Skip to main content
CVE-2026-39912 CRITICAL POC PATCH Act Now

Authentication bypass in V2Board 1.6.1-1.7.4 and Xboard ≤0.1.9 enables unauthenticated account takeover including admin privileges. When login_with_mail_link_enable is active, attackers POST known email addresses to the loginWithMailLink endpoint, receiving full authentication URLs in HTTP responses. Tokens extracted from these URLs are exchanged at token2Login for valid bearer tokens granting complete account access. Publicly available exploit code exists. CVSS 9.1 critical severity reflects network-accessible attack with no user interaction required.

Information Disclosure Microsoft V2Board Xboard
NVD GitHub
CVSS 4.0
9.1
EPSS
0.1%
CVE-2025-13926 CRITICAL CISA Monitor

Session token exposure in Contemporary Controls BASControl20 3.1 building automation controller enables unauthenticated remote attackers to forge authenticated requests via network traffic interception. Exploitation requires attacker ability to sniff network traffic containing authentication credentials, which can then be replayed to execute arbitrary commands with full system privileges. Classified as CWE-807 (untrusted input reliance), this vulnerability permits complete compromise of controller confidentiality, integrity, and availability without user interaction. No public exploit identified at time of analysis.

Information Disclosure Bascontrol20
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-40089 CRITICAL Act Now

Server-Side Request Forgery in Sonicverse Radio Audio Streaming Stack dashboard API client allows authenticated operators to perform arbitrary HTTP requests from the backend server to internal or external targets. Affects Docker Compose deployments installed via the provided install.sh script, including one-liner installations. Attacker can exploit insufficient URL validation in apps/dashboard/lib/api.ts to access internal services, exfiltrate sensitive data from cloud metadata endpoints, or pivot to restricted network segments. CVSS 9.9 critical severity with changed scope indicates potential for significant cross-boundary impact. No public exploit identified at time of analysis.

Docker SSRF
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-1830 CRITICAL POC Act Now

Remote code execution in Quick Playground plugin for WordPress (all versions through 1.3.1) allows unauthenticated attackers to execute arbitrary PHP code on the server. Vulnerability stems from insufficient authorization on REST API endpoints that expose a sync code and permit unrestricted file uploads. Attackers can retrieve the sync code via unsecured endpoints, upload malicious PHP files using path traversal techniques, and achieve full server compromise without authentication. CVSS 9.8 critical severity. No public exploit identified at time of analysis.

WordPress PHP RCE Path Traversal Authentication Bypass
NVD VulDB Exploit-DB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-5442 CRITICAL Act Now

Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows unauthenticated remote code execution via malformed DICOM images. Attackers exploit integer overflow during frame size calculation by submitting DICOM files with dimension fields encoded as Unsigned Long (UL) instead of Unsigned Short (US), causing out-of-bounds memory access during image decoding. CVSS 9.8 (Critical) with network-accessible attack vector requiring no authentication or user interaction. EPSS score 2% (percentile 4%) suggests low observed exploitation probability despite critical severity. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.

Buffer Overflow Memory Corruption Dicom Server
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-5443 CRITICAL Act Now

Heap buffer overflow in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to achieve arbitrary code execution by sending specially crafted PALETTE COLOR DICOM images. The flaw stems from integer overflow during 32-bit width×height multiplication in pixel length validation, causing bounds checks to incorrectly pass and enabling out-of-bounds memory read/write operations. CVSS 9.8 critical severity with network attack vector requiring no privileges or user interaction. EPSS exp

Buffer Overflow Memory Corruption Dicom Server
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31170 CRITICAL Act Now

Command injection in ToToLink A3300R router firmware v17.0.0cu.557_B20221024 enables unauthenticated remote attackers to execute arbitrary OS commands via the stun-pass parameter in /cgi-bin/cstecgi.cgi endpoint. No public exploit identified at time of analysis, despite GitHub vulnerability disclosure repository. CVSS 9.8 (Critical) reflects trivial network-based exploitation without authentication, though EPSS probability remains low (0.01%, 2nd percentile), suggesting limited current attacker interest in this specific router model despite maximum severity rating.

Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-34424 CRITICAL Act Now

Supply chain compromise in Smart Slider 3 Pro 3.5.1.35 for WordPress and Joomla delivers multi-stage remote access toolkit via compromised update mechanism. Unauthenticated attackers achieve pre-authentication remote code execution through malicious HTTP headers, deploy authenticated backdoors accepting arbitrary PHP/OS commands, create hidden administrator accounts, exfiltrate credentials and API keys, and establish persistence via must-use plugins and core file modifications. Vendor confirmed malicious build distributed through official update channel. No public exploit identified at time of analysis.

RCE WordPress PHP
NVD
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-33784 CRITICAL PATCH Act Now

Full device takeover in Juniper Networks Support Insights Virtual Lightweight Collector (vLWC) before 3.0.94 via hardcoded default credentials. The vLWC software ships with an unchangeable initial password for a high-privileged account with no enforced password change during provisioning, enabling unauthenticated remote attackers to gain complete system control. CVSS v4.0 score 9.3 (Critical). No public exploit identified at time of analysis.

Authentication Bypass Juniper Virtual Lightweight Collector
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-5194 CRITICAL POC PATCH Act Now

ECDSA signature verification in wolfSSL 3.12.0 through 5.9.0 accepts cryptographically weak digest sizes below protocol-mandated minimums, enabling authentication bypass when attackers possess the public CA key. Authenticated network attackers can exploit this to compromise confidentiality and integrity of certificate-based sessions. Vulnerability arises specifically when EdDSA or ML-DSA algorithms are concurrently enabled alongside ECDSA/ECC verification. No public exploit identified at time of analysis.

Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-40154 CRITICAL PATCH GHSA Act Now

Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to execute arbitrary code via malicious template files fetched from remote sources. The framework downloads and executes template files without integrity verification, origin validation, or user confirmation, creating a supply chain attack vector. Attackers with network access can distribute weaponized templates that execute when retrieved by victims, achieving high confidentiality and integrity compromise with scope change. No public exploit identified at time of analysis.

Information Disclosure Praisonai
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-40111 CRITICAL PATCH GHSA Act Now

Command injection in PraisonAIAgents memory hooks executor allows authenticated local attackers to execute arbitrary shell commands through unsanitized user input passed to subprocess.run() with shell=True. Affects versions prior to 1.5.128. Two attack vectors exist: direct exploitation via hook configuration (pre_run_command/post_run_command) and automated exploitation through .praisonai/hooks.json lifecycle hooks (BEFORE_TOOL/AFTER_TOOL). Agent prompt injection enables persistent compromise by overwriting hooks.json, executing payloads silently at every lifecycle event without user interaction. No public exploit identified at time of analysis.

Command Injection Praisonaiagents
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-28205 CRITICAL Act Now

Authentication bypass in OpenPLC_V3 allows unauthenticated remote attackers to gain unauthorized system access through insecurely configured API endpoints. The vulnerability stems from insecure default resource initialization (CWE-1188), enabling complete circumvention of authentication mechanisms. Attackers can exploit this over the network with low attack complexity to achieve high confidentiality, integrity, and availability impact across vulnerable and subsequent systems. No public exploit identified at time of analysis.

Authentication Bypass Openplc V3
NVD
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-35556 CRITICAL Act Now

Plaintext credential storage in OpenPLC_V3 enables network-based attackers to retrieve authentication credentials without requiring prior authentication or user interaction, leading to complete system compromise. The CVSS v4.0 score of 9.2 reflects critical-severity risk from network-accessible credential exposure affecting confidentiality and integrity across all OpenPLC_V3 deployments. No public exploit identified at time of analysis.

Information Disclosure Openplc V3
NVD
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-34177 CRITICAL PATCH GHSA Act Now

Privilege escalation in Canonical LXD 4.12-6.7 allows authenticated remote attackers with VM instance editing rights to bypass project restrictions via incomplete denylist validation. Attackers inject AppArmor rules and QEMU chardev configurations through unblocked raw.apparmor and raw.qemu.conf keys, bridging the LXD Unix socket into guest VMs. Successful exploitation enables escalation to LXD cluster administrator and subsequently to host root access. No public exploit identified at time of analysis. Authenticated remote exploitation (PR:H) with cross-scope impact on confidentiality, integrity, and availability.

Canonical Privilege Escalation
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-34179 CRITICAL PATCH GHSA Act Now

Privilege escalation in Canonical LXD 4.12 through 6.7 enables remote authenticated restricted TLS certificate users to gain cluster admin privileges. Exploitation requires high-privilege authentication (PR:H) but no user interaction. The vulnerability stems from missing Type field validation in doCertificateUpdate function when processing PUT/PATCH requests to the certificates API endpoint. Attack scope is changed (S:C), allowing attackers to break containment and achieve full cluster compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis.

Canonical Privilege Escalation
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-39980 CRITICAL PATCH NEWS Act Now

Server-Side Template Injection in OpenCTI notifier templates allows privileged administrators with 'Manage customization' capability to execute arbitrary JavaScript in the platform process context. Affecting all versions prior to 6.9.5, this vulnerability permits authenticated high-privilege users to achieve complete system compromise through unsafe EJS template rendering in safeEjs.ts. No public exploit code identified and EPSS score of 0.07% indicates low observed exploitation probability, but CVSS 9.1 Critical rating reflects the total technical impact once privileged access is obtained. Vendor patch released in version 6.9.5.

Ssti Information Disclosure
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-34178 CRITICAL PATCH GHSA Act Now

Backup import in Canonical LXD before 6.8 bypasses project security restrictions, enabling privilege escalation to full host compromise. An authenticated remote attacker with instance-creation permission in a restricted project crafts malicious backup archives containing conflicting configuration files: backup/index.yaml passes validation, while backup/container/backup.yaml (never validated) carries forbidden directives like security.privileged=true or raw.lxc commands. Exploiting this dual-file validation gap allows unrestricted container creation that breaks isolation boundaries. No public exploit identified at time of analysis.

Canonical Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-33771 CRITICAL Act Now

Juniper Networks CTP OS 9.2R1 and 9.2R2 fail to persist password complexity settings, enabling unauthenticated attackers to exploit predictable weak passwords on local accounts. The password management function allows administrators to configure complexity requirements but does not save these configurations, verifiable through 'Show password requirements' menu. This defect permits trivial passwords that attackers can brute-force remotely to gain full device control. No public exploit identified at time of analysis.

Authentication Bypass Juniper Brute Force Ctop Os
NVD VulDB
CVSS 4.0
9.1
EPSS
0.0%
CVE-2026-29145 CRITICAL PATCH GHSA Act Now

Authentication bypass in Apache Tomcat 9.x through 11.x and Tomcat Native 1.1.23-2.0.13 allows unauthenticated remote attackers to bypass CLIENT_CERT authentication when soft-fail is disabled, achieving unauthorized access to confidentiality- and integrity-sensitive resources. Exploitation requires no user interaction or privileges (CVSS:3.1 PR:N/UI:N). The flaw affects CLIENT_CERT authentication logic, permitting access under conditions where authentication should fail. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.04%).

Apache Tomcat Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-30479 CRITICAL Act Now

Remote code execution in OSGeo MapServer versions prior to 8.0 enables unauthenticated attackers to execute arbitrary code through dynamic-link library (DLL) injection via a specially crafted executable. The vulnerability requires no user interaction and has low attack complexity (CVSS 9.1 Critical), though real-world exploitation probability remains low (EPSS 2%, 5th percentile). Publicly available exploit code exists in a researcher's GitHub repository, but no confirmed active exploitation (CISA KEV) has been documented at time of analysis.

Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-5445 CRITICAL Act Now

Out-of-bounds heap read in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to extract heap memory contents and potentially crash the server via malformed PALETTE COLOR images. The vulnerability resides in the DecodeLookupTable function, which fails to validate pixel indices against palette size boundaries. With a 9.1 CVSS score but only 0.02% EPSS (4th percentile), the theoretical severity is high but observed real-world exploitation probability remains very low. No active exploitation confirmed (not in CISA KEV), no public exploit code identified at time of analysis.

Buffer Overflow Information Disclosure Dicom Server
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-50228 CRITICAL Act Now

Server-Side Request Forgery in Jizhicms v2.5.4 allows unauthenticated remote attackers to abuse User Evaluation, Message, and Comment modules to make arbitrary HTTP requests from the server. With critical CVSS 9.1 (AV:N/AC:L/PR:N/UI:N), attackers can achieve high confidentiality and integrity impact without authentication. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, and no vendor-released patch confirmed

SSRF
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-57735 CRITICAL PATCH GHSA Act Now

Apache Airflow 3.0.0 through 3.1.x fails to invalidate JWT tokens at logout, allowing intercepted tokens to remain valid for unauthorized API access. This session management weakness enables replay attacks against the workflow orchestration platform's REST API. No active exploitation confirmed (EPSS 3rd percentile), but SSVC rates as automatable with partial technical impact. Vendor-released patch: Apache Airflow 3.2.0.

Information Disclosure Airflow
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34987 CRITICAL PATCH GHSA Act Now

Memory sandbox escape in Wasmtime's Winch compiler (versions 25.0.0 to before 36.0.7, 42.0.2, 43.0.1) enables authenticated WebAssembly guests to access arbitrary host process memory outside linear-memory boundaries. Exploitation requires non-default Winch backend activation via -Ccompiler=winch flag. Attackers can read up to 32KiB before memory start or ~4GiB after, with theoretical potential for unlimited in-process memory access due to improper 32-bit offset handling in 64-bit registers. Consequences include host process crashes (DoS), sensitive data exfiltration, or remote code execution through memory writes. Affects aarch64 (confirmed PoC) and x86-64 (theoretical). Publicly available exploit code exists.

Information Disclosure Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
9.0
EPSS
0.0%
CVE-2026-34971 CRITICAL PATCH GHSA Act Now

Arbitrary memory read/write vulnerability in Bytecode Alliance Wasmtime versions 32.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 allows authenticated remote attackers to escape WebAssembly sandbox restrictions. The Cranelift compilation backend on aarch64 architecture miscompiles specific heap access patterns, creating divergent address computations where bounds checks validate one address while loads access another, enabling sandbox escape through unrestricted host memory access. Exploitation requires 64-bit WebAssembly linear memories with Spectre mitigations and signals-based-traps disabled. No public exploit identified at time of analysis.

Information Disclosure Buffer Overflow Wasmtime
NVD GitHub VulDB
CVSS 4.0
9.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy