146 CVEs tracked today. 24 Critical, 46 High, 63 Medium, 13 Low.
-
CVE-2026-34714
CRITICAL
CVSS 9.2
Remote code execution in Vim versions before 9.2.0272 executes arbitrary commands immediately upon opening a malicious file through %{expr} injection in tabpanel components lacking the P_MLE flag. This unauthenticated local attack requires no user interaction beyond opening the file, with CVSS 9.2 (Critical) reflecting scope change and high confidentiality/integrity impact. Vendor-released patch available in version 9.2.0272.
RCE
Command Injection
-
CVE-2026-34558
CRITICAL
CVSS 9.1
Stored Cross-Site Scripting in CI4MS methods management allows authenticated users to inject malicious JavaScript into administrative interfaces and global navigation, affecting all users including administrators. The vulnerability affects CI4MS versions before 0.31.0.0 with a CVSS score of 9.1 due to scope change (C) enabling privilege escalation. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data not provided for risk probability assessment.
XSS
-
CVE-2026-34557
CRITICAL
CVSS 9.1
Stored cross-site scripting in CI4MS role/group management allows authenticated attackers to inject malicious JavaScript into three distinct administrative fields, achieving persistent code execution in privileged admin contexts with scope change impact. The vulnerability affects all versions prior to 0.31.0.0 and requires low-privilege authenticated access with no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C). Vendor-released patch version 0.31.0.0 addresses the input sanitization and output encoding failures. No public exploit identified at time of analysis, though EPSS data not available for this recent CVE.
XSS
-
CVE-2026-34361
CRITICAL
CVSS 9.3
Server-Side Request Forgery (SSRF) in HAPI FHIR Validator HTTP service leaks authentication credentials for configured FHIR package registries to attacker-controlled domains. The unauthenticated `/loadIG` endpoint accepts arbitrary URLs, and a flawed `startsWith()` prefix matching logic in credential provider causes Bearer tokens, Basic auth, and API keys to be sent to domains like `packages.fhir.org.attacker.com` when legitimate servers like `packages.fhir.org` are configured. No public exploit identified at time of analysis, but EPSS score and detailed proof-of-concept in advisory indicate high weaponization potential. CVSS 9.3 (Critical) reflects scope change — stolen credentials compromise external FHIR registries and clinical data repositories beyond the vulnerable validator.
Java
SSRF
-
CVE-2026-34156
CRITICAL
CVSS 9.9
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated low-privilege attackers to escape Node.js vm sandbox and execute arbitrary commands as root inside Docker containers. The vulnerability exploits exposed WritableWorkerStdio stream objects in the sandbox console to traverse the prototype chain, access the host-realm Function constructor, load unrestricted Node.js modules (child_process), and spawn system commands. Confirmed exploited with reverse shell access, database credential theft (DB_PASSWORD, INIT_ROOT_PASSWORD), and arbitrary filesystem operations. EPSS data not available; public exploit code exists with detailed proof-of-concept demonstrating root shell access in nocobase/nocobase:latest Docker image. Critical 10.0 CVSS score reflects network-exploitable, low-complexity attack with complete confidentiality, integrity, and availability impact plus scope change (container escape implications).
Node.js
RCE
Docker
Debian
-
CVE-2026-33032
CRITICAL
CVSS 9.8
Remote unauthenticated nginx service takeover in nginx-ui's MCP integration allows network attackers to create, modify, or delete nginx configuration files and trigger automatic reloads without authentication. The /mcp_message endpoint lacks authentication middleware while exposing the same MCP tool handlers as the protected /mcp endpoint, and the IP whitelist defaults to empty (allow-all). Attackers can inject malicious server blocks to intercept credentials, exfiltrate backend topology, or crash nginx with invalid configs. CVSS 9.8 (Critical) with network attack vector, no authentication required, and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though detailed proof-of-concept HTTP request provided in advisory.
Nginx
Authentication Bypass
Information Disclosure
-
CVE-2026-33026
CRITICAL
CVSS 9.4
Remote authenticated attackers can achieve arbitrary command execution on nginx-ui v2.3.3 servers by manipulating encrypted backup archives during restoration. The vulnerability stems from a circular trust model where backup integrity metadata is encrypted using the same AES key provided to clients, allowing attackers to decrypt backups, inject malicious configuration (including command execution directives), recompute valid hashes, and re-encrypt the archive. The restore process accepts tampered backups despite hash verification warnings. Publicly available exploit code exists with detailed proof-of-concept demonstrating configuration injection leading to arbitrary command execution. Vendor-released patch available in nginx-ui v2.3.4. This represents a regression from GHSA-g9w5-qffc-6762, which addressed backup access control but not the underlying cryptographic design flaw.
Nginx
Authentication Bypass
Docker
-
CVE-2026-31946
CRITICAL
CVSS 9.8
Authentication bypass in OpenOlat e-learning platform versions 10.5.4 through 20.2.4 allows remote unauthenticated attackers to forge authentication tokens due to missing JWT signature verification in OpenID Connect implementation. The platform accepts JWTs without cryptographic validation, enabling attackers to impersonate any user by crafting tokens with arbitrary claims. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis, though the vulnerability is trivial to exploit given the complete absence of signature verification.
Authentication Bypass
-
CVE-2026-30562
CRITICAL
CVSS 9.3
Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary web script or HTML via the unvalidated 'msg' parameter in add_stock.php. The vulnerability is publicly demonstrated with available proof-of-concept code, enabling attackers to execute malicious scripts in users' browsers without requiring authentication or special privileges.
XSS
PHP
-
CVE-2026-30313
CRITICAL
CVSS 9.8
Remote code execution in DSAI-Cline's command auto-approval module allows unauthenticated attackers to bypass whitelist validation by embedding newline characters in command payloads, forcing automatic approval and sequential execution of arbitrary OS commands via PowerShell without user interaction.
Command Injection
RCE
Code Injection
-
CVE-2026-30308
CRITICAL
CVSS 9.8
HAI Build Code Generator's automatic command execution feature can be bypassed through prompt injection attacks, allowing unauthenticated remote code execution by misleading the AI model into misclassifying malicious commands as safe. The vulnerability exploits a fundamental design flaw in the model's safety classification logic, where attackers can wrap destructive commands in generic templates to bypass the user approval requirement that should be triggered for potentially dangerous operations.
RCE
Code Injection
-
CVE-2026-30307
CRITICAL
CVSS 9.8
Remote code execution in Roo Code's command auto-approval module allows unauthenticated attackers to bypass the whitelist security mechanism via shell command substitution in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(...) and backtick syntax, enabling an attacker to inject malicious commands (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS scoring, KEV status, or official patch information is currently available.
RCE
Command Injection
Code Injection
-
CVE-2026-30306
CRITICAL
CVSS 9.8
SakaDev's automatic terminal command execution feature can be bypassed via prompt injection attacks, allowing unauthenticated remote attackers to execute arbitrary commands without user approval by wrapping malicious commands in templates that mislead the underlying language model into misclassifying destructive operations as safe. The vulnerability exploits a design flaw in the model-based safety classification mechanism rather than a traditional code defect, affecting the extension across all versions where the 'Execute safe commands' option is enabled.
RCE
Code Injection
-
CVE-2026-30305
CRITICAL
CVSS 9.8
Remote code execution in Syntx's command auto-approval module allows unauthenticated attackers to bypass whitelist security via shell command substitution syntax in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(…) and backtick command substitution patterns, enabling an attacker to inject malicious commands within seemingly benign git operations (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS score or KEV status data available; no public exploit code confirmed at time of analysis.
Command Injection
RCE
Code Injection
-
CVE-2026-5128
CRITICAL
CVSS 10.0
ArthurFiorette steam-trader 2.1.1 exposes complete Steam account credentials through an unauthenticated API endpoint, enabling account takeover. Attackers can retrieve usernames, passwords, identity secrets, shared secrets, and session tokens via the /users endpoint without authentication (CVSS:3.1 AV:N/AC:L/PR:N). This critical vulnerability (CVSS 10.0) allows generation of valid Steam Guard 2FA codes and complete account hijacking. EPSS data unavailable, no CISA KEV listing, and critically: no patch exists as the repository is archived and unmaintained. Authentication bypass and information disclosure tags confirm trivial exploitation requiring only network access.
Information Disclosure
Authentication Bypass
-
CVE-2026-5121
CRITICAL
CVSS 9.8
Integer overflow in libarchive's zisofs block pointer allocation on 32-bit systems allows remote code execution when processing specially crafted ISO9660 images. A remote attacker can provide a malicious ISO file that triggers a heap buffer overflow, potentially achieving arbitrary code execution on affected systems. Red Hat Enterprise Linux versions 6-10 and Red Hat OpenShift Container Platform 4 are affected; no public exploit identified at time of analysis, though an upstream fix is available via GitHub PR.
RCE
Integer Overflow
Buffer Overflow
-
CVE-2026-4789
CRITICAL
CVSS 9.8
Kyverno versions 1.16.0 and later contain a server-side request forgery vulnerability in unrestricted CEL HTTP functions that allow attackers to make arbitrary HTTP requests from the Kyverno controller, potentially accessing internal services and metadata endpoints. The vulnerability affects Kubernetes clusters running vulnerable Kyverno versions with policies utilizing CEL-based HTTP operations, with no CVSS or EPSS data currently available to quantify severity.
SSRF
-
CVE-2026-4415
CRITICAL
CVSS 9.2
Remote code execution and privilege escalation in Gigabyte Control Center allows unauthenticated network attackers to write arbitrary files to any system location when the pairing feature is enabled. This path traversal vulnerability (CWE-23) requires high attack complexity but needs no user interaction. No public exploit identified at time of analysis, though the technical details disclosed by Taiwan CERT provide sufficient information for exploitation development. CVSS 8.1 (High) reflects significant impact across confidentiality, integrity, and availability.
RCE
Privilege Escalation
-
CVE-2026-4257
CRITICAL
CVSS 9.8
Remote code execution in Contact Form by Supsystic plugin for WordPress (all versions ≤1.7.36) allows unauthenticated attackers to execute arbitrary PHP functions and OS commands via Server-Side Template Injection. Attackers exploit the plugin's unsandboxed Twig template engine by injecting malicious Twig expressions through GET parameters in the cfsPreFill functionality, leveraging registerUndefinedFilterCallback() to register arbitrary PHP callbacks. CVSS 9.8 (Critical) with network-accessible, low-complexity attack vector requiring no authentication. EPSS data not provided, but the combination of unauthenticated RCE in a widely-deployed WordPress plugin represents severe real-world risk. No KEV status confirmed at time of analysis.
WordPress
PHP
RCE
Code Injection
-
CVE-2026-3502
HIGH
CVSS 7.8
Arbitrary code execution in TrueConf Client allows authenticated attackers on adjacent networks to deliver malicious updates due to missing integrity verification. The auto-update mechanism accepts unsigned or unverified payloads, enabling man-in-the-middle attackers with high privileges to substitute trojanized updates that execute with the application's permissions. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly available exploit code not identified at time of analysis. CVSS 7.8 reflects the adjacent network attack vector and user interaction requirement, reducing immediate internet-scale risk.
RCE
-
CVE-2026-2287
CRITICAL
CVSS 9.8
CrewAI fails to validate Docker runtime availability during execution and silently reverts to an insecure sandbox mode, enabling remote code execution. Affected versions prior to the patch rely on Docker for isolation; when Docker becomes unavailable or is misconfigured, the fallback mechanism does not enforce adequate sandboxing constraints, allowing attackers to execute arbitrary commands within the application context. No CVSS score or official CVE details are available at this time, though the vulnerability has been reported to CERT and carries high practical risk due to the automatic unsafe fallback behavior.
Docker
RCE
Code Injection
-
CVE-2026-2286
CRITICAL
CVSS 9.8
Server-side request forgery in CrewAI's RAG search tools allows remote attackers to access internal and cloud services by injecting malicious URLs at runtime without proper validation. The vulnerability affects CrewAI's content acquisition mechanisms, enabling unauthorized data exfiltration from internal networks and cloud-hosted resources. No CVSS score, active exploitation status, or patch information is currently available in public sources.
SSRF
-
CVE-2026-2275
CRITICAL
CVSS 9.6
Remote code execution in CrewAI's CodeInterpreter tool occurs when Docker connectivity fails and the system falls back to SandboxPython, allowing unauthenticated remote attackers to execute arbitrary C functions and achieve code execution. The vulnerability affects systems relying on CrewAI's code execution capabilities where Docker is unavailable or unreachable, creating a dangerous fallback condition that bypasses intended sandboxing protections.
Docker
RCE
-
CVE-2025-15379
CRITICAL
CVSS 10.0
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply malicious artifacts via the `env_manager=LOCAL` parameter. The `_install_model_dependencies_to_env()` function unsafely interpolates dependency specifications from `python_env.yaml` directly into shell commands without sanitization. With CVSS 10.0 (network-accessible, no authentication, no complexity) and publicly available exploit code (reported via Huntr bug bounty; patched in 3.8.2), this represents an immediate critical risk for organizations using MLflow model serving infrastructure. EPSS data not available, but the exploitation scenario is straightforward for adversaries with model deployment access.
Command Injection
Redhat
-
CVE-2025-15036
CRITICAL
CVSS 9.6
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitrary files and potentially escape sandbox isolation via malicious archive uploads. The vulnerability affects the `extract_archive_to_dir` function which fails to validate tar member paths during extraction. Exploitation requires user interaction (CVSS UI:R) but needs no authentication (PR:N). EPSS data not provided, but no CISA KEV listing indicates no confirmed active exploitation at time of analysis. Public exploit code exists via Huntr bounty disclosure.
Path Traversal
Redhat
-
CVE-2026-34472
HIGH
CVSS 7.1
Unauthenticated credential disclosure in ZTE ZXHN H188A routers (versions V6.0.10P2_TE and V6.0.10P3N3_TE) allows local network attackers to retrieve sensitive credentials including default administrator passwords, WLAN PSK, and PPPoE credentials via the wizard interface, with some cases enabling unauthenticated configuration changes. No CVSS or EPSS data is available, and KEV status is unconfirmed; however, a publicly available technical analysis exists on GitHub indicating detailed exploitation methodology.
Information Disclosure
Zte
-
CVE-2026-34377
HIGH
CVSS 8.4
Zebra cryptocurrency nodes prior to version 4.3.0 can be forced into a consensus split by malicious miners who craft blocks containing V5 transactions with matching txids but invalid authorization data. The vulnerability stems from a cache lookup that used the ZIP-244 txid (which excludes authorization data) to bypass full verification, allowing nodes to accept blocks with invalid signatures. While this does not enable invalid transaction acceptance, it isolates vulnerable nodes from the Zcash network, creating fork conditions exploitable for service disruption and potential double-spend scenarios against partitioned nodes. No public exploit code or CISA KEV listing exists, but the technical complexity is low for actors with mining capabilities. Affected products are the zebrad and zebra-consensus Rust packages supporting Network Upgrade 5 (V5 transactions). Vendor-released patch: Zebra 4.3.0.
Information Disclosure
Jwt Attack
-
CVE-2026-34363
HIGH
CVSS 8.2
Parse Server LiveQuery leaks protected fields and authentication data across concurrent subscribers due to shared mutable object state. When multiple clients subscribe to the same class, race conditions in the sensitive data filter allow one subscriber's field filtering to affect other subscribers, exposing data that should remain protected or delivering incomplete objects to authorized clients. Deployments using LiveQuery with protected fields or afterEvent triggers face unauthorized information disclosure. Vendor-released patches are available for Parse Server 8 and 9. No public exploit identified at time of analysis, though the vulnerability is straightforward to trigger in affected configurations.
Information Disclosure
Race Condition
-
CVE-2026-34359
HIGH
CVSS 7.4
Authentication credential theft in HAPI FHIR Core library allows network attackers to intercept Bearer tokens, Basic auth credentials, and API keys through malicious URL prefix matching. The vulnerable `ManagedWebAccessUtils.getServer()` method uses unsafe `String.startsWith()` checks without host boundary validation, causing credentials configured for `http://tx.fhir.org` to be dispatched to attacker-controlled domains like `http://tx.fhir.org.attacker.com` when HTTP redirects occur. Affects Maven packages `ca.uhn.hapi.fhir:org.hl7.fhir.core` and `ca.uhn.hapi.fhir:org.hl7.fhir.utilities`. CVSS 7.4 (High) reflects network attack vector with high attack complexity requiring redirect manipulation. EPSS data not available; no confirmed active exploitation (CISA KEV), but detailed proof-of-concept code demonstrates the exploit chain through both SimpleHTTPClient and OkHttp redirect paths.
Java
Information Disclosure
-
CVE-2026-34219
HIGH
CVSS 8.2
Unchecked arithmetic in Rust libp2p-gossipsub heartbeat processing allows remote unauthenticated denial of service via crafted PRUNE control messages. Network-reachable Gossipsub peers can crash vulnerable nodes by sending PRUNE messages with near-maximum backoff values (~i64::MAX), triggering an instant overflow panic during subsequent heartbeat cycles (43-74 seconds later). This is a distinct vulnerability from CVE-2026-33040, affecting a different code path in expiry handling rather than initial insertion. Reported by Ethereum Foundation security team; no public exploit identified at time of analysis, but attack vector is straightforward for any peer capable of establishing libp2p sessions.
Denial Of Service
Integer Overflow
-
CVE-2026-33987
HIGH
CVSS 7.1
Heap buffer overflow in FreeRDP's persistent bitmap cache handling allows local attackers to corrupt memory integrity and crash the RDP client. Affecting all versions prior to 3.24.2, the vulnerability (CWE-122) occurs when memory reallocation fails but the buffer size variable is prematurely updated, creating a size/pointer mismatch. EPSS data not available, but marked medium priority by Ubuntu. No public exploit identified at time of analysis, though technical details are disclosed in the GitHub Security Advisory.
Heap Overflow
Buffer Overflow
-
CVE-2026-33986
HIGH
CVSS 7.5
Heap buffer overflow in FreeRDP's H.264 YUV decoder (versions before 3.24.2) allows remote attackers to potentially achieve code execution via specially crafted RDP sessions. The vulnerability stems from premature dimension updates in yuv_ensure_buffer() that persist when memory reallocation fails, creating exploitable memory corruption conditions. Attack requires user interaction (connecting to malicious RDP server) and moderate complexity (CVSS AC:H). No public exploit identified at time of analysis, though CVSS 7.5 HIGH score reflects potential for complete system compromise (C:H/I:H/A:H).
Heap Overflow
Buffer Overflow
-
CVE-2026-33984
HIGH
CVSS 7.5
Heap buffer overflow in FreeRDP's CLEAR codec implementation allows remote attackers to execute arbitrary code when processing malicious RDP server responses. Affects all FreeRDP versions prior to 3.24.2. Attack requires high complexity and user interaction (victim must connect to attacker-controlled RDP server), but no authentication is required. CVSS 7.5 reflects the network-accessible attack vector with potential for complete system compromise. No public exploit identified at time of analysis, though technical details are publicly disclosed via GitHub security advisory.
Heap Overflow
Buffer Overflow
-
CVE-2026-33982
HIGH
CVSS 7.1
Heap buffer overflow in FreeRDP's winpr_aligned_offset_recalloc() function allows local attackers with no privileges, but requiring user interaction, to trigger high-severity information disclosure and denial of service in versions prior to 3.24.2. The vulnerability involves a READ operation at 24 bytes before heap allocation boundaries (CWE-125: Out-of-bounds Read). Vendor-released patch version 3.24.2 available via GitHub commit a48dbde2c8. EPSS data not provided; no public exploit identified at time of analysis. Affects all FreeRDP installations below 3.24.2, tracked across 7 Debian releases.
Information Disclosure
Buffer Overflow
-
CVE-2026-33949
HIGH
CVSS 8.1
Path traversal in TinaCMS GraphQL (@tinacms/graphql) enables unauthenticated remote attackers to write and overwrite arbitrary files within the project root, including critical configuration files like package.json and build scripts. The vulnerability stems from platform-specific path validation failures that treat backslash characters differently on Unix-based systems, allowing traversal sequences like 'x\..\..\..\package.json' to bypass security checks. With a CVSS score of 8.1 and publicly available exploit code demonstrating the attack, this represents a critical security risk for TinaCMS deployments, particularly those exposed to untrusted networks. No CISA KEV listing exists, but the proof-of-concept demonstrates clear exploitation paths to arbitrary code execution via build script modification.
Path Traversal
RCE
Microsoft
-
CVE-2026-33643
HIGH
CVSS 7.4
SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the mysqlColumnAsInsert function located in plugins/mysql/lib/column.go. The vulnerability affects the MySQL plugin component and enables attackers to manipulate database queries, potentially leading to unauthorized data access, modification, or deletion. Public proof-of-concept code is available, and CVSS/EPSS data are not yet assigned by NVD.
SQLi
-
CVE-2026-33641
HIGH
CVSS 7.8
Command injection in Glances Python monitoring tool allows local authenticated users to execute arbitrary system commands via malicious configuration files. Attackers with write access to Glances configuration files can embed shell commands in backtick-enclosed strings that execute automatically during config parsing with the privileges of the Glances process. In environments where Glances runs as a system service with elevated privileges, this enables privilege escalation from low-privileged user to root. CVSS 7.8 (High) with local attack vector requiring low privileges. Public exploit code exists in the advisory. EPSS data not available, not listed in CISA KEV.
Python
Command Injection
Privilege Escalation
-
CVE-2026-33533
HIGH
CVSS 7.1
Cross-origin data exfiltration in Glances XML-RPC server (glances -s) allows any website to steal complete system monitoring data including hostname, OS details, process lists with command-line arguments, and network configuration through CORS misconfiguration. The server sends Access-Control-Allow-Origin: * on all responses and processes XML-RPC POST requests with Content-Type: text/plain without validation, bypassing browser CORS preflight checks. Default deployments run unauthenticated, making all network-accessible instances immediately exploitable. No public exploit identified at time of analysis, though detailed proof-of-concept code is included in the advisory.
Cors Misconfiguration
Python
Buffer Overflow
-
CVE-2026-33373
HIGH
CVSS 8.8
Cross-Site Request Forgery in Zimbra Collaboration Server 10.0 and 10.1 allows remote attackers to perform sensitive account actions such as disabling two-factor authentication by inducing authenticated users to submit crafted requests, exploiting insufficient CSRF protection on authentication tokens issued during account state transitions like password changes or 2FA enablement. No public exploit code has been identified at time of analysis, and patch availability has been confirmed in vendor advisories for versions 10.0.18 and 10.1.13.
CSRF
-
CVE-2026-33030
HIGH
CVSS 8.8
Insecure Direct Object Reference (IDOR) in nginx-ui up to v2.3.3 allows authenticated low-privilege users to access, modify, and delete any resource across all user accounts, including plaintext DNS provider API tokens (Cloudflare, AWS Route53, Alibaba Cloud) and ACME private keys. The application's base Model struct lacks user_id fields, and all resource endpoints query by ID without ownership verification. CVSS 8.8 reflects scope change to external services—stolen Cloudflare tokens enable DNS hijacking and fraudulent certificate issuance. No public exploit identified at time of analysis, but trivial to execute via standard HTTP requests. Vendor-released patch: v2.3.4.
Nginx
Information Disclosure
Command Injection
Docker
-
CVE-2026-33028
HIGH
CVSS 7.1
Race condition in nginx-ui web interface allows remote authenticated attackers to corrupt the primary configuration file (app.ini) through concurrent API requests, resulting in persistent denial of service and potential remote code execution. The vulnerability affects nginx-ui versions prior to 2.3.4 deployed in production environments including Docker containers. Concurrent POST requests to /api/settings trigger unsynchronized file writes that interleave at the OS level, corrupting configuration sections and creating cross-contamination between INI fields. In non-deterministic scenarios, user-controlled input can overwrite shell command fields (ReloadCmd, RestartCmd), enabling arbitrary command execution during nginx reload operations. Public exploit code demonstrates the attack path using standard HTTP testing tools. No CISA KEV listing or EPSS data available at time of analysis, but proof-of-concept with detailed reproduction steps exists in the GitHub security advisory.
Race Condition
Denial Of Service
RCE
Nginx
Docker
-
CVE-2026-32877
HIGH
CVSS 8.2
Heap over-read in Botan C++ cryptography library versions 2.3.0 through 3.10.x allows remote, unauthenticated attackers to trigger crashes or undefined behavior during SM2 decryption. The vulnerability stems from insufficient length validation of authentication code (C3) values in SM2 ciphertexts, enabling reads of up to 31 bytes beyond allocated heap memory. With CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) and EPSS data not provided, this represents a remotely exploitable memory safety issue in a cryptographic primitive. No public exploit identified at time of analysis. Patched in version 3.11.0.
Information Disclosure
Buffer Overflow
-
CVE-2026-32275
HIGH
CVSS 7.4
Cross-site scripting (XSS) in Tautulli 1.3.10 through 2.16.x allows remote attackers to inject malicious scripts via unsanitized JSONP callback parameters, enabling API key theft from authenticated users who click crafted links. The vulnerability requires social engineering (UI:A in CVSS) and affects the Plex monitoring tool's web interface. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though the attack complexity is rated high (AC:H) suggesting practical exploitation requires specific conditions. GitHub security advisory indicates vendor-patched release available.
Python
XSS
-
CVE-2026-31831
HIGH
CVSS 8.7
Path traversal in Tautulli's /newsletter/image/images API endpoint allows unauthenticated remote attackers to read arbitrary files from the server filesystem. Tautulli, a Python-based monitoring tool for Plex Media Server, is affected in all versions prior to 2.17.0. The vulnerability carries a CVSS 4.0 score of 8.7 with network attack vector, low complexity, and no authentication required (PR:N), enabling trivial exploitation for sensitive information disclosure. No active exploitation confirmed at time of analysis, though the unauthenticated nature and public disclosure significantly elevate real-world risk.
Python
Path Traversal
-
CVE-2026-30077
HIGH
CVSS 7.5
OpenAirInterface AMF version 2.2.0 crashes during message decoding when processing specific malformed input sequences, enabling a denial of service condition. A remote attacker can trigger a consistent crash by sending specially crafted hex-encoded packets (example: 80 00 00 0E 00 00 01 00 0F 80 02 02 40 00 58 00 01 88) to the AMF component. No public exploit code has been identified, but the crash is reproducible with known input patterns.
Denial Of Service
-
CVE-2026-29954
HIGH
CVSS 7.6
KubePlus 4.1.4 allows server-side request forgery (SSRF) and arbitrary HTTP header injection through improperly validated chartURL fields in ResourceComposition resources. The mutating webhook and kubeconfiggenerator components concatenate user-supplied chartURL values directly into wget command invocations without proper escaping, enabling attackers to inject wget options such as --header to forge HTTP requests or exfiltrate sensitive data. No patch version information is currently available, and exploitation status remains unconfirmed from authoritative sources.
SSRF
-
CVE-2026-29953
HIGH
CVSS 7.4
SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the columnAsInsert function within the PostgreSQL plugin, potentially compromising database integrity and confidentiality. Public exploit documentation is available, indicating proof-of-concept code exists. CVSS and EPSS data are unavailable, limiting formal severity quantification.
SQLi
PostgreSQL
-
CVE-2026-29925
HIGH
CVSS 7.7
Invoice Ninja versions 5.12.46 and 5.12.48 contain a Server-Side Request Forgery (SSRF) vulnerability in the CheckDatabaseRequest.php component that allows remote attackers to perform unauthorized requests to internal or external systems. The vulnerability affects the setup and database configuration functionality, potentially enabling attackers to access internal services, probe private networks, or interact with restricted resources from the server's perspective.
PHP
SSRF
-
CVE-2026-29924
HIGH
CVSS 7.6
Grav CMS versions 1.7.x and earlier allow XML External Entity (XXE) injection through SVG file uploads in the administrative panel and File Manager plugin, potentially enabling remote code execution or information disclosure to authenticated administrators. No CVSS score, CVSS vector, or CWE classification has been assigned; exploitation status and patch availability cannot be confirmed from available data.
XXE
File Upload
-
CVE-2026-29872
HIGH
CVSS 8.2
Cross-session credential leakage in awesome-llm-apps Streamlit-based GitHub MCP Agent allows unauthenticated users to retrieve previously stored API tokens and secrets from process-wide environment variables, compromising GitHub Personal Access Tokens and LLM API keys across concurrent session boundaries. The vulnerability stems from improper session isolation in a multi-user Streamlit application that persists credentials in os.environ without clearing them between user sessions, enabling attackers to escalate privileges and access private resources without authentication.
Python
Information Disclosure
Authentication Bypass
-
CVE-2026-28505
HIGH
CVSS 7.5
Remote code execution in Tautulli (Python-based Plex Media Server monitoring tool) versions prior to 2.17.0 allows authenticated administrators to bypass sandbox restrictions in notification templates via lambda expressions, enabling arbitrary Python code execution. The vulnerability exploits a flaw in the str_eval() sandbox implementation that only inspects outer code object names (co_names) while nested lambda code objects store attribute accesses in co_consts, evading security checks. CVSS 7.5 with high attack complexity and high privilege requirement (PR:H) indicates limited real-world risk scope, with no public exploit identified at time of analysis.
Python
Code Injection
RCE
-
CVE-2026-28228
HIGH
CVSS 8.8
Server-side template injection in OpenOlat e-learning platform versions prior to 19.1.31, 20.1.18, and 20.2.5 enables authenticated users with Author role to execute arbitrary operating system commands via crafted Velocity directives in reminder email templates. Exploitation requires low-privilege authentication (PR:L) but is network-accessible (AV:N) with low complexity (AC:L), achieving full system compromise (C:H/I:H/A:H). The vulnerability leverages Java reflection through Velocity templates to instantiate ProcessBuilder and execute commands with Tomcat process privileges, often root in containerized environments. EPSS data not provided; no CISA KEV status confirmed; publicly available exploit code exists per GitHub security advisory disclosure.
Java
Tomcat
Ssti
Code Injection
-
CVE-2026-27018
HIGH
CVSS 8.8
Gotenberg PDF conversion service versions 8.1.0-8.28.x allow unauthenticated arbitrary file disclosure through case-variant URI scheme bypass. A previous CVE-2024-21527 patch implemented a case-sensitive deny-list regex (^file:(?!//\/tmp/).*) to block file:// access, but attackers can bypass it using FILE://, File://, or other mixed-case variants. Chromium normalizes schemes to lowercase after the deny-list check, enabling reads of /etc/passwd, credentials, environment variables, and other container filesystem contents via both the URL conversion endpoint and HTML iframes. GHSA-jjwv-57xh-xr6r confirms patches in commits 06b2b2e and 8625a4e, with fixed release v8.29.0. No KEV listing or public exploit code identified at time of analysis, but proof-of-concept steps in the advisory enable trivial reproduction.
Path Traversal
Information Disclosure
Docker
Google
Suse
-
CVE-2026-21710
HIGH
CVSS 7.5
Uncaught TypeError in Node.js HTTP server crashes applications when clients send specially crafted `__proto__` headers and code accesses `req.headersDistinct`. The exception occurs synchronously in a property getter, bypassing standard error handling mechanisms and causing immediate service disruption. Affects Node.js versions 20.x, 22.x, 24.x, and 25.x with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only sending a malformed HTTP header with no authentication (CVSS:3.0/AV:N/AC:L/PR:N/UI:N).
Node.js
Denial Of Service
Redhat
-
CVE-2026-5156
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda CH22 router firmware version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the formQuickIndex function's handling of the mit_linktype parameter in the /goform/QuickIndex endpoint. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation. With a CVSS score of 8.8 and low attack complexity requiring only low-privilege authentication, this represents a critical risk to deployed Tenda CH22 devices, though CISA KEV status is not confirmed.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-5155
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda CH22 router (version 1.0.0.1) allows authenticated remote attackers to achieve code execution or denial of service via the wanmode parameter in the /goform/AdvSetWan endpoint. Public exploit code exists (GitHub POC), significantly lowering exploitation barriers. CVSS 7.4 reflects network-accessible attack requiring only low-privilege authentication, with high impact to confidentiality, integrity, and availability.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-5154
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda CH22 router (versions 1.0.0.1 and 1.If) allows authenticated remote attackers to achieve code execution via a crafted 'funcname' parameter to the /goform/setcfm endpoint. Publicly available exploit code exists (GitHub POC), significantly lowering the exploitation barrier. CVSS 7.4 with low attack complexity and an authenticated remote vector indicates moderate risk for targeted attacks against devices with compromised credentials.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-5152
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda CH22 router version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution via the formCreateFileName function. The vulnerability resides in the /goform/createFileName endpoint where insufficient input validation of the 'fileNameMit' parameter enables memory corruption. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation. While requiring low-privilege authentication (PR:L), the attack complexity is low (AC:L) and can be executed remotely over the network.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-5130
HIGH
CVSS 8.8
Unauthenticated privilege escalation in Debugger & Troubleshooter WordPress plugin (versions ≤1.3.2) allows remote attackers to gain administrator access by manipulating a cookie value. Attackers can set the wp_debug_troubleshoot_simulate_user cookie to any user ID without cryptographic validation, bypassing all authentication and authorization checks to immediately impersonate administrators. No public exploit code confirmed at time of analysis, though the attack mechanism is straightforward, requiring only cookie manipulation. CVSS 8.8 with network-based attack vector and low complexity indicates significant real-world risk for unpatched installations. Vendor-released patch in version 1.4.0 implements cryptographic token validation.
WordPress
Privilege Escalation
-
CVE-2026-4416
HIGH
CVSS 8.5
Insecure deserialization in Gigabyte Control Center's Performance Library component allows authenticated local users to escalate privileges to SYSTEM by sending crafted serialized payloads to the EasyTune Engine service. Affecting Gigabyte Performance Library across versions, this CWE-502 flaw enables low-privileged users to gain complete control of the Windows system. EPSS data not available; no public exploit identified at time of analysis, though the local attack vector and low complexity (CVSS:3.1/AV:L/AC:L/PR:L) suggest exploitation is technically straightforward for attackers with initial local access.
Deserialization
Privilege Escalation
-
CVE-2026-4315
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) in WatchGuard Fireware OS WebUI allows remote attackers to trigger a denial-of-service condition against the Web UI by tricking an authenticated administrator into visiting a malicious webpage. This affects Fireware OS versions 11.8 through 11.12.4+541730, 12.0 through 12.11.8, and 2025.1 through 2026.1.2. The CVSS v4.0 score of 7.1 reflects high availability impact (VA:H) with no user authentication required (PR:N) but requiring user interaction (UI:P). No public exploit identified at time of analysis, though the attack complexity is low and the CSRF nature makes weaponization straightforward for adversaries targeting firewall administrators.
CSRF
-
CVE-2026-4266
HIGH
CVSS 8.4
Insecure deserialization in WatchGuard Fireware OS enables local code execution as the portald user when combined with a filesystem write primitive. Affects Fireware OS versions 12.1 through 12.11.8 and 2025.1 through 2026.1.2 on platforms supporting Access Portal (excludes T-15/T-35 models). CVSS 8.4 severity reflects high impact but requires prior high-privilege local access and an existing write vulnerability to exploit. No public exploit identified at time of analysis, with EPSS data unavailable for risk probability assessment.
Deserialization
RCE
-
CVE-2026-4046
HIGH
CVSS 7.5
Remote denial of service in GNU C Library (glibc) 2.43 and earlier allows unauthenticated remote attackers to crash applications via malformed input during character set conversion from IBM1390 or IBM1399 encodings. The vulnerability triggers an assertion failure in the iconv() function with high attack reliability (CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Proof-of-concept code exists and CISA SSVC assessment confirms the issue is automatable with partial technical impact, making this a practical denial-of-service vector for any networked application processing untrusted character encoding conversions.
Denial Of Service
-
CVE-2026-3991
HIGH
CVSS 7.8
Elevation of privilege in Symantec Data Loss Prevention Windows Endpoint allows authenticated local users to gain SYSTEM-level access and compromise protected resources. Affects all versions prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15. CVSS 7.8 (High) reflects the local attack vector combined with complete system compromise upon successful exploitation. No public exploit identified at time of analysis, though the CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) classification suggests potential DLL hijacking or similar trust boundary violations.
Information Disclosure
Microsoft
-
CVE-2026-3945
HIGH
CVSS 8.7
Remote denial of service in tinyproxy versions through 1.11.3 allows unauthenticated attackers to exhaust all proxy worker connections via malformed HTTP chunked transfer encoding. An integer overflow in chunk size parsing (using strtol() without ERANGE validation) enables attackers to send LONG_MAX values that bypass size checks and trigger arithmetic overflow during chunklen+2 calculations. This forces the proxy to attempt reading unbounded request body data, holding worker slots indefinitely until all connections are exhausted and new clients are rejected. Upstream fix available (commits bb7edc4, 969852c) but latest stable release 1.11.3 remains unpatched. EPSS data not available; no public exploit identified at time of analysis, though attack complexity is low (CVSS AC:L) and requires no authentication (PR:N).
Integer Overflow
Denial Of Service
Suse
Debian
-
CVE-2026-3321
HIGH
CVSS 8.7
Unauthenticated attackers can bypass authorization controls in On24 Q&A Chat to enumerate event IDs and retrieve complete question-and-answer histories through the console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/ endpoint. This exposure leaks sensitive data including user identifiers, private URLs, messages, and internal references that should be restricted to authenticated users. The compromised information can facilitate reconnaissance for lateral movement, system exploitation, or unauthorized access to connected applications.
Authentication Bypass
-
CVE-2026-3124
HIGH
CVSS 7.5
Insecure Direct Object Reference in WP Download Monitor plugin (≤5.1.7) enables unauthenticated attackers to complete arbitrary pending orders by manipulating PayPal transaction tokens, allowing theft of paid digital goods. Attackers can pay minimal amounts for low-cost items and use those payment tokens to finalize high-value orders, effectively bypassing payment validation. CVSS 7.5 (High) reflects network-based attack with no authentication required. No public exploit identified at time of analysis, though the attack mechanism is clearly documented in vendor advisories.
WordPress
Authentication Bypass
-
CVE-2026-2370
HIGH
CVSS 8.1
Improper authorization in GitLab CE/EE Jira Connect integration allows authenticated users with minimal workspace permissions to steal installation credentials and impersonate the GitLab application. Affects versions 14.3 through 18.8.6, 18.9.0-18.9.2, and 18.10.0. Vendor-released patches available in versions 18.8.7, 18.9.3, and 18.10.1. High CVSS score (8.1) reflects significant confidentiality and integrity impact with low attack complexity. No public exploit identified at time of analysis, though detailed disclosure exists via HackerOne report.
Gitlab
Information Disclosure
Atlassian
Debian
Redhat
-
CVE-2026-2328
HIGH
CVSS 7.5
Path traversal in WAGO Device Sphere and Solution Builder allows unauthenticated remote attackers to access backend components and expose sensitive information. The vulnerability stems from insufficient input validation (CWE-790), enabling attackers to bypass intended access boundaries with low complexity over network vectors. CVSS 7.5 (High) reflects significant confidentiality impact. EPSS data unavailable; no public exploit identified at time of analysis, and CISA KEV status not confirmed.
Path Traversal
-
CVE-2026-2285
HIGH
CVSS 7.5
CrewAI's JSON loader tool fails to validate file paths before reading, allowing arbitrary local file access that exposes sensitive server files to attackers with network access to the application. The vulnerability enables information disclosure without authentication, affecting all versions of CrewAI that include the vulnerable JSON loader component. No active exploitation has been confirmed, but the straightforward nature of the attack (unsanitized file path input) makes this a practical concern for production deployments.
Information Disclosure
-
CVE-2026-34373
MEDIUM
CVSS 5.3
Parse Server's GraphQL API endpoint bypasses the configured allowOrigin CORS restriction, allowing cross-origin requests from any website while the REST API correctly enforces the policy. This authentication bypass affects Parse Server instances where operators have configured origin restrictions to limit API access, enabling attackers from arbitrary websites to interact with the GraphQL endpoint without respecting these security controls. The vulnerability has been patched in Parse Server 8 and 9 via upstream fixes, and no public exploit code or active exploitation has been confirmed.
Authentication Bypass
-
CVE-2026-34372
MEDIUM
CVSS 5.3
Information disclosure in Sulu admin API allows users with any Sulu Admin role to access contact sub-entities without explicit contact permissions, bypassing authorization controls. Affects Sulu versions prior to 2.6.22 and 3.0.x prior to 3.0.5. No CVSS or EPSS data available; no active exploitation confirmed, but the vulnerability enables unauthorized data exposure through a widely-accessible admin interface.
Information Disclosure
-
CVE-2026-34360
MEDIUM
CVSS 5.8
Server-side request forgery (SSRF) in FHIR Validator HTTP service allows unauthenticated remote attackers to probe internal network services and cloud metadata endpoints via the /loadIG endpoint, which accepts arbitrary URLs without hostname or domain validation. The vulnerability defaults to allowing all outbound requests, and redirect following bypasses even configured domain restrictions. With the explore=true default setting, each request amplifies reconnaissance capability through multiple outbound HTTP calls, enabling blind network topology mapping and metadata service access.
SSRF
Java
Microsoft
-
CVE-2026-34237
MEDIUM
CVSS 6.1
Hardcoded wildcard CORS headers (Access-Control-Allow-Origin: *) in the Model Context Protocol Java SDK transport layer enable cross-origin session hijacking, allowing attackers to extract session IDs from victim browsers and relay authenticated requests back to internal MCP servers. The vulnerability affects the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes in mcp-core; no public exploit code has been identified, though the attack requires user interaction (victim visiting attacker-controlled page). CVSS 6.1 reflects the combination of network-accessible vector, low attack complexity, and cross-origin impact, though practical exploitation depends on MCP server deployment architecture.
Java
Cors Misconfiguration
Information Disclosure
Python
-
CVE-2026-34231
MEDIUM
CVSS 6.1
Cross-site scripting (XSS) in the slippers Django package's {% attrs %} template tag allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript by passing untrusted context variables containing quote characters and event handler attributes. The vulnerability affects templates that pass user-supplied or database-derived values to {% attrs %} without prior escaping. Vendor-released patch version 0.6.3 is available.
Python
XSS
-
CVE-2026-34165
MEDIUM
CVSS 5.0
Maliciously crafted `.idx` files in go-git v5 cause asymmetric memory consumption leading to Denial of Service through integer overflow vulnerabilities. Exploitation requires local write access to the `.git` directory, limiting attack surface to scenarios where an attacker has already compromised repository access or can inject files into a shared repository. No public exploit code or active exploitation has been confirmed; however, the low CVSS complexity and requirement for only low-privilege local access make this a moderate operational concern for development environments and CI/CD systems that process untrusted repositories.
Denial Of Service
Integer Overflow
-
CVE-2026-33995
MEDIUM
CVSS 5.3
FreeRDP prior to version 3.24.2 contains a double-free vulnerability in Kerberos authentication handling that crashes FreeRDP clients during NLA connection teardown following failed authentication attempts on systems with Kerberos configured. The vulnerability affects all versions before 3.24.2 across multiple Linux distributions (Debian, Ubuntu) and requires network access but no authentication credentials, presenting a denial-of-service vector against RDP clients in enterprise environments using Kerberos or Kerberos U2U authentication. No public exploit code has been identified, and the impact is limited to availability (denial of service) rather than confidentiality or integrity.
Denial Of Service
-
CVE-2026-33990
MEDIUM
CVSS 6.8
Server-side request forgery in Docker Model Runner allows unprivileged containers or malicious OCI registries to make arbitrary GET requests to internal services by exploiting unvalidated realm URLs in the OCI registry token exchange flow. Affected versions prior to 1.1.25 (Docker Desktop prior to 4.67.0) permit attackers to access host-local services and reflect response bodies back to the caller, potentially exfiltrating sensitive data from internal endpoints. No public exploit code or active exploitation has been reported at time of analysis.
Docker
SSRF
Microsoft
-
CVE-2026-33985
MEDIUM
CVSS 5.9
FreeRDP versions prior to 3.24.2 leak sensitive heap data to the screen during pixel rendering in remote desktop sessions, allowing unauthenticated remote attackers to obtain confidential information through a man-in-the-middle position or compromised RDP server. The vulnerability requires user interaction (UI:R) and involves out-of-bounds memory read (CWE-125), with CVSS 5.9 reflecting moderate confidentiality impact and low availability degradation. No public exploit code or active exploitation has been confirmed at time of analysis.
Information Disclosure
Buffer Overflow
-
CVE-2026-33983
MEDIUM
CVSS 6.5
FreeRDP versions prior to 3.24.2 contain an integer overflow vulnerability in the progressive_decompress_tile_upgrade() function that allows unauthenticated remote attackers to cause a denial of service through CPU exhaustion. When processing malformed Remote Desktop Protocol (RDP) streams, a wrapped integer value (247) is incorrectly used as a bit-shift exponent, triggering undefined behavior and creating an approximately 80 billion iteration loop that consumes CPU resources. The vulnerability requires user interaction (UI:R) to trigger, and no public exploit code has been identified at the time of analysis.
Integer Overflow
Information Disclosure
-
CVE-2026-33977
MEDIUM
CVSS 6.9
Denial of service in FreeRDP prior to version 3.24.2 allows remote attackers to crash the client via a malicious RDP server sending IMA ADPCM audio data with an invalid step index value (≥89). The unvalidated network-supplied index causes an out-of-bounds access into an 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort. This affects all FreeRDP clients with audio redirection enabled (the default configuration), requiring user interaction to establish an RDP connection but no authentication. No public exploit code identified at time of analysis.
Denial Of Service
-
CVE-2026-33952
MEDIUM
CVSS 6.0
FreeRDP clients before version 3.24.2 crash with SIGABRT when connecting through a malicious RDP Gateway due to an unvalidated auth_length field triggering a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(). This pre-authentication denial of service affects all FreeRDP clients using RPC-over-HTTP gateway transport, regardless of user authentication status. The vulnerability has been patched in version 3.24.2.
Denial Of Service
-
CVE-2026-33029
MEDIUM
CVSS 6.9
Authenticated denial of service in nginx-ui 2.3.3 and earlier allows any user with settings access to submit a negative integer for the logrotate.interval parameter, triggering an infinite loop in the backend that exhausts CPU resources and renders the web interface unresponsive. Vendor-released patch available in v2.3.4. No public exploit code identified beyond proof-of-concept documentation; not confirmed as actively exploited.
Nginx
Denial Of Service
Docker
-
CVE-2026-33027
MEDIUM
CVSS 6.9
Authenticated users in nginx-ui v2.3.3 and earlier can delete the entire `/etc/nginx` configuration directory via path traversal using double-encoded sequences (..%252F), causing immediate Nginx service failure and denial of service. The vulnerability exploits improper URL canonicalization combined with unsafe recursive deletion logic that resolves malicious paths to the base configuration directory instead of rejecting them.
Nginx
Path Traversal
Denial Of Service
Docker
-
CVE-2026-32884
MEDIUM
CVSS 5.9
Botan cryptography library versions prior to 3.11.0 fail to properly validate X.509 certificate DNS name constraints due to case-sensitive comparison of the Common Name field, allowing attackers to present certificates with mixed-case Common Names that bypass name constraint restrictions and potentially establish unauthorized secure connections to restricted domains.
Information Disclosure
-
CVE-2026-32883
MEDIUM
CVSS 5.9
Botan cryptography library versions 3.0.0 through 3.10.x fail to verify OCSP response signatures during X.509 certificate path validation, allowing attackers to forge certificate status responses and potentially bypass revocation checks. This integrity bypass affects any application using Botan for TLS or certificate validation and requires network positioning but not authentication. The vulnerability was patched in version 3.11.0.
Information Disclosure
Jwt Attack
-
CVE-2026-32794
MEDIUM
CVSS 4.8
Improper certificate validation in Apache Airflow Provider for Databricks versions 1.10.0 through 1.11.x allows unauthenticated attackers to intercept and manipulate traffic between Airflow and Databricks backends via man-in-the-middle attacks, potentially exfiltrating credentials and sensitive workflow data. The provider did not validate SSL/TLS certificates when establishing connections to Databricks, creating a critical trust boundary weakness. Vendor-released patch available in version 1.12.0; no public exploit code or active exploitation confirmed at time of analysis.
Information Disclosure
Apache
-
CVE-2026-31804
MEDIUM
CVSS 4.0
Server-Side Request Forgery (SSRF) in Tautulli prior to version 2.17.0 allows remote attackers to forge outbound HTTP requests from the Plex Media Server process via the unauthenticated /pms_image_proxy endpoint, potentially exposing internal services on RFC-1918 address space and enabling reconnaissance or attacks against systems accessible from the Plex server's network context.
Python
SSRF
-
CVE-2026-31799
MEDIUM
CVSS 4.9
SQL injection in Tautulli's /api/v2?cmd=get_home_stats endpoint allows authenticated administrators to exfiltrate sensitive data from the SQLite database via boolean-blind SQL inference. Affected versions include 2.14.2-2.16.x for the 'before' and 'after' parameters, and 2.1.0-beta-2.16.x for 'section_id' and 'user_id' parameters. The vulnerability requires possession of the admin API key and results in confidentiality compromise without code execution. Patch is available in version 2.17.0.
Python
Code Injection
-
CVE-2026-30566
MEDIUM
CVSS 6.1
Reflected cross-site scripting in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML via the unvalidated "limit" parameter in view_customers.php, affecting unauthenticated users who click malicious links. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS score is available to quantify severity.
XSS
PHP
-
CVE-2026-30565
MEDIUM
CVSS 6.1
Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the 'limit' parameter in view_supplier.php due to insufficient input sanitization. The vulnerability is accessible without authentication via crafted URLs, and publicly available exploit code exists demonstrating the attack vector.
XSS
PHP
-
CVE-2026-30564
MEDIUM
CVSS 6.1
Reflected Cross-Site Scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary web scripts or HTML through the 'limit' parameter in view_payments.php due to insufficient input sanitization. Publicly available exploit code exists, enabling attackers to craft malicious URLs that execute JavaScript in victims' browsers when visited, potentially leading to session hijacking, credential theft, or defacement.
XSS
PHP
-
CVE-2026-30563
MEDIUM
CVSS 6.1
Stored cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows authenticated attackers to inject malicious scripts via the unvalidated website parameter in update_details.php, which are persisted in the database and executed whenever the store details page is accessed by any user. Publicly available exploit code exists, though the vulnerability requires prior authentication and affects primarily self-hosted instances of this open-source inventory management application.
XSS
PHP
-
CVE-2026-30561
MEDIUM
CVSS 6.1
Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_purchase.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. The vulnerability has publicly available exploit code but lacks CVSS scoring and is not confirmed as actively exploited.
XSS
PHP
-
CVE-2026-30560
MEDIUM
CVSS 6.1
Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the msg parameter in add_supplier.php, enabling session hijacking, credential theft, or malware distribution without authentication. The vulnerability has publicly available proof-of-concept code demonstrating the attack vector.
XSS
PHP
-
CVE-2026-30559
MEDIUM
CVSS 6.1
Reflected XSS in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the msg parameter in add_sales.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. Publicly available exploit code exists.
XSS
PHP
-
CVE-2026-30558
MEDIUM
CVSS 6.1
Reflected cross-site scripting in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_customer.php, enabling session hijacking, credential theft, or malware distribution via crafted URLs. Publicly available exploit code exists demonstrating the vulnerability.
XSS
PHP
-
CVE-2026-30557
MEDIUM
CVSS 6.1
Reflected cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'msg' parameter in add_category.php, enabling session hijacking, credential theft, or malware distribution via malicious URLs. Publicly available exploit code exists, increasing real-world attack likelihood despite the absence of formal CVSS scoring or CVE severity data.
XSS
PHP
-
CVE-2026-30556
MEDIUM
CVSS 6.1
Reflected cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through the 'msg' parameter in index.php. Publicly available proof-of-concept code exists, enabling attackers to craft malicious URLs that execute scripts in victim browsers when clicked. No CVSS vector or patch information is available; the vulnerability appears limited in scope to a single PHP parameter.
XSS
PHP
-
CVE-2026-30082
MEDIUM
CVSS 6.1
Stored cross-site scripting (XSS) vulnerabilities in IngEstate Server v11.14.0 allow remote attackers to execute arbitrary web scripts or HTML by injecting malicious payloads into the About application, What's news, or Release note parameters within the Software Package List edit feature. The vulnerabilities affect the stored XSS class, meaning injected payloads persist and execute for all users accessing the affected page. Public exploit code is available on GitHub, and the vendor (IngEstate/Ingenico) has not released a confirmed patched version as of this analysis.
XSS
-
CVE-2026-29909
MEDIUM
CVSS 5.3
Unauthenticated directory enumeration in MRCMS V3.1.2 allows remote attackers to list and discover directory contents through the /admin/file/list.do endpoint without credentials. The vulnerability stems from missing authentication controls and input validation in the file management module, enabling information disclosure that can facilitate reconnaissance for follow-on attacks.
Information Disclosure
-
CVE-2026-29597
MEDIUM
CVSS 6.5
Incorrect access control in the file_details.asp endpoint of DDSN Interactive Acora CMS version 10.7.1 permits authenticated users with editor privileges to access sensitive files through crafted requests, resulting in information disclosure. This vulnerability requires valid editor-level credentials and direct knowledge of the vulnerable endpoint, limiting but not eliminating real-world risk. No active exploitation or public proof-of-concept code has been independently confirmed at this time.
Authentication Bypass
-
CVE-2026-27599
MEDIUM
CVSS 4.7
Stored DOM-based cross-site scripting (XSS) in CI4 CMS-ERP Mail Settings allows authenticated administrators to inject arbitrary JavaScript via unsanitized configuration fields (Mail Server, Port, Email Address, Password, Protocol, TLS settings), with payloads executing immediately on the same settings page upon save. Attack requires high-privilege access (PR:H) but enables full account takeover and platform compromise. Publicly available proof-of-concept video demonstrates attribute breakout technique.
XSS
PHP
Privilege Escalation
CSRF
-
CVE-2026-27508
MEDIUM
CVSS 5.1
Reflected cross-site scripting (XSS) in Smoothwall Express versions before 3.1 Update 13 allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers by crafting malicious URLs with javascript: schemes and delivering them through the unsanitized /redirect.cgi endpoint. The vulnerability requires user interaction (clicking a malicious link) and results in limited scope impact affecting user confidentiality and integrity. No public exploit code or active exploitation has been identified at time of analysis.
XSS
-
CVE-2026-26352
MEDIUM
CVSS 5.1
Stored cross-site scripting in Smoothwall Express prior to version 3.1 Update 13 allows authenticated attackers to inject arbitrary JavaScript through the VPN_IP parameter in /cgi-bin/vpnmain.cgi, which executes when other users view affected VPN configuration pages. The vulnerability requires user interaction (page view) and authenticated access, limiting immediate risk but enabling persistent session hijacking or credential theft against administrative users. No public exploit code or active exploitation has been confirmed at the time of analysis.
XSS
-
CVE-2026-25704
MEDIUM
CVSS 5.8
Cosmic-greeter before PR #426 contains a privilege-dropping race condition vulnerability (CWE-271) that allows local attackers to regain dropped privileges through TOCTOU timing manipulation during privilege validation checks. The vulnerability affects the Pop!_OS greeter application and could enable privilege escalation to perform actions with elevated permissions that should have been restricted.
Information Disclosure
Suse
-
CVE-2026-25627
MEDIUM
CVSS 6.5
NanoMQ MQTT Broker versions prior to 0.24.8 can be remotely crashed via MQTT-over-WebSocket by sending a packet with a maliciously inflated Remaining Length field in the fixed header while providing a shorter actual payload, triggering an out-of-bounds read that causes denial of service. Authenticated attackers can exploit this condition over the WebSocket listener with low attack complexity. Vendor-released patch available in version 0.24.8.
Buffer Overflow
Information Disclosure
-
CVE-2026-21717
MEDIUM
CVSS 5.9
Denial of service in Node.js 20.x, 22.x, 24.x, and 25.x via predictable hash collisions in V8's string hashing mechanism allows unauthenticated remote attackers to degrade process performance by crafting requests with specially crafted JSON payloads that trigger collision cascades in the internal string table. CVSS 5.9 (moderate severity, high attack complexity). No public exploit code or active exploitation confirmed at time of analysis.
Node.js
Information Disclosure
Redhat
-
CVE-2026-21714
MEDIUM
CVSS 5.3
Memory leak in Node.js HTTP/2 servers allows remote unauthenticated attackers to exhaust server memory by sending crafted WINDOW_UPDATE frames on stream 0 that exceed the maximum flow control window value. Affected versions include Node.js 20, 22, 24, and 25. While the server correctly responds with a GOAWAY frame, the Http2Session object is never cleaned up, leading to denial of service through resource exhaustion. No public exploit code identified at time of analysis.
Node.js
Information Disclosure
Redhat
-
CVE-2026-21713
MEDIUM
CVSS 5.9
Node.js versions 20.x, 22.x, 24.x, and 25.x use non-constant-time comparison for HMAC signature verification, allowing remote attackers to infer valid HMAC values through timing oracle attacks. The vulnerability leaks information proportional to matching bytes and requires high-resolution timing measurement capability, making exploitation feasible in controlled network conditions. CVSS 5.9 (confidentiality impact only); no public exploit identified at time of analysis.
Node.js
Information Disclosure
Oracle
Redhat
-
CVE-2026-21712
MEDIUM
CVSS 5.7
Denial of service in the Node.js url.format() function allows authenticated remote attackers to crash Node.js processes by supplying malformed internationalized domain names (IDNs) with invalid characters, triggering an assertion failure in native code. CVSS 5.7 (medium severity) with EPSS exploitation probability not independently confirmed. No public exploit code or CISA KEV status identified at time of analysis, but the simplicity of triggering the crash via a standard library function poses moderate real-world risk to production Node.js applications handling untrusted URL input.
Node.js
Denial Of Service
Redhat
-
CVE-2026-21711
MEDIUM
CVSS 5.3
Unix Domain Socket operations in Node.js 25.x bypass permission model enforcement, allowing local processes to create IPC endpoints and communicate with other processes when run with --permission flag but without --allow-net. An authenticated local attacker can establish inter-process communication channels that circumvent the intended network isolation boundary, resulting in information disclosure and potential privilege escalation within the same host. No public exploit code identified at time of analysis, though the vulnerability affects an experimental permission enforcement feature.
Node.js
Authentication Bypass
Redhat
-
CVE-2026-5170
MEDIUM
CVSS 6.0
Denial of service in MongoDB Server allows authenticated users with limited cluster privileges to crash a mongod process during replica set to sharded cluster promotion, causing potential primary failure. Affects MongoDB 8.2 before 8.2.2, 8.0.18+, and 7.0.31+. No public exploit code or active exploitation confirmed; CVSS 5.3 reflects the narrow attack window and authentication requirement.
Denial Of Service
-
CVE-2026-5165
MEDIUM
CVSS 6.7
VirtIO Block device driver in virtio-win fails to properly release memory during device reset, enabling a use-after-free vulnerability that allows high-privileged local attackers to corrupt kernel memory and cause system instability or denial of service. Affected versions span Red Hat Enterprise Linux 8, 9, and 10; no public exploit code or active exploitation has been identified at time of analysis, though an upstream fix is available via a GitHub PR.
Information Disclosure
-
CVE-2026-5164
MEDIUM
CVSS 6.7
Buffer overflow in virtio-win's RhelDoUnMap() function allows local privileged users to trigger a denial of service by supplying an excessive number of descriptors during unmap operations, causing system crashes. Affects Red Hat Enterprise Linux 8, 9, and 10 across multiple architectures. The vulnerability requires high-level privilege (PR:H) and has no confidentiality or integrity impact beyond the immediate DoS, with a CVSS score of 6.7 reflecting the local attack requirement and high-privilege barrier.
Buffer Overflow
Denial Of Service
-
CVE-2026-5157
MEDIUM
CVSS 5.3
Reflected cross-site scripting (XSS) in code-projects Online Food Ordering System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the cust_id parameter in /form/order.php, exploitable through user interaction (UI required). Publicly available exploit code exists; the vulnerability carries CVSS 4.3 (low severity) but poses reputational and user session hijacking risks typical of XSS attacks in e-commerce contexts.
XSS
PHP
-
CVE-2026-5153
MEDIUM
CVSS 5.3
Command injection in Tenda CH22 1.0.0.1 via the FormWriteFacMac function allows authenticated remote attackers to execute arbitrary commands by manipulating the mac parameter in the /goform/WriteFacMac endpoint. Publicly available exploit code exists for this vulnerability, which carries a CVSS score of 6.3 and requires low-privilege authentication to trigger.
Tenda
Command Injection
-
CVE-2026-5150
MEDIUM
CVSS 6.9
Remote SQL injection in code-projects Accounting System 1.0 allows unauthenticated attackers to execute arbitrary SQL queries via the cos_id parameter in the /viewin_costumer.php file. The vulnerability has a CVSS score of 6.9 with a public exploit available, enabling attackers to read sensitive data from the database with minimal attack complexity. This is a network-accessible PHP application flaw affecting confidentiality with confirmed public disclosure.
SQLi
PHP
-
CVE-2026-5148
MEDIUM
CVSS 5.1
SQL injection in YunaiV yudao-cloud up to version 2026.01 allows authenticated remote attackers to execute arbitrary SQL queries via the toMail parameter in the /admin-api/system/mail-log/page endpoint, enabling data exfiltration and potential database manipulation. The vulnerability carries a CVSS score of 5.1 with moderate confidentiality and integrity impact. Public exploit code is available, and the vendor has not responded to early disclosure efforts, leaving organizations dependent on self-patching or workarounds.
SQLi
-
CVE-2026-5147
MEDIUM
CVSS 6.9
Remote SQL injection in YunaiV yudao-cloud up to version 2026.01 allows unauthenticated attackers to execute arbitrary SQL queries via the Website parameter in the /admin-api/system/tenant/get-by-website endpoint. The vulnerability has a CVSS score of 6.9 with public exploit code available, enabling remote compromise of database confidentiality and integrity without authentication or user interaction. The vendor has not responded to early disclosure notification.
SQLi
-
CVE-2026-5126
MEDIUM
CVSS 5.3
Server-side request forgery in SourceCodester RSS Feed Parser 1.0 via the file_get_contents function allows authenticated remote attackers to perform arbitrary HTTP requests from the vulnerable server. The vulnerability has a CVSS score of 5.3 with low impact across confidentiality, integrity, and availability, and publicly available exploit code exists.
SSRF
-
CVE-2026-5125
MEDIUM
CVSS 4.8
OS command injection in raine consult-llm-mcp up to version 2.5.3 allows local authenticated users to execute arbitrary system commands via manipulation of git_diff.base_ref or git_diff.files arguments passed to child_process.execSync in src/server.ts. The vulnerability requires local access and valid credentials (privilege level L), has a CVSS score of 5.3 with medium impact on confidentiality, integrity, and availability, and publicly available exploit code exists. Vendor-released patch addresses the issue in version 2.5.4.
Command Injection
-
CVE-2026-5124
MEDIUM
CVSS 6.3
Improper access controls in osrg GoBGP up to version 4.3.0 allow remote attackers to bypass authentication via manipulation of the BGP Header Handler's DecodeFromBytes function. The vulnerability affects the BGP packet parsing mechanism and enables unauthorized modifications to BGP protocol state without requiring authentication. With a CVSS score of 3.7 and high attack complexity, exploitation is difficult but possible over the network; no public exploit code or active exploitation has been confirmed.
Authentication Bypass
-
CVE-2026-5123
MEDIUM
CVSS 6.3
Denial of service in osrg GoBGP up to version 4.3.0 via an off-by-one error in the DecodeFromBytes function allows remote, unauthenticated attackers to crash the BGP daemon through manipulation of packet data, resulting in availability impact. The vulnerability requires high attack complexity and is difficult to exploit; no public exploit code or active exploitation is currently confirmed, though a patch is available from the vendor.
Information Disclosure
-
CVE-2026-5122
MEDIUM
CVSS 6.3
Improper access control in osrg GoBGP up to 4.3.0 allows remote attackers to manipulate the domainNameLen parameter in BGP OPEN Message processing, resulting in integrity compromise through the DecodeFromBytes function. The vulnerability requires high attack complexity and has low real-world risk despite network-accessible attack vector; no public exploit code or confirmed active exploitation has been identified. A vendor patch is available via upstream commit 2b09db390a3d455808363c53e409afe6b1b86d2d.
Authentication Bypass
-
CVE-2026-5119
MEDIUM
CVSS 5.9
Libsoup transmits sensitive session cookies in cleartext within HTTP CONNECT requests when establishing HTTPS tunnels through configured HTTP proxies, allowing network-positioned attackers or malicious proxies to intercept and hijack user sessions. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and carries a CVSS 5.9 score with high confidentiality impact; no public exploit code or confirmed active exploitation has been identified at the time of analysis.
Information Disclosure
-
CVE-2026-5106
MEDIUM
CVSS 4.8
Reflected cross-site scripting (XSS) in code-projects Exam Form Submission 1.0 allows authenticated remote attackers to inject malicious scripts via the sname parameter in /admin/update_fst.php, affecting user sessions with administrator privileges. The vulnerability requires user interaction (UI:R) and carries a low CVSS score of 2.4 due to the requirement for prior administrative authentication (PR:H), but publicly available exploit code exists and may be actively used. The attack vector is network-based (AV:N) with low complexity (AC:L), creating an insider threat scenario where compromised or malicious administrators can deface content or steal session tokens of other administrators.
XSS
PHP
-
CVE-2026-5105
MEDIUM
CVSS 5.3
Command injection in Totolink A3300R firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via manipulation of the pptpPassThru parameter in the setVpnPassCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (medium severity) with network-accessible attack vector and low complexity; publicly available exploit code exists, making this an actionable threat for affected deployments.
Command Injection
-
CVE-2026-5104
MEDIUM
CVSS 5.3
Command injection in Totolink A3300R router firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via a crafted ip parameter in the setStaticRoute function of /cgi-bin/cstecgi.cgi. The vulnerability carries a CVSS score of 6.3 (medium severity) with public exploit code available, enabling potential compromise of router configuration and data integrity.
Command Injection
-
CVE-2026-5103
MEDIUM
CVSS 5.3
Remote command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the enable parameter in the setUPnPCfg function at /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the vulnerability has a CVSS score of 6.3 with confirmed proof-of-concept demonstrated on GitHub.
Command Injection
-
CVE-2026-5102
MEDIUM
CVSS 5.3
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary system commands via the qos_up_bw parameter in the setSmartQosCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (medium severity) with low attack complexity, and publicly available exploit code exists, though no active exploitation via CISA KEV has been confirmed at time of analysis.
Command Injection
-
CVE-2026-1612
MEDIUM
CVSS 6.9
Hard-coded AWS credentials in AL-KO Robolinho Update Software allow unauthenticated attackers to directly access AL-KO's AWS S3 bucket with read permissions and potentially escalated privileges beyond the application's intended access model. Version 8.0.21.0610 is confirmed vulnerable; the full affected version range is unknown due to lack of vendor cooperation. No public exploit code or active exploitation has been reported, but the credentials are trivially extractable from the application binary.
Authentication Bypass
-
CVE-2025-3716
MEDIUM
CVSS 5.3
ESET Protect (on-premises) allows user enumeration through response timing analysis, enabling remote attackers to determine whether specific usernames exist in the system without authentication. This information disclosure vulnerability (CWE-204) exploits timing differences in authentication responses to distinguish valid users from invalid ones, potentially facilitating targeted attacks against known accounts.
Information Disclosure
-
CVE-2026-33762
LOW
CVSS 2.8
Denial-of-service vulnerability in go-git v5 and earlier versions allows local attackers with write access to the repository to craft a malicious Git index file (format version 4) that triggers an out-of-bounds slice operation during parsing, causing application panic and process termination. The vulnerability requires local disk write access to the .git directory and user interaction (file opening), making it a low-severity but exploitable DoS vector for applications that do not gracefully handle panics. Patch versions v5.17.1 and v6 are available.
Buffer Overflow
-
CVE-2026-32696
LOW
CVSS 3.1
Remote denial of service in NanoMQ MQTT Broker 0.24.6 allows unauthenticated remote attackers to crash the broker by connecting without credentials when HTTP authentication is enabled with username/password placeholders, triggering a null pointer dereference in the auth_http.c module. The vulnerability requires high attack complexity (user interaction via specific MQTT CONNECT configuration) but results in broker unavailability. Vendor-released patch version 0.24.7 addresses the issue.
Null Pointer Dereference
Denial Of Service
-
CVE-2026-28528
LOW
CVSS 2.1
Out-of-bounds read in BlueKitchen BTstack AVRCP Browsing Target GET_FOLDER_ITEMS handler allows paired Bluetooth Classic attackers to cause denial of service and corrupt attribute bitmap state through insufficient bounds validation on the attr_id parameter. Attack requires proximity (Bluetooth range) and an established pairing relationship. CVSS score of 2.1 reflects limited impact (no confidentiality loss, minor integrity and availability degradation) despite low attack complexity; no active exploitation reported at time of analysis.
Buffer Overflow
Information Disclosure
-
CVE-2026-28527
LOW
CVSS 2.1
BlueKitchen BTstack contains an out-of-bounds read vulnerability in AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby Bluetooth Classic attackers with a paired connection to trigger information disclosure and potential denial of service. The vulnerability requires an attacker within Bluetooth range to establish a paired connection and send specially crafted VENDOR_DEPENDENT responses, resulting in reads beyond packet boundaries. No public exploit code or active exploitation has been identified; vendor-released patch v1.8.1 is available.
Buffer Overflow
Information Disclosure
-
CVE-2026-28526
LOW
CVSS 2.1
BlueKitchen BTstack AVRCP Controller handlers read beyond buffer boundaries when processing specially crafted VENDOR_DEPENDENT responses, allowing nearby Bluetooth Classic attackers with a paired connection to trigger an out-of-bounds read that may crash resource-constrained devices. The vulnerability affects all versions prior to v1.8.1, has a CVSS score of 2.1 (very low severity) due to limited availability impact and requirement for paired connection plus user interaction, and no public exploit code or active exploitation has been identified.
Buffer Overflow
Information Disclosure
-
CVE-2026-21716
LOW
CVSS 3.3
Node.js Permission Model bypass in FileHandle.chmod() and FileHandle.chown() promise-based methods allows local authenticated users with restricted --allow-fs-write to modify file permissions and ownership on already-open file descriptors, circumventing intended write restrictions. The vulnerability affects Node.js 20.x, 22.x, 24.x, and 25.x when running under the --permission flag; the callback-based equivalents (fs.fchmod, fs.fchown) were correctly patched in CVE-2024-36137, but the promises API was incompletely fixed. CVSS 3.3 with low real-world impact due to local-only attack vector and requirement for pre-existing file access.
Authentication Bypass
-
CVE-2026-21715
LOW
CVSS 3.3
Node.js Permission Model enforcement in versions 20.x, 22.x, 24.x, and 25.x fails to validate read permissions for fs.realpathSync.native(), allowing local authenticated processes running under --permission with restricted --allow-fs-read to enumerate filesystem paths, check file existence, and resolve symlink targets outside permitted directories. This information disclosure vulnerability bypasses sandbox restrictions intentionally configured by administrators and affects multiple stable and current Node.js release series.
Node.js
Information Disclosure
-
CVE-2026-5107
LOW
CVSS 2.3
Remote improper access control in FRRouting FRR up to version 10.5.1 allows authenticated remote attackers to bypass authorization checks in the EVPN Type-2 Route Handler (process_type2_route function), potentially leading to integrity and availability impacts. The vulnerability requires high attack complexity and authenticated access (PR:L), limiting immediate exploitation risk. An upstream fix (commit 7676cad65114aa23adde583d91d9d29e2debd045) is available; no public exploit code or active CISA KEV designation identified at time of analysis.
Authentication Bypass
Debian
Suse
Redhat
-
CVE-2025-66215
LOW
CVSS 3.8
Stack-buffer overflow in OpenSC's card-oberthur module (versions prior to 0.27.0) allows local attackers with physical access to trigger memory corruption via specially crafted APDU responses from a malicious USB device or smart card, potentially causing denial of service or limited information disclosure. The attack requires the user or administrator to actively use a token during the compromise window, and the vulnerability has been patched in version 0.27.0. No public exploit code or active exploitation has been confirmed at the time of analysis.
Buffer Overflow
Stack Overflow
-
CVE-2025-66038
LOW
CVSS 3.9
OpenSC before version 0.27.0 contains an out-of-bounds buffer read vulnerability in the sc_compacttlv_find_tag function that can return pointers beyond the allocated buffer bounds, leading to potential memory corruption when downstream code dereferences the returned pointer. The vulnerability affects OpenSC when processing untrusted compact-TLV data from smart cards or files, where a maliciously crafted single-byte element can claim a length exceeding the remaining buffer size without validation. While the CVSS score of 3.9 reflects the physical attack vector requirement (smartcard interaction) and high attack complexity, the memory corruption potential poses a notable risk in environments where OpenSC processes untrusted card data.
Buffer Overflow
-
CVE-2025-66037
LOW
CVSS 3.9
Out-of-bounds heap read in OpenSC prior to version 0.27.0 allows local attackers with physical access to smart card interfaces to trigger information disclosure and potential denial of service via crafted X.509/SPKI input to the pkcs15_reader function. The vulnerability stems from sc_pkcs15_pubkey_from_spki_fields() allocating a zero-length buffer and reading one byte beyond its bounds. No public exploit code or active exploitation has been identified; patch is available in version 0.27.0.
Information Disclosure
Buffer Overflow
-
CVE-2025-49010
LOW
CVSS 3.8
Stack buffer overflow in OpenSC's GET RESPONSE handler prior to version 0.27.0 allows local attackers with physical access to trigger memory corruption via specially crafted smart card or USB device responses to APDUs. The vulnerability requires user interaction and physical proximity, limiting its practical exploitability; however, it could enable local privilege escalation or information disclosure when an authorized user or administrator actively uses a token. No public exploit code or active exploitation has been confirmed.
Buffer Overflow
Stack Overflow
-
CVE-2025-7741
LOW
CVSS 2.1
Hardcoded password vulnerability in Yokogawa CENTUM VP allows authentication bypass for the PROG system account across versions R5.01.00-R5.04.20, R6.01.00-R6.12.00, and R7.01.00. An attacker who obtains the hardcoded credential and has direct access to the Human Interface Station (HIS) running CTM authentication mode can log in as PROG; however, real-world risk is constrained because PROG defaults to S1 (OFFUSER) permission level, and exploitation requires pre-existing HIS access. No public exploit code or active CISA KEV status identified at time of analysis.
Authentication Bypass