24 CVEs tracked today. 0 Critical, 3 High, 10 Medium, 11 Low.
-
CVE-2026-6581
HIGH
CVSS 7.4
A buffer overflow in the SetMobileAPInfoById function of H3C Magic B1 router firmware (versions up to 100R004) allows authenticated attackers to achieve remote code execution via crafted HTTP requests to /goform/aspForm. CVSS:4.0 rated 7.4 (High) with confirmed publicly available exploit code on GitHub. No vendor response or patch available. EPSS data not provided, but public exploit availability significantly elevates exploitation risk. The CWE-120 buffer overflow enables full device compromise (VC:H/VI:H/VA:H) with low attack complexity (AC:L) requiring only low-privileged authentication (PR:L).
Buffer Overflow
-
CVE-2026-6563
HIGH
CVSS 7.4
Buffer overflow in H3C Magic B1 router firmware (versions through 100R004) allows authenticated remote attackers to achieve complete system compromise via crafted parameters to the SetAPWifiorLedInfoById function in /goform/aspForm. Public exploit code exists on GitHub. CVSS 7.4 (High) with network attack vector, low complexity, and confirmed proof-of-concept (CVSS:4.0 E:P). Vendor unresponsive to disclosure. EPSS and KEV status not provided in available data.
Buffer Overflow
-
CVE-2026-6560
HIGH
CVSS 7.4
Buffer overflow in H3C Magic B0 routers (firmware versions up to 100R002) allows authenticated remote attackers to achieve arbitrary code execution via the Edit_BasicSSID function in /goform/aspForm. Public exploit code exists on GitHub. CVSS:4.0 7.4 reflects network accessibility with low authentication (PR:L). Vendor unresponsive to disclosure - no patch confirmed. Exploitation requires valid router credentials but no special deployment conditions.
Buffer Overflow
-
CVE-2026-6582
MEDIUM
CVSS 5.5
Remote unauthenticated access to vector database configurations in TransformerOptimus SuperAGI ≤0.0.14 allows attackers to retrieve, modify, or disrupt stored embeddings via the /vector_dbs endpoint. Missing authentication (CWE-306) in the get_vector_db_details function enables unauthorized manipulation of AI agent knowledge bases (CVSS 7.3). Publicly available exploit code exists (Proof-of-Concept published on GitHub Gist), but no active exploitation confirmed via CISA KEV. EPSS data not provided. Vendor unresponsive to early disclosure per VulDB report.
Authentication Bypass
-
CVE-2026-6580
MEDIUM
CVSS 5.5
Hard-coded Amap API key exposure in DjangoBlog allows remote attackers to abuse geolocation services without authentication. DjangoBlog versions up to 2.1.0.0 embed a fixed cryptographic key in owntracks/views.py for Amap API calls, enabling unauthorized API usage with low confidentiality, integrity, and availability impact. Publicly available exploit code exists (POC=YES). EPSS data not provided. Not listed in CISA KEV. Vendor unresponsive to disclosure.
Information Disclosure
-
CVE-2026-6579
MEDIUM
CVSS 5.5
DjangoBlog up to version 2.1.0.0 contains an authentication bypass vulnerability in the blog/views.py Clean Endpoint that allows remote unauthenticated attackers to trigger cache purge or data manipulation operations. The vulnerability has a CVSS score of 6.5 (medium severity) with network-accessible attack vector and low complexity; publicly available exploit code exists, and the vendor has not responded to early disclosure.
Authentication Bypass
-
CVE-2026-6577
MEDIUM
CVSS 5.5
Missing authentication in DjangoBlog 2.1.0.0 and prior allows remote unauthenticated attackers to inject GPS tracking data via the owntracks/views.py logtracks endpoint. Publicly available exploit code exists (GitHub POC). CVSS 7.3 with full network attack vector (AV:N/AC:L/PR:N/UI:N). EPSS and KEV status not provided, but POC availability indicates medium-to-high exploitation risk for internet-facing DjangoBlog instances with OwnTracks integration enabled. Vendor non-responsive to disclosure.
Authentication Bypass
-
CVE-2026-6574
MEDIUM
CVSS 5.5
Hard-coded credentials in osuuu LightPicture versions up to 1.2.2 allow unauthenticated remote attackers to bypass authentication via the /public/install/lp.sql file at the API upload endpoint. The vulnerability enables unauthorized access with confidentiality, integrity, and availability impacts. A public exploit exists (CVSS:3.1 E:P), significantly lowering the attack barrier. The vendor was notified but has not responded or issued patches.
Authentication Bypass
-
CVE-2026-6569
MEDIUM
CVSS 6.9
Improper authentication in kodcloud KodExplorer versions up to 4.52 allows unauthenticated remote attackers to bypass access controls via the fileGet endpoint. The vulnerability resides in the fileGet function within /app/controller/share.class.php, exploitable by manipulating the fileUrl parameter. With CVSS 7.3 and network attack vector requiring no privileges or user interaction, this enables unauthorized file access and potential data manipulation. EPSS score unavailable; no CISA KEV listing indicates no confirmed widespread exploitation. Vendor non-responsive to disclosure attempts.
PHP
Authentication Bypass
-
CVE-2026-6568
MEDIUM
CVSS 5.5
Path traversal in kodcloud KodExplorer 4.52 and earlier allows unauthenticated remote attackers to access unauthorized files via the public share handler's path parameter. Publicly available exploit code exists; EPSS data not provided, and the vulnerability is not listed in CISA KEV. The vendor did not respond to responsible disclosure, leaving all versions through 4.52 unpatched at time of analysis.
PHP
Path Traversal
-
CVE-2026-6562
MEDIUM
CVSS 5.5
SQL injection in dameng100 muucmf 1.9.5.20260309 allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the 'keyword' parameter in /index/Search/index.html. Public exploit code is available (thinhneee.github.io), increasing immediate exploitation risk. EPSS and KEV data not available, but CVSS 7.3 with network attack vector (AV:N), low complexity (AC:L), and no authentication required (PR:N) indicate high accessibility. Vendor (dameng100) has not responded to disclosure, suggesting no official patch timeline.
SQLi
-
CVE-2026-6559
MEDIUM
CVSS 5.3
Stored cross-site scripting (XSS) in Wavlink WL-WN579A3 wireless router allows remote unauthenticated attackers to inject malicious scripts via the Hostname parameter in /cgi-bin/login.cgi, affecting all firmware versions prior to 2026-03-10. The vulnerability requires user interaction (UI:R) to trigger payload execution in a victim's browser, limiting direct remote code execution but enabling credential theft, session hijacking, or malware distribution. A vendor patch was released promptly after responsible disclosure.
XSS
-
CVE-2026-0868
MEDIUM
CVSS 6.4
Stored cross-site scripting (XSS) in EMC - Easily Embed Calendly Scheduling Features WordPress plugin versions 4.4 and earlier allows authenticated contributors and above to inject arbitrary JavaScript into pages via insufficiently sanitized shortcode attributes, executing malicious scripts whenever site visitors access the affected pages. No public exploit code or active exploitation has been confirmed at analysis time.
WordPress
XSS
-
CVE-2026-6585
LOW
CVSS 2.1
Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated users to modify arbitrary organizations by manipulating the organisation_id parameter in the Organisation Update Endpoint, causing integrity and availability impact. Remote exploitation requires valid credentials and is limited to authenticated users (CVSS PR:L), but publicly available exploit code exists and the vendor has not responded to disclosure.
Authentication Bypass
-
CVE-2026-6584
LOW
CVSS 2.1
Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to modify user accounts by manipulating the user_id parameter in the User Update Endpoint (superagi/controllers/user.py), enabling unauthorized data modification and availability impact. Publicly available exploit code exists; the vendor has not responded to disclosure efforts.
Authentication Bypass
-
CVE-2026-6583
LOW
CVSS 2.1
Authorization bypass in TransformerOptimus SuperAGI API Key Management allows authenticated users to delete or edit arbitrary API keys beyond their own permissions, affecting versions up to 0.0.14. The vulnerability exists in the delete_api_key and edit_api_key endpoints and enables authenticated attackers to manipulate other users' credentials remotely with low complexity. Publicly available exploit code exists, and the vendor has not responded to early disclosure.
Authentication Bypass
-
CVE-2026-6578
LOW
CVSS 2.9
Liangliangyy DjangoBlog up to version 2.1.0.0 contains hard-coded credentials in the SECRET_KEY parameter within djangoblog/settings.py, allowing remote unauthenticated attackers to bypass authentication and encrypt/decrypt sensitive session data. The vulnerability has been publicly disclosed with exploit code available on GitHub, though the vendor did not respond to early disclosure notification. With a CVSS score of 5.6 and an AC:H rating, practical exploitation requires moderate technical effort but affects confidentiality, integrity, and availability.
Authentication Bypass
-
CVE-2026-6576
LOW
CVSS 2.1
Command injection in DjangoBlog WeChat Bot Interface allows authenticated remote attackers to execute arbitrary system commands by manipulating the Source argument in the CommandHandler function. Affected versions up to 2.1.0.0 are vulnerable. The exploit has been publicly disclosed on GitHub, and the vendor has not responded to early disclosure attempts. CVSS score of 6.3 reflects moderate severity with network-accessible attack vector requiring authentication.
Command Injection
-
CVE-2026-6573
LOW
CVSS 2.1
Server-side request forgery in PHPEMS 11.0 allows authenticated remote attackers to manipulate the uploadfile parameter in the Instant Exam Creation Handler component, enabling SSRF attacks that can access internal resources or perform unauthorized requests from the server. The vulnerability affects the temppage function in /app/exam/controller/exams.master.php and has public exploit code available, though exploitation requires valid user credentials (PR:L).
PHP
SSRF
-
CVE-2026-6572
LOW
CVSS 2.9
Improper authorization in Collabora KodExplorer up to version 4.52 allows remote unauthenticated attackers to bypass authentication via manipulation of the fileUpload parameter in the /app/controller/share.class.php endpoint, potentially enabling unauthorized file access or modification with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; however, the attack requires high complexity and is described as difficult to execute in practice, limiting real-world exploitation despite public disclosure and vendor non-responsiveness.
PHP
Authentication Bypass
-
CVE-2026-6571
LOW
CVSS 2.1
Kodcloud KodExplorer up to version 4.52 contains an authorization bypass vulnerability in the roleGroupAction function that allows authenticated remote attackers to manipulate the group_role parameter and gain unauthorized access to sensitive information and system modification capabilities. The vulnerability has a CVSS score of 6.3 with public exploit code available, and the vendor has not responded to early disclosure notifications, leaving deployed instances without official patching options.
PHP
Authentication Bypass
-
CVE-2026-6570
LOW
CVSS 2.0
Remote authorization bypass in KodCloud KodExplorer up to version 4.52 allows high-privileged authenticated attackers to manipulate the path argument in the initInstall function (/app/controller/systemMember.class.php), resulting in integrity compromise. The exploit code is publicly available, and the vendor has not responded to early disclosure notifications, leaving deployed instances vulnerable without official remediation guidance.
PHP
Authentication Bypass
-
CVE-2026-6564
LOW
CVSS 2.1
Improper authorization in EMQ EMQX Enterprise 6.0-6.1.0 allows authenticated remote attackers to trigger a denial-of-service condition via unspecified manipulation of the Session Handling component. CVSS 4.3 with attack vector AV:N/AC:L/PR:L reflects network-exploitable impact limited to availability; publicly available exploit code exists but active exploitation has not been confirmed by CISA KEV. The vendor has not responded to early disclosure notification.
Authentication Bypass
-
CVE-2026-6561
LOW
CVSS 2.0
EyouCMS versions up to 1.7.1 allow high-privileged attackers to upload arbitrary files via manipulation of the filename parameter in the edit_adminlogo function, leading to information disclosure and potential code execution. The vulnerability requires authenticated admin access and is publicly exploitable with proof-of-concept code available on GitHub; the vendor has not responded to disclosure attempts.
PHP
File Upload