216 CVEs tracked today. 14 Critical, 80 High, 113 Medium, 3 Low.
-
CVE-2026-39305
CRITICAL
CVSS 9.0
Path traversal in PraisonAI Action Orchestrator (v<4.5.113) allows arbitrary file write via directory traversal sequences in action target paths. Attackers can exploit this through malicious ActionStep payloads containing '../' sequences to overwrite critical system files (SSH keys, shell profiles) or plant executables, achieving local privilege escalation or remote code execution. CVSS 9.0 (Critical). Vendor-released patch available in v4.5.113. No public exploit identified at time of analysis, though detailed proof-of-concept demonstrates trivial exploitation via crafted ActionStep objects targeting paths like '../../../tmp/pwned.txt'.
Python
RCE
Path Traversal
-
CVE-2026-35615
CRITICAL
CVSS 9.2
Path traversal in PraisonAI's praisonai-agents package allows unauthenticated remote attackers to read or write arbitrary files on affected systems. The vulnerability stems from a critical logic flaw where path validation checks for '..' sequences after normalization has already collapsed them, rendering the security check completely ineffective. Attackers can trivially bypass protections using standard path traversal sequences (e.g., '/tmp/../etc/passwd') to access sensitive files including system credentials, SSH keys, or write malicious content. Publicly available exploit code exists demonstrating trivial exploitation. While no CVSS score is officially assigned, the vendor assessment indicates a CVSS 4.0 score of 9.2 (Critical), and this represents a high-priority remediation given the ease of exploitation and severe impact.
Python
Path Traversal
-
CVE-2026-35490
CRITICAL
CVSS 9.8
Authentication bypass in changedetection.io allows unauthenticated remote attackers to access backup management endpoints due to incorrect Flask decorator ordering. Attackers can trigger backup creation, list all backups, download backup archives containing application secrets, webhook URLs with embedded tokens, monitored URLs, Flask secret keys, and password hashes, or delete all backups without authentication. The vulnerability affects 13 routes across 5 blueprint files where @login_optionally_required is placed before @blueprint.route() instead of after it, causing Flask to register the undecorated function and silently disable authentication. Publicly available exploit code exists (POC demonstrated complete data exfiltration), though no confirmed active exploitation (CISA KEV). EPSS data not provided, but CVSS 9.8 (network-exploitable, no authentication required, high confidentiality/integrity/availability impact) indicates critical severity.
Python
Information Disclosure
SSRF
Authentication Bypass
-
CVE-2026-35178
CRITICAL
CVSS 9.3
Remote code execution in Workbench for Salesforce (forceworkbench) prior to version 65.0.0 allows unauthenticated remote attackers to execute arbitrary code by injecting malicious payloads into timezone conversion cookie parameters. The vulnerability stems from unsafe processing of attacker-controlled cookie values (CWE-94: Code Injection). CVSS 9.3 (Critical) with network attack vector, low complexity, and no privileges required, though user interaction is needed. Publicly available exploit code exists via GitHub pull request #869, significantly elevating immediate risk despite no confirmed active exploitation (not in CISA KEV).
RCE
Code Injection
-
CVE-2026-35174
CRITICAL
CVSS 9.1
Path traversal in Chyrp Lite administration console allows privileged users with Change Settings permissions to manipulate the uploads path, enabling arbitrary file read (including database credentials from config.json.php) and arbitrary file write leading to remote code execution. Affects all versions prior to 2026.01. CVSS 9.1 (Critical) reflects post-authentication impact with scope change. EPSS data not available; no public exploit identified at time of analysis, no CISA KEV listing.
RCE
Path Traversal
PHP
-
CVE-2026-35050
CRITICAL
CVSS 9.1
Arbitrary Python file overwrite in text-generation-webui versions prior to 4.1.1 enables authenticated high-privilege users to achieve remote code execution by overwriting critical application files like download-model.py through malicious extension settings saved in .py format, then triggering execution via the Model download interface. No public exploit identified at time of analysis; EPSS data is not available for this recent CVE, and the exploitation methodology is straightforward for authenticated attackers.
Python
Path Traversal
-
CVE-2026-35047
CRITICAL
CVSS 9.3
Unrestricted file upload in BraveCMS 2.0 (prior to 2.0.6) enables remote attackers to execute arbitrary code on the server without authentication. The CKEditor endpoint accepts malicious file uploads including executable scripts, leading to full remote code execution with CVSS 9.3 severity. EPSS data unavailable, no confirmed active exploitation (not in CISA KEV), but upstream fix is available via GitHub commit and version 2.0.6 release. Attack complexity is low with network-accessible vector requiring no privileges or user interaction, making this a critical exposure for internet-facing BraveCMS installations.
File Upload
RCE
-
CVE-2026-35022
CRITICAL
CVSS 9.3
OS command injection in Anthropic Claude Code CLI and Agent SDK for Python allows remote, unauthenticated attackers to execute arbitrary commands through unsanitized authentication helper parameters processed with shell=True. The vulnerability enables credential theft and environment variable exfiltration in CI/CD pipelines where these tools run with elevated automation privileges. Publicly available exploit code exists, creating immediate risk for organizations using these SDKs in automated workflows.
Command Injection
-
CVE-2026-34977
CRITICAL
CVSS 9.3
Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.
Docker
Command Injection
Redis
PostgreSQL
-
CVE-2026-31151
CRITICAL
CVSS 9.8
Authentication bypass in Kaleris Yard Management System (YMS) v7.2.2.1 enables unauthenticated remote attackers to completely circumvent login verification and gain unauthorized access to application resources with full confidentiality, integrity, and availability impact. The vulnerability has a 9.8 CVSS score with network-based attack vector requiring no privileges or user interaction. Currently tracked at 2% EPSS (5th percentile) with no confirmed active exploitation (not in CISA KEV), though a public proof-of-concept repository exists on GitHub, significantly elevating exploitation risk for this critical authentication flaw.
Authentication Bypass
-
CVE-2026-31059
CRITICAL
CVSS 9.8
Remote command execution in UTT Aggressive HiPER 520W router firmware v1.7.7-180627 allows unauthenticated attackers to execute arbitrary system commands via crafted input to the /goform/formDia component. CVSS 9.8 severity indicates network-accessible, low-complexity exploitation requiring no authentication or user interaction. EPSS score of 0.04% (12th percentile) suggests currently low exploitation probability despite publicly available exploit code (GitHub POC). No vendor-released patch identified at time of analysis, presenting significant risk for exposed devices.
Command Injection
-
CVE-2026-26026
CRITICAL
CVSS 9.1
Remote code execution in GLPI asset management software versions 11.0.0 through 11.0.5 allows authenticated administrators to execute arbitrary code via template injection. The vulnerability requires high privileges (administrator access) but enables complete system compromise with changed scope, indicating potential breakout from the application context. CVSS 9.1 (Critical). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Fixed in version 11.0.6.
RCE
Code Injection
-
CVE-2025-58349
CRITICAL
CVSS 9.1
Baseband denial-of-service in Samsung Exynos chipsets (980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, 5300, 5400) allows remote attackers to crash mobile device basebands via malformed LTE MAC packets without authentication. The vulnerability affects the L2 layer processing of MAC Control Elements, enabling network-based attacks against cellular connectivity. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit identified at time of analysis, though the CVSS score of 9.1 reflects the severity of remotely disrupting critical cellular communications infrastructure.
Samsung
Denial Of Service
-
CVE-2025-54328
CRITICAL
CVSS 10.0
Stack-based buffer overflow in Samsung Exynos chipset SMS message processing allows remote attackers to execute arbitrary code or crash devices via malformed SMS RP-DATA messages. Affects 22 Exynos processor and modem variants across mobile, wearable, and IoT devices, requiring no user interaction. CVSS 10.0 with network attack vector, no privileges required (PR:N), scope change, and full system impact. EPSS and exploitation status not provided, but SSVC framework indicates automatable attack with total technical impact. No public exploit identified at time of analysis, though the vulnerability class (CWE-121 stack buffer overflow in SMS parsing) has high weaponization potential.
Buffer Overflow
Stack Overflow
Samsung
-
CVE-2026-39364
HIGH
CVSS 8.2
Vite development server allows unauthorized file disclosure by bypassing server.fs.deny restrictions when specific query parameters (?raw, ?import&raw, ?import&url&inline) are appended to file requests. The npm package 'vite' is affected when the dev server is explicitly exposed to the network and sensitive files exist within allowed directories but are supposedly blocked by deny patterns. Publicly available exploit code exists demonstrating retrieval of .env files and certificates. Fixed in versions 7.3.2 and 8.0.5 according to vendor release tags.
Information Disclosure
-
CVE-2026-39363
HIGH
CVSS 8.2
Vite dev server WebSocket allows unauthorized file system access, bypassing server.fs.allow restrictions when developers expose dev servers to networks (via --host). Attackers exploiting this can read arbitrary files (credentials, source code, secrets) from the development machine or CI environment through a WebSocket vite:invoke event calling fetchModule with file:// URLs. Vendor-released patches available in versions 6.4.2, 7.3.2, and 8.0.5. Public exploit code exists with detailed proof-of-concept demonstrating /etc/passwd retrieval via WebSocket without Origin header validation.
Information Disclosure
-
CVE-2026-39308
HIGH
CVSS 7.1
Path traversal in PraisonAI recipe registry (<=4.5.112) allows authenticated publishers to write arbitrary files outside the registry root via malicious bundle manifests. The publish endpoint (`POST /v1/recipes/{name}/{version}`) extracts and writes uploaded recipe bundles using attacker-controlled `name` and `version` fields from the bundle's internal `manifest.json` before validating them against the HTTP route parameters. By embedding directory traversal sequences (e.g., `../../outside-dir`) in the manifest, an attacker can create files in arbitrary filesystem locations on the registry host, even though the request ultimately returns HTTP 400. This represents an authenticated arbitrary file write vulnerability (CVSS 7.1, AV:N/AC:L/PR:L) affecting any deployment exposing the recipe registry publish flow. EPSS data not available; no confirmed active exploitation or public exploit code identified beyond researcher PoC at time of analysis.
Python
Path Traversal
D-Link
-
CVE-2026-39307
HIGH
CVSS 8.1
Arbitrary file write via Zip Slip in PraisonAI allows remote attackers to overwrite system files and achieve code execution when users install malicious community templates. The vulnerability affects the PraisonAI Python package's template installation feature, which uses unsafe `zipfile.extractall()` without path traversal validation. A publicly available proof-of-concept demonstrates creating ZIP archives with directory traversal paths (e.g., `../../../../tmp/evil.sh`) that escape the intended extraction directory. With CVSS 8.1 (High) and requiring only user interaction (UI:R) but no authentication (PR:N), this poses significant risk to organizations using PraisonAI's community template ecosystem. EPSS data not available, but exploitation is straightforward given the documented PoC.
Python
RCE
-
CVE-2026-39306
HIGH
CVSS 7.3
Arbitrary file write through path traversal in PraisonAI recipe registry allows authenticated publishers to escape extraction directories when victims pull malicious recipes. Attackers craft .praison tar archives with ../ traversal entries that bypass extraction boundaries, enabling file overwrites outside intended directories (CVSS 7.3, AV:N/AC:L/PR:L/UI:R). Both LocalRegistry and HttpRegistry pull operations use unsafe tar.extractall() without member path validation. No public exploit identified at time of analysis, though proof-of-concept demonstrates reliable exploitation via recipe bundle uploads. EPSS data not available, but the attack requires minimal complexity: an authenticated publisher uploads a malicious bundle, and the victim triggers the file write by pulling the recipe.
Python
Path Traversal
-
CVE-2026-35526
HIGH
CVSS 7.5
Unauthenticated denial-of-service in Strawberry GraphQL WebSocket handlers allows remote attackers to crash Python servers via subscription flooding. The vulnerability affects both graphql-transport-ws and legacy graphql-ws protocol implementations, which fail to enforce per-connection subscription limits. An attacker can exhaust server memory and saturate the asyncio event loop by sending unlimited subscribe messages over a single WebSocket connection, leading to service degradation or out-of-memory crashes. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though exploitation is trivial given the low attack complexity (CVSS AC:L) and lack of authentication requirement (PR:N).
Denial Of Service
-
CVE-2026-35523
HIGH
CVSS 7.5
Authentication bypass in Strawberry GraphQL WebSocket subscriptions (versions <0.312.3) allows unauthenticated remote attackers to access protected GraphQL subscription endpoints by exploiting the legacy graphql-ws subprotocol handler. Attackers can skip the on_ws_connect authentication hook by connecting with graphql-ws and sending subscription start messages without completing the connection_init handshake. No public exploit identified at time of analysis, though exploitation is straightforward given the protocol-level nature of the bypass. CVSS 7.5 reflects network-accessible unauthenticated attack with high confidentiality impact.
Authentication Bypass
-
CVE-2026-35444
HIGH
CVSS 7.1
Heap out-of-bounds read in SDL_image library's XCF format parser allows remote information disclosure when processing malicious GIMP files. Attackers can craft .xcf files with undersized colormaps and invalid pixel indices to leak up to 762 bytes of heap memory into rendered image data, potentially exposing sensitive process memory. The vulnerability affects both indexed color code paths (1-bit and 2-bit per pixel). No public exploit identified at time of analysis, but EPSS and exploitation likelihood are notable given the library's widespread use in gaming and multimedia applications requiring minimal user interaction (opening a file).
Buffer Overflow
Information Disclosure
-
CVE-2026-35399
HIGH
CVSS 8.5
Stored cross-site scripting (XSS) in WeGIA Web manager for charitable institutions allows remote attackers to inject malicious scripts via specially crafted backup filenames, leading to session hijacking or unauthorized actions performed in victim browsers. Affects versions prior to 3.6.9. No public exploit identified at time of analysis, though CVSS 8.5 reflects high impact to confidentiality and integrity with low attack complexity and no authentication requirements.
XSS
-
CVE-2026-35395
HIGH
CVSS 8.8
SQL injection in WeGIA 3.6.8 and earlier allows authenticated users to execute arbitrary SQL commands through the id_memorando parameter in DespachoDAO.php. The vulnerability affects WeGIA, a web-based management system for charitable institutions, enabling attackers with valid credentials to potentially exfiltrate sensitive donor/beneficiary data, modify records, or compromise database integrity. No public exploit identified at time of analysis, with EPSS data not available for this recent CVE. Vendor-released patch available in version 3.6.9.
SQLi
PHP
-
CVE-2026-35391
HIGH
CVSS 8.7
IP address spoofing in Bulwark Webmail versions prior to 1.4.11 allows unauthenticated remote attackers to bypass IP-based rate limiting and forge audit log entries by manipulating the X-Forwarded-For HTTP header. The vulnerability enables brute-force attacks against admin login interfaces and allows malicious actors to mask their true origin in security logs. CVSS 8.7 reflects high integrity impact (VI:H) with network-accessible attack vector requiring no privileges (AV:N, PR:N). No public exploit identified at time of analysis, though exploitation is straightforward given the trust-boundary violation in HTTP header processing.
Authentication Bypass
-
CVE-2026-35389
HIGH
CVSS 8.7
S/MIME signature verification in Bulwark Webmail prior to 1.4.11 fails to validate certificate trust chains, allowing attackers to forge digitally signed emails using self-signed or untrusted certificates that appear legitimate to recipients. This integrity bypass is reachable by unauthenticated remote attackers (CVSS:4.0 AV:N/AC:L/PR:N) with high integrity impact. No public exploit identified at time of analysis, though the attack is straightforward given the disabled trust validation (checkChain: false configuration flaw). ENISA EUVD-2026-19478 classifies this as an information disclosure issue, though the primary risk is message authenticity compromise in encrypted email workflows.
Information Disclosure
-
CVE-2026-35203
HIGH
CVSS 7.5
Heap-buffer-overflow in ZLMediaKit's VP9 RTP payload parser allows unauthenticated remote attackers to trigger denial of service by sending a maliciously crafted 1-byte VP9 RTP packet with all flag bits set (0xFF). The vulnerability affects the ext-codec/VP9Rtp.cpp parser which reads multiple fields based on flag bits without validating sufficient buffer data exists, causing out-of-bounds memory reads. EPSS risk data not provided; no public exploit identified at time of analysis, though exploit development is straightforward given the specific trigger (single-byte payload). Upstream fix available (commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d); released patched version not independently confirmed.
Buffer Overflow
Information Disclosure
-
CVE-2026-35185
HIGH
CVSS 8.7
Information disclosure in HAX CMS versions prior to 25.0.0 exposes authentication tokens and user activity via unauthenticated access to the /server-status endpoint. Remote attackers can retrieve active user tokens, monitor real-time interactions, harvest client IP addresses, and map internal infrastructure without authentication (CVSS:4.0 AV:N/AC:L/PR:N). EPSS data not available; no CISA KEV listing indicates no confirmed active exploitation at time of analysis. Publicly available exploit code exists per GitHub security advisory.
PHP
Authentication Bypass
-
CVE-2026-35184
HIGH
CVSS 8.7
SQL injection in EcclesiaCRM v2/templates/query/queryview.php allows authenticated remote attackers to execute arbitrary SQL commands via unsanitized 'custom' and 'value' parameters. All versions prior to 8.0.0 are affected. CVSS 8.7 (High) with network vector, low complexity, and low privileges required. Publicly available exploit code exists (detailed PoC published in referenced Gist). EPSS data not provided, but the combination of public PoC, clear attack path, and critical CWE-89 classification elevates real-world exploitation risk. No confirmed active exploitation (CISA KEV) at time of analysis.
SQLi
PHP
-
CVE-2026-35183
HIGH
CVSS 7.1
Authenticated users in Brave CMS can delete arbitrary article images belonging to other users via an Insecure Direct Object Reference (IDOR) flaw in versions prior to 2.0.6. The deleteImage method in ArticleController.php accepts filenames without verifying ownership, allowing any authenticated user with edit permissions to delete images from articles they don't own. CVSS 7.1 reflects high integrity impact with low availability impact. No public exploit identified at time of analysis, and EPSS data not available for this recent vulnerability.
PHP
Authentication Bypass
-
CVE-2026-35182
HIGH
CVSS 8.8
Privilege escalation in Brave CMS 2.0.x before 2.0.6 allows authenticated users with low-privilege accounts to promote themselves to Super Admin by directly calling the unprotected role update endpoint. The vulnerability stems from a missing authorization middleware check on the /rights/update-role/{id} route, enabling complete takeover of the CMS by any user with valid credentials. No public exploit identified at time of analysis, but exploitation is trivial given the straightforward API endpoint access. With EPSS data unavailable and no KEV listing, risk primarily affects organizations using affected Brave CMS versions in multi-user environments.
PHP
Authentication Bypass
-
CVE-2026-35176
HIGH
CVSS 7.1
Heap buffer overflow in openFPGALoader 1.1.1 and earlier allows local attackers to read sensitive heap memory and cause denial-of-service by supplying a maliciously crafted .pof FPGA bitstream file. The vulnerability triggers during POF file parsing without requiring physical FPGA hardware, enabling information disclosure (high confidentiality impact) and application crashes (high availability impact). EPSS data not available; no public exploit identified at time of analysis, though the GitHub security advisory confirms the flaw in this open-source FPGA programming utility used by hardware developers and researchers.
Buffer Overflow
Information Disclosure
-
CVE-2026-35172
HIGH
CVSS 7.5
Repository-scoped authorization bypass in distribution container registry allows restored read access to explicitly deleted blobs when Redis caching is enabled. Affects distribution/distribution v2.8.x and v3.0.x when both storage.cache.blobdescriptor: redis and storage.delete.enabled: true are configured. Unauthenticated remote attackers can retrieve sensitive content deleted from repo A after repo B repopulates the shared Redis descriptor cache, exposing confidential data that operators believed was permanently revoked. CVSS 7.5 (High). Publicly available exploit code exists with deterministic PoC demonstrating the state-machine race condition. EPSS data not provided, but the low attack complexity (AC:L) and no privilege requirement (PR:N) indicate straightforward exploitation once the vulnerable configuration is identified.
Redis
Canonical
Authentication Bypass
-
CVE-2026-35170
HIGH
CVSS 7.1
Heap-buffer-overflow in openFPGALoader 1.1.1 and earlier allows local attackers to trigger information disclosure and denial-of-service through maliciously crafted .bit FPGA configuration files. The vulnerability requires user interaction (opening a malicious file) but requires no authentication or FPGA hardware. CVSS base score is 7.1 (High). No public exploit identified at time of analysis, though proof-of-concept development is feasible given the specific vulnerability class and file format parsing context. EPSS data not available.
Buffer Overflow
Information Disclosure
-
CVE-2026-35164
HIGH
CVSS 8.8
Remote code execution in Brave CMS versions prior to 2.0.6 allows authenticated users to upload and execute arbitrary PHP scripts through the CKEditor upload functionality. The vulnerability stems from unrestricted file upload in the ckupload method of CkEditorController.php, which fails to validate uploaded file types. No public exploit identified at time of analysis, though the attack requires only low-privilege authentication (PR:L) with low complexity (AC:L). CVSS 8.8 High severity reflects the complete system compromise possible post-authentication.
File Upload
PHP
RCE
-
CVE-2026-35045
HIGH
CVSS 8.1
Authenticated users can modify and expose private recipes in Tandoor Recipes through broken object-level authorization in the batch update API endpoint. Any authenticated user within a shared Space can modify recipes marked private by other users, force-share private recipes, and tamper with metadata by exploiting the PUT /api/recipe/batch_update/ endpoint which bypasses authorization checks enforced on single-recipe endpoints. Affects all versions prior to 2.6.4. CVSS 8.1 (High) reflects network-accessible attack requiring only low-privilege authentication with no user interaction. No public exploit identified at time of analysis, though exploitation is straightforward for authenticated attackers.
Authentication Bypass
-
CVE-2026-35035
HIGH
CVSS 7.2
Stored cross-site scripting (XSS) in CI4MS administrative settings allows authenticated administrators to inject malicious scripts that execute on public-facing pages. The vulnerability affects CI4MS versions prior to 0.31.2.0, where unsanitized input in System Settings - Company Information fields is stored in the database and rendered without proper output encoding on the public frontend. CVSS 7.2 (High) with network attack vector and low complexity, requiring high privileges (PR:H). No public exploit identified at time of analysis. EPSS data not available.
XSS
-
CVE-2026-35021
HIGH
CVSS 8.4
OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python enables arbitrary command execution via malicious file paths containing shell metacharacters. Local attackers can exploit POSIX shell command substitution within double-quoted strings to execute commands with user privileges. Publicly available exploit code exists. With CVSS 8.4 (High) and local attack vector requiring user interaction, this represents elevated risk in CI/CD pipelines and development environments where untrusted file paths may be processed.
Command Injection
-
CVE-2026-35020
HIGH
CVSS 8.6
OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python allows local attackers to execute arbitrary commands by poisoning the TERMINAL environment variable with shell metacharacters. The vulnerability affects both normal CLI operations and deep-link handlers, enabling privilege escalation to the user context running the CLI. Publicly available exploit code exists. With CVSS 8.6 (High) severity, this presents significant risk in CI/CD pipelines and developer environments where environment variables may be attacker-controlled.
Command Injection
-
CVE-2026-34982
HIGH
CVSS 8.2
Arbitrary OS command execution in Vim prior to version 9.2.0276 occurs when users open maliciously crafted files containing modeline directives that bypass sandbox protections. The vulnerability exploits missing security flags on the complete, guitabtooltip, and printheader options, plus an unchecked mapset() function, enabling attackers to escape Vim's modeline sandbox and execute system commands. Publicly available exploit code exists. With EPSS data unavailable and no CISA KEV listing, real-world exploitation risk depends heavily on social engineering success, though the low attack complexity (CVSS AC:L) and no authentication requirement (PR:N) lower the barrier for opportunistic attacks against users who routinely open untrusted files.
Command Injection
-
CVE-2026-34975
HIGH
CVSS 8.5
CRLF injection in Plunk email platform's SESService.ts allows authenticated API users to inject arbitrary MIME headers by embedding carriage return/line feed sequences in user-controlled fields (from.name, subject, custom headers, attachment filenames). Attackers can silently add Bcc headers for email forwarding, manipulate Reply-To addresses, or spoof senders by exploiting the lack of input sanitization before MIME message construction. CVSS 8.5 severity reflects network-accessible exploitation with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE identifier. Vendor-released patch: version 0.8.0 implements schema-level validation rejecting CR/LF characters.
Code Injection
-
CVE-2026-34885
HIGH
CVSS 8.5
SQL injection in WordPress Media Library Assistant plugin through version 3.34 allows authenticated attackers with low-level privileges to extract sensitive database contents and potentially disrupt availability. The vulnerability has a CVSS score of 8.5 (High) with scope change, indicating authenticated attackers can access data beyond their permission level. EPSS data not available; no public exploit identified at time of analysis. No CISA KEV listing indicates this is not confirmed as actively exploited in the wild.
SQLi
-
CVE-2026-34589
HIGH
CVSS 8.4
Integer overflow in OpenEXR's DWA lossy decoder (versions 3.2.0-3.2.6, 3.3.0-3.3.8, 3.4.0-3.4.8) enables local attackers to trigger out-of-bounds memory writes when processing maliciously crafted EXR image files. The vulnerability stems from signed 32-bit arithmetic overflow in block pointer calculations for large image widths, causing decoder operations to write outside allocated memory buffers. User interaction is required (victim must open a malicious EXR file), but no authentication is needed. No public exploit identified at time of analysis, though the technical details in the GitHub security advisory provide sufficient information for proof-of-concept development.
Integer Overflow
Buffer Overflow
-
CVE-2026-34588
HIGH
CVSS 8.6
Integer overflow in OpenEXR's PIZ wavelet decompression leads to out-of-bounds memory access when processing malicious EXR image files. Affects OpenEXR 3.1.0 through 3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8. Local attackers can trigger memory corruption through crafted EXR files without authentication (CVSS:4.0 AV:L/PR:N), achieving high confidentiality, integrity, and availability impact. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patches available in versions 3.2.7, 3.3.9, and 3.4.9.
Buffer Overflow
Information Disclosure
-
CVE-2026-34444
HIGH
CVSS 7.9
Arbitrary code execution in Lupa (Python-Lua integration library) versions ≤2.6 allows unauthenticated remote attackers to bypass attribute filtering controls via Python's getattr/setattr built-ins. The vulnerability enables attackers to circumvent sandbox restrictions designed to limit Lua runtime access to sensitive Python objects, ultimately achieving code execution in the CPython host process. EPSS data unavailable; no CISA KEV listing or public exploit identified at time of analysis, though exploitation complexity is low per CVSS vector (AC:L, PR:N).
RCE
Authentication Bypass
-
CVE-2026-34402
HIGH
CVSS 8.1
Time-based blind SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with Edit Records or Manage Groups permissions to exfiltrate or modify database content including credentials, PII, and configuration secrets via the PropertyAssign.php endpoint. Attack requires low-privilege authentication (PR:L) but enables high confidentiality and integrity impact through database manipulation. No public exploit identified at time of analysis; EPSS data not provided. CVSS 8.1 reflects network-accessible exploitation with low complexity requiring only basic user privileges.
SQLi
PHP
-
CVE-2026-34379
HIGH
CVSS 7.1
Unaligned memory write in OpenEXR DWA decoder causes immediate crashes on ARM/RISC-V architectures and enables potential exploitation on x86 systems via compiler optimization abuse. Affects OpenEXR versions 3.2.0-3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8 when processing DWA/DWAB-compressed EXR files with FLOAT-type channels. Remote attackers can trigger this by convincing users to open malicious EXR files (CVSS 7.1, AV:N/PR:N/UI:R). No public exploit identified at time of analysis, though the technical details are fully disclosed in the GitHub security advisory.
Denial Of Service
-
CVE-2026-34148
HIGH
CVSS 7.5
Unbounded HTTP redirect following in Fedify's ActivityPub document loaders enables resource exhaustion attacks. Remote unauthenticated attackers can trigger denial of service by controlling ActivityPub key or actor URLs that redirect indefinitely, forcing affected servers (Fedify versions before 1.9.6, 1.10.5, 2.0.8, and 2.1.1) to make repeated outbound requests from a single inbound request. No public exploit identified at time of analysis, though the attack vector is straightforward given the low complexity (CVSS AC:L). CVSS base score 7.5 (High) reflects network-reachable, unauthenticated access with high availability impact.
Denial Of Service
-
CVE-2026-33540
HIGH
CVSS 7.5
Server-Side Request Forgery (SSRF) in distribution container toolkit versions before 3.1.0 enables credential theft via malicious upstream registry responses. When operating in pull-through cache mode, distribution parses WWW-Authenticate bearer challenges from upstream registries without validating the realm URL against the configured upstream host. Attackers controlling the upstream registry or positioned for man-in-the-middle attacks can specify arbitrary realm URLs, causing distribution to transmit configured upstream credentials via basic authentication to attacker-controlled endpoints (CVSS 7.5, High confidentiality impact). EPSS data and KEV status not available; no public exploit identified at time of analysis, though exploitation requires only network access with low complexity (AV:N/AC:L) and no authentication (PR:N).
SSRF
-
CVE-2026-33510
HIGH
CVSS 8.8
DOM-based Cross-Site Scripting in Homarr dashboard versions prior to 1.57.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via malicious callbackUrl parameters on the /auth/login page. Despite the high CVSS score of 8.8, no public exploit code or active exploitation has been identified at time of analysis. The vulnerability enables credential theft and unauthorized actions when authenticated users click crafted links, with scope change indicating potential cross-domain impact.
XSS
-
CVE-2026-30078
HIGH
CVSS 7.5
AMF daemon in OpenAirInterface V2.2.0 crashes upon receipt of malformed NGAP control-plane messages containing mismatched procedure codes or PDU type violations (e.g., successfulOutcome where InitiatingMessage is required). Remote attackers can trigger denial of service without authentication (CVSS AV:N/PR:N), exploiting improper input validation (CWE-20) in 5G core network signaling. Publicly available exploit code exists, SSVC framework classifies as automatable with partial technical impact, and EPSS data not provided but attack simplicity (AC:L) indicates low barrier to exploitation.
Denial Of Service
-
CVE-2026-29047
HIGH
CVSS 7.2
SQL injection in GLPI asset management software versions 10.0.0 through 10.0.23 and 11.0.0 through 11.0.5 allows authenticated administrators to execute arbitrary SQL commands through the logs export feature. The vulnerability requires high-level privileges (PR:H), limiting the attack surface to compromised admin accounts or malicious insiders. No public exploit identified at time of analysis. CVSS 7.2 reflects the high impact but limited attacker base, while the network attack vector (AV:N) means exploitation requires only network access to the GLPI instance.
SQLi
-
CVE-2026-26263
HIGH
CVSS 8.1
Time-based blind SQL injection in GLPI's Search engine allows remote unauthenticated attackers to extract sensitive database contents and potentially achieve code execution. GLPI versions 11.0.0 through 11.0.5 are vulnerable. The CVSS vector (PR:N) confirms no authentication required, though attack complexity is rated high (AC:H). EPSS data not available; the absence of a CISA KEV listing indicates no confirmed active exploitation at time of analysis, but the unauthenticated remote attack surface and SQL injection nature present significant risk for this widely-deployed IT asset management platform.
SQLi
-
CVE-2026-26027
HIGH
CVSS 7.5
Stored XSS in GLPI 11.0.0-11.0.5 allows remote attackers to inject malicious scripts via the inventory endpoint without authentication, leading to potential session hijacking and unauthorized actions when victims interact with poisoned inventory data. CVSS 7.5 (High) with Network attack vector and no privileges required (PR:N). No public exploit identified at time of analysis, though the unauthenticated nature and stored XSS persistence elevate practical risk for environments with publicly accessible GLPI installations.
XSS
-
CVE-2026-25932
HIGH
CVSS 7.2
Stored cross-site scripting (XSS) in GLPI asset management software allows authenticated technician-level users to inject malicious JavaScript into supplier fields, achieving code execution in victim browsers with high confidentiality, integrity, and availability impact. Affects GLPI versions 0.60 through 10.0.23, patched in version 10.0.24. EPSS data not available; no public exploit identified at time of analysis, and not listed in CISA KEV. The CVSS score of 7.2 reflects network-accessible attack requiring high privileges but no user interaction, making this a medium-priority issue for organizations running vulnerable GLPI instances with multiple technician accounts.
XSS
-
CVE-2026-21382
HIGH
CVSS 7.8
Memory corruption in Qualcomm Snapdragon components allows local authenticated users to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability through malformed power management requests. The vulnerability stems from improper validation of input/output buffer sizes in power management handlers. EPSS data not available; no confirmed active exploitation (not listed in CISA KEV) or public exploit code identified at time of analysis. Qualcomm addressed this in their April 2026 security bulletin.
Buffer Overflow
-
CVE-2026-21381
HIGH
CVSS 7.6
Buffer over-read (CWE-126) in Qualcomm Snapdragon devices causes denial-of-service when processing malformed Neighborhood Awareness Networking (NAN) service data frames with excessive length values. Attack requires network proximity, high attacker privileges, user interaction, and high complexity (CVSS 7.6), yielding CVSS scope change with potential high confidentiality/integrity impact beyond availability disruption. Qualcomm April 2026 bulletin addresses this transient DOS condition. No public exploit identified at time of analysis, though the specific protocol implementation flaw in NAN device discovery presents measurable risk in adjacent network scenarios where attackers have elevated Wi-Fi protocol access.
Buffer Overflow
-
CVE-2026-21380
HIGH
CVSS 7.8
Local privilege escalation via use-after-free in Qualcomm Snapdragon video memory management allows authenticated attackers with low privileges to achieve complete system compromise. The vulnerability exists in deprecated DMABUF IOCTL interfaces used for direct memory access buffer operations. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE. Qualcomm addressed this in their April 2026 security bulletin.
Memory Corruption
Buffer Overflow
Use After Free
-
CVE-2026-21378
HIGH
CVSS 7.8
Local privilege escalation in Qualcomm Snapdragon camera sensor drivers allows authenticated users to execute arbitrary code with elevated privileges through memory corruption. The vulnerability stems from unbounded buffer access during IOCTL processing, enabling attackers to corrupt memory and achieve complete system compromise (confidentiality, integrity, and availability impact). EPSS data not available; no public exploit identified at time of analysis. Affects Qualcomm Snapdragon-powered devices across mobile and IoT ecosystems.
Buffer Overflow
-
CVE-2026-21376
HIGH
CVSS 7.8
Local privilege escalation in Qualcomm Snapdragon camera sensor drivers allows authenticated attackers with low privileges to execute arbitrary code with elevated permissions through unchecked output buffer access during IOCTL operations. This out-of-bounds read vulnerability (CWE-126) achieves complete system compromise (confidentiality, integrity, and availability impact all rated High in CVSS). No public exploit identified at time of analysis, though the local attack vector and low complexity suggest proof-of-concept development is feasible for researchers with device access.
Buffer Overflow
-
CVE-2026-21375
HIGH
CVSS 7.8
Memory corruption in Qualcomm Snapdragon chipsets allows authenticated local attackers with low privileges to execute arbitrary code, elevate privileges, or cause system crashes through improper IOCTL buffer validation. The vulnerability achieves complete compromise of confidentiality, integrity, and availability (CVSS 7.8 HIGH). No public exploit code identified at time of analysis, though exploitation requires only low attack complexity once local access is obtained. Qualcomm addressed this in their April 2026 security bulletin.
Buffer Overflow
-
CVE-2026-21374
HIGH
CVSS 7.8
Memory corruption in Qualcomm Snapdragon auxiliary sensor I/O control processing allows authenticated local attackers to achieve arbitrary code execution with high integrity and confidentiality impact. The vulnerability stems from insufficient buffer size validation (CWE-126: Buffer Over-read) when handling sensor control commands. With CVSS 7.8 and local attack vector requiring low privileges, this represents a moderate real-world risk for privilege escalation attacks on Android and IoT devices using affected Snapdragon chipsets. No public exploit code or CISA KEV listing identified at time of analysis, though the April 2026 bulletin date suggests recent disclosure.
Buffer Overflow
-
CVE-2026-21373
HIGH
CVSS 7.8
Local privilege escalation in Qualcomm Snapdragon products allows authenticated attackers to gain kernel-level code execution through memory corruption during IOCTL processing. The vulnerability stems from unchecked buffer size validation when writing to output buffers, enabling high-impact compromise of confidentiality, integrity, and availability on affected mobile and embedded devices. With a CVSS score of 7.8 and low attack complexity (AC:L), this represents a significant privilege escalation vector for malicious applications or local users, though no public exploit or active exploitation has been identified at time of analysis.
Buffer Overflow
-
CVE-2026-21372
HIGH
CVSS 7.8
Local privilege escalation in Qualcomm Snapdragon components allows authenticated local attackers to corrupt kernel memory through malformed IOCTL requests. Exploitation requires low-privilege local access but no user interaction (CVSS 7.8, AV:L/PR:L). The vulnerability enables attackers to achieve high impact across confidentiality, integrity, and availability through unsafe memcpy operations that fail to validate buffer sizes. No public exploit identified at time of analysis, though the straightforward attack complexity (AC:L) suggests exploitation development is feasible for adversaries with local access.
Buffer Overflow
Heap Overflow
-
CVE-2026-21371
HIGH
CVSS 7.8
Memory corruption in Qualcomm Snapdragon components allows local authenticated attackers to execute arbitrary code with high privileges. A buffer overflow vulnerability (CWE-126) occurs during output buffer retrieval due to insufficient size validation, enabling complete system compromise with high confidentiality, integrity, and availability impact. EPSS risk data not available; no confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis. The local attack vector (AV:L) and low complexity (AC:L) make this exploitable by malicious apps or local users on affected Snapdragon-powered devices.
Buffer Overflow
-
CVE-2026-21367
HIGH
CVSS 7.6
Out-of-bounds read in Qualcomm Snapdragon WiFi firmware triggers denial-of-service when processing malformed FILS Discovery frames during network scans. Remote attackers on the same wireless network can crash affected devices by broadcasting specially crafted 802.11ai Fast Initial Link Setup frames with invalid action field sizes. CVSS 7.6 (High) reflects the high attack complexity and required high privileges, though the confidentiality/integrity impacts appear overstated for a transient DOS condition. EPSS data not available; no public exploit identified at time of analysis.
Buffer Overflow
-
CVE-2026-5709
HIGH
CVSS 7.7
Remote command injection in AWS Research and Engineering Studio (RES) 2024.10 through 2025.12.01 allows authenticated users to execute arbitrary commands on cluster-manager EC2 instances through unsanitized input in the FileBrowser API. Vendor-released patch available (version 2026.03). No public exploit identified at time of analysis, though CVSS 7.7 reflects high impact if exploited by low-privileged authenticated users with network access.
Command Injection
-
CVE-2026-5708
HIGH
CVSS 8.7
Privilege escalation in AWS Research and Engineering Studio (RES) versions prior to 2026.03 allows authenticated remote attackers to assume virtual desktop host instance profile permissions and interact with AWS resources via crafted API requests. The vulnerability stems from unsanitized user-modifiable attributes in session creation. CVSS 8.7 (High) with network attack vector, low complexity, and requiring low privileges. Vendor-released patch available (version 2026.03). EPSS data not provided; no public exploit identified at time of analysis.
Privilege Escalation
-
CVE-2026-5707
HIGH
CVSS 8.7
Remote code execution as root in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01 allows authenticated remote attackers to execute arbitrary OS commands via unsanitized input in virtual desktop session names. The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78 command injection), enabling privilege escalation to root on virtual desktop hosts. Vendor-released patch available in version 2026.03. CVSS 8.7 (High) with network attack vector, low complexity, and low privileges required. No public exploit identified at time of analysis, though the technical details in GitHub issue #151 may facilitate weaponization.
Command Injection
-
CVE-2026-5687
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda CX12L router firmware 16.03.53.12 allows authenticated remote attackers to achieve arbitrary code execution via the 'page' parameter in the fromNatStaticSetting function at /goform/NatStaticSetting endpoint. Publicly available exploit code exists. EPSS data not provided, but CVSS 7.4 (High) with network attack vector and low complexity indicates significant risk for exposed administrative interfaces.
Tenda
Buffer Overflow
-
CVE-2026-5686
HIGH
CVSS 7.4
Remote stack-based buffer overflow in Tenda CX12L router firmware version 16.03.53.12 allows authenticated attackers to execute arbitrary code via crafted 'page' parameter to the RouteStatic configuration endpoint. CVSS 7.4 with publicly available exploit code (E:P in vector). EPSS and KEV data not provided, but public POC availability elevates immediate risk for exposed management interfaces.
Tenda
Buffer Overflow
-
CVE-2026-5685
HIGH
CVSS 7.4
Remote code execution in Tenda CX12L firmware version 16.03.53.12 allows authenticated attackers to overflow stack buffers via malicious 'page' parameter values sent to the addressNat endpoint (/goform/addressNat). The fromAddressNat function fails to validate input length, enabling memory corruption with high impact to confidentiality, integrity, and availability. Publicly available exploit code exists (GitHub POC), elevating practical exploitation risk despite requiring low-privilege authentication. EPSS data not available, but CVSS 7.4 reflects network-accessible attack vector with low complexity.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-5684
HIGH
CVSS 8.6
Stack-based buffer overflow in Tenda CX12L router firmware version 16.03.53.12 enables adjacent network attackers with low-level credentials to execute arbitrary code or crash the device. The vulnerability resides in the webExcptypemanFilter function's handling of the 'page' parameter. Publicly available exploit code exists (GitHub POC published), elevating immediate risk for exposed devices. CVSS 8.6 reflects high impact across confidentiality, integrity, and availability within the adjacent network attack surface.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-5629
HIGH
CVSS 7.4
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 enables authenticated remote attackers to achieve complete device compromise via the formSetFirewall firewall configuration function. The vulnerability has publicly available exploit code and carries an EPSS exploitation probability that warrants attention, though no active exploitation has been confirmed by CISA KEV at time of analysis. The vendor (Belkin) was notified but did not respond, leaving legacy hardware users without an official remediation path.
Buffer Overflow
-
CVE-2026-5628
HIGH
CVSS 7.4
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the formSetSystemSettings function within the /goform/formSetSystemSettings endpoint, exploitable via the 'webpage' parameter. Publicly available exploit code exists (GitHub POC); CVSS 8.8 indicates a network-exploitable, low-complexity attack requiring only low-privilege authentication. Vendor unresponsive to coordinated disclosure attempts.
Buffer Overflow
Stack Overflow
-
CVE-2026-5614
HIGH
CVSS 7.4
Stack-based buffer overflow in Belkin F9K1015 v1.00.10 allows authenticated remote attackers to achieve code execution via the formSetPassword function. The vulnerability requires low-privilege credentials but no user interaction, carrying a CVSS score of 8.8 (High). Public exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no active exploitation is confirmed (not in CISA KEV). The vendor did not respond to responsible disclosure attempts.
Stack Overflow
Buffer Overflow
-
CVE-2026-5613
HIGH
CVSS 7.4
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 allows authenticated remote attackers to achieve code execution and full system compromise via the formReboot endpoint. The vulnerability has a publicly available exploit (GitHub POC) and requires only low-privileged authentication (EPSS risk assessment recommended but data not provided). Vendor did not respond to disclosure, indicating no patch is available.
Buffer Overflow
Stack Overflow
-
CVE-2026-5612
HIGH
CVSS 7.4
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 enables authenticated remote attackers to achieve complete system compromise via crafted 'webpage' parameter to the formWlEncrypt endpoint. Publicly available exploit code exists (GitHub POC). EPSS data not provided, but the low attack complexity (AC:L) and network attack vector (AV:N) combined with confirmed POC availability indicate moderate-to-high exploitation risk. Vendor was notified but did not respond, leaving devices potentially unpatched.
Buffer Overflow
Stack Overflow
-
CVE-2026-5611
HIGH
CVSS 7.4
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware version 1.00.10 allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the formCrossBandSwitch function accessible via /goform/formCrossBandSwitch endpoint, where unsanitized input to the 'webpage' parameter triggers memory corruption. Publicly available exploit code exists (GitHub POC), elevating practical exploitation risk. CVSS 8.8 score reflects network attack vector with low complexity, requiring only low-privilege authentication. EPSS data not provided, but combination of public exploit and trivial attack complexity suggests elevated real-world risk. Vendor (Belkin) did not respond to coordinated disclosure attempts, and no vendor-released patch identified at time of analysis.
Stack Overflow
Buffer Overflow
-
CVE-2026-5610
HIGH
CVSS 7.4
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 enables authenticated remote attackers to achieve full system compromise (code execution, denial of service, credential theft) via crafted requests to the formWISP5G endpoint. CVSS 8.8 severity with low attack complexity and publicly available exploit code. Vendor has not responded to disclosure, leaving users without an official patch. EPSS data not available, but the combination of network accessibility, low complexity, and public POC elevates real-world risk despite requiring low-privilege authentication.
Buffer Overflow
Stack Overflow
-
CVE-2026-5609
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda i12 router firmware 1.0.0.11(3862) allows authenticated remote attackers to execute arbitrary code via the WiFi SSID configuration interface. The vulnerability is exploitable over the network with low complexity through manipulation of the 'index' or 'wl_radio' parameters in the formwrlSSIDset function. With publicly available exploit code (GitHub POC) and a CVSS score of 8.8, this presents immediate risk to exposed management interfaces. EPSS data not provided, but the combination of network accessibility, authentication bypass potential, and weaponized exploit elevates real-world risk.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-5608
HIGH
CVSS 7.4
Stack-based buffer overflow in Belkin F9K1122 router firmware 1.00.33 enables authenticated remote attackers to achieve full device compromise via crafted 'webpage' parameter in formWlanSetup function. Publicly available exploit code exists, and EPSS data suggests low-probability targeting despite critical CVSS 8.8 severity. Vendor non-responsive to disclosure; no patch released.
Buffer Overflow
Stack Overflow
-
CVE-2026-3524
HIGH
CVSS 8.8
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal hold data without proper permission validation. After failed authorization checks, the plugin continues processing requests instead of terminating them, enabling low-privileged authenticated users to access, create, download, and delete sensitive legal hold data through direct API calls. This represents a critical failure in access control enforcement for compliance-critical data. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.
Authentication Bypass
-
CVE-2025-59440
HIGH
CVSS 7.5
Denial of service in Samsung Exynos USIM firmware across mobile, wearable, and modem processors allows unauthenticated remote attackers to crash affected devices via maliciously crafted SIM card proactive commands. The vulnerability affects over 20 Exynos chipset families (980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, 5300, 5400) due to improper handling of USIM proactive commands, classified as CWE-400 (Uncontrolled Resource Consumption). EPSS exploitation probability is low (0.02%, 5th percentile), no public exploit identified at time of analysis, and not currently listed in CISA KEV. Despite the high CVSS base score of 7.5, the practical exploitation requires attacker control over cellular network infrastructure or compromised SIM cards, significantly limiting real-world attack surface.
Samsung
Denial Of Service
Exynos 990 Firmware
Exynos 980 Firmware
Exynos 850 Firmware
-
CVE-2025-57835
HIGH
CVSS 7.5
System crash in Samsung Exynos processors (980/990/850/1080/2100/1280/2200/1330/1380/1480/2400/1580/2500/9110, Wearable W920/W930/W1000, Modems 5123/5300/5400) allows unauthenticated remote attackers to trigger denial-of-service via a malformed RRCReconfiguration message that exploits improper memory initialization in the Radio Resource Control (RRC) layer. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) indicates very low probability of imminent exploitation despite network-reachable attack surface and low complexity (CVSS 7.5, AV:N/AC:L/PR:N).
Samsung
Denial Of Service
Exynos 990 Firmware
Exynos 980 Firmware
Exynos 850 Firmware
-
CVE-2025-57834
HIGH
CVSS 7.5
Denial of Service in Samsung Exynos processors and modems (including 980, 850, 990, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 1680, 9110, W920, W930, W1000, and Modems 5123, 5300, 5400, 5410) allows unauthenticated remote attackers to cause complete service disruption via network-based attacks requiring low complexity and no user interaction. The vulnerability stems from improper input validation (CWE-20) affecting mobile, wearable, and baseband modem chipsets used across Samsung's semiconductor product line. No public exploit identified at time of analysis, though the CVSS vector indicates trivial exploitation conditions (AV:N/AC:L/PR:N/UI:N) that could enable network-accessible denial of service attacks against devices containing these chipsets.
Denial Of Service
Samsung
-
CVE-2025-54602
HIGH
CVSS 7.0
Use-after-free in Samsung Exynos Wi-Fi driver affects 11 mobile and wearable processor models via race condition triggered by concurrent ioctl calls. Local attackers with low privileges can exploit improper synchronization on a global variable to achieve high-impact compromise (confidentiality, integrity, availability). EPSS data not available; no confirmed active exploitation (not in CISA KEV); public exploit code status unknown. Attack complexity rated high (AC:H) due to race condition timing requirements, reducing immediate weaponization risk despite 7.0 CVSS score.
Information Disclosure
Race Condition
Samsung
-
CVE-2025-54601
HIGH
CVSS 7.0
Race condition in Samsung Exynos Wi-Fi drivers enables local privilege escalation to kernel execution via double-free memory corruption. Affects 11 mobile and wearable processors (Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, W1000). Local attackers with low privileges can trigger memory corruption by racing ioctl calls across threads, achieving high confidentiality, integrity, and availability impact. EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation likelihood despite CVSS 7.0 severity. No public exploit identified at time of analysis.
Information Disclosure
Amd
Race Condition
Samsung
-
CVE-2025-54324
HIGH
CVSS 7.5
Denial of service in Samsung Exynos chipsets' NAS (Non-Access Stratum) layer allows remote unauthenticated attackers to crash mobile devices via malformed Downlink NAS Transport packets. Affects 23+ Exynos processor and modem variants used in mobile phones, wearables, and cellular modems (980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, 5300, 5400). Despite CVSS 7.5, EPSS shows only 0.02% exploitation probability (5th percentile), and no public exploit or active exploitation confirmed at time of analysis.
Samsung
Denial Of Service
-
CVE-2025-47400
HIGH
CVSS 7.1
Buffer overread in Qualcomm Snapdragon cryptographic implementation allows authenticated local attackers to expose sensitive memory contents and potentially manipulate cryptographic operations. The vulnerability (CWE-126) stems from copying data to a destination buffer without size validation, creating high confidentiality and integrity risk. EPSS scoring and KEV status not available at time of analysis; no public exploit identified. Affects Qualcomm Snapdragon chipsets with fix documented in April 2026 security bulletin.
Buffer Overflow
-
CVE-2025-47392
HIGH
CVSS 8.8
Memory corruption in Qualcomm Snapdragon chipsets allows adjacent network attackers to achieve arbitrary code execution without authentication when processing malformed satellite data files containing invalid signature offsets. The vulnerability stems from an integer overflow (CWE-190) that leads to buffer overflow conditions during satellite data decoding. With a CVSS score of 8.8 and adjacent network attack vector, this represents a significant risk for devices with satellite communication capabilities in proximity-based attack scenarios. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Integer Overflow
Buffer Overflow
-
CVE-2025-47391
HIGH
CVSS 7.8
Local privilege escalation in Qualcomm Snapdragon allows authenticated users to execute arbitrary code through memory corruption when processing frame requests. This CWE-121 stack-based buffer overflow enables complete system compromise (high confidentiality, integrity, and availability impact). No public exploit identified at time of analysis, with CVSS 7.8 indicating high severity requiring low attack complexity and low privileges. Qualcomm's April 2026 security bulletin addresses this vulnerability.
Buffer Overflow
Stack Overflow
-
CVE-2025-47390
HIGH
CVSS 7.8
Local privilege escalation via memory corruption in Qualcomm Snapdragon JPEG driver allows authenticated local users to achieve full system compromise (high confidentiality, integrity, and availability impact). The buffer overflow vulnerability (CWE-126) occurs during IOCTL request preprocessing, a common attack surface in kernel-mode device drivers. CVSS 7.8 indicates high severity with low attack complexity. No public exploit identified at time of analysis, and EPSS data not available in provided intelligence. Qualcomm's April 2026 security bulletin addresses this issue, indicating coordinated disclosure timeframe.
Buffer Overflow
-
CVE-2025-47389
HIGH
CVSS 7.8
Local privilege escalation in Qualcomm Snapdragon components enables authenticated users to achieve arbitrary code execution with elevated privileges through memory corruption triggered by integer overflow during attestation report generation. The vulnerability requires low attack complexity and low-level authentication (CVSS:3.1/AV:L/AC:L/PR:L), allowing complete compromise of confidentiality, integrity, and availability on affected devices. With CVSS 7.8 (High severity) and local attack vector, this represents a significant risk on multi-user Android devices where malicious apps could exploit the flaw to break out of sandboxing. No public exploit identified at time of analysis, though the buffer overflow class (CWE-120) is well-understood by exploit developers.
Buffer Overflow
-
CVE-2026-39365
MEDIUM
CVSS 6.3
Path traversal in Vite dev server versions 6.x through 7.3.1 allows unauthenticated remote attackers to bypass filesystem restrictions and retrieve sensitive `.map` files outside the project root by injecting path traversal sequences into optimized dependency URLs. The vulnerability requires explicit network exposure of the dev server and predictable file paths, but publicly available proof-of-concept code demonstrates the attack. Affected Vite instances should upgrade to v6.4.2, v7.3.2, or v8.0.5.
Path Traversal
-
CVE-2026-35515
MEDIUM
CVSS 6.3
NestJS Core's Server-Sent Events (SSE) stream handler fails to sanitize newline characters in message type and ID fields, allowing remote attackers to inject arbitrary SSE events, spoof event types, and corrupt client reconnection state. Affected versions prior to @nestjs/core@11.1.18 are vulnerable when developers map user-controlled data to SSE message type or id fields. This mirrors a vulnerability patched in Spring Framework and can lead to event spoofing, data injection with XSS potential, and reconnection state corruption if client applications render SSE data without additional sanitization.
XSS
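The entry above describes the failure mode in the abstract; the following is an added example (not code from @nestjs/core or Spring) showing how a line break inside the `event:` or `id:` line splits one SSE frame into two, and the two-line fix. The dataclass, the field names and the constructed INJECTED_TYPE payload are assumptions; the framing rules follow the SSE specification (one field per line, a blank line ends an event).

```python
"""SSE framing: how a line break in the event/id field becomes event injection.

Added illustration, not code from @nestjs/core. The field names and the
constructed INJECTED_TYPE payload are assumptions; the framing rules follow the
SSE specification (one field per line, blank line ends an event).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SseMessage:
    data: str
    event: Optional[str] = None   # maps to the "event:" line (the message type)
    id: Optional[str] = None      # maps to the "id:" line (client reconnection state)


def frame_unsafe(msg: SseMessage) -> str:
    """Vulnerable framing: interpolates type and id without looking for CR/LF."""
    lines = []
    if msg.event is not None:
        lines.append(f"event: {msg.event}")
    if msg.id is not None:
        lines.append(f"id: {msg.id}")
    lines.append(f"data: {msg.data}")
    return "\n".join(lines) + "\n\n"


def _single_line(field: str, value: str) -> str:
    # event and id have no multi-line form in SSE, so a line break is always hostile
    if "\n" in value or "\r" in value:
        raise ValueError(f"SSE field {field!r} must not contain line breaks")
    return value


def frame_safe(msg: SseMessage) -> str:
    """Hardened framing: reject CR/LF in event/id; encode multi-line data as repeated data: lines."""
    lines = []
    if msg.event is not None:
        lines.append(f"event: {_single_line('event', msg.event)}")
    if msg.id is not None:
        lines.append(f"id: {_single_line('id', msg.id)}")
    normalized = msg.data.replace("\r\n", "\n").replace("\r", "\n")
    for part in normalized.split("\n"):
        lines.append(f"data: {part}")
    return "\n".join(lines) + "\n\n"


def parse_events(stream: str) -> list:
    """Minimal client-side parser: returns the events an EventSource would dispatch."""
    events = []
    for block in stream.split("\n\n"):
        if not block.strip():
            continue
        fields = {}
        data_lines = []
        for line in block.split("\n"):
            if not line or line.startswith(":"):
                continue  # comment line
            name, _, value = line.partition(":")
            if value.startswith(" "):
                value = value[1:]
            if name == "data":
                data_lines.append(value)
            else:
                fields[name] = value
        fields["data"] = "\n".join(data_lines)
        events.append(fields)
    return events


# Constructed attacker-controlled "type": terminates the event line, adds a data
# line, closes the event, and starts a second, spoofed "logout" event.
INJECTED_TYPE = 'status\ndata: {"role":"admin"}\n\nevent: logout\ndata: bye'


def demo():
    """Returns (events dispatched by the unsafe framing, events by the safe framing)."""
    msg = SseMessage(data="hello", event=INJECTED_TYPE, id="7")
    unsafe_events = parse_events(frame_unsafe(msg))
    try:
        frame_safe(msg)
        safe_count = 1
    except ValueError:
        safe_count = 0
    return len(unsafe_events), safe_count
```

With the unsafe framing the victim's own `data: hello` line is swallowed into the attacker's second event, so the client sees a `logout` event carrying the victim's data and an `id` the attacker chose; the safe framing refuses the message outright, which is the right default because there is no legitimate multi-line event type or id.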
-
CVE-2026-35492
MEDIUM
CVSS 6.5
Path traversal in kedro-datasets PartitionedDataset allows authenticated attackers to write files outside the configured dataset directory by injecting .. components into partition IDs, potentially overwriting arbitrary files on affected systems. The vulnerability affects all versions prior to 9.3.0 across all storage backends (local filesystem, S3, GCS, etc.). A vendor-released patch is available; no public exploit code or active exploitation has been identified at the time of analysis.
Path Traversal
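The kedro entry above and the Vite entry earlier on this page are the same bug in two settings: a caller-supplied path component (a partition ID, a URL segment) is joined onto a base directory without proving the result stays inside it. The following is an added example, not code from kedro-datasets or Vite, showing the broken check-after-normalise pattern next to a containment check that runs in the right order; the base directories and partition IDs are constructed.

```python
"""Keeping an attacker-supplied path component under a base directory.

Added illustration, not kedro-datasets, Vite or zip.vim code. The base
directories and partition IDs below are constructed; the point is the order of
operations: decode, reject absolute and traversal input, normalise, then prove
containment, rather than a substring test for ".." that runs after
normalisation has already removed it.
"""
import posixpath
from pathlib import PurePosixPath
from urllib.parse import unquote


class PathEscape(ValueError):
    """Raised when the requested path would leave the base directory."""


def check_after_normalize_unsafe(base: str, partition_id: str) -> str:
    """Broken pattern: normpath collapses '..' first, so the check never fires."""
    joined = posixpath.normpath(posixpath.join(base, partition_id))
    if ".." in joined.split("/"):
        raise PathEscape(partition_id)
    return joined


def resolve_under_base(base: str, partition_id: str) -> str:
    """Lexical containment check for POSIX-style paths (local FS, S3/GCS keys)."""
    if not partition_id or "\x00" in partition_id or "\\" in partition_id:
        raise PathEscape(partition_id)          # NUL and backslash are never legitimate here
    requested = PurePosixPath(partition_id)
    if requested.is_absolute() or ".." in requested.parts:
        raise PathEscape(partition_id)          # reject traversal before any normalisation
    base_norm = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base_norm, partition_id))
    # commonpath, not startswith: base "/data/set" must not accept "/data/sets/x"
    if posixpath.commonpath([base_norm, target]) != base_norm:
        raise PathEscape(partition_id)
    return target


def resolve_url_path(base: str, url_path: str) -> str:
    """Same check for a path segment taken from a URL: percent-decode first, so
    '%2e%2e' is seen as '..' by the check and not only by the filesystem."""
    decoded = unquote(url_path)
    if "%" in decoded:
        raise PathEscape(url_path)              # double-encoded input; refuse rather than loop
    return resolve_under_base(base, decoded)
```

This check is lexical, which is exactly what an object-store key needs. For writes to a real filesystem, run the same comparison a second time on `os.path.realpath()` of base and target, so a symlink planted inside the base directory cannot redirect the write.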
-
CVE-2026-35480
MEDIUM
CVSS 6.2
Denial-of-service vulnerability in go-ipld-prime DAG-CBOR decoder allows remote attackers to cause excessive memory allocation through CBOR headers declaring arbitrarily large collection sizes without preallocation caps. A malicious payload under 100 bytes with nested structures can trigger over 9GB of memory allocation, crashing applications using the library. The vulnerability affects all versions prior to v0.22.0, and while no confirmed active exploitation has been reported, the attack requires only unauthenticated network access and minimal attacker resources.
Denial Of Service
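To make the "under 100 bytes, gigabytes of allocation" arithmetic concrete, here is an added example (not go-ipld-prime code) with a minimal definite-length CBOR header reader: one function tallies what a decoder commits to if it preallocates from every declared length, the other decodes with the cheap cap that a collection cannot have more elements than there are bytes left in the input. The per-element reservation size and the 15-byte hostile payload are constructed assumptions.

```python
"""Why a DAG-CBOR header can cost gigabytes: declared length vs. bytes present.

Added illustration, not go-ipld-prime code. Implements only the definite-length
subset of CBOR headers (major types 0-5). SLOT_BYTES, the per-element reservation
a trusting decoder would make, is an assumed figure; the constructed payload is
15 bytes that declare three nested arrays of 2^32-1 elements each.
"""
MAJOR_UINT, MAJOR_NEGINT, MAJOR_BYTES, MAJOR_TEXT, MAJOR_ARRAY, MAJOR_MAP = range(6)
SLOT_BYTES = 16          # assumed size reserved per element by a preallocating decoder


class Truncated(ValueError):
    """Input ended before the declared structure did."""


class TooLarge(ValueError):
    """Declared length exceeds what the remaining input could possibly contain."""


def read_head(buf: bytes, pos: int):
    """Decode one CBOR initial byte (+ argument) at pos -> (major, argument, new_pos)."""
    if pos >= len(buf):
        raise Truncated(pos)
    ib = buf[pos]
    major, info = ib >> 5, ib & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None:
        raise ValueError("indefinite-length or reserved additional info")
    if pos + width > len(buf):
        raise Truncated(pos)
    return major, int.from_bytes(buf[pos:pos + width], "big"), pos + width


def bytes_reserved_by_trusting_decoder(buf: bytes) -> int:
    """Sum what a decoder commits to if it preallocates from every header it
    reads. Nothing is allocated here; the number is the point."""
    total, pos, pending = 0, 0, [1]
    try:
        while pending:
            if pending[-1] == 0:
                pending.pop()
                continue
            pending[-1] -= 1
            major, arg, pos = read_head(buf, pos)
            if major in (MAJOR_BYTES, MAJOR_TEXT):
                total += arg               # buffer for the declared string length
                pos += arg
            elif major == MAJOR_ARRAY:
                total += arg * SLOT_BYTES  # make([]Node, 0, n)-style preallocation
                pending.append(arg)
            elif major == MAJOR_MAP:
                total += arg * 2 * SLOT_BYTES
                pending.append(arg * 2)
    except Truncated:
        pass                               # the real decoder fails here, after reserving
    return total


def _decode(buf: bytes, pos: int, depth: int, max_depth: int, max_items: int):
    if depth > max_depth:
        raise TooLarge("nesting depth")
    major, arg, pos = read_head(buf, pos)
    remaining = len(buf) - pos
    if major == MAJOR_UINT:
        return arg, pos
    if major == MAJOR_NEGINT:
        return -1 - arg, pos
    if major in (MAJOR_BYTES, MAJOR_TEXT):
        if arg > remaining:
            raise TooLarge(f"string of {arg} bytes, {remaining} available")
        raw = buf[pos:pos + arg]
        return (raw if major == MAJOR_BYTES else raw.decode("utf-8")), pos + arg
    if major == MAJOR_ARRAY:
        # every element needs at least one byte: a cap that costs nothing to check
        if arg > remaining or arg > max_items:
            raise TooLarge(f"array of {arg} items, {remaining} bytes available")
        items = []                         # grows only as elements actually arrive
        for _ in range(arg):
            item, pos = _decode(buf, pos, depth + 1, max_depth, max_items)
            items.append(item)
        return items, pos
    if major == MAJOR_MAP:
        if arg * 2 > remaining or arg > max_items:
            raise TooLarge(f"map of {arg} pairs, {remaining} bytes available")
        out = {}
        for _ in range(arg):
            key, pos = _decode(buf, pos, depth + 1, max_depth, max_items)
            val, pos = _decode(buf, pos, depth + 1, max_depth, max_items)
            out[key] = val
        return out, pos
    raise ValueError(f"unsupported major type {major}")


def loads(buf: bytes, max_depth: int = 64, max_items: int = 1_000_000):
    """Capped decoder: rejects impossible lengths before reserving anything."""
    value, end = _decode(buf, 0, 0, max_depth, max_items)
    if end != len(buf):
        raise ValueError("trailing bytes")
    return value


# Constructed: 0x9a = array with 4-byte length, 0xffffffff elements, nested three times
HOSTILE = b"\x9a\xff\xff\xff\xff" * 3
```

The "remaining bytes" bound is the important one: it needs no tuning, it is exact for definite-length encodings, and it rejects the hostile header on the very first byte. The depth and item caps are belt and braces for streams that are well-formed but still unreasonable.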
-
CVE-2026-35475
MEDIUM
CVSS 5.1
Open redirect vulnerability in WeGIA web manager prior to version 3.6.9 allows unauthenticated remote attackers to redirect users to arbitrary external URLs by injecting a malicious redirect parameter into HTTP requests. The vulnerability exploits missing URL validation on the redirect parameter, which is passed directly to PHP's header() function without sanitization or whitelist checks. User interaction is required as the victim must click a crafted link, but successful exploitation can facilitate phishing attacks or credential theft by redirecting users to attacker-controlled domains that masquerade as legitimate institutional websites.
Open Redirect
-
CVE-2026-35474
MEDIUM
CVSS 5.1
Open redirect vulnerability in WeGIA web application versions prior to 3.6.9 allows unauthenticated remote attackers to redirect users to arbitrary external URLs via an unvalidated redirect parameter in GET requests. The vulnerability requires user interaction (clicking a malicious link) and has limited confidentiality and integrity impact. This is fixed in version 3.6.9.
Open Redirect
-
CVE-2026-35473
MEDIUM
CVSS 5.1
Open redirect vulnerability in WeGIA web manager versions prior to 3.6.9 allows unauthenticated remote attackers to redirect users to arbitrary external websites via the unvalidated nextPage parameter in the /WeGIA/controle/control.php endpoint. The vulnerability requires user interaction (clicking a malicious link) but leverages the trusted WeGIA domain to facilitate phishing, credential theft, and malware distribution attacks. This issue is fixed in version 3.6.9.
Open Redirect
PHP
-
CVE-2026-35472
MEDIUM
CVSS 5.1
Open Redirect vulnerability in WeGIA versions prior to 3.6.9 allows unauthenticated remote attackers to redirect users to arbitrary external websites via the unvalidated nextPage parameter in the /WeGIA/controle/control.php endpoint when combined with specific parameters (metodo=listarTodos and nomeClasse=EstoqueControle). Attackers can exploit the application's trusted domain to conduct phishing attacks, steal credentials, distribute malware, or execute social engineering campaigns. The vulnerability has been patched in version 3.6.9.
Open Redirect
PHP
-
CVE-2026-35404
MEDIUM
CVSS 4.7
Open edX Platform versions prior to commit 76462f1e5fa9b37d2621ad7ad19514b403908970 suffer from an open redirect vulnerability in the view_survey endpoint that accepts unvalidated redirect_url parameters, enabling attackers to redirect authenticated users to arbitrary attacker-controlled URLs for phishing and credential theft. The vulnerability requires user interaction (clicking a malicious link) to trigger the redirect but affects all versions of the platform until the specific commit is applied; no public exploit code has been identified at the time of analysis.
Open Redirect
-
CVE-2026-35398
MEDIUM
CVSS 5.1
Open redirect vulnerability in WeGIA versions prior to 3.6.9 allows unauthenticated remote attackers to redirect users to arbitrary external websites via the nextPage parameter in the /WeGIA/controle/control.php endpoint. By combining this with specific query parameters (metodo=listarTodos, listarId_Nome, nomeClasse=OrigemControle), attackers can leverage the trusted WeGIA domain for phishing, credential harvesting, malware distribution, and social engineering attacks. The vulnerability is fixed in version 3.6.9.
Open Redirect
PHP
-
CVE-2026-35396
MEDIUM
CVSS 5.1
Open redirect in WeGIA web management application versions prior to 3.6.9 allows unauthenticated remote attackers to redirect users to arbitrary external websites via an unvalidated nextPage parameter in the /WeGIA/controle/control.php endpoint. By crafting a malicious URL combining metodo=listarId and nomeClasse=IsaidaControle parameters, attackers can leverage the application's trusted domain for phishing, credential harvesting, malware distribution, and social engineering attacks. The vulnerability is fixed in version 3.6.9.
Open Redirect
PHP
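The six WeGIA entries and the Open edX entry above share one root cause: a `nextPage` / `redirect_url` parameter is copied into a Location header without being checked. The following is an added example, not WeGIA or Open edX code, of a redirect validator that handles the bypasses an unvalidated parameter invites (scheme-relative `//host`, backslash authorities, credentials-in-URL, non-HTTP schemes, header injection). ALLOWED_HOSTS is an assumed deployment value.

```python
"""Validating a post-login/next-page redirect target.

Added illustration, not WeGIA or Open edX code; mirrors the pattern in the
entries above where a nextPage / redirect_url parameter reaches a Location
header unvalidated. ALLOWED_HOSTS is an assumed deployment value.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"wegia.example.org"})   # assumed: this site's own host(s)


def location_header_unsafe(next_page: str) -> str:
    """Equivalent of header('Location: ' . $_GET['nextPage']) with no checks."""
    return f"Location: {next_page}"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-site path or an http(s) URL whose host is allowed."""
    if not target:
        return False
    if any(ch in target for ch in "\r\n\t\x00"):
        return False                      # CR/LF would also split the header
    target = target.strip()
    # "//host", "/\host" and "\\host" are all read by browsers as a new authority
    if target.startswith(("//", "/\\", "\\")):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return False                  # javascript:, data:, etc.
        if parts.username or parts.password:
            return False                  # https://trusted@evil.example/
        return parts.hostname in allowed_hosts   # .hostname is lowercased
    return target.startswith("/")         # relative path on this origin


def location_header_safe(next_page: str, fallback: str = "/") -> str:
    return f"Location: {next_page if is_safe_redirect(next_page) else fallback}"
```

The simplest deployment is to allow only relative paths and drop the host allowlist entirely; the allowlist is there for applications that genuinely need to bounce to a second first-party host.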
-
CVE-2026-35390
MEDIUM
CVSS 5.3
Bulwark Webmail versions prior to 1.4.11 fail to enforce Content-Security-Policy headers, allowing unauthenticated attackers to execute arbitrary JavaScript through crafted email HTML. The reverse proxy incorrectly uses Content-Security-Policy-Report-Only instead of the enforcing Content-Security-Policy header, enabling XSS attacks that can steal session tokens or perform unauthorized actions on behalf of users. This vulnerability requires user interaction (opening a malicious email) and affects only the client-side context with limited scope, reflected in the CVSS 5.3 score; no public exploit code or active exploitation has been reported.
XSS
-
CVE-2026-35208
MEDIUM
CVSS 5.3
Stored HTML injection in lichess.org allows approved streamers to inject arbitrary markup into the /streamer page and the homepage 'Live streams' widget via their Twitch or YouTube stream title, enabling defacement and phishing attacks. The attacker must first obtain an approved streamer account (accounts older than 2 days with 15+ games, or verified accounts) and then moderator approval, but no additional privileges or authentication beyond that approval are needed. Content Security Policy blocks inline script execution, limiting the immediate scope to HTML/CSS-based attacks rather than arbitrary JavaScript execution. An upstream fix is available via commit 0d5002696ae705e1888bf77de107c73de57bb1b3, and no public exploit code or active exploitation has been reported.
XSS
-
CVE-2026-35201
MEDIUM
CVSS 5.9
Out-of-bounds read in RDiscount's Markdown parser allows denial-of-service when processing attacker-controlled inputs exceeding 2GB. The vulnerability occurs because unsigned Ruby string lengths are truncated to signed integers before passing to the native parser, causing the parser to read past buffer boundaries and crash. Affected are RDiscount.new(input).to_html and RDiscount.new(input).toc_content methods. No public exploitation beyond proof-of-concept exists; patch version 2.2.7.4 is available.
Buffer Overflow
Information Disclosure
-
CVE-2026-35199
MEDIUM
CVSS 6.1
Heap buffer overflow in Microsoft SymCrypt versions 103.5.0 through 103.10.x allows local authenticated attackers to cause denial of service or limited integrity compromise via silent truncation of a 64-bit leaf count parameter to 32 bits in the SymCryptXmssSign function during XMSS^MT signature operations with tree height >= 32. Real-world risk is significantly mitigated by the requirement for attacker-controlled signing parameters (uncommon in production), the private-key-operation context, and Microsoft's explicit guidance that XMSS^MT signing should only occur in Hardware Security Modules and is provided in SymCrypt for testing purposes only. No public exploit code or active exploitation has been identified.
Heap Overflow
Buffer Overflow
Microsoft
-
CVE-2026-35197
MEDIUM
CVSS 6.6
Arbitrary code execution in dye color library versions prior to 1.1.1 allows authenticated local users with interactive UI access to execute arbitrary code through malicious template expressions. The vulnerability stems from unsafe evaluation of template syntax and requires local file system access and user interaction. No public exploits have been identified; the vulnerability was discovered and remediated by the author.
RCE
Code Injection
-
CVE-2026-35180
MEDIUM
CVSS 4.3
Cross-site request forgery in WWBN AVideo 26.0 and earlier allows unauthenticated remote attackers to overwrite the platform's logo file via a malicious cross-origin POST to the admin/customize_settings_nativeUpdate.json.php endpoint. The vulnerability exploits missing CSRF token validation combined with a SameSite=None cookie policy and a file-write-before-validation logic flaw, enabling integrity compromise of the site's branding. No public exploit code or active exploitation has been identified at the time of analysis.
CSRF
PHP
-
CVE-2026-35177
MEDIUM
CVSS 4.1
Vim 9.2.0279 and earlier contains a path traversal bypass in the zip.vim plugin that allows local attackers with user interaction to overwrite arbitrary files when opening specially crafted zip archives. This vulnerability circumvents a prior fix for CVE-2025-53906, affecting users who process untrusted ZIP files. The vulnerability requires local access and user interaction to trigger, with a CVSS score of 4.1 indicating low to moderate severity; no public exploit code or active exploitation has been identified at the time of analysis.
Path Traversal
-
CVE-2026-35173
MEDIUM
CVSS 6.5
Chyrp Lite prior to version 2026.01 allows authenticated users with post editing permissions to modify posts owned by other users through an insecure direct object reference (IDOR) and mass assignment vulnerability in the Post model. Attackers can inject internal class properties such as post IDs into the post_attributes payload to alter which post is being edited, effectively enabling unauthorized post takeover. The vulnerability requires valid authentication and existing post editing permissions but no user interaction, posing a medium-to-high integrity risk to multi-user blogging instances.
Authentication Bypass
-
CVE-2026-35046
MEDIUM
CVSS 5.4
Tandoor Recipes prior to version 2.6.4 allows authenticated users to inject malicious CSS via <style> tags in recipe step instructions because the bleach.clean() allowlist in use permits <style> tags. Client applications that render the instructions_markdown field from the API without additional sanitization will apply attacker-controlled CSS, enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. The vulnerability requires authentication and user interaction to exploit, limiting its scope, but affects any downstream application consuming the API.
XSS
-
CVE-2026-34981
MEDIUM
CVSS 5.8
Server-side request forgery (SSRF) in whisperX-FastAPI versions 0.3.1 through 0.5.0 allows unauthenticated remote attackers to make arbitrary HTTP requests to internal URLs by exploiting inadequate URL validation in the FileService.download_from_url() function. An attacker can bypass the post-request file extension check by appending .mp3 to any URL supplied to the /speech-to-text-url endpoint, enabling reconnaissance of internal services and potential information disclosure. The vulnerability carries moderate severity (CVSS 5.8) with confirmed patch availability in version 0.6.0.
SSRF
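The bypass in the entry above (append `.mp3` and the check passes) is what happens when a URL is judged by its suffix instead of by where it resolves. Here is an added example, not whisperX-FastAPI code, that resolves the host and rejects any answer that is loopback, link-local, private, or an IPv4-mapped IPv6 form of those; the resolver table and hostnames are constructed so it runs offline.

```python
"""Validating a user-supplied download URL by where it resolves, not how it ends.

Added illustration, not whisperX-FastAPI code. FAKE_DNS and the hostnames in it
are constructed so the example runs offline; in production `resolve` would wrap
socket.getaddrinfo and the connection must be pinned to the validated address.
"""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit


class RejectedUrl(ValueError):
    pass


def extension_check_unsafe(url: str) -> bool:
    """The bypassed control: anything ending in an audio suffix is accepted."""
    return url.lower().endswith((".mp3", ".wav", ".m4a"))


def is_public_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not ip.is_multicast


def system_resolve(host: str) -> List[str]:
    """Real resolver (unused by the tests): every A/AAAA answer must be checked."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def validate_download_url(url: str, resolve: Callable[[str], List[str]] = system_resolve) -> List[str]:
    """Returns the vetted addresses; the caller connects to one of them directly."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise RejectedUrl(f"scheme {parts.scheme!r}")
    if not parts.hostname:
        raise RejectedUrl("missing host")
    if parts.username or parts.password:
        raise RejectedUrl("credentials in URL")
    addresses = resolve(parts.hostname)
    if not addresses:
        raise RejectedUrl(f"{parts.hostname} does not resolve")
    for addr in addresses:
        if not is_public_address(addr):
            raise RejectedUrl(f"{parts.hostname} resolves to non-public {addr}")
    return addresses


# Constructed resolver table for an offline demonstration
FAKE_DNS = {
    "cdn.example.net": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolve(host: str) -> List[str]:
    try:
        return [str(ipaddress.ip_address(host))]   # IP literal: no lookup needed
    except ValueError:
        return FAKE_DNS.get(host, [])
```

Two things the validator cannot do on its own: the fetch must connect to one of the returned addresses (with the Host header set by hand) rather than resolving again, or DNS rebinding reopens the hole; and every HTTP redirect hop has to go through the same check, since an allowed public host can 302 to the metadata service.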
-
CVE-2026-34972
MEDIUM
CVSS 5.0
BatchCheck API calls in OpenFGA 1.8.0 through 1.13.1 can bypass authorization policies when multiple permission checks target the same object, relation, and user combination, allowing authenticated attackers with limited privileges to gain unauthorized access to protected resources. The vulnerability stems from improper handling of duplicate check parameters in batch operations and is fixed in version 1.14.0.
Google
Authentication Bypass
-
CVE-2026-34951
MEDIUM
CVSS 5.1
Reflected cross-site scripting (XSS) in Salesforce Workbench prior to version 65.0.0 allows unauthenticated remote attackers to inject arbitrary JavaScript via the footerScripts parameter on error pages, requiring user interaction to execute malicious payload. The vulnerability stems from improper input sanitization during web page generation. Vendor-released patch: version 65.0.0. No public exploit code or active exploitation confirmed at time of analysis.
XSS
-
CVE-2026-34897
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in David Lingren Media Library Assistant WordPress plugin through version 3.34 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability requires user interaction (UI:R per CVSS vector) and impacts confidentiality, integrity, and availability with a CVSS score of 6.5. No public exploit code or active exploitation has been confirmed at the time of analysis.
XSS
-
CVE-2026-34380
MEDIUM
CVSS 5.9
Signed integer overflow in OpenEXR's undo_pxr24_impl() function allows unauthenticated remote attackers to bypass buffer bounds checks and trigger heap buffer overflow during EXR file decoding, potentially causing denial of service or limited data corruption when processing maliciously crafted EXR files. The vulnerability affects OpenEXR versions 3.2.0 through 3.2.6, 3.3.0 through 3.3.8, and 3.4.0 through 3.4.8. No public exploit code or active exploitation has been confirmed at the time of analysis.
Buffer Overflow
Integer Overflow
-
CVE-2026-34378
MEDIUM
CVSS 6.5
Integer overflow in OpenEXR 3.4.0-3.4.8 allows remote attackers to crash applications processing malicious EXR files via a negative dataWindow.min.x value in the file header, triggering a signed integer overflow in generic_unpack() that causes process termination with SIGILL. The vulnerability requires user interaction (opening a crafted file) and affects availability only, with no confirmed active exploitation at time of analysis.
Integer Overflow
Buffer Overflow
-
CVE-2026-33817
MEDIUM
CVSS 6.2
Index out-of-bounds read in go.etcd.io/bbolt allows local unauthenticated attackers to cause a denial of service by crafting a malicious database file with a branch page containing zero elements, triggering a crash during cursor traversal. The vulnerability affects all versions of the library and has been patched upstream; no public exploit code or active exploitation has been reported.
Buffer Overflow
Information Disclosure
-
CVE-2026-33727
MEDIUM
CVSS 6.4
Pi-hole 6.4 allows local privilege escalation to root code execution because root-run scripts source /etc/pihole/versions, a file whose content can be controlled by the low-privilege pihole account. A compromised pihole account can therefore inject shell code that executes as root, even though the account itself has a nologin shell. This vulnerability is fixed in version 6.4.1.
Privilege Escalation
RCE
-
CVE-2026-33406
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) via HTML attribute injection in the Pi-hole Admin Interface versions 6.0 through 6.4 allows unauthenticated remote attackers to perform UI redressing and information disclosure. Double quotes injected into configuration values are rendered unescaped by settings-advanced.js; the values can be planted through a malicious teleporter backup import, which bypasses server-side field validation.
XSS
-
CVE-2026-33403
MEDIUM
CVSS 6.1
Reflected DOM-based XSS in Pi-hole Admin Interface versions 6.0 through 6.4 allows unauthenticated attackers to inject arbitrary HTML via a crafted malicious URL targeting the file parameter in taillog.js, potentially enabling credential exfiltration through injected form elements due to a missing form-action Content-Security-Policy directive; fixed in version 6.5.
XSS
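Three entries on this page come down to a response header that is present but not doing its job: the Bulwark Webmail CSP sent as Report-Only, the Pi-hole CSP with no form-action directive, and the AVideo session cookie sent with SameSite=None. The following is an added example, not code from any of those projects, of a header audit that parses the CSP and Set-Cookie values and flags each of the three; the header sets are constructed to resemble each case and nothing is fetched.

```python
"""Auditing response headers for the three misconfigurations in these entries:
a Content-Security-Policy that is only Report-Only, a CSP with no form-action
directive, and a session cookie sent with SameSite=None.

Added illustration, not code from Bulwark Webmail, Pi-hole or AVideo. The three
header sets below are constructed to resemble each case; nothing is fetched.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]


def parse_csp(value: str) -> Dict[str, List[str]]:
    """'default-src 'self'; script-src x' -> {'default-src': ["'self'"], ...}"""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """'sid=1; Path=/; Secure' -> ('sid', {'path': '/', 'secure': ''})"""
    first, *rest = (p.strip() for p in value.split(";"))
    name = first.split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for attr in rest:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers: Dict[str, List[str]]) -> List[Finding]:
    """Each header maps to the list of values it was sent with (Set-Cookie repeats)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []
    enforced = h.get("content-security-policy", [])
    report_only = h.get("content-security-policy-report-only", [])
    if not enforced:
        if report_only:
            findings.append(("csp-report-only", "violations are reported, never blocked"))
        else:
            findings.append(("csp-missing", "no Content-Security-Policy header"))
    for raw in enforced:
        policy = parse_csp(raw)
        if "form-action" not in policy:
            findings.append(("csp-no-form-action", "an injected <form> may post to any origin"))
        scripts = policy.get("script-src", policy.get("default-src"))
        if scripts is None:
            findings.append(("csp-no-script-src", "neither script-src nor default-src set"))
        elif "'unsafe-inline'" in scripts and not any(s.startswith(("'nonce-", "'sha")) for s in scripts):
            findings.append(("csp-unsafe-inline", "inline scripts allowed without nonce/hash"))
    for raw in h.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        same_site = attrs.get("samesite", "").lower()
        if same_site == "none":
            findings.append(("cookie-samesite-none", name))   # sent on cross-site POST: CSRF-relevant
            if "secure" not in attrs:
                findings.append(("cookie-samesite-none-insecure", name))
        elif not same_site:
            findings.append(("cookie-samesite-unset", name))
        if "httponly" not in attrs:
            findings.append(("cookie-no-httponly", name))
    return findings


# Constructed header sets resembling the three cases
WEBMAIL_REPORT_ONLY = {
    "Content-Security-Policy-Report-Only": ["default-src 'self'; script-src 'self'"],
    "Set-Cookie": ["session=abc; Path=/; HttpOnly; Secure; SameSite=Lax"],
}
ADMIN_NO_FORM_ACTION = {
    "Content-Security-Policy": ["default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"],
    "Set-Cookie": ["sid=1; Path=/; HttpOnly; SameSite=Strict"],
}
VIDEO_SAMESITE_NONE = {
    "Set-Cookie": ["PHPSESSID=x; Path=/; Secure; SameSite=None"],
}


def finding_codes(headers: Dict[str, List[str]]) -> set:
    return {code for code, _ in audit_headers(headers)}
```

Note that form-action does not fall back to default-src, which is why a policy that looks tight (`default-src 'self'`) still lets an injected form post credentials elsewhere; it has to be set explicitly.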
-
CVE-2026-32602
MEDIUM
CVSS 4.2
Homarr prior to version 1.57.0 contains a race condition in the user registration endpoint that allows authenticated attackers to bypass single-use invite token restrictions and create multiple user accounts with a single token. The vulnerability stems from non-atomic database operations (CHECK, CREATE, DELETE) that can be exploited through concurrent requests, enabling unauthorized account creation on instances with restrictive registration policies. The issue is patched in version 1.57.0.
Information Disclosure
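The CHECK, CREATE, DELETE sequence in the entry above is a textbook time-of-check/time-of-use window. The following is an added example, not Homarr code, that interleaves two registration requests step by step against an in-memory SQLite table so the window is hit deterministically, and shows the atomic alternative where the DELETE's row count is the check. The table layout and token value are constructed.

```python
"""Single-use invite tokens: check-then-act versus one atomic consume.

Added illustration, not Homarr code. Uses an in-memory SQLite table and
interleaves two registration requests step by step so the window between
CHECK and DELETE is hit deterministically; the table layout and token value
are constructed for the demo.
"""
import sqlite3


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invites (token TEXT PRIMARY KEY)")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, invited_by TEXT NOT NULL)")
    conn.execute("INSERT INTO invites VALUES ('inv-123')")
    conn.commit()
    return conn


def register_unsafe_steps(conn, token, username):
    """CHECK, CREATE, DELETE as three separate statements. Yields after each
    step so two requests can be interleaved the way concurrent handlers are."""
    if conn.execute("SELECT 1 FROM invites WHERE token = ?", (token,)).fetchone() is None:
        yield "rejected"
        return
    yield "checked"
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, token))
    yield "created"
    conn.execute("DELETE FROM invites WHERE token = ?", (token,))  # deletes 0 rows the second time, silently
    yield "consumed"


def register_safe(conn, token, username) -> bool:
    """Consume and create in one transaction; the DELETE's row count is the check."""
    with conn:
        deleted = conn.execute("DELETE FROM invites WHERE token = ?", (token,)).rowcount
        if deleted != 1:
            return False              # already used (or never existed): no account
        conn.execute("INSERT INTO users VALUES (?, ?)", (username, token))
    return True


def interleave(*requests):
    """Round-robin scheduler: every request runs its CHECK before any DELETE runs."""
    active = list(requests)
    while active:
        for req in list(active):
            try:
                next(req)
            except StopIteration:
                active.remove(req)


def demo_unsafe() -> int:
    conn = fresh_db()
    interleave(register_unsafe_steps(conn, "inv-123", "alice"),
               register_unsafe_steps(conn, "inv-123", "mallory"))
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo_safe():
    conn = fresh_db()
    outcomes = [register_safe(conn, "inv-123", "alice"),
                register_safe(conn, "inv-123", "mallory")]
    return outcomes, conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
```

Against a real database with separate connections the same property holds because the row-level lock serialises the two DELETEs and exactly one of them reports a row count of 1. `UPDATE invites SET used_at = ... WHERE token = ? AND used_at IS NULL` works identically if you want to keep the consumed token as an audit record instead of deleting it.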
-
CVE-2026-31354
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in Feehi CMS v2.1.1 Permissions module allows authenticated users to inject malicious scripts via Group, Category, or Description parameters, potentially enabling session hijacking or malware distribution to other authenticated users. Attack requires valid credentials and user interaction (UI:R per CVSS), limiting immediate risk despite network accessibility. No public exploit code or active exploitation has been confirmed; EPSS probability is minimal at 0.01% (3rd percentile).
XSS
-
CVE-2026-31353
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in Feehi CMS v2.1.1 Category module allows authenticated attackers to inject arbitrary web scripts via the Name parameter, affecting users who subsequently view the malicious content. The vulnerability requires user interaction (rendering in a browser) and authenticated access to inject the payload, but once stored, it executes in the context of any user viewing the affected category. EPSS exploitation probability is extremely low at 0.02% (5th percentile), indicating minimal real-world attack likelihood despite moderate CVSS score.
XSS
-
CVE-2026-31352
MEDIUM
CVSS 5.4
Stored XSS in Feehi CMS v2.1.1 Role Management module allows authenticated users to execute arbitrary scripts via malicious Role Name input, affecting all users viewing the affected role. The vulnerability requires prior authentication and user interaction (UI:R), limiting its scope to authenticated attackers within the application; EPSS score of 0.02% indicates minimal real-world exploitation probability despite public visibility.
XSS
-
CVE-2026-31351
MEDIUM
CVSS 4.8
Stored XSS in Feehi CMS v2.1.1 creation/editing module allows authenticated high-privilege users to execute arbitrary scripts via malicious Title parameter injection, affecting all users who view the affected content. The vulnerability requires high-privilege authentication and user interaction (UI:R), limiting real-world exploitability to insider threats or compromised administrative accounts; CVSS 4.8 reflects low impact (CIA:L) and confined scope.
XSS
-
CVE-2026-31350
MEDIUM
CVSS 5.4
Authenticated stored XSS in Feehi CMS v2.1.1 allows authenticated users to inject arbitrary web scripts or HTML via the Page Sign parameter, enabling session hijacking, credential theft, or malware distribution to other users viewing affected pages. EPSS exploitation probability is minimal at 0.02%, and no public exploit code or active exploitation has been confirmed, indicating low real-world attack urgency despite the CVSS medium score.
XSS
-
CVE-2026-31313
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in Feehi CMS v2.1.1 allows authenticated attackers to inject malicious scripts into the Content field during page/post creation or editing, which execute in the browsers of other users viewing the affected content. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting its severity to CVSS 5.4 (medium). No public exploit code or active exploitation has been identified; EPSS score of 0.02% indicates extremely low real-world exploitation probability despite public disclosure.
XSS
-
CVE-2026-31153
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in Bynder v0.1.394 allows authenticated attackers to inject and execute arbitrary web scripts or HTML through a crafted payload, affecting users who interact with the malicious content. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate mass exploitation but posing a risk in collaborative environments where users trust stored content. No active exploitation has been confirmed in CISA records, and EPSS/KEV status indicates a lower real-world exploitation probability despite the stored XSS vector.
XSS
-
CVE-2026-31150
MEDIUM
CVSS 4.3
Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated users with the shipping/receiving role to access truck dashboard resources beyond their assigned permissions, resulting in unauthorized information disclosure. The vulnerability requires valid authentication credentials and affects a specific version of the Kaleris Yard Management System (YMS). Public exploit code is available, and CISA has identified this as exploitable through their SSVC framework, though technical impact is limited to confidentiality breach without integrity or availability consequences.
Authentication Bypass
-
CVE-2026-31067
MEDIUM
CVSS 6.8
Remote command execution in UTT Aggressive 520W v3v1.7.7-180627 via the /goform/formReleaseConnect component allows authenticated attackers with high privileges to execute arbitrary system commands through a crafted string parameter, resulting in complete system compromise (confidentiality, integrity, and availability impact). No public exploit code or active exploitation has been confirmed at the time of analysis.
Command Injection
-
CVE-2026-31066
MEDIUM
CVSS 4.5
Buffer overflow in UTT Aggressive HiPER 810G v3 v1.7.7-171114 formTaskEdit function allows authenticated administrators to cause denial of service through a malformed selDateType parameter. The vulnerability is a classic stack-based buffer overflow (CWE-120) requiring high-privilege local network access; no public exploitation framework has been identified, and CVSS 4.5 reflects the limited scope (DoS only, no code execution or information disclosure).
Denial Of Service
Buffer Overflow
-
CVE-2026-31065
MEDIUM
CVSS 4.5
Buffer overflow in UTT Aggressive 520W v3 firmware version 1.7.7-180627 allows authenticated high-privilege attackers to cause denial of service by supplying crafted input to the addCommand parameter of the formConfigCliForEngineerOnly function. The vulnerability requires administrative-level access and local network connectivity, limiting real-world attack surface despite the buffer overflow class of vulnerability.
Denial Of Service
Buffer Overflow
-
CVE-2026-31063
MEDIUM
CVSS 4.5
Buffer overflow in UTT Aggressive HiPER 1200GW v2.5.3-170306 formArpBindConfig function allows authenticated attackers with high privileges to cause denial of service by supplying a crafted input to the pools parameter. CVSS score of 4.5 reflects limited attack surface (local network access required) and high privilege requirement, though impact is complete availability loss. No public exploit code or active exploitation confirmed at time of analysis.
Denial Of Service
Buffer Overflow
-
CVE-2026-31062
MEDIUM
CVSS 4.5
Buffer overflow in UTT Aggressive 520W v3 v1.7.7-180627 filename parameter of formFtpServerDirConfig function allows authenticated attackers with high privileges to cause denial of service. The vulnerability requires local network access and high-level administrative credentials; no public exploit code or active exploitation has been confirmed at time of analysis.
Denial Of Service
Buffer Overflow
-
CVE-2026-31061
MEDIUM
CVSS 4.5
Buffer overflow in UTT Aggressive HiPER 810G v3 v1.7.7-171114 ConfigAdvideo function allows authenticated local attackers with high privileges to cause denial of service by crafting malicious input to the timestart parameter. The vulnerability scores low-to-moderate risk (CVSS 4.5) due to strict prerequisites: network access limited to adjacent network only, high privilege requirement, and impact restricted to availability.
Denial Of Service
Buffer Overflow
-
CVE-2026-31060
MEDIUM
CVSS 4.5
Buffer overflow in UTT Aggressive HiPER 810G v3 version 1.7.7-171114 within the notes parameter of the formGroupConfig function enables authenticated administrators to trigger a denial of service condition through a crafted input. The vulnerability requires high-privilege access and cannot result in code execution, but represents a threat to device availability. No public exploit code has been independently confirmed, and this CVE does not appear on the CISA KEV catalog at time of analysis.
Denial Of Service
Buffer Overflow
-
CVE-2026-31058
MEDIUM
CVSS 4.5
Buffer overflow in UTT Aggressive HiPER 1200GW v2.5.3-170306 timeRangeName parameter allows authenticated attackers with high privileges to cause denial of service through crafted input to the formConfigDnsFilterGlobal function. CVSS score of 4.5 reflects local/adjacent network attack vector and high-privilege requirement, with no confidentiality or integrity impact. No public exploit code or active exploitation confirmed at time of analysis.
Denial Of Service
Buffer Overflow
-
CVE-2026-31053
MEDIUM
CVSS 6.2
Double free vulnerability in Rizin's LE binary format parser (librz/bin/format/le/le.c) allows local attackers to trigger heap corruption and denial of service by providing a specially crafted LE binary with circular or malformed fixup chains. The le_load_fixup_record() function improperly manages memory during error handling, freeing relocation entries multiple times. With CVSS 6.2 and local attack vector, this poses moderate risk to systems and automated analysis pipelines that process untrusted binaries without sandboxing.
Denial Of Service
-
CVE-2026-30613
MEDIUM
CVSS 4.6
AZIOT 1 Node Smart Switch (16amp) WiFi/Bluetooth Enabled firmware version 1.1.9 allows information disclosure through unauthenticated UART debug interface access. An attacker with physical access to the device can connect to the serial console and extract sensitive information without any authentication barrier. This vulnerability has an EPSS score of 0.03% (9th percentile), indicating very low real-world exploitation probability despite the high confidentiality impact rating.
Information Disclosure
-
CVE-2026-22675
MEDIUM
CVSS 5.1
Stored cross-site scripting in OCS Inventory NG Server 2.12.3 and prior allows unauthenticated attackers to inject malicious JavaScript via User-Agent HTTP headers to the /ocsinventory endpoint, which is then stored and executed in the browsers of authenticated users viewing the statistics dashboard. The vulnerability requires user interaction (dashboard access) but affects all instances accepting agent registrations without input validation, creating a persistent attack surface for multi-user deployments.
XSS
-
CVE-2026-5704
MEDIUM
CVSS 5.0
Tar archive extraction allows hidden file injection by local authenticated users through crafted malicious archives, bypassing pre-extraction inspection mechanisms and enabling introduction of attacker-controlled files. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10, requires local access and user interaction (extraction action), and presents a moderate integrity risk (CVSS 5.0) with no confirmed active exploitation or public proof-of-concept at time of analysis.
File Upload
-
CVE-2026-5692
MEDIUM
CVSS 6.9
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the 'enable' parameter in the setGameSpeedCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists on GitHub (EPSS and KEV status not provided, but publicly available proof-of-concept increases immediate risk). Attack vector is network-based with low complexity requiring no user interaction or authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N).
Command Injection
-
CVE-2026-5691
MEDIUM
CVSS 6.9
Remote command injection in Totolink A7100RU 7.4cu.2313_b20191024 allows unauthenticated attackers to execute arbitrary OS commands via the firewallType parameter in the setFirewallType function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.9 with low confidentiality, integrity, and availability impact. Public exploit code exists and the vulnerability is potentially actively exploited.
Command Injection
-
CVE-2026-5690
MEDIUM
CVSS 6.9
Remote command injection in Totolink A7100RU firmware version 7.4cu.2313_b20191024 allows unauthenticated attackers to execute arbitrary OS commands by manipulating the enable parameter in the setRemoteCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a publicly available exploit and a CVSS 6.9 score reflecting remote network accessibility with low attack complexity. Real-world risk is elevated due to the presence of published exploit code and the direct path to command execution in a widely deployed home router model.
Command Injection
-
CVE-2026-5689
MEDIUM
CVSS 6.9
Remote code execution via OS command injection in Totolink A7100RU 7.4cu.2313_b20191024 allows unauthenticated network attackers to execute arbitrary commands through the tz parameter in the setNtpCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the vulnerability carries a CVSS 6.9 score indicating moderate severity with low impact across confidentiality, integrity, and availability.
Command Injection
-
CVE-2026-5688
MEDIUM
CVSS 6.9
OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the 'provider' parameter in the setDdnsCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (GitHub POC) demonstrating practical exploitation. Rated CVSS 6.9 with a network-accessible attack vector requiring no authentication or user interaction, this represents a significant risk to exposed devices, though no active exploitation has been confirmed by CISA KEV at time of analysis.
Command Injection
-
CVE-2026-5683
MEDIUM
CVSS 5.1
Stack-based buffer overflow in Tenda CX12L firmware version 16.03.53.12 allows authenticated local network attackers to cause memory corruption via manipulation of the page parameter in the P2pListFilter function. The vulnerability requires local network access and authenticated privileges but carries publicly available exploit code, elevating practical risk despite the moderate CVSS score of 5.1.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-5682
MEDIUM
CVSS 6.3
Meesho Online Shopping App versions up to 27.3 on Android implement risky cryptographic algorithms in the /api/endpoint component (com.meesho.supply), enabling remote attackers to disclose sensitive information without authentication. The vulnerability has CVSS 6.3 severity with public exploit code availability, though exploitation requires high attack complexity. This impacts the confidentiality of user data processed through affected API endpoints.
Google
Information Disclosure
-
CVE-2026-5681
MEDIUM
CVSS 5.3
SQL injection in itsourcecode's 'sanitize or validate this input' application allows authenticated remote attackers to execute arbitrary SQL queries via the emp_id parameter in /borrowedequip.php, potentially compromising data confidentiality and integrity. The vulnerability affects version 1.0 and has publicly available exploit code; exploitation requires valid login credentials but carries low-to-moderate real-world risk given the CVSS 5.3 score and authenticated attack requirement.
SQLi
PHP
-
CVE-2026-5679
MEDIUM
CVSS 5.1
OS command injection in Totolink A3300R firmware version 17.0.0cu.557_B20221024 allows authenticated attackers on the local network to execute arbitrary commands via the stun_pass parameter in the vsetTr069Cfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 5.1 (medium severity) with a CVSS:4.0/AV:A/AC:L/PR:L vector, indicating adjacent network access and low privileges. Publicly available exploit code exists, though active exploitation status (CISA KEV) is not confirmed.
Command Injection
-
CVE-2026-5678
MEDIUM
CVSS 6.9
OS command injection in Totolink A7100RU firmware version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary commands via manipulation of the mode parameter in the setScheduleCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists for this vulnerability, creating immediate risk for exposed devices.
Command Injection
-
CVE-2026-5677
MEDIUM
CVSS 6.9
Remote command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated attackers to execute arbitrary OS commands via manipulation of the resetFlags parameter in the CsteSystem function (/cgi-bin/cstecgi.cgi). Publicly available exploit code exists for this vulnerability, which achieves a CVSS 6.9 score with low confidentiality, integrity, and availability impact across multiple scopes.
Command Injection
-
CVE-2026-5676
MEDIUM
CVSS 6.9
Authentication bypass in Totolink A8000R 5.9c.681_B20180413 allows remote attackers to manipulate the langType parameter in the setLanguageCfg function at /cgi-bin/cstecgi.cgi to bypass authentication controls without credentials. This unauthenticated remote vulnerability has publicly available exploit code and poses a confirmed risk to exposed router management interfaces.
Authentication Bypass
-
CVE-2026-5675
MEDIUM
CVSS 5.3
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to manipulate the 'emp' parameter in /borrowed_tool.php, resulting in limited confidentiality, integrity, and availability impact. The vulnerability requires valid credentials (PR:L) but has publicly available exploit code, though exploitation probability remains moderate (EPSS indicates P:P status). This is a classic parameter injection flaw in a PHP application with real but constrained risk due to authentication requirements.
SQLi
PHP
-
CVE-2026-5673
MEDIUM
CVSS 5.6
Heap-based out-of-bounds read in libtheora's AVI parser allows local attackers with limited privileges to trigger application crashes or leak heap memory via specially crafted AVI files with truncated header sub-chunks. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and requires user interaction (opening a malicious file), with real-world impact limited to denial-of-service and potential information disclosure rather than code execution.
Information Disclosure
Buffer Overflow
-
CVE-2026-5672
MEDIUM
CVSS 6.9
SQL injection in code-projects Simple IT Discussion Forum 1.0 via the cat_id parameter in /edit-category.php allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leading to data exfiltration, modification, or deletion. The vulnerability has a publicly disclosed exploit and moderate CVSS score (6.9) with confirmed exploitation capability signals.
SQLi
PHP
-
CVE-2026-5671
MEDIUM
CVSS 5.3
Cross-site scripting (XSS) in Cyber-III Student-Management-System allows unauthenticated remote attackers to inject malicious scripts via the batch parameter in the /admin/class%20schedule/delete_batch.php endpoint, caused by improper input validation. The vulnerability affects all versions up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f and has publicly available exploit code disclosed on GitHub; the vendor has not responded to early notification.
XSS
PHP
-
CVE-2026-5670
MEDIUM
CVSS 5.3
Unrestricted file upload in Cyber-III Student-Management-System allows authenticated remote attackers to upload arbitrary files via manipulation of the File parameter in /AssignmentSection/submission/upload.php, leading to potential remote code execution or data exfiltration. The vulnerability affects the move_uploaded_file function and has publicly available exploit code; the vendor has not responded to early disclosure notification. CVSS 5.3 reflects low confidentiality and integrity impact within an authenticated context, though real-world risk depends on file execution permissions and web server configuration.
PHP
File Upload
Authentication Bypass
-
CVE-2026-5669
MEDIUM
CVSS 6.9
SQL injection in Cyber-III Student-Management-System login parameter handler allows unauthenticated remote attackers to execute arbitrary SQL queries via the Password parameter in /login.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and the affected project uses rolling releases without fixed version tagging, complicating patch status determination. CVSS 6.9 reflects moderate severity with low confidentiality, integrity, and availability impact across multiple scopes.
PHP
SQLi
-
CVE-2026-5668
MEDIUM
CVSS 4.8
Cross-site scripting (XSS) in Cyber-III Student-Management-System allows high-privileged authenticated attackers to inject malicious scripts via the $_SERVER['PHP_SELF'] parameter in the /admin/Add%20notice/add%20notice.php endpoint. The vulnerability requires user interaction (UI:P) to trigger and is confirmed by publicly available exploit code, though real-world risk is mitigated by high privilege requirements (PR:H) and limited technical impact (integrity only). The product uses rolling releases with no versioning, and the vendor has not responded to early disclosure.
PHP
XSS
-
CVE-2026-5666
MEDIUM
CVSS 5.5
Code-Projects Online FIR System 1.0 stores sensitive database backup files insecurely, allowing unauthenticated remote attackers to access the /complaints.sql backup file and disclose confidential information. The CVSS 5.5 score reflects low confidentiality impact but network-accessible exposure; publicly available exploit code exists, elevating practical risk despite the moderate score.
Information Disclosure
-
CVE-2026-5665
MEDIUM
CVSS 6.9
SQL injection in code-projects Online FIR System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the email and password parameters in /Login/checklogin.php. CVSS 7.3 (High) with attack vector Network, Low complexity, and No privileges required. Publicly available exploit code exists (GitHub POC published). EPSS data not provided, but the combination of unauthenticated access, public exploit, and login bypass potential makes this a significant risk for exposed instances.
SQLi
PHP
-
CVE-2026-5663
MEDIUM
CVSS 6.9
OS command injection in OFFIS DCMTK's storescp utility (versions up to 3.7.0) allows unauthenticated remote attackers to execute arbitrary system commands via crafted DICOM network operations. The vulnerability resides in the executeOnReception and executeOnEndOfStudy functions within dcmnet/apps/storescp.cc. With a CVSS score of 7.3 and network attack vector requiring no authentication, this presents significant risk to medical imaging systems using vulnerable DCMTK versions. Vendor patch edbb085e45788dccaf0e64d71534cfca925784b8 is available; no public exploit identified at time of analysis.
Command Injection
-
CVE-2026-5661
MEDIUM
CVSS 5.5
Denial of service in Free5GC 4.2.0 NGSetupRequest Handler allows unauthenticated remote attackers to crash the AMF (Access and Mobility Management Function) component via malformed requests. The vulnerability has a publicly available exploit and a vendor-released patch, with EPSS score of 5.3 indicating moderate but real exploitation risk despite low CVSS scoring.
Denial Of Service
-
CVE-2026-5660
MEDIUM
CVSS 5.3
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the emp parameter in /borrowed_equip.php, potentially compromising data confidentiality and integrity. The vulnerability has a CVSS score of 5.3 with publicly available exploit code; however, exploitation requires valid authentication credentials and does not grant administrative privileges or enable denial of service.
PHP
SQLi
-
CVE-2026-5659
MEDIUM
CVSS 5.3
Unsafe deserialization in pytries datrie through version 0.8.3 enables remote code execution when loading untrusted trie files via Trie.load(), Trie.read(), or Trie.__setstate__(). Unauthenticated remote attackers can exploit this vulnerability by crafting malicious serialized trie objects; publicly available exploit code exists, and the maintainers have not yet addressed the issue despite early notification.
Deserialization
-
CVE-2026-5650
MEDIUM
CVSS 5.5
Code-Projects Online Application System for Admission 1.0 stores sensitive information insecurely in the /enrollment/database/oas.sql file, allowing remote unauthenticated attackers to disclose confidential data. The vulnerability has publicly available exploit code and is rated CVSS 5.3 with an EPSS percentile indicating moderate exploitation probability. Attackers can access the database backup file remotely without authentication or user interaction, leading to information disclosure.
Information Disclosure
-
CVE-2026-5649
MEDIUM
CVSS 5.3
SQL injection in code-projects Online Application System for Admission 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the /enrollment/admsnform.php endpoint, enabling data exfiltration and database manipulation. The vulnerability has a CVSS score of 6.3 (medium severity) with public exploit code disclosed; exploitation requires valid user credentials but no special complexity.
PHP
SQLi
-
CVE-2026-5648
MEDIUM
CVSS 6.9
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the firstName parameter in /userfinishregister.php, enabling data exfiltration and manipulation. The vulnerability has publicly available exploit code and a published CVSS 6.9 score reflecting moderate confidentiality and integrity impact.
PHP
SQLi
-
CVE-2026-5647
MEDIUM
CVSS 4.8
Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated administrators to inject malicious scripts via the product_name parameter in the Add Product Page (/admin/admin_feature.php), which execute in the context of other users' browsers. The vulnerability requires high-privilege administrative access and user interaction (clicking a malicious link), limiting real-world impact, but publicly available exploit code exists.
PHP
XSS
-
CVE-2026-5646
MEDIUM
CVSS 6.9
SQL injection in code-projects Easy Blog Site 1.0 allows unauthenticated remote attackers to compromise authentication and potentially extract, modify, or delete database contents via crafted username/password parameters in login.php. CVSS 7.3 (High) with network attack vector, low complexity, and no authentication required. Publicly available exploit code exists (GitHub POC), significantly lowering the barrier to exploitation. No vendor-released patch identified at time of analysis.
SQLi
PHP
-
CVE-2026-5645
MEDIUM
CVSS 6.9
SQL injection in projectworlds Car Rental System 1.0 allows unauthenticated remote attackers to manipulate database queries via the mpesa parameter in /pay.php. The vulnerability carries a CVSS score of 7.3 with network-based exploitation requiring low complexity and no user interaction. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation, though no CISA KEV listing confirms active widespread exploitation at time of analysis.
SQLi
PHP
-
CVE-2026-5644
MEDIUM
CVSS 4.8
Stored cross-site scripting (XSS) in Cyber-III Student-Management-System via manipulation of the $_SERVER['PHP_SELF'] variable in the batch-notice.php admin file allows authenticated attackers with high privileges to inject malicious scripts. The vulnerability affects all versions up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f, exploitable remotely with user interaction, and publicly available exploit code exists. CVSS score of 4.8 reflects moderate risk constrained by authentication and interaction requirements, though the integrity impact and active public disclosure elevate operational concern.
PHP
XSS
-
CVE-2026-5643
MEDIUM
CVSS 4.8
Reflected cross-site scripting in Cyber-III Student-Management-System up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f allows high-privilege authenticated attackers to inject malicious scripts via the $_SERVER['PHP_SELF'] parameter in the admin notice endpoint (/admin/Add%20notice/notice.php). Publicly available exploit code exists, and the vulnerability requires user interaction (UI) to trigger, limiting practical impact despite remote accessibility.
PHP
XSS
-
CVE-2026-5642
MEDIUM
CVSS 6.9
Improper authorization in Cyber-III Student-Management-System allows unauthenticated remote attackers to bypass authentication controls via crafted HTTP POST requests to /viva/update.php. The vulnerability (CWE-285) enables unauthorized modification of student records by manipulating the 'Name' parameter. Publicly available exploit code exists (GitHub issue #236), and the project maintainer has not responded to responsible disclosure attempts. EPSS data not provided, but CVSS 7.3 with PR:N indicates significant risk for internet-facing deployments.
Authentication Bypass
PHP
-
CVE-2026-5641
MEDIUM
CVSS 5.3
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the filename parameter in /admin/update-image1.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists, elevating real-world risk despite the moderate CVSS score.
PHP
SQLi
-
CVE-2026-5640
MEDIUM
CVSS 5.3
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the filename parameter in /admin/update-image2.php. The vulnerability affects the parameter handling mechanism and has publicly available exploit code; attackers with administrative credentials can manipulate the filename argument to inject SQL commands, potentially leading to data exfiltration or modification, with limited direct impact on the confidentiality and integrity of the application layer.
SQLi
PHP
-
CVE-2026-5639
MEDIUM
CVSS 5.3
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to manipulate the filename parameter in /admin/update-image3.php, leading to database query manipulation with limited confidentiality and integrity impact. The vulnerability carries a CVSS score of 5.3 (medium severity) and requires valid admin credentials to exploit; publicly available exploit code exists but the vulnerability is not confirmed as actively exploited in CISA KEV.
PHP
SQLi
-
CVE-2026-5638
MEDIUM
CVSS 5.5
Path traversal in HerikLyma CPPWebFramework up to version 3.1 allows remote attackers to read arbitrary files on the server with low confidentiality impact. The vulnerability requires no authentication and can be exploited over the network with low complexity; publicly available exploit code exists. The vendor has been notified via GitHub issue but has not yet responded or released a patch.
Path Traversal
-
CVE-2026-5637
MEDIUM
CVSS 6.9
SQL injection in projectworlds Car Rental System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the Message parameter in /message_admin.php. Publicly available exploit code exists, significantly lowering the barrier to exploitation. The vulnerability enables unauthorized data access, modification, and potential denial of service against the administrative messaging interface. CVSS 7.3 severity reflects network-accessible attack vector with low complexity and no authentication requirement.
SQLi
PHP
-
CVE-2026-5636
MEDIUM
CVSS 5.3
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the oid parameter in /cancelorder.php, potentially enabling unauthorized data access or modification. Publicly available exploit code exists for this vulnerability, which affects the parameter handler component and carries a CVSS score of 5.3 with confirmed exploitation feasibility.
PHP
SQLi
-
CVE-2026-5635
MEDIUM
CVSS 5.3
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL commands via the cid parameter in /categorywise-products.php. Publicly available exploit code exists for this vulnerability, which affects the parameter handler component. The attack requires valid user credentials but carries low impact, affecting confidentiality, integrity, and availability of data at limited scope.
PHP
SQLi
-
CVE-2026-5634
MEDIUM
CVSS 6.9
SQL injection in projectworlds Car Rental Project 1.0 allows remote attackers to execute arbitrary SQL queries via the fname parameter in /book_car.php, enabling unauthenticated database manipulation with potential confidentiality and integrity impact. The vulnerability has publicly available exploit code and a moderate CVSS score of 6.9; its low attack complexity makes exploitation practical.
PHP
SQLi
-
CVE-2026-5633
MEDIUM
CVSS 6.9
Server-side request forgery in gpt-researcher versions up to 3.4.3 allows unauthenticated remote attackers to manipulate the source_urls parameter at the ws endpoint, enabling partial confidentiality, integrity, and availability impacts. A publicly available exploit exists via GitHub issue #1696, though the vendor has not responded to early disclosure. EPSS data not provided, but the low attack complexity (AC:L) and proof-of-concept availability elevate immediate risk for exposed instances.
SSRF
-
CVE-2026-5632
MEDIUM
CVSS 6.9
Missing authentication in gpt-researcher HTTP REST API (versions ≤3.4.3) allows remote attackers to bypass access controls and interact with the API without credentials. Publicly available exploit code exists (GitHub issue #1695), enabling unauthorized information disclosure, data manipulation, and service disruption. CVSS 7.3 with network attack vector, low complexity, and no privileges required indicates significant exploitability. Vendor has not responded to early disclosure (VulDB submission 785874), leaving users without official patch guidance.
Authentication Bypass
-
CVE-2026-5631
MEDIUM
CVSS 6.9
Remote code injection in gpt-researcher (assafelovic) versions up to 3.4.3 allows unauthenticated attackers to execute arbitrary code via the WebSocket endpoint's extract_command_data function. The vulnerability stems from improper input validation of the 'args' parameter in backend/server/server_utils.py. Publicly available exploit code exists (GitHub issue #1694), though confirmed active exploitation (CISA KEV) has not been reported. With CVSS 7.3 and network-accessible attack vector requiring no authentication, this represents a significant risk to exposed instances, though vendor response remains pending.
Code Injection
RCE
-
CVE-2026-5630
MEDIUM
CVSS 5.3
Stored cross-site scripting (XSS) in assafelovic gpt-researcher versions up to 3.4.3 allows unauthenticated remote attackers to inject malicious scripts via the Report API in backend/server/app.py. The vulnerability requires user interaction (report viewing) to trigger payload execution and carries low integrity impact (CVSS 4.3). Publicly available exploit code exists, and the vendor has not addressed the issue despite early notification.
XSS
-
CVE-2026-5625
MEDIUM
CVSS 5.3
Cross-site scripting (XSS) vulnerability in assafelovic gpt-researcher up to version 3.4.3 allows unauthenticated remote attackers to inject malicious scripts via manipulation of the task argument in the WebSocket Interface component. Publicly available exploit code exists. The vulnerability affects the file gpt_researcher/skills/researcher.py and carries a low CVSS severity (4.3), but the confirmed proof-of-concept shows the attack is technically feasible.
XSS
-
CVE-2026-5624
MEDIUM
CVSS 5.3
Cross-site request forgery (CSRF) in ProjectSend r2002 allows unauthenticated remote attackers to perform unauthorized file upload operations via the upload.php endpoint with user interaction (UI:R). The vulnerability has been publicly disclosed with exploit code available, and ProjectSend has released patched version r2029 with commit 2c0d25824ab571b6c219ac1a188ad9350149661b to remediate the issue. While the CVSS score of 4.3 indicates low-to-moderate severity, the presence of public exploit code and lack of authentication requirements elevates the real-world risk for unpatched instances.
CSRF
PHP
File Upload
-
CVE-2026-5623
MEDIUM
CVSS 5.3
Server-side request forgery in hcengineering Huly Platform 0.7.382 allows authenticated remote attackers to make arbitrary HTTP requests from the affected server via manipulation of the Import Endpoint in server/front/src/index.ts, potentially enabling access to internal resources, metadata disclosure, or lateral movement within the infrastructure. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts.
SSRF
-
CVE-2026-5622
MEDIUM
CVSS 6.3
JWT token handling in hcengineering Huly Platform 0.7.382 uses hard-coded cryptographic keys in the token.ts component, allowing remote attackers to forge or manipulate authentication tokens with high attack complexity. The vulnerability affects confidentiality and integrity of token-based authentication but requires significant technical effort to exploit, reflected in a low CVSS score (3.7) and high attack complexity rating. No active exploitation has been confirmed, and the vendor has not responded to disclosure attempts.
Information Disclosure
-
CVE-2026-5621
MEDIUM
CVSS 4.8
Local command injection in ChrisChinchilla Vale-MCP up to version 0.1.0 allows authenticated local attackers to execute arbitrary OS commands via manipulation of the config_path argument in the HTTP Interface component (src/index.ts). The vulnerability requires local access and valid user privileges, with publicly available exploit code disclosed after vendor non-response, representing a moderate-risk issue in environments where the MCP tool is deployed with local user access.
Command Injection
-
CVE-2026-5620
MEDIUM
CVSS 5.3
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Home parameter in /borrowed_equip_report.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and demonstrates low attack complexity with network-based delivery requiring valid credentials.
PHP
SQLi
-
CVE-2026-5619
MEDIUM
CVSS 4.8
OS command injection in Braffolk mcp-summarization-functions through version 0.1.5 allows local attackers with user-level privileges to execute arbitrary system commands by manipulating the command argument in the summarize_command function. The vulnerability affects the src/server/mcp-server.ts component and requires local access; publicly available exploit code exists, and the vendor has not responded to disclosure attempts.
Command Injection
-
CVE-2026-5618
MEDIUM
CVSS 6.3
Server-side request forgery (SSRF) in Kalcaddle Kodbox up to version 1.64 allows unauthenticated remote attackers to perform arbitrary network requests via manipulation of the siteFrom/siteTo parameters in the shareMake/shareCheck component, with publicly available exploit code and high attack complexity. The vendor has not responded to disclosure efforts, leaving affected installations vulnerable to information disclosure and potential lateral network attacks.
SSRF
-
CVE-2026-5616
MEDIUM
CVSS 6.9
Missing authentication in JeecgBoot 3.9.0 and 3.9.1 allows unauthenticated remote attackers to access the AI Chat Module functionality without credential verification. The vulnerability resides in JeecgBizToolsProvider.java within the jeecg-module-system component. Vendor-released patches are available via GitHub commits (b7c9aeba and 2c1cc88b) pending inclusion in the next official release. No public exploit code or active exploitation confirmed at time of analysis, though the low attack complexity (AC:L) and network attack vector (AV:N) with no authentication required (PR:N) indicate trivial exploitation potential.
Authentication Bypass
Java
-
CVE-2026-5615
MEDIUM
CVSS 5.3
Cross-site scripting (XSS) in givanz Vvvebjs file upload endpoint allows unauthenticated remote attackers to inject malicious scripts via the uploadAllowExtensions parameter in upload.php. The vulnerability affects Vvvebjs versions up to 2.0.5 and requires user interaction (UI:R). A publicly available exploit exists and a patch (commit 8cac22cff99b8bc701c408aa8e887fa702755336) has been released by the vendor; EPSS exploitation likelihood is indicated as probable (E:P) with a CVSS score of 4.3.
XSS
PHP
File Upload
-
CVE-2026-5607
MEDIUM
CVSS 5.3
Server-side request forgery (SSRF) in imprvhub mcp-browser-agent through version 0.8.0 allows authenticated remote attackers to manipulate URL parameters in the CallToolRequestSchema handler, enabling them to forge requests to arbitrary servers. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts, creating unmitigated exposure for users of affected versions.
SSRF
-
CVE-2026-5606
MEDIUM
CVSS 5.3
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the orderid parameter in /order-details.php, enabling data exfiltration and database manipulation. CVSS 6.3 reflects authenticated access requirement and limited scope; no public exploit code or active KEV status confirmed at time of analysis.
PHP
SQLi
-
CVE-2026-0049
MEDIUM
CVSS 6.2
Resource exhaustion in Android's LocalImageResolver.java onHeaderDecoded function allows local attackers to cause persistent denial of service without requiring special privileges or user interaction. The vulnerability affects Android 14, 15, and 16, with a CVSS score of 6.2 reflecting local attack vector and high availability impact. CISA SSVC assessment indicates no exploitation evidence detected at time of analysis, though the automatable attack vector and partial technical impact warrant prioritization for patching.
Denial Of Service
-
CVE-2025-61166
MEDIUM
CVSS 6.1
Open redirect in Ascertia SigningHub User v10.0 allows unauthenticated remote attackers to redirect users to attacker-controlled websites via crafted URLs, enabling phishing and credential harvesting attacks. The vulnerability requires user interaction (UI:R) to trigger but affects users across security domains (S:C), with CVSS 6.1 (Medium) and no confirmed active exploitation or public exploit code identified at time of analysis.
Open Redirect
-
CVE-2025-48651
MEDIUM
CVSS 5.5
Information disclosure in Google Android allows local authenticated users to read sensitive data from system memory via local file access, achieving high confidentiality impact with low attack complexity. The vulnerability affects Android System-on-Chip (SoC) implementations across multiple versions. EPSS score of 0.01% indicates minimal real-world exploitation probability despite the moderate CVSS 5.5 rating, suggesting this is a low-priority issue in practice.
Information Disclosure
-
CVE-2025-47374
MEDIUM
CVSS 6.5
Memory corruption via use-after-free in Qualcomm Snapdragon SDK occurs when concurrent fence deregistration and signal handling operations access freed memory, allowing authenticated local attackers with low privileges to achieve information disclosure and integrity/availability compromise. CVSS 6.5 reflects local attack vector with high complexity; no public exploit code or active exploitation confirmed at time of analysis.
Use After Free
Memory Corruption
Buffer Overflow
-
CVE-2026-37977
LOW
CVSS 3.7
CORS header injection in Keycloak's User-Managed Access token endpoint allows remote attackers to reflect attacker-controlled origin values before JWT signature validation, potentially exposing low-sensitivity authorization error responses when clients are misconfigured with wildcard origin permissions. The vulnerability requires high attack complexity and affects only clients explicitly configured with webOrigins set to "*", resulting in a low-severity information disclosure with limited real-world exploitability.
Code Injection
-
CVE-2026-33405
LOW
CVSS 3.1
Stored HTML injection in Pi-hole Admin Interface versions 6.0 through 6.4 allows authenticated high-privilege users to inject unescaped HTML into query log details via the formatInfo() function, affecting the upstream, client IP, and error description fields. JavaScript execution is mitigated by Content Security Policy, limiting the practical impact to HTML-based attacks such as DOM manipulation or phishing content injection. The vulnerability is fixed in version 6.5.
XSS
-
CVE-2026-33404
LOW
CVSS 3.4
Pi-hole Admin Interface versions 6.0 through 6.4 fail to escape client hostnames and IP addresses from the FTL database when rendering them into the DOM in the Network page and Dashboard chart tooltips, enabling stored cross-site scripting (XSS) attacks. An authenticated admin with high privileges can inject malicious scripts that execute in the context of other administrators' browsers, though the attack requires initial compromise of a DHCP/DNS client hostname field and circumvention of upstream validation in dnsmasq and FTL. This vulnerability is fixed in version 6.5, and no public exploit code or active exploitation has been identified at the time of analysis.
XSS
-
CVE-2026-31410
None
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION
Use sb->s_uuid for a proper volume identifier as the primary choice.
For filesystems that do not provide a UUID, fall back to stfs.f_fsid
obtained from vfs_statfs().
Linux
Linux Kernel
Information Disclosure
-
CVE-2026-31409
None
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: unset conn->binding on failed binding request
When a multichannel SMB2_SESSION_SETUP request with
SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true
but never clears it on the error path. This leaves the co...
Linux
Linux Kernel
Authentication Bypass
-
CVE-2026-31408
None
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately
releases the lock without holding a reference to the socket. A concurrent
close(...
Linux
Linux Kernel
Use After Free
-
CVE-2026-31407
None
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: add missing netlink policy validations
Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.
These attributes are used by the kernel without any validation.
Extend the netlink policies accordingly....
Linux
Linux Kernel
Buffer Overflow
-
CVE-2026-31406
None
In the Linux kernel, the following vulnerability has been resolved:
xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()
After cancel_delayed_work_sync() is called from
xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining
states via __xfrm_state_delete(), which ca...
Linux
Linux Kernel
Race Condition
-
CVE-2026-31405
None
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-net: fix OOB access in ULE extension header tables
The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
in handle_one_ule_extension() are declared with 255 elements (valid
indices 0-254), but the inde...
Linux Kernel
Buffer Overflow
RCE