39 CVEs tracked today. 4 Critical, 21 High, 12 Medium, 1 Low.
-
CVE-2026-31845
CRITICAL
CVSS 9.3
Reflected cross-site scripting (XSS) in Rukovoditel CRM 3.6.4's Zadarma telephony API endpoint allows remote attackers to execute arbitrary JavaScript in victim browsers without authentication. The vulnerability stems from direct reflection of the 'zd_echo' GET parameter without sanitization. With CVSS 9.3 (Critical), changed scope (S:C), and no authentication required (PR:N), this enables session hijacking and account takeover via malicious links. No public exploit identified at time of analysis, though proof-of-concept is trivial given the code-level disclosure. EPSS data not available.
XSS
PHP
-
CVE-2026-5059
CRITICAL
CVSS 9.8
Remote code execution in aws-mcp-server 1.3.0 allows unauthenticated attackers to execute arbitrary commands via command injection in the allowed commands list handler. The vulnerability stems from improper validation of user-supplied strings before system call execution, enabling attackers to run code in the MCP server context with no authentication required. EPSS score of 1.01% (77th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis.
RCE
Command Injection
-
CVE-2026-5058
CRITICAL
CVSS 9.8
Remote code execution in aws-mcp-server 1.3.0 allows unauthenticated attackers to execute arbitrary commands via improper validation of the allowed commands list. The command injection flaw (CWE-78) enables system call execution without authentication barriers. With a CVSS score of 9.8 (critical severity) and EPSS probability of 1.01% (77th percentile), this represents a high-severity vulnerability with moderate real-world exploitation likelihood. No public exploit identified at time of analysis, and no active exploitation confirmed.
RCE
Command Injection
-
CVE-2026-4149
CRITICAL
CVSS 10.0
Remote code execution in Sonos Era 300 smart speakers (build 17.5/91.0-70070) allows unauthenticated network attackers to execute arbitrary kernel-level code via malformed SMB server responses. The vulnerability achieves maximum CVSS 10.0 severity due to network accessibility without authentication, low complexity, and kernel-level code execution with scope change. EPSS indicates 1.27% exploitation probability (80th percentile), suggesting moderate real-world risk. No active exploitation confirmed at time of analysis, though ZDI publication increases weaponization likelihood.
RCE
Buffer Overflow
-
CVE-2026-34621
HIGH
CVSS 8.6
Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in user context via malicious PDF files. Attack requires user interaction to open a crafted document. CVSS 9.6 (Critical) reflects network-deliverable code execution with scope change, though EPSS 0.24% (46th percentile) suggests moderate real-world exploitation probability. No public exploit identified at time of analysis.
Prototype Pollution
RCE
Adobe
-
CVE-2026-5809
HIGH
CVSS 7.1
Arbitrary file deletion in wpForo Forum plugin for WordPress (≤3.0.2) allows authenticated attackers with subscriber-level access to delete critical server files including wp-config.php. A two-step logic flaw permits injection of attacker-controlled file paths via poisoned postmeta arrays (data[body][fileurl]), which are later passed unvalidated to wp_delete_file(). The vulnerability requires low-privilege authentication (PR:L) and enables denial-of-service against WordPress installations through deletion of configuration or core files. No public exploit identified at time of analysis.
WordPress
PHP
Information Disclosure
Wpforo Forum
-
CVE-2026-5496
HIGH
CVSS 7.8
Type confusion in Labcenter Electronics Proteus PDSPRJ file parser enables remote code execution when users open malicious project files. Attackers exploit insufficient validation during file parsing to trigger memory corruption, achieving arbitrary code execution with victim user privileges. Requires social engineering to deliver weaponized PDSPRJ files via email, web download, or file sharing. Publicly available exploit code exists (ZDI advisory disclosure). CVSS 7.8 reflects local attack vector requiring user interaction but no authentication.
RCE
Memory Corruption
-
CVE-2026-5495
HIGH
CVSS 7.8
Out-of-bounds write in Labcenter Electronics Proteus PDSPRJ file parser enables unauthenticated remote code execution when victims open crafted project files. The vulnerability stems from insufficient validation during PDSPRJ file processing, allowing buffer overflow conditions that permit arbitrary code execution with the victim's privileges. Exploitation requires user interaction (opening a malicious PDSPRJ file or visiting attacker-controlled web content). CVSS 7.8 (High) reflects local attack vector with no privileges required but mandatory user interaction. No public exploit identified at time of analysis. Affects all versions per available CPE data.
RCE
Memory Corruption
Buffer Overflow
-
CVE-2026-5494
HIGH
CVSS 7.8
Out-of-bounds write in Labcenter Electronics Proteus PDSPRJ file parser enables unauthenticated remote code execution with high integrity impact. Exploitation requires user interaction (opening malicious PDSPRJ file or visiting attacker-controlled page). Insufficient input validation during PDSPRJ processing allows buffer overflow, writing arbitrary data beyond allocated memory boundaries. Successful exploitation grants attacker code execution in application context with full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis.
RCE
Memory Corruption
Buffer Overflow
-
CVE-2026-5493
HIGH
CVSS 7.8
Out-of-bounds write during PDSPRJ file parsing in Labcenter Electronics Proteus enables remote code execution when users open malicious project files. Attackers exploit insufficient input validation to write beyond allocated buffer boundaries, executing arbitrary code with the victim's privileges. Requires user interaction (opening a crafted PDSPRJ file). Classified as CWE-787 memory corruption. No public exploit identified at time of analysis.
RCE
Memory Corruption
Buffer Overflow
-
CVE-2026-5217
HIGH
CVSS 7.2
Unauthenticated stored XSS in Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, authentication tokens are exposed in frontend HTML, enabling exploitation. Injected payloads persist in WordPress options table via transients and execute when victim browsers render affected pages. No public exploit identified at time of analysis.
XSS
PHP
WordPress
-
CVE-2026-5144
HIGH
CVSS 8.8
Privilege escalation in BuddyPress Groupblog (WordPress plugin) allows authenticated attackers with Subscriber-level access to grant Administrator privileges on any blog in a Multisite network, including the main site. Exploitation leverages missing authorization checks in group blog settings handlers, enabling attackers to inject arbitrary WordPress roles (including administrator) and associate groups with any blog ID. When users join the compromised group, they are silently added to the targeted blog with the injected role. Authenticated access required (PR:L). No public exploit identified at time of analysis.
WordPress
Privilege Escalation
-
CVE-2026-5055
HIGH
CVSS 7.8
Local privilege escalation in NoMachine Device Server allows authenticated low-privileged attackers to execute arbitrary code with SYSTEM privileges by exploiting unsafe library loading from an unsecured search path. The vulnerability (ZDI-CAN-28494) requires prior local access but enables full system compromise through DLL hijacking or similar path manipulation. No KEV listing or public exploit identified at time of analysis. CVSS 7.8 (High) with attack vector requiring local access and low privileges (AV:L/PR:L).
RCE
Privilege Escalation
-
CVE-2026-5054
HIGH
CVSS 7.8
Local privilege escalation in NoMachine allows authenticated low-privileged attackers to execute arbitrary code as root through improper validation of command line path parameters. The vulnerability stems from insufficient sanitization of user-supplied file paths in file operations, enabling path traversal to manipulate privileged system resources. Exploitation requires existing low-privileged code execution on the target system. CVSS 7.8 (High) reflects local attack vector with low complexity and no user interaction required. No public exploit identified at time of analysis.
RCE
Privilege Escalation
-
CVE-2026-5053
HIGH
CVSS 7.1
Arbitrary file deletion in NoMachine through environment variable path manipulation allows authenticated local attackers to delete system files with root privileges. The vulnerability stems from insufficient validation of user-supplied paths in file operations, enabling low-privileged users to escalate impact by removing critical files. Affects NoMachine cross-platform remote desktop software. No public exploit identified at time of analysis.
RCE
-
CVE-2026-4158
HIGH
CVSS 7.3
Local privilege escalation in KeePassXC password manager allows authenticated attackers with low privileges to execute arbitrary code by exploiting insecure OpenSSL configuration file loading. When a target user launches KeePassXC, malicious configuration planted in an unsecured path is loaded, enabling code execution in KeePassXC's security context. Attack requires user interaction and prior low-privileged access. CVSS 7.3 (AV:L/AC:L/PR:L/UI:R). No public exploit identified at time of analysis.
RCE
Privilege Escalation
OpenSSL
-
CVE-2026-4157
HIGH
CVSS 7.5
Remote code execution via command injection in ChargePoint Home Flex electric vehicle charging stations allows unauthenticated network-adjacent attackers to execute arbitrary commands as root. The vulnerability resides in the revssh service's handling of OCPP (Open Charge Point Protocol) messages, where unsanitized user-supplied strings are passed directly to system calls. No authentication is required, but the attacker must be on the same network segment as the charging device. No public exploit identified at time of analysis.
RCE
Command Injection
-
CVE-2026-4156
HIGH
CVSS 7.5
Stack-based buffer overflow in ChargePoint Home Flex electric vehicle chargers enables network-adjacent attackers to execute arbitrary code as root via malformed OCPP messages. Unauthenticated exploitation allows complete device compromise through improper length validation in OCPP getpreq message handling. Attack complexity is high (CVSS AC:H), requiring local network access. No public exploit identified at time of analysis.
RCE
Buffer Overflow
Stack Overflow
-
CVE-2026-4155
HIGH
CVSS 7.5
Hardcoded cryptographic seed disclosure in ChargePoint Home Flex charging stations enables unauthenticated remote attackers to extract stored credentials via the genpw script. The vulnerability exposes a secret seed value embedded directly in source code, allowing attackers to decrypt or regenerate passwords for further system compromise. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects unauthenticated network access with high confidentiality impact.
Information Disclosure
-
CVE-2026-4154
HIGH
CVSS 7.8
Integer overflow in GIMP XPM file parser enables remote code execution when processing malicious XPM image files. Affects GIMP installations across platforms. Attackers can execute arbitrary code in the victim's process context by delivering crafted XPM files via social engineering or drive-by downloads. Vulnerability requires user interaction (opening a malicious file). CVSS 7.8 (High severity). No public exploit identified at time of analysis. Upstream patch committed to GIMP repository; vendor-released version not independently confirmed.
RCE
Integer Overflow
Suse
-
CVE-2026-4153
HIGH
CVSS 7.8
Heap-based buffer overflow in GIMP's PSP (Paint Shop Pro) file parser enables remote code execution when processing malicious PSP image files. Unauthenticated attackers can execute arbitrary code with user privileges by convincing targets to open crafted PSP files. CVSS 7.8 (High) reflects local attack vector requiring user interaction. No public exploit identified at time of analysis. Vulnerability tracked as ZDI-CAN-28874 by Zero Day Initiative.
RCE
Buffer Overflow
Heap Overflow
Suse
-
CVE-2026-4152
HIGH
CVSS 7.8
Heap-based buffer overflow in GIMP's JP2 image parser enables unauthenticated remote code execution when users open crafted JPEG 2000 files. The vulnerability stems from insufficient validation of user-supplied data length before copying to heap memory, allowing attackers to execute arbitrary code with user privileges. Exploitation requires social engineering to convince targets to open malicious JP2 files. No public exploit identified at time of analysis.
RCE
Buffer Overflow
Heap Overflow
-
CVE-2026-4151
HIGH
CVSS 7.8
Remote code execution in GIMP via integer overflow during ANI (animated cursor) file parsing allows unauthenticated attackers to execute arbitrary code with user privileges when malicious ANI files are opened. Exploitation requires user interaction (opening crafted file or visiting attacker-controlled page). Insufficient validation of user-supplied data triggers integer overflow before buffer allocation, enabling memory corruption. No public exploit identified at time of analysis. CVSS 7.8 (High) reflects local attack vector with no privilege requirements.
RCE
Integer Overflow
Suse
-
CVE-2026-4150
HIGH
CVSS 7.8
Integer overflow in GIMP PSD file parser enables remote code execution when users open malicious PSD files. Affects GIMP installations across platforms. Exploitation requires user interaction (opening crafted file). Attacker achieves arbitrary code execution in application context with high confidentiality, integrity, and availability impact. Publicly available exploit code exists. Insufficient validation of user-supplied data during buffer allocation causes overflow, allowing memory corruption and code execution.
RCE
Integer Overflow
Suse
-
CVE-2026-3690
HIGH
CVSS 7.4
Unauthenticated remote attackers bypass authentication in OpenClaw canvas endpoints due to improper authentication implementation (CWE-291). Exploitation requires no user interaction and yields high confidentiality/integrity impact. Network-accessible attack vector with high complexity (CVSS:3.0 7.4 AV:N/AC:H/PR:N). No public exploit identified at time of analysis. Originally reported as ZDI-CAN-29311.
Authentication Bypass
-
CVE-2026-32146
MEDIUM
CVSS 6.2
Path traversal in Gleam compiler versions 1.9.0-rc1 through 1.15.3 and 1.16.0-rc1 allows arbitrary file system modification when resolving git dependencies, enabling attackers to delete and overwrite directories outside the intended dependency folder via malicious dependency names containing relative or absolute paths. A user must invoke dependency download (e.g., gleam deps download) for exploitation; attackers can leverage this to cause data loss or achieve code execution by overwriting git hooks or shell configuration files. Vendor-released patches are available.
Path Traversal
RCE
Gleam
-
CVE-2026-6106
MEDIUM
CVSS 5.1
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.2.1 allows authenticated remote attackers to inject malicious scripts via the Name argument in the StaticHeadersMiddleware component of the Public Chat Interface. The vulnerability requires user interaction (UI:R) and has low confidentiality impact but enables persistent code execution in user browsers. Publicly available exploit code exists, and vendor-released patch version 2.8.0 resolves the issue.
XSS
-
CVE-2026-6105
MEDIUM
CVSS 6.9
Improper authorization in perfree go-fastdfs-web up to version 1.3.7 allows remote unauthenticated attackers to access the doInstall interface in InstallController.java, potentially disclosing sensitive information or manipulating system configuration. The vulnerability has been publicly disclosed with exploit code available; however, the vendor has not responded to early disclosure notifications and no official patch has been released.
Java
Information Disclosure
-
CVE-2026-5226
MEDIUM
CVSS 6.1
Reflected Cross-Site Scripting (XSS) in Optimole - Optimize Images in Real Time WordPress plugin versions up to 4.2.3 allows unauthenticated attackers to inject arbitrary JavaScript through malicious URL paths. The vulnerability stems from insufficient output escaping of the value returned by the get_current_url() function, which is then inserted into JavaScript code via str_replace() without proper JavaScript-context escaping in replace_content(). An attacker can craft a malicious link that, when clicked by a WordPress user, executes injected scripts in the context of the user's browser session, with CVSS 6.1 (Medium) severity.
XSS
WordPress
-
CVE-2026-5207
MEDIUM
CVSS 6.5
SQL injection in LifterLMS WordPress plugin versions up to 9.2.1 allows authenticated Instructor-level users with the edit_post capability to extract sensitive database information via an insufficiently escaped 'order' parameter in quiz reporting tables. The vulnerability requires authenticated access with a specific WordPress role and post capabilities, limiting exposure to trusted users with elevated privileges; no public exploit code or active exploitation has been identified at time of analysis.
SQLi
WordPress
-
CVE-2026-4979
MEDIUM
CVSS 5.0
Blind Server-Side Request Forgery in UsersWP WordPress plugin versions up to 1.2.58 allows authenticated subscribers and above to force the WordPress server to make arbitrary HTTP requests via the uwp_crop parameter in avatar/banner image crop operations. The vulnerability stems from insufficient URL origin validation in the process_image_crop() method, which accepts user-controlled URLs and passes them to PHP image processing functions that support URL wrappers, enabling internal network reconnaissance and potential access to sensitive services. No public exploit code or active exploitation has been confirmed, though the vulnerability requires only authenticated access and low attack complexity.
PHP
SSRF
WordPress
-
CVE-2026-4895
MEDIUM
CVSS 6.4
Stored cross-site scripting in GreenShift - Animation and Page Builder Blocks plugin for WordPress up to version 12.8.9 allows authenticated contributors to inject arbitrary JavaScript into pages via improper HTML string manipulation in the gspb_greenShift_block_script_assets() function. The vulnerability exploits a naive str_replace() operation that fails to parse HTML context, enabling attackers to break out of attribute boundaries and inject malicious event handlers like onfocus with JavaScript payloads that execute when users access affected pages. No public exploit code has been identified; however, the low attack complexity and straightforward injection vector make this a practical risk for sites with untrusted contributors.
XSS
WordPress
-
CVE-2026-3691
MEDIUM
CVSS 5.3
OpenClaw Client exposes PKCE verifier and stored credentials through unencrypted OAuth authorization URL query strings, allowing remote attackers to disclose authentication data when users initiate OAuth flows. The vulnerability requires user interaction (target must start authorization), has a CVSS score of 5.3 (medium), and affects all versions of OpenClaw Client. No active exploitation has been publicly reported, though the ZDI designation (ZDI-CAN-29381) indicates coordinated disclosure.
Information Disclosure
-
CVE-2026-3689
MEDIUM
CVSS 6.5
Authenticated remote attackers can traverse the file system through the OpenClaw canvas gateway endpoint to disclose sensitive information due to insufficient path validation. The vulnerability affects OpenClaw across unspecified versions and requires valid user credentials; attackers operating with low-privilege accounts can read arbitrary files in the service account context. No public exploit code or active exploitation has been identified at the time of analysis.
Information Disclosure
Path Traversal
-
CVE-2026-3498
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in BlockArt Blocks plugin for WordPress allows authenticated attackers with Author-level or higher permissions to inject arbitrary JavaScript into page content via the 'clientId' block attribute due to insufficient input sanitization and output escaping. An attacker can craft malicious block content that executes in the browsers of all users viewing the compromised page. The vulnerability affects all versions up to and including 2.2.15, with a fix available in version 2.3.0.
XSS
WordPress
-
CVE-2026-3371
MEDIUM
CVSS 4.3
Insecure Direct Object Reference in Tutor LMS WordPress plugin versions up to 3.9.7 allows authenticated Subscriber-level users to manipulate course content structure across any course by exploiting missing authorization checks in the save_course_content_order() method, enabling attackers to detach lessons from topics, reorder course content, and reassign lessons between courses without proper ownership verification.
WordPress
Authentication Bypass
-
CVE-2026-3358
MEDIUM
CVSS 5.4
Tutor LMS plugin for WordPress up to version 3.9.7 allows authenticated subscribers to enroll in private courses due to missing post_status validation in enrollment functions, exposing private course metadata in user dashboards despite WordPress core preventing actual content access. The vulnerability requires subscriber-level authentication but affects confidentiality and integrity, with confirmed patches available in version 3.9.8.
WordPress
Authentication Bypass
-
CVE-2026-40354
LOW
CVSS 2.9
Flatpak xdg-desktop-portal versions before 1.20.4 and 1.21.x before 1.21.1 allow any sandboxed Flatpak application to delete arbitrary files on the host system through a symlink race condition in the g_file_trash function. The vulnerability exploits insufficient validation of file paths during trash operations, enabling local privilege escalation from a confined container context to affect host files. CVSS severity is low (2.9) due to high attack complexity and local-only vector, but the impact affects all Flatpak users whose host system contains a vulnerable xdg-desktop-portal installation.
Information Disclosure
-
CVE-2026-23900
None
Various stored XSS vulnerabilities in the map and icon rendering logic of the Phoca Maps component 5.0.0-6.0.2 have been discovered.
PHP
XSS
WordPress
Phoca Cz Phoca Maps For Joomla