162 CVEs tracked today. 18 Critical, 44 High, 62 Medium, 38 Low.
-
CVE-2026-32956
CRITICAL
CVSS 9.3
Remote code execution in silex technology SD-330AC and AMC Manager allows unauthenticated network attackers to execute arbitrary code via heap-based buffer overflow when processing redirect URLs. CVSS 9.3 critical severity with attack vector AV:N/AC:L/PR:N/UI:N indicates trivial exploitation against internet-facing devices. No public exploit identified at time of analysis, though JPCERT coordination suggests vendor-confirmed vulnerability. EPSS data not available; real-world risk depends on internet exposure of affected silex wireless bridge and management software installations.
RCE
Buffer Overflow
Heap Overflow
-
CVE-2026-39918
CRITICAL
CVSS 9.2
Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP code through the installation endpoint's subdir parameter, which is written directly into env.php without sanitization. The vulnerability enables complete system compromise as the web server user with no authentication required. Publicly available patch exists (version 1.0.8.1) with detailed fix commit reference.
PHP
RCE
Code Injection
-
CVE-2026-39109
CRITICAL
CVSS 9.4
SQL injection in Apartment Visitors Management System V1.1's login form allows remote unauthenticated attackers to bypass authentication and extract database contents via the username parameter. The vulnerability scores 9.4 CVSS with network attack vector and low complexity. Public exploit code exists (SSVC confirms POC status), making this immediately exploitable. EPSS data unavailable, but SSVC framework rates it as automatable with partial technical impact, indicating high practical risk for internet-exposed installations.
PHP
SQLi
N/A
-
CVE-2026-33557
CRITICAL
CVSS 9.1
Apache Kafka 4.1.0 and 4.1.1 accept forged JWT tokens without signature validation, allowing remote unauthenticated attackers to authenticate as any user and gain unauthorized access to Kafka resources. The default SASL/OAUTHBEARER validator (DefaultJwtValidator) fails to verify token signatures, issuers, or audiences, enabling complete authentication bypass. CVSS 9.1 (Critical) with network vector and no privileges required. SSVC indicates the vulnerability is automatable with partial technical impact. No active exploitation confirmed at time of analysis, but the attack requires minimal sophistication and could be scripted trivially given the token acceptance behavior.
Apache
Information Disclosure
Red Hat
-
CVE-2026-32965
HIGH
CVSS 8.7
SD-330AC wireless LAN modules and AMC Manager devices from silex technology allow unauthenticated remote attackers to modify device configuration using null-string passwords when devices remain in factory-default state. The CVSS 4.0 score of 8.7 (High) reflects a network-based attack vector with no authentication or user interaction required (AV:N/PR:N/UI:N) and high integrity impact. EPSS probability remains low at 0.03% (8th percentile), suggesting limited observed exploitation attempts. No active exploitation confirmed at time of analysis per available intelligence. The vulnerability class, CWE-1188 (insecure default initialization), represents a common industrial IoT security gap where devices ship with unsafe out-of-box configurations.
Information Disclosure
-
CVE-2026-32960
HIGH
CVSS 7.1
Authentication bypass in silex technology SD-330AC (≤1.42) and AMC Manager (≤5.0.2) allows remote attackers to gain unauthorized access by sending specially crafted packets that exploit residual sensitive data in memory. An attacker can log in without valid credentials due to improper clearing of authentication tokens or session data between requests. EPSS score of 0.03% (7th percentile) indicates low observed exploitation probability. JPCERT/CC reported this vulnerability, and the vendor advisory confirms patches are available. Requires user interaction (CVSS 4.0 UI:P), limiting automated exploitation.
Information Disclosure
-
CVE-2026-32959
HIGH
CVSS 8.2
Weak cryptographic implementation in Silex Technology SD-330AC wireless LAN adapters (v1.42 and earlier) and AMC Manager software (v5.0.2 and earlier) allows network-positioned attackers to intercept and decrypt network traffic through man-in-the-middle attacks. The vulnerability stems from use of broken or risky cryptographic algorithms (CWE-327), enabling confidentiality breach of transmitted data. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and CISA SSVC framework classifies this as non-exploited with non-automatable attacks requiring attacker positioning. No public exploit code or active exploitation reported at time of analysis.
Information Disclosure
-
CVE-2026-32955
HIGH
CVSS 8.7
Stack-based buffer overflow in silex technology's SD-330AC (Ver.1.42 and earlier) and AMC Manager (Ver.5.0.2 and earlier) enables authenticated remote attackers to execute arbitrary code on the device via maliciously crafted redirect URLs. Reported by JPCERT with vendor advisories published, though EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV), and SSVC assessment marks exploitation status as 'none' despite the critical nature of remote code execution capability.
RCE
Buffer Overflow
Stack Overflow
-
CVE-2026-32613
CRITICAL
CVSS 9.9
Remote code execution in Spinnaker's Echo service (all versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2) allows authenticated attackers with low privileges to execute arbitrary system commands and access files through unrestricted Spring Expression Language (SpEL) injection in artifact processing. Unlike Spinnaker's Orca service, which implemented SpEL sandbox restrictions, Echo permits full JVM class access, enabling attackers to invoke arbitrary Java classes for deep system compromise. The CVSS 9.9 score reflects network attack vector with low complexity, scope change to impact other components, and complete CIA triad compromise. EPSS and KEV data not available - exploitation status unknown but patches are available from the Spinnaker project.
RCE
Java
Code Injection
-
CVE-2026-32604
CRITICAL
CVSS 9.9
Remote code execution in Spinnaker's clouddriver component allows authenticated attackers to execute arbitrary commands on clouddriver pods via gitrepo artifact processing. Affects all versions prior to patched releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. The vulnerability enables credential theft, file manipulation, and resource injection with minimal complexity (CVSS 9.9, AV:N/AC:L/PR:L). EPSS data not available; no public exploit or active exploitation confirmed at time of analysis, but the attack simplicity and multi-cloud CD platform context create high risk for supply chain compromise in containerized environments.
Code Injection
-
CVE-2026-32311
CRITICAL
CVSS 9.3
Remote code execution with container escape in Flowsint OSINT tool allows unauthenticated attackers to execute arbitrary OS commands as root on the host machine. The vulnerability exploits shell metacharacter injection in the 'org_to_asn' transformer when processing organization nodes in OSINT sketches. With CVSS 9.3 (CVSS 4.0), network attack vector, low complexity, and no authentication required, this represents critical risk to any internet-exposed Flowsint instance. Upstream fix committed (b52cbbb904c) removes vulnerable code, but no tagged release version confirmed yet. CVSS vector indicates proof-of-concept exploit exists (E:P).
Docker
Command Injection
-
CVE-2026-30269
CRITICAL
CVSS 9.9
Privilege escalation in Doorman API gateway v0.1.0 and v1.0.2 allows authenticated users to elevate their role to high-privileged (non-admin) accounts by directly editing the 'role' field via the /platform/user/{username} endpoint. The vulnerability stems from missing authorization checks on self-service user updates - any valid login credential is sufficient to escalate privileges to roles like 'manager' or 'developer'. CVSS 9.9 (Critical) reflects the Changed scope and broad compromise potential. SSVC indicates proof-of-concept code exists but exploitation requires human interaction (not automatable), suggesting targeted rather than mass-exploitation risk. No CISA KEV listing at time of analysis.
Privilege Escalation
-
CVE-2026-29649
CRITICAL
CVSS 9.8
NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write to menvcfg can implicitly modify the hypervisor's environment configuration. This can lead to in...
Denial Of Service
-
CVE-2026-29646
CRITICAL
CVSS 9.8
OpenXiangShan NEMU emulator's RISC-V Hypervisor extension implementation allows VS-mode guest writes to the sie (supervisor interrupt-enable) CSR to corrupt machine-level mie state, breaking privilege isolation between virtualization layers. Fixed in commit 55295c4 per GitHub PR #938. Despite CVSS 9.8 Critical rating with network attack vector (AV:N), the EPSS score of 0.03% (9th percentile) indicates extremely low observed exploitation probability, and the vulnerability specifically affects RISC-V emulator environments rather than typical network-accessible services. No CISA KEV listing or public exploit identified at time of analysis, suggesting this is a theoretical high-severity issue in specialized research/development contexts rather than an imminent widespread threat.
Denial Of Service
N/A
-
CVE-2026-24467
CRITICAL
CVSS 9.0
Account takeover in OpenAEV cyber adversary simulation platform (versions 1.0.0 through 2.0.12) allows remote unauthenticated attackers to reset any user's password via non-expiring 8-digit reset tokens. By mass-generating tokens (which never expire) and brute-forcing the small token space, attackers can reliably compromise administrator accounts within minutes, leading to full platform compromise including modification of payloads executed on all agent-deployed hosts. EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor-released patch available in version 2.0.13.
Information Disclosure
-
CVE-2026-6644
CRITICAL
CVSS 9.4
Remote code execution in ASUSTOR ADM (ASUSTOR Data Master) operating system versions 4.1.0-4.3.3.RR42 and 5.0.0-5.1.2.REO1 allows authenticated administrators to inject arbitrary OS commands via the PPTP VPN Clients web interface. The command injection (CWE-78) bypasses the restricted web environment, enabling full system compromise. Attack complexity is low (AC:L) with network attack vector (AV:N), and CVSS 9.4 reflects critical impact across confidentiality, integrity, and availability. No active exploitation or public POC confirmed at time of analysis, though EPSS probability data not available.
RCE
Command Injection
-
CVE-2026-6257
CRITICAL
CVSS 9.2
Remote code execution in Vvveb CMS v1.0.8 allows authenticated administrators to execute arbitrary system commands as www-data via a two-stage file upload attack. Attackers exploit a logic flaw in the media management file rename handler that fails to block .php and .htaccess extensions, enabling MIME type manipulation followed by PHP code execution. VulnCheck published an advisory and GitHub commit 6fb8eaa confirms upstream fix. No EPSS data available; no active exploitation confirmed at time of analysis.
PHP
RCE
Apache
File Upload
-
CVE-2026-5964
CRITICAL
CVSS 9.3
SQL Injection in Digiwin EasyFlow .NET enables unauthenticated remote attackers to execute arbitrary SQL commands against the application database, allowing full compromise of data confidentiality, integrity, and availability. Taiwan CERT (TWCERT) publicly disclosed this critical vulnerability with CVSS 9.3 scoring, indicating network-accessible exploitation requiring no authentication or user interaction. No CISA KEV listing identified at time of analysis, suggesting either limited deployment scope or recent disclosure. EPSS data not provided, but CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation if product is internet-facing.
SQLi
-
CVE-2026-5963
CRITICAL
CVSS 9.3
Critical SQL injection in Digiwin EasyFlow .NET allows unauthenticated remote attackers to execute arbitrary SQL commands against the application database. With a CVSS 4.0 score of 9.3 and a network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete database compromise. Taiwan CERT reported this issue, indicating regional targeting or discovery. No active exploitation confirmed in CISA KEV at time of analysis, but the combination of trivial exploitation conditions and catastrophic impact warrants immediate priority.
SQLi
-
CVE-2026-5760
CRITICAL
CVSS 9.8
Remote code execution in SGLang 0.5.9's /v1/rerank endpoint allows unauthenticated attackers to execute arbitrary code by loading specially crafted model files with malicious Jinja2 templates. The vulnerability stems from unsandboxed rendering of tokenizer.chat_template fields, enabling template injection attacks. Publicly available exploit code exists (GitHub POC by Stuub). With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and SSVC ratings of automatable with total technical impact, this represents critical risk for exposed SGLang deployments handling untrusted model files.
RCE
Code Injection
-
CVE-2026-5450
CRITICAL
CVSS 9.8
Heap buffer overflow in glibc scanf functions versions 2.7 through 2.43 allows remote unauthenticated attackers to execute arbitrary code by providing malicious input to applications using %mc format specifiers with width >1024. CVSS 9.8 indicates critical network-accessible impact, but EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation activity at time of analysis. No CISA KEV listing confirms this as a theoretical risk requiring specific application usage patterns rather than widespread active exploitation. Successful exploitation depends on target applications parsing attacker-controlled input through affected scanf family functions with specific format string configurations.
Buffer Overflow
Heap Overflow
Red Hat
Suse
-
CVE-2026-5358
CRITICAL
CVSS 9.1
Buffer overflow in glibc's obsolete NIS authentication function allows remote attackers to compromise integrity and availability via spoofed UDP responses. Affects all glibc versions through 2.43, but exploitation requires the target application to actively use the deprecated nis_local_principal function (obsolete since glibc 2.26). EPSS score of 0.02% (5th percentile) indicates low real-world exploitation probability, consistent with the narrow attack surface of legacy NIS deployments. No active exploitation or public exploit code identified at time of analysis.
Buffer Overflow
Red Hat
Glibc
Suse
-
CVE-2026-41445
HIGH
CVSS 8.7
Heap buffer overflow in KissFFT library (all versions before commit 8a8e66e) enables remote code execution when applications process attacker-controlled FFT dimensions. Integer overflow in kiss_fftndr_alloc() causes malloc() to allocate undersized buffers, allowing heap memory corruption during multidimensional FFT operations. CVSS 8.8 (network vector, no authentication, user interaction required). EPSS and KEV data not provided; no public exploit confirmed at time of analysis. Upstream fix available via GitHub commit, but released patched version number not independently confirmed.
Buffer Overflow
Integer Overflow
Suse
-
CVE-2026-40488
HIGH
CVSS 8.7
Remote code execution in OpenMage Magento LTS versions before 20.17.0 allows authenticated attackers to upload executable PHP files through product custom options by bypassing an incomplete file extension blocklist. The vulnerability exists because the upload filter only blocks `.php` and `.exe` extensions, permitting alternative PHP-executable extensions like `.phtml`, `.phar`, `.php3-.php7`, and `.pht`. Uploaded files land in the publicly accessible `media/custom_options/quote/` directory, enabling code execution on servers without explicit script execution restrictions. No active exploitation confirmed (not in CISA KEV), but public disclosure via GitHub Security Advisory increases exploitation likelihood. EPSS data not provided.
RCE
Adobe
File Upload
-
CVE-2026-39454
HIGH
CVSS 8.5
Local privilege escalation in SKYSEA Client View (≤21.200.07j) and SKYMEC IT Manager (≤2024.005.10a) allows low-privileged users to execute arbitrary code with administrative privileges by exploiting insecure installation folder permissions. Attackers can write malicious files into the product directory, achieving full system compromise. EPSS score of 0.01% (2nd percentile) indicates low likelihood of widespread exploitation despite CVSS 8.5 severity. No active exploitation confirmed; CISA SSVC assessment marks exploitation status as 'none' and automatable as 'no', suggesting targeted attack potential rather than mass exploitation risk.
Privilege Escalation
RCE
-
CVE-2026-39111
HIGH
CVSS 7.5
SQL Injection in Apartment Visitors Management System v1.1 allows unauthenticated remote attackers to extract sensitive user data via the forgot-password.php email parameter. The vulnerability requires no authentication (PR:N), no user interaction (UI:N), and has low attack complexity (AC:L), enabling trivial exploitation against any internet-facing installation. EPSS data unavailable; not listed in CISA KEV. GitHub repository references suggest proof-of-concept code may exist, increasing immediate exploitation risk for the small but vulnerable user base of this PHP-based application.
PHP
SQLi
-
CVE-2026-39110
HIGH
CVSS 8.2
SQL injection in Apartment Visitors Management System v1.1 allows unauthenticated remote attackers to extract sensitive database contents via the contactno parameter on the password reset page. The vulnerability bypasses authentication controls through crafted input during password recovery operations. EPSS and KEV data not available, but SSVC framework indicates proof-of-concept exists and the vulnerability is automatable with partial technical impact. The CVSS score of 8.2 reflects high confidentiality impact with network-accessible attack surface requiring no user interaction.
PHP
SQLi
N/A
-
CVE-2026-34428
HIGH
CVSS 8.3
Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary local files via file:// URLs or probe internal network services via http:// URLs through the oEmbedProxy action's unvalidated url parameter. The vulnerability (CWE-918) enables information disclosure from the web server's filesystem and internal network reconnaissance. Patch available in version 1.0.8.1. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.
SSRF
-
CVE-2026-34427
HIGH
CVSS 8.7
Privilege escalation in Vvveb CMS versions prior to 1.0.8.1 allows authenticated low-privileged users to inject role_id=1 into profile save requests, escalating to Super Administrator and enabling plugin upload for remote code execution. Vendor patch available in version 1.0.8.1. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided; KEV status unknown. Public disclosure via VulnCheck advisory with commit-level fix details increases likelihood of exploitation attempts.
Privilege Escalation
RCE
-
CVE-2026-33626
HIGH
CVSS 7.5
Server-Side Request Forgery (SSRF) in InternLM LMDeploy's vision-language module allows remote unauthenticated attackers to access cloud metadata services, internal networks, and sensitive resources through unvalidated URL fetching in the load_image() function. Affects all versions prior to 0.12.3. EPSS score not available; no public exploit identified at time of analysis. Patch released in version 0.12.3.
SSRF
-
CVE-2026-33432
HIGH
CVSS 7.7
LDAP injection in Roxy-WI web management interface (all versions through 8.2.8.2) allows complete authentication bypass when LDAP authentication is enabled. Unauthenticated remote attackers can inject LDAP filter metacharacters into the username field to manipulate directory queries and access the application without valid credentials. Proof-of-concept code exists (CVSS:4.0 E:P). No vendor patch available at time of publication, affecting production deployments managing HAProxy, Nginx, Apache, and Keepalived infrastructure.
Authentication Bypass
Apache
Nginx
-
CVE-2026-33031
HIGH
CVSS 8.6
Disabled user accounts in Nginx UI versions before 2.3.4 retain full API access through previously issued JWT tokens for the entire token lifetime, allowing attackers with stolen credentials to maintain persistent access and create new accounts even after administrative remediation attempts. This authentication bypass enables continued confidentiality and integrity compromise of Nginx configurations despite account lockout. Reported by GitHub security advisories; no evidence of active exploitation (not in CISA KEV), but the token-reuse mechanism makes exploitation straightforward for attackers who have already obtained credentials.
Authentication Bypass
Nginx
-
CVE-2026-32135
HIGH
CVSS 7.7
Heap buffer overflow in NanoMQ MQTT Broker's REST API allows remote unauthenticated attackers to trigger denial of service via crafted HTTP requests. The off-by-one error in uri_param_parse function (CWE-122) affects all versions prior to 0.24.11. CVSS 7.7 (High) with network attack vector, low complexity, and no authentication required. Proof-of-concept exploit exists (CVSS E:P), though no CISA KEV listing indicates limited observed exploitation. Vendor patch available in version 0.24.11 with upstream fix committed (GitHub 69a97b3).
Buffer Overflow
Heap Overflow
-
CVE-2026-31430
HIGH
CVSS 7.1
Out-of-bounds read in the Linux kernel's X.509 certificate parser allows local unprivileged users to trigger memory corruption or denial of service by submitting a specially crafted certificate via the keyrings(7) API. The flaw exists in the handling of empty Basic Constraints or Key Usage extensions, where the first byte is dereferenced before the length check. A proof-of-concept was responsibly disclosed by the reporter, though no public exploit is identified at time of analysis and EPSS rates the exploitation probability as very low (0.01%).
Buffer Overflow
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-30266
HIGH
CVSS 7.8
Local privilege escalation in DeepCool DeepCreative software version 1.2.7 and earlier allows unauthenticated attackers to execute arbitrary code with elevated privileges through malicious file processing. The vulnerability stems from insecure permission configuration (CWE-277) requiring user interaction to open a crafted file. Public exploit research exists on GitHub (uncle-hash repository), though CISA has not confirmed active exploitation. CVSS 7.8 indicates high severity, but EPSS data unavailable; SSVC framework rates technical impact as total with no confirmed exploitation and non-automatable attack path.
RCE
-
CVE-2026-29648
HIGH
CVSS 8.8
Privilege escalation in OpenXiangShan NEMU allows authenticated local attackers to bypass state-enable isolation controls when Smstateen extension is enabled. Clearing mstateen0.ENVCFG fails to properly restrict access to henvcfg and senvcfg Control and Status Registers (CSRs), enabling less-privileged code to read or write privileged configuration registers without triggering required exceptions. This undermines virtualization boundaries and multi-privilege isolation in RISC-V processor emulation environments. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed, and publicly available exploit code exists via GitHub issue #690.
Privilege Escalation
N/A
-
CVE-2026-29645
HIGH
CVSS 7.5
NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings to be misinterpreted a...
Denial Of Service
-
CVE-2026-29643
HIGH
CVSS 7.1
Control-flow disruption in XiangShan open-source RISC-V processor allows local authenticated attackers to trigger denial of service through malformed CSR operations that fail to properly invoke trap handlers. Affected commits from November 2024 contain improper exception handling in the NewCSR subsystem that can leave the processor core in a hung state when targeting non-existent CSR addresses. GitHub issue #3959 and pull request #3966 document the flaw and proposed fix. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability. No public exploit code identified and not listed in CISA KEV, suggesting primarily theoretical risk limited to specialized RISC-V development environments.
Denial Of Service
N/A
-
CVE-2026-29642
HIGH
CVSS 7.8
Privileged CSR manipulation in XiangShan RISC-V processor core (commit aecf601e80, 2024-11-19) allows local attackers with M-mode access to corrupt processor status registers by exploiting improper handling of WPRI (Write Preserve, Read Ignore) fields in menvcfg operations. Carefully crafted csrrs instructions targeting menvcfg unexpectedly set reserved bits in xstatus to 1, violating RISC-V specification requirements that WPRI fields remain unchanged during CSR operations. Upstream fix committed (5e3dd63) but released version not confirmed. EPSS score 5th percentile indicates low real-world exploitation probability despite theoretical high impact, with no active exploitation or public POC identified.
Information Disclosure
N/A
-
CVE-2026-26944
HIGH
CVSS 8.8
Missing authentication in Dell PowerProtect Data Domain 7.7.1.0-8.6 and LTS releases allows remote unauthenticated attackers to execute arbitrary commands with root privileges when combined with user interaction. Affects enterprise backup appliances across multiple release branches including LTS2025 (8.3.1.0-8.3.1.20) and LTS2024 (7.13.1.0-7.13.1.60). CVSS 8.8 with network vector but requires user interaction (UI:R), reducing immediate automation risk. No EPSS or KEV data available at time of analysis, indicating vulnerability is newly disclosed. Dell security advisory DSA-2026-060 confirms patch availability.
Authentication Bypass
Dell
-
CVE-2026-26943
HIGH
CVSS 7.2
OS command injection in Dell PowerProtect Data Domain allows authenticated administrative users with network access to execute arbitrary commands with root privileges. Affects multiple release branches (7.7.1.0-8.6, LTS2025 8.3.1.0-8.3.1.20, LTS2024 7.13.1.0-7.13.1.60). Dell released patches across all affected branches (8.6.1.10, 7.13.1.70, 8.3.1.30). EPSS data unavailable; no KEV listing or public exploit identified at time of analysis. While CVSS 7.2 reflects high impact, exploitation requires pre-existing high-privilege administrative credentials, significantly limiting real-world attack surface to insider threats or credential compromise scenarios.
Command Injection
Dell
-
CVE-2026-25524
HIGH
CVSS 8.1
Remote code execution in OpenMage Magento LTS versions prior to 20.17.0 allows unauthenticated attackers to execute arbitrary code by uploading malicious phar archives disguised as images and triggering PHP deserialization via phar:// stream wrappers. The attack requires high complexity (AC:H) to exploit successfully. EPSS data not available, but exploitation requires specific conditions around file upload and path manipulation. Vendor patch available in version 20.17.0, confirmed by GitHub security advisory GHSA-fg79-cr9c-7369.
PHP
RCE
Deserialization
Adobe
-
CVE-2026-25058
HIGH
CVSS 7.5
Unauthenticated access to meeting transcripts in Vexa transcription-collector service versions before 0.10.0-260419-1910 allows remote attackers to retrieve sensitive business conversations, credentials, and personally identifiable information. The service exposes an internal endpoint without authentication, enabling enumeration of meeting IDs and bulk extraction of confidential data. No public exploit identified at time of analysis, but exploitation requires only standard HTTP requests with no special conditions (CVSS AV:N/AC:L/PR:N/UI:N).
Authentication Bypass
-
CVE-2026-24506
HIGH
CVSS 7.2
OS command injection in Dell PowerProtect Data Domain versions 7.7.1.0-8.6, LTS2025 8.3.1.0-8.3.1.20, and LTS2024 7.13.1.0-7.13.1.60 allows high-privileged remote attackers to execute arbitrary commands as root. Network-accessible exploitation requires existing administrative credentials but minimal attack complexity (CVSS:3.1/AV:N/AC:L/PR:H). No active exploitation confirmed (not in CISA KEV). Vendor patch available per DSA-2026-060, addressing CWE-78 command injection weakness in multiple product streams including LTS releases.
Command Injection
Dell
-
CVE-2026-24505
HIGH
CVSS 7.2
Arbitrary command execution with root privileges in Dell PowerProtect Data Domain versions 8.5 through 8.6 allows high-privileged remote attackers to escalate from administrative access to full system control via improper input validation. Dell has released patches (versions 2.7.9 with DD OS 8.3.1.30, and 8.6.1.10+) per DSA-2026-060. EPSS data not available, not listed in CISA KEV, suggesting targeted risk rather than widespread exploitation. The network attack vector (AV:N) combined with high privilege requirement (PR:H) indicates this is an admin-to-root escalation vulnerability rather than initial access.
Information Disclosure
Dell
-
CVE-2026-24504
HIGH
CVSS 7.2
Root-level command injection in Dell PowerProtect Data Domain versions 7.7.1.0-8.6, 8.3.1.0-8.3.1.20 (LTS2025), and 7.13.1.0-7.13.1.60 (LTS2024) allows high-privileged remote attackers to execute arbitrary commands as root through improper input validation. Vendor patch available via DSA-2026-060. EPSS and KEV data not provided; CVSS 7.2 reflects high impact but requires existing high-level authentication, limiting real-world exploitation to scenarios where admin credentials are already compromised or insider threats exist.
Information Disclosure
Dell
-
CVE-2026-23774
HIGH
CVSS 7.2
OS command injection in Dell PowerProtect Data Domain allows remote high-privileged attackers to execute arbitrary commands on DD OS versions 7.7.1.0-8.5, LTS2025 8.3.1.0-8.3.1.10, and LTS2024 7.13.1.0-7.13.1.40. Dell published DSA-2026-060 addressing this CWE-78 flaw with CVSS 7.2 (high impact on confidentiality, integrity, availability). No public exploit identified at time of analysis. Post-authentication requirement (PR:H) reduces immediate risk for environments with strong privileged access controls, but network attack vector (AV:N) enables remote exploitation once administrative credentials are obtained.
Command Injection
Dell
-
CVE-2026-6643
HIGH
CVSS 8.6
Remote code execution in ASUSTOR ADM (4.1.0-4.3.3.RR42 and 5.0.0-5.1.2.REO1) allows authenticated high-privilege attackers to execute arbitrary code via stack-based buffer overflow in VPN client components. The vulnerability combines unbounded sscanf() calls with format string weaknesses (printf with user-controlled data), exploitable due to absent PIE and stack canary protections. EPSS exploitation probability is low (0.23%, 46th percentile) with no public exploit code identified at time of analysis, suggesting limited real-world targeting despite high CVSS score.
RCE
Buffer Overflow
Stack Overflow
-
CVE-2026-6632
HIGH
CVSS 7.4
Buffer overflow in Tenda F451 router firmware 1.0.0.7_cn_svn7958 allows authenticated remote attackers to achieve complete compromise via the SafeClientFilter function. The httpd service improperly validates 'menufacturer' and 'Go' parameters, enabling memory corruption that leads to code execution with firmware-level privileges. A public exploit (GitHub PoC) exists, but no CISA KEV listing indicates exploitation remains proof-of-concept rather than widespread. EPSS data unavailable; CVSS 7.4 reflects network attack vector with low complexity, though low-privilege authentication is required.
Buffer Overflow
Tenda
-
CVE-2026-6631
HIGH
CVSS 7.4
Buffer overflow in Tenda F451 router (version 1.0.0.7_cn_svn7958) allows authenticated remote attackers to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. The vulnerability exists in the httpd component's webExcptypemanFilter function, exploitable via malicious 'page' parameter input to /goform/webExcptypemanFilter. Public exploit code is available on GitHub (CVSS 7.4, CWE-120). EPSS data not provided, not listed in CISA KEV. This targets a specific legacy Chinese firmware version of a consumer-grade router with known end-of-life support issues.
Buffer Overflow
Tenda
-
CVE-2026-6630
HIGH
CVSS 7.4
Remote buffer overflow in Tenda F451 router (version 1.0.0.7_cn_svn7958) allows authenticated attackers to achieve arbitrary code execution via crafted DHCP server configuration requests. The vulnerability exists in the httpd service's /goform/GstDhcpSetSer endpoint, exploitable by manipulating the 'dips' parameter. Public exploit code is available on GitHub, significantly lowering exploitation barriers for authenticated attackers with network access to the router's management interface.
Buffer Overflow
Tenda
-
CVE-2026-6249
HIGH
CVSS 8.7
Remote code execution in Vvveb CMS 1.0.8 allows authenticated attackers with low privileges to upload PHP webshells disguised with .phtml extensions, bypassing file type restrictions to achieve full server compromise. The vulnerability stems from inadequate file upload validation in the media handler, enabling malicious files in publicly accessible directories. Upstream fix available via GitHub commit; EPSS data unavailable, no CISA KEV listing at time of analysis.
PHP
RCE
File Upload
-
CVE-2026-6248
HIGH
CVSS 8.1
Arbitrary file deletion in wpForo Forum plugin versions ≤3.0.5 allows authenticated attackers with subscriber-level privileges to delete critical WordPress files including wp-config.php, enabling remote code execution. The vulnerability chains two flaws: unvalidated file paths in custom profile fields and insufficient path sanitization before file deletion. Exploitation requires the wpForo User Custom Fields addon with at least one file-type custom field configured. CVSS 8.1 (High) with network attack vector, low complexity, and low privilege requirements. EPSS data and active exploitation status not available in current intelligence.
PHP
WordPress
RCE
Path Traversal
-
CVE-2026-6066
HIGH
CVSS 7.1
Unencrypted client-server communications in ConnectWise Automate Solution Center expose sensitive data to network interception in all versions before 2026.4. Remote authenticated attackers with network access can capture Solution Center traffic containing potentially high-value confidential information (CVSS:3.1 C:H). No active exploitation confirmed at time of analysis. EPSS data unavailable for this recent CVE.
Information Disclosure
-
CVE-2026-5967
HIGH
CVSS 8.7
OS command injection in TeamT5 ThreatSonar Anti-Ransomware ≤4.0.0 allows authenticated remote attackers with shell access to escalate privileges to root. Despite the high CVSS score (8.7), exploitation requires legitimate shell access and low-privilege authentication, limiting attack surface to environments where ransomware protection agents are accessible to compromised accounts. EPSS probability is low (0.12%, 32nd percentile), and no active exploitation or public POC has been identified. Taiwan CERT published advisories, suggesting regional deployment significance.
Privilege Escalation
Command Injection
-
CVE-2026-5966
HIGH
CVSS 7.2
Path traversal in TeamT5 ThreatSonar Anti-Ransomware versions ≤4.0.0 allows authenticated remote attackers with web access to delete arbitrary system files, potentially disabling security protections or causing system instability. With CVSS 7.2 (High Integrity and Availability impact), this poses significant risk to security infrastructure despite requiring authentication. EPSS score of 0.31% suggests low immediate exploitation likelihood, and CISA SSVC classifies it as non-automatable with total technical impact but no confirmed exploitation.
Path Traversal
-
CVE-2026-5928
HIGH
CVSS 7.5
Out-of-bounds read in GNU C Library (glibc) versions 2.1.1 through 2.43 during wide character pushback operations can cause application crashes and potential information disclosure. The ungetwc() function incorrectly operates on the regular character buffer instead of the wide-stream buffer due to an implementation bug in _IO_wdefault_pbackfail, leading to reads before allocated memory regions. While CVSS rates this 7.5 High with network vector, EPSS exploitation probability is extremely low (0.02%, 5th percentile), reflecting the highly specialized conditions required: applications must use ungetwc() with character encodings having single-byte/multi-byte overlaps (not standard Unicode sets). No active exploitation confirmed (not in CISA KEV), no public exploit code identified at time of analysis.
Denial Of Service
Red Hat
Suse
-
CVE-2026-5478
HIGH
CVSS 8.1
Path traversal in Everest Forms (WordPress plugin) allows unauthenticated attackers to read and delete arbitrary files on the server through malicious form submissions containing crafted old_files parameters. Vulnerable versions ≤3.4.4 use regex-based path resolution without canonicalization, enabling attackers to traverse directories, exfiltrate wp-config.php via email attachments (exposing database credentials and authentication salts), and trigger automatic deletion of targeted files post-email. CVSS 8.1 (AV:N/AC:H) reflects the remote vector with high attack complexity. EPSS and KEV status not provided; proof-of-concept details available in Wordfence advisory and plugin source code references.
PHP
WordPress
Denial Of Service
Path Traversal
-
CVE-2026-4048
HIGH
CVSS 8.4
OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' permissions to execute arbitrary commands via malicious WAF rule file uploads. The attacker exploits unsanitized input during the file upload process in the web UI. With CVSS 8.4 and scope change to 'Changed', successful exploitation enables complete system compromise beyond the vulnerable component. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis. EPSS data not available for risk assessment.
RCE
Command Injection
File Upload
-
CVE-2026-3519
HIGH
CVSS 8.4
Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allows authenticated administrators with 'VS Administration' privileges to execute arbitrary operating system commands on the appliance via unsanitized input to the 'aclcontrol' API command. CVSS 8.4 reflects high-privilege requirement but scope change indicates container escape or cross-boundary impact. EPSS data not provided. No public exploit identified at time of analysis. Vendor-released patch: version 7.2.63.0 for all affected products per Progress advisory.
RCE
Command Injection
-
CVE-2026-3518
HIGH
CVSS 8.4
OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager API allows authenticated attackers with 'All' permissions to execute arbitrary commands on appliances via unsanitized input in the 'killsession' API endpoint. CVSS 8.4 (High) reflects the adjacent network access vector and high-privilege requirement, limiting exploitation to administrators or compromised admin accounts. CISA SSVC assessment indicates no active exploitation, non-automatable attack, but total technical impact. EPSS data not provided, but privilege requirements significantly reduce real-world attack surface compared to unauthenticated RCE vulnerabilities.
RCE
Command Injection
-
CVE-2026-3517
HIGH
CVSS 8.4
Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration permissions to execute arbitrary OS commands on appliances via the unsanitized 'addcountry' API parameter. Affects LoadMaster, ECS Connections Manager, MOVEit WAF, and Object Scale Connection Manager versions prior to 7.2.63.0. EPSS data unavailable; not listed in CISA KEV. CVSS 8.4 reflects high impact (complete system compromise) but requires adjacent network access and high-privilege authentication, significantly constraining real-world exploitation scenarios. Vendor has released patches addressing all affected products.
RCE
Command Injection
-
CVE-2026-41389
MEDIUM
CVSS 6.3
OpenClaw versions 2026.4.7 through 2026.4.14 fail to enforce path containment on tool-result media references, enabling attackers to craft malicious tool-result inputs that trigger arbitrary local file reads or Windows UNC path access without authentication. An attacker can disclose sensitive files or extract credentials by exploiting this path-traversal weakness in the tool-result processing logic, requiring only network access and the ability to provide crafted tool-result media parameters to an exposed endpoint.
Information Disclosure
Microsoft
-
CVE-2026-41282
MEDIUM
CVSS 4.0
DSL expression injection in ProjectDiscovery Nuclei before 3.8.0 allows remote code execution when using the -env-vars flag with multi-step templates against untrusted targets. An attacker can inject malicious expressions into environment variables that are evaluated as Nuclei DSL code, achieving arbitrary code execution with the privileges of the Nuclei process. This vulnerability requires non-default configuration (explicit -env-vars usage) and high attack complexity, limiting real-world impact despite the RCE tag.
RCE
Code Injection
-
CVE-2026-41245
MEDIUM
CVSS 5.9
Path traversal in Junrar library versions prior to 7.5.10 allows remote attackers to write arbitrary files into sibling directories by extracting a crafted RAR archive, enabling unauthorized file creation and potential code injection. The vulnerability requires high attack complexity (AC:H) but no authentication or user interaction, affecting any Java application using vulnerable Junrar versions to process untrusted RAR files. Vendor-released patch: version 7.5.10.
Java
Path Traversal
Red Hat
-
CVE-2026-40896
MEDIUM
CVSS 6.5
OpenProject versions prior to 17.3.0 allow authenticated users with manage_agendas permission in any single project to inject malicious agenda items into meetings across all other projects on the instance, including projects to which the attacker has no access. The vulnerability requires only valid project membership with limited permissions and no knowledge of target meetings, enabling an attacker to systematically compromise meeting integrity across an entire OpenProject deployment. No public exploit code has been identified, and the vendor has released patched version 17.3.0 addressing this privilege escalation flaw.
Code Injection
-
CVE-2026-40098
MEDIUM
CVSS 5.3
Magento LTS prior to version 20.17.0 allows authenticated attackers to access private wishlist items from other users via an authorization bypass in the shared wishlist add-to-cart endpoint. The vulnerability permits an attacker with a valid sharing code for one wishlist to import items from a different victim's wishlist into their cart by manipulating the wishlist_item_id parameter, potentially exposing private custom option data and enabling cross-user file disclosure when file upload custom options are present. CVSS 5.3 (AV:N/AC:L/PR:L) indicates network-accessible exploitation requiring low privileges; patch version 20.17.0 resolves the issue.
Authentication Bypass
Adobe
-
CVE-2026-39112
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in Apartment Visitors Management System v1.1 allows authenticated attackers to inject malicious JavaScript via the visname parameter in visitors-form.php, which executes when other users view the injected data in manage-newvisitors.php or visitor-detail.php. The vulnerability requires user interaction (victim visiting affected pages) and valid authentication but can escalate privileges, steal session tokens, or perform actions on behalf of administrative users viewing visitor records.
PHP
XSS
-
CVE-2026-35154
MEDIUM
CVSS 6.3
Dell PowerProtect Data Domain appliances versions 7.7.1.0-8.7.0.0, LTS2025 8.3.1.0-8.3.1.20, and LTS2024 7.13.1.0-7.13.1.60 contain an improper privilege management vulnerability in iDRAC that allows a high-privileged local attacker with user interaction to elevate privileges and perform unauthorized delete operations. The vulnerability requires high privileges and local access combined with user interaction, limiting real-world attack surface primarily to insider threats or physical facility access scenarios.
Privilege Escalation
Dell
-
CVE-2026-34429
MEDIUM
CVSS 5.1
Stored cross-site scripting in Vvveb prior to 1.0.8.1 allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript in administrator browsers by bypassing MIME type validation with a GIF89a header prepend, renaming files to .html extensions, and injecting malicious payloads that can create backdoor accounts or upload remote code execution plugins. Publicly available exploit code exists and vendor-released patch 1.0.8.1 is available. Real-world risk is moderate due to authentication requirement and required user interaction (administrator must visit malicious page), but privilege escalation path to RCE via plugin upload makes this a critical persistence vector.
XSS
RCE
-
CVE-2026-34403
MEDIUM
CVSS 5.5
nginx-ui before version 2.3.5 allows Cross-Site WebSocket Hijacking (CSWSH) attacks due to improper WebSocket origin validation and insecurely configured authentication cookies. An attacker can trick a logged-in administrator into visiting a malicious webpage that establishes authenticated WebSocket connections to the target nginx-ui instance, enabling information disclosure and administrative actions without explicit user consent. Version 2.3.5 patches the issue; no public exploit code or active exploitation confirmed at time of analysis.
Information Disclosure
Nginx
-
CVE-2026-34082
MEDIUM
CVSS 5.3
Dify prior to version 1.13.1 allows any authenticated user to delete other users' chat histories via the DELETE /console/api/installed-apps/<appId>/conversations/<conversationId> endpoint due to insufficient authorization checks. An authenticated attacker can target any conversation ID to perform unauthorized deletion, resulting in data loss for other users. This vulnerability requires valid Dify authentication but no special privileges, affecting all vulnerable versions via network access.
Authentication Bypass
-
CVE-2026-33558
MEDIUM
CVSS 5.3
Apache Kafka's NetworkClient component logs entire request and response payloads at DEBUG level, exposing sensitive authentication credentials, delegation tokens, and configuration data in plaintext logs. This affects Kafka versions 0.11.0 through 3.9.1 and 4.0.0 across the broker and client libraries. While DEBUG logging is not enabled by default (INFO is the standard), organizations that enable DEBUG logging for troubleshooting inadvertently create persistent records of authentication material and secrets that can be harvested by local log readers or accessed via log aggregation systems. CVSS 5.3 reflects low network attack surface (requires prior DEBUG enablement), but SSVC rates this as automatable with partial technical impact, suitable for prioritization in environments using centralized logging.
Apache
Information Disclosure
-
CVE-2026-33431
MEDIUM
CVSS 5.7
Roxy-WI versions prior to 8.2.6.4 allow authenticated attackers to read arbitrary files via path traversal in the POST /config/<service>/show API endpoint. The configver parameter is directly concatenated into a file path without proper validation, permitting directory escape sequences (../) to bypass the existing path guard. An authenticated user can exploit this to access sensitive configuration files and other data readable by the web application process.
Apache
Path Traversal
Nginx
-
CVE-2026-32964
MEDIUM
CVSS 6.9
CRLF injection in Silex Technology SD-330AC and AMC Manager allows unauthenticated remote attackers to inject arbitrary configuration entries via crafted input, degrading system integrity and availability. The vulnerability affects all versions of both products and requires no authentication or user interaction, with public disclosure through JPCERT and vendor advisories indicating elevated awareness in production environments.
Code Injection
-
CVE-2026-32963
MEDIUM
CVSS 5.1
Reflected cross-site scripting (XSS) in Silex Technology SD-330AC and AMC Manager allows remote attackers to execute arbitrary JavaScript in users' browsers when they visit crafted web pages after authenticating to the affected device. The vulnerability requires user interaction and affects both products across all versions. No patch release or active exploitation status has been confirmed.
XSS
-
CVE-2026-32962
MEDIUM
CVSS 6.9
SD-330AC and AMC Manager by Silex Technology lack authentication controls on critical configuration functions, allowing remote attackers to modify device settings without credentials. The CVSS score of 5.3 reflects network-accessible integrity impact with no complexity barrier, though confidentiality and availability are not directly affected. No active exploitation has been confirmed in CISA KEV or public exploit repositories at the time of analysis.
Authentication Bypass
-
CVE-2026-32961
MEDIUM
CVSS 6.9
Heap-based buffer overflow in Silex SD-330AC and AMC Manager packet processing allows remote unauthenticated attackers to trigger a temporary denial-of-service condition via crafted network packets to the sx_smpd service. CVSS score is 5.3 (moderate) with confirmed active reporting by JPCERT, though no public exploit code or CISA KEV listing is evident from available data. Attack requires only network access and no authentication or user interaction.
Buffer Overflow
Heap Overflow
-
CVE-2026-32958
MEDIUM
CVSS 6.9
Hard-coded cryptographic keys in Silex Technology SD-330AC and AMC Manager enable attackers to forge firmware updates that administrative users may be tricked into applying via social engineering, allowing arbitrary firmware installation without detection. The vulnerability affects all versions of both products and exploits a fundamental key management flaw (CWE-321). While the CVSS score of 6.5 reflects network accessibility and high integrity impact, real-world exploitation requires user interaction (UI:R) to convince an administrator to install malicious firmware.
Information Disclosure
-
CVE-2026-32957
MEDIUM
CVSS 6.9
Unauthenticated arbitrary file upload in Silex Technology SD-330AC and AMC Manager firmware maintenance functions allows remote attackers to upload malicious files without credentials, potentially leading to device compromise or unauthorized firmware modification. The CVSS score of 5.3 reflects limited integrity impact in a network-accessible service with no authentication requirement, though the real-world risk depends on what actions an attacker can perform post-upload.
Authentication Bypass
-
CVE-2026-31429
MEDIUM
CVSS 5.5
Cross-cache slab free in the Linux kernel's socket buffer (SKB) subsystem allows a local authenticated attacker to trigger a kernel panic and denial of service on systems where KFENCE is enabled. When KFENCE intercepts a kzalloc() call whose requested size exactly matches SKB_SMALL_HEAD_CACHE_SIZE, the computed skb_end_offset misleads skb_kfree_head() into freeing the object to skb_small_head_cache instead of the originating kmalloc cache, corrupting slab allocator state. No public exploit is identified at time of analysis and EPSS is 0.02% (4th percentile), placing this firmly in the low-urgency tier absent a KFENCE-enabled production environment.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-29647
MEDIUM
CVSS 6.5
OpenXiangShan NEMU fails to properly enforce Smstateen permission controls, allowing authenticated local users to access IMSIC (Incoming Message Signal Interrupt Controller) state through stopei/vstopei CSRs despite mstateen0.IMSIC being cleared. This privilege escalation enables cross-context information disclosure of interrupt state and potential disruption of interrupt handling mechanisms in lower-privileged execution contexts.
Privilege Escalation
N A
-
CVE-2026-28684
MEDIUM
CVSS 6.6
Local privilege escalation in python-dotenv before version 1.2.2 allows authenticated users to overwrite arbitrary files via symlink following in the set_key() and unset_key() functions when a cross-device rename fallback is triggered. An attacker with local access and the ability to write to the filesystem can create malicious symlinks that python-dotenv will follow during .env file rewriting, leading to unintended file modification or deletion. The vulnerability requires user interaction (the application must call set_key() or unset_key()) but affects any system using vulnerable versions of the library. No public exploit code or active exploitation has been reported at time of analysis.
Python
Information Disclosure
Red Hat
Suse
-
CVE-2026-26951
MEDIUM
CVSS 6.7
Stack-based buffer overflow in Dell PowerProtect Data Domain versions 7.7.1.0-8.6, LTS2025 8.3.1.0-8.3.1.20, and LTS2024 7.13.1.0-7.13.1.60 allows high-privileged local attackers to execute arbitrary commands as root. The vulnerability requires local access and elevated privileges, limiting exposure to insider threats or compromised administrative accounts rather than remote attackers. No public exploit has been identified at time of analysis.
Buffer Overflow
Stack Overflow
Dell
-
CVE-2026-26942
MEDIUM
CVSS 6.7
OS command injection in Dell PowerProtect Data Domain versions 8.5 through 8.6 allows high-privileged remote attackers to execute arbitrary commands with root privileges by exploiting improper neutralization of special elements in OS command processing. This vulnerability requires high privilege level access but, once exploited, grants full system compromise. No active exploitation or public exploit code has been identified at time of analysis, but vendor has released patches addressing the issue.
Command Injection
Dell
-
CVE-2026-26399
MEDIUM
CVSS 5.3
A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the functio...
Buffer Overflow
-
CVE-2026-25883
MEDIUM
CVSS 5.8
Server-Side Request Forgery in Vexa meeting bot allows unauthenticated remote attackers to forge HTTP POST requests to arbitrary internal URLs (Redis, databases, cloud metadata endpoints) via unvalidated webhook configuration, enabling credential theft and lateral movement. CVSS 5.8 with network attack vector and no user interaction required. Fixed in version 0.10.0-260419-1910.
SSRF
Redis
-
CVE-2026-25525
MEDIUM
CVSS 4.9
OpenMage LTS Dataflow module prior to version 20.17.0 allows authenticated administrators to read arbitrary files via a bypassable path traversal filter that uses simple string replacement (`str_replace('../', '', $input)`). Attackers can circumvent the blacklist by using nested patterns like `..././` or `....//` which resolve to valid `../` sequences after filtering. Remote administrative access is required, but the high confidentiality impact and confirmed patch availability make immediate patching necessary for affected deployments.
Path Traversal
Adobe
-
CVE-2026-24468
MEDIUM
CVSS 5.3
User enumeration via timing/response code discrepancy in OpenAEV /api/reset endpoint allows unauthenticated remote attackers to reliably discover registered email addresses by observing HTTP 400 vs HTTP 200 responses. Affected versions 1.11.0 through 2.0.12 expose account lists without authentication; no active exploitation confirmed but the vulnerability requires trivial effort to exploit at scale. Fixed in version 2.0.13.
Information Disclosure
-
CVE-2026-23758
MEDIUM
CVSS 6.4
GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject persistent JavaScript into ticket subject fields via inadequate sanitization in the editsubject POST parameter, enabling arbitrary script execution when other staff or administrators view affected tickets. The vulnerability impacts confidentiality and integrity within the application's scope, with exploitation confirmed possible but requiring valid staff credentials and user interaction (viewing the malicious ticket). Patch version 4.99.9 or later is available from the vendor.
XSS
-
CVE-2026-23757
MEDIUM
CVSS 5.1
Stored cross-site scripting in GFI HelpDesk before version 4.99.10 allows authenticated attackers to inject arbitrary JavaScript into report titles via the Reports module, with payload execution triggered when staff members access the report link in the Manage Reports interface. The vulnerability requires attacker authentication and user interaction (clicking the report link), limiting real-world impact to internal staff compromise scenarios rather than mass exploitation. Patch is available from the vendor.
XSS
-
CVE-2026-23756
MEDIUM
CVSS 5.1
Stored cross-site scripting in GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject arbitrary JavaScript via the Troubleshooter step subject field, with execution occurring when any user views the affected step. The vulnerability stems from unsanitized POST parameter handling in Controller_Step.InsertSubmit() and EditSubmit() methods, enabling persistent payload storage and broad user impact within the application.
XSS
-
CVE-2026-23753
MEDIUM
CVSS 4.8
GFI HelpDesk before version 4.99.9 contains a stored cross-site scripting vulnerability in language management where the charset POST parameter is not HTML-sanitized before being rendered by the View_Language.RenderGrid() function. An authenticated administrator can inject arbitrary JavaScript through the charset field when creating or editing a language, with the payload executing in the browsers of other administrators viewing the Languages page. This is a medium-risk vulnerability limited to authenticated administrators but affecting any admin viewer.
XSS
-
CVE-2026-23752
MEDIUM
CVSS 4.8
GFI HelpDesk before version 4.99.9 allows authenticated administrators to inject stored cross-site scripting (XSS) payloads via the companyname parameter in template group creation and editing, with malicious scripts executing in the browsers of other administrators viewing the Templates > Groups page. The attack requires administrative credentials and user interaction (victim viewing the affected page), but succeeds against all administrator accounts with access to that interface.
XSS
-
CVE-2026-22761
MEDIUM
CVSS 6.7
Dell PowerProtect Data Domain versions 8.5 through 8.6 contain a local command injection vulnerability (CWE-78) allowing high-privileged remote attackers to execute arbitrary commands with root privileges. The attack requires local access and elevated privileges (CVSS PR:H) but results in complete system compromise through unauthenticated code execution. No public exploit code has been identified, and CVSS 6.7 reflects the significant privilege barrier despite high impact.
Command Injection
Dell
-
CVE-2026-6729
MEDIUM
CVSS 5.3
Session key derivation in HKUDS OpenHarness prior to PR #159 fails to verify sender identity in shared chat/thread scopes, allowing authenticated users to hijack other participants' sessions and disrupt their active tasks through collision attacks on the shared ohmo session key. The vulnerability requires prior authentication and network access but enables lateral privilege escalation within collaborative environments. No public exploit code has been identified, though the fix is available via upstream commit 3186851c.
Authentication Bypass
-
CVE-2026-6662
MEDIUM
CVSS 5.5
Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint without authentication, enabling cross-domain requests from untrusted origins. The vulnerability exists in the cors function of src/server.ts and permits information disclosure with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, elevating real-world risk despite the moderate CVSS 6.9 score.
Information Disclosure
Cors Misconfiguration
-
CVE-2026-6654
MEDIUM
CVSS 5.1
Double-free and use-after-free vulnerability in Mozilla's thin_vec Rust crate allows local attackers to read sensitive memory via panic-induced length corruption in IntoIter::drop and ThinVec::clear functions. The vulnerability occurs when a panic in ptr::drop_in_place fails to reset the vector length to zero, leaving dangling pointers accessible to subsequent operations. Affected applications linking thin_vec versions prior to the patched release face local information disclosure risk with low real-world exploitation probability (EPSS 0.02%).
Information Disclosure
-
CVE-2026-6635
MEDIUM
CVSS 5.5
Improper authentication in rowboatlabs rowboat (versions up to 0.1.67) allows remote unauthenticated attackers to bypass authentication by manipulating the X-Tools-JWE header in the tools_webhook component. The vulnerability enables unauthorized access with low confidentiality, integrity, and availability impact. A public exploit exists (CVSS E:P). The vendor did not respond to early disclosure attempts. EPSS data unavailable; not listed in CISA KEV, suggesting limited widespread exploitation despite public POC.
Authentication Bypass
-
CVE-2026-6629
MEDIUM
CVSS 5.5
SQL injection in Metasoft MetaCRM versions up to 6.4.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the 'sql' parameter in the sql.jsp interface endpoint. Publicly available exploit code exists (disclosed via Feishu document), enabling attackers to read/modify database contents and potentially execute commands. CVSS 7.3 (High) with network vector and low complexity. Vendor non-responsive to disclosure, leaving patch status uncertain. EPSS data not provided but POC availability elevates practical exploitation risk.
SQLi
-
CVE-2026-6625
MEDIUM
CVSS 5.5
Server-side request forgery (SSRF) in Mogu Blog v2 up to version 5.2 allows unauthenticated remote attackers to initiate arbitrary HTTP requests from the affected server through the picture upload functionality. The vulnerability exists in the LocalFileServiceImpl.uploadPictureByUrl method within the Picture Storage Service component, enabling attackers to access internal services, scan internal networks, or exfiltrate sensitive data. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.
Java
SSRF
-
CVE-2026-6623
MEDIUM
CVSS 4.8
Stored cross-site scripting (XSS) in BichitroGan ISP Billing Software 2025.3.20 allows authenticated high-privilege users to inject malicious scripts via the Profile Page Handler settings/users-view endpoint, affecting subsequent users who view the compromised profile. The vulnerability requires high-privilege authentication and user interaction (page viewing), limiting exploitation scope; however, publicly available proof-of-concept code exists and the vendor has not responded to disclosure attempts.
XSS
-
CVE-2026-6621
MEDIUM
CVSS 5.5
Prototype pollution in extend-deep npm package (up to 0.1.6) enables remote attackers to manipulate JavaScript object prototypes via crafted __proto__ payloads, achieving low-severity confidentiality, integrity, and availability impacts. Public exploit code exists on GitHub. CVSS 7.3 with network attack vector and no authentication required. Project repository inactive for years, making official patch unlikely. EPSS data unavailable, but prototype pollution attacks are well-understood and automatable. Not listed in CISA KEV, suggesting limited widespread exploitation despite public POC.
Information Disclosure
Prototype Pollution
-
CVE-2026-6615
MEDIUM
CVSS 5.5
Path traversal in TransformerOptimus SuperAGI versions up to 0.0.14 allows remote unauthenticated attackers to read, write, or delete arbitrary files via a manipulated 'Name' parameter in multipart upload requests. Publicly available exploit code exists (GitHub Gist) demonstrating exploitation. EPSS data is unavailable and the issue is not currently listed in CISA KEV. A separately reported CVSS score of 7.3 reflects a network-accessible attack with no authentication barrier, though impact is rated Low across confidentiality, integrity, and availability, likely indicating file-system scope limitations rather than full system compromise.
Path Traversal
-
CVE-2026-6608
MEDIUM
CVSS 5.5
Information disclosure in lm-sys FastChat up to version 0.2.36 allows remote unauthenticated attackers to manipulate the add_text function in the Arena Side-by-Side View Handler, resulting in incorrect control flow that exposes sensitive data. The vulnerability has publicly available exploit code and affects the web-based arena comparison interface. A partial fix was applied in commit 34eca62 to gradio_block_arena_named.py, but three additional affected files remain unpatched.
Information Disclosure
-
CVE-2026-6607
MEDIUM
CVSS 5.5
Resource exhaustion in lm-sys FastChat up to 0.2.36 allows remote attackers to trigger denial of service by sending manipulated requests to the Worker API Endpoint's api_generate function. The vulnerability has publicly available exploit code and is confirmed patched upstream, though the fix in commit c9e84b89c91d45191dc24466888de526fa04cf33 addresses only the primary entry point in base_model_worker.py while missing other vulnerable code paths. EPSS data is not provided; the CVSS 4.0 score of 5.5 indicates moderate severity, so public exploit availability rather than the score is the main reason to prioritise this one.
Denial Of Service
-
CVE-2026-6606
MEDIUM
CVSS 5.5
Modelscope AgentScope versions up to 1.0.18 contain a server-side request forgery (SSRF) vulnerability in the _process_audio_block function that allows remote unauthenticated attackers to manipulate the 'url' argument and trigger arbitrary HTTP requests from the vulnerable server. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving affected deployments without an official patch.
SSRF
-
CVE-2026-6605
MEDIUM
CVSS 5.5
Server-side request forgery in ModelScope AgentScope up to version 1.0.18 allows remote unauthenticated attackers to manipulate the _get_bytes_from_web_url function in src/agentscope/_utils/_common.py, enabling them to make arbitrary HTTP requests from the affected server. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts, leaving affected installations vulnerable to attackers probing internal networks and services.
SSRF
-
CVE-2026-6604
MEDIUM
CVSS 5.5
Server-side request forgery (SSRF) in ModelScope AgentScope up to version 1.0.18 allows remote unauthenticated attackers to manipulate image_url and audio_file_url parameters in the _parse_url, prepare_image, and openai_audio_to_text functions, enabling arbitrary HTTP requests from the affected server. The vulnerability has publicly available exploit code, and the affected component is recorded as Cloud Metadata Endpoint, reflecting that the instance metadata service is a typical target for such requests. The vendor has not responded to early disclosure attempts, and exploitation is confirmed to be possible with low attack complexity.
SSRF
-
CVE-2026-6603
MEDIUM
CVSS 5.5
Remote code execution in ModelScope AgentScope up to version 1.0.18 allows unauthenticated network attackers to inject and execute arbitrary Python code or shell commands through the execute_python_code and execute_shell_command functions in src/AgentScope/tool/_coding/_python.py. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications, leaving all versions up to 1.0.18 unpatched and exploitable with the public code.
RCE
Code Injection
-
CVE-2026-6602
MEDIUM
CVSS 5.5
Unrestricted file upload in rickxy Hospital Management System allows remote unauthenticated attackers to upload malicious files via the /backend/admin/his_admin_account.php endpoint, leading to potential remote code execution, data exfiltration, or system compromise. Public exploit code exists (GitHub), significantly lowering the exploitation barrier. The product uses rolling releases with no fixed versioning, complicating patch tracking. A separately reported CVSS score of 7.3 applies; EPSS is not provided, but the public POC elevates real-world risk.
PHP
File Upload
-
CVE-2026-6596
MEDIUM
CVSS 5.5
Unrestricted file upload in Langflow (langflow-ai) versions up to 1.1.0 allows remote unauthenticated attackers to upload arbitrary files via the create_upload_file API endpoint, potentially leading to remote code execution, data manipulation, and service disruption. Publicly available exploit code exists (CVSS 3.1 exploit maturity E:P) as a GitHub Gist-hosted POC, elevating immediate risk. The vendor was unresponsive to disclosure at time of publication.
File Upload
-
CVE-2026-6595
MEDIUM
CVSS 5.5
SQL injection in ProjectsAndPrograms School Management System allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the bus_id parameter in buslocation.php. The vulnerability affects all versions up to commit 6b6fae5, and publicly available exploit code exists; EPSS data is not provided. The vendor was notified but did not respond, leaving the product vulnerable at time of analysis. The rolling release model means no fixed version number exists.
PHP
SQLi
-
CVE-2026-6594
MEDIUM
CVSS 6.9
Prototype pollution in brikcss merge library versions 1.0 through 1.3.0 enables remote unauthenticated attackers to inject malicious properties into JavaScript Object prototypes via crafted __proto__, constructor.prototype, or prototype arguments, potentially leading to information disclosure, authentication bypass, or denial of service. Publicly available exploit code exists (GitHub PoC from sudo-secure), and a separately reported CVSS score of 7.3 reflects the network vector with no authentication required. The vendor has been unresponsive to disclosure attempts.
Information Disclosure
Prototype Pollution
-
CVE-2026-6588
MEDIUM
CVSS 5.5
Missing authentication in serge-chat serge up to version 1.4TB allows unauthenticated remote attackers to manipulate the download_model and delete_model API endpoints, enabling unauthorized model file deletion and modification through the Model API Endpoint in api/src/serge/routers/model.py. The vulnerability is confirmed to have publicly available exploit code and represents a direct authentication bypass with integrity and availability impact. The vendor did not respond to early disclosure notification.
Authentication Bypass
-
CVE-2026-6550
MEDIUM
CVSS 5.7
Cryptographic algorithm downgrade in the AWS Encryption SDK for Python's caching layer allows authenticated local attackers to bypass key commitment policy enforcement through a shared key cache, enabling a single ciphertext to decrypt to multiple different plaintexts. Affected SDK versions are 2.x up to 2.5.1, 3.x up to 3.3.0, and 4.x up to 4.0.4. AWS has released patches (versions 3.3.1, 4.0.5, and later) to remediate the vulnerability, which requires local access and authenticated credentials and has no known public exploit.
Authentication Bypass
Python
-
CVE-2026-6369
MEDIUM
CVSS 5.7
Canonical Livepatch snap client prior to 10.15.0 allows local unprivileged users to obtain a root-level authentication token via an unauthenticated request to the livepatchd.sock Unix domain socket, enabling attackers to impersonate the victim and access Livepatch services on systems with an active Ubuntu Pro subscription.
Authentication Bypass
Ubuntu
Canonical
-
CVE-2026-6060
MEDIUM
CVSS 4.5
Uncontrolled resource consumption in OTRS admin interface SQL Box causes denial of service against the webserver, affecting OTRS 7.0.x, 8.0.x, 2023.x, 2024.x, 2025.x, and 2026.x before 2026.3. The vulnerability requires high-privilege admin access and user interaction, limiting real-world impact to authenticated administrators performing deliberate actions. No public exploit code or active exploitation has been identified.
Denial Of Service
Suse
-
CVE-2026-5721
MEDIUM
CVSS 4.7
Stored Cross-Site Scripting in wpDataTables WordPress plugin (all versions up to 6.5.0.4) allows unauthenticated attackers to inject malicious scripts into data tables via insufficient input sanitization in LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. Exploitation requires an Administrator to import attacker-controlled data with affected column types configured, but once injected, the malicious script executes for all users viewing the infected page. No public exploit code or active exploitation confirmed at time of analysis.
WordPress
XSS
-
CVE-2026-4852
MEDIUM
CVSS 6.4
Stored XSS in Image Source Control Lite WordPress plugin versions up to 3.9.1 allows authenticated attackers with Author-level permissions or higher to inject malicious scripts via the 'Image Source' attachment field, executing arbitrary JavaScript in the browsers of any user viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the attachment metadata handler. No public exploit code or active exploitation has been confirmed at the time of analysis, but the low attack complexity and network accessibility make this a practical risk for multi-author WordPress installations.
WordPress
XSS
-
CVE-2026-3219
MEDIUM
CVSS 4.6
pip before version 26.1 treats an archive that is simultaneously a valid tar and a valid ZIP (a tar with ZIP data appended) as a ZIP regardless of its filename, so the contents pip installs can differ from what a tar-based reviewer or scanner saw in the same file. A local attacker who can get a user to install such a crafted archive achieves this integrity confusion, where the archive's actual contents diverge from its declared format. The vulnerability requires local access and user interaction (downloading and installing the crafted archive), limiting real-world impact to supply-chain scenarios or direct social engineering of pip users.
Red Hat
File Upload
Suse
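The following Python script is an added example, not pip's own code: it builds a constructed tar+ZIP polyglot and shows that both standard-library parsers accept it while reporting different members, that a content sniffer which checks for ZIP first picks the ZIP side, and how a vetting step can reject the file before unpacking. The archive layout (tar first, ZIP appended, located by its trailing end-of-central-directory record), the member names and the vet_archive policy are the example's own assumptions.

```python
import io
import tarfile
import zipfile
from typing import Dict, List, Optional


def build_tar(name: str, data: bytes) -> bytes:
    """Constructed sample: a one-member, uncompressed tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_zip(name: str, data: bytes) -> bytes:
    """Constructed sample: a one-member ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_polyglot() -> bytes:
    """Constructed polyglot: tar first, ZIP appended. A tar reader stops at the
    tar end-of-archive blocks and never sees the ZIP; a ZIP reader locates the
    central directory from the end of the file and never sees the tar."""
    return (build_tar("pkg/reviewed.txt", b"what a tar-based reviewer sees\n")
            + build_zip("pkg/installed.txt", b"what a ZIP-first installer unpacks\n"))


def accepted_by(blob: bytes) -> Dict[str, List[str]]:
    """Map each stdlib parser that accepts blob to the member names it reports."""
    seen: Dict[str, List[str]] = {}
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tf:
            seen["tar"] = tf.getnames()
    except tarfile.TarError:
        pass
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            seen["zip"] = zf.namelist()
    except zipfile.BadZipFile:
        pass
    return seen


def sniff_zip_first(blob: bytes) -> Optional[str]:
    """The unsafe order: content sniffing that checks ZIP first and ignores the
    filename, so the polyglot is handled as a ZIP."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        return "zip"
    if "tar" in accepted_by(blob):
        return "tar"
    return None


def vet_archive(filename: str, blob: bytes) -> str:
    """Hypothetical vetting policy (not pip's): the declared extension picks the
    format, the content must parse as that format, and any blob that parses as
    more than one format is rejected before anything is unpacked."""
    declared = "zip" if filename.lower().endswith((".zip", ".whl")) else "tar"
    seen = accepted_by(blob)
    if len(seen) > 1:
        return "reject: polyglot archive parses as " + " and ".join(sorted(seen))
    if declared not in seen:
        return f"reject: content is not a {declared} archive"
    return f"ok: {declared}"
```

The point of accepted_by is that it asks both parsers rather than stopping at the first match; a reviewer tool and an installer that each ask only one parser can both be correct about what they saw and still disagree about what the file contains.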
-
CVE-2025-66954
MEDIUM
CVSS 6.5
Buffalo Link Station version 1.85-0.01 allows username and role enumeration via parameter manipulation at the /nasapi endpoint. Authenticated or guest-level users can identify valid usernames and their associated privilege roles by modifying request parameters, giving them the targets for subsequent privilege escalation attempts. Although the CVSS vector is network-based, exploitation requires prior authentication or guest access, limiting immediate exposure but creating a stepping stone for further attacks.
Authentication Bypass
-
CVE-2025-66335
MEDIUM
CVSS 5.3
SQL injection in Apache Doris MCP Server versions before 0.6.1 allows unauthenticated remote attackers to execute unintended SQL statements and bypass query validation and access restrictions via improper neutralization in the MCP query execution interface. The vulnerability has a CVSS score of 5.3 (network-accessible, low complexity, no authentication required) but is classified as partial impact (confidentiality only, no integrity or availability impact) and has not been confirmed as actively exploited. A vendor patch is available.
Apache
SQLi
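As an added example for the Doris MCP Server entry (not the project's code), the Python below contrasts a text-level "read-only" query validator with an engine-level one. SQLite stands in for Doris, and the denylist pattern, the seeded table and the probe statements are constructed for the example; the two bypasses shown (REPLACE, which SQLite and MySQL treat as INSERT OR REPLACE, and PRAGMA, which contains no listed keyword) are generic to keyword filters, while the sqlite3 authorizer rejects them because the engine reports what the compiled statement will actually do.

```python
import re
import sqlite3
from typing import Any, Tuple

# A keyword denylist of the kind a query tool might use to enforce "read only".
FORBIDDEN = re.compile(r"\b(insert|update|delete|drop|alter|create|truncate)\b",
                       re.IGNORECASE)


def denylist_allows(sql: str) -> bool:
    """Text-level gate: passes any statement that avoids the listed words."""
    return FORBIDDEN.search(sql) is None


def _read_only_authorizer(action: int, arg1, arg2, db_name, trigger) -> int:
    """Engine-level policy: SQLite calls this for every operation in a statement
    at prepare time; permit reads and function calls, deny everything else."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def seeded_connection() -> sqlite3.Connection:
    """Constructed sample database; the authorizer is installed only after seeding."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    conn.commit()
    conn.set_authorizer(_read_only_authorizer)
    return conn


def run_query(conn: sqlite3.Connection, sql: str) -> Tuple[str, Any]:
    """Execute under the engine guard; denied statements fail before running."""
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.DatabaseError as exc:
        return ("denied", str(exc))


# Constructed probe statements.
REPLACE_BYPASS = "REPLACE INTO users VALUES (1, 'attacker')"   # a write with no listed keyword
PRAGMA_BYPASS = "PRAGMA writable_schema = ON"                  # engine setting, no listed keyword
FALSE_POSITIVE = "SELECT name FROM users WHERE name <> 'drop me'"  # a read the denylist rejects
```

The denylist fails in both directions: it lets the two writes through and blocks a legitimate read because a forbidden word appears inside a string literal. The authorizer has neither problem, which is the general lesson: enforce read-only at the engine or account level (a read-only database user, a read-only connection mode, or an authorizer hook), not by inspecting SQL text.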
-
CVE-2025-13480
MEDIUM
CVSS 5.1
Fudo Enterprise versions 5.5.0 through 5.6.2 permit low-privileged users to access administrator-only API endpoints, exposing sensitive system logs and configuration data due to improper authorization controls. Authenticated attackers with minimal privileges can escalate access to protected resources without additional user interaction. The vulnerability has been patched in version 5.6.3.
Authentication Bypass
-
CVE-2026-22051
LOW
CVSS 2.3
StorageGRID versions before 11.9.0.13 and 12.0.0.6 allow authenticated attackers with low privileges to execute arbitrary metrics queries, exposing metric data they lack authorization to access. The vulnerability requires low-privilege authentication and specific timing conditions but poses direct information disclosure risk in multi-tenant or role-restricted deployments where metric visibility should be compartmentalized.
Information Disclosure
-
CVE-2026-6652
LOW
CVSS 2.0
Improper neutralization of directives in dynamically evaluated code in Pagekit CMS up to version 1.0.18 allows high-privileged remote attackers to inject and execute arbitrary PHP code through the StringStorage Template Handler's evaluate function in app/modules/view/src/PhpEngine.php. The vulnerability requires administrator-level access but enables information disclosure, code injection, and potential system compromise. Publicly available exploit code exists; the vendor has not responded to disclosure efforts.
PHP
Information Disclosure
Code Injection
-
CVE-2026-6651
LOW
CVSS 1.9
Cross-site scripting (XSS) in erponline.xyz ERP Online up to version 4.0.0 allows authenticated attackers with high privileges to inject malicious scripts via the Item Name parameter on the Inventory Edit Item Page, requiring user interaction to execute. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification, leaving affected deployments without a patched remediation path.
XSS
-
CVE-2026-6650
LOW
CVSS 2.0
Z-BlogPHP 1.7.5 allows authenticated remote attackers with administrative privileges to upload arbitrary files via the App::UnPack function in the ZBA File Handler component (/zb_users/plugin/AppCentre/app_upload.php), bypassing file upload restrictions and potentially enabling remote code execution. Public exploit code exists, and the vendor has not responded to early disclosure attempts.
PHP
File Upload
-
CVE-2026-6649
LOW
CVSS 2.1
Server-side request forgery in Qibo CMS 1.0 allows authenticated remote attackers to manipulate the 'starts' parameter in /index/image/headers endpoint, triggering arbitrary internal requests from the server. Publicly available exploit code exists. The vendor did not respond to early disclosure notification, leaving no patched version available.
SSRF
-
CVE-2026-6648
LOW
CVSS 2.0
Cross-site scripting (XSS) in Qibo CMS 1.0 Internal Message Module allows authenticated remote attackers to inject malicious scripts through message manipulation, affecting user sessions and data integrity. The vulnerability requires user interaction (UI:P) and valid authentication (PR:L), limiting exposure to authenticated users. Public exploit code is available, though the vendor has not responded to disclosure attempts.
XSS
-
CVE-2026-6636
LOW
CVSS 2.1
Path traversal in p2r3 convert's Bun.serve API endpoint allows authenticated remote attackers to access arbitrary files on the server by manipulating the pathname parameter in buildCache.js. The vulnerability affects all versions up to commit 6998584ace3e11db66dff0b423612a5cf91de75b, with publicly available exploit code and no vendor patch forthcoming due to non-response from the maintainer. A separately reported CVSS score of 5.3 reflects the limited scope (confidentiality only), but the public exploit and authenticated attack vector still present moderate operational risk.
Path Traversal
-
CVE-2026-6634
LOW
CVSS 2.1
Improper authorization in usememos memos up to version 0.22.1 allows authenticated remote attackers to bypass access controls via manipulation of additionalStyle and additionalScript arguments in the UpdateInstanceSetting component, potentially leading to unauthorized information disclosure, modification, and service disruption. The vulnerability has publicly available exploit code and affects the memos_access_token function in src/App.tsx. The vendor did not respond to early disclosure efforts.
Authentication Bypass
-
CVE-2026-6633
LOW
CVSS 2.0
Stored cross-site scripting (XSS) in Yifang CMS up to version 2.0.5 allows authenticated attackers to inject malicious scripts via the Account parameter in the Extended Management Module's RBAC admin component; execution requires user interaction and affects stored data integrity. Publicly available proof-of-concept code exists, and a separately reported CVSS score of 3.5 reflects the limited scope (integrity impact only, with no confidentiality or availability impact). The vendor has not responded to early disclosure efforts.
PHP
XSS
-
CVE-2026-6628
LOW
CVSS 2.1
SQL injection in phili67 Ecclesia CRM up to version 8.0.0 allows authenticated remote attackers to execute arbitrary SQL queries via the 'custom' parameter in the Query Viewer Component (/v2/query/view/). The vulnerability has a publicly available exploit and affects confidentiality, integrity, and availability of database operations. The vendor has not responded to early disclosure notification.
SQLi
-
CVE-2026-6626
LOW
CVSS 2.1
NoSQL injection in Cockpit-HQ Cockpit up to version 2.13.5 allows authenticated remote attackers to manipulate data query logic through the Asset Handler or Aggregate Handler components, resulting in information disclosure with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.
Information Disclosure
Nosql Injection
-
CVE-2026-6624
LOW
CVSS 1.9
Cross-site scripting (XSS) in BichitroGan ISP Billing Software 2025.3.20 allows authenticated high-privilege users to inject malicious scripts via the Pool List Interface (/?_route=pool/add endpoint), affecting data integrity through stored or reflected XSS. The vulnerability requires administrator authentication and user interaction (UI:R), limiting immediate risk; however, publicly available exploit code exists and the vendor has not responded to disclosure, leaving affected deployments without an official patch.
XSS
-
CVE-2026-6622
LOW
CVSS 1.9
Stored cross-site scripting (XSS) in BichitroGan ISP Billing Software 2025.3.20 allows authenticated remote attackers with high privileges to inject malicious scripts via the Customer Handler edit endpoint (/?_route=customers/edit/), affecting other users who view manipulated customer records. Exploitation requires user interaction (victim viewing the crafted page), but publicly available exploit code exists and the vendor has not responded to disclosure attempts.
XSS
-
CVE-2026-6620
LOW
CVSS 2.1
Remote authenticated path traversal in SonicCloudOrg sonic-server up to version 2.0.0 allows attackers with low-level privileges to manipulate the Type parameter in the File Upload Endpoint (FileTool.java) to traverse the filesystem and read or write arbitrary files. The vulnerability has publicly available exploit code and affects all versions up to 2.0.0; the vendor has not responded to early disclosure attempts, leaving no patch available.
Java
Path Traversal
File Upload
-
CVE-2026-6619
LOW
CVSS 2.0
Cross-site scripting in Dify's ImagePreview component (web/app/components/base/image-uploader/image-preview.tsx) allows authenticated users to inject malicious scripts via the filename argument in the openInNewTab function, affecting versions up to 1.13.3. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting impact to low integrity compromise with no confidentiality or availability impact. Publicly available exploit code exists; vendor has not responded to early disclosure.
XSS
-
CVE-2026-6618
LOW
CVSS 2.1
Server-side request forgery in Dify up to version 1.13.3 allows authenticated remote attackers to manipulate the URL argument in the ApiBasedToolSchemaParser component, enabling arbitrary HTTP requests from the server to internal or external systems. The vulnerability affects the parse_openai_plugin_json_to_tool_bundle function in api/core/tools/utils/parser.py. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.
SSRF
-
CVE-2026-6617
LOW
CVSS 2.1
Server-side request forgery (SSRF) in Dify's ApiToolManageService allows authenticated remote attackers to manipulate the URL argument in the get_api_tool_provider_remote_schema function, enabling them to make arbitrary HTTP requests from the server. Affects Dify versions up to 0.6.9. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts.
SSRF
-
CVE-2026-6616
LOW
CVSS 2.1
Server-side request forgery (SSRF) in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to manipulate the WebScraperTool's webpage extraction functions (extract_with_bs4, extract_with_3k, extract_with_lxml) to forge requests to arbitrary servers. The vulnerability has publicly available exploit code, and the vendor has not responded to disclosure, creating immediate risk for deployments using affected versions.
SSRF
-
CVE-2026-6614
LOW
CVSS 2.1
Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to access or modify project data without proper authorization checks in the project controller endpoints (get_project, update_project, get_projects_organisation). The vulnerability has publicly available exploit code and affects the project management functionality with limited confidentiality and integrity impact. The vendor did not respond to early disclosure notification.
Authentication Bypass
-
CVE-2026-6613
LOW
CVSS 2.1
Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated attackers to manipulate the agent_id parameter in delete_agent, stop_schedule, and get_schedule_data endpoints, bypassing access controls to perform unauthorized operations on agents and schedules. The vulnerability is remotely exploitable by any authenticated user and publicly available exploit code exists; however, the vendor has not responded to early disclosure attempts.
Authentication Bypass
-
CVE-2026-6612
LOW
CVSS 2.1
TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to bypass authorization controls in the Agent Execution Endpoint by manipulating the agent_execution_id parameter in get_agent_execution and update_agent_execution functions. An attacker with valid credentials can access or modify agent execution records they should not have permission to interact with. Publicly available exploit code exists, and the vendor did not respond to early disclosure notification.
Authentication Bypass
-
CVE-2026-6611
LOW
CVSS 1.3
DjangoBlog versions up to 2.1.0.0 ship a hard-coded Django SECRET_KEY in djangoblog/settings.py; the advisory ties the issue to file upload handling, where the manipulated SECRET_KEY lets a remote attacker, with user interaction, obtain sensitive information. Because Django uses SECRET_KEY to sign sessions, CSRF tokens and password-reset tokens, anyone who reads the published source knows the key. The attack requires high complexity and user participation, resulting in low confidentiality impact; a separately reported CVSS score of 2.3 applies. Publicly available exploit code exists, though the vendor has not responded to disclosure attempts.
File Upload
-
CVE-2026-6610
LOW
CVSS 2.9
DjangoBlog up to version 2.1.0.0 contains hard-coded credentials in djangoblog/settings.py that can be exploited remotely to bypass authentication and gain unauthorized access. The vulnerability stems from sensitive USER/PASSWORD arguments being embedded in configuration files, allowing attackers with network access to retrieve database credentials. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.
Authentication Bypass
-
CVE-2026-6609
LOW
CVSS 2.1
Improper authorization in liangliangyy DjangoBlog versions up to 2.1.0.0 allows authenticated remote attackers to manipulate the oauthid parameter in the oauth/views.py form_valid function, bypassing access controls to perform unauthorized operations. The vulnerability has confirmed public exploit code available and affects all instances where OAuth functionality is enabled. This is a privilege escalation or horizontal access control bypass vulnerability accessible to any authenticated user.
Authentication Bypass
-
CVE-2026-6601
LOW
CVSS 2.1
Denial of service in Lagom WHMCS Template through version 2.4.2 allows authenticated remote attackers to exhaust server resources via manipulation of the Datatables component, resulting in application unavailability. Publicly available exploit code exists and the vendor has not responded to early disclosure notification. A separately reported CVSS score of 4.3 reflects low attack complexity with authenticated access required.
Denial Of Service
-
CVE-2026-6600
LOW
CVSS 2.0
Stored cross-site scripting (XSS) in langflow-ai langflow up to version 1.8.3 allows authenticated users to inject malicious scripts into chat messages via the edit-message component, which are then executed in the browsers of other users viewing the manipulated message. The vulnerability requires user interaction (recipient must view the crafted message) and authenticated access, limiting scope to users within a langflow instance, but publicly available exploit code exists and the vendor has not responded to early disclosure.
XSS
-
CVE-2026-6599
LOW
CVSS 2.1
Code injection in langflow-ai langflow up to version 1.8.3 allows authenticated remote attackers to execute arbitrary code via manipulation of the X-Forwarded-For HTTP header in the Model Context Protocol Configuration API endpoint. The vulnerability affects the get_client_ip function in src/backend/base/langflow/api/v1/mcp_projects.py and has publicly available exploit code; the vendor did not respond to early disclosure notification.
Code Injection
-
CVE-2026-6598
LOW
CVSS 2.1
Langflow up to version 1.8.3 stores authentication settings in cleartext on disk when processing project creation requests, allowing authenticated remote attackers to read sensitive credentials. The vulnerability exists in the create_project/encrypt_auth_settings function within the Project Creation Endpoint, where the auth_settings parameter bypasses encryption despite the function's intent. Publicly available exploit code exists, and the vendor has not released a patch or responded to disclosure notices.
Information Disclosure
-
CVE-2026-6597
LOW
CVSS 2.0
Langflow up to version 1.8.3 stores API credentials without encryption in the remove_api_keys and has_api_terms functions, allowing remote attackers with high privileges to disclose sensitive credentials through the Flow Using API component. The vulnerability has publicly available exploit code, though real-world exploitation likelihood is constrained by the requirement for high-privilege access; vendor has not responded to disclosure.
Information Disclosure
-
CVE-2026-6593
LOW
CVSS 2.0
Cross-site scripting (XSS) in ComfyUI up to version 0.13.0 allows authenticated remote attackers to inject malicious scripts through the View Endpoint in server.py, affecting user integrity with publicly available exploit code. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting its severity despite network accessibility. ComfyUI's vendor has not responded to early disclosure attempts, and the exploit has been published on GitHub, making this a low-CVSS but publicly weaponized vulnerability affecting an AI image generation framework.
XSS
-
CVE-2026-6592
LOW
CVSS 2.0
Stored cross-site scripting (XSS) in ComfyUI's userdata endpoint (getuserdata function in app/user_manager.py) allows authenticated attackers to inject malicious scripts that execute in other users' browsers. Affected versions range from 0.1 through 0.13.0. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world impact, but publicly available exploit code exists and the vendor has not responded to disclosure.
XSS
-
CVE-2026-6591
LOW
CVSS 2.1
Path traversal in ComfyUI up to version 0.13.0 allows authenticated remote attackers to read arbitrary files on the server by manipulating the Name argument in the LoadImage Node's folder_paths.get_annotated_filepath function. The vulnerability has publicly available exploit code and affects the image loading functionality, enabling attackers with valid credentials to access sensitive files outside intended directories.
Path Traversal
-
CVE-2026-6590
LOW
CVSS 2.1
Path traversal in ComfyUI up to version 0.13.0 allows authenticated remote attackers to read arbitrary files via manipulation of the get_model_preview function in the Model Preview Endpoint. An attacker with valid credentials can traverse the file system to access sensitive configuration files, model weights, or other data outside intended directories. Public exploit code is available, and the vendor has not provided a patched version despite early disclosure notification.
Path Traversal
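One containment check that covers the path traversal entries above (SuperAGI's multipart 'Name', p2r3 convert's pathname, sonic-server's Type parameter, and the two ComfyUI endpoints), written here as an added Python example rather than any of those projects' code. It resolves the user-supplied name under the permitted directory and compares real paths component-wise, which catches the four cases string checks miss: an absolute name (which Path joining silently accepts), '..' segments, a symlink that points out of the tree, and a sibling directory that merely shares the base as a string prefix. The sandbox layout is constructed for the example.

```python
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    """Raised when a user-supplied name resolves outside the permitted directory."""


def resolve_inside(base_dir: str, user_name: str) -> Path:
    """Resolve base_dir/user_name and refuse it unless the real path stays inside base_dir."""
    if "\x00" in user_name:
        raise PathEscape("null byte in name")
    base = Path(base_dir).resolve()
    # An absolute user_name makes (base / user_name) discard base entirely, and
    # resolve() follows symlinks and collapses '..', so the check below has to be
    # made on the resolved result rather than on the raw string.
    candidate = (base / user_name).resolve()
    # is_relative_to compares path components, so '<root>/input_evil' is not
    # inside '<root>/input' even though it shares the string prefix.
    if not candidate.is_relative_to(base):
        raise PathEscape(f"{user_name!r} resolves to {candidate}, outside {base}")
    if not candidate.is_file():
        raise FileNotFoundError(user_name)
    return candidate


def classify(base_dir: str, user_name: str) -> str:
    """Verdict for a name: 'ok', 'escape' or 'missing'."""
    try:
        resolve_inside(base_dir, user_name)
        return "ok"
    except PathEscape:
        return "escape"
    except FileNotFoundError:
        return "missing"


def build_sandbox() -> str:
    """Constructed layout; <root>/input is the only directory the endpoint may serve.
        <root>/secrets.txt         outside
        <root>/input_evil/x.png    outside, shares the string prefix '<root>/input'
        <root>/input/cat.png       inside
        <root>/input/sub/          inside
        <root>/input/escape.png    symlink -> <root>/secrets.txt
    Returns the input directory path."""
    root = Path(tempfile.mkdtemp())
    (root / "secrets.txt").write_text("api_token=constructed\n")
    (root / "input_evil").mkdir()
    (root / "input_evil" / "x.png").write_bytes(b"\x89PNG")
    inputs = root / "input"
    inputs.mkdir()
    (inputs / "cat.png").write_bytes(b"\x89PNG")
    (inputs / "sub").mkdir()
    (inputs / "escape.png").symlink_to(root / "secrets.txt")
    return str(inputs)
```

Path.is_relative_to needs Python 3.9 or later; on older interpreters os.path.commonpath([base, candidate]) == base gives the same component-wise comparison. Where the application legitimately needs symlinks inside the tree, resolve the link target and apply the same check to it rather than exempting links.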
-
CVE-2026-6589
LOW
CVSS 2.1
Cross-site request forgery (CSRF) in ComfyUI up to version 0.13.0 allows unauthenticated remote attackers to modify application state: the Origin check implemented by create_origin_only_middleware in server.py does not stop state-changing requests initiated from an attacker-controlled site. The attack requires user interaction (the victim clicks a malicious link or visits the attacker's page) and has low integrity impact, but proof-of-concept code is publicly available. The vendor has not responded to early disclosure notification.
CSRF
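The decision logic an Origin-only CSRF middleware has to get right, as an added Python example that is not ComfyUI's code and makes no claim about how create_origin_only_middleware is written. It puts a prefix-matching check next to an exact-match one: the allowed origins, the header values and the weaknesses shown (a missing header, the literal value null, and a hostname that merely starts with the server's own origin) are the example's own constructions, chosen because they are the usual ways such a check is bypassed.

```python
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def naive_origin_check(method: str, headers: Dict[str, str], own_origin: str) -> bool:
    """The weak form: string-prefix comparison of the Origin header."""
    if method.upper() in SAFE_METHODS:
        return True
    origin = _header(headers, "Origin")
    return origin is not None and origin.startswith(own_origin)


def allow_state_change(method: str, headers: Dict[str, str],
                       allowed_netlocs: Set[str]) -> Tuple[bool, str]:
    """Decide whether a request may change server state.

    Safe methods pass through. Every other request must carry an Origin header
    (Referer as fallback for the few clients that omit Origin) whose scheme is
    http(s) and whose host:port is exactly one of allowed_netlocs. An absent
    header and the literal value 'null' (sandboxed iframes, data: URLs) are
    rejected rather than treated as same-origin."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    source = _header(headers, "Origin") or _header(headers, "Referer")
    if source is None or source.strip().lower() == "null":
        return False, "missing or null Origin"
    parts = urlsplit(source)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, f"unparseable source {source!r}"
    netloc = parts.netloc.lower()       # full host[:port], compared exactly
    if netloc not in allowed_netlocs:
        return False, f"foreign origin {netloc}"
    return True, f"origin {netloc} allowed"
```

Two caveats this check does not cover: an endpoint that changes state on GET is outside its protection by construction, and the allowlist must be configured rather than derived from the incoming Host header, because comparing Origin against Host with any wildcard or prefix logic reintroduces the bypass the last assertion below demonstrates.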
-
CVE-2026-6587
LOW
CVSS 2.1
Server-side request forgery in vibrantlabsai RAGAS up to version 0.4.3 allows authenticated remote attackers to manipulate the retrieved_contexts argument in the Collections Module's _try_process_local_file and _try_process_url functions, enabling arbitrary file reads and network requests with the application's privileges. Publicly available exploit code exists; the vendor has not responded to early disclosure attempts despite the security patch for related CVE-2025-45691 being applied to a different module only.
SSRF
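The SSRF entries on this page (Mogu Blog's uploadPictureByUrl, the three AgentScope URL handlers, Dify's schema parsers, SuperAGI's WebScraperTool, Qibo CMS, and RAGAS's _try_process_url) all fetch an attacker-chosen URL server-side, so one guard serves them all. The Python below is an added example, not code from any of those projects. It validates the scheme, refuses named internal hosts, resolves the hostname and requires every answer to be public (unwrapping IPv4-mapped IPv6 so ::ffff:169.254.169.254 is recognised as link-local), pins the connection to the checked address, and re-applies the whole check on each redirect hop. The DNS and HTTP tables are constructed so it runs offline; the CGNAT block and the public address 11.22.33.44 are the example's own choices.

```python
import ipaddress
import socket
from typing import Callable, Dict, Set, Tuple
from urllib.parse import urljoin, urlsplit

BLOCKED_NAMES = {"localhost", "metadata.google.internal"}
BLOCKED_NETS = [ipaddress.ip_network("100.64.0.0/10")]   # CGNAT; not flagged by is_private everywhere
Response = Tuple[int, Dict[str, str], bytes]              # (status, headers, body)


class SSRFBlocked(ValueError):
    pass


def is_public(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped            # ::ffff:169.254.169.254 is still 169.254.169.254
    if any(addr in net for net in BLOCKED_NETS):
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolver(host: str) -> Set[str]:
    """Production resolver: every address the name maps to, v4 and v6."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_url(url: str, resolver: Callable[[str], Set[str]] = system_resolver) -> Tuple[str, str]:
    """Return (hostname, pinned_ip) for a URL the server may fetch, or raise SSRFBlocked.
    A name that answers with one public and one internal address is rejected outright,
    and the caller connects to pinned_ip instead of resolving again, which closes the
    DNS-rebinding window between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname                  # already lower-cased, brackets stripped
    if not host:
        raise SSRFBlocked("no host")
    if host.rstrip(".") in BLOCKED_NAMES:
        raise SSRFBlocked(f"host {host} is blocked by name")
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal address: nothing to resolve
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise SSRFBlocked(f"{host} did not resolve")
    for ip in addrs:
        if not is_public(ip):
            raise SSRFBlocked(f"{host} resolves to non-public {ip}")
    return host, sorted(addrs)[0]


def is_fetchable(url: str, resolver: Callable[[str], Set[str]] = system_resolver) -> bool:
    try:
        validate_url(url, resolver)
        return True
    except SSRFBlocked:
        return False


def guarded_fetch(url: str, resolver: Callable[[str], Set[str]],
                  transport: Callable[[str, str], Response],
                  max_redirects: int = 3) -> Tuple[str, object]:
    """Apply the guard to the initial URL and to every redirect hop. A transport
    that followed redirects on its own would skip the check from hop two onward."""
    for _ in range(max_redirects + 1):
        try:
            _, pinned_ip = validate_url(url, resolver)
        except SSRFBlocked as exc:
            return "blocked", str(exc)
        status, headers, body = transport(url, pinned_ip)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return "ok", body
    return "blocked", "too many redirects"


# Constructed DNS and HTTP tables so the example runs offline.
FAKE_DNS: Dict[str, Set[str]] = {
    "docs.example.test": {"11.22.33.44"},                   # a public address
    "wiki.corp.test": {"10.20.30.40"},                      # RFC 1918
    "rebind.attacker.test": {"11.22.33.44", "127.0.0.1"},   # split answer
}
FAKE_HTTP: Dict[str, Response] = {
    "http://docs.example.test/page": (200, {}, b"public content"),
    "http://docs.example.test/redirect": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"instance credentials"),
}


def fake_resolver(host: str) -> Set[str]:
    return FAKE_DNS.get(host, set())


def fake_transport(url: str, pinned_ip: str) -> Response:
    return FAKE_HTTP.get(url, (404, {}, b""))
```

In a real deployment the transport must actually connect to pinned_ip while sending the original hostname in the Host header and TLS SNI; if the HTTP client re-resolves the name itself, the pinning step is decorative. Where the fetch result is fed back to an LLM agent, as in the AgentScope and Dify cases, the returned body should also be treated as untrusted input to the model.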
-
CVE-2026-6586
LOW
CVSS 2.1
Remote authentication bypass in TransformerOptimus SuperAGI budget endpoints (versions up to 0.0.14) allows authenticated users to manipulate budget settings without proper authorization checks, potentially enabling unauthorized modification of financial controls. The vulnerability affects the get_budget and update_budget functions in superagi/controllers/budget.py and has publicly available exploit code. The vendor did not respond to early disclosure attempts.
Authentication Bypass
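The SuperAGI entries above (projects, agents and schedules, agent executions, budgets), the DjangoBlog oauthid case and the memos instance-setting case share one shape: a record is looked up by the identifier the caller supplies, and the caller's identity never enters the lookup. The Python below is an added example of the fix, not code from any of those projects; the Principal and Agent types, the organisation-scoping rule and the sample data are constructed for it.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Principal:
    user_id: int
    organisation_id: int


@dataclass
class Agent:
    id: int
    organisation_id: int
    name: str
    budget: float


class NotFound(LookupError):
    pass


# Constructed data: two organisations, one agent each.
AGENTS: Dict[int, Agent] = {
    1: Agent(1, organisation_id=100, name="billing-bot", budget=50.0),
    2: Agent(2, organisation_id=200, name="other-org-bot", budget=10.0),
}


def get_agent_unscoped(agent_id: int) -> Agent:
    """The vulnerable shape: any authenticated user who guesses an id reaches any
    organisation's record, because authentication happened but authorization did not."""
    return AGENTS[agent_id]


def get_agent(principal: Principal, agent_id: int) -> Agent:
    """Scoped lookup: the record must belong to the caller's organisation. A foreign
    id gets the same NotFound as a missing one, so the endpoint is not an id oracle."""
    agent = AGENTS.get(agent_id)
    if agent is None or agent.organisation_id != principal.organisation_id:
        raise NotFound(agent_id)
    return agent


def update_budget(principal: Principal, agent_id: int, new_budget: float) -> Agent:
    """Mutations reuse the scoped lookup instead of re-implementing the check."""
    if new_budget < 0:
        raise ValueError("budget must be non-negative")
    agent = get_agent(principal, agent_id)
    agent.budget = new_budget
    return agent


def delete_agent(principal: Principal, agent_id: int) -> None:
    get_agent(principal, agent_id)      # raises before anything is touched
    del AGENTS[agent_id]


def can_access(principal: Principal, agent_id: int) -> bool:
    try:
        get_agent(principal, agent_id)
        return True
    except NotFound:
        return False
```

With a real database the same rule is a WHERE clause (id = ? AND organisation_id = ?) in a single query rather than a fetch followed by a comparison, and every read, update and delete handler must go through it; the entries above are cases where one or two handlers did not.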
-
CVE-2026-5958
LOW
CVSS 2.1
GNU sed with the -i (in-place edit) and --follow-symlinks options is vulnerable to a time-of-check-time-of-use (TOCTOU) race condition that allows local attackers to overwrite arbitrary files with attacker-controlled content. An attacker who replaces a symlink target between sed's symlink resolution and its subsequent file open causes sed to read from an attacker-chosen file while writing its output to an unintended location. The vulnerability affects sed versions prior to 4.10 and requires winning a narrow timing window on the same filesystem, so attack complexity is high; the CVSS score of 2.1 reflects that limited practical exploitation window.
Information Disclosure
-
CVE-2026-0930
LOW
CVSS 2.3
Out-of-bounds read in wolfSSHd on Windows allows authenticated users to leak adjacent stack memory via malformed terminal resize requests, exposing sensitive data through pseudo-console output. Affects wolfSSH versions prior to 1.5.0. CVSS score of 2.3 reflects low severity due to authentication requirement and limited confidentiality impact; vendor patch available.
Buffer Overflow
Microsoft