347 CVEs tracked today. 31 Critical, 129 High, 164 Medium, 23 Low.
-
CVE-2026-41329
CRITICAL
CVSS 9.0
Sandbox bypass in OpenClaw (pre-2026.3.31) enables authenticated remote attackers to escalate privileges by manipulating heartbeat context inheritance and senderIsOwner parameters. Exploitation has low attack complexity, though specific attack requirements are present, and achieves complete compromise of confidentiality, integrity, and availability on both the vulnerable system and subsequent systems. No active exploitation confirmed (not in CISA KEV), but the VulnCheck disclosure indicates a researcher-identified vulnerability with a public GitHub commit and security advisory available.
Privilege Escalation
-
CVE-2026-41264
CRITICAL
CVSS 9.2
## Abstract
Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise.
## Vulnerability Details
- **Version tested:** 3.0.13
- **Installer file:** https://github.com/FlowiseAI/Flowise
- **Platform tested:** Ubuntu 25.10
## Analysis
This vulnerability allows re...
RCE
Python
Node.js
Ubuntu
-
CVE-2026-41197
CRITICAL
CVSS 9.3
## Description
Noir programs can invoke external functions through foreign calls. When compiling to Brillig bytecode, the SSA instructions are processed block-by-block in `BrilligBlock::compile_block()`. When the compiler encounters an `Instruction::Call` with a `Value::ForeignFunction` target, it ...
Information Disclosure
-
CVE-2026-41193
CRITICAL
CVSS 9.1
Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code execution by uploading malicious ZIP archives during module installation. The path traversal vulnerability (CWE-22) enables attackers to write files to any location on the server filesystem, including web-accessible directories where PHP shells can be placed. With CVSS 9.1 (Critical) and EPSS data not provided, the primary risk factor is the changed scope (S:C) indicating potential container/hosting infrastructure compromise beyond the application itself. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis, though the fix commit provides implementation details that could facilitate exploit development.
Path Traversal
-
CVE-2026-41064
CRITICAL
CVSS 9.3
Remote code execution in WWBN AVideo up to version 29.0 allows unauthenticated attackers to execute arbitrary system commands via unsanitized URL parameters in test.php. This vulnerability stems from an incomplete fix that sanitized wget calls but left file_get_contents and curl code paths exploitable through regex bypass (accepting strings like 'httpevil[.]com'). CVSS 9.3 with Critical scope change reflects the severity. Upstream fix available in commit 78bccae but no tagged release version confirmed at time of analysis. EPSS data not provided; no CISA KEV listing identified.
PHP
Command Injection
-
CVE-2026-40946
CRITICAL
CVSS 9.2
Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated...
Authentication Bypass
-
CVE-2026-40911
CRITICAL
CVSS 10.0
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `e...
RCE
Code Injection
-
CVE-2026-40906
CRITICAL
CVSS 9.9
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORD...
SQLi
PostgreSQL
-
CVE-2026-40903
CRITICAL
CVSS 9.1
Remote unauthenticated attackers can leak GitHub workflow tokens from goshs repositories via ArtiPACKED attack. The vulnerability exploits artifact packaging mechanisms to extract GITHUB_TOKEN credentials despite the token never appearing in source code. With CVSS 9.1 (Critical) and network attack vector requiring no authentication, this poses immediate risk to CI/CD pipelines using goshs. No public exploit identified at time of analysis, though the attack technique (ArtiPACKED) is documented. EPSS data unavailable; not listed in CISA KEV.
Information Disclosure
-
CVE-2026-40872
CRITICAL
CVSS 9.3
Stored cross-site scripting in mailcow dockerized versions before 2026-03b enables remote attackers to execute arbitrary JavaScript in admin sessions by injecting malicious code through unauthenticated Autodiscover requests. The payload persists in Redis and triggers when administrators view Autodiscover logs on the admin dashboard. CVSS 9.3 reflects the network attack vector and high cross-scope impact, though exploitation requires admin interaction (UI:P) and no public exploit has been identified at time of analysis.
XSS
Docker
Redis
-
CVE-2026-40576
CRITICAL
CVSS 9.4
Remote unauthenticated path traversal in excel-mcp-server versions ≤0.1.7 allows network attackers to read, write, and overwrite arbitrary files on the host filesystem. The server's get_excel_path() function fails to validate file paths in two ways: it passes absolute paths without checking boundaries and joins relative paths without resolving traversal sequences. With default configuration binding to 0.0.0.0 (all network interfaces) and no authentication on SSE/Streamable-HTTP transport modes, exploitation is trivial. Vendor-released patch available in version 0.1.8. EPSS data not available; no CISA KEV listing identified at time of analysis.
Path Traversal
-
CVE-2026-40569
CRITICAL
CVSS 9.0
Mass assignment vulnerability in FreeScout versions before 1.8.213 allows authenticated administrators to covertly exfiltrate all outgoing emails and inject malicious content into email communications. By exploiting unfiltered parameter binding in mailbox connection settings endpoints, an attacker with admin credentials can silently set auto_bcc to forward copies of every outgoing email, redirect SMTP traffic through attacker-controlled servers, inject tracking pixels or phishing links into signatures, and enable malicious auto-replies, all invisible to other administrators. The CVSS score of 9.0 reflects high confidentiality and integrity impact with changed scope, though exploitation requires high-privilege (admin) access. No public exploit code or CISA KEV listing identified, but the vulnerability is particularly dangerous in multi-admin deployments and when combined with session compromise vectors like XSS (noted in tags), as it provides persistent email surveillance beyond initial access.
PHP
XSS
Authentication Bypass
-
CVE-2026-40372
CRITICAL
CVSS 9.1
Cryptographic signature verification bypass in ASP.NET Core 10.0 enables remote unauthenticated attackers to forge authentication tokens and gain unauthorized access to protected resources. Tagged as a JWT attack involving authentication bypass, this vulnerability allows complete compromise of confidentiality and integrity without requiring any special conditions (AV:N/AC:L/PR:N/UI:N). Microsoft has released a security update addressing this flaw. No active exploitation confirmed in CISA KEV at time of analysis, though the authentication bypass nature and network-accessible attack surface present significant risk for widely deployed ASP.NET Core applications.
Authentication Bypass
Red Hat
JWT Attack
-
CVE-2026-40050
CRITICAL
CVSS 9.8
Unauthenticated path traversal in CrowdStrike LogScale cluster API allows remote attackers to read arbitrary files from server filesystems. Affects only self-hosted LogScale deployments with specific vulnerable versions; Next-Gen SIEM customers are not impacted. CrowdStrike proactively identified this during internal testing and deployed network-layer blocks for SaaS customers on April 7, 2026, with log analysis confirming no evidence of exploitation. CVSS 9.8 critical severity with network vector and no authentication required (AV:N/PR:N), though EPSS and KEV data not available at time of analysis.
Path Traversal
-
CVE-2026-38835
CRITICAL
CVSS 9.8
Command injection in Tenda W30E V2.0 firmware V16.01.0.21 allows remote unauthenticated attackers to execute arbitrary operating system commands as root through the formSetUSBPartitionUmount function by manipulating the usbPartitionName parameter. The vulnerability achieves maximum CVSS severity (9.8) due to network accessibility without authentication, though EPSS exploitation probability remains low (0.17%, 38th percentile), suggesting limited attacker interest at time of analysis. No active exploitation confirmed by CISA KEV, and public exploit code status is unverified from researcher disclosure.
Command Injection
Tenda
-
CVE-2026-34287
CRITICAL
CVSS 9.1
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager C...
Authentication Bypass
Oracle
-
CVE-2026-34286
CRITICAL
CVSS 9.1
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager C...
Authentication Bypass
Oracle
-
CVE-2026-34285
CRITICAL
CVSS 9.1
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager C...
Authentication Bypass
Oracle
-
CVE-2026-34279
CRITICAL
CVSS 9.1
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracl...
Authentication Bypass
Oracle
-
CVE-2026-34275
CRITICAL
CVSS 9.8
Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracl...
Authentication Bypass
Oracle
-
CVE-2026-33519
CRITICAL
CVSS 9.8
An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials.
Information Disclosure
Kubernetes
Microsoft
-
CVE-2026-33518
CRITICAL
CVSS 9.8
An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.
Information Disclosure
Microsoft
-
CVE-2026-21571
CRITICAL
CVSS 9.4
Remote code execution in Atlassian Bamboo Data Center versions 9.6.0 through 12.1.0 allows authenticated attackers to execute arbitrary OS commands via command injection vulnerability. The attack requires low-privilege authentication (PR:L) but no user interaction, enabling complete system compromise across confidentiality, integrity, and availability with cross-scope impact (SC:H/SI:H/SA:H indicating container escape or lateral movement potential). Atlassian has released patches for three major version branches (9.6.25, 10.2.18, 12.1.6). No active exploitation confirmed in CISA KEV at time of analysis, though the authenticated nature and critical CVSS 9.4 score warrant immediate patching for internet-exposed instances with broad user access.
RCE
Command Injection
Atlassian
-
CVE-2026-6771
CRITICAL
CVSS 9.8
DOM security mitigation bypass in Mozilla Firefox allows remote unauthenticated attackers to completely compromise browser security, achieving high confidentiality, integrity, and availability impact. Affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10. The vulnerability bypasses critical browser security controls designed to protect the Document Object Model. SSVC assessment indicates the flaw is automatable with total technical impact, though no active exploitation has been confirmed at time of analysis. CVSS 9.8 critical rating reflects network-based attack with no complexity barriers.
Authentication Bypass
Red Hat
Mozilla
Suse
-
CVE-2026-6768
CRITICAL
CVSS 9.8
Authentication bypass in Firefox's cookie-handling mechanism allows remote unauthenticated attackers to bypass security controls via network requests, achieving full confidentiality, integrity, and availability compromise. Affects Firefox versions prior to 150. Mozilla has released patches in security advisories MFSA2026-30 and MFSA2026-33. CISA SSVC framework classifies this as fully automatable with total technical impact, though no active exploitation is confirmed at time of analysis. CVSS 9.8 critical severity reflects the network attack vector with no authentication or user interaction required.
Authentication Bypass
Red Hat
Mozilla
Suse
-
CVE-2026-6760
CRITICAL
CVSS 9.8
Authentication bypass in Firefox's cookie handling mechanism allows remote unauthenticated attackers to circumvent security controls and potentially execute arbitrary code or access protected resources. The vulnerability affects Firefox versions prior to 150 and has a critical CVSS score of 9.8 (network-exploitable, no authentication required, low complexity). Despite the severe CVSS rating, EPSS probability indicates only 0.02% likelihood of exploitation (4th percentile), suggesting limited real-world targeting. Mozilla has patched this in Firefox 150 per security advisories MFSA2026-30 and MFSA2026-33. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code at time of analysis.
Authentication Bypass
Red Hat
Mozilla
Suse
-
CVE-2026-6748
CRITICAL
CVSS 9.8
Uninitialized memory access in Firefox's Web Codecs API enables remote code execution without authentication. Attackers can exploit this CWE-457 (Use of Uninitialized Variable) flaw through network-accessible vectors with low complexity (AV:N/AC:L/PR:N/UI:N) to achieve complete system compromise including data exfiltration, arbitrary code execution, and denial of service. CVSS 9.8 severity is supported by the SSVC assessment, which classifies exploitation as automatable with total technical impact. Vendor-released patches are available in Firefox 150 and Firefox ESR 140.10. CISA SSVC reports no active exploitation at time of analysis.
Information Disclosure
Red Hat
Mozilla
Suse
-
CVE-2026-5965
CRITICAL
CVSS 9.3
OS command injection in NewSoft NewSoftOA allows remote unauthenticated attackers to execute arbitrary system commands on the server. CVSS 9.3 (Critical) with network attack vector and no authentication required. The description contains a contradiction - it states 'local attackers' while CVSS vector indicates AV:N (network-accessible). Based on CVSS vector, this is remotely exploitable without authentication. No CISA KEV listing or public exploit code identified at time of analysis, but network accessibility and lack of auth barriers make this a high-priority remediation target for organizations running NewSoftOA.
Command Injection
-
CVE-2026-5652
CRITICAL
CVSS 9.0
Crafty Controller Users API allows authenticated administrators with high privileges to modify other user accounts due to improper API permission validation. Despite requiring PR:H (high privileges) and authentication, the vulnerability achieves CVSS 9.0 due to scope change, enabling privilege escalation and potential system-wide compromise. GitLab reports this as an authentication bypass affecting Crafty Controller by Arcadia Technology, LLC. No CISA KEV listing or public exploit code identified at time of analysis, though the authentication bypass tag suggests deviation from intended access controls even for privileged users.
Authentication Bypass
-
CVE-2025-41029
CRITICAL
CVSS 9.3
SQL injection in Zeon Academy Pro allows remote unauthenticated attackers to execute arbitrary SQL commands via the 'phonenumber' parameter in /private/continue-upload.php, enabling full database compromise including data exfiltration, modification, and deletion. The vulnerability is exploitable over the network without authentication (CVSS:4.0 9.3 Critical, AV:N/PR:N), representing a complete compromise of database confidentiality and integrity. Patch available from vendor per INCIBE-CERT advisory, though specific fixed version not disclosed in public references.
PHP
SQLi
-
CVE-2025-15638
CRITICAL
CVSS 10.0
Remote code execution with complete system compromise affects Net::Dropbear Perl module versions before 0.14 due to bundled vulnerable libtomcrypt library. The module ships with Dropbear 2019.78 or earlier containing libtomcrypt v1.18.1, inheriting CVE-2016-6129 (RSA signature forgery) and CVE-2018-12437 (RSA key recovery via side-channel). CVSS 10.0 reflects network-accessible attack with no authentication or user interaction required and complete confidentiality, integrity, and availability impact with scope change. CISA SSVC framework confirms automatable exploitation with total technical impact, though no active exploitation reported. Patch available in Net::Dropbear 0.14 with updated cryptographic dependencies.
Information Disclosure
Suse
-
CVE-2026-41304
HIGH
CVSS 8.9
Remote code execution in AVideo versions 29.0 and below allows unauthenticated attackers to execute arbitrary shell commands on the server via command injection in the CloneSite plugin's cloneServer.json.php endpoint. Attackers exploit unsanitized user input in the 'url' parameter that gets directly concatenated into a wget command executed through PHP's exec() function. With CVSS 8.9 (AV:N/AC:L/PR:N/UI:N) and proof-of-concept exploitation confirmed (E:P), this represents a critical risk requiring immediate patching. Fix available in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb.
PHP
RCE
Command Injection
-
CVE-2026-41303
HIGH
CVSS 8.7
Authorization bypass in OpenClaw before 2026.3.28 allows authenticated Discord users to approve pending host execution requests without proper privileges. Attackers with low-privileged Discord accounts can bypass the execApprovals.approvers allowlist by sending crafted Discord text commands, gaining unauthorized approval authority for exec requests. EPSS score is relatively low (0.06%, 18th percentile), and no active exploitation is confirmed, but the vulnerability enables complete compromise of the execution approval workflow with low attack complexity.
Authentication Bypass
-
CVE-2026-41299
HIGH
CVSS 7.1
Authorization bypass in OpenClaw's chat.send gateway allows authenticated operator clients to spoof ACP (Access Control Provider) identity labels and inject reserved provenance metadata by manipulating WebSocket handshake client metadata. Attackers with low-privilege operator credentials can bypass intended privilege boundaries to impersonate the ACP bridge, achieving high integrity impact through unauthorized modification of chat message provenance. EPSS probability is low (0.05%, 15th percentile) and CISA SSVC indicates no active exploitation, non-automatable attacks, and partial technical impact. Vendor patch available as of version 2026.3.28.
Authentication Bypass
-
CVE-2026-41296
HIGH
CVSS 8.8
Remote filesystem bridge in OpenClaw (<2026.3.31) enables sandbox escape through a TOCTOU race condition in readFile validation. Authenticated remote attackers can exploit the timing gap between path validation and file read operations to bypass sandbox restrictions and access arbitrary files outside the intended security boundary, potentially compromising both confidentiality and integrity of the underlying system. EPSS score of 0.03% (7th percentile) suggests low probability of widespread exploitation despite CVSS 8.8 severity, though patch availability from vendor (commit 121870a) enables defenders to remediate proactively before active exploitation begins.
Authentication Bypass
-
CVE-2026-41295
HIGH
CVSS 8.5
Malicious workspace plugins in OpenClaw versions before 2026.4.2 achieve arbitrary code execution by shadowing built-in channel IDs during workspace clone and setup operations. The vulnerability exploits a trust boundary flaw (CWE-829) where untrusted plugins execute before explicit user trust confirmation, requiring only that a victim clone a poisoned workspace repository. With CVSS 8.5 (High) and local attack vector requiring user interaction, real-world risk is moderate: EPSS probability sits at 0.01% (2nd percentile) with no confirmed active exploitation (not in CISA KEV), and SSVC assessment classifies it as non-automatable with total technical impact but no current exploitation.
RCE
-
CVE-2026-41294
HIGH
CVSS 8.5
OpenClaw versions before 2026.3.28 allow local attackers to inject malicious environment variables by placing a .env file in the current working directory, which is loaded before trusted state-directory configuration during application startup. This enables attackers to override security-sensitive runtime settings without privileges, achieving high confidentiality, integrity, and availability impact with low complexity when a user launches OpenClaw from a compromised directory. Exploitation probability is minimal (EPSS 0.01%, percentile 2%) with no active exploitation confirmed (not in CISA KEV), but a public advisory from VulnCheck describes the attack mechanism, making exploitation straightforward for local threat actors.
Information Disclosure
-
CVE-2026-41192
HIGH
CVSS 7.1
Authenticated mailbox users can delete arbitrary conversation attachments in FreeScout versions prior to 1.8.215 by replaying encrypted attachment IDs through the draft-saving API. The vulnerability exploits insufficient authorization checks in the reply/draft workflows, allowing peers with legitimate conversation access to extract encrypted attachment IDs via load_attachments, then submit those IDs through save_draft to trigger deletion of attachments they should not control. With CVSS 7.1 (AV:N/AC:L/PR:L) and EPSS data unavailable, risk depends heavily on whether attackers have mailbox credentials and access to shared conversations. GitHub commit 5f182818e confirms the fix validates attachment ownership before deletion.
Authentication Bypass
-
CVE-2026-41191
HIGH
CVSS 7.1
Privilege escalation in FreeScout self-hosted help desk allows authenticated users with limited mailbox signature permissions to modify global chat settings beyond their authorization. The vulnerability (CVE-2026-41191) affects versions prior to 1.8.215 through insufficient input validation in the mailbox update endpoint, enabling low-privileged users to manipulate administrative configuration parameters via crafted POST requests. CVSS score of 7.1 reflects high integrity impact with low complexity network-based attack requiring only low-level authentication. No active exploitation confirmed in CISA KEV, and EPSS data not available at time of analysis, but the fix is available in version 1.8.215 with a corresponding GitHub commit.
Authentication Bypass
-
CVE-2026-41190
HIGH
CVSS 7.1
Authorization bypass in FreeScout's draft save functionality allows authenticated users with low privileges to create draft messages in conversations they should not access when APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS is enabled. While the conversation view correctly enforces access controls, the save_draft AJAX endpoint fails to validate user permissions, enabling unauthorized information disclosure and message manipulation (CVSS 7.1, High integrity impact). No active exploitation confirmed (not in CISA KEV), but publicly available commit reveals exact vulnerability location. EPSS data not provided, limiting probability assessment.
Authentication Bypass
-
CVE-2026-41189
HIGH
CVSS 7.1
Authorization bypass in FreeScout allows low-privileged authenticated users to edit customer threads in conversations they cannot access. The ThreadPolicy::edit() method validates mailbox access but fails to enforce assigned-only conversation restrictions from ConversationPolicy, enabling unauthorized modification of customer communications with high integrity impact. Vendor patch released in version 1.8.215 with fix commit confirmed in GitHub advisory GHSA-4h5p-7f5c-q7gj. No public exploit identified at time of analysis, CVSS 7.1 (High) with low attack complexity indicates straightforward exploitation once authenticated.
Authentication Bypass
-
CVE-2026-41066
HIGH
CVSS 7.5
### Impact
Using either of the two parsers in the default configuration (with `resolve_entities=True`) allows untrusted XML input to read local files.
### Patches
lxml 6.1.0 changes the default to `resolve_entities='internal'`, thus disallowing local file access by default.
### Workarounds
Setting...
XXE
Red Hat
Suse
-
CVE-2026-41060
HIGH
CVSS 7.7
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check comp...
PHP
SSRF
-
CVE-2026-41059
HIGH
CVSS 8.2
Authentication bypass in OAuth2 Proxy 7.5.0-7.15.1 allows remote unauthenticated attackers to access protected resources by exploiting path normalization discrepancies between the proxy and backend services. When deployments use skip_auth_routes or skip_auth_regex with broad wildcard patterns, attackers can inject '#' or '%23' (URL-encoded fragment delimiter) to match public allowlist rules while the upstream application serves sensitive endpoints. CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) reflects network-based unauthenticated access; no public exploit identified at time of analysis. EPSS data not provided. Fixed in version 7.15.2 through conservative path normalization.
Authentication Bypass
Red Hat
-
CVE-2026-41058
HIGH
CVSS 8.1
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6ac...
Path Traversal
-
CVE-2026-41057
HIGH
CVSS 7.1
WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 un...
PHP
Information Disclosure
-
CVE-2026-41056
HIGH
CVSS 8.1
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by...
PHP
Information Disclosure
CORS Misconfiguration
-
CVE-2026-41055
HIGH
CVSS 8.6
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoi...
SSRF
-
CVE-2026-41039
HIGH
CVSS 8.7
Information disclosure in Quantum Networks Router QN-I-470 version 6.1.1.B1 allows unauthenticated remote attackers to access sensitive internal data, including API endpoints, scripts, and directories, through the exposed web management interface. The vulnerability stems from improper access control and an insecure default configuration (CWE-306). CVSS 8.7 reflects a network-accessible, low-complexity attack requiring no authentication or user interaction. No public exploit code identified at time of analysis, though the attack surface (exposed API endpoints) suggests straightforward exploitation. Reported by CERT-In (India's national CERT), indicating potential regional targeting or discovery during incident response.
Authentication Bypass
-
CVE-2026-41038
HIGH
CVSS 7.6
Weak password policy enforcement in Quantum Networks router QN-I-470 version 6.1.1.B1 enables adjacent network attackers to gain unauthorized administrative access through password brute-force attacks. CVSS 7.6 reflects adjacent network requirement (AV:A) and high complexity (AC:H), limiting exploitation to attackers already on the local network segment. No active exploitation confirmed (not in CISA KEV), but authentication bypass via brute-force is a well-understood attack primitive requiring only network proximity and time.
Authentication Bypass
Brute Force
-
CVE-2026-41037
HIGH
CVSS 8.7
Remote code execution with root privileges in Quantum Networks router QN-I-470 version 6.1.1.B1 allows adjacent network attackers to execute arbitrary OS commands through the management CLI interface via command injection. The vulnerability requires no authentication (CVSS PR:N) and exploits inadequate input sanitization (CWE-78). Adjacent network access (AV:A) limits attack surface to local network segments. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though EPSS data unavailable to assess real-world exploitation probability.
RCE
Command Injection
-
CVE-2026-41036
HIGH
CVSS 8.7
Remote code execution in Quantum Networks router QN-I-470 allows authenticated attackers to execute arbitrary OS commands as root via command injection in the management CLI interface. The vulnerability stems from inadequate input sanitization, enabling low-privileged authenticated users to escalate privileges to root level. CVSS 8.7 (Critical) reflects network-accessible exploitation with low complexity, requiring only low-privilege authentication. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, but the authenticated nature and CLI access requirement limit exploitation to users with existing device credentials.
RCE
Command Injection
-
CVE-2026-40945
HIGH
CVSS 8.7
Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnera...
Information Disclosure
-
CVE-2026-40943
HIGH
CVSS 8.7
Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing...
Information Disclosure
Race Condition
-
CVE-2026-40938
HIGH
CVSS 7.5
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses ...
RCE
Kubernetes
-
CVE-2026-40926
HIGH
CVSS 7.1
WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints - `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` - enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin...
PHP
CSRF
-
CVE-2026-40925
HIGH
CVSS 8.3
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest...
PHP
CSRF
-
CVE-2026-40909
HIGH
CVSS 8.7
Path traversal in WWBN AVideo 29.0 and earlier allows authenticated administrators (or CSRF-tricked admins) to write arbitrary PHP files anywhere on the server filesystem, achieving remote code execution. The locale save endpoint fails to sanitize the 'flag' parameter used in file path construction and lacks CSRF protection despite SameSite=None cookies, enabling straightforward exploitation by lower-privilege attackers who chain CSRF against admin sessions. Upstream fix committed to GitHub (57f89ffb) but released patched version not independently confirmed. CVSS 8.7 reflects high impact but requires privileged access - real-world risk depends heavily on admin session hijacking opportunities.
PHP
RCE
Path Traversal
CSRF
-
CVE-2026-40905
HIGH
CVSS 8.1
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipu...
Open Redirect
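Added example, not LinkAce's code: why building a password reset link from a forwarded-host header poisons the link, and the two safe alternatives (configured canonical URL, or forwarded headers honoured only from a trusted proxy and only with an allowlisted value). The request, the APP_URL value and the reset path are constructed for the demo.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit, urlunsplit

APP_URL = "https://links.example.org"  # the deployment's configured canonical URL (constructed)

# Constructed request: an attacker submits the victim's address to the reset form
# and adds a forwarded-host header. Header names are lower-cased on the way in.
POISONED_REQUEST = {
    "host": "links.example.org",
    "x-forwarded-host": "attacker.example",
}


def vulnerable_reset_url(headers: Dict[str, str], token: str) -> str:
    """Host taken from a client-controllable header: the link in the victim's
    email points at the attacker's host, which receives the token on click."""
    host = headers.get("x-forwarded-host") or headers["host"]
    return f"https://{host}/password/reset/{token}"


def safe_reset_url(app_url: str, token: str) -> str:
    """Build the link from configuration only; request headers are never consulted."""
    scheme, netloc, path, _, _ = urlsplit(app_url)
    return urlunsplit((scheme, netloc, path.rstrip("/") + f"/password/reset/{token}", "", ""))


def effective_host(headers: Dict[str, str], remote_addr: str,
                   trusted_proxies: Set[str], allowed_hosts: Set[str]) -> Optional[str]:
    """If forwarded headers must be honoured at all (app behind a reverse proxy),
    accept them only from a known proxy address and only with an allowlisted
    value. Returns None when the request should be refused."""
    forwarded = headers.get("x-forwarded-host")
    if forwarded is not None and remote_addr in trusted_proxies:
        host = forwarded
    else:
        host = headers.get("host", "")
    host = host.split(":")[0].lower()
    return host if host in allowed_hosts else None
```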
-
CVE-2026-40892
HIGH
CVSS 8.1
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.sl...
Buffer Overflow
Stack Overflow
-
CVE-2026-40879
HIGH
CVSS 7.5
Remote attackers can crash Nest.js applications (versions prior to 11.1.19) by sending approximately 47 KB of fragmented JSON messages in a single TCP segment, triggering a call stack overflow. The handleData() function processes each small valid JSON message recursively, so the stack is exhausted before the maxBufferSize limit is enforced, resulting in a RangeError and denial of service. No authentication required (CVSS AV:N/PR:N). Vendor patch released in version 11.1.19. EPSS data not available; no confirmed active exploitation (not in CISA KEV).
Denial Of Service
Node.js
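Added example, not Nest's code: the recursive-dispatch failure mode beside its iterative replacement, on a constructed length-prefixed framing ("<length>#<json>", assumed for the demo rather than taken from Nest). The point it shows is that a byte-size cap on the buffer does not bound the number of messages in it, and it is the message count that drives stack depth.

```python
import json
from typing import Callable, List, Optional, Tuple

DELIMITER = "#"  # assumed framing for the demo: "<length>#<json>" frames back to back


def _next_frame(buffer: str) -> Optional[Tuple[dict, str]]:
    """Split one complete frame off the front of the buffer, or None if incomplete."""
    idx = buffer.find(DELIMITER)
    if idx < 0:
        return None
    length = int(buffer[:idx])
    start = idx + 1
    if len(buffer) < start + length:
        return None
    return json.loads(buffer[start:start + length]), buffer[start + length:]


def handle_data_recursive(buffer: str, on_message: Callable[[dict], None]) -> str:
    """The failure mode: dispatch one message, then handle the rest by calling
    yourself. N small messages in one read means N nested frames on the stack,
    and a byte-size limit on the buffer does nothing to bound N."""
    frame = _next_frame(buffer)
    if frame is None:
        return buffer
    message, rest = frame
    on_message(message)
    return handle_data_recursive(rest, on_message)


def handle_data_iterative(buffer: str, on_message: Callable[[dict], None]) -> str:
    """Same protocol at constant stack depth: loop until no complete frame remains."""
    while (frame := _next_frame(buffer)) is not None:
        message, buffer = frame
        on_message(message)
    return buffer


def build_fragmented_payload(count: int) -> str:
    """Constructed input: many tiny valid messages delivered in a single read."""
    body = json.dumps({"p": "x"})
    return "".join(f"{len(body)}{DELIMITER}{body}" for _ in range(count))


def process(handler: Callable, count: int) -> dict:
    """Run a handler over the payload and report whether it survived."""
    received: List[dict] = []
    try:
        remainder = handler(build_fragmented_payload(count), received.append)
    except RecursionError:
        return {"ok": False, "received": len(received), "error": "RecursionError"}
    return {"ok": True, "received": len(received), "remainder": remainder}
```

Python's default recursion limit (1000) plays the role of the JavaScript call stack here: a few thousand 13-byte frames in one read is enough to take the recursive handler down, while the iterative one drains the same buffer without growing the stack.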
-
CVE-2026-40875
HIGH
CVSS 7.0
Cross-site scripting in mailcow dockerized versions prior to 2026-03b enables remote attackers to execute malicious JavaScript in victim browsers through a chained Login CSRF and Self-XSS attack. Exploitation requires low-privileged attacker credentials and victim interaction, but can result in unauthorized access to victim email accounts and session hijacking (CVSS 7.0, AV:N/AC:H/PR:L/UI:P). The vulnerability stems from insufficient HTML escaping of X-Real-IP header values in the login history dashboard, combined with server trust of client-supplied IP headers. No active exploitation or public POC identified at time of analysis, but technical details disclosed via GitHub Security Advisory make weaponization feasible.
XSS
Docker
CSRF
-
CVE-2026-40873
HIGH
CVSS 8.9
Stored cross-site scripting (XSS) in mailcow: dockerized (versions prior to 2026-03b) allows remote unauthenticated attackers to execute arbitrary JavaScript in administrator sessions by delivering emails with malicious attachment filenames. When administrators view quarantined emails through the web interface, unsanitized filenames inject into HTML without escaping, triggering automatic JavaScript execution that can compromise administrator accounts. No public exploit or active exploitation confirmed at time of analysis, though CVSS 8.9 (CVSS 4.0) reflects high impact with low attack complexity requiring user interaction.
XSS
Docker
-
CVE-2026-40871
HIGH
CVSS 7.2
Second-order SQL injection in mailcow: dockerized versions prior to 2026-03b allows authenticated API users with high privileges to execute arbitrary SQL commands through the quarantine notification system. Attackers inject malicious SQL via the quarantine_category field in /api/v1/add/mailbox endpoint, which executes when quarantine_notify.py runs its scheduled job, enabling data exfiltration of admin credentials and sensitive information through UNION-based queries rendered in notification emails. No public exploit code or active exploitation confirmed at time of analysis, with vendor patch available in version 2026-03b.
Information Disclosure
Docker
SQLi
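Added example, not mailcow's code: a second-order injection reproduced against an in-memory SQLite database. The schema, the payload and the notification job are constructed to mirror the shape described (a value stored safely by the API, then interpolated into SQL by a later scheduled job); the real table and column names are not taken from mailcow.

```python
import sqlite3
from typing import Callable, List

SCHEMA = """
CREATE TABLE mailbox (username TEXT PRIMARY KEY, quarantine_category TEXT);
CREATE TABLE admin (username TEXT, password_hash TEXT);
CREATE TABLE quarantine (id INTEGER PRIMARY KEY, rcpt TEXT, category TEXT, subject TEXT);
"""

# Constructed payload: a category value that is harmless to store but, once
# interpolated into a later SELECT, appends a UNION reading the admin table.
PAYLOAD = "reject' UNION SELECT username || ':' || password_hash FROM admin --"


def setup() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO admin VALUES (?, ?)", ("admin", "$2y$10$constructed-hash"))
    db.execute("INSERT INTO quarantine (rcpt, category, subject) VALUES (?, ?, ?)",
               ("victim@example.org", "reject", "Invoice"))
    return db


def add_mailbox(db: sqlite3.Connection, username: str, quarantine_category: str) -> None:
    """First order: the API write is parameterised, so it is 'safe' and the payload
    is stored verbatim. Nothing looks wrong at this point."""
    db.execute("INSERT INTO mailbox VALUES (?, ?)", (username, quarantine_category))


def notify_job_vulnerable(db: sqlite3.Connection, username: str) -> List[str]:
    """Second order: the scheduled job reads the stored value back and splices it
    into a query string, trusting it because it 'came from the database'."""
    (category,) = db.execute(
        "SELECT quarantine_category FROM mailbox WHERE username = ?", (username,)).fetchone()
    sql = f"SELECT subject FROM quarantine WHERE rcpt = '{username}' AND category = '{category}'"
    return [row[0] for row in db.execute(sql)]


def notify_job_safe(db: sqlite3.Connection, username: str) -> List[str]:
    """Same logic, but stored values are bound as parameters like any other input."""
    (category,) = db.execute(
        "SELECT quarantine_category FROM mailbox WHERE username = ?", (username,)).fetchone()
    return [row[0] for row in db.execute(
        "SELECT subject FROM quarantine WHERE rcpt = ? AND category = ?", (username, category))]


def run_job(job: Callable, category: str = PAYLOAD) -> List[str]:
    """Create a mailbox with the given category and run the notification job for it."""
    db = setup()
    add_mailbox(db, "victim@example.org", category)
    return sorted(job(db, "victim@example.org"))
```

The rows the vulnerable job returns are exactly what ends up rendered in the notification email in the scenario described: the legitimate subject line plus one row per admin record.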
-
CVE-2026-40867
HIGH
CVSS 7.1
Broken access control in the Horilla HRMS 1.5.0 helpdesk module allows any authenticated employee to view support ticket attachments belonging to other users by manipulating attachment IDs in URLs. This exposes confidential HR documents, employee grievances, and internal communications across organizational boundaries. The vulnerability requires only basic authentication (CVSS PR:L) and no technical skill (AC:L), making it trivially exploitable by malicious insiders. EPSS data is not available and the CVE is not listed in CISA KEV, but this is a fundamental authorization failure (the requested attachment is never checked against the requesting user) in a system designed to handle sensitive employee data.
Authentication Bypass
-
CVE-2026-40866
HIGH
CVSS 8.6
Authenticated users in Horilla HRMS 1.5.0 can overwrite or corrupt any employee's documents via insecure direct object reference (IDOR) in the document upload endpoint. By manipulating the document ID parameter in upload requests, attackers with low-level access can modify HR records belonging to other employees, including executives or administrators. This enables unauthorized tampering with sensitive personnel files such as contracts, certifications, or compliance documents. EPSS data not available; no confirmed active exploitation (not in CISA KEV), though exploitation requires only basic authentication and no technical complexity (CVSS AV:N/AC:L/PR:L).
Authentication Bypass
-
CVE-2026-40865
HIGH
CVSS 7.1
Insecure direct object reference in Horilla HRMS 1.5.0 employee document viewer allows authenticated users to access other employees' sensitive HR files by manipulating document IDs in API requests. Successful exploitation exposes identity documents, employment contracts, certificates, and other confidential employee records. No public exploit code identified at time of analysis, with EPSS data unavailable for this 2026 CVE.
Authentication Bypass
-
CVE-2026-40706
HIGH
CVSS 8.4
In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when pr...
Buffer Overflow
Heap Overflow
Suse
-
CVE-2026-40614
HIGH
CVSS 8.5
Heap buffer overflow in PJSIP 2.16 and earlier allows local attackers with user interaction to execute arbitrary code or crash the application via maliciously crafted Opus audio frames. The vulnerability stems from undersized FEC decode buffers (960 bytes at 8 kHz mono) that receive up to 1280 bytes of encoded data without bounds checking during Opus codec decoding. With CVSS 8.5 severity and a public GitHub commit fix available, this represents a high-impact memory corruption vulnerability in a widely-deployed VoIP library, though exploitation requires local access and user interaction (AV:L/UI:P), limiting remote attack scenarios.
Buffer Overflow
Heap Overflow
-
CVE-2026-40613
HIGH
CVSS 7.5
Remote denial of service in the Coturn TURN/STUN server allows unauthenticated attackers to crash ARM64 deployments with a single malformed UDP packet. A misaligned memory access during STUN attribute parsing raises a fatal SIGBUS, requiring no authentication or special configuration. All ARM64 installations of Coturn prior to 4.10.0 are vulnerable to immediate process termination. An EPSS score is not yet available for this newly disclosed CVE, but the attack complexity is low (AC:L) and no privileges are required (PR:N), so exploitation is trivial for anyone who can reach the UDP listener.
Denial Of Service
-
CVE-2026-40604
HIGH
CVSS 8.2
Local privilege escalation in ClearanceKit opfilter system extension allows root-level processes on macOS to completely bypass file-access policy enforcement by suspending or killing the Endpoint Security extension. An attacker with root access can send SIGSTOP to the uk.craigbass.clearancekit.opfilter extension, causing all AUTH events to time out and silently default to allow, effectively disabling all ClearanceKit file-access controls. This represents a critical security control bypass for environments relying on ClearanceKit for file-system access restrictions. Fixed in version 5.0.6. No public exploit identified at time of analysis, though exploitation is straightforward for any attacker who has already achieved root access on the macOS system.
Information Disclosure
Apple
-
CVE-2026-40599
HIGH
CVSS 8.4
ClearanceKit 5.0.4 and earlier allows local attackers with low-privilege accounts to bypass file-system access controls and read/modify all protected files by spoofing Apple platform binary status. The vulnerability stems from incorrect validation of code signing identifiers - specifically, treating processes with empty Team IDs but non-empty Signing IDs as trusted Apple binaries. Malicious software can exploit this logic flaw to impersonate processes in the global allowlist and gain unauthorized access to sensitive data. CVSS 8.4 reflects high confidentiality and integrity impact in local attack scenarios. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though the GitHub security advisory provides detailed vulnerability disclosure.
Authentication Bypass
Apple
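Added example, not ClearanceKit's code, covering both ClearanceKit entries (CVE-2026-40604 and CVE-2026-40599): the trust decision modelled as plain functions. The vulnerable trust check is the one described (empty Team ID plus non-empty Signing ID read as "Apple"); the corrected check keys on an OS-asserted platform-binary attribute, and the AUTH resolver fails closed when no verdict arrives. The attribute name, the allowlist contents and the fail-closed default are assumptions for the demo; the page does not say how 5.0.6 fixes either issue, and what macOS itself does with an unresponsive Endpoint Security client is outside this model.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class CodeSignature:
    signing_id: str
    team_id: str
    platform_binary: bool  # OS-asserted flag for Apple-shipped code; assumed attribute name


APPLE_ALLOWLIST = {"com.apple.Finder", "com.apple.mdworker_shared"}  # constructed


def trusted_apple_vulnerable(sig: CodeSignature) -> bool:
    """The logic flaw described: empty Team ID + non-empty Signing ID read as 'Apple'.
    Any ad-hoc or self-signed binary can present exactly that combination."""
    return sig.team_id == "" and sig.signing_id != "" and sig.signing_id in APPLE_ALLOWLIST


def trusted_apple(sig: CodeSignature) -> bool:
    """Require the OS's platform-binary attribute; the Team ID field carries no trust."""
    return sig.platform_binary and sig.signing_id in APPLE_ALLOWLIST


def resolve_auth_vulnerable(verdict: Optional[Verdict]) -> Verdict:
    """Fail-open: a missing verdict (extension stopped, deadline passed) becomes ALLOW."""
    return verdict if verdict is not None else Verdict.ALLOW


def resolve_auth(verdict: Optional[Verdict]) -> Verdict:
    """Fail-closed: no verdict before the deadline is a DENY."""
    return verdict if verdict is not None else Verdict.DENY


def decide(sig: CodeSignature, protected_path: bool, responding: bool,
           fail_open: bool = False) -> Verdict:
    """End-to-end AUTH event: an unresponsive extension produces no verdict at all;
    otherwise trusted Apple binaries pass and everything else is denied on protected paths."""
    verdict = None
    if responding:
        verdict = Verdict.ALLOW if (not protected_path or trusted_apple(sig)) else Verdict.DENY
    return (resolve_auth_vulnerable if fail_open else resolve_auth)(verdict)
```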
-
CVE-2026-40591
HIGH
CVSS 7.1
Low-privileged agents in FreeScout can escalate mailbox access by exploiting insufficient customer visibility enforcement in phone conversation creation. Attackers with agent credentials for Mailbox A can reference and modify customer records from Mailbox B, adding alias emails to hidden customer profiles and bypassing mailbox isolation boundaries. This constitutes an authentication bypass enabling cross-mailbox data manipulation. Fixed in version 1.8.214. EPSS data not provided; no CISA KEV listing at time of analysis. GitHub security advisory and upstream commit confirm the vulnerability and patch.
Authentication Bypass
-
CVE-2026-40589
HIGH
CVSS 7.6
Privilege escalation in FreeScout versions prior to 1.8.214 allows low-privileged agents to hijack hidden customer email addresses across mailbox boundaries, disclosing confidential customer names, profile URLs, and reassigning conversations from restricted mailboxes to attacker-controlled customer records. The vulnerability enables authenticated agents to bypass mailbox isolation controls and access data they should not see. CVSS score of 7.6 (High) reflects network-exploitable access with high integrity impact; EPSS and KEV data not provided in intelligence sources.
Authentication Bypass
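Added example serving the three Horilla entries (CVE-2026-40867, CVE-2026-40866, CVE-2026-40865) and the two FreeScout mailbox-isolation entries (CVE-2026-40591, CVE-2026-40589); it is not code from either project. It shows the object-level and scope-level checks that are missing in those descriptions: the record's owner compared with the caller, and the record's mailbox compared with the mailboxes the agent may work in. The store, principals and record types are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


class Forbidden(Exception):
    """Raised for both 'not yours' and 'does not exist', so responses cannot be
    used to enumerate which ids are real."""


@dataclass
class Principal:
    user_id: str
    mailboxes: Set[str] = field(default_factory=set)  # mailboxes this agent may work in
    is_admin: bool = False


@dataclass
class Document:
    doc_id: int
    owner_id: str
    path: str


@dataclass
class Customer:
    customer_id: int
    mailbox: str  # the mailbox whose agents may see or edit this record
    emails: List[str] = field(default_factory=list)


# Constructed store standing in for the application database.
DOCUMENTS: Dict[int, Document] = {
    1: Document(1, "alice", "contracts/alice.pdf"),
    2: Document(2, "bob", "contracts/bob.pdf"),
}
CUSTOMERS: Dict[int, Customer] = {
    10: Customer(10, "mailbox-a", ["a@example.org"]),
    20: Customer(20, "mailbox-b", ["b@example.org"]),
}


def get_document_vulnerable(principal: Principal, doc_id: int) -> Document:
    """Checks only that a caller exists: any authenticated user reads any id."""
    return DOCUMENTS[doc_id]


def get_document(principal: Principal, doc_id: int) -> Document:
    """Object-level check: the record's owner must be the caller (or the caller an admin)."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or (doc.owner_id != principal.user_id and not principal.is_admin):
        raise Forbidden(f"document {doc_id}")
    return doc


def add_customer_email(principal: Principal, customer_id: int, email: str) -> Customer:
    """Scope check: the customer must belong to a mailbox the agent is allowed into,
    regardless of where the caller learned the id."""
    customer = CUSTOMERS.get(customer_id)
    if customer is None or customer.mailbox not in principal.mailboxes:
        raise Forbidden(f"customer {customer_id}")
    customer.emails.append(email)
    return customer


def is_forbidden(fn, *args) -> bool:
    """True when the call is refused."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The same shape applies to the upload path in CVE-2026-40866: load the record by id, compare its owner with the caller, and only then accept the new file.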
-
CVE-2026-40588
HIGH
CVSS 8.1
Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.
XSS
-
CVE-2026-40586
HIGH
CVSS 7.5
Unlimited credential brute-forcing against blueprintUE Self-Hosted Edition login form allows remote attackers to enumerate valid accounts and compromise credentials through dictionary attacks, credential stuffing, or exhaustive guessing. The login handler (versions prior to 4.2.0) implements zero rate limiting, no progressive delays, no account lockouts, and no CAPTCHA challenges, enabling attackers to submit authentication attempts at full network speed. While a strong password policy is enforced (10+ characters, mixed case, digit, special), this does not prevent attacks using breached credential databases or targeted guessing against predictable passwords. EPSS exploitation probability data not available; no public exploit code or active exploitation confirmed at time of analysis.
Information Disclosure
-
CVE-2026-40585
HIGH
CVSS 7.4
Password reset tokens in blueprintUE self-hosted edition remain valid indefinitely, allowing attackers who intercept a reset link to compromise accounts at any future time. The vulnerability affects all versions prior to 4.2.0. While exploitation requires initial interception of a password reset token (AC:H), successful exploitation grants persistent unauthorized access with high confidentiality and integrity impact but no availability impact (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, score 7.4). No active exploitation, KEV listing, or public POC identified at time of analysis.
Information Disclosure
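Added example serving the three blueprintUE entries (CVE-2026-40588, CVE-2026-40586, CVE-2026-40585); it is not blueprintUE's code. It puts the three missing controls side by side: a password change that re-authenticates with the current password, a reset token that is random, stored only as a hash, time-limited and single-use, and a per-account failure counter with a temporary lockout. Parameters (15-minute TTL, five attempts, scrypt cost) are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

RESET_TOKEN_TTL_S = 15 * 60  # reset links expire (assumed value)
MAX_FAILED_ATTEMPTS = 5      # per account, before a temporary lockout (assumed)
LOCKOUT_WINDOW_S = 15 * 60


@dataclass
class Account:
    username: str
    password_hash: bytes
    salt: bytes
    reset_token_hash: Optional[bytes] = None  # only a hash of the token is stored
    reset_token_expires: float = 0.0
    failed_attempts: int = 0
    lockout_until: float = 0.0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def create_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, _hash_password(password, salt), salt)


def verify_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash)


def change_password_vulnerable(acct: Account, new_password: str) -> None:
    """The flaw described: a live session alone is enough to set a new password."""
    acct.password_hash = _hash_password(new_password, acct.salt)


def change_password(acct: Account, current_password: str, new_password: str) -> None:
    """Re-authenticate with the current password before accepting a new one."""
    if not verify_password(acct, current_password):
        raise PermissionError("current password does not match")
    acct.password_hash = _hash_password(new_password, acct.salt)


def issue_reset_token(acct: Account, now: float) -> str:
    """Random, time-limited, single-use; the plaintext goes only into the email link."""
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
    acct.reset_token_expires = now + RESET_TOKEN_TTL_S
    return token


def redeem_reset_token(acct: Account, token: str, new_password: str, now: float) -> bool:
    if acct.reset_token_hash is None or now > acct.reset_token_expires:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), acct.reset_token_hash):
        return False
    acct.reset_token_hash = None  # single use
    acct.password_hash = _hash_password(new_password, acct.salt)
    return True


def login(acct: Account, password: str, now: float) -> str:
    """Returns 'ok', 'bad' or 'locked'. A per-account counter blunts dictionary
    attacks; a real deployment also rate-limits per source address."""
    if now < acct.lockout_until:
        return "locked"
    if verify_password(acct, password):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.lockout_until = now + LOCKOUT_WINDOW_S
        acct.failed_attempts = 0
    return "bad"


def _denied(call) -> bool:
    try:
        call()
    except PermissionError:
        return True
    return False


def run_scenario(now: float = 1_000_000.0) -> dict:
    """Walk through the three weaknesses and the corrected behaviour; every value is True when the controls hold."""
    acct = create_account("alice", "Correct-Horse-1!")
    out = {}
    change_password_vulnerable(acct, "attacker-chosen")
    out["session_alone_takes_over"] = verify_password(acct, "attacker-chosen")
    out["change_needs_current"] = _denied(lambda: change_password(acct, "wrong-guess", "x"))
    token = issue_reset_token(acct, now)
    out["expired_token_rejected"] = not redeem_reset_token(acct, token, "new-1", now + RESET_TOKEN_TTL_S + 1)
    token = issue_reset_token(acct, now)
    out["fresh_token_works"] = redeem_reset_token(acct, token, "new-2", now + 60)
    out["token_single_use"] = not redeem_reset_token(acct, token, "new-3", now + 61)
    for i in range(MAX_FAILED_ATTEMPTS):
        login(acct, "guess", now + i)
    out["locked_after_burst"] = login(acct, "new-2", now + 10) == "locked"
    out["unlocks_later"] = login(acct, "new-2", now + 10 + LOCKOUT_WINDOW_S) == "ok"
    return out
```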
-
CVE-2026-40583
HIGH
CVSS 8.8
State corruption in UltraDAG 0.1 allows remote unauthenticated attackers to bypass authorization controls and manipulate blockchain state integrity through malformed SmartOp::Vote transactions. The vulnerability enables attackers to trigger state mutations before authorization checks complete, causing high availability impact and low integrity impact to the blockchain. No active exploitation or public POC has been identified, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation against default configurations. Upstream fixes are available via GitHub commits but no tagged release version has been confirmed.
Information Disclosure
-
CVE-2026-40568
HIGH
CVSS 8.5
Stored cross-site scripting in FreeScout versions prior to 1.8.213 allows authenticated users with mailbox signature permissions to inject arbitrary JavaScript that executes automatically whenever any agent or administrator opens a conversation in the affected mailbox. The vulnerability stems from inadequate HTML sanitization (blocklisting only four tags: script, form, iframe, object) that permits event handlers on elements like <img>, <svg>, and <details>. Exploitation requires only low-privilege authenticated access (ACCESS_PERM_SIGNATURE permission) and triggers without user interaction (CVSS UI:N), enabling session hijacking under certain CSP bypass conditions, phishing overlays, email exfiltration via mass assignment, and self-propagating worm behavior across all mailboxes. EPSS data not provided; no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch available in version 1.8.213.
PHP
XSS
-
CVE-2026-40520
HIGH
CVSS 8.6
Command injection in FreePBX API module 17.0.8 and earlier allows authenticated attackers with valid bearer tokens to execute arbitrary operating system commands as the web server user via malicious GraphQL mutations. The initiateGqlAPIProcess() function passes unsanitized GraphQL moduleOperations mutation input directly to shell_exec(), enabling backtick-wrapped command execution. While requiring high privileges (PR:H), the vulnerability provides complete system compromise within the web server context (CVSS 8.6). Vendor patch available via GitHub commit 5f194e39. No public exploit code or active exploitation confirmed at time of analysis.
Command Injection
-
CVE-2026-40498
HIGH
CVSS 8.9
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213, exploiting a predictable MD5 hash derived from the exposed APP_KEY. Attackers can harvest sensitive server information (full path disclosure, process IDs) and trigger resource exhaustion denial-of-service by repeatedly invoking unprotected background tasks. The vulnerability has publicly available exploit code (CVSS E:P), making it immediately actionable for attackers. EPSS data not provided, but the combination of network exposure (AV:N), no authentication required (PR:N), and confirmed POC significantly elevates real-world risk for internet-facing FreeScout installations.
Denial Of Service
Information Disclosure
-
CVE-2026-40497
HIGH
CVSS 8.1
CSS injection in FreeScout mailbox signatures enables CSRF token exfiltration and privilege escalation from authenticated agents to administrators. The vulnerability exists in FreeScout versions prior to 1.8.213 where incomplete input sanitization fails to strip <style> tags from mailbox signature fields. Attackers with mailbox configuration access leverage CSS attribute selectors to steal CSRF tokens from viewing users, then perform arbitrary state-changing actions including admin account creation. EPSS data not available; no confirmed active exploitation (CISA KEV absent). Vendor patch released in version 1.8.213 with complete fix addressing previous incomplete remediation (GHSA-jqjf-f566-485j).
XSS
Privilege Escalation
CSRF
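Added example serving the two FreeScout signature entries (CVE-2026-40568 and CVE-2026-40497) and the two mailcow XSS entries (CVE-2026-40875 and CVE-2026-40873); it is not code from either project. It contrasts the four-tag blocklist described with an allowlist sanitizer for rich-text fields (event-handler attributes, style attributes, <style> blocks and non-http(s) URLs are dropped), and adds the plain-escape that is the right fix for a header value or filename that is never meant to be HTML. Tag and attribute allowlists are assumptions for the demo.

```python
import re
from html import escape
from html.parser import HTMLParser

BLOCKLIST = {"script", "form", "iframe", "object"}


def sanitize_blocklist(html: str) -> str:
    """The incomplete approach described: strip four tag names, keep everything else."""
    pattern = re.compile(r"</?(?:%s)\b[^>]*>" % "|".join(sorted(BLOCKLIST)), re.IGNORECASE)
    return pattern.sub("", html)


# Allowlist for a rich-text field such as a signature (assumed for the demo).
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "a", "img", "ul", "ol", "li", "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID = {"br", "img"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # inside <style>/<script>: drop the text content too

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text is still emitted (escaped)
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name == "style":
                continue  # event handlers and inline CSS never survive
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name in ("href", "src") and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_allowlist(html: str) -> str:
    """Rich-text fields: rebuild the markup from an allowlist instead of subtracting from it."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def render_plain(value: str) -> str:
    """Values that are data, not markup (a client IP, an attachment filename): escape, never sanitize."""
    return escape(value, quote=True)
```

Serialising from an allowlist also removes the CSS-injection path: a <style> element has no place in the allowlist, so the attribute-selector exfiltration described for CVE-2026-40497 has nothing to stand on.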
-
CVE-2026-40496
HIGH
CVSS 8.8
Insecure token generation in FreeScout <1.8.213 allows unauthenticated remote attackers to download private email attachments by forging MD5-based download tokens. The predictable formula (md5(APP_KEY + sequential_attachment_id + guessable_size)) enables enumeration of all stored attachments without credentials. CVSS 8.8 reflects high confidentiality and integrity impact via network vector with no authentication required. EPSS data not provided. Proof-of-concept exploitation exists (E:P in CVSS vector). Vendor-released patch version 1.8.213 available via GitHub.
Information Disclosure
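Added example covering both FreeScout token entries (CVE-2026-40498 and CVE-2026-40496); it is not FreeScout's code. It shows why an md5 over APP_KEY plus a sequential id plus a small size is enumerable once APP_KEY is known, and the replacement: a random per-object token stored with the record and compared in constant time. The concatenation order, the APP_KEY value and the size range are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# The advisory's premise is that APP_KEY is exposed; any value will do for the demo.
APP_KEY = "base64:constructed-app-key-for-illustration"


def predictable_token(app_key: str, attachment_id: int, size: int) -> str:
    """The scheme as described: md5(APP_KEY + id + size); concatenation order assumed.
    Ids are sequential and sizes small, so with APP_KEY in hand the token space
    per attachment collapses to a loop over plausible sizes."""
    return hashlib.md5(f"{app_key}{attachment_id}{size}".encode()).hexdigest()


def recover_size(app_key: str, attachment_id: int, observed: str, sizes: Iterable[int]) -> Optional[int]:
    """Attacker view: given one observed token, confirm the size by enumeration.
    The same loop, run against the download endpoint, enumerates every attachment."""
    for size in sizes:
        if predictable_token(app_key, attachment_id, size) == observed:
            return size
    return None


def issue_download_token() -> str:
    """Hardened: an unguessable random token per attachment, stored with the
    record. It is derived from nothing an attacker can know or enumerate, so a
    leaked APP_KEY no longer helps."""
    return secrets.token_urlsafe(32)


def verify_download_token(stored: str, presented: str) -> bool:
    """Constant-time comparison, so timing does not leak how many leading bytes matched."""
    return hmac.compare_digest(stored, presented)
```

The diagnostic-endpoint case in CVE-2026-40498 is the same mistake in a different place: any secret that is a deterministic function of APP_KEY and public values falls with APP_KEY.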
-
CVE-2026-40250
HIGH
CVSS 8.4
Integer overflow in OpenEXR's DWA compressor (versions 3.2.0-3.2.7, 3.3.0-3.3.9, 3.4.0-3.4.9) enables local attackers to trigger memory corruption when processing maliciously crafted EXR image files requiring user interaction. This vulnerability represents a missed instance of the same integer overflow pattern addressed in related CVEs 2026-34589, 34588, and 34544, occurring in `internal_dwa_compressor.h:1040` where width multiplication lacks proper size_t casting. Given the local attack vector requiring user interaction (CVSS AV:L/UI:A), real-world exploitation requires social engineering to trick users into opening weaponized EXR files, making this primarily a workstation-targeted threat in media production environments. No active exploitation or public POC identified at time of analysis.
Buffer Overflow
Integer Overflow
Red Hat
Suse
-
CVE-2026-40244
HIGH
CVSS 8.4
Integer overflow in OpenEXR's DWA compressor (versions 3.2.0-3.2.7, 3.3.0-3.3.9, 3.4.0-3.4.9) allows local attackers to trigger memory corruption via maliciously crafted EXR image files requiring user interaction. This overflow at internal_dwa_compressor.h:1722 was missed in the CVE-2026-34589 remediation batch, performing width*height multiplication in 32-bit arithmetic without proper bounds checking. While CVSS scores 8.4 (High), the local attack vector and required user interaction (opening malicious file) somewhat limit real-world exploitation compared to remotely exploitable vulnerabilities. No EPSS score or KEV status available; exploitation probability depends on attacker's ability to deliver weaponized EXR files to targets in media production environments.
Buffer Overflow
Integer Overflow
Red Hat
Suse
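Added example covering both OpenEXR entries (CVE-2026-40250 and CVE-2026-40244); it is not OpenEXR's code. It reproduces the arithmetic: a width times height product formed in 32-bit wraps to a small value and sizes an allocation that the real data then overruns, while widening first and checking each product catches the crafted header before anything is allocated. The byte-per-pixel factor and the size ceiling are assumptions for the demo.

```python
UINT32_MAX = 0xFFFF_FFFF
SIZE_T_MAX = 0xFFFF_FFFF_FFFF_FFFF  # 64-bit size_t, as on the platforms in the tag list


def uint32_mul(a: int, b: int) -> int:
    """C semantics of a 32-bit multiply: the product wraps modulo 2**32."""
    return (a * b) & UINT32_MAX


def byte_count_vulnerable(width: int, height: int, bytes_per_pixel: int) -> int:
    """The pattern described: width*height is formed in 32-bit arithmetic and only
    then widened, so a crafted header yields a far smaller number than the data
    that will later be written into the buffer sized from it."""
    return uint32_mul(width, height) * bytes_per_pixel


def checked_mul(a: int, b: int, limit: int = SIZE_T_MAX):
    """Overflow-checked multiply for non-negative operands; None instead of a wrap."""
    if a < 0 or b < 0:
        return None
    if a != 0 and b > limit // a:
        return None
    return a * b


def byte_count_safe(width: int, height: int, bytes_per_pixel: int):
    """Widen first (the size_t cast the fix adds), then check each product."""
    pixels = checked_mul(width, height)
    return None if pixels is None else checked_mul(pixels, bytes_per_pixel)


def header_is_acceptable(width: int, height: int, bytes_per_pixel: int,
                         max_bytes: int = 1 << 31) -> bool:
    """Admission check to run on untrusted header fields before any allocation:
    the product must be representable and below a deployment-chosen ceiling."""
    n = byte_count_safe(width, height, bytes_per_pixel)
    return n is not None and n <= max_bytes
```

Note that 65536 x 65536 wraps to exactly zero: the vulnerable computation asks for a zero-byte buffer, which is the worst possible outcome for the write that follows.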
-
CVE-2026-40161
HIGH
CVSS 7.7
Credential leakage in Tekton Pipelines git resolver allows authenticated users to exfiltrate system-configured Git API tokens (GitHub PAT, GitLab tokens) by directing the resolver to attacker-controlled endpoints. Affects versions 1.0.0 through 1.10.0 when users omit the token parameter in TaskRun or PipelineRun configurations. CVSS 7.7 with scope change reflects cross-tenant credential theft potential in multi-tenant Kubernetes environments. No active exploitation confirmed (not in CISA KEV), but exploitation is straightforward for authenticated cluster users with TaskRun/PipelineRun creation privileges.
Information Disclosure
Kubernetes
Gitlab
-
CVE-2026-39973
HIGH
CVSS 7.1
Path traversal in Apktool 3.0.0-3.0.1 enables malicious APK files to write arbitrary files during decoding operations, potentially achieving remote code execution by overwriting shell configuration files or startup scripts. This security regression, introduced December 12, 2025 when sanitization controls were removed from resource decoder logic, allows attackers to embed directory traversal sequences in APK metadata that escape output directories and target critical system files like ~/.ssh/config or Windows Startup folders. CVSS 7.1 with local attack vector and required user interaction. No active exploitation (CISA KEV) or public POC identified at time of analysis, but exploit development is straightforward given the detailed technical disclosure in GitHub advisory GHSA-m8mh-x359-vm8m.
Path Traversal
Google
Microsoft
-
CVE-2026-39866
HIGH
CVSS 7.4
Command injection in Lawnchair's GitHub Actions workflow allows authenticated repository contributors to execute arbitrary code on GitHub-hosted CI/CD runners. The vulnerability affects Lawnchair for Android versions prior to commit fcba413f5 and stems from unsanitized workflow_dispatch inputs in release_update.yml. Authenticated attackers with repository write access can inject shell commands through workflow parameters, achieving full code execution in the build environment. A patch is available (commit fcba413f5), and the CVSS vector indicates this is a network-accessible, low-complexity attack requiring low privileges. CVSS v4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact scoped to the vulnerable CI/CD system. EPSS data not provided; no CISA KEV listing at time of analysis.
RCE
Google
Command Injection
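Added example, not Lawnchair's workflow or code: a small scanner that flags ${{ ... }} expressions expanded directly inside run: scripts when their context is attacker-influenced (workflow_dispatch inputs, issue and PR text, head refs), which is the class of injection described. The sample workflow is constructed, the context list is an assumption, and the reader is a line-based heuristic rather than a YAML parser.

```python
import re
from typing import Dict, List, Tuple

# Expression contexts that expand to attacker-influenced text when interpolated
# directly into a run: script (the shell sees the expanded value as code).
UNTRUSTED_CONTEXTS = (
    r"github\.event\.inputs\.", r"inputs\.",
    r"github\.event\.issue\.(title|body)", r"github\.event\.pull_request\.(title|body|head\.ref)",
    r"github\.event\.comment\.body", r"github\.head_ref",
)
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

# Constructed workflow: one step interpolates inputs into the script, one passes
# them through an environment variable, one uses a non-attacker-controlled context.
SAMPLE_WORKFLOW = """\
name: release_update (constructed sample)
on:
  workflow_dispatch:
    inputs:
      tag:
        description: Release tag
        required: true
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Vulnerable step
        run: |
          echo "Releasing ${{ github.event.inputs.tag }}"
          ./gradlew publish -Ptag=${{ inputs.tag }}
      - name: Safe step
        env:
          TAG: ${{ inputs.tag }}
        run: |
          echo "Releasing $TAG"
      - run: echo "${{ github.repository }}"
"""


def find_run_blocks(workflow_text: str) -> List[Tuple[int, str]]:
    """(line_number, script) for every run: step. Handles inline scalars and
    '|'/'>' block scalars; assumes conventional indentation."""
    lines = workflow_text.splitlines()
    blocks, i = [], 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + (len(m.group(2)) if m.group(2) else 0)
        value = m.group(3).strip()
        if value.rstrip("+-") in ("|", ">"):
            j, body = i + 1, []
            while j < len(lines) and (not lines[j].strip() or len(lines[j]) - len(lines[j].lstrip()) > key_indent):
                body.append(lines[j])
                j += 1
            blocks.append((i + 1, "\n".join(body)))
            i = j
        else:
            blocks.append((i + 1, value))
            i += 1
    return blocks


def find_injections(workflow_text: str) -> List[Dict[str, object]]:
    """Flag every ${{ ... }} inside a run: script whose context is attacker-influenced."""
    findings = []
    for line_no, script in find_run_blocks(workflow_text):
        for m in EXPR_RE.finditer(script):
            expr = m.group(1)
            if any(re.match(pat, expr) for pat in UNTRUSTED_CONTEXTS):
                findings.append({"line": line_no, "expression": expr})
    return findings
```

The "Safe step" in the sample is the standard remediation: bind the expression to an env: variable and reference the variable from the script, so the shell receives it as data rather than as part of the command text.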
-
CVE-2026-39861
HIGH
CVSS 7.7
Sandbox escape in Claude Code versions prior to 2.1.64 enables arbitrary file writes outside the workspace by exploiting symlink handling between sandboxed and unsandboxed processes, potentially leading to code execution. The vulnerability requires prompt injection to trigger malicious sandboxed code execution, creating an exploitable chain where neither component can independently breach the sandbox but their interaction does. EPSS score of 0.08% (23rd percentile) suggests limited real-world exploitation likelihood, and CISA SSVC indicates no known exploitation with non-automatable attack requirements. Version 2.1.64 patches this issue, auto-deployed to standard installations.
RCE
Path Traversal
-
CVE-2026-39467
HIGH
CVSS 7.2
PHP object injection in MetaSlider Responsive Slider plugin (WordPress) through version 3.106.0 allows authenticated administrators with high privileges to execute arbitrary code by deserializing untrusted data. The vulnerability requires authenticated high-privilege access (PR:H), limiting exploitation to compromised admin accounts or malicious insiders. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.
Deserialization
-
CVE-2026-39386
HIGH
CVSS 8.8
Privilege escalation in Neko virtual browser (versions 3.0.0-3.0.10, 3.1.0-3.1.1) allows any authenticated user with low privileges to immediately gain full administrative control over the entire instance, including member management, room settings, broadcast control, and session termination. This complete instance compromise requires only network access and valid user credentials (CVSS 8.8, AV:N/AC:L/PR:L). While EPSS exploitation probability is low (0.12%, 31st percentile) and no active exploitation has been confirmed, the vulnerability is trivially exploitable by any authenticated user and classified as non-automatable but with total technical impact per SSVC. Vendor patches are available in versions 3.0.11 and 3.1.2.
Information Disclosure
Docker
-
CVE-2026-39320
HIGH
CVSS 7.5
Signal K Server versions before 2.25.0 allow remote unauthenticated attackers to crash the server via Regular Expression Denial of Service (ReDoS) in WebSocket subscription handling. By injecting unescaped regex metacharacters into the context parameter, attackers trigger catastrophic backtracking that consumes 100% CPU and renders the server completely unresponsive to all API and socket requests. This creates a complete denial of service for marine navigation systems relying on Signal K Server as their central data hub. While EPSS score is low (0.04%, 13th percentile), the trivial exploitation complexity (AV:N/AC:L/PR:N/UI:N) and complete availability impact make this a priority for boat operators running vulnerable versions. No public exploit identified at time of analysis, but the GitHub security advisory provides clear technical details. Vendor-released patch available in version 2.25.0.
Denial Of Service
Node.js
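Added example, not Signal K's code: user text compiled as regex source (with * meaning wildcard) beside the escaped form that keeps only that wildcard live, plus an up-front allowlist for what a context string may contain. The context grammar and the wildcard expansion are assumptions for the demo.

```python
import re

# Allowlist for what a subscription context may contain: dotted identifiers, ':'
# for URN-style ids, and '*' as the only wildcard. Assumed grammar for the demo.
CONTEXT_RE = re.compile(r"^[A-Za-z0-9_:.\-*]+$")


def is_valid_context(context: str) -> bool:
    """First line of defence: refuse anything outside the expected grammar."""
    return len(context) <= 256 and CONTEXT_RE.match(context) is not None


def context_pattern_vulnerable(context: str) -> re.Pattern:
    """User text becomes regex source as-is: every metacharacter stays live, so a
    nested quantifier such as '(a+)+' is compiled and backtracks catastrophically
    on a near-miss input."""
    return re.compile("^" + context.replace("*", ".*") + "$")


def context_pattern_safe(context: str) -> re.Pattern:
    """Escape everything, then reintroduce the single wildcard the protocol allows."""
    return re.compile("^" + re.escape(context).replace(r"\*", ".*") + "$")
```

With the safe form, a context of (a+)+ matches the literal text "(a+)+" and nothing else; only the * the caller is allowed to use becomes a regex construct.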
-
CVE-2026-38834
HIGH
CVSS 7.3
Command injection in Tenda W30E router firmware V16.01.0.21 allows unauthenticated remote attackers to execute arbitrary system commands via the 'hostName' parameter in the diagnostic ping function. Attack requires only network access to the router's web interface with no authentication or user interaction. Proof-of-concept exploit code is publicly available (SSVC exploitation status: POC). EPSS data not available, but SSVC framework marks this as automatable with partial technical impact, making it suitable for mass scanning campaigns targeting exposed Tenda routers.
Command Injection
Tenda
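Added example serving the three command-injection entries on this page (the Quantum Networks QN-I-470 CLI, CVE-2026-40520 in FreePBX with its shell_exec() call, and CVE-2026-38834 with the Tenda ping hostName parameter); it is not code from any of those vendors. It shows the anti-pattern (untrusted input spliced into a string a shell will parse) next to the hardened form: allowlist validation of the value, then an argv list passed with no shell in the path. The hostname grammar and the ping flags are assumptions for the demo.

```python
import re
import subprocess

# Allowlist grammar for a ping target: RFC 1123-style hostname labels or an IPv4 literal.
# Anything outside this grammar is refused outright rather than "escaped".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
_IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")

# Characters a POSIX shell would act on; used for detection and logging, never as a filter.
SHELL_METACHARS = set(";|&`$(){}<>\n'\"\\*?[]#~")


def is_valid_host(host: str) -> bool:
    """Allowlist validation: a DNS hostname (no leading '-') or a dotted IPv4 address."""
    if len(host) > 253:
        return False
    return bool(_IPV4_RE.match(host) or _HOSTNAME_RE.match(host))


def has_shell_metachars(value: str) -> bool:
    """Detection helper: does the value carry characters a shell would act on?"""
    return any(ch in SHELL_METACHARS for ch in value)


def vulnerable_ping_command(host: str) -> str:
    """The anti-pattern: untrusted input spliced into a command string that a shell
    will parse (shell_exec / system / subprocess with shell=True). Returned as a
    string rather than run, so its shape can be inspected safely."""
    return f"ping -c 1 {host}"


def build_ping_argv(host: str) -> list:
    """Hardened form: validate against the allowlist, then pass the host as its own
    argv element with no shell in the path. '--' ends option parsing (getopt
    convention, assumed supported by the ping binary) so a value that slipped past
    validation could not be read as a ping flag."""
    if not is_valid_host(host):
        raise ValueError(f"rejected ping target: {host!r}")
    return ["ping", "-c", "1", "--", host]


def is_rejected(host: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_ping_argv(host)
    except ValueError:
        return True
    return False


def run_ping(host: str) -> int:
    """Execute with shell=False: the argv list goes to execve() unchanged."""
    return subprocess.run(build_ping_argv(host), check=False, timeout=10).returncode
```

Escaping metacharacters is the wrong fix for this class: the grammar of a hostname is small and known, so refusing everything outside it is both simpler and harder to get wrong.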
-
CVE-2026-37748
HIGH
CVSS 7.2
Remote code execution in Visitor Management System 1.0 allows authenticated administrators to upload PHP webshells via two unvalidated file upload endpoints (admin_user_insert.php and update_1.php). The move_uploaded_file() function lacks MIME type, extension, and content validation, enabling direct server compromise. Public proof-of-concept exists (SSVC exploitation: POC). EPSS data not available, but the combination of network-accessible attack vector (AV:N) and total technical impact (SSVC) against a specific niche product suggests targeted exploitation risk rather than widespread automated attacks.
PHP
RCE
File Upload
-
CVE-2026-35587
HIGH
CVSS 7.3
Server-Side Request Forgery in Glances IP plugin allows authenticated attackers to force the monitoring application to send HTTP requests to arbitrary internal or external endpoints, with automatic credential leakage when public_username and public_password are configured. The vulnerability affects all versions prior to 4.5.4 and arises from insufficient validation of the public_api configuration parameter. EPSS exploitation probability is low (0.04%, 12th percentile), but SSVC framework confirms proof-of-concept availability and automatable exploitation with partial technical impact. Vendor patch released in version 4.5.4.
Information Disclosure
SSRF
Suse
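Added example serving this Glances SSRF entry (CVE-2026-35587) and the Tekton credential-leak entry (CVE-2026-40161); it is not code from either project. Both describe a system-held credential being sent to a URL the user chose, so the check shown here is an exact-host allowlist applied before any credential is attached: HTTPS only, no userinfo in the authority, no suffix look-alikes, no private or loopback literals. Host names, tokens and the policy of refusing rather than sending credential-less are assumptions for the demo.

```python
import ipaddress
from typing import Optional, Set
from urllib.parse import urlsplit


def host_is_allowed(url: str, allowed_hosts: Set[str], require_https: bool = True) -> bool:
    """Exact-host allowlist for an outbound API base URL.

    Refuses: non-HTTPS schemes, userinfo in the authority (the
    'https://api.example.com@attacker.example' trick), suffix look-alikes,
    and literal addresses in private/loopback ranges.
    """
    parts = urlsplit(url)
    if require_https and parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    if not host or host not in {h.lower() for h in allowed_hosts}:
        return False
    try:
        if ipaddress.ip_address(host).is_private:
            return False
    except ValueError:
        pass  # a DNS name, not a literal
    return True


def outbound_request_plan(url: str, allowed_hosts: Set[str], api_token: Optional[str],
                          public_username: Optional[str] = None,
                          public_password: Optional[str] = None) -> dict:
    """Decide which credentials may travel with a request to `url`.
    Secrets are attached only when the host passes the allowlist; otherwise the
    request is refused rather than sent, credential-less, to an unknown host."""
    if not host_is_allowed(url, allowed_hosts):
        return {"allowed": False, "headers": {}, "basic_auth": None}
    headers = {"Authorization": f"Bearer {api_token}"} if api_token else {}
    basic = (public_username, public_password) if public_username else None
    return {"allowed": True, "headers": headers, "basic_auth": basic}
```

A DNS-name allowlist still leaves resolution to the network layer; where the allowlisted host could resolve to an internal address, resolve first and apply the same private-range check to the result.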
-
CVE-2026-35570
HIGH
CVSS 8.4
Path traversal in OpenClaude CLI versions before 0.5.1 allows local authenticated users to bypass sandbox directory restrictions and access arbitrary filesystem paths. A logic flaw in the bash permission handler causes path constraint checks to be skipped when sandbox auto-allow is enabled without explicit deny rules, permitting traversal sequences like '../../../etc/passwd' to escape containment boundaries. EPSS score of 0.01% indicates low probability of widespread exploitation, and no active exploitation has been reported.
Path Traversal
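Added example serving this OpenClaude entry (CVE-2026-35570), the AVideo locale 'flag' entry (CVE-2026-40909) and the Apktool entry (CVE-2026-39973); it is not code from any of those projects. All three come down to a path built from untrusted input that is never checked against its intended base, so the example is one containment check: resolve both sides, follow symlinks, and require the result to stay under the base. The directory tree it runs against is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path


def safe_join(base: str, untrusted: str) -> str:
    """Return an absolute path for `untrusted` under `base`, or raise ValueError.

    Resolves both sides (following symlinks) and requires the result to stay
    inside the resolved base; this covers '..' sequences, absolute paths, NUL
    bytes, backslashes and symlinks that point out of the tree.
    """
    if "\x00" in untrusted or "\\" in untrusted or os.path.isabs(untrusted):
        raise ValueError(f"rejected path component: {untrusted!r}")
    base_real = Path(base).resolve()
    target = (base_real / untrusted).resolve()
    try:
        target.relative_to(base_real)
    except ValueError:
        raise ValueError(f"path escapes {base_real}: {untrusted!r}") from None
    return str(target)


def vulnerable_join(base: str, untrusted: str) -> str:
    """Plain concatenation: '..' passes through, and an absolute second argument
    makes os.path.join discard the base entirely."""
    return os.path.join(base, untrusted)


def is_rejected(base: str, untrusted: str) -> bool:
    """True when safe_join refuses the value."""
    try:
        safe_join(base, untrusted)
    except ValueError:
        return True
    return False


def run_checks() -> dict:
    """Exercise both joins against a constructed tree: <tmp>/locale is the allowed
    base and <tmp>/locale/up is a symlink back out to <tmp>. Every value is True
    when the containment check behaves."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "locale")
    os.makedirs(base)
    os.symlink(root, os.path.join(base, "up"))
    base_real = os.path.realpath(base)
    return {
        "normal_ok": safe_join(base, "flags/en.php").startswith(base_real + os.sep),
        "dotdot_rejected": is_rejected(base, "../../etc/passwd"),
        "absolute_rejected": is_rejected(base, "/etc/passwd"),
        "symlink_rejected": is_rejected(base, "up/escaped.php"),
        "nul_rejected": is_rejected(base, "en.php\x00.txt"),
        "vulnerable_keeps_dotdot": ".." in vulnerable_join(base, "../../etc/passwd"),
        "vulnerable_drops_base": vulnerable_join(base, "/etc/passwd") == "/etc/passwd",
    }
```

The symlink case is the one string-level checks miss: a name with no dots in it can still resolve outside the base, which is why the check is made on the resolved path rather than on the input.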
-
CVE-2026-35251
HIGH
CVSS 7.5
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracl...
Authentication Bypass
Oracle
-
CVE-2026-35246
HIGH
CVSS 7.5
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracl...
Authentication Bypass
Oracle
-
CVE-2026-35245
HIGH
CVSS 7.5
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of thi...
Authentication Bypass
Oracle
-
CVE-2026-35243
HIGH
CVSS 7.8
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where...
Authentication Bypass
Oracle
-
CVE-2026-35242
HIGH
CVSS 7.5
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracl...
Authentication Bypass
Oracle
-
CVE-2026-35231
HIGH
CVSS 7.5
Vulnerability in the Oracle Financial Services Transaction Filtering product of Oracle Financial Services Applications (component: User Interface). The supported version that is affected is 8.1.2.8.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to ...
Authentication Bypass
Oracle
-
CVE-2026-35230
HIGH
CVSS 7.5
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracl...
Authentication Bypass
Oracle
-
CVE-2026-35229
HIGH
CVSS 7.5
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability...
Authentication Bypass
Java
Oracle
-
CVE-2026-34839
HIGH
CVSS 7.7
Cross-origin data exfiltration in Glances web server allows remote unauthenticated attackers to read sensitive system information (CPU, memory, processes, network stats) through the REST API endpoint /api/4/* via malicious websites exploiting permissive CORS policy. Affects all versions prior to 4.5.4. EPSS score of 0.06% (18th percentile) suggests low widespread exploitation probability despite proof-of-concept availability, though the network-accessible, unauthenticated attack vector (AV:N/PR:N) combined with high confidentiality impact (VC:H) makes this a priority for internet-exposed instances.
Information Disclosure
Suse
-
CVE-2026-34320
HIGH
CVSS 7.5
Vulnerability in the Oracle Financial Services Customer Screening product of Oracle Financial Services Applications (component: User Interface). The supported version that is affected is 8.1.2.8.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to com...
Authentication Bypass
Oracle
-
CVE-2026-34310
HIGH
CVSS 7.5
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker wit...
Authentication Bypass
Oracle
-
CVE-2026-34309
HIGH
CVSS 8.1
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools...
Authentication Bypass
Oracle
-
CVE-2026-34305
HIGH
CVSS 7.5
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to co...
Authentication Bypass
Information Disclosure
Oracle
-
CVE-2026-34297
HIGH
CVSS 7.5
Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Knowledge Integration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HCM ...
Authentication Bypass
Information Disclosure
Oracle
-
CVE-2026-34292
HIGH
CVSS 7.2
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server....
Authentication Bypass
Oracle
-
CVE-2026-34291
HIGH
CVSS 8.7
Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Whil...
Authentication Bypass
Oracle
-
CVE-2026-34290
HIGH
CVSS 7.5
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Identity Manager Con...
Denial Of Service
Oracle
-
CVE-2026-34282
HIGH
CVSS 7.5
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10;...
Denial Of Service
Java
Oracle
Red Hat
Suse
-
CVE-2026-33813
HIGH
CVSS 7.5
Denial of service in Go's x/image/webp library allows remote attackers to crash 32-bit applications by sending specially crafted WEBP images with invalid large size values, triggering runtime panic. Vendor patch released (version 0.39.0) with low EPSS score (0.02%) indicating minimal observed exploitation activity. Despite network vector and no authentication requirements (CVSS AV:N/PR:N), exploitation is platform-specific to 32-bit architectures only.
Denial Of Service
-
CVE-2026-31368
HIGH
CVSS 7.8
Local privilege escalation in Honor AiAssistant (all versions) allows authenticated users with low privileges to gain full system control (high impact on confidentiality, integrity, and availability) through authentication bypass. Vendor advisory confirmed by Honor with CVSS 7.8. No active exploitation confirmed; EPSS data not yet available as this is a recently disclosed 2026 CVE.
Privilege Escalation
-
CVE-2026-31019
HIGH
CVSS 8.8
Remote code execution in Dolibarr ERP 22.0.4 and earlier allows authenticated users with PHP content editing permissions to execute arbitrary OS commands on the server. The vulnerability stems from a bypassable blacklist-based filter for dangerous PHP functions in the Website module. Attack complexity is low (CVSS AV:N/AC:L/PR:L), requiring only valid low-privilege credentials. Public proof-of-concept code exists on GitHub, though CISA has not confirmed active exploitation. EPSS data is unavailable, but SSVC assessment indicates total technical impact with no current exploitation evidence.
PHP
RCE
Command Injection
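Why a blocklist of function names fails, as an added illustration (not Dolibarr's filter; the `BLOCKED` list and the payloads are constructed here): each `BYPASSES` entry reaches a command-execution sink in PHP without any blocked name appearing as a direct call, which is the general weakness of the approach the entry describes.

```python
import re

# Hypothetical blocklist in the spirit of the filter the entry describes; not Dolibarr's list.
BLOCKED = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
_BLOCK_RE = re.compile(r"\b(" + "|".join(BLOCKED) + r")\s*\(", re.IGNORECASE)


def blocklist_allows(php_source: str) -> bool:
    """True when the naive filter would accept the page source."""
    return _BLOCK_RE.search(php_source) is None


# Constructed payloads: each runs `id` without a blocked name written as a call.
BYPASSES = {
    "string-concat":     "<?php $f = 'sys' . 'tem'; $f('id'); ?>",
    "escaped-literal":   "<?php $f = \"\\x73ystem\"; $f('id'); ?>",   # "\x73" is 's'
    "callback-argument": "<?php array_map('system', ['id']); ?>",
    "backtick-operator": "<?php echo `id`; ?>",
    "builtin-indirect":  "<?php call_user_func('sys' . 'tem', 'id'); ?>",
}


def audit(filter_fn=blocklist_allows) -> dict:
    """Which payloads slip past the filter (True = accepted, i.e. the filter failed)."""
    return {name: filter_fn(src) for name, src in BYPASSES.items()}


if __name__ == "__main__":
    print("direct call caught:", not blocklist_allows("<?php system('id'); ?>"))
    for name, accepted in audit().items():
        print(f"{name:18s} passes filter: {accepted}")
```

The control to rely on is authorization: a permission that lets a user author PHP served by the application is a code-execution grant on the host and should be given only to users trusted with that; a content filter is at best defence in depth.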
-
CVE-2026-31018
HIGH
CVSS 8.8
Authenticated users with restricted HTML/JavaScript editing permissions in Dolibarr ERP & CRM 22.0.4 and earlier can escalate privileges to execute arbitrary PHP code via the Website module. The vulnerability exploits inconsistent permission enforcement across input parameters during website page creation, allowing low-privileged authenticated users to bypass intended restrictions and inject PHP code. Public proof-of-concept exists on GitHub (PhDg1410), though no active exploitation is confirmed by CISA KEV. EPSS data unavailable, but the CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability when exploited by authenticated insiders or compromised accounts.
PHP
RCE
Code Injection
-
CVE-2026-24189
HIGH
CVSS 8.2
Out-of-bounds read in NVIDIA CUDA-Q endpoint allows remote unauthenticated attackers to crash services and disclose sensitive memory contents via malformed network requests. The vulnerability affects an exposed network endpoint with no authentication barrier (CVSS AV:N/AC:L/PR:N/UI:N), enabling trivial exploitation against internet-facing deployments. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation remains theoretical or limited to targeted scenarios.
Buffer Overflow
Denial Of Service
Information Disclosure
Nvidia
-
CVE-2026-24177
HIGH
CVSS 7.7
Authorization bypass in NVIDIA KAI Scheduler allows authenticated network attackers to access protected API endpoints and disclose sensitive information across security boundaries. The vulnerability (CWE-306: Missing Authentication for Critical Function) enables low-privileged authenticated users to read high-value data outside their intended scope (CVSS scope changed to 'C', high confidentiality impact). NVIDIA has published advisory 5818 with remediation guidance. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.
Authentication Bypass
Information Disclosure
Nvidia
-
CVE-2026-22016
HIGH
CVSS 7.5
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 a...
Authentication Bypass
Java
Information Disclosure
Oracle
Red Hat
-
CVE-2026-22011
HIGH
CVSS 7.6
Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: ADPatch). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Succ...
Authentication Bypass
Oracle
-
CVE-2026-22010
HIGH
CVSS 7.5
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker wit...
Authentication Bypass
Oracle
-
CVE-2026-21997
HIGH
CVSS 8.5
Vulnerability in the Oracle Life Sciences Empirica Signal product of Oracle Life Science Applications (component: Common Core). Supported versions that are affected are 9.2.1-9.2.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Lif...
Authentication Bypass
Oracle
-
CVE-2026-6832
HIGH
CVSS 7.2
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated ...
Path Traversal
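An added validator for the session_id parameter this entry describes (example code, not Hermes code): the id must match a strict pattern, and the resolved path is additionally required to stay inside the session directory, which also catches a symlink planted under a valid-looking name. `SESSION_DIR` is an assumed location; `demo()` builds a throwaway directory so the checks run offline.

```python
import os
import re
import tempfile
from pathlib import Path

SESSION_DIR = Path("/var/lib/hermes/sessions")        # assumed location
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")    # what a session id may look like


def resolve_session_file(session_id: str, base: Path = SESSION_DIR) -> Path:
    """Map session_id to a file under base, or raise ValueError."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("invalid session id")        # rejects '/', '..', NUL, absolute paths
    base = base.resolve()
    target = (base / session_id).resolve()            # follows symlinks
    if target.parent != base:                         # second layer: containment after resolution
        raise ValueError("path escapes session directory")
    return target


def delete_session(session_id: str, base: Path = SESSION_DIR) -> bool:
    """Delete the session file; True if it existed."""
    target = resolve_session_file(session_id, base)
    try:
        os.unlink(target)
    except FileNotFoundError:
        return False
    return True


def demo() -> dict:
    """Constructed scenario: one real session, a file outside the directory,
    and a symlink inside the directory pointing at that outside file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "sessions"
        base.mkdir()
        (base / "abc123").write_text("state")
        outside = Path(tmp) / "secret.txt"
        outside.write_text("keep me")
        (base / "link").symlink_to(outside)
        results = {}
        for sid in ("/etc/passwd", "../secret.txt", "link", "abc123"):
            try:
                results[sid] = delete_session(sid, base)
            except ValueError as exc:
                results[sid] = str(exc)
        results["outside_intact"] = outside.exists()
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k!r}: {v}")
```

The pattern match alone stops the absolute-path and traversal payloads the entry mentions; the containment check is what stops an attacker who can create a symlink inside the session directory.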
-
CVE-2026-6823
HIGH
CVSS 8.3
HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach h...
Privilege Escalation
-
CVE-2026-6819
HIGH
CVSS 8.7
Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management commands. Pre-PR #156 versions expose /plugin install, /plugin enable, /plugin disable, and /reload-plugins endpoints to unauthenticated remote senders via the channel layer, allowing complete control over plugin trust and activation state. Vendor patch available in v0.1.7 (commit 59017e0). CVSS 8.7 with network vector and no authentication required, though user interaction is needed. No active exploitation confirmed (not in CISA KEV), but VulnCheck advisory and GitHub references provide technical details that could facilitate exploitation.
Privilege Escalation
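An admission check covering both OpenHarness entries above (the allow_from = ["*"] default in CVE-2026-6823 and the plugin commands reachable by any sender in CVE-2026-6819), as an added example that is not OpenHarness code: a wildcard allowlist is treated as a misconfiguration rather than as "everyone", senders must be listed explicitly, and the plugin-management commands the entry names additionally require an admin sender. The config shape and the `admins` set are assumptions.

```python
from dataclasses import dataclass, field

# Commands the entry lists as reachable through the channel layer.
PRIVILEGED_PREFIXES = ("/plugin install", "/plugin enable", "/plugin disable", "/reload-plugins")


@dataclass
class ChannelConfig:
    # Explicit sender identities. Empty admits nobody; "*" is rejected outright.
    allow_from: list = field(default_factory=list)
    admins: set = field(default_factory=set)          # assumed: subset of allow_from


def is_privileged(command: str) -> bool:
    cmd = " ".join(command.split())                   # normalise whitespace
    return any(cmd == p or cmd.startswith(p + " ") for p in PRIVILEGED_PREFIXES)


def evaluate(cfg: ChannelConfig, sender: str, command: str) -> tuple:
    """Return (admitted, reason). Runs before any work is done for the message."""
    if "*" in cfg.allow_from:
        return False, "allow_from contains '*'; nobody is admitted until senders are listed"
    if sender not in cfg.allow_from:
        return False, f"sender {sender!r} is not in allow_from"
    if is_privileged(command) and sender not in cfg.admins:
        return False, f"{command.split()[0]} requires an admin sender"
    return True, "ok"


if __name__ == "__main__":
    insecure = ChannelConfig(allow_from=["*"])        # the default the entry describes
    hardened = ChannelConfig(allow_from=["alice", "bob"], admins={"alice"})
    for cfg, sender, cmd in [(insecure, "mallory", "/plugin install evil"),
                             (hardened, "bob", "/plugin install evil"),
                             (hardened, "alice", "/plugin install trusted"),
                             (hardened, "bob", "/status")]:
        print(sender, cmd, "->", evaluate(cfg, sender, cmd))
```

Refusing the wildcard at evaluation time (or, better, at config load) is what turns the insecure default into a loud failure instead of an open channel.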
-
CVE-2026-6786
HIGH
CVSS 7.5
Multiple memory corruption bugs in Firefox ESR 140.9, Firefox 149, Thunderbird ESR 140.9, and Thunderbird 149 could enable remote code execution against users visiting malicious websites. Mozilla has fixed these memory safety vulnerabilities in Firefox 150 and Firefox ESR 140.10, with vendor advisories (MFSA2026-30, MFSA2026-32, MFSA2026-33, MFSA2026-34) confirming patches are available. EPSS score of 0.05% (14th percentile) indicates low observed exploitation probability, and no public exploit identified at time of analysis, though SSVC framework assesses total technical impact if successfully weaponized.
RCE
Buffer Overflow
Memory Corruption
Mozilla
-
CVE-2026-6785
HIGH
CVSS 7.5
Use-after-free memory corruption (CWE-416) in Mozilla Firefox 149 and ESR 115.34/140.9, plus the shared Gecko engine in Thunderbird 149 and Thunderbird ESR 140.9, can lead to arbitrary code execution within the browser process when a victim renders attacker-controlled web content. This is a rolled-up batch of memory-safety bugs reported by Mozilla's own developers; Mozilla states some showed evidence of memory corruption presumed exploitable for code execution. There is no public exploit identified at time of analysis, the bug is not in CISA KEV, and EPSS is very low (0.06%, 17th percentile), consistent with the CVSS 7.5 rating being held down by high attack complexity (AC:H) and required user interaction (UI:R).
RCE
Buffer Overflow
Use After Free
Memory Corruption
Mozilla
-
CVE-2026-6784
HIGH
CVSS 7.5
Memory corruption in Firefox 149 and Thunderbird 149 enables remote code execution when users interact with malicious web content. Mozilla patched 55 distinct memory safety bugs in Firefox 150, some demonstrating memory corruption that could be weaponized for arbitrary code execution. While no public exploit is confirmed, the CVSS score of 7.5 reflects high complexity requiring user interaction, with SSVC assessment indicating total technical impact despite no current automation or active exploitation.
RCE
Buffer Overflow
Information Disclosure
Mozilla
-
CVE-2026-6782
HIGH
CVSS 7.5
Unauthenticated remote attackers can obtain sensitive information from Firefox's IP Protection component in versions prior to 150 via network-accessible requests with low attack complexity. The flaw leaks confidential data (high confidentiality impact, C:H) without requiring user interaction or special privileges. Mozilla has released a vendor-confirmed fix in Firefox 150. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the CVSS vector indicates trivial exploitation conditions (AV:N/AC:L/PR:N/UI:N).
Information Disclosure
Red Hat
Mozilla
Suse
-
CVE-2026-6781
HIGH
CVSS 7.5
Denial-of-service in Firefox versions prior to 150 allows remote attackers to crash the browser via malformed audio/video content during playback. The vulnerability requires no authentication and minimal attack complexity (CVSS 7.5, AV:N/AC:L/PR:N/UI:N), enabling attackers to render the browser unresponsive or terminated through crafted media files. Mozilla has released Firefox 150 to address this issue. EPSS data not available; no evidence of active exploitation (not in CISA KEV), and the SSVC assessment rates it as not currently exploited and non-automatable, with partial technical impact.
Denial Of Service
Red Hat
Mozilla
Suse
-
CVE-2026-6780
HIGH
CVSS 7.5
Denial-of-service in Firefox's Audio/Video playback component allows remote attackers to crash the browser via network-based exploitation requiring no authentication or user interaction. Mozilla patched the vulnerability in Firefox 150. CVSS 7.5 (High) reflects high availability impact, but SSVC assessment marks it as partial technical impact with no confirmed exploitation, indicating lower real-world priority than critical RCE vulnerabilities. No public exploit code or CISA KEV listing identified.
Denial Of Service
Red Hat
Mozilla
Suse
-
CVE-2026-6776
HIGH
CVSS 7.8
Buffer overflow in Firefox WebRTC networking component allows local attackers to execute arbitrary code with high impact to confidentiality, integrity, and availability. Affects Firefox versions prior to 150 and Firefox ESR prior to 140.10. No public exploit identified at time of analysis. CVSS 7.8 reflects high severity but requires local access and user interaction, limiting remote attack surface. Mozilla has released patches in Firefox 150 and Firefox ESR 140.10.
Buffer Overflow
Red Hat
Mozilla
Suse
-
CVE-2026-6773
HIGH
CVSS 7.5
Integer overflow in Firefox's WebGPU graphics component enables remote denial-of-service attacks against default browser configurations. Attackers can trigger high availability impact via network-accessible exploitation without authentication or user interaction. Mozilla patched this in Firefox 150, with SSVC framework rating it automatable with partial technical impact despite CVSS 7.5 severity. No active exploitation confirmed and EPSS data not provided for risk quantification.
Buffer Overflow
Integer Overflow
Red Hat
Mozilla
Suse
-
CVE-2026-6772
HIGH
CVSS 7.5
Information disclosure in Mozilla Firefox NSS Library component allows remote unauthenticated attackers to extract high-value confidential data via network-accessible boundary condition errors. Affects Firefox versions prior to 150, ESR 115.x prior to 115.35, and ESR 140.x prior to 140.10. SSVC framework classifies as automatable with partial technical impact. No public exploit identified at time of analysis, though SSVC automation rating and CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector indicate straightforward exploitation potential once vulnerability details are published.
Information Disclosure
Red Hat
Mozilla
Suse
-
CVE-2026-6769
HIGH
CVSS 8.8
Privilege escalation in Firefox's Debugger component allows remote attackers to gain elevated system privileges after user interaction with a malicious site. Affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10. CVSS 8.8 severity with network attack vector and no authentication required. SSVC framework indicates no active exploitation detected and non-automatable attack pattern. Vendor-released patches available in Firefox 150 and Firefox ESR 140.10 per Mozilla security advisories MFSA2026-30 through MFSA2026-34.
Privilege Escalation
Red Hat
Mozilla
Suse
-
CVE-2026-6766
HIGH
CVSS 7.5
Remote information disclosure in Mozilla Network Security Services (NSS) library allows unauthenticated attackers to extract high-sensitivity data via network requests with no user interaction. Affects Firefox versions prior to 150 and Firefox ESR prior to 140.10. The vulnerability stems from incorrect boundary condition handling (CWE-754) in NSS cryptographic libraries. Vendor-released patches available in Firefox 150 and Firefox ESR 140.10. SSVC framework classifies as automatable with partial technical impact, though no public exploit identified at time of analysis.
Information Disclosure
Red Hat
Mozilla
Suse
-
CVE-2026-6761
HIGH
CVSS 8.8
Remote attackers can escalate privileges in Firefox and Firefox ESR through a flaw in the Networking component when a user interacts with malicious content. The vulnerability affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10, allowing attackers with no initial privileges to achieve high impact on confidentiality, integrity, and availability. Mozilla has released patches for both product lines. EPSS data not available; no confirmed active exploitation (not listed in CISA KEV); public exploit code status unknown.
Privilege Escalation
Red Hat
Mozilla
Suse
-
CVE-2026-6759
HIGH
CVSS 7.5
Memory corruption in Firefox's Widget: Cocoa component on macOS enables remote denial of service through use-after-free exploitation. Mozilla patched this in Firefox 150 and Firefox ESR 140.10 after internal discovery. The CVSS vector indicates network-accessible exploitation requiring no authentication or user interaction, though SSVC assessment classifies technical impact as partial and exploitation as non-automatable. No public exploit identified at time of analysis, with SSVC indicating no evidence of active exploitation.
Denial Of Service
Use After Free
Memory Corruption
Red Hat
Mozilla
-
CVE-2026-6758
HIGH
CVSS 7.5
Use-after-free in Firefox's WebAssembly JavaScript engine enables remote denial-of-service attacks against users running unpatched versions below Firefox 150. The vulnerability allows network-based attackers to crash the browser without authentication or user interaction by triggering memory corruption in WebAssembly processing. Mozilla patched this in Firefox 150 (MFSA2026-30). EPSS data not available, not listed in CISA KEV, and the SSVC framework rates exploitation as 'none' with non-automatable, partial technical impact, suggesting lower real-world risk despite CVSS 7.5 severity.
Denial Of Service
Use After Free
Memory Corruption
Red Hat
Mozilla
-
CVE-2026-6756
HIGH
CVSS 7.5
A mitigation bypass in Firefox for Android allows remote attackers to achieve high-impact integrity violations without authentication or user interaction. Fixed in Firefox 150, this CWE-200 information disclosure flaw enables attackers to circumvent existing security controls via network-based vectors. Despite a CVSS base score of 7.5 (High), real-world exploitation risk appears limited: EPSS probability is only 0.02% (5th percentile), no public exploit code has been identified, and CISA SSVC framework rates it as non-exploited with partial technical impact, though automatable.
Information Disclosure
Google
Red Hat
Mozilla
Suse
-
CVE-2026-6754
HIGH
CVSS 7.5
Remote attackers can crash Mozilla Firefox by triggering a use-after-free in the JavaScript Engine, exploiting freed memory during JS execution to cause denial of service. Affects all unpatched Firefox versions below 150, ESR 115.35, and ESR 140.10. CVSS 7.5 (High) reflects network-accessible exploitation with no authentication required, though SSVC assessment indicates non-automatable exploitation with partial technical impact. No public exploit code or active exploitation (KEV) confirmed at time of analysis; the issue is also tracked by ENISA.
Denial Of Service
Use After Free
Memory Corruption
Red Hat
Mozilla
-
CVE-2026-6753
HIGH
CVSS 7.3
Remote attackers can execute code and corrupt memory in Firefox (versions prior to 150) and Firefox ESR (prior to 140.10) by exploiting boundary condition errors in the WebRTC component. The vulnerability permits network-based exploitation without authentication or user interaction, enabling partial confidentiality, integrity, and availability impact. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite the high CVSS 7.3 rating. No public exploit identified at time of analysis, though the vulnerability is classified as automatable with total technical impact per SSVC framework. Mozilla has released patches in Firefox 150 and Firefox ESR 140.10.
Buffer Overflow
Red Hat
Mozilla
Suse
-
CVE-2026-6752
HIGH
CVSS 7.3
Remote code execution or information disclosure in Mozilla Firefox's WebRTC component allows network-based attackers to trigger memory corruption through incorrect boundary checks (CWE-119 buffer overflow class). All Firefox versions prior to 150, ESR versions prior to 115.35, and ESR versions prior to 140.10 are vulnerable. The CVSS vector indicates network-accessible exploitation with no authentication required (AV:N/PR:N), though CISA SSVC framework classifies exploitation as 'none' and automatable as 'no', suggesting limited real-world exploitation evidence at time of analysis. EPSS data not provided. Mozilla has released patches across all affected product lines.
Buffer Overflow
Red Hat
Mozilla
Suse
-
CVE-2026-6751
HIGH
CVSS 7.3
Uninitialized memory access in Firefox's Web Codecs API enables remote attackers to disclose sensitive data, modify limited application state, and potentially trigger denial of service without authentication. The vulnerability affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10. Mozilla has released patches addressing this memory safety issue. EPSS data not available, but SSVC framework indicates non-automated exploitation with partial technical impact. No public exploit identified at time of analysis.
Information Disclosure
Red Hat
Mozilla
Suse
-
CVE-2026-6750
HIGH
CVSS 8.8
Privilege escalation in Firefox WebRender allows remote attackers to gain elevated access through malicious web content requiring user interaction. Affects Firefox versions before 150, Firefox ESR before 115.35, and Firefox ESR before 140.10. Mozilla released patches in advisories MFSA2026-30 through MFSA2026-34. CVSS 8.8 (High) severity with network attack vector, but exploitation requires user interaction (visiting malicious site). No public exploit identified at time of analysis, with SSVC framework indicating no confirmed exploitation and partial technical impact.
Privilege Escalation
Red Hat
Mozilla
Suse
-
CVE-2026-6749
HIGH
CVSS 7.5
Uninitialized memory in Firefox's Canvas2D graphics component allows remote attackers to disclose sensitive information from browser memory without authentication. Affects Firefox versions prior to 150, ESR prior to 115.35, and ESR prior to 140.10. The vulnerability carries a CVSS score of 7.5 with network-based exploitation requiring low complexity and no user interaction. SSVC framework indicates no confirmed exploitation and non-automatable attack, but EPSS data not available to assess real-world exploitation probability. Mozilla has released patches across all affected product lines.
Information Disclosure
Red Hat
Mozilla
Suse
-
CVE-2026-6747
HIGH
CVSS 7.5
High-severity denial-of-service in Firefox WebRTC component allows remote unauthenticated attackers to crash the browser via network-based use-after-free memory corruption. Affects Firefox versions prior to 150 and Firefox ESR prior to 140.10. Vendor-released patches available (Firefox 150, Firefox ESR 140.10). CVSS 7.5 reflects high availability impact with low attack complexity and no privileges required. No public exploit identified at time of analysis, though SSVC framework classifies technical impact as partial and exploitation as none, suggesting limited real-world activity despite the theoretical ease of exploitation indicated by CVSS.
Denial Of Service
Use After Free
Memory Corruption
Red Hat
Mozilla
-
CVE-2026-6746
HIGH
CVSS 7.5
High-severity denial-of-service condition in Mozilla Firefox DOM processing allows remote attackers to crash the browser via network-delivered content without authentication or user interaction. Fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. CVSS 7.5 reflects network attack vector with low complexity (AV:N/AC:L/PR:N/UI:N) but impact limited to availability (A:H). EPSS data not provided. Not listed in CISA KEV, indicating no confirmed active exploitation. SSVC framework rates exploitation as 'none' and technical impact as 'partial', suggesting lower real-world priority despite high CVSS score.
Denial Of Service
Use After Free
Memory Corruption
Red Hat
Mozilla
-
CVE-2026-6553
HIGH
CVSS 7.3
TYPO3 CMS 14.2.0 stores backend user passwords in cleartext within database fields (uc, user_settings) when passwords are changed through the user settings module. Remote attackers with database read access or exploiting SQL injection vulnerabilities can retrieve plaintext credentials for backend administrator accounts. Vendor patch available via GitHub commit 9a6e913f. No active exploitation confirmed at time of analysis, though high CVSS subsequent system impact scores (SC:H/SI:H/SA:H) indicate potential for privilege escalation if database is compromised.
Information Disclosure
-
CVE-2026-5921
HIGH
CVSS 8.9
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the noteboo...
SSRF
Open Redirect
-
CVE-2026-5845
HIGH
CVSS 7.2
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that trea...
Authentication Bypass
-
CVE-2026-5789
HIGH
CVSS 8.5
Local privilege escalation in CivetWeb v1.16 service allows authenticated users to execute arbitrary code with SYSTEM privileges via unquoted service path exploitation. The Windows service configuration lacks quotes around 'C:\Program Files\CivetWeb\CivetWeb.exe', enabling attackers to place malicious executables in directories scanned before the intended path (e.g., 'C:\Program.exe' or 'C:\Program Files\CivetWeb.exe'). No public exploit identified at time of analysis; EPSS data not available. Patch available per vendor advisory from INCIBE.
RCE
Suse
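The search order behind an unquoted service path, as an added example (not CivetWeb code): when CreateProcess is handed an unquoted path containing spaces it tries the prefix before each space with ".exe" appended, in order, before reaching the intended executable. `unquoted_path_candidates` computes those candidates for any ImagePath; the sample path is the one the entry quotes.

```python
import ntpath


def unquoted_path_candidates(image_path: str) -> list:
    """Executables Windows will try, in order, before the real one, when the
    service ImagePath is unquoted and contains spaces. Quoted paths yield []."""
    p = image_path.strip()
    if p.startswith('"') or " " not in p:
        return []
    return [p[:i] + ".exe" for i, ch in enumerate(p) if ch == " "]


def hijack_dirs(image_path: str) -> list:
    """Directories an attacker would need write access to in order to plant a candidate."""
    return sorted({ntpath.dirname(c) for c in unquoted_path_candidates(image_path)})


if __name__ == "__main__":
    path = r"C:\Program Files\CivetWeb\CivetWeb.exe"      # path from the entry
    for c in unquoted_path_candidates(path):
        print("tried before the real binary:", c)
    print("needs write access to:", hijack_dirs(path))
```

To check a host, list service paths with `Get-CimInstance Win32_Service | Select-Object Name, PathName` and inspect the ACLs of the directories `hijack_dirs` returns with `icacls`; by default `C:\` and `C:\Program Files` do not let standard users create files there, so whether a low-privileged account can actually exploit the unquoted path depends on the permissions of that particular host, not on the service definition alone. The fix is to quote the ImagePath.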
-
CVE-2026-4821
HIGH
CVSS 8.1
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Management Console administrator to execute arbitrary OS commands via shell metacharacter injection in proxy configuration fields such as http_proxy. Exploitation of ...
Command Injection
-
CVE-2026-4296
HIGH
CVSS 7.5
An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when cli...
Authentication Bypass
-
CVE-2026-3298
HIGH
CVSS 8.8
Out-of-bounds buffer write in CPython's asyncio.ProactorEventLoop (Windows only) allows remote attackers to trigger memory corruption via oversized network data. The sock_recvfrom_into() method lacks buffer size validation when the nbytes parameter is used, enabling writes beyond allocated memory boundaries. Patch available via GitHub PR #148809. CVSS 8.8 reflects network-accessible attack surface with no authentication required, though exploitation is platform-specific (Windows only) and requires specific asyncio usage patterns.
Buffer Overflow
Memory Corruption
Microsoft
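The missing bounds check, shown as an added Python example (not CPython's patch): `checked_recvfrom_into` validates `nbytes` against the buffer length before handing the buffer to the kernel, which is the check the blocking `socket.recvfrom_into` already performs (it raises ValueError when nbytes exceeds the buffer). `demo()` exercises it over a constructed Unix-domain datagram socket pair so it runs offline.

```python
import socket


def checked_recvfrom_into(sock, buf, nbytes: int = 0):
    """recvfrom_into with the bounds check the entry says the Proactor path lacked.

    Without it, nbytes=4096 against a 32-byte buffer tells the kernel it may
    write 4096 bytes into 32 bytes of heap: an out-of-bounds write sized by
    whatever the remote peer sends."""
    view = memoryview(buf)
    if nbytes < 0:
        raise ValueError("negative buffersize in recvfrom_into")
    if nbytes == 0:
        nbytes = len(view)                      # 0 means "fill the buffer"
    if nbytes > len(view):
        raise ValueError("nbytes is greater than the length of the buffer")
    return sock.recvfrom_into(view, nbytes)


def demo() -> dict:
    """Constructed exchange: 16-byte datagram into a 32-byte buffer, then an oversize request."""
    rx, tx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        rx.settimeout(2)
        tx.send(b"A" * 16)
        buf = bytearray(32)
        n, _peer = checked_recvfrom_into(rx, buf, 32)
        out = {"received": n, "payload": bytes(buf[:n])}
        try:
            checked_recvfrom_into(rx, bytearray(32), 4096)
            out["oversize"] = "accepted"
        except ValueError as exc:
            out["oversize"] = str(exc)
        return out
    finally:
        rx.close()
        tx.close()


if __name__ == "__main__":
    print(demo())
```

The check must happen in the event-loop wrapper itself, before the buffer is registered for the overlapped I/O, because by the time data arrives there is no Python frame left to catch the mistake.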
-
CVE-2025-70420
HIGH
CVSS 8.8
A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements.
SQLi
-
CVE-2025-14362
HIGH
CVSS 7.3
SFTP authentication in GoAnywhere MFT prior to 7.10.0 allows remote unauthenticated attackers to bypass login attempt limits when targeting accounts configured with SSH key authentication, permitting an unlimited number of key-authentication attempts against those accounts. The vulnerability affects the SFTP service specifically when Web Users are configured for SSH key-based login, exposing organizations to brute-force and credential-stuffing attacks. EPSS exploitation probability data not available; no evidence of active exploitation or public exploit code at time of analysis, though the attack vector is straightforward given network accessibility and low complexity (AV:N/AC:L/PR:N).
Authentication Bypass
-
CVE-2025-13826
HIGH
CVSS 8.2
Remote denial of service in Zervit portable HTTP/web server allows unauthenticated attackers to crash the application via malformed configuration reset requests. Network-accessible (AV:N) with low complexity (AC:L), though attack requirements are present (AT:P). EPSS data unavailable; not listed in CISA KEV. No public exploit code identified at time of analysis. High availability impact (VA:H) makes this critical for production deployments, though manual restart capability partially mitigates sustained outage risk.
Denial Of Service
-
CVE-2026-41527
MEDIUM
CVSS 6.9
KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.
Privilege Escalation
Microsoft
-
CVE-2026-41456
MEDIUM
CVSS 5.1
Reflected cross-site scripting in Bludit CMS search plugin allows unauthenticated attackers to inject arbitrary JavaScript through malicious search queries. When users visit attacker-crafted URLs containing the XSS payload, malicious scripts execute in their browsers, enabling session cookie theft and actions performed on behalf of victims. Publicly available exploit code exists; patch available via commit 6732dde.
XSS
-
CVE-2026-41331
MEDIUM
CVSS 6.9
OpenClaw before version 2026.3.31 allows unauthenticated remote attackers to trigger resource-intensive audio transcription processing via Telegram without proper authorization, enabling denial-of-service through billing or infrastructure exhaustion. The vulnerability stems from insufficient allowlist enforcement that permits unauthorized group senders to initiate preflight transcription operations before authentication is validated. No public exploit code has been identified at the time of analysis.
Authentication Bypass
-
CVE-2026-41320
MEDIUM
CVSS 6.5
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14...
SQLi
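The concatenation pattern behind this entry and the Genesys Latitude entry (CVE-2025-70420), beside the parameterised form, as an added example over an in-memory SQLite table constructed here (not code from either product):

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the tautology payload should not expose other rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee (id INTEGER, name TEXT, salary INTEGER, dept TEXT)")
    con.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", [
        (1, "alice", 90000, "eng"),
        (2, "bob", 70000, "ops"),
        (3, "carol", 120000, "exec"),
    ])
    return con


def vulnerable_lookup(con, dept: str) -> list:
    """User input concatenated into the statement: the quote in the input ends
    the literal and the rest is parsed as SQL."""
    sql = "SELECT name FROM employee WHERE dept = '" + dept + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def safe_lookup(con, dept: str) -> list:
    """Bound parameter: the driver sends the value separately, so it can only
    ever be compared as a string, never parsed as SQL."""
    sql = "SELECT name FROM employee WHERE dept = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (dept,))]


if __name__ == "__main__":
    con = make_db()
    payload = "eng' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(con, payload))   # every row
    print("safe:      ", safe_lookup(con, payload))         # no such department
```

The same payload returns every employee through the concatenated query and nothing through the bound one; with UNION or stacked statements the concatenated form also reaches other tables, which is the "extract information they wouldn't otherwise be able to" in the Frappe HR advisory.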
-
CVE-2026-41302
MEDIUM
CVSS 4.8
OpenClaw before version 2026.3.31 contains a server-side request forgery (SSRF) vulnerability in the marketplace plugin download functionality, where unguarded fetch() calls allow authenticated users with user interaction to make arbitrary network requests on behalf of the affected system. Remote attackers can access internal resources or interact with external services, potentially disclosing sensitive data or compromising internal infrastructure; no public exploit code or active exploitation has been identified at time of analysis.
SSRF
-
CVE-2026-41301
MEDIUM
CVSS 6.9
OpenClaw 2026.3.22 through 2026.3.30 contain a signature verification bypass in the Nostr direct message (DM) ingress handler that processes pairing challenges before validating event signatures. Remote unauthenticated attackers can send forged DMs to create bogus pending pairing entries, exhaust shared pairing capacity, and trigger unbounded relay and logging work on the Nostr channel, causing denial of service. No public exploit code or active exploitation has been confirmed; a vendor patch is available in version 2026.3.31 and later.
Authentication Bypass
Denial Of Service
-
CVE-2026-41300
MEDIUM
CVSS 6.9
OpenClaw before version 2026.3.31 fails to properly invalidate attacker-discovered endpoints during trust decline operations in remote onboarding workflows, allowing attackers to route gateway credentials to malicious endpoints by preserving their URLs through the trust decline process into manual operator acceptance prompts. The vulnerability requires user interaction (UI:A) but affects gateway credential confidentiality (VC:H), posing a significant risk to organizations using OpenClaw's remote onboarding feature, with a CVSS score of 6.9 (Medium).
Information Disclosure
-
CVE-2026-41298
MEDIUM
CVSS 5.3
OpenClaw before version 2026.4.2 fails to enforce write-scope authorization on the POST /sessions/:sessionKey/kill endpoint, allowing authenticated users with read-only credentials to terminate arbitrary subagent sessions. The vulnerability requires valid API credentials with read scope but does NOT require write permissions, enabling privilege escalation within identity-bearing authentication modes. No public exploit code has been identified, and this is not listed as actively exploited by CISA; however, the low CVSS score of 5.3 reflects the requirement for prior authentication rather than the ease of exploitation once credentials are obtained.
Authentication Bypass
-
CVE-2026-41297
MEDIUM
CVSS 4.8
OpenClaw before version 2026.3.31 allows authenticated users to exploit server-side request forgery (SSRF) through unvalidated HTTP redirects in the marketplace plugin download functionality, enabling access to internal resources and potential information disclosure. The marketplace.ts module fails to validate redirect destinations during archive downloads, permitting remote attackers with valid credentials and user interaction to redirect requests to arbitrary internal or external servers. Real-world exploitation is limited by authentication and interaction requirements, keeping the baseline CVSS at 4.8 (medium), though impact depends on network exposure of internal services.
SSRF
-
CVE-2026-41285
MEDIUM
CVSS 4.3
Denial-of-service in OpenBSD slaacd and rad daemons allows local network attackers to trigger infinite loops by sending crafted ICMPv6 Neighbor Discovery packets with zero-length options, causing affected daemons to hang due to missing validation of the nd_opt_len field before arithmetic operations. OpenBSD versions through 7.8 are affected. No evidence of active exploitation has been identified.
Denial Of Service
-
CVE-2026-41194
MEDIUM
CVSS 5.4
Cross-site request forgery (CSRF) in FreeScout prior to version 1.8.215 allows unauthenticated remote attackers to disconnect OAuth integrations from a mailbox by tricking a logged-in admin into visiting a malicious web page, resulting in loss of email synchronization and potential service disruption. The vulnerability stems from the OAuth disconnect endpoint using GET HTTP method without CSRF token validation, enabling attackers to craft simple links or embed requests in third-party sites to trigger account modifications.
CSRF
-
CVE-2026-41183
MEDIUM
CVSS 4.3
FreeScout prior to version 1.8.215 leaks confidential help desk conversations to authenticated users through global search and AJAX filter endpoints, bypassing per-conversation access controls that should restrict visibility to assigned agents. An authenticated user with any level of helpdesk access can enumerate and view conversations they should not have permission to access via non-folder query builders, revealing sensitive customer and internal communication that the application explicitly restricts in folder views.
Information Disclosure
-
CVE-2026-41067
MEDIUM
CVSS 6.1
## Summary
The `defineScriptVars` function in Astro's server-side rendering pipeline uses a case-sensitive regex `/<\/script>/g` to sanitize values injected into inline `<script>` tags via the `define:vars` directive. HTML parsers close `<script>` elements case-insensitively and also accept whitesp...
XSS
-
CVE-2026-41063
MEDIUM
CVSS 5.4
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sa...
XSS
-
CVE-2026-41062
MEDIUM
CVSS 6.5
WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream f...
PHP
Path Traversal
-
CVE-2026-41061
MEDIUM
CVSS 5.4
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duratio...
PHP
XSS
-
CVE-2026-40944
MEDIUM
CVSS 6.9
Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. ...
Information Disclosure
-
CVE-2026-40942
MEDIUM
CVSS 6.3
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, the OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every inco...
Information Disclosure
-
CVE-2026-40939
MEDIUM
CVSS 6.8
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This ...
Information Disclosure
-
CVE-2026-40935
MEDIUM
CVSS 5.3
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined w...
PHP
Information Disclosure
-
CVE-2026-40929
MEDIUM
CVSS 5.4
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check...
PHP
CSRF
-
CVE-2026-40928
MEDIUM
CVSS 5.4
WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malic...
PHP
CSRF
-
CVE-2026-40927
MEDIUM
CVSS 5.4
Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0.
XSS
-
CVE-2026-40924
MEDIUM
CVSS 6.5
The Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HT...
Denial Of Service
Kubernetes
Red Hat
Suse
-
CVE-2026-40923
MEDIUM
CVSS 5.4
The Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal paths by using .. path traversal components. The restriction check uses strin...
Path Traversal
Kubernetes
Red Hat
Suse
-
CVE-2026-40910
MEDIUM
CVSS 6.5
frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend...
Authentication Bypass
-
CVE-2026-40908
MEDIUM
CVSS 5.3
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), d...
PHP
Information Disclosure
-
CVE-2026-40907
MEDIUM
CVSS 6.5
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream...
PHP
Authentication Bypass
-
CVE-2026-40895
MEDIUM
CVSS 6.9
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie hea...
Information Disclosure
Red Hat
-
CVE-2026-40889
MEDIUM
CVSS 6.5
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting a certain API endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.
Authentication Bypass
-
CVE-2026-40888
MEDIUM
CVSS 6.5
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with the default role can access unauthorized information by exploiting a certain API endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are availabl...
Authentication Bypass
-
CVE-2026-40874
MEDIUM
CVSS 6.0
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, ...
Authentication Bypass
Docker
-
CVE-2026-40608
MEDIUM
CVSS 6.2
Denial of service in Next AI Draw.io prior to version 0.4.15 allows local attackers to crash the embedded HTTP sidecar by sending oversized request bodies to three POST endpoints (/api/state, /api/restore, /api/history-svg) without size limits, exhausting Node.js V8 heap memory and forcing an out-of-memory shutdown. CVSS 6.2 reflects local attack vector and high availability impact; no public exploit code confirmed at time of analysis.
Denial Of Service
Node.js
-
CVE-2026-40606
MEDIUM
CVSS 4.8
Authentication bypass in mitmproxy 12.2.1 and below allows remote attackers to bypass LDAP-based proxy authentication through unsanitized username injection. The vulnerability affects only instances explicitly configured with the proxyauth option using LDAP authentication, which is disabled by default. Attackers can exploit this over the network without authentication or user interaction to gain unauthorized access to proxied connections.
Authentication Bypass
LDAP
Code Injection
Suse
-
CVE-2026-40592
MEDIUM
CVSS 5.9
FreeScout versions prior to 1.8.214 allow authenticated agents in shared mailboxes to recall another agent's reply within a 15-second undo window due to insufficient authorization checks on the undo-send endpoint. The vulnerability requires agent-level authentication and shared mailbox access but enables one user to suppress a colleague's outbound communication, affecting message integrity and audit trails in multi-agent help desk environments.
Authentication Bypass
-
CVE-2026-40590
MEDIUM
CVSS 4.3
FreeScout prior to version 1.8.214 permits authenticated users to modify hidden customer profiles through email-based object reuse in the customer creation endpoint. By supplying an email address already associated with a hidden customer via POST /customers/ajax?action=create, an attacker can bypass unique-email validation and populate that customer's empty profile fields with arbitrary data, enabling account takeover or data manipulation without administrative privileges.
Authentication Bypass
-
CVE-2026-40587
MEDIUM
CVSS 6.5
blueprintUE prior to version 4.2.0 fails to invalidate active user sessions when passwords are changed or reset, allowing attackers with compromised sessions to maintain indefinite account access even after the legitimate user detects the breach and changes their password. The attacker retains full account privileges until the session naturally expires (default 24 hours) or is manually cleared, creating a critical window where password changes provide no security benefit.
Information Disclosure
-
CVE-2026-40584
MEDIUM
CVSS 6.9
RansomLook versions prior to 1.9.0 disclose non-public location information through an improper list-filtering logic error in the API layer. The vulnerability stems from removing elements from a list during iteration in website/web/api/genericapi.py, causing entries marked as private to persist in API responses. Unauthenticated remote attackers can retrieve sensitive location data that should remain hidden, with CVSS 6.9 indicating low confidentiality impact across the network.
Information Disclosure
-
CVE-2026-40570
MEDIUM
CVSS 5.7
FreeScout versions prior to 1.8.213 expose complete customer PII through an authentication bypass in the `load_customer_info` action of POST /conversation/ajax, allowing any authenticated user to retrieve sensitive profile data for arbitrary customers by providing only a valid email address. The vulnerability affects the authorization layer rather than authentication, enabling lateral access to customer records across mailboxes without proper access control verification.
Authentication Bypass
-
CVE-2026-40567
MEDIUM
CVSS 5.8
HTML injection in FreeScout prior to version 1.8.213 allows unauthenticated attackers to inject arbitrary HTML into outgoing support emails by crafting a malicious From display name. The unsanitized name is stored in the database and rendered unescaped via the {%customer.fullName%} template variable in reply emails, enabling attackers to embed phishing links, tracking pixels, and spoofed content in emails sent from the organization's legitimate address. No public exploit code identified at time of analysis.
Code Injection
-
CVE-2026-40566
MEDIUM
CVSS 4.1
Server-Side Request Forgery (SSRF) in FreeScout versions before 1.8.213 allows authenticated administrators to probe internal networks and fingerprint services via unvalidated IMAP and SMTP connection test functionality. Three AJAX actions in MailboxesController pass attacker-controlled server hostnames and ports directly to fsockopen() and protocol clients without IP validation, hostname restrictions, or internal-range blocklists, enabling port scanning and service banner disclosure through IMAP debug logs and AJAX responses. The vulnerability requires admin authentication but affects confidentiality of internal infrastructure.
PHP
SSRF
-
CVE-2026-40565
MEDIUM
CVSS 6.1
Stored cross-site scripting (XSS) in FreeScout prior to version 1.8.213 allows remote attackers to inject arbitrary HTML attributes into email message bodies by embedding unescaped double-quote characters in URLs. When the linkify() function converts plain-text URLs to anchor tags without proper escaping, attackers can break out of the href attribute and inject malicious JavaScript or event handlers. This requires user interaction (UI:R) to view a crafted email, but once viewed, the injected script executes in the context of the victim's session with potential for account compromise or data theft.
PHP
XSS
-
CVE-2026-40343
MEDIUM
CVSS 6.9
Fail-open request handling in free5GC UDR's POST /nudr-dr/v2/policy-data/subs-to-notify endpoint allows Policy Data notification subscriptions to be created with invalid, empty, or partially processed input after HTTP body read or deserialization failures. The handler fails to return after sending error responses (HTTP 500 for body read failure, HTTP 400 for deserialization failure), causing execution to continue and invoke the subscription processor with an uninitialized or malformed PolicyDataSubscription object. This is a logic flaw rather than memory corruption or remote code execution, but it violates fail-secure design principles for a write-capable API and may result in inconsistent subscription state or unintended database entries depending on downstream validation behavior.
Deserialization
-
CVE-2026-40045
MEDIUM
CVSS 5.9
OpenClaw before version 2026.4.2 transmits stored gateway credentials over unencrypted WebSocket (ws://) connections when accepting non-loopback endpoints, allowing adjacent network attackers with user interaction to forge discovery results or craft malicious setup codes that redirect clients to attacker-controlled endpoints and exfiltrate plaintext credentials. No public exploit code has been identified, but the vulnerability requires proximity to the target network and user interaction to trigger the credential disclosure.
Information Disclosure
-
CVE-2026-39946
MEDIUM
CVSS 4.6
OpenBao 2.5.2 and earlier fails to properly quote PostgreSQL schema names during role revocation in the PostgreSQL database secrets engine, allowing authenticated high-privilege administrators to execute arbitrary SQL injection as the database management user. The vulnerability affects the credentials management workflow when revoking database roles, potentially compromising database integrity. A vendor-released patch (version 2.5.3) is available.
SQLi
PostgreSQL
Red Hat
Hashicorp
Suse
-
CVE-2026-39886
MEDIUM
CVSS 5.3
Signed integer overflow in OpenEXR 3.4.0-3.4.9 HTJ2K decompression allows remote attackers to cause denial of service via crafted EXR files with excessive FLOAT channels. The `ht_undo_impl()` function accumulates a bytes-per-line value in a 32-bit signed integer without overflow protection; on memory-permissive systems, the wrapped negative value enables heap out-of-bounds writes. OpenEXR 3.4.10 contains the fix. This is a distinct overflow from CVE-2026-34545 in the same function and mirrors the pattern of CVE-2026-34588.
Buffer Overflow
Integer Overflow
Red Hat
Suse
-
CVE-2026-39378
MEDIUM
CVSS 6.5
Jupyter nbconvert 6.5 through 7.17.0 allows unauthenticated remote attackers to read arbitrary files from the conversion host when HTMLExporter.embed_images is enabled, by embedding malicious image references with path traversal sequences in a crafted notebook. A malicious actor can exfiltrate sensitive files as base64-encoded data URIs in the output HTML, achieving confidentiality breach with no integrity or availability impact. Vendor-released patch: version 7.17.1.
Path Traversal
Red Hat
Suse
-
CVE-2026-39377
MEDIUM
CVSS 6.5
Arbitrary file write in Jupyter nbconvert 6.5 through 7.17.0 allows unauthenticated attackers to write files to arbitrary filesystem locations outside the intended output directory by crafting malicious cell attachment filenames in notebooks. The ExtractAttachmentsPreprocessor fails to sanitize attachment filenames, enabling path traversal that provides full control over destination paths and file extensions. Requires user interaction (opening a malicious notebook) and is patched in version 7.17.1.
Path Traversal
Red Hat
Suse
-
CVE-2026-35588
MEDIUM
CVSS 6.3
Cassandra export module in Glances prior to version 4.5.4 allows local privilege-escalated users to redirect monitoring data to attacker-controlled databases by injecting CQL statements through unvalidated configuration parameters. An authenticated local attacker with write access to the Glances configuration file can modify keyspace, table, and replication_factor settings to execute arbitrary CQL, enabling data exfiltration or denial of service against the monitoring infrastructure. This vulnerability requires elevated local access but carries high confidentiality and integrity impact.
SQLi
Suse
-
CVE-2026-35451
MEDIUM
CVSS 5.7
Stored cross-site scripting in Twenty CRM versions prior to 1.20.6 allows authenticated attackers to inject malicious JavaScript URIs into file block attachments via the BlockNote editor, executing arbitrary code in the browsers of users who click the malicious link. The vulnerability bypasses protocol validation in the FileBlock component and lacks server-side sanitization of block content; exploitation requires user interaction (clicking the attachment) but persistence is stored on the server, affecting all subsequent users who view the compromised document.
XSS
-
CVE-2026-35252
MEDIUM
CVSS 6.4
Vulnerability in the Oracle Security Service product of Oracle Fusion Middleware (component: C Oracle SSL API). Supported versions that are affected are 12.2.1.4.0 and 12.1.3.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle S...
Authentication Bypass
Oracle
-
CVE-2026-35248
MEDIUM
CVSS 5.0
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracl...
Authentication Bypass
Denial Of Service
Oracle
-
CVE-2026-35247
MEDIUM
CVSS 6.0
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle ...
Authentication Bypass
Oracle
-
CVE-2026-35244
MEDIUM
CVSS 5.2
Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Lifecycle Management). The supported version that is affected is 11.2.24.0.000. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle H...
Authentication Bypass
Oracle
-
CVE-2026-35241
MEDIUM
CVSS 5.7
Vulnerability in the PeopleSoft Enterprise CS Student Records product of Oracle PeopleSoft (component: Research Tracking). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise...
Authentication Bypass
Oracle
-
CVE-2026-35240
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise My...
Authentication Bypass
Oracle
Red Hat
-
CVE-2026-35239
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Se...
Authentication Bypass
Oracle
Red Hat
-
CVE-2026-35238
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server....
Authentication Bypass
Oracle
Red Hat
-
CVE-2026-35237
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server....
Authentication Bypass
Oracle
Red Hat
-
CVE-2026-35236
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server....
Authentication Bypass
Oracle
Red Hat
-
CVE-2026-35235
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of th...
Authentication Bypass
Oracle
Red Hat
-
CVE-2026-35234
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks...
Authentication Bypass
Oracle
Red Hat
-
CVE-2026-35232
MEDIUM
CVSS 5.4
Vulnerability in Oracle Fusion Middleware (component: Dynamic Monitoring Service). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Fusion Middleware. Successful at...
Authentication Bypass
Oracle
-
CVE-2026-34325
MEDIUM
CVSS 6.8
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: User Interface). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows low privileged attacke...
Authentication Bypass
Oracle
-
CVE-2026-34324
MEDIUM
CVSS 6.5
Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: App Server). Supported versions that are affected are 7.0.1.0 and 7.0.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Lif...
Authentication Bypass
Oracle
-
CVE-2026-34323
MEDIUM
CVSS 6.3
Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: IDM Authentication). Supported versions that are affected are 7.0.1.0 and 7.0.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Or...
Authentication Bypass
Denial Of Service
Oracle
-
CVE-2026-34321
MEDIUM
CVSS 4.8
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: User Interface). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Difficult to exploit vulnerability allows low privileged attac...
Authentication Bypass
Oracle
-
CVE-2026-34319
MEDIUM
CVSS 5.0
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes ...
Denial Of Service
Oracle
-
CVE-2026-34318
MEDIUM
CVSS 5.8
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise ...
Authentication Bypass
Information Disclosure
Oracle
-
CVE-2026-34317
MEDIUM
CVSS 5.0
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes ...
Denial Of Service
Oracle
-
CVE-2026-34315
MEDIUM
CVSS 6.5
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to co...
Authentication Bypass
Oracle
-
CVE-2026-34314
MEDIUM
CVSS 6.8
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Difficult to exploit vulnerability allows low privileged attacker wi...
Authentication Bypass
Oracle
-
CVE-2026-34313
MEDIUM
CVSS 6.5
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows low privileged attacker with...
Authentication Bypass
Information Disclosure
Oracle
-
CVE-2026-34308
MEDIUM
CVSS 6.5
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Se...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-34307
MEDIUM
CVSS 5.4
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Workflow). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools...
Authentication Bypass
Oracle
-
CVE-2026-34306
MEDIUM
CVSS 6.5
Vulnerability in the PeopleSoft Enterprise FIN Project Costing product of Oracle PeopleSoft (component: Projects). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Pro...
Authentication Bypass
Oracle
-
CVE-2026-34304
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server....
Denial Of Service
Oracle
Red Hat
-
CVE-2026-34303
MEDIUM
CVSS 6.5
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MyS...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-34302
MEDIUM
CVSS 5.5
Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vuln...
Authentication Bypass
Denial Of Service
Oracle
-
CVE-2026-34301
MEDIUM
CVSS 6.5
Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSof...
Authentication Bypass
Oracle
-
CVE-2026-34300
MEDIUM
CVSS 6.5
Vulnerability in the PeopleSoft Enterprise FIN Contracts product of Oracle PeopleSoft (component: Contracts). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Contract...
Authentication Bypass
Information Disclosure
Oracle
-
CVE-2026-34299
MEDIUM
CVSS 6.5
Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSof...
Authentication Bypass
Oracle
-
CVE-2026-34298
MEDIUM
CVSS 4.7
Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Application...
Authentication Bypass
Denial Of Service
Oracle
-
CVE-2026-34296
MEDIUM
CVSS 4.3
Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compro...
Information Disclosure
Oracle
-
CVE-2026-34295
MEDIUM
CVSS 6.5
Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purcha...
Authentication Bypass
Oracle
-
CVE-2026-34294
MEDIUM
CVSS 5.9
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Microsoft Active Directory). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows low privileged attacker with network access via LDAP to compromise Ora...
Authentication Bypass
Microsoft
Oracle
-
CVE-2026-34293
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.45. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of t...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-34289
MEDIUM
CVSS 5.9
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager...
Authentication Bypass
Oracle
-
CVE-2026-34288
MEDIUM
CVSS 5.9
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager ...
Authentication Bypass
Oracle
-
CVE-2026-34284
MEDIUM
CVSS 6.1
Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Human workflow 11g+). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to c...
Authentication Bypass
Oracle
-
CVE-2026-34283
MEDIUM
CVSS 6.1
Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Identity Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Ide...
Authentication Bypass
Oracle
-
CVE-2026-34281
MEDIUM
CVSS 6.5
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11.4. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the...
Denial Of Service
Oracle
-
CVE-2026-34280
MEDIUM
CVSS 6.5
Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Job Profile Manager). The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterp...
Authentication Bypass
Oracle
-
CVE-2026-34278
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attack...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-34277
MEDIUM
CVSS 6.6
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Fluid Core). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTo...
Authentication Bypass
Denial Of Service
Oracle
-
CVE-2026-34276
MEDIUM
CVSS 6.5
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-34274
MEDIUM
CVSS 6.1
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Success...
Authentication Bypass
Oracle
-
CVE-2026-34273
MEDIUM
CVSS 5.3
Vulnerability in Oracle GoldenGate (component: Libraries). Supported versions that are affected are 23.4-23.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle GoldenGate. Successful attacks of this vulnerability can result in una...
Information Disclosure
Oracle
-
CVE-2026-34272
MEDIUM
CVSS 6.5
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks ...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-34271
MEDIUM
CVSS 6.5
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-34270
MEDIUM
CVSS 6.5
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-34269
MEDIUM
CVSS 6.1
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools....
Authentication Bypass
Oracle
-
CVE-2026-34267
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attack...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-34266
MEDIUM
CVSS 6.5
Vulnerability in the PeopleSoft Enterprise HCM Absence Management product of Oracle PeopleSoft (component: Absence Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Ente...
Authentication Bypass
Oracle
-
CVE-2026-33812
MEDIUM
CVSS 6.1
Parsing a malicious font file can cause excessive memory allocation.
Denial Of Service
-
CVE-2026-32147
MEDIUM
CVSS 5.3
Erlang OTP SSH daemon (ssh_sftpd) stores unresolved user-supplied paths in file handles, allowing authenticated SFTP users to modify file attributes (permissions, ownership, timestamps) outside the configured chroot directory via SSH_FXP_FSETSTAT requests. When the SSH daemon runs as root, this enables privilege escalation through setting setuid bits or changing ownership of system files. The vulnerability affects OTP versions 17.0 through 28.4.3 (and earlier point releases in 27.x and 26.x series); patched versions are available per vendor advisory.
Privilege Escalation
Path Traversal
-
CVE-2026-31370
MEDIUM
CVSS 6.3
Honor E App discloses sensitive information to unauthorized users via network-accessible endpoints, requiring user interaction but affecting service confidentiality across all product versions. The vulnerability carries a moderate CVSS score of 6.3 (AV:N/AC:L/PR:N/UI:R) indicating remote exploitation without authentication, though successful attack requires user interaction. Patch availability and exploitation status remain unconfirmed from available sources.
Information Disclosure
-
CVE-2026-31014
MEDIUM
CVSS 6.3
Cross-site request forgery (CSRF) in Dovestones AD Self Update versions before 4.0.0.5 allows unauthenticated attackers to modify authenticated user account information by crafting malicious requests that exploit missing CSRF token validation. The vulnerability affects state-changing endpoints that accept both POST and GET requests without proper anti-CSRF protections, enabling account takeover when a victim visits a malicious page while logged in. Publicly available exploit code exists.
CSRF
-
CVE-2026-31013
MEDIUM
CVSS 6.1
Reflected cross-site scripting (XSS) in Dovestones ADPhonebook versions below 4.0.1.1 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via the search parameter of the /ADPhonebook?Department=HR endpoint. User input is reflected without proper encoding. Publicly available exploit code exists, though CISA KEV status is not confirmed, and CVSS 6.1 with UI:R indicates user interaction is required for successful exploitation.
XSS
-
CVE-2026-30452
MEDIUM
CVSS 6.5
Textpattern CMS 4.9.0 allows authenticated low-privilege users to modify articles owned by higher-privilege users by manipulating the article ID parameter in the duplicate-and-save workflow, bypassing authorization checks in the article management system. The vulnerability affects only authenticated users with existing CMS access and requires no user interaction or special network access. No public exploit code or active exploitation has been identified, though the EPSS score of 0.02% suggests minimal real-world attack probability despite the moderate CVSS 6.5 score.
PHP
Authentication Bypass
-
CVE-2026-29644
MEDIUM
CVSS 5.3
XiangShan open-source RISC-V processor commit edb1dfaf7d290ae99724594507dc46c2c2125384 and earlier versions fail to properly gate the Control and Status Register (CSR) write-enable path for Physical Memory Attribute (PMA) configuration, allowing local attackers with code execution privileges to write to PMA CSRs that should raise illegal-instruction exceptions per the RISC-V specification. Successful exploitation enables attackers to alter memory attribute enforcement, potentially leading to privilege escalation, information disclosure, or denial of service depending on platform security boundaries. No public exploit code or active exploitation has been confirmed at time of analysis.
Authentication Bypass
Privilege Escalation
Denial Of Service
Information Disclosure
N/A
-
CVE-2026-26274
MEDIUM
CVSS 6.6
October CMS versions prior to 3.7.14 and 4.1.10 allow backend developers with Developer permissions to bypass Twig sandbox restrictions and execute unauthorized database write operations (insert, update, delete) via the query builder when cms.safe_mode is enabled. This privilege escalation vulnerability enables data manipulation on any database table despite sandbox security policies intended to restrict template functionality.
Information Disclosure
-
CVE-2026-26067
MEDIUM
CVSS 4.9
October CMS versions prior to 3.7.14 and 4.1.10 allow authenticated backend users with Editor permissions to read arbitrary server files by crafting malicious CSS preprocessor files (.less, .sass, .scss) that exploit the compiler's import functionality. The vulnerability persists even when cms.safe_mode is enabled, enabling high-confidence information disclosure of sensitive configuration files, credentials, and application source code without requiring administrative privileges.
Authentication Bypass
Information Disclosure
-
CVE-2026-25542
MEDIUM
CVSS 6.5
Tekton Pipelines 0.43.0 through 1.11.0 allows authenticated attackers to bypass trusted resource verification policies via unanchored regular expression patterns that match substrings rather than exact resource sources, enabling policy manipulation and unauthorized verification mode changes. The vulnerability stems from Go's regexp.MatchString function matching patterns anywhere within a string rather than requiring full anchoring, permitting attackers to craft source URIs containing trusted patterns as substrings to trigger unintended policy matches and potentially apply weaker verification keys or modes.
Authentication Bypass
Kubernetes
-
CVE-2026-24176
MEDIUM
CVSS 4.3
NVIDIA KAI Scheduler contains an improper authorization vulnerability allowing authenticated attackers to reference pods across Kubernetes namespaces they do not own, enabling data tampering. The vulnerability requires valid credentials and network access to the scheduler but does not permit confidentiality breaches or denial of service. CVSS 4.3 (low) reflects authenticated access requirement and integrity impact only; no active exploitation or public POC identified.
Authentication Bypass
Nvidia
-
CVE-2026-22751
MEDIUM
CVSS 4.8
Time-of-check Time-of-use (TOCTOU) race condition in Spring Security's JdbcOneTimeTokenService allows unauthenticated remote attackers to bypass one-time token validation and gain unauthorized access. Affected versions include 6.4.0-6.4.15, 6.5.0-6.5.9, and 7.0.0-7.0.4. The vulnerability requires explicit configuration of One-Time Token login and involves high attack complexity, limiting real-world exploitation despite network accessibility.
Java
Information Disclosure
-
CVE-2026-22021
MEDIUM
CVSS 5.3
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 a...
Denial Of Service
Java
Oracle
Red Hat
Suse
-
CVE-2026-22019
MEDIUM
CVSS 5.4
Vulnerability in the PeopleSoft Enterprise HCM Shared Components product of Oracle PeopleSoft (component: Person Search). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise ...
Authentication Bypass
Oracle
-
CVE-2026-22017
MEDIUM
CVSS 6.5
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MyS...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-22015
MEDIUM
CVSS 4.3
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compr...
Information Disclosure
Oracle
Red Hat
-
CVE-2026-22013
MEDIUM
CVSS 5.3
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 a...
Authentication Bypass
Java
Oracle
Red Hat
Suse
-
CVE-2026-22009
MEDIUM
CVSS 6.5
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MyS...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-22006
MEDIUM
CVSS 5.4
Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterpris...
Information Disclosure
Oracle
-
CVE-2026-22005
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise My...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-22004
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server....
Denial Of Service
Oracle
Red Hat
-
CVE-2026-22003
MEDIUM
CVSS 6.0
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged ...
Denial Of Service
Java
Oracle
Suse
-
CVE-2026-22002
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise My...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-21999
MEDIUM
CVSS 5.3
Vulnerability in the XML Database component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise XML Database. Successful attacks require human interaction ...
Authentication Bypass
Information Disclosure
Oracle
-
CVE-2026-21998
MEDIUM
CVSS 4.9
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise My...
Denial Of Service
Oracle
Red Hat
-
CVE-2026-6830
MEDIUM
CVSS 4.8
nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and...
Information Disclosure
-
CVE-2026-6829
MEDIUM
CVSS 5.3
nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/st...
Path Traversal
-
CVE-2026-6797
MEDIUM
CVSS 5.3
A vulnerability was identified in Sanluan PublicCMS up to 6.202506.d. Affected by this vulnerability is the function ZipSecureFile.setMinflateRatio of the file common/src/main/java/com/publiccms/common/tools/DocToHtmlUtils.java. Such manipulation leads to resource consumption. It is possible to laun...
Denial Of Service
Java
-
CVE-2026-6796
MEDIUM
CVSS 5.3
A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword causes cleartext sto...
Java
Information Disclosure
-
CVE-2026-6783
MEDIUM
CVSS 5.3
Integer overflow in Firefox's Audio/Video Playback component allows remote unauthenticated attackers to cause integrity violations through specially crafted multimedia content. The vulnerability stems from incorrect boundary condition handling in numeric calculations, potentially enabling attackers to modify playback state or corrupt audio/video streams without user interaction. Firefox 150 and later contain the fix.
Buffer Overflow
Integer Overflow
Red Hat
Mozilla
Suse
-
CVE-2026-6779
MEDIUM
CVSS 5.3
Mozilla Firefox JavaScript Engine contains an improper input validation flaw that permits remote, unauthenticated information disclosure to attackers without user interaction. The vulnerability (CWE-20: Improper Input Validation) affects all versions prior to Firefox 150 and allows attackers to access sensitive data via a network-based attack with low complexity. A vendor-released patch is available in Firefox 150.
Information Disclosure
Red Hat
Mozilla
Suse
-
CVE-2026-6778
MEDIUM
CVSS 5.3
Denial of service via null pointer dereference in Firefox's Audio/Video Playback component allows remote attackers to crash the browser without user interaction. The vulnerability affects Firefox versions prior to 150 and requires only a network connection to trigger, resulting in availability loss but not code execution or data compromise. No active exploitation has been confirmed at time of analysis.
Denial Of Service
Null Pointer Dereference
Red Hat
Mozilla
Suse
-
CVE-2026-6777
MEDIUM
CVSS 5.3
Denial of service in Firefox DNS networking component allows unauthenticated remote attackers to cause partial availability impact through crafted network requests. The vulnerability, classified as a cross-site request forgery (CSRF) issue within DNS handling, affects Firefox versions prior to 150 and has been patched by Mozilla.
CSRF
Red Hat
Mozilla
Suse
-
CVE-2026-6775
MEDIUM
CVSS 5.3
Incorrect boundary conditions in Firefox's WebRTC component allow remote attackers to read limited memory contents without authentication. Firefox versions prior to 150 are affected by this low-confidentiality vulnerability, which CVSS rates at 5.3 due to network exploitability without user interaction, though CISA's SSVC framework indicates no current exploitation activity and limited technical impact.
Buffer Overflow
Red Hat
Mozilla
Suse
-
CVE-2026-6774
MEDIUM
CVSS 5.4
Mitigation bypass in Firefox's DOM Security component allows authenticated remote attackers with user interaction to circumvent security controls and gain limited read/write access to sensitive data across security boundaries. Firefox 150 and later versions contain the fix; versions prior to 150 are vulnerable. SSVC assessment indicates no current public exploitation, though the vulnerability requires user interaction and authentication to trigger.
Authentication Bypass
Red Hat
Mozilla
Suse
-
CVE-2026-6770
MEDIUM
CVSS 6.5
Information disclosure in Firefox's IndexedDB storage component allows remote unauthenticated attackers to leak sensitive data through a network-accessible vulnerability with no user interaction required. Affected versions include Firefox prior to 150 and Firefox ESR prior to 140.10. The vulnerability has a CVSS score of 6.5 reflecting moderate severity with confidentiality impact and limited availability risk.
Information Disclosure
Red Hat
Mozilla
Suse
-
CVE-2026-6767
MEDIUM
CVSS 5.3
Confidentiality compromise in Firefox NSS Libraries allows remote unauthenticated attackers to leak sensitive information over the network without user interaction. The vulnerability affects Firefox 150 and earlier, Firefox ESR 115.34 and earlier, and Firefox ESR 140.9 and earlier, and has been patched in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. No public exploit code or active exploitation has been identified at the time of analysis.
Buffer Overflow
Red Hat
Mozilla
Suse
-
CVE-2026-6765
MEDIUM
CVSS 5.3
Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Information Disclosure
Red Hat
Mozilla
Suse
-
CVE-2026-6764
MEDIUM
CVSS 6.5
Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Buffer Overflow
Red Hat
Mozilla
Suse
-
CVE-2026-6763
MEDIUM
CVSS 6.5
Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Authentication Bypass
Red Hat
Mozilla
Suse
-
CVE-2026-6762
MEDIUM
CVSS 6.3
DOM spoofing in Firefox allows remote attackers to deceive users about webpage origin and integrity through rendering manipulation, requiring user interaction. Affects Firefox 149 and earlier, Firefox ESR 115.34 and earlier, and Firefox ESR 140.9 and earlier. Fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. EPSS score of 0.02% indicates low exploitation probability despite CVSS 6.3 rating, suggesting practical exploitation constraints despite network accessibility.
Authentication Bypass
Red Hat
Mozilla
Suse
-
CVE-2026-6757
MEDIUM
CVSS 6.3
Invalid pointer handling in Firefox's JavaScript-WebAssembly component allows remote attackers to disclose information or cause limited memory corruption via a malicious webpage, requiring user interaction. The vulnerability affects Firefox versions prior to 150 and Firefox ESR prior to 140.10, with an EPSS score of 0.02% indicating minimal real-world exploitation probability despite moderate CVSS severity. Vendor-released patches are available in Firefox 150 and Firefox ESR 140.10.
Information Disclosure
Memory Corruption
Red Hat
Mozilla
Suse
-
CVE-2026-6755
MEDIUM
CVSS 6.5
A cross-site request forgery (CSRF) mitigation bypass in the DOM postMessage component of Firefox allows authenticated attackers to trigger denial of service against affected systems. The vulnerability bypasses existing CSRF protections through improper validation of postMessage origin checks, affecting Firefox versions prior to 150. No public exploit code has been identified, and exploitation requires authenticated network access without user interaction.
CSRF
Red Hat
Mozilla
Suse
-
CVE-2026-6712
MEDIUM
CVSS 4.4
Stored cross-site scripting in Website LLMs.txt plugin for WordPress versions up to 8.2.6 allows authenticated administrators to inject arbitrary JavaScript into plugin settings that executes when any user visits affected pages. The vulnerability requires high privilege level (PR:H) and occurs only in multi-site installations or where unfiltered_html capability is disabled. No public exploit code or active exploitation has been identified.
WordPress
XSS
-
CVE-2026-6711
MEDIUM
CVSS 6.1
Reflected cross-site scripting (XSS) in the Website LLMs.txt WordPress plugin versions up to 8.2.6 allows unauthenticated attackers to inject arbitrary JavaScript via the 'tab' parameter due to improper use of filter_input() without sanitization and insufficient output escaping. Exploitation requires social engineering an administrator into clicking a malicious link, but once successful it grants the attacker the ability to execute scripts in the admin's browser session with access to sensitive WordPress functions and data.
WordPress
XSS
-
CVE-2026-6703
MEDIUM
CVSS 4.3
Responsive Blocks - Page Builder for Blocks & Patterns plugin for WordPress versions up to 2.2.1 allows authenticated contributors and higher to modify global site-wide plugin configuration, including custom CSS settings, block availability, layout defaults (content width, padding, gap), and auto-recovery behavior due to missing authorization checks. This capability escalation bypasses intended role-based access control, enabling lower-privileged users to degrade site functionality and inject CSS-based attacks. No public exploit code or active exploitation confirmed at time of analysis; CVSS 4.3 (low) reflects the authentication requirement and integrity-only impact, but real-world risk depends on contributor population and site governance.
WordPress
Authentication Bypass
-
CVE-2026-6675
MEDIUM
CVSS 5.3
Unauthenticated open email relay in Responsive Blocks - Page Builder for Blocks & Patterns WordPress plugin (versions up to 2.2.0) allows remote attackers to send arbitrary emails through the affected site's mail server via a public REST API endpoint lacking authorization checks and email recipient validation. The vulnerability enables attackers to abuse WordPress sites for spam distribution and phishing campaigns without authentication.
WordPress
Information Disclosure
-
CVE-2026-6674
MEDIUM
CVSS 6.5
SQL injection in the CMS für Motorrad Werkstätten WordPress plugin (versions up to 1.0.0) allows authenticated attackers with subscriber-level privileges to extract sensitive database information via an unsanitized 'arttype' parameter. The vulnerability requires valid WordPress user credentials but no special configuration, making it exploitable against any WordPress installation running the affected plugin. No public exploit code or active exploitation has been identified at the time of analysis.
WordPress
SQLi
-
CVE-2026-6058
MEDIUM
CVSS 4.5
Denial-of-service in Zyxel WRE6505 v2 firmware via improper encoding in the CGI program allows an adjacent WLAN attacker to crash the web management interface by crafting a malformed SSID and convincing an authenticated administrator to visit the 'AP Select' page. CVSS 4.5 (moderate) with attack vector limited to adjacent networks (Wi-Fi range). No public exploit code identified; Zyxel has marked this as unsupported (end-of-life product).
Information Disclosure
Zyxel
-
CVE-2026-5512
MEDIUM
CVSS 5.3
An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messa...
Information Disclosure
-
CVE-2026-3317
MEDIUM
CVSS 5.1
Reflected cross-site scripting in Navigate CMS allows remote attackers to inject and execute arbitrary JavaScript in victims' browsers via unsanitized query parameters in the /blog endpoint. The vulnerability affects Navigate CMS versions 0 through 2.9.5 and requires user interaction (clicking a malicious link). CVSS 5.1 reflects the limited scope (only session/cookie theft) and mandatory user interaction, though exploitation is straightforward for phishing campaigns.
XSS
-
CVE-2026-3307
MEDIUM
CVSS 5.3
An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body....
Authentication Bypass
-
CVE-2026-1354
MEDIUM
CVSS 5.9
Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, an attacker can utilize over-the-air firmware updating functionality to potentially upload malicious firmware to the motorcycle. The motorcycle must first ...
Information Disclosure
-
CVE-2026-1089
MEDIUM
CVSS 6.5
User-controlled HTTP headers in Fortra GoAnywhere MFT prior to version 7.10.0 enable remote unauthenticated attackers to trigger arbitrary DNS lookups and execute DNS rebinding attacks, leading to information disclosure and potential service degradation. The vulnerability exploits improper handling of attacker-supplied header values in network requests, allowing reconnaissance of internal infrastructure and circumvention of network segmentation controls.
Information Disclosure
-
CVE-2026-0972
MEDIUM
CVSS 5.4
SSH key brute-force attack against GoAnywhere MFT SFTP service allows remote unauthenticated attackers to compromise Web User accounts configured with SSH key authentication in versions prior to 7.10.0. The SFTP service fails to enforce login attempt limits when SSH key authentication is used, enabling attackers to programmatically guess private keys. EPSS and KEV data not provided; vendor Fortra disclosed this vulnerability directly (FI-2026-004).
Information Disclosure
-
CVE-2026-0971
MEDIUM
CVSS 4.3
Improper session timeout handling in Fortra GoAnywhere MFT prior to version 7.10.0 allows unauthenticated remote attackers to bypass SAML authentication and redirect users to the regular login page, potentially enabling credential harvesting or session hijacking attacks. The vulnerability requires user interaction (clicking a malicious link or visiting a crafted URL) but affects all web users configured with SAML single sign-on, creating an information disclosure risk through unexpected authentication flow exposure.
Information Disclosure
-
CVE-2025-41011
MEDIUM
CVSS 5.1
HTML injection vulnerability in PHP Point of Sale v19.4 allows unauthenticated remote attackers to render arbitrary HTML in victims' browsers via the '/reports/generate/specific_customer' endpoint, affecting the 'start_date_formatted' and 'end_date_formatted' parameters. User interaction is required (victim must visit a crafted link), limiting impact to stored/reflected XSS scenarios. No public exploit code or active exploitation has been confirmed at the time of analysis.
PHP
XSS
-
CVE-2025-31981
MEDIUM
CVSS 5.3
HCL BigFix Service Management Discovery accepts unencrypted HTTP traffic on port 80, allowing network-adjacent attackers to passively intercept and read sensitive data in transit without authentication or user interaction. The vulnerability exposes confidential information including credentials and system details to packet sniffing attacks on any network where the service is accessible.
Information Disclosure
-
CVE-2025-10354
MEDIUM
CVSS 5.1
Reflected cross-site scripting (XSS) in Semantic MediaWiki 5.0.2 allows unauthenticated remote attackers to inject malicious JavaScript via the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. A victim visiting an attacker-crafted URL executes arbitrary JavaScript in their browser, enabling session cookie theft or unauthorized actions on behalf of the user. User interaction (clicking the link) is required. No public exploit code or active exploitation has been identified at time of analysis.
PHP
XSS
-
CVE-2025-1241
MEDIUM
CVSS 5.8
Fortra GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 use a static initialization vector (IV) for encryption, allowing authenticated administrative users to brute-force decryption of encrypted data. The vulnerability requires high-privilege access and computational effort but results in complete confidentiality loss of encrypted values. No public exploit code or active exploitation has been confirmed at time of analysis.
Information Disclosure
-
CVE-2026-41330
LOW
CVSS 2.0
OpenClaw before version 2026.3.31 fails to sanitize environment variables in its host exec policy, allowing authenticated local attackers to override proxy, TLS, Docker, and Git TLS security controls. An attacker with local access and limited privileges can bypass intended security restrictions by injecting malicious environment variables, potentially disabling certificate verification or redirecting traffic through unauthorized proxies. No public exploit code has been identified, and the vulnerability requires process interaction (AT:P) to trigger.
Authentication Bypass
Docker
-
CVE-2026-40878
LOW
CVSS 2.1
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.tw...
XSS
Docker
-
CVE-2026-40279
LOW
CVSS 3.7
BACnet Stack prior to version 1.4.3 exhibits undefined behavior in the decode_signed32() function when processing signed-integer property values containing bytes with the high bit set, causing denial of service through integer overflow. Network-remote attackers can trigger this vulnerability by sending specially crafted BACnet packets with high-bit-set byte sequences, resulting in application instability or crash on embedded systems running vulnerable versions. The vulnerability is confirmed fixed in version 1.4.3.
Buffer Overflow
-
CVE-2026-40264
LOW
CVSS 2.0
OpenBao versions prior to 2.5.3 allow high-privileged administrators in one tenant to revoke or renew authentication tokens belonging to users in other tenants if the token accessor is disclosed, bypassing the multi-tenant isolation guarantee. The vulnerability requires high privilege level and user interaction but undermines the core security boundary of OpenBao's namespace-based multi-tenancy model. No active exploitation has been reported.
Information Disclosure
-
CVE-2026-39396
LOW
CVSS 3.1
Disk exhaustion via decompression bomb in OpenBao's OCI plugin downloader allows network attackers to exhaust victim disk resources by serving a crafted container image. The vulnerability exists in ExtractPluginFromImage() which writes decompressed tar streams without size bounds, and validates SHA256 integrity only after the full file is written to disk. An attacker controlling or compromising the OCI registry can replace legitimate plugin images with malicious compressed payloads that decompress to arbitrarily large files, causing denial of service. OpenBao versions prior to 2.5.3 are affected; the CVSS score of 3.1 reflects low impact (availability only) but the attack requires the victim to manually trigger plugin extraction with a compromised registry configured.
Denial Of Service
-
CVE-2026-39388
LOW
CVSS 2.0
OpenBao's Certificate authentication method with disable_binding=true allows token renewal using any sibling certificate signed by the same CA, rather than requiring the original certificate, enabling attackers with knowledge of a token or accessor to extend dynamic lease lifetimes beyond intended scope. The vulnerability affects OpenBao versions prior to 2.5.3 and requires high privileges and user interaction, resulting in a CVSS 2.0 score with low confidentiality and integrity impact. No public exploit code or active exploitation has been identified.
Information Disclosure
Hashicorp
-
CVE-2026-35250
LOW
CVSS 2.3
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle ...
Authentication Bypass
Denial Of Service
Oracle
-
CVE-2026-35249
LOW
CVSS 3.2
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle ...
Authentication Bypass
Oracle
-
CVE-2026-34312
LOW
CVSS 2.4
Vulnerability in the RDBMS component of Oracle Database Server. Supported versions that are affected are 19.3-19.30. Easily exploitable vulnerability allows high privileged attacker having Row Access Method privilege with network access via multiple protocols to compromise RDBMS. Successful attack...
Authentication Bypass
Oracle
-
CVE-2026-34268
LOW
CVSS 2.9
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0....
Java
Information Disclosure
Oracle
-
CVE-2026-31369
LOW
CVSS 3.2
Honor PcManager contains a privilege bypass vulnerability allowing local attackers without privileges to impact service availability through a type-confusion mechanism. The vulnerability requires high attack complexity and local access, resulting in a CVSS 3.2 (low severity) score with confidentiality and integrity impact ruled out. No active exploitation or public exploit code has been identified at the time of analysis.
Privilege Escalation
-
CVE-2026-29179
LOW
CVSS 3.3
October CMS versions prior to 3.7.16 and 4.1.16 fail to enforce fine-grained sub-permission checks for asset and blueprint file operations in the CMS and Tailor editor extensions, allowing backend users with editor access but explicitly withheld editor.cms_assets or editor.tailor_blueprints permissions to perform unauthorized file operations (create, delete, rename, move, upload) on theme assets and blueprint files. Additionally, an operator precedence error discloses the theme blueprint directory tree under the same conditions. This affects an uncommon permission configuration where high-privileged users have granular restrictions selectively applied.
Authentication Bypass
-
CVE-2026-27937
LOW
CVSS 3.1
Reflected cross-site scripting (XSS) in October CMS backend DataTable widget allows unauthenticated remote attackers to inject arbitrary JavaScript via a query parameter, requiring user interaction to execute malicious code. The vulnerability affects versions prior to 3.7.16 and 4.1.16, with a low severity CVSS score of 3.1 reflecting the requirement for high attack complexity and for a user to click a malicious link.
XSS
-
CVE-2026-22018
LOW
CVSS 3.7
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0...
Denial Of Service
Java
Oracle
-
CVE-2026-22014
LOW
CVSS 3.8
Vulnerability in the Oracle User Management product of Oracle E-Business Suite (component: Workflow and Business Events). Supported versions that are affected are 12.2.7-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle User ...
Authentication Bypass
Oracle
-
CVE-2026-22008
LOW
CVSS 3.7
Vulnerability in Oracle Java SE (component: Libraries). The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerab...
Privilege Escalation
Java
Oracle
-
CVE-2026-22007
LOW
CVSS 2.9
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0....
Java
Information Disclosure
Oracle
-
CVE-2026-22001
LOW
CVSS 2.7
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to comp...
Information Disclosure
Oracle
-
CVE-2026-6799
LOW
CVSS 2.1
A security flaw has been discovered in Comfast CF-N1-S 2.6.0.1. Affected by this issue is some unknown functionality of the file /cgi-bin/mbox-config?method=SET&section=ping_config of the component Endpoint. Performing a manipulation of the argument destination results in command injection. The atta...
Command Injection
-
CVE-2026-6745
LOW
CVSS 2.0
Stored cross-site scripting (XSS) in Bagisto up to version 2.3.15 allows authenticated attackers to inject malicious scripts via the Custom Scripts Handler component, which are then executed in the browsers of other users with user interaction. The vulnerability has publicly available exploit code and affects the integrity of user sessions. The vendor has acknowledged the issue and committed to fixes in upcoming releases, but no patched version has been released at the time of analysis.
XSS
-
CVE-2026-6744
LOW
CVSS 2.1
Server-side request forgery in Bagisto's Downloadable Link Handler component (versions up to 2.3.15) allows authenticated remote attackers to perform arbitrary HTTP requests on behalf of the server, potentially enabling access to internal resources, metadata services, or information disclosure. The vulnerability has publicly available exploit code and affects the copy function with low-to-moderate CVSS score (5.3) but concrete real-world impact if internal services are exposed. Vendor acknowledges the issue and states fixes are coming in upcoming releases.
SSRF
-
CVE-2026-6743
LOW
CVSS 2.0
Cross-site scripting (XSS) in WebSystems WebTOTUM 2026 Calendar component allows authenticated remote attackers to inject malicious scripts via an unknown function, requiring user interaction for exploitation. Publicly available exploit code exists, and vendor has released a patched version following responsible disclosure.
XSS
-
CVE-2025-31958
LOW
CVSS 3.7
HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing inconsistencies between front-end and back-end servers, potentially leading to limited information disclosure through cache poisoning or request hijacking attacks. The vulnerability has a CVSS score of 3.7 with low confidentiality impact but no direct availability or integrity impact.
Authentication Bypass
Request Smuggling