Skip to main content
CVE-2026-40897 HIGH POC PATCH GHSA This Week

This security vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. The issue was introduced in mathjs `v13.1.1`, and patched in mathjs `v15.2.0`. There is no workaround without upgrading to `v15.2.0`. You can find out more via the commit fixing this issue: https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad (part of PR https://github.com/josdejong/mathjs/pull/3656).

Information Disclosure
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40308 HIGH POC PATCH GHSA This Week

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.

PHP Authentication Bypass WordPress Denial Of Service
NVD GitHub
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-31843 CRITICAL GHSA Act Now

The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.

PHP Authentication Bypass RCE
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.9%
CVE-2026-40933 CRITICAL PATCH GHSA Act Now

{ "command": "npx", "args": [ "-c", "touch /tmp/pwn" ] }

Command Injection RCE
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-3596 CRITICAL Act Now

Unauthenticated remote attackers can escalate to administrator privileges on WordPress sites running Riaxe Product Customizer plugin ≤2.1.2. The plugin exposes an AJAX endpoint ('install-imprint') without authentication checks that allows arbitrary WordPress option manipulation, enabling attackers to create administrator accounts by modifying registration settings. CVSS 9.8 (Critical) reflects the complete site compromise potential. EPSS data not provided but exploitation requires only HTTP access to any vulnerable WordPress installation with this plugin active-no special conditions beyond plugin presence.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37345 CRITICAL Act Now

SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37340 CRITICAL Act Now

SQL injection in SourceCodester Simple Music Cloud Community System v1.0's /music/edit_music.php endpoint allows unauthenticated remote attackers to execute arbitrary SQL commands with full database access. The vulnerability carries a critical CVSS 9.8 score with network-accessible, low-complexity exploitation requiring no privileges or user interaction. EPSS probability is notably low at 0.01% (2nd percentile), suggesting limited real-world exploitation interest despite the critical severity rating. Proof-of-concept code is publicly available via GitHub, lowering the barrier for opportunistic attacks against exposed instances.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37339 CRITICAL Act Now

SQL injection in SourceCodester Simple Music Cloud Community System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the /music/view_genre.php endpoint, enabling complete database compromise including data theft, modification, and potential server takeover. CVSS 9.8 (Critical) with network-exploitable attack vector requiring no authentication or user interaction. EPSS score of 0.01% (2nd percentile) indicates low observed exploitation probability despite critical severity. Publicly available proof-of-concept exists (GitHub repository), lowering exploitation barrier for opportunistic attackers.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-32179 CRITICAL PATCH GHSA Act Now

Integer underflow in Microsoft QUIC's ACK frame parser enables remote unauthenticated privilege escalation. The vulnerability (CWE-191: integer wrap-around) affects Microsoft's native QUIC library implementations (both OpenSSL and SChannel variants) distributed via NuGet packages. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and vendor-confirmed patch available (commit 1e6e999b), this represents a critical network-exposed flaw in QUIC protocol implementations. No active exploitation confirmed (not in CISA KEV) and public exploit code status unknown at time of analysis, but the straightforward attack vector (network-accessible protocol parsing) and authentication bypass capability warrant immediate patching priority for systems using Microsoft QUIC libraries.

Authentication Bypass Integer Overflow Microsoft
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-6349 CRITICAL PATCH Act Now

OS Command Injection in HGiga iSherlock-base and iSherlock-audit versions 4.5 and 5.5 allows remote unauthenticated attackers to execute arbitrary operating system commands on the server with full system privileges. All four product variants (iSherlock-base-4.5, iSherlock-audit-4.5, iSherlock-base-5.5, iSherlock-audit-5.5) are affected in versions below build 476 (base) and 261 (audit). Vendor-released patch available per Taiwan CERT (TWCERT) advisory. CVSS 4.0 score of 10.0 reflects maximum severity with network attack vector, no authentication required, and high impact to all CIA triad properties including scope change. No public exploit identified at time of analysis.

Command Injection Isherlock Base 4 5 Isherlock Audit 4 5 Isherlock Base 5 5 Isherlock Audit 5 5
NVD VulDB
CVSS 4.0
9.3
EPSS
0.9%
CVE-2026-37338 CRITICAL Act Now

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php.

PHP SQLi
NVD GitHub
CVSS 3.1
9.4
EPSS
0.0%
CVE-2026-40504 CRITICAL PATCH Act Now

Heap buffer overflow in Creolabs Gravity scripting language before 0.9.6 enables remote code execution when applications evaluate untrusted scripts containing many string literals at global scope. The vulnerability stems from insufficient bounds checking in gravity_fiber_reassign(), allowing heap metadata corruption. VulnCheck disclosed this issue with a vendor-released patch (commit 18b9195) available. CVSS 9.3 reflects the critical network-accessible, unauthenticated attack vector. No active exploitation (CISA KEV) or public POC identified at time of analysis, but technical details in GitHub issue #437 could facilitate exploit development.

Heap Overflow Buffer Overflow RCE Gravity
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-6350 CRITICAL PATCH Act Now

Remote unauthenticated code execution in Openfind MailGates (5.0-6.0) and MailAudit (5.0-6.0) via stack-based buffer overflow allows complete system compromise. Attackers can send crafted network requests to exploit CWE-121 buffer overflow conditions without authentication, achieving arbitrary code execution with high impact to confidentiality, integrity, and availability. Vendor patches available (MailGates 6.1.10.054, 5.2.10.099; MailAudit 6.1.10.054, 5.2.10.099). CVSS 9.3 with network attack vector (AV:N), low complexity (AC:L), and no privileges required (PR:N) creates critical exposure for internet-facing mail security appliances. EPSS data unavailable; no confirmed active exploitation or public POC identified at time of analysis.

Stack Overflow Buffer Overflow RCE Mailgates Mailaudit
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-6348 CRITICAL Act Now

WinMatrix agent escalates privileges to SYSTEM without authentication, enabling authenticated local users to execute arbitrary code with full administrative control on both the local machine and all networked hosts where the agent is deployed. This environmental spread capability (CVSS scope change: H) transforms a local vulnerability into an enterprise-wide threat. Taiwan CERT issued advisories in January 2026 for versions 3.5.13 through 3.5.26.15. No public exploit identified at time of analysis, but CVSS 9.3 reflects catastrophic potential impact given the agent's privileged access and network propagation capability. EPSS data not available for new 2026 CVE.

Authentication Bypass RCE Winmatrix
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-40959 CRITICAL PATCH Act Now

Lua sandbox escape in Luanti 5.x (formerly Minetest) game engine allows malicious mod code to break out of LuaJIT security restrictions and execute arbitrary code on the host system. Affects all Luanti 5.0.0 through 5.15.1 when compiled with LuaJIT instead of standard Lua. Attackers with ability to distribute crafted mods can achieve complete system compromise with scope change (S:C in CVSS), escalating from sandboxed mod execution to full host access. No authentication required but local access needed (AV:L). Patch available in version 5.15.2 via two upstream commits. EPSS data not available; no confirmed active exploitation or public POC at time of analysis.

Information Disclosure Luanti
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-40324 CRITICAL PATCH GHSA Act Now

Hot Chocolate's `Utf8GraphQLParser` is a recursive descent parser with no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a `StackOverflowException` on payloads as small as **40 KB**. Because `StackOverflowException` is **uncatchable in .NET** (since .NET 2.0), the entire worker process is terminated immediately. All in-flight HTTP requests, background `IHostedService` tasks, and open WebSocket subscriptions on that worker are dropped. The orchestrator (Kubernetes, IIS, etc.) must restart the process. This occurs **before any validation rules run** - `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists, and custom `IDocumentValidatorRule` implementations cannot intercept the crash because `Utf8GraphQLParser.Parse` is invoked before validation. The existing `MaxAllowedFields=2048` limit does not help because the crashing payloads contain very few fields. **Severity:** Critical (9.1) - `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H` - **v12 line:** Fixed in `12.22.7` - **v13 line:** Fixed in `13.9.16` - **v14 line:** Fixed in `14.3.1` - **v15 line:** Fixed in `15.1.14` The fix adds a `MaxAllowedRecursionDepth` option to `ParserOptions` with a safe default, and enforces it across all recursive parser methods (`ParseSelectionSet`, `ParseValueLiteral`, `ParseObject`, `ParseList`, `ParseTypeReference`, etc.). When the limit is exceeded, a catchable `SyntaxException` is thrown instead of overflowing the stack. There is no application-level workaround. `StackOverflowException` cannot be caught in .NET. The only mitigation is to upgrade to a patched version. Operators can reduce (but not eliminate) risk by limiting HTTP request body size at the reverse proxy or load balancer layer, though the smallest crashing payload (40 KB) is well below most default body size limits and is highly compressible (~few hundred bytes via gzip). - Fix for v15: https://github.com/ChilliCream/graphql-platform/pull/9528

Denial Of Service Kubernetes
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-5426 CRITICAL PATCH Act Now

Remote code execution in Digital Knowledge KnowledgeDeliver (all versions prior to February 24, 2026) via malicious ViewState deserialization. A hard-coded ASP.NET machineKey allows unauthenticated remote attackers to bypass ViewState validation and execute arbitrary code on the server. Mandiant reported this critical deserialization vulnerability. EPSS score of 0.08% (24th percentile) suggests low observed exploitation activity, though no public exploit is confirmed at time of analysis. CVSS vector indicates network-accessible attack requiring no privileges or user interaction, but the 7.5 score reflects only Confidentiality impact-real-world RCE capability makes this significantly more severe than the partial CVSS rating suggests.

Deserialization RCE Knowledgedeliver
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-37347 CRITICAL Act Now

SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-6270 CRITICAL PATCH GHSA Act Now

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

Authentication Bypass Fastify Middie
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-40322 CRITICAL Act Now

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node. This issue has been fixed in version 3.6.4.

XSS Microsoft RCE
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2023-3634 HIGH This Week

In products of the MSE6 product-family by Festo a remote authenticated, low privileged attacker could use functions of undocumented test mode which could lead to a complete loss of confidentiality,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Mse6 C2M 5000 Fb36 D M Rg Bar M12L4 Agd Mse6 C2M 5000 Fb36 D M Rg Bar M12L5 Agd Mse6 C2M 5000 Fb43 D M Rg Bar M12L4 Mq1 Agd Mse6 C2M 5000 Fb43 D M Rg Bar M12L5 Mq1 Agd +8
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-1620 HIGH This Week

Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. CVSS 8.8 reflects high impact (RCE potential) but limited by authentication requirement. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists (Wordfence disclosure with technical details and code references).

PHP LFI WordPress Path Traversal Elementor
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40611 HIGH PATCH GHSA This Week

{ return "/.well-known/acme-challenge/" + token } ``` The webroot provider in `providers/http/webroot/webroot.go:31` then joins this with the configured webroot directory and writes the key authorization content to the resulting path: ```go challengeFilePath := filepath.Join(w.path, http01.ChallengePath(token)) err = os.MkdirAll(filepath.Dir(challengeFilePath), 0o755) err = os.WriteFile(challengeFilePath, []byte(keyAuth), 0o644) ``` RFC 8555 Section 8.3 specifies that ACME tokens must only contain characters from the base64url alphabet (`[A-Za-z0-9_-]`), but this constraint is never enforced anywhere in the codebase. When a malicious ACME server returns a token such as `../../../../../../tmp/evil`, `filepath.Join()` resolves the `..` components, producing a path outside the webroot directory. The same vulnerability exists in the `CleanUp()` function at `providers/http/webroot/webroot.go:48`, which deletes the challenge file using the same unsanitized path: ```go err := os.Remove(filepath.Join(w.path, http01.ChallengePath(token))) ``` This additionally enables arbitrary file deletion. In a real attack scenario, the victim uses `--server` to point lego at a malicious ACME server, combined with `--http.webroot`: ```bash lego --server https://malicious-acme.example.com \ --http --http.webroot /var/www/html \ --email user@example.com \ --domains example.com \ run ``` The malicious server returns a challenge token containing path traversal sequences `../../../../../../tmp/pwned`. lego's webroot provider writes the key authorization to the traversed path without validation, resulting in arbitrary file write outside the webroot. The following minimal Go program demonstrates the core vulnerability by directly calling the webroot provider with a crafted token: ```go package main import ( "fmt" "os" "github.com/go-acme/lego/v4/providers/http/webroot" ) func main() { webrootDir, _ := os.MkdirTemp("", "lego-webroot-*") defer os.RemoveAll(webrootDir) provider, _ := webroot.NewHTTPProvider(webrootDir) token := "../../../../../../../../../../tmp/pwned" provider.Present("example.com", token, "EXPLOITED-BY-PATH-TRAVERSAL") data, err := os.ReadFile("/tmp/pwned") if err == nil { fmt.Println("[+] VULNERABILITY CONFIRMED") fmt.Printf("[+] File written outside webroot: /tmp/pwned\n") fmt.Printf("[+] Content: %s\n", data) } } ``` ```bash go build -o exploit ./exploit.go && ./exploit ``` Expected output: ``` [+] VULNERABILITY CONFIRMED [+] File written outside webroot: /tmp/pwned [+] Content: EXPLOITED-BY-PATH-TRAVERSAL ``` This is a path traversal vulnerability (CWE-22). Any user running lego with the HTTP-01 challenge solver against a malicious or compromised ACME server is affected. A malicious ACME server can: - Achieve remote code execution by writing to cron directories, systemd unit paths, shell profiles, or web application directories served by the webroot. - Destroy data by overwriting configuration files, TLS certificates, or application state. - Escalate privileges if lego runs as root, granting unrestricted filesystem write access. - Delete arbitrary files via the `CleanUp()` code path using the same unsanitized token.

Path Traversal RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-14868 HIGH This Week

Cross-Site Request Forgery (CSRF) in Career Section WordPress plugin versions ≤1.6 enables unauthenticated attackers to delete arbitrary server files through social engineering. Attackers trick authenticated WordPress administrators into clicking malicious links that exploit missing nonce validation in the delete action handler, leading to path traversal and unrestricted file deletion. CVSS 8.8 (High) with network attack vector but requires user interaction (UI:R). EPSS and KEV data not provided; public exploit code status unknown. Wordfence advisory and upstream patch commit available.

Path Traversal WordPress CSRF
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3614 HIGH This Week

Privilege escalation in AcyMailing WordPress plugin (versions 9.11.0-10.8.1) allows authenticated Subscriber-level users to gain administrator access through a multi-stage attack chain. Attackers exploit a missing capability check in the wp_ajax_acymailing_router AJAX handler to access admin-only configuration controllers, enable autologin features, inject malicious cms_id values into newsletter subscribers, and authenticate as any WordPress user including administrators. EPSS data not available; no confirmed active exploitation (CISA KEV absent), but the low attack complexity (AC:L) and detailed public code references increase exploitation risk for installations with subscriber registration enabled.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-40502 HIGH PATCH This Week

Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative commands like /permissions full_auto without authorization, escalating privileges to modify security controls of running instances. Vulnerability exploits insufficient command validation in chat interface. Fixed in commit dd1d235. CVSS 8.7 (High) with network attack vector and low complexity. EPSS data unavailable; not listed in CISA KEV. VulnCheck advisory and GitHub patch available.

Authentication Bypass Command Injection Openharness
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-39313 HIGH PATCH GHSA This Week

{ return new Promise((resolve, reject) => { let body = ''; req.on('data', (chunk) => { body += chunk.toString(); // No size limit }); req.on('end', () => { try { const parsed = body ? JSON.parse(body) : null; resolve(parsed); } catch (error) { reject(error); } }); req.on('error', reject); }); } ``` A `maxMessageSize` configuration value exists in `DEFAULT_HTTP_STREAM_CONFIG` (4MB, defined in `src/transports/http/types.ts` line 124) but is never enforced in `readRequestBody()`. This creates a false sense of security. Local testing with 50MB POST payloads against the vulnerable `readRequestBody()` function: | Trial | Payload | RSS growth | Time | Result | |-------|---------|-----------|------|--------| | 1 | 50MB | +197MB | 42ms | Vulnerable | | 2 | 50MB | +183MB | 46ms | Vulnerable | | 3 | 50MB | +15MB | 43ms | Vulnerable | | 4 | 50MB | +14MB | 32ms | Vulnerable | | 5 | 50MB | +65MB | 38ms | Vulnerable | Reproducibility: 5/5 (100%) - **Denial of Service:** Any mcp-framework HTTP server can be crashed by a single large POST request to /mcp - **No authentication required:** readRequestBody() executes before any auth checks (auth is opt-in, default is no auth) - **Dead config:** maxMessageSize exists but is never enforced, giving a false sense of security - **Affected:** All applications using mcp-framework HttpStreamTransport (60,000 weekly npm downloads) **CWE-770:** Allocation of Resources Without Limits or Throttling **Suggested CVSS 3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Enforce `maxMessageSize` in `readRequestBody()`: ```typescript private async readRequestBody(req: IncomingMessage): Promise<any> { const maxSize = this._config.maxMessageSize || 4 * 1024 * 1024; return new Promise((resolve, reject) => { let body = ''; let size = 0; req.on('data', (chunk) => { size += chunk.length; if (size > maxSize) { req.destroy(); reject(new Error('Request body too large')); return; } body += chunk.toString(); }); // ... }); } ``` This report follows coordinated disclosure. I request a 90-day window before public disclosure. **Reporter:** Raza Sharif, CyberSecAI Ltd (contact@agentsign.dev)

Denial Of Service Node.js
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-2336 HIGH PATCH This Week

A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileges.This issue affects IStaX before 2026.03.

Privilege Escalation Istax
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-40900 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combined with the JDBC blocklist bypass that allows enabling allowMultiQueries=true, an attacker can break out of the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. An authenticated attacker with access to valid datasource credentials can achieve full read and write access to the underlying database. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33121 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple string replacement without any sanitization or escaping of the table name. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information such as the MySQL version. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33084 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the sort parameter of the /de2api/datasetData/enumValueObj endpoint. The DatasetDataManage service layer directly transfers the user-supplied sort value to the sorting metadata DTO, which is passed to Order2SQLObj where it is incorporated into the SQL ORDER BY clause without any whitelist validation, and then executed via CalciteProvider. An authenticated attacker can inject arbitrary SQL commands through the sort parameter, enabling time-based blind SQL injection. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33083 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLObj class directly assigns the raw user-supplied orderDirection value into the SQL query without any validation or whitelist enforcement, and the value is rendered into the ORDER BY clause via StringTemplate before being executed against the database. An authenticated attacker can inject arbitrary SQL commands through the sorting direction field, enabling time-based blind data extraction and denial of service. This issue has been fixed in version 2.10.21.

Denial Of Service SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33082 HIGH PATCH This Week

DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and passed to WhereTree2Str.transFilterTrees for SQL translation, where user-controlled values in "like" filter terms are directly concatenated into SQL fragments without sanitization. An attacker can inject arbitrary SQL commands by escaping the string literal in the filter value, enabling blind SQL injection through techniques such as time-based extraction of database information. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-6351 HIGH PATCH This Week

CRLF Injection in Openfind MailGates/MailAudit allows remote unauthenticated attackers to read arbitrary system files via HTTP header manipulation. Affects MailGates/MailAudit versions 5.0-6.0 (prior to 5.2.10.099 and 6.1.10.054 respectively). CVSS 8.7 with network vector, low complexity, and no authentication required indicates critical real-world risk. Taiwan CERT advisory published; no CISA KEV listing or public exploit code identified at time of analysis, suggesting early disclosure phase.

Code Injection Mailgates Mailaudit
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-35469 HIGH PATCH GHSA This Week

The SPDY/3 frame parser in spdystream does not validate attacker-controlled counts and lengths before allocating memory. A remote peer that can send SPDY frames to a service using spdystream can cause the process to allocate gigabytes of memory with a small number of malformed control frames, leading to an out-of-memory crash.   Three allocation paths in the receive side are affected: 1. **SETTINGS entry count** -- The SETTINGS frame reader reads a 32-bit `numSettings` from the payload and allocates a slice of that size without checking it against the declared frame length. An attacker can set `numSettings` to a value far exceeding the actual payload, triggering a large allocation before any setting data is read.   2. **Header count** -- `parseHeaderValueBlock` reads a 32-bit `numHeaders` from the decompressed header block and allocates an `http.Header` map of that size with no upper bound.   3. **Header field size** -- Individual header name and value lengths are read as 32-bit integers and used directly as allocation sizes with no validation.   Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into attacker-controlled bytes that the parser interprets as 32-bit counts and lengths. A single crafted frame is enough to exhaust process memory.  Any program that accepts SPDY connections using spdystream -- directly or through a dependent library -- is affected. A remote peer that can send SPDY frames to the service can crash the process with a single crafted SPDY control frame, causing denial of service.  `github.com/moby/spdystream` <= v0.5.0  v0.5.1 addresses the receive-side allocation bugs and adds related hardening:   **Core fixes:**   - **SETTINGS entry-count validation** -- The SETTINGS frame reader now checks that `numSettings` is consistent with the declared frame length (`numSettings <= (length-4)/8`) before allocating.   - **Header count limit** -- `parseHeaderValueBlock` enforces a maximum number of headers per frame (default: 1000).   - **Header field size limit** -- Individual header name and value lengths are checked against a per-field size limit (default: 1 MiB) before allocation.   - **Connection closure on protocol error** -- The connection read loop now closes the underlying `net.Conn` when it encounters an `InvalidControlFrame` error, preventing further exploitation on the same connection.   **Additional hardening:**   - **Write-side bounds checks** -- All frame write methods now verify that payloads fit within the 24-bit length field, preventing the library from producing invalid frames.   **Configurable limits:**   - Callers can adjust the defaults using `NewConnectionWithOptions` or the lower-level `spdy.NewFramerWithOptions` with functional options: `WithMaxControlFramePayloadSize`, `WithMaxHeaderFieldSize`, and `WithMaxHeaderCount`.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33207 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.

Java SQLi
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-33122 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from the user-submitted configuration is passed to DatasourceSyncManage.createEngineTable, where it is substituted into a CREATE TABLE statement template without any sanitization or identifier escaping. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-22734 HIGH This Week

Authentication bypass in Cloud Foundry UAA allows remote unauthenticated attackers to obtain access tokens for arbitrary users when SAML 2.0 bearer assertions are enabled, leading to unauthorized access to all UAA-protected systems. Affects UAA versions 77.30.0 through 78.7.0 and CF Deployment versions 48.7.0 through 54.14.0. The vulnerability stems from acceptance of unsigned and unencrypted SAML 2.0 assertions (CWE-290: Authentication Bypass by Spoofing), enabling complete authentication mechanism bypass with network access and low attack complexity (CVSS 8.6, AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, but the technical details disclosed in the vendor blog create high weaponization potential.

Authentication Bypass Uua
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-40318 HIGH PATCH GHSA This Week

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.

Path Traversal Siyuan
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.1%
CVE-2026-6442 HIGH PATCH This Week

Improper validation of bash commands in Snowflake Cortex Code CLI versions prior to 1.0.25 allowed subsequent commands to execute outside the sandbox. An attacker could exploit this by embedding specially crafted commands in untrusted content, such as a malicious repository, causing the CLI agent to execute arbitrary code on the local device without user consent. Exploitation is non-deterministic and model-dependent. The fix is automatically applied upon relaunch with no user action required.

RCE Cortex Code Cli
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-40899 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter for the illegalParameters field that contains the JDBC security blocklist. When a datasource configuration is submitted as JSON, Jackson deserialization calls setIllegalParameters with an attacker-supplied empty list, replacing the blocklist before getJdbc() validation runs. This allows an authenticated attacker to include dangerous JDBC parameters such as allowLoadLocalInfile=true, and by pointing the datasource at a rogue MySQL server, exploit the LOAD DATA LOCAL INFILE protocol feature to read arbitrary files from the DataEase server filesystem, including sensitive environment variables and database credentials. This issue has been fixed in version 2.10.21.

Deserialization Dataease
NVD GitHub
CVSS 4.0
8.3
EPSS
0.0%
CVE-2024-58343 MEDIUM POC PATCH This Month

Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Helpdesk
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3324 HIGH This Week

Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration.

Authentication Bypass
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-41113 HIGH PATCH This Week

sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.

Command Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-5785 HIGH PATCH This Week

Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.

SQLi Manageengine Pam360 Manageengine Password Manager Pro
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40960 HIGH PATCH This Week

Logic error in Luanti 5 (formerly Minetest) game engine before 5.15.2 allows malicious mods to gain unauthorized access to security-restricted APIs by intercepting mod environment setup. When any mod is designated as trusted (via secure.trusted_mods or secure.http_mods), a specially crafted mod can exploit the environment initialization sequence to receive the insecure environment or HTTP API access intended only for trusted mods. CVSS 8.1 reflects local attack vector with high complexity but no authentication required and scope change with high confidentiality/integrity/availability impact. GitHub security advisory and two fix commits confirm patch availability. No CISA KEV listing or public exploit code identified at time of analysis.

Information Disclosure Suse
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41035 HIGH PATCH This Week

Receiver-side use-after-free in rsync 3.0.1 through 3.4.1 lets a malicious peer corrupt memory on a host running rsync with the -X (--xattrs) option. The receive_xattr function trusts an attacker-supplied length value during a qsort operation, which a malicious sender/server can abuse to crash the receiver or potentially achieve code execution; Linux hosts are vulnerable in many common configurations and non-Linux platforms more broadly. No public exploit identified at time of analysis, EPSS is very low (0.01%), and SSVC scores exploitation as none, indicating a real-but-not-urgent memory-safety bug rather than a mass-exploited threat.

Information Disclosure Rsync
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-22619 HIGH PATCH This Week

Arbitrary code execution in Eaton Intelligent Power Protector (IPP) software via insecure library loading allows local authenticated attackers with low privileges to execute code with elevated integrity impact across security boundaries. Attack complexity is high, requiring the attacker to have access to the software package installation files. EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis. Eaton has released a patched version available through their download center.

RCE Ipp Software
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-41082 HIGH PATCH This Week

In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory.

Information Disclosure Opam
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40474 HIGH GHSA This Week

Authenticated low-privileged users in wger can modify installation-wide gym configuration via /config/gym-config/edit due to missing permission enforcement, enabling vertical privilege escalation. The GymConfigUpdateView declares 'config.change_gymconfig' permission but inherits WgerFormMixin instead of WgerPermissionMixin, causing the permission check to never execute. Exploiting this allows attackers to manipulate default gym assignments affecting all users, with GymConfig.save() automatically reassigning user profiles and creating gym configurations tenant-wide. CVSS 7.6 (High) with network attack vector, low complexity, and low privileges required. No active exploitation (KEV) or public POC identified at time of analysis, though GitHub advisory provides detailed reproduction steps.

Authentication Bypass Docker Python Privilege Escalation
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy