Skip to main content
CVE-2026-4993 LOW POC Monitor

Wandb OpenUI up to version 1.0 contains hard-coded credentials exposure in backend/openui/config.py where the LITELLM_MASTER_KEY argument is improperly handled, allowing local authenticated users with low privileges to read sensitive authentication material. The vulnerability has a low CVSS score (3.3) due to local-only attack vector and low impact scope, but publicly available exploit code exists and vendor contact has been unsuccessful, increasing practical risk for deployed instances.

Authentication Bypass Openui
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-23399 MEDIUM PATCH This Month

Memory leak in Linux kernel nf_tables nft_dynset module allows local denial of service through failed stateful expression cloning during dynamic set operations. When the second stateful expression clone fails under GFP_ATOMIC memory allocation, the first expression is not properly released, accumulating percpu memory allocations that exhaust kernel memory. This affects all Linux kernel versions until patched, with exploitation requiring local system access to trigger the nf_tables dynamic set evaluation code path.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-9497 MEDIUM PATCH This Month

Microchip Time Provider 4100 contains hard-coded credentials used for software update decryption, allowing malicious actors to craft and deploy unauthorized firmware updates without detection. Versions prior to 2.5.0 are affected. An attacker with local or network access to the device can leverage these credentials to bypass authentication controls during the manual software update process, potentially gaining full control of the time synchronization infrastructure.

Authentication Bypass Time Provider 4100
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2595 MEDIUM This Month

Stored cross-site scripting (XSS) in Quads Ads Manager for Google AdSense plugin for WordPress up to version 2.0.98.1 allows authenticated attackers with Contributor-level or higher permissions to inject malicious scripts into ad metadata fields that execute in the browsers of all site visitors, potentially enabling session hijacking, credential theft, or malware distribution. CVSS 5.4 reflects the requirement for authenticated access and user interaction (page visit), but the stored nature and broad audience impact elevate real-world risk. No public exploit code or active exploitation has been identified at time of analysis.

WordPress XSS Google
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2442 MEDIUM This Month

CRLF injection in Page Builder: Pagelayer WordPress plugin up to version 2.0.7 allows unauthenticated attackers to inject arbitrary email headers (Bcc, Cc, etc.) through contact form fields. The vulnerability exploits unsafe placeholder substitution in email headers without CR/LF sanitization, enabling email header spoofing and potential abuse of form email delivery systems. No public exploit code or active exploitation has been identified at time of analysis.

WordPress Code Injection
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy