Skip to main content
CVE-2026-41253 MEDIUM This Month

Remote code execution in iTerm2 through version 3.6.9 allows local attackers to execute arbitrary code by displaying a specially crafted text file when a malicious file with a conductor-protocol-compatible name exists in the working directory. The vulnerability exploits iTerm2's acceptance of SSH conductor protocol sequences (DCS 2000p and OSC 135) from terminal output without validating the source, enabling in-band signaling abuse where filenames themselves become attack vectors. CVSS 6.9 reflects local attack vector and high complexity, but practical exploitation requires user interaction (opening a file) combined with directory-resident malware.

RCE Iterm2
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.0%
CVE-2026-40490 MEDIUM PATCH This Month

AsyncHttpClient (AHC) library prior to versions 3.0.9 and 2.14.5 leaks Authorization, Proxy-Authorization headers, and plaintext Realm credentials to arbitrary redirect targets when followRedirect(true) is enabled, affecting all Java applications using vulnerable versions. This occurs across domain, scheme, and port changes including HTTPS-to-HTTP downgrades. An attacker controlling a redirect destination via open redirect, DNS rebinding, or MITM can capture Bearer tokens, Basic auth credentials, or any Authorization header value. No public exploit code or active exploitation has been confirmed at analysis time, though the vulnerability is exploitable with high-confidence conditions when redirect following is enabled (CVSS 6.8, network vector, no authentication required).

Information Disclosure Java Open Redirect Red Hat
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-40491 MEDIUM PATCH This Month

gdown prior to version 5.2.2 allows remote attackers to write arbitrary files outside the intended extraction directory via maliciously crafted ZIP or TAR archives due to insufficient path traversal validation in the extractall functionality. An attacker can craft a malicious archive with path traversal sequences (e.g., ../ entries) in filenames, which when extracted by a user, permits file overwrite and potential remote code execution. The vulnerability requires user interaction (UI:R) to trigger extraction but affects all unauthenticated remote users downloading via the gdown library.

Path Traversal RCE Google
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1559 MEDIUM This Month

Youzify plugin for WordPress (versions up to 1.3.6) allows authenticated subscribers to execute stored cross-site scripting attacks via the 'checkin_place_id' parameter due to insufficient input sanitization and output escaping. An attacker with subscriber-level access can inject arbitrary JavaScript that executes when other users view the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at the time of this analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2986 MEDIUM This Month

Stored Cross-Site Scripting in Contextual Related Posts plugin for WordPress (versions up to 4.2.1) allows authenticated contributors and above to inject malicious scripts via the 'other_attributes' parameter, which execute in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling privilege escalation from contributor-level access to site-wide code execution. No active exploitation in the wild has been confirmed, but the attack requires only authenticated access at a low privilege level that is commonly granted in WordPress environments.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0894 MEDIUM This Month

Stored Cross-Site Scripting in Content Blocks (Custom Post Widget) plugin for WordPress affects all versions up to 3.3.9, allowing authenticated contributors and above to inject arbitrary JavaScript via the content_block shortcode that executes in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping; no public exploit code or active exploitation has been identified at the time of analysis, but the low attack complexity and broad scope (cross-site) make this a significant risk for WordPress sites with untrusted contributor accounts.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4801 MEDIUM This Month

Stored Cross-Site Scripting in CoBlocks Page Builder plugin for WordPress allows authenticated Contributor-level users to inject malicious scripts via external iCal feed data in the Events block, executing arbitrary JavaScript in pages visited by any user. The vulnerability exists in all versions through 3.1.16 due to insufficient output escaping of event titles, descriptions, and locations. CVSS 6.4 reflects limited direct impact (confidentiality and integrity) but broad scope across WordPress installations, and no public exploit code or active exploitation has been confirmed at this time.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6048 MEDIUM This Month

Stored XSS in Flipbox Addon for Elementor WordPress plugin (versions ≤2.1.1) allows authenticated authors to inject malicious scripts via the button URL custom_attributes field due to insufficient validation of attribute names. The vulnerability uses esc_html() on attribute names, which fails to block event handler attributes like onmouseover and onclick, enabling arbitrary JavaScript execution in pages viewed by any user. CVSS 6.4 reflects the requirement for authenticated author-level access, but the stored nature and cross-site scope increase practical risk. Patch available in version 2.1.2.

XSS WordPress Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-40881 MEDIUM PATCH GHSA This Month

Zebra cryptocurrency node prior to version 4.3.1 allocates excessive memory (up to 233,016 addresses) when deserializing addr/addrv2 protocol messages, even though the specification limits messages to 1,000 addresses. An attacker can trigger out-of-memory crashes by sending multiple oversized address messages over different connections. This is a network-accessible denial of service vulnerability affecting all Zebra versions before 4.3.1, with no public exploit code identified but straightforward to execute given the protocol specification.

Denial Of Service Deserialization
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-1838 MEDIUM This Month

Reflected XSS in Hostel WordPress plugin versions up to 1.1.6 allows unauthenticated attackers to inject arbitrary JavaScript via the 'shortcode_id' parameter, requiring user interaction (clicking a malicious link) to execute. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode handling code. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-40333 MEDIUM PATCH This Month

Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a connected camera to read sensitive information from process memory or cause denial of service via malformed EOS event data. Two functions in ptp-pack.c lack length validation, enabling unbounded buffer reads when processing camera events. The vulnerability requires physical device access and is not remotely exploitable, with no public exploit code identified at time of analysis.

Information Disclosure Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-40340 MEDIUM PATCH This Month

Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a USB-connected camera to trigger information disclosure or denial of service via malformed PTP protocol data during Samsung Galaxy device enumeration. The vulnerability exists in `ptp_unpack_OI()` which validates buffer boundaries at 48 bytes but subsequently reads up to 56 bytes, exceeding the boundary by 9 bytes. A fix is available in commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33.

Samsung Information Disclosure Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41078 MEDIUM GHSA This Month

OpenTelemetry.Exporter.Jaeger allows memory exhaustion and denial of service when processing high-cardinality or attacker-influenced telemetry data due to pooled list structures that retain oversized allocations across subsequent requests. The affected .NET NuGet package may experience sustained memory pressure if telemetry attributes or events contain large payloads, particularly in environments where input originates from untrusted sources and memory limits are increased from defaults. Notably, this deprecated exporter (end-of-support since 2023) will not receive vendor patches and users should migrate to maintained alternatives such as OpenTelemetry Protocol (OTLP) exporters.

Denial Of Service
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-2505 MEDIUM This Month

Stored Cross-Site Scripting in Categories Images WordPress plugin versions up to 3.3.1 allows authenticated contributors and above to inject malicious scripts via the 'class' attribute of the 'z_taxonomy_image' shortcode, which executes in the context of other users viewing the affected page. The vulnerability stems from insufficient HTML escaping in the shortcode's fallback image builder. No public exploit code or active exploitation has been identified, but the attack requires only authenticated contributor-level access and user interaction with the injected content.

XSS WordPress
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40948 MEDIUM PATCH GHSA This Month

Session fixation and login-CSRF in apache-airflow-providers-keycloak prior to 0.7.0 allows remote attackers without prior authentication to hijack user sessions by delivering a crafted OAuth callback URL, enabling credential theft from stored Airflow connections. The vulnerability stems from missing OAuth 2.0 state parameter validation and lack of PKCE implementation, requiring only user interaction to trick victims into clicking a malicious link. EPSS score of 0.01% suggests minimal real-world exploitation despite moderate CVSS impact rating.

Apache CSRF
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40483 MEDIUM This Month

ChurchCRM versions prior to 7.2.0 allow authenticated users with Finance permissions to store malicious JavaScript in pledge donation comments via missing HTML escaping, which executes in the browsers of any subsequent users who edit the pledge record, resulting in stored cross-site scripting (XSS). The vulnerability requires Finance role access and victim interaction (opening the pledge editor), but affects all users who view the compromised record, with no known public exploit code or active exploitation confirmed at time of analysis.

XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40485 MEDIUM This Month

ChurchCRM versions prior to 7.2.0 leak valid usernames through the public API login endpoint by returning distinguishable HTTP status codes (404 for non-existent users, 401 for valid users with wrong passwords). An unauthenticated attacker can enumerate valid usernames without rate limiting or account lockout restrictions, enabling targeted credential attacks and social engineering. This information disclosure vulnerability affects all ChurchCRM deployments using the vulnerable API endpoint and has been patched in version 7.2.0.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-40339 MEDIUM PATCH This Month

Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a connected camera to read sensitive memory and potentially cause denial of service via a specially crafted Sony camera device. The vulnerability exists in the Sony-specific PTP packet unpacking function which omits bounds validation present in the standard variant, enabling attackers with direct camera access to trigger information disclosure and minor availability impact.

Information Disclosure Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-40338 MEDIUM PATCH This Month

Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows physical attackers to disclose sensitive memory and cause denial of service via a malicious PTP (Picture Transfer Protocol) device. The vulnerability exists in the Sony-specific DPD unpacking function, which fails to validate buffer boundaries before reading an enumeration count, enabling attackers with direct device access to craft responses that trigger the out-of-bounds read. Patch is available via upstream commit 3b9f9696be76ae51dca983d9dd8ce586a2561845.

Information Disclosure Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-40335 MEDIUM PATCH This Month

Out-of-bounds read in libgphoto2 versions up to 2.5.33 in the PTP protocol parser allows information disclosure and potential denial of service when processing specially crafted camera responses. The vulnerability exists in ptp_unpack_DPV() where UINT128 and INT128 cases advance the buffer offset by 16 bytes without verifying sufficient buffer remains available, potentially exposing adjacent memory. Exploitation requires physical access to connect a malicious camera device (AV:P), but no special authentication or user interaction is needed once connected. No public exploit code identified at time of analysis.

Information Disclosure Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-40337 MEDIUM This Month

Sentry kernel prior to version 0.4.7 allows tasks with DEV or IO capabilities to manipulate another task's IRQ line via the __sys_int_* syscall family, enabling denial of service and covert information channels between privileged tasks and external systems. The vulnerability affects embedded systems using Sentry micro-kernel versions before 0.4.7, and no public exploit code has been identified at time of analysis, though the fix is vendor-released and publicly available.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-40593 MEDIUM PATCH This Month

Stored cross-site scripting in ChurchCRM UserEditor.php prior to version 7.2.0 allows authenticated administrators to inject malicious HTML and JavaScript into username fields, which then executes in the browsers of other administrators viewing the user editor page. The vulnerability stems from failure to sanitize usernames before rendering them into HTML input value attributes, and exploitation requires administrator-level privileges combined with user interaction (another admin viewing the compromised user's editor). This is a low-CVSS but real privilege-escalation concern within multi-administrator deployments, particularly where administrators may have differing trust levels.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-41254 MEDIUM PATCH This Month

Integer overflow in Little CMS (lcms2) version 2.18 and earlier allows local attackers to trigger a buffer overflow via CubeSize calculation in cmslut.c, where the overflow check occurs after rather than before multiplication. This can result in memory corruption leading to information disclosure or denial of service with low complexity requirements. No active exploitation in CISA KEV confirmed at time of analysis, but proof-of-concept technical details are publicly available.

Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
4.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy