Skip to main content
CVE-2026-34781 LOW PATCH GHSA Monitor

Denial of service in Electron's clipboard.readImage() allows local authenticated attackers to crash applications by supplying malformed image data on the system clipboard. The vulnerability affects Electron versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, but only impacts apps that explicitly call clipboard.readImage(). No code execution or memory corruption is possible; the attack results in a controlled process abort when a null bitmap is passed unchecked to image construction. Vendor-released patches are available across all supported release lines.

Denial Of Service RCE Null Pointer Dereference Buffer Overflow
NVD GitHub
CVSS 3.1
2.8
EPSS
0.0%
CVE-2026-5375 LOW PATCH Monitor

runZero Platform API exposes sensitive credential fields to high-privilege users via unauthenticated remote requests, allowing information disclosure of confidential data. Affected versions prior to 4.0.260203.0 permit high-privilege account holders to retrieve sensitive fields through API responses that should be restricted. The vulnerability requires high privileges (PR:H) and has low real-world impact (CVSS 2.7), but affects the core credential management functionality of the runZero asset intelligence platform.

Information Disclosure Platform
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-4292 LOW PATCH GHSA Monitor

Django admin changelist forms with ModelAdmin.list_editable enabled allow high-privileged users to create new instances via forged POST requests, bypassing intended access controls. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30; unsupported versions 5.0.x, 4.1.x, and 3.2.x may also be vulnerable. The vulnerability requires admin-level privileges and results in unauthorized data modification rather than data exposure or availability impact. No public exploit code or active exploitation has been confirmed at time of analysis.

Authentication Bypass Python
NVD VulDB HeroDevs
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-5381 LOW PATCH Monitor

runZero Platform versions prior to 4.0.260205.0 contain an incorrect authorization flaw that allows authenticated high-privileged users to access task information outside their authorized organization scope via network-based vectors with high complexity. The vulnerability is low-severity (CVSS 2.2) and limited to confidentiality impact (information disclosure), with no public exploit identified at time of analysis.

Authentication Bypass Platform
NVD
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-39349 LOW PATCH Monitor

OrangeHRM 5.0 through 5.8 uses AES encryption in ECB mode for sensitive fields, allowing attackers with high-level privileges to infer patterns in encrypted data through block-aligned plaintext analysis. This cryptographic weakness does not enable direct decryption but permits pattern disclosure against stored sensitive information, classified as information disclosure with low confidentiality impact. The vulnerability is fixed in version 5.8.1, and exploitation requires network access, high administrative privileges, and specific timing conditions that make real-world exploitation unlikely despite the remotely accessible attack vector.

Information Disclosure Orangehrm
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5705 LOW Monitor

Reflected cross-site scripting (XSS) in code-projects Online Hotel Booking 1.0 allows unauthenticated remote attackers to inject malicious scripts via the roomname parameter in the /booknow.php endpoint, exploitable through user interaction (UI:P). Publicly available exploit code exists for this vulnerability, which carries a moderate CVSS score of 5.3 but limited impact scope (information disclosure only, no integrity or availability impact).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-27949 LOW PATCH Monitor

Plane project management tool versions prior to 1.3.0 leak user email addresses in authentication error URLs, transmitting personally identifiable information via unencrypted GET query parameters. The vulnerability requires high-privilege access and user interaction to trigger, exposing email disclosure with low confidentiality impact and no integrity or availability consequences. This is a low-severity information disclosure issue with CVSS 2.0, actively patched in version 1.3.0.

Information Disclosure Plane
NVD GitHub
CVSS 3.1
2.0
EPSS
0.0%
Prev Page 6 of 6

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy