254 CVEs tracked today. 41 Critical, 104 High, 99 Medium, 8 Low.
-
CVE-2026-39847
CRITICAL
CVSS 9.1
Path traversal in Emmett Python web framework versions 2.5.0 through 2.8.0 allows unauthenticated remote attackers to read arbitrary files from the server filesystem via malicious requests to the RSGI static handler endpoint. Attackers can bypass directory restrictions by inserting ../ sequences in /__emmett__ asset paths (e.g., /__emmett__/../rsgi/handlers.py) to access sensitive files including source code, configuration files, and credentials. With CVSS 9.1 (Critical) and network-based attack vector requiring no privileges or user interaction, this vulnerability poses severe confidentiality and availability risks. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.
Python
Path Traversal
-
CVE-2026-39846
CRITICAL
CVSS 9.0
Remote code execution in SiYuan Electron desktop client (prior to version 3.6.4) allows authenticated attackers to execute arbitrary code on victim systems through maliciously crafted notes synced across workspaces. The vulnerability chains a stored XSS flaw in table caption rendering with insecure Electron configuration (nodeIntegration enabled, contextIsolation disabled), elevating DOM-based script injection to full Node.js API access. No public exploit identified at time of analysis, though the attack vector is well-documented in the GitHub security advisory. CVSS 9.0 reflects the scope change and high impact across confidentiality, integrity, and availability.
XSS
Node.js
RCE
-
CVE-2026-39397
CRITICAL
CVSS 9.4
Access control bypass in PayloadCMS Puck plugin (delmaredigital/payload-puck) versions prior to 0.6.23 allows unauthenticated remote attackers to perform unauthorized CRUD operations on all Puck-managed content collections. The vulnerability stems from hardcoded overrideAccess: true in API endpoint handlers, completely circumventing collection-level access controls that developers implemented. With CVSS 9.4 (critical severity), CVSS vector PR:N confirms no authentication required, and AC:L indicates trivial exploitation. No CISA KEV listing or public exploit identified at time of analysis, but the vulnerability is straightforward to exploit given the network-accessible API endpoints and complete access control failure.
Authentication Bypass
-
CVE-2026-39382
CRITICAL
CVSS 9.3
Command injection in dbt-labs/actions workflow allows remote code execution via malicious GitHub issue comments. Unauthenticated attackers can inject arbitrary shell commands through unescaped comment-body output in the open-issue-in-repo.yml reusable workflow, affecting dbt-core infrastructure. The vulnerability exists in GitHub Actions workflows where attacker-controlled comment text is interpolated directly into bash if statements without sanitization. Fixed in commit bbed8d28. No public exploit identified at time of analysis, but EPSS scoring and CVSS 9.3 indicate critical severity with network attack vector requiring no privileges.
Command Injection
-
CVE-2026-39355
CRITICAL
CVSS 9.9
Authenticated users can hijack arbitrary team workspaces in Genealogy PHP application versions before 5.9.1 through broken access control, enabling complete takeover of genealogy data belonging to other users. The vulnerability requires only low-privilege authentication (PR:L) with network access (AV:N) and low attack complexity (AC:L), allowing any authenticated user to transfer ownership of non-personal teams to themselves. No public exploit code has been identified at time of analysis, though the straightforward access control flaw and detailed GitHub security advisory make exploitation highly feasible for authenticated attackers.
PHP
Authentication Bypass
-
CVE-2026-39342
CRITICAL
CVSS 9.4
SQL injection in ChurchCRM's QueryView.php allows authenticated users with Data/Reports access to execute arbitrary SQL commands via the searchwhat parameter when using QueryID=15 (Advanced Search). Affects all versions prior to 7.1.0. CVSS 9.4 critical severity reflects network-accessible attack requiring low privileges with high impact across confidentiality, integrity, and availability. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis. Vendor-released patch available in version 7.1.0.
PHP
SQLi
-
CVE-2026-39339
CRITICAL
CVSS 9.1
Authentication bypass in ChurchCRM API middleware enables unauthenticated remote attackers to access all protected endpoints by manipulating URL paths with 'api/public' strings, exposing complete church member databases and system configurations. Affects ChurchCRM versions prior to 7.1.0 with critical CVSS 9.1 rating. EPSS exploitation probability data unavailable; no public exploit code confirmed at time of analysis, though the trivial attack complexity (path manipulation) significantly increases exploitation risk for internet-exposed installations.
PHP
Authentication Bypass
-
CVE-2026-39337
CRITICAL
CVSS 10.0
Remote code execution in ChurchCRM versions prior to 7.1.0 allows unauthenticated attackers to inject arbitrary PHP code through the unsanitized $dbPassword variable during setup wizard initialization, resulting in complete server compromise. This critical flaw (CVSS 10.0) exists as an incomplete fix for CVE-2025-62521 and requires no authentication or user interaction to exploit. The pre-authentication nature and maximum CVSS severity indicate immediate patching priority for all exposed ChurchCRM installations.
PHP
Code Injection
RCE
-
CVE-2026-39324
CRITICAL
CVSS 9.3
Session authentication bypass in Rack::Session::Cookie 2.0.0 through 2.1.1 allows unauthenticated remote attackers to forge valid session cookies and gain unauthorized access. When configured with secrets, the implementation incorrectly falls back to a default decoder on decryption failures rather than rejecting malformed cookies, enabling attackers to manipulate session state without any secret knowledge. CVSS 9.3 (Critical) with network attack vector, low complexity, and no privileges required. No public exploit or active exploitation (CISA KEV) identified at time of analysis, though the simplicity of the attack vector (AC:L, PR:N) suggests exploitation is straightforward once the vulnerability is understood.
Authentication Bypass
-
CVE-2026-39322
CRITICAL
CVSS 9.2
Authentication bypass in PolarLearn ≤0-PRERELEASE-15 allows unauthenticated remote attackers to gain authenticated session access as banned users without password verification. The flaw enables complete account takeover and unauthorized data access through a session generation vulnerability in the /api/v1/auth/sign-in endpoint. CVSS 9.2 (Critical) reflects network-based attack with low complexity and no authentication required. No public exploit identified at time of analysis, but exploitation is straightforward given the authentication bypass mechanism.
Authentication Bypass
-
CVE-2026-35614
CRITICAL
CVSS 9.3
SQL injection in Frappe's bulk_update function enables unauthenticated remote attackers to execute arbitrary SQL commands, potentially achieving complete database compromise including data exfiltration, modification, and deletion. Affects Frappe versions prior to 16.14.0 and 15.104.0. CVSS 9.3 (Critical) reflects network-accessible attack requiring no authentication or user interaction. No public exploit identified at time of analysis, though the attack surface (bulk update API endpoint) and vulnerability class (SQL injection) are well-understood by attackers.
SQLi
-
CVE-2026-35580
CRITICAL
CVSS 9.1
Shell command injection in Emissary workflow engine below version 8.39.0 allows high-privileged attackers with repository write access to execute arbitrary commands via GitHub Actions workflow_dispatch inputs. Attackers exploit unsanitized ${{ }} expression syntax in workflow files to inject malicious shell commands, enabling repository poisoning and supply chain attacks affecting downstream users. CVSS 9.1 (Critical) with Changed scope indicates potential to compromise beyond the vulnerable component. No public exploit code or CISA KEV listing identified at time of analysis, though exploitation requires only repository write access with low attack complexity.
Command Injection
-
CVE-2026-35573
CRITICAL
CVSS 9.1
Remote code execution in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to upload malicious files via path traversal in the backup restore functionality, overwriting Apache .htaccess files to execute arbitrary code. The vulnerability exploits unsanitized user input in RestoreJob.php, enabling attackers with high-privilege access to bypass intended upload restrictions. No public exploit identified at time of analysis, though CVSS 9.1 reflects the critical impact of complete system compromise through changed security scope.
RCE
PHP
Path Traversal
Apache
-
CVE-2026-34580
CRITICAL
CVSS 9.3
Certificate validation bypass in Botan 3.11.0 allows unauthenticated remote attackers to impersonate trusted certificate authorities by presenting end-entity certificates with matching Distinguished Names and subject key identifiers. The flaw in Certificate_Store::certificate_known incorrectly accepts malicious certificates as trusted roots without verifying actual certificate identity, enabling complete TLS/PKI chain validation bypass. This affects only version 3.11.0 and is fixed in 3.11.1. EPSS data not available; no public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity (CVSS:4.0 AV:N/AC:L/PR:N).
Information Disclosure
-
CVE-2026-34078
CRITICAL
CVSS 9.3
Sandbox escape in Flatpak versions prior to 1.16.4 allows applications to access arbitrary host filesystem paths and achieve host-level code execution through symlink manipulation in portal sandbox-expose options. The vulnerability requires no authentication (CVSS:4.0 PR:N) and is exploitable over the network with low complexity. No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack primitive is clearly documented in the vendor advisory.
RCE
-
CVE-2026-33816
CRITICAL
CVSS 9.8
Memory-safety vulnerability in github.com/jackc/pgx/v5 PostgreSQL driver library allows unauthenticated remote attackers to achieve complete system compromise with high confidentiality, integrity, and availability impact. The vulnerability resides in the pgproto3 subpackage and enables network-accessible exploitation without user interaction. Attack complexity is low, requiring no special privileges. Information disclosure confirmed via source tagging. No public exploit identified at time of analysis.
Information Disclosure
Github Com Jackc Pgx V5 Pgproto3
-
CVE-2026-33815
CRITICAL
CVSS 9.8
Remote memory-safety vulnerability in github.com/jackc/pgx/v5 (Go PostgreSQL driver) enables unauthenticated attackers to achieve arbitrary code execution, information disclosure, and denial of service via network vectors. The flaw affects the pgproto3 protocol implementation subpackage with critical-severity CVSS 9.8 scoring. EPSS indicates low observed exploitation activity; no public exploit identified at time of analysis. Vulnerability allows complete compromise of confidentiality, integrity, and availability without user interaction or elevated privileges.
Information Disclosure
Github Com Jackc Pgx V5 Pgproto3
-
CVE-2026-33439
CRITICAL
CVSS 9.3
Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQueue→TemplatesImpl gadget chain with libraries bundled in OpenAM's WAR file. Vendor-released patch available in version 16.0.6 (GitHub commit 014007c). No public exploit code identified at time of analysis, but detailed technical writeup with gadget chain specifics has been published.
Deserialization
RCE
Java
Apache
Tomcat
-
CVE-2026-31272
CRITICAL
CVSS 9.8
Unauthenticated super administrator account creation in MRCMS 3.1.2 allows remote attackers to bypass all access controls and add privileged accounts directly via UserController.save() method. The vulnerability exposes full system compromise through network-accessible endpoints requiring no prior authentication. CVSS 9.8 critical severity reflects unrestricted administrative takeover. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).
Authentication Bypass
Java
N A
-
CVE-2026-31271
CRITICAL
CVSS 9.8
Unauthenticated account creation bypass in megagao production_ssm v1.0 allows remote attackers to create super administrator accounts via direct API access to /user/insert endpoint. The UserController.java insert() method processes account creation requests without authentication enforcement (CVSS vector PR:N confirms unauthenticated access). Successful exploitation grants full administrative control, enabling attackers to compromise confidentiality, integrity, and availability of the entire application. No public exploit identified at time of analysis.
Authentication Bypass
Java
N A
-
CVE-2026-30079
CRITICAL
CVSS 9.8
Authentication bypass in OpenAirInterface V2.2.0 Access Management Function (AMF) allows unauthenticated remote attackers to register unauthorized User Equipment (UE) devices on 5G core networks. Exploiting incorrect state machine transitions during UE registration, attackers send SecurityModeComplete messages after InitialUERegistration to trigger registration acceptance without completing proper authentication procedures. This grants full network access to malicious devices, enabling unauthorized subscriber services consumption, interception of traffic, and potential lateral movement within 5G infrastructure. No public exploit identified at time of analysis.
Authentication Bypass
N A
-
CVE-2026-28386
CRITICAL
CVSS 9.1
Out-of-bounds read in OpenSSL 3.6.0-3.6.1 allows denial of service when AES-CFB128 encryption or decryption processes partial cipher blocks on x86-64 systems with AVX-512 and VAES support. Vulnerability triggers when input buffer ends at a memory page boundary with subsequent unmapped page, causing crashes. Exploitation requires unauthenticated network access but demands specific architectural conditions (AVX-512/VAES) and partial block handling. No public exploit identified at time of analysis. EPSS percentile 5% indicates low observed exploitation activity.
Information Disclosure
Denial Of Service
Buffer Overflow
OpenSSL
-
CVE-2026-23696
CRITICAL
CVSS 9.4
SQL injection in Windmill workflow orchestration platform versions 1.276.0 through 1.603.2 enables authenticated attackers to escalate privileges to administrator and achieve remote code execution. The vulnerability exists in folder ownership management functionality where the owner parameter lacks input sanitization, allowing extraction of JWT signing secrets and administrative user identifiers to forge admin tokens. Publicly available exploit code exists (GitHub POC by Chocapikk), and EPSS risk assessment is critical given the low-complexity remote attack vector requiring only low-privilege authentication. Vendor-released patch: version 1.603.3.
SQLi
RCE
Information Disclosure
-
CVE-2026-22679
CRITICAL
CVSS 9.3
Unauthenticated remote code execution in Weaver E-cology 10.0 (pre-20260312) allows attackers to execute arbitrary system commands via exposed debug functionality at /papi/esearch/data/devops/dubboApi/debug/method. Attackers exploit this by sending crafted POST requests with malicious interfaceName and methodName parameters to invoke command-execution helpers. Confirmed actively exploited (CISA KEV) with exploitation first observed by Shadowserver Foundation on March 31, 2026. Publicly available exploit code exists (h4cker.zip PoC), CVSS 9.8 (Critical), EPSS data not provided but real-world exploitation confirmed.
RCE
Authentication Bypass
E Cology
-
CVE-2026-21413
CRITICAL
CVSS 9.8
Heap-based buffer overflow in LibRaw's lossless JPEG processing (commits 0b56545 and d20315b) allows unauthenticated remote attackers to achieve arbitrary code execution by providing a malicious image file. The vulnerability scores CVSS 9.8 (Critical) with network attack vector, low complexity, and no authentication required. No CISA KEV listing or public exploit identified at time of analysis, though Talos Intelligence has published detailed vulnerability research (TALOS-2026-2331).
Buffer Overflow
-
CVE-2026-20911
CRITICAL
CVSS 9.8
Heap-based buffer overflow in LibRaw's HuffTable::initval function allows unauthenticated remote attackers to achieve arbitrary code execution via malformed image files. Affects LibRaw commits 0b56545 and d20315b with CVSS 9.8 critical severity. Attack requires no user interaction beyond processing a malicious file. No public exploit identified at time of analysis, though technical details from Cisco Talos suggest proof-of-concept exists. EPSS data not available, but the combination of network-accessible attack vector, low complexity, and no authentication barrier represents significant risk for applications processing untrusted image files.
Buffer Overflow
-
CVE-2026-20889
CRITICAL
CVSS 9.8
Heap-based buffer overflow in LibRaw's x3f_thumb_loader function allows remote code execution via malformed image files. The vulnerability affects LibRaw commit d20315b, a widely-used raw image processing library integrated into applications like ImageMagick, GIMP, and numerous photo management tools. The CVSS 9.8 critical rating reflects network-exploitable conditions requiring no authentication or user interaction. With an EPSS score not yet available and no CISA KEV listing, active exploitation is not confirmed at time of analysis, though the attack complexity is low and requires only delivering a specially crafted file to vulnerable processing workflows.
Buffer Overflow
Integer Overflow
-
CVE-2026-5735
CRITICAL
CVSS 9.8
Remote code execution in Mozilla Firefox versions prior to 149.0.2 stems from multiple memory safety bugs allowing unauthenticated network attackers to execute arbitrary code without user interaction. Mozilla confirmed memory corruption evidence across affected versions (Firefox 149.0.1 and Thunderbird 149.0.1), though Thunderbird patch status remains unconfirmed. CVSS 9.8 reflects maximum severity due to network-accessible attack vector with no complexity barriers. No public exploit identified at time of analysis, though the CWE-787 out-of-bounds write class has high weaponization potential once technical details emerge from linked Bugzilla entries.
Memory Corruption
Buffer Overflow
Mozilla
RCE
-
CVE-2026-5734
CRITICAL
CVSS 9.8
Multiple memory corruption vulnerabilities in Mozilla Firefox (< 149.0.2) and Firefox ESR (< 140.9.1) enable unauthenticated remote code execution with critical CVSS 9.8 severity. These memory safety bugs, including CWE-787 out-of-bounds write issues, affect both standard and Extended Support Release channels, with Mozilla confirming evidence of memory corruption exploitable for arbitrary code execution. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, though CVSS vector indicates network-accessible attack requiring no user interaction.
Memory Corruption
Buffer Overflow
Mozilla
RCE
-
CVE-2026-5731
CRITICAL
CVSS 9.8
Remote code execution in Mozilla Firefox and Thunderbird via memory corruption vulnerabilities allows unauthenticated remote attackers to execute arbitrary code without user interaction. Affects Firefox <149.0.2, Firefox ESR <115.34.1, and Firefox ESR <140.9.1 across desktop platforms. With CVSS 9.8 (critical severity, network-accessible, no privileges required) and CWE-119 buffer overflow classification, this represents multiple memory safety bugs that Mozilla assessed could be exploited for arbitrary code execution. No public exploit identified at time of analysis; EPSS data not provided but critical browser vulnerabilities historically attract rapid exploitation interest.
Mozilla
Buffer Overflow
RCE
-
CVE-2026-5627
CRITICAL
CVSS 9.1
Path traversal in mintplex-labs/anything-llm (versions ≤1.9.1) allows authenticated administrators to read or delete arbitrary JSON files on the server, bypassing directory restrictions in the AgentFlows component. Exploitation requires high privileges (administrator access) but achieves cross-scope impact including leaking sensitive API keys from configuration files or destroying critical package.json files. Fixed in version 1.12.1. No public exploit identified at time of analysis, though technical details are disclosed via Huntr bounty platform.
Path Traversal
Information Disclosure
Denial Of Service
-
CVE-2026-4631
CRITICAL
CVSS 9.8
Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the host system by injecting malicious SSH options through the login endpoint. Affecting Red Hat Enterprise Linux versions 7 through 10, this critical pre-authentication vulnerability (CVSS 9.8) requires no credentials and executes code before any authentication checks occur. EPSS data not available; no confirmed active exploitation (CISA KEV) at time of analysis, though the pre-authentication nature and command injection vector present severe risk for internet-exposed Cockpit instances.
RCE
Command Injection
-
CVE-2026-4277
CRITICAL
CVSS 9.8
Unauthenticated attackers can bypass add permissions in Django GenericInlineModelAdmin (versions 6.0 <6.0.4, 5.2 <5.2.13, 4.2 <4.2.30) by submitting forged POST data to inline model forms. Permission checks fail to validate creation rights on inline model instances, enabling unauthorized database record insertion with network access alone. CVSS 9.8 critical severity reflects complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.01%).
Authentication Bypass
Python
Django
-
CVE-2026-1114
CRITICAL
CVSS 9.8
JWT secret key brute-forcing in Parisneo Lollms 2.1.0 allows unauthenticated remote attackers to forge administrative tokens and achieve full system compromise. The application uses a weak secret for signing JSON Web Tokens, enabling offline attacks to recover credentials and escalate privileges to administrator level. With CVSS 9.8 (critical network-accessible attack requiring no privileges) and EPSS data unavailable, this represents a severe authentication bypass in AI/LLM management software. Fixed in version 2.2.0. No public exploit identified at time of analysis, though the attack technique (JWT cracking) is well-documented.
AI / ML
Jwt Attack
Privilege Escalation
Parisneo Lollms
-
CVE-2026-0740
CRITICAL
CVSS 9.8
Unauthenticated arbitrary file upload in Ninja Forms - File Uploads plugin for WordPress (versions ≤3.3.26) enables remote code execution through missing file type validation in the upload handler. Attackers can upload malicious PHP files without authentication, achieving complete server compromise. CVSS 9.8 (Critical) with CVSS:3.1/AV:N/AC:L/PR:N/UI:N indicates network-based exploitation requiring no privileges or user interaction. Fully patched in version 3.3.27 following a partial fix in 3.3.25. No public exploit identified at time of analysis, though the vulnerability class (CWE-434: Unrestricted Upload of File with Dangerous Type) is well-understood and readily exploitable.
WordPress
PHP
File Upload
RCE
Ninja Forms File Uploads
-
CVE-2025-71058
CRITICAL
CVSS 9.1
DNS cache poisoning vulnerability in Dual DHCP DNS Server 8.01 allows unauthenticated remote attackers to inject forged DNS responses by exploiting improper source validation. The server accepts UDP responses matched only by transaction ID without verifying originating upstream DNS server, enabling attackers to poison the cache and redirect victims to malicious destinations. No public exploit identified at time of analysis. CVSS 9.1 (Critical) reflects network-accessible attack requiring no privileges or user interaction.
RCE
Code Injection
-
CVE-2025-69515
CRITICAL
CVSS 9.1
GPS spoofing vulnerability in JXL 9 Inch Car Android Double Din Player (Android 12.0) allows unauthenticated remote attackers to inject falsified GPS signals that the infotainment system accepts as legitimate, forcing incorrect or static location reporting. Exploitation requires no user interaction and achieves high integrity and availability impact through manipulation of navigation data. No public exploit identified at time of analysis. CVSS 9.1 reflects network-accessible attack vector with low complexity.
Google
Information Disclosure
N A
-
CVE-2025-62818
CRITICAL
CVSS 9.8
Out-of-bounds write in Samsung Exynos chipsets (processors 980/990/850/1080/2100/1280/2200/1330/1380/1480/2400/1580/2500/9110, wearables W920/W930/W1000, modems 5123/5300/5400) allows unauthenticated remote attackers to achieve arbitrary code execution via malformed SMS TP-UD packets. Exploitation occurs through TP-UDHI/UDL value mismatch during SMS message parsing, enabling network-level attacks without user interaction. No public exploit identified at time of analysis.
Memory Corruption
Buffer Overflow
Samsung
N A
-
CVE-2025-52909
CRITICAL
CVSS 9.8
Buffer overflow in Samsung Exynos Wi-Fi drivers (980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, W1000) allows unauthenticated remote attackers to execute arbitrary code with high integrity/confidentiality impact through malformed NL80211 vendor command ioctl messages. Improper input validation enables network-accessible exploitation without user interaction. CVSS 9.8 critical severity. No public exploit identified at time of analysis.
Buffer Overflow
Samsung
N A
-
CVE-2025-52908
CRITICAL
CVSS 9.8
Buffer overflow in Samsung Exynos Wi-Fi driver (980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, W1000) allows unauthenticated remote code execution via malformed NL80211 vendor command ioctl message. Incorrect handling of vendor-specific wireless configuration commands enables network-based memory corruption. CVSS 9.8 critical severity reflects network attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.01%).
Buffer Overflow
Samsung
-
CVE-2025-39666
CRITICAL
CVSS 9.3
Local privilege escalation in Checkmk allows site users with high privileges to escalate to root by manipulating site context files processed by the root-executed 'omd' administrative command. Affects Checkmk 2.2.0 (EOL), 2.3.0 before p46, 2.4.0 before p25, and 2.5.0 beta before b3. No public exploit identified at time of analysis. CVSS 9.3 reflects total technical impact, but SSVC assessment indicates non-automatable exploitation requiring existing high-privilege access, tempering the real-world urgency for organizations with strict site user access controls.
Checkmk
Privilege Escalation
-
CVE-2026-39937
HIGH
CVSS 8.8
Information disclosure in MediaWiki CentralAuth extension exposes sensitive authentication data to unauthorized parties through improper removal before storage or transfer. This affects non-release development branches with network-accessible attack vector requiring no authentication (CVSS:4.0 AV:N/PR:N). While no public exploit or active exploitation (not in CISA KEV) is identified at time of analysis, the CVSS 8.8 rating reflects high confidentiality impact and low complexity, making this a significant risk for organizations running development builds.
Information Disclosure
-
CVE-2026-39384
HIGH
CVSS 7.6
Unauthorized cross-customer data access in FreeScout help desk software versions prior to 1.8.212 allows authenticated users with low privileges to bypass customer visibility restrictions during merge operations. The limit_user_customer_visibility parameter, intended to restrict agents' access to specific customers, is ignored when merging customer records, enabling agents to view and manipulate data outside their authorized scope. CVSS 7.6 (High) with network-based attack vector and low complexity. No public exploit identified at time of analysis; EPSS data not provided.
Authentication Bypass
-
CVE-2026-39376
HIGH
CVSS 7.5
Unbounded recursion in FastFeedParser (Python RSS/Atom parser) allows remote attackers to crash applications via malicious HTML meta-refresh redirect chains. Affecting all versions prior to 0.5.10, attackers can trigger denial-of-service by serving infinite meta-refresh redirects when parse() fetches attacker-controlled URLs, exhausting the Python call stack with no recursion depth limit. EPSS data not available, no public exploit identified at time of analysis, but exploit development is trivial given the straightforward attack vector requiring only HTTP server control.
SSRF
Python
-
CVE-2026-39371
HIGH
CVSS 8.1
Cross-Site Request Forgery (CSRF) in RedwoodSDK 1.0.0-beta.50 through 1.0.5 allows unauthenticated remote attackers to execute state-changing server functions via crafted GET requests. The vulnerability stems from server functions exported from 'use server' files accepting GET requests despite being intended for POST-only invocation, enabling exploitation through cross-site navigation in cookie-authenticated applications where browsers automatically attach SameSite=Lax cookies to top-level GET requests. CVSS score 8.1 reflects high integrity and availability impact with low attack complexity requiring only user interaction. No public exploit identified at time of analysis, with EPSS data unavailable. Fixed in version 1.0.6.
CSRF
-
CVE-2026-39370
HIGH
CVSS 7.1
Server-Side Request Forgery (SSRF) in WWBN AVideo 26.0 and earlier allows authenticated uploaders to exfiltrate data from internal network resources via objects/aVideoEncoder.json.php. The flaw bypasses existing SSRF protections by permitting attacker-controlled URLs with common media extensions (.mp4, .mp3, .zip, .jpg, .png, .gif, .webm), forcing the server to fetch and store arbitrary remote content. This represents an incomplete fix for CVE-2026-27732. No public exploit identified at time of analysis. CVSS 7.1 with network-accessible attack vector requiring low-privileged authentication.
SSRF
PHP
-
CVE-2026-39369
HIGH
CVSS 7.6
Path traversal in WWBN AVideo platform ≤26.0 allows authenticated uploaders to read arbitrary server files via GIF poster manipulation. An attacker with uploader privileges can exploit aVideoEncoderReceiveImage.json.php to bypass path sanitization, fetch local files like /etc/passwd or application source code, and republish the contents through publicly accessible GIF media URLs. CVSS 7.6 reflects high confidentiality impact with low-complexity network attack requiring only low-privilege authentication. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.
PHP
Path Traversal
-
CVE-2026-39361
HIGH
CVSS 7.7
Server-Side Request Forgery (SSRF) in OpenObserve up to 0.70.3 allows authenticated attackers to bypass IPv6 address validation and access internal network resources, including cloud metadata services. The vulnerability enables retrieval of AWS IMDSv1 credentials at 169.254.169.254, GCP metadata endpoints, and Azure IMDS on cloud deployments, or probing of internal services in self-hosted environments. CVSS score of 7.7 reflects high confidentiality impact with changed scope. No public exploit identified at time of analysis, though exploitation requires only low-complexity authenticated network access.
SSRF
Microsoft
-
CVE-2026-39356
HIGH
CVSS 7.5
SQL injection in Drizzle ORM (TypeScript) allows unauthenticated remote attackers to extract database contents via improperly escaped SQL identifiers in versions prior to 0.45.2 and 1.0.0-beta.20. Applications passing user-controlled input to sql.identifier() or .as() methods are vulnerable to identifier termination and arbitrary SQL injection. CVSS 7.5 (High) with network attack vector and low complexity. EPSS data not available; no public exploit identified at time of analysis, though the GitHub security advisory provides technical details that could enable exploitation.
SQLi
-
CVE-2026-39344
HIGH
CVSS 8.1
Reflected Cross-Site Scripting (XSS) in ChurchCRM login page allows remote attackers to execute arbitrary JavaScript in victims' browsers through malicious URLs containing unsanitized username parameters. ChurchCRM versions prior to 7.1.0 fail to encode the username parameter, enabling attackers to craft URLs that inject malicious scripts capable of stealing session cookies or displaying phishing forms. With CVSS 8.1 (AV:N/AC:L/PR:N/UI:R) and no public exploit identified at time of analysis, this represents a moderate-priority risk requiring user interaction but no authentication for exploitation.
XSS
Information Disclosure
-
CVE-2026-39343
HIGH
CVSS 7.2
SQL injection in ChurchCRM 7.0.x and earlier allows authenticated administrators to execute arbitrary SQL commands via the unsanitized EN_tyid parameter in EditEventTypes.php. While requiring high-privilege administrative access (CVSS PR:H), successful exploitation enables complete database compromise including data exfiltration, modification, and potential server-level access through database features. Patched in version 7.1.0. No public exploit identified at time of analysis; EPSS data not available for assessment.
PHP
SQLi
-
CVE-2026-39341
HIGH
CVSS 8.1
Time-based SQL injection in ChurchCRM versions before 7.1.0 allows authenticated remote attackers to extract sensitive database contents through the ConfirmReportEmail.php endpoint. The familyId parameter fails to properly sanitize user input in SQL query construction, enabling attackers with low-privilege accounts to exfiltrate high-value data including confidential church member information. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the vulnerability class (CWE-89) is well-understood and exploitation techniques are widely documented.
PHP
SQLi
-
CVE-2026-39340
HIGH
CVSS 8.1
SQL injection in ChurchCRM's PropertyTypeEditor.php allows authenticated users with MenuOptions role permission to exfiltrate database contents including password hashes. The vulnerability stems from replacing SQL-escaping function legacyFilterInput() with sanitizeText() which only strips HTML, leaving Name and Description fields in property type management vulnerable to time-based blind injection. CVSS 8.1 reflects high confidentiality and integrity impact with low attack complexity from network-accessible authenticated attackers. No public exploit identified at time of analysis, though exploitation requires only basic staff-level permissions rather than administrative access.
PHP
SQLi
-
CVE-2026-39338
HIGH
CVSS 8.6
Reflected cross-site scripting (XSS) in ChurchCRM's dashboard search parameter allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers. Versions prior to 7.1.0 fail to sanitize user input, enabling payload execution even when server-side validation triggers HTTP 500 errors. The CVSS v4.0 score of 8.6 reflects network accessibility (AV:N), low complexity (AC:L), no authentication required (PR:N), and high confidentiality/integrity impact (VC:H/VI:H). No public exploit identified at time of analysis, though EPSS data is unavailable for risk quantification.
XSS
RCE
-
CVE-2026-39334
HIGH
CVSS 8.8
SQL injection in ChurchCRM 7.0.5 /SettingsIndividual.php endpoint allows authenticated low-privilege users to extract, modify, or delete database contents remotely. The vulnerability exploits insufficient input validation on the type array parameter, enabling arbitrary SQL statement execution. ChurchCRM is an open-source church management system handling sensitive member data including personal information, donations, and pastoral records. Fixed in version 7.1.0. EPSS data unavailable; no public exploit identified at time of analysis; not listed in CISA KEV.
PHP
SQLi
-
CVE-2026-39333
HIGH
CVSS 8.7
Reflected cross-site scripting (XSS) in ChurchCRM versions prior to 7.1.0 allows authenticated attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs targeting the FindFundRaiser.php endpoint. The vulnerability stems from improper output encoding of DateStart and DateEnd parameters in HTML attributes. CVSS 8.7 reflects the changed scope (S:C) enabling potential session hijacking and account compromise across the church management platform. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though exploitation probability remains moderate given the authenticated requirement and user interaction dependency.
XSS
PHP
-
CVE-2026-39332
HIGH
CVSS 8.7
Reflected XSS in ChurchCRM GeoPage.php enables authenticated attackers to execute arbitrary JavaScript in victims' browsers and hijack administrator sessions without user interaction. The vulnerability affects all versions prior to 7.1.0 and leverages autofocus to automatically trigger malicious payloads when authenticated users are socially engineered into submitting a crafted form. Session cookie theft leads to complete account takeover including administrative privileges. No public exploit identified at time of analysis, though technical details are available in the GitHub security advisory.
XSS
PHP
-
CVE-2026-39331
HIGH
CVSS 8.1
Insecure Direct Object Reference (IDOR) in ChurchCRM API allows authenticated low-privilege users to manipulate arbitrary family records without proper authorization checks. Attackers with any valid API credentials can modify family verification status, trigger spam emails, activate/deactivate accounts, and force geocoding operations on any family record by manipulating the familyId parameter in API requests. Affects all ChurchCRM versions prior to 7.1.0. CVSS 8.1 (High) reflects the network-accessible attack vector with low complexity and high integrity/availability impact. No evidence of active exploitation (CISA KEV negative) or public exploit code at time of analysis, but the vulnerability is trivially exploitable given the low attack complexity and published security advisory.
Authentication Bypass
-
CVE-2026-39330
HIGH
CVSS 8.8
SQL injection in ChurchCRM's /PropertyAssign.php endpoint allows authenticated users with 'Manage Groups & Roles' and 'Edit Records' privileges to execute arbitrary SQL commands through the Value parameter. All versions prior to 7.1.0 are affected; attackers can extract sensitive church membership data, modify database records, or potentially achieve complete database compromise. CVSS 8.8 (High) with network-accessible attack vector and low complexity. No public exploit identified at time of analysis, with EPSS data unavailable. Vendor-released patch: version 7.1.0.
PHP
SQLi
-
CVE-2026-39329
HIGH
CVSS 8.8
SQL injection in ChurchCRM /EventNames.php allows authenticated users with AddEvent privileges to execute arbitrary SQL commands via the newEvtTypeCntLst parameter during event type creation. The vulnerability reaches an ON DUPLICATE KEY UPDATE clause where user input is interpolated without sanitization, enabling high-impact database manipulation. Affects all versions prior to 7.1.0. No public exploit identified at time of analysis, though EPSS data not available. Attack requires low-privilege authenticated access but presents high confidentiality, integrity, and availability risk (CVSS 8.8).
PHP
SQLi
-
CVE-2026-39328
HIGH
CVSS 8.9
ChurchCRM church management system versions before 7.1.0 allow authenticated users with EditSelf permission to exfiltrate administrator session cookies through stored XSS in social media profile fields. Attackers chain JavaScript payloads across the Facebook, LinkedIn, and X fields using onfocus event handlers to bypass 50-character limits, automatically executing when any user (including administrators) views the malicious profile. No public exploit code or confirmed active exploitation identified at time of analysis, though EPSS data is unavailable. CVSS 8.9 reflects high impact but requires authenticated access and user interaction.
XSS
-
CVE-2026-39327
HIGH
CVSS 8.8
SQL injection in ChurchCRM 7.0.5 allows authenticated users with 'Manage Groups & Roles' permission to execute arbitrary SQL commands via the NewRole parameter in the /MemberRoleChange.php endpoint. This network-accessible vulnerability requires low-complexity exploitation with no user interaction, enabling complete database compromise including data exfiltration and modification. EPSS data is unavailable and there is no CISA KEV listing, indicating no confirmed active exploitation at time of analysis, though CVSS 8.8 (High) reflects significant impact potential. Patched in version 7.1.0.
PHP
SQLi
-
CVE-2026-39326
HIGH
CVSS 8.8
SQL injection in ChurchCRM PropertyTypeEditor.php allows authenticated users with menu options privileges to execute arbitrary SQL commands via Name and Description parameters, enabling full database compromise including data extraction and modification. Affects all versions before 7.1.0. CVSS 8.8 (High) with network-accessible attack vector requiring low-privilege authentication. EPSS data not available; no confirmed active exploitation (not in CISA KEV), but publicly disclosed via GitHub Security Advisory increases likelihood of future exploitation attempts.
PHP
SQLi
-
CVE-2026-39325
HIGH
CVSS 7.2
SQL injection in ChurchCRM 7.0.5 allows authenticated administrators to execute arbitrary SQL commands through the /SettingsUser.php endpoint's type array parameter. Attackers with high-privilege administrative access can extract sensitive database contents, modify church records, or potentially escalate privileges within the system. Fixed in version 7.1.0. No public exploit identified at time of analysis, with EPSS probability data unavailable for this recent CVE.
PHP
SQLi
-
CVE-2026-39323
HIGH
CVSS 8.8
SQL injection in ChurchCRM's PropertyTypeEditor.php allows authenticated users with 'Manage Properties' permission to execute arbitrary SQL commands through unsanitized Name and Description POST parameters. ChurchCRM versions prior to 7.1.0 are affected. The vulnerability relies on inadequate input validation (strip_tags() only) before SQL concatenation, enabling data exfiltration, modification, and deletion. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity once authenticated. EPSS data not provided, but the requirement for authenticated access with specific permissions reduces immediate exploitation surface compared to unauthenticated vulnerabilities.
PHP
SQLi
-
CVE-2026-39319
HIGH
CVSS 8.8
Second-order SQL injection in ChurchCRM FundRaiserEditor.php allows authenticated low-privilege users to extract and modify database contents remotely. All versions prior to 7.1.0 are affected. This network-accessible vulnerability requires minimal attack complexity and no user interaction, enabling authenticated attackers to achieve full database compromise (confidentiality, integrity, and availability impact). EPSS data not available; no public exploit identified at time of analysis, though vulnerability details are disclosed in GitHub security advisory.
PHP
SQLi
-
CVE-2026-39318
HIGH
CVSS 8.8
SQL injection in ChurchCRM GroupPropsFormRowOps.php allows authenticated attackers to execute arbitrary SQL commands and extract, modify, or destroy database contents. The Field parameter accepts unsanitized user input that is inserted directly into SQL queries; while mysqli_real_escape_string() is applied, it does not escape backtick characters, enabling attackers to break out of the SQL identifier context. Affects all versions prior to 7.1.0. With a network-accessible attack vector (AV:N), low complexity (AC:L), and only low-privilege authentication required (PR:L), this vulnerability poses significant risk to church management systems with authenticated user access. EPSS data not available; no CISA KEV listing indicating confirmed active exploitation; the exploit scenario is straightforward given the technical details disclosed in the GitHub advisory.
PHP
SQLi
-
CVE-2026-39317
HIGH
CVSS 8.8
SQL injection in ChurchCRM's SettingsIndividual.php allows authenticated users to extract sensitive database contents including member personal information, financial records, and credentials. All versions prior to 7.1.0 are affected; attackers with low-privilege accounts can escalate to full database compromise via unsanitized POST parameter array keys used directly in SQL queries. EPSS data not available, but the low attack complexity (AC:L) and network accessibility (AV:N) combined with publicly disclosed technical details create elevated risk for exposed installations. Vendor-released patch available in version 7.1.0.
Information Disclosure
PHP
SQLi
-
CVE-2026-39312
HIGH
CVSS 7.5
Remote unauthenticated denial-of-service in SoftEther VPN Developer Edition 5.2.5188 and earlier allows attackers to crash the vpnserver process and terminate all active VPN sessions by sending a single malformed EAP-TLS packet over raw L2TP (UDP port 1701). This pre-authentication vulnerability requires no privileges or user interaction (CVSS vector AV:N/AC:L/PR:N/UI:N), enabling trivial service disruption. No public exploit identified at time of analysis, though the attack mechanism is well-documented in vendor advisory GHSA-q5g3-qhc6-pr3h.
Denial Of Service
-
CVE-2026-35611
HIGH
CVSS 7.5
Regular expression denial of service (ReDoS) in the Addressable Ruby library versions 2.3.0 through 2.8.x allows unauthenticated remote attackers to cause application-level denial of service through maliciously crafted URIs that trigger catastrophic backtracking in URI template expansion. The vulnerability affects URI templates using explode modifiers (e.g., {foo*}, {+var*}) and multi-variable templates with + or # operators (e.g., {+v1,v2,v3}), generating O(2^n) and O(n^k) complexity regex patterns respectively. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. Vendor-released patch: version 2.9.0.
Denial Of Service
-
CVE-2026-35610
HIGH
CVSS 8.8
Privilege escalation in the PolarLearn account-management module allows authenticated non-admin users to arbitrarily reset passwords and delete user accounts due to an inverted admin permission check in versions 0-PRERELEASE-14 and earlier. The inverted logic in the setCustomPassword() and deleteUser() functions grants administrative capabilities to regular users while blocking legitimate administrators. With a CVSS score of 8.8 and a network-based attack vector requiring only low-privilege authentication, this represents a critical account takeover risk. No public exploit identified at time of analysis, though the inverted check makes exploitation straightforward once the flaw is understood.
Authentication Bypass
-
CVE-2026-35607
HIGH
CVSS 8.1
Auto-provisioned users in File Browser's proxy authentication flow inherit elevated execution permissions that were explicitly blocked in the self-registration flow, enabling unauthorized command execution. Versions prior to 2.63.1 grant execute capabilities to proxy-auth users from global defaults, bypassing security controls added in commit b6a4fb1. This affects File Browser instances using proxy authentication for automatic user provisioning. No public exploit identified at time of analysis, though EPSS probability warrants attention given the network-accessible attack surface and high confidentiality/integrity impact.
Privilege Escalation
-
CVE-2026-35604
HIGH
CVSS 8.2
Authorization bypass in File Browser allows unauthenticated access to shared files after permissions are revoked. When administrators revoke a user's Share and Download permissions in File Browser (versions prior to 2.63.1), previously created share links remain accessible to unauthenticated users due to missing permission re-validation in the public share handler. This CWE-863 authorization flaw enables persistent unauthorized data access with high confidentiality impact (CVSS 8.2), though no public exploit or active exploitation (not in CISA KEV) has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-35585
HIGH
CVSS 7.5
Remote code execution in File Browser versions 2.0.0 through 2.63.1 allows authenticated administrators to execute arbitrary OS commands via malicious filenames. The vulnerability stems from unsanitized variable substitution in the hook system, which processes file events (upload, rename, delete) using administrator-defined shell commands. Attackers with file write permissions can inject shell metacharacters into filenames that trigger command execution when hooks fire. No public exploit identified at time of analysis, and EPSS data was not provided. The vulnerable feature has been disabled by default from v2.33.8 onwards as a mitigation measure.
RCE
Command Injection
-
CVE-2026-35581
HIGH
CVSS 7.2
Command injection in NSA Emissary P2P workflow engine (versions prior to 8.39.0) allows authenticated remote administrators to execute arbitrary shell commands through unsanitized PLACE_NAME parameter values. The Executrix utility class passes configuration-derived values directly to /bin/sh -c with only space-to-underscore sanitization, enabling shell metacharacters (semicolons, pipes, backticks) to trigger command execution. CVSS 7.2 (High) reflects network accessibility with low attack complexity, though exploitation requires high-privilege administrator credentials (PR:H). No public exploit code identified at time of analysis, with EPSS data unavailable for this recent CVE. Vendor-released patch available in version 8.39.0 per GitHub security advisory.
Command Injection
-
CVE-2026-35576
HIGH
CVSS 8.7
Stored cross-site scripting in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject malicious JavaScript through the Person Property Management subsystem, executing when other users view affected profiles. This vulnerability persists despite previous CVE-2023-38766 patches and enables session hijacking or account compromise through persistent payload execution. No public exploit identified at time of analysis, though CVSS score of 8.7 reflects high impact with cross-site scripting scope allowing privilege escalation beyond the attacker's session context.
XSS
-
CVE-2026-35575
HIGH
CVSS 8.0
Stored Cross-Site Scripting in ChurchCRM admin panel enables session hijacking and administrative account takeover through malicious group names. Authenticated users with group-creation privileges can inject JavaScript that executes when administrators view group listings, stealing session cookies. ChurchCRM versions prior to 6.5.3 are affected. No public exploit identified at time of analysis, with EPSS data unavailable, though the low attack complexity (AC:L) and availability of technical details in the GitHub Security Advisory increase exploitation risk for authenticated internal threats.
XSS
-
CVE-2026-35574
HIGH
CVSS 7.3
Stored XSS in ChurchCRM Note Editor enables authenticated users to execute arbitrary JavaScript in victims' browsers, leading to session hijacking and privilege escalation against administrators managing sensitive church member data. Affects ChurchCRM versions prior to 6.5.3. CVSS 7.3 (High) reflects network-accessible attack requiring low-privilege authentication and user interaction. EPSS and KEV data not provided; no public exploit identified at time of analysis. Vendor patch released in version 6.5.3.
XSS
Privilege Escalation
Authentication Bypass
-
CVE-2026-35572
HIGH
CVSS 7.0
Server-Side Request Forgery in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to trigger outbound HTTP/HTTPS requests to arbitrary external hosts by injecting malicious URLs into the Referer header. Attackers with high-privilege access can exploit this to probe internal networks, exfiltrate data, or interact with cloud metadata services. CVSS 7.0 reflects medium-high severity requiring privileged access (PR:H). No public exploit identified at time of analysis, though SSRF exploitation techniques are well-documented. EPSS data not provided, but the requirement for admin credentials significantly reduces real-world attack surface compared to unauthenticated SSRF vulnerabilities.
SSRF
-
CVE-2026-35568
HIGH
CVSS 7.6
DNS rebinding in Model Context Protocol (MCP) Java SDK before v1.0.0 enables remote attackers to invoke arbitrary tool calls on local or network-private MCP servers via a victim's browser. The SDK failed to validate Origin headers per MCP specification requirements, violating mandatory server-side protections against cross-origin attacks. Exploitation requires social engineering (victim visits malicious site), but grants full tool invocation privileges as if the attacker were a locally authorized AI agent. Patch available in v1.0.0. No public exploit identified at time of analysis, but attack technique is well-understood (DNS rebinding). EPSS data not available; authentication requirements not confirmed from available data.
Nginx
Information Disclosure
Java
-
CVE-2026-35567
HIGH
CVSS 8.8
SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with ManageGroups role to execute arbitrary SQL commands via the NewRole POST parameter in MemberRoleChange.php. The vulnerability requires low-privilege authentication (PR:L) but permits complete database compromise with high confidentiality, integrity, and availability impact. No public exploit code or active exploitation confirmed at time of analysis, though the attack complexity is low (AC:L) and requires no user interaction.
SQLi
PHP
-
CVE-2026-35566
HIGH
CVSS 8.8
SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with low privileges to execute arbitrary SQL commands via the fund raiser statement report functionality. The vulnerability stems from inadequate input validation of session-based fundraiser identifiers in src/Reports/FundRaiserStatement.php, enabling attackers to achieve complete database compromise including data exfiltration, modification, and potential remote code execution. EPSS exploitation probability and KEV status unavailable, but public advisory exists from GitHub Security (GHSA-grq6-q49f-44xh). No public exploit identified at time of analysis, though SQL injection exploits are well-documented and exploitation complexity is low per CVSS vector (AC:L).
SQLi
PHP
Crm
-
CVE-2026-35554
HIGH
CVSS 8.7
Buffer use-after-free in Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. CISA SSVC indicates no active exploitation, non-automatable attack, and partial technical impact. No public exploit identified at time of analysis. EPSS data not provided, but the combination of high CVSS, cross-scope impact (S:C), and dual confidentiality/integrity impact warrants prioritization for environments processing sensitive message streams.
Information Disclosure
Memory Corruption
Apache
Use After Free
Deserialization
-
CVE-2026-35534
HIGH
CVSS 7.6
Stored cross-site scripting (XSS) in ChurchCRM versions prior to 7.1.0 enables authenticated users with EditRecords role to inject malicious JavaScript through improperly sanitized Facebook profile fields, executing arbitrary code in administrators' browser sessions and enabling account takeover. The vulnerability exploits inadequate output encoding in PersonView.php where sanitizeText() strips HTML tags but fails to escape quote characters in href attribute contexts. EPSS data not available; no CISA KEV listing indicates no confirmed active exploitation at time of analysis, though the technical barrier is low (CVSS AC:L) for authenticated attackers.
XSS
PHP
-
CVE-2026-35533
HIGH
CVSS 7.7
Local trust-control bypass in mise (Rust task runner) versions ≤2026.3.17 allows attackers to inject malicious configuration through `.mise.toml` files, leading to arbitrary code execution. By setting `trusted_config_paths = ["/"]` in a project-local config file, attackers bypass the trust verification mechanism that should prevent execution of dangerous directives like `[env] _.source`, hooks, templates, and tasks. Exploitation requires victim interaction (cloning/opening a malicious repository), but no authentication. EPSS data not available; no confirmed active exploitation or public exploit code beyond the GitHub advisory's proof-of-concept. Attack complexity is high due to the requirement for victim action and specific execution context (mise hook-env invocation).
Docker
Authentication Bypass
-
CVE-2026-35521
HIGH
CVSS 8.8
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary system commands by injecting malicious dnsmasq configuration directives through newline characters in the DHCP hosts configuration parameter. Exploitation requires low-complexity network access with low-level authentication (CVSS 8.8, AV:N/AC:L/PR:L). No public exploit identified at time of analysis, though the vulnerability's straightforward injection mechanism and the popularity of Pi-hole as a DNS/DHCP solution elevate practical risk for environments with multiple administrative users or compromised credentials.
Command Injection
RCE
-
CVE-2026-35520
HIGH
CVSS 8.8
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary dnsmasq configuration directives via newline character injection in the DHCP lease time parameter (dhcp.leaseTime), leading to command execution on the underlying system. Affects the FTLDNS component that provides Pi-hole's interactive API and web statistics. No public exploit identified at time of analysis, though exploitation requires only low-complexity attack methods with network access and low-privilege authentication (CVSS 8.8).
RCE
Command Injection
-
CVE-2026-35519
HIGH
CVSS 8.8
Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via newline injection in DNS host record configuration. The vulnerability exploits improper input sanitization in the dns.hostRecord parameter, enabling injection of malicious dnsmasq directives that execute at the system level. With CVSS 8.8 (network-accessible, low complexity, requires low-privilege authentication), this represents a critical risk for Pi-hole deployments where administrative access controls are weak. No public exploit identified at time of analysis, though the attack vector is straightforward for authenticated users.
RCE
Command Injection
-
CVE-2026-35518
HIGH
CVSS 8.8
Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary system commands by injecting malicious dnsmasq configuration directives through newline characters in the DNS CNAME records parameter (dns.cnameRecords). Authentication requirements confirmed (CVSS PR:L - low privileges required). Publicly available exploit code exists. CVSS 8.8 with network attack vector and low complexity indicates high exploitability once authenticated access is obtained.
RCE
Command Injection
-
CVE-2026-35517
HIGH
CVSS 8.8
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges to execute arbitrary system commands by injecting newline-delimited dnsmasq configuration directives into the upstream DNS servers parameter (dns.upstreams). The vulnerability requires network access with authentication (CVSS:3.1 PR:L) but has low attack complexity and no user interaction required. No public exploit identified at time of analysis, though technical details are available in the GitHub Security Advisory.
RCE
Command Injection
-
CVE-2026-35489
HIGH
CVSS 7.3
Unauthenticated API input validation flaws in Tandoor Recipes (<2.6.4) enable cross-tenant data leakage and denial of service. The /api/food/{id}/shopping/ endpoint accepts unvalidated amount and unit parameters, allowing attackers to cause application crashes via malformed numeric inputs (HTTP 500 errors) and leak foreign-key references across multi-tenant Space boundaries by associating unit IDs from other tenants. CVSS 7.3 reflects network-accessible, low-complexity attacks requiring no authentication. No public exploit identified at time of analysis, though exploitation is straightforward via direct API calls. EPSS data not available. Vendor-released patch: version 2.6.4.
Authentication Bypass
-
CVE-2026-35488
HIGH
CVSS 8.1
Privilege escalation in Tandoor Recipes prior to version 2.6.4 allows authenticated users with read-only shared access to recipe books to perform unauthorized write and delete operations. The CustomIsShared permission class incorrectly permits DELETE, PUT, and PATCH methods without validating safe HTTP methods, enabling shared users to overwrite or delete recipe books despite having semantically read-only permissions. This represents a high-severity authorization bypass with CVSS 8.1 (AV:N/AC:L/PR:L) requiring authenticated access but no user interaction. No public exploit identified at time of analysis, though the vulnerability affects a specific permission boundary and could be easily exploited by any user granted shared access.
Information Disclosure
-
CVE-2026-35486
HIGH
CVSS 7.5
Server-Side Request Forgery (SSRF) in oobabooga text-generation-webui versions prior to 4.3 allows unauthenticated remote attackers to access cloud metadata endpoints, exfiltrate IAM credentials, and probe internal network services via malicious URLs processed by the superbooga/superboogav2 RAG extensions. The vulnerability stems from unvalidated requests.get() calls with no scheme, IP, or hostname filtering. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L). EPSS data not provided, but the attack vector is network-accessible without authentication (AV:N/PR:N), making this a significant risk for publicly exposed instances in cloud environments.
SSRF
-
CVE-2026-35485
HIGH
CVSS 7.5
Remote unauthenticated file disclosure in oobabooga text-generation-webui versions prior to 4.3 allows arbitrary file reading through path traversal in the load_grammar() function. Attackers can retrieve any file from the server filesystem without authentication by exploiting insufficient validation of Gradio dropdown values, submitting directory traversal sequences via API requests. EPSS data not available; no public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L), requiring only network access.
Path Traversal
-
CVE-2026-35458
HIGH
CVSS 8.7
Denial of service in Gotenberg API (≤8.29.1) allows unauthenticated remote attackers to indefinitely hang worker processes via malicious regular expression patterns. The vulnerability stems from missing timeout enforcement in the dlclark/regexp2 library when compiling user-supplied scope patterns, enabling catastrophic backtracking attacks (CWE-1333). With CVSS 4.0 score 8.7 and high availability impact (VA:H), this represents significant service disruption risk. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication (AV:N/PR:N).
Denial Of Service
-
CVE-2026-34904
HIGH
CVSS 7.5
Cross-Site Request Forgery in Analytify Simple Social Media Share Buttons WordPress plugin (versions ≤6.2.0) enables unauthenticated remote attackers to execute unauthorized actions on behalf of authenticated administrators through high-complexity social engineering attacks. CVSS 7.5 severity reflects potential for complete compromise of confidentiality, integrity, and availability when successfully exploited. No public exploit identified at time of analysis, though CSRF vulnerabilities are well-understood with documented exploitation techniques.
WordPress
PHP
CSRF
Simple Social Media Share Buttons
-
CVE-2026-34896
HIGH
CVSS 7.5
Cross-Site Request Forgery (CSRF) in Analytify's Under Construction, Coming Soon & Maintenance Mode WordPress plugin versions up to 2.1.1 allows remote attackers to perform unauthorized actions on behalf of authenticated administrators through social engineering. With CVSS 7.5 (high severity) and high complexity attack vector requiring user interaction, this vulnerability has no public exploit identified at time of analysis. EPSS data not available, not listed in CISA KEV.
WordPress
PHP
CSRF
Under Construction Coming Soon Maintenance Mode
-
CVE-2026-34582
HIGH
CVSS 8.7
TLS 1.3 client authentication bypass in Botan cryptography library versions prior to 3.11.1 allows unauthenticated remote attackers to skip certificate validation by sending ApplicationData records before the Finished handshake message. Exploiting this vulnerability requires no authentication (PR:N), low attack complexity (AC:L), and no user interaction (UI:N), resulting in complete integrity compromise (VI:H) for TLS 1.3 servers relying on mutual authentication. CVSS 8.7 severity reflects the network-accessible attack surface and direct violation of cryptographic protocol invariants (CWE-841: Improper Enforcement of Behavioral Workflow). No public exploit identified at time of analysis, though the protocol-level flaw in a widely-used cryptographic library presents significant risk to certificate-based access control mechanisms.
Authentication Bypass
-
CVE-2026-34197
HIGH
CVSS 8.8
Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec(). CVSS 8.8 (High) with network attack vector and low complexity. EPSS score 0.06% (19th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, though SSVC assessment confirms total technical impact with non-automatable exploitation.
Apache
Java
RCE
-
CVE-2026-34079
HIGH
CVSS 8.7
Arbitrary file deletion in Flatpak versions prior to 1.16.4 allows sandboxed applications to delete files on the host system via path traversal during ld.so cache cleanup. The vulnerability stems from improper validation of application-controlled paths when removing outdated cache files, enabling applications to escape sandbox constraints and delete arbitrary host files. No active exploitation or public exploit code is confirmed at time of analysis, though the technical barrier is low given the CVSS vector shows network-accessible attack with low complexity and no authentication required.
Path Traversal
-
CVE-2026-34045
HIGH
CVSS 8.2
Unauthenticated network access to Podman Desktop's HTTP server enables remote denial-of-service attacks and information disclosure via verbose error messages. Attackers can exhaust file descriptors and kernel memory without authentication, causing application crashes or complete host freezes, while error responses leak internal paths and Windows usernames. Fixed in version 1.26.2. EPSS data not available; no public exploit identified at time of analysis.
Kubernetes
Information Disclosure
Microsoft
-
CVE-2026-33034
HIGH
CVSS 7.5
Unbounded memory consumption in Django ASGI applications allows unauthenticated remote attackers to bypass DATA_UPLOAD_MAX_MEMORY_SIZE protections via malformed Content-Length headers, leading to denial of service. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. CVSS 7.5 (High) with network-accessible, low-complexity attack vector requiring no privileges. EPSS data not available; no public exploit identified at time of analysis. Vendor patches released April 2026 across all affected major branches.
Denial Of Service
Python
-
CVE-2026-32864
HIGH
CVSS 8.5
Memory corruption via out-of-bounds read in NI LabVIEW's mgcore_SH_25_3!aligned_free() function enables information disclosure or arbitrary code execution when users open maliciously crafted VI files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. CVSS 8.5 severity stems from local attack vector requiring user interaction but no authentication. No public exploit identified at time of analysis, though the vendor advisory confirms the vulnerability's existence and technical details.
Information Disclosure
Buffer Overflow
RCE
-
CVE-2026-32863
HIGH
CVSS 8.5
Memory corruption in NI LabVIEW 26.1.0 and earlier allows local attackers to execute arbitrary code or disclose sensitive information via maliciously crafted VI files. The vulnerability stems from an out-of-bounds read in sentry_transaction_context_set_operation(), requiring user interaction to open a specially crafted file. CVSS 8.5 (High) with local attack vector and low complexity. No public exploit identified at time of analysis, and EPSS data not available for this recently published CVE.
Information Disclosure
Buffer Overflow
RCE
-
CVE-2026-32862
HIGH
CVSS 8.5
Memory corruption in NI LabVIEW's ResFileFactory::InitResourceMgr() function allows arbitrary code execution or information disclosure when users open malicious VI files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. CVSS 8.5 severity reflects high impact potential, though exploitation requires user interaction to open a crafted file. No public exploit identified at time of analysis, with EPSS data unavailable for this recently assigned CVE. Local attack vector limits remote exploitation scenarios.
Memory Corruption
Information Disclosure
Buffer Overflow
RCE
-
CVE-2026-32861
HIGH
CVSS 8.5
Memory corruption via out-of-bounds write in NI LabVIEW allows arbitrary code execution and information disclosure when processing maliciously crafted .lvclass files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. Attack requires local access and user interaction to open the weaponized file (CVSS AV:L/UI:P). No public exploit identified at time of analysis, though the vendor advisory confirms the vulnerability and provides remediation guidance.
Memory Corruption
Information Disclosure
Buffer Overflow
RCE
-
CVE-2026-32860
HIGH
CVSS 8.5
Memory corruption via out-of-bounds write in NI LabVIEW allows arbitrary code execution when processing malicious LVLIB files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. Attack requires local access and user interaction to open a specially crafted .lvlib project library file (CVSS 8.5, AV:L/PR:N/UI:P). No public exploit identified at time of analysis. EPSS data not available, but the local attack vector and user interaction requirement significantly limit immediate mass exploitation risk despite high CVSS score.
Memory Corruption
Information Disclosure
Buffer Overflow
RCE
-
CVE-2026-32144
HIGH
CVSS 7.6
Erlang OTP public_key module (versions 1.16 through 1.20.3 and 1.17.1.2) fails to cryptographically verify OCSP responder certificate signatures, allowing network attackers to forge OCSP responses with self-signed certificates bearing matching issuer names and OCSPSigning extended key usage. This bypasses certificate revocation checks in SSL/TLS clients using OCSP stapling, enabling man-in-the-middle attackers to present revoked certificates as valid and intercept sensitive communications. Vendor-released patches are available (OTP 28.4.2, 27.3.4.10). CISA SSVC analysis indicates no current exploitation and non-automatable attack requirements, but technical impact is rated total due to potential cryptographic security control bypass. No public exploit identified at time of analysis.
Authentication Bypass
Tls
Otp
-
CVE-2026-31842
HIGH
CVSS 8.7
HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis; EPSS data not available, though technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.
Request Smuggling
Denial Of Service
Tinyproxy
-
CVE-2026-31790
HIGH
CVSS 7.5
OpenSSL 3.0.0 through 3.6.1 leaks uninitialized memory contents to remote attackers through flawed RSA key encapsulation (RSASVE). Applications using EVP_PKEY_encapsulate() with attacker-supplied invalid RSA public keys can expose stale process memory containing sensitive data due to improper error handling in RSA_public_encrypt(). The vulnerability requires no authentication (CVSS AV:N/PR:N) but has low exploitation probability (EPSS 0.01%). Vendor patches are available for all affected 3.x branches. No active exploitation confirmed (not in CISA KEV), but multiple GitHub commits provide upstream fixes.
Information Disclosure
-
CVE-2026-30460
HIGH
CVSS 8.8
Authenticated remote code execution in Daylight Studio FuelCMS version 1.5.2 allows low-privileged users to execute arbitrary code via the Blocks module. CVSS 8.8 rating indicates network-accessible attack requiring low-complexity exploitation without user interaction, enabling full system compromise (confidentiality, integrity, availability impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
RCE
Code Injection
-
CVE-2026-29181
HIGH
CVSS 7.5
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger severe CPU and memory amplification via crafted HTTP baggage headers. The vulnerability allows unauthenticated attackers to send multiple baggage header lines that bypass the 8192-byte per-value parse limit by triggering repeated parsing operations - achieving 77x memory amplification (10.3MB vs 133KB per request) in vendor-provided proof-of-concept testing. Vendor-released patch available in v1.41.0. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly available exploit code exists (vendor-provided PoC demonstrating 77x amplification).
Canonical
Denial Of Service
-
CVE-2026-28808
HIGH
CVSS 8.3
Authorization bypass in Erlang OTP's inets HTTP server allows unauthenticated remote attackers to execute CGI scripts protected by directory-level access controls. The vulnerability stems from a path mismatch where mod_auth validates access against DocumentRoot-relative paths while mod_cgi executes scripts at ScriptAlias-resolved paths outside DocumentRoot. With CVSS 8.3 (AV:N/AC:L/PR:N), the attack requires no authentication and low complexity but depends on specific ScriptAlias configurations (AT:P). SSVC assessment confirms the vulnerability is automatable with partial technical impact. No public exploit identified at time of analysis, though SSVC indicates exploitation status 'none'. Vendor-released patches available for affected OTP versions 17.0 through 28.4.1.
Authentication Bypass
Path Traversal
Otp
-
CVE-2026-28390
HIGH
CVSS 7.5
NULL pointer dereference in OpenSSL CMS EnvelopedData processing enables unauthenticated remote denial of service. Affects OpenSSL 1.0.2 through 3.6.x when processing attacker-controlled CMS messages with KeyTransportRecipientInfo using RSA-OAEP encryption. A missing optional parameters field in the algorithm identifier triggers a crash before authentication occurs. Applications calling CMS_decrypt() on untrusted input (S/MIME, CMS-based protocols) are vulnerable. FIPS modules unaffected. No public exploit identified at time of analysis. EPSS indicates low observed exploitation activity.
Denial Of Service
Null Pointer Dereference
OpenSSL
-
CVE-2026-28389
HIGH
CVSS 7.5
Null pointer dereference in OpenSSL 1.0.2 through 3.6 CMS EnvelopedData processing crashes applications before authentication when KeyAgreeRecipientInfo messages lack optional parameters field. Unauthenticated remote attackers can trigger denial of service against S/MIME processors and CMS-based protocol handlers calling CMS_decrypt() on untrusted input. FIPS modules unaffected. Vendor-released patches available for all affected branches (1.0.2zp, 1.1.1zg, 3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2). Low observed exploitation activity; no public exploit identified at time of analysis.
Denial Of Service
Null Pointer Dereference
OpenSSL
-
CVE-2026-28388
HIGH
CVSS 7.5
NULL pointer dereference in OpenSSL 1.0.2 through 3.6.x delta CRL processing enables remote denial-of-service attacks against applications performing X.509 certificate verification. Exploitation requires X509_V_FLAG_USE_DELTAS flag enabled, certificates with freshestCRL extension or base CRL with EXFLAG_FRESHEST flag, and attacker-supplied malformed delta CRL missing required CRL Number extension. Unauthenticated network-accessible attack with low complexity causes application crash. Impact limited to availability; memory disclosure and code execution ruled out by vendor. FIPS modules unaffected.
RCE
Denial Of Service
Null Pointer Dereference
OpenSSL
-
CVE-2026-27314
HIGH
CVSS 8.8
Apache Cassandra 5.0 through 5.0.6 in mTLS environments using MutualTlsAuthenticator allows authenticated users with only CREATE permission to escalate privileges to superuser via certificate identity manipulation through the ADD IDENTITY command. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, with SSVC indicating non-automatable exploitation but total technical impact. Apache released patch version 5.0.7+ addressing this privilege escalation flaw (CWE-267: Privilege Defined With Unsafe Actions).
Privilege Escalation
Apache
-
CVE-2026-24660
HIGH
CVSS 8.1
Heap buffer overflow in LibRaw's x3f_load_huffman function (commit d20315b) allows remote attackers to achieve arbitrary code execution via malicious X3F image files. The vulnerability stems from an integer overflow (CWE-190) leading to heap corruption. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated high. EPSS data not available; not listed in CISA KEV, so no confirmed active exploitation at time of analysis. Reported by Cisco Talos (TALOS-2026-2359), affecting LibRaw's Sigma X3F raw image parsing functionality.
Buffer Overflow
Integer Overflow
-
CVE-2026-24450
HIGH
CVSS 8.1
Heap buffer overflow in LibRaw's DNG image processing (commit 8dc68e2) enables remote code execution when parsing maliciously crafted uncompressed floating-point DNG files. The vulnerability stems from an integer overflow in uncompressed_fp_dng_load_raw that miscalculates buffer sizes, allowing network-based attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability (CVSS 8.1). No public exploit identified at time of analysis, though Cisco Talos has published technical details. Authentication requirements not confirmed from available data, but CVSS vector indicates no privileges required (PR:N).
Integer Overflow
Buffer Overflow
-
CVE-2026-24175
HIGH
CVSS 7.5
Remote denial of service in NVIDIA Triton Inference Server versions prior to r26.02 allows unauthenticated attackers to crash the server by sending malformed HTTP request headers over the network. The vulnerability scores 7.5 (High) with maximum availability impact, requires no authentication or user interaction, and has low attack complexity. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Nvidia
Denial Of Service
-
CVE-2026-24174
HIGH
CVSS 7.5
Remote denial of service in NVIDIA Triton Inference Server (all versions prior to r26.02) allows unauthenticated attackers to crash the server via malformed requests. The vulnerability has a CVSS score of 7.5 with network-accessible attack vector and low complexity, requiring no privileges or user interaction. EPSS data not provided; no public exploit identified at time of analysis. The issue stems from improper conversion between numeric types (CWE-681), enabling trivial service disruption for ML inference workloads.
Nvidia
Denial Of Service
-
CVE-2026-24173
HIGH
CVSS 7.5
Integer overflow in NVIDIA Triton Inference Server allows unauthenticated remote attackers to crash the server through malformed requests, causing denial of service. All versions prior to r26.02 are affected. CVSS 7.5 (High) with network attack vector, low complexity, and no authentication required. EPSS and KEV data not provided; no public exploit identified at time of analysis. Organizations running Triton Inference Server for ML model deployment should prioritize patching to prevent service disruption.
Nvidia
Denial Of Service
Integer Overflow
-
CVE-2026-24156
HIGH
CVSS 7.3
Arbitrary code execution in NVIDIA DALI (all versions prior to 2.0) allows local authenticated attackers with low privileges to execute malicious code by exploiting insecure deserialization of untrusted data, requiring user interaction. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. The vulnerability affects NVIDIA's Data Loading Library, a critical component in AI/ML data preprocessing pipelines.
Nvidia
RCE
Deserialization
-
CVE-2026-24146
HIGH
CVSS 7.5
NVIDIA Triton Inference Server crashes when processing inference requests with insufficient input validation combined with large output counts, enabling remote denial of service without authentication (CVSS 7.5, EPSS data not available). The vulnerability affects all versions prior to r26.02, with no public exploit identified at time of analysis. Unauthenticated remote attackers can exploit this flaw with low complexity (AV:N/AC:L/PR:N) to completely disrupt machine learning inference services.
Nvidia
Denial Of Service
-
CVE-2026-23818
HIGH
CVSS 8.8
Open redirect vulnerability in HPE Aruba Networking Private 5G Core On-Prem GUI enables credential harvesting attacks against authenticated users. Remote attackers can craft malicious URLs that redirect victims from the legitimate login flow to attacker-controlled phishing pages designed to capture credentials. With CVSS 8.8 (High) severity and network-reachable attack surface requiring no authentication, this represents significant phishing risk for organizations deploying private 5G infrastructure. No public exploit identified at time of analysis, though exploitation requires minimal technical complexity.
Aruba
Open Redirect
Private 5G Core
-
CVE-2026-22683
HIGH
CVSS 8.7
Authorization bypass in Windmill 1.56.0-1.614.0 enables Operator role users to escalate privileges to remote code execution. Operators can bypass documented role restrictions via unprotected backend API endpoints to create/modify scripts, flows, and apps, then execute arbitrary code through the jobs API. Public exploit code exists (GitHub: Chocapikk/Windfall). EPSS data unavailable, but the low attack complexity (AC:L), network access vector (AV:N), and availability of weaponized POC indicate elevated real-world risk for self-hosted Windmill deployments with Operator-level users.
Privilege Escalation
RCE
Authentication Bypass
-
CVE-2026-22682
HIGH
CVSS 8.4
Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence over agent tool execution to read arbitrary local files and write/overwrite files outside intended repository boundaries. The vulnerability stems from inconsistent parameter handling where the path parameter is not passed to PermissionChecker in four file operation tools (read_file, write_file, edit_file, notebook_edit), enabling bypass of deny rules to access sensitive credentials, SSH keys, and configuration files. Upstream fix available (PR/commit); released patched version not independently confirmed. EPSS data not available; no public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-22666
HIGH
CVSS 8.6
Remote code execution in Dolibarr ERP/CRM versions prior to 23.0.2 allows authenticated administrators to execute arbitrary system commands by exploiting inadequate input validation in the dol_eval_standard() function. The vulnerability enables attackers to bypass security controls using PHP dynamic callable syntax through computed extrafields or other evaluation paths. With a CVSS score of 7.2 and publicly available exploit code documented by Jiva Security, this represents an elevated risk for organizations running unpatched Dolibarr instances, though exploitation requires high-privilege administrator access (CVSS:3.1/PR:H), limiting the attack surface to insider threats or compromised admin accounts.
PHP
RCE
Code Injection
Dolibarr Erp Crm
-
CVE-2026-20884
HIGH
CVSS 8.1
Integer overflow in LibRaw's deflate_dng_load_raw function (commit 8dc68e2) enables remote heap buffer overflow via crafted DNG image files, allowing potential code execution without authentication. With CVSS 8.1 and network-accessible attack vector requiring no user interaction, this represents significant risk for applications processing untrusted DNG files. EPSS data not available; no public exploit identified at time of analysis.
Integer Overflow
Buffer Overflow
-
CVE-2026-20433
HIGH
CVSS 8.8
Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-controlled rogue cellular base stations. The vulnerability affects over 60 MediaTek chipset models widely deployed in smartphones and IoT devices, exploitable by adjacent network attackers without authentication (CVSS:3.1 AV:A/PR:N). While EPSS scores this at only 6% exploitation probability (18th percentile) and no active exploitation is confirmed at time of analysis, the attack scenario requires specialized radio equipment and victim proximity to malicious infrastructure. Patch ID MOLY01088681 addresses the missing bounds check in modem baseband code.
Buffer Overflow
Privilege Escalation
Memory Corruption
-
CVE-2026-20432
HIGH
CVSS 8.0
Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment connects to an attacker-controlled rogue cellular base station. Affects 57 MediaTek chipset models across MT67xx, MT68xx, MT69xx, MT87xx, and MT27xx families used in mobile devices. Authentication not required (CVSS PR:N) but requires adjacent network access and user interaction to connect to malicious base station. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, though vendor patch MOLY01406170 has been released per April 2026 MediaTek security bulletin.
Buffer Overflow
Privilege Escalation
Memory Corruption
-
CVE-2026-5733
HIGH
CVSS 8.8
Buffer overflow in Firefox WebGPU implementation allows remote code execution when users interact with malicious web content. Affects all Firefox versions prior to 149.0.2. Network-based attack requires user interaction (visiting crafted webpage) but no authentication. CVSS 8.8 reflects high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though Mozilla's rapid patch release suggests significant risk potential.
Mozilla
Buffer Overflow
-
CVE-2026-5732
HIGH
CVSS 8.8
Integer overflow in Firefox and Firefox ESR text rendering engine allows remote attackers to achieve arbitrary code execution via specially crafted web content. Affects Firefox versions prior to 149.0.2 and Firefox ESR prior to 140.9.1. Attack requires user interaction (visiting malicious webpage) but no authentication. CVSS 8.8 (High severity). No public exploit identified at time of analysis, though the vulnerability class (integer overflow leading to buffer overflow) is well-understood and exploitable.
Mozilla
Integer Overflow
Buffer Overflow
-
CVE-2026-5465
HIGH
CVSS 8.8
Authenticated privilege escalation to Administrator in Amelia WordPress plugin (all versions ≤2.1.3) allows Provider-level users to hijack any account via Insecure Direct Object Reference. Attackers manipulate the externalId parameter during profile updates to map their session to arbitrary WordPress user IDs, including administrators, bypassing all authorization checks before password reset and user modification operations. EPSS data not provided; no confirmed active exploitation (CISA KEV) at time of analysis, though public exploit code exists via disclosed source code references.
WordPress
PHP
Privilege Escalation
Booking For Appointments And Events Calendar Amelia
-
CVE-2026-5373
HIGH
CVSS 8.1
Improper privilege management in runZero Platform allows organization administrators to escalate privileges to superuser status. Authenticated admin users with high privileges (PR:H) can exploit this network-accessible flaw (AV:N) with user interaction (UI:R) to gain unauthorized superuser access, potentially compromising confidentiality and integrity across organizational boundaries (scope changed to C). Fixed in version 4.0.260202.0. EPSS risk data not available; no public exploit identified at time of analysis.
Privilege Escalation
-
CVE-2026-4740
HIGH
CVSS 8.2
Improper certificate validation in Red Hat's Open Cluster Management (OCM) and Multicluster Engine for Kubernetes allows managed cluster administrators with high-level local access to forge client certificates, achieving cross-cluster privilege escalation to other managed clusters including the hub cluster. The CVSS 8.2 rating reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires existing high-privilege local access (PR:H) and local attack vector (AV:L). No public exploit code or CISA KEV listing identified at time of analysis, though technical details are publicly documented in researcher blog post.
Privilege Escalation
Redhat
Kubernetes
-
CVE-2026-3902
HIGH
CVSS 7.5
Header spoofing in Django 4.2 through 6.0 allows remote attackers to bypass security controls by exploiting ambiguous ASGI header normalization. The ASGIRequest handler incorrectly maps both hyphenated and underscored header variants to the same underscored version, enabling attackers to send conflicting headers where the malicious version overwrites legitimate security headers. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. No public exploit identified at time of analysis. EPSS data not available, but the unauthenticated network attack vector and high integrity impact warrant immediate patching.
Python
Authentication Bypass
-
CVE-2026-3466
HIGH
CVSS 8.5
Stored cross-site scripting (XSS) in Checkmk dashboard functionality allows authenticated users with dashboard creation privileges to inject malicious scripts through unsanitized dashlet title links, achieving high confidentiality and integrity impact (CVSS 8.5) when victims click crafted links on shared dashboards. Affects Checkmk 2.2.0 (EOL), 2.3.0 before p46, 2.4.0 before p25, and beta 2.5.0 before b3. SSVC framework indicates no active exploitation and non-automatable attack requiring user interaction, but classifies technical impact as total. No public exploit identified at time of analysis.
XSS
-
CVE-2026-1078
HIGH
CVSS 7.2
Arbitrary file write in Pega Browser Extension allows remote attackers to compromise system integrity when Robot Runtime users visit malicious websites while running automations in Chrome or Edge. Affects Pega Robotic Automation versions 22.1 and R25. Attack requires user interaction (navigating to attacker-controlled site) but no authentication. No public exploit identified at time of analysis, though attack complexity is low once user visits malicious site.
Google
Microsoft
Authentication Bypass
-
CVE-2025-65115
HIGH
CVSS 8.8
Remote code execution in Hitachi's JP1/IT Desktop Management suite allows authenticated network attackers to execute arbitrary code on Windows systems running Manager, Operations Director, and Client components. Affects multiple product generations spanning versions 9.x through 13.x across nine distinct product lines. CVSS score of 8.8 reflects network-accessible attack surface with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though CWE-73 (external control of file name or path) indicates potential for path traversal-based exploitation. Hitachi has released patches addressing versions 13-50-02, 13-11-04, 13-10-07, 13-01-07, 13-00-05, and 12-60-12 for actively supported products.
Windows
RCE
Jp1 It Desktop Management 2 Manager
Jp1 It Desktop Management 2 Operations Director
Job Management Partner 1 It Desktop Management 2 Manager
-
CVE-2025-56015
HIGH
CVSS 7.5
Unauthenticated remote information disclosure in GenieACS 1.2.13 NBI API allows network-based attackers to read sensitive configuration data without authentication. The CVSS vector confirms zero authentication requirements (PR:N), enabling attackers to directly access the NBI API endpoint and exfiltrate high-confidentiality information. Publicly available exploit code exists. Attack complexity is low with no user interaction required. EPSS indicates low observed exploitation activity.
Authentication Bypass
-
CVE-2025-24818
HIGH
CVSS 8.0
OS command injection in Nokia MantaRay NM Log Search application allows authenticated adjacent network attackers to execute arbitrary OS commands with high impact to confidentiality, integrity, and availability. The vulnerability affects versions prior to 25R1-NM due to improper neutralization of special elements in OS commands (CWE-77). CVSS score of 8.0 reflects high severity with low attack complexity requiring low-level authentication from adjacent network position. No public exploit identified at time of analysis, though command injection vulnerabilities are well-understood and relatively straightforward to exploit once access requirements are met.
Nokia
Command Injection
-
CVE-2025-24817
HIGH
CVSS 8.0
OS command injection in Nokia MantaRay NM Symptom Collector application allows authenticated adjacent network attackers to execute arbitrary OS commands with high confidentiality, integrity, and availability impact. The vulnerability affects all versions prior to 25R1-NM and requires low-privilege authenticated access over adjacent network with low attack complexity. No public exploit identified at time of analysis, with EPSS exploitation probability at 0.06% (19th percentile), indicating relatively low observed real-world exploitation likelihood despite the high CVSS score.
Command Injection
Nokia
-
CVE-2025-14859
HIGH
CVSS 7.0
Cryptographic bypass in Semtech LR11xx LoRa transceiver secure boot allows physically proximate attackers to install arbitrary firmware via hash collision. The implementation uses a non-standard, collision-vulnerable hashing algorithm (CWE-327), enabling second preimage attacks that forge signed firmware images. Affects LR1110, LR1120, and LR1121 transceivers widely deployed in IoT/LoRaWAN devices. CVSS 7.0 requires physical access (AV:P), low complexity, no privileges. No public exploit identified at time of analysis; EPSS data unavailable for this recent CVE.
Authentication Bypass
-
CVE-2025-14821
HIGH
CVSS 7.8
Local privilege escalation in libssh on Windows systems allows authenticated users with low privileges to conduct man-in-the-middle attacks against SSH connections by creating malicious configuration files in C:\etc. The vulnerability stems from insecure default behavior where libssh automatically loads SSH configuration from a world-writable directory location. Red Hat Enterprise Linux 6-10, RHEL Hardened Images, and OpenShift Container Platform 4 are affected. No public exploit identified at time of analysis, though EPSS data is not available and exploitation complexity is low (CVSS AC:L).
Microsoft
Information Disclosure
-
CVE-2026-39936
MEDIUM
CVSS 6.9
Stored cross-site scripting (XSS) in the MediaWiki Score extension allows unauthenticated remote attackers to inject scripts that execute in the context of wiki pages, enabling session compromise, defacement, or data theft. The root cause is improper neutralization of input during web page generation (CWE-79). The record lists versions 1.45.2, 1.43.7, and 1.44.4, with patches available from the Wikimedia Foundation.
XSS
-
CVE-2026-39935
MEDIUM
CVSS 6.9
Improper input neutralization in the MediaWiki CampaignEvents extension (record lists versions 1.43.7, 1.44.4, and 1.45.2) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in users' browsers via cross-site scripting (XSS). The flaw lies in web page generation; the CVSS 4.0 base score of 6.9 reflects low confidentiality, integrity, and availability impact on both the vulnerable system and subsequent systems.
XSS
-
CVE-2026-39934
MEDIUM
CVSS 6.9
Infinite loop in the Wikimedia MediaWiki GrowthExperiments extension (record lists versions 1.45.2, 1.44.4, 1.43.7) allows unauthenticated remote attackers to cause a denial of service: a Time-of-Check to Time-of-Use (TOCTOU) race makes the loop's exit condition unreachable. The CVSS score of 6.9 reflects low confidentiality, integrity, and availability impact on both the vulnerable system and subsequent systems. No public exploit code or active exploitation has been confirmed at time of analysis.
Denial Of Service
-
CVE-2026-39933
MEDIUM
CVSS 6.9
Cross-site scripting (XSS) in the Wikimedia Foundation's MediaWiki GlobalWatchlist extension enables unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers. The source record carries a CVSS 10.0 vector (high impact on confidentiality, integrity, and availability), while this tracker lists the entry at 6.9 (Medium); the affected code exists only in non-release development branches, not in production deployments. No public exploit identified at time of analysis, though the publicly accessible Phabricator task and Gerrit code review may facilitate proof-of-concept development.
XSS
-
CVE-2026-39841
MEDIUM
CVSS 6.3
Stored XSS in the Wikimedia Cargo extension before 3.8.7 allows authenticated users with page-editing permissions to inject scripts through improper neutralization of HTML script tags; the payload executes in other users' browsers when the stored content is viewed. Exploitation requires authenticated access and user interaction (a page view); the CVSS 6.3 score reflects the confidentiality and integrity impact of script injection in a collaborative wiki environment.
XSS
-
CVE-2026-39840
MEDIUM
CVSS 5.1
Cross-site scripting (XSS) vulnerability in Mediawiki Cargo Extension before version 3.8.7 allows authenticated users to inject malicious scripts into non-script page elements through improper input neutralization. The vulnerability requires user interaction (UI:P) and has limited scope impact, affecting only the confidentiality and integrity of session data. No public exploit code or active exploitation has been identified at the time of analysis.
XSS
-
CVE-2026-39839
MEDIUM
CVSS 6.3
Stored XSS in the Wikimedia Cargo extension before 3.8.7 allows authenticated users with page-editing privileges to inject scripts via improper HTML tag neutralization, affecting all installations running vulnerable versions. The attack requires user interaction (a page view) to trigger and compromises the integrity of pages and scripts served by the affected wiki. No public exploit code or active exploitation has been reported at time of analysis.
XSS
-
CVE-2026-39838
MEDIUM
CVSS 6.9
Improper input neutralization in the Wikimedia MediaWiki ProofreadPage Extension allows cross-site scripting (XSS) attacks targeting non-script elements via unauthenticated remote requests. The vulnerability has a CVSS 4.0 base score of 6.9 with network-accessible attack vector and low integrity and confidentiality impact. No public exploit code or active exploitation (KEV status) is documented at time of analysis, though the low attack complexity and absence of privilege requirements make this a practical threat to deployed MediaWiki instances using this extension.
XSS
-
CVE-2026-39837
MEDIUM
CVSS 6.3
Stored cross-site scripting (XSS) in the MediaWiki Cargo extension before version 3.8.7 allows authenticated users to inject scripts via improper neutralization of HTML tags, enabling persistent client-side attacks against other users who view the affected content. Exploitation requires user interaction (a page view) but lets an attacker alter page content and session information for victims. CVSS 6.3 reflects medium severity; EPSS data could not be confirmed from the available sources.
XSS
-
CVE-2026-39401
MEDIUM
CVSS 5.3
Cronicle prior to 0.9.111 allows low-privilege authenticated users to modify arbitrary event properties via an authorization bypass in the job child process update mechanism. An attacker with permission to create and run events can inject an update_event key in JSON output that the server applies directly to any event's configuration without authorization checks, enabling modification of webhook URLs, notification emails, and other sensitive event parameters. This vulnerability requires prior authentication and event creation capabilities but represents a significant privilege escalation risk in multi-user Cronicle deployments.
Authentication Bypass
-
CVE-2026-39400
MEDIUM
CVSS 5.3
Stored cross-site scripting (XSS) in Cronicle prior to 0.9.111 allows authenticated users with create_events and run_events privileges to inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The injected payload is stored server-side without sanitization and executed client-side via innerHTML when other users view the Job Details page, enabling session hijacking, credential theft, or malicious actions performed in the context of the viewing user's session. No public exploit code or active exploitation has been reported at the time of analysis.
XSS
-
CVE-2026-39395
MEDIUM
CVSS 4.3
Cosign verify-blob-attestation incorrectly validates attestation signatures and predicate types in versions before 3.0.6 and 2.6.3, allowing remote attackers to bypass integrity verification by submitting malformed attestations or mismatched predicate types that are falsely reported as verified. The vulnerability affects container and binary code signing workflows where attestation integrity is critical for supply chain security.
Authentication Bypass
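The checks that the Cosign advisory describes as being skipped, written out as an added example (this is not Cosign's code and is not a sigstore client): after the DSSE signature has been verified, the verifier must still confirm the envelope's payloadType, that the payload is an in-toto Statement, that its predicateType is the one the caller asked for, and that a subject digest matches the blob. The envelope builder, the artifact bytes, and the placeholder signature are constructed for the demo; signature verification itself is assumed to have happened before check_attestation runs.

```python
import base64
import hashlib
import json

# Constants from the DSSE and in-toto specifications.
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPES = {"https://in-toto.io/Statement/v1", "https://in-toto.io/Statement/v0.1"}


class AttestationError(Exception):
    """The attestation fails a policy check and must not be reported as verified."""


def check_attestation(envelope_json: bytes, blob: bytes, expected_predicate_type: str) -> dict:
    """Structural and policy checks that run AFTER the DSSE signature is verified
    (signature verification is assumed done and is out of scope here).

    Returns the predicate on success and raises AttestationError on any mismatch,
    so a caller cannot mistake a malformed or off-type attestation for a verified one.
    """
    try:
        envelope = json.loads(envelope_json)
        if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
            raise AttestationError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        if not envelope.get("signatures"):
            raise AttestationError("envelope carries no signatures")
        statement = json.loads(base64.b64decode(envelope["payload"], validate=True))
    except (KeyError, ValueError, TypeError, AttributeError) as exc:
        # binascii.Error and JSONDecodeError are ValueError subclasses.
        raise AttestationError(f"malformed envelope: {exc}") from None
    if not isinstance(statement, dict) or statement.get("_type") not in STATEMENT_TYPES:
        raise AttestationError("payload is not an in-toto Statement")
    # Predicate type must be the one the policy asked for; without this check any
    # attestation about the blob (an SBOM, a vuln scan) would satisfy a provenance policy.
    if statement.get("predicateType") != expected_predicate_type:
        raise AttestationError(
            f"predicateType {statement.get('predicateType')!r} != {expected_predicate_type!r}")
    # The statement must be about THIS blob: some subject digest has to match.
    digest = hashlib.sha256(blob).hexdigest()
    subjects = statement.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        raise AttestationError("no subject sha256 matches the blob")
    if "predicate" not in statement:
        raise AttestationError("statement has no predicate")
    return statement["predicate"]


def make_envelope(blob: bytes, predicate_type: str, predicate: dict) -> bytes:
    """Build a demo envelope with a placeholder signature (constructed test data)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "artifact.bin",
                     "digest": {"sha256": hashlib.sha256(blob).hexdigest()}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }
    return json.dumps({
        "payloadType": INTOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": base64.b64encode(b"placeholder").decode()}],
    }).encode()


# Constructed sample: a blob with SLSA provenance attached (hypothetical buildType URI).
BLOB = b"constructed sample artifact bytes\n"
SLSA_PROVENANCE = "https://slsa.dev/provenance/v1"
ENVELOPE = make_envelope(BLOB, SLSA_PROVENANCE, {"buildType": "https://example.invalid/build"})

if __name__ == "__main__":
    print("verified predicate:", check_attestation(ENVELOPE, BLOB, SLSA_PROVENANCE))
    try:
        check_attestation(ENVELOPE, BLOB, "https://spdx.dev/Document")
    except AttestationError as err:
        print("rejected:", err)
```

The point of raising rather than returning a status is that a verifier which prints "verified" on the happy path cannot fall through to it on a malformed payload: every failure mode ends in an exception the caller has to handle.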
-
CVE-2026-39381
MEDIUM
CVSS 5.3
Parse Server versions prior to 9.8.0-alpha.7 and 8.6.75 expose protected session fields to authenticated users via the GET /sessions/me endpoint, bypassing the protectedFields server configuration that should restrict access to sensitive data. An authenticated attacker can retrieve their own session's protected fields in a single request, whereas the equivalent GET /sessions and GET /sessions/:objectId endpoints correctly enforce field-level access controls. This information disclosure affects any Parse Server deployment where administrators have configured protected fields on the _Session class and expect those fields to stay hidden from users.
Node.js
Authentication Bypass
-
CVE-2026-39380
MEDIUM
CVSS 5.4
Stored cross-site scripting in Open Source Point of Sale allows authenticated users to inject malicious JavaScript through the Stock Locations configuration feature, which executes when rendered in the Employees interface. Versions prior to 3.4.3 are affected. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting but not eliminating real-world risk in multi-user POS environments where administrative interfaces may be accessible to untrusted staff.
XSS
PHP
-
CVE-2026-39374
MEDIUM
CVSS 6.5
Plane project management tool versions prior to 1.3.0 allow authenticated project members to modify issue dates across workspace and project boundaries via the IssueBulkUpdateDateEndpoint, which lacks proper authorization filtering. An attacker with the ADMIN or MEMBER role in any project can change the start_date and target_date fields of issues they have no legitimate access to, violating data integrity across the entire Plane instance. The CVSS score of 6.5 reflects moderate risk for this authorization bypass; no public exploit code or active exploitation confirmed at time of analysis.
Authentication Bypass
-
CVE-2026-39373
MEDIUM
CVSS 5.3
Memory exhaustion in JWCrypto before 1.5.7 allows unauthenticated remote attackers to cause denial of service on memory-constrained systems by sending crafted JWE tokens with ZIP compression that decompress to approximately 100MB despite remaining under the 250KB input size limit. The vulnerability exploits incomplete validation in the upstream CVE-2024-28102 patch, which restricted input token size but failed to enforce decompressed output limits.
Denial Of Service
Python
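What "input size capped, output size not" looks like, and the fix, as an added example (not JWCrypto's code). JWE "zip":"DEF" is raw DEFLATE, so the demo uses zlib with negative wbits; the 250 KiB input cap is taken from the advisory, the 256 KiB output limit is an assumed policy value, and the 4 MiB run of zeros stands in for the crafted token: it compresses to a few KiB, sails past the input check, and expands on decompression.

```python
import zlib

RAW_DEFLATE_WBITS = -15          # JWE zip=DEF is raw DEFLATE (RFC 1951), no zlib/gzip header
INPUT_LIMIT = 250 * 1024         # the input-size cap the earlier fix imposed (per the advisory)
OUTPUT_LIMIT = 256 * 1024        # assumed policy: how far a token's plaintext may expand


class DecompressionBombError(ValueError):
    pass


def deflate(data: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, RAW_DEFLATE_WBITS)
    return c.compress(data) + c.flush()


def inflate_unbounded(data: bytes) -> bytes:
    """What an input-size-only check leaves exposed: nothing bounds the output."""
    return zlib.decompress(data, RAW_DEFLATE_WBITS)


def inflate_bounded(data: bytes, limit: int = OUTPUT_LIMIT) -> bytes:
    """Inflate incrementally and stop the moment the output would exceed `limit`."""
    d = zlib.decompressobj(RAW_DEFLATE_WBITS)
    out = bytearray()
    pending = data
    while pending:
        # Ask for at most one byte more than we are willing to accept; zlib stops
        # there and parks the unprocessed input in unconsumed_tail.
        room = limit - len(out) + 1
        out += d.decompress(pending, room)
        if len(out) > limit:
            raise DecompressionBombError(f"decompressed output exceeds {limit} bytes")
        pending = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated or invalid DEFLATE stream")
    return bytes(out)


# Constructed inputs: a small JWE-style plaintext, and a bomb that passes the input cap.
SAMPLE = b'{"sub":"alice","scope":"read"}'
BOMB_SIZE = 4 * 1024 * 1024
BOMB_COMPRESSED = deflate(b"\x00" * BOMB_SIZE)

if __name__ == "__main__":
    print("bomb passes input cap:", len(BOMB_COMPRESSED) < INPUT_LIMIT,
          f"({len(BOMB_COMPRESSED)} bytes -> {len(inflate_unbounded(BOMB_COMPRESSED))} bytes)")
    try:
        inflate_bounded(BOMB_COMPRESSED)
    except DecompressionBombError as err:
        print("bounded inflate refused it:", err)
```

The output limit belongs wherever the library hands decompressed bytes to the caller; a limit that is checked only after zlib.decompress() returns has already allocated the bomb.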
-
CVE-2026-39368
MEDIUM
CVSS 6.5
Stored SSRF in WWBN AVideo 26.0 and prior allows authenticated streamers with low-privilege streaming permissions to store arbitrary callback URLs in the live restream log feature, triggering server-side requests to internal or loopback HTTP services. The vulnerability affects all versions up to and including 26.0; exploitation requires valid streaming credentials but no user interaction. CISA SSVC data records the exploitation state as proof-of-concept, although no public exploit code was located at time of analysis.
SSRF
-
CVE-2026-39367
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject malicious JavaScript into EPG (Electronic Program Guide) XML files; the payload is rendered without sanitization and executes in the browsers of unauthenticated visitors to the public EPG page. Attackers can use this to hijack sessions and take over the account of any user viewing the compromised EPG. No public exploit code or active exploitation has been confirmed at time of analysis.
XSS
-
CVE-2026-39366
MEDIUM
CVSS 6.5
Replay attack in WWBN AVideo versions 26.0 and prior allows authenticated attackers to repeatedly submit legitimate PayPal IPN notifications to the v1 handler, inflating wallet balances and renewing subscriptions without additional payment. The vulnerability exploits missing transaction deduplication in plugin/PayPalYPT/ipn.php, while newer v2 handlers correctly implement deduplication. CVSS 6.5 reflects high integrity impact with network accessibility and low attack complexity, though exploitation requires valid subscription credentials.
Information Disclosure
PHP
-
CVE-2026-39360
MEDIUM
CVSS 5.3
RustFS alpha versions prior to alpha.90 allow authenticated users with limited permissions to bypass authorization checks in the multipart copy operation (UploadPartCopy), enabling exfiltration of objects from buckets they cannot directly read. This breaks tenant isolation in multi-tenant deployments by allowing a low-privileged user to copy victim objects into their own multipart upload and complete the transfer without proper authorization validation.
Authentication Bypass
-
CVE-2026-39354
MEDIUM
CVSS 6.5
Scoold versions prior to 1.66.2 allow authenticated low-privilege users to overwrite arbitrary existing questions by submitting a POST request to /questions/ask with another user's question ID as the postId parameter. Since question IDs are publicly visible in URLs, attackers can identify target questions and replace their content with malicious text, corrupting discussion threads and destroying legitimate user-generated content. The vulnerability requires only basic user authentication and network access, making it trivially exploitable by any logged-in account.
Authentication Bypass
-
CVE-2026-39351
MEDIUM
CVSS 6.9
Frappe web application framework prior to versions 16.14.0 and 15.104.0 allows unauthenticated remote attackers to bypass access controls and retrieve restricted DocType data through API endpoints, disclosing sensitive application data. The root cause is missing authorization checks on API methods; the entry is categorized as an authentication bypass with a CVSS score of 6.9.
Authentication Bypass
-
CVE-2026-39348
MEDIUM
CVSS 5.3
OrangeHRM 5.0 through 5.8 allows authenticated low-privilege users to bypass authorization controls and directly access job specification and vacancy attachment files by manipulating attachment identifiers, exposing sensitive HR documents. The vulnerability affects the attachment download handlers which fail to validate user permissions before serving files. This issue is fixed in version 5.8.1.
Authentication Bypass
-
CVE-2026-39347
MEDIUM
CVSS 5.1
OrangeHRM Open Source versions 5.0 through 5.8 allow high-privileged administrator users to modify self-appraisal submissions after those submissions have been marked as completed, compromising the integrity of finalized appraisal records. The vulnerability requires administrator authentication and has a CVSS score of 5.1 with low integrity impact. No public exploit code or active exploitation has been identified at the time of analysis.
Authentication Bypass
-
CVE-2026-39346
MEDIUM
CVSS 5.3
OrangeHRM Open Source versions 5.0 through 5.8 allow authenticated users to bypass module access controls by submitting URL-encoded request paths, enabling unauthorized access to administrator-disabled functionality. The vulnerability requires valid user credentials but presents a moderate confidentiality and integrity risk. A vendor-released patch is available in version 5.8.1.
Authentication Bypass
-
CVE-2026-39345
MEDIUM
CVSS 4.6
OrangeHRM Open Source 5.0 through 5.8 allows authenticated users with high privileges to read arbitrary local files by manipulating email template file paths, bypassing the intended plugin directory restriction. The vulnerability requires high-privilege credentials and manual path influence but enables confidential file disclosure. Vendor has released patch version 5.8.1; no public exploit code or active exploitation is confirmed.
Path Traversal
-
CVE-2026-39336
MEDIUM
CVSS 6.1
Stored cross-site scripting in ChurchCRM prior to version 7.1.0 allows authenticated administrators with high privileges to inject malicious scripts through configuration fields, Person editor defaults, and self-registration form defaults, which are then rendered without sanitization when accessed by other administrators or users. The vulnerability requires admin interaction to exploit (UI:R) and affects confidentiality and integrity but not availability. No public exploit code or active exploitation has been identified.
XSS
-
CVE-2026-39335
MEDIUM
CVSS 6.1
Stored XSS in ChurchCRM prior to 7.1.1 allows authenticated administrators to inject malicious scripts via group remove controls and family editor state/country fields. The vulnerability requires high-privilege account access and user interaction to trigger, making it an admin-to-admin attack surface rather than a direct threat to end-users. ChurchCRM 7.1.1 and later contain the fix.
XSS
-
CVE-2026-39321
MEDIUM
CVSS 6.3
Parse Server versions prior to 9.8.0-alpha.6 and 8.6.74 leak valid usernames through a timing side channel on the login endpoint: unauthenticated attackers can enumerate accounts by measuring the latency difference between a request for a non-existent user and an incorrect password for an existing one. The root cause is non-constant-time handling in password verification, so the unknown-user path returns measurably faster. Account enumeration requires no authentication and moderate attack complexity.
Information Disclosure
Node.js
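The leak and its fix in miniature, as an added example (not Parse Server's code): login_leaky returns before running the password hash when the user is unknown, so a wrong-password attempt against a real account costs a full KDF round and an unknown user costs a dictionary lookup. login_uniform runs the same KDF against a dummy record for unknown users and folds the "user exists" bit in after a constant-time compare. The user store, salts, and the low PBKDF2 iteration count are constructed for the demo.

```python
import hashlib
import hmac
import time

ITERATIONS = 20_000  # deliberately low for the demo; real deployments use a much slower KDF


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, pbkdf2 hash). Real salts are random per user.
_SALT = b"constructed-per-user-salt"
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}

# Dummy record for unknown users so that the unknown-user path performs exactly the
# same KDF and comparison work as the wrong-password path.
DUMMY_SALT = b"constructed-dummy-salt"
DUMMY_HASH = hash_password("never-a-valid-password", DUMMY_SALT)


def login_leaky(username: str, password: str) -> bool:
    """Timing leak: an unknown user returns before the KDF runs, so the response is
    orders of magnitude faster than a wrong password for an existing user."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hash_password(password, salt) == stored   # also a non-constant-time compare


def login_uniform(username: str, password: str) -> bool:
    """Both paths run the KDF and a constant-time compare; the existence bit is
    applied only at the end, so latency no longer distinguishes the two cases."""
    record = USERS.get(username)
    known = record is not None
    salt, stored = record if known else (DUMMY_SALT, DUMMY_HASH)
    computed = hash_password(password, salt)
    matched = hmac.compare_digest(computed, stored)
    return matched and known


def median_latency_ms(fn, username: str, password: str, rounds: int = 15) -> float:
    """Crude timing oracle of the kind an attacker runs against the login endpoint."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(username, password)
        samples.append((time.perf_counter() - t0) * 1000)
    return sorted(samples)[rounds // 2]


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(f"{fn.__name__:14s}",
              "existing user / wrong password: %.2f ms" % median_latency_ms(fn, "alice", "wrong"),
              "| unknown user: %.2f ms" % median_latency_ms(fn, "mallory", "wrong"))
```

Running the block shows the gap for login_leaky (milliseconds versus microseconds) collapsing for login_uniform. The remaining sources of variance (database round-trip for the lookup, cache hits) still need the same treatment in a real service: the rule is that every branch on "does this user exist" must cost the same.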
-
CVE-2026-39316
MEDIUM
CVSS 4.0
Local denial of service and potential code execution in OpenPrinting CUPS 2.4.16 and prior occurs when the scheduler (cupsd) deletes temporary printers without expiring their associated subscriptions, leaving dangling pointers that are later dereferenced. An unauthenticated local attacker can crash the cupsd daemon or, with heap grooming, achieve arbitrary code execution on systems running affected CUPS versions.
Denial Of Service
Use After Free
RCE
Memory Corruption
-
CVE-2026-39314
MEDIUM
CVSS 4.0
Denial of service in OpenPrinting CUPS 2.4.16 and prior allows unprivileged local users to crash the cupsd root process via integer underflow in _ppdCreateFromIPP() by supplying a negative job-password-supported IPP attribute, which wraps to a large size_t value and triggers a stack buffer overflow in memset(). When combined with systemd's automatic restart mechanism, an attacker can sustain repeated crashes without requiring elevated privileges or user interaction.
Denial Of Service
Integer Overflow
-
CVE-2026-35613
MEDIUM
CVSS 5.1
Path traversal in coursevault-preview versions before 0.1.1 allows local attackers without authentication to read arbitrary files outside the configured base directory by exploiting a flawed boundary check in the resolveSafe utility. The vulnerability exists because the code uses String.prototype.startsWith() to validate normalized paths, which fails to enforce proper directory boundaries when sibling directories share the same string prefix. This enables disclosure of sensitive files on systems where the application is installed.
Path Traversal
-
CVE-2026-35608
MEDIUM
CVSS 5.3
Stored cross-site scripting (XSS) in QuickDrop prior to version 1.5.3 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of the application domain by uploading a malicious SVG file via the file upload endpoint and triggering execution when any user views the file preview. The vulnerability requires user interaction (viewing the preview) but no authentication, making it moderately exploitable in multi-user deployment scenarios where file sharing is expected functionality.
XSS
-
CVE-2026-35606
MEDIUM
CVSS 5.3
File Browser versions prior to 2.63.1 allow authenticated users whose download permission is disabled to bypass access controls and read arbitrary text file content through the resourceGetHandler endpoint in http/resource.go, which fails to validate the Perm.Download permission flag, unlike three other content-serving endpoints that correctly enforce the check. This authorization bypass affects any File Browser deployment where users are granted access but restricted from downloading files, and is fixed in version 2.63.1.
Authentication Bypass
-
CVE-2026-35605
MEDIUM
CVSS 6.3
File Browser versions prior to 2.63.1 contain a path traversal vulnerability in the Matches() function that fails to enforce directory boundaries when evaluating access control rules. An attacker can bypass intended access restrictions by exploiting the use of strings.HasPrefix() without trailing directory separators, allowing a rule intended to restrict access to /uploads to inadvertently grant or deny access to similarly-named directories such as /uploads_backup/. This affects all File Browser versions before 2.63.1 and requires network access but no authentication or user interaction; no public exploit code or active exploitation has been confirmed at time of analysis.
Path Traversal
-
CVE-2026-35592
MEDIUM
CVSS 5.3
Path traversal in pyLoad's tar extraction allows writing files outside the intended directory via specially crafted archives. The vulnerability stems from incomplete remediation of a prior path traversal fix (CVE-2026-32808), where the _safe_extractall() function continues to use the insecure os.path.commonprefix() instead of the correct os.path.commonpath(). Unauthenticated remote attackers can exploit this via a malicious tar file when a user extracts it, achieving arbitrary file write on the system. The vulnerability affects pyLoad versions prior to 0.5.0b3.dev97 and is fixed in that release.
Python
Path Traversal
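The three path-boundary bugs above (coursevault's String.prototype.startsWith(), File Browser's strings.HasPrefix() without a trailing separator, and pyLoad's os.path.commonprefix()) are the same mistake: comparing characters where path components are what matter. The example below is added here and is not any of those projects' code; it shows the flawed checks beside a component-wise is_within built on os.path.commonpath, and applies it to tar extraction, including symlink and hard-link members. The base directory /srv/uploads and the archives are constructed for the demo; the tar check resolves paths lexically and does not defend against a symlink that an earlier member of the same archive has already created on disk.

```python
import io
import os
import tarfile


def is_within_startswith(base: str, target: str) -> bool:
    """Flawed: a character-wise prefix, so '/srv/uploads' "contains" '/srv/uploads_backup/x'."""
    return os.path.normpath(target).startswith(os.path.normpath(base))


def is_within_commonprefix(base: str, target: str) -> bool:
    """Flawed in the same way: os.path.commonprefix() compares characters, not components."""
    base, target = os.path.normpath(base), os.path.normpath(target)
    return os.path.commonprefix([base, target]) == base


def is_within(base: str, target: str) -> bool:
    """Correct: resolve both paths, then compare path components."""
    base_abs, target_abs = os.path.realpath(base), os.path.realpath(target)
    try:
        return os.path.commonpath([base_abs, target_abs]) == base_abs
    except ValueError:  # e.g. different drives on Windows
        return False


def escaping_members(tar_bytes: bytes, dest: str) -> list[str]:
    """Names of members whose file, symlink target, or hard-link target would land
    outside dest. An empty list means the archive is safe to extract there."""
    dest_abs = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest_abs, m.name)   # absolute m.name discards dest_abs
            ok = is_within(dest_abs, target)
            if ok and m.issym():    # symlink target is relative to the member's directory
                ok = is_within(dest_abs, os.path.join(os.path.dirname(target), m.linkname))
            elif ok and m.islnk():  # hard-link target is relative to the archive root
                ok = is_within(dest_abs, os.path.join(dest_abs, m.linkname))
            if not ok:
                bad.append(m.name)
    return bad


def safe_extractall(tar_bytes: bytes, dest: str) -> None:
    """Refuse the whole archive before writing anything if any member escapes."""
    bad = escaping_members(tar_bytes, dest)
    if bad:
        raise ValueError(f"archive members escape {dest}: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        tar.extractall(dest)


def build_tar(files, symlinks=()) -> bytes:
    """Constructed test archives: (name, data) regular files and (name, linkname) symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, linkname in symlinks:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = tarfile.SYMTYPE, linkname
            tar.addfile(info)
    return buf.getvalue()


BENIGN_TAR = build_tar([("docs/readme.txt", b"hello")])
HOSTILE_TAR = build_tar([("../../etc/cron.d/evil", b"* * * * * root id"), ("ok.txt", b"fine")],
                        symlinks=[("passwd", "../../../etc/passwd")])

if __name__ == "__main__":
    base, sibling = "/srv/uploads", "/srv/uploads_backup/secret"
    print("startswith:", is_within_startswith(base, sibling),
          "commonprefix:", is_within_commonprefix(base, sibling),
          "commonpath:", is_within(base, sibling))
    print("escaping members:", escaping_members(HOSTILE_TAR, base))
```

Two details matter for reviewers of a fix like pyLoad's: the check must run on the resolved destination (not the raw member name), and it must reject the whole archive before any member is written, since a partially extracted archive can already have planted the symlink the next member follows.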
-
CVE-2026-35586
MEDIUM
CVSS 6.8
Privilege escalation in pyLoad prior to 0.5.0b3.dev97 allows authenticated users with the SETTINGS permission to bypass admin-only protections and modify SSL certificate and key file paths, because the ADMIN_ONLY_CORE_OPTIONS authorization set uses the wrong option names. The names do not match the real options (ssl_cert/ssl_key versus ssl_certfile/ssl_keyfile), and the ssl_certchain option is omitted from the set entirely, so any SETTINGS-privileged user can overwrite SSL configuration that was intended to be administrator-only. CVSS 6.8 reflects high confidentiality and integrity impact with authenticated access required and high attack complexity.
Python
Authentication Bypass
-
CVE-2026-35584
MEDIUM
CVSS 6.9
Unauthenticated attackers can read arbitrary threads, enumerate thread IDs, and manipulate thread timestamps in FreeScout versions before 1.8.212 via an unvalidated IDOR vulnerability in the GET /thread/read/{conversation_id}/{thread_id} endpoint. The endpoint fails to verify both authentication and thread-conversation association, enabling complete enumeration of help desk conversations and metadata manipulation without credentials. This affects all FreeScout installations below version 1.8.212.
Authentication Bypass
-
CVE-2026-35583
MEDIUM
CVSS 5.3
Emissary versions prior to 8.39.0 allow unauthenticated remote attackers to read arbitrary configuration files through path traversal via the /api/configuration/{name} endpoint. The vulnerability stems from incomplete blacklist validation of configuration names that can be bypassed using URL-encoded variants, double-encoding, or Unicode normalization attacks. No public exploit code or active exploitation has been confirmed.
Path Traversal
-
CVE-2026-35578
MEDIUM
CVSS 5.3
Open redirect vulnerability in ChurchCRM prior to version 7.0.0 allows authenticated users to be redirected to arbitrary URLs via crafted links containing unvalidated redirect parameters, particularly through the 'linkBack' parameter used across multiple application pages including DonatedItemEditor.php. An attacker can create a malicious link that redirects authenticated users to external sites when they interact with UI elements, enabling phishing attacks and credential theft. The vulnerability requires an authenticated user and user interaction (clicking a button), reducing immediate risk but posing moderate concern in social engineering scenarios.
PHP
Open Redirect
-
CVE-2026-35571
MEDIUM
CVSS 4.8
Stored cross-site scripting in Emissary prior to 8.39.0 allows authenticated administrators to inject malicious javascript: URIs into navigation item configuration, which are then rendered unsafely in href attributes viewed by other authenticated users. The vulnerability requires high-privilege administrative access to modify navItems configuration but affects all other users accessing the web interface, with confirmed fix available in version 8.39.0.
XSS
-
CVE-2026-35516
MEDIUM
CVSS 5.0
Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from internal services by updating links to private IP addresses, exposing cloud credentials and internal service metadata. The links:check cron job executes requests without IP filtering, enabling attackers to probe AWS IMDSv1, cloud metadata endpoints, and internal APIs. The vulnerability requires authentication but operates over the network with low complexity, affecting all installations running versions before 2.5.4. No public exploit code or confirmed active exploitation has been identified at time of analysis.
SSRF
-
CVE-2026-35491
MEDIUM
CVSS 6.1
Pi-hole FTL versions 6.0 through 6.5 allow authenticated local users with CLI API session privileges to bypass authorization controls and overwrite configuration settings via Teleporter archive imports. The vulnerability exists because the /api/teleporter endpoint incorrectly permits CLI-scoped sessions (intended to be read-only) to execute privileged Teleporter operations, while the /api/config endpoint correctly enforces restrictions. This authentication bypass is fixed in Pi-hole FTL 6.6.
Authentication Bypass
-
CVE-2026-35487
MEDIUM
CVSS 5.3
Unauthenticated path traversal in text-generation-webui prior to version 4.3 allows remote attackers to read arbitrary .txt files from the server filesystem via the load_prompt() function, with file contents returned directly in API responses. The vulnerability requires no authentication, user interaction, or special conditions, resulting in confidentiality impact with a CVSS score of 5.3. A vendor-released patch is available in version 4.3.
Path Traversal
-
CVE-2026-35484
MEDIUM
CVSS 5.3
Unauthenticated path traversal in text-generation-webui prior to version 4.3 allows remote attackers to read arbitrary YAML files from the server filesystem via the load_preset() function, exposing sensitive credentials such as passwords, API keys, and connection strings in API responses. The vulnerability requires only network access with no authentication, user interaction, or special configuration, making it a practical attack vector despite the moderate CVSS score of 5.3.
Path Traversal
-
CVE-2026-35483
MEDIUM
CVSS 5.3
Unauthenticated path traversal in text-generation-webui prior to version 4.3 enables remote attackers to read arbitrary files with .jinja, .jinja2, .yaml, or .yml extensions from the server filesystem. The vulnerability resides in the load_template() function and allows disclosure of configuration files, templates, and other sensitive data without authentication. The CVSS score of 5.3 reflects low to moderate real-world exploitation risk despite network accessibility, since successful exploitation requires knowledge of file paths and is limited to the permitted extensions.
Path Traversal
-
CVE-2026-35462
MEDIUM
CVSS 4.3
Papra API key expiration validation bypass in versions before 26.4.0 allows authenticated users with expired API keys to maintain indefinite access to protected endpoints. An attacker who obtains or retains a valid API key can continue authenticating even after the key's expiresAt timestamp has passed, enabling persistent unauthorized data access. This affects all Papra deployments using API key authentication without the 26.4.0 patch, though exploitation requires initial possession of a valid API key.
Information Disclosure
-
CVE-2026-35461
MEDIUM
CVSS 5.0
Server-Side Request Forgery (SSRF) in Papra document management platform prior to 26.4.0 allows authenticated users to register arbitrary webhook endpoints without URL validation, enabling the server to make HTTP POST requests to localhost, internal networks, and cloud metadata endpoints on document events. Attack requires valid user authentication and knowledge of internal network topology but can exfiltrate sensitive data from restricted network segments.
SSRF
-
CVE-2026-35460
MEDIUM
CVSS 4.3
Papra document management platform versions prior to 26.4.0 allow authenticated attackers to inject HTML into transactional email templates by registering with a display name containing HTML tags, enabling convincing phishing attacks through legitimate Papra email domains. The vulnerability affects verification and password reset emails, which are sent from official Papra domains, making socially engineered attacks highly credible. No public exploit code or active exploitation has been identified at time of analysis.
XSS
-
CVE-2026-35406
MEDIUM
CVSS 6.2
Aardvark-dns enters an unrecoverable infinite error loop consuming 100% CPU when processing a truncated TCP DNS query followed by a connection reset, causing denial of service to DNS resolution services. The vulnerability affects the aardvark-dns container DNS service and requires local network access to trigger. No public exploit code or active exploitation has been identified, but the trivial attack vector (malformed DNS packets) and high CPU impact make this a practical denial-of-service risk for containerized deployments.
Denial Of Service
-
CVE-2026-34903
MEDIUM
CVSS 5.4
Missing authorization in OceanWP Ocean Extra plugin versions through 2.5.3 allows authenticated users to bypass access control restrictions and perform unauthorized modifications or denial-of-service actions. An attacker with valid user credentials can exploit incorrectly configured access control checks to escalate privileges beyond their intended permission level. No public exploit code has been identified at time of analysis, but the vulnerability has been documented by Patchstack security researchers.
WordPress
PHP
Authentication Bypass
Ocean Extra
-
CVE-2026-34899
MEDIUM
CVSS 5.3
Missing authorization in Eniture Technology LTL Freight Quotes - Worldwide Express Edition plugin (versions through 5.2.1) allows unauthenticated remote attackers to modify data through incorrectly configured access control, affecting WordPress installations. The vulnerability has a CVSS score of 5.3 with no public exploit code confirmed, and affects WordPress plugin deployments where access control security levels are improperly enforced.
WordPress
PHP
Authentication Bypass
Ltl Freight Quotes Worldwide Express Edition
-
CVE-2026-34765
MEDIUM
CVSS 6.0
Electron's window.open() handler fails to properly scope named-window lookups to the opener's browsing context group, allowing a renderer to hijack an existing child window opened by a different renderer and potentially inherit elevated webPreferences including privileged preload scripts. This affects Electron versions before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, and poses a remote code execution risk only in applications that open multiple top-level windows with differing trust levels and grant child windows elevated permissions via setWindowOpenHandler. No public exploit identified at time of analysis.
Microsoft
RCE
Information Disclosure
-
CVE-2026-34371
MEDIUM
CVSS 6.3
Arbitrary file write in LibreChat prior to 0.8.4 allows authenticated users to overwrite arbitrary server files via path traversal in code artifact filenames. The vulnerability affects LibreChat deployments using the default local file storage strategy, where the execute_code sandbox returns a user-controllable filename that is concatenated directly into the file write path without sanitization. An authenticated attacker can craft malicious artifact names containing traversal sequences (e.g., ../../../../../app/client/dist/poc.txt) to write files outside the intended directory, potentially compromising application integrity or enabling remote code execution through client-side file injection.
Path Traversal
-
CVE-2026-34080
MEDIUM
CVSS 6.8
Policy parser vulnerability in xdg-dbus-proxy prior to 0.1.7 allows authenticated local users to bypass eavesdrop restrictions and intercept D-Bus messages by exploiting improper whitespace handling in policy rule parsing. The proxy fails to normalize eavesdrop policy directives, permitting attackers to craft malformed policies (e.g., eavesdrop ='true' with spacing variations) that evade the eavesdrop=true access control checks. No public exploit code has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-33866
MEDIUM
CVSS 5.3
MLflow through version 3.10.1 allows authenticated users to bypass authorization controls and download model artifacts from experiments they lack permission to access via an unprotected AJAX endpoint. The vulnerability requires valid MLflow authentication but no special privileges, enabling lateral access to restricted experiment data. Patch availability confirmed via upstream pull request; CISA SSVC assessment indicates partial technical impact with automatable exploitation path but no confirmed active exploitation.
Authentication Bypass
-
CVE-2026-33865
MEDIUM
CVSS 5.1
Stored cross-site scripting (XSS) in MLflow through version 3.10.1 allows authenticated attackers to inject malicious payloads via YAML-based MLmodel artifacts that execute when other users view the artifact in the web interface, enabling session hijacking or unauthorized actions on behalf of victims. CVSS 5.1 reflects medium severity, tempered by the authentication requirement and the need for user interaction; the SSVC assessment rates exploitation as none, automatable as no, and technical impact as partial. An upstream fix is available in a GitHub PR, though no formally released patched version has been confirmed from the provided data.
XSS
-
CVE-2026-33227
MEDIUM
CVSS 4.3
Improper path validation in Apache ActiveMQ Client and Broker allows authenticated users to traverse the classpath via crafted 'key' values in Stomp consumer creation and Web console message browsing operations, potentially enabling information disclosure or chaining with secondary attacks for greater impact. Affects ActiveMQ Client/Broker versions before 5.19.3 and 6.0.0–6.2.1; patch available in 5.19.4 and 6.2.3 (5.19.3/6.2.2 have platform-specific limitations). EPSS score of 0.04% indicates low real-world exploitation probability despite authenticated attack vector requirement.
Apache
Path Traversal
Microsoft
-
CVE-2026-33033
MEDIUM
CVSS 6.5
Django's MultiPartParser allows authenticated remote attackers to cause denial of service through performance degradation by submitting multipart uploads with Content-Transfer-Encoding: base64 and excessive whitespace. Affected versions include Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30, with unsupported series 5.0.x, 4.1.x, and 3.2.x potentially also vulnerable. The vulnerability has a CVSS 6.5 score reflecting high availability impact but requires authentication (PR:L) and is not actively exploited or publicly weaponized at analysis time.
Python
Information Disclosure
-
CVE-2026-32712
MEDIUM
CVSS 5.4
Stored XSS in Open Source Point of Sale versions prior to 3.4.3 allows authenticated users with customer management permissions to inject malicious JavaScript into customer name fields, which executes when any user views the Daily Sales page. The vulnerability stems from the bootstrap-table column configuration explicitly disabling HTML escaping (escape: false) for the customer_name column, enabling arbitrary script execution with cross-site impact. Vendor-released patch: 3.4.3.
XSS
PHP
-
CVE-2026-32588
MEDIUM
CVSS 6.5
Authenticated denial of service via CQL in Apache Cassandra 4.0 through 5.0 allows authenticated users to elevate query latencies by repeatedly changing passwords, disrupting service availability for legitimate users. The vulnerability affects Cassandra 4.0.0-4.0.19, 4.1.0-4.1.10, and 5.0.0-5.0.6. Vendor-released patches are available (4.0.20, 4.1.11, 5.0.7). With an EPSS score of 0.02% (5th percentile), real-world exploitation risk is minimal despite the moderate CVSS score of 6.5, reflecting the requirement for prior authentication and the low likelihood of widespread abuse.
Apache
Denial Of Service
-
CVE-2026-28810
MEDIUM
CVSS 6.3
Erlang/OTP kernel inet_res DNS resolver uses predictable sequential transaction IDs and lacks source port randomization, enabling DNS cache poisoning attacks against systems relying on this resolver in untrusted network environments. Affects OTP 17.0 through 28.4.2 (and specific patch versions 27.3.4.10, 26.2.5.19); unauthenticated remote attackers who can observe or predict DNS query patterns can forge DNS responses to redirect traffic or execute man-in-the-middle attacks. Vendor-released patches available; no public exploit code or active exploitation confirmed.
Dns
Cache Poisoning
Otp
-
CVE-2026-27315
MEDIUM
CVSS 5.5
Apache Cassandra 4.0 through 4.0.19 stores cleartext passwords and other sensitive command history in the ~/.cassandra/cqlsh_history file without redaction, allowing local authenticated users to extract credentials via direct file access. Vendor-released patch available in version 4.0.20; exploitation requires local file system access and existing user privileges but poses significant risk in multi-tenant or shared system environments.
Apache
Information Disclosure
-
CVE-2026-24147
MEDIUM
CVSS 4.8
NVIDIA Triton Inference Server prior to r26.02 allows unauthenticated remote attackers to trigger information disclosure and denial of service through malicious model configuration uploads, exploiting a path traversal vulnerability (CWE-22) that enables access to sensitive files outside intended directories. The CVSS 4.8 score reflects moderate risk with high attack complexity, though real-world exploitation likelihood depends on network accessibility to model upload endpoints.
Information Disclosure
Nvidia
Denial Of Service
Path Traversal
-
CVE-2026-22711
MEDIUM
CVSS 6.9
Cross-site scripting (XSS) in the Mediawiki Wikilove Extension via improper neutralization of alternate XSS syntax allows unauthenticated remote attackers to inject malicious scripts with low attack complexity. The vulnerability affects Mediawiki Wikilove Extension versions 1.43.7, 1.44.4, and 1.45.2, enabling stored or reflected XSS attacks that can compromise user sessions, steal credentials, or deface wiki content. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires no user interaction or privileges, making it a moderate-risk priority for affected wiki administrators.
XSS
-
CVE-2026-22680
MEDIUM
CVSS 6.9
OpenViking versions prior to 0.3.3 expose a missing authorization vulnerability in task polling endpoints that allows unauthenticated remote attackers to enumerate and retrieve background task metadata created by other users, exposing task types, status, resource identifiers, archive URIs, result payloads, and error information. This vulnerability enables information disclosure with a CVSS score of 6.9 and carries particular risk in multi-tenant deployments where cross-tenant data leakage could occur. No public exploit code has been identified at the time of analysis, though the vulnerability requires only network access and no special attack complexity.
Authentication Bypass
-
CVE-2026-20446
MEDIUM
CVSS 4.3
Integer overflow in MediaTek secure boot (sec boot) leads to out-of-bounds write causing local denial of service on affected MediaTek chipsets. Attack requires physical device access and local user execution privileges, with no user interaction needed. EPSS score of 0.02% and CISA SSVC assessment of 'none' exploitation status indicate low real-world risk despite the moderate CVSS base score of 4.3.
Integer Overflow
Denial Of Service
Mediatek Chipset
-
CVE-2026-20431
MEDIUM
CVSS 6.5
Remote denial of service in MediaTek modem chipsets allows unauthenticated attackers to crash the system via a logic error when connecting to a rogue base station. The vulnerability affects 19 MediaTek chipset models (MT8678, MT6899, MT6897, and others) with no authentication or user interaction required. EPSS score of 0.08% (24th percentile) and CISA SSVC framework rating of no confirmed exploitation and partial technical impact suggest this is a low real-world priority despite the moderate CVSS 6.5 score.
Denial Of Service
-
CVE-2026-5762
MEDIUM
CVSS 5.3
Denial-of-service via unthrottled resource allocation in the Wikimedia MediaWiki ReportIncident Extension allows authenticated remote attackers to trigger HTTP DoS by exhausting server resources without rate limiting. Affected versions include ReportIncident 1.43.7, 1.44.4, and 1.45.2. No public exploit code or active exploitation has been confirmed at time of analysis.
Denial Of Service
-
CVE-2026-5745
MEDIUM
CVSS 5.5
Libarchive's archive_acl_from_text_nl() function fails to validate malformed ACL strings before dereferencing pointers, allowing local attackers to crash applications that process untrusted archives via specially crafted ACL fields. This NULL pointer dereference results in denial of service with high availability impact. CVSS 5.5 reflects local attack vector and user interaction requirement; no public exploit code or active exploitation confirmed at analysis time.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-5741
MEDIUM
CVSS 6.9
Remote code execution via OS command injection in suvarchal docker-mcp-server through 0.1.0 allows unauthenticated attackers to execute arbitrary commands by manipulating the stop_container, remove_container, or pull_image HTTP interface functions. Publicly available exploit code exists, and while the vendor was notified early through GitHub issue #3, no patch has been released as of the analysis date.
Docker
Command Injection
-
CVE-2026-5739
MEDIUM
CVSS 6.9
Remote code injection in PowerJob 5.1.0, 5.1.1, and 5.1.2 allows unauthenticated attackers to execute arbitrary code via the GroovyEvaluator.evaluate function in the OpenAPI endpoint /openApi/addWorkflowNode by manipulating the nodeParams argument. The vulnerability exploits unsafe Groovy code evaluation without input sanitization, enabling full remote code execution (CVSS 6.9/10, low attack complexity). No public exploit code is confirmed at time of analysis, and the vendor has not yet responded to the early disclosure notification.
Code Injection
RCE
-
CVE-2026-5736
MEDIUM
CVSS 6.9
SQL injection in PowerJob 5.1.0 through 5.1.2 allows remote attackers to execute arbitrary SQL queries via the customQuery parameter in the detailPlus endpoint of InstanceController.java, potentially enabling unauthorized data access or modification. The vulnerability is remotely exploitable without authentication (CVSS 6.9, EPSS P), with a GitHub pull request indicating a fix is under review but not yet released as a patched version.
Java
SQLi
-
CVE-2026-5719
MEDIUM
CVSS 5.3
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the code parameter in /borrowedtool.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has a CVSS score of 6.3 (Medium) with publicly available exploit code; exploitation requires valid user credentials but no user interaction.
PHP
SQLi
Construction Management System
-
CVE-2026-5705
MEDIUM
CVSS 5.3
Reflected cross-site scripting (XSS) in code-projects Online Hotel Booking 1.0 allows unauthenticated remote attackers to inject malicious scripts via the roomname parameter in the /booknow.php endpoint, exploitable through user interaction (UI:P). Publicly available exploit code exists for this vulnerability, which carries a moderate CVSS score of 5.3 but limited impact scope (information disclosure only, no integrity or availability impact).
PHP
XSS
-
CVE-2026-5384
MEDIUM
CVSS 5.8
Credential scope bypass in runZero Platform allows high-privileged administrators to update credentials and apply them to tasks outside their authorized organization scope, resulting in unauthorized information disclosure. The vulnerability affects runZero Platform versions prior to 4.0.26021.0 and requires administrative privileges to exploit. No public exploit code or confirmed active exploitation has been identified.
Authentication Bypass
-
CVE-2026-5383
MEDIUM
CVSS 4.4
runZero Explorer versions prior to 4.0.260208.0 allow high-privileged authenticated users to access Explorer groups outside their authorized organization scope, enabling unauthorized cross-organizational information disclosure and potential service disruption. The vulnerability stems from incorrect authorization controls (CWE-863) and requires administrator-level credentials and high attack complexity to exploit. No public exploit code or active exploitation has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-5380
MEDIUM
CVSS 5.3
runZero Platform versions prior to 4.0.260204.2 expose cleartext secrets for a subset of credential types and fields to authorized users due to insufficient credential protection, allowing users with legitimate platform access to view sensitive authentication data they should not be able to access. The vulnerability requires user interaction and has a CVSS score of 5.3 (Medium) with high confidentiality impact but no active exploitation or public exploit code identified at time of analysis.
Authentication Bypass
-
CVE-2026-5378
MEDIUM
CVSS 5.8
runZero Platform allows high-privileged administrators to create and update users outside their authorized organization scope due to improper authorization checks, enabling privilege escalation and cross-organizational user manipulation. Versions prior to 4.0.260203.0 are affected. The vulnerability requires high-privilege authentication but can impact multiple organizations within a multi-tenant deployment, making it a significant risk for runZero deployments where administrative role separation is enforced.
Authentication Bypass
-
CVE-2026-5376
MEDIUM
CVSS 5.9
Session inactivity timeouts fail to trigger in runZero Platform due to automatic page reloading, allowing authenticated administrators to maintain unauthorized access beyond intended session expiration windows. This CWE-613 resource control vulnerability affects runZero Platform versions prior to 4.0.260203.0 and requires high-privilege authentication, with confirmed confidentiality and integrity impacts. No public exploit code or active exploitation has been reported.
Information Disclosure
-
CVE-2026-5374
MEDIUM
CVSS 5.8
runZero Platform versions prior to 4.0.260202.0 allow authenticated administrators with high privileges to access remediation and asset information across organizational boundaries through MCP agents, exposing sensitive data from unauthorized organization scopes. The vulnerability stems from improper authorization controls (CWE-863) and requires high-privilege account compromise to exploit, carrying a CVSS score of 5.8 (Medium). Vendor-released patch version 4.0.260202.0 resolves this issue.
Authentication Bypass
-
CVE-2026-5372
MEDIUM
CVSS 6.4
SQL injection in runZero Platform versions 4.0.260123.0 through 4.0.260123.0 allows authenticated high-privileged users to execute arbitrary SQL commands via improperly sanitized saved query parameters, potentially leading to unauthorized data access, modification, or deletion. The vulnerability requires high privileges, user interaction, and non-standard attack complexity, resulting in a CVSS 6.4 medium severity rating. Vendor-released patch version 4.0.260123.1 addresses the issue.
SQLi
-
CVE-2026-4931
MEDIUM
CVSS 6.8
Marginal v1 smart contract implements an unsafe numeric downcast that enables attackers to settle large debt positions using negligible asset amounts, creating a critical financial manipulation vector in the DeFi protocol. The vulnerability affects Marginal Smart Contract v1 across all deployment instances accessible via the public blockchain network. An attacker can exploit this type confusion flaw to bypass intended collateral requirements and artificially close positions at drastically undervalued rates, causing financial loss to the protocol and legitimate liquidity providers.
Information Disclosure
-
CVE-2026-4420
MEDIUM
CVSS 5.1
Stored XSS in Bludit page creation functionality allows authenticated users with author privileges or higher to inject malicious JavaScript via the tags field, executing arbitrary code in victims' browsers when they access the affected page. Bludit versions 3.17.2 and 3.18.0 are confirmed vulnerable; the vendor did not respond with remediation details or clarify the full version range affected. This vulnerability poses moderate immediate risk (CVSS 5.1) but carries elevated concern because injected scripts could escalate privileges to administrator level if the victim has sufficient permissions, and the malicious resource is accessible without authentication.
WordPress
PHP
XSS
Bludit
-
CVE-2026-4079
MEDIUM
CVSS 6.5
SQL injection in SQL Chart Builder WordPress plugin before version 2.3.8 allows remote attackers to execute arbitrary SQL queries through the dynamic filter functionality due to improper input escaping. The vulnerability affects all versions before 2.3.8, requires no authentication or user interaction, and carries a moderate CVSS score of 6.5 with low real-world exploitation probability (EPSS 0.02%). Publicly available exploit code exists, though the low EPSS percentile suggests limited active exploitation relative to the attack surface.
WordPress
SQLi
-
CVE-2026-4065
MEDIUM
CVSS 5.4
Smart Slider 3 plugin for WordPress through version 3.5.1.33 allows authenticated attackers with Contributor-level access to enumerate slider metadata and create, modify, or delete image storage records due to missing capability checks in multiple AJAX controller actions. The vulnerability exploits exposed nonce tokens on post editor pages combined with incomplete permission validation, enabling privilege escalation from Contributor to administrative-equivalent capabilities for slider management without requiring unfiltered_html permissions. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-3177
MEDIUM
CVSS 5.3
Unauthenticated attackers can forge Stripe webhook events in the Charitable donation plugin for WordPress up to version 1.8.9.7, allowing them to mark pending donations as completed without processing actual payments. The plugin fails to cryptographically verify incoming webhook payloads, enabling attackers to manipulate donation records and bypass payment validation. This impacts all WordPress sites using affected versions and could result in financial loss for fundraising organizations.
WordPress
PHP
Authentication Bypass
Charitable Donation Plugin For Wordpress Fundraising With Recurring Donations More
-
CVE-2026-1900
MEDIUM
CVSS 6.5
Unauthenticated attackers can modify plugin settings via a publicly accessible REST endpoint in Link Whisper Free WordPress plugin before version 0.9.1, enabling information disclosure and unauthorized configuration changes. The vulnerability has publicly available exploit code and affects all versions prior to 0.9.1. Although the CVSS score is 6.5 (medium), the EPSS score of 0.02% indicates very low real-world exploitation probability despite public POC availability.
WordPress
PHP
Authentication Bypass
Link Whisper Free
-
CVE-2026-1839
MEDIUM
CVSS 6.5
Remote code execution in HuggingFace Transformers library allows arbitrary code execution via malicious checkpoint files. The `_load_rng_state()` method in the `Trainer` class calls `torch.load()` without the `weights_only=True` parameter, enabling deserialization attacks when PyTorch versions below 2.6 are used with torch>=2.2. An attacker can craft a malicious `rng_state.pth` checkpoint file that executes arbitrary code when loaded by an application using affected Transformers versions. The fix is available in version v5.0.0rc3, and no public exploit has been independently confirmed at time of analysis.
Hugging Face
Pytorch
Python
AI / ML
RCE
-
CVE-2026-1079
MEDIUM
CVSS 6.0
Remote code execution via malicious websites targeting Pega Browser Extension (PBE) allows unauthenticated attackers to trigger unexpected message boxes and cause availability impact on affected systems. All versions of Pega Browser Extension prior to 3.1.45 are vulnerable; the attack requires user interaction (navigation to a malicious website) but no special privileges. CVSS 6.0 score reflects the moderate severity with high availability impact potential. No active exploitation or public exploit code has been identified at the time of analysis.
Authentication Bypass
-
CVE-2025-70844
MEDIUM
CVSS 6.1
Stored cross-site scripting (XSS) in yaffa v2.0.0 allows unauthenticated remote attackers to inject malicious JavaScript via the 'Add Account Group' function, enabling arbitrary script execution in the browsers of users who view the affected page. The vulnerability requires user interaction (clicking/viewing) to trigger but can compromise account confidentiality and integrity for affected users. EPSS exploitation probability is minimal at 0.02%, indicating low real-world exploitation likelihood despite the moderate CVSS score of 6.1.
RCE
XSS
Code Injection
N A
-
CVE-2025-65116
MEDIUM
CVSS 5.5
Buffer overflow in Hitachi JP1/IT Desktop Management suite and Job Management Partner 1 software on Windows allows local authenticated users to cause denial of service by triggering memory corruption in affected manager and client components. The vulnerability spans multiple product lines and versions, with CVSS 5.5 indicating moderate local attack surface; active exploitation status not confirmed.
Windows
Buffer Overflow
Jp1 It Desktop Management 2 Manager
Jp1 It Desktop Management 2 Operations Director
Job Management Partner 1 It Desktop Management 2 Manager
-
CVE-2025-24819
MEDIUM
CVSS 5.7
Relative path traversal in Nokia MantaRay NM Software Manager allows authenticated local network attackers to read sensitive files on the affected system. The vulnerability stems from improper validation of input parameters in the file system handling code, enabling an attacker with local network access and low privileges to enumerate and access files outside the intended directory structure without modifying or disrupting them. No public exploit code or active exploitation has been confirmed at the time of analysis.
Nokia
Path Traversal
-
CVE-2025-20628
MEDIUM
CVSS 6.9
Remote attackers can spoof client-mode Remote Connector Servers in PingIDM to intercept and modify identity security properties including passwords and account recovery information, due to insufficient access control granularity that prevents administrators from properly restricting RCS communications. This vulnerability affects PingIDM deployments using Remote Connector Servers in client mode and requires specific RCS configuration to be exploitable; no public exploit code has been identified at the time of analysis.
Information Disclosure
-
CVE-2025-15611
MEDIUM
CVSS 5.4
Cross-Site Request Forgery in Popup Box WordPress plugin before 5.5.0 allows authenticated admins to be tricked into creating or modifying popups containing arbitrary JavaScript via missing nonce validation in the add_or_edit_popupbox() function. While the CVSS score of 5.4 reflects moderate severity, the EPSS score of 0.02% (6th percentile) indicates very low real-world exploitation probability despite publicly available proof-of-concept code, suggesting this vulnerability requires precise social engineering to be actionable in practice.
WordPress
CSRF
SSRF
-
CVE-2025-14944
MEDIUM
CVSS 5.3
Unauthenticated attackers can trigger backup upload queue processing in Backup Migration plugin for WordPress (all versions up to 2.0.0) via the 'initializeOfflineAjax' AJAX endpoint, which lacks capability checks and relies on publicly exposed hardcoded tokens for validation. This allows remote attackers to cause unexpected backup transfers to cloud storage and resource exhaustion without authentication or user interaction. CVSS 5.3 (medium), no confirmed active exploitation reported.
WordPress
Authentication Bypass
Denial Of Service
-
CVE-2025-14858
MEDIUM
CVSS 5.1
Information disclosure vulnerability in Semtech LR11xx LoRa transceivers (LR1110, LR1120, LR1121) allows attackers with physical SPI interface access to retrieve decrypted firmware contents by exploiting improper memory cleanup after firmware validation. The device fails to clear the last decrypted firmware block from memory after integrity checks complete, enabling an attacker to bypass firmware encryption protection via subsequent SPI memory read commands. This affects early firmware versions and requires direct physical access to the SPI interface.
Information Disclosure
-
CVE-2025-14857
MEDIUM
CVSS 5.4
Stack memory write protection bypass in Semtech LoRa LR11xx transceiver firmware allows physical attackers with SPI interface access to overwrite the program call stack and achieve limited arbitrary code execution during an active session. The vulnerability affects LR1110, LR1120, and LR1121 devices running early firmware versions; however, impact is constrained to the current attack session because secure boot prevents persistent firmware modification, cryptographic keys remain isolated, and all changes revert upon device reboot or loss of physical access. CVSS 5.4 (moderate) reflects the physical attack requirement despite high confidentiality and integrity impact.
RCE
-
CVE-2025-13044
MEDIUM
CVSS 6.2
IBM Concert versions 1.0.0 through 2.2.0 create temporary files with predictable names, allowing local unauthenticated attackers to overwrite arbitrary files through symlink attacks. An attacker with local system access can exploit this insecure temporary file handling to modify critical application or system files, achieving high integrity impact. No public exploit code or active exploitation has been confirmed at time of analysis.
IBM
Information Disclosure
-
CVE-2026-39349
LOW
CVSS 2.1
OrangeHRM 5.0 through 5.8 uses AES encryption in ECB mode for sensitive fields, allowing attackers with high-level privileges to infer patterns in encrypted data through block-aligned plaintext analysis. This cryptographic weakness does not enable direct decryption but permits pattern disclosure against stored sensitive information, classified as information disclosure with low confidentiality impact. The vulnerability is fixed in version 5.8.1, and exploitation requires network access, high administrative privileges, and specific timing conditions that make real-world exploitation unlikely despite the remotely accessible attack vector.
Information Disclosure
-
CVE-2026-34781
LOW
CVSS 2.8
Denial of service in Electron's clipboard.readImage() allows local authenticated attackers to crash applications by supplying malformed image data on the system clipboard. The vulnerability affects Electron versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, but only impacts apps that explicitly call clipboard.readImage(). No code execution or memory corruption is possible; the attack results in a controlled process abort when a null bitmap is passed unchecked to image construction. Vendor-released patches are available across all supported release lines.
Denial Of Service
RCE
Null Pointer Dereference
Buffer Overflow
-
CVE-2026-31789
None
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker ca...
Memory Corruption
OpenSSL
Buffer Overflow
RCE
-
CVE-2026-28387
None
Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences...
Memory Corruption
Use After Free
Denial Of Service
RCE
OpenSSL
-
CVE-2026-27949
LOW
CVSS 2.0
Plane project management tool versions prior to 1.3.0 leak user email addresses in authentication error URLs, transmitting personally identifiable information via unencrypted GET query parameters. The vulnerability requires high-privilege access and user interaction to trigger, exposing email disclosure with low confidentiality impact and no integrity or availability consequences. This is a low-severity information disclosure issue with CVSS 2.0, actively patched in version 1.3.0.
Information Disclosure
-
CVE-2026-5382
LOW
CVSS 3.0
Incorrect authorization in runZero Platform MCP endpoints allows authenticated high-privilege users to access records outside their authorized organization scope, exposing sensitive data across organizational boundaries. The vulnerability affects runZero Platform versions prior to 4.0.260206.0 and requires high-privilege credentials to exploit, resulting in limited confidentiality impact. No public exploit code or active exploitation has been identified.
Authentication Bypass
-
CVE-2026-5381
LOW
CVSS 2.2
runZero Platform versions prior to 4.0.260205.0 contain an incorrect authorization flaw that allows authenticated high-privileged users to access task information outside their authorized organization scope via network-based vectors with high complexity. The vulnerability is low-severity (CVSS 2.2) and limited to confidentiality impact (information disclosure), with no public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-5379
LOW
CVSS 3.0
runZero Platform versions prior to 4.0.260203.0 allow authenticated high-privilege MCP agents to access certificate information outside their authorized organization scope, enabling lateral information disclosure across organizational boundaries. The vulnerability stems from improper authorization checks (CWE-863) and carries a CVSS score of 3.0 (Low) due to high attack complexity and privilege requirements; no public exploit code or active exploitation has been identified.
Authentication Bypass
-
CVE-2026-5375
LOW
CVSS 2.7
runZero Platform API exposes sensitive credential fields to high-privilege users via unauthenticated remote requests, allowing information disclosure of confidential data. Affected versions prior to 4.0.260203.0 permit high-privilege account holders to retrieve sensitive fields through API responses that should be restricted. The vulnerability requires high privileges (PR:H) and has low real-world impact (CVSS 2.7), but affects the core credential management functionality of the runZero asset intelligence platform.
Information Disclosure
-
CVE-2026-4292
LOW
CVSS 2.7
Django admin changelist forms with ModelAdmin.list_editable enabled allow high-privileged users to create new instances via forged POST requests, bypassing intended access controls. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30; unsupported versions 5.0.x, 4.1.x, and 3.2.x may also be vulnerable. The vulnerability requires admin-level privileges and results in unauthorized data modification rather than data exposure or availability impact. No public exploit code or active exploitation has been confirmed at time of analysis.
Authentication Bypass
Python