215 CVEs tracked today. 11 Critical, 80 High, 100 Medium, 8 Low.
-
CVE-2026-40258
CRITICAL
CVSS 9.1
Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.
PostgreSQL
Python
Path Traversal
Docker
-
CVE-2026-40189
CRITICAL
CVSS 9.3
Critical authorization bypass in goshs (Go-based HTTP server) versions prior to 2.0.0-beta.4 allows unauthenticated attackers to upload, delete, and modify files in directories protected by .goshs ACL configurations. Attackers can execute state-changing operations (PUT uploads, POST /upload, directory creation via ?mkdir, file deletion via ?delete) without credentials, bypassing documented per-folder authentication mechanisms. Deleting the .goshs file itself removes authentication policies, enabling unrestricted access to previously protected content. Affects confidentiality, integrity, and availability of protected resources. No public exploit identified at time of analysis.
Authentication Bypass
Goshs
-
CVE-2026-40177
CRITICAL
CVSS 9.3
Authentication bypass in Ajenti admin panel versions prior to 0.112 allows unauthenticated remote attackers to completely circumvent password authentication when two-factor authentication (2FA) is enabled. Attackers can gain full administrative access to the Ajenti server management interface without valid credentials, compromising confidentiality and integrity of managed systems. No public exploit identified at time of analysis.
Authentication Bypass
Ajenti
-
CVE-2026-40175
CRITICAL
CVSS 10.0
Remote code execution in the Axios HTTP client library before 1.15.0 via a gadget chain that escalates prototype pollution flaws in third-party dependencies. Unauthenticated network attackers can chain these into full remote code execution, or into cloud compromise through an AWS IMDSv2 bypass. The CVSS 10.0 rating with scope change reflects a breach of the containment boundary. No public exploit identified at time of analysis.
RCE
Node.js
Axios
-
CVE-2026-40157
CRITICAL
CVSS 9.4
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite through malicious .praison archive bundles. The cmd_unpack function in recipe CLI performs unvalidated tar extraction, allowing attackers to embed ../ path sequences that escape the intended extraction directory. Unauthenticated attackers can distribute weaponized bundles that, when unpacked by victims via 'praisonai recipe unpack' command, overwrite critical system files with attacker-controlled content. No public exploit identified at time of analysis.
Path Traversal
Praisonai
-
CVE-2026-33707
CRITICAL
CVSS 9.4
Unauthenticated password reset takeover in Chamilo LMS 1.11.x (prior to 1.11.38) and 2.0.0-RC versions (prior to RC.3) allows remote attackers to hijack arbitrary user accounts by computing deterministic reset tokens. The vulnerability stems from insecure token generation using sha1($email) without randomization, expiration, or rate limiting. Attackers knowing a target's email address can directly calculate valid password reset tokens and change account credentials without prior authentication, enabling full account takeover with high confidentiality and integrity impact. No public exploit identified at time of analysis.
Information Disclosure
-
CVE-2026-33698
CRITICAL
CVSS 9.3
Arbitrary file write vulnerability in Chamilo LMS versions before 1.11.38 allows unauthenticated remote attackers to modify existing files or create new files with system-level permissions through a chained attack exploiting the main/install/ directory. Attackers can bypass PHP execution restrictions when the installation directory remains accessible post-deployment, enabling complete system compromise where filesystem permissions permit. This vulnerability affects portals that have not removed the main/install/ directory after initial setup. No public exploit identified at time of analysis.
PHP
Information Disclosure
Path Traversal
Chamilo Lms
-
CVE-2026-32892
CRITICAL
CVSS 9.1
OS command injection in Chamilo LMS 1.x (prior to 1.11.38) and 2.0.0-RC.x (prior to RC.3) allows authenticated teacher-role users to execute arbitrary system commands via unsanitized file path parameters. The move() function in fileManage.lib.php concatenates user-controlled move_to POST values directly into exec() shell commands without proper escaping. Any authenticated user can exploit this by creating a course (enabled by default), uploading a directory with shell metacharacters via Course Backup Import, then moving a document to trigger command execution as www-data. No public exploit identified at time of analysis.
PHP
Command Injection
-
CVE-2026-6057
CRITICAL
CVSS 9.8
Unauthenticated path traversal in FalkorDB Browser 1.9.3 file upload API enables remote attackers to write arbitrary files to the server filesystem and execute code without authentication. Attack vector is network-accessible with low complexity, requiring no user interaction. CVSS 9.8 critical severity reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.09%, 25th percentile).
RCE
Path Traversal
File Upload
Falkordb Browser
-
CVE-2026-5412
CRITICAL
CVSS 9.9
Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentials via CloudSpec API. Affects Juju 2.9.0-2.9.56 and 3.6.0-3.6.20. Low-privileged authenticated attackers can escalate privileges by accessing sensitive cloud provider credentials, enabling lateral movement to infrastructure resources. Network-accessible with low complexity (CVSS 9.9 Critical). No public exploit identified at time of analysis. Patch available in versions 2.9.57 and 3.6.21.
Authentication Bypass
-
CVE-2026-1115
CRITICAL
CVSS 9.6
Stored cross-site scripting in parisneo/lollms versions prior to 2.2.0 enables unauthenticated attackers to inject malicious JavaScript through unsanitized social post content in the create_post function. Injected scripts execute in victims' browsers when viewing the Home Feed, enabling account takeover, session hijacking, and wormable propagation across the platform. The CVSS vector indicates network-accessible exploitation requiring user interaction, with scope change allowing cross-domain impact. No public exploit identified at time of analysis, but low attack complexity increases weaponization risk.
XSS
-
CVE-2026-40259
HIGH
CVSS 8.1
Unauthorized deletion of attribute view definitions in SiYuan note-taking application allows authenticated publish-service readers to permanently destroy arbitrary workspace data. Attackers with low-privilege publish credentials can extract attribute view IDs from published content markup (exposed as data-av-id attributes) and invoke the /api/av/removeUnusedAttributeView endpoint to delete corresponding JSON definition files. The endpoint lacks proper authorization controls, accepting RoleReader tokens despite performing destructive write operations. Successful exploitation corrupts database views, breaks local workspace rendering, and causes operational disruption requiring manual restoration.
Authentication Bypass
-
CVE-2026-40242
HIGH
CVSS 7.2
Server-side request forgery in Arcane Docker management interface versions prior to 1.17.3 allows unauthenticated remote attackers to conduct SSRF attacks via the /api/templates/fetch endpoint. Attackers can supply arbitrary URLs through the url parameter, causing the server to perform HTTP GET requests without URL scheme or host validation, with responses returned directly to the caller. This enables reconnaissance of internal network resources, access to cloud metadata endpoints, and potential interaction with internal services from the server's network context. No public exploit identified at time of analysis.
SSRF
Docker
Arcane
-
CVE-2026-40217
HIGH
CVSS 8.8
Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute arbitrary code by exploiting bytecode rewriting functionality at the /guardrails/test_custom_code endpoint. The vulnerability requires low-privilege authentication (PR:L) but permits complete system compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis.
RCE
Litellm
-
CVE-2026-40200
HIGH
CVSS 8.1
Stack-based buffer overflow in musl libc 0.7.10 through 1.2.6 allows local attackers, under high attack complexity, to corrupt memory during qsort operations on exceptionally large arrays: more than about 7 million elements on 32-bit systems (the 32nd Leonardo number), and arrays approaching billion-element scale on 64-bit platforms. The flaw is an incorrect double-word primitive in the smoothsort implementation. Successful exploitation enables arbitrary code execution with scope change, impacting confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Buffer Overflow
-
CVE-2026-40188
HIGH
CVSS 7.7
Path traversal in patrickhener goshs SFTP rename operation enables authenticated attackers to write files outside the configured root directory. Versions 1.0.7 through 2.0.0-beta.3 fail to sanitize destination paths in SFTP rename commands, allowing low-privileged users to overwrite arbitrary filesystem locations with network access. High integrity impact with scope change indicates potential host compromise. No public exploit identified at time of analysis.
Information Disclosure
Goshs
-
CVE-2026-40185
HIGH
CVSS 7.1
Missing authorization in TREK collaborative travel planner (versions prior to 2.7.2) allows authenticated attackers with low privileges to access and modify trip photos that are not theirs. The Immich trip photo management routes perform no ownership check, enabling unauthorized data access (high confidentiality impact) and limited integrity compromise. Exploitation requires authenticated access but no user interaction, and is exploitable remotely over the network with low attack complexity.
Authentication Bypass
Trek
-
CVE-2026-40180
HIGH
CVSS 7.7
Path traversal vulnerability in Quarkus OpenAPI Generator (Quarkiverse) versions prior to 2.16.0 and 2.15.0-lts allows unauthenticated remote attackers to write arbitrary files outside intended directories via malicious ZIP archives. The ApicurioCodegenWrapper.java unzip() method fails to validate file paths during extraction, enabling path traversal sequences (../../) to bypass output directory restrictions and achieve arbitrary file write with high integrity impact. No public exploit identified at time of analysis. Affects Java-based Quarkus extensions for REST client and server stub generation.
Java
Path Traversal
Quarkus Openapi Generator
-
CVE-2026-40168
HIGH
CVSS 8.2
Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote attackers to access internal network resources and exfiltrate sensitive data via the /api/public/stream endpoint. The vulnerability exploits inadequate redirect validation: attackers supply public HTTPS URLs that pass initial validation but redirect server requests to private internal hosts, bypassing security controls. High confidentiality impact with potential service disruption. No public exploit identified at time of analysis.
SSRF
Postiz App
-
CVE-2026-40163
HIGH
CVSS 8.2
Unauthenticated path traversal in Saltcorn no-code application builder enables remote attackers to write arbitrary JSON files and create directories anywhere on the server filesystem via /sync/offline_changes endpoint, and read JSON files plus list directory contents via /sync/upload_finished endpoint. Affects Saltcorn versions prior to 1.4.5, 1.5.5, and 1.6.0-beta.4. No public exploit identified at time of analysis. Exploitation requires no authentication (CVSS PR:N), permitting arbitrary file write with high integrity impact and limited confidentiality exposure.
Path Traversal
Saltcorn
-
CVE-2026-40162
HIGH
CVSS 7.1
Authenticated arbitrary file write in Bugsink 2.1.0 allows remote attackers to write malicious content to filesystem locations accessible by the application process through exploitation of the artifact bundle assembly flow. Attackers holding valid authentication tokens can achieve high-integrity impact and partial availability disruption by manipulating file operations. Vulnerability affects only version 2.1.0 of the self-hosted error tracking platform. No public exploit identified at time of analysis.
Information Disclosure
Bugsink
-
CVE-2026-40160
HIGH
CVSS 7.1
Server-Side Request Forgery (SSRF) in PraisonAIAgents versions prior to 1.5.128 allows unauthenticated attackers to manipulate LLM agents into crawling arbitrary internal URLs. The httpx fallback crawler accepts user-supplied URLs without host validation and follows redirects, enabling access to cloud metadata endpoints (169.254.169.254), internal services, and localhost. Response content is returned to the agent and may be exposed in attacker-visible output. This vulnerability is the default behavior on fresh installations without Tavily API keys or Crawl4AI dependencies. No public exploit identified at time of analysis.
SSRF
Praisonaiagents
-
CVE-2026-40158
HIGH
CVSS 8.6
Arbitrary code execution in PraisonAI multi-agent system (<4.5.128) via Python sandbox escape. Incomplete AST attribute filtering allows type.__getattribute__ trampoline to bypass restrictions on __subclasses__, __globals__, and __bases__, enabling untrusted agent code to break containment. Attack requires local access and user interaction to execute malicious code. No public exploit identified at time of analysis.
RCE
Python
Code Injection
Praisonai
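To show what "incomplete AST attribute filtering" and a `type.__getattribute__` trampoline mean in practice, here is an added example, not PraisonAI code: a minimal AST filter of the kind restricted-Python sandboxes use, a constructed snippet that passes it by naming the dunders as strings instead of attributes, and a stricter filter that closes that hole. Nothing executes the submitted code; each check only decides whether a snippet would be accepted.

```python
"""Added example, not PraisonAI code: a naive AST dunder filter, the
type.__getattribute__ trampoline that slips past it, and a deny-by-default
filter that catches it.  The payload is constructed and is never executed."""
import ast

# The filter style the entry implies: deny a fixed list of introspection dunders as attributes.
BLOCKED_ATTRS = {"__subclasses__", "__globals__", "__bases__", "__mro__",
                 "__class__", "__dict__", "__builtins__"}
REFLECTIVE_BUILTINS = {"getattr", "setattr", "delattr", "vars", "globals", "locals",
                       "eval", "exec", "compile", "__import__", "breakpoint"}

# Constructed payload: every blocked name appears as a string constant, never as an attribute,
# and type.__getattribute__ does the lookup the filter was meant to prevent.
TRAMPOLINE = """
subs = type.__getattribute__(object, "__subclasses__")()
for klass in subs:
    if klass.__name__ == "os._wrap_close":
        g = type.__getattribute__(klass.__init__, "__globals__")
        g["system"]("id")
"""


def _is_dunder(name: str) -> bool:
    return len(name) > 4 and name.startswith("__") and name.endswith("__")


def naive_check(source: str) -> bool:
    """Accepts the snippet unless a blocked name appears as an attribute (obj.__subclasses__)."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in BLOCKED_ATTRS:
            return False
    return True


def strict_check(source: str) -> bool:
    """Deny by default: any dunder as an attribute or as a string constant, and any reflective builtin."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and _is_dunder(node.attr):
            return False
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and _is_dunder(node.value):
            return False
        if isinstance(node, ast.Name) and node.id in REFLECTIVE_BUILTINS:
            return False
    return True


def demo() -> dict:
    benign = "total = sum(x * x for x in range(10))\nnames = ['a', 'b']\nnames.append('c')"
    return {
        "naive_blocks_direct": not naive_check("object.__subclasses__()"),
        "naive_blocks_trampoline": not naive_check(TRAMPOLINE),
        "strict_blocks_trampoline": not strict_check(TRAMPOLINE),
        "strict_accepts_benign": strict_check(benign),
    }
```

The strict filter stops this particular trampoline, but an AST allowlist is not a security boundary: `"__sub" + "classes__"`, `chr()`, `"".join(...)` and f-strings all rebuild the same names at runtime where the parser cannot see them. Treat source filtering as defence in depth and run agent-supplied code in a separate process or container with an OS-level policy.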
-
CVE-2026-40156
HIGH
CVSS 7.8
Arbitrary code execution occurs in PraisonAI (all versions prior to 4.5.128) when a malicious tools.py file exists in the working directory. The framework automatically imports and executes this file during startup without validation or user consent, enabling unauthenticated local attackers to execute arbitrary Python code by placing a weaponized tools.py in directories accessed by users or CI/CD pipelines. User interaction is required (running praisonai command). No public exploit identified at time of analysis.
RCE
Code Injection
Praisonai
-
CVE-2026-40073
HIGH
CVSS 8.2
Request body size limit bypass in SvelteKit adapter-node allows unauthenticated attackers to submit oversized payloads, causing denial of service through resource exhaustion. Affects SvelteKit versions prior to 2.57.1 running adapter-node. Exploitation depends on specific timing or request conditions (CVSS 4.0 AT:P). Platform-level and WAF body size limits remain effective. No public exploit identified at time of analysis. The flaw is CWE-770 (allocation of resources without limits): BODY_SIZE_LIMIT enforcement fails under race conditions or particular request patterns.
Denial Of Service
Kit
-
CVE-2026-39304
HIGH
CVSS 7.5
Out-of-memory denial of service in Apache ActiveMQ allows unauthenticated remote attackers to exhaust broker memory via rapid TLSv1.3 KeyUpdate requests. Affects ActiveMQ Client, Broker, and All distributions versions <5.19.4 and 6.0.0-6.2.3 when NIO SSL transports are used. Vulnerability arises from improper handling of TLSv1.3 handshake KeyUpdate messages, enabling clients to trigger unbounded memory allocation in the SSL engine. No public exploit identified at time of analysis. CVSS 7.5 (AV:N/AC:L/PR:N) indicates network-accessible, low-complexity attack requiring no authentication.
Apache
Denial Of Service
Apache Activemq Client
Apache Activemq Broker
Apache Activemq All
-
CVE-2026-35669
HIGH
CVSS 8.7
Privilege escalation in OpenClaw gateway-authenticated plugin HTTP routes allows authenticated attackers to bypass scope restrictions and gain operator.admin privileges. The vulnerability affects OpenClaw versions prior to 2026.3.25, enabling low-privileged authenticated users to perform unauthorized administrative actions through improperly minted runtime scopes. Exploitation requires network access and low-level authentication but no user interaction. No public exploit identified at time of analysis.
Privilege Escalation
-
CVE-2026-35668
HIGH
CVSS 7.1
Path traversal in OpenClaw before 2026.3.24 allows authenticated sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameters. Incomplete validation in normalizeSandboxMediaParams and missing mediaLocalRoots context enables attackers to bypass sandbox boundaries and access sensitive data including API keys and configuration files outside designated roots. This cross-agent data leakage vulnerability requires low-privilege authentication but no user interaction. No public exploit identified at time of analysis.
Path Traversal
-
CVE-2026-35666
HIGH
CVSS 7.7
Allowlist bypass in OpenClaw before 2026.3.22 permits authenticated attackers to execute arbitrary commands by wrapping disallowed executables with /usr/bin/time. The vulnerability exploits incomplete validation in system.run approvals, which fail to detect time wrapper prefixes, allowing reuse of approval state for inner prohibited commands. Remote exploitation requires low-privilege authentication (PR:L) with network access, enabling full system compromise through command injection. No public exploit identified at time of analysis.
Authentication Bypass
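An allowlist that only looks at argv[0] cannot tell `ls` from `/usr/bin/time ls`, and once a wrapper is itself permitted (or an approval is keyed on it), anything behind it rides along. Added example, not OpenClaw code: an approval check that peels known wrapper executables and evaluates the command that will actually run. The allowlist and the wrapper option tables are constructed for the demo and deliberately partial; a real deployment must cover every wrapper its runner can reach.

```python
"""Added example, not OpenClaw code: compare the *effective* command against
the allowlist after stripping wrappers such as /usr/bin/time, env, nice,
nohup and timeout.  Tables below are constructed and partial (assumption)."""
import os
import shlex

ALLOWED_TOOLS = {"ls", "cat", "git"}

# wrapper -> (options that consume the next token, leading positionals before the real command)
WRAPPERS = {
    "time":    ({"-f", "--format", "-o", "--output"}, 0),
    "env":     ({"-u", "--unset", "-C", "--chdir", "-S", "--split-string"}, 0),
    "nice":    ({"-n", "--adjustment"}, 0),
    "nohup":   (set(), 0),
    "timeout": ({"-s", "--signal", "-k", "--kill-after"}, 1),   # the duration is positional
}
SHELL_OPERATORS = {"|", "||", "&&", ";", "&", ">", ">>", "<", "`"}


def effective_argv(argv: list[str]) -> list[str]:
    """Strip leading wrappers, repeatedly, and return the argv that will really be executed."""
    while argv:
        prog = os.path.basename(argv[0])
        if prog not in WRAPPERS:
            return argv
        takes_arg, positionals = WRAPPERS[prog]
        i = 1
        while i < len(argv):
            tok = argv[i]
            if tok == "--":                      # explicit end of wrapper options
                i += 1
                break
            if tok.startswith("-") and len(tok) > 1:
                i += 2 if tok in takes_arg else 1      # "--opt=value" is a single token
            elif prog == "env" and "=" in tok:
                i += 1                                  # VAR=value assignment
            elif positionals:
                positionals -= 1
                i += 1
            else:
                break                                   # first token of the inner command
        argv = argv[i:]
    return argv


def naive_allowed(command: str) -> bool:
    """The flawed gate (an assumption about the pre-fix logic): only argv[0] is compared,
    and harmless-looking wrappers are themselves on the list."""
    argv = shlex.split(command)
    return bool(argv) and os.path.basename(argv[0]) in ALLOWED_TOOLS | set(WRAPPERS)


def strict_allowed(command: str) -> bool:
    """Judge the command that survives wrapper peeling; a wrapper on its own never qualifies."""
    argv = effective_argv(shlex.split(command))
    if not argv or any(tok in SHELL_OPERATORS for tok in argv):
        return False      # operators only bite if a shell runs this, but refuse them regardless
    return os.path.basename(argv[0]) in ALLOWED_TOOLS
```

Two caveats a reviewer would raise: the option tables must match the installed binaries (GNU `time` and the bash `time` keyword differ, and `env -S` re-splits its argument), and peeling wrappers is only sound when the runner executes the argv directly rather than through a shell, where `$(...)` and aliases reopen the problem.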
-
CVE-2026-35663
HIGH
CVSS 8.7
Privilege escalation in OpenClaw versions prior to 2026.3.25 allows authenticated low-privilege operators to bypass pairing requirements during backend reconnection, self-requesting elevated scopes to gain operator.admin privileges. Attackers with existing operator credentials exploit improper scope validation (CWE-648) to escalate from limited operator access to full administrative control over the OpenClaw system. Exploitation requires network access and low-privilege authentication (CVSS:3.1 PR:L), enabling high-impact compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Privilege Escalation
-
CVE-2026-35660
HIGH
CVSS 7.2
Insufficient access control in OpenClaw Gateway agent allows authenticated attackers with operator.write permission to reset admin sessions without operator.admin authorization. By invoking /reset or /new endpoints with explicit sessionKey parameters, attackers bypass privilege requirements and terminate arbitrary administrative sessions, achieving high-impact session hijacking. Affects OpenClaw versions prior to 2026.3.23. No public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-35657
HIGH
CVSS 7.1
Authorization bypass in OpenClaw before 2026.3.25 allows authenticated attackers to read the /sessions/:sessionKey/history HTTP endpoint without holding the operator.read scope, exposing session history data. Exploitation requires valid authentication credentials. No public exploit code or active exploitation identified at time of analysis.
Authentication Bypass
-
CVE-2026-35653
HIGH
CVSS 7.2
Incorrect authorization in OpenClaw before 2026.3.24 allows authenticated users holding operator.write with the browser.request capability to invoke the POST /reset-profile endpoint, bypassing the privilege restriction on it to terminate running browsers, sever Playwright connections, and relocate profile directories to the system Trash. Exploitation requires low-privilege authentication (CVSS PR:L) but achieves high integrity and availability impact through unauthorized state mutation and service disruption across the intended security boundary. No public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-35650
HIGH
CVSS 7.7
Remote code execution in OpenClaw versions prior to 2026.3.22 allows authenticated attackers to bypass shared host environment policy via inconsistent environment variable sanitization. Attackers exploit validation inconsistencies by supplying malformed or blocked override keys that evade filtering mechanisms, enabling arbitrary code execution with unauthorized environment variable configurations. Vulnerability requires low-privilege authentication and high attack complexity. No public exploit identified at time of analysis.
RCE
-
CVE-2026-35643
HIGH
CVSS 8.6
Remote code execution in OpenClaw Android application (versions before 2026.3.22) allows unauthenticated attackers to execute arbitrary code through an unvalidated WebView JavascriptInterface. Attackers craft malicious web pages that invoke the exposed canvas bridge, executing instructions within the application's Android context when users interact with untrusted content. The vulnerability requires user interaction but no authentication, enabling high-severity compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis.
RCE
Google
-
CVE-2026-35641
HIGH
CVSS 8.4
Arbitrary code execution in OpenClaw versions prior to 2026.3.24 enables local attackers to execute malicious code during npm package installation by crafting a malicious .npmrc file that overrides the git executable. When npm install runs in the staged package directory with git dependencies, the attacker-controlled .npmrc configuration triggers execution of arbitrary programs specified by the attacker. Exploitation requires user interaction to install the malicious plugin or hook locally. No public exploit identified at time of analysis.
RCE
Node.js
-
CVE-2026-35621
HIGH
CVSS 7.1
OpenClaw before version 2026.3.24 allows authenticated operator.write-scoped clients to escalate privileges and modify channel authorization policies normally restricted to operator.admin scope through improper scope re-validation in the /allowlist command. Attackers with write-level permissions can exploit the chat.send function to construct an internal command-authorized context and persist unauthorized changes to channel allowFrom and groupAllowFrom policies, effectively bypassing access control mechanisms.
Privilege Escalation
Authentication Bypass
-
CVE-2026-35595
HIGH
CVSS 8.3
Privilege escalation in Vikunja API (v2.2.2 and prior) allows authenticated users with Write permission on a shared project to escalate to Admin by reparenting the project under their own hierarchy. The vulnerability exploits insufficient authorization checks in project reparenting (CanWrite instead of IsAdmin), causing the recursive permission CTE to grant Admin rights. Attackers can then delete projects, remove user access, and manage sharing settings. Publicly available exploit code exists.
Python
Privilege Escalation
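The Vikunja entry is a good illustration of how an inherited-permission query turns a write-level check into an admin grant. Added example, not Vikunja code (written in Python with SQLite rather than Vikunja's Go, because the point is the query): a toy project tree whose effective permission is computed by a recursive CTE walking up the parent chain, the flawed reparenting gate, and the fixed one. Schema, users and the permission encoding are constructed for the demo.

```python
"""Added example, not Vikunja code: inherited project permissions via a
recursive CTE, and why gating reparenting on Write lets a collaborator reach
Admin.  Everything here (schema, ids, permission levels) is constructed."""
import sqlite3

READ, WRITE, ADMIN = 0, 1, 2

SCHEMA = """
CREATE TABLE projects (
    id INTEGER PRIMARY KEY, title TEXT, owner_id INTEGER,
    parent_id INTEGER REFERENCES projects(id));
CREATE TABLE project_users (project_id INTEGER, user_id INTEGER, permission INTEGER);
"""

# Effective permission = the best the user holds on the project or any ancestor;
# owning an ancestor counts as ADMIN, which is exactly what reparenting exploits.
PERMISSION_SQL = """
WITH RECURSIVE chain(id, parent_id, depth) AS (
    SELECT id, parent_id, 0 FROM projects WHERE id = ?
    UNION ALL
    SELECT p.id, p.parent_id, c.depth + 1
      FROM projects p JOIN chain c ON p.id = c.parent_id
     WHERE c.depth < 64              -- guard: a reparenting cycle must not loop forever
)
SELECT MAX(perm) FROM (
    SELECT 2 AS perm FROM projects
     WHERE id IN (SELECT id FROM chain) AND owner_id = ?
    UNION ALL
    SELECT permission FROM project_users
     WHERE project_id IN (SELECT id FROM chain) AND user_id = ?
)
"""


def effective_permission(db, user_id: int, project_id: int):
    (perm,) = db.execute(PERMISSION_SQL, (project_id, user_id, user_id)).fetchone()
    return perm          # None when the user has no access at all


def can(db, user_id: int, project_id: int, needed: int) -> bool:
    perm = effective_permission(db, user_id, project_id)
    return perm is not None and perm >= needed


def reparent_vulnerable(db, actor: int, project_id: int, new_parent_id):
    """The flawed gate the entry describes: CanWrite on the project being moved."""
    if not can(db, actor, project_id, WRITE):
        raise PermissionError("write required")
    db.execute("UPDATE projects SET parent_id = ? WHERE id = ?", (new_parent_id, project_id))


def reparent_fixed(db, actor: int, project_id: int, new_parent_id):
    """Admin on the moved project, plus (an added precaution) write on the destination parent."""
    if not can(db, actor, project_id, ADMIN):
        raise PermissionError("admin required on the project being moved")
    if new_parent_id is not None and not can(db, actor, new_parent_id, WRITE):
        raise PermissionError("write required on the new parent")
    db.execute("UPDATE projects SET parent_id = ? WHERE id = ?", (new_parent_id, project_id))


def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO projects VALUES (?, ?, ?, ?)",
                   [(1, "Victim roadmap", 100, None), (2, "Mallory private", 200, None)])
    db.execute("INSERT INTO project_users VALUES (1, 200, ?)", (WRITE,))   # victim shares with Mallory
    return db


def demo() -> dict:
    db = fresh_db()
    before = effective_permission(db, 200, 1)
    reparent_vulnerable(db, 200, 1, 2)            # move the shared project under Mallory's own
    escalated = effective_permission(db, 200, 1)
    db = fresh_db()
    try:
        reparent_fixed(db, 200, 1, 2)
        blocked = False
    except PermissionError:
        blocked = True
    return {"before": before, "after_vulnerable": escalated,
            "fixed_blocked": blocked, "victim_still_admin": effective_permission(db, 100, 1)}
```

The lesson generalises beyond Vikunja: any operation that changes where a node sits in a permission-inheriting tree is itself a permission-granting operation and needs the same gate as sharing or ownership transfer.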
-
CVE-2026-34727
HIGH
CVSS 7.4
Authentication bypass in Vikunja task management platform allows unauthenticated attackers to circumvent two-factor authentication when OIDC email-based user matching is enabled. The OIDC callback handler issues complete JWT tokens without validating TOTP enrollment status, enabling full account access to users with configured TOTP protection when matched through OIDC email fallback. Affects versions prior to 2.3.0. No public exploit identified at time of analysis.
Authentication Bypass
Vikunja
-
CVE-2026-33710
HIGH
CVSS 7.5
Predictable API key generation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows unauthenticated remote attackers to brute-force valid REST API keys. The md5-based generation algorithm uses a flawed random seed (rand(10000,10000) always returns 10000), reducing the keyspace to md5(timestamp + user_id*5 - 10000). Attackers with knowledge of target usernames and approximate key creation timestamps can enumerate valid API keys through offline computation, enabling unauthorized access to REST API endpoints and confidential data exposure. No public exploit identified at time of analysis.
Information Disclosure
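Both Chamilo token entries above (the sha1(email) reset token in CVE-2026-33707 and the md5 API key with its constant seed in CVE-2026-33710) come down to tokens that are functions of public or narrowly-bounded inputs. Added example, not Chamilo code: the two derivations as toy functions (formulas as the entries state them; emails, user ids and timestamps are constructed), the offline enumeration they permit, and a reset-token store with none of the three defects the first entry lists (no randomness, no expiry, no single use).

```python
"""Added example, not Chamilo code: the predictable derivations described in
CVE-2026-33707 and CVE-2026-33710 in toy form, the offline enumeration they
allow, and a sound reset-token store.  All identities and times are constructed."""
import hashlib
import hmac
import secrets

RESET_TTL_S = 15 * 60


def weak_reset_token(email: str) -> str:
    """CVE-2026-33707 pattern: the token is a pure function of the e-mail address."""
    return hashlib.sha1(email.encode()).hexdigest()


def weak_api_key(user_id: int, created_ts: int) -> str:
    """CVE-2026-33710 pattern: rand(10000, 10000) is always 10000, so the only moving
    part is the creation timestamp (seed arithmetic as the entry states it)."""
    seed = created_ts + user_id * 5 - 10000
    return hashlib.md5(str(seed).encode()).hexdigest()


def enumerate_api_keys(user_id: int, approx_ts: int, window_s: int) -> dict[str, int]:
    """Every candidate key for a creation time within +/- window_s of the guess: offline, no requests."""
    return {weak_api_key(user_id, t): t
            for t in range(approx_ts - window_s, approx_ts + window_s + 1)}


def recover_creation_time(user_id: int, observed_key: str, approx_ts: int, window_s: int):
    """Given a key seen once (e.g. in a log), confirm the derivation and pin its timestamp."""
    return enumerate_api_keys(user_id, approx_ts, window_s).get(observed_key)


class ResetTokenStore:
    """Sound design: 256-bit random token, stored only as a keyed hash, bound to one
    user, single use, and expiring after RESET_TTL_S."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._pending: dict[str, tuple[int, float]] = {}

    def _digest(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: int, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, now + RESET_TTL_S)
        return token          # goes to the user's mailbox; the clear token is never stored

    def redeem(self, user_id: int, token: str, now: float) -> bool:
        entry = self._pending.pop(self._digest(token), None)   # pop: a token works once
        if entry is None:
            return False
        owner, expires_at = entry
        return owner == user_id and now <= expires_at


def demo() -> dict:
    ts = 1_700_000_000
    leaked = weak_api_key(42, ts)
    store = ResetTokenStore(b"constructed-server-secret")
    t1 = store.issue(7, now=1000.0)
    t2 = store.issue(7, now=1000.0)
    return {
        "reset_token_is_deterministic":
            weak_reset_token("alice@example.org") == weak_reset_token("alice@example.org"),
        "candidates_for_2min_window": len(enumerate_api_keys(42, ts, 60)),
        "recovered_ts": recover_creation_time(42, leaked, ts + 30, 60),
        "first_use": store.redeem(7, t1, now=1500.0),
        "replay": store.redeem(7, t1, now=1500.0),
        "expired": store.redeem(7, t2, now=2000.0),
        "wrong_user": store.redeem(8, store.issue(7, now=1000.0), now=1001.0),
    }
```

The enumeration size is what to look at when triaging a predictable-token report: 121 md5 computations for a two-minute uncertainty window, or a single sha1 for the reset case, is well inside what an attacker does offline before sending one request. Storing only an HMAC of the issued token means a database read does not yield usable tokens either.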
-
CVE-2026-33706
HIGH
CVSS 7.1
Privilege escalation in Chamilo LMS versions prior to 1.11.38 allows any authenticated user with a REST API key to elevate their account status from student (status=5) to teacher/course manager (status=1) by manipulating the status field through the update_user_from_username REST API endpoint. This enables unauthorized course creation and management capabilities. Authentication is required (PR:L), but once exploited, attackers gain teacher-level course management functions, a high integrity impact within the learning management system. No public exploit identified at time of analysis.
Privilege Escalation
-
CVE-2026-33704
HIGH
CVSS 7.1
Remote code execution in Chamilo LMS versions prior to 1.11.38 allows authenticated users (including low-privilege students) to upload and execute arbitrary PHP code through the BigUpload endpoint. Attackers exploit insufficient file extension filtering by uploading .pht files containing malicious code, which Apache servers with default .pht handlers execute as PHP. The vulnerability enables authenticated attackers to achieve full server compromise through unrestricted arbitrary file write capabilities. No public exploit identified at time of analysis.
Apache
PHP
File Upload
RCE
-
CVE-2026-33703
HIGH
CVSS 7.1
Insecure Direct Object Reference in Chamilo LMS allows authenticated users to access complete personal data and API tokens of any user by manipulating the userId parameter in the /social-network/personal-data/{userId} endpoint. Attack requires only low-privilege authentication (PR:L) and no user interaction, enabling mass disclosure of credentials and sensitive information across the entire platform. Affects all Chamilo LMS versions prior to 2.0.0-RC.3. No public exploit identified at time of analysis.
Authentication Bypass
Chamilo Lms
-
CVE-2026-33702
HIGH
CVSS 7.1
Insecure Direct Object Reference in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows authenticated users enrolled in a course to manipulate arbitrary Learning Path progress data for other users. The lp_ajax_save_item.php endpoint accepts a uid parameter without ownership validation, enabling attackers to overwrite scores, completion status, and time tracking for any enrolled user by modifying the request parameter. No public exploit identified at time of analysis. CVSS 7.1 (High) reflects authenticated network-based exploitation with high integrity impact.
PHP
Authentication Bypass
-
CVE-2026-33618
HIGH
CVSS 8.8
Remote code execution in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated attackers with administrative privileges to inject and execute arbitrary PHP code via platform configuration settings. The PlatformConfigurationController::decodeSettingArray() method unsafely uses eval() to parse database-stored settings, so the injected code runs when any user, including unauthenticated visitors, accesses the /platform-config/list endpoint. The CVSS vector nonetheless scores the required access as low privilege (PR:L); the payoff is full system compromise with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.
RCE
PHP
Code Injection
-
CVE-2026-33092
HIGH
CVSS 7.8
Local privilege escalation in Acronis True Image for macOS enables authenticated low-privileged users to gain elevated system privileges through improper environment variable handling. Affects Acronis True Image OEM (macOS) versions prior to build 42571 and Acronis True Image (macOS) prior to build 42902. Attackers with existing local access can achieve complete system compromise (high confidentiality, integrity, and availability impact). No public exploit identified at time of analysis. Exploitation requires low attack complexity with no user interaction.
Apple
Privilege Escalation
-
CVE-2026-32931
HIGH
CVSS 7.5
Remote code execution in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows authenticated teachers to upload PHP webshells through the exercise sound upload function by spoofing Content-Type headers to audio/mpeg. Uploaded malicious files retain their .php extensions and execute in web-accessible directories with web server privileges (www-data). Attack requires low-privilege teacher account but no user interaction. No public exploit identified at time of analysis.
RCE
PHP
File Upload
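The two Chamilo upload entries (the .pht denylist gap in CVE-2026-33704 and the audio/mpeg Content-Type spoof in CVE-2026-32931) fail in opposite directions: one trusts the extension too little, the other trusts the client's header too much. Added example, not Chamilo code: an upload gate that decides from an extension allowlist plus the file's own bytes and ignores the client-supplied Content-Type entirely. The set of server-executable extensions is an assumption about a stock Apache + mod_php setup; check the handlers your own server actually maps.

```python
"""Added example, not Chamilo code: upload vetting by extension allowlist and
magic bytes, with the client Content-Type deliberately ignored.  The
SERVER_EXECUTABLE_EXT table is an assumption about a typical Apache+PHP host."""
import os

ALLOWED_AUDIO_EXT = {"mp3", "ogg", "wav"}
# Extensions a stock Debian/Ubuntu Apache+PHP configuration hands to the PHP engine (assumption).
SERVER_EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "php8",
                         "phtml", "pht", "phar", "phps"}


def denylist_gate_vulnerable(filename: str) -> bool:
    """Blocks '.php' only: shell.pht and shell.phtml walk straight through."""
    return not filename.lower().endswith(".php")


def content_type_gate_vulnerable(content_type: str) -> bool:
    """Trusts the multipart Content-Type header, which the uploader writes."""
    return content_type == "audio/mpeg"


def sniff_audio(data: bytes):
    """Identify the container from magic bytes; None when it is none of the allowed kinds."""
    if data[:3] == b"ID3" or (len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        return "mp3"                                    # ID3 tag or MPEG audio frame sync
    if data[:4] == b"OggS":
        return "ogg"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    return None


def vet_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason).  content_type is a parameter only to make the point that
    the decision never reads it."""
    name = os.path.basename(filename.replace("\\", "/"))        # drop any path the client supplied
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing or empty extension"             # also catches '.htaccess'
    exts = parts[1:]
    if any(e in SERVER_EXECUTABLE_EXT for e in exts):
        return False, "server-executable extension present"    # catches shell.php.mp3 as well
    if exts[-1] not in ALLOWED_AUDIO_EXT:
        return False, f"extension {exts[-1]!r} not allowed"
    kind = sniff_audio(data)
    if kind != exts[-1]:
        return False, f"content looks like {kind}, name claims {exts[-1]}"
    return True, kind      # store under a server-generated name carrying this extension
```

Two further controls belong alongside this in production: store uploads under a random server-chosen name outside the document root (or in a directory with PHP execution disabled), and serve them with a fixed Content-Type and `X-Content-Type-Options: nosniff`, so that even a file the sniffer misjudges is never interpreted.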
-
CVE-2026-32930
HIGH
CVSS 7.1
Authenticated teachers in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 can access and modify gradebook evaluation settings across unauthorized courses through Insecure Direct Object Reference in the editeval parameter. Attackers with low-privilege teacher accounts can alter evaluation names, maximum scores, and weights for assessments in courses they do not own, enabling unauthorized data disclosure and integrity compromise. No public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-32894
HIGH
CVSS 7.1
Authenticated teachers in Chamilo LMS can delete arbitrary student grades platform-wide through Insecure Direct Object Reference in gradebook result views. By manipulating delete_mark or resultdelete GET parameters, attackers bypass course-scope and ownership controls, enabling unauthorized grade deletion across all courses. Versions prior to 1.11.38 and 2.0.0-RC.3 lack server-side validation. No public exploit identified at time of analysis. CVSS 7.1 (High) reflects authenticated access requirement with high integrity impact and low availability impact.
Denial Of Service
Null Pointer Dereference
Chamilo Lms
-
CVE-2026-32252
HIGH
CVSS 7.7
Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sensitive project data from other tenants. The vulnerability exists in the template generation endpoint (GET /team/:team_id/template/generate/:project_id), where unawaited promise execution and missing tenant validation enable attackers with valid template-generation permissions in their own team to access chart configurations, database connection details, and query structures from victim teams' projects. No public exploit identified at time of analysis. CVSS 7.7 reflects high confidentiality impact with scope change due to cross-tenant boundary violation.
Authentication Bypass
Chartbrew
-
CVE-2026-31941
HIGH
CVSS 7.7
Server-Side Request Forgery in Chamilo LMS Social Wall feature enables authenticated attackers to force the server to make arbitrary HTTP requests to internal resources. The read_url_with_open_graph endpoint accepts user-controlled URLs via social_wall_new_msg_main POST parameter without validating internal versus external targets, allowing internal port scanning, access to cloud instance metadata (AWS/GCP/Azure), and reconnaissance of private network services. Affects Chamilo LMS versions before 1.11.38 and 2.0.0-RC.3. Attack requires low-privilege authenticated access; no public exploit identified at time of analysis.
SSRF
Chamilo Lms
-
CVE-2026-31940
HIGH
CVSS 7.5
Session fixation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 enables unauthenticated remote attackers to hijack user sessions via main/lp/aicc_hacp.php. User-controlled request parameters directly manipulate PHP session IDs before application bootstrap, allowing attackers to force victims into attacker-controlled sessions. Successful exploitation grants high-severity access to confidential data and platform integrity. No public exploit identified at time of analysis.
PHP
Information Disclosure
Session Fixation
Chamilo Lms
-
CVE-2026-31939
HIGH
CVSS 8.3
Path traversal in Chamilo LMS main/exercise/savescores.php enables authenticated attackers to delete arbitrary files on the server. Vulnerable versions prior to 1.11.38 fail to sanitize the 'test' parameter from $_REQUEST, allowing directory traversal sequences to escape intended paths and target critical system or application files. Attackers with low-level authenticated access can exploit this remotely without user interaction, resulting in high integrity and availability impact through targeted file deletion.
PHP
Path Traversal
Chamilo Lms
-
CVE-2026-30232
HIGH
CVSS 7.8
Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connections with arbitrary URLs, enabling attacks against internal networks and cloud metadata endpoints. The vulnerability stems from unvalidated URL fetching via request-promise library, permitting attackers to probe internal infrastructure, access cloud instance metadata (AWS, Azure, GCP), and potentially retrieve sensitive credentials or configuration data. No public exploit identified at time of analysis. CVSS 7.8 with network attack vector and no authentication requirement in subsequent chain exploitation.
SSRF
Chartbrew
-
CVE-2026-29002
HIGH
CVSS 8.6
Privilege escalation in CouchCMS allows authenticated Admin-level users to create SuperAdmin accounts by manipulating the f_k_levels_list parameter during user creation requests. Attackers modify the parameter value from 4 to 10 in HTTP POST bodies to bypass authorization controls and gain unrestricted application access. This authenticated attack (PR:H) enables lateral privilege movement from Admin to SuperAdmin, circumventing intended role hierarchy enforcement. Publicly available exploit code exists, lowering exploitation barrier for actors with existing Admin credentials.
Privilege Escalation
Authentication Bypass
-
CVE-2026-28704
HIGH
CVSS 8.4
DLL hijacking in JPCERT's Emocheck malware detection tool allows local code execution when a malicious DLL is placed in the application directory. An unauthenticated attacker with local access can achieve arbitrary code execution at user privilege level by exploiting insecure library loading (CWE-427). The user must invoke the Emocheck executable with the crafted DLL present. No public exploit identified at time of analysis. CVSS 7.8 indicates high severity requiring user interaction and local access.
RCE
-
CVE-2026-25203
HIGH
CVSS 7.8
Local privilege escalation in Samsung MagicINFO 9 Server versions prior to 21.1091.1 enables authenticated low-privileged users to escalate to high privileges through incorrect default file/directory permissions. Attackers with local access can obtain complete system control, compromising confidentiality, integrity, and availability. Attack requires local access and low-level authentication but no user interaction. No public exploit identified at time of analysis.
Samsung
Privilege Escalation
Magicinfo 9 Server
-
CVE-2026-22750
HIGH
CVSS 7.5
SSL bundle configuration bypass in VMware Spring Cloud Gateway 4.2.0 allows unauthenticated remote attackers to compromise integrity through forced fallback to default SSL settings. When administrators configure custom SSL bundles via the spring.ssl.bundle property, the framework silently ignores this configuration and applies insecure defaults instead, enabling man-in-the-middle attacks against intended encrypted communications. Affects Spring Cloud Gateway 4.2.0 with no public exploit identified at time of analysis.
Information Disclosure
Java
-
CVE-2026-6069
HIGH
CVSS 7.5
Stack-based buffer overflow in NASM's disasm() function enables unauthenticated denial-of-service when processing malicious assembly input. Attacker-controlled disassembly formatting triggers out-of-bounds write when string length exceeds buffer capacity, causing application crash. Affects NASM assembler version 3.02rc5. Publicly available exploit code exists. CVSS 7.5 (High) reflects network-accessible attack vector requiring no privileges or user interaction, with availability impact only.
Buffer Overflow
Nasm
-
CVE-2026-6067
HIGH
CVSS 7.5
Heap buffer overflow in Netwide Assembler (NASM) 3.02rc5 obj_directive() function enables arbitrary code execution and denial of service when processing maliciously crafted .asm files. Missing bounds validation allows attackers to corrupt heap memory through specially constructed assembly source files. Publicly available exploit code exists. Impacts NASM users assembling untrusted input files, particularly automated build systems and development environments processing external assembly code.
RCE
Denial Of Service
Buffer Overflow
Nasm
-
CVE-2026-6029
HIGH
CVSS 8.9
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the User parameter in setVpnAccountCfg function at /cgi-bin/cstecgi.cgi endpoint. CVSS 9.8 critical severity with publicly available exploit code documented on GitHub. No authentication, low complexity, network-accessible attack vector enables full system compromise with high confidentiality, integrity, and availability impact.
Command Injection
-
CVE-2026-6028
HIGH
CVSS 8.9
Remote unauthenticated OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 enables complete system compromise. Attackers exploit the setPptpServerCfg function in /cgi-bin/cstecgi.cgi CGI handler by injecting malicious commands through the 'enable' parameter. CVSS 9.8 critical severity reflects network-accessible attack requiring no privileges or user interaction. Publicly available exploit code exists, significantly lowering exploitation barrier for remote attackers seeking router takeover, data exfiltration, or network pivoting.
Command Injection
-
CVE-2026-6027
HIGH
CVSS 8.9
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 enables unauthenticated remote attackers to execute arbitrary system commands via the 'enable' parameter in the setUrlFilterRules function of /cgi-bin/cstecgi.cgi. Exploitation requires no user interaction, granting complete device compromise with potential for lateral network movement. Publicly available exploit code exists (GitHub POC). CVSS 9.8 severity reflects network-accessible attack vector with no privilege requirements.
Command Injection
-
CVE-2026-6026
HIGH
CVSS 8.9
Remote OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated attackers to execute arbitrary system commands. The vulnerability resides in the setPortalConfWeChat function within /cgi-bin/cstecgi.cgi, exploitable by manipulating the 'enable' parameter. CVSS 9.8 severity reflects network-accessible attack vector requiring no authentication or user interaction, with full system compromise potential. Publicly available exploit code exists, significantly lowering exploitation barrier for remote attackers targeting vulnerable router deployments.
Command Injection
-
CVE-2026-6025
HIGH
CVSS 8.9
Remote unauthenticated OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows arbitrary command execution via the setSyslogCfg function in /cgi-bin/cstecgi.cgi. Attackers exploit the 'enable' parameter without authentication to achieve full system compromise. CVSS 9.8 critical severity reflects network accessibility, no complexity barriers, and complete confidentiality/integrity/availability impact. Publicly available exploit code exists, significantly lowering attack barrier for opportunistic scanning campaigns targeting consumer routers.
Command Injection
-
CVE-2026-6016
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda AC9 router firmware 15.03.02.13 enables authenticated remote attackers to execute arbitrary code or crash the device. The vulnerability resides in the decodePwd function within /goform/WizardHandle POST request handler, triggered by manipulating the WANS parameter. Attack requires low-privilege authentication but no user interaction. CVSS 8.8 (High) reflects potential for complete system compromise. Publicly available exploit code exists; no confirmed active exploitation (CISA KEV).
Buffer Overflow
Tenda
Stack Overflow
-
CVE-2026-6015
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda AC9 router firmware 15.03.02.13 allows authenticated remote attackers to execute arbitrary code via crafted PPPOEPassword parameter to formQuickIndex endpoint. Attack requires low-privilege credentials but no user interaction, enabling complete device compromise. Publicly available exploit code exists. CVSS 8.8 reflects network-accessible attack path with high impact to confidentiality, integrity, and availability.
Buffer Overflow
Tenda
Stack Overflow
-
CVE-2026-6014
HIGH
CVSS 7.4
Buffer overflow in D-Link DIR-513 firmware 1.10 formAdvanceSetup function enables authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in POST request handling at /goform/formAdvanceSetup endpoint, where insufficient input validation of the 'webpage' parameter triggers memory corruption. Publicly available exploit code exists. This router model is end-of-life with no vendor support.
D-Link
Buffer Overflow
Dir 513
-
CVE-2026-6013
HIGH
CVSS 7.4
Buffer overflow in D-Link DIR-513 1.10 POST request handler allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The formSetRoute function improperly validates the curTime parameter, enabling memory corruption attacks. Publicly available exploit code exists. This vulnerability affects end-of-life hardware no longer supported by D-Link, leaving no vendor remediation pathway.
D-Link
Buffer Overflow
Dir 513
-
CVE-2026-6012
HIGH
CVSS 7.4
Buffer overflow in D-Link DIR-513 1.10 formSetPassword function allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. Exploitation occurs through POST request manipulation of the curTime parameter in /goform/formSetPassword endpoint. This end-of-life product receives no vendor support, and publicly available exploit code exists. Attack requires low-privilege authentication (CVSS PR:L) but no user interaction, enabling straightforward remote exploitation once credentials are obtained.
D-Link
Buffer Overflow
Dir 513
-
CVE-2026-5997
HIGH
CVSS 8.9
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the admpass parameter in setLoginPasswordCfg function of /cgi-bin/cstecgi.cgi. Network-accessible with no user interaction required. Publicly available exploit code exists. CVSS 9.8 critical severity reflects complete system compromise potential.
TOTOLINK
Command Injection
RCE
A7100Ru
-
CVE-2026-5996
HIGH
CVSS 8.9
OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the tty_server parameter in the setAdvancedInfoShow function of /cgi-bin/cstecgi.cgi. CVSS 9.8 critical severity reflects network-accessible exploitation requiring no authentication or user interaction. Publicly available exploit code exists. Attackers can achieve full system compromise including data exfiltration, configuration tampering, and denial of service against affected routers.
TOTOLINK
Command Injection
RCE
A7100Ru
-
CVE-2026-5995
HIGH
CVSS 8.9
OS command injection in Totolink A7100RU 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via malicious lan_info parameter to setMiniuiHomeInfoShow function in /cgi-bin/cstecgi.cgi. CVSS 9.8 critical severity with network attack vector requiring no privileges or user interaction. Publicly available exploit code exists. Complete compromise of confidentiality, integrity, and availability achievable through CGI handler manipulation.
TOTOLINK
Command Injection
RCE
A7100Ru
-
CVE-2026-5994
HIGH
CVSS 8.9
Remote OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 via unauthenticated manipulation of telnet_enabled parameter in setTelnetCfg function. Critical CVSS 9.8 score reflects network-accessible attack requiring no authentication or user interaction, enabling full system compromise. Publicly available exploit code exists. Impacts router confidentiality, integrity, and availability with potential for complete device takeover and lateral network movement.
TOTOLINK
Command Injection
RCE
A7100Ru
-
CVE-2026-5993
HIGH
CVSS 8.9
Unauthenticated OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows remote attackers to execute arbitrary system commands via the wifiOff parameter in the setWiFiGuestCfg function of /cgi-bin/cstecgi.cgi. CVSS 9.8 critical severity with network-accessible attack vector requiring no authentication or user interaction. Publicly available exploit code exists. Successful exploitation enables complete device compromise with high impact to confidentiality, integrity, and availability.
TOTOLINK
Command Injection
RCE
A7100Ru
-
CVE-2026-5992
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda F451 router (version 1.0.0.7) enables authenticated remote attackers to execute arbitrary code via malformed 'page' parameter in fromP2pListFilter function at /goform/P2pListFilter endpoint. Publicly available exploit code exists. Attack requires low-privilege authentication (PR:L) but no user interaction, yielding high confidentiality, integrity, and availability impact on vulnerable device.
Tenda
Buffer Overflow
RCE
-
CVE-2026-5991
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda F451 wireless router firmware 1.0.0.7 allows authenticated remote attackers to execute arbitrary code or crash the device via crafted GO parameter to the formWrlExtraSet function in /goform/WrlExtraSet endpoint. The vulnerability permits complete compromise of device confidentiality and integrity. Publicly available exploit code exists. Attack requires low-privilege authenticated access to the web management interface.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-5990
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda F451 router firmware version 1.0.0.7 allows authenticated remote attackers to execute arbitrary code or cause denial of service via crafted 'page' parameter in the fromSafeEmailFilter function at /goform/SafeEmailFilter endpoint. Publicly available exploit code exists. Attack requires low-privilege authentication but no user interaction, enabling complete compromise of device confidentiality, integrity, and availability.
Tenda
Buffer Overflow
Stack Overflow
-
CVE-2026-5777
HIGH
CVSS 8.7
Unauthenticated root access in Egate Atom 3x Projector enables complete device compromise via an exposed Android Debug Bridge service on the local network. An attacker on the same network segment can execute arbitrary commands with full system privileges without credentials due to missing authentication controls and network exposure of the ADB service. No public exploit identified at time of analysis. Critical impact includes data exfiltration, malware installation, and persistent backdoor deployment.
Google
Authentication Bypass
Atom 3X Projector
-
CVE-2026-5501
HIGH
CVSS 8.6
Certificate chain validation bypass in wolfSSL's OpenSSL compatibility layer allows authenticated network attackers to forge arbitrary certificates. Attackers possessing any legitimate leaf certificate from a trusted CA can craft fraudulent certificates for any subject name with arbitrary keys, bypassing signature verification when an untrusted CA:FALSE intermediate is inserted. Affects nginx and haproxy integrations using wolfSSL's OpenSSL compatibility API; native wolfSSL TLS handshake (ProcessPeerCerts) not vulnerable. No public exploit identified at time of analysis.
Information Disclosure
Nginx
OpenSSL
Wolfssl
-
CVE-2026-5500
HIGH
CVSS 8.7
Man-in-the-middle attackers can truncate AES-GCM authentication tags in wolfSSL's PKCS7 AuthEnvelopedData processing from 16 bytes to 1 byte, degrading cryptographic integrity verification from 2⁻¹²⁸ to 2⁻⁸ probability. Affects wolfSSL versions through 5.9.0 due to missing lower bounds validation in wc_PKCS7_DecodeAuthEnvelopedData(). Unauthenticated network-based attack enables high-severity integrity bypass without user interaction. No public exploit identified at time of analysis.
Information Disclosure
Wolfssl
-
CVE-2026-5483
HIGH
CVSS 8.5
Service Account token disclosure in Red Hat OpenShift AI odh-dashboard component exposes Kubernetes credentials through unprotected NodeJS endpoint. Low-privilege authenticated attackers can retrieve service account tokens enabling unauthorized access to Kubernetes cluster resources. Affects Red Hat OpenShift AI 2.16 and multiple RHOAI versions. Cross-scope impact allows privilege escalation beyond dashboard component boundaries. No public exploit identified at time of analysis.
Kubernetes
Redhat
Authentication Bypass
-
CVE-2026-5479
HIGH
CVSS 7.6
ChaCha20-Poly1305 AEAD decryption in wolfSSL's EVP layer bypasses authentication tag verification, allowing unauthenticated adjacent attackers to inject arbitrary ciphertext that is decrypted and returned as plaintext without cryptographic validation. Affects wolfSSL versions prior to 5.9.1. Applications using the EVP API for ChaCha20-Poly1305 decryption receive potentially malicious plaintext, enabling man-in-the-middle attacks that compromise confidentiality and integrity of encrypted communications. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).
Information Disclosure
Wolfssl
-
CVE-2026-5477
HIGH
CVSS 8.2
Integer overflow in wolfSSL CMAC implementation (versions ≤5.9.0) enables zero-effort cryptographic forgery. The wc_CmacUpdate function uses a 32-bit counter (totalSz) that wraps to zero after processing 4 GiB of data, erroneously discarding live CBC-MAC chain state. Attackers can forge CMAC authentication tags by crafting messages with identical suffixes beyond the 4 GiB boundary, undermining message authentication integrity in unauthenticated network contexts. No public exploit identified at time of analysis.
Buffer Overflow
Integer Overflow
Wolfssl
-
CVE-2026-5466
HIGH
CVSS 7.6
Signature verification bypass in wolfSSL's ECCSI implementation allows adjacent network attackers to forge cryptographic signatures for any message and identity without authentication. The wc_VerifyEccsiHash function fails to validate that signature scalars r and s fall within the required mathematical range [1, q-1], enabling attackers with knowledge of public constants to craft universally-valid forged signatures. This defeats the cryptographic integrity guarantees of ECCSI-signed data, particularly affecting JWT authentication systems and identity-based cryptographic protocols. No public exploit identified at time of analysis.
Information Disclosure
Jwt Attack
Wolfssl
-
CVE-2026-4351
HIGH
CVSS 8.1
Authenticated arbitrary file overwrite in Perfmatters WordPress plugin ≤2.5.9 allows low-privileged attackers (Subscriber-level and above) to corrupt critical server files via path traversal. The PMCS::action_handler() method processes bulk activate/deactivate actions without authorization checks or nonce verification, passing unsanitized $_GET['snippets'][] values through Snippet::activate()/deactivate() to file_put_contents(). Attackers can overwrite files like .htaccess or index.php with fixed PHP docblock content, causing denial of service. Exploitation requires authenticated access with minimal privileges. No public exploit identified at time of analysis.
WordPress
PHP
Path Traversal
File Upload
Denial Of Service
-
CVE-2026-4162
HIGH
CVSS 7.1
Missing authorization in Gravity SMTP plugin for WordPress (versions ≤2.1.4) allows authenticated attackers with subscriber-level privileges to uninstall the plugin, deactivate functionality, and delete configuration options. Exploitable via direct API calls or CSRF attack vectors. Affects Gravity SMTP by Rocketgenius. Successful exploitation enables low-privileged users to disable critical SMTP mail delivery functionality and remove plugin settings without proper permission checks. No public exploit identified at time of analysis.
WordPress
CSRF
Authentication Bypass
-
CVE-2026-3360
HIGH
CVSS 7.5
Unauthenticated attackers can overwrite billing profile data (name, email, phone, address) for any WordPress user with an incomplete manual order in Tutor LMS plugin versions ≤3.9.7. The pay_incomplete_order() function accepts attacker-controlled order_id parameters without identity verification, writing billing fields directly to the order owner's profile. Exploitation is simplified by predictable Tutor nonce exposure on public pages, enabling targeted profile manipulation via crafted POST requests with enumerated order IDs. No public exploit or active exploitation confirmed at time of analysis.
WordPress
PHP
Authentication Bypass
Tutor Lms Elearning And Online Course Solution
-
CVE-2025-58920
HIGH
CVSS 7.1
Reflected cross-site scripting in Zootemplate Cerato WordPress theme versions through 2.2.18 allows unauthenticated attackers to execute arbitrary JavaScript in victim browsers through crafted malicious links. Successful exploitation requires user interaction (victim must click attacker-controlled URL). Attack enables session hijacking, credential theft, and defacement within changed security context. No public exploit identified at time of analysis.
XSS
-
CVE-2025-58913
HIGH
CVSS 8.1
Local file inclusion in CactusThemes VideoPro WordPress theme through version 2.3.8.1 allows unauthenticated remote attackers to read arbitrary files on the server via improper filename control in PHP include/require statements. Exploitation requires high attack complexity but no user interaction. EPSS score indicates low observed exploitation activity; no public exploit identified at time of analysis.
PHP
Information Disclosure
Lfi
-
CVE-2025-5804
HIGH
CVSS 7.5
Local file inclusion in Case Themes Case Theme User WordPress plugin (versions prior to 1.0.4) enables unauthenticated remote attackers to include arbitrary local files via PHP require/include statements. Successful exploitation requires high attack complexity and user interaction, but grants full compromise of confidentiality, integrity, and availability. Attackers may read sensitive configuration files, execute malicious code if file upload exists, or escalate to remote code execution through log poisoning techniques. No public exploit identified at time of analysis.
PHP
Information Disclosure
Lfi
-
CVE-2026-40260
MEDIUM
Memory exhaustion in pypdf library allows remote attackers to cause denial of service by crafting malicious PDF files with specially crafted XMP metadata that triggers excessive memory consumption during parsing. Affected versions prior to pypdf 6.10.0 are vulnerable; vendor-released patch is available. No active exploitation confirmed, but the attack requires only a crafted PDF file and no special privileges.
Information Disclosure
-
CVE-2026-40252
MEDIUM
CVSS 5.3
Broken Access Control in FastGPT versions prior to 4.14.10.4 allows authenticated teams to access and execute applications belonging to other teams by supplying a foreign application ID, enabling cross-tenant data exposure and unauthorized workflow execution. The vulnerability stems from insufficient API validation: while team tokens are verified, the API fails to confirm that the requested application belongs to the authenticated team. This affects all FastGPT instances with multi-tenant deployments where different teams manage separate AI Agent applications, and is fixed in version 4.14.10.4.
Information Disclosure
Authentication Bypass
Fastgpt
-
CVE-2026-40227
MEDIUM
CVSS 6.2
Denial of service in systemd 260 allows local unprivileged users to crash the systemd daemon by triggering an assert via IPC API calls containing arrays or maps with null elements. The vulnerability affects systemd version 260, with no public exploit code identified at time of analysis. EPSS score of 6.2 reflects moderate real-world risk due to the local-only attack vector and non-privileged requirements.
Information Disclosure
Systemd
-
CVE-2026-40226
MEDIUM
CVSS 6.4
Escape-to-host vulnerability in systemd nspawn (versions 233-259) allows local privileged users to break container isolation via a crafted optional config file, enabling arbitrary code execution on the host system. CVSS 6.4 reflects high integrity and confidentiality impact but requires high privilege and difficult attack conditions. No public exploit code or active exploitation has been confirmed at the time of analysis.
Information Disclosure
Systemd
-
CVE-2026-40225
MEDIUM
CVSS 6.4
Local root code execution in systemd's udev subsystem before version 260 allows attackers with physical access to craft malicious hardware devices that exploit unsanitized kernel output, achieving privilege escalation from local user context to root. The attack requires physical device insertion but no user interaction; CVSS 6.4 reflects the physical attack vector constraint, though successful exploitation grants complete system compromise. No public exploit code or active exploitation has been confirmed at time of analysis.
Information Disclosure
Systemd
-
CVE-2026-40224
MEDIUM
CVSS 6.7
Local privilege escalation in systemd 259 before 260 allows authenticated local users to gain root-level access via varlink communication to systemd-machined, exploiting improper namespace isolation. The vulnerability requires low privileges, high attack complexity, and user interaction, affecting the systemd init system across Linux distributions. No public exploit code or active exploitation has been confirmed at time of analysis.
Privilege Escalation
Authentication Bypass
-
CVE-2026-40223
MEDIUM
CVSS 4.7
Local denial of service in systemd 258 through 259 allows unprivileged users to trigger an assertion failure by interacting with service units configured with Delegate=yes and no explicit User setting, causing the systemd daemon to crash. The vulnerability requires local access and specific unit configuration but poses moderate risk to system availability with a CVSS score of 4.7 and no active exploitation currently identified.
Information Disclosure
-
CVE-2026-40212
MEDIUM
CVSS 5.4
DOM-based cross-site scripting in OpenStack Skyline console interface allows authenticated administrators to execute arbitrary JavaScript via unsafe document.write usage when viewing instance console logs. Affects Skyline versions before 5.0.1, 6.0.0, and 7.0.0. Attack requires administrator authentication and user interaction (UI:R), limiting real-world impact but enabling session hijacking or credential theft from privileged users.
XSS
-
CVE-2026-40191
MEDIUM
CVSS 6.8
ClearanceKit for macOS prior to version 5.0.4-beta-1f46165 fails to validate destination paths in dual-path file operations (rename, link, copyfile, exchangedata, clone), allowing authenticated local processes to bypass file-access protection and place or replace files in protected directories. The vulnerability affects all versions before 5.0.4-beta-1f46165 and has been patched; no public exploit code or active exploitation has been identified at the time of analysis.
Apple
Authentication Bypass
Clearancekit
-
CVE-2026-40190
MEDIUM
CVSS 5.6
Prototype pollution in LangSmith JavaScript/TypeScript SDK (langsmith) versions prior to 0.5.18 allows remote attackers to pollute Object.prototype via the createAnonymizer() API by supplying malicious constructor.prototype keys, bypassing an incomplete __proto__ filter. The vulnerability affects all objects in the Node.js process and can lead to information disclosure and integrity violations. No public exploit code or active exploitation has been confirmed at time of analysis.
Information Disclosure
Node.js
Prototype Pollution
Langsmith Sdk
-
CVE-2026-40178
MEDIUM
CVSS 6.9
Remote authentication bypass in Ajenti prior to version 0.112 allows unauthenticated network attackers to circumvent two-factor authentication during a brief post-authentication window with high attack complexity. The vulnerability affects the core authentication mechanism in ajenti.plugin.core and permits attackers to gain high-confidence access to protected resources; the vendor released patched version 0.112 to resolve this issue.
Authentication Bypass
Ajenti
-
CVE-2026-40159
MEDIUM
CVSS 5.5
PraisonAI before version 4.5.128 exposes sensitive environment variables to untrusted subprocess commands executed through its MCP (Model Context Protocol) integration, enabling credential theft and supply chain attacks when third-party tools like npx packages are invoked. An unauthenticated local attacker with user interaction can trigger MCP commands that inherit the parent process environment, gaining access to API keys, authentication tokens, and database credentials without the knowledge of developers using PraisonAI. The vulnerability is fixed in version 4.5.128.
Python
Information Disclosure
RCE
Praisonai
-
CVE-2026-40103
MEDIUM
CVSS 4.3
Vikunja's scoped API token enforcement for project background routes contains a method-confusion authorization bypass allowing tokens with only `projects.background` permission to delete project backgrounds despite lacking the `projects.background_delete` permission. This enables authenticated attackers to perform unintended destructive operations on projects they have update access to, weakening the permission model for narrowly scoped API tokens used in automation and third-party integrations. The vulnerability has a vendor-released patch available and is confirmed reproducible on the affected codebase.
Authentication Bypass
-
CVE-2026-40100
MEDIUM
CVSS 5.3
Server-side request forgery (SSRF) in FastGPT versions prior to 4.14.10.3 allows unauthenticated remote attackers to probe and access internal network resources via the /api/core/app/mcpTools/runTool endpoint, which accepts arbitrary URLs without proper validation. The vulnerability is exploitable by default because the internal IP check is gated behind a disabled configuration flag (CHECK_INTERNAL_IP=false), enabling attackers to bypass network segmentation and potentially discover or interact with backend services, databases, or cloud metadata endpoints.
SSRF
Fastgpt
-
CVE-2026-40086
MEDIUM
CVSS 5.3
Unauthenticated remote attackers can exploit a path traversal vulnerability in rembg's HTTP server (versions prior to 2.0.75) by sending a crafted request with a malicious model_path parameter to read arbitrary files from the server filesystem. The vulnerability allows attackers to enumerate file existence and permissions, and potentially extract file contents through verbose error messages when the server attempts to load arbitrary paths as ONNX models. This is a confirmed vulnerability with a vendor-released patch available in version 2.0.75.
Path Traversal
-
CVE-2026-40074
MEDIUM
CVSS 6.3
SvelteKit versions prior to 2.57.1 are vulnerable to denial of service when the redirect() function is called from the handle server hook with HTTP header-invalid characters in the location parameter. An unauthenticated remote attacker can trigger an unhandled TypeError by supplying unsanitized user input to the redirect location, potentially causing application crashes on certain platforms. The vulnerability is fixed in version 2.57.1.
Information Disclosure
Kit
-
CVE-2026-40023
MEDIUM
CVSS 6.3
Apache Log4cxx XMLLayout before version 1.7.0 fails to sanitize XML-forbidden characters in log messages, NDC (Nested Diagnostic Context), and MDC (Mapped Diagnostic Context) properties, producing malformed XML that conforming parsers reject with fatal errors. Attackers who can influence logged data can exploit this to suppress individual log records, degrading audit trails and impairing detection of malicious activity. The vulnerability affects all versions prior to 1.7.0 across multiple distribution channels (native, Conan, Homebrew), with vendor-released patch version 1.7.0 now available.
Apache
Information Disclosure
-
CVE-2026-40021
MEDIUM
CVSS 6.3
Apache Log4net versions before 3.3.0 fail to sanitize XML 1.0-forbidden characters in MDC property keys and values, as well as identity fields, causing serialization exceptions that silently drop log events when XmlLayout or XmlLayoutSchemaLog4J are in use. An attacker who can influence these fields can suppress individual audit log records, impairing detection of malicious activity. No public exploit code or active exploitation has been confirmed; patch is available from the vendor.
Apache
Information Disclosure
-
CVE-2026-39922
MEDIUM
CVSS 5.3
GeoNode 4.0 before 4.4.5 and 5.0 before 5.0.2 contains a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to probe internal networks, including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by submitting a crafted WMS service URL during form validation. The vulnerability exploits insufficient URL validation without private IP filtering or allowlist enforcement. No public exploit code has been identified at the time of analysis.
SSRF
Geonode
-
CVE-2026-39921
MEDIUM
CVSS 5.3
Server-side request forgery in GeoNode 4.0-4.4.4 and 5.0-5.0.1 allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by supplying a malicious URL via the doc_url parameter, enabling attacks against internal network resources, loopback addresses, RFC1918 networks, and cloud metadata services without SSRF mitigations. CVSS 5.3 reflects low confidentiality and integrity impact but requires prior authentication; no public exploit code or active exploitation has been identified.
SSRF
Geonode
-
CVE-2026-35670
MEDIUM
CVSS 6.0
OpenClaw before version 2026.3.22 allows authenticated attackers to redirect webhook-triggered chat replies to unintended users by exploiting username-based recipient binding instead of stable numeric identifiers. An attacker with valid credentials can manipulate username changes to rebind webhook replies intended for one user to a different user, compromising message confidentiality and integrity. No public exploit code or active CISA exploitation data is available, but the vulnerability is confirmed patched by the vendor.
Authentication Bypass
-
CVE-2026-35667
MEDIUM
CVSS 6.9
OpenClaw before version 2026.3.24 permits authenticated local attackers to trigger improper process termination via the !stop chat command, which uses an unpatched killProcessTree function that sends SIGKILL without graceful SIGTERM shutdown. This incomplete fix for CVE-2026-27486 enables attackers to corrupt data, leak resources, and skip security-sensitive cleanup operations, resulting in integrity compromise and denial of service.
Information Disclosure
-
CVE-2026-35665
MEDIUM
CVSS 6.9
OpenClaw before version 2026.3.24 allows unauthenticated remote denial of service via the Feishu webhook handler, which accepts request bodies up to 1MB with a 30-second timeout before verifying the request signature. An attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests, blocking legitimate webhook deliveries and degrading service availability. This is an incomplete remediation of the earlier CVE-2026-32011.
Information Disclosure
-
CVE-2026-35664
MEDIUM
CVSS 6.9
OpenClaw before version 2026.3.25 contains an authentication bypass vulnerability in the raw card send surface that allows unauthenticated remote attackers to send malformed card commands, bypassing DM pairing restrictions and reaching callback handlers without proper authorization. This enables unpaired recipients to mint legacy callback payloads, resulting in integrity compromise of the messaging protocol. No public exploit code or active exploitation has been confirmed, but the low attack complexity and network accessibility make this a practical vulnerability.
Authentication Bypass
-
CVE-2026-35662
MEDIUM
CVSS 5.3
OpenClaw before version 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing authenticated leaf subagents to bypass access control and message child sessions beyond their authorized scope. An authenticated attacker with subagent privileges can exploit this via the send action to communicate with restricted child sessions without proper validation, resulting in unauthorized inter-session message relay. No public exploit code has been identified, but the vulnerability has a moderate CVSS score of 4.3 reflecting the integrity impact and low attack complexity.
Authentication Bypass
-
CVE-2026-35661
MEDIUM
CVSS 6.9
OpenClaw before 2026.3.25 allows remote attackers to bypass Telegram direct message pairing requirements and mutate session state through weaker callback-only authorization mechanisms. An unauthenticated attacker can craft malicious Telegram callback queries in direct messages to modify session state without satisfying the normal DM pairing security controls, resulting in unauthorized state modification with CVSS 5.3 (medium severity).
Authentication Bypass
-
CVE-2026-35659
MEDIUM
CVSS 5.1
OpenClaw before version 2026.3.22 accepts unresolved Bonjour and DNS-SD service discovery metadata to influence CLI routing decisions, allowing attackers on adjacent networks to redirect traffic to attacker-controlled targets through malicious TXT records. The vulnerability requires user interaction and adjacent network access but can cause information disclosure and integrity compromise without authentication.
Information Disclosure
-
CVE-2026-35658
MEDIUM
CVSS 6.0
Filesystem boundary bypass in OpenClaw before 2026.3.2 allows authenticated attackers to read arbitrary files by traversing sandbox bridge mounts outside the configured workspace, circumventing the tools.fs.workspaceOnly restriction. The vulnerability affects the image tool specifically and results in unauthorized information disclosure accessible via network with low complexity.
Information Disclosure
-
CVE-2026-35656
MEDIUM
CVSS 6.3
OpenClaw before version 2026.3.22 contains an authentication bypass vulnerability in X-Forwarded-For header processing when trustedProxies is configured, allowing unauthenticated remote attackers to spoof loopback client addresses and bypass canvas authentication and rate-limiting protections. The vulnerability exploits improper validation of forwarding headers to masquerade as local loopback connections, with a CVSS score of 6.5 reflecting moderate confidentiality and integrity impact but no direct availability impact.
Authentication Bypass
-
CVE-2026-35655
MEDIUM
CVSS 6.9
OpenClaw before version 2026.3.22 allows authenticated remote attackers to spoof tool identities through rawInput parameters, bypassing ACP permission resolution and suppressing dangerous-tool prompting via identity hint conflicts between rawInput and metadata. This authentication bypass with high integrity impact affects all versions prior to the fixed release, enabling attackers to circumvent security restrictions intended to prevent execution of dangerous operations.
Authentication Bypass
-
CVE-2026-35654
MEDIUM
CVSS 6.9
OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass sender allowlist checks in Microsoft Teams feedback invoke endpoints, enabling unauthorized recording of session feedback. The vulnerability exploits improper authorization logic in feedback processing, granting attackers the ability to trigger feedback recording or reflection operations that should be restricted to authorized senders. No public exploit code has been identified at the time of analysis.
Authentication Bypass
Microsoft
-
CVE-2026-35652
MEDIUM
CVSS 6.9
OpenClaw before version 2026.3.22 suffers from an authorization bypass in its interactive callback dispatch mechanism that permits unauthenticated remote attackers to execute action handlers without sender allowlist validation. The vulnerability exploits a race condition or timing gap where callbacks are processed before security checks complete, enabling unauthorized state modification and availability impact. No public exploit code or active exploitation has been confirmed at time of analysis, but the low attack complexity and lack of authentication requirements make this a practical threat to exposed OpenClaw deployments.
Authentication Bypass
-
CVE-2026-35651
MEDIUM
CVSS 5.3
OpenClaw versions 2026.2.13 through 2026.3.24 allow unauthenticated remote attackers to inject ANSI escape sequences into approval prompts and permission logs via malicious tool metadata, enabling spoofing of terminal output and manipulation of displayed information. The vulnerability requires user interaction (display of the approval prompt) and results in integrity impact only, with a CVSS score of 4.3. A vendor patch is available.
Code Injection
-
CVE-2026-35649
MEDIUM
CVSS 6.3
OpenClaw before version 2026.3.22 allows unauthenticated remote attackers to bypass access control denials by exploiting improper handling of empty allowlists during settings reconciliation, silently restoring previously revoked permissions. The vulnerability treats explicitly empty allowlists as unset rather than as explicit deny-all configurations, enabling attackers to undo intended access revocations without authentication. With a CVSS score of 6.5 and network-accessible attack vector, this represents a moderate-severity logic flaw affecting access control enforcement.
Authentication Bypass
-
CVE-2026-35647
MEDIUM
CVSS 6.9
OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass direct message policy controls by sending verification notices to users outside configured allowed peer lists. The vulnerability stems from insufficient access validation checks applied to verification notice transmission, enabling attackers to contact users who have restricted direct messaging policies in place. CVSS score of 5.3 reflects moderate integrity impact with low attack complexity and no authentication requirements.
Authentication Bypass
-
CVE-2026-35620
MEDIUM
CVSS 5.3
OpenClaw before version 2026.3.24 fails to enforce authorization checks in the /send and /allowlist chat command handlers, allowing authenticated users with operator.write scope to bypass owner-only restrictions and modify session delivery policies and allowlist configurations. Attackers can persistently alter sendPolicy settings and add entries to allowlists without proper admin authorization, resulting in integrity and availability impacts within the affected session.
Authentication Bypass
-
CVE-2026-35619
MEDIUM
CVSS 5.3
OpenClaw before version 2026.3.24 allows authenticated operators with only operator.approvals scope to enumerate sensitive gateway model metadata via the HTTP /v1/models endpoint, bypassing stricter WebSocket RPC authorization controls. Attackers with limited operator privileges can access information that should be restricted to higher-privilege read scopes, resulting in unauthorized information disclosure.
Authentication Bypass
-
CVE-2026-35602
MEDIUM
CVSS 5.4
Vikunja's file import endpoint bypasses configured maximum file size limits by trusting an attacker-controlled Size field in import metadata rather than validating actual decompressed file content. Authenticated users can upload small compressed zip files (e.g., ~25KB) containing files up to 25MB or larger, exhausting server storage and causing denial of service across all users. The vulnerability affects Vikunja v2.2.2 and earlier versions; a vendor-released patch is available in v2.3.0.
Python
Denial Of Service
-
CVE-2026-35601
MEDIUM
CVSS 4.1
CalDAV output generator in Vikunja allows authenticated users to inject arbitrary iCalendar properties via CRLF characters in task titles, bypassing RFC 5545 TEXT value escaping requirements. An attacker with project write access can craft malicious task titles that break iCalendar property boundaries, enabling injection of fake ATTACH URLs, VALARM notifications, or ORGANIZER spoofing when other users sync via CalDAV. Patch available in version 2.3.0; requires user interaction (calendar sync) to trigger on other users' clients.
RCE
Python
-
CVE-2026-35600
MEDIUM
CVSS 5.4
Vikunja task title injection in overdue email notifications allows authenticated attackers to embed phishing links and tracking pixels in legitimate SMTP emails by breaking Markdown link syntax with special characters. The vulnerability affects task notification rendering across multiple notification types in Vikunja prior to v2.3.0, where task titles are concatenated directly into Markdown without escaping, survive goldmark rendering and bluemonday sanitization (which intentionally permits <a> and <img> tags), and reach email recipients as trusted-source links within official Vikunja notifications.
XSS
Python
-
CVE-2026-35599
MEDIUM
CVSS 6.5
Denial of service in Vikunja via algorithmic complexity attack in the addRepeatIntervalToTime function allows authenticated users to exhaust server CPU and database connections by creating repeating tasks with 1-second intervals and dates far in the past (e.g., 1900), triggering billions of loop iterations that hang requests for 60+ seconds and exhaust the default 100-connection pool. CVSS 6.5 with authenticated attack vector; confirmed patched in v2.3.0.
Python
Information Disclosure
-
CVE-2026-35598
MEDIUM
CVSS 4.3
Vikunja task authorization bypass in CalDAV allows authenticated users to read arbitrary task details from any project by knowing a task UID, bypassing REST API permission checks. The GetResource and GetResourcesByList CalDAV methods query tasks by UID without verifying the authenticated user has project access, enabling information disclosure of task titles, descriptions, due dates, and other metadata across organizational boundaries in multi-tenant deployments. Patch available in v2.3.0.
Python
Authentication Bypass
-
CVE-2026-35597
MEDIUM
CVSS 5.9
The Vikunja API allows brute-forcing of TOTP codes because of a database transaction rollback bug that prevents account lockout persistence. When TOTP validation fails, the login handler rolls back the database session containing the failed-attempt counter increment and account lock status, leaving the lockout mechanism non-functional while per-IP rate limiting can be bypassed via distributed attack. Unauthenticated remote attackers who possess a user's password can exhaust the 6-digit TOTP code space (only 1 million combinations) and gain unauthorized access. Patch is available as of Vikunja v2.3.0.
Python
Authentication Bypass
-
CVE-2026-35596
MEDIUM
CVSS 4.3
Vikunja API versions prior to 2.3.0 allow authenticated users to read any label metadata and creator information across projects via SQL operator precedence flaw in the hasAccessToLabel function. Any label attached to at least one task becomes readable to all authenticated users regardless of project access permissions, enabling cross-project information disclosure of label titles, descriptions, colors, and creator usernames. The vulnerability requires prior authentication (PR:L per CVSS vector) and carries low complexity attack surface with direct impact to confidentiality. No public exploit code beyond the proof-of-concept in the advisory has been identified, and vendor-released patch version 2.3.0 is available.
Python
Information Disclosure
Authentication Bypass
-
CVE-2026-35594
MEDIUM
CVSS 6.5
Vikunja prior to version 2.3.0 fails to validate link share permissions against server state during JWT authentication, allowing attackers with revoked or downgraded JWT tokens to maintain the original access level for up to 72 hours. This affects self-hosted task management deployments where link shares are used for collaboration, enabling unauthorized information disclosure and modification of shared projects even after a project owner explicitly revokes or restricts access.
Information Disclosure
Vikunja
-
CVE-2026-34481
MEDIUM
CVSS 6.3
Apache Log4j JsonTemplateLayout versions up to 2.25.3 generate invalid JSON when logging non-finite floating-point values (NaN, Infinity, -Infinity), violating RFC 8259 and causing downstream log processing systems to fail indexing or reject records. An unauthenticated remote attacker can trigger this by controlling floating-point values in MapMessages logged by vulnerable applications, resulting in data loss or processing failures in log aggregation pipelines. Vendor-released patch: version 2.25.4.
Apache
Information Disclosure
-
CVE-2026-34480
MEDIUM
CVSS 6.9
Apache Log4j Core's XmlLayout in versions up to 2.25.3 fails to sanitize XML-forbidden characters, producing malformed XML output when log messages or MDC values contain such characters. The impact varies by StAX implementation: JRE's built-in StAX silently writes invalid XML that conforming parsers reject, potentially causing downstream log-processing systems to drop records; alternative StAX implementations like Woodstox throw exceptions during logging calls, preventing event delivery to the intended appender. No public exploit code or active exploitation has been identified; this is a data integrity and log availability issue rather than a confidentiality or authentication bypass. Patch version 2.25.4 is available from Apache.
Apache
Information Disclosure
-
CVE-2026-34479
MEDIUM
CVSS 6.9
Log4j1XmlLayout in the Apache Log4j 1-to-Log4j 2 bridge fails to escape XML 1.0-forbidden characters, causing malformed XML output that conforming XML parsers reject with fatal errors. This impacts downstream log processing systems that may drop or fail to index affected log records, affecting organizations using either Log4j1XmlLayout directly in Log4j Core 2 configurations or the deprecated Log4j 1 compatibility layer with XMLLayout. While no active exploitation has been confirmed, the vulnerability has a notable EPSS score and affects log integrity. Vendor-released patch version 2.25.4 is available.
Apache
Information Disclosure
-
CVE-2026-34478
MEDIUM
CVSS 6.9
Apache Log4j Core 2.21.0 through 2.25.3 allows remote log injection via CRLF sequences in Rfc5424Layout due to undocumented renaming of security-relevant configuration attributes (newLineEscape and useTlsMessageFormat). Attackers can inject malicious log entries or downgrade TLS-framed syslog to unframed TCP, compromising log integrity for stream-based syslog services. SyslogAppender users are not affected. CVSS 6.9 indicates medium-to-high severity; EPSS and exploitation signals not available at time of analysis.
Apache
Code Injection
-
CVE-2026-34477
MEDIUM
CVSS 6.3
Man-in-the-middle attacks are possible in Apache Log4j Core through 2.25.3 when SMTP, Socket, or Syslog appenders use TLS with the verifyHostName attribute configured in the <Ssl> element, because the attribute was silently ignored despite being available since version 2.12.0. This is a regression from an incomplete fix to CVE-2025-68161 that only addressed hostname verification via system property. An attacker with a certificate from a trusted CA can intercept TLS connections. Apache has released patched version 2.25.4 to correct this issue.
Apache
Java
Information Disclosure
Apache Log4J Core
-
CVE-2026-33737
MEDIUM
CVSS 5.3
Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allow authenticated attackers to read arbitrary server files through XML External Entity (XXE) injection via improper use of simplexml_load_string() with the LIBXML_NOENT flag enabled across multiple application files. The vulnerability requires low-privilege authentication and medium attack complexity but grants high confidentiality impact with no integrity or availability impact; no public exploit code or active exploitation has been identified at the time of analysis.
XXE
-
CVE-2026-33736
MEDIUM
CVSS 6.5
Chamilo LMS versions prior to 2.0.0-RC.3 allow authenticated students and lower-privileged users to enumerate all platform users and extract sensitive personal information (email addresses, phone numbers, role assignments) through an unauthenticated API endpoint (GET /api/users), enabling reconnaissance of administrator accounts and organizational structure. The vulnerability affects any installation with user accounts below administrative level and is fixed in version 2.0.0-RC.3.
Authentication Bypass
-
CVE-2026-33708
MEDIUM
CVSS 6.5
Chamilo LMS REST API endpoint get_user_info_from_username fails to authorize requests, exposing personal information (email, names, user ID, active status) to any authenticated user regardless of role prior to version 1.11.38. An attacker with valid login credentials, including a student account, can enumerate and retrieve sensitive user data for any account in the system.
Authentication Bypass
-
CVE-2026-33705
MEDIUM
CVSS 5.3
Chamilo LMS versions prior to 1.11.38 expose Twig template files (.tpl) in the /main/template/default/ directory to unauthenticated HTTP GET requests, allowing remote attackers to disclose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure without authentication. This information disclosure vulnerability has a CVSS score of 5.3 with confirmed patch availability in version 1.11.38.
Information Disclosure
-
CVE-2026-33457
MEDIUM
CVSS 5.3
Livestatus command injection in Checkmk prediction graph page allows authenticated users to execute arbitrary Livestatus commands by injecting malicious service name parameters due to insufficient input sanitization. Affected versions include Checkmk 2.3.0 before p47, 2.4.0 before p26, and 2.5.0 before b4. The vulnerability requires valid authentication credentials to exploit and results in limited confidentiality, integrity, and availability impact within the Livestatus subsystem.
Code Injection
Checkmk
-
CVE-2026-33456
MEDIUM
CVSS 5.1
Livestatus injection in Checkmk's notification test mode allows authenticated users with high privileges to inject arbitrary Livestatus commands via crafted service descriptions in versions prior to 2.5.0b4 and 2.4.0p26. The vulnerability has a CVSS score of 5.1 with limited confidentiality and integrity impact, requiring high-privilege authentication. No public exploit code or active exploitation has been confirmed at time of analysis.
Code Injection
Checkmk
-
CVE-2026-33455
MEDIUM
CVSS 5.3
Livestatus injection in Checkmk's monitoring quicksearch function allows authenticated attackers to inject arbitrary livestatus commands through insufficiently sanitized search query parameters in versions prior to 2.5.0b4. The vulnerability requires valid authentication credentials and enables low-impact information disclosure and limited integrity/availability changes within the monitoring system. No public exploit code or active exploitation has been reported at time of analysis.
Code Injection
Checkmk
-
CVE-2026-33141
MEDIUM
CVSS 6.5
Insecure Direct Object Reference in the Chamilo LMS REST API stats endpoint allows authenticated low-privilege users to gain unauthorized read access to any user's learning progress, certificates, and gradebook scores across all courses prior to version 2.0.0-RC.3. The vulnerability requires only valid user credentials (accessible to students with ROLE_USER) and network access, enabling horizontal privilege escalation without administrative intervention or system compromise. No public exploit code or active exploitation has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-33119
MEDIUM
CVSS 5.4
Microsoft Edge (Chromium-based) on Android contains a user interface misrepresentation vulnerability that allows unauthenticated remote attackers to conduct spoofing attacks over a network. The vulnerability exploits UI rendering to misrepresent critical information to end users, enabling attackers to deceive users into taking unintended actions. While the CVSS score is moderate (5.4), the attack requires user interaction and only impacts confidentiality and integrity; a vendor-released patch is available.
Authentication Bypass
Google
Microsoft
Microsoft Edge For Android
-
CVE-2026-33118
MEDIUM
CVSS 4.3
Microsoft Edge (Chromium-based) allows remote attackers to spoof visual elements through a low-complexity network-based attack requiring user interaction, potentially disclosing limited information to unauthenticated users. The vulnerability affects all versions of Microsoft Edge based on Chromium and carries a CVSS score of 4.3 with low confidentiality impact but no code execution or availability risk. A vendor-released patch is available.
Information Disclosure
Google
Microsoft
Microsoft Edge Chromium Based
-
CVE-2026-32932
MEDIUM
CVSS 4.7
Open Redirect in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows unauthenticated remote attackers to redirect authenticated administrators to arbitrary external URLs via a malicious redirect parameter on the session course edit page, while simultaneously leaking the id_session parameter to attacker-controlled servers. The vulnerability requires user interaction (UI:R) but affects confidentiality through session parameter disclosure and crosses trust boundaries (S:C), resulting in CVSS 4.7 with low real-world risk due to authentication and user-interaction requirements.
Open Redirect
-
CVE-2026-32893
MEDIUM
CVSS 5.4
Reflected XSS in Chamilo LMS exercise admin panel allows authenticated teachers to be tricked into executing arbitrary JavaScript via malicious paginated URLs, affecting versions prior to 2.0.0-RC.3. An attacker can craft a weaponized link containing unencoded query parameters that bypass the pagination mechanism's improper output encoding, potentially leading to session hijacking, credential theft, or unauthorized administrative actions within the learning management system. No public exploit code or active exploitation has been identified at time of analysis.
XSS
Chamilo Lms
-
CVE-2026-29043
MEDIUM
CVSS 5.5
Heap buffer overflow in HDF5 library versions 1.14.1-2 and earlier allows local attackers to trigger a write-based overflow in the H5T__ref_mem_setnull method by crafting malicious HDF5 files, leading to denial-of-service and potential remote code execution depending on heap exploitation complexity. Attack requires local file access and user interaction to parse a malicious file. No public exploit code identified at time of analysis.
RCE
Buffer Overflow
Heap Overflow
Hdf5
-
CVE-2026-27460
MEDIUM
CVSS 6.5
Tandoor Recipes versions prior to 2.6.5 suffer from a denial-of-service vulnerability in the recipe import functionality that allows authenticated users to crash the application server or severely degrade performance by uploading a specially crafted ZIP bomb file. The vulnerability affects recipe management and meal planning features accessible to authenticated users and has been patched in version 2.6.5.
Denial Of Service
-
CVE-2026-6068
MEDIUM
CVSS 6.5
NASM up to version 3.02rc5 contains a heap use-after-free vulnerability in response file (-@) processing that allows remote attackers without authentication to cause data corruption or denial of service. The vulnerability arises from a dangling pointer stored in the global depend_file variable that is dereferenced after the response-file buffer has been freed. A proof-of-concept exploit exists, and CISA's SSVC framework rates this as automatable with partial technical impact, indicating moderate real-world risk despite the relatively modest CVSS score of 6.5.
Denial Of Service
Nasm
-
CVE-2026-6042
MEDIUM
CVSS 4.8
Inefficient algorithmic complexity in musl libc's GB18030 4-byte decoder (iconv function in src/locale/iconv.c) affects versions up to 1.2.6 and allows local authenticated attackers to cause availability impact through resource exhaustion. The vulnerability requires local access and authenticated privileges but enables denial of service via algorithmic complexity exploitation. No public exploit code or active exploitation has been confirmed at time of analysis.
Information Disclosure
-
CVE-2026-6038
MEDIUM
CVSS 6.9
SQL injection in code-projects Vehicle Showroom Management System 1.0 via the BRANCH_ID parameter in /util/RegisterCustomerFunction.php allows unauthenticated remote attackers to manipulate database queries with low complexity, affecting data confidentiality and integrity. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS 6.9 score.
SQLi
PHP
Vehicle Showroom Management System
-
CVE-2026-6035
MEDIUM
CVSS 5.3
Reflected cross-site scripting (XSS) in code-projects Vehicle Showroom Management System 1.0 allows remote attackers to inject malicious scripts via the BRANCH_ID parameter in /BranchManagement/ServiceAndSalesReport.php. The vulnerability requires user interaction (UI:P) but no authentication, with publicly available exploit code disclosed. CVSS 5.3 reflects moderate severity, with the impact limited to the confidentiality of user sessions rather than data modification.
XSS
PHP
Vehicle Showroom Management System
-
CVE-2026-6034
MEDIUM
CVSS 5.3
Reflected cross-site scripting (XSS) in code-projects Vehicle Showroom Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts via the BRANCH_ID parameter in /BranchManagement/ProfitAndLossReport.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, and while the CVSS score of 5.3 is moderate, the low integrity impact combined with user interaction requirement limits practical risk, though XSS vulnerabilities remain routinely exploitable in real-world scenarios.
XSS
PHP
Vehicle Showroom Management System
-
CVE-2026-6033
MEDIUM
CVSS 5.3
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fname parameter in /updatedetailsfromstudent.php to execute arbitrary SQL queries, achieving limited confidentiality and integrity impact. The vulnerability has publicly available exploit code and a CVSS score of 5.3, representing a moderate risk requiring authentication to exploit.
SQLi
PHP
Online Classroom
-
CVE-2026-6032
MEDIUM
CVSS 5.3
Reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject arbitrary JavaScript via the serviceId parameter in /checkcheckout.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, and the low CVSS score of 4.3 reflects the need for user click-through and limited scope (integrity impact only), though the attack vector is network-accessible and requires no special privileges or authentication.
XSS
PHP
-
CVE-2026-6031
MEDIUM
CVSS 6.9
SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the Category parameter in /add-category-function.php. Attackers can read, modify, or delete database contents without authentication. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack vector with low complexity and no user interaction required. Impacts confidentiality, integrity, and availability at low levels.
SQLi
PHP
-
CVE-2026-6030
MEDIUM
CVSS 5.3
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the toolname parameter in /del1.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists, and the vulnerability has been assigned CVSS 6.3 with confirmed exploitability indicators (E:P rating).
SQLi
PHP
-
CVE-2026-6024
MEDIUM
CVSS 6.9
Path traversal in Tenda i6 router firmware 1.0.0.7(2204) allows unauthenticated remote attackers to read, write, or delete arbitrary files via malicious HTTP requests to the R7WebsSecurityHandler function component. CVSS 7.3 (High) reflects network-accessible exploitation without authentication. Publicly available exploit code exists, documented in a GitHub repository demonstrating attack vectors. Affects Tenda i6 wireless router deployments running the vulnerable firmware version.
Path Traversal
Tenda
-
CVE-2026-6011
MEDIUM
CVSS 6.3
Server-side request forgery (SSRF) in OpenClaw's assertPublicHostname handler (src/agents/tools/web-fetch.ts) allows remote attackers to craft requests that bypass hostname validation and reach internal or restricted systems. Affected versions up to 2026.1.26 are vulnerable; the attack requires high complexity but publicly available exploit code exists. Vendor-released patch version 2026.1.29 (commit b623557a2ec7e271bda003eb3ac33fbb2e218505) resolves the issue.
Node.js
SSRF
Openclaw
-
CVE-2026-6010
MEDIUM
CVSS 5.3
SQL injection in CodeAstro Online Classroom allows authenticated remote attackers to execute arbitrary SQL queries via the Q1 parameter in /OnlineClassroom/takeassessment2.php, enabling data exfiltration and modification with CVSS 6.3 severity; publicly available exploit code exists and the vulnerability affects all versions of the product.
SQLi
Online Classroom
-
CVE-2026-6007
MEDIUM
CVSS 5.3
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the equipname parameter in /del.php, enabling data exfiltration, modification, and potential denial of service. Publicly available exploit code exists, and the vulnerability carries a CVSS score of 6.3 with confirmed exploitation potential (E:P rating).
SQLi
Construction Management System
-
CVE-2026-6006
MEDIUM
CVSS 5.3
SQL injection in code-projects Patient Record Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /edit_hpatient.php, leading to unauthorized data access, modification, and potential denial of service. Publicly available exploit code exists (CVSS 6.3, attack vector network, low complexity, requires valid credentials). This is not confirmed as actively exploited by CISA but poses immediate risk given public POC availability and low exploitation complexity.
SQLi
Patient Record Management System
-
CVE-2026-6005
MEDIUM
CVSS 5.3
SQL injection in code-projects Patient Record Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the hem_id parameter in /hematology_print.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has a CVSS score of 6.3 (medium) with publicly available exploit code, though no CISA KEV confirmation indicates active widespread exploitation at time of analysis.
SQLi
Patient Record Management System
-
CVE-2026-6004
MEDIUM
CVSS 6.9
SQL injection in Simple IT Discussion Forum 1.0 by code-projects allows unauthenticated remote attackers to execute arbitrary SQL commands via the cat_id parameter in /delete-category.php, enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack surface with low complexity and no authentication requirement, permitting compromise of confidentiality, integrity, and availability.
SQLi
PHP
RCE
Simple It Discussion Forum
-
CVE-2026-6003
MEDIUM
CVSS 4.8
Stored cross-site scripting (XSS) in code-projects Simple IT Discussion Forum 1.0 allows authenticated remote attackers with administrative privileges to inject malicious scripts via the fname parameter in /admin/user.php, affecting user interactions through reflected XSS. The vulnerability has a CVSS score of 2.4 and a public exploit; the low score reflects the requirement for high-privilege authentication and user interaction to trigger the payload.
XSS
Simple It Discussion Forum
-
CVE-2026-5999
MEDIUM
CVSS 5.3
Improper authorization in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to bypass access controls in the SysAnnouncementController component, potentially leading to unauthorized data modification and disclosure. The vulnerability has a CVSS score of 6.3 (medium severity) and carries an EPSS severity rating reflecting real-world exploitability; publicly available exploit code exists and the vendor has confirmed the issue with a patch expected in an upcoming release.
Authentication Bypass
Privilege Escalation
Jeecgboot
-
CVE-2026-5998
MEDIUM
CVSS 5.5
Path traversal in zhayujie chatgpt-on-wechat CowAgent up to version 2.0.4 allows unauthenticated remote attackers to read arbitrary files via the filename parameter in the API Memory Content Endpoint (agent/memory/service.py). The vulnerability has a publicly available exploit, carries a moderate CVSS score of 5.3 reflecting limited confidentiality impact, and has been patched by the vendor in version 2.0.5 with patch commit 174ee0cafc9e8e9d97a23c305418251485b8aa89.
Python
Path Traversal
Information Disclosure
Chatgpt On Wechat Cowagent
-
CVE-2026-5774
MEDIUM
CVSS 6.0
Improper synchronization of the userTokens map in Canonical Juju API server (versions 4.0.5, 3.6.20, and 2.9.56) enables authenticated users to trigger denial of service or reuse single-use discharge tokens due to a race condition. The vulnerability requires low-privilege authentication and partial attacker timing control but allows complete availability impact to the server. EPSS score of 6.1 reflects moderate real-world exploitation risk, though no public exploit code or active exploitation has been confirmed.
Race Condition
Canonical
Denial Of Service
-
CVE-2026-5724
MEDIUM
CVSS 6.3
Temporal's frontend gRPC server fails to enforce authentication and authorization on the StreamWorkflowReplicationMessages endpoint, allowing unauthenticated network attackers to establish replication streams and potentially exfiltrate workflow data when replication targets are configured. The vulnerability affects Temporal versions prior to 1.28.4, 1.29.6, and 1.30.4; Temporal Cloud deployments are unaffected. While exploitation requires knowledge of cluster configuration and correctly configured replication targets, the authentication bypass on a network-accessible service combined with a moderate CVSS score (6.3) reflects the practical risk of unauthorized data access in multi-tenant or sensitive workflow environments.
Authentication Bypass
-
CVE-2026-5525
MEDIUM
CVSS 6.0
Stack-based buffer overflow in Notepad++ 8.9.3 file drop handler allows local authenticated users to cause application crash and potentially execute code by dragging and dropping a directory path of exactly 259 characters without a trailing backslash, triggering unbounded buffer write via automatic backslash and null terminator appending. CVSS 6.0 (High) reflects local attack vector and high complexity; no public exploit code or active KEV status identified, but upstream fix is confirmed available.
Buffer Overflow
Stack Overflow
-
CVE-2026-5460
MEDIUM
CVSS 6.3
Heap use-after-free in wolfSSL's TLS 1.3 post-quantum cryptography hybrid KeyShare processing allows unauthenticated remote attackers to corrupt heap memory and potentially disclose information. The vulnerability occurs when TLSX_KeyShare_ProcessPqcHybridClient() error handling prematurely frees a KyberKey object in src/tls.c, and the caller's subsequent TLSX_KeyShare_FreeAll() invocation writes zero bytes to already-freed memory. CVSS 6.3 reflects low integrity and availability impact; exploitation requires precise network timing (AT:P). No public exploit identified at time of analysis, but the underlying use-after-free pattern is a known attack vector in memory-unsafe code.
Use After Free
Memory Corruption
-
CVE-2026-4977
MEDIUM
CVSS 4.3
Improper access control in UsersWP plugin for WordPress versions up to 1.2.58 allows authenticated subscribers and above to manipulate restricted user metadata fields via the upload_file_remove() AJAX handler, bypassing field-level permissions intended to restrict modifications to administrator-only fields. The vulnerability stems from insufficient validation of the $htmlvar parameter against allowed fields or admin-use restrictions, enabling attackers to clear or reset sensitive usermeta columns on their own user records.
WordPress
PHP
Privilege Escalation
Userswp Front End Login Form User Registration User Profile Members Directory Plugin For Wp
-
CVE-2026-4664
MEDIUM
CVSS 5.3
Unauthenticated attackers can bypass authentication in Customer Reviews for WooCommerce plugin versions up to 5.103.0 by submitting an empty string as the review permission key, allowing them to create, modify, and inject malicious product reviews via the REST API without any legitimate order association. The vulnerability exploits improper key validation using strict equality comparison without checking for empty values, combined with auto-approval of reviews by default, enabling widespread review injection across all products on affected WooCommerce installations.
WordPress
PHP
Authentication Bypass
Customer Reviews For Woocommerce
-
CVE-2026-4482
MEDIUM
CVSS 6.8
Improperly restricted file permissions on Rapid7 Insight Agent installer certificate files on Windows systems allow locally authenticated standard users to read the agent's private key (client.key), enabling identity material disclosure and potential lateral movement or agent impersonation. CVSS 6.8 (CVSS:4.0 LOCAL/LOW complexity, PR:L) reflects local authentication requirement; CISA KEV status not confirmed. Rapid7 released patched version 4.1.0.2 addressing this permission misconfiguration.
Information Disclosure
Microsoft
Insight Agent
-
CVE-2026-4432
MEDIUM
CVSS 6.5
Unauthenticated attackers can rename arbitrary wishlists on WordPress sites running YITH WooCommerce Wishlist before version 4.13.0 due to insufficient ownership validation in the save_title() AJAX handler. The vulnerability exploits a publicly exposed nonce in the wishlist page source, allowing attackers to modify wishlist names for any user without authentication. While the CVSS score of 6.5 reflects moderate integrity and confidentiality impact, the EPSS score of 0.02% (percentile 6%) and low real-world exploitation probability suggest this is a niche risk affecting only sites using this specific plugin, though publicly available exploit code exists.
Information Disclosure
WordPress
Yith Woocommerce Wishlist
-
CVE-2026-4305
MEDIUM
CVSS 6.1
Reflected Cross-Site Scripting (XSS) in Royal WordPress Backup & Restore Plugin up to version 1.0.16 allows unauthenticated attackers to inject arbitrary JavaScript via the 'wpr_pending_template' parameter. An attacker can craft a malicious link and trick a WordPress administrator into clicking it, causing the injected script to execute in the admin's browser with their privileges. This affects all installations running the vulnerable plugin versions, and no active exploitation has been confirmed, though the low attack complexity and lack of authentication requirements make this a practical threat.
WordPress
PHP
XSS
Royal Wordpress Backup Restore Migration Plugin Backup Wordpress Sites Safely
-
CVE-2026-4057
MEDIUM
CVSS 4.3
Authenticated attackers with Contributor-level or higher access to WordPress sites using the Download Manager plugin (versions up to 3.3.51) can strip protection metadata from any media file, including those they do not own, by exploiting a missing capability check in the makeMediaPublic() and makeMediaPrivate() functions. This allows unauthorized modification of access restrictions, passwords, and private flags on media files, exposing admin-protected content via direct URLs. The vulnerability is non-critical (CVSS 4.3) but represents a privilege escalation and data integrity issue requiring authenticated access.
WordPress
PHP
Privilege Escalation
Information Disclosure
Download Manager
-
CVE-2026-3446
MEDIUM
CVSS 6.0
CPython's base64.b64decode() function prematurely stops processing after encountering the first padded quad, allowing malformed base64 data to be accepted that may be interpreted differently by other implementations. This affects CPython 3.13.x before 3.13.13, 3.14.x before 3.14.4, and 3.15.0a1 before 3.15.0a8; authenticated remote attackers could, with high attack complexity, potentially induce information disclosure (CVSS 6.0, EPSS risk level moderate). Upstream fixes are available in tagged commits; users should upgrade to patched versions or pass validate=True for stricter base64 validation.
Information Disclosure
Cpython
-
CVE-2026-2712
MEDIUM
CVSS 5.4
WP-Optimize plugin for WordPress allows authenticated subscribers and higher to execute admin-only operations including log file access, backup image deletion, and bulk image processing due to missing capability checks in the Heartbeat handler function. The vulnerability affects all versions up to 4.5.0 and requires user authentication but no elevated privileges, enabling privilege escalation from subscriber-level accounts to perform administrative image optimization tasks that should be restricted to site administrators.
WordPress
PHP
Privilege Escalation
Wp Optimize Cache Compress Images Minify Clean Database To Boost Page Speed Performance
-
CVE-2026-2305
MEDIUM
CVSS 6.4
Stored cross-site scripting (XSS) in AddFunc Head & Footer Code plugin for WordPress versions up to 2.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via custom post meta fields that execute when administrators preview or view posts. The vulnerability exists because the plugin outputs user-supplied code from `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` meta values without sanitization or escaping, and fails to restrict meta key access via WordPress `register_meta()` authentication callbacks despite restricting its own admin interface. No public exploit code or active exploitation has been confirmed at time of analysis.
WordPress
PHP
XSS
Addfunc Head Footer Code
-
CVE-2026-1924
MEDIUM
CVSS 4.3
Cross-site request forgery in Aruba HiSpeed Cache WordPress plugin up to version 3.0.4 allows unauthenticated attackers to reset all plugin settings to defaults by tricking site administrators into clicking a malicious link, due to missing nonce verification on the ahsc_ajax_reset_options() function. The CVSS score of 4.3 reflects the low-impact integrity violation requiring user interaction, with no known public exploit code or confirmed active exploitation.
WordPress
PHP
CSRF
Aruba Hispeed Cache
-
CVE-2026-1502
MEDIUM
CVSS 5.7
Python's HTTP client fails to reject carriage return and line feed (CR/LF) bytes in proxy tunnel headers and host parameters, enabling HTTP response splitting and header injection attacks. Authenticated attackers with high privileges can craft malicious proxy configurations to inject arbitrary HTTP headers or split responses, potentially leading to cache poisoning, session hijacking, or information disclosure. No public exploit code or active exploitation has been identified.
Information Disclosure
-
CVE-2026-1263
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting (XSS) in the Webling WordPress plugin versions up to 3.9.0 allows authenticated attackers with Subscriber-level access to inject malicious scripts into forms and memberlists that execute when administrators view the admin interface. The vulnerability stems from insufficient input sanitization and output escaping in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions, combined with missing capability checks. No public exploit code or active exploitation has been reported at time of analysis.
WordPress
PHP
XSS
Webling
-
CVE-2025-14545
MEDIUM
CVSS 6.5
Remote code execution in YML for Yandex Market WordPress plugin versions before 5.0.26 allows unauthenticated remote attackers to execute arbitrary code through the feed generation process. The vulnerability has a CVSS score of 6.5 and publicly available exploit code exists. Exploitation requires only network access with no user interaction, making it relatively straightforward to weaponize despite the low EPSS score (0.09%), suggesting limited real-world exploitation activity at the time of analysis.
RCE
WordPress
Yml For Yandex Market
-
CVE-2026-40228
LOW
CVSS 2.9
systemd-journald in systemd 259 allows local attackers to send ANSI escape sequences to terminals of arbitrary users via the logger utility when ForwardToWall=yes is enabled, enabling terminal manipulation and information disclosure attacks with low CVSS impact but realistic local access requirements.
Information Disclosure
Systemd
-
CVE-2026-40199
None
Net::CIDR::Lite versions before 0.23 for Perl mishandle IPv4-mapped IPv6 addresses, which may allow IP ACL bypass.
_pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value inst...
Authentication Bypass
-
CVE-2026-40198
None
Net::CIDR::Lite versions before 0.23 for Perl do not validate the IPv6 group count, which may allow IP ACL bypass.
_pack_ipv6() does not check that uncompressed IPv6 addresses (without ::) have exactly 8 hex groups. Inputs like "abcd", "1:2:3", or "1:2:3:4:5:6:7" are accepted and produce packed value...
Authentication Bypass
-
CVE-2026-40194
LOW
CVSS 3.7
phpseclib's SSH2 packet authentication uses PHP's non-constant-time != operator to compare HMACs, enabling timing-based information disclosure attacks on SSH sessions. The vulnerability affects phpseclib versions prior to 1.0.28, 2.0.53, and 3.0.51. An unauthenticated remote attacker can exploit variable-time comparison behavior to infer valid HMAC values through precise timing measurements, potentially compromising the confidentiality of SSH communications. No public exploit code or active exploitation has been confirmed, but this is a cryptographic timing vulnerability with proven scalability via benchmarking.
PHP
Information Disclosure
Phpseclib
-
CVE-2026-40184
LOW
CVSS 3.7
TREK collaborative travel planner versions before 2.7.2 serve uploaded user photos without authentication, allowing unauthenticated remote attackers to enumerate and access private photo collections through direct URL access. The vulnerability is restricted to information disclosure with low impact due to attack complexity constraints, though it exposes sensitive travel-related imagery that users expect to be private.
Authentication Bypass
Trek
-
CVE-2026-40097
LOW
CVSS 3.7
Step CA versions 0.24.0 through 0.30.0-rc2 suffer a denial-of-service vulnerability where an attacker can trigger an index out-of-bounds panic by sending a crafted TPM attestation key certificate with an empty Extended Key Usage extension during device-attest-01 ACME challenges. The vulnerability affects only deployments that have explicitly configured TPM device attestation; organizations using Step CA for standard certificate management are unaffected. While the CVSS score is low (3.7), the attack is unauthenticated and remotely triggerable, potentially causing service disruption in vulnerable configurations.
Buffer Overflow
Certificates
-
CVE-2026-36236
None
SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter.
PHP
SQLi
N A
-
CVE-2026-36235
None
A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or validation.
SQLi
PHP
N A
-
CVE-2026-36234
None
itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' parameter.
SQLi
PHP
N A
-
CVE-2026-36233
None
A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers can inject malicious code via the parameter "subjcode" and use it directly in SQL queries without the need for appropria...
PHP
SQLi
N A
-
CVE-2026-36232
None
A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'classId' parameter from $_GET['classId'] is directly concatenated into the SQL query without any sanitization or validation.
PHP
SQLi
N A
-
CVE-2026-35648
LOW
CVSS 2.3
OpenClaw before version 2026.3.22 allows policy bypass through unvalidated queued node actions, enabling attackers to execute unauthorized commands by exploiting stale allowlists or policy declarations that persist after policy changes. The vulnerability requires network access and high attack complexity but no authentication, resulting in integrity impact without exposing confidentiality or availability. No public exploit code or active exploitation has been confirmed.
Authentication Bypass
-
CVE-2026-33551
LOW
CVSS 3.5
OpenStack Keystone 14 through 29.x allows authenticated users with restricted application credentials to create EC2 credentials that inherit the parent user's full S3 permissions, bypassing role restrictions. This privilege escalation affects only deployments combining restricted application credentials with the EC2/S3 compatibility API (swift3/s3api), and requires valid authentication credentials and moderate attack complexity to exploit.
Authentication Bypass
-
CVE-2026-31412
None
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
The `check_command_size_in_blocks()` function calculates the data size
in bytes by left shifting `common->data_size_from_cmnd` by the bl...
Linux
Linux Kernel
Integer Overflow
-
CVE-2026-31262
None
Cross-site scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter.
XSS
Information Disclosure
N A
-
CVE-2026-29861
None
PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.
SQLi
PHP
N A
-
CVE-2026-23782
None
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unau...
Authentication Bypass
Information Disclosure
N A
-
CVE-2026-23781
None
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.
Hardcoded Credentials
N A
-
CVE-2026-23780
None
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitra...
SQLi
RCE
N A
-
CVE-2026-22560
None
An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint.
Rocket.Chat
Open Redirect
Rocket Chat
-
CVE-2026-6000
LOW
CVSS 2.1
Information disclosure in code-projects Online Library Management System 1.0 allows unauthenticated remote attackers to access sensitive data from SQL database backup files via the /sql/library.sql component, requiring user interaction (clicking a link or similar action). The vulnerability has a publicly available exploit and carries a CVSS score of 4.3 with an exploit proof-of-concept (E:P) rating, making it a low-to-moderate priority issue with confirmed public discoverability but limited real-world attack surface due to interaction requirements.
Information Disclosure
Online Library Management System
-
CVE-2026-5188
LOW
CVSS 2.3
Integer underflow in wolfSSL's ASN.1 certificate parser allows remote attackers to trigger information disclosure and potential memory access violations when processing malformed X.509 certificates with oversized Subject Alternative Name extensions. The vulnerability affects wolfSSL versions up to 5.9.0 but only impacts systems using the non-default original ASN.1 parsing implementation; no public exploit code or active exploitation has been identified at time of analysis.
Information Disclosure
Integer Overflow
Wolfssl
-
CVE-2025-66447
None
Open redirect vulnerability in Chamilo LMS login endpoint allows unauthenticated remote attackers to redirect users to arbitrary external websites via the redirect parameter, affecting versions 1.11.0 through 2.0-beta.1. The vulnerability was patched in 2.0-beta.2 and subsequent releases. No public exploit code or active exploitation has been confirmed, but the attack requires no authentication or special complexity and could be weaponized for phishing campaigns.
Open Redirect
Chamilo Lms
-
CVE-2025-44560
None
owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.
Buffer Overflow
Denial Of Service
N A