Skip to main content
CVE-2026-29923 HIGH This Week

PowerStrip driver (pstrip64.sys) through version 3.90.736 enables authenticated local users to escalate privileges to SYSTEM by sending malicious IOCTL requests that map arbitrary physical memory into user-mode address space, allowing modification of kernel structures. EPSS score of 0.02% (5th percentile) indicates low automated exploitation likelihood, though publicly available exploit code exists (PacketStorm Security reference), making this a realistic threat in environments where PowerStrip is deployed and local access is possible. No CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

Privilege Escalation N A
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-39853 HIGH PATCH This Week

Stack buffer overflow in osslsigncode <2.12 allows local attackers to execute arbitrary code during signature verification. The vulnerability affects PE, MSI, CAB, and script file verification handlers that copy digest values from SpcIndirectDataContent structures into fixed 64-byte stack buffers without length validation. Attackers craft malicious signed files with oversized digest fields triggering memcpy overflow when users verify files via osslsigncode verify command, corrupting stack state and enabling code execution with high confidentiality, integrity, and availability impact.

Stack Overflow Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34734 HIGH PATCH This Week

Heap use-after-free in HDF5 h5dump utility allows local attackers to achieve arbitrary code execution when processing malicious HDF5 files. Affects HDF5 versions 1.14.1-2 and earlier from HDFGroup. Attacker must convince user to open crafted file (user interaction required, CVSS UI:R). Unauthenticated attack vector enables high-impact compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis. Vulnerability stems from premature deallocation in H5D__typeinfo_term followed by unsafe reference in H5T__conv_struct memmove operation.

Memory Corruption Information Disclosure Use After Free Hdf5
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40150 HIGH PATCH GHSA This Week

Server-side request forgery in PraisonAIAgents multi-agent system allows authenticated attackers to force internal network reconnaissance and data exfiltration through unvalidated URL crawling. The web_crawl() function in versions prior to 1.5.128 accepts arbitrary URLs from AI agents without scheme allowlisting, hostname blocking, or private network checks, enabling access to cloud metadata endpoints (AWS/Azure/GCP), internal services, and local filesystems via file:// URIs. Exploitation requires low-privileged authenticated access with network reachability and no user interaction. No public exploit identified at time of analysis.

SSRF Praisonaiagents
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-39843 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Makeplane Plane (versions 0.28.0 to before 1.3.0) allows authenticated attackers with low privileges to perform full-read SSRF attacks against internal network resources. The vulnerability exists because incomplete remediation of a previous SSRF issue (GHSA-jcc6-f9v6-f7jw) left the favicon fetch path vulnerable to redirect-based attacks. When an attacker supplies an HTML page containing a link tag with an href redirecting to a private IP address via the 'Add link' feature, the fetch_and_encode_favicon() function follows redirects without validation, enabling unauthorized access to internal resources. Requires authenticated access; no public exploit identified at time of analysis.

SSRF Plane
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-5959 HIGH PATCH This Week

Remote authentication bypass in GL.iNet GL-RM1, GL-RM10, GL-RM10RC, and GL-RM1PE versions up to 1.8.1 allows authenticated remote attackers with high privileges to manipulate the Factory Reset Handler component, resulting in improper authentication controls. The vulnerability requires high attack complexity and is difficult to exploit but enables unauthorized access to sensitive device functionality. A vendor-released patch addressing this issue is available in version 1.8.2.

Authentication Bypass Gl Rm1 Gl Rm10 Gl Rm10Rc Gl Rm1Pe
NVD VulDB GitHub
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-1584 HIGH PATCH This Week

Remote unauthenticated attackers can crash GnuTLS servers by sending malformed TLS handshake messages containing invalid Pre-Shared Key binder values, triggering a NULL pointer dereference. Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images are affected. Vendor patches are available. EPSS score of 0.08% (24th percentile) suggests low current exploitation probability despite network-accessible attack vector. SSVC framework classifies this as automatable with partial technical impact but no known exploitation, making this a medium-priority patching target focused on preventing service disruption rather than data breach.

Null Pointer Dereference Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +4
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40116 HIGH PATCH GHSA This Week

Unauthenticated resource exhaustion in PraisonAI versions prior to 4.5.128 allows remote attackers to drain OpenAI API credits and exhaust server resources. The /media-stream WebSocket endpoint in the call module accepts connections without authentication or Twilio signature validation, enabling unlimited concurrent sessions to OpenAI's Realtime API using the server's credentials. No public exploit identified at time of analysis. Affects PraisonAI deployments exposing the call module's WebSocket interface.

Denial Of Service Praisonai
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40069 HIGH PATCH GHSA This Week

Incorrect transaction broadcast failure detection in BSV Ruby SDK 0.1.0 through 0.8.1 allows unauthenticated remote attackers to manipulate application logic by exploiting incomplete ARC response validation. The SDK's BSV::Network::ARC module only recognizes REJECTED and DOUBLE_SPEND_ATTEMPTED status codes as failures, silently treating INVALID, MALFORMED, MINED_IN_STALE_BLOCK, and ORPHAN-containing responses as successful broadcasts. Applications relying on broadcast confirmation for gating critical actions accept failed transactions as valid, enabling integrity compromise in blockchain-dependent workflows. No public exploit identified at time of analysis.

Information Disclosure Bsv Ruby Sdk
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4660 HIGH PATCH GHSA This Week

Arbitrary file read vulnerability in HashiCorp go-getter library versions up to 1.8.5 enables unauthenticated remote attackers to access sensitive files from the target filesystem through specially crafted git operation URLs. The vulnerability permits confidentiality breach without authentication requirements, affecting network-accessible services utilizing the library for repository cloning or fetching operations. Fixed in version 1.8.6; go-getter/v2 branch unaffected. No public exploit identified at time of analysis.

Information Disclosure Hashicorp Tooling
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5440 HIGH This Week

Memory exhaustion in Orthanc DICOM Server versions up to 1.12.10 allows remote unauthenticated attackers to crash the service by sending HTTP requests with excessively large Content-Length header values. The server allocates memory based on the header without validation, enabling denial-of-service without transmitting actual payload data. EPSS score of 0.02% (6th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified at time of analysis.

Denial Of Service Dicom Server
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34487 HIGH PATCH GHSA This Week

Apache Tomcat's cloud membership clustering component logs Kubernetes bearer tokens in plaintext, enabling unauthenticated remote attackers to extract authentication credentials from log files. Affects Tomcat 9.0.13-9.0.116, 10.1.0-M1-10.1.53, and 11.0.0-M1-11.0.20. CVSS 7.5 (High) reflects confidentiality impact; no public exploit identified at time of analysis. Exploitation requires network access to log files or log aggregation systems, potentially enabling privilege escalation within Kubernetes clusters.

Apache Kubernetes Tomcat Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34483 HIGH PATCH GHSA This Week

Information disclosure in Apache Tomcat's JsonAccessLogValve allows unauthenticated remote attackers to retrieve sensitive data due to improper output encoding. Affects Tomcat versions 11.0.0-M1 through 11.0.20, 10.1.0-M1 through 10.1.53, and 9.0.40 through 9.0.116. The vulnerability enables high-impact confidentiality breaches through network-accessible attack vectors with low complexity and no user interaction required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

Apache Information Disclosure Tomcat Red Hat Suse
NVD VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-29129 HIGH PATCH GHSA This Week

Cipher preference order enforcement failure in Apache Tomcat 9.0.114-9.0.115, 10.1.51-10.1.52, and 11.0.16-11.0.18 allows unauthenticated remote attackers to force selection of weaker cryptographic ciphers during TLS negotiation, enabling potential decryption of confidential data transmitted over HTTPS connections. The vulnerability stems from improper preservation of administrator-configured cipher suite priority, potentially exposing sensitive session data, credentials, or application content. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects network-accessible confidentiality impact requiring no privileges.

Apache Information Disclosure Tomcat Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24880 HIGH PATCH GHSA This Week

HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

Apache Information Disclosure Request Smuggling Tomcat Red Hat +1
NVD VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-62188 HIGH PATCH GHSA This Week

Unauthenticated remote disclosure of database credentials and other sensitive configuration data in Apache DolphinScheduler 3.1.x via overly-permissive Spring Boot Actuator endpoints. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms network-accessible exploitation without authentication. EPSS score of 0.02% (5th percentile) indicates low current exploitation likelihood despite the critical nature of credential exposure. Vendor patch available in version 3.2.0, with documented configuration-based workaround for organizations unable to upgrade immediately. No public exploit code identified and SSVC framework shows no active exploitation, though the vulnerability is automatable.

Apache Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40046 HIGH PATCH GHSA This Week

Remote denial-of-service in Apache ActiveMQ 6.0.0 through 6.2.3 allows unauthenticated network attackers to crash the MQTT broker via malformed control packets. An integer overflow in the MQTT protocol handler's remaining length field validation enables resource exhaustion without authentication. This vulnerability stems from an incomplete patch - the fix for CVE-2025-66168 was applied only to 5.19.x branches but omitted from all 6.x releases until 6.2.4. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

Apache Integer Overflow Buffer Overflow Red Hat
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34020 HIGH PATCH GHSA This Week

Apache OpenMeetings REST login endpoint exposes credentials through HTTP GET query parameters, enabling credential harvesting via browser history, server logs, referrer headers, and intermediate proxies. Affects versions 3.1.3 through 8.x. CVSS 7.5 HIGH reflects unauthenticated network-accessible information disclosure with no user interaction required. No public exploit identified at time of analysis, low observed exploitation activity (EPSS 0.02%).

Apache Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5439 HIGH This Week

Memory exhaustion in Orthanc DICOM Server versions ≤1.12.10 allows remote attackers to trigger denial of service by uploading specially crafted ZIP archives with forged uncompressed size metadata. The server allocates excessive memory buffers based on untrusted size fields during automatic extraction, enabling resource exhaustion attacks without authentication (CVSS:3.1 AV:N/AC:L/PR:N). EPSS probability of 0.02% (4th percentile) indicates low likelihood of imminent exploitation, with no public exploit identified at time of analysis.

Denial Of Service Dicom Server
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5438 HIGH This Week

Memory exhaustion in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to trigger denial-of-service via gzip decompression bombs in HTTP requests. Attackers send maliciously crafted gzip-compressed payloads with inflated decompression metadata, forcing the server to allocate unbounded memory and crash. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis. CVSS 7.5 reflects network-reachable, low-complexity attack requiring no authentication, but impact limited to availability only.

Denial Of Service Dicom Server
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5437 HIGH This Week

Out-of-bounds read in Orthanc DICOM Server's DicomStreamReader allows remote unauthenticated attackers to trigger denial-of-service conditions via malformed DICOM meta-header structures. CVSS 7.5 (High) with network attack vector and low complexity, requiring no privileges or user interaction. EPSS score of 0.01% (3rd percentile) indicates minimal observed exploitation activity. No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though CERT/CC coordination (VU#536588) suggests coordinated disclosure process.

Buffer Overflow Information Disclosure Dicom Server
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33266 HIGH PATCH GHSA This Week

Hard-coded cryptographic key in Apache OpenMeetings 6.1.0-9.0.0 enables cookie-based credential theft. The default remember-me cookie encryption key in openmeetings.properties is not auto-rotated, allowing attackers who steal session cookies to decrypt and extract full user credentials without authentication. This unauthenticated network-accessible vulnerability achieves high confidentiality impact through cryptographic weakness. No public exploit identified at time of analysis. EPSS indicates low observed exploitation activity.

Apache Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5988 HIGH This Week

Stack-based buffer overflow in Tenda F451 wireless router firmware 1.0.0.7 enables authenticated remote attackers to execute arbitrary code via crafted mit_ssid parameter to formWrlsafeset function in /goform/AdvSetWrlsafeset endpoint. Publicly available exploit code exists. Attack requires low-privilege authenticated access to the router's web management interface, resulting in complete compromise of device confidentiality, integrity, and availability with no impact to other network segments.

Buffer Overflow Tenda
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-5983 HIGH Monitor

Buffer overflow in D-Link DIR-605L 2.13B01 router enables remote code execution via POST request manipulation of curTime parameter in formSetDDNS function. Publicly available exploit code exists. Affected device is end-of-life with no vendor support. Authenticated attacker with low-privilege network access can achieve complete system compromise (high confidentiality, integrity, availability impact per CVSS 4.0 scoring).

D-Link Buffer Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-5980 HIGH Monitor

Buffer overflow in D-Link DIR-605L 2.13B01 router allows authenticated attackers to achieve remote code execution via crafted curTime parameter in formSetMACFilter POST handler. This end-of-life product receives no vendor support. Publicly available exploit code exists. Attackers with low-privilege network access can compromise device confidentiality and integrity remotely without user interaction.

D-Link Buffer Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-40153 HIGH PATCH GHSA This Week

Environment variable exfiltration in PraisonAIAgents versions prior to 1.5.128 allows unauthenticated remote attackers to steal secrets (database credentials, API keys, cloud access keys) through shell_tools.py execute_command function. The vulnerability leverages deceptive command approval where unexpanded $VAR references shown to human reviewers differ from executed commands containing expanded environment variable values. Requires user interaction. No public exploit identified at time of analysis.

Information Disclosure Praisonaiagents
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-5984 HIGH Monitor

Buffer overflow in D-Link DIR-605L 2.13B01 router allows authenticated remote attackers to achieve code execution via POST request manipulation. The formSetLog function in /goform/formSetLog improperly handles the curTime parameter, enabling memory corruption. Publicly available exploit code exists. This end-of-life product receives no vendor support or security updates.

D-Link Buffer Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2024-1490 HIGH This Week

An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-4112 HIGH NEWS This Week

SQL injection in SonicWall SMA1000 series appliances allows authenticated attackers with read-only administrator privileges to escalate to primary administrator access through SQL injection vectors. The vulnerability affects SMA1000 versions 12.4.3-03245 and earlier, and 12.5.0-02283 and earlier. While CVSS scores this 7.2 (High) with network-based attack vector and low complexity, real-world exploitation risk appears moderate: EPSS probability is low at 0.06% (17th percentile), CISA SSVC indicates no active exploitation and the attack is not automatable, and the high privilege requirement (existing administrative credentials) significantly limits attacker pool.

Sonicwall SQLi
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-4113 HIGH NEWS This Week

SonicWall SMA1000 SSL VPN appliances allow remote authenticated administrators to enumerate valid user credentials through observable timing or response differences. Affects SMA1000 versions 12.4.3-03245 and earlier, plus 12.5.0-02283 and earlier. While CVSS rates this 7.2 High, real-world risk is moderate: exploitation requires existing high-privilege access (PR:H), EPSS shows only 0.04% probability (11th percentile), and no active exploitation or public POC identified at time of analysis. The vulnerability enables credential harvesting for subsequent lateral movement attacks.

Information Disclosure Sonicwall
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-34512 HIGH PATCH This Week

Authorization bypass in OpenClaw versions prior to 2026.3.25 enables authenticated users to terminate arbitrary subagent sessions through the /sessions/:sessionKey/kill HTTP endpoint. Exploiting CWE-863 improper authorization, low-privilege authenticated attackers execute admin-level killSubagentRunAdmin functions without ownership or operator scope validation, achieving high integrity and availability impact on targeted sessions. No public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-4116 HIGH NEWS This Week

Two-factor authentication bypass in SonicWall SMA1000 SSL-VPN allows remote attackers with valid SSLVPN credentials to circumvent TOTP requirements via Unicode encoding manipulation. Affects SMA1000 versions 12.5.0-02283 and 12.4.3-03245 and earlier. Requires high-privilege (PR:H) authenticated access but enables complete authentication bypass (CVSS 7.2). Low EPSS score (0.03%, 10th percentile) indicates minimal observed exploitation likelihood. No public exploit code identified at time of analysis.

Authentication Bypass Sonicwall
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-40114 HIGH PATCH GHSA This Week

Server-Side Request Forgery in PraisonAI versions prior to 4.5.128 allows unauthenticated remote attackers to force the server to send HTTP POST requests to arbitrary internal or external destinations via an unvalidated webhook_url parameter in the /api/v1/runs endpoint. Attackers can abuse this to access cloud metadata services (AWS/GCP/Azure instance metadata), internal APIs, and network-adjacent services, potentially exposing credentials, configuration data, or triggering unauthorized actions. No public exploit identified at time of analysis. CVSS 7.2 indicates changed scope with low confidentiality and integrity impact.

SSRF Praisonai
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-39976 HIGH PATCH GHSA This Week

Authentication bypass in Laravel Passport 13.0.0-13.7.0 allows machine-to-machine OAuth2 client_credentials tokens to impersonate arbitrary application users. The league/oauth2-server library sets JWT sub claim to client identifier for M2M flows; Passport's token guard fails to validate this identifier represents an actual user before passing to retrieveById(), enabling any M2M token to authenticate as unrelated real users. Affects all deployments using client_credentials grant type. Requires low-privilege authenticated access (PR:L). No public exploit identified at time of analysis.

Authentication Bypass Passport
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-33783 HIGH PATCH This Week

Complete persistent denial of service in Juniper Networks Junos OS Evolved on PTX Series routers allows authenticated, low-privilege network attackers to crash the evo-aftmand service with no automatic recovery. The vulnerability triggers when PCEP-provisioned colored SRTE policy tunnels with 32-bit ASN values (greater than 65,535) in the Originator ASN field are monitored via gRPC, causing permanent forwarding plane failure until manual system restart. Affects multiple versions through 25.2 release train. No public exploit identified at time of analysis.

Juniper Denial Of Service
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-39977 HIGH PATCH This Week

Path traversal in flatpak-builder 1.4.5 through 1.4.7 enables arbitrary host file exfiltration through license-files manifest exploitation. Attacker-crafted manifest with symlink manipulation bypasses g_file_get_relative_path() and g_file_query_file_type() validation, allowing reads outside source directory. Successful exploitation requires user interaction (processing malicious manifest) but grants unauthenticated remote attackers high confidentiality impact with no authentication required. Publicly available exploit code exists. CVSS 7.1 reflects network vector with user participation prerequisite.

Path Traversal Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-21919 HIGH PATCH This Week

Management daemon deadlock in Juniper Networks Junos OS 23.4-24.4 and Junos OS Evolved enables network-based authenticated attackers to trigger complete management plane denial-of-service via rapid NETCONF session cycling. Vulnerability causes mgd processes to hang in lockf state, exhausting process pool and preventing administrative logins. Recovery requires device power-cycle. Affects deployments using NETCONF management interface with authenticated remote users. No public exploit identified at time of analysis.

Information Disclosure Juniper
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-35636 HIGH PATCH This Week

Session isolation bypass in OpenClaw 2026.3.11 through 2026.3.24 allows authenticated attackers to access parent or sibling sessions bypassing visibility restrictions. The vulnerability exploits session_status logic that resolves sessionId to canonical session keys before enforcing explicit sessionKey-based access controls, enabling sandboxed child sessions to read data from sessions they should not access. No public exploit identified at time of analysis. Impacts confidentiality of session data across isolation boundaries in multi-tenant or sandboxed deployment scenarios.

Canonical Authentication Bypass
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-35631 HIGH PATCH This Week

Authorization bypass in OpenClaw versions prior to 2026.3.22 allows authenticated low-privilege users to execute administrative control-plane operations through internal ACP chat commands. The vulnerability stems from missing operator.admin scope enforcement on mutating commands, enabling unauthorized users to invoke privileged actions that modify system configuration or state. Exploitation requires authenticated access but no elevated privileges, permitting lateral privilege escalation to administrative functions. No public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-35644 HIGH PATCH This Week

Credential exposure in OpenClaw gateway snapshots enables authenticated attackers with operator.read scope to extract embedded authentication tokens from channel configuration URLs. Attackers query config.get and channels.status API endpoints to retrieve gateway snapshots containing credentials in URL userinfo components of baseUrl and httpUrl fields. Affects OpenClaw versions prior to 2026.3.22. Authentication required (PR:L); no public exploit identified at time of analysis.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-33775 HIGH PATCH This Week

Memory exhaustion in Juniper Networks Junos OS BroadBand Edge subscriber management daemon (bbe-smgd) on MX Series allows adjacent unauthenticated attackers to trigger persistent denial of service by sending authentication packets that do not match configured packet-type options. Each mismatched packet leaks memory, eventually consuming all available daemon heap memory and preventing new subscriber logins. Authentication packet-type configuration must be active for exploitation. No public exploit identified at time of analysis.

Juniper Denial Of Service
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-33797 HIGH PATCH This Week

BGP session reset vulnerability in Juniper Networks Junos OS 25.2 and Junos OS Evolved 25.2-EVO allows adjacent unauthenticated attackers to trigger Denial of Service by sending malformed BGP packets within established sessions. Affects both eBGP and iBGP implementations across IPv4 and IPv6. Repeated exploitation enables sustained service disruption. Vulnerability confirmed actively exploited (CISA KEV). No public exploit identified at time of analysis. Adjacent network access required; attacker must be on same network segment as BGP peering.

Juniper Denial Of Service
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-5444 HIGH This Week

Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows local attackers to corrupt data or crash the service via maliciously crafted PAM images embedded in DICOM files. The vulnerability stems from integer overflow during buffer size calculation when multiplying image dimensions with 32-bit arithmetic, leading to undersized heap allocation followed by oversized writes during pixel processing. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability; no public exploit code or active exploitation confirmed at time of analysis.

Buffer Overflow Memory Corruption Dicom Server
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-5441 HIGH This Week

Out-of-bounds read in Orthanc DICOM Server's Philips PMSCT_RLE1 decompression allows local attackers to leak heap memory into rendered medical images via maliciously crafted DICOM files. Affects versions ≤1.12.10. Requires user interaction (opening crafted file). EPSS 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. No active exploitation or public POC identified at time of analysis. CERT/CC reported (VU#536588).

Buffer Overflow Information Disclosure Dicom Server
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33781 HIGH PATCH This Week

Packet buffer allocation failure in Juniper EX4000 and QFX5000 Series switches allows adjacent unauthenticated attackers to cause persistent Denial of Service requiring manual device restart. Attack vector requires specific configuration: device configured as service-provider edge with L2PT enabled on UNI and VSTP enabled on NNI in VXLAN scenarios. Receiving VSTP BPDUs on UNI triggers buffer exhaustion, halting all traffic forwarding. Affects Junos OS 24.4 through 24.4R1, 25.2 through 25.2R1. No public exploit identified at time of analysis.

Juniper Denial Of Service
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-33780 HIGH PATCH This Week

Memory leak in Juniper Networks l2ald daemon allows adjacent attackers to crash Layer 2 services on EVPN-MPLS networks. Affects Junos OS and Junos OS Evolved across multiple versions. Unauthenticated attackers on the same network segment can trigger resource exhaustion by causing ESI route churn from multi-homed Provider Edge devices, forcing l2ald process crash and restart. No public exploit identified at time of analysis, but exploitation requires only network adjacency without authentication.

Juniper Denial Of Service
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2025-59969 HIGH PATCH This Week

Unauthenticated buffer overflow in Juniper Networks Junos OS Evolved advanced forwarding toolkit (evo-aftmand/evo-pfemand) permits adjacent attackers to crash PTX Series and QFX5000 Series devices via crafted multicast packets. Exploitation triggers line card or device restart, sustaining denial of service under continuous attack. Affects multiple Junos OS Evolved release branches before patched versions. No public exploit identified at time of analysis. Attack requires adjacent network access but no authentication, making exploitation feasible in shared network segments.

Buffer Overflow Juniper Denial Of Service
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-5974 MEDIUM PATCH GHSA This Month

Remote command injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated network attackers to execute arbitrary OS commands via the Bash.run function in metagpt/tools/libs/terminal.py. The vulnerability has a CVSS score of 6.9 with network-accessible attack vector and low complexity, and matches CISA SSVC criteria for partial technical impact with automatable exploitation; a proof-of-concept exists but no confirmed active exploitation has been reported.

Command Injection Metagpt
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.8%
CVE-2025-13914 HIGH PATCH This Week

Man-in-the-middle attack against Juniper Networks Apstra allows unauthenticated attackers to impersonate managed network devices and capture credentials due to insufficient SSH host key validation. The vulnerability affects all Apstra versions before 6.1.1, enabling interception of SSH connections between the Apstra orchestration platform and managed infrastructure. No public exploit identified at time of analysis, though the attack requires network positioning between Apstra and target devices.

Information Disclosure Microsoft Juniper Apstra
NVD VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-5263 HIGH PATCH This Week

Certificate chain verification bypass in wolfSSL allows malicious intermediate CAs to violate URI nameConstraints. A compromised sub-CA with high-privilege access can issue leaf certificates containing URI Subject Alternative Name entries that breach parent CA nameConstraints restrictions. wolfSSL versions fail to enforce URI-based nameConstraints during chain validation in wolfcrypt/src/asn.c, accepting invalid certificates as legitimate. No public exploit identified at time of analysis. Attack complexity rated low but requires privileged issuer access.

Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
Prev Page 3 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy