262 CVEs tracked today. 32 Critical, 102 High, 108 Medium, 14 Low.
-
CVE-2026-34953
CRITICAL
CVSS 9.1
Authentication bypass in PraisonAI MCP server (Python package praisonai) allows remote, unauthenticated attackers to execute arbitrary agents, workflows, and file operations with zero authentication. The OAuthManager.validate_token() method incorrectly returns True for any token when its internal token store is empty (default state), treating all HTTP requests with arbitrary Bearer tokens as authenticated. This grants full access to 50+ registered tools including praisonai.agent.run, praisonai.workflow.run, and container file read/write operations. The server binds to 0.0.0.0 by default with no API key requirement. Public exploit code exists (PoC in GitHub advisory). CVSS 9.1 Critical with network attack vector, low complexity, and no privileges required. EPSS and KEV data not available at time of analysis; no public exploit identified beyond the published PoC.
Authentication Bypass
Python
-
CVE-2026-34952
CRITICAL
CVSS 9.1
Missing authentication in PraisonAI Gateway 4.5.87 allows remote unauthenticated attackers to hijack AI agent infrastructure via exposed WebSocket endpoints and topology enumeration. The `/ws` WebSocket endpoint and `/info` REST endpoint accept connections without token validation, enabling arbitrary message injection to registered agents and their tool sets. While the GatewayConfig includes an auth_token field, the implementation never enforces it. Publicly available exploit code exists with concrete proof-of-concept demonstrating unauthenticated connection and agent enumeration. EPSS data not available for this recent CVE, but the network-accessible attack vector (AV:N), low complexity (AC:L), and zero authentication requirement (PR:N) combined with working PoC code create immediate risk for exposed instances.
Authentication Bypass
Python
-
CVE-2026-34938
CRITICAL
CVSS 10.0
Critical sandbox escape in praisonaiagents Python library allows remote unauthenticated attackers to execute arbitrary OS commands by exploiting a type-checking flaw in the _safe_getattr wrapper. The vulnerability affects pkg:pip/praisonaiagents and carries a maximum CVSS 10.0 score with network attack vector, no authentication required, and changed scope impact. Deployments using default autonomous modes (PRAISONAI_AUTO_APPROVE=true) execute attacker code silently without human confirmation, enabling indirect prompt injection attacks against AI agent pipelines. Publicly available exploit code exists with working proof-of-concept demonstrating full OS command execution via subprocess.Popen access.
Python
Command Injection
-
CVE-2026-34935
CRITICAL
CVSS 9.8
Arbitrary OS command execution in PraisonAI (Python package) versions prior to 4.5.69 allows remote unauthenticated attackers to execute commands as the process user via the unsanitized `--mcp` CLI argument. The vulnerability stems from passing user-controlled input directly to `shlex.split()` and `anyio.open_process()` without validation. CVSS 9.8 (Critical). Vendor-released patch available in version 4.5.69 (commit 47bff65). No public exploit code independently confirmed beyond the GitHub advisory PoC, and not listed in CISA KEV at time of analysis.
Command Injection
Python
-
CVE-2026-34934
CRITICAL
CVSS 9.8
SQL injection in PraisonAI's thread listing function allows unauthenticated remote attackers to execute arbitrary SQL queries and achieve complete database compromise. The vulnerability exists in sql_alchemy.py where thread IDs stored via update_thread are concatenated into raw SQL queries using f-strings without sanitization. Attackers inject malicious SQL through thread_id parameters, which execute when get_all_user_threads loads the thread list. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction. No public exploit confirmed beyond the GitHub security advisory PoC; EPSS data unavailable. Immediate patching required for all PraisonAI Python package installations.
Python
SQLi
Information Disclosure
-
CVE-2026-34875
CRITICAL
CVSS 9.8
Buffer overflow in Mbed TLS public key export functionality for Finite Field Diffie-Hellman (FFDH) keys affects versions through 3.6.5 and TF-PSA-Crypto 1.0.0. An attacker can trigger a memory corruption condition during FFDH public key export operations, potentially enabling code execution or denial of service depending on memory layout and application context. No public exploit code or active exploitation has been confirmed at time of analysis.
Buffer Overflow
-
CVE-2026-34873
CRITICAL
CVSS 9.1
Mbed TLS versions 3.5.0 through 4.0.0 allow client impersonation during TLS 1.3 session resumption, enabling an attacker to assume the identity of a legitimate client when reestablishing a previously negotiated session. The vulnerability affects the session resumption mechanism in TLS 1.3 and permits information disclosure; no CVSS score or exploit status data is currently available from public sources.
Authentication Bypass
-
CVE-2026-34872
CRITICAL
CVSS 9.1
Finite-field Diffie-Hellman (FFDH) in Mbed TLS 3.5.x, 3.6.0 through 3.6.5, and TF-PSA-Crypto 1.0 lacks contributory behavior due to improper validation of peer-supplied parameters, allowing an attacker to restrict the shared secret to a small set of predictable values. While the vulnerability does not directly impact TLS (which does not depend on contributory behavior), it poses a significant risk to protocols that do rely on this property, including those where an active network attacker or malicious peer can exploit the weakness. No CVSS score or public exploit code has been assigned at the time of analysis.
Information Disclosure
Jwt Attack
-
CVE-2026-34751
CRITICAL
CVSS 9.1
Account takeover via password reset flow in Payload CMS versions prior to 3.79.1 allows unauthenticated remote attackers to perform actions on behalf of users who initiate password recovery. The vulnerability stems from insufficient input validation and URL construction (CWE-472: External Control of Assumed-Immutable Web Parameter), enabling attackers to intercept or manipulate the password reset process without authentication. Affects all auth-enabled collections using built-in forgot-password functionality. CVSS 9.1 (Critical) with network-accessible, low-complexity exploitation requiring no privileges. EPSS data not available; no public exploit identified at time of analysis, but the GitHub security advisory provides detailed technical context increasing weaponization risk.
Information Disclosure
-
CVE-2026-34571
CRITICAL
CVSS 9.9
Stored cross-site scripting in CI4MS backend user management allows authenticated attackers with low-level privileges to inject malicious JavaScript that executes automatically when administrators access affected pages, enabling session hijacking and full administrative account takeover. The vulnerability affects all versions prior to 0.31.0.0 with a critical CVSS score of 9.9 due to scope change and high impact across confidentiality, integrity, and availability. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis, though the technical barrier is low (AC:L, PR:L).
XSS
Privilege Escalation
-
CVE-2026-34569
CRITICAL
CVSS 9.9
Stored cross-site scripting in CI4MS blog category management allows authenticated users to inject malicious JavaScript that executes across multiple application contexts including public blog pages and administrative interfaces. The vulnerability affects all versions prior to 0.31.0.0; attackers with low-privilege authenticated access can achieve scope change with high impact to confidentiality, integrity, and availability (CVSS 9.9). Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis; EPSS data is unavailable, and exploitation is straightforward given low attack complexity.
XSS
-
CVE-2026-34568
CRITICAL
CVSS 9.1
Stored cross-site scripting in CI4MS blog module allows authenticated attackers to inject malicious JavaScript that executes in victims' browsers across multiple application views. The vulnerability affects all versions prior to 0.31.0.0 and stems from insufficient input sanitization when creating or editing blog posts combined with unsafe output rendering. Attack requires low-privilege authentication (PR:L) but has scope change (S:C), enabling session hijacking and credential theft across user contexts. Vendor-released patch available in version 0.31.0.0. EPSS and KEV data not provided; no public exploit identified at time of analysis.
XSS
-
CVE-2026-34567
CRITICAL
CVSS 9.1
Stored cross-site scripting in CI4MS (CodeIgniter 4 CMS) allows authenticated users with blog post management privileges to inject malicious JavaScript through unsanitized category fields, affecting all users who view blog posts containing the poisoned categories. The vulnerability is confirmed patched in version 0.31.0.0. With CVSS 9.1 (Critical) due to scope change and high confidentiality impact, and low attack complexity requiring only low-privilege authentication, this represents significant risk in multi-user CMS environments despite no confirmed active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.
XSS
-
CVE-2026-34566
CRITICAL
CVSS 9.1
Stored cross-site scripting (XSS) in CI4MS page management functionality allows authenticated attackers to inject malicious JavaScript that executes in both administrative contexts and public-facing pages. Affecting CI4MS versions prior to 0.31.0.0, this vulnerability requires low-privilege authentication (PR:L) but enables scope change (S:C) with network-based remote exploitation (AV:N) and low attack complexity (AC:L). Vendor-released patch version 0.31.0.0 addresses the input sanitization failures. No public exploit identified at time of analysis; CVSS 9.1 reflects the scope change and cross-context impact enabling privilege escalation and potential administrator session compromise.
XSS
-
CVE-2026-34565
CRITICAL
CVSS 9.1
Stored cross-site scripting (XSS) in CI4MS menu management allows authenticated users with low privileges to inject malicious scripts that execute in administrator and public user contexts. Affecting CI4MS versions prior to 0.31.0.0, the vulnerability lets attackers exploit insufficient input sanitization when adding Posts to navigation menus, achieving cross-scope code execution (CVSS scope changed) with potential for session hijacking and administrative account compromise. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis; EPSS data is not available for risk quantification.
XSS
-
CVE-2026-34564
CRITICAL
CVSS 9.1
Stored cross-site scripting in CI4MS menu management allows authenticated attackers to inject malicious scripts that execute in administrative and public contexts with changed scope impact. The vulnerability affects all CI4MS versions prior to 0.31.0.0; attackers with low-level privileges can exploit inadequate input sanitization in the Pages-to-navigation-menu workflow to persistently embed DOM-based XSS payloads. CVSS 9.1 (Critical) with scope change (S:C) indicates privilege escalation potential across trust boundaries. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though exploitation is feasible given low attack complexity (AC:L) and no user interaction requirement (UI:N).
XSS
-
CVE-2026-34563
CRITICAL
CVSS 9.1
Stored blind cross-site scripting in CI4MS backup management allows authenticated attackers to inject malicious JavaScript payloads via SQL-backed backup filenames, achieving scope change with high confidentiality impact and low integrity/availability impact. The vulnerability exploits insufficient input sanitization during backup upload processing and unsafe output rendering in administrative views. Vendor-released patch available in version 0.31.0.0. CVSS 9.1 (Critical) with network attack vector, low complexity, and low privilege requirement. No public exploit identified at time of analysis; EPSS data is unavailable for this recently disclosed GitHub-sourced CVE.
XSS
-
CVE-2026-34560
CRITICAL
CVSS 9.1
Blind stored XSS in CI4MS CMS log viewer allows authenticated attackers to execute JavaScript in administrator sessions when reviewing application logs. Affects CI4MS versions prior to 0.31.0.0. The vulnerability enables low-privilege authenticated users to inject malicious payloads that persist in logs and execute when administrators access the logs interface (CVSS 9.1, Critical). EPSS data not available; no public exploit identified at time of analysis, though the attack technique is well-documented in XSS literature.
XSS
-
CVE-2026-34559
CRITICAL
CVSS 9.1
Stored cross-site scripting in CI4MS blog tag management (versions prior to 0.31.0.0) allows authenticated attackers to inject malicious JavaScript through unsanitized tag name fields, achieving code execution in victim browsers with scope change (CVSS 9.1, S:C). The payload persists server-side and executes on public tag pages and administrative interfaces, enabling session hijacking, credential theft, and administrative account compromise. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users with tag creation privileges.
XSS
-
CVE-2026-34456
CRITICAL
CVSS 9.1
Account takeover via OAuth email auto-linking affects Reviactyl game server management panel versions 26.2.0-beta.1 through 26.2.0-beta.4, allowing unauthenticated remote attackers to gain full access to victim accounts by registering social OAuth accounts (Google, GitHub, Discord) with matching email addresses. The CVSS 9.1 (Critical) score reflects network-based exploitation requiring no authentication, low complexity, and high confidentiality/integrity impact. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward and publicly documented in GitHub advisory GHSA-8mcf-rp68-xhfg. Vendor-released patch: version 26.2.0-beta.5.
Authentication Bypass
Google
-
CVE-2026-34159
CRITICAL
CVSS 9.8
Remote code execution in llama.cpp RPC backend allows unauthenticated attackers with TCP access to achieve arbitrary memory read/write and full ASLR bypass. The vulnerability stems from missing bounds validation in deserialize_tensor() when processing GRAPH_COMPUTE messages with zero-valued buffer fields. Attackers can leverage pointer leaks from ALLOC_BUFFER/BUFFER_GET_BASE operations to reliably exploit this flaw. Fixed in version b8492 (commit 39bf0d3c). CVSS 9.8 (Critical) with network attack vector, low complexity, and no authentication required. No public exploit identified at time of analysis, though the detailed advisory provides sufficient technical context for weaponization.
RCE
Buffer Overflow
-
CVE-2026-31027
CRITICAL
CVSS 9.8
Buffer overflow in TOTOlink A3600R v5.9c.4959 setAppEasyWizardConfig interface allows remote code execution or denial of service via unvalidated rootSsid parameter in /lib/cste_modules/app.so. The vulnerability affects a Wi-Fi router's configuration endpoint and enables unauthenticated attackers to trigger memory corruption with potential for arbitrary code execution. No CVSS vector or patch status was available at time of analysis.
Buffer Overflow
RCE
Denial Of Service
-
CVE-2026-30643
CRITICAL
CVSS 9.8
Remote code execution in DedeCMS 5.7.118 allows unauthenticated attackers to execute arbitrary code through crafted setup tag values during module upload operations. The vulnerability exploits insufficient input validation in the module upload functionality, enabling direct code injection. No CVSS score, EPSS data, or KEV confirmation is available; however, the presence of a public proof-of-concept demonstrates practical exploitability.
RCE
Code Injection
-
CVE-2026-29014
CRITICAL
CVSS 9.3
MetInfo CMS 7.9, 8.0, and 8.1 allow unauthenticated remote code execution through PHP code injection enabled by insufficient input validation. Attackers can send crafted requests containing malicious PHP code to execute arbitrary commands and achieve full server compromise without authentication. Publicly available exploit code exists for this vulnerability.
PHP
RCE
Code Injection
-
CVE-2026-20160
CRITICAL
CVSS 9.8
Remote code execution in Cisco Smart Software Manager On-Prem allows unauthenticated attackers to execute arbitrary commands with root privileges via an exposed internal service API. The vulnerability stems from unintentional exposure of an internal service that accepts crafted API requests, enabling full system compromise. With a CVSS score of 9.8, a network attack vector, and no authentication or user interaction required, this represents a critical security exposure for organizations using SSM On-Prem for Cisco software license management, though no public exploit was identified at time of analysis.
Cisco
Information Disclosure
-
CVE-2026-20093
CRITICAL
CVSS 9.8
Authentication bypass in Cisco Integrated Management Controller (IMC) allows unauthenticated remote attackers to gain administrative access by exploiting improper password change request handling. Affected products include Cisco Enterprise NFV Infrastructure Software, Unified Computing System (Standalone), and UCS E-Series Software. The attacker can alter any user's password, including Admin accounts, and take full control of the management interface. CVSS 9.8 (Critical) with network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis; EPSS data is not available for a comprehensive risk assessment.
Cisco
Authentication Bypass
-
CVE-2026-5290
CRITICAL
CVSS 9.6
Use-after-free in Chrome's compositing engine allows remote attackers who have compromised the renderer process to escape the sandbox via crafted HTML pages in Google Chrome prior to version 146.0.7680.178. This high-severity vulnerability requires prior renderer compromise but enables privilege escalation from the sandboxed renderer to system-level access, making it a critical sandbox bypass vector. Vendor-released patch addresses the issue in Chrome 146.0.7680.178 and later.
Google
Use After Free
Denial Of Service
Memory Corruption
Debian
-
CVE-2026-5289
CRITICAL
CVSS 9.6
Use-after-free in Google Chrome's Navigation component prior to version 146.0.7680.178 enables sandbox escape for attackers who have already compromised the renderer process, allowing them to potentially execute arbitrary code with elevated privileges via a malicious HTML page. Chromium rates this as high severity; patch availability confirmed from vendor.
Google
Use After Free
Denial Of Service
Memory Corruption
Debian
-
CVE-2026-5288
CRITICAL
CVSS 9.6
Use-after-free in Chrome's WebView on Android prior to version 146.0.7680.178 allows a remote attacker with a compromised renderer process to escape the sandbox via crafted HTML, potentially leading to arbitrary code execution outside the browser's security boundary. This vulnerability requires prior renderer compromise but eliminates a critical containment layer, classified as High severity by Chromium.
Google
Use After Free
Denial Of Service
Memory Corruption
Debian
-
CVE-2026-5281
HIGH
CVSS 8.8
Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification.
Google
Use After Free
RCE
Memory Corruption
Denial Of Service
-
CVE-2026-4370
CRITICAL
CVSS 10.0
Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows complete data exfiltration and manipulation through missing TLS certificate validation on Dqlite database endpoints. The controller's database cluster accepts unauthorized node joins from any network-accessible attacker, granting full read/write access to all stored credentials, configurations, and orchestration data. With CVSS 10.0 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents a critical authentication bypass in infrastructure-as-code environments. No public exploit identified at time of analysis, though exploitation requires only network access to the Dqlite port without authentication complexity.
Information Disclosure
-
CVE-2025-71279
CRITICAL
CVSS 9.3
Authentication bypass in XenForo versions prior to 2.3.7 compromises passkey-based authentication, allowing remote unauthenticated attackers to bypass security controls protecting passkey-enabled user accounts. No public exploit identified at time of analysis; EPSS data is not available. The vulnerability affects a critical authentication mechanism (WebAuthn/passkeys), representing a high-severity threat to forum platforms relying on this modern authentication method.
Authentication Bypass
-
CVE-2025-15484
CRITICAL
CVSS 9.1
Order Notification for WooCommerce WordPress plugin versions before 3.6.3 disable WooCommerce's authentication and permission checks, allowing unauthenticated remote attackers to read and modify all store data including products, coupons, orders, and customer information. This critical authorization bypass affects all WordPress installations using the vulnerable plugin without version restriction, and no public exploit code availability or active exploitation status has been confirmed at time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-35099
HIGH
CVSS 7.4
Local privilege escalation to SYSTEM via race condition in Lakeside SysTrack Agent 11 (versions prior to 11.2.1.28) allows unauthenticated local attackers to gain complete system control through timing-dependent exploitation. EPSS risk assessment and KEV status not available at time of analysis; no public exploit identified at time of analysis. Attack complexity is rated high, requiring precise timing manipulation of concurrent operations.
Privilege Escalation
Race Condition
-
CVE-2026-35093
HIGH
CVSS 8.8
Local privilege escalation in libinput allows authenticated users to execute arbitrary code within graphical compositor contexts by placing malicious Lua bytecode in system or user configuration directories. The vulnerability achieves scope change (CVSS S:C) with high impact across confidentiality, integrity, and availability (CVSS 8.8), enabling attackers to monitor keyboard input including passwords and sensitive data. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.
RCE
Code Injection
-
CVE-2026-35092
HIGH
CVSS 7.5
Remote denial of service via integer overflow in Corosync cluster engine affects Red Hat Enterprise Linux 7-10 and OpenShift Container Platform 4. Unauthenticated attackers can send crafted UDP packets to crash Corosync services running in totemudp/totemudpu mode (CVSS 7.5, AV:N/PR:N). EPSS data not provided; no public exploit identified at time of analysis. Impacts high-availability cluster deployments where Corosync provides quorum and messaging services.
Denial Of Service
Integer Overflow
-
CVE-2026-35091
HIGH
CVSS 8.2
Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memory via malformed UDP packets. Affects default totemudp/totemudpu configurations across Red Hat Enterprise Linux 7/8/9/10 and OpenShift Container Platform 4. CVSS 8.2 (High) with network attack vector, low complexity, and no authentication required. EPSS and exploitation status data not available; no public exploit identified at time of analysis. Impacts high-availability clustering infrastructure commonly used in enterprise production environments.
Denial Of Service
Buffer Overflow
-
CVE-2026-35056
HIGH
CVSS 8.6
Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbitrary code on the server. Attack requires low-privilege admin panel access (PR:L) with network accessibility (AV:N) and low complexity (AC:L). No public exploit identified at time of analysis, though VulnCheck published technical analysis. This represents a supply-chain or insider-threat risk where compromised admin credentials or malicious insiders could achieve complete server compromise.
RCE
Code Injection
-
CVE-2026-35000
HIGH
CVSS 7.1
Local filesystem disclosure in ChangeDetection.io <0.54.7 allows authenticated remote attackers to read arbitrary files via incomplete XPath 3.0/3.1 function blocklist bypass. The SafeXPath3Parser implementation fails to block dangerous file-access functions like json-doc(), enabling sensitive data exfiltration. EPSS data unavailable; no public exploit identified at time of analysis. SSVC assessment indicates partial technical impact with non-automatable exploitation requiring authentication.
Information Disclosure
-
CVE-2026-34955
HIGH
CVSS 8.8
Command injection in PraisonAI's SubprocessSandbox allows authenticated local users to bypass all sandbox modes (BASIC, STRICT, NETWORK_ISOLATED) and execute arbitrary OS commands. The vulnerability stems from shell=True usage combined with inadequate blocklist filtering that omits 'sh' and 'bash' executables, enabling trivial escape via 'sh -c' wrapper. CVSS 8.8 (High) reflects scope change and complete CIA triad compromise. No active exploitation confirmed (not in CISA KEV), but GitHub advisory includes working proof-of-concept code. EPSS data not available for this recent CVE. Critical for deployments using PraisonAI's sandbox feature with untrusted agent code or exposed to prompt injection attacks.
Command Injection
Python
-
CVE-2026-34954
HIGH
CVSS 8.6
Server-Side Request Forgery (SSRF) in praisonaiagents allows unauthenticated remote attackers to access internal network resources and cloud metadata services. The FileTools.download_file() function passes user-controlled URLs directly to httpx.stream() with redirect following enabled, bypassing network boundaries. On AWS EC2 instances with IMDSv1, attackers can retrieve IAM credentials from the metadata service (169.254.169.254) and write them to disk. Exploitation requires no authentication (PR:N) and can be triggered via indirect prompt injection. EPSS data not available for this recent CVE, but publicly available exploit code exists in the GitHub advisory with a working proof-of-concept demonstrating credential theft on cloud infrastructure.
SSRF
Python
-
CVE-2026-34940
HIGH
CVSS 8.7
Command injection in KubeAI Ollama model controller allows Kubernetes users with Model CRD write permissions to execute arbitrary shell commands inside model server pods. The vulnerability stems from unsanitized URL components (model ref and query parameters) being interpolated into bash startup probe scripts. With CVSS 8.7 (AV:N/AC:L/PR:H/UI:N/S:C), this represents a significant privilege escalation risk in multi-tenant clusters where Model creation is delegated to non-admin users. No public exploit identified at time of analysis, though detailed proof-of-concept payloads are documented in the GitHub advisory.
Golang
Kubernetes
RCE
Command Injection
-
CVE-2026-34937
HIGH
CVSS 7.8
Command injection in PraisonAI's run_python() function allows authenticated local attackers to execute arbitrary operating system commands with the privileges of the application process. The vulnerability stems from incomplete input sanitization that fails to escape shell metacharacters ($() and backticks) before passing user-controlled code to subprocess.run() with shell=True. Attackers with low-privilege local access can exploit this to achieve full system compromise (confidentiality, integrity, and availability impact rated High). Proof-of-concept code demonstrates successful command injection via the praisonaiagents Python package. No active exploitation confirmed via CISA KEV at time of analysis, but publicly available exploit code exists in the GitHub security advisory.
Python
Command Injection
-
CVE-2026-34936
HIGH
CVSS 7.7
Server-Side Request Forgery in PraisonAI's passthrough API allows authenticated remote attackers to access internal cloud metadata services and private network resources. The vulnerability affects the praisonai Python package where the passthrough() and apassthrough() functions accept unvalidated caller-controlled api_base parameters that are directly concatenated and passed to httpx requests. With default AUTH_ENABLED=False configuration, this is remotely exploitable to retrieve EC2 IAM credentials via IMDSv1 (169.254.169.254) or reach internal services like Redis, Elasticsearch, and Kubernetes APIs within cloud VPCs. Public exploit code exists demonstrating localhost and metadata service access. EPSS data not available, not listed in CISA KEV.
SSRF
Elastic
Redis
Kubernetes
Python
-
CVE-2026-34874
HIGH
CVSS 7.5
NULL pointer dereference in Mbed TLS distinguished name (X.509) parsing allows remote attackers to trigger a denial of service by writing to address 0, affecting Mbed TLS versions 3.6.5 and earlier, and 4.0.0. The vulnerability is reachable during X.509 certificate processing and does not require authentication. No public exploit code or active exploitation has been confirmed at the time of analysis.
Null Pointer Dereference
Denial Of Service
-
CVE-2026-34828
HIGH
CVSS 7.1
Session fixation in listmonk v6.0.0 allows authenticated sessions to persist after password reset or password change, enabling attackers with stolen session cookies to maintain account access despite credential recovery by the victim. Authenticated remote attackers (PR:L) can exploit this to retain high confidentiality impact access. No public exploit code identified at time of analysis, though the vulnerability is trivially reproducible per the detailed proof-of-concept. EPSS data not available; vulnerability confirmed in production release v6.0.0 via GitHub Security Advisory.
Authentication Bypass
XSS
-
CVE-2026-34825
HIGH
CVSS 8.5
SQL injection in NocoBase plugin-workflow-sql through version 2.0.8 allows authenticated workflow users to execute arbitrary database queries. The vulnerable SQLInstruction class performs unparameterized string substitution of template variables (e.g., {{$context.data.fieldName}}) directly into raw SQL statements, enabling attackers to break out of string literals and inject malicious SQL commands. Publicly available exploit code exists demonstrating UNION-based injection to extract database credentials and system information. With default Docker deployments granting superuser database privileges, attackers gain full read/write access to the database including credential extraction, data modification, and table deletion capabilities.
SQLi
Docker
Debian
PostgreSQL
-
CVE-2026-34783
HIGH
CVSS 8.1
Path traversal in Ferret's IO::FS::WRITE and IO::FS::READ functions enables remote code execution when web scraping operators process attacker-controlled filenames. The vulnerability affects github.com/MontFerret/ferret (all v2.x and earlier versions), allowing malicious websites to write arbitrary files outside intended directories by injecting '../' sequences into filenames returned via scraped content. Attackers can achieve RCE by writing to /etc/cron.d/, ~/.ssh/authorized_keys, shell profiles, or web server directories. Vendor-released patch available via commit 160ebad6bd50f153453e120f6d909f5b83322917. CVSS 8.1 (High) reflects network attack vector with low complexity requiring user interaction. No public exploit identified at time of analysis beyond the proof-of-concept in the GitHub advisory, and not listed in CISA KEV.
Path Traversal
RCE
Privilege Escalation
PHP
Python
-
CVE-2026-34752
HIGH
CVSS 8.7
Haraka email server crashes when processing emails with `__proto__` as a header name, enabling remote unauthenticated denial of service. Attackers can send a specially crafted email via SMTP to crash worker processes, disrupting email delivery. In single-process deployments, the entire server becomes unavailable; in cluster mode, all active sessions are terminated. No public exploit identified at time of analysis beyond the published proof-of-concept code, though exploitation requires only basic SMTP access.
Denial Of Service
Python
-
CVE-2026-34748
HIGH
CVSS 8.7
Stored Cross-Site Scripting (XSS) in Payload CMS versions prior to 3.78.0 allows authenticated users with write permissions to inject scripts into content that execute in other users' browsers when the content is viewed in the admin panel. Exploitation requires low-privilege access (PR:L) and user interaction (UI:R); the scope change (S:C) reflects that a script planted by a low-privilege author runs in an administrator's session, enabling account compromise with high confidentiality and integrity impact. The CVSS score of 8.7 reflects that cross-privilege reach. No public exploit identified at time of analysis, though the technical details are publicly documented in GitHub Security Advisory GHSA-mmxc-95ch-2j7c.
XSS
-
CVE-2026-34747
HIGH
CVSS 8.5
SQL injection in Payload CMS versions prior to 3.79.1 allows authenticated attackers to manipulate database queries and exfiltrate or modify collection data. The vulnerability stems from inadequate input validation on request parameters, enabling low-privilege users to craft malicious SQL queries with low attack complexity over the network. No public exploit identified at time of analysis. EPSS risk data not available, but the CVSS score of 8.5 with scope change (S:C) indicates potential for significant impact beyond the vulnerable component.
SQLi
-
CVE-2026-34746
HIGH
CVSS 7.7
Server-Side Request Forgery in Payload CMS versions prior to 3.79.1 allows authenticated users with upload permissions to force the server to make HTTP requests to arbitrary URLs, potentially exposing internal network resources and sensitive data. The vulnerability affects the upload functionality and enables information disclosure with high confidentiality impact. CVSS score of 7.7 reflects network-accessible attack vector with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the vulnerability requires only basic authenticated access to upload-enabled collections.
SSRF
-
CVE-2026-34742
HIGH
CVSS 7.6
DNS rebinding in Model Context Protocol (MCP) Go SDK versions prior to 1.4.0 lets a malicious website reach MCP servers listening on localhost. The attacker's page is served from a hostname the attacker controls; after the page loads, that name is re-resolved to 127.0.0.1, so the browser's follow-up requests land on the local server while still counting as same-origin with the attacker's page. Affects servers using StreamableHTTPHandler or SSEHandler when run without authentication on localhost; rejecting requests whose Host header does not name the server's own loopback address is the standard defence against this class of attack. No public exploit identified at time of analysis, though the attack technique (DNS rebinding) is well-documented. Real-world risk is constrained to the non-recommended configuration of running without authentication.
Authentication Bypass
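Added example, not code from the advisory or from the MCP Go SDK: the Host and Origin checks a loopback HTTP server applies to defeat DNS rebinding. After a rebind the browser still sends the attacker's hostname in Host (it is taken from the URL the page navigated to, not from the resolved IP), so an exact match against the server's own loopback names rejects the request. The function names, the port 8080, and the two constructed header sets are assumptions for the demo.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def host_header_is_local(host_header: str, expected_port: int) -> bool:
    """True only if the Host header names this loopback listener on this port.

    A rebound request still carries 'Host: attacker.example:8080' even though
    attacker.example now resolves to 127.0.0.1, so a strict check defeats it."""
    if not host_header:
        return False
    try:
        parts = urlsplit(f"//{host_header}")
        hostname, port = parts.hostname, parts.port  # .port raises on junk
    except ValueError:
        return False
    if hostname is None or parts.username is not None:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    if (port if port is not None else 80) != expected_port:
        return False
    try:
        return ipaddress.ip_address(hostname).is_loopback   # 127.x, ::1
    except ValueError:
        return hostname == "localhost"   # exact match; no *.localhost suffixes


LOCAL_ORIGINS = {"http://localhost", "http://127.0.0.1", "http://[::1]"}


def origin_is_allowed(origin: Optional[str], expected_port: int) -> bool:
    """Non-browser clients send no Origin; a browser making a cross-site
    request always does, so any Origin present must be one of ours."""
    if origin is None:
        return True
    return origin in {f"{o}:{expected_port}" for o in LOCAL_ORIGINS}


def accept_request(headers: dict, expected_port: int = 8080) -> bool:
    """Gate applied before any MCP message is processed."""
    return (host_header_is_local(headers.get("Host", ""), expected_port)
            and origin_is_allowed(headers.get("Origin"), expected_port))


# Constructed requests: a legitimate local client and a rebound browser page.
LOCAL_CLIENT = {"Host": "localhost:8080"}
REBOUND_PAGE = {"Host": "attacker.example:8080", "Origin": "http://attacker.example"}

if __name__ == "__main__":
    print("local client accepted:", accept_request(LOCAL_CLIENT))
    print("rebound page accepted:", accept_request(REBOUND_PAGE))
```

The Host check is what actually stops rebinding; the Origin check is a second layer against pages that somehow present a local Host. Requiring authentication on the MCP endpoint removes the dependence on either.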
-
CVE-2026-34728
HIGH
CVSS 8.7
Path traversal combined with CSRF in phpMyFAQ's MediaBrowserController enables remote deletion of critical server files. An attacker who lures a logged-in administrator to a malicious page can issue a forged deletion request carrying a traversal path, removing arbitrary files including database configurations, .htaccess files, and application code. GitHub advisory confirms the vulnerability with POC demonstration. The attack requires an authenticated account (PR:L) and user interaction (UI:R), achieving high integrity and availability impact with scope change (S:C). No public exploit identified at time of analysis beyond the disclosed POC, and patch availability not confirmed from available data.
PHP
Path Traversal
CSRF
Apache
-
CVE-2026-34725
HIGH
CVSS 8.2
Stored XSS in DbGate npm package escalates to remote code execution in Electron desktop app via unsanitized SVG icon rendering. Attackers who inject malicious SVG payloads into application definition files can execute arbitrary JavaScript when victims view matching database entries. In the Electron desktop client, insecure configuration (nodeIntegration: true, contextIsolation: false) allows XSS payloads to invoke Node.js APIs, enabling local code execution including file system access. Web deployments face session hijacking and credential theft. EPSS data not available; vendor patch released via GitHub commit a7d2ed1. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept demonstrates both XSS and RCE paths.
XSS
RCE
PostgreSQL
-
CVE-2026-34604
HIGH
CVSS 7.1
Path traversal via symlink/junction bypass in @tinacms/graphql FilesystemBridge allows authenticated remote attackers with low privileges to read, write, and delete arbitrary files outside the configured content root. The vulnerability exploits a realpath canonicalization gap: path validation checks the lexical string path, but the filesystem operations follow symlink targets. Attack complexity is high (CVSS AC:H) as it requires pre-existing symlinks/junctions within the content tree or the ability to create them. EPSS data not provided; not listed in CISA KEV, so no confirmed active exploitation. Vendor-released patch available via commit f124eabaca10dac9a4d765c9e4135813c4830955.
Path Traversal
Microsoft
Canonical
-
CVE-2026-34603
HIGH
CVSS 7.1
TinaCMS CLI media handlers can be bypassed via symlink/junction traversal, allowing authenticated low-privilege attackers to list, write, and delete files outside the configured media root directory. The vulnerability exists in @tinacms/cli's dev server media routes despite recent path-traversal hardening, because validation performs only lexical string checks without resolving symlink targets. Attack complexity is high (requires pre-existing symlink under media root), but impact is significant with confirmed read/write primitives. Vendor patch available via GitHub commit f124eaba. EPSS and KEV data not provided; no public exploit identified at time of analysis beyond researcher's local Windows junction proof-of-concept.
Path Traversal
Microsoft
Canonical
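Added example serving the Ferret entry (CVE-2026-34783) and the two TinaCMS entries (CVE-2026-34604, CVE-2026-34603); it is not code from any of those projects. It puts a purely lexical containment check beside a realpath-based one and runs both against the two attacker inputs the entries describe: a filename carrying '../' segments, and a symlink planted inside the content root that points outside it. The lexical check catches the first and is bypassed by the second. The directory layout and file names are constructed for the demo.

```python
import os
import tempfile


def lexically_inside(root: str, candidate: str) -> bool:
    """Lexical containment check: collapses '..' segments but never touches the
    filesystem, so it cannot see where a symlink or junction actually points."""
    root_abs = os.path.abspath(root)
    cand_abs = os.path.abspath(os.path.join(root_abs, candidate))
    return os.path.commonpath([root_abs, cand_abs]) == root_abs


def resolved_inside(root: str, candidate: str) -> bool:
    """Hardened check: canonicalise both sides with realpath (which follows
    symlinks) and only then compare prefixes. Still subject to TOCTOU if a
    link is created between this check and the open; see the note below."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(os.path.join(root_real, candidate))
    return os.path.commonpath([root_real, cand_real]) == root_real


def demo() -> dict:
    """Build a constructed content tree and try two attacker-supplied names:
    a plain '../' name (the Ferret case) and a symlink planted inside the
    content root (the TinaCMS case). Returns each check's verdict."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "content")
        outside = os.path.join(base, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("not for the scraper")

        # Case 1: filename with '../' segments, e.g. returned by a scraped page.
        dotdot = "../outside/secret.txt"
        results["dotdot_lexical"] = lexically_inside(root, dotdot)    # False: caught
        results["dotdot_resolved"] = resolved_inside(root, dotdot)    # False: caught

        # Case 2: a symlink inside root pointing outside it (needs symlink
        # rights; on Windows a junction plays the same role).
        os.symlink(outside, os.path.join(root, "link"))
        via_link = "link/secret.txt"
        results["symlink_lexical"] = lexically_inside(root, via_link)  # True: bypassed
        results["symlink_resolved"] = resolved_inside(root, via_link)  # False: caught
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} allowed={verdict}")
```

Even the realpath check leaves a check-then-use window: an attacker who can create links under the root can swap one in after the check passes. Where the platform allows it, open with os.O_NOFOLLOW (or a dir_fd-relative open) so the final syscall refuses to follow a link, and treat any symlink found inside the content root as a policy violation rather than something to resolve.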
-
CVE-2026-34601
HIGH
CVSS 7.5
XML injection in xmldom's CDATA serialization allows remote attackers to inject arbitrary markup into generated XML documents without authentication. The vulnerability affects both the legacy xmldom package and @xmldom/xmldom when applications embed untrusted input into CDATA sections. Attackers can break out of CDATA context by including the sequence ]]> in user-controlled strings, causing downstream XML consumers to parse injected elements as legitimate markup. Vendor-released patches are available in versions 0.8.12 and 0.9.9. EPSS data not provided; no confirmed active exploitation (CISA KEV status: not listed). Public proof-of-concept code exists in the GitHub security advisory.
Code Injection
Mozilla
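Added example, not xmldom's code: why ']]>' in untrusted text breaks out of a CDATA section, and the standard fix of splitting the terminator across two sections. The naive serializer, the safe one, the <note> wrapper document and the PAYLOAD string are all constructed for the demo; the parser is Python's xml.etree, standing in for whatever downstream consumer reads the generated XML.

```python
import xml.etree.ElementTree as ET

# Constructed attacker string: closes the CDATA section early and adds an element.
PAYLOAD = "hello]]><injected/><![CDATA["


def cdata_naive(text: str) -> str:
    """Vulnerable: wraps untrusted text without neutralising the ']]>' terminator."""
    return f"<![CDATA[{text}]]>"


def cdata_safe(text: str) -> str:
    """Split every ']]>' across two CDATA sections so the terminator never appears
    contiguously inside one: 'a]]>b' becomes <![CDATA[a]]]]><![CDATA[>b]]>."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def render_note(body: str, serializer) -> str:
    """Embed the body in a tiny document the way a serializer would."""
    return f"<note>{serializer(body)}</note>"


def parse_note(doc: str) -> tuple:
    """What a downstream consumer sees: child element tags and the text content."""
    root = ET.fromstring(doc)
    return [child.tag for child in root], "".join(root.itertext())


def demo() -> dict:
    naive_tags, naive_text = parse_note(render_note(PAYLOAD, cdata_naive))
    safe_tags, safe_text = parse_note(render_note(PAYLOAD, cdata_safe))
    return {
        "naive_children": naive_tags,  # ['injected']: markup smuggled in
        "naive_text": naive_text,      # 'hello': the rest of the payload was lost
        "safe_children": safe_tags,    # []
        "safe_text": safe_text,        # equals PAYLOAD, round-tripped intact
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15s} {value!r}")
```

The safe form is what a CDATA serializer has to emit; escaping '<' and '&' instead (i.e. not using CDATA at all) is the other correct option. Either way, the round trip in the test is the property to check: the consumer must read back exactly the string that was put in, with no extra nodes.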
-
CVE-2026-34598
HIGH
CVSS 7.1
Stored cross-site scripting (XSS) in YesWiki allows unauthenticated attackers to inject malicious JavaScript through form title fields, achieving persistent script execution in the browsers of all users viewing affected pages. The vulnerability requires no authentication and affects the BazaR form component, with publicly available exploit code demonstrating injection via the 'Name of the event' and 'Description' fields. Successful exploitation enables session hijacking, credential theft, and arbitrary actions in victim contexts including administrative users.
XSS
-
CVE-2026-34593
HIGH
CVSS 8.2
BEAM VM atom table exhaustion in Ash Framework's Module type allows remote denial-of-service against Elixir applications. The ash package (all versions prior to v3.22.0) unconditionally creates Erlang atoms from user-supplied strings in Ash.Type.Module.cast_input/2 before validation, enabling attackers to crash the entire VM by submitting ~1 million unique 'Elixir.*' strings to any API endpoint with :module-typed attributes. Vendor patch released in commit 7031103 (v3.22.0). No public exploit identified at time of analysis, though the advisory provides detailed proof-of-concept code demonstrating trivial exploitation via repeated API requests.
Denial Of Service
-
CVE-2026-34591
HIGH
CVSS 7.1
Path traversal in Poetry's wheel installer (versions prior to 2.3.3) allows malicious Python packages to write arbitrary files outside the installation directory during package installation. Attackers can craft wheel files containing ../ directory traversal sequences that bypass containment checks, enabling file overwrite with Poetry process privileges. This directly threatens CI/CD pipelines and developer workstations installing untrusted packages from PyPI or private repositories. No active exploitation confirmed at time of analysis, but a functional proof-of-concept is publicly documented in the GitHub advisory.
Path Traversal
-
CVE-2026-34581
HIGH
CVSS 8.1
Authentication bypass in goshs (Go Simple HTTP Server) allows unauthenticated attackers to execute arbitrary system commands via WebSocket connections by exploiting a logic flaw in the BasicAuthMiddleware's share token validation. The middleware processes share tokens before credential checks, and attackers can combine a legitimate share token (intended for single-file downloads) with WebSocket query parameters to gain full CLI access. Confirmed actively exploited (CISA KEV). Public proof-of-concept code demonstrates remote command execution retrieving /etc/passwd. EPSS score indicates elevated exploitation probability given the simplicity of the attack chain.
Authentication Bypass
Python
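Added example, not goshs code: a model of the authorization logic the entry describes, in Python rather than Go. A share token is a capability for one download, but a middleware that marks the request authenticated as soon as the token verifies, before the credential check and without looking at what the request asks for, lets that token open the WebSocket CLI too. The hardened version binds the token to the path it was minted for and refuses to let it grant anything else. The Request class, the HMAC token format and SERVER_KEY are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process key for the demo


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

    def is_websocket_upgrade(self) -> bool:
        return self.headers.get("Upgrade", "").lower() == "websocket"


def mint_share_token(path: str) -> str:
    """A capability for one GET of one file: the path plus an HMAC over it."""
    mac = hmac.new(SERVER_KEY, path.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(path.encode()).decode() + "." + mac


def token_path(token: str):
    """Return the path a token was minted for, or None if the MAC does not verify."""
    try:
        encoded_path, mac = token.split(".", 1)
        path = base64.urlsafe_b64decode(encoded_path.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_KEY, path.encode(), hashlib.sha256).hexdigest()
    return path if hmac.compare_digest(mac, expected) else None


def authorize_vulnerable(req: Request, creds_ok: bool):
    """Flawed ordering: any valid share token marks the whole request as
    authenticated before the credential check, regardless of what it asks for."""
    token = req.query.get("share")
    if token and token_path(token) is not None:
        return "user"                   # full access from a single-file token
    return "user" if creds_ok else None


def authorize_hardened(req: Request, creds_ok: bool):
    """A share token is a scoped capability: it grants exactly one plain GET of
    the path it was minted for and never falls through to anything else."""
    token = req.query.get("share")
    if token:
        granted = token_path(token)
        if (granted is not None and req.method == "GET"
                and req.path == granted and not req.is_websocket_upgrade()):
            return f"share:{granted}"
        return None
    return "user" if creds_ok else None


if __name__ == "__main__":
    tok = mint_share_token("/files/report.pdf")
    ws = Request("GET", "/", {"share": tok, "ws": "true"}, {"Upgrade": "websocket"})
    print("vulnerable grants:", authorize_vulnerable(ws, creds_ok=False))
    print("hardened grants:  ", authorize_hardened(ws, creds_ok=False))
```

The general rule: a capability token authorizes a specific action on a specific resource, so the check must compare the request against the token's scope, not merely confirm the token is genuine. Returning a distinct principal ("share:/path" rather than "user") also keeps later handlers from mistaking a download grant for a logged-in operator.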
-
CVE-2026-34572
HIGH
CVSS 8.8
Missing session invalidation in CI4MS (CodeIgniter 4 CMS) allows deactivated user accounts to retain access through existing sessions. A user whose account has been administratively disabled keeps full high-privilege access (confidentiality, integrity, availability impact) until they log out themselves, bypassing the intended access control. Affects all versions prior to 0.31.0.0. EPSS data not available; no public exploit identified at time of analysis. CVSS 8.8 (High) reflects significant post-compromise persistence risk in enterprise CMS deployments with role-based access control.
Authentication Bypass
-
CVE-2026-34570
HIGH
CVSS 8.8
Missing session invalidation in CI4MS (CodeIgniter 4 CMS skeleton) allows deleted user accounts to retain full system access indefinitely through existing sessions until manual logout. Affects all versions prior to 0.31.0.0. The stale session grants continued access to protected resources with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the weakness is straightforward to abuse: an attacker who anticipates removal keeps a session open before the account is deleted.
Authentication Bypass
-
CVE-2026-34545
HIGH
CVSS 8.4
Heap buffer overflow in OpenEXR 3.4.0 through 3.4.6 allows arbitrary code execution in the processing application when it opens a maliciously crafted EXR image file using HTJ2K compression and specific channel width configurations. The flaw permits controlled heap overwrites of 2-4 bytes per iteration beyond the allocated buffer boundary. Attack vector is local (AV:L) with user interaction required (UI:A) and no privileges (PR:N); CVSS 8.4. Vendor-released patch available in version 3.4.7. No public exploit identified at time of analysis, though the precise technical details in the security advisory lower exploitation complexity for capable adversaries.
Buffer Overflow
RCE
Heap Overflow
-
CVE-2026-34544
HIGH
CVSS 8.4
Out-of-bounds heap write in OpenEXR 3.4.0-3.4.7 allows local attackers to crash applications or corrupt memory when processing malicious B44/B44A compressed EXR files. Attack requires user interaction to open a crafted image file. Patched in version 3.4.8. CVSS 8.4 (High) reflects local attack vector with no privileges required but mandatory user action. No confirmed active exploitation or public POC identified at time of analysis, though proof-of-concept development is feasible given the detailed GitHub advisory and commit.
Buffer Overflow
Integer Overflow
-
CVE-2026-34543
HIGH
CVSS 8.7
Heap memory disclosure in OpenEXR 3.4.0 through 3.4.7 allows remote attackers to extract sensitive information through decoded pixel data when processing malicious EXR image files. The vulnerability requires no authentication (PR:N) or user interaction (UI:N), triggering automatically during file parsing under default configurations. With CVSS 8.7 and high confidentiality impact (VC:H), this represents significant risk for applications processing untrusted EXR files. No public exploit identified at time of analysis, though the low attack complexity (AC:L) suggests straightforward exploitation once attack methods are documented.
Information Disclosure
-
CVE-2026-34524
HIGH
CVSS 8.3
Path traversal in SillyTavern's chat API allows authenticated attackers to read and delete sensitive configuration files (secrets.json, settings.json) outside the intended chats directory by exploiting insufficient input validation on the avatar_url parameter. The vulnerability (CVSS 8.3) permits traversal using '..' segments due to a regex validator that only blocks '/' and NUL bytes. Publicly available exploit code exists with working proof-of-concept commands provided in the GitHub advisory. EPSS data not available, but the straightforward exploitation path (AV:N/AC:L/PR:L) and availability of working POC code present significant risk for multi-user or internet-facing SillyTavern deployments. Vendor-released patch available in version 1.17.0.
Path Traversal
CSRF
-
CVE-2026-34522
HIGH
CVSS 8.1
Authenticated path traversal in SillyTavern's chat import API enables authenticated users to write arbitrary files outside intended directories. Attackers exploit unsanitized 'character_name' parameters in /api/chats/import (versions prior to 1.17.0) to inject traversal sequences (e.g., '../../../../tmp/malicious'), causing file writes to arbitrary filesystem locations accessible to the service account. With CVSS 8.1 (AV:N/AC:L/PR:L), this requires low-privilege authentication but no user interaction, delivering high integrity and availability impact through disk abuse and malicious file placement. Vendor patch available in version 1.17.0. No CISA KEV listing or public exploit identified at time of analysis, though detailed proof-of-concept exists in the security advisory.
CSRF
Path Traversal
-
CVE-2026-34455
HIGH
CVSS 8.7
SQL injection in Hi.Events open-source event management platform (versions 0.8.0-beta.1 through 1.7.0-beta) allows remote unauthenticated attackers to execute arbitrary SQL queries via unsanitized sort_by parameters passed to Eloquent's orderBy() method. The PostgreSQL backend supports stacked queries, enabling multi-statement injection. While CVSS 8.7 reflects high confidentiality impact and no authentication requirement, no public exploit code or CISA KEV listing exists at time of analysis. Vendor-released patch available in version 1.7.1-beta.
SQLi
PostgreSQL
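Added example serving the NocoBase plugin-workflow-sql entry above and this Hi.Events entry (CVE-2026-34455); it is not code from either project. It shows the two injection shapes the entries describe against an in-memory SQLite database: a template variable substituted into a string literal (broken out with a UNION to read a credentials table) and a caller-supplied ORDER BY identifier (turned into a boolean oracle, the same primitive blind SQLi relies on). Values are fixed with bind parameters; identifiers cannot be bound, so they are checked against an allowlist instead. The schema, rows and payload strings are constructed.

```python
import sqlite3

SORTABLE_COLUMNS = {"id", "title", "starts_at"}

# Constructed attacker inputs.
UNION_PAYLOAD = "x' UNION SELECT username, secret FROM credentials --"
ORACLE_TRUE = ("CASE WHEN (SELECT secret FROM credentials WHERE username = 'admin') "
               "LIKE 'db-%' THEN id ELSE -id END")
ORACLE_FALSE = ORACLE_TRUE.replace("'db-%'", "'zz%'")


def setup() -> sqlite3.Connection:
    """In-memory database standing in for the application's store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, starts_at TEXT);
        CREATE TABLE credentials (id INTEGER PRIMARY KEY, username TEXT, secret TEXT);
        INSERT INTO events (title, starts_at) VALUES ('Launch', '2026-05-01'), ('Retro', '2026-05-08');
        INSERT INTO credentials (username, secret) VALUES ('admin', 'db-password-hunter2');
    """)
    return conn


def find_by_title_template(conn, title: str):
    """Vulnerable: a template variable is pasted into the SQL text, so a quote in
    the value ends the literal and the rest is parsed as SQL."""
    sql = "SELECT id, title FROM events WHERE title = '{{title}}'".replace("{{title}}", title)
    return conn.execute(sql).fetchall()


def find_by_title_param(conn, title: str):
    """Hardened: the value travels as a bind parameter, never as SQL text."""
    return conn.execute("SELECT id, title FROM events WHERE title = ?", (title,)).fetchall()


def list_sorted_unchecked(conn, sort_by: str):
    """Vulnerable: identifiers cannot be bound, and here the caller's string is
    concatenated into ORDER BY, so an expression becomes a boolean oracle."""
    return conn.execute(f"SELECT id, title FROM events ORDER BY {sort_by}").fetchall()


def list_sorted_allowlisted(conn, sort_by: str, direction: str = "ASC"):
    """Hardened: identifiers are checked against a fixed allowlist and quoted."""
    if sort_by not in SORTABLE_COLUMNS or direction not in ("ASC", "DESC"):
        raise ValueError(f"unsupported sort: {sort_by!r} {direction!r}")
    return conn.execute(f'SELECT id, title FROM events ORDER BY "{sort_by}" {direction}').fetchall()


if __name__ == "__main__":
    db = setup()
    print("template lookup leaks:", find_by_title_template(db, UNION_PAYLOAD))
    print("parameterised lookup: ", find_by_title_param(db, UNION_PAYLOAD))
    print("oracle true  ->", list_sorted_unchecked(db, ORACLE_TRUE)[0][1])
    print("oracle false ->", list_sorted_unchecked(db, ORACLE_FALSE)[0][1])
```

The ORDER BY oracle returns 'Launch' first when the predicate about the admin secret is true and 'Retro' first when it is false, which is enough to read the secret one character at a time without any error message; with a PostgreSQL driver that accepts stacked statements, the same concatenation point also takes a terminating ';' followed by arbitrary DDL. SQLite's execute() refuses multiple statements, so that part is not reproduced here, but the allowlist closes both paths regardless of backend.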
-
CVE-2026-34445
HIGH
CVSS 8.6
Arbitrary attribute injection in ONNX Python library (versions prior to 1.21.0) allows unauthenticated remote attackers to manipulate internal object properties by embedding malicious metadata in ONNX model files, resulting in potential information disclosure, data integrity violations, and high availability impact (CVSS 8.6). The vulnerability stems from unchecked use of Python's setattr() with externally-controlled keys during ExternalDataInfo deserialization. No public exploit code or CISA KEV listing identified at time of analysis, but proof-of-concept development is trivial given the straightforward nature of Python attribute manipulation. EPSS data not provided, but the unauthenticated network-accessible attack vector and low complexity suggest material risk for organizations processing untrusted ONNX models.
Python
Microsoft
Information Disclosure
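Added example, not ONNX's code: the setattr() pattern the entry describes, with the attribute name taken from the model file, beside a version that only accepts allowlisted names and coerces each value to its declared type. The record class, its four fields, and the two metadata lists are constructed for the demo. The malicious record smuggles in a key named after the method the loader calls next, so the method is shadowed by a string and the load fails (the availability impact the entry cites); the hardened loader rejects the key before it is stored.

```python
# Known external-data fields and the type each must have (assumed for the demo).
KNOWN_FIELDS = {"location": str, "offset": int, "length": int, "checksum": str}


class ExternalData:
    """Minimal stand-in for a record describing where a tensor's bytes live."""

    def __init__(self):
        self.location, self.offset, self.length, self.checksum = "", 0, 0, ""

    def byte_range(self):
        return (self.offset, self.offset + self.length)


class ExternalDataUnchecked(ExternalData):
    """Vulnerable pattern: every key from the model file becomes an attribute,
    so a key can shadow a method or overwrite internal state."""

    def __init__(self, entries):
        super().__init__()
        for key, value in entries:
            setattr(self, key, value)   # attacker picks the attribute name


class ExternalDataChecked(ExternalData):
    """Hardened: only allowlisted names, no underscore-prefixed names, and each
    value coerced to its declared type before it is stored."""

    def __init__(self, entries):
        super().__init__()
        for key, value in entries:
            if key.startswith("_") or key not in KNOWN_FIELDS:
                raise ValueError(f"unexpected external data key: {key!r}")
            setattr(self, key, KNOWN_FIELDS[key](value))


# Constructed metadata: a benign record and one that adds a key named after the
# method the loader will call next.
BENIGN = [("location", "weights.bin"), ("offset", 0), ("length", 4096)]
MALICIOUS = BENIGN + [("byte_range", "0,4096")]


def load_unchecked(entries):
    try:
        return ExternalDataUnchecked(entries).byte_range()
    except TypeError as exc:        # 'str' object is not callable
        return f"TypeError: {exc}"


def load_checked(entries):
    try:
        return ExternalDataChecked(entries).byte_range()
    except ValueError as exc:
        return f"ValueError: {exc}"


if __name__ == "__main__":
    print("unchecked, benign:   ", load_unchecked(BENIGN))
    print("unchecked, malicious:", load_unchecked(MALICIOUS))
    print("checked, malicious:  ", load_checked(MALICIOUS))
```

Shadowing a method is the simplest visible effect; the same primitive can overwrite any plain attribute the loader later trusts, such as a path or a length, which is where the integrity and disclosure impacts come from. Rejecting unknown keys up front is the only fix that covers all of them.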
-
CVE-2026-34430
HIGH
CVSS 8.6
Sandbox escape in ByteDance Deer-Flow (pre-commit 92c7a20) enables remote attackers to execute arbitrary commands on the host system by exploiting incomplete shell semantics validation in bash tool handling. Attackers bypass regex-based input filters using directory traversal and relative paths to break sandbox isolation, read/modify host files, and invoke subprocesses with shell interpretation. Authentication requirements not confirmed from available data. No public exploit identified at time of analysis, though detailed technical advisory exists.
Authentication Bypass
-
CVE-2026-34376
HIGH
CVSS 7.5
Unauthorized access to password-protected PDFs in PdfDing versions prior to 1.7.0 allows unauthenticated remote attackers to bypass shared-link password verification and retrieve confidential documents via direct calls to the file-serving endpoint. The vulnerability (CWE-863: Incorrect Authorization) has CVSS 7.5 (High) severity with network attack vector requiring no privileges or user interaction. EPSS data not available; no evidence of active exploitation (not in CISA KEV). The fixing GitHub commit is public and shows the bypassed check. Vendor-released patch available in version 1.7.0.
Authentication Bypass
-
CVE-2026-34236
HIGH
CVSS 8.2
Insufficient entropy in cookie encryption within Auth0 PHP SDK versions 8.0.0 through 8.18.x enables brute-force attacks against session cookie encryption keys, potentially allowing authenticated threat actors with network access to forge arbitrary session cookies and bypass authentication controls. Vendor-released patch available in version 8.19.0. No public exploit identified at time of analysis, though CVSS score of 8.2 reflects high severity due to potential for complete authentication bypass with cross-scope impact.
PHP
Information Disclosure
-
CVE-2026-34222
HIGH
CVSS 7.7
Broken access control in Open WebUI allows authenticated users to access tool values across tenant boundaries, exposing sensitive information from other users' AI tool configurations. The vulnerability affects self-hosted Open WebUI instances prior to version 0.8.11. With CVSS 7.7 (High) and network-accessible attack vector requiring only low-privilege authentication, this represents a significant confidentiality breach in multi-tenant deployments. No public exploit identified at time of analysis, with EPSS data not yet available for this recent CVE.
Authentication Bypass
-
CVE-2026-34072
HIGH
CVSS 8.3
Authentication bypass in CronMaster versions prior to 2.2.0 allows adjacent network attackers to gain unauthorized administrative access without credentials. When the session validation request fails, the middleware fails open and treats the invalid session cookie as authenticated, enabling execution of privileged Next.js Server Actions and access to protected administrative pages. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though exploitation complexity is low once network access is achieved.
Authentication Bypass
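Added example serving the two CI4MS entries (CVE-2026-34572, CVE-2026-34570) and this CronMaster entry (CVE-2026-34072); it is not code from either project. It shows the three session-handling decisions those entries turn on: re-resolving the account on every request so a deactivated or deleted user's session stops working, revoking live sessions when an administrator disables or deletes an account, and failing closed when the session validator itself errors. The Auth class, the SessionValidationError type and the user names are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    username: str
    role: str
    active: bool = True


class SessionValidationError(Exception):
    """The session backend could not be reached or returned garbage."""


class Auth:
    """In-memory users and sessions standing in for a CMS's tables."""

    def __init__(self):
        self.users = {}
        self.sessions = {}          # session id -> username

    def add_user(self, username, role="editor"):
        self.users[username] = User(username, role)

    def login(self, username) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    # Vulnerable: trusts the session row alone; account status is never rechecked.
    def user_for_session_naive(self, sid):
        return self.sessions.get(sid)

    # Hardened, part 1: resolve the user on every request and drop sessions
    # whose account is gone or disabled.
    def user_for_session(self, sid):
        username = self.sessions.get(sid)
        if username is None:
            return None
        user = self.users.get(username)
        if user is None or not user.active:
            self.sessions.pop(sid, None)
            return None
        return user.username

    # Hardened, part 2: administrative actions revoke every live session too.
    def revoke_sessions(self, username):
        for sid in [s for s, u in self.sessions.items() if u == username]:
            del self.sessions[sid]

    def deactivate(self, username):
        self.users[username].active = False

    def delete(self, username):
        del self.users[username]


def authenticated_fail_open(validate, cookie) -> bool:
    """Vulnerable middleware shape: a validator error is treated as success."""
    try:
        return validate(cookie)
    except SessionValidationError:
        return True


def authenticated_fail_closed(validate, cookie) -> bool:
    """Hardened: an error during validation means 'not authenticated'."""
    try:
        return validate(cookie)
    except SessionValidationError:
        return False


def demo() -> dict:
    auth = Auth()
    results = {}
    auth.add_user("alice")
    sid_a = auth.login("alice")
    auth.deactivate("alice")
    results["deactivated_naive"] = auth.user_for_session_naive(sid_a)   # 'alice'
    results["deactivated_checked"] = auth.user_for_session(sid_a)       # None

    auth.add_user("bob")
    sid_b = auth.login("bob")
    auth.delete("bob")
    results["deleted_naive"] = auth.user_for_session_naive(sid_b)       # 'bob'
    results["deleted_checked"] = auth.user_for_session(sid_b)           # None

    auth.add_user("carol")
    sid_c = auth.login("carol")
    auth.revoke_sessions("carol")
    results["revoked_naive"] = auth.user_for_session_naive(sid_c)       # None

    def backend_down(cookie):
        raise SessionValidationError("session service timeout")

    results["fail_open"] = authenticated_fail_open(backend_down, "bogus-cookie")      # True
    results["fail_closed"] = authenticated_fail_closed(backend_down, "bogus-cookie")  # False
    return results
```

The per-request re-check (part 1) is the defence that works even when sessions live on another node or in a cache that the revocation (part 2) did not reach; doing both is the usual recommendation. For the fail-open case, the log line on the validator error is what should be loud, not the user's request succeeding.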
-
CVE-2026-33544
HIGH
CVSS 7.7
Authentication bypass via an OAuth token race condition in tinyauth allows concurrent attackers to hijack user sessions and gain unauthorized access to victim accounts. The vulnerability affects tinyauth v5.0.4 and earlier, where singleton OAuth service instances share mutable PKCE verifier and access token fields across all concurrent requests. When two users authenticate simultaneously with the same OAuth provider (GitHub, Google, or generic OAuth), the second request overwrites the first user's token, so the first user receives a session carrying the second user's identity and access privileges. The advisory's concurrency test reproduces the mix-up in 9,985 of 10,000 iterations (99.9%), and the Go race detector flags the shared fields. No active exploitation confirmed (not in CISA KEV), but the detailed proof-of-concept demonstrates reliable session hijacking with publicly available exploit methodology. EPSS data not available for this recent CVE.
Race Condition
Authentication Bypass
Microsoft
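Added example, not tinyauth's code: the shared-mutable-state bug the entry describes, modelled in Python with an explicit interleaving rather than real threads, so the outcome is deterministic instead of 99.9% likely. One service object holds a single verifier and a single token for every in-flight login; Alice's exchange completes, Bob's overwrites the token, and Alice's handler then builds a session from Bob's token. A second run shows the verifier field being clobbered, which makes Alice's exchange fail PKCE outright. The hardened class keeps each login's state in a record keyed by the OAuth state value and consumes it once. FakeProvider, the class names and the user names are constructed.

```python
import base64
import hashlib
import secrets


def challenge_for(verifier: str) -> str:
    """S256 PKCE challenge for a verifier."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_pkce():
    verifier = secrets.token_urlsafe(32)
    return verifier, challenge_for(verifier)


class FakeProvider:
    """Constructed stand-in for GitHub/Google: an auth code is bound to the
    subject who authorised and to the PKCE challenge they presented."""

    def __init__(self):
        self.codes = {}

    def authorize(self, subject, challenge):
        code = secrets.token_hex(8)
        self.codes[code] = (subject, challenge)
        return code

    def exchange(self, code, verifier):
        subject, challenge = self.codes.pop(code)
        if not secrets.compare_digest(challenge_for(verifier), challenge):
            raise PermissionError("PKCE verifier does not match challenge")
        return {"access_token": f"token-for-{subject}", "sub": subject}


class SharedStateOAuth:
    """Vulnerable: one service instance with one verifier and one token field
    that every in-flight login reads and writes."""

    def __init__(self, provider):
        self.provider = provider
        self.verifier = None
        self.token = None

    def begin(self, subject):
        self.verifier, challenge = make_pkce()
        return self.provider.authorize(subject, challenge)

    def exchange(self, code):
        self.token = self.provider.exchange(code, self.verifier)

    def session_subject(self):
        return self.token["sub"]          # reads whatever was written last


class PerRequestOAuth:
    """Hardened: everything about one login lives in a record keyed by the
    OAuth `state` value and is consumed exactly once."""

    def __init__(self, provider):
        self.provider = provider
        self.pending = {}

    def begin(self, subject):
        state = secrets.token_urlsafe(16)
        verifier, challenge = make_pkce()
        self.pending[state] = verifier
        return state, self.provider.authorize(subject, challenge)

    def finish(self, state, code):
        verifier = self.pending.pop(state)     # KeyError on replay or forgery
        return self.provider.exchange(code, verifier)["sub"]


def demo() -> dict:
    """Replay the losing interleavings deterministically."""
    results = {}
    shared = SharedStateOAuth(FakeProvider())
    code_a = shared.begin("alice")
    shared.exchange(code_a)                 # shared.token is now Alice's
    code_b = shared.begin("bob")
    shared.exchange(code_b)                 # ...and is now Bob's
    results["shared_alice_gets"] = shared.session_subject()   # 'bob'

    shared2 = SharedStateOAuth(FakeProvider())
    code_a = shared2.begin("alice")
    shared2.begin("bob")                    # overwrites Alice's verifier
    try:
        shared2.exchange(code_a)
        results["shared_verifier_clobbered"] = False
    except PermissionError:
        results["shared_verifier_clobbered"] = True   # Alice's login fails outright

    fixed = PerRequestOAuth(FakeProvider())
    state_a, code_a = fixed.begin("alice")
    state_b, code_b = fixed.begin("bob")
    results["fixed_bob_gets"] = fixed.finish(state_b, code_b)     # 'bob'
    results["fixed_alice_gets"] = fixed.finish(state_a, code_a)   # 'alice'
    return results
```

In Go the equivalent fix is to stop storing per-login values on the long-lived service struct and carry them in the request context or a state-keyed store; the race detector finding on the shared fields disappears because the fields do.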
-
CVE-2026-32929
HIGH
CVSS 8.4
Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to disclose sensitive information and potentially achieve code execution when processing maliciously crafted V7 files. The vulnerability resides in the VS6ComFile!get_macro_mem_COM function and requires user interaction to open a weaponized file. No public exploit identified at time of analysis, though the local attack vector and file format parsing nature make this a realistic social engineering target for industrial control system environments.
Information Disclosure
Buffer Overflow
-
CVE-2026-32928
HIGH
CVSS 8.4
Stack-based buffer overflow in Fuji Electric/Hakko Electronics V-SFT versions through 6.2.10.0 enables arbitrary code execution when processing malicious V7 project files. Local attackers can exploit this via social engineering to deliver weaponized files requiring user interaction to open. CVSS 8.4 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, with EPSS data unavailable for this newly-assigned CVE. Japanese vulnerability coordination (JPCERT/JVN) indicates regional industrial control system exposure.
Buffer Overflow
RCE
Stack Overflow
-
CVE-2026-32927
HIGH
CVSS 8.4
Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to extract sensitive memory contents and potentially achieve code execution by opening a malicious V7 project file. The vulnerability requires user interaction (opening a crafted file) but no authentication. EPSS data not available; no public exploit identified at time of analysis, though JPCERT coordination suggests industrial targeting potential.
Information Disclosure
Buffer Overflow
-
CVE-2026-32926
HIGH
CVSS 8.4
Out-of-bounds read in Fuji Electric V-SFT industrial HMI software (versions ≤6.2.10.0) enables local attackers to disclose sensitive information and potentially achieve code execution when victims open maliciously crafted V7 project files. The vulnerability resides in the VS6ComFile!load_link_inf function during V7 file parsing. CVSS 8.4 reflects high confidentiality and integrity impact with low attack complexity requiring user interaction. No public exploit identified at time of analysis, though JPCERT coordination suggests targeted industrial sector awareness.
Information Disclosure
Buffer Overflow
-
CVE-2026-32925
HIGH
CVSS 8.4
Stack-based buffer overflow in Fuji Electric/HAKKO Electronics V-SFT automation software (versions ≤6.2.10.0) allows arbitrary code execution when opening a maliciously crafted V7 project file. An attacker must convince a user to open a weaponized file, requiring no authentication but user interaction. EPSS data not available; no public exploit identified at time of analysis, though the specific function (CV7BaseMap::WriteV7DataToRom) and vulnerability class (stack overflow) provide sufficient technical detail for skilled attackers to develop exploits.
RCE
Buffer Overflow
Stack Overflow
-
CVE-2026-30573
HIGH
CVSS 7.5
Pharmacy Product Management System 1.0 accepts negative price and total cost values in sales transactions due to insufficient input validation in add-sales.php, enabling attackers to manipulate financial records, corrupt sales reports, and cause financial loss. The vulnerability allows unauthenticated or low-privilege users to submit arbitrary negative values that bypass business logic controls. Publicly available exploit code exists demonstrating this business logic flaw.
Information Disclosure
PHP
-
CVE-2026-30292
HIGH
CVSS 8.4
Arbitrary file overwrite in Docudepot PDF Reader v1.0.34 enables attackers to overwrite critical internal files through the file import process, resulting in arbitrary code execution or information exposure. The vulnerability affects the mobile PDF viewer application across Android platforms. No public exploit code or active exploitation has been confirmed at time of analysis, though the severity of potential impact (RCE) warrants immediate investigation and patching.
RCE
Information Disclosure
-
CVE-2026-30291
HIGH
CVSS 8.4
Arbitrary file overwrite in Ora Tools PDF Reader & Editor APP v4.3.5 enables attackers to overwrite critical internal files through the file import process, resulting in arbitrary code execution or information exposure. The vulnerability affects the Android application and has been publicly disclosed; however, CISA KEV status and vendor patch availability have not been independently confirmed at time of analysis.
Information Disclosure
RCE
-
CVE-2026-30289
HIGH
CVSS 8.4
Tinybeans Private Family Album App v5.9.5-prod contains an arbitrary file overwrite vulnerability in its file import process that enables remote attackers to overwrite critical internal files, resulting in arbitrary code execution or information disclosure. No EPSS data or KEV status is available for this vulnerability, and no public exploit code has been independently confirmed at the time of analysis.
RCE
Information Disclosure
-
CVE-2026-30287
HIGH
CVSS 8.4
Deep Thought Industries ACE Scanner PDF Scanner v1.4.5 contains an arbitrary file overwrite vulnerability in its file import process that permits attackers to overwrite critical internal files, resulting in remote code execution or information disclosure. The vulnerability affects a mobile application distributed via Google Play Store. No active exploitation status or patch information is currently available from vendor sources.
Information Disclosure
RCE
-
CVE-2026-30273
HIGH
CVSS 7.3
SQL injection in pandas-ai v3.0.0, in the pandasai.agent.base._execute_sql_query component, is reported to allow remote code execution and lets attackers manipulate SQL queries to access, modify, or exfiltrate database contents. No EPSS data or KEV status is available; however, the vulnerability affects a widely-used data analysis library and publicly available proof-of-concept code exists, elevating real-world risk despite incomplete severity metrics.
SQLi
-
CVE-2026-29782
HIGH
CVSS 7.2
Remote code execution in OpenSTAManager v2.10.1 and earlier via a chain of authenticated SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. An attacker holding admin credentials first uses the SQL injection to plant a malicious serialized object in the database; the unauthenticated oauth2.php then calls unserialize() on that attacker-controlled content without class restrictions, so an anonymous GET request triggers a gadget chain (Laravel/RCE22) and executes arbitrary system commands as www-data. Vendor-released patch available in v2.10.2. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though the advisory includes a detailed proof-of-concept with working Python exploit scripts.
PHP
Deserialization
Docker
Denial Of Service
Google
-
CVE-2026-28805
HIGH
CVSS 8.8
Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working proof-of-concept code demonstrating 10-second SLEEP delays and successful extraction of admin username, bcrypt password hashes, and MySQL version. Vendor-released patches are available in version 2.10.2 via commits 50b9089 and 679c40f. No public exploit identified at time of analysis beyond researcher PoC, with CVSS 8.8 (High) reflecting network accessibility, low complexity, and complete confidentiality/integrity/availability impact.
PHP
SQLi
Denial Of Service
Information Disclosure
XSS
-
CVE-2026-25835
HIGH
CVSS 7.7
Mbed TLS before version 3.6.6 and TF-PSA-Crypto before version 1.1.0 contain a PRNG seed misuse vulnerability that enables information disclosure. An attacker who gains access to a seeded PRNG instance can potentially predict or replicate its output, compromising the confidentiality of cryptographic material derived from it. The vulnerability affects cryptographic libraries used in embedded systems and IoT devices; vendor security advisories are available.
Information Disclosure
Suse
-
CVE-2026-25833
HIGH
CVSS 7.5
Buffer overflow in Mbed TLS versions 3.5.0 through 3.6.5 allows remote attackers to cause a denial of service or potentially execute arbitrary code via crafted input to the x509_inet_pton_ipv6() function used in X.509 certificate parsing. The vulnerability is fixed in Mbed TLS 3.6.6 and 4.1.0. No public exploit code or confirmed active exploitation has been identified at the time of analysis.
Buffer Overflow
Stack Overflow
Suse
-
CVE-2026-23899
HIGH
CVSS 8.6
Improper access control in Joomla! CMS webservice endpoints allows unauthenticated remote attackers to bypass authentication and access protected API functionality without valid credentials. Affected versions are those prior to the patched release; the exact range was not available from the data at time of analysis. The vulnerability stems from inadequate validation of user permissions before processing webservice requests, enabling remote unauthenticated attackers to interact with restricted endpoints that should require administrative or elevated privileges.
Authentication Bypass
-
CVE-2026-23898
HIGH
CVSS 8.6
Arbitrary file deletion in Joomla! CMS's com_joomlaupdate component, reached through the autoupdate server mechanism, allows remote attackers to delete files on affected servers due to insufficient input validation. The entry lists all versions of Joomla! CMS as affected through the update component. File deletion can compromise system integrity and availability and potentially enable privilege escalation or secondary attacks when combined with other weaknesses.
Information Disclosure
-
CVE-2026-23411
HIGH
CVSS 7.8
Race condition in Linux kernel AppArmor subsystem allows use-after-free of i_private data when filesystem callback functions access inode structures after reference counting errors. The vulnerability occurs because AppArmor releases references to private data after removing filesystem entries, but inodes can persist beyond that point and trigger filesystem callbacks that access freed memory. This affects AppArmor security policy enforcement and could lead to information disclosure or denial of service through carefully timed filesystem operations. No active exploitation has been confirmed, and the issue is addressed through upstream kernel fixes.
Linux
Information Disclosure
Redhat
-
CVE-2026-23410
HIGH
CVSS 7.8
Use-after-free in Linux kernel AppArmor subsystem allows local attackers to cause denial of service or potentially execute code by racing the opening of rawdata profile files against profile removal, triggering access to freed memory in the aa_loaddata structure. The vulnerability exploits an unrefcounted rawdata inode design where concurrent VFS and profile destruction operations create a window for dangling pointer dereference during seq_rawdata_open(). No public exploit code or active exploitation has been identified; the fix involves implementing a double refcount scheme to properly manage rawdata lifecycle.
Linux
Denial Of Service
Redhat
-
CVE-2026-23408
HIGH
CVSS 7.8
Double free vulnerability in Linux kernel AppArmor subsystem allows local attackers to cause denial of service or information disclosure by triggering memory corruption during namespace profile replacement. The flaw occurs in aa_replace_profiles() when ns_name is transferred from ent->ns_name without nulling the source pointer, resulting in the same memory region being freed twice. This is a memory corruption issue with kernel-level impact affecting all Linux distributions running vulnerable kernel versions.
Linux
Information Disclosure
Redhat
-
CVE-2026-23407
HIGH
CVSS 7.8
Out-of-bounds read and write in Linux kernel AppArmor verify_dfa() function allows local attackers to trigger memory corruption via malformed DFA profiles with invalid DEFAULT_TABLE entries. The vulnerability exists because bounds validation is skipped during differential encoding chain traversal, permitting an attacker with CAP_MAC_ADMIN or write access to /sys/kernel/security/apparmor/policy to craft a malicious policy that causes slab-out-of-bounds access. No public exploit code or active exploitation has been identified; patch is available in upstream kernel.
Linux
Buffer Overflow
Debian
Redhat
-
CVE-2026-23406
HIGH
CVSS 7.8
Out-of-bounds read in Linux kernel AppArmor DFA matching allows local attackers to cause memory corruption via malformed input to apparmor_file_open, triggered when the match_char() macro's character parameter is evaluated multiple times during differential encoding chain traversal, causing pointer advancement past buffer boundaries. The vulnerability manifests as a slab-out-of-bounds read detected by KASAN during file open operations and affects all Linux distributions shipping the vulnerable kernel code. No active exploitation in the wild has been confirmed, but the memory corruption vector creates denial-of-service and potential privilege escalation risk for local attackers.
Linux
Buffer Overflow
Debian
Redhat
-
CVE-2026-22768
HIGH
CVSS 7.3
Incorrect permission assignment in Dell AppSync 4.6.0 enables local privilege escalation to high-impact system access. Authenticated attackers with low-privilege local access can exploit misconfigured resource permissions to elevate privileges, achieving full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis. Dell has released security advisory DSA-2026-163 addressing this vulnerability. EPSS data unavailable; CVSS 7.3 reflects significant local threat requiring user interaction.
Dell
Information Disclosure
-
CVE-2026-22767
HIGH
CVSS 7.3
UNIX symbolic link following in Dell AppSync 4.6.0 allows local authenticated attackers with low privileges to tamper with information and potentially escalate impact to high integrity and availability compromise. CVSS 7.3 (High) with low attack complexity. No public exploit identified at time of analysis. EPSS data not available, but local-only access requirement significantly reduces real-world attack surface compared to remotely exploitable vulnerabilities.
Dell
Information Disclosure
-
CVE-2026-20155
HIGH
CVSS 8.0
Improper authorization in Cisco EPNM's REST API allows authenticated low-privilege attackers to access active user session data, including administrative credentials, enabling full device compromise. The vulnerability (CWE-862: Missing Authorization) affects the web management interface with CVSS 8.0 severity. Authentication is required (PR:L) but exploitation complexity is low once authenticated. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026-dated CVE identifier.
Cisco
Authentication Bypass
-
CVE-2026-20151
HIGH
CVSS 7.3
Privilege escalation in Cisco Smart Software Manager On-Prem (SSM On-Prem) web interface allows authenticated remote attackers with System User role to gain administrative access by intercepting session credentials from status messages. CVSS 7.3 (High severity) with network attack vector, low complexity, and requires low privileges plus user interaction. No public exploit code or active exploitation confirmed at time of analysis (EPSS data not provided).
Cisco
Information Disclosure
-
CVE-2026-20094
HIGH
CVSS 8.8
Command injection in Cisco Integrated Management Controller (IMC) web interface allows authenticated attackers with read-only privileges to execute arbitrary commands as root. The CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N) confirms network-accessible exploitation requiring only low-privilege authentication, with no public exploit identified at time of analysis. EPSS data not provided; CVE-2026 prefix suggests future disclosure.
Cisco
Command Injection
-
CVE-2026-5292
HIGH
CVSS 8.8
Out-of-bounds read in WebCodecs component of Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via specially crafted HTML pages. The vulnerability affects all Chrome versions below the patched release and requires only HTML delivery (no authentication); exploitation could disclose sensitive data from the browser process memory, though the Chromium project assessed this as Medium severity.
Google
Information Disclosure
Buffer Overflow
Debian
Suse
-
CVE-2026-5287
HIGH
CVSS 8.8
Remote code execution in Google Chrome prior to version 146.0.7680.178 allows attackers to execute arbitrary code within the Chrome sandbox via a specially crafted PDF file. The vulnerability exists in Chrome's PDF handling component and is caused by a use-after-free memory corruption flaw. Patch availability has been confirmed via vendor release, and the Chromium security team has classified this as High severity.
Google
Use After Free
RCE
Memory Corruption
Denial Of Service
-
CVE-2026-5286
HIGH
CVSS 8.8
Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in the Dawn graphics library allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries high severity per Chromium's assessment.
Google
Use After Free
RCE
Memory Corruption
Denial Of Service
-
CVE-2026-5285
HIGH
CVSS 8.8
Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in WebGL allows unauthenticated remote attackers to execute arbitrary code within the browser sandbox by delivering a crafted HTML page. The vulnerability is marked as High severity by Chromium security and a vendor-released patch is available.
Google
Use After Free
RCE
Memory Corruption
Denial Of Service
-
CVE-2026-5284
HIGH
CVSS 7.5
Remote code execution in Google Chrome prior to 146.0.7680.178 via use-after-free vulnerability in Dawn graphics subsystem allows an attacker who has already compromised the renderer process to execute arbitrary code through a crafted HTML page. This vulnerability requires prior renderer compromise but presents significant risk in multi-process exploitation chains; vendor has released patched version 146.0.7680.178 to address the issue.
Google
Use After Free
RCE
Memory Corruption
Denial Of Service
-
CVE-2026-5282
HIGH
CVSS 8.1
Out-of-bounds read in WebCodecs functionality in Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger. No public exploit code or active exploitation has been confirmed at time of analysis.
Google
Information Disclosure
Buffer Overflow
Debian
Redhat
-
CVE-2026-5280
HIGH
CVSS 8.8
Remote code execution in Google Chrome prior to 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the WebCodecs component. The vulnerability affects all versions before the patched release and has been addressed by Google with a vendor-released patch; no public exploit code or active exploitation has been confirmed at the time of analysis.
Google
Use After Free
RCE
Memory Corruption
Denial Of Service
-
CVE-2026-5279
HIGH
CVSS 8.8
Remote code execution in Google Chrome prior to version 146.0.7680.178 exploits object corruption in the V8 JavaScript engine, allowing attackers to execute arbitrary code within the Chrome sandbox via a specially crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries a High Chromium security severity rating.
Google
RCE
Buffer Overflow
-
CVE-2026-5278
HIGH
CVSS 8.8
Remote code execution in Google Chrome on Android via use-after-free vulnerability in Web MIDI allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects Chrome versions prior to 146.0.7680.178 and carries high severity per Chromium's security classification. A vendor-released patch is available.
Google
Use After Free
RCE
Memory Corruption
Denial Of Service
-
CVE-2026-5277
HIGH
CVSS 7.5
Integer overflow in ANGLE (Google's OpenGL abstraction layer) in Chrome on Windows before version 146.0.7680.178 enables out-of-bounds memory writes if the renderer process is compromised, allowing an attacker to execute arbitrary code with renderer privileges. The vulnerability requires prior renderer process compromise, limiting the immediate attack surface but representing a critical post-compromise escalation vector. Chromium severity is rated High; patch availability confirms vendor remediation.
Google
Buffer Overflow
Microsoft
Debian
Redhat
-
CVE-2026-5275
HIGH
CVSS 8.8
Remote code execution in ANGLE (Almost Native Graphics Layer Engine) within Google Chrome on macOS prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code by crafting a malicious HTML page that triggers a heap buffer overflow. This vulnerability affects all Chrome versions below the patched release and poses an immediate risk to macOS users who visit compromised or malicious websites.
Google
Heap Overflow
RCE
Buffer Overflow
Debian
-
CVE-2026-5274
HIGH
CVSS 8.8
Integer overflow in Google Chrome's Codecs component prior to version 146.0.7680.178 enables remote code execution and arbitrary memory read/write operations when a user visits a malicious HTML page. The vulnerability affects all versions before the patch release and requires no user interaction beyond visiting a crafted webpage. Chromium security team classified this as High severity; no public exploit code or active exploitation has been confirmed at the time of analysis.
Google
RCE
Debian
Redhat
Suse
-
CVE-2026-5272
HIGH
CVSS 8.8
Remote code execution via heap buffer overflow in Google Chrome's GPU component affects all versions prior to 146.0.7680.178, allowing attackers to execute arbitrary code by crafting malicious HTML pages. The vulnerability requires only a remote attacker with no special privileges or user authentication; users need only visit a compromised or attacker-controlled website. No CVSS score was assigned by NVD, though Chromium classified it as High severity. Patch availability confirmed from vendor.
Google
Heap Overflow
RCE
Buffer Overflow
Debian
-
CVE-2026-4947
HIGH
CVSS 7.1
Insecure direct object reference (IDOR) in Foxit eSign's invitation acceptance workflow allows authenticated users to manipulate object identifiers and forge document signatures. By exploiting insufficient authorization checks during signing invitation processing, attackers with low-level authentication can access unauthorized resources and inject fraudulent signatures into documents, undermining the integrity and legal validity of electronic signing processes. EPSS and KEV data not available; no public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-4924
HIGH
CVSS 8.2
Devolutions Server 2026.1.11 and earlier allows authenticated remote attackers to bypass two-factor authentication by reusing a partially authenticated session token, enabling unauthorized account access without completing the second authentication factor. The vulnerability affects all versions up to and including 2026.1.11, with no CVSS score or public exploit confirmation available at analysis time.
Authentication Bypass
-
CVE-2026-4828
HIGH
CVSS 8.2
Devolutions Server versions 2026.1.11 and earlier allow authenticated remote attackers to bypass multi-factor authentication through improper validation of OAuth login requests, enabling account takeover without second-factor verification. CISA KEV status and exploit availability not confirmed at time of analysis.
Authentication Bypass
-
CVE-2026-4748
HIGH
CVSS 7.5
Packet filter (pf) rule hash calculation regression in FreeBSD causes rules with address range syntax (x.x.x.x - y.y.y.y) differing only in address ranges to be silently dropped as duplicates, loading only the first rule and potentially causing unexpected packet filtering behavior including unintended blocking or allowing of traffic. The regression affects pf's duplicate detection mechanism but does not impact rules using CIDR notation (address/mask-bits syntax). Only the first of multiple such rules is loaded, creating a silent configuration failure with no warning to administrators.
Information Disclosure
-
CVE-2026-4374
HIGH
CVSS 8.8
RTI Connext Professional (versions unspecified) contains an improper restriction of XML external entity (XXE) reference vulnerability affecting Routing Service, Observability Collector, Recording Service, Queueing Service, and Cloud Discovery Service. Remote attackers can exploit this to achieve serialized data external linking and data serialization bypass, potentially leading to information disclosure or denial of service. CVSS vector and score are not available; exploitation status and POC availability cannot be confirmed from provided data.
XXE
-
CVE-2026-4101
HIGH
CVSS 8.1
Authentication bypass in IBM Verify Identity Access and IBM Security Verify Access (versions 10.0-10.0.9.1 and 11.0-11.0.2, both container and non-container deployments) allows remote attackers to gain unauthorized access under specific high-load conditions without authentication. The vulnerability carries an EPSS score indicating moderate exploitation probability, with vendor patch available but no confirmed active exploitation or public proof-of-concept at time of analysis. Attack complexity is rated high (AC:H), suggesting exploitation requires specific timing or environmental conditions related to load stress.
IBM
Authentication Bypass
-
CVE-2026-3987
HIGH
CVSS 8.6
Remote code execution in WatchGuard Fireware OS versions 12.6.1 through 12.11.8 and 2025.1 through 2026.1.2 allows privileged authenticated attackers to execute arbitrary code with elevated system privileges via path traversal in the Web UI. The vulnerability requires high-level administrative access (CVSS PR:H) but presents a direct RCE path once authenticated. WatchGuard self-reported this issue with an official advisory available. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Path Traversal
RCE
-
CVE-2026-3877
HIGH
CVSS 7.3
Reflected cross-site scripting in VertiGIS FM dashboard search functionality allows authenticated attackers to execute arbitrary JavaScript in victim browsers through malicious URLs. The vulnerability affects VertiGIS FM across versions and requires user interaction (the victim clicking a crafted link), but provides no authentication bypass; victims must already be logged into the application. CVSS score is not available; exploitation requires victim interaction and an authenticated context.
XSS
-
CVE-2026-3780
HIGH
CVSS 7.3
Installer privilege escalation in Foxit PDF Reader and Foxit PDF Editor allows local authenticated users to execute arbitrary code with elevated system privileges via DLL search path manipulation. The installer's failure to use absolute paths for system executables enables attackers to plant malicious DLLs in user-writable directories that take precedence during installation, exploiting the trusted installer's elevated permissions. EPSS data not available; no public exploit identified at time of analysis; not listed in CISA KEV.
Privilege Escalation
-
CVE-2026-3779
HIGH
CVSS 7.8
Use-after-free in Foxit PDF Reader and Editor allows arbitrary code execution when processing maliciously crafted PDF documents containing list box calculation arrays. The vulnerability (CVSS 7.8) occurs when stale references to deleted or re-created page/form objects persist in calculation logic, enabling local attackers to execute code with user privileges when victims open weaponized PDFs. No public exploit identified at time of analysis, though the memory corruption primitive is well-understood by exploit developers.
Use After Free
RCE
Memory Corruption
-
CVE-2026-3775
HIGH
CVSS 7.8
DLL search path hijacking in Foxit PDF Editor and Foxit PDF Reader update services enables local privilege escalation to SYSTEM. Low-privileged authenticated users can plant malicious libraries in writable directories that are resolved during update checks, achieving arbitrary code execution with elevated privileges. CVSS 7.8 (High) with low attack complexity. No public exploit identified at time of analysis, EPSS data not provided.
Privilege Escalation
RCE
-
CVE-2026-1345
HIGH
CVSS 7.3
Command injection vulnerability in IBM Security Verify Access and IBM Verify Identity Access (versions 10.0-10.0.9.1 and 11.0-11.0.2, both containerized and non-containerized deployments) allows remote unauthenticated attackers to execute arbitrary commands with lower user privileges. The vulnerability stems from improper validation of user-supplied input (CWE-78). With CVSS 7.3 and network-accessible attack vector requiring no authentication or user interaction, this represents a significant exposure for internet-facing identity and access management infrastructure. No public exploit identified at time of analysis, though EPSS data not provided. Vendor patch available per IBM advisory.
IBM
Command Injection
-
CVE-2026-0522
HIGH
CVSS 7.4
Local file inclusion in VertiGIS FM's upload/download mechanism allows authenticated attackers to read arbitrary server files by manipulating file paths during upload, with potential for remote code execution if web.config is obtained and NTLM-relay attacks via UNC path resolution. VertiGIS FM version 10.5.00119 and earlier are affected, and the vulnerability requires valid application credentials to exploit.
RCE
-
CVE-2025-71282
HIGH
CVSS 8.7
XenForo forum software versions prior to 2.3.7 disclose server filesystem paths through exception messages triggered by open_basedir PHP restrictions, enabling remote unauthenticated attackers to map internal directory structures. This information disclosure vulnerability (CWE-209) affects XenForo installations and has been addressed in version 2.3.7 with vendor-confirmed security fixes. No public exploit code or active exploitation is identified at time of analysis, though the unauthenticated remote attack vector and low complexity make reconnaissance straightforward for targeted attacks.
Information Disclosure
-
CVE-2025-71281
HIGH
CVSS 8.7
Remote code execution in XenForo versions before 2.3.7 allows authenticated users to invoke unauthorized methods through template callbacks and variable method calls. The vulnerability stems from a loose prefix matching mechanism that permits bypassing intended access restrictions, enabling attackers with low-privilege accounts to achieve high-severity impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the technical details have been publicly disclosed by VulnCheck, increasing weaponization risk.
Code Injection
RCE
-
CVE-2025-71278
HIGH
CVSS 8.7
OAuth2 scope enforcement vulnerability in XenForo 2.3.x (prior to 2.3.5) allows authenticated client applications to request and obtain unauthorized scopes, escalating access beyond intended authorization levels. This authentication bypass flaw (CWE-863) enables malicious OAuth2 clients to gain elevated privileges to user data and platform functions. CVSS 8.7 (High) reflects the network-accessible attack vector with low complexity, though requires low-level privileges (authenticated OAuth client). No public exploit identified at time of analysis, with EPSS data unavailable for recent CVE.
Authentication Bypass
-
CVE-2025-13855
HIGH
CVSS 7.6
SQL injection in IBM Storage Protect Server 8.2.0 and Storage Protect Plus Server allows authenticated remote attackers to execute arbitrary SQL commands against the back-end database, enabling unauthorized data access, modification, or deletion. The vulnerability requires low attack complexity and low-level privileges (CVSS 7.6, PR:L), making it exploitable by any authenticated user. No public exploit identified at time of analysis, though SQL injection techniques are well-documented. EPSS data not provided, but SQL injection vulnerabilities historically see moderate exploitation rates when authentication barriers are low.
IBM
SQLi
-
CVE-2026-35057
MEDIUM
CVSS 5.1
Stored cross-site scripting (XSS) in XenForo before 2.3.10 and 2.2.19 allows authenticated attackers to inject malicious scripts through crafted structured text mentions in profile posts, which are executed when other users view the affected content. The vulnerability has a CVSS score of 5.1 with low attack complexity and requires user interaction (viewing the malicious post), making it a moderate-risk concern for XenForo communities. Publicly available exploit code has been identified, and vendor patches have been released.
XSS
-
CVE-2026-35055
MEDIUM
CVSS 5.1
Cross-site scripting (XSS) in XenForo lightbox functionality allows unauthenticated remote attackers to inject malicious scripts that execute in the context of other users' browsers when interacting with post content displayed via lightbox. Versions before 2.3.9 and 2.2.18 are affected. The vulnerability requires user interaction (clicking or hovering on lightbox elements) and has limited scope, affecting only session integrity and information disclosure rather than system availability or confidentiality of sensitive data.
XSS
-
CVE-2026-35054
MEDIUM
CVSS 5.1
Stored cross-site scripting in XenForo before version 2.3.9 allows authenticated users to inject malicious scripts through BB code that persist in the application and execute when other users view the affected content. The vulnerability requires user interaction (viewing the malicious post) and authenticated access to create content, limiting its scope but enabling account compromise and session hijacking of affected users.
XSS
-
CVE-2026-34999
MEDIUM
CVSS 6.9
OpenViking versions 0.2.5 through 0.2.13 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality via POST requests to /bot/v1/chat and /bot/v1/chat/stream endpoints, enabling direct interaction with the upstream bot backend without valid credentials. The vulnerability has a moderate CVSS score of 6.9 due to network accessibility and low confidentiality impact, with public fix availability as of version 0.2.14 reducing immediate risk for patched deployments.
Authentication Bypass
-
CVE-2026-34974
MEDIUM
CVSS 5.4
Stored XSS via HTML entity-encoded `javascript:` URLs in SVG files in phpMyFAQ enables privilege escalation from editor to admin. The regex-based sanitizer in SvgSanitizer.php fails to detect entity-encoded payloads (an HTML-entity-encoded form of `javascript:` that the browser decodes back to the scheme), allowing any user with edit_faq permission to upload malicious SVGs that execute arbitrary JavaScript in admin browsers. A publicly available proof-of-concept demonstrates both basic XSS and complete admin account creation, with confirmed working exploitation in Chrome 146 and Edge.
PHP
XSS
Privilege Escalation
Google
-
CVE-2026-34973
MEDIUM
CVSS 6.9
Information disclosure in phpMyFAQ allows unauthenticated attackers to enumerate custom page content by injecting SQL LIKE wildcards (`%` and `_`) into the search term, bypassing intended search filters. The `searchCustomPages()` method in `Search.php` uses `real_escape_string()` which does not escape LIKE metacharacters, enabling an attacker to craft queries like `_%_` that match all records regardless of intended search scope. This vulnerability has no authentication requirement and affects the publicly accessible search functionality.
PHP
Information Disclosure
Nosql Injection
-
CVE-2026-34939
MEDIUM
CVSS 6.5
Denial of service in PraisonAI's MCPToolIndex.search_tools() allows authenticated remote attackers to block the Python thread for hundreds of seconds via a crafted regular expression causing catastrophic backtracking. The vulnerable function compiles caller-supplied query strings directly as regex patterns without validation, timeout, or exception handling. A single malicious request can sustain complete service outage, and the MCP server HTTP transport runs without authentication by default, significantly lowering the practical barrier to exploitation despite the CVSS requiring PR:L.
Python
Denial Of Service
-
CVE-2026-34889
MEDIUM
CVSS 6.5
DOM-based cross-site scripting (XSS) in Ultimate Addons for WPBakery Page Builder versions before 3.21.4 allows authenticated attackers with low privileges to inject malicious scripts that execute in other users' browsers with user interaction. The vulnerability affects WordPress sites using this plugin and could enable session hijacking, credential theft, or malware distribution through page builder interfaces.
XSS
-
CVE-2026-34871
MEDIUM
CVSS 6.7
Mbed TLS 3.x before 3.6.6, 4.x before 4.1.0, and TF-PSA-Crypto before 1.1.0 contain a predictable seed vulnerability in their pseudo-random number generator (PRNG) implementation that compromises the cryptographic strength of generated random values. Attackers with knowledge of the seed initialization mechanism can predict PRNG output, enabling them to forge cryptographic material, decrypt communications, or impersonate legitimate parties. No active exploitation has been confirmed, but the information disclosure nature of this vulnerability affects all applications relying on these libraries for cryptographic operations.
Information Disclosure
-
CVE-2026-34761
MEDIUM
CVSS 5.8
Ella Core panics and crashes when processing malformed NGAP handover failure messages from a gNodeB, causing a denial of service for all connected mobile subscribers. An authenticated attacker with high privileges on the radio network can force a gNodeB to send crafted NGAP handover failure messages that trigger a null pointer dereference in Ella Core's handover handler, terminating the core network process. No public exploit code or active exploitation has been identified.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-34750
MEDIUM
CVSS 6.5
Path traversal in Payload CMS storage adapter client-upload signed-URL endpoints (S3, GCS, Azure, R2) prior to version 3.78.0 allows authenticated attackers to escape intended storage locations via unsanitized filenames, enabling arbitrary file writes to cloud storage buckets. The vulnerability requires user authentication and affects all four cloud storage integrations across the Payload CMS ecosystem.
Path Traversal
Microsoft
-
CVE-2026-34749
MEDIUM
CVSS 5.4
Payload CMS versions prior to 3.79.1 contain a cross-site request forgery (CSRF) vulnerability in the authentication flow that allows attackers to bypass configured CSRF protections and perform unauthorized actions on behalf of authenticated users. The vulnerability requires user interaction (clicking a malicious link) but affects all unauthenticated network-accessible instances. No public exploit code or active exploitation has been identified at the time of analysis.
CSRF
-
CVE-2026-34730
MEDIUM
CVSS 5.5
Copier's `_external_data` feature allows malicious templates to read arbitrary files outside the destination directory via path traversal (e.g., `../secret.yml`) or absolute paths (e.g., `/tmp/secret.yml`), exposing YAML-parsed contents in rendered output without requiring the `--UNSAFE` flag. This affects all versions of the Copier package and poses a risk when running untrusted templates, as attackers can disclose sensitive files accessible to the user running Copier.
Python
Path Traversal
-
CVE-2026-34729
MEDIUM
CVSS 6.1
Stored cross-site scripting (XSS) in phpMyFAQ allows authenticated administrators to inject unquoted or single-quoted event handler attributes that bypass the content sanitization pipeline, resulting in arbitrary JavaScript execution for all FAQ page visitors. The vulnerability exists in the removeAttributes() regex filter (line 174 of Filter.php) which only matches double-quoted HTML attributes, allowing payloads like <img src=x onerror=alert(1)> to persist and execute in the browser when the FAQ is rendered with the |raw Twig filter. Despite requiring administrator privileges to create the malicious FAQ, the XSS executes for all unauthenticated and authenticated users viewing the public FAQ page, enabling session hijacking, credential theft, and malware distribution.
PHP
XSS
CSRF
-
CVE-2026-34726
MEDIUM
CVSS 4.4
Path traversal in Copier's `_subdirectory` setting allows template escape without the `--UNSAFE` flag. A malicious or compromised template can use parent-directory traversal sequences (e.g., `_subdirectory: ..`) to render files from outside the intended template directory, enabling unauthorized file access during template instantiation. CVSS 4.4 (low-to-moderate severity); no public exploit code or active exploitation confirmed at time of analysis.
Path Traversal
Python
-
CVE-2026-34715
MEDIUM
CVSS 5.3
HTTP response splitting in ewe's encode_headers function allows remote attackers to inject arbitrary HTTP response headers and content by embedding CRLF sequences in user-controlled response header values, enabling cache poisoning and cross-site scripting attacks. The vulnerability affects ewe versions that do not validate outgoing response header keys and values, despite implementing equivalent validation for incoming request headers. A proof-of-concept demonstrates injection of custom headers through a redirect URL parameter passed directly to the Location header without sanitization.
XSS
-
CVE-2026-34562
MEDIUM
CVSS 4.7
Stored cross-site scripting (XSS) in CI4MS prior to version 0.31.0.0 allows authenticated high-privilege administrators to inject malicious scripts via unencoded System Settings - Company Information fields, which are later rendered to other users without proper output encoding. The vulnerability requires administrative privileges to exploit but poses a real risk in multi-user deployments where admin accounts may be compromised or where trust boundaries exist between administrative roles.
XSS
-
CVE-2026-34561
MEDIUM
CVSS 4.7
Stored cross-site scripting (XSS) in CI4MS prior to version 0.31.0.0 allows authenticated high-privilege administrators to inject malicious scripts through unvalidated System Settings - Social Media Management configuration fields. The vulnerability stores attacker-controlled input server-side and renders it without proper output encoding, enabling script execution in the context of the application. This is a stored XSS vulnerability with limited real-world impact due to high-privilege prerequisite (PR:H), though it undermines the integrity and confidentiality of the CMS for downstream users viewing the affected settings.
XSS
-
CVE-2026-34526
MEDIUM
CVSS 5.0
Server-side request forgery in SillyTavern's search endpoint allows authenticated users to bypass hostname validation and force the server to fetch from internal hosts on default ports (80/443) using alternative hostname representations. The vulnerability exists in v1.16.0 and earlier because the IPv4 validation regex only matches literal dotted-quad notation (e.g., 127.0.0.1), failing to block localhost, IPv6 loopback ([::1]), or DNS names resolving to internal addresses. The port restriction limits severity compared to fully unrestricted SSRF, but the full response body is returned to the attacker, enabling information disclosure. Patch available in v1.17.0.
SSRF
CSRF
-
CVE-2026-34525
MEDIUM
CVSS 6.3
AIOHTTP prior to version 3.13.4 allows multiple Host headers in HTTP requests, enabling information disclosure through header injection attacks. An unauthenticated remote attacker can exploit this by crafting malicious requests with duplicate Host headers to potentially bypass security controls or extract sensitive information from affected applications. The vulnerability has been patched in version 3.13.4, and no public exploit code or active exploitation has been identified at the time of analysis.
Python
Information Disclosure
-
CVE-2026-34523
MEDIUM
CVSS 5.3
Unauthenticated path traversal in SillyTavern static file route handlers allows remote attackers to enumerate filesystem structure by distinguishing 404 (file does not exist) from 403 (file exists but blocked) responses when submitting percent-encoded directory traversal sequences. The vulnerability affects versions prior to 1.17.0 and impacts multiple static file endpoints (/characters/*, /user/files/*, /assets/*, /user/images/*, /backgrounds/*, /User%20Avatars/*), disclosing whether arbitrary files exist on the server filesystem without authentication. File contents are not exposed due to the send module's root directory enforcement, limiting impact to information disclosure, but the fix is available and should be applied immediately.
Path Traversal
-
CVE-2026-34516
MEDIUM
CVSS 6.6
Memory exhaustion vulnerability in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to trigger denial of service via specially crafted HTTP responses containing excessive multipart headers. The vulnerability exploits insufficient memory limits during multipart header parsing, causing the server or client to consume more memory than intended. CVSS 6.6 (medium-high availability impact) with no public exploit code identified at time of analysis.
Python
Denial Of Service
-
CVE-2026-34515
MEDIUM
CVSS 6.6
AIOHTTP static resource handler on Windows exposes NTLMv2 remote path information to unauthenticated remote attackers, allowing information disclosure with high confidentiality impact. Versions prior to 3.13.4 are affected. The vulnerability has been patched and no active exploitation has been confirmed at this time.
Python
Information Disclosure
Microsoft
-
CVE-2026-34510
MEDIUM
CVSS 6.9
OpenClaw before version 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accept remote-host file URLs and UNC-style network paths without proper local-path validation, allowing unauthenticated remote attackers to bypass access restrictions and read local files. With a CVSS score of 6.9 and a network-based attack vector requiring no user interaction, this vulnerability presents moderate risk to systems processing untrusted media content. No public exploit code or active exploitation has been confirmed at the time of analysis.
Path Traversal
Microsoft
-
CVE-2026-34447
MEDIUM
CVSS 5.5
ONNX versions prior to 1.21.0 allow local attackers to read arbitrary files outside the model directory through symlink traversal during external data loading, requiring user interaction to load a malicious model file. The vulnerability has a CVSS score of 5.5 (medium severity) and is classified as information disclosure with confirmed patch availability in version 1.21.0.
Information Disclosure
Microsoft
-
CVE-2026-34446
MEDIUM
CVSS 4.7
ONNX versions prior to 1.21.0 allow local attackers to read arbitrary files by exploiting a hardlink-based path traversal vulnerability in onnx.load(). The vulnerability bypasses existing symlink protections because hardlinks appear as regular files to filesystem checks. An attacker with local file system access can craft a malicious ONNX model file using hardlinks to access sensitive data outside the intended directory, requiring user interaction to load the crafted model. No public exploit code has been identified; EPSS score of 4.7 indicates low exploitation probability despite moderate CVSS impact.
Path Traversal
Microsoft
-
CVE-2026-34397
MEDIUM
CVSS 6.3
Local privilege escalation in Himmelblau versions 2.0.0-alpha through 2.3.8 and 3.0.0-alpha through 3.1.0 allows authenticated users to assume privileged group membership when their Azure Entra ID-mapped CN or short name collides with system group names (sudo, wheel, docker, adm, etc.). The NSS module resolves the collision to the attacker's fake primary group, potentially granting group-level privileges if the system uses NSS for authorization decisions. CVSS 6.3 (medium); no public exploit identified at time of analysis.
Microsoft
Privilege Escalation
Docker
-
CVE-2026-33978
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in Notesnook mobile versions prior to 3.3.17 allows remote attackers to execute arbitrary JavaScript in the share editor WebView by injecting malicious HTML through unescaped clip metadata (title, subject, or link-preview data). When a victim opens the Notesnook share flow and selects Web clip, the attacker's payload executes with access to local context and user data. No public exploit code or active exploitation has been confirmed, though the vulnerability requires user interaction to trigger.
XSS
Apple
Google
-
CVE-2026-30526
MEDIUM
CVSS 6.1
Reflected cross-site scripting in SourceCodester Zoo Management System v1.0 login page allows remote attackers to inject arbitrary JavaScript or HTML via the msg parameter without authentication. The vulnerable parameter reflects user input directly to the browser without HTML encoding, enabling credential theft, session hijacking, or malware distribution through crafted URLs. Publicly available proof-of-concept code exists, increasing real-world exploitation risk.
XSS
-
CVE-2026-30523
MEDIUM
CVSS 6.5
SourceCodester Loan Management System v1.0 accepts negative integer values for loan plan duration due to insufficient input validation on the months parameter, allowing attackers to create loan plans with invalid negative durations that may cause unexpected system behavior or financial miscalculations. Publicly available exploit code exists, though real-world impact depends on downstream business logic that consumes these invalid loan plans.
Information Disclosure
-
CVE-2026-30522
MEDIUM
CVSS 6.5
SourceCodester Loan Management System v1.0 allows authenticated administrators to submit negative penalty rates for loan overdue payments by bypassing client-side validation through direct HTTP POST manipulation, enabling financial fraud through reversed penalty calculations that benefit borrowers instead of lenders. The vulnerability requires authenticated access but no CVSS score, EPSS probability, or formal patch status is available; however, publicly available exploit code confirms the vulnerability's technical feasibility.
Authentication Bypass
-
CVE-2026-29598
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) vulnerabilities in DDSN Interactive Acora CMS v10.7.1 allow unauthenticated attackers to inject malicious scripts via the submit_add_user.asp endpoint's First Name and Last Name parameters, enabling arbitrary JavaScript execution in the context of victim browsers. Public proof-of-concept code is available on GitHub; no patch information or CVSS/EPSS quantification is currently available.
XSS
-
CVE-2026-28265
MEDIUM
CVSS 4.4
Path traversal vulnerability in Dell PowerStore Service user allows low-privileged local attackers to modify arbitrary system files through improper input validation. The vulnerability affects multiple PowerStore models (500T through 9200T) and requires local access with low-privilege credentials; CVSS 4.4 reflects the local attack vector and limited integrity impact, though the ability to modify system files poses moderate operational risk for storage appliance integrity.
Path Traversal
-
CVE-2026-27101
MEDIUM
CVSS 4.7
Path traversal vulnerability in Dell Secure Connect Gateway (SCG) versions 5.28.00.xx through 5.32.00.xx allows high-privileged attackers on the management network to bypass directory restrictions and achieve remote code execution. With a CVSS score of 4.7 and requiring high privilege level access, this vulnerability poses moderate risk to organizations running vulnerable SCG versions but is limited by the need for administrative-level attacker access within the management network. No public exploit code or active exploitation has been confirmed at time of analysis.
Dell
Path Traversal
-
CVE-2026-25834
MEDIUM
CVSS 6.5
Mbed TLS versions 3.3.0 through 3.6.5 and 4.0.0 are vulnerable to algorithm downgrade attacks via signature algorithm injection, allowing attackers to force the use of weaker cryptographic algorithms during TLS handshakes. This information disclosure vulnerability affects all applications using the affected Mbed TLS library versions and could enable attackers to compromise the confidentiality of encrypted communications by downgrading to algorithms with known weaknesses.
Information Disclosure
Redhat
Suse
-
CVE-2026-25601
MEDIUM
CVSS 6.4
Hardcoded cryptographic key in Metronik MEPIS RM's Mx.Web.ComponentModel.dll component allows privileged database users to decrypt stored domain passwords and gain unauthorized access to ICS/OT environments. The vulnerability affects all versions of MEPIS RM where password storage is enabled; exploitation requires high-level privileges to access the application database, and no public exploit code has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-24096
MEDIUM
CVSS 5.3
Insufficient permission validation in Checkmk REST API Quick Setup endpoints allows low-privileged authenticated users to perform unauthorized administrative actions or access sensitive information in versions 2.5.0 beta before 2.5.0b2 and 2.4.0 before 2.4.0p25. The vulnerability stems from missing authorization checks that fail to enforce role-based access control on multiple API endpoints, enabling privilege escalation within the monitoring platform.
Information Disclosure
-
CVE-2026-22815
MEDIUM
CVSS 6.9
Memory exhaustion in aiohttp's header and trailer handling allows remote attackers to cause denial of service by sending attacker-controlled HTTP requests or responses with uncapped header/trailer values. The vulnerability affects the aiohttp Python library across the affected versions, enabling attackers to exhaust application memory without authentication. A mitigation is available via reverse proxy configuration, and an upstream patch has been released.
Denial Of Service
Redhat
Suse
-
CVE-2026-21632
MEDIUM
CVSS 5.9
Joomla CMS fails to properly escape article titles in output, enabling stored cross-site scripting (XSS) attacks across multiple locations. Attackers with article creation or editing privileges can inject malicious scripts into article titles that execute in the browsers of site visitors, potentially compromising user sessions, stealing credentials, or defacing content. The vulnerability affects all Joomla CMS versions and requires administrative action to remediate.
XSS
-
CVE-2026-21631
MEDIUM
CVSS 5.9
Cross-site scripting (XSS) in Joomla CMS multilingual associations component allows unauthenticated remote attackers to inject malicious scripts via unescaped output in the comparison view. The vulnerability affects all versions of Joomla CMS and stems from improper output encoding in the com_associations component. No CVSS score is available; however, the CWE-79 classification confirms reflected or stored XSS capability.
XSS
-
CVE-2026-21630
MEDIUM
CVSS 6.9
SQL injection in Joomla CMS articles webservice endpoint allows remote attackers to execute arbitrary SQL queries through improperly constructed ORDER BY clauses, affecting all versions of Joomla CMS. The vulnerability exists in the com_content component's webservice endpoint and permits unauthenticated query manipulation. No CVSS score or patch version information is available at time of analysis, limiting severity quantification.
SQLi
-
CVE-2026-21629
MEDIUM
CVSS 6.3
Joomla CMS fails to enforce authenticated user checks on the AJAX component in the administrative area, allowing potential authentication bypass and unauthorized access to sensitive functionality. Third-party developers expecting default access controls may expose administrative features to unauthenticated or unauthorized users. No CVSS score or public exploit code has been identified, but the vulnerability affects all Joomla CMS versions and requires immediate review of custom AJAX implementations that rely on implicit authentication enforcement.
Authentication Bypass
-
CVE-2026-20174
MEDIUM
CVSS 4.9
Cisco Nexus Dashboard Insights metadata update feature allows authenticated administrators to write arbitrary files to the system with root privileges through path traversal in insufficiently validated metadata files. An attacker with valid administrative credentials can craft and manually upload a malicious metadata file to achieve arbitrary file write access to the underlying operating system. This vulnerability affects Cisco Nexus Dashboard and Nexus Dashboard Insights deployments, particularly those using manual metadata uploads in air-gap environments. CVSS score of 4.9 reflects the requirement for high-privilege authentication, though the integrity impact is rated as high given the ability to write files as root.
Cisco
Path Traversal
-
CVE-2026-20097
MEDIUM
CVSS 6.5
Cisco IMC web-based management interface allows authenticated administrators to execute arbitrary code as root through improper input validation in HTTP requests. The vulnerability affects Cisco Unified Computing System (standalone) and requires admin-level credentials and network access; successful exploitation grants attacker root-level code execution on the underlying operating system. No public exploit code or active exploitation has been identified at time of analysis.
Cisco
RCE
Memory Corruption
Buffer Overflow
-
CVE-2026-20096
MEDIUM
CVSS 6.5
Command injection in Cisco IMC web management interface allows authenticated admin-level attackers to execute arbitrary commands as root through improper input validation. Affects Cisco Enterprise NFV Infrastructure Software, Unified Computing System (standalone), and UCS E-Series platforms. No public exploit code or active exploitation confirmed at time of analysis, but the high-privileged context and root-level impact necessitate swift patching.
Cisco
Command Injection
-
CVE-2026-20095
MEDIUM
CVSS 6.5
Command injection in Cisco IMC web-based management interface allows authenticated remote attackers with admin-level privileges to execute arbitrary commands as root. The vulnerability stems from improper input validation in the web interface, enabling attackers to inject crafted commands that execute on the underlying operating system with elevated privileges. While the CVSS score is 6.5 (Medium), Cisco assigned a High Security Impact Rating due to the root-level code execution capability and potential for post-compromise lateral movement or system takeover.
Cisco
Command Injection
-
CVE-2026-20090
MEDIUM
CVSS 4.8
Stored XSS in Cisco IMC web management interface allows authenticated administrators to inject arbitrary script code executed in users' browsers via insufficient input validation. Affects Cisco Enterprise NFV Infrastructure Software, Cisco Unified Computing System (Standalone), and Cisco UCS E-Series Software. Requires administrative privileges and user interaction (clicking a crafted link), resulting in session hijacking, credential theft, or unauthorized access to sensitive browser-based information. No public exploit code identified at time of analysis.
XSS
Cisco
-
CVE-2026-20089
MEDIUM
CVSS 4.8
Stored cross-site scripting (XSS) in Cisco IMC web management interface allows authenticated administrators to inject persistent malicious scripts that execute in other users' browsers via crafted links. Affects Cisco Enterprise NFV Infrastructure Software, Unified Computing System (standalone), and UCS E-Series. No public exploit code or active exploitation confirmed; patch availability not independently verified from provided data.
Cisco
XSS
-
CVE-2026-20088
MEDIUM
CVSS 4.8
Stored cross-site scripting (XSS) in Cisco IMC web management interface allows authenticated administrators to inject malicious script code that executes in the browsers of other users accessing the interface. An attacker with administrative credentials can exploit insufficient input validation by crafting a malicious link and tricking a user into clicking it, enabling arbitrary script execution or theft of sensitive browser-based information. No public exploit code or active exploitation has been identified at time of analysis.
Cisco
XSS
-
CVE-2026-20087
MEDIUM
CVSS 4.8
Stored XSS in Cisco IMC web management interface allows authenticated administrators to inject arbitrary script code via insufficient input validation. Attackers with admin privileges can craft malicious links that execute JavaScript in the browsers of other users accessing the interface, potentially compromising session security, stealing credentials, or accessing sensitive information. No public exploit code or active exploitation has been confirmed; the vulnerability requires administrator privileges and user interaction to trigger.
Cisco
XSS
-
CVE-2026-20085
MEDIUM
CVSS 6.1
Reflected XSS in Cisco IMC web management interface allows unauthenticated remote attackers to execute arbitrary JavaScript in user browsers via crafted links. Affects Cisco Enterprise NFV Infrastructure Software, Cisco Unified Computing System (standalone), and UCS E-Series Software. Exploitation requires user interaction (clicking a malicious link) but could lead to session hijacking, credential theft, or malware delivery to privileged administrators managing critical infrastructure.
Cisco
XSS
-
CVE-2026-20042
MEDIUM
CVSS 6.5
Cisco Nexus Dashboard configuration backup feature allows authenticated administrators to extract sensitive authentication credentials from encrypted backup files, enabling subsequent unauthorized access to internal APIs and arbitrary root-level command execution on the underlying operating system. The vulnerability requires possession of both a valid backup file and its encryption password, limiting exploitation to administrators or attackers with backup file access. CVSS 6.5 reflects the high-privilege requirement (PR:H) despite high confidentiality and integrity impact; no public exploit or active exploitation has been identified.
Cisco
Information Disclosure
-
CVE-2026-20041
MEDIUM
CVSS 6.1
Server-side request forgery in Cisco Nexus Dashboard and Nexus Dashboard Insights allows unauthenticated remote attackers to conduct SSRF attacks by tricking authenticated users into clicking malicious links, enabling arbitrary network requests from the affected device and potential execution of arbitrary script code or access to sensitive browser data. CVSS 6.1 with no public exploit or active exploitation confirmed at time of analysis.
Cisco
SSRF
-
CVE-2026-5314
MEDIUM
CVSS 5.3
Out-of-bounds read in Nothings stb library up to version 1.26 allows remote attackers to trigger information disclosure via a crafted TTF file processed by the stbtt_InitFont_internal function in stb_truetype.h. Exploitation requires user interaction (opening a malicious font file) and publicly available exploit code exists; however, the vendor has not responded to early disclosure notification.
Information Disclosure
Buffer Overflow
-
CVE-2026-5313
MEDIUM
CVSS 5.3
Denial of service vulnerability in Nothings stb image library (stb_image.h) affecting GIF decoder function stbi__gif_load_next allows remote attackers to trigger application crashes through specially crafted GIF files. The vulnerability impacts stb versions up to 2.30, requires user interaction to open a malicious GIF, and has publicly available exploit code with no vendor patch available despite early disclosure.
Denial Of Service
-
CVE-2026-5312
MEDIUM
CVSS 5.5
Improper access controls in D-Link network-attached storage devices (DNS-120 through DNS-1550-04, firmware versions up to 20260205) allow remote unauthenticated attackers to manipulate disk management functions via the /cgi-bin/dsk_mgr.cgi endpoint, resulting in availability impact. Publicly available exploit code exists and the vulnerability has moderate real-world exploitability (CVSS 5.5, EPSS probability indicated by E:P vector), requiring no authentication or user interaction for remote attack.
D-Link
Authentication Bypass
-
CVE-2026-5311
MEDIUM
CVSS 5.5
Improper access controls in D-Link DNS and DNR series NAS devices allow unauthenticated remote attackers to manipulate the cmd argument in the Webdav_Access_List function via /cgi-bin/file_center.cgi, resulting in information disclosure with CVSS 5.5. Public exploit code is available, placing affected devices at immediate risk of unauthorized data access.
D-Link
Information Disclosure
-
CVE-2026-5291
MEDIUM
CVSS 6.5
Information disclosure in Google Chrome's WebGL implementation prior to version 146.0.7680.178 allows remote attackers to extract potentially sensitive data from process memory by serving a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger memory disclosure via WebGL rendering.
Google
Information Disclosure
Debian
Redhat
Suse
-
CVE-2026-5283
MEDIUM
CVSS 6.5
Information disclosure in ANGLE (graphics abstraction layer) within Google Chrome prior to version 146.0.7680.178 enables remote attackers to leak cross-origin data through crafted HTML pages. The vulnerability affects all Chrome versions before the patched release and requires only network access and user interaction (visiting a malicious page), posing a moderate real-world risk to users who may inadvertently access attacker-controlled content.
Google
Authentication Bypass
Debian
Redhat
Suse
-
CVE-2026-5276
MEDIUM
CVSS 6.5
Information disclosure in Google Chrome's WebUSB implementation prior to version 146.0.7680.178 allows remote attackers to extract sensitive data from process memory by delivering a crafted HTML page, exploiting insufficient policy enforcement in the WebUSB API. The vulnerability affects all Chrome versions before 146.0.7680.178 across all platforms. No public exploit code or active exploitation has been confirmed at the time of this analysis.
Google
Information Disclosure
Debian
Redhat
Suse
-
CVE-2026-5273
MEDIUM
CVSS 6.3
Remote code execution in Google Chrome's CSS engine prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page. The vulnerability stems from a use-after-free memory error in CSS processing, classified as high severity by the Chromium security team. Vendor-released patch available in Chrome 146.0.7680.178 and later.
Google
Use After Free
RCE
Memory Corruption
Denial Of Service
-
CVE-2026-5271
MEDIUM
CVSS 5.6
pymanager allows local attackers to shadow legitimate Python modules by placing malicious modules in the current working directory, leading to arbitrary code execution when the application imports standard library or third-party modules. The vulnerability affects pymanager due to insecure sys.path manipulation that includes the current working directory with high priority, enabling privilege escalation or information disclosure depending on the affected module and execution context. No public exploit code has been identified, but the local attack vector with low complexity makes this a practical risk in shared or untrusted execution environments.
Information Disclosure
-
CVE-2026-5261
MEDIUM
CVSS 6.9
Unrestricted file upload in Shandong Hoteam InforCenter PLM versions up to 8.3.8 allows remote unauthenticated attackers to upload arbitrary files via the uploadFileToIIS function in /Base/BaseHandler.ashx, with a CVSS score of 6.9 and publicly available exploit code. The vendor did not respond to early disclosure notification, leaving all affected versions unpatched and at active risk.
File Upload
-
CVE-2026-5259
MEDIUM
CVSS 5.3
Server-side request forgery in AutohomeCorp frostmourne up to version 1.0 allows authenticated remote attackers to manipulate the Alarm Preview component via an unknown function in AlarmController.java, enabling arbitrary HTTP requests from the vulnerable server with potential to access internal resources, leak sensitive data, or interact with backend systems. Publicly available exploit code exists; CVSS 6.3 reflects moderate severity with low attack complexity and limited impact scope.
SSRF
Java
-
CVE-2026-5258
MEDIUM
CVSS 6.9
Path traversal in Sanster IOPaint 1.5.3 File Manager allows unauthenticated remote attackers to read, write, or delete arbitrary files via manipulated filename parameters in the _get_file function. EPSS data unavailable, but publicly available exploit code exists. Attack requires no authentication or user interaction (CVSS AV:N/PR:N/UI:N). Vendor did not respond to coordinated disclosure; patch status unknown at time of analysis.
Path Traversal
-
CVE-2026-5257
MEDIUM
CVSS 6.9
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to manipulate the userid parameter in /delstaffinfo.php, enabling arbitrary SQL query execution with limited data confidentiality and integrity impact. Public exploit code is available, increasing real-world risk despite the moderate CVSS score of 6.9.
SQLi
PHP
-
CVE-2026-5256
MEDIUM
CVSS 6.9
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to manipulate the firstName parameter in /modify.php, enabling arbitrary database queries and potential data exfiltration or modification. The vulnerability affects the Parameter Handler component through CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Publicly available exploit code exists, and the CVSS 6.9 score reflects moderate impact with low attack complexity and no authentication requirement.
SQLi
PHP
-
CVE-2026-5255
MEDIUM
CVSS 5.3
Reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the userid parameter in /delstaffinfo.php, with public exploit code available. The vulnerability requires user interaction (clicking a crafted link) and has low confidentiality impact but can enable session hijacking, credential theft, or malware distribution.
XSS
PHP
-
CVE-2026-5254
MEDIUM
CVSS 5.1
Stored cross-site scripting (XSS) in welovemedia FFmate up to version 2.0.15 allows authenticated remote attackers to inject malicious scripts via the Webhook Handler component's AppJsonTreeView.vue file. The vulnerability requires user interaction to trigger payload execution and has been publicly disclosed with exploit code available on GitHub. The vendor has not responded to early disclosure notifications, leaving users without an official patch.
XSS
-
CVE-2026-5253
MEDIUM
CVSS 5.1
Stored cross-site scripting (XSS) in bufanyun HotGo 1.0/2.0 allows authenticated remote attackers to inject malicious scripts via the editNotice endpoint in the MessageList.vue component, affecting the application's message handling functionality. The vulnerability requires user interaction (UI:R) to execute but has publicly available exploit code and a low CVSS score (3.5) due to limited attack complexity and minimal impact scope. The vendor has not responded to early disclosure attempts.
XSS
-
CVE-2026-5252
MEDIUM
CVSS 5.1
Stored cross-site scripting (XSS) in z-9527 admin 1.0 and 2.0 allows authenticated remote attackers to inject malicious scripts via the Message Create Endpoint (/server/routes/message.js), affecting message content with user interaction required. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving affected installations without an official patch.
XSS
-
CVE-2026-5251
MEDIUM
CVSS 5.3
Privilege escalation in z-9527 admin 1.0/2.0 allows authenticated users to manipulate the isAdmin parameter in the User Update Endpoint (/server/routes/user.js) to gain administrative privileges through dynamically-determined object attributes. The vulnerability requires network access and valid credentials (PR:L per CVSS vector) but no user interaction. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving all versions in the 1.x and 2.x branches unpatched.
Information Disclosure
-
CVE-2026-5249
MEDIUM
CVSS 5.1
Stored cross-site scripting (XSS) in GouguCMS 4.08.18 allows authenticated remote attackers to inject malicious scripts via the value.content parameter in the Record Endpoint (\gougucms-master\app\admin\view\user\record.html), which are executed in the context of other users' browsers. The vulnerability has a publicly available exploit and affects user record management functionality with low CVSS score (3.5) due to requirement for user interaction and authenticated access, though the vendor has not responded to disclosure.
XSS
-
CVE-2026-5248
MEDIUM
CVSS 5.3
Authenticated remote code execution via mass assignment in GouguCMS 4.08.18 User Registration Handler allows attackers with valid credentials to manipulate the 'level' parameter during registration, exploiting dynamically-determined object attributes to escalate privileges or modify sensitive user properties. The vulnerability affects the reg_submit function in Login.php and has publicly available exploit code; however, the vendor has not responded to early disclosure notification.
PHP
Information Disclosure
-
CVE-2026-5240
MEDIUM
CVSS 5.3
Stored cross-site scripting (XSS) in code-projects BloodBank Managing System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the statename parameter in /admin_state.php, affecting user sessions and administrative functions with user interaction required. The vulnerability carries a CVSS score of 5.3 (medium severity) with low integrity impact, and publicly available exploit code exists according to disclosed documentation.
XSS
PHP
-
CVE-2026-5238
MEDIUM
CVSS 6.9
SQL injection in itsourcecode Payroll Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via manipulation of the ID parameter in /view_employee.php. The vulnerability has a CVSS score of 6.9 and publicly available exploit code exists, enabling potential data extraction, modification, or authentication bypass without requiring user interaction.
SQLi
PHP
-
CVE-2026-5175
MEDIUM
CVSS 5.0
Improper access control in Devolutions Server 2026.1.6 through 2026.1.11 allows authenticated attackers to delete their own MFA factors via crafted API requests, reducing account protection to password-only authentication. This vulnerability enables account security degradation without proper authorization checks, potentially compromising accounts that rely on multi-factor authentication as a secondary defense.
Authentication Bypass
-
CVE-2026-4989
MEDIUM
CVSS 4.3
Server-side request forgery (SSRF) in Devolutions Server gateway health check feature allows low-privileged authenticated users to bypass input validation and trigger arbitrary requests, potentially disclosing sensitive information from internal systems or network resources. Affected versions are 2026.1.1-2026.1.11 and 2025.3.1-2025.3.17. No public exploit code or active exploitation has been confirmed at time of analysis.
SSRF
Information Disclosure
-
CVE-2026-4927
MEDIUM
CVSS 6.5
Devolutions Server versions 2026.1.6 through 2026.1.11 expose sensitive one-time password (OTP) keys in the MFA feature, allowing authenticated users with user management privileges to retrieve other users' OTP secrets via API requests. This information disclosure vulnerability enables account takeover by attackers who obtain valid credentials with user management roles, as OTP keys are sufficient to generate valid authentication codes and bypass multi-factor authentication protections.
Information Disclosure
-
CVE-2026-4925
MEDIUM
CVSS 5.0
Improper access control in Devolutions Server 2026.1.6 through 2026.1.11 allows authenticated users to bypass administrator-enforced MFA restrictions and remove their own multi-factor authentication via a crafted request. This authentication bypass undermines security policies designed to enforce MFA compliance, enabling threat actors with valid credentials to disable a critical security control and potentially maintain persistent access without secondary authentication verification. No public exploit code or active exploitation has been confirmed at time of analysis.
Authentication Bypass
-
CVE-2026-4829
MEDIUM
CVSS 5.4
Improper session code validation in Devolutions Server 2026.1.11 and earlier allows authenticated users to escalate privileges and impersonate other users, including administrators, by reusing session codes from external OAuth authentication flows. This authentication bypass affects all versions up to and including 2026.1.11 and requires an attacker to have valid credentials to exploit the vulnerability. No public exploit code or active exploitation has been confirmed at the time of analysis.
Authentication Bypass
-
CVE-2026-4820
MEDIUM
CVSS 4.3
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 fail to set the secure attribute on authorization tokens and session cookies, allowing unauthenticated remote attackers to obtain sensitive cookie values through man-in-the-middle interception via unencrypted HTTP connections. An attacker can trick a user into clicking an HTTP link or embed such a link on a visited website, causing the browser to transmit cookies over unencrypted channels where they can be captured. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability carries a CVSS score of 4.3 reflecting the requirement for user interaction.
IBM
Information Disclosure
-
CVE-2026-4668
MEDIUM
CVSS 6.5
SQL injection in Booking for Appointments and Events Calendar - Amelia WordPress plugin (versions up to 2.1.2) allows authenticated Manager-level users to extract sensitive database information via the `sort` parameter in the payments listing endpoint. The vulnerability exists because the sort field is interpolated directly into an ORDER BY clause without sanitization, bypassing PDO prepared statement protections which do not cover column names. GET requests also bypass Amelia's nonce validation, enabling time-based blind SQL injection attacks by authenticated users with Manager access or higher.
WordPress
PHP
SQLi
-
CVE-2026-4364
MEDIUM
CVSS 5.4
IBM Verify Identity Access Container and IBM Security Verify Access versions 10.0-10.0.9.1 and 11.0-11.0.2 return JSON payloads with incorrect Content-Type headers (text/html instead of application/json) when listing certificates via browser sessions, enabling stored or reflected cross-site scripting attacks when browsers interpret the JSON data as executable script. Authenticated users with UI interaction can trigger JavaScript injection affecting confidentiality and integrity of user sessions.
IBM
XSS
-
CVE-2026-3831
MEDIUM
CVSS 4.3
Authenticated attackers with Contributor-level access or above can extract all form submissions from the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions up to 1.4.9) via a missing capability check in the entries_shortcode() function, exposing names, emails, phone numbers, and other sensitive form data. The vulnerability requires existing WordPress user credentials but no administrative privileges, making it accessible to low-privileged users who may be granted contributor roles during normal site operations. No public exploit code or active exploitation has been confirmed at the time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-3778
MEDIUM
CVSS 6.2
Foxit PDF Editor and PDF Reader are vulnerable to denial of service via uncontrolled recursion in maliciously crafted PDF documents containing cyclic object references in pages and annotations. When such documents are processed by APIs performing deep object traversal (such as SOAP handlers), the applications exhaust stack memory and crash. The vulnerability requires only local access and no user interaction beyond opening a malicious PDF, making it a practical attack vector for local denial of service.
Denial Of Service
-
CVE-2026-3777
MEDIUM
CVSS 5.5
Use-after-free in Foxit PDF Editor and Foxit PDF Reader allows local attackers to achieve arbitrary code execution by crafting malicious JavaScript that manipulates document zoom and page state, causing stale view cache pointers to be dereferenced after the underlying view object is destroyed. The vulnerability requires user interaction (opening a crafted PDF) and local access, with a CVSS score of 5.5 reflecting denial-of-service impact, though the underlying memory corruption (CWE-416) and RCE tags indicate higher real-world severity under exploitation.
Use After Free
RCE
Memory Corruption
-
CVE-2026-3776
MEDIUM
CVSS 5.5
Denial of service in Foxit PDF Editor and Foxit PDF Reader allows local attackers to crash the application by opening a crafted PDF containing a stamp annotation with missing appearance (AP) data. The vulnerability stems from insufficient validation before dereferencing annotation objects, triggering a null pointer dereference. No public exploit code has been identified, and patch availability has not been confirmed from available advisory data.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-3774
MEDIUM
CVSS 4.7
Foxit PDF Editor allows PDF JavaScript and document actions (WillPrint/DidPrint) to modify form fields, annotations, and optional content groups immediately before or after redaction, encryption, or printing, potentially causing sensitive content to remain visible or unencrypted despite user expectations. The vulnerability affects all versions of Foxit PDF Editor and requires local access with user interaction (opening a malicious PDF). CVSS score is 4.7 with high confidentiality impact; no public exploit code or active exploitation (CISA KEV) has been identified at the time of analysis.
Information Disclosure
-
CVE-2026-2862
MEDIUM
CVSS 5.3
Remote attackers can access sensitive information in IBM Verify Identity Access Container 11.0-11.0.2, IBM Security Verify Access Container 10.0-10.0.9.1, and their non-containerized counterparts through HTTP request smuggling. The vulnerability exploits inconsistent HTTP request interpretation between the application and its reverse proxy, allowing unauthenticated remote access to restricted data with low attack complexity.
IBM
Information Disclosure
Request Smuggling
-
CVE-2026-2696
MEDIUM
CVSS 5.3
Export All URLs WordPress plugin before version 5.1 exposes private post URLs and sensitive data through predictably named CSV export files stored in the publicly accessible wp-content/uploads/ directory, allowing unauthenticated attackers to enumerate and retrieve these files via brute-force attacks against a simple 6-digit filename pattern.
WordPress
Information Disclosure
-
CVE-2026-2394
MEDIUM
CVSS 6.3
Buffer over-read vulnerability in RTI Connext Professional Core Libraries allows unauthenticated remote attackers to read beyond allocated buffer boundaries, potentially leaking sensitive data. Affected versions span multiple major release lines: 7.4.0-7.6.x, 7.0.0-7.3.0.x, 6.1.0-6.1.x, 6.0.0-6.0.x, 5.3.0-5.3.x, and 4.3x-5.2.x. The CVSS 6.3 score reflects low confidentiality impact with network-based attack surface; no public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
Buffer Overflow
-
CVE-2026-2265
MEDIUM
CVSS 6.5
Remote code execution in Replicator npm package version 1.0.5 allows unauthenticated attackers to execute arbitrary code by supplying malicious serialized objects that the library deserializes without validation. Applications using Replicator to process untrusted input are vulnerable to immediate compromise; no public exploit code availability or active exploitation status is confirmed at time of analysis, but the unauthenticated attack vector and ease of object deserialization attacks suggest practical exploitability.
Node.js
RCE
-
CVE-2026-1879
MEDIUM
CVSS 5.3
Unrestricted file upload in Harvard IQSS Dataverse versions up to 6.8 allows authenticated users to bypass theme customization controls via manipulation of the uploadLogo parameter in /ThemeAndWidgets.xhtml, enabling arbitrary file upload with low confidentiality, integrity, and availability impact. The vulnerability is publicly exploitable with proof-of-concept code available; CVSS 5.3 reflects the authenticated attack vector and limited scope, though the ease of exploitation (Attack Complexity Low, Exploitation proven) combined with public POC increases practical risk. Vendor released patched version 6.10 and responded swiftly to early disclosure.
File Upload
Authentication Bypass
-
CVE-2026-1491
MEDIUM
CVSS 5.3
IBM Verify Identity Access and Security Verify Access versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 allow unauthenticated remote attackers to access sensitive information through HTTP request smuggling via inconsistent interpretation of HTTP requests by a reverse proxy. The vulnerability affects both container and non-container deployments and has a CVSS score of 5.3 with confirmed vendor patch availability.
IBM
Information Disclosure
Request Smuggling
-
CVE-2026-0932
MEDIUM
CVSS 6.9
Blind server-side request forgery in M-Files Server before version 26.3 allows unauthenticated remote attackers to force the server to send HTTP GET requests to arbitrary URLs through legacy connection methods in document co-authoring features. This vulnerability enables attackers to probe internal networks, access internal services, or trigger downstream attacks without requiring authentication, with a CVSS score of 6.9 reflecting moderate real-world impact.
SSRF
-
CVE-2025-71280
MEDIUM
CVSS 6.9
XenForo before version 2.3.7 exposes sensitive user account information through improper browser caching of account pages on shared systems. Local users with access to a shared machine or browser can retrieve cached account data belonging to other users who previously accessed XenForo, enabling unauthorized information disclosure without authentication. No public exploit code or active exploitation has been identified; remediation requires upgrading to XenForo 2.3.7 or later.
Information Disclosure
-
CVE-2025-67807
MEDIUM
CVSS 4.7
Sage DPW 2025_06_004 and earlier versions enable username enumeration through differential login responses, allowing remote attackers to discover valid user accounts without authentication. The vulnerability affects all versions before 2021_06_000, though on-premise administrators in newer versions can disable this behavior through configuration options.
Information Disclosure
-
CVE-2025-67805
MEDIUM
CVSS 5.9
Unauthenticated access to diagnostic endpoints in the Sage DPW 2025_06_004 Database Monitor feature discloses sensitive information including password hashes and database table names when a non-default configuration is enabled. The vulnerability affects only installations with this feature explicitly enabled (it is disabled by default); Sage DPW Cloud is not vulnerable. This configuration was forcibly disabled in version 2025_06_003, indicating a prior history of this issue. The CVSS score of 5.9 reflects moderate exploitation probability despite unauthenticated network accessibility.
Authentication Bypass
-
CVE-2025-66486
MEDIUM
CVSS 4.8
HTML injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated remote attackers with high privileges to inject malicious HTML that executes in victim browsers within the hosting site's security context, requiring user interaction to view the injected content. CVSS 4.8 indicates low overall severity; patch is available from IBM.
IBM
XSS
-
CVE-2025-66485
MEDIUM
CVSS 5.4
HTTP header injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated attackers to conduct cross-site scripting, cache poisoning, and session hijacking attacks via improper validation of HOST headers. The vulnerability requires authenticated access and carries a CVSS score of 5.4 with moderate confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed.
IBM
XSS
-
CVE-2025-66484
MEDIUM
CVSS 5.5
Stored cross-site scripting in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated high-privilege users to inject arbitrary JavaScript into the Web UI, potentially enabling credential theft or session hijacking within trusted browser sessions. CVSS 5.5 reflects the requirement for elevated privileges but global scope impact; no public exploit or active exploitation confirmed.
IBM
XSS
-
CVE-2025-66483
MEDIUM
CVSS 6.3
IBM Aspera Shares versions 1.9.9 through 1.11.0 fail to invalidate user sessions following password reset operations, enabling authenticated users to maintain access to compromised accounts and impersonate other users. The vulnerability requires prior authentication and allows limited confidentiality and integrity impact through account takeover. IBM has released a patch to address this session management defect.
IBM
Information Disclosure
-
CVE-2025-66442
MEDIUM
CVSS 5.1
Compiler-induced timing side channel in Mbed TLS through 4.0.0 and TF-PSA-Crypto through 1.0.0 allows information disclosure of RSA private keys and CBC/ECB-decrypted plaintext when LLVM's select-optimize feature is enabled during compilation. The vulnerability arises from compiler optimization that violates constant-time implementation guarantees, potentially exposing cryptographic material to timing analysis attacks despite developers' explicit use of constant-time code patterns.
Information Disclosure
Redhat
-
CVE-2025-36375
MEDIUM
CVSS 6.5
IBM DataPower Gateway versions 10.5.0.0-10.5.0.20, 10.6.0.0-10.6.0.8, and 10.6.1.0-10.6.5.0 are vulnerable to cross-site request forgery (CSRF) that allows unauthenticated remote attackers to execute unauthorized actions on behalf of trusted users with user interaction. The vulnerability carries a CVSS score of 6.5 with medium real-world risk due to the requirement for user interaction and the integrity-only impact.
IBM
CSRF
-
CVE-2025-36373
MEDIUM
CVSS 4.1
IBM DataPower Gateway versions 10.6CD (10.6.1.0-10.6.5.0), 10.5.0 (10.5.0.0-10.5.0.20), and 10.6.0 (10.6.0.0-10.6.0.8) disclose sensitive system information from other domains to authenticated administrative users due to improper access control. The vulnerability requires high-privilege administrative access over the network and results in confidentiality impact only; no public exploit code or active exploitation has been confirmed. CVSS 4.1 reflects low real-world risk due to authentication requirement, though patch availability limits exposure window.
IBM
Information Disclosure
-
CVE-2025-13916
MEDIUM
CVSS 5.9
IBM Aspera Shares versions 1.9.9 through 1.11.0 implement insufficient cryptographic strength that permits remote attackers without authentication to decrypt sensitive information. The vulnerability stems from use of weaker-than-expected cryptographic algorithms, allowing a confidentiality breach of data protected by the application. A vendor patch is available.
Information Disclosure
IBM
-
CVE-2025-13535
MEDIUM
CVSS 6.4
King Addons for Elementor plugin versions up to 51.1.38 contain multiple DOM-Based Stored Cross-Site Scripting vulnerabilities affecting authenticated Contributor+ users. The plugin improperly escapes user input in JavaScript inline event handlers and uses unsafe DOM manipulation methods in widget settings, allowing attackers with Contributor-level access to inject arbitrary JavaScript that executes when pages are accessed or previewed in the Elementor editor. A partial patch was released in version 5.1.51, though the version numbering discrepancy suggests incomplete remediation across all vulnerable code paths.
XSS
WordPress
-
CVE-2026-35094
LOW
CVSS 3.3
Libinput versions prior to 1.26.0 contain a dangling pointer vulnerability in Lua plugin garbage collection that allows local authenticated attackers to read sensitive data from system logs, requiring the ability to deploy malicious Lua plugin files to system directories and Lua plugin support to be enabled in the compositor. The vulnerability has a CVSS score of 3.3 (low severity) with confirmed patch availability, and poses minimal real-world risk due to high prerequisites including local file write access and plugin enablement.
Information Disclosure
-
CVE-2026-34969
LOW
CVSS 2.3
Nhost auth service exposes OAuth refresh tokens in redirect URL query parameters, allowing access to browser history, server logs, and proxy logs on owned infrastructure. While refresh tokens are single-use and leak vectors are primarily confined to developer-controlled systems, the vulnerability violates RFC 6749 token transport requirements and enables session hijacking if logs are accessed before the token is legitimately consumed. All OAuth providers (GitHub, Google, Apple) are affected equally through the same vulnerable callback handler.
Information Disclosure
Apple
Microsoft
Google
-
CVE-2026-34762
LOW
CVSS 2.7
Ella Networks Core API fails to validate matching IMSI identifiers between the URL path and the JSON request body in the PUT /api/v1/subscriber/{imsi} endpoint, allowing authenticated NetworkManagers to modify any subscriber's QoS policy while spoofing audit trail entries. This authentication-required vulnerability (PR:H per CVSS) creates forensic evasion: the audit log attributes changes to fabricated or unrelated subscriber identifiers, preventing post-incident investigation of the actual affected subscriber. CVSS 2.7 reflects the limited scope (no confidentiality impact, low integrity impact, no availability impact), though the audit trail manipulation represents meaningful security degradation for compliance and incident response.
Information Disclosure
-
CVE-2026-34520
LOW
CVSS 2.7
AIOHTTP's C parser accepts null bytes and control characters in HTTP response headers prior to version 3.13.4, allowing remote attackers to inject malformed headers that bypass validation and cause information disclosure. This vulnerability affects all versions before 3.13.4 and has been patched upstream; exploitation requires no authentication or user interaction but results in limited integrity impact to response headers rather than confidentiality breach.
Python
Information Disclosure
-
CVE-2026-34519
LOW
CVSS 2.7
Header injection in AIOHTTP prior to version 3.13.4 allows remote attackers to inject arbitrary HTTP headers or conduct similar exploits by controlling the reason parameter when creating a Response object. The vulnerability has low real-world impact (CVSS 2.7, EPSS not available) and requires the attacker to control application-level input that directly influences the reason parameter; no public exploit code or active exploitation has been identified. A vendor-released patch is available in version 3.13.4.
Python
Code Injection
-
CVE-2026-34518
LOW
CVSS 2.7
AIOHTTP prior to version 3.13.4 leaks sensitive authentication credentials across origin boundaries during HTTP redirects by failing to drop Cookie and Proxy-Authorization headers while inconsistently removing the Authorization header. This information disclosure vulnerability affects all Python applications using vulnerable AIOHTTP versions when following cross-origin redirects, potentially exposing session tokens and proxy credentials to untrusted origins. No public exploit code or active exploitation has been identified, and the low CVSS score of 2.7 reflects the limited confidentiality impact.
Python
Information Disclosure
-
CVE-2026-34517
LOW
CVSS 2.7
Aiohttp prior to version 3.13.4 allocates entire multipart form fields into memory before validating against the client_max_size limit, enabling unauthenticated remote attackers to cause denial of service through memory exhaustion. The vulnerability affects all versions before 3.13.4 and carries a low CVSS score (2.7) reflecting limited availability impact, with no public exploit code or active exploitation confirmed at time of analysis.
Python
Denial Of Service
-
CVE-2026-34514
LOW
CVSS 2.7
Header injection in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to inject arbitrary headers by controlling the content_type parameter, potentially enabling HTTP response splitting or cache poisoning attacks. The vulnerability has a low CVSS score (2.7) reflecting limited integrity impact, but affects all versions before the patched release 3.13.4.
Python
Code Injection
-
CVE-2026-34513
LOW
CVSS 2.7
Unbounded DNS cache in AIOHTTP prior to version 3.13.4 allows remote attackers to cause denial of service through excessive memory consumption. An attacker can trigger repeated DNS lookups with unique hostnames to grow the in-memory cache without bounds, eventually exhausting available system memory. AIOHTTP 3.13.4 and later include a patch that implements cache limits. This is a network-accessible vulnerability requiring no authentication or user interaction, but exploitation requires deliberate attack traffic and does not result in data compromise or system takeover.
Python
Denial Of Service
-
CVE-2026-23409
None
AppArmor differential encoding verification in the Linux kernel contains logic errors that permit infinite loops to be created through abuse of the verification chain mechanism. Two distinct bugs in the verification routine, conflation of checked states with currently-checked states and incorrect loop iterator comparison, allow malformed differential encoding chains to bypass security checks. This enables potential information disclosure or policy circumvention on systems relying on AppArmor mandatory access control. The vulnerability affects Linux kernel versions prior to fixes applied across multiple stable branches via kernel commits.
Linux
Linux Kernel
Authentication Bypass
Suse
Debian
-
CVE-2026-23405
None
Linux kernel AppArmor policy namespace implementation allows arbitrary nesting and creation of policy namespaces without enforcing depth limits, enabling local attackers to exhaust system resources through unbounded namespace proliferation. The vulnerability affects AppArmor in the Linux kernel across multiple stable branches. This is a denial-of-service vulnerability requiring local access, with fixes available across stable kernel versions.
Linux
Linux Kernel
Denial Of Service
Suse
Debian
-
CVE-2026-23404
None
Stack exhaustion in AppArmor profile removal allows local denial of service by crafting deeply nested profiles that trigger recursive kernel stack consumption. The Linux kernel's AppArmor security module can be crashed by a local user with permission to load profiles via the apparmor_parser tool and trigger removal through sysfs, causing kernel stack overflow. The fix replaces recursive profile removal with an iterative approach to prevent stack exhaustion.
Linux
Linux Kernel
Denial Of Service
Suse
Debian
-
CVE-2026-23403
None
Memory leak in Linux kernel AppArmor module verify_header function causes namespace string allocation leaks during multiple profile unpacking and breaks namespace consistency checking. The vulnerable code incorrectly resets the namespace pointer to NULL on every function call, discarding previously allocated namespace strings and preventing proper namespace comparison across profile iterations. This affects Linux kernel versions with the vulnerable AppArmor implementation prior to upstream fixes applied across stable branches.
Linux
Linux Kernel
Memory Corruption
Suse
Debian
-
CVE-2026-23402
None
Linux kernel KVM x86/mmu module improperly validates shadow page table entries (SPTEs) in indirect MMUs, allowing host userspace writes to bypass KVM's write-tracking detection and corrupt shadow paging state. The vulnerability affects KVM implementations on x86 systems with nested or indirect MMU configurations where writes originating outside KVM's scope (e.g., from host userspace via memory access) are not detected, potentially leading to memory corruption or VM escape. No CVSS score, EPSS data, or KEV status is available; this appears to be an internal kernel consistency issue addressed via upstream patch rather than a directly exploitable security boundary.
Linux
Linux Kernel
Memory Corruption
Suse
Debian
-
CVE-2026-23401
None
Linux kernel KVM x86/MMU incorrectly installs emulated MMIO shadow page table entries (SPTEs) without first zapping existing shadow-present SPTEs when host userspace modifies guest page tables outside KVM's scope, causing kernel warnings and potential memory consistency issues. The vulnerability affects KVM on x86 systems running vulnerable kernel versions and can be triggered by a local attacker with ability to manipulate guest memory or run guest VMs, though the practical impact beyond kernel instability remains limited.
Linux
Linux Kernel
Kvm
Memory Corruption
Suse
-
CVE-2026-5310
LOW
CVSS 2.0
Iperius Backup versions up to 8.7.2 use a hard-coded cryptographic key for IperiusAccounts.ini file encryption, allowing local authenticated attackers with low privileges to decrypt stored credentials and extract sensitive account information. The vulnerability requires high attack complexity and local access, resulting in a CVSS 2.0 score with low confidentiality impact; a publicly available proof-of-concept exploit exists, and vendor-released patch version 8.7.4 fixes the issue.
Information Disclosure
-
CVE-2026-5199
LOW
CVSS 2.3
Temporal Server versions 1.29.0 through 1.30.2 allow a writer role user in one namespace to manipulate workflows and activities in arbitrary victim namespaces on the same cluster via namespace name spoofing in batch activity operations. The vulnerability stems from improper namespace validation introduced in v1.29.0, where batch activity code accepts attacker-controlled namespace names instead of enforcing the worker's bound namespace. Exploitation requires knowledge of target workflow IDs, cross-namespace authorization enabled in the server configuration (such as internal-frontend service deployment), and shared cluster placement. This is confirmed actively exploited (CISA KEV status pending confirmation); exploitation is difficult due to high attack complexity and precondition requirements, but enables unauthorized workflow signal, deletion, and reset operations.
Authentication Bypass
-
CVE-2026-2475
LOW
CVSS 3.1
Open redirect vulnerability in IBM Verify Identity Access Container versions 11.0-11.0.2 and 10.0-10.0.9.1, and IBM Security Verify Access Container and non-container variants across the same version ranges, enables remote phishing attacks via specially crafted requests that redirect users to arbitrary websites. The attack requires user interaction (UI:R) and unusual network or exploitation circumstances (AC:H), limiting real-world impact; no public exploit code or confirmed active exploitation has been identified.
IBM
Open Redirect
-
CVE-2025-67806
LOW
CVSS 3.7
Sage DPW versions before 2021_06_000 leak valid username existence through differential login response timing and messaging, enabling account enumeration without authentication. The vulnerability has a low CVSS score (3.7) reflecting limited confidentiality impact and high attack complexity, though it reduces the security barrier for subsequent targeted attacks against known valid accounts. No active exploitation has been confirmed.
Information Disclosure
-
CVE-2025-66487
LOW
CVSS 2.7
IBM Aspera Shares 1.9.9 through 1.11.0 lacks proper rate limiting on authenticated user email submissions, allowing high-privilege users to trigger email flooding or denial of service conditions. The vulnerability requires authentication at the admin or high-privilege level and results in service availability degradation rather than data compromise. Exploitation probability is low (CVSS 2.7, high privilege requirement), and no public exploit code or active exploitation has been identified at time of analysis.
IBM
Denial Of Service