Skip to main content
CVE-2026-40897 HIGH POC PATCH GHSA This Week

This security vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. The issue was introduced in mathjs `v13.1.1`, and patched in mathjs `v15.2.0`. There is no workaround without upgrading to `v15.2.0`. You can find out more via the commit fixing this issue: https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad (part of PR https://github.com/josdejong/mathjs/pull/3656).

Information Disclosure
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40308 HIGH POC PATCH GHSA This Week

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.

PHP Authentication Bypass WordPress Denial Of Service
NVD GitHub
CVSS 4.0
8.8
EPSS
0.0%
CVE-2023-3634 HIGH This Week

In products of the MSE6 product-family by Festo a remote authenticated, low privileged attacker could use functions of undocumented test mode which could lead to a complete loss of confidentiality,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Mse6 C2M 5000 Fb36 D M Rg Bar M12L4 Agd Mse6 C2M 5000 Fb36 D M Rg Bar M12L5 Agd Mse6 C2M 5000 Fb43 D M Rg Bar M12L4 Mq1 Agd Mse6 C2M 5000 Fb43 D M Rg Bar M12L5 Mq1 Agd +8
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-1620 HIGH This Week

Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. CVSS 8.8 reflects high impact (RCE potential) but limited by authentication requirement. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists (Wordfence disclosure with technical details and code references).

PHP LFI WordPress Path Traversal Elementor
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40611 HIGH PATCH GHSA This Week

{ return "/.well-known/acme-challenge/" + token } ``` The webroot provider in `providers/http/webroot/webroot.go:31` then joins this with the configured webroot directory and writes the key authorization content to the resulting path: ```go challengeFilePath := filepath.Join(w.path, http01.ChallengePath(token)) err = os.MkdirAll(filepath.Dir(challengeFilePath), 0o755) err = os.WriteFile(challengeFilePath, []byte(keyAuth), 0o644) ``` RFC 8555 Section 8.3 specifies that ACME tokens must only contain characters from the base64url alphabet (`[A-Za-z0-9_-]`), but this constraint is never enforced anywhere in the codebase. When a malicious ACME server returns a token such as `../../../../../../tmp/evil`, `filepath.Join()` resolves the `..` components, producing a path outside the webroot directory. The same vulnerability exists in the `CleanUp()` function at `providers/http/webroot/webroot.go:48`, which deletes the challenge file using the same unsanitized path: ```go err := os.Remove(filepath.Join(w.path, http01.ChallengePath(token))) ``` This additionally enables arbitrary file deletion. In a real attack scenario, the victim uses `--server` to point lego at a malicious ACME server, combined with `--http.webroot`: ```bash lego --server https://malicious-acme.example.com \ --http --http.webroot /var/www/html \ --email user@example.com \ --domains example.com \ run ``` The malicious server returns a challenge token containing path traversal sequences `../../../../../../tmp/pwned`. lego's webroot provider writes the key authorization to the traversed path without validation, resulting in arbitrary file write outside the webroot. The following minimal Go program demonstrates the core vulnerability by directly calling the webroot provider with a crafted token: ```go package main import ( "fmt" "os" "github.com/go-acme/lego/v4/providers/http/webroot" ) func main() { webrootDir, _ := os.MkdirTemp("", "lego-webroot-*") defer os.RemoveAll(webrootDir) provider, _ := webroot.NewHTTPProvider(webrootDir) token := "../../../../../../../../../../tmp/pwned" provider.Present("example.com", token, "EXPLOITED-BY-PATH-TRAVERSAL") data, err := os.ReadFile("/tmp/pwned") if err == nil { fmt.Println("[+] VULNERABILITY CONFIRMED") fmt.Printf("[+] File written outside webroot: /tmp/pwned\n") fmt.Printf("[+] Content: %s\n", data) } } ``` ```bash go build -o exploit ./exploit.go && ./exploit ``` Expected output: ``` [+] VULNERABILITY CONFIRMED [+] File written outside webroot: /tmp/pwned [+] Content: EXPLOITED-BY-PATH-TRAVERSAL ``` This is a path traversal vulnerability (CWE-22). Any user running lego with the HTTP-01 challenge solver against a malicious or compromised ACME server is affected. A malicious ACME server can: - Achieve remote code execution by writing to cron directories, systemd unit paths, shell profiles, or web application directories served by the webroot. - Destroy data by overwriting configuration files, TLS certificates, or application state. - Escalate privileges if lego runs as root, granting unrestricted filesystem write access. - Delete arbitrary files via the `CleanUp()` code path using the same unsanitized token.

Path Traversal RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-14868 HIGH This Week

Cross-Site Request Forgery (CSRF) in Career Section WordPress plugin versions ≤1.6 enables unauthenticated attackers to delete arbitrary server files through social engineering. Attackers trick authenticated WordPress administrators into clicking malicious links that exploit missing nonce validation in the delete action handler, leading to path traversal and unrestricted file deletion. CVSS 8.8 (High) with network attack vector but requires user interaction (UI:R). EPSS and KEV data not provided; public exploit code status unknown. Wordfence advisory and upstream patch commit available.

Path Traversal WordPress CSRF
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3614 HIGH This Week

Privilege escalation in AcyMailing WordPress plugin (versions 9.11.0-10.8.1) allows authenticated Subscriber-level users to gain administrator access through a multi-stage attack chain. Attackers exploit a missing capability check in the wp_ajax_acymailing_router AJAX handler to access admin-only configuration controllers, enable autologin features, inject malicious cms_id values into newsletter subscribers, and authenticate as any WordPress user including administrators. EPSS data not available; no confirmed active exploitation (CISA KEV absent), but the low attack complexity (AC:L) and detailed public code references increase exploitation risk for installations with subscriber registration enabled.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-40502 HIGH PATCH This Week

Remote command injection in OpenHarness gateway handler allows authenticated remote chat users to execute administrative commands like /permissions full_auto without authorization, escalating privileges to modify security controls of running instances. Vulnerability exploits insufficient command validation in chat interface. Fixed in commit dd1d235. CVSS 8.7 (High) with network attack vector and low complexity. EPSS data unavailable; not listed in CISA KEV. VulnCheck advisory and GitHub patch available.

Authentication Bypass Command Injection Openharness
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-39313 HIGH PATCH GHSA This Week

{ return new Promise((resolve, reject) => { let body = ''; req.on('data', (chunk) => { body += chunk.toString(); // No size limit }); req.on('end', () => { try { const parsed = body ? JSON.parse(body) : null; resolve(parsed); } catch (error) { reject(error); } }); req.on('error', reject); }); } ``` A `maxMessageSize` configuration value exists in `DEFAULT_HTTP_STREAM_CONFIG` (4MB, defined in `src/transports/http/types.ts` line 124) but is never enforced in `readRequestBody()`. This creates a false sense of security. Local testing with 50MB POST payloads against the vulnerable `readRequestBody()` function: | Trial | Payload | RSS growth | Time | Result | |-------|---------|-----------|------|--------| | 1 | 50MB | +197MB | 42ms | Vulnerable | | 2 | 50MB | +183MB | 46ms | Vulnerable | | 3 | 50MB | +15MB | 43ms | Vulnerable | | 4 | 50MB | +14MB | 32ms | Vulnerable | | 5 | 50MB | +65MB | 38ms | Vulnerable | Reproducibility: 5/5 (100%) - **Denial of Service:** Any mcp-framework HTTP server can be crashed by a single large POST request to /mcp - **No authentication required:** readRequestBody() executes before any auth checks (auth is opt-in, default is no auth) - **Dead config:** maxMessageSize exists but is never enforced, giving a false sense of security - **Affected:** All applications using mcp-framework HttpStreamTransport (60,000 weekly npm downloads) **CWE-770:** Allocation of Resources Without Limits or Throttling **Suggested CVSS 3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Enforce `maxMessageSize` in `readRequestBody()`: ```typescript private async readRequestBody(req: IncomingMessage): Promise<any> { const maxSize = this._config.maxMessageSize || 4 * 1024 * 1024; return new Promise((resolve, reject) => { let body = ''; let size = 0; req.on('data', (chunk) => { size += chunk.length; if (size > maxSize) { req.destroy(); reject(new Error('Request body too large')); return; } body += chunk.toString(); }); // ... }); } ``` This report follows coordinated disclosure. I request a 90-day window before public disclosure. **Reporter:** Raza Sharif, CyberSecAI Ltd (contact@agentsign.dev)

Denial Of Service Node.js
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-2336 HIGH PATCH This Week

A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileges.This issue affects IStaX before 2026.03.

Privilege Escalation Istax
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-40900 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combined with the JDBC blocklist bypass that allows enabling allowMultiQueries=true, an attacker can break out of the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. An authenticated attacker with access to valid datasource credentials can achieve full read and write access to the underlying database. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33121 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple string replacement without any sanitization or escaping of the table name. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information such as the MySQL version. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33084 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the sort parameter of the /de2api/datasetData/enumValueObj endpoint. The DatasetDataManage service layer directly transfers the user-supplied sort value to the sorting metadata DTO, which is passed to Order2SQLObj where it is incorporated into the SQL ORDER BY clause without any whitelist validation, and then executed via CalciteProvider. An authenticated attacker can inject arbitrary SQL commands through the sort parameter, enabling time-based blind SQL injection. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33083 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLObj class directly assigns the raw user-supplied orderDirection value into the SQL query without any validation or whitelist enforcement, and the value is rendered into the ORDER BY clause via StringTemplate before being executed against the database. An authenticated attacker can inject arbitrary SQL commands through the sorting direction field, enabling time-based blind data extraction and denial of service. This issue has been fixed in version 2.10.21.

Denial Of Service SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33082 HIGH PATCH This Week

DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and passed to WhereTree2Str.transFilterTrees for SQL translation, where user-controlled values in "like" filter terms are directly concatenated into SQL fragments without sanitization. An attacker can inject arbitrary SQL commands by escaping the string literal in the filter value, enabling blind SQL injection through techniques such as time-based extraction of database information. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-6351 HIGH PATCH This Week

CRLF Injection in Openfind MailGates/MailAudit allows remote unauthenticated attackers to read arbitrary system files via HTTP header manipulation. Affects MailGates/MailAudit versions 5.0-6.0 (prior to 5.2.10.099 and 6.1.10.054 respectively). CVSS 8.7 with network vector, low complexity, and no authentication required indicates critical real-world risk. Taiwan CERT advisory published; no CISA KEV listing or public exploit code identified at time of analysis, suggesting early disclosure phase.

Code Injection Mailgates Mailaudit
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-35469 HIGH PATCH GHSA This Week

The SPDY/3 frame parser in spdystream does not validate attacker-controlled counts and lengths before allocating memory. A remote peer that can send SPDY frames to a service using spdystream can cause the process to allocate gigabytes of memory with a small number of malformed control frames, leading to an out-of-memory crash.   Three allocation paths in the receive side are affected: 1. **SETTINGS entry count** -- The SETTINGS frame reader reads a 32-bit `numSettings` from the payload and allocates a slice of that size without checking it against the declared frame length. An attacker can set `numSettings` to a value far exceeding the actual payload, triggering a large allocation before any setting data is read.   2. **Header count** -- `parseHeaderValueBlock` reads a 32-bit `numHeaders` from the decompressed header block and allocates an `http.Header` map of that size with no upper bound.   3. **Header field size** -- Individual header name and value lengths are read as 32-bit integers and used directly as allocation sizes with no validation.   Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into attacker-controlled bytes that the parser interprets as 32-bit counts and lengths. A single crafted frame is enough to exhaust process memory.  Any program that accepts SPDY connections using spdystream -- directly or through a dependent library -- is affected. A remote peer that can send SPDY frames to the service can crash the process with a single crafted SPDY control frame, causing denial of service.  `github.com/moby/spdystream` <= v0.5.0  v0.5.1 addresses the receive-side allocation bugs and adds related hardening:   **Core fixes:**   - **SETTINGS entry-count validation** -- The SETTINGS frame reader now checks that `numSettings` is consistent with the declared frame length (`numSettings <= (length-4)/8`) before allocating.   - **Header count limit** -- `parseHeaderValueBlock` enforces a maximum number of headers per frame (default: 1000).   - **Header field size limit** -- Individual header name and value lengths are checked against a per-field size limit (default: 1 MiB) before allocation.   - **Connection closure on protocol error** -- The connection read loop now closes the underlying `net.Conn` when it encounters an `InvalidControlFrame` error, preventing further exploitation on the same connection.   **Additional hardening:**   - **Write-side bounds checks** -- All frame write methods now verify that payloads fit within the 24-bit length field, preventing the library from producing invalid frames.   **Configurable limits:**   - Callers can adjust the defaults using `NewConnectionWithOptions` or the lower-level `spdy.NewFramerWithOptions` with functional options: `WithMaxControlFramePayloadSize`, `WithMaxHeaderFieldSize`, and `WithMaxHeaderCount`.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33207 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.

Java SQLi
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-33122 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from the user-submitted configuration is passed to DatasourceSyncManage.createEngineTable, where it is substituted into a CREATE TABLE statement template without any sanitization or identifier escaping. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-22734 HIGH This Week

Authentication bypass in Cloud Foundry UAA allows remote unauthenticated attackers to obtain access tokens for arbitrary users when SAML 2.0 bearer assertions are enabled, leading to unauthorized access to all UAA-protected systems. Affects UAA versions 77.30.0 through 78.7.0 and CF Deployment versions 48.7.0 through 54.14.0. The vulnerability stems from acceptance of unsigned and unencrypted SAML 2.0 assertions (CWE-290: Authentication Bypass by Spoofing), enabling complete authentication mechanism bypass with network access and low attack complexity (CVSS 8.6, AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, but the technical details disclosed in the vendor blog create high weaponization potential.

Authentication Bypass Uua
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-40318 HIGH PATCH GHSA This Week

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.

Path Traversal Siyuan
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.1%
CVE-2026-6442 HIGH PATCH This Week

Improper validation of bash commands in Snowflake Cortex Code CLI versions prior to 1.0.25 allowed subsequent commands to execute outside the sandbox. An attacker could exploit this by embedding specially crafted commands in untrusted content, such as a malicious repository, causing the CLI agent to execute arbitrary code on the local device without user consent. Exploitation is non-deterministic and model-dependent. The fix is automatically applied upon relaunch with no user action required.

RCE Cortex Code Cli
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-40899 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter for the illegalParameters field that contains the JDBC security blocklist. When a datasource configuration is submitted as JSON, Jackson deserialization calls setIllegalParameters with an attacker-supplied empty list, replacing the blocklist before getJdbc() validation runs. This allows an authenticated attacker to include dangerous JDBC parameters such as allowLoadLocalInfile=true, and by pointing the datasource at a rogue MySQL server, exploit the LOAD DATA LOCAL INFILE protocol feature to read arbitrary files from the DataEase server filesystem, including sensitive environment variables and database credentials. This issue has been fixed in version 2.10.21.

Deserialization Dataease
NVD GitHub
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-3324 HIGH This Week

Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration.

Authentication Bypass
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-41113 HIGH PATCH This Week

sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.

Command Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-5785 HIGH PATCH This Week

Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.

SQLi Manageengine Pam360 Manageengine Password Manager Pro
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40960 HIGH PATCH This Week

Logic error in Luanti 5 (formerly Minetest) game engine before 5.15.2 allows malicious mods to gain unauthorized access to security-restricted APIs by intercepting mod environment setup. When any mod is designated as trusted (via secure.trusted_mods or secure.http_mods), a specially crafted mod can exploit the environment initialization sequence to receive the insecure environment or HTTP API access intended only for trusted mods. CVSS 8.1 reflects local attack vector with high complexity but no authentication required and scope change with high confidentiality/integrity/availability impact. GitHub security advisory and two fix commits confirm patch availability. No CISA KEV listing or public exploit code identified at time of analysis.

Information Disclosure Suse
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41035 HIGH PATCH This Week

Receiver-side use-after-free in rsync 3.0.1 through 3.4.1 lets a malicious peer corrupt memory on a host running rsync with the -X (--xattrs) option. The receive_xattr function trusts an attacker-supplied length value during a qsort operation, which a malicious sender/server can abuse to crash the receiver or potentially achieve code execution; Linux hosts are vulnerable in many common configurations and non-Linux platforms more broadly. No public exploit identified at time of analysis, EPSS is very low (0.01%), and SSVC scores exploitation as none, indicating a real-but-not-urgent memory-safety bug rather than a mass-exploited threat.

Information Disclosure Rsync
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-22619 HIGH PATCH This Week

Arbitrary code execution in Eaton Intelligent Power Protector (IPP) software via insecure library loading allows local authenticated attackers with low privileges to execute code with elevated integrity impact across security boundaries. Attack complexity is high, requiring the attacker to have access to the software package installation files. EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis. Eaton has released a patched version available through their download center.

RCE Ipp Software
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-41082 HIGH PATCH This Week

In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory.

Information Disclosure Opam
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40474 HIGH GHSA This Week

Authenticated low-privileged users in wger can modify installation-wide gym configuration via /config/gym-config/edit due to missing permission enforcement, enabling vertical privilege escalation. The GymConfigUpdateView declares 'config.change_gymconfig' permission but inherits WgerFormMixin instead of WgerPermissionMixin, causing the permission check to never execute. Exploiting this allows attackers to manipulate default gym assignments affecting all users, with GymConfig.save() automatically reassigning user profiles and creating gym configurations tenant-wide. CVSS 7.6 (High) with network attack vector, low complexity, and low privileges required. No active exploitation (KEV) or public POC identified at time of analysis, though GitHub advisory provides detailed reproduction steps.

Authentication Bypass Docker Python Privilege Escalation
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-40901 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.

Deserialization SQLi RCE Dataease
NVD GitHub
CVSS 4.0
7.5
EPSS
0.4%
CVE-2026-3489 HIGH This Week

The DirectoryPress - Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-30656 HIGH PATCH This Week

A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash.

Null Pointer Dereference Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40303 HIGH PATCH GHSA This Week

**Summary** endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. - Attack Vector: Network - exploitable via a single HTTP request with a crafted Cookie header. - Attack Complexity: Low - no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect). - Privileges Required: None - reached before JWT validation or any authentication check. - User Interaction: None. - Scope: Unchanged - impact is confined to the affected proxy process. - Confidentiality Impact: None. - Integrity Impact: None. Availability Impact: High - sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves. **Affected Components** - endpoints/oauthCookies.go - GetSessionCookie (line 81) - endpoints/publicProxy/authOAuth.go - handleOAuth (line 50) - call site, pre-auth - endpoints/dynamicProxy/cookies.go - getSessionCookie (line 29) - call site

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40170 HIGH PATCH This Week

ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client.

Stack Overflow Buffer Overflow Ngtcp2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3599 HIGH This Week

SQL injection in Riaxe Product Customizer for WordPress (all versions ≤2.1.2) allows unauthenticated remote attackers to extract sensitive database contents via crafted REST API requests. The vulnerability exists in the /wp-json/InkXEProductDesignerLite/add-item-to-cart endpoint where the 'options' parameter keys within 'product_data' lack proper SQL escaping. CVSS 7.5 (High) with attack vector network/low complexity/no authentication required. Wordfence discovery indicates active researcher attention. No CISA KEV listing or public exploit code identified at time of analysis, but EPSS data unavailable for risk calibration.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31987 HIGH PATCH GHSA This Week

Apache Airflow 3.0.0 through 3.1.x exposes JWT authentication tokens in application logs, allowing any authenticated UI user with log access to escalate privileges and impersonate DAG Authors. CVSS rates this 7.5 HIGH for confidentiality impact, though the EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation attempts. No active exploitation is confirmed; vendor patch available in version 3.2.0 released April 2026.

Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5050 HIGH This Week

Signature validation bypass in Redsys payment gateway plugin (WooCommerce) allows remote attackers to mark unpaid orders as completed without actual payment. Unauthenticated attackers who obtain a valid order key and amount can forge payment callbacks across Redsys, Bizum, and Google Pay flows, enabling fraudulent order fulfillment. Affects versions ≤7.0.0 of 'Payment Gateway for Redsys & WooCommerce Lite' WordPress plugin. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation, though EPSS data unavailable. No CISA KEV listing or public POC identified at time of analysis. Vendor patch released in changeset 3501998.

Information Disclosure Jwt Attack WordPress Google
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-2374 HIGH PATCH This Week

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Denial Of Service Wso2 Api Manager Wso2 Identity Server Wso2 Open Banking Am +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33804 HIGH PATCH GHSA This Week

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

Authentication Bypass Fastify Middie
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-41015 HIGH PATCH This Week

Command injection in radare2's rabin2 PDB parser allows local attackers to execute arbitrary commands when the tool is compiled without SSL support on UNIX systems. The vulnerability (CWE-78) affected a narrow window between commits 01ca2f6 and 9236f44 (post-6.1.2, pre-6.1.3), spanning less than one week in the development timeline. CVSS 7.4 (HIGH) reflects local attack vector with high complexity but no authentication required. No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists. EPSS data not provided. Fixed in commit 9236f44a28 per GitHub PR #25651.

Command Injection Suse
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-37337 HIGH This Week

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php.

PHP SQLi
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-37336 HIGH This Week

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php.

PHP SQLi
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-23772 HIGH PATCH This Week

Local privilege escalation in Dell Storage Manager - Replay Manager for Microsoft Servers 8.0 allows low-privileged authenticated users to gain elevated privileges with high integrity and availability impact. Dell has released security advisory DSA-2026-058 with patches. The CVSS 7.3 (High) score reflects significant post-exploitation impact, though local access and existing authentication requirements limit initial attack surface. No active exploitation (CISA KEV) or public proof-of-concept code identified at time of analysis.

Privilege Escalation Dell Microsoft
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-3876 HIGH This Week

Stored Cross-Site Scripting in Prismatic WordPress plugin (all versions ≤3.7.3) allows unauthenticated remote attackers to inject malicious scripts via crafted comment submissions containing the 'prismatic_encoded' pseudo-shortcode. Vulnerable code in prismatic_decode function fails to sanitize user-supplied attributes. CVSS 7.2 with scope change (S:C) elevates impact beyond vulnerable component. EPSS data not available; no CISA KEV listing identified. Wordfence threat intelligence confirms vulnerability; patch released in version 3.7.4 per WordPress plugin repository changelog.

XSS WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-37344 HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated administrators to execute arbitrary SQL commands via the /parking/manage_location.php endpoint. CVSS 7.2 indicates high-privilege requirement (PR:H) limiting exploitation to compromised admin accounts or insider threats. EPSS score of 0.01% (2nd percentile) suggests minimal observed exploitation activity. No CISA KEV listing indicates no confirmed active exploitation in enterprise environments.

PHP SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-37343 HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL queries via the /parking/manage_user.php endpoint. CVSS 7.2 with network vector but requires high-privilege authentication (PR:H), significantly limiting attack surface. EPSS probability is very low (0.01%, 2nd percentile), indicating minimal observed exploitation activity. No CISA KEV listing or public POC confirmation, though a technical writeup exists in GitHub repository mt-0505/cve-report.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-37342 HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL commands via the /parking/view_parked_details.php endpoint. The vulnerability requires administrative credentials (CVSS PR:H) but enables full database compromise once authenticated. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity. A public proof-of-concept exists on GitHub, lowering the technical barrier for authenticated attackers.

PHP SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-37341 HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows high-privileged authenticated attackers to execute arbitrary SQL commands via the /parking/manage_category.php endpoint, enabling complete database compromise. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity. Proof-of-concept exploit code is publicly available on GitHub, lowering the barrier for authenticated attackers with administrative access.

PHP SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy