Skip to main content
CVE-2025-15441 MEDIUM POC PATCH This Month

SQL injection in Form Maker by 10Web WordPress plugin before version 1.15.38 allows unauthenticated remote attackers to read sensitive data via improper SQL query preparation when the MySQL Mapping feature is enabled. The attack requires high complexity to exploit but has high confidentiality impact, affecting all WordPress sites running the vulnerable plugin with this feature active. Public exploit code is available, though EPSS scoring (0.02%) suggests real-world exploitation remains limited despite the presence of proof-of-concept.

SQLi WordPress
NVD WPScan VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-6203 MEDIUM POC This Month

The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks.

Open Redirect WordPress
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6158 MEDIUM POC This Month

Remote code execution in Totolink N300RH firmware 6.1c.1353_B20190305 allows unauthenticated network attackers to execute arbitrary OS commands via command injection in the FileName parameter of the setUpgradeUboot function in upgrade.so. Publicly available exploit code exists for this vulnerability, which carries a CVSS 6.9 score reflecting network-accessible attack vector with low complexity and no authentication requirements.

Command Injection N300Rh
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
2.4%
CVE-2026-6224 MEDIUM POC This Month

A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Information Disclosure Plugin Workflow Javascript
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6160 MEDIUM POC This Month

Remote file and directory information exposure in code-projects Simple ChatBox 1.0 allows unauthenticated attackers to disclose sensitive file paths and directory structures via manipulation of the SimpleChatbox_PHP endpoint. The vulnerability affects the chatbox.sql component and has publicly available exploit code; attackers can enumerate filesystem information without authentication or user interaction, creating risk for reconnaissance and secondary attack planning.

Information Disclosure Simple Chatbox
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6193 MEDIUM POC This Month

A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6189 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Username parameter in /ajax.php?action=login. The vulnerability enables low-complexity attacks requiring no user interaction, with publicly available exploit code (EPSS probability data not provided, not listed in CISA KEV). Attackers can compromise confidentiality, integrity, and availability of the pharmacy inventory database without authentication.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6188 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=delete_sales, with publicly available exploit code and evidence of active proof-of-concept publication.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6187 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=chk_prod_availability, enabling unauthorized data access and modification. The vulnerability has a publicly available exploit and carries a CVSS score of 6.9 with confirmed proof-of-concept code available on GitHub.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6183 MEDIUM POC This Month

SQL injection in code-projects Simple Content Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /web/index.php and execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists and the vulnerability carries a CVSS 6.9 score reflecting moderate confidentiality, integrity, and availability impact across the network-accessible endpoint.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6182 MEDIUM POC This Month

SQL injection in code-projects Simple Content Management System 1.0 allows unauthenticated remote attackers to manipulate the User parameter in /web/admin/login.php, enabling database query manipulation with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, increasing real-world attack likelihood despite the moderate CVSS score of 6.9.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6167 MEDIUM POC This Month

SQL injection in code-projects Faculty Management System 1.0 via the ID parameter in /subject-print.php allows unauthenticated remote attackers to execute arbitrary SQL queries and exfiltrate or modify database contents with low confidentiality and integrity impact. Publicly available exploit code exists, creating immediate operational risk for organizations running this system.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6166 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the VEHICLE_ID parameter in /util/UpdateVehicleFunction.php, achieving confidentiality and integrity compromise. Publicly available exploit code exists and the vulnerability carries a CVSS 6.9 score with confirmed exploitability (E:P rating).

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6165 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /util/Login_check.php, leading to unauthorized data access or modification. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk despite its low-to-moderate CVSS score of 6.9.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6164 MEDIUM POC This Month

SQL injection in Lost and Found Thing Management 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the cata parameter in /addcat.php. The vulnerability has CVSS 6.9 (network-accessible, low complexity) and publicly available exploit code exists, making it a practical attack vector for data exfiltration and manipulation in this PHP-based application.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6163 MEDIUM POC This Month

SQL injection in code-projects Lost and Found Thing Management 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the cat parameter in /catageory.php, enabling data exfiltration and potential database manipulation. The vulnerability has a publicly available exploit and carries a CVSS score of 6.9 with confirmed low impact to confidentiality, integrity, and availability. Active exploitation status has not been confirmed at time of analysis, but the accessible nature of the vulnerability and public exploit availability elevate operational risk.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6161 MEDIUM POC This Month

SQL injection in code-projects Simple ChatBox up to version 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via manipulation of the msg parameter in the /chatbox/insert.php endpoint, leading to confidentiality and integrity compromise. The vulnerability has a CVSS score of 6.9 and publicly available exploit code exists, increasing real-world risk despite the moderate base score.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6153 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the STAFF_ID parameter in /util/StaffDetailsFunction.php, enabling unauthorized database access with limited confidentiality and integrity impact. Public exploit code is available, and the vulnerability has a CVSS score of 6.9 with confirmed exploitability.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6152 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to read, modify, or delete database contents via the STAFF_ID parameter in /util/StaffAddingFunction.php. CVSS score of 7.3 (High) reflects network-accessible attack requiring no privileges or user interaction. Publicly available exploit code exists (GitHub POC), significantly lowering exploitation barrier, though no active exploitation confirmed via CISA KEV at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6151 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the CUSTOMER_ID parameter in /util/PaymentStatusFunction.php. CVSS 7.3 (High) with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation. No vendor-released patch identified at time of analysis, creating an urgent risk for exposed deployments.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6149 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the BRANCH_ID parameter in /util/BookVehicleFunction.php. The vulnerability has publicly available exploit code (GitHub POC), enabling trivial exploitation with low attack complexity. CVSS 7.3 reflects medium-severity impacts across confidentiality, integrity, and availability. No vendor patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6148 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the BRANCH_ID parameter in MonthTotalReportUpdateFunction.php. Publicly available exploit code exists (GitHub POC published), enabling trivial exploitation with no user interaction required. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication barrier, creating immediate risk for internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6142 MEDIUM POC This Month

SQL injection in tushar-2223 Hotel Management System /admin/roomdelete.php allows unauthenticated remote attackers to manipulate database queries via the ID parameter, potentially compromising confidentiality, integrity, and availability of hotel management data. Publicly available exploit code exists (CVSS 7.3, EPSS not provided). The vulnerability affects all versions up to commit bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15 in this rolling-release project, and the maintainer has not responded to responsible disclosure attempts.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-33740 MEDIUM POC PATCH This Month

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox, while the original victim attachment record is deleted as a side effect of the import flow. This is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data, and is practically exploitable because attachment IDs are commonly exposed in normal UI and API workflows such as stream payloads and download links. This issue is fixed in version 9.3.4.

Authentication Bypass Espocrm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-6218 MEDIUM POC This Month

A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure.

XSS Ytdownloader
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-33657 MEDIUM POC PATCH This Month

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.

XSS Espocrm
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-2728 MEDIUM POC PATCH GHSA This Month

Cross-site Scripting (XSS) in LibreNMS versions before 26.3.0 allows authenticated administrators to inject malicious scripts on the showconfig page, enabling attacks against other authorized users. The vulnerability requires high administrative privileges and user interaction (clicking a malicious link) to execute, resulting in integrity impact to other users' sessions. Publicly available exploit code exists, though CISA KEV status is not confirmed.

XSS Librenms
NVD VulDB GitHub
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-33534 MEDIUM POC PATCH This Month

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). This is caused by HostCheck::isNotInternalHost() function relying on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, causing the validation to fall through to a DNS lookup that returns no records and incorrectly treats the host as safe, however the cURL subsequently normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4.

SSRF Espocrm
NVD GitHub Exploit-DB VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-39979 MEDIUM PATCH This Month

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.

Buffer Overflow Information Disclosure Jq
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-21013 MEDIUM This Month

Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information through incorrect default file or directory permissions, exposing high-value data on affected wearable devices. The vulnerability requires local access but no authentication or user interaction, making it exploitable by any user on the device.

Privilege Escalation Galaxy Wearable
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-40446 MEDIUM This Month

Type confusion vulnerability in Samsung Open Source Escargot JavaScript engine allows local attackers with user interaction to manipulate pointers and achieve memory corruption, enabling information disclosure and privilege escalation through heap spray and type-confusion exploitation techniques. CVSS score is 6.5; no public exploit code or CISA KEV status confirmed at time of analysis.

Information Disclosure Samsung Memory Corruption
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.0%
CVE-2026-28553 MEDIUM This Month

HarmonyOS and EMUI theme setting modules fail to enforce proper permission controls, allowing local attackers with user interaction to read sensitive system information across security boundaries. The vulnerability requires physical or local access and user interaction but can compromise confidentiality of protected data; CVSS 6.9 reflects moderate-to-high real-world risk due to local attack surface and CVSS vector showing high confidentiality impact (C:H) despite lower integrity and availability consequences.

Information Disclosure Emui
NVD
CVSS 3.1
6.9
EPSS
0.0%
CVE-2026-21012 MEDIUM This Month

External control of file name in Samsung AODManager prior to April 2026 SMR Release 1 allows privileged local attackers to create files with system privileges, potentially leading to privilege escalation or system compromise. The vulnerability requires high-level local privileges and affects Samsung Mobile devices through a path traversal or file name manipulation flaw in the AODManager component. No public exploit code has been identified at the time of analysis.

Information Disclosure Samsung Mobile Devices
NVD VulDB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-34864 MEDIUM This Month

Local privilege escalation in HarmonyOS application read module allows unauthenticated local attackers to cause memory corruption through a boundary-unlimited buffer overflow, potentially achieving code execution or system crash with high availability impact. CVSS 6.8 reflects local attack vector with integrity and availability consequences. Huawei has released security bulletins addressing this CWE-119 vulnerability affecting HarmonyOS devices.

Buffer Overflow
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-25206 MEDIUM This Month

Out-of-bounds read in Samsung Open Source Escargot JavaScript engine allows local attackers to leak sensitive memory contents and cause denial of service. Affects Escargot commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 and potentially other versions; the vulnerability requires local access and specific conditions to trigger but can expose confidential data and crash the application without authentication. No public exploit identified at time of analysis.

Samsung Buffer Overflow Information Disclosure
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-34863 MEDIUM This Month

Out-of-bounds write in HarmonyOS file system allows local privileged attackers to corrupt memory with high impact on confidentiality, integrity, and availability. The vulnerability affects HarmonyOS across versions and requires high-level local system privileges to exploit, making it a critical concern for multi-user systems and containerized deployments where privilege escalation vectors exist.

Buffer Overflow Memory Corruption
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-21010 MEDIUM This Month

Improper input validation in Samsung Mobile Retail Mode prior to SMR April 2026 Release 1 allows local attackers with limited privileges to trigger privileged functions, potentially leading to information disclosure and unauthorized modification of device state. The vulnerability requires physical or local access and low-privilege credentials, limiting immediate remote exploitation risk but posing significant concern for retail environments where devices are physically accessible to untrusted parties.

Information Disclosure Samsung Mobile Devices
NVD VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-25209 MEDIUM This Month

Out-of-bounds read in Samsung Open Source Escargot JavaScript engine exposes sensitive memory content to remote attackers through user interaction. The vulnerability affects Escargot commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 and allows information disclosure with partial availability impact. CVSS 5.9 (medium) reflects the requirement for user interaction and high complexity attack prerequisites, though the memory exposure potential warrants monitoring for patches.

Samsung Buffer Overflow Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31280 MEDIUM NEWS This Month

Denial of service in Parani M10 Motorcycle Intercom v2.1.3 via crafted Bluetooth RFCOMM frames allows unauthenticated attackers within wireless range to crash the device. The vulnerability exploits a buffer overflow in the RFCOMM service handler, causing high availability impact. A proof-of-concept exists but active exploitation has not been confirmed; EPSS score of 0.02% suggests limited real-world exploitation pressure despite the accessible attack vector.

Denial Of Service Buffer Overflow N A
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6179 MEDIUM This Month

Stored cross-site scripting (XSS) in NightWolf Penetration Testing Platform 2.1.5 allows authenticated users to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. The vulnerability requires user interaction is absent from the CVSS vector (UI:N), meaning the injected payload executes automatically when a victim views affected content. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS Nightwolf Penetration Testing Platform
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-34862 MEDIUM This Month

Race condition in Huawei HarmonyOS power consumption statistics module allows local privileged users to disclose information and modify system integrity, potentially affecting service availability. The vulnerability requires high privilege level and local access but enables information disclosure combined with integrity and availability impact. CVSS 6.3 reflects moderate real-world risk given the privilege requirement; Huawei has issued security advisories indicating patch availability.

Race Condition Information Disclosure
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-34861 MEDIUM This Month

Race condition in Huawei HarmonyOS thermal management module allows local authenticated users to disclose information and modify system integrity through concurrent access exploitation. An attacker with high privileges can trigger a timing-dependent race condition to achieve information disclosure, integrity compromise, and potential availability impact. CVSS 6.3 reflects the attack's requirement for high privilege escalation and local access, though the integrity impact (I:H) signals significant potential for system manipulation despite the officially stated availability focus.

Race Condition Information Disclosure
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-25204 MEDIUM This Month

Deserialization of untrusted data in Samsung Open Source Escargot JavaScript engine prior to commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 allows local attackers without privileges to trigger a denial of service condition via process abort. The vulnerability exploits unsafe deserialization of Java objects, resulting in application termination rather than code execution. No public exploit code or active exploitation has been identified at the time of analysis.

Deserialization Samsung Denial Of Service Java
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-33947 MEDIUM PATCH This Month

jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.

Denial Of Service Jq
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-29628 MEDIUM This Month

Stack overflow in tinyobjloader's experimental MTL file parser (tinyobj_loader_opt.h) allows local attackers to trigger denial of service by supplying a malformed .mtl file. The vulnerability affects the library's material file parsing logic and crashes the application via stack memory corruption, though with EPSS score of 0.01% and no confirmed active exploitation, real-world risk is minimal despite the moderate CVSS 6.2 rating.

Denial Of Service Stack Overflow Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-40312 MEDIUM PATCH GHSA This Month

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-40169 MEDIUM POC PATCH GHSA This Month

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.

Heap Overflow Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-26460 MEDIUM This Month

A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser

XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-39956 MEDIUM PATCH This Month

jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.

Buffer Overflow Information Disclosure Jq
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-34852 MEDIUM This Month

Stack overflow in HarmonyOS media platform allows authenticated local attackers to cause denial of service and potentially achieve limited information disclosure or integrity compromise through malicious user interaction. CVSS 6.1 reflects moderate severity with local attack vector, low complexity, and requirement for user interaction; EPSS and KEV status not provided. No public exploit code or active exploitation confirmed at time of analysis.

Denial Of Service
NVD
CVSS 3.1
6.1
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy