31 CVEs tracked today: 2 Critical, 3 High, 24 Medium, 1 Low, 1 unscored.
-
CVE-2026-3256
CRITICAL
CVSS 9.8
HTTP::Session for Perl, versions through 0.53, defaults to insecurely generated session IDs, so an attacker can predict or brute-force a valid session identifier.
Information Disclosure
-
CVE-2025-15604
CRITICAL
CVSS 9.8
Amon2 for Perl versions before 6.17 use cryptographically weak random number generation for security-critical functions including session IDs, cookie signing secrets, and CSRF tokens. Versions 6.06-6.16 fall back to SHA-1 hashes seeded with predictable inputs (process ID from a small set, guessable epoch time, and the unsuitable built-in rand() function) when /dev/urandom is unavailable; versions before 6.06 relied entirely on built-in rand(). No CVSS vector or EPSS data is available, and no public exploit code or active exploitation has been confirmed, but the weakness directly undermines session security and CSRF protection in affected applications.
CSRF
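The two Perl entries above share one root cause: a session ID that is a deterministic function of a few guessable inputs (a process ID from a small set, an epoch second, and a non-cryptographic rand()), so the 160 bits of SHA-1 output carry only as much entropy as the input search space. The following is an added illustrative model, not HTTP::Session's or Amon2's code. It assumes (for the model only) that the weak PRNG is seeded from the same epoch second, and it shows an attacker recovering the inputs by enumeration, alongside the CSPRNG-based replacement.

```python
import hashlib
import math
import random
import secrets


def weak_session_id(pid: int, epoch: int) -> str:
    """Constructed model of the weak fallback: SHA-1 over pid, epoch second and a
    value from a non-cryptographic PRNG. Assumption: the PRNG is seeded from the
    epoch second (as a naive srand(time) would do), so the token depends on
    (pid, epoch) only. This is not Amon2 or HTTP::Session code."""
    prng = random.Random(epoch)  # Mersenne Twister, deterministic for a given seed
    material = f"{pid}{epoch}{prng.random()}"
    return hashlib.sha1(material.encode()).hexdigest()


def recover_inputs(token: str, pid_candidates, epoch_window):
    """Attacker side: given a captured token, enumerate the small pid set and a
    window of seconds around the observed login time until the hash matches.
    Returns (pid, epoch) on success, None otherwise."""
    for pid in pid_candidates:
        for t in epoch_window:
            if weak_session_id(pid, t) == token:
                return pid, t
    return None


def search_space_bits(n_pids: int, window_seconds: int) -> float:
    """Effective entropy of the weak token: log2 of the number of (pid, second)
    pairs the attacker must try, regardless of the 160-bit hash length."""
    return math.log2(n_pids * window_seconds)


def strong_session_id() -> str:
    """Replacement: 32 bytes (256 bits) from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Constructed scenario: the server ran as pid 4242 and issued the token at
    # epoch 1700000000; the attacker knows the login time to within five minutes.
    captured = weak_session_id(4242, 1_700_000_000)
    print("recovered:", recover_inputs(captured, range(4200, 4300),
                                       range(1_699_999_700, 1_700_000_300)))
    print("effective bits:", round(search_space_bits(100, 600), 1))
    print("strong id:", strong_session_id())
```

The point of `search_space_bits` is that a 100-pid set times a 600-second window is under 16 bits of work, which is why hashing the inputs with SHA-1 adds no security; only the entropy of the inputs matters, and `secrets` gets it from /dev/urandom or the platform equivalent.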
-
CVE-2026-4987
HIGH
CVSS 7.5
Payment amount bypass in the Brainstorm Force SureForms WordPress plugin (all versions ≤2.5.2) allows unauthenticated remote attackers to create underpriced payment and subscription intents by setting the form_id parameter to 0, which skips the configured payment validation. CVSS 7.5 (High): network attack vector, low complexity, no privileges required. EPSS data not provided; no public exploit identified at time of analysis. This is a direct financial fraud risk for e-commerce and donation sites using the affected plugin.
WordPress
Authentication Bypass
-
CVE-2026-1679
HIGH
CVSS 7.3
Buffer overflow in the Zephyr RTOS eswifi socket offload driver allows authenticated local attackers to corrupt kernel memory through oversized socket send operations. The resulting heap corruption enables privilege escalation and denial of service, with high integrity and availability impact. No public exploit identified at time of analysis, though the attack is straightforward for any code with socket API access. The 7.3 score reflects the local attack vector and the low privileges required.
Buffer Overflow
-
CVE-2025-12886
HIGH
CVSS 7.2
Server-Side Request Forgery (SSRF) in Oxygen Theme for WordPress versions up to 6.0.8 allows unauthenticated remote attackers to make arbitrary HTTP requests from the web server via the vulnerable laborator_calc_route AJAX action. This vulnerability is confirmed exploitable without authentication (CVSS PR:N) and enables attackers to query or modify internal services behind firewalls, exfiltrate cloud metadata (AWS/Azure credentials), or scan internal networks. No public exploit identified at time of analysis, though the unauthenticated attack vector and low complexity (AC:L) suggest straightforward exploitation.
WordPress
SSRF
-
CVE-2026-5019
MEDIUM
CVSS 6.9
SQL injection in code-projects Simple Food Order System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Status parameter in all-orders.php. A public exploit is available and the attack requires neither authentication nor user interaction (CVSS 3.1 base 7.3, AV:N/AC:L/PR:N; the 6.9 listed above is presumably the CVSS 4.0 score for the same vector). No vendor-released patch identified at time of analysis, representing elevated risk for installations of this PHP-based food ordering application.
PHP
SQLi
-
CVE-2026-5018
MEDIUM
CVSS 6.9
SQL injection in code-projects Simple Food Order System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'Name' parameter in register-router.php, giving unauthorized database access. Public exploit code is available. Attack complexity is low and neither user interaction nor authentication is required (CVSS PR:N), so exploitation can be automated. No vendor-released patch identified at time of analysis.
PHP
SQLi
-
CVE-2026-5017
MEDIUM
CVSS 6.9
SQL injection in Simple Food Order System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Status parameter in /all-tickets.php. The vulnerability is trivially exploitable with low attack complexity and requires no user interaction. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no active exploitation has been confirmed by CISA KEV at time of analysis.
PHP
SQLi
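The three Simple Food Order System entries above are the same bug shape: a request parameter (Status, Name) concatenated into the SQL text. The following is an added example, not the application's PHP code, modelled in Python against an in-memory SQLite database with constructed sample rows. It shows the string-built filter being turned into a tautology and a UNION that reads the schema, next to the parameterized form that treats the value as data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's orders table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT, status TEXT);
        INSERT INTO orders(customer, status) VALUES
            ('alice', 'paid'), ('bob', 'pending'), ('carol', 'cancelled');
    """)
    return conn


def orders_by_status_vulnerable(conn, status: str):
    """Model of the vulnerable pattern (not the app's code): the Status value is
    pasted into the SQL text, so quotes in it change the query's structure."""
    sql = f"SELECT id, customer, status FROM orders WHERE status = '{status}'"
    return conn.execute(sql).fetchall()


def orders_by_status_safe(conn, status: str):
    """Hardened form: a bound parameter is never parsed as SQL, whatever it contains."""
    sql = "SELECT id, customer, status FROM orders WHERE status = ?"
    return conn.execute(sql, (status,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Tautology: WHERE status = '' OR '1'='1' returns every order.
    print(orders_by_status_vulnerable(db, "' OR '1'='1"))
    # UNION with a matching column count reads table definitions; the trailing
    # "--" comments out the closing quote the template appends.
    print(orders_by_status_vulnerable(
        db, "x' UNION SELECT rootpage, name, sql FROM sqlite_master--"))
    # The same payload as a parameter simply matches no row.
    print(orders_by_status_safe(db, "' OR '1'='1"))
```

SQLite's `execute` refuses stacked statements, so the usual `'; DROP TABLE` variant fails here, but MySQL drivers configured for multi-statement execution would not stop it; parameterization, not the driver, is the control.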
-
CVE-2026-5016
MEDIUM
CVSS 6.9
Server-Side Request Forgery (SSRF) in elecV2P versions up to 3.8.3 allows unauthenticated remote attackers to make the server issue attacker-controlled HTTP requests to internal or external hosts via the eAxios function in the /mock URL handler. This enables unauthorized access to internal resources, data exfiltration from confidential endpoints, and potential lateral movement within internal networks. Publicly available exploit code exists (GitHub issue #202), significantly lowering the barrier to exploitation. EPSS data not provided, but the combination of a network-accessible attack vector, low complexity, no authentication requirement, and a public PoC represents elevated real-world risk. Vendor has not responded to early disclosure.
SSRF
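Both SSRF entries above (Oxygen Theme's laborator_calc_route and elecV2P's /mock handler) let a user-supplied URL reach server-side HTTP code, which is how the cloud metadata address and internal services become reachable. The following added example is not code from either project. It validates an outbound URL by scheme, rejects userinfo, resolves the host, refuses any answer in a private, loopback, link-local (which includes 169.254.169.254) or IPv4-mapped range, and returns one pinned IP for the caller to connect to, since re-resolving at connect time reopens the DNS-rebinding hole. The resolver is injectable; the dictionary-backed one is constructed for offline use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _is_forbidden(addr) -> bool:
    """True for addresses a server-side fetch must never contact."""
    # Judge ::ffff:127.0.0.1 as 127.0.0.1, not as an ordinary IPv6 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_private covers RFC 1918, 0.0.0.0/8 and fc00::/7; is_link_local covers
    # 169.254.0.0/16 and therefore the cloud metadata endpoint.
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolver(host: str) -> list:
    """Default resolver: every A/AAAA answer the OS returns."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


# Constructed DNS table so the example runs offline; not real records.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host: str) -> list:
    return CONSTRUCTED_DNS.get(host, [])


def resolve_outbound_target(url: str, resolver=system_resolver) -> str:
    """Validate a user-supplied URL for a server-side fetch; return the single IP
    the caller should connect to (send the original Host header, do not re-resolve).
    Raises ValueError on anything not allowed; fails closed on resolution errors."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password or not parts.hostname:
        raise ValueError("userinfo present or host missing")
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, including [::ffff:...]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    # Every answer must be public: a mixed public/private answer set is a known
    # trick against validators that only check the first record.
    for addr in addrs:
        if _is_forbidden(addr):
            raise ValueError(f"{host} resolves to forbidden address {addr}")
    return str(addrs[0])


def is_allowed_url(url: str, resolver=system_resolver) -> bool:
    try:
        resolve_outbound_target(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://example.com/api", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "http://metadata.internal/",
              "http://mixed.example/", "file:///etc/passwd"):
        print(u, "->", is_allowed_url(u, fake_resolver))
```

Decimal or hex forms of an address such as `http://2130706433/` are not parsed by `ipaddress.ip_address` and go to the resolver; with a real resolver the OS may accept them as 127.0.0.1, which then fails the check, and with an unknown name the validator fails closed. HTTP redirects still need the same check applied to each hop, which means disabling automatic redirect following in the client.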
-
CVE-2026-5015
MEDIUM
CVSS 5.3
Reflected cross-site scripting (XSS) in elecV2P up to version 3.8.3 allows remote attackers to inject malicious scripts via the filename parameter in the /logs endpoint, requiring user interaction to execute. The vulnerability has publicly available exploit code and affects all versions through 3.8.3, with no vendor patch released despite early notification through issue reporting.
XSS
-
CVE-2026-5014
MEDIUM
CVSS 5.5
Path traversal in elecV2P's wildcard handler allows unauthenticated remote attackers to read files outside intended directories via improper path validation in the /log/ endpoint, affecting versions up to 3.8.3. The vulnerability has a publicly available proof of concept and a CVSS score of 5.5 reflecting limited confidentiality impact. The vendor has not responded to early disclosure despite issue notification.
Path Traversal
-
CVE-2026-5013
MEDIUM
CVSS 5.5
Path traversal in elecV2P up to version 3.8.3 allows unauthenticated remote attackers to read arbitrary files via manipulation of the URL argument in the /store/:key endpoint's path.join function. The vulnerability has a CVSS score of 5.5 with low confidentiality impact, publicly available exploit code exists, and the vendor has not responded to early notification through an issue report.
Path Traversal
-
CVE-2026-5012
MEDIUM
CVSS 6.9
Operating system command injection in elecV2P up to version 3.8.3 allows unauthenticated remote attackers to execute arbitrary commands through the pm2run function in the /rpc endpoint. The vulnerability has a CVSS score of 6.9 with publicly available exploit code, though the vendor has not yet responded to early notification of the issue. This represents a moderate-to-high risk for exposed elecV2P instances due to the combination of remote exploitability, low attack complexity, and confirmed public exploit availability.
Command Injection
-
CVE-2026-5011
MEDIUM
CVSS 5.3
Remote code execution in elecV2P up to version 3.8.3 allows authenticated attackers to inject arbitrary code via manipulation of the rawcode argument in the runJSFile function of the /webhook JSON Parser endpoint. The vulnerability has publicly available exploit code and the vendor has not yet responded to early disclosure notifications, making this an active security concern for deployed instances.
Code Injection
RCE
-
CVE-2026-5007
MEDIUM
CVSS 4.8
OS command injection in kazuph mcp-docs-rag through version 0.5.0 allows local attackers with limited privileges to execute arbitrary commands via the cloneRepository function in src/index.ts. The vulnerability affects the add_git_repository and add_text_file components, with publicly available exploit code demonstrating the attack. No vendor patch has been released despite early notification through a GitHub issue.
Command Injection
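The elecV2P pm2run and mcp-docs-rag cloneRepository entries above are both command injection through a string handed to a shell. For a git clone there is a second, quieter failure: even with the shell removed, a repository URL beginning with `-` is parsed by git as an option, and `--upload-pack=<cmd>` runs locally. The following added example is not either project's code; it shows the interpolated shell string next to an argv builder that restricts the scheme and repository path (the allowed path pattern is an assumption for the example), rejects option-shaped destinations, and ends option parsing with `--`. Nothing here executes git, so it runs offline.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Assumed policy for this example: host/owner/repo[.git], nothing else.
REPO_PATH = re.compile(r"^/[A-Za-z0-9._-]+/[A-Za-z0-9._-]+(?:\.git)?/?$")
DEST_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def clone_command_vulnerable(repo_url: str, dest: str) -> str:
    """Model of the vulnerable pattern (not the project's code): a shell string
    built by interpolation, so ';', '$(...)' and friends in either value run."""
    return f"git clone {repo_url} {dest}"


def clone_argv_safe(repo_url: str, dest: str) -> list:
    """Build an argv list for subprocess.run(argv) without a shell.
    Raises ValueError for anything outside the allowed shape."""
    parts = urlsplit(repo_url)  # urlsplit keeps ';params' in path, unlike urlparse
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("host missing or userinfo present")
    if parts.query or parts.fragment or not REPO_PATH.match(parts.path):
        raise ValueError(f"repository path not allowed: {parts.path!r}")
    if not DEST_NAME.match(dest) or dest in (".", ".."):
        raise ValueError(f"destination not allowed: {dest!r}")
    # "--" ends option parsing: a value starting with "-" can no longer become
    # --upload-pack=<cmd> or --config, which git would honour locally.
    return ["git", "clone", "--", repo_url, dest]


def is_valid_clone(repo_url: str, dest: str) -> bool:
    try:
        clone_argv_safe(repo_url, dest)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(clone_command_vulnerable("https://example.com/a/b.git; id", "docs"))
    print(clone_argv_safe("https://github.com/kazuph/mcp-docs-rag.git", "docs"))
    for url, dest in (("--upload-pack=touch /tmp/pwned", "docs"),
                      ("ext::sh -c id", "docs"),
                      ("https://github.com/a/b.git", "-o")):
        print(url, dest, "->", is_valid_clone(url, dest))
```

The scheme allow-list matters on its own: git's `ext::` transport runs an arbitrary command, so a URL check that only looks for shell metacharacters is not enough. Run the result as `subprocess.run(argv, check=True)` with no `shell=True`; the same argv discipline applies to the pm2 invocation in the elecV2P case.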
-
CVE-2026-5002
MEDIUM
CVSS 6.9
Prompt injection in PromtEngineer localGPT allows unauthenticated remote attackers to manipulate LLM behavior via crafted inputs to the _route_using_overviews function. Publicly available exploit code exists (GitHub). The vulnerability affects all versions up to commit 4d41c7d17. The source reports CVSS 3.1 base 7.3 with low confidentiality, integrity, and availability impact; the 6.9 listed above is presumably the CVSS 4.0 score for the same vector. EPSS data not available, but the combination of a network-accessible attack vector, low complexity (AC:L), no authentication requirement (PR:N), and a public PoC elevates real-world risk for installations exposed to untrusted input.
Information Disclosure
-
CVE-2026-5001
MEDIUM
CVSS 6.9
Unrestricted file upload in PromtEngineer localGPT allows remote attackers to upload arbitrary files via the do_POST function in backend/server.py, enabling potential remote code execution or system compromise. The vulnerability affects all versions up to commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054, impacts unauthenticated remote users, and publicly available exploit code exists. The vendor has not responded to early disclosure attempts, leaving the product unpatched.
File Upload
-
CVE-2026-5000
MEDIUM
CVSS 6.9
Authentication bypass in PromtEngineer localGPT affects the LocalGPTHandler API endpoint in backend/server.py, allowing unauthenticated remote attackers to access protected functionality with low confidentiality, integrity, and availability impact. The vulnerability stems from improper validation of the BaseHTTPRequestHandler argument, enabling attackers to manipulate request handling without credentials. No public exploit code or active exploitation has been confirmed, though the vendor has not responded to disclosure efforts.
Authentication Bypass
-
CVE-2026-4999
MEDIUM
CVSS 5.3
Path traversal in z-9527 admin's file upload function allows authenticated remote attackers to manipulate the fileType parameter in /server/utils/upload.js to access files outside the intended directory, potentially leading to information disclosure or file overwrite. The vulnerability affects all versions up to commit 72aaf2dd05cf4ec2e98f390668b41e128eec5ad2, with publicly available exploit code documented and a CVSS score of 5.3 (low confidentiality, integrity, and availability impact). The vendor has not responded to early disclosure notification.
Path Traversal
-
CVE-2026-4998
MEDIUM
CVSS 6.9
Code injection in Sinaptik AI PandasAI versions up to 3.0.0 allows unauthenticated remote attackers to execute arbitrary code via the CodeExecutor.execute function in the Chat Message Handler component. The source reports CVSS 3.1 base 7.3 (High) with network attack vector, low complexity, and no authentication required; the 6.9 listed above is presumably the CVSS 4.0 score for the same vector. Publicly available exploit code exists (PoC on GitHub Gist). EPSS data not provided, but unauthenticated remote execution with a public exploit significantly elevates real-world risk. Vendor non-responsive to coordinated disclosure.
Code Injection
RCE
-
CVE-2026-4997
MEDIUM
CVSS 5.5
Path traversal in Sinaptik AI PandasAI up to version 3.0.0 allows remote unauthenticated attackers to read arbitrary files by manipulating the is_sql_query_safe function in the SQL sanitizer module. The source reports CVSS 3.1 base 5.3 (low-to-medium severity); the 5.5 listed above is presumably the CVSS 4.0 score. Public exploit code is available, though active exploitation has not been confirmed by CISA. The vendor did not respond to early disclosure notification.
Path Traversal
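The path traversal entries above (elecV2P's /log/ wildcard handler and /store/:key path.join, z-9527's fileType parameter, and the PandasAI sanitizer) all come down to joining user input onto a base directory and trusting the result. Neither Node's path.join nor Python's os.path.join sandboxes anything: `..` still climbs, and an absolute component discards everything before it. The following is an added example, not code from any of those projects. It shows the naive join beside a containment check that decodes once, strips leading separators, resolves symlinks, and then requires the real path to sit under the real base.

```python
import os
from urllib.parse import unquote


def naive_join(base_dir: str, user_path: str) -> str:
    """The pattern the advisories describe (constructed model, not project code):
    join and normalise, with no check that the result stays under base_dir."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir; raise ValueError if it would escape."""
    base = os.path.realpath(base_dir)
    # Decode exactly once so %2e%2e/ is checked as ../ and not passed through.
    user_path = unquote(user_path)
    # Strip leading separators: an absolute input is treated as relative to base
    # instead of replacing it, which is what os.path.join would otherwise do.
    relative = user_path.lstrip("/\\")
    # realpath resolves symlinks, so a link inside base pointing outside is
    # also refused; compare with a trailing separator to stop "logs2" matching "logs".
    candidate = os.path.realpath(os.path.join(base, relative))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def is_safe_path(base_dir: str, user_path: str) -> bool:
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed base directory; it need not exist for the check to work.
    base = "/srv/app/logs"
    for p in ("app.log", "../../../etc/passwd", "/etc/passwd",
              "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{p!r:40} naive={naive_join(base, p):30} safe={is_safe_path(base, p)}")
```

Note the decision on absolute input: stripping the leading slash keeps `/etc/passwd` inside the base as `<base>/etc/passwd` rather than rejecting it outright; reject instead if the endpoint should never see absolute paths. On Windows also reject drive letters and UNC prefixes before the join, since `lstrip` does not remove `C:`.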
-
CVE-2026-4996
MEDIUM
CVSS 6.9
SQL injection in the pandasai-lancedb extension of Sinaptik AI PandasAI, versions up to 0.1.4, allows unauthenticated remote attackers to manipulate database operations. Six functions in lancedb.py (delete_question_and_answers, delete_docs, update_question_answer, update_docs, get_relevant_question_answers_by_id, get_relevant_docs_by_id) build their queries from untrusted input. Publicly available exploit code exists. The source reports CVSS 3.1 base 7.3; the 6.9 listed above is presumably the CVSS 4.0 score for the same vector. EPSS data not provided. The vendor has not responded to disclosure attempts.
SQLi
-
CVE-2026-4995
MEDIUM
CVSS 5.1
Stored cross-site scripting (XSS) in wandb OpenUI up to version 1.0 via the Window Message Event Handler in frontend/public/annotator/index.html allows authenticated remote attackers to inject malicious scripts, with user interaction required. The source reports a low CVSS 3.1 base score of 3.5 because authentication and user interaction are required; the 5.1 listed above is presumably the CVSS 4.0 score. Publicly available exploit code exists and the vendor has not responded to early disclosure notifications.
XSS
-
CVE-2026-4994
MEDIUM
CVSS 5.1
Information disclosure in wandb OpenUI up to version 1.0/3.5-turb allows authenticated local network attackers to expose sensitive information through error messages in the APIStatusError handler by manipulating the key argument. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification. Attack complexity is low and requires only local network access and low-level privileges.
Information Disclosure
-
CVE-2026-2595
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in Quads Ads Manager for Google AdSense plugin for WordPress up to version 2.0.98.1 allows authenticated attackers with Contributor-level or higher permissions to inject malicious scripts into ad metadata fields that execute in the browsers of all site visitors, potentially enabling session hijacking, credential theft, or malware distribution. CVSS 5.4 reflects the requirement for authenticated access and user interaction (page visit), but the stored nature and broad audience impact elevate real-world risk. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
XSS
Google
-
CVE-2026-2442
MEDIUM
CVSS 5.3
CRLF injection in Page Builder: Pagelayer WordPress plugin up to version 2.0.7 allows unauthenticated attackers to inject arbitrary email headers (Bcc, Cc, etc.) through contact form fields. The vulnerability exploits unsafe placeholder substitution in email headers without CR/LF sanitization, enabling email header spoofing and potential abuse of form email delivery systems. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
Code Injection
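The Pagelayer entry above describes the classic email header injection: a form value substituted into a header line with no check for CR or LF, so one field can terminate the header and start a new one such as Bcc. The following is an added example, not the plugin's PHP code; it models the unsafe substitution in Python with a constructed message template and attacker fields, parses the result the way an MTA would see it, and shows the hardened field check that refuses control characters rather than silently stripping them.

```python
import re

# Constructed template for the example; the plugin's real template is not on the page.
TEMPLATE = ("From: {name} <{email}>\r\n"
            "To: owner@example.com\r\n"
            "Subject: Website contact: {subject}\r\n"
            "\r\n"
            "{message}")

CONTROL = re.compile(r"[\r\n\x00]")


def build_raw_email_vulnerable(template: str, fields: dict) -> str:
    """The advisory's pattern (constructed model): placeholders are replaced with
    raw field values, so a value containing CR/LF begins a new header line."""
    raw = template
    for name, value in fields.items():
        raw = raw.replace("{" + name + "}", value)
    return raw


def header_value(value: str) -> str:
    """Hardened field check: reject CR, LF and NUL instead of stripping them,
    so an injection attempt fails loudly and can be logged."""
    if CONTROL.search(value):
        raise ValueError("control characters in header field")
    return value


def build_raw_email_safe(template: str, fields: dict) -> str:
    """Header fields are validated; the body may legitimately contain newlines."""
    checked = {k: (v if k == "message" else header_value(v)) for k, v in fields.items()}
    return build_raw_email_vulnerable(template, checked)


def is_clean_field(value: str) -> bool:
    return CONTROL.search(value) is None


def parse_headers(raw: str) -> dict:
    """Minimal header view of what the MTA receives: name -> list of values,
    accepting either CRLF or bare LF line endings as MTAs commonly do."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = {}
    for line in re.split(r"\r?\n", head):
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


# Constructed attacker submission: the email field closes the angle bracket,
# injects a Bcc header, and parks the template's trailing ">" in a junk header.
ATTACK_FIELDS = {
    "name": "Eve",
    "email": "eve@example.com>\r\nBcc: victim-list@example.net\r\nX-Junk: ",
    "subject": "hello",
    "message": "spam body",
}

if __name__ == "__main__":
    print(parse_headers(build_raw_email_vulnerable(TEMPLATE, ATTACK_FIELDS)))
    try:
        build_raw_email_safe(TEMPLATE, ATTACK_FIELDS)
    except ValueError as exc:
        print("rejected:", exc)
```

If the mailer accepts a recipient list separately from the headers, also make sure the form cannot influence that list; the header check only closes the substitution path the advisory describes.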
-
CVE-2026-1307
MEDIUM
CVSS 6.5
Ninja Forms plugin for WordPress versions up to 3.14.1 exposes authorization tokens via an insecure callback function in blocks/bootstrap.php, allowing authenticated Contributor-level users and above to access form submission data from arbitrary forms without proper authorization. The vulnerability enables sensitive information disclosure affecting all WordPress installations using the affected plugin versions, with no active exploitation confirmed at time of analysis.
WordPress
PHP
Information Disclosure
-
CVE-2025-15445
MEDIUM
CVSS 5.4
Restaurant Cafeteria WordPress theme through version 0.4.6 allows authenticated subscribers to execute arbitrary PHP code and modify site configuration through unprotected admin-ajax actions lacking nonce and capability checks. An attacker with subscriber-level access can install malicious plugins from attacker-controlled URLs or import demo content that overwrites critical site settings, pages, menus, and theme configuration. Publicly available exploit code exists for this vulnerability.
WordPress
PHP
RCE
Authentication Bypass
-
CVE-2025-9497
MEDIUM
CVSS 5.5
Microchip Time Provider 4100 contains hard-coded credentials used for software update decryption, allowing malicious actors to craft and deploy unauthorized firmware updates without detection. Versions prior to 2.5.0 are affected. An attacker with local or network access to the device can leverage these credentials to bypass authentication controls during the manual software update process, potentially gaining full control of the time synchronization infrastructure.
Authentication Bypass
-
CVE-2026-23399
None
Memory leak in the Linux kernel nf_tables nft_dynset module allows local denial of service through a failed stateful expression clone during dynamic set operations. When the clone of the second stateful expression fails under GFP_ATOMIC allocation, the already-cloned first expression is not released, so repeated failures accumulate percpu allocations until kernel memory is exhausted. Kernels that contain the affected nft_dynset code and lack the fix are vulnerable; exploitation requires local access with the ability to trigger the nf_tables dynamic set evaluation path.
Linux
Linux Kernel
Memory Corruption
Suse
Debian
-
CVE-2026-4993
LOW
CVSS 1.9
Wandb OpenUI up to version 1.0 exposes hard-coded credentials in backend/openui/config.py, where the LITELLM_MASTER_KEY argument is improperly handled, allowing local authenticated users with low privileges to read sensitive authentication material. The source reports a low CVSS 3.1 base score of 3.3 because of the local-only attack vector and limited impact; the 1.9 listed above is presumably the CVSS 4.0 score. Publicly available exploit code exists and vendor contact has been unsuccessful, which raises the practical risk for deployed instances.
Authentication Bypass