Skip to main content
CVE-2026-5173 HIGH PATCH NEWS This Week

Improper access control in GitLab CE/EE 16.9.6-18.10.2 enables authenticated attackers to invoke unauthorized server-side methods via websocket connections, achieving high-severity information disclosure with changed scope. Affects continuous integration/deployment platforms running vulnerable GitLab instances. Exploitation requires low-privilege authentication but no user interaction, enabling lateral information access across security boundaries.

Information Disclosure Gitlab
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-40032 HIGH PATCH This Week

Command injection in Unix-like Artifacts Collector (UAC) pre-3.3.0-rc1 enables arbitrary code execution through unsanitized placeholder substitution in the _run_command() pipeline. Attackers inject shell metacharacters via %line%, %user%, or %user_home% placeholders processed by foreach iterators and system file parsers, exploiting direct eval() execution without input validation. Exploitation requires local access with user interaction but no authentication, executing commands at UAC process privilege level. No public exploit identified at time of analysis.

Command Injection Uac
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-40031 HIGH PATCH This Week

DLL and shared-library hijacking in ufrisk MemProcFS versions prior to 5.17 enables local arbitrary code execution through six distinct attack surfaces. Unsafe library-loading patterns-including unqualified LoadLibraryU and dlopen calls for vmmpyc, libMSCompression, and plugin DLLs-allow attackers to plant malicious libraries in the working directory or manipulate LD_LIBRARY_PATH. Exploitation requires user interaction (CVSS UI:P) but no authentication (PR:N), achieving high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.

RCE Memprocfs
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-1342 HIGH This Week

Local code execution in IBM Security Verify Access 10.0-10.0.9.1 and 11.0-11.0.2 (both container and non-container deployments) allows unauthenticated local attackers to execute malicious scripts from outside the application's control sphere. This CWE-829 inclusion of functionality from untrusted control sphere vulnerability achieves container escape (scope change to C in CVSS vector), enabling high confidentiality impact and limited integrity/availability impact. No public exploit or active exploitation confirmed at time of analysis, though the low attack complexity (AC:L) and lack of required privileges (PR:N) make this readily exploitable by local users.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-40030 HIGH PATCH This Week

OS command injection in parseusbs (versions prior to 1.9) allows local attackers to execute arbitrary commands through unsanitized volume path arguments passed to the -v flag. The vulnerability stems from passing user-controlled input directly to os.popen() with shell=True during volume enumeration via ls command, enabling shell metacharacter injection. Exploitation requires user interaction to execute parseusbs with a malicious -v argument. No public exploit identified at time of analysis, though proof-of-concept exists in commit history.

Command Injection Parseusbs
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-30650 HIGH PATCH This Week

Privilege escalation in Juniper Networks Junos OS allows high-privileged local attackers to gain root access on Linux-based line cards running Junos OS Evolved. Missing authentication in critical command processing functions enables authenticated administrators with elevated privileges to bypass access controls and execute commands as root on affected hardware modules including MPC7-11, LC2101/2103, LC480/4800/9600, MX304 built-in FPC, MX-SPC3, SRX5K-SPC3, EX9200-40XS, and PTX-series line cards. No public exploit identified at time of analysis.

Authentication Bypass Juniper
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-4788 HIGH PATCH This Week

Sensitive information disclosure in IBM Tivoli Netcool Impact versions 7.1.0.0 through 7.1.0.37 allows local attackers with no authentication required to extract credentials and configuration secrets from application log files. With CVSS 8.4 and High impact to confidentiality, integrity, and availability, the CWE-532 flaw enables privilege escalation through exposed secrets. No public exploit identified at time of analysis, with EPSS data unavailable, though the low attack complexity (AC:L) suggests straightforward exploitation once local access is obtained.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-40027 HIGH PATCH This Week

Path traversal in ALEAPP (Android Logs Events And Protobuf Parser) 3.4.0 and earlier enables arbitrary file writes outside the report directory through malicious NQ_Vault.py artifact parser database entries. Attackers embedding traversal sequences (e.g., ../../../target.bin) in file_name_from database values can overwrite system executables or configuration files, achieving local code execution. Exploitation requires user interaction to process a crafted Android database artifact. CVSS:4.0 base score 8.4 (High). No public exploit identified at time of analysis.

Path Traversal Google RCE
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-40024 HIGH PATCH This Week

Path traversal in The Sleuth Kit (tsk_recover) through version 4.14.0 allows local attackers to write files outside intended recovery directories via malicious filesystem images. Crafted filenames with ../ sequences in processed disk images can overwrite arbitrary files, enabling potential code execution through shell configuration or cron file manipulation. Exploitation requires user interaction (processing attacker-supplied filesystem image). No public exploit identified at time of analysis.

Path Traversal RCE Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-35478 HIGH PATCH This Week

Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API tokens for arbitrary users, including administrators, enabling complete account takeover. Affected versions 0.16.0 through 1.2.6 permit low-privileged users to forge API credentials by manipulating the user field in POST requests to /api/user/tokens/. Resulting tokens provide full API access from any network location without requiring victim interaction. No public exploit identified at time of analysis.

Authentication Bypass Inventree
NVD GitHub
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-34719 HIGH PATCH This Week

Server-side request forgery in Zammad webhook implementation allows authenticated administrators to retrieve confidential cloud provider metadata by exploiting insufficient validation of loopback and link-local addresses. Affects versions before 7.0.1 and 6.5.4. Attackers with privileged access can configure malicious webhook URLs targeting internal infrastructure endpoints, bypassing intended URL scheme restrictions. No public exploit identified at time of analysis. CVSS 8.3 reflects high confidentiality and availability impacts on vulnerable and subsequent systems.

SSRF Zammad
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-39429 HIGH PATCH GHSA This Week

Unauthenticated access to kcp root shard cache server exposes cluster topology, RBAC policies, and API configurations to network-reachable attackers. The cache server at /services/cache/* bypasses authentication and authorization middleware, allowing any attacker with network access to the root shard (CVSS:3.1/AV:N/AC:L/PR:N) to read replicated resources including ClusterRoles, LogicalClusters, Shards, APIExports, and admission control policies. A secondary race condition permits temporary privi

Authentication Bypass Privilege Escalation
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-35525 HIGH PATCH GHSA This Week

Path traversal via symlink in LiquidJS npm package allows authenticated template contributors to read arbitrary filesystem content outside configured template roots. The vulnerability affects applications where untrusted users can influence template directories (uploaded themes, extracted archives, repository-controlled templates). LiquidJS validates template paths using string-based directory containment checks but fails to resolve canonical filesystem paths before file access, enabling symlinks placed within allowed partials/layouts directories to reference external files. Publicly available exploit code exists. No EPSS score available, but impact is limited to information disclosure in specific deployment scenarios requiring attacker filesystem access.

Information Disclosure Canonical
NVD GitHub
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-5208 HIGH PATCH This Week

Command injection in CoolerControl daemon (coolercontrold) versions prior to 4.0.0 allows high-privileged local attackers to escalate privileges to root by embedding malicious bash commands in alert configuration names. The vulnerability enables authenticated administrators to execute arbitrary system commands with root privileges through the alert management interface. EPSS score of 0.05% (17th percentile) indicates low current exploitation probability, with no active exploitation confirmed and CISA SSVC assessment marking exploitation status as 'none' and automatable as 'no'.

Command Injection RCE Suse
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-33810 HIGH PATCH This Week

Certificate validation bypass in Go's crypto/x509 library (versions 1.26.0-1.26.1) allows remote attackers to circumvent DNS name constraints through case-sensitivity mismatches in wildcard Subject Alternative Names. Attackers with certificates from trusted CAs can bypass intended domain restrictions and impersonate constrained subdomains, achieving unauthorized confidentiality access with limited integrity impact. Vendor-released patch available (Go 1.26.2). EPSS score is 0.01% (percentile 0%), indicating very low observed exploitation probability. No public exploit code or CISA KEV listing identified at time of analysis.

Information Disclosure Crypto X509
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-33466 HIGH This Week

Remote code execution in Elastic Logstash versions 8.0.0 through 8.19.13 allows unauthenticated network attackers to write arbitrary files and execute code via malicious compressed archives. The vulnerability exploits improper path validation in archive extraction utilities, enabling attackers who compromise or control update endpoints to deliver path traversal payloads. When automatic pipeline reloading is enabled, arbitrary file writes escalate to full RCE with Logstash process privileges. CVSS 8.1 (High) with network vector but high attack complexity. EPSS data and KEV status not provided; no public exploit confirmed at time of analysis, though the technical details disclosed increase weaponization risk for environments with exposed update mechanisms.

Path Traversal RCE Logstash
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-5436 HIGH This Week

Arbitrary file manipulation in MW WP Form plugin (WordPress) versions ≤5.1.1 allows unauthenticated attackers to move sensitive server files into web-accessible directories, enabling remote code execution. The vulnerability stems from insufficient validation of upload field keys in generate_user_file_dirpath(), exploiting WordPress's path_join() behavior with absolute paths. Attackers inject malicious keys via mwf_upload_files[] POST parameter to relocate critical files like wp-config.php. Exploitation requires forms with enabled file upload fields and 'Saving inquiry data in database' option. No public exploit identified at time of analysis.

PHP Path Traversal WordPress File Upload RCE
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-5915 HIGH PATCH This Week

Out-of-bounds memory write in Google Chrome's WebML component (versions prior to 147.0.7727.55) allows remote attackers to corrupt memory via malicious HTML pages, enabling potential code execution or denial of service. Exploitation requires user interaction to visit a crafted webpage. CVSS 8.1 severity reflects unauthenticated network-based attack with high integrity and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.04%).

Google Information Disclosure Chrome
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-5913 HIGH PATCH This Week

Out-of-bounds read in Google Chrome's Blink rendering engine (versions prior to 147.0.7727.55) allows remote attackers to disclose sensitive memory contents and trigger denial-of-service via malicious HTML pages. Despite an 8.1 CVSS score, this is rated Chromium security severity 'Low', requires user interaction (visiting a crafted page), has minimal real-world exploitation probability (EPSS 0.03%, 10th percentile), and is not actively exploited (no KEV listing). Vendor-released patch available in Chrome 147.0.7727.55.

Buffer Overflow Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-5907 HIGH PATCH This Week

Out-of-bounds memory read in Google Chrome's media subsystem (versions prior to 147.0.7727.55) enables remote attackers to disclose sensitive information and trigger denial-of-service conditions via malicious video files. Exploitation requires user interaction (opening/playing crafted video content). Attack vector is network-based with low complexity and no authentication required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.03%, 10th percentile).

Information Disclosure Buffer Overflow Google Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-39394 HIGH PATCH GHSA This Week

Environment file injection in CI4MS versions prior to 0.31.4.0 allows remote attackers to inject arbitrary configuration directives by exploiting unvalidated newline characters in the host parameter during installation. The Install::index() controller's CSRF protection is intentionally disabled, and InstallFilter bypass is possible when settings cache expires or on fresh deployments. EPSS score of 0.02% (4th percentile) indicates low exploitation probability despite proof-of-concept availability (SSVC: poc). CVSS 8.1 reflects high potential impact but is tempered by high attack complexity (AC:H) requiring specific timing conditions.

CSRF Ci4ms
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-39393 HIGH PATCH GHSA This Week

CI4MS CMS skeleton versions below 0.31.4.0 permit complete application takeover through installation wizard re-access when the database becomes unreachable. Unauthenticated remote attackers exploit a race condition window during cache expiry or database downtime to bypass the install route guard and inject malicious database credentials into the .env configuration file. No active exploitation confirmed (not in CISA KEV), EPSS probability 0.01% indicates low observed targeting. Vendor patch released in version 0.31.4.0.

Authentication Bypass Ci4ms
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-28261 HIGH PATCH This Week

Local privilege escalation in Dell Elastic Cloud Storage (≤3.8.1.7) and ObjectScale (<4.1.0.3, =4.2.0.0) allows authenticated users with low privileges to extract credentials from log files and escalate to compromised account privileges. CVSS 7.8 (High). No public exploit identified at time of analysis. EPSS data not available, but local access requirement and low attack complexity suggest moderate exploitation likelihood in multi-tenant or shared administrative environments.

Dell Information Disclosure Elastic
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27806 HIGH PATCH GHSA This Week

Local privilege escalation to root in Fleet Orbit agent (macOS) allows authenticated local users to inject arbitrary Tcl commands via malformed FileVault password input. The vulnerability stems from unsafe interpolation of user-supplied passwords into expect scripts executed as root. CVSS 7.8 (High) with EPSS data unavailable; no public exploit identified at time of analysis, though exploitation requires only a specially crafted password containing closing brace characters. Impacts organizations using Fleet's macOS disk encryption management.

Command Injection Privilege Escalation
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-5726 HIGH CISA This Week

Stack-based buffer overflow in Delta Electronics ASDA-Soft allows local attackers with no privileges to execute arbitrary code by tricking users into opening a malicious file. The vulnerability achieves complete system compromise (confidentiality, integrity, availability all rated High in CVSS) through user interaction with crafted input. No public exploit identified at time of analysis, though the low attack complexity and lack of required privileges increase realistic exploitation risk once details emerge.

Buffer Overflow Stack Overflow Asda Soft
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-33461 HIGH This Week

Authorization bypass in Elastic Kibana allows authenticated users with limited Fleet privileges to retrieve sensitive configuration data including private keys and authentication tokens through an internal API endpoint. The vulnerability affects network-accessible instances and bypasses intended privilege boundaries by returning full configuration objects without proper authorization checks. CVSS score of 7.7 reflects high confidentiality impact with scope change. No public exploit identified at time of analysis, though the attack vector is straightforward for authenticated users.

Authentication Bypass Elastic Information Disclosure
NVD VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-4498 HIGH This Week

Authenticated Kibana users with Fleet management privileges can read Elasticsearch index data beyond their intended RBAC permissions through debug route handlers in the Fleet plugin. This scope bypass affects Elastic Kibana deployments where users hold Fleet sub-feature privileges (agent policies, settings management). The vulnerability requires low-privilege authentication (PR:L) and has network attack vector (AV:N) with low complexity (AC:L), enabling cross-scope data confidentiality breach (S:C/C:H). No public exploit identified at time of analysis. EPSS data not available, but the specific privilege escalation vector and remote exploitability warrant prioritization in Kibana Fleet deployments.

Privilege Escalation Elastic
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-35446 HIGH PATCH This Week

Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated attackers to bypass directory restrictions in FilesDownloadHandler, enabling unauthorized access to files outside intended download directories. The vulnerability exploits incorrect operation ordering during file access validation, permitting low-privileged authenticated users to exfiltrate sensitive neuroimaging data and project files across organizational boundaries. CVSS 7.7 severity reflects cross-scope confidentiality breach with network accessibility and low attack complexity. No public exploit identified at time of analysis.

Information Disclosure Path Traversal Loris
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-39497 HIGH This Week

Blind SQL injection in FOX WooCommerce Currency Switcher plugin (versions ≤1.4.5) allows authenticated high-privilege users to extract database contents via crafted SQL commands. Attacker requires high-privilege access (PR:H) but can breach scope boundaries (S:C), achieving high confidentiality impact and limited availability disruption. No public exploit identified at time of analysis. Affects WordPress installations using the vulnerable plugin for multi-currency e-commerce functionality.

SQLi WordPress
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-39496 HIGH This Week

SQL injection in YayCommerce YayMail plugin through version 4.3.3 enables authenticated administrators with high privileges to extract sensitive database information via blind SQL injection attacks. The vulnerability allows cross-scope confidentiality impact, meaning attackers can access data beyond their normal authorization boundaries. No public exploit identified at time of analysis, with EPSS score of 0.02% (6th percentile) indicating very low probability of exploitation in the wild.

SQLi Yaymail
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-39487 HIGH This Week

Blind SQL injection in Amelia WordPress plugin (ameliabooking) version 2.1.1 and earlier allows authenticated privileged users to extract database contents through improper input sanitization. The vulnerability requires high-privilege access (administrator-level) but permits cross-scope impact, enabling extraction of confidential data and potential service disruption. CVSS 7.6 severity reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

SQLi Amelia
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-39479 HIGH This Week

Blind SQL injection in Brainstorm Force OttoKit (WordPress plugin suretriggers) versions up to 1.1.20 allows privileged attackers with high-level administrative access to extract sensitive database information and potentially cause service disruptions. CVSS 7.6 severity driven by changed scope (container escape to underlying WordPress database). EPSS score of 0.02% (6th percentile) indicates very low observed exploitation probability. No public exploit identified at time of analysis, and no CISA KEV listing confirms active exploitation.

SQLi Ottokit
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-39475 HIGH This Week

Blind SQL injection in User Feedback WordPress plugin (versions ≤1.10.1) allows authenticated attackers with low privileges to extract database contents through malicious SQL queries. The vulnerability enables cross-scope exploitation with high confidentiality impact and limited availability disruption. EPSS probability is low (0.02%, 6th percentile), no public exploit identified at time of analysis, and exploitation requires authenticated access with low attack complexity.

SQLi User Feedback
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-39466 HIGH This Week

Blind SQL injection in WPMU DEV Broken Link Checker WordPress plugin versions ≤2.4.7 allows authenticated high-privilege users to extract database contents and potentially cause limited availability impact. CVSS 7.6 with scope change indicates potential container escape from plugin context. EPSS score of 0.02% (6th percentile) suggests low immediate exploitation likelihood. No public exploit code or CISA KEV listing identified at time of analysis. Patchstack discovery indicates vulnerability likely responsibly disclosed through bug bounty channel.

SQLi WordPress
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-5301 HIGH PATCH This Week

Remote stored cross-site scripting in CoolerControl UI's log viewer (versions 2.0.0 through 3.x) enables complete service compromise when administrators view poisoned log entries. GitLab-reported vulnerability affects coolercontrol-ui versions before 4.0.0. Attack requires user interaction (administrator must view logs) but no authentication to inject payload. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No public exploit identified at time of analysis, not listed in CISA KEV.

XSS Suse
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-23869 HIGH PATCH GHSA This Week

Denial of service in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0-19.0.4, 19.1.0-19.1.5, 19.2.0-19.2.4) allows unauthenticated remote attackers to cause excessive CPU consumption lasting up to one minute via specially crafted HTTP requests to Server Function endpoints. The malicious payload triggers resource exhaustion without requiring authentication or user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS unavailable).

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-39863 HIGH PATCH This Week

Out-of-bounds memory access in Kamailio SIP server versions before 5.8.8, 6.0.6, and 6.1.1 enables unauthenticated remote attackers to crash server processes via malformed TCP packets. Affects deployments with TCP or TLS listeners enabled. Exploits network-accessible SIP signaling infrastructure without authentication or user interaction, resulting in complete service unavailability. No public exploit identified at time of analysis.

Buffer Overflow Denial Of Service Kamailio
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33756 HIGH PATCH This Week

Denial of service affects Saleor e-commerce platform versions 2.0.0 through 3.22.x via unlimited GraphQL query batching. Unauthenticated remote attackers can submit a single HTTP request containing an unbounded array of GraphQL operations, bypassing per-query complexity controls to exhaust server resources and render the platform unavailable. Vendor-released patches are available across all affected major versions (3.20.118, 3.21.54, 3.22.47, 3.23.0a3). No public exploit identified at time of analysis, though the attack vector is straightforward (CVSS AV:N/AC:L/PR:N).

Denial Of Service Saleor
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-39684 HIGH This Week

Local file inclusion in UnTheme OrganicFood WordPress theme versions up to 3.6.4 enables authenticated attackers with low privileges to read arbitrary files on the server and potentially achieve remote code execution. Exploitation requires network access and high attack complexity (CVSS AC:H), allowing disclosure of sensitive configuration data, credentials, and system files. Authenticated access (PR:L) is required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.05%).

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-39681 HIGH This Week

Local File Inclusion in ApusTheme Homeo WordPress theme versions ≤1.2.59 allows authenticated attackers with low privileges to read arbitrary files on the server via improper file inclusion controls. The vulnerability stems from insufficient validation of file paths in PHP include/require statements, enabling access to sensitive configuration files, credentials, or other restricted content. EPSS score of 0.05% (17th percentile) indicates low predicted exploitation probability, and no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-39679 HIGH This Week

Local File Inclusion in ApusTheme Freeio WordPress theme (versions ≤1.3.21) allows authenticated attackers with low privileges to read arbitrary files on the server via PHP file inclusion flaws. Attack complexity is high (AC:H), requiring specific conditions beyond basic authentication. EPSS probability is low (0.05%, 17th percentile) with no confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-39677 HIGH This Week

Local File Inclusion in Emphires WordPress theme versions ≤3.9 allows authenticated attackers with low privileges to read arbitrary files from the server file system via improper PHP file inclusion controls. Attack complexity is rated high (AC:H), suggesting specific conditions must be met. EPSS exploitation probability is low (0.05%, 17th percentile) with no public exploit identified at time of analysis. Authenticated access requirement and high complexity reduce immediate risk despite CVSS 7.5 rating.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-39623 HIGH This Week

Local file inclusion vulnerability in kutethemes Biolife WordPress theme versions up to 3.2.3 enables authenticated attackers with low privileges to include and execute arbitrary PHP files from the server filesystem via improper filename control in include/require statements. Exploitation requires network access and high complexity conditions (CVSS:3.1 AV:N/AC:H/PR:L), potentially leading to information disclosure, code execution, and full system compromise. No public exploit identified at time of analysis. EPSS score indicates low observed exploitation activity (0.05%).

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-39613 HIGH This Week

Local file inclusion in kutethemes Boutique WordPress theme versions ≤2.3.3 allows authenticated attackers with low privileges to include arbitrary PHP files, leading to high-severity impacts including information disclosure, code execution, and system compromise. Exploitation requires network access with high attack complexity. No public exploit identified at time of analysis. Authenticated attack vector (PR:L) limits exposure to users with existing credentials.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-39611 HIGH This Week

Local File Inclusion vulnerability in KuteShop WordPress theme versions ≤4.2.9 enables authenticated attackers with low privileges to include arbitrary PHP files through improper filename control in require/include statements. Exploitation requires high attack complexity and yields complete confidentiality, integrity, and availability compromise within the application context. No public exploit identified at time of analysis. EPSS 0.05% indicates low observed exploitation activity.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-39544 HIGH This Week

Local file inclusion in themeStek LabtechCO WordPress theme versions through 8.3 allows authenticated attackers with low privileges to read arbitrary files from the web server. Despite the CWE classification mentioning remote file inclusion, available data (tags, Patchstack categorization) confirms this is a local file inclusion vulnerability. EPSS score of 0.05% (17th percentile) indicates low observed exploitation probability in the wild, with no confirmed active exploitation (not in CISA KEV)

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-39538 HIGH This Week

Local File Inclusion in Mikado Core WordPress plugin (≤1.6) allows authenticated remote attackers to read arbitrary files on the server via improper filename control in PHP include/require statements. Despite a 7.5 CVSS score, real-world risk is limited by low-privilege authentication requirement (PR:L) and high attack complexity (AC:H). EPSS exploitation probability is minimal (0.05%, 17th percentile), with no public exploit identified at time of analysis. Reported by Patchstack, this CWE-98 vulnerability enables information disclosure and potential code execution if attackers chain it with file upload or log poisoning techniques.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-35401 HIGH PATCH This Week

GraphQL query complexity abuse in Saleor e-commerce platform enables unauthenticated denial-of-service through alias-based or chained mutation requests. Attackers craft single API calls containing excessive GraphQL operations (mutations/queries) via aliasing or chaining, exhausting server resources and disrupting service availability. Affects Saleor versions 2.0.0 through 3.22.x, with no authentication required for exploitation. Low observed exploitation activity (EPSS <1%). No public exploit identified at time of analysis.

Denial Of Service Saleor
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-39889 HIGH PATCH GHSA This Week

Unauthenticated information disclosure in PraisonAI's A2U event stream server allows remote attackers to intercept real-time AI agent activity including responses, internal reasoning chains, and tool invocation arguments. The create_a2u_routes() function exposes five endpoints (/a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, /a2u/health) without authentication controls. Attackers subscribe via POST /a2u/subscribe to receive subscription IDs, then stream live Server-Sent Events containing sensitive agent outputs. Affects PraisonAI Python package (pkg:pip/praisonai) versions prior to 4.5.115. No public exploit identified at time of analysis.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33350 HIGH PATCH This Week

SQL injection in LORIS neuroimaging research platform versions prior to 27.0.3 and 28.0.1 enables unauthenticated remote attackers to extract or modify database contents via the MRI feedback popup window in the imaging browser module. The vulnerability permits unauthorized access to sensitive neuroimaging research data and project management information without authentication. CVSS 7.5 (High severity) reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis.

SQLi Loris
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy