Skip to main content
CVE-2025-69515 CRITICAL Act Now

GPS spoofing vulnerability in JXL 9 Inch Car Android Double Din Player (Android 12.0) allows unauthenticated remote attackers to inject falsified GPS signals that the infotainment system accepts as legitimate, forcing incorrect or static location reporting. Exploitation requires no user interaction and achieves high integrity and availability impact through manipulation of navigation data. No public exploit identified at time of analysis. CVSS 9.1 reflects network-accessible attack vector with low complexity.

Google Information Disclosure N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-35580 CRITICAL PATCH GHSA Act Now

Shell command injection in Emissary workflow engine below version 8.39.0 allows high-privileged attackers with repository write access to execute arbitrary commands via GitHub Actions workflow_dispatch inputs. Attackers exploit unsanitized ${{ }} expression syntax in workflow files to inject malicious shell commands, enabling repository poisoning and supply chain attacks affecting downstream users. CVSS 9.1 (Critical) with Changed scope indicates potential to compromise beyond the vulnerable component. No public exploit code or CISA KEV listing identified at time of analysis, though exploitation requires only repository write access with low attack complexity.

Command Injection Suse
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-39846 CRITICAL PATCH GHSA Act Now

Remote code execution in SiYuan desktop client (Electron-based) versions prior to 3.6.4 allows authenticated attackers to execute arbitrary code on victim systems via malicious notes propagated through workspace sync. Stored XSS in table caption fields escalates to RCE due to nodeIntegration enabled and contextIsolation disabled in Electron renderer. CVSS 9.0 (Critical) with scope change indicates escape from browser context. No active exploitation confirmed (not in CISA KEV). EPSS score 0.14% suggests low current exploitation probability. Vendor-released patch: version 3.6.4.

XSS Node.js RCE
NVD GitHub
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-39328 HIGH PATCH This Week

ChurchCRM church management system versions before 7.1.0 allow authenticated users with EditSelf permission to exfiltrate administrator session cookies through stored XSS in social media profile fields. Attackers chain JavaScript payloads across Facebook, LinkedIn, and X fields using onfocus event handlers to bypass 50-character limits, automatically executing when any user (including administrators) views the malicious profile. No public exploit code or confirmed active exploitation identified at time of analysis, though EPSS data unavailable. CVSS 8.9 reflects high impact but requires authenticated access and user interaction.

XSS Crm
NVD GitHub
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-35521 HIGH PATCH This Week

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary system commands by injecting malicious dnsmasq configuration directives through newline characters in the DHCP hosts configuration parameter. Exploitation requires low-complexity network access with low-level authentication (CVSS 8.8, AV:N/AC:L/PR:L). No public exploit identified at time of analysis, though the vulnerability's straightforward injection mechanism and the popularity of Pi-hole as a DNS/DHCP solution elevate practical risk for environments with multiple administrative users or compromised credentials.

Command Injection RCE Ftl
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-35520 HIGH PATCH This Week

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary dnsmasq configuration directives via newline character injection in the DHCP lease time parameter (dhcp.leaseTime), leading to command execution on the underlying system. Affects the FTLDNS component that provides Pi-hole's interactive API and web statistics. No public exploit identified at time of analysis, though exploitation requires only low-complexity attack methods with network access and low-privilege authentication (CVSS 8.8).

RCE Command Injection Ftl
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-35519 HIGH PATCH This Week

Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via newline injection in DNS host record configuration. The vulnerability exploits improper input sanitization in the dns.hostRecord parameter, enabling injection of malicious dnsmasq directives that execute at the system level. With CVSS 8.8 (network-accessible, low complexity, requires low-privilege authentication), this represents a critical risk for Pi-hole deployments where administrative access controls are weak. No public exploit identified at time of analysis, though the attack vector is straightforward for authenticated users.

RCE Command Injection Ftl
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-35518 HIGH PATCH This Week

Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary system commands by injecting malicious dnsmasq configuration directives through newline characters in the DNS CNAME records parameter (dns.cnameRecords). Authentication requirements confirmed (CVSS PR:L - low privileges required). Publicly available exploit code exists. CVSS 8.8 with network attack vector and low complexity indicates high exploitability once authenticated access is obtained.

RCE Command Injection Ftl
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-35517 HIGH PATCH This Week

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges to execute arbitrary system commands by injecting newline-delimited dnsmasq configuration directives into the upstream DNS servers parameter (dns.upstreams). The vulnerability requires network access with authentication (CVSS:3.1 PR:L) but has low attack complexity and no user interaction required. No public exploit identified at time of analysis, though technical details are available in the GitHub Security Advisory.

RCE Command Injection Ftl
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-65115 HIGH PATCH This Week

Remote code execution in Hitachi's JP1/IT Desktop Management suite allows authenticated network attackers to execute arbitrary code on Windows systems running Manager, Operations Director, and Client components. Affects multiple product generations spanning versions 9.x through 13.x across nine distinct product lines. CVSS score of 8.8 reflects network-accessible attack surface with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though CWE-73 (external control of file name or path) indicates potential for path traversal-based exploitation. Hitachi has released patches addressing versions 13-50-02, 13-11-04, 13-10-07, 13-01-07, 13-00-05, and 12-60-12 for actively supported products.

RCE Microsoft
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-20433 HIGH This Week

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-controlled rogue cellular base stations. The vulnerability affects over 60 MediaTek chipset models widely deployed in smartphones and IoT devices, exploitable by adjacent network attackers without authentication (CVSS:3.1 AV:A/PR:N). While EPSS scores this at only 6% exploitation probability (18th percentile) and no active exploitation is confirmed at time of analysis, the attack s

Buffer Overflow Privilege Escalation Memory Corruption Mediatek Chipset
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-5465 HIGH This Week

Authenticated privilege escalation to Administrator in Amelia WordPress plugin (all versions ≤2.1.3) allows Provider-level users to hijack any account via Insecure Direct Object Reference. Attackers manipulate the externalId parameter during profile updates to map their session to arbitrary WordPress user IDs, including administrators, bypassing all authorization checks before password reset and user modification operations. EPSS data not provided; no confirmed active exploitation (CISA KEV) at time of analysis, though public exploit code exists via disclosed source code references.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-35567 HIGH PATCH This Week

SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with ManageGroups role to execute arbitrary SQL commands via the NewRole POST parameter in MemberRoleChange.php. The vulnerability requires low-privilege authentication (PR:L) but permits complete database compromise with high confidentiality, integrity, and availability impact. No public exploit code or active exploitation confirmed at time of analysis, though the attack complexity is low (AC:L) and requires no user interaction.

SQLi PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39937 HIGH This Week

Information disclosure in MediaWiki CentralAuth extension exposes sensitive authentication data to unauthorized parties through improper removal before storage or transfer. This affects non-release development branches with network-accessible attack vector requiring no authentication (CVSS:4.0 AV:N/PR:N). While no public exploit or active exploitation (not in CISA KEV) is identified at time of analysis, the CVSS 8.8 rating reflects high confidentiality impact and low complexity, making this a significant risk for organizations running development builds.

Information Disclosure Mediawiki Centralauth Extension
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-35610 HIGH This Week

Privilege escalation in PolarLearn account-management module allows authenticated non-admin users to arbitrarily reset passwords and delete user accounts due to an inverted admin permission check in versions 0-PRERELEASE-14 and earlier. The inverted logic in setCustomPassword() and deleteUser() functions grants administrative capabilities to regular users while blocking legitimate administrators. With a CVSS score of 8.8 and network-based attack vector requiring only low-privilege authentication, this represents a critical account takeover risk. No public exploit identified at time of analysis, though the authentication bypass nature (per tags) makes exploitation straightforward once the flaw is understood.

Authentication Bypass Polarlearn
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5732 HIGH PATCH This Week

Integer overflow in Firefox and Firefox ESR text rendering engine allows remote attackers to achieve arbitrary code execution via specially crafted web content. Affects Firefox versions prior to 149.0.2 and Firefox ESR prior to 140.9.1. Attack requires user interaction (visiting malicious webpage) but no authentication. CVSS 8.8 (High severity). No public exploit identified at time of analysis, though the vulnerability class (integer overflow leading to buffer overflow) is well-understood and exploitable.

Mozilla Integer Overflow Buffer Overflow Firefox Esr
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-23818 HIGH This Week

Open redirect vulnerability in HPE Aruba Networking Private 5G Core On-Prem GUI enables credential harvesting attacks against authenticated users. Remote attackers can craft malicious URLs that redirect victims from the legitimate login flow to attacker-controlled phishing pages designed to capture credentials. With CVSS 8.8 (High) severity and network-reachable attack surface requiring no authentication, this represents significant phishing risk for organizations deploying private 5G infrastructure. No public exploit identified at time of analysis, though exploitation requires minimal technical complexity.

Aruba Open Redirect
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5733 HIGH PATCH This Week

Buffer overflow in Firefox WebGPU implementation allows remote code execution when users interact with malicious web content. Affects all Firefox versions prior to 149.0.2. Network-based attack requires user interaction (visiting crafted webpage) but no authentication. CVSS 8.8 reflects high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though Mozilla's rapid patch release suggests significant risk potential.

Mozilla Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39319 HIGH PATCH This Week

Second-order SQL injection in ChurchCRM FundRaiserEditor.php allows authenticated low-privilege users to extract and modify database contents remotely. All versions prior to 7.1.0 are affected. This network-accessible vulnerability requires minimal attack complexity and no user interaction, enabling authenticated attackers to achieve full database compromise (confidentiality, integrity, and availability impact). EPSS data not available; no public exploit identified at time of analysis, though vulnerability details are disclosed in GitHub security advisory.

PHP SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39334 HIGH PATCH This Week

SQL injection in ChurchCRM 7.0.5 /SettingsIndividual.php endpoint allows authenticated low-privilege users to extract, modify, or delete database contents remotely. The vulnerability exploits insufficient input validation on the type array parameter, enabling arbitrary SQL statement execution. ChurchCRM is an open-source church management system handling sensitive member data including personal information, donations, and pastoral records. Fixed in version 7.1.0. EPSS data unavailable; no public exploit identified at time of analysis; not listed in CISA KEV.

PHP SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39330 HIGH PATCH This Week

SQL injection in ChurchCRM's /PropertyAssign.php endpoint allows authenticated users with 'Manage Groups & Roles' and 'Edit Records' privileges to execute arbitrary SQL commands through the Value parameter. Affecting all versions prior to 7.1.0, attackers can extract sensitive church membership data, modify database records, or potentially achieve complete database compromise. CVSS 8.8 (High) with network-accessible attack vector and low complexity. No public exploit identified at time of analysis, with EPSS data unavailable. Vendor-released patch: version 7.1.0.

PHP SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39329 HIGH PATCH This Week

SQL injection in ChurchCRM /EventNames.php allows authenticated users with AddEvent privileges to execute arbitrary SQL commands via the newEvtTypeCntLst parameter during event type creation. The vulnerability reaches an ON DUPLICATE KEY UPDATE clause where user input is interpolated without sanitization, enabling high-impact database manipulation. Affects all versions prior to 7.1.0. No public exploit identified at time of analysis, though EPSS data not available. Attack requires low-privilege authenticated access but presents high confidentiality, integrity, and availability risk (CVSS 8.8).

PHP SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39327 HIGH PATCH This Week

SQL injection in ChurchCRM 7.0.5 allows authenticated users with 'Manage Groups & Roles' permission to execute arbitrary SQL commands via the NewRole parameter in /MemberRoleChange.php endpoint. This network-accessible vulnerability requires low-complexity exploitation with no user interaction, enabling complete database compromise including data exfiltration and modification. EPSS data unavailable, no CISA KEV listing indicating no confirmed active exploitation at time of analysis, though CVSS 8.8 (High) reflects significant impact potential. Patched in version 7.1.0.

PHP SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39326 HIGH PATCH This Week

SQL injection in ChurchCRM PropertyTypeEditor.php allows authenticated users with menu options privileges to execute arbitrary SQL commands via Name and Description parameters, enabling full database compromise including data extraction and modification. Affects all versions before 7.1.0. CVSS 8.8 (High) with network-accessible attack vector requiring low-privilege authentication. EPSS data not available; no confirmed active exploitation (not in CISA KEV), but publicly disclosed via GitHub Security Advisory increases likelihood of future exploitation attempts.

PHP SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39323 HIGH PATCH This Week

SQL injection in ChurchCRM's PropertyTypeEditor.php allows authenticated users with 'Manage Properties' permission to execute arbitrary SQL commands through unsanitized Name and Description POST parameters. ChurchCRM versions prior to 7.1.0 are affected. The vulnerability relies on inadequate input validation (strip_tags() only) before SQL concatenation, enabling data exfiltration, modification, and deletion. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity once authenticated. EPSS data not provided, but the requirement for authenticated access with specific permissions reduces immediate exploitation surface compared to unauthenticated vulnerabilities.

PHP SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39318 HIGH PATCH This Week

SQL injection in ChurchCRM GroupPropsFormRowOps.php allows authenticated attackers to execute arbitrary SQL commands and extract, modify, or destroy database contents. The Field parameter accepts unsanitized user input that is inserted directly into SQL queries; while mysqli_real_escape_string() is applied, it fails to escape backtick characters, enabling attackers to break out of SQL identifier context. Affects all versions prior to 7.1.0. With network-accessible attack vector (AV:N), low complexity (AC:L), and requiring only low-privilege authentication (PR:L), this vulnerability poses significant risk to church management systems with authenticated user access. EPSS data not available; no CISA KEV status indicating confirmed active exploitation; exploit scenario is straightforward given the technical details disclosed in the GitHub advisory.

PHP SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39317 HIGH PATCH This Week

SQL injection in ChurchCRM's SettingsIndividual.php allows authenticated users to extract sensitive database contents including member personal information, financial records, and credentials. Affecting all versions prior to 7.1.0, attackers with low-privilege accounts can escalate to full database compromise via unsanitized POST parameter array keys used directly in SQL queries. EPSS data not available, but the low attack complexity (AC:L) and network accessibility (AV:N) combined with publicly disclosed technical details create elevated risk for exposed installations. Vendor-released patch available in version 7.1.0.

Information Disclosure PHP SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-27314 HIGH PATCH GHSA This Week

Apache Cassandra 5.0 through 5.0.6 in mTLS environments using MutualTlsAuthenticator allows authenticated users with only CREATE permission to escalate privileges to superuser via certificate identity manipulation through the ADD IDENTITY command. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, with SSVC indicating non-automatable exploitation but total technical impact. Apache released patch version 5.0.7+ addressing this privilege escalation flaw (CWE-267: Privilege Defined With Unsafe Actions).

Privilege Escalation Apache
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30460 HIGH This Week

Authenticated remote code execution in Daylight Studio FuelCMS version 1.5.2 allows low-privileged users to execute arbitrary code via the Blocks module. CVSS 8.8 rating indicates network-accessible attack requiring low-complexity exploitation without user interaction, enabling full system compromise (confidentiality, integrity, availability impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

RCE Code Injection N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-35566 HIGH PATCH This Week

SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with low privileges to execute arbitrary SQL commands via the fund raiser statement report functionality. The vulnerability stems from inadequate input validation of session-based fundraiser identifiers in src/Reports/FundRaiserStatement.php, enabling attackers to achieve complete database compromise including data exfiltration, modification, and potential remote code execution. EPSS exploitation probability and KEV status unavailable, but public advisory exists from GitHub Security (GHSA-grq6-q49f-44xh). No public exploit identified at time of analysis, though SQL injection exploits are well-documented and exploitation complexity is low per CVSS vector (AC:L).

SQLi PHP Crm
NVD GitHub
CVSS 3.1
8.8
CVE-2026-34079 HIGH PATCH This Week

Arbitrary file deletion in Flatpak versions prior to 1.16.4 allows sandboxed applications to delete files on the host system via path traversal during ld.so cache cleanup. The vulnerability stems from improper validation of application-controlled paths when removing outdated cache files, enabling applications to escape sandbox constraints and delete arbitrary host files. No active exploitation or public exploit code is confirmed at time of analysis, though the technical barrier is low given the CVSS vector shows network-accessible attack with low complexity and no authentication required.

Path Traversal Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-31842 HIGH This Week

HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though EPSS data not available and technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.

Request Smuggling Denial Of Service Nginx Node.js
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-35458 HIGH PATCH GHSA This Week

Denial of service in Gotenberg API (≤8.29.1) allows unauthenticated remote attackers to indefinitely hang worker processes via malicious regular expression patterns. The vulnerability stems from missing timeout enforcement in the dlclark/regexp2 library when compiling user-supplied scope patterns, enabling catastrophic backtracking attacks (CWE-1333). With CVSS 4.0 score 8.7 and high availability impact (VA:H), this represents significant service disruption risk. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication (AV:N/PR:N).

Denial Of Service Gotenberg
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-39333 HIGH PATCH This Week

Reflected cross-site scripting (XSS) in ChurchCRM versions prior to 7.1.0 allows authenticated attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs targeting the FindFundRaiser.php endpoint. The vulnerability stems from improper output encoding of DateStart and DateEnd parameters in HTML attributes. CVSS 8.7 reflects the changed scope (S:C) enabling potential session hijacking and account compromise across the church management platform. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though exploitation probability remains moderate given the authenticated requirement and user interaction dependency.

XSS PHP
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-39332 HIGH PATCH This Week

Reflected XSS in ChurchCRM GeoPage.php enables authenticated attackers to execute arbitrary JavaScript in victims' browsers and hijack administrator sessions without user interaction. The vulnerability affects all versions prior to 7.1.0 and leverages autofocus to automatically trigger malicious payloads when authenticated users are socially engineered into submitting a crafted form. Session cookie theft leads to complete account takeover including administrative privileges. No public exploit identified at time of analysis, though technical details are available in the GitHub security advisory.

XSS PHP
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-35576 HIGH PATCH This Week

Stored cross-site scripting in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject malicious JavaScript through the Person Property Management subsystem, executing when other users view affected profiles. This vulnerability persists despite previous CVE-2023-38766 patches and enables session hijacking or account compromise through persistent payload execution. No public exploit identified at time of analysis, though CVSS score of 8.7 reflects high impact with cross-site scripting scope allowing privilege escalation beyond the attacker's session context.

XSS Crm
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-34582 HIGH PATCH This Week

TLS 1.3 client authentication bypass in Botan cryptography library versions prior to 3.11.1 allows unauthenticated remote attackers to skip certificate validation by sending ApplicationData records before the Finished handshake message. Exploiting this vulnerability requires no authentication (PR:N), low attack complexity (AC:L), and no user interaction (UI:N), resulting in complete integrity compromise (VI:H) for TLS 1.3 servers relying on mutual authentication. CVSS 8.7 severity reflects the network-accessible attack surface and direct violation of cryptographic protocol invariants (CWE-841: Improper Enforcement of Behavioral Workflow). No public exploit identified at time of analysis, though the protocol-level flaw in a widely-used cryptographic library presents significant risk to certificate-based access control mechanisms.

Authentication Bypass Botan
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-35554 HIGH PATCH GHSA This Week

Buffer use-after-free in Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. CISA SSVC indicates no active exploitation, non-automatable attack, and partial technical impact. No public exploit identified at time of analysis. EPSS data not provided, but the combination of high CVSS, cross-scope impact (S:C), and dual confidentiality/integrity impact warrants prioritization for environments processing sensitive message streams.

Information Disclosure Memory Corruption Apache Use After Free Deserialization +3
NVD HeroDevs
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-39338 HIGH PATCH This Week

Reflected cross-site scripting (XSS) in ChurchCRM's dashboard search parameter allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers. Versions prior to 7.1.0 fail to sanitize user input, enabling payload execution even when server-side validation triggers HTTP 500 errors. The CVSS v4.0 score of 8.6 reflects network accessibility (AV:N), low complexity (AC:L), no authentication required (PR:N), and high confidentiality/integrity impact (VC:H/VI:H). No public exploit identified at time of analysis, though EPSS data is unavailable for risk quantification.

XSS RCE Churchcrm
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-3466 HIGH PATCH This Week

Stored cross-site scripting in Checkmk dashboard dashlet title links enables authenticated attackers with dashboard creation privileges to execute malicious JavaScript in victims' browsers when they click crafted dashlet links on shared dashboards. Affects Checkmk 2.2.0 (EOL), 2.3.0 before p46, 2.4.0 before p25, and 2.5.0 beta before b3. Vendor-released patches are available for all supported versions. EPSS score of 0.05% (14th percentile) indicates low predicted exploitation probability, and no public exploit identified at time of analysis, though CVSS 8.5 reflects the high impact of successful exploitation (complete confidentiality, integrity, and availability compromise in victim context).

XSS Checkmk
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-32864 HIGH PATCH This Week

Memory corruption via out-of-bounds read in NI LabVIEW's mgcore_SH_25_3!aligned_free() function enables information disclosure or arbitrary code execution when users open maliciously crafted VI files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. CVSS 8.5 severity stems from local attack vector requiring user interaction but no authentication. No public exploit identified at time of analysis, though the vendor advisory confirms the vulnerability's existence and technical details.

Information Disclosure Buffer Overflow RCE Labview
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-32863 HIGH PATCH This Week

Memory corruption in NI LabVIEW 26.1.0 and earlier allows local attackers to execute arbitrary code or disclose sensitive information via maliciously crafted VI files. The vulnerability stems from an out-of-bounds read in sentry_transaction_context_set_operation(), requiring user interaction to open a specially crafted file. CVSS 8.5 (High) with local attack vector and low complexity. No public exploit identified at time of analysis, and EPSS data not available for this recently published CVE.

Information Disclosure Buffer Overflow RCE Labview
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-32862 HIGH PATCH This Week

Memory corruption in NI LabVIEW's ResFileFactory::InitResourceMgr() function allows arbitrary code execution or information disclosure when users open malicious VI files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. CVSS 8.5 severity reflects high impact potential, though exploitation requires user interaction to open a crafted file. No public exploit identified at time of analysis, with EPSS data unavailable for this recently assigned CVE. Local attack vector limits remote exploitation scenarios.

Memory Corruption Information Disclosure Buffer Overflow RCE Labview
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-32861 HIGH PATCH This Week

Memory corruption via out-of-bounds write in NI LabVIEW allows arbitrary code execution and information disclosure when processing maliciously crafted .lvclass files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. Attack requires local access and user interaction to open the weaponized file (CVSS AV:L/UI:P). No public exploit identified at time of analysis, though the vendor advisory confirms the vulnerability and provides remediation guidance.

Memory Corruption Information Disclosure Buffer Overflow RCE Labview
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-32860 HIGH PATCH This Week

Memory corruption via out-of-bounds write in NI LabVIEW allows arbitrary code execution when processing malicious LVLIB files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. Attack requires local access and user interaction to open a specially crafted .lvlib project library file (CVSS 8.5, AV:L/PR:N/UI:P). No public exploit identified at time of analysis. EPSS data not available, but the local attack vector and user interaction requirement significantly limit immediate mass exploitation risk despite high CVSS score.

Memory Corruption Information Disclosure Buffer Overflow RCE Labview
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-22682 HIGH PATCH This Week

Improper access control in OpenHarness (prior to commit 166fcfe) allows local authenticated attackers with influence over agent tool execution to read arbitrary local files and write/overwrite files outside intended repository boundaries. The vulnerability stems from inconsistent parameter handling where the path parameter is not passed to PermissionChecker in four file operation tools (read_file, write_file, edit_file, notebook_edit), enabling bypass of deny rules to access sensitive credentials, SSH keys, and configuration files. Upstream fix available (PR/commit); released patched version not independently confirmed. EPSS data not available; no public exploit identified at time of analysis.

Authentication Bypass Openharness
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-28808 HIGH PATCH This Week

Authorization bypass in Erlang OTP's inets HTTP server allows unanauthenticated remote attackers to execute CGI scripts protected by directory-level access controls. The vulnerability stems from a path mismatch where mod_auth validates access against DocumentRoot-relative paths while mod_cgi executes scripts at ScriptAlias-resolved paths outside DocumentRoot. With CVSS 8.3 (AV:N/AC:L/PR:N), the attack requires no authentication and low complexity but depends on specific ScriptAlias configuration

Authentication Bypass Otp
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-35604 HIGH PATCH GHSA This Week

Authorization bypass in File Browser allows unauthenticated access to shared files after permissions revoked. When administrators revoke a user's Share and Download permissions in File Browser (versions prior to 2.63.1), previously created share links remain accessible to unauthenticated users due to missing permission re-validation in the public share handler. This CWE-863 authorization flaw enables persistent unauthorized data access with high confidentiality impact (CVSS 8.2), though no public exploit or active exploitation (not in CISA KEV) has been identified at time of analysis.

Authentication Bypass Filebrowser
NVD GitHub
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-4740 HIGH PATCH GHSA This Week

Improper certificate validation in Red Hat's Open Cluster Management (OCM) and Multicluster Engine for Kubernetes allows managed cluster administrators with high-level local access to forge client certificates, achieving cross-cluster privilege escalation to other managed clusters including the hub cluster. The CVSS 8.2 rating reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires existing high-privilege local access (PR:H) and local attack vector (AV:L). No public exploit code or CISA KEV listing identified at time of analysis, though technical details are publicly documented in researcher blog post.

Privilege Escalation Red Hat Kubernetes Multicluster Engine For Kubernetes
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-35607 HIGH PATCH GHSA This Week

Auto-provisioned users in File Browser's proxy authentication flow inherit elevated execution permissions that were explicitly blocked in the self-registration flow, enabling unauthorized command execution. Versions prior to 2.63.1 grant execute capabilities to proxy-auth users from global defaults, bypassing security controls added in commit b6a4fb1. This affects File Browser instances using proxy authentication for automatic user provisioning. No public exploit identified at time of analysis, though EPSS probability warrants attention given the network-accessible attack surface and high confidentiality/integrity impact.

Privilege Escalation Filebrowser
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
Prev Page 2 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy