Skip to main content
CVE-2026-5483 CRITICAL PATCH Act Now

Kubernetes Service Account token disclosure in the odh-dashboard component of Red Hat OpenShift AI (RHOAI) lets an authenticated low-privileged user retrieve SA tokens via an exposed NodeJS endpoint, then reuse them to reach Kubernetes resources beyond the dashboard's intended scope. Rated CVSS 9.9 with a changed scope, the flaw effectively converts limited dashboard access into broad cluster access. There is no public exploit identified at time of analysis and EPSS is very low (0.06%), but a vendor patch is already available via Red Hat errata.

Kubernetes Red Hat Authentication Bypass Red Hat Openshift Ai 2 16 Red Hat Openshift Ai Rhoai
NVD VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-5412 CRITICAL PATCH GHSA Act Now

Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentials via CloudSpec API. Affects Juju 2.9.0-2.9.56 and 3.6.0-3.6.20. Low-privileged authenticated attackers can escalate privileges by accessing sensitive cloud provider credentials, enabling lateral movement to infrastructure resources. Network-accessible with low complexity (CVSS 9.9 Critical). No public exploit identified at time of analysis. Patch available in versions 2.9.57 and 3.6.21.

Authentication Bypass Juju
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-6057 CRITICAL Act Now

Unauthenticated path traversal in FalkorDB Browser 1.9.3 file upload API enables remote attackers to write arbitrary files to the server filesystem and execute code without authentication. Attack vector is network-accessible with low complexity, requiring no user interaction. CVSS 9.8 critical severity reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.09%, 25th percentile).

RCE Path Traversal File Upload Falkordb Browser
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-40190 CRITICAL PATCH GHSA Act Now

Prototype pollution in the LangSmith JavaScript/TypeScript SDK (npm 'langsmith', versions <= 0.5.17) lets an attacker who controls object keys passed to the createAnonymizer() API pollute Object.prototype for the entire Node.js process. The internally vendored lodash set() utility guards only the __proto__ key and misses the constructor.prototype traversal path, so a crafted key like 'constructor.prototype.polluted' bypasses the fix. Publicly available exploit code exists (SSVC 'poc' plus regression tests in the fix PR), but EPSS is only 0.04% with no evidence of active exploitation; notably the vendor GHSA rates this Medium (~CVSS 5.6), conflicting sharply with the NVD 9.8.

Information Disclosure Node.js Prototype Pollution Langsmith Sdk
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-23781 CRITICAL Act Now

Hardcoded debug credentials in BMC Control-M/MFT 9.0.20-9.0.22 enable unauthenticated remote attackers to access the MFT API debug interface with full system privileges. The vulnerability (CWE-798) stems from cleartext default credentials embedded in the application package, providing complete confidentiality, integrity, and availability compromise (CVSS 9.8). No public exploit identified at time of analysis, with EPSS score of 0.02% indicating low observed exploitation activity despite critical severity rating.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-44560 CRITICAL Act Now

Buffer overflow in owntone-server commit 2ca10d9 allows unauthenticated remote attackers to achieve code execution or denial of service with critical CVSS 9.8 severity. The vulnerability stems from inadequate recursive input validation (CWE-120), enabling network-accessible exploitation without user interaction. No public exploit identified at time of analysis, though proof-of-concept details exist in GitHub issue #1873. EPSS score of 0.02% (5th percentile) suggests low observed exploitation probability despite maximum theoretical severity.

Buffer Overflow
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-36233 CRITICAL Act Now

SQL injection in itsourcecode Online Student Enrollment System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'subjcode' parameter in assignInstructorSubjects.php, potentially enabling complete database compromise, authentication bypass, and data exfiltration. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no privileges or user interaction. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity, though publicly available exploit code exists via GitHub repository documentation. No vendor-released patch identified at time of analysis.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-36236 CRITICAL Act Now

SQL injection in SourceCodester Engineers Online Portal v1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands through the new_password parameter in update_password.php, enabling complete database compromise, authentication bypass, and potential server takeover. Despite a critical CVSS score of 9.8, EPSS indicates only 0.01% exploitation probability (2nd percentile), and no public exploit identified at time of analysis beyond technical documentation. The vulnerable PHP application lacks input validation on password update functionality, a common weakness in legacy web portals.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-36235 CRITICAL Act Now

SQL injection in itsourcecode Online Student Enrollment System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the 'subjcode' parameter in scheduleSubList.php, achieving full database compromise with potential for complete system control. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no privileges or user interaction. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity, and no CISA KEV listing exists, suggesting limited real-world targeting despite the theoretical severity. Public proof-of-concept documentation exists on GitHub, lowering the technical barrier for exploitation.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-36232 CRITICAL Act Now

SQL injection in itsourcecode Online Student Enrollment System v1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via unsanitized classId parameter in instructorClasses.php. Despite critical CVSS 9.8 rating, EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity. Public proof-of-concept documentation exists on GitHub, lowering exploitation barrier for opportunistic attackers targeting educational institutions using this enrollment platform.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-36234 CRITICAL Act Now

SQL injection in itsourcecode Online Student Enrollment System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'coursename' parameter in newCourse.php, potentially enabling complete database compromise, authentication bypass, and server-side code execution. Despite a critical 9.8 CVSS score, EPSS indicates only 0.01% exploitation probability (2nd percentile), suggesting minimal observed attacker interest. Publicly available exploit code exists (GitHub POC), but no CISA KEV listing confirms active exploitation.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-29861 CRITICAL Act Now

SQL injection in PHP-MYSQL-User-Login-System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the username parameter at login.php, potentially enabling complete database compromise, authentication bypass, and unauthorized administrative access. Publicly available exploit code exists (GitHub POC). Despite a critical CVSS score of 9.8, EPSS exploitation probability is extremely low (0.01%, 2nd percentile), and no confirmed active exploitation (not in CISA KEV). The low real-world exploitation signal suggests limited deployment or attacker interest in this specific application.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-1115 CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in parisneo/lollms versions prior to 2.2.0 enables unauthenticated attackers to inject malicious JavaScript through unsanitized social post content in the create_post function. Injected scripts execute in victims' browsers when viewing the Home Feed, enabling account takeover, session hijacking, and wormable propagation across the platform. The CVSS vector indicates network-accessible exploitation requiring user interaction, with scope change allowing cross-domain impact. No public exploit identified at time of analysis, but low attack complexity increases weaponization risk.

XSS Parisneo Lollms
NVD GitHub
CVSS 3.0
9.6
EPSS
0.0%
CVE-2026-6068 CRITICAL PATCH Act Now

NASM up to version 3.02rc5 contains a heap use-after-free vulnerability in response file (-@) processing that allows remote attackers without authentication to cause data corruption or denial of service. The vulnerability arises from a dangling pointer stored in the global depend_file variable that is dereferenced after the response-file buffer has been freed. A proof-of-concept exploit exists, and CISA's SSVC framework rates this as automatable with partial technical impact, indicating moderate real-world risk despite the relatively modest CVSS score of 6.5.

Denial Of Service Use After Free Memory Corruption Nasm
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-40157 CRITICAL PATCH GHSA Act Now

Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite through malicious .praison archive bundles. The cmd_unpack function in recipe CLI performs unvalidated tar extraction, allowing attackers to embed ../ path sequences that escape the intended extraction directory. Unauthenticated attackers can distribute weaponized bundles that, when unpacked by victims via 'praisonai recipe unpack' command, overwrite critical system files with attacker-controlled content. No public exploit identified at time of analysis.

Path Traversal Praisonai
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-33707 CRITICAL PATCH Act Now

Unauthenticated password reset takeover in Chamilo LMS 1.11.x (prior to 1.11.38) and 2.0.0-RC versions (prior to RC.3) allows remote attackers to hijack arbitrary user accounts by computing deterministic reset tokens. The vulnerability stems from insecure token generation using sha1($email) without randomization, expiration, or rate limiting. Attackers knowing a target's email address can directly calculate valid password reset tokens and change account credentials without prior authentication, enabling full account takeover with high confidentiality and integrity impact. No public exploit identified at time of analysis.

Information Disclosure Chamilo Lms
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-40189 CRITICAL PATCH GHSA Act Now

Critical authorization bypass in goshs (Go-based HTTP server) versions prior to 2.0.0-beta.4 allows unauthenticated attackers to upload, delete, and modify files in directories protected by .goshs ACL configurations. Attackers can execute state-changing operations (PUT uploads, POST /upload, directory creation via ?mkdir, file deletion via ?delete) without credentials, bypassing documented per-folder authentication mechanisms. Deleting the .goshs file itself removes authentication policies, enabling unrestricted access to previously protected content. Affects confidentiality, integrity, and availability of protected resources. No public exploit identified at time of analysis.

Authentication Bypass Suse
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-40177 CRITICAL PATCH GHSA Act Now

Authentication bypass in Ajenti admin panel versions prior to 0.112 allows unauthenticated remote attackers to completely circumvent password authentication when two-factor authentication (2FA) is enabled. Attackers can gain full administrative access to the Ajenti server management interface without valid credentials, compromising confidentiality and integrity of managed systems. No public exploit identified at time of analysis.

Authentication Bypass Ajenti
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-33698 CRITICAL PATCH Act Now

Arbitrary file write vulnerability in Chamilo LMS versions before 1.11.38 allows unauthenticated remote attackers to modify existing files or create new files with system-level permissions through a chained attack exploiting the main/install/ directory. Attackers can bypass PHP execution restrictions when the installation directory remains accessible post-deployment, enabling complete system compromise where filesystem permissions permit. This vulnerability affects portals that have not removed the main/install/ directory after initial setup. No public exploit identified at time of analysis.

PHP Information Disclosure Path Traversal
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-32892 CRITICAL PATCH Act Now

OS command injection in Chamilo LMS 1.x (prior to 1.11.38) and 2.0.0-RC.x (prior to RC.3) allows authenticated teacher-role users to execute arbitrary system commands via unsanitized file path parameters. The move() function in fileManage.lib.php concatenates user-controlled move_to POST values directly into exec() shell commands without proper escaping. Any authenticated user can exploit this by creating a course (enabled by default), uploading a directory with shell metacharacters via Course Backup Import, then moving a document to trigger command execution as www-data. No public exploit identified at time of analysis.

PHP Command Injection
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-40258 CRITICAL PATCH GHSA Act Now

Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.

PostgreSQL Python Path Traversal Docker
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy