsoft
NVD
CVSS 4.0
8.4
EPSS
0.2%
CVE-2026-33980 HIGH PATCH GHSA This Week

KQL injection in adx-mcp-server Python package allows authenticated attackers to execute arbitrary Kusto queries against Azure Data Explorer clusters. Three MCP tool handlers (get_table_schema, sample_table_data, get_table_details) unsafely interpolate the table_name parameter into query strings via f-strings, enabling data exfiltration from arbitrary tables, execution of management commands, and potential table drops. Vendor-released patch available (commit 0abe0ee). No public exploit identified at time of analysis, though proof-of-concept code exists in the security advisory demonstrating injection via comment-based bypass and newline-separated commands. Affects adx-mcp-server ≤ commit 48b2933.

Microsoft RCE Nosql Injection Python
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2025-15617 HIGH This Week

GitHub Actions workflow artifacts in Wazuh version 4.12.0 expose GITHUB_TOKEN credentials that unauthenticated network attackers can extract and use within a limited time window to push malicious commits or alter release tags in the project repository. The vulnerability carries a CVSS 4.0 score of 8.3 with high integrity impact and low availability impact. No public exploit identified at time of analysis, though the vulnerability is classified under authentication bypass tags by VulnCheck.

Authentication Bypass Wazuh
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-33981 HIGH PATCH GHSA This Week

changedetection.io versions up to 0.54.6 leak all server environment variables including password hashes, proxy credentials, and API keys via unrestricted jq filter expressions. Attackers with API access (default: no authentication required) can extract SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed to the container by creating a watch with 'jqraw:env' as the include filter. Vendor-released patch available in version 0.54.7. No active exploitation confirmed (not in CISA KEV), but a detailed proof-of-concept exists in the GitHub advisory demonstrating full environment variable extraction in three API calls.

Docker Python Information Disclosure
NVD GitHub
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-24031 HIGH PATCH This Week

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up to 2.4.0) lets remote attackers log in as any user when an administrator has cleared the auth_username_chars setting. The flaw is a CWE-89 SQL injection in the SQL-backed authentication driver: with input character filtering disabled, attacker-controlled username data reaches the SQL auth query unsanitized, enabling both full authentication bypass and account enumeration. Reported by OX and tracked as EUVD-2026-16561; no public exploit is identified at time of analysis, and CISA SSVC rates exploitation as none while assessing technical impact as total.

SQLi Ox Dovecot Pro
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-34042 HIGH PATCH GHSA This Week

Unauthenticated remote cache poisoning in nektos/act (GitHub Actions local runner) enables arbitrary code execution by exposing the built-in actions/cache server on all network interfaces without authentication. Attackers who can reach the cache server-including from the public internet if exposed-can inject malicious cache entries with predictable keys, leading to remote code execution within Docker containers running GitHub Actions workflows. No public exploit identified at time of analysis, though EPSS data unavailable. Vendor-released patch available in act v0.2.86.

Docker RCE Authentication Bypass Suse
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-33946 HIGH PATCH GHSA This Week

Session hijacking in the Model Context Protocol Ruby SDK (mcp gem) allows attackers to intercept Server-Sent Events streams by reusing valid session identifiers. The streamable_http_transport.rb implementation overwrites existing SSE stream objects when a duplicate session ID connects, silently disconnecting legitimate users and redirecting all tool responses and real-time data to the attacker. A proof-of-concept demonstration has been provided showing successful stream hijacking, where the attacker receives confidential tool call responses intended for the victim. Patch available per vendor advisory (release v0.9.2 per references).

Session Fixation Python Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-34375 HIGH GHSA This Week

Reflected cross-site scripting (XSS) in WWBN AVideo versions up to 26.0 enables credential theft through unsanitized request parameter echoed into JavaScript context. Attackers can craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript and exfiltrate the victim's username and password hash directly exposed in the vulnerable code block. CVSS score of 8.2 reflects high confidentiality impact; no public exploit identified at time of analysis.

XSS PHP
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-4984 HIGH This Week

Unauthenticated credential theft in Botpress Twilio integration allows remote attackers to capture plaintext Twilio account credentials (accountSID and authToken) via forged webhook requests. The webhook handler fails to validate X-Twilio-Signature headers and can be tricked into making HTTP requests to attacker-controlled servers with embedded credentials in Authorization headers, enabling full Twilio account compromise. CVSS score of 8.2 reflects high confidentiality impact with low attack complexity and no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N).

Information Disclosure Botpress
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-33206 HIGH PATCH This Week

Calibre versions prior to 9.6.0 allow remote attackers to exfiltrate arbitrary files from the host system through a combination of path traversal in image handling during file conversion and unauthenticated server-side request forgery in the ebook reader web view's background-image endpoint. An attacker can craft a malicious markdown or text-based file that references files outside the intended directory, then retrieve those files through the unprotected background-image handler without authentication, enabling complete file system disclosure on systems running vulnerable Calibre instances.

Path Traversal SSRF Authentication Bypass Calibre
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-33941 HIGH PATCH GHSA This Week

The Handlebars npm package precompiler (bin/handlebars) allows arbitrary JavaScript injection through unsanitized string concatenation in four distinct code paths: template filenames, namespace option (-n), CommonJS path option (-c), and AMD path option (-h). Attackers who can control template filenames or CLI arguments can inject code that executes when the generated JavaScript bundle is loaded in Node.js or browser environments. Publicly available exploit code exists with multiple proof-of-concept vectors demonstrated, including file system manipulation via require('fs'). CVSS 8.3 reflects local attack vector requiring low privileges and user interaction, with changed scope allowing high confidentiality, integrity, and availability impact.

XSS Node.js Amd
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-33979 HIGH PATCH GHSA This Week

express-xss-sanitizer versions 2.0.1 and earlier silently ignore restrictive sanitization configurations when developers explicitly set empty allowedTags or allowedAttributes arrays, instead defaulting to permissive HTML allowlists that can enable XSS attacks. The CVSS score of 8.2 (AV:N/AC:L/PR:N/UI:N) reflects network-accessible, unauthenticated exploitation with high integrity impact. A public proof-of-concept demonstrating the configuration bypass exists in the GitHub security advisory, showing how input intended to be stripped of all HTML instead preserves anchor tags with href attributes and paragraph elements. No EPSS score or CISA KEV status was provided in the intelligence data.

XSS
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-33938 HIGH PATCH This Week

Remote code execution in Handlebars templating engine (npm package) allows unauthenticated attackers to execute arbitrary JavaScript on Node.js servers by exploiting the @partial-block mechanism when combined with vulnerable helper functions. The attack overwrites @partial-block with a malicious Handlebars AST that is dynamically compiled and executed during template rendering. A working proof-of-concept exists demonstrating exploitation via the commonly-used handlebars-helpers package. Vendor-released patch is available in Handlebars version 4.7.9.

RCE Node.js Code Injection
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-33940 HIGH PATCH GHSA This Week

Remote code execution in Handlebars templating engine (npm package) allows unauthenticated network attackers to execute arbitrary server-side commands by exploiting dynamic partial resolution logic. Affected versions include all releases prior to v4.7.9. Attack requires the adversary to control context data passed to templates that use dynamic partial lookups. A proof-of-concept exploit demonstrates arbitrary code execution and is publicly documented. CVSS score of 8.1 reflects high complexity due to the need for specific template patterns and attacker-controlled context values.

Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33989 HIGH PATCH GHSA This Week

Path traversal in @mobilenext/mobile-mcp npm package allows remote attackers to write arbitrary files on the host system through unvalidated file path parameters. The mobile_save_screenshot and mobile_start_screen_recording tools accept user-controlled saveTo and output parameters that are passed directly to Node.js filesystem operations without sanitization, enabling attackers to overwrite critical system files (e.g., ~/.bashrc, ~/.ssh/authorized_keys) via prompt injection attacks. Affects versions prior to 0.0.49. Publicly available exploit code exists (functional Python PoC provided in disclosure). EPSS data not available, but the combination of network attack vector, low complexity (CVSS AC:L), and weaponized exploit code warrants immediate patching for systems running this MCP server.

Node.js Path Traversal
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33997 HIGH PATCH This Week

Plugin privilege validation bypass in Moby/Docker Engine prior to 29.3.1 (and Moby v2 before 2.0.0-beta.8) allows a malicious plugin to be installed with a privilege set that differs from what the user approved during 'docker plugin install'. The off-by-one in the daemon's comparison loop skips the first sorted privilege entry, and plugins requesting exactly one privilege bypass comparison entirely, potentially granting sensitive capabilities such as broad device access. No public exploit identified at time of analysis, EPSS is 0.01%, and SSVC marks exploitation as none but technical impact as total.

Docker Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4248 HIGH This Week

A information disclosure vulnerability in for WordPress is vulnerable to Sensitive Information Exposure in all (CVSS 8.0). High severity vulnerability requiring prompt remediation.

WordPress Information Disclosure Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-33874 HIGH PATCH This Week

Remote code execution in gematik Authenticator (macOS) versions 4.12.0 through 4.15.x enables malicious file-triggered command injection when victims open crafted documents. This CWE-78 OS command injection flaw requires no authentication but depends on user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R). No public exploit identified at time of analysis, though EPSS data not available. The authenticator serves German digital health applications, making this a high-impact target for healthcare sector attacks.

RCE Command Injection App Authenticator
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-27309 HIGH This Week

Arbitrary code execution in Adobe Substance3D Stager 3.1.7 and earlier allows local attackers to execute malicious code with user privileges through specially crafted files. Exploitation requires social engineering to trick users into opening weaponized Stager project files. No public exploit identified at time of analysis, though the use-after-free vulnerability class is well-understood and exploitable. CVSS 7.8 (High) reflects significant impact if exploited, though local attack vector and user interaction requirement reduce immediate risk compared to remotely exploitable flaws.

RCE Use After Free Memory Corruption Denial Of Service Substance3D Stager
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34172 HIGH PATCH GHSA This Week

Remote code execution in giskard-agents Python library (versions ≤0.3.3 and 1.0.x alpha) allows attackers to execute arbitrary system commands when user-controlled strings are passed to the ChatWorkflow.chat() method. The vulnerability stems from unsandboxed Jinja2 template rendering that enables class traversal exploitation via Python's object introspection. Patched in versions 0.3.4 (stable) and 1.0.2b1 (pre-release). Public exploit code exists demonstrating full RCE via Jinja2 object traversal to os.popen(). No active exploitation confirmed at time of analysis, though the straightforward attack vector and clear POC make this a critical priority for affected deployments.

Python RCE Ssti
NVD GitHub
CVSS 4.0
7.7
EPSS
0.4%
CVE-2026-33935 HIGH PATCH This Week

MyTube prior to version 1.8.72 permits unauthenticated attackers to trigger indefinite account lockouts affecting both administrator and visitor authentication by exploiting a shared, globally-scoped login attempt counter across three publicly accessible password verification endpoints. An attacker can repeatedly send invalid authentication requests to any endpoint, progressively increasing a 24-hour cooldown lockout duration that applies to all endpoints simultaneously, effectively denying legitimate users password-based authentication until the patch is deployed. No public exploit code or active in-the-wild exploitation has been confirmed, but the attack requires no privileges and can be automated trivially.

Denial Of Service Mytube
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy