Skip to main content
CVE-2026-3396 HIGH POC This Week

Time-based SQL injection in WCAPF (WooCommerce Ajax Product Filter) WordPress plugin versions up to 4.2.3 allows unauthenticated remote attackers to extract sensitive database information via the 'post-author' parameter. The vulnerability stems from inadequate input sanitization and SQL query preparation, enabling attackers to append malicious SQL commands to existing queries. EPSS data not provided, but the unauthenticated network-accessible attack vector and public disclosure via Wordfence Threat Intelligence create immediate exploitation risk for WordPress sites using this e-commerce filtering plugin. No active exploitation confirmed (not in CISA KEV), though publicly available proof-of-concept code exists in security advisories.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4338 HIGH POC PATCH This Week

Improper access control in the ActivityPub WordPress plugin before 8.0.2 exposes draft, scheduled, and pending posts to unauthenticated remote users, resulting in confidentiality breach. This information disclosure vulnerability (CVSS 7.5) allows network-based attackers to access unpublished content without authentication or user interaction. Publicly available exploit code exists, though no confirmed active exploitation (not in CISA KEV). EPSS score of 0.02% (6th percentile) suggests low current exploitation probability despite POC availability, but SSVC framework marks it as automatable with partial technical impact.

WordPress Information Disclosure
NVD WPScan
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5815 HIGH POC Monitor

Stack-based buffer overflow in D-Link DIR-645 router (versions 1.01, 1.02, 1.03) via hedwigcgi_main function in /cgi-bin/hedwig.cgi allows authenticated remote attackers to achieve complete system compromise. Exploitation requires low-privilege credentials but no user interaction. Publicly available exploit code exists. Product is end-of-life with no vendor support, making remediation limited to device replacement or network isolation.

D-Link Buffer Overflow Stack Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-39883 HIGH POC PATCH GHSA This Week

Command injection in OpenTelemetry Go SDK allows local attackers to execute arbitrary code by placing malicious `kenv` binary in PATH on BSD and Solaris systems. Vulnerability occurs during resource detection initialization when application resolves bare command name instead of absolute path. Affects DragonFly BSD, FreeBSD, NetBSD, OpenBSD, and Solaris platforms when `/etc/hostid` does not exist. Incomplete fix for prior CVE-2026-24051 left BSD/Solaris code path vulnerable to identical PATH hijacking attack.

RCE
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-39981 HIGH PATCH GHSA This Week

Path traversal in AGiXT Python package (versions ≤1.9.1) allows authenticated attackers to read, write, or delete arbitrary files on the host server. The essential_abilities extension's safe_join() function fails to validate that resolved paths remain within the agent workspace directory, enabling directory traversal sequences (e.g., ../../etc/passwd) to bypass intended file access restrictions. Exploitation requires low-privilege authentication (valid API key) but no user interaction. Public exploit code exists demonstrating /etc/passwd disclosure via the read_file command endpoint.

Path Traversal Denial Of Service RCE Python
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-3243 HIGH This Week

Arbitrary file deletion in DanbiLabs Advanced Members for ACF plugin for WordPress (versions ≤1.2.5) allows authenticated attackers with Subscriber-level privileges to delete critical server files via path traversal, enabling remote code execution by removing wp-config.php or similar critical files. The vulnerability stems from insufficient path validation in the create_crop function and was only partially patched in version 1.2.5, leaving residual risk. CVSS 8.8 (High) reflects network accessibility with low attack complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users.

WordPress PHP RCE Path Traversal
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-39983 HIGH PATCH GHSA This Week

Command injection in basic-ftp npm package v5.2.0 allows unauthenticated remote attackers to inject arbitrary FTP protocol commands via CRLF sequences in file path parameters. Affected methods include cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). Inadequate input sanitization in protectWhitespace() combined with direct socket writes enables attackers to split single FTP commands into multiple commands, leading to unauthorized file deletion, directory manipulation, file exfiltration, or session hijacking. Vendor-released patch available in version 5.2.1. No public exploit identified at time of analysis. EPSS unavailable.

Command Injection Node.js
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
1.2%
CVE-2026-3357 HIGH PATCH This Week

Remote code execution in IBM Langflow Desktop versions 1.6.0 through 1.8.2 allows authenticated attackers to execute arbitrary code via unsafe deserialization in the FAISS component. The vulnerability stems from an insecure default configuration that permits deserialization of untrusted data. With CVSS 8.8 (High) reflecting network accessibility, low complexity, and full impact on confidentiality, integrity, and availability, this represents a critical risk for organizations running affected versions. Vendor-released patch available through IBM security advisory. No public exploit identified at time of analysis, though the attack path is well-understood given the CWE-502 deserialization vulnerability class.

Deserialization RCE IBM
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-32590 HIGH This Week

Authenticated remote code execution in Red Hat Quay 3 and Mirror Registry for Red Hat OpenShift arises from unsafe deserialization (CWE-502) of resumable container image layer upload state stored in the database. An attacker with the privileges needed to initiate image uploads can tamper with intermediate upload data to execute arbitrary code on the Quay server. No public exploit identified at time of analysis; EPSS is low (0.06%) and CISA SSVC marks exploitation status as none, though technical impact is rated total.

Red Hat Deserialization RCE Mirror Registry For Red Hat Openshift Mirror Registry For Red Hat Openshift 2 +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-5884 HIGH PATCH This Week

Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to escape renderer sandbox via malicious HTML page. A remote attacker who has already compromised the renderer process can achieve arbitrary code execution within the sandbox through insufficient input validation in Chrome's Media component. Requires user interaction (visiting crafted page). EPSS score of 0.05% (16th percentile) indicates low observed exploitation probability; no confirmed active exploitation (not in CISA KEV). Vendor patch released in Chrome 147.0.7727.55.

Google RCE Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-5879 HIGH PATCH This Week

Remote code execution in Google Chrome's ANGLE graphics layer on macOS prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser's sandbox via malicious HTML pages. The vulnerability stems from insufficient input validation (CWE-20) in ANGLE, Chrome's OpenGL ES implementation layer. While rated 8.8 CVSS due to complete confidentiality/integrity/availability impact, EPSS exploitation probability is low (0.05%, 16th percentile) with no public exploit identified at time of analysis and no confirmed active exploitation (CISA KEV).

Google RCE Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-39891 HIGH PATCH GHSA This Week

{{self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned")}} to execute rather than render as literal text. Affects PraisonAI pip package. No public exploit identified at time of analysis beyond proof-of-concept in advisory.

RCE Python Code Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5883 HIGH PATCH This Week

Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Use After Free Memory Corruption Google Denial Of Service RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5877 HIGH PATCH This Week

Remote code execution within Chrome's sandbox affects all versions prior to 147.0.7727.55 through a use-after-free vulnerability in the browser's navigation component. Remote attackers can execute arbitrary code by delivering a specially crafted HTML page that triggers memory corruption when a user visits the malicious site. EPSS probability of 0.04% indicates low observed exploitation activity, and no CISA KEV listing confirms this is not confirmed actively exploited at time of analysis. Google has released patches in Chrome 147.0.7727.55.

Denial Of Service RCE Google Memory Corruption Use After Free +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5873 HIGH PATCH This Week

Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to execute arbitrary code within the browser sandbox through crafted HTML pages exploiting out-of-bounds read/write conditions in the V8 JavaScript engine. User interaction (visiting a malicious page) is required, but no authentication is needed. With CVSS 8.8 and low EPSS (0.04%, 11th percentile), this represents a high-severity browser vulnerability with limited observed real-world exploitation activity. Patch available in Chrome 147.0.7727.55. No public exploit identified at time of analysis.

RCE Google Information Disclosure Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5872 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (versions prior to 147.0.7727.55) allows unauthenticated attackers to execute arbitrary code within Chrome's sandbox by delivering a malicious HTML page that triggers a use-after-free vulnerability. While rated High severity (CVSS 8.8) due to complete confidentiality/integrity/availability impact, EPSS scoring places exploitation probability at only 4% (11th percentile), indicating low observed targeting in the wild. No confirmed active exploitation (not in CISA KEV) and no public proof-of-concept identified at time of analysis. Vendor-released patch available in Chrome 147.0.7727.55.

Memory Corruption Denial Of Service Use After Free RCE Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5871 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser sandbox via a maliciously crafted HTML page exploiting a type confusion vulnerability in the V8 JavaScript engine. With CVSS 8.8 (High), network-based attack vector requiring only user interaction, and available vendor patch, this represents a significant but contained threat. EPSS score of 0.04% (11th percentile) indicates low observed exploitation probability, and no active exploitation or public POC is identified at time of analysis. The sandbox containment limits initial impact severity compared to full system compromise.

Memory Corruption Google RCE Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5870 HIGH PATCH This Week

Remote code execution in Google Chrome's Skia graphics library (versions prior to 147.0.7727.55) allows remote attackers to execute arbitrary code within the browser's sandbox via specially crafted HTML pages exploiting an integer overflow vulnerability. Google patched this high-severity flaw in Chrome 147.0.7727.55 released April 2026. No active exploitation confirmed (not on CISA KEV), with low EPSS score (0.04%, 11th percentile) indicating minimal observed exploitation activity. Exploitation requires user interaction (visiting malicious webpage) but no authentication, making it viable for drive-by attacks against unpatched Chrome installations.

Google RCE Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5866 HIGH PATCH This Week

Remote code execution in Google Chrome Media component (versions prior to 147.0.7727.55) enables unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages. Exploitation requires user interaction to visit a malicious site. The use-after-free memory corruption vulnerability achieves high confidentiality, integrity, and availability impact within the sandboxed environment. No public exploit identified at time of analysis.

Google RCE Memory Corruption Denial Of Service Use After Free +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5865 HIGH PATCH This Week

Remote code execution within Chrome's V8 JavaScript sandbox affects Google Chrome versions prior to 147.0.7727.55 through a type confusion vulnerability. Attackers can execute arbitrary code by convincing users to visit a malicious webpage, requiring no authentication. Vendor-released patch available (Chrome 147.0.7727.55). No public exploit identified at time of analysis, with EPSS probability at 0.04% (11th percentile) indicating low observed exploitation likelihood despite high CVSS score of 8.8.

Memory Corruption Google RCE Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5863 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 147.0.7727.55) allows attackers to execute arbitrary code within the browser sandbox via malicious HTML pages. Publicly available exploit code exists. While CVSS scored 8.8 (High), EPSS indicates low exploitation probability (0.04%, 11th percentile), suggesting limited real-world targeting despite proof-of-concept availability. No CISA KEV listing confirms active exploitation campaigns.

Google RCE Authentication Bypass Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5862 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser's sandbox through a crafted HTML page exploiting an inappropriate implementation in the V8 JavaScript engine. User interaction is required (visiting a malicious webpage). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.04% (11th percentile), indicating low observed attacker interest despite high CVSS severity.

Google RCE Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5861 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 147.0.7727.55) allows unauthenticated remote attackers to execute arbitrary code within the sandbox by exploiting a use-after-free memory corruption vulnerability through a malicious HTML page. User interaction (visiting a crafted website) is required. No public exploit identified at time of analysis, with EPSS probability at 4% (11th percentile), indicating relatively low immediate exploitation risk despite high CVSS severity.

Memory Corruption Denial Of Service Use After Free RCE Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5910 HIGH PATCH This Week

Integer overflow in Google Chrome's media handling (versions prior to 147.0.7727.55) enables remote attackers to trigger heap corruption through specially crafted video files, achieving potential arbitrary code execution with high confidentiality, integrity, and availability impact. Attack requires user interaction to open malicious media content. Exploitation is unauthenticated (network-accessible). No public exploit identified at time of analysis. Classified as low severity by Chromium project despite CVSS 8.8 rating.

Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5909 HIGH PATCH This Week

Integer overflow in Google Chrome's Media component enables remote heap corruption through malicious video files. Affects Chrome versions prior to 147.0.7727.55 on all desktop platforms. Unauthenticated attackers can achieve arbitrary code execution, data theft, or denial of service by convincing users to open specially crafted video content. CVSS 8.8 severity reflects network-based attack requiring user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).

Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5908 HIGH PATCH This Week

Integer overflow in Google Chrome's Media component allows remote attackers to trigger heap corruption via specially crafted video files. Affects Chrome versions prior to 147.0.7727.55. Attack requires user interaction (opening malicious video file) but no authentication. Successful exploitation enables arbitrary code execution with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis. Chromium project rates severity as Low despite CVSS 8.8 score.

Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5868 HIGH PATCH This Week

Arbitrary code execution in Google Chrome for macOS versions prior to 147.0.7727.55 occurs via heap buffer overflow in the ANGLE graphics layer when processing malicious HTML pages. Remote attackers can achieve full compromise of confidentiality, integrity, and availability within Chrome's sandbox by exploiting this CWE-122 heap overflow with low attack complexity and no authentication. EPSS probability is low (0.03%, 10th percentile) with no public exploit identified at time of analysis, indicating limited observed exploitation activity despite the high CVSS score of 8.8.

RCE Google Buffer Overflow Heap Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5860 HIGH PATCH This Week

Remote code execution in Google Chrome prior to 147.0.7727.55 allows unauthenticated remote attackers to execute arbitrary code within the browser sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the WebRTC component. The attack requires user interaction (visiting a malicious page). EPSS probability is low (0.03%, 10th percentile), and no public exploit or active exploitation (KEV) has been identified at time of analysis. Vendor-released patch available in Chrome 147.0.7727.55.

Memory Corruption Denial Of Service Use After Free RCE Google +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5912 HIGH PATCH This Week

Integer overflow in Google Chrome's WebRTC component (versions prior to 147.0.7727.55) enables remote attackers to trigger out-of-bounds memory writes through specially crafted HTML pages. Exploitation requires user interaction (visiting malicious page) but no authentication, potentially allowing arbitrary code execution, data corruption, or information disclosure. Vendor-assigned security severity: Low; CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis.

Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5859 HIGH PATCH This Week

Integer overflow in Google Chrome's WebML component (versions prior to 147.0.7727.55) enables remote attackers to trigger heap corruption via malicious HTML pages, requiring only user interaction to visit a crafted website. The vendor-assigned severity is Critical, though EPSS indicates only 0.03% probability of exploitation in the wild (9th percentile), and no public exploit identified at time of analysis. Patch available in Chrome 147.0.7727.55 and later.

Google Buffer Overflow Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5858 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code by exploiting a heap buffer overflow in the WebML component through specially crafted HTML pages. The vulnerability requires user interaction (visiting a malicious page) but presents critical risk with high impact to confidentiality, integrity, and availability. EPSS score of 0.03% (9th percentile) indicates low probability of imminent exploitation in the wild, with no public exploit identified at time of analysis and no CISA KEV listing confirming active exploitation.

RCE Google Buffer Overflow Heap Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3499 HIGH This Week

Cross-Site Request Forgery (CSRF) in Product Feed PRO for WooCommerce by AdTribes versions 13.4.6 through 13.5.2.1 allows unauthenticated attackers to manipulate critical feed management functions by tricking authenticated WordPress administrators into executing malicious requests. Exploitation enables attackers to trigger feed migrations, clear custom-attribute caches, modify feed file URLs, alter legacy filter settings, and delete feed posts without proper authorization. EPSS exploitation probability data not available; no confirmed active exploitation (not in CISA KEV) identified at time of analysis. Wordfence reported this vulnerability with patches available via WordPress plugin repository.

WordPress CSRF
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5914 HIGH PATCH This Week

Type confusion vulnerability in Google Chrome CSS engine (versions prior to 147.0.7727.55) enables heap corruption through malicious extensions. Attacker must convince user to install crafted Chrome extension, then exploit triggers memory corruption allowing high-severity impacts: arbitrary code execution, information disclosure, and denial of service. CVSS 8.8 rating reflects unauthenticated network vector requiring only user interaction. No public exploit identified at time of analysis. Chromium project classifies severity as Low despite critical CVSS score, indicating successful exploitation barriers beyond user interaction.

Memory Corruption Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5904 HIGH PATCH This Week

Heap corruption via malicious Chrome extension exploits use-after-free flaw in V8 JavaScript engine, affecting Chrome versions prior to 147.0.7727.55. Attacker must convince user to install a crafted extension to achieve potential remote code execution with high confidentiality, integrity, and availability impact. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public exploit code identified at time of analysis. Despite high CVSS 8.8

Denial Of Service Use After Free Google Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39621 HIGH This Week

CSRF vulnerability in SpicePress WordPress theme versions ≤2.3.2.5 enables unauthenticated attackers to upload web shells via arbitrary plugin installation, achieving remote code execution. Successful exploitation requires user interaction (victim must click malicious link while authenticated). No public exploit identified at time of analysis. CVSS 8.8 score reflects network-accessible, low-complexity attack with high impact to confidentiality, integrity, and availability.

CSRF Spicepress
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-27140 HIGH PATCH NEWS This Week

Build-time remote code execution in Go toolchain (cmd/go) versions before 1.25.9 and 1.26.0-1.26.1 allows network attackers to execute arbitrary code during compilation by supplying malicious SWIG files with specially crafted filenames containing 'cgo'. User interaction required (developer must build the malicious package). No public exploit identified at time of analysis. EPSS score of 0.01% (1st percentile) indicates very low observed exploitation probability despite high CVSS 8.8 rating.

RCE Authentication Bypass Cmd Go
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-34723 HIGH PATCH This Week

Unauthenticated remote information disclosure in Zammad helpdesk system versions before 7.0.1 and 6.5.4 allows attackers to access sensitive internal entity data through exposed getting started endpoint. The vulnerability bypasses authentication controls, enabling unauthorized access to confidential system information post-setup. Attack vector is network-based with low complexity requiring no user interaction. No public exploit identified at time of analysis. CVSS 8.7 reflects high confidentiality impact.

Authentication Bypass Zammad
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40036 HIGH PATCH GHSA This Week

Unbounded zlib decompression in dfir-unfurl versions through 20250810 enables unauthenticated remote attackers to exhaust server memory via crafted compressed payloads submitted to the /json/visjs endpoint. Attackers can submit highly compressed data that expands to gigabytes when decompressed, crashing the service through resource exhaustion. The vulnerability affects the parse_compressed.py module and requires no authentication. No public exploit identified at time of analysis.

Denial Of Service Dfir Unfurl
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-34724 HIGH PATCH This Week

Remote code execution in Zammad 7.0.0 allows authenticated administrators with high-level privileges to inject malicious server-side templates through AI Agent configuration parameters, leading to arbitrary code execution on the helpdesk server. Exploitation requires administrative access to control type_enrichment_data settings and user interaction. Vendor-released patch version 7.0.1 is available. EPSS score of 0.04% indicates low exploitation probability in the wild; no public exploit identified at time of analysis.

RCE Code Injection Zammad
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-24913 HIGH This Week

SQL injection in MATCHA INVOICE 2.6.6 and earlier allows authenticated users with low-level privileges to extract or modify database contents via network access. With CVSS 8.8 (High severity), low attack complexity, and no user interaction required, authenticated attackers can achieve full confidentiality, integrity, and availability impact on the application database. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.

SQLi Matcha Invoice
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-35169 HIGH PATCH This Week

Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior to 27.0.3 and 28.0.1. Improper input sanitization allows authenticated attackers with low privileges to execute malicious scripts in victim browsers (requiring user interaction) and exfiltrate markdown files from the server. Attack requires network access and social engineering to trick users into following crafted links. No public exploit identified at time of analysis.

XSS Loris
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-5747 HIGH PATCH This Week

Memory corruption in Amazon Firecracker's virtio PCI transport (versions 1.13.0-1.14.3, 1.15.0) enables guest root users to crash the host VMM process or achieve host code execution through malicious virtio queue register modifications post-device activation. Affects x86_64 and aarch64 architectures. While exploitation requires guest root privileges and high attack complexity (CVSS AC:H, PR:H), successful compromise breaches VM isolation boundaries with high impact to host confidentiality, integrity, and availability (CVSS 8.7). No public exploit identified at time of analysis; vendor-released patches available in versions 1.14.4 and 1.15.1.

Buffer Overflow RCE Firecracker
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33229 HIGH PATCH GHSA This Week

Privilege escalation in XWiki Platform 17.x allows users with script rights to execute arbitrary Python code via an improperly protected scripting API, bypassing Velocity sandbox protections and gaining full system access. This affects XWiki Platform oldcore and legacy-oldcore components prior to versions 17.4.8 and 17.10.1. While requiring existing script-level privileges, the vulnerability enables complete compromise of confidentiality, integrity, and availability. Vendor-released patch available; no public exploit identified at time of analysis.

Authentication Bypass Python
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-30818 HIGH PATCH This Week

OS command injection in TP-Link Archer AX53 v1.0 dnsmasq module allows authenticated adjacent attackers to execute arbitrary code through maliciously crafted configuration files. Successful exploitation enables device configuration modification, sensitive data access, and complete system compromise. Affects TP-Link Archer AX53 v1.0 firmware versions prior to 1.7.1 Build 20260213. Requires high-privilege adjacent network access (CVSS:4.0 AV:A/PR:H). No public exploit identified at time of analysis.

TP-Link RCE Command Injection
NVD
CVSS 4.0
8.5
EPSS
0.4%
CVE-2026-30815 HIGH PATCH This Week

OS command injection in TP-Link Archer AX53 v1.0 OpenVPN module allows authenticated adjacent attackers to execute arbitrary system commands through maliciously crafted configuration files. Exploitation requires high-privilege adjacency access but enables complete device compromise including configuration modification, credential disclosure, and persistent backdoor installation. Affects AX53 v1.0 firmware prior to 1.7.1 Build 20260213. No public exploit identified at time of analysis.

TP-Link Command Injection
NVD
CVSS 4.0
8.5
EPSS
0.3%
CVE-2026-39416 HIGH PATCH This Week

Stored cross-site scripting in AIL Framework <6.8 allows authenticated high-privilege attackers to inject malicious JavaScript through the modal item preview function. When processing item content exceeding 800 characters, the application returns attacker-controlled content without explicit text/plain content-type headers, enabling browser interpretation as HTML. Successful exploitation executes arbitrary JavaScript in victim browsers viewing crafted items, compromising confidentiality and integrity across system and user contexts. No public exploit identified at time of analysis.

XSS Ail Framework
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-39974 HIGH PATCH GHSA This Week

Server-Side Request Forgery in n8n-mcp (npm package) versions ≤2.47.3 allows authenticated attackers with valid AUTH_TOKEN to force the server to issue HTTP requests to arbitrary URLs via manipulated multi-tenant HTTP headers (x-n8n-url, x-n8n-key). Response bodies are reflected through JSON-RPC, enabling unauthorized access to cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Oracle, Alibaba), internal network services, and any host reachable by the server process. Multi-tenant HTTP deployments with shared or multiple AUTH_TOKENs are at highest risk. No public exploit identified at time of analysis.

SSRF Oracle Microsoft
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-40029 HIGH PATCH This Week

OS command injection in parseusbs <1.9 enables arbitrary code execution on forensic examiner systems through maliciously crafted .lnk filenames. The parseUSBs.py module passes LNK file paths unsanitized into os.popen() shell commands, allowing attackers to embed shell metacharacters in filenames that execute during USB artifact parsing. Exploitation requires no authentication (PR:N) but necessitates user interaction (UI:P) when the examiner processes USB artifacts containing weaponized .lnk files. No public exploit identified at time of analysis.

Command Injection Parseusbs
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-39495 HIGH This Week

Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated attackers with low-privilege access to extract sensitive database contents and potentially trigger denial-of-service conditions. The vulnerability stems from improper neutralization of SQL special elements in user-controlled input. Network-accessible exploitation requires valid credentials but no user interaction. CVSS 8.5 severity reflects high confidentiality impact with scope change, enabling cross-boundary data access. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, 6th percentile).

SQLi Simply Schedule Appointments
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-39486 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download Monitor: from n/a through <= 5.1.8.

SQLi Download Monitor
NVD
CVSS 3.1
8.5
EPSS
0.0%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy