Skip to main content
CVE-2026-3298 HIGH PATCH This Week

Out-of-bounds buffer write in CPython's asyncio.ProactorEventLoop (Windows only) allows remote attackers to trigger memory corruption via oversized network data. The sock_recvfrom_into() method lacks buffer size validation when the nbytes parameter is used, enabling writes beyond allocated memory boundaries. Patch available via GitHub PR #148809. CVSS 8.8 reflects network-accessible attack surface with no authentication required, though exploitation is platform-specific (Windows only) and requires specific asyncio usage patterns.

Memory Corruption Microsoft Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-41036 HIGH This Week

Remote code execution in Quantum Networks router QN-I-470 allows authenticated attackers to execute arbitrary OS commands as root via command injection in the management CLI interface. The vulnerability stems from inadequate input sanitization, enabling low-privileged authenticated users to escalate privileges to root level. CVSS 8.7 (Critical) reflects network-accessible exploitation with low complexity, requiring only low-privilege authentication. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, but the authenticated nature and CLI access requirement limits exploitation to users with existing device credentials.

Command Injection RCE Router Qn I 470
NVD
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-40909 HIGH GHSA This Week

Path traversal in WWBN AVideo 29.0 and earlier allows authenticated administrators (or CSRF-tricked admins) to write arbitrary PHP files anywhere on the server filesystem, achieving remote code execution. The locale save endpoint fails to sanitize the 'flag' parameter used in file path construction and lacks CSRF protection despite SameSite=None cookies, enabling straightforward exploitation by lower-privilege attackers who chain CSRF against admin sessions. Upstream fix committed to GitHub (57f89ffb) but released patched version not independently confirmed. CVSS 8.7 reflects high impact but requires privileged access - real-world risk depends heavily on admin session hijacking opportunities.

PHP Path Traversal CSRF RCE
NVD GitHub
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-41303 HIGH PATCH GHSA This Week

Authorization bypass in OpenClaw before 2026.3.28 allows authenticated Discord users to approve pending host execution requests without proper privileges. Attackers with low-privileged Discord accounts can bypass the execApprovals.approvers allowlist by sending crafted Discord text commands, gaining unauthorized approval authority for exec requests. EPSS score is relatively low (0.06%, 18th percentile), and no active exploitation is confirmed, but the vulnerability enables complete compromise of the execution approval workflow with low attack complexity.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41039 HIGH This Week

Information disclosure in Quantum Networks Router QN-I-470 version 6.1.1.B1 allows unauthenticated remote attackers to access sensitive internal data including API endpoints, scripts, and directories through exposed web management interface. Vulnerability stems from improper access control and insecure default configuration (CWE-306). CVSS 8.7 reflects network-accessible, low-complexity attack requiring no authentication or user interaction. No public exploit code identified at time of analysis, though the attack surface (exposed API endpoints) suggests straightforward exploitation. Reported by CERT-In (India national CERT), indicating potential regional targeting or discovery during incident response.

Authentication Bypass Router Qn I 470
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40945 HIGH PATCH GHSA This Week

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.

Information Disclosure Oxia
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40943 HIGH PATCH GHSA This Week

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.

Information Disclosure Race Condition Oxia
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-6819 HIGH PATCH This Week

Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management commands. Pre-PR#156 versions expose /plugin install, /plugin enable, /plugin disable, and /reload-plugins endpoints to unauthenticated remote senders via the channel layer, allowing complete control over plugin trust and activation state. Vendor patch available in v0.1.7 (commit 59017e0). CVSS 8.7 with network vector and no authentication required, though user interaction is needed. No active exploitation confirmed (not in CISA KEV), but VulnCheck advisory and GitHub references provide technical details that could facilitate exploitation.

Privilege Escalation Openharness
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-34291 HIGH This Week

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. While the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).

Authentication Bypass Oracle
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-41037 HIGH This Week

Remote code execution with root privileges in Quantum Networks router QN-I-470 version 6.1.1.B1 allows adjacent network attackers to execute arbitrary OS commands through the management CLI interface via command injection. The vulnerability requires no authentication (CVSS PR:N) and exploits inadequate input sanitization (CWE-78). Adjacent network access (AV:A) limits attack surface to local network segments. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though EPSS data unavailable to assess real-world exploitation probability.

Command Injection RCE Router Qn I 470
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-40520 HIGH PATCH This Week

Command injection in FreePBX API module 17.0.8 and earlier allows authenticated attackers with valid bearer tokens to execute arbitrary operating system commands as the web server user via malicious GraphQL mutations. The initiateGqlAPIProcess() function passes unsanitized GraphQL moduleOperations mutation input directly to shell_exec(), enabling backtick-wrapped command execution. While requiring high privileges (PR:H), the vulnerability provides complete system compromise within the web server context (CVSS 8.6). Vendor patch available via GitHub commit 5f194e39. No public exploit code or active exploitation confirmed at time of analysis.

Command Injection API
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-40866 HIGH This Week

Authenticated users in Horilla HRMS 1.5.0 can overwrite or corrupt any employee's documents via insecure direct object reference (IDOR) in the document upload endpoint. By manipulating the document ID parameter in upload requests, attackers with low-level access can modify HR records belonging to other employees, including executives or administrators. This enables unauthorized tampering with sensitive personnel files such as contracts, certifications, or compliance documents. EPSS data not available; no confirmed active exploitation (not in CISA KEV), though exploitation requires only basic authentication and no technical complexity (CVSS AV:N/AC:L/PR:L).

Authentication Bypass Horilla
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-41055 HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.

SSRF Avideo
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-40938 HIGH PATCH GHSA This Week

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration. This vulnerability is fixed in 1.11.1.

Kubernetes RCE Pipeline
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.1%
CVE-2026-40568 HIGH PATCH This Week

Stored cross-site scripting in FreeScout versions prior to 1.8.213 allows authenticated users with mailbox signature permissions to inject arbitrary JavaScript that executes automatically whenever any agent or administrator opens a conversation in the affected mailbox. The vulnerability stems from inadequate HTML sanitization (blocklisting only four tags: script, form, iframe, object) that permits event handlers on elements like <img>, <svg>, and <details>. Exploitation requires only low-privilege authenticated access (ACCESS_PERM_SIGNATURE permission) and triggers without user interaction (CVSS UI:N), enabling session hijacking under certain CSP bypass conditions, phishing overlays, email exfiltration via mass assignment, and self-propagating worm behavior across all mailboxes. EPSS data not provided; no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch available in version 1.8.213.

XSS PHP
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-21997 HIGH This Week

Vulnerability in the Oracle Life Sciences Empirica Signal product of Oracle Life Science Applications (component: Common Core). Supported versions that are affected are 9.2.1-9.2.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Life Sciences Empirica Signal. While the vulnerability is in Oracle Life Sciences Empirica Signal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Life Sciences Empirica Signal accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Empirica Signal accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N).

Authentication Bypass Oracle
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-40614 HIGH This Week

Heap buffer overflow in PJSIP 2.16 and earlier allows local attackers with user interaction to execute arbitrary code or crash the application via maliciously crafted Opus audio frames. The vulnerability stems from undersized FEC decode buffers (960 bytes at 8 kHz mono) that receive up to 1280 bytes of encoded data without bounds checking during Opus codec decoding. With CVSS 8.5 severity and a public GitHub commit fix available, this represents a high-impact memory corruption vulnerability in a widely-deployed VoIP library, though exploitation requires local access and user interaction (AV:L/UI:P), limiting remote attack scenarios.

Heap Overflow Buffer Overflow Pjproject
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-5789 HIGH PATCH This Week

Local privilege escalation in CivetWeb v1.16 service allows authenticated users to execute arbitrary code with SYSTEM privileges via unquoted service path exploitation. The Windows service configuration lacks quotes around 'C:\Program Files\CivetWeb\CivetWeb.exe', enabling attackers to place malicious executables in directories scanned before the intended path (e.g., 'C:\Program.exe' or 'C:\Program Files\CivetWeb.exe'). No public exploit identified at time of analysis, though EPSS data not available. Patch available per vendor advisory from INCIBE.

RCE Suse
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-41295 HIGH PATCH This Week

Malicious workspace plugins in OpenClaw versions before 2026.4.2 achieve arbitrary code execution by shadowing built-in channel IDs during workspace clone and setup operations. The vulnerability exploits a trust boundary flaw (CWE-829) where untrusted plugins execute before explicit user trust confirmation, requiring only that a victim clone a poisoned workspace repository. With CVSS 8.5 (High) and local attack vector requiring user interaction, real-world risk is moderate: EPSS probability sits at 0.01% (2nd percentile) with no confirmed active exploitation (not in CISA KEV), and SSVC assessment classifies it as non-automatable with total technical impact but no current exploitation.

RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-41294 HIGH PATCH GHSA This Week

OpenClaw versions before 2026.3.28 allow local attackers to inject malicious environment variables by placing a .env file in the current working directory, which is loaded before trusted state-directory configuration during application startup. This enables attackers to override security-sensitive runtime settings without privileges, achieving high confidentiality, integrity, and availability impact with low complexity when a user launches OpenClaw from a compromised directory. Exploitation probability is minimal (EPSS 0.01%, percentile 2%) with no active exploitation confirmed (not in CISA KEV), but a public advisory from VulnCheck describes the attack mechanism, making exploitation straightforward for local threat actors.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-40250 HIGH PATCH This Week

Integer overflow in OpenEXR's DWA compressor (versions 3.2.0-3.2.7, 3.3.0-3.3.9, 3.4.0-3.4.9) enables local attackers to trigger memory corruption when processing maliciously crafted EXR image files requiring user interaction. This vulnerability represents a missed instance of the same integer overflow pattern addressed in related CVEs 2026-34589, 34588, and 34544, occurring in `internal_dwa_compressor.h:1040` where width multiplication lacks proper size_t casting. Given the local attack vector requiring user interaction (CVSS AV:L/UI:A), real-world exploitation requires social engineering to trick users into opening weaponized EXR files, making this primarily a workstation-targeted threat in media production environments. No active exploitation or public POC identified at time of analysis.

Integer Overflow Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-40244 HIGH PATCH This Week

Integer overflow in OpenEXR's DWA compressor (versions 3.2.0-3.2.7, 3.3.0-3.3.9, 3.4.0-3.4.9) allows local attackers to trigger memory corruption via maliciously crafted EXR image files requiring user interaction. This overflow at internal_dwa_compressor.h:1722 was missed in the CVE-2026-34589 remediation batch, performing width*height multiplication in 32-bit arithmetic without proper bounds checking. While CVSS scores 8.4 (High), the local attack vector and required user interaction (opening malicious file) somewhat limit real-world exploitation compared to remotely exploitable vulnerabilities. No EPSS score or KEV status available; exploitation probability depends on attacker's ability to deliver weaponized EXR files to targets in media production environments.

Integer Overflow Buffer Overflow Openexr
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-35570 HIGH PATCH GHSA This Week

Path traversal in OpenClaude CLI versions before 0.5.1 allows local authenticated users to bypass sandbox directory restrictions and access arbitrary filesystem paths. A logic flaw in the bash permission handler causes path constraint checks to be skipped when sandbox auto-allow is enabled without explicit deny rules, permitting traversal sequences like '../../../etc/passwd' to escape containment boundaries. EPSS score of 0.01% indicates low probability of widespread exploitation, and no active exploitation has been reported.

Path Traversal Openclaude
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-40599 HIGH PATCH This Week

ClearanceKit 5.0.4 and earlier allows local attackers with low-privilege accounts to bypass file-system access controls and read/modify all protected files by spoofing Apple platform binary status. The vulnerability stems from incorrect validation of code signing identifiers - specifically, treating processes with empty Team IDs but non-empty Signing IDs as trusted Apple binaries. Malicious software can exploit this logic flaw to impersonate processes in the global allowlist and gain unauthorized access to sensitive data. CVSS 8.4 reflects high confidentiality and integrity impact in local attack scenarios. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though the GitHub security advisory provides detailed vulnerability disclosure.

Authentication Bypass Apple
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-40706 HIGH PATCH This Week

In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.

Heap Overflow Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-6823 HIGH PATCH This Week

HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools.

Privilege Escalation Openharness
NVD GitHub
CVSS 4.0
8.3
EPSS
0.1%
CVE-2026-40925 HIGH GHSA This Week

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-41059 HIGH PATCH GHSA This Week

Authentication bypass in OAuth2 Proxy 7.5.0-7.15.1 allows remote unauthenticated attackers to access protected resources by exploiting path normalization discrepancies between the proxy and backend services. When deployments use skip_auth_routes or skip_auth_regex with broad wildcard patterns, attackers can inject '#' or '%23' (URL-encoded fragment delimiter) to match public allowlist rules while the upstream application serves sensitive endpoints. CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) reflects network-based unauthenticated access; no public exploit identified at time of analysis. EPSS data not provided. Fixed in version 7.15.2 through conservative path normalization.

Authentication Bypass Red Hat
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-13826 HIGH This Week

Remote denial of service in Zervit portable HTTP/web server allows unauthenticated attackers to crash the application via malformed configuration reset requests. Network-accessible (AV:N) with low complexity (AC:L) but requires specific timing (AT:P). EPSS data unavailable; not listed in CISA KEV. No public exploit code identified at time of analysis. High availability impact (VA:H) makes this critical for production deployments, though manual restart capability partially mitigates sustained outage risk.

Information Disclosure
NVD VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-24189 HIGH This Week

Out-of-bounds read in NVIDIA CUDA-Q endpoint allows remote unauthenticated attackers to crash services and disclose sensitive memory contents via malformed network requests. The vulnerability affects an exposed network endpoint with no authentication barrier (CVSS AV:N/AC:L/PR:N/UI:N), enabling trivial exploitation against internet-facing deployments. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation remains theoretical or limited to targeted scenarios.

Denial Of Service Information Disclosure Nvidia Buffer Overflow
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-40604 HIGH PATCH This Week

Local privilege escalation in ClearanceKit opfilter system extension allows root-level processes on macOS to completely bypass file-access policy enforcement by suspending or killing the Endpoint Security extension. An attacker with root access can send SIGSTOP to the uk.craigbass.clearancekit.opfilter extension, causing all AUTH events to time out and silently default to allow, effectively disabling all ClearanceKit file-access controls. This represents a critical security control bypass for environments relying on ClearanceKit for file-system access restrictions. Fixed in version 5.0.6. No public exploit identified at time of analysis, though exploitation is straightforward for any attacker who has already achieved root access on the macOS system.

Information Disclosure Apple
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-41058 HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.

Path Traversal Avideo
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41056 HIGH GHSA This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` - the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.

PHP Cors Misconfiguration Information Disclosure
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40892 HIGH This Week

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.slen as the length without an upper-bound check, which can overflow the fixed-size ha1 stack buffer (128 bytes) if data.slen exceeds the expected digest string length.

Stack Overflow Buffer Overflow Pjproject
NVD GitHub
CVSS 4.0
8.1
EPSS
0.0%
CVE-2026-40588 HIGH PATCH This Week

Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.

XSS Blueprintue Self Hosted Edition
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-34309 HIGH This Week

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Authentication Bypass Oracle
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40905 HIGH PATCH This Week

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim’s password, leading to full account takeover. This vulnerability is fixed in 2.5.4.

Open Redirect
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40497 HIGH PATCH This Week

CSS injection in FreeScout mailbox signatures enables CSRF token exfiltration and privilege escalation from authenticated agents to administrators. The vulnerability exists in FreeScout versions prior to 1.8.213 where incomplete input sanitization fails to strip <style> tags from mailbox signature fields. Attackers with mailbox configuration access leverage CSS attribute selectors to steal CSRF tokens from viewing users, then perform arbitrary state-changing actions including admin account creation. EPSS data not available; no confirmed active exploitation (CISA KEV absent). Vendor patch released in version 1.8.213 with complete fix addressing previous incomplete remediation (GHSA-jqjf-f566-485j).

XSS Privilege Escalation CSRF Freescout
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4821 HIGH PATCH This Week

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Management Console administrator to execute arbitrary OS commands via shell metacharacter injection in proxy configuration fields such as http_proxy. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and administrator privileges to the Management Console. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.

Command Injection Enterprise Server
NVD GitHub VulDB
CVSS 4.0
8.1
EPSS
0.0%
CVE-2026-1354 MEDIUM CISA This Month

Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, an attacker can utilize over-the-air firmware updating functionality to potentially upload malicious firmware to the motorcycle. The motorcycle must first be in Bluetooth pairing mode, and the attacker must be in proximity of the vehicle and understand the full pairing process, to be able to pair their device with the vehicle. The attacker's device must remain paired with and in proximity of the motorcycle for the entire duration of the firmware update.

Information Disclosure Zero Motorcycles Firmware
NVD GitHub
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-38834 HIGH This Week

Command injection in Tenda W30E router firmware V16.01.0.21 allows unauthenticated remote attackers to execute arbitrary system commands via the 'hostName' parameter in the diagnostic ping function. Attack requires only network access to the router's web interface with no authentication or user interaction. Proof-of-concept exploit code is publicly available (SSVC exploitation status: POC). EPSS data not available, but SSVC framework marks this as automatable with partial technical impact, making it suitable for mass scanning campaigns targeting exposed Tenda routers.

Tenda Command Injection
NVD GitHub
CVSS 3.1
7.3
EPSS
2.6%
CVE-2026-35243 HIGH This Week

Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Oracle Authentication Bypass
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31368 HIGH This Week

Local privilege escalation in Honor AiAssistant (all versions) allows authenticated users with low privileges to gain full system control (high impact on confidentiality, integrity, and availability) through authentication bypass. Vendor advisory confirmed by Honor with CVSS 7.8. No active exploitation confirmed; EPSS data not yet available as this is a recently disclosed 2026 CVE.

Privilege Escalation Aiassistant
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-6776 HIGH PATCH This Week

Buffer overflow in Firefox WebRTC networking component allows local attackers to execute arbitrary code with high impact to confidentiality, integrity, and availability. Affects Firefox versions prior to 150 and Firefox ESR prior to 140.10. No public exploit identified at time of analysis. CVSS 7.8 reflects high severity but requires local access and user interaction, limiting remote attack surface. Mozilla has released patches in Firefox 150 and Firefox ESR 140.10.

Mozilla Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-39861 HIGH POC PATCH GHSA This Week

Sandbox escape in Claude Code versions prior to 2.1.64 enables arbitrary file writes outside the workspace by exploiting symlink handling between sandboxed and unsandboxed processes, potentially leading to code execution. The vulnerability requires prompt injection to trigger malicious sandboxed code execution, creating an exploitable chain where neither component can independently breach the sandbox but their interaction does. EPSS score of 0.08% (23rd percentile) suggests limited real-world exploitation likelihood, and CISA SSVC indicates no known exploitation with non-automatable attack requirements. Version 2.1.64 patches this issue, auto-deployed to standard installations.

Path Traversal RCE Claude Code
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-34839 HIGH PATCH GHSA This Week

Cross-origin data exfiltration in Glances web server allows remote unauthenticated attackers to read sensitive system information (CPU, memory, processes, network stats) through the REST API endpoint /api/4/* via malicious websites exploiting permissive CORS policy. Affects all versions prior to 4.5.4. EPSS score of 0.06% (18th percentile) suggests low widespread exploitation probability despite proof-of-concept availability, though the network-accessible, unauthenticated attack vector (AV:N/PR:N) combined with high confidentiality impact (VC:H) makes this a priority for internet-exposed instances.

Information Disclosure Suse
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-40161 HIGH PATCH GHSA This Week

Credential leakage in Tekton Pipelines git resolver allows authenticated users to exfiltrate system-configured Git API tokens (GitHub PAT, GitLab tokens) by directing the resolver to attacker-controlled endpoints. Affects versions 1.0.0 through 1.10.0 when users omit the token parameter in TaskRun or PipelineRun configurations. CVSS 7.7 with scope change reflects cross-tenant credential theft potential in multi-tenant Kubernetes environments. No active exploitation confirmed (not in CISA KEV), but exploitation is straightforward for authenticated cluster users with TaskRun/PipelineRun creation privileges.

Information Disclosure Kubernetes Gitlab
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-41060 HIGH GHSA This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration. Commit a0156a6398362086390d949190f9d52a823000ba fixes the issue.

PHP SSRF
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-24177 HIGH This Week

Authorization bypass in NVIDIA KAI Scheduler allows authenticated network attackers to access protected API endpoints and disclose sensitive information across security boundaries. The vulnerability (CWE-306: Missing Authentication for Critical Function) enables low-privileged authenticated users to read high-value data outside their intended scope (CVSS scope changed to 'C', high confidentiality impact). NVIDIA has published advisory 5818 with remediation guidance. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.

Authentication Bypass Information Disclosure Nvidia
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-40589 HIGH PATCH This Week

Privilege escalation in FreeScout versions prior to 1.8.214 allows low-privileged agents to hijack hidden customer email addresses across mailbox boundaries, disclosing confidential customer names, profile URLs, and reassigning conversations from restricted mailboxes to attacker-controlled customer records. The vulnerability enables authenticated agents to bypass mailbox isolation controls and access data they should not see. CVSS score of 7.6 (High) reflects network-exploitable access with high integrity impact; EPSS and KEV data not provided in intelligence sources.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
Prev Page 2 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy