Skip to main content
CVE-2026-34621 HIGH POC KEV THREAT NEWS Act Now

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in user context via malicious PDF files. Attack requires user interaction to open a crafted document. CVSS 9.6 (Critical) reflects network-deliverable code execution with scope change, though EPSS 0.24% (46th percentile) suggests moderate real-world exploitation probability. No public exploit identified at time of analysis.

Prototype Pollution RCE Adobe
NVD VulDB GitHub
CVSS 3.1
8.6
EPSS
0.2%
Threat
4.7
CVE-2026-4149 CRITICAL Act Now

Remote code execution in Sonos Era 300 smart speakers (build 17.5/91.0-70070) allows unauthenticated network attackers to execute arbitrary kernel-level code via malformed SMB server responses. The vulnerability achieves maximum CVSS 10.0 severity due to network accessibility without authentication, low complexity, and kernel-level code execution with scope change. EPSS indicates 1.27% exploitation probability (80th percentile), suggesting moderate real-world risk. No active exploitation confirmed at time of analysis, though ZDI publication increases weaponization likelihood.

RCE Buffer Overflow Era 300
NVD VulDB
CVSS 3.1
9.8
EPSS
1.3%
CVE-2026-5059 CRITICAL GHSA Act Now

Remote code execution in aws-mcp-server 1.3.0 allows unauthenticated attackers to execute arbitrary commands via command injection in the allowed commands list handler. The vulnerability stems from improper validation of user-supplied strings before system call execution, enabling attackers to run code in the MCP server context with no authentication required. EPSS score of 1.01% (77th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis.

RCE Command Injection Aws Mcp Server
NVD VulDB
CVSS 3.0
9.8
EPSS
1.0%
CVE-2026-5058 CRITICAL Act Now

Remote code execution in aws-mcp-server 1.3.0 allows unauthenticated attackers to execute arbitrary commands via improper validation of the allowed commands list. The command injection flaw (CWE-78) enables system call execution without authentication barriers. With a CVSS score of 9.8 (critical severity) and EPSS probability of 1.01% (77th percentile), this represents a high-severity vulnerability with moderate real-world exploitation likelihood. No public exploit identified at time of analysis, and no active exploitation confirmed.

RCE Command Injection Aws Mcp Server
NVD VulDB
CVSS 3.0
9.8
EPSS
1.0%
CVE-2026-31845 CRITICAL Act Now

Reflected cross-site scripting (XSS) in Rukovoditel CRM 3.6.4's Zadarma telephony API endpoint allows remote attackers to execute arbitrary JavaScript in victim browsers without authentication. The vulnerability stems from direct reflection of the 'zd_echo' GET parameter without sanitization. With CVSS 9.3 (Critical), changed scope (S:C), and no authentication required (PR:N), this enables session hijacking and account takeover via malicious links. No public exploit identified at time of analysis, though proof-of-concept is trivial given the code-level disclosure. EPSS data not available.

XSS PHP
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-5144 HIGH This Week

Privilege escalation in BuddyPress Groupblog (WordPress plugin) allows authenticated attackers with Subscriber-level access to grant Administrator privileges on any blog in a Multisite network, including the main site. Exploitation leverages missing authorization checks in group blog settings handlers, enabling attackers to inject arbitrary WordPress roles (including administrator) and associate groups with any blog ID. When users join the compromised group, they are silently added to the targeted blog with the injected role. Authenticated access required (PR:L). No public exploit identified at time of analysis.

WordPress Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-32146 HIGH PATCH This Week

Path traversal in Gleam compiler versions 1.9.0-rc1 through 1.15.3 and 1.16.0-rc1 allows arbitrary file system modification when resolving git dependencies, enabling attackers to delete and overwrite directories outside the intended dependency folder via malicious dependency names containing relative or absolute paths. A user must invoke dependency download (e.g., gleam deps download) for exploitation; attackers can leverage this to cause data loss or achieve code execution by overwriting git hooks or shell configuration files. Vendor-released patches are available.

Path Traversal RCE Gleam
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-4154 HIGH PATCH This Week

Integer overflow in GIMP XPM file parser enables remote code execution when processing malicious XPM image files. Affects GIMP installations across platforms. Attackers can execute arbitrary code in victim's process context by delivering crafted XPM files via social engineering or drive-by downloads. Vulnerability requires user interaction (opening malicious file). CVSS 7.8 (High severity). No public exploit identified at time of analysis. Upstream patch committed to GIMP repository; vendor-released version not independently confirmed.

RCE Integer Overflow Gimp
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-4151 HIGH PATCH This Week

Remote code execution in GIMP via integer overflow during ANI (animated cursor) file parsing allows unauthenticated attackers to execute arbitrary code with user privileges when malicious ANI files are opened. Exploitation requires user interaction (opening crafted file or visiting attacker-controlled page). Insufficient validation of user-supplied data triggers integer overflow before buffer allocation, enabling memory corruption. No public exploit identified at time of analysis. CVSS 7.8 (High) reflects local attack vector with no privilege requirements.

RCE Integer Overflow Gimp
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-4150 HIGH PATCH This Week

Integer overflow in GIMP PSD file parser enables remote code execution when users open malicious PSD files. Affects GIMP installations across platforms. Exploitation requires user interaction (opening crafted file). Attacker achieves arbitrary code execution in application context with high confidentiality, integrity, and availability impact. Publicly available exploit code exists. Insufficient validation of user-supplied data during buffer allocation causes overflow, allowing memory corruption and code execution.

RCE Integer Overflow Gimp
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-4153 HIGH PATCH This Week

Heap-based buffer overflow in GIMP's PSP (Paint Shop Pro) file parser enables remote code execution when processing malicious PSP image files. Unauthenticated attackers can execute arbitrary code with user privileges by convincing targets to open crafted PSP files. CVSS 7.8 (High) reflects local attack vector requiring user interaction. No public exploit identified at time of analysis. Vulnerability tracked as ZDI-CAN-28874 by Zero Day Initiative.

RCE Buffer Overflow Heap Overflow Gimp
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-4152 HIGH PATCH This Week

Heap-based buffer overflow in GIMP's JP2 image parser enables unauthenticated remote code execution when users open crafted JPEG 2000 files. The vulnerability stems from insufficient validation of user-supplied data length before copying to heap memory, allowing attackers to execute arbitrary code with user privileges. Exploitation requires social engineering to convince targets to open malicious JP2 files. No public exploit identified at time of analysis.

RCE Buffer Overflow Heap Overflow Gimp
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-5495 HIGH This Week

Out-of-bounds write in Labcenter Electronics Proteus PDSPRJ file parser enables unauthenticated remote code execution when victims open crafted project files. The vulnerability stems from insufficient validation during PDSPRJ file processing, allowing buffer overflow conditions that permit arbitrary code execution with victim's privileges. Exploitation requires user interaction-opening a malicious PDSPRJ file or visiting attacker-controlled web content. CVSS 7.8 (High) reflects local attack vector with no privileges required but mandatory user interaction. No public exploit identified at time of analysis. Affects all versions per available CPE data.

RCE Memory Corruption Buffer Overflow Proteus
NVD VulDB
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-5494 HIGH This Week

Out-of-bounds write in Labcenter Electronics Proteus PDSPRJ file parser enables unauthenticated remote code execution with high integrity impact. Exploitation requires user interaction (opening malicious PDSPRJ file or visiting attacker-controlled page). Insufficient input validation during PDSPRJ processing allows buffer overflow, writing arbitrary data beyond allocated memory boundaries. Successful exploitation grants attacker code execution in application context with full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis.

RCE Memory Corruption Buffer Overflow Proteus
NVD VulDB
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-5493 HIGH This Week

Out-of-bounds write during PDSPRJ file parsing in Labcenter Electronics Proteus enables remote code execution when users open malicious project files. Attackers exploit insufficient input validation to write beyond allocated buffer boundaries, executing arbitrary code with victim's privileges. Requires user interaction (opening crafted PDSPRJ file). CWE-787 memory corruption vulnerability. No public exploit identified at time of analysis.

RCE Memory Corruption Buffer Overflow Proteus
NVD VulDB
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-5496 HIGH This Week

Type confusion in Labcenter Electronics Proteus PDSPRJ file parser enables remote code execution when users open malicious project files. Attackers exploit insufficient validation during file parsing to trigger memory corruption, achieving arbitrary code execution with victim user privileges. Requires social engineering to deliver weaponized PDSPRJ files via email, web download, or file sharing. Publicly available exploit code exists (ZDI advisory disclosure). CVSS 7.8 reflects local attack vector requiring user interaction but no authentication.

RCE Memory Corruption Proteus
NVD VulDB
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-5054 HIGH This Week

Local privilege escalation in NoMachine allows authenticated low-privileged attackers to execute arbitrary code as root through improper validation of command line path parameters. The vulnerability stems from insufficient sanitization of user-supplied file paths in file operations, enabling path traversal to manipulate privileged system resources. Exploitation requires existing low-privileged code execution on the target system. CVSS 7.8 (High) reflects local attack vector with low complexity and no user interaction required. No public exploit identified at time of analysis.

RCE Privilege Escalation Nomachine
NVD VulDB
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-5055 HIGH This Week

Local privilege escalation in NoMachine Device Server allows authenticated low-privileged attackers to execute arbitrary code with SYSTEM privileges by exploiting unsafe library loading from an unsecured search path. The vulnerability (ZDI-CAN-28494) requires prior local access but enables full system compromise through DLL hijacking or similar path manipulation. No KEV listing or public exploit identified at time of analysis. CVSS 7.8 (High) with attack vector requiring local access and low privileges (AV:L/PR:L).

RCE Privilege Escalation Nomachine
NVD VulDB
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-4155 HIGH This Week

Hardcoded cryptographic seed disclosure in ChargePoint Home Flex charging stations enables unauthenticated remote attackers to extract stored credentials via the genpw script. The vulnerability exposes a secret seed value embedded directly in source code, allowing attackers to decrypt or regenerate passwords for further system compromise. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects unauthenticated network access with high confidentiality impact.

Information Disclosure Home Flex
NVD VulDB
CVSS 3.0
7.5
EPSS
0.2%
CVE-2026-4157 HIGH This Week

Remote code execution via command injection in ChargePoint Home Flex electric vehicle charging stations allows unauthenticated network-adjacent attackers to execute arbitrary commands as root. The vulnerability resides in the revssh service's handling of OCPP (Open Charge Point Protocol) messages, where unsanitized user-supplied strings are passed directly to system calls. No authentication is required, but the attacker must be on the same network segment as the charging device. No public exploit identified at time of analysis.

RCE Command Injection Home Flex
NVD VulDB
CVSS 3.0
7.5
EPSS
0.2%
CVE-2026-4156 HIGH This Week

Stack-based buffer overflow in ChargePoint Home Flex electric vehicle chargers enables network-adjacent attackers to execute arbitrary code as root via malformed OCPP messages. Unauthenticated exploitation allows complete device compromise through improper length validation in OCPP getpreq message handling. Attack complexity is high (CVSS AC:H), requiring local network access. No public exploit identified at time of analysis.

RCE Buffer Overflow Stack Overflow Home Flex
NVD VulDB
CVSS 3.0
7.5
EPSS
0.1%
CVE-2026-3690 HIGH PATCH This Week

Unauthenticated remote attackers bypass authentication in OpenClaw canvas endpoints due to improper authentication implementation (CWE-291). Exploitation requires no user interaction and yields high confidentiality/integrity impact. Network-accessible attack vector with high complexity (CVSS:3.0 7.4 AV:N/AC:H/PR:N). No public exploit identified at time of analysis. Originally reported as ZDI-CAN-29311.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.0
7.4
EPSS
0.1%
CVE-2026-4158 HIGH This Week

Local privilege escalation in KeePassXC password manager allows authenticated attackers with low privileges to execute arbitrary code by exploiting insecure OpenSSL configuration file loading. When a target user launches KeePassXC, malicious configuration planted in an unsecured path is loaded, enabling code execution in KeePassXC's security context. Attack requires user interaction and prior low-privileged access. CVSS 7.3 (AV:L/AC:L/PR:L/UI:R). No public exploit identified at time of analysis.

RCE Privilege Escalation OpenSSL Suse
NVD GitHub VulDB
CVSS 3.0
7.3
EPSS
0.0%
CVE-2026-5217 HIGH This Week

Unauthenticated stored XSS in Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, authentication tokens are exposed in frontend HTML, enabling exploitation. Injected payloads persist in WordPress options table via transients and execute when victim browsers render affected pages. No public exploit identified at time of analysis.

XSS PHP WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-5809 HIGH This Week

Arbitrary file deletion in wpForo Forum plugin for WordPress (≤3.0.2) allows authenticated attackers with subscriber-level access to delete critical server files including wp-config.php. A two-step logic flaw permits injection of attacker-controlled file paths via poisoned postmeta arrays (data[body][fileurl]), which are later passed unvalidated to wp_delete_file(). The vulnerability requires low-privilege authentication (PR:L) and enables denial-of-service against WordPress installations through deletion of configuration or core files. No public exploit identified at time of analysis.

WordPress PHP Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-5053 HIGH This Week

Arbitrary file deletion in NoMachine through environment variable path manipulation allows authenticated local attackers to delete system files with root privileges. Vulnerability stems from insufficient validation of user-supplied paths in file operations, enabling low-privileged users to escalate impact by removing critical files. Affects NoMachine cross-platform remote desktop software. No public exploit identified at time of analysis.

RCE Nomachine
NVD VulDB
CVSS 3.0
7.1
EPSS
0.0%
CVE-2026-3689 MEDIUM PATCH This Month

Authenticated remote attackers can traverse the file system through the OpenClaw canvas gateway endpoint to disclose sensitive information due to insufficient path validation. The vulnerability affects OpenClaw across unspecified versions and requires valid user credentials; attackers operating with low-privilege accounts can read arbitrary files in the service account context. No public exploit code or active exploitation has been identified at the time of analysis.

Information Disclosure Path Traversal Openclaw
NVD GitHub VulDB
CVSS 3.0
6.5
EPSS
0.3%
CVE-2026-23900 MEDIUM This Month

Stored XSS vulnerabilities in Phoca Maps for Joomla 5.0.0-6.0.2 allow unauthenticated remote attackers to inject and execute arbitrary JavaScript in map and icon rendering logic, potentially compromising user sessions and stealing sensitive data. CVSS 6.5 reflects network accessibility and information disclosure risk, though EPSS (0.03%) suggests low current exploitation likelihood. The vulnerability requires no authentication or user interaction to inject payloads, but stored nature means victims are affected upon viewing contaminated maps.

XSS Phoca Cz Phoca Maps For Joomla
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5207 MEDIUM This Month

SQL injection in LifterLMS WordPress plugin versions up to 9.2.1 allows authenticated Instructor-level users with edit_post capability to extract sensitive database information via insufficiently escaped 'order' parameter in quiz reporting tables. The vulnerability requires authenticated access with specific WordPress role and post capabilities, limiting exposure to trusted users with elevated privileges; no public exploit code or active exploitation has been identified at time of analysis.

SQLi WordPress
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4895 MEDIUM This Month

Stored cross-site scripting in GreenShift - Animation and Page Builder Blocks plugin for WordPress up to version 12.8.9 allows authenticated contributors to inject arbitrary JavaScript into pages via improper HTML string manipulation in the gspb_greenShift_block_script_assets() function. The vulnerability exploits a naive str_replace() operation that fails to parse HTML context, enabling attackers to break out of attribute boundaries and inject malicious event handlers like onfocus with JavaScript payloads that execute when users access affected pages. No public exploit code has been identified; however, the low attack complexity and straightforward injection vector make this a practical risk for sites with untrusted contributors.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3498 MEDIUM This Month

Stored Cross-Site Scripting in BlockArt Blocks plugin for WordPress allows authenticated attackers with Author-level or higher permissions to inject arbitrary JavaScript into page content via the 'clientId' block attribute due to insufficient input sanitization and output escaping. An attacker can craft malicious block content that executes in the browsers of all users viewing the compromised page. The vulnerability affects all versions up to and including 2.2.15, with a fix available in version 2.3.0.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5226 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Optimole - Optimize Images in Real Time WordPress plugin versions up to 4.2.3 allows unauthenticated attackers to inject arbitrary JavaScript through malicious URL paths. The vulnerability stems from insufficient output escaping in the get_current_url() function, which are then inserted into JavaScript code via str_replace() without proper JavaScript context escaping in replace_content(). An attacker can craft a malicious link that, when clicked by a WordPress user, executes injected scripts in the context of the user's browser session with CVSS 6.1 (Medium) severity.

XSS WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-6106 LOW POC PATCH Monitor

Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.2.1 allows authenticated remote attackers to inject malicious scripts via the Name argument in the StaticHeadersMiddleware component of the Public Chat Interface. The vulnerability requires user interaction (UI:R) and has low confidentiality impact but enables persistent code execution in user browsers. Publicly available exploit code exists, and vendor-released patch version 2.8.0 resolves the issue.

XSS Maxkb
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6105 MEDIUM This Month

Improper authorization in perfree go-fastdfs-web up to version 1.3.7 allows remote unauthenticated attackers to access the doInstall interface in InstallController.java, potentially disclosing sensitive information or manipulating system configuration. The vulnerability has been publicly disclosed with exploit code available; however, the vendor has not responded to early disclosure notifications and no official patch has been released.

Java Information Disclosure
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3358 MEDIUM This Month

Tutor LMS plugin for WordPress up to version 3.9.7 allows authenticated subscribers to enroll in private courses due to missing post_status validation in enrollment functions, exposing private course metadata in user dashboards despite WordPress core preventing actual content access. The vulnerability requires subscriber-level authentication but affects confidentiality and integrity, with confirmed patches available in version 3.9.8.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-3691 MEDIUM PATCH This Month

OpenClaw Client exposes PKCE verifier and stored credentials through unencrypted OAuth authorization URL query strings, allowing remote attackers to disclose authentication data when users initiate OAuth flows. The vulnerability requires user interaction (target must start authorization), has a CVSS score of 5.3 (medium), and affects all versions of OpenClaw Client. No active exploitation has been publicly reported, though the ZDI designation (ZDI-CAN-29381) indicates coordinated disclosure.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.0
5.3
EPSS
0.1%
CVE-2026-4979 MEDIUM This Month

Blind Server-Side Request Forgery in UsersWP WordPress plugin versions up to 1.2.58 allows authenticated subscribers and above to force the WordPress server to make arbitrary HTTP requests via the uwp_crop parameter in avatar/banner image crop operations. The vulnerability stems from insufficient URL origin validation in the process_image_crop() method, which accepts user-controlled URLs and passes them to PHP image processing functions that support URL wrappers, enabling internal network reconnaissance and potential access to sensitive services. No public exploit code or active exploitation has been confirmed, though the vulnerability requires only authenticated access and low attack complexity.

PHP SSRF WordPress
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-3371 MEDIUM This Month

Insecure Direct Object Reference in Tutor LMS WordPress plugin versions up to 3.9.7 allows authenticated Subscriber-level users to manipulate course content structure across any course by exploiting missing authorization checks in the save_course_content_order() method, enabling attackers to detach lessons from topics, reorder course content, and reassign lessons between courses without proper ownership verification.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-40354 LOW PATCH Monitor

Flatpak xdg-desktop-portal versions before 1.20.4 and 1.21.x before 1.21.1 allow any sandboxed Flatpak application to delete arbitrary files on the host system through a symlink race condition in the g_file_trash function. The vulnerability exploits insufficient validation of file paths during trash operations, enabling local privilege escalation from a confined container context to affect host files. CVSS severity is low (2.9) due to high attack complexity and local-only vector, but the impact affects all Flatpak users whose host system contains a vulnerable xdg-desktop-portal installation.

Information Disclosure Xdg Desktop Portal
NVD GitHub VulDB
CVSS 3.1
2.9
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy