Skip to main content
CVE-2026-40500 MEDIUM POC This Month

ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints.

SSRF Processwire
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.0%
CVE-2026-1314 MEDIUM POC This Month

The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0827 MEDIUM PATCH This Month

During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file write with elevated privileges.

Information Disclosure Lenovo
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-40574 MEDIUM PATCH GHSA This Month

An authorization bypass exists in OAuth2 Proxy as part of the `email_domain` enforcement option. An attacker may be able to authenticate with an email claim such as `attacker@evil.com@company.com` and satisfy an allowed domain check for `company.com`, even though the claim is not a valid email address. The issue **ONLY** affects deployments that rely on `email_domain` restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. The practical risk ONLY exists in self-hosted or custom OIDC environments and federated setups where unexpected claim values can reach oauth2-proxy. Standard hosted providers that enforce valid email formatting ARE NOT effected. Users should upgrade to `v7.15.2` or later once available. The most effective workaround is to ensure the configured identity provider cannot emit malformed or attacker-controlled email claim values.

Authentication Bypass Red Hat
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-33220 MEDIUM PATCH GHSA This Month

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.

Path Traversal Weblate
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-28741 MEDIUM PATCH This Month

Mattermost versions 10.11.x through 10.11.12, 11.3.x through 11.3.2, 11.4.x through 11.4.2, and 11.5.0 fail to validate CSRF tokens on authentication endpoints, allowing remote attackers to update a targeted user's authentication method by tricking them into visiting a malicious page. The attack requires user interaction (UI:R) and results in high confidentiality and integrity impact, but no public exploit or CISA KEV confirmation has been identified at the time of analysis.

CSRF Mattermost
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-20202 MEDIUM PATCH This Month

In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.

Information Disclosure Splunk Enterprise Splunk Cloud Platform
NVD VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-5758 MEDIUM PATCH This Month

JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.

RCE Red Hat
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-20081 MEDIUM This Month

Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker&nbsp;to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials.&nbsp; These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system.

Cisco Information Disclosure
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-20078 MEDIUM This Month

Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker&nbsp;to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials.&nbsp; These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system.

Cisco Information Disclosure
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-6385 MEDIUM PATCH This Month

A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.

Denial Of Service Integer Overflow Buffer Overflow RCE Red Hat +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6364 MEDIUM PATCH This Month

Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)

Information Disclosure Buffer Overflow Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15470 MEDIUM This Month

The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary directories on the server, including the WordPress root directory.

WordPress Path Traversal
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15636 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.1.

XSS Youtube Showcase
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-40734 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS.This issue affects Categories Images: from n/a through <= 3.3.1.

XSS Categories Images
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3590 MEDIUM PATCH This Month

Mattermost versions 10.11.x through 10.11.12, 11.3.x through 11.3.2, 11.4.x through 11.4.2, and 11.5.0 fail to enforce atomic consumption of guest magic link tokens, allowing unauthenticated attackers to establish multiple concurrent authenticated sessions from a single valid magic link. This enables unauthorized access and potential information disclosure without requiring additional credentials or user interaction beyond intercepting or obtaining the link.

Information Disclosure Mattermost
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25219 MEDIUM PATCH This Month

The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data. If you used Azure Service Bus connection with those values set or if you have other connections with those values storing sensitve values, you should upgrade Airflow to 3.2.0.

Information Disclosure Microsoft
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3659 MEDIUM This Month

Stored Cross-Site Scripting in WP Circliful plugin for WordPress up to version 1.2 allows authenticated attackers with Contributor-level access to inject arbitrary HTML and JavaScript via insufficiently sanitized shortcode attributes in [circliful] and [circliful_direct] shortcodes. The vulnerability exists in the circliful_shortcode() and circliful_direct_shortcode() functions, which concatenate user input directly into HTML attributes without escaping. When a user visits a page containing the injected shortcode, the malicious script executes in their browser. No public exploit code or active exploitation in the wild has been confirmed at time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-40346 MEDIUM PATCH GHSA This Month

{ url: trim(url), // User-controlled, no validation method, headers, params, timeout, ...(method.toLowerCase() !== 'get' && data != null ? { data: transformer ? await transformer(data) : data } : {}), }); ``` The `url` at line 98 comes directly from user workflow configuration with only whitespace trimming. **`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:** ```typescript const axiosRequestConfig = { baseURL: ctx.origin, ...options, url: getParsedValue(url, variables), // User-controlled via template headers: { ... }, params: getParsedValue(arrayToObject(params), variables), data: getParsedValue(toJSON(data), variables), }; const res = await axios(axiosRequestConfig); // No IP validation ``` - No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase) - No private IP range filtering - No cloud metadata endpoint blocking - No URL scheme validation - No DNS rebinding protection 1. Authenticated user creates a workflow with HTTP Request node 2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` 3. Triggers the workflow 4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs Alternatively via Custom Request action: 1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin` 2. Execute the action 3. Server makes request to internal service - **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints - **Internal network access**: Scan and interact with services on private IP ranges - **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.) - **Authentication required**: Yes (authenticated user), but any workspace member can create workflows

PostgreSQL SSRF Microsoft Redis
NVD GitHub VulDB
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-4011 MEDIUM This Month

Stored cross-site scripting in Power Charts Lite WordPress plugin versions up to 0.1.0 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'id' parameter of the [pc] shortcode. The vulnerability exists because the plugin extracts user-supplied shortcode attributes, directly concatenates them into HTML class attributes without sanitization, and then decodes HTML entities, creating a persistent XSS payload that executes for all users viewing the affected page. No active exploitation has been confirmed, but the attack requires only standard WordPress contributor permissions and no additional complexity.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3998 MEDIUM This Month

Stored cross-site scripting in WM JqMath WordPress plugin up to version 1.3 allows authenticated contributors and above to inject arbitrary JavaScript via the 'style' shortcode attribute, which executes in the browsers of all users viewing affected pages. The vulnerability stems from direct concatenation of unsanitized user input into HTML without proper escaping (missing esc_attr() calls). CVSS 6.4 reflects moderate risk with scope change; no public exploit code or active KEV status identified at time of analysis.

WordPress XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4005 MEDIUM This Month

Stored cross-site scripting in Coachific Shortcode plugin for WordPress versions up to 1.0 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the 'userhash' shortcode attribute. The plugin sanitizes input with sanitize_text_field() but fails to apply JavaScript-specific escaping before interpolating the value into a script tag, enabling persistent XSS attacks visible to all page visitors. EPSS score of 6.4 reflects moderate real-world risk constrained by the requirement for authenticated contributor access and user interaction.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5717 MEDIUM This Month

Stored Cross-Site Scripting in VI: Include Post By WordPress plugin up to version 0.4.200706 allows authenticated contributors and above to inject arbitrary JavaScript via the 'class_container' shortcode attribute, which executes in the browsers of any user viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode parameters. No public exploit code or active exploitation has been reported; however, the low attack complexity and broad scope of impact (affecting all site visitors) make this a moderate-priority issue for WordPress installations using this plugin.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5588 MEDIUM PATCH This Month

Signature verification bypass in Bouncy Castle BC-JAVA (bcpkix module versions 1.49-1.83) allows remote unauthenticated attackers to forge cryptographic signatures by submitting empty signature sequences that are incorrectly accepted as valid by the draft CompositeVerifier implementation. This critical flaw (CVSS 4.0: 10.0) enables complete subversion of digital signature trust chains, potentially allowing authentication bypass, code signing forgery, and man-in-the-middle attacks against Java ap

Java Information Disclosure Bc Java
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-20170 MEDIUM This Month

A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is needed. This vulnerability existed because HTML and script content was not properly handled. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to steal sensitive information from the browser, including authentication and session information.

Cisco XSS Cisco Webex Contact Center
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-20059 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Cisco XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-40186 MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) in ApostropheCMS 4.28.0 and sanitize-html 2.17.1 allows remote attackers to bypass HTML tag filtering and inject arbitrary tags through entity-encoded payloads in textarea and option elements. A regression in the sanitize-html parser incorrectly assumes htmlparser2 does not decode entities within non-text elements, causing encoded HTML to be decoded and written directly to output without sanitization. Exploitation requires non-default configurations where textarea or option tags are in the allowedTags list, commonly found in form builders, and user interaction to submit form content. No active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit once configuration conditions are met.

XSS Node.js Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-4091 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in OPEN-BRAIN plugin for WordPress versions up to 0.5.0 allows unauthenticated attackers to inject malicious web scripts by tricking site administrators into clicking a malicious link, due to missing nonce verification in the func_page_main() settings form handler. With a CVSS score of 6.1 and network-level attack surface requiring only user interaction, this vulnerability affects any WordPress installation using the affected plugin. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress CSRF
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-40919 MEDIUM PATCH This Month

A flaw was found in GIMP. This vulnerability, a buffer overflow in the `file-seattle-filmworks` plugin, can be exploited when a user opens a specially crafted Seattle Filmworks file. A remote attacker could leverage this to cause a denial of service (DoS), leading to the plugin crashing and potentially impacting the stability of the GIMP application.

Denial Of Service Memory Corruption Buffer Overflow Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1852 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Product Pricing Table by WooBeWoo plugin for WordPress allows unauthenticated attackers to inject arbitrary web scripts or delete pricing tables by tricking site administrators into clicking a malicious link, exploiting missing nonce validation in the updateLabel() and remove() functions across all versions up to and including 1.1.0. No public exploit code identified at time of analysis, but the vulnerability requires only user interaction (UI:R) and has a network attack vector, making it moderately exploitable in real-world scenarios.

WordPress CSRF
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-20136 MEDIUM This Month

A vulnerability in the&nbsp;CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on the underlying operating system and elevate privileges to root. This vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by providing crafted input to a specific CLI command. A successful exploit could allow the attacker to elevate their privileges to root on the underlying operating system.

Cisco Command Injection Cisco Identity Services Engine Software
NVD VulDB
CVSS 3.1
6.0
EPSS
0.1%
CVE-2026-6370 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Mini Ajax Cart for WooCommerce allows Stored XSS.This issue affects Mini Ajax Cart for WooCommerce: from n/a through 1.3.4.

WordPress XSS
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-0636 MEDIUM PATCH GHSA This Month

LDAP injection in Bouncy Castle BC-JAVA bcprov module (versions 1.49 through 1.83) allows remote unauthenticated attackers to manipulate LDAP queries via specially crafted input to LDAPStoreHelper.java, enabling complete compromise of confidentiality, integrity, and availability across security boundaries. This critical vulnerability (CVSS 10.0) affects a widely deployed cryptographic library used throughout the Java ecosystem. No active exploitation confirmed (not in CISA KEV), but the attack r

Java LDAP Code Injection Bc Java
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-40915 MEDIUM PATCH This Month

A flaw was found in GIMP. A remote attacker could exploit an integer overflow vulnerability in the FITS image loader by providing a specially crafted FITS file. This integer overflow leads to a zero-byte memory allocation, which is then subjected to a heap buffer overflow when processing pixel data. Successful exploitation could result in a denial of service (DoS) or potentially arbitrary code execution.

Denial Of Service Integer Overflow Buffer Overflow RCE Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-40918 MEDIUM PATCH This Month

A flaw was found in GIMP. Processing a specially crafted PVR image file with large dimensions can lead to a denial of service (DoS). This occurs due to a stack-based buffer overflow and an out-of-bounds read in the PVR image loader, causing the application to crash. Systems that process untrusted PVR image files are affected.

Denial Of Service Buffer Overflow Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-6245 MEDIUM PATCH This Month

A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).

Denial Of Service Buffer Overflow Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20161 MEDIUM This Month

A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system&nbsp;of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device.

Authentication Bypass Cisco
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-1509 MEDIUM This Month

Arbitrary WordPress action execution in Avada (Fusion) Builder plugin versions up to 3.15.1 allows authenticated attackers with Subscriber-level access to invoke unvalidated WordPress action hooks via the Dynamic Data feature, potentially enabling privilege escalation, file inclusion, denial of service, or remote code execution depending on available hooks in the WordPress installation. The vulnerability stems from the `output_action_hook()` function accepting user-controlled input without authorization checks. No public exploit code or active exploitation has been confirmed at time of analysis.

Denial Of Service RCE WordPress Privilege Escalation Code Injection
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-6383 MEDIUM PATCH This Month

A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.

Authentication Bypass Red Hat Suse
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33889 MEDIUM PATCH GHSA This Month

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into <style> tags both in per-widget style elements rendered for all visitors and in the global stylesheet rendered for editors, with the output marked as safe HTML. An editor can inject a value which closes the style tag and executes arbitrary JavaScript in the browser of every visitor to any page containing the affected widget. This enables mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views draft content. This issue has been fixed in version 4.29.0.

XSS Privilege Escalation Node.js
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40479 MEDIUM PATCH GHSA This Month

{ '&': '&amp;', '<': '&lt;', '>': '&gt;', // MISSING: '"': '&quot;' // MISSING: "'": '&#039;' }; ``` **Affected code files**: - `assets/js/plugins/KimaiEscape.js:24-38` - incomplete escape function - `assets/js/forms/KimaiTeamForm.js:77,86` - replacement + innerHTML - `templates/macros/widgets.html.twig:126` - `title="{{ tooltip }}"` in avatar macro - `templates/form/blocks.html.twig:104` - `{{ widgets.avatar('__INITIALS__', '__COLOR__', '__DISPLAY__') }}` [poc.zip](https://github.com/user-attachments/files/26537515/poc.zip) Please extract the uploaded compressed file before proceeding 1. ./setup.sh 2. ./poc_xss.sh <img width="751" height="155" alt="스크린샷 2026-04-07 오후 9 06 27" src="https://github.com/user-attachments/assets/c09a23fb-f60b-49dd-9018-8c723e35b4c4" /> - Stored XSS: payload persists in the database (user alias field) - Privilege escalation: ROLE_USER injects XSS that executes in ROLE_ADMIN/ROLE_SUPER_ADMIN browser session

XSS Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39350 MEDIUM PATCH GHSA This Month

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.

Information Disclosure Istio
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40740 MEDIUM This Month

Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.7.

Authentication Bypass Tutor Lms
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1636 MEDIUM PATCH This Month

A potential DLL hijacking vulnerability was reported in Lenovo Service Bridge that, under certain conditions, could allow a local authenticated user to execute code with elevated privileges.

Information Disclosure Lenovo
NVD
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-33888 MEDIUM PATCH GHSA This Month

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial, requiring only appending query parameters to a public URL with no authentication. This issue has been fixed in version 4.29.0.

Information Disclosure Node.js
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-20152 MEDIUM This Month

A vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requirements. This vulnerability is due to improper validation of user-supplied authentication input in HTTP requests. An attacker could exploit this vulnerability by sending HTTP requests that contain specific authentication requests to an affected device. A successful exploit could allow the attacker to bypass policy enforcement on the device. There is no direct impact to the Cisco Secure Web Appliance. However, as a result of exploiting this vulnerability, an attacker could send HTTP requests that should be restricted through the device.

Authentication Bypass Cisco
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-40347 MEDIUM PATCH GHSA This Month

A denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Two inefficient multipart parsing paths could be abused with attacker-controlled input. Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary. An attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application. Upgrade to version `0.0.26` or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1782 MEDIUM This Month

Remote attackers can manipulate payment amounts in Stripe and PayPal transactions through the MetForm Pro WordPress plugin by submitting arbitrary values in the 'mf-calculation' field, bypassing price validation. Versions up to 3.9.7 are affected; the plugin fails to recompute or validate user-submitted calculation fields against configured form prices, allowing unauthenticated attackers to reduce or alter payment amounts on vulnerable forms. No active exploitation has been publicly confirmed, though the attack requires minimal complexity and produces direct financial impact.

Information Disclosure WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4812 MEDIUM This Month

Unauthenticated attackers can bypass field-level authorization in Advanced Custom Fields (ACF) plugin versions up to 6.7.0 via AJAX endpoints that process user-supplied filter parameters without proper privilege checks, enabling disclosure of draft, private, and restricted post/page content that should be hidden by field configuration. The vulnerability affects any WordPress site with ACF installed and frontend forms exposed, requiring only network access and no user interaction. CVSS 5.3 reflects confidentiality impact with low attack complexity; no KEV status or public POC confirmed at analysis time.

Authentication Bypass WordPress Advanced Custom Fields
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39857 MEDIUM PATCH GHSA This Month

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exposed publicly. The choices and counts parameters are processed via applyBuildersSafely before the projection is applied, and MongoDB's distinct operation does not respect projections, returning all distinct values directly. The results are returned in the API response without any filtering against publicApiProjection or removeForbiddenFields. An unauthenticated attacker can extract all distinct field values for any schema field type that has a registered query builder, including string, integer, float, select, boolean, date, slug, and relationship fields. Fields protected with viewPermission are similarly exposed, and the counts variant additionally reveals how many documents have each distinct value. Both the piece-type and page REST APIs are affected. This issue has been fixed in version 4.29.0.

Information Disclosure Node.js
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy