Skip to main content
CVE-2026-40683 HIGH PATCH GHSA This Week

OpenStack Keystone's LDAP identity backend grants authentication access to disabled user accounts due to improper string-to-boolean conversion logic. Versions 8.0.0 through 28.0.0 fail to convert LDAP-disabled status into boolean values when user_enabled_invert is False (default), causing disabled accounts to authenticate as enabled. This affects all LDAP-backed Keystone deployments without specific configuration overrides. CVSS 7.7 with changed scope (S:C) indicates potential cross-tenant privilege issues. EPSS data not available; no public exploit identified at time of analysis, though the logic flaw is straightforward to trigger with valid low-privilege credentials.

Information Disclosure Memory Corruption Python Red Hat
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-27282 HIGH This Week

Security feature bypass in Adobe ColdFusion 2023.18, 2025.6, and earlier allows remote unauthenticated attackers to circumvent security controls via improper input validation, potentially enabling unauthorized access to protected resources. The vulnerability carries a CVSS score of 7.5 with high integrity impact, though exploitation reportedly requires user interaction per the description. No public exploit code or active exploitation confirmed at time of analysis, but the authentication bypass classification indicates potential for privilege escalation or access control circumvention.

Authentication Bypass Coldfusion
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-26154 HIGH PATCH Exploit Unlikely This Week

Windows Server Update Service (WSUS) fails to properly validate network inputs, allowing unauthenticated remote attackers to cause denial of service across all Windows Server versions from 2012 through 2025. The vulnerability (CVSS 7.5) enables network-based tampering with high availability impact (AV:N/AC:L/PR:N/UI:N/A:H), though confidentiality and integrity remain unaffected. Patch available per vendor advisory; no public exploit identified at time of analysis. The Authentication Bypass tag and PR:N vector confirm attackers require no credentials, making internet-exposed WSUS servers particularly vulnerable.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-32071 HIGH PATCH Exploit Unlikely This Week

Remote denial-of-service in Windows Local Security Authority Subsystem Service (LSASS) allows unauthenticated network attackers to crash Windows systems through null pointer dereference exploitation. Affects Windows 10 (versions 1607-22H2), Windows 11 (22H3-26H1), and Windows Server (2016-2025) across multiple release channels. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis, but the low attack complexity (AC:L) and unauthenticated netwo

Denial Of Service Null Pointer Dereference Microsoft
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40245 HIGH GHSA This Week

Unauthenticated access to free5GC UDR subscriber identifiers exposes SUPI/IMSI values via unprotected 5G Service Based Interface endpoint. Missing return statements in free5GC UDR versions prior to 4.2.1 allow attackers to retrieve complete subscriber databases with a single parameterless HTTP GET request, undermining 3GPP SUCI privacy mechanisms. Public exploit code exists. EPSS score is low (0.10%) indicating limited observed exploitation, but impact is severe for exposed deployments with misconfigured network segmentation.

Information Disclosure Deserialization
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33096 HIGH PATCH Exploit Unlikely This Week

Denial of service in Windows HTTP.sys kernel-mode driver allows unauthenticated remote attackers to crash affected systems via malformed HTTP requests. Affects all currently supported Windows 11 versions (22H2 through 26H1) and Windows Server 2022/2025 editions. The vulnerability stems from an out-of-bounds read (CWE-125) triggered when HTTP.sys processes specially crafted network packets without authentication (CVSS AV:N/PR:N). Vendor-released patches available for all affected versions with specific build numbers identified. No public exploit identified at time of analysis, though low attack complexity (AC:L) suggests straightforward exploitation once technical details emerge.

Buffer Overflow Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4352 HIGH This Week

SQL injection in JetEngine WordPress plugin (≤3.8.6.1) via Custom Content Type REST API allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from unsanitized search parameters in REST endpoints, bypassing WordPress's built-in SQL protections. Attack complexity is low (CVSS AC:L) with no user interaction required. EPSS and KEV data not provided; exploitation requires Custom Content Types module enabled with public REST endpoints configured.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23708 HIGH This Week

Authentication bypass in Fortinet FortiSOAR allows unauthenticated remote attackers to circumvent two-factor authentication (2FA) protections via replay attacks against intercepted authentication tokens. Affects both PaaS and on-premise deployments of FortiSOAR versions 7.5.0-7.5.2 and 7.6.0-7.6.3. Successful exploitation requires network positioning to intercept and decrypt authentication traffic, then replay captured 2FA requests before token expiration (CVSS:3.1/AV:N/AC:H/PR:N/UI:R). EPSS data not available; no public exploit code or CISA KEV listing identified at time of analysis, though the precise attack requirements (traffic interception, decryption, timing) increase complexity beyond simple network access.

Fortinet Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40890 HIGH PATCH GHSA This Week

### Summary Processing a malformed input containing a `<` character that is not followed by a `>` character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. ### Details The `smartLeftAngle()` function in `html/smartypants.go:367-376` performs an out-of-bounds slice operation when processing a `<` character that is not followed by a `>` character anywhere in the remaining text. https://github.com/gomarkdown/markdown/blob/37c66b85d6ab025ba67a73ba03b7f3ef55859cca/html/smartypants.go#L367-L376 If the length of the slice is lower than its capacity, this leads to an extra byte of data read. If the length equals the capacity, this leads to a panic. ### PoC ```golang package main import ( "bytes" "fmt" "github.com/gomarkdown/markdown/html" ) func main() { src := []byte("<a") fmt.Printf("Input: %q (len=%d, cap=%d)\n", src, len(src), cap(src)) var buf bytes.Buffer sp := html.NewSmartypantsRenderer(html.Smartypants) sp.Process(&buf, src) // panics: slice bounds out of range fmt.Printf("Output: %q\n", buf.String()) } ``` ### Impact This vulnerability will lead to a Denial of Service / panic on the processing service. -- The Datadog Security Team

Denial Of Service Information Disclosure Buffer Overflow Red Hat
NVD GitHub HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40164 HIGH PATCH This Week

Algorithmic complexity attack in jq JSON processor allows remote denial of service via hash collision exploitation. An attacker can craft a ~100KB JSON object with precomputed colliding keys that degrade hash table performance from O(1) to O(n²), causing severe CPU exhaustion in unauthenticated network contexts including CI/CD pipelines and web services. The vulnerability stems from a hardcoded MurmurHash3 seed (0x432A9843) that enables offline collision calculation. Fixed in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. CVSS 7.5 (High severity, network-exploitable, no authentication required). No public exploit identified at time of analysis, but attack technique is well-documented and feasible.

Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40870 HIGH PATCH GHSA This Week

Decidim GraphQL API exposes all commentable resources platform-wide without permission checks, enabling unauthorized access to comments and associated data across public and private participation spaces. Affects decidim-api and decidim-comments Ruby gems with default configurations exposing the /api endpoint publicly. No vendor patch available - only workarounds via authentication enforcement or IP allowlisting. CVSS 7.5 (High) reflects network-accessible confidentiality breach, though real-world impact depends heavily on whether the Decidim instance hosts non-public participation spaces.

Authentication Bypass Nginx
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40869 HIGH PATCH GHSA This Week

Authorization bypass in Decidim Core allows any authenticated user to accept or reject amendments on proposals belonging to other users, effectively hijacking proposal authorship. Affects decidim-core gem versions 0.19.0 and later. The flaw stems from insufficient permission checks (CWE-266) that only verify if amendment reactions are enabled at the component level, not whether the user owns the proposal. CVSS 7.5 (High) reflects network-based integrity impact, though the PR:N (no privileges required) rating appears inconsistent with the description stating 'registered and authenticated user' - this discrepancy should be verified with the vendor. No patch version identified in available data; vendor advisory recommends disabling amendment reactions as a workaround. No active exploitation (CISA KEV) or public POC reported at time of analysis.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5756 HIGH This Week

Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception, or disruption of testing services.

Information Disclosure Microsoft
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22155 HIGH This Week

Fortinet FortiSOAR transmits sensitive information in cleartext over the network, allowing authenticated remote attackers to disclose confidential data. The vulnerability affects both PaaS and on-premise deployments across versions 7.3 through 7.6.x, with CVSS 6.5 reflecting moderate confidentiality impact requiring low-privilege authentication. No public exploit code or active exploitation has been confirmed at time of analysis.

Fortinet Information Disclosure Fortisoar On Premise Fortisoar Paas
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31923 HIGH This Week

Sensitive authentication tokens in Apache APISIX OpenID Connect plugin transmit in cleartext when connecting to identity providers, affecting versions 0.7 through 3.15.0. The ssl_verify parameter defaults to false, disabling TLS certificate validation and enabling potential man-in-the-middle interception of authentication credentials. With CVSS 7.5 (High), network-based attackers can intercept confidential data without authentication. EPSS probability is minimal (0.01%, 2nd percentile) with no confirmed active exploitation (CISA KEV absent), indicating theoretical risk despite high CVSS severity.

Information Disclosure Apache
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32156 HIGH PATCH Exploit Unlikely This Week

Local code execution in Windows Universal Plug and Play (UPnP) Device Host across all supported Windows 10, 11, and Server versions allows unauthenticated attackers to achieve high-impact compromise via use-after-free memory corruption. The vulnerability affects Windows 10 versions 1607 through 22H2, Windows 11 versions 22H3 through 26H1, and Windows Server 2012 through 2025 (including Server Core installations). Despite requiring local access and high attack complexity (CVSS:3.1/AV:L/AC:H), the

Denial Of Service Use After Free Memory Corruption Microsoft
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-2450 HIGH This Week

Misconfigured .NET impersonation in upKeeper Instant Privilege Access through version 1.5.0 enables authenticated remote attackers to hijack privileged execution threads, leading to high confidentiality and integrity impact on underlying system resources. The vulnerability requires low-level privileges and presents network-based attack vector with high complexity. No public exploit identified at time of analysis, and CISA SSVC framework classifies this as non-automatable with partial technical impact. EPSS data not available for risk quantification.

Information Disclosure Upkeeper Instant Privilege Access
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-32149 HIGH PATCH Exploit Unlikely This Week

Windows Hyper-V local privilege escalation via improper input validation (CWE-20) enables authenticated low-privilege attackers with user interaction to execute arbitrary code with high confidentiality, integrity, and availability impact across Windows 10 (versions 1607-22H2), Windows 11 (versions 22H3-26H1), and Windows Server (2016-2025). Microsoft released patches addressing the vulnerability with EPSS exploitation probability data not available; no public exploit identified at time of analys

Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-33021 HIGH PATCH This Week

Use-after-free in libsixel 1.8.7 and earlier enables local attackers to crash applications or execute arbitrary code via crafted SIXEL image frames. The vulnerability occurs when sixel_encoder_encode_bytes() processes resize operations that free caller-owned pixel buffers, creating dangling pointers exploitable through repeated, predictable frame manipulation. EPSS data not available; no confirmed active exploitation (not in CISA KEV), but the technical details suggest reliable exploitation potential for local privilege escalation or RCE scenarios.

Use After Free RCE Memory Corruption Libsixel
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-40688 HIGH This Week

Out-of-bounds write in FortiWeb administrative interface enables authenticated remote code execution on web application firewall appliances. Affects FortiWeb 7.4.0-7.4.11, 7.6.0-7.6.6, and 8.0.0-8.0.3. CVSS 7.2 indicates high-privilege authenticated network attack with low complexity. No public exploit identified at time of analysis, though the incomplete advisory description ('<insert attack vector here>') suggests disclosure may be pending or sanitized. Memory corruption class (CWE-787) typically enables arbitrary code execution, confirmed by CVSS impact ratings (High C/I/A). EPSS data not available for risk probability assessment.

Buffer Overflow Memory Corruption Fortinet
NVD VulDB
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-6227 HIGH This Week

Local file inclusion in BackWPup WordPress plugin versions ≤5.6.6 allows authenticated administrators to read sensitive configuration files or achieve remote code execution via path traversal bypass in the `/wp-json/backwpup/v1/getblock` REST endpoint. The vulnerability stems from insufficient sanitization using non-recursive `str_replace()`, enabling crafted sequences like `....//` to bypass filtering. While requiring high privileges (PR:H), the plugin's permission delegation feature allows administrators to grant backup management rights to lower-privileged users, expanding the attack surface. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CVSS 7.2 reflects high confidentiality, integrity, and availability impact.

PHP Path Traversal WordPress RCE
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-39387 HIGH This Week

Local File Inclusion in BoidCMS versions prior to 2.1.3 enables authenticated administrators to execute arbitrary PHP code via path traversal in the tpl parameter combined with file upload. The vulnerability chains unsanitized require_once() inclusion with media upload functionality, allowing attackers to upload malicious files and force their execution with web server privileges. Vendor-released patch available in version 2.1.3. CVSS 7.2 reflects high-privilege requirement (administrator access), but exploitation complexity is low once authenticated. No CISA KEV listing or public exploit code identified at time of analysis.

RCE LFI PHP File Upload Path Traversal
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-4388 HIGH This Week

Stored Cross-Site Scripting in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows unauthenticated attackers to inject malicious JavaScript through Matrix field submissions that executes when administrators view submission details. The vulnerability stems from inadequate sanitization (sanitize_text_field removes tags but preserves quotes) and missing output escaping in the admin Submissions view. With CVSS 7.2 (High) and network-based attack vector requiring no privileges or user int

XSS WordPress
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-33715 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Chamilo LMS 2.0-RC.2 allows unauthenticated remote attackers to weaponize the learning management system as an open email relay and probe internal networks. The vulnerability stems from an authentication bypass in install.ajax.php, which accepts arbitrary SMTP server connections via Symfony Mailer DSN strings. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L). EPSS data not provided. Vendor-released patch: version 2.0.0-RC.3.

Authentication Bypass PHP SSRF
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3017 HIGH This Week

PHP object injection in Smart Post Show WordPress plugin versions ≤3.0.12 allows administrators to deserialize untrusted input via the import_shortcodes() function. While no POP chain exists in the plugin itself (making direct exploitation impossible), the vulnerability becomes critical if paired with another plugin/theme containing exploitable gadget chains, potentially enabling file deletion, data exfiltration, or remote code execution. CVSS 7.2 (High) reflects theoretical maximum impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE identifier.

PHP WordPress Information Disclosure Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-61848 HIGH This Week

SQL injection in Fortinet FortiAnalyzer and FortiManager versions 7.0-7.6 allows privileged authenticated attackers to execute unauthorized code or commands via the JSON RPC API. This affects both on-premises and cloud variants across multiple major version branches (7.0, 7.2, 7.4, 7.6). The vulnerability requires high-privilege authentication (CVSS PR:H) but is remotely exploitable with low attack complexity. No public exploit identified at time of analysis, though the network attack vector and code execution capability make this a priority for organizations running affected Fortinet management infrastructure.

Fortinet SQLi
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-39971 HIGH PATCH GHSA This Week

SMTP header injection in Serendipity CMS allows remote unauthenticated attackers to inject arbitrary email headers via malicious Host header during email-triggering operations (comments, subscriptions, password resets). The unsanitized $_SERVER['HTTP_HOST'] value is embedded directly into Message-ID headers without validation, enabling BCC injection, email spoofing, and reply hijacking. CVSS 7.2 with Changed scope indicates cross-domain impact. EPSS data not available; no public exploit identified at time of analysis, though a detailed proof-of-concept exists in the GitHub security advisory demonstrating successful header injection via comment submission.

PHP RCE
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-40315 HIGH PATCH This Week

SQL identifier injection in PraisonAI's SQLiteConversationStore allows authenticated local attackers with configuration control to extract database schema and manipulate query results. The vulnerability affects PraisonAI versions prior to 4.5.133, where unsanitized table_prefix values are concatenated into SQL queries via f-strings. Attackers controlling configuration inputs (from_yaml/from_dict) can inject SQL fragments to access internal SQLite tables like sqlite_master and execute UNION-based injections. A vendor patch is available in version 4.5.133. No public exploit code or active exploitation confirmed at time of analysis. CVSS 7.2 indicates local attack vector with low complexity but requires low privileges and present attack complexity conditions.

SQLi Praisonai
NVD GitHub
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-26151 HIGH PATCH Exploit Likely This Week

Windows Remote Desktop spoofing vulnerability allows remote unauthenticated attackers to bypass security warnings and trick users into accepting malicious RDP connections, potentially exposing sensitive session data. Affects all supported Windows 10, 11, and Server versions from 2012 through 2025. Vendor-released patches are available. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and network attack vector (AV:N) indicate exploitation would be straight

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-40090 HIGH PATCH GHSA This Week

Path traversal in Zarf package inspection commands enables arbitrary file write when processing malicious packages. Attackers can craft Zarf packages with traversal sequences in the Metadata.Name field (e.g., '../../etc/cron.d/malicious'), bypassing input validation to write attacker-controlled content to sensitive system locations when users run 'zarf package inspect sbom' or 'zarf package inspect documentation'. Fixed in version v0.74.2. CVSS 7.1 (High) with network attack vector but requires user interaction. No public exploit identified at time of analysis, though exploitation complexity is low as attackers only need to modify zarf.yaml and sboms.tar in a package archive.

Path Traversal
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-34256 HIGH This Week

Authenticated remote attackers can overwrite eight-character executable ABAP reports in SAP ERP and SAP S/4HANA systems due to missing authorization checks, enabling denial-of-service conditions when legitimate users execute corrupted reports. This authorization bypass (CWE-862) requires low-privilege authenticated access (CVSS PR:L) and has low attack complexity, combining limited integrity impact with high availability impact (CVSS 7.1). EPSS data not provided; no public exploit identified at time of analysis. Affects SAP ERP and SAP S/4HANA Private Cloud and On-Premise deployments.

SAP Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33714 HIGH PATCH This Week

SQL injection in Chamilo LMS 2.0.0-RC.2 allows authenticated administrators to extract arbitrary database contents via unsanitized date parameters in the statistics AJAX endpoint's users_active action. This represents an incomplete fix for CVE-2026-30881, where only one of two vulnerable parameter sets was sanitized. Time-based blind SQL injection techniques enable data exfiltration despite requiring admin-level authentication. EPSS data not available; no public exploit identified at time of analysis, though the incomplete remediation pattern and technical details in the GitHub advisory lower exploitation barriers for attackers with admin access.

SQLi PHP
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-34602 HIGH PATCH This Week

Insecure Direct Object Reference in Chamilo LMS /api/course_rel_users endpoint allows authenticated attackers to enroll arbitrary users into any course without authorization (CVSS 7.1, High Integrity impact). Affects all versions prior to 2.0.0-RC.3. The vulnerability enables authenticated users to manipulate user-course relationships by modifying the user parameter in API requests, bypassing enrollment controls entirely. No public exploit code identified at time of analysis, though the attack v

Authentication Bypass Chamilo Lms
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-38528 HIGH This Week

SQL injection in Krayin CRM 2.2.x allows authenticated remote attackers to extract sensitive database contents via the rotten_lead parameter in LeadDataGrid.php. CVSS 7.1 severity with network attack vector and low complexity enables database enumeration with low-privilege credentials. No public exploit identified at time of analysis, though EPSS data unavailable. Technical advisory published on GitHub indicates vulnerability affects lead management functionality in this Laravel-based open-source CRM platform.

PHP SQLi
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-4344 HIGH PATCH This Week

Stored XSS in Autodesk Fusion desktop application allows local attackers to execute arbitrary code or read local files through malicious component names displayed in delete confirmation dialogs. When a user clicks the crafted payload, the vulnerability escalates from XSS to potential local code execution within the application context. Vendor-released patches available for Windows and macOS. No public exploit identified at time of analysis, though the attack vector is local (CVSS:3.1/AV:L) requiring user interaction but no authentication (PR:N), with CVSS 7.1 reflecting high confidentiality and integrity impact.

RCE XSS Fusion
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-4345 HIGH PATCH This Week

Stored cross-site scripting (XSS) in Autodesk Fusion desktop application allows local attackers to execute arbitrary code or read local files by crafting malicious HTML payloads in design names that trigger when exported to CSV format. The vulnerability requires no authentication but depends on user interaction (opening the exported CSV). Vendor patch available via updated client installers for Windows and macOS. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code identified at time of analysis.

RCE XSS Fusion
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-4369 HIGH PATCH This Week

Stored cross-site scripting in Autodesk Fusion desktop application enables arbitrary code execution when malicious assembly variant names render in delete confirmation dialogs. Attackers can craft HTML payloads that execute in the application context, enabling local file access and code execution with user privileges (CVSS 7.1, local attack vector requiring user interaction). Vendor-released patch available via official Fusion client installers for Windows and macOS. No public exploit identified at time of analysis.

RCE XSS Fusion
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33020 HIGH PATCH This Week

Heap buffer overflow in libsixel 1.8.7 and earlier allows local attackers to achieve arbitrary code execution by providing a maliciously crafted large palettised PNG image that triggers integer overflow in RGB888 conversion routines. The vulnerability requires user interaction to process the malicious image but no authentication. EPSS data not available; no public exploit identified at time of analysis, though the technical details in the advisory provide sufficient information for weaponization. Vendor-released patch: version 1.8.7-r1.

Heap Overflow Buffer Overflow RCE Libsixel
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33019 HIGH PATCH This Week

Out-of-bounds heap read in libsixel img2sixel via integer overflow allows local attackers to crash the application and potentially leak sensitive memory contents when processing malicious --crop arguments with otherwise valid images. Affects libsixel 1.8.7 and earlier; patched in 1.8.7-r1. EPSS data not available, but exploitation requires local access with user interaction (CVSS AV:L/UI:R). No CISA KEV listing; no public exploit identified at time of analysis.

Buffer Overflow Information Disclosure Libsixel
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-39907 HIGH This Week

Unisys WebPerfect Image Suite 3.0.3960.22810 and 3.0.3960.22604 leak NTLMv2 machine-account hashes through an unauthenticated SOAP endpoint on TCP port 1208, enabling remote attackers to force SMB authentication attempts and relay credentials for privilege escalation or lateral movement. The WCF service accepts unsanitized file paths in the ReadLicense action, allowing UNC path injection to trigger outbound SMB connections. CVSS 7.0 with network attack vector, low complexity, and no authentication required (PR:N). No public exploit code identified at time of analysis, though the attack technique is straightforward for adversaries familiar with NTLM relay tactics.

Privilege Escalation Webperfect Image Suite
NVD VulDB GitHub
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-39906 HIGH This Week

NTLMv2 credential leakage in Unisys WebPerfect Image Suite 3.0.3960.22810 and 3.0.3960.22604 enables remote unauthenticated attackers to extract machine-account hashes via deprecated .NET Remoting TCP channels, facilitating network-wide lateral movement and privilege escalation through hash relay attacks. Disclosed by VulnCheck, this flaw exploits insecure object deserialization to coerce NTLM authentication to attacker-controlled UNC paths. EPSS data not available; no KEV listing or public exploit code identified at time of analysis, though the disclosed technical details provide sufficient information for weaponization.

Privilege Escalation Microsoft
NVD VulDB GitHub
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-26152 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Cryptographic Services affects Windows 10, Windows 11, and Windows Server versions from 2012 through 2025 due to insecure storage of cryptographic material. Authenticated attackers with low privileges can exploit this CWE-922 weakness (insecure storage of sensitive information) to gain high-level access to confidentiality, integrity, and availability. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis,

Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-27908 HIGH PATCH Exploit Likely This Week

Use-after-free in Windows TDI Translation Driver (tdx.sys) allows local privilege escalation to SYSTEM by authenticated low-privileged users on Windows 10/11 and Server 2012-2025. Microsoft has released security updates addressing this CWE-416 memory corruption flaw across all supported Windows versions. CVSS 7.0 reflects high attack complexity but full system compromise if successfully exploited. No public exploit identified at time of analysis, though the vulnerability's local attack vector an

Denial Of Service Use After Free Memory Corruption Microsoft
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-26182 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Ancillary Function Driver for WinSock (AFD.sys) allows authenticated low-privilege users to gain SYSTEM-level access through use-after-free memory corruption. Affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025, including Server Core installations. Vendor-released patches available across all affected platforms. No public exploit identified at time of analysis, though high-complexity local exploitation (CVSS AC:H)

Denial Of Service Use After Free Memory Corruption Microsoft
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-26177 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Ancillary Function Driver for WinSock affects all supported Windows 10, 11, and Server versions through use-after-free memory corruption. Authenticated local attackers with low privileges can exploit this CWE-416 vulnerability to gain SYSTEM-level access, achieving high impact to confidentiality, integrity, and availability. Vendor-released patches are available across all affected platforms. No public exploit identified at time of analysis, though the high

Denial Of Service Use After Free Memory Corruption Microsoft
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-26166 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Shell via double-free memory corruption allows low-privileged authenticated users to gain SYSTEM-level access across Windows 11 (versions 22H3 through 26H1) and Windows Server 2022/2025 environments. The CWE-415 double-free vulnerability requires high attack complexity but no user interaction, enabling complete system compromise once exploited. Vendor-released patches are available with specific build numbers identified for each affected version. No public exploit identified at time of analysis, though the CVSS 7.0 score reflects significant impact potential when successfully exploited.

Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-26165 HIGH PATCH Exploit Unlikely This Week

Windows Shell use-after-free memory corruption enables local privilege escalation to SYSTEM on Windows 11 (all versions 22H3 through 26H1) and Windows Server 2022/2025. Authenticated low-privileged users can exploit freed memory references in Shell components despite high attack complexity requirements. Vendor-released patches address all affected versions. EPSS data not available; no public exploit identified at time of analysis, though the vulnerability class (CWE-416) is well-understood and commonly weaponized in Windows privilege escalation chains.

Denial Of Service Use After Free Memory Corruption Microsoft
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-26173 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Ancillary Function Driver for WinSock (AFD.sys) across Windows 10, 11, and Server 2012-2025 allows low-privileged authenticated attackers to gain SYSTEM-level access via race condition exploitation. The vulnerability affects widespread Windows deployments spanning a decade of operating system versions, from Server 2012 (6.2.9200.0) through Windows 11 26H1 and Server 2025. Microsoft has released patches for all affected versions. No public exploit identified

Information Disclosure Race Condition Microsoft
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-27921 HIGH PATCH Exploit Likely This Week

Local privilege escalation in Windows TCP/IP stack across Windows 10, 11, and Server editions allows low-privileged authenticated users to gain SYSTEM-level access by exploiting a race condition in shared resource synchronization. This CWE-362 flaw affects every supported Windows version from legacy Server 2012 through cutting-edge Windows 11 26H1, with vendor-released patches available. The local attack vector (AV:L) and high complexity (AC:H) reduce immediate mass-exploitation risk, though the

Information Disclosure Race Condition Microsoft
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-26174 HIGH PATCH Exploit Unlikely This Week

Windows Server Update Service (WSUS) race condition enables local privilege escalation to SYSTEM on Windows 10, 11, and Server 2012-2025. Authenticated users with low-level privileges can exploit improper synchronization in concurrent execution paths to gain full system control. Attack complexity is high (AC:H), requiring precise timing to win the race window. Vendor-released patches available for all affected versions. No public exploit identified at time of analysis, though the high CVSS 7.0 s

Information Disclosure Race Condition Microsoft
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy