Skip to main content
CVE-2026-40602 MEDIUM PATCH GHSA This Month

### Impact Up to 1.0.0 of `home-assitant-cli` (or `hass-cli` for short) an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and extended the scope of templating beyond the intended usage. E. g., it was possible to render a template with `hass-cli template bad-template.j2 --local` that contained entries like ````j2 {%- set b = environ.__globals__['__builtins__'] -%} {%- set os = b['__import__']('os') -%} {%- set bio = b['__import__']('builtins') -%} ... ```` or other malicious Jinja2 expressions. This can lead to arbitrary code execution on the local machine. In a two step process an adversary could trick/convince an user to download third-party templates which contain harmful code (e. g., perform data manipulation or establish a remote shell) then to render those templates unchecked/reviewed/verified with `--local`. The issue only affect the local machine and not a remote Home Assistant instance. It also requires user interventions. ### Patches 1.0.0 uses `ImmutableSandboxedEnvironment` and restricts the usage of environment variables. ### Workarounds Evaluate the Jninja2 templates manually or tool-based before rendering with `hass-cli`.

Code Injection Python RCE
NVD GitHub
CVSS 3.1
5.6
EPSS
0.0%
CVE-2023-20585 MEDIUM PATCH This Month

Insuffient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised HV to trigger an out of bounds condition without RMP checks resulting in a. Rated medium severity (CVSS 5.6).

Information Disclosure Suse
NVD VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2026-3369 MEDIUM This Month

The Better Find and Replace - AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-4867 MEDIUM PATCH This Month

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Wso2 Api Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-5363 MEDIUM Monitor

TP-Link Archer C7 v5 and v5.8 routers use weak RSA-1024 encryption for admin password transmission during web login, allowing adjacent attackers with network traffic interception capability to perform cryptanalytic attacks (brute-force or key factorization) to recover plaintext credentials and gain unauthorized administrative access. EPSS score of P (Probable) and active POC availability indicate realistic exploitation risk in local network environments; however, exploitation requires both network adjacency and successful cryptanalysis of a 1024-bit RSA key, limiting attack scope to motivated adversaries on shared networks (e.g., compromised WiFi).

Authentication Bypass TP-Link
NVD VulDB
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-1880 MEDIUM PATCH This Month

Privilege escalation in ASUS DriverHub through version 1.0.6.11 allows local authenticated users to modify update validation resources, bypassing security checks to execute arbitrary code with elevated privileges during driver updates. The vulnerability exploits improper file permission assignment in the update process, requiring user interaction to trigger the elevated execution. CVSS 5.4 indicates moderate severity; exploitation requires local access and authenticated user status with specific file system conditions.

Privilege Escalation Driverhub
NVD
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-3428 MEDIUM This Month

Privilege escalation in ASUS Member Center (华硕大厅) versions 1.6.6.4 and earlier allows authenticated local users to achieve Administrator-level privilege escalation by exploiting a Time-of-check Time-of-use (TOC-TOU) race condition during the update process. An attacker can substitute a malicious payload for the legitimate downloaded update immediately after integrity verification completes but before execution, causing the compromised code to run with administrative privileges upon user consent. CVSS 5.4 reflects the requirement for local access, user interaction, and elevated (but non-Administrator) initial privileges; however, the vulnerability achieves full privilege escalation to Administrator with moderate technical difficulty.

Privilege Escalation Member Center
NVD
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-40922 MEDIUM PATCH This Month

SiYuan 3.6.1 through 3.6.3 allows arbitrary code execution when users view malicious bazaar packages in the marketplace UI. The vulnerability stems from an incomplete XSS fix (for CVE-2026-33066) that enabled an HTML sanitizer but failed to block iframe tags with srcdoc attributes containing embedded scripts. A malicious package author can inject JavaScript that executes in the Electron process with full application privileges, compromising the user's machine. The issue is confirmed fixed in version 3.6.4 and no public exploitation has been reported at time of analysis.

XSS RCE Siyuan
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-3595 MEDIUM This Month

Riaxe Product Customizer plugin for WordPress versions up to 2.1.2 allows unauthenticated attackers to delete arbitrary user accounts via a REST API endpoint lacking permission checks. The POST /wp-json/InkXEProductDesignerLite/customer/delete_customer route accepts a list of user IDs and directly deletes them without authentication or authorization validation, enabling attackers to remove administrator accounts and cause complete site lockout. This is confirmed by Wordfence and affects all installations running the vulnerable plugin version.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-40304 MEDIUM PATCH GHSA This Month

Summary The unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Attack Vector: Network - the endpoint is a standard HTTP API call. Attack Complexity: High - successful exploitation requires prior knowledge of a global frontend token. These tokens are not returned to non-admin users by any standard API endpoint; obtaining one requires an out-of-band step (e.g., leaked server logs, admin documentation for a self-hosted instance, or social engineering). Privileges Required: Low - a valid user account with at least one registered environment is required; no admin privileges needed. User Interaction: None. Scope: Unchanged - the impact stays within the same server instance. Confidentiality Impact: None - no data is disclosed. Integrity Impact: None - no data is improperly modified; the record is deleted (not corrupted). Availability Impact: High - deleting a global frontend disrupts every public share routed through it on the instance, constituting a platform-wide availability impact. Affected Component controller/unaccess.go - unaccessHandler.Handle (line 56)

Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24749 MEDIUM PATCH GHSA This Month

The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert(). Note that if developers use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if they were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If developers do not want to explicitly provide access grants for these files in their apps (i.e. they want these files to be accessible by default), they should use the "public" visibility. This issue has been fixed in versions 2.4.5 and 3.1.3.

Authentication Bypass Silverstripe Assets
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4160 MEDIUM This Month

The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6410 MEDIUM PATCH GHSA This Month

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.

Path Traversal Node.js
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0718 MEDIUM This Month

Unauthenticated attackers can modify post share count metadata in Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX (PostX) plugin versions up to 5.0.5 due to a missing capability check in the ultp_shareCount_callback() function. This allows unauthorized modification of share_count post meta for any post including private and draft posts, affecting all WordPress installations running the vulnerable plugin. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3581 MEDIUM This Month

Unauthenticated attackers can modify stored map latitude and longitude options in the Basic Google Maps Placemarks WordPress plugin through version 1.10.7 due to missing authorization checks on administrative functions. The vulnerability allows remote, unauthenticated modification of critical map configuration without requiring user interaction, affecting any WordPress site running the vulnerable plugin with default settings. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress Google
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-40353 MEDIUM GHSA This Month

Stored cross-site scripting (XSS) in wger fitness application allows authenticated users to inject malicious JavaScript via unescaped license attribution fields in ingredient and image models, which executes when any visitor views the affected page. The vulnerability persists in the database and can be exploited to steal session cookies, perform unauthorized actions as other users, or conduct phishing attacks. Affected versions allow low-privilege authenticated users (any non-temporary account) to create ingredients with JavaScript payloads in the `license_author` field, which bypasses all input sanitization and is rendered with Django's `|safe` filter, disabling auto-escaping.

XSS Python
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-40118 MEDIUM This Month

UDP Console in Arcserve allows information disclosure when an administrator configures the activation server hostname to an arbitrary or malicious URL, causing the product to unintentionally communicate with and leak data to the attacker-controlled domain. The vulnerability requires user interaction (configuring a malicious hostname) and affects all versions of Arcserve UDP Console, with CVSS 6.3 (network-accessible, low complexity) indicating moderate real-world risk. No active exploitation or public proof-of-concept has been identified at the time of analysis.

Information Disclosure Udp Console
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-36579 MEDIUM PATCH This Month

Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability, leading to unauthorized access.

Authentication Bypass Dell
NVD VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-41034 MEDIUM PATCH This Month

ONLYOFFICE DocumentServer before 9.3.0 contains an untrusted pointer dereference vulnerability in XLS file processing that enables authenticated remote attackers to leak sensitive memory and bypass ASLR protections. The vulnerability affects XLS conversion workflows through multiple vectors including pictFmla.cbBufInCtlStm manipulation, allowing information disclosure without requiring user interaction. CVSS 5.0 reflects moderate risk given network accessibility and the authentication barrier, though the scope change to CVSS:C indicates potential cross-boundary impact.

Information Disclosure Buffer Overflow Onlyoffice Documentserver
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-34164 MEDIUM PATCH GHSA This Month

### Summary The `InboxHandlingService` logs the full content of every incoming inbox message at INFO level (`logger.info("Received message: {}", message)`). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details. ### Impact This data is exposed to: - Anyone with access to application logs (stdout/log files) - Any Valtimo user with the admin role, through the logging module in the Admin UI ### Affected Code `com.ritense.inbox.InboxHandlingService#handle` in the `inbox` module. ### Resolution Fixed in [13.22.0](https://github.com/valtimo-platform/valtimo/releases/tag/13.22.0) via commit [`f16a1940ba`](https://github.com/valtimo-platform/valtimo/commit/f16a1940ba7b34627c0b966f98ca78655ace9335) (PR [#497](https://github.com/valtimo-platform/valtimo/pull/497), tracking issue [gzac-issues#653](https://github.com/generiekzaakafhandelcomponent/gzac-issues/issues/653)). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output. ### Mitigation For versions before 13.22.0, consider: - Restricting access to application logs - Adjusting the log level for `com.ritense.inbox` to WARN or higher in your application configuration

Information Disclosure
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-40962 MEDIUM PATCH This Month

Integer overflow in FFmpeg's CENC subsample data parsing (libavformat/mov.c) before version 8.1 enables out-of-bounds memory writes on local systems processing specially crafted MP4 files. The vulnerability requires attacker-controlled media file input and non-default system configuration, limiting exploitation to local contexts; no active exploitation or public exploit code has been identified. With a CVSS score of 4.9 and low attack complexity requirement, this represents a moderate local integrity and confidentiality risk primarily affecting users who process untrusted video files from untrusted sources.

Integer Overflow Buffer Overflow Ffmpeg
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-40505 MEDIUM PATCH This Month

MuPDF mutool fails to sanitize PDF metadata before displaying it in terminal output, allowing local attackers to inject ANSI escape sequences through crafted PDF files. When a user runs mutool info on a malicious PDF, embedded escape codes can clear the terminal and display fabricated text for social engineering attacks such as fake login prompts or spoofed shell commands. This is a low-severity local vulnerability (CVSS 3.3) requiring user interaction, with a vendor-released patch available.

RCE Mupdf
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-33472 MEDIUM PATCH This Month

Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim. This issue has been fixed in version 1.19.2.

Authentication Bypass Microsoft Hashicorp
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-40594 MEDIUM PATCH GHSA This Month

Race condition in pyLoad's Flask session cookie handler allows unauthenticated attackers to manipulate the SESSION_COOKIE_SECURE flag globally across all concurrent requests by spoofing the X-Forwarded-Proto header. On deployments behind a TLS-terminating proxy, this enables session cookie downgrade attacks resulting in plaintext cookie transmission; on default plain HTTP deployments, it causes session denial of service by forcing the Secure flag and breaking all concurrent user sessions. The vulnerability requires no authentication and exploits a multi-threaded race window in the Cheroot WSGI server (request_queue_size=512) combined with missing proxy origin validation (acknowledged TODO in code).

Denial Of Service Kubernetes Python
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-37346 MEDIUM This Month

SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-3995 MEDIUM PATCH This Month

Stored cross-site scripting in OPEN-BRAIN WordPress plugin versions up to 0.5.0 allows authenticated administrators to inject malicious scripts via the API Key settings field, which are executed when any user accesses the plugin settings page. The vulnerability stems from improper use of sanitize_text_field() (which does not prevent attribute breakout) combined with missing esc_attr() escaping when outputting the API key to an HTML input value attribute. While exploitation requires administrator-level access, the stored nature means scripts persist and affect all subsequent user interactions with the settings page.

XSS WordPress
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-3551 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Custom New User Notification plugin for WordPress versions up to 1.2.0 allows authenticated administrators to inject arbitrary JavaScript into plugin settings pages via unescaped admin form fields (User Mail Subject, User From Name, User From Email, Admin Mail Subject, Admin From Name, Admin From Email). When any user accesses the plugin settings page, the injected scripts execute in their browser context, enabling privilege escalation in WordPress multisite environments where subsite administrators target super administrators. No public exploit code or active exploitation has been identified; the attack requires Administrator-level credentials, limiting real-world risk despite moderate CVSS score.

XSS WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-43935 MEDIUM PATCH This Month

Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper resource shutdown or release vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service.

Denial Of Service Dell
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2023-5872 MEDIUM This Month

In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Smart Designer
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-43883 MEDIUM PATCH This Month

Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper check for unusual or exceptional conditions vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service.

Denial Of Service Dell
NVD VulDB
CVSS 3.1
4.1
EPSS
0.0%
CVE-2024-8010 LOW PATCH Monitor

The component accepts XML input through the publisher without disabling external entity resolution. Rated low severity (CVSS 3.5), this vulnerability is low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Wso2 Api Manager
NVD VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-3155 LOW Monitor

The OneSignal - Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-41080 LOW PATCH Monitor

libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Information Disclosure Libexpat
NVD GitHub VulDB
CVSS 3.1
2.9
EPSS
0.0%
CVE-2026-27820 LOW PATCH GHSA Monitor

zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.

Buffer Overflow Zlib
NVD GitHub VulDB
CVSS 4.0
1.7
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy