Skip to main content
CVE-2026-31843 CRITICAL GHSA Act Now

The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.

PHP Authentication Bypass RCE
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.9%
CVE-2026-40933 CRITICAL PATCH GHSA Act Now

### Summary Due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. ### Details The vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration in http://localhost:3000/canvas - where any user can add a new MCP, when doing so - adding a new MCP using stdio, the user can add any command, even though your code have input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined specific safe commands - these commands, for example "npx" can be combined with code execution arguments ("-c touch /tmp/pwn") that enable direct code execution on the underlying OS. https://github.com/FlowiseAI/Flowise/blob/d848baeb6bd9737a1e7fc912349c45fbdcc7bb38/packages/components/nodes/tools/MCP/core.ts#L223 https://github.com/FlowiseAI/Flowise/blob/d848baeb6bd9737a1e7fc912349c45fbdcc7bb38/packages/components/nodes/tools/MCP/core.ts#L177 https://github.com/FlowiseAI/Flowise/blob/d848baeb6bd9737a1e7fc912349c45fbdcc7bb38/packages/components/nodes/tools/MCP/core.ts#L269 ### PoC Create a new Custom MCP and add an "npx -c" command. ``` { "command": "npx", "args": [ "-c", "touch /tmp/pwn" ] } ``` <img width="358" height="628" alt="Screenshot 2026-01-12 at 18 32 37" src="https://github.com/user-attachments/assets/d95c1ae2-23a7-4afe-b586-722003baf50e" /> ### Impact This is an authenticated arbitrary command execution due to unsanitized input, even though the input is sanitized, more protections should be added in order to close ways for attackers to execute arbitrary commands.

Command Injection RCE
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-3596 CRITICAL Act Now

Unauthenticated remote attackers can escalate to administrator privileges on WordPress sites running Riaxe Product Customizer plugin ≤2.1.2. The plugin exposes an AJAX endpoint ('install-imprint') without authentication checks that allows arbitrary WordPress option manipulation, enabling attackers to create administrator accounts by modifying registration settings. CVSS 9.8 (Critical) reflects the complete site compromise potential. EPSS data not provided but exploitation requires only HTTP access to any vulnerable WordPress installation with this plugin active-no special conditions beyond plugin presence.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37345 CRITICAL Act Now

SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37340 CRITICAL Act Now

SQL injection in SourceCodester Simple Music Cloud Community System v1.0's /music/edit_music.php endpoint allows unauthenticated remote attackers to execute arbitrary SQL commands with full database access. The vulnerability carries a critical CVSS 9.8 score with network-accessible, low-complexity exploitation requiring no privileges or user interaction. EPSS probability is notably low at 0.01% (2nd percentile), suggesting limited real-world exploitation interest despite the critical severity rating. Proof-of-concept code is publicly available via GitHub, lowering the barrier for opportunistic attacks against exposed instances.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37339 CRITICAL Act Now

SQL injection in SourceCodester Simple Music Cloud Community System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the /music/view_genre.php endpoint, enabling complete database compromise including data theft, modification, and potential server takeover. CVSS 9.8 (Critical) with network-exploitable attack vector requiring no authentication or user interaction. EPSS score of 0.01% (2nd percentile) indicates low observed exploitation probability despite critical severity. Publicly available proof-of-concept exists (GitHub repository), lowering exploitation barrier for opportunistic attackers.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-32179 CRITICAL PATCH GHSA Act Now

Integer underflow in Microsoft QUIC's ACK frame parser enables remote unauthenticated privilege escalation. The vulnerability (CWE-191: integer wrap-around) affects Microsoft's native QUIC library implementations (both OpenSSL and SChannel variants) distributed via NuGet packages. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and vendor-confirmed patch available (commit 1e6e999b), this represents a critical network-exposed flaw in QUIC protocol implementations. No active exploitation confirmed (not in CISA KEV) and public exploit code status unknown at time of analysis, but the straightforward attack vector (network-accessible protocol parsing) and authentication bypass capability warrant immediate patching priority for systems using Microsoft QUIC libraries.

Authentication Bypass Integer Overflow Microsoft
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-6349 CRITICAL PATCH Act Now

OS Command Injection in HGiga iSherlock-base and iSherlock-audit versions 4.5 and 5.5 allows remote unauthenticated attackers to execute arbitrary operating system commands on the server with full system privileges. All four product variants (iSherlock-base-4.5, iSherlock-audit-4.5, iSherlock-base-5.5, iSherlock-audit-5.5) are affected in versions below build 476 (base) and 261 (audit). Vendor-released patch available per Taiwan CERT (TWCERT) advisory. CVSS 4.0 score of 10.0 reflects maximum severity with network attack vector, no authentication required, and high impact to all CIA triad properties including scope change. No public exploit identified at time of analysis.

Command Injection Isherlock Base 4 5 Isherlock Audit 4 5 Isherlock Base 5 5 Isherlock Audit 5 5
NVD VulDB
CVSS 4.0
9.3
EPSS
0.9%
CVE-2026-37338 CRITICAL Act Now

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php.

PHP SQLi
NVD GitHub
CVSS 3.1
9.4
EPSS
0.0%
CVE-2026-40504 CRITICAL PATCH Act Now

Heap buffer overflow in Creolabs Gravity scripting language before 0.9.6 enables remote code execution when applications evaluate untrusted scripts containing many string literals at global scope. The vulnerability stems from insufficient bounds checking in gravity_fiber_reassign(), allowing heap metadata corruption. VulnCheck disclosed this issue with a vendor-released patch (commit 18b9195) available. CVSS 9.3 reflects the critical network-accessible, unauthenticated attack vector. No active exploitation (CISA KEV) or public POC identified at time of analysis, but technical details in GitHub issue #437 could facilitate exploit development.

Heap Overflow Buffer Overflow RCE Gravity
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-6350 CRITICAL PATCH Act Now

Remote unauthenticated code execution in Openfind MailGates (5.0-6.0) and MailAudit (5.0-6.0) via stack-based buffer overflow allows complete system compromise. Attackers can send crafted network requests to exploit CWE-121 buffer overflow conditions without authentication, achieving arbitrary code execution with high impact to confidentiality, integrity, and availability. Vendor patches available (MailGates 6.1.10.054, 5.2.10.099; MailAudit 6.1.10.054, 5.2.10.099). CVSS 9.3 with network attack vector (AV:N), low complexity (AC:L), and no privileges required (PR:N) creates critical exposure for internet-facing mail security appliances. EPSS data unavailable; no confirmed active exploitation or public POC identified at time of analysis.

Stack Overflow Buffer Overflow RCE Mailgates Mailaudit
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-6348 CRITICAL Act Now

WinMatrix agent escalates privileges to SYSTEM without authentication, enabling authenticated local users to execute arbitrary code with full administrative control on both the local machine and all networked hosts where the agent is deployed. This environmental spread capability (CVSS scope change: H) transforms a local vulnerability into an enterprise-wide threat. Taiwan CERT issued advisories in January 2026 for versions 3.5.13 through 3.5.26.15. No public exploit identified at time of analysis, but CVSS 9.3 reflects catastrophic potential impact given the agent's privileged access and network propagation capability. EPSS data not available for new 2026 CVE.

Authentication Bypass RCE Winmatrix
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-40959 CRITICAL PATCH Act Now

Lua sandbox escape in Luanti 5.x (formerly Minetest) game engine allows malicious mod code to break out of LuaJIT security restrictions and execute arbitrary code on the host system. Affects all Luanti 5.0.0 through 5.15.1 when compiled with LuaJIT instead of standard Lua. Attackers with ability to distribute crafted mods can achieve complete system compromise with scope change (S:C in CVSS), escalating from sandboxed mod execution to full host access. No authentication required but local access needed (AV:L). Patch available in version 5.15.2 via two upstream commits. EPSS data not available; no confirmed active exploitation or public POC at time of analysis.

Information Disclosure Luanti
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-40324 CRITICAL PATCH GHSA Act Now

### Impact Hot Chocolate's `Utf8GraphQLParser` is a recursive descent parser with no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a `StackOverflowException` on payloads as small as **40 KB**. Because `StackOverflowException` is **uncatchable in .NET** (since .NET 2.0), the entire worker process is terminated immediately. All in-flight HTTP requests, background `IHostedService` tasks, and open WebSocket subscriptions on that worker are dropped. The orchestrator (Kubernetes, IIS, etc.) must restart the process. This occurs **before any validation rules run** - `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists, and custom `IDocumentValidatorRule` implementations cannot intercept the crash because `Utf8GraphQLParser.Parse` is invoked before validation. The existing `MaxAllowedFields=2048` limit does not help because the crashing payloads contain very few fields. **Severity:** Critical (9.1) - `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H` ### Patches - **v12 line:** Fixed in `12.22.7` - **v13 line:** Fixed in `13.9.16` - **v14 line:** Fixed in `14.3.1` - **v15 line:** Fixed in `15.1.14` The fix adds a `MaxAllowedRecursionDepth` option to `ParserOptions` with a safe default, and enforces it across all recursive parser methods (`ParseSelectionSet`, `ParseValueLiteral`, `ParseObject`, `ParseList`, `ParseTypeReference`, etc.). When the limit is exceeded, a catchable `SyntaxException` is thrown instead of overflowing the stack. ### Workarounds There is no application-level workaround. `StackOverflowException` cannot be caught in .NET. The only mitigation is to upgrade to a patched version. Operators can reduce (but not eliminate) risk by limiting HTTP request body size at the reverse proxy or load balancer layer, though the smallest crashing payload (40 KB) is well below most default body size limits and is highly compressible (~few hundred bytes via gzip). ### References - Fix for v15: https://github.com/ChilliCream/graphql-platform/pull/9528

Denial Of Service Kubernetes
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-5426 CRITICAL PATCH Act Now

Remote code execution in Digital Knowledge KnowledgeDeliver (all versions prior to February 24, 2026) via malicious ViewState deserialization. A hard-coded ASP.NET machineKey allows unauthenticated remote attackers to bypass ViewState validation and execute arbitrary code on the server. Mandiant reported this critical deserialization vulnerability. EPSS score of 0.08% (24th percentile) suggests low observed exploitation activity, though no public exploit is confirmed at time of analysis. CVSS vector indicates network-accessible attack requiring no privileges or user interaction, but the 7.5 score reflects only Confidentiality impact-real-world RCE capability makes this significantly more severe than the partial CVSS rating suggests.

Deserialization RCE Knowledgedeliver
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-37347 CRITICAL Act Now

SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-6270 CRITICAL PATCH GHSA Act Now

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.

Authentication Bypass Fastify Middie
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-40322 CRITICAL Act Now

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node. This issue has been fixed in version 3.6.4.

XSS Microsoft RCE
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy