Skip to main content
CVE-2026-34415 CRITICAL POC PATCH Act Now

Remote code execution in Xerte Online Toolkits 3.15 and earlier allows unauthenticated attackers to upload and execute arbitrary PHP code by chaining an incomplete file extension filter bypass (.php4 extension) with authentication bypass and path traversal vulnerabilities in the elFinder connector endpoint. Attackers can achieve complete server compromise by uploading malicious PHP files, renaming them with the .php4 extension to evade filtering, and executing operating system commands. Vendor-released patches available via three GitHub commits (02661be, 17e4f94, 507d55c). No public exploit code or active exploitation confirmed at time of analysis, though the attack chain is straightforward for skilled attackers.

PHP Authentication Bypass Path Traversal Xerteonlinetoolkits
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2018-25270 CRITICAL POC Act Now

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass RCE
NVD Exploit-DB GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2018-25272 CRITICAL POC Act Now

ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Elba5
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-41468 CRITICAL POC Act Now

Template injection combined with AngularJS 1.5.2 sandbox escape primitives in Beghelli Sicuro24 SicuroWeb enables arbitrary JavaScript execution in operator browsers, leading to session hijacking and persistent compromise. Network-adjacent attackers can exploit this via MITM on plaintext HTTP deployments requiring only passive user interaction. Publicly available POC exists (CVE-2026-22191 exploit chain documented by BoffSec Services and kmkz), confirming weaponization risk. CVSS 9.3 reflects adjacent-network access requirement (AV:A), but SSVC indicates total technical impact with POC-confirmed exploitation status.

Code Injection Sicuroweb Sicuro24
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-41179 CRITICAL POC PATCH GHSA Act Now

Remote code execution via unauthenticated command injection in rclone's remote control API allows network attackers to execute arbitrary commands on the host system through a single HTTP request. The vulnerability affects rclone deployments with the RC API enabled (--rc or rclone rcd) that are network-accessible and lack global HTTP authentication. An attacker exploits the unprotected operations/fsinfo endpoint by crafting a WebDAV backend definition with a malicious bearer_token_command parameter, which executes during backend initialization. Confirmed exploitable on master branch (commit bf55d5e6) and release v1.73.4 with public proof-of-concept available. CVSS 9.2 reflects critical severity with network attack vector and no authentication required, though exploitation requires specific deployment configuration (AT:P). No CISA KEV listing or EPSS data available at time of analysis.

Ubuntu Command Injection
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-41176 CRITICAL POC PATCH GHSA Act Now

Authentication bypass in rclone's remote control (RC) API allows network attackers to disable authorization checks via unauthenticated configuration mutation, enabling full administrative access to RC endpoints. The `options/set` endpoint lacks authentication requirements and permits setting `rc.NoAuth=true`, which disables protection for all RC methods marked `AuthRequired: true`. Affects rclone v1.45 onward when RC is network-accessible without HTTP authentication. No CISA KEV listing or public exploit code identified at time of analysis, though GitHub security advisory provides detailed proof-of-concept reproduction steps. CVSS 9.2 reflects critical severity with network vector and no authentication required, though CVSS:4.0 AT:P (Attack Requirements: Present) indicates specific deployment prerequisites limit automatic exploitation.

Authentication Bypass Ubuntu
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-33656 CRITICAL POC PATCH Act Now

Path traversal in EspoCRM's formula scripting engine allows authenticated administrators to achieve arbitrary file read/write on the web server by manipulating attachment sourceId fields. The vulnerability chains unsanitized user input with filesystem operations, enabling admins to overwrite or access files anywhere within PHP's open_basedir restriction. Publicly available exploit code exists. Vendor-released patch version 9.3.4 addresses this critical issue. Despite the 9.1 CVSS score and Changed scope indicating potential container escape or cross-tenant impact, EPSS data was not provided to assess real-world exploitation likelihood.

Path Traversal Espocrm
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-41070 CRITICAL PATCH GHSA Act Now

Complete authentication bypass in openvpn-auth-oauth2 plugin mode (v1.26.3-1.27.2) grants VPN access to unauthenticated clients. Legacy OpenVPN clients lacking WebAuth/SSO support bypass OIDC authentication entirely and gain full network access due to incorrect plugin return codes. Only the experimental shared-library plugin deployment is affected; the default management-interface mode is not vulnerable. Vendor patch released in v1.27.3 with confirmed fix commits. No active exploitation reported, but trivial to exploit with standard Linux openvpn CLI against vulnerable deployments.

Authentication Bypass
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-31478 CRITICAL PATCH Act Now

In the Linux kernel, the following vulnerability has been resolved: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value.

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-6235 CRITICAL Act Now

Authorization bypass in Sendmachine for WordPress plugin (versions ≤1.0.20) allows unauthenticated remote attackers to overwrite SMTP configuration settings without authentication. Attackers can redirect all outbound emails from WordPress sites - including password reset tokens and sensitive communications - to attacker-controlled servers, enabling credential theft and account takeover. CVSS 9.8 (Critical) reflects network attack vector with no authentication or user interaction required. No active exploitation confirmed at time of analysis, though the straightforward attack path (single HTTP request to exposed admin function) makes this a high-priority remediation target for sites using this plugin.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31501 CRITICAL PATCH Act Now

Use-after-free in Linux kernel ICSSG PRU Ethernet driver allows remote code execution with CVSS 9.8 scoring. Affects TI ICSSG network driver in kernels 6.15 through 7.0 (patched in 6.19.11 and 7.0). The flaw causes CPPI descriptors to be freed before timestamp processing completes on every received packet, creating a exploitable memory corruption condition. Despite critical CVSS scoring, EPSS probability is very low (0.02%, 5th percentile) and no active exploitation or public POC has been identified. The network attack vector (AV:N) combined with zero-day timing suggests this may be scored for worst-case remote exploitation scenario, but actual exploitability via network packets requires deeper investigation of ICSSG hardware context and packet processing pipeline.

Information Disclosure Linux Use After Free Memory Corruption Red Hat +1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31463 CRITICAL PATCH Act Now

Use-after-free vulnerability in Linux kernel iomap subsystem allows memory corruption when filesystem block size differs from I/O granularity. The flaw occurs during buffered read operations when ctx->cur_folio is accessed after ownership transfers to the I/O helper, potentially leading to data corruption, information disclosure, or system crashes. Affects Linux kernel 6.19.x series. CVSS 9.8 critical severity, but EPSS exploitation probability is very low (0.02%, 5th percentile). Vendor patches available via mainline kernel commits. No active exploitation or public POC identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31444 CRITICAL PATCH Act Now

Use-after-free and NULL pointer dereference vulnerabilities in Linux kernel's ksmbd SMB server allow remote unauthenticated attackers to achieve arbitrary code execution, information disclosure, or denial of service. The flaws occur during oplock (opportunistic lock) publication when error handling frees memory still referenced by concurrent readers, and when global lease lists are accessed before critical pointers are initialized. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), this represents a critical remote attack surface, though EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation activity. Vendor patches are available across affected kernel versions 6.6.130-6.19.9.

Information Disclosure Linux Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31436 CRITICAL PATCH Act Now

Use-after-free and descriptor management error in Linux kernel's Intel IDXD DMA engine driver allows NULL pointer dereferences, double completion, or descriptor leaks. The llist_abort_desc() function completes the wrong descriptor object due to a loop cursor bug introduced in commit aa8d18becc0c. Patches released for kernel 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no active exploitation or public exploit code identified. Despite CVSS 9.8 critical rating with network vector, the actual attack surface requires local access to DMA engine subsystems, making the CVSS vector likely inaccurate or context-dependent.

Denial Of Service Linux Null Pointer Dereference
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-6356 CRITICAL Act Now

Privilege escalation in Augmentt 1.0 allows authenticated low-privilege users to manipulate HTTP parameters and gain super administrator access, exposing all tenant data and configurations to unauthorized modification. CVSS 9.6 critical severity with scope change indicates cross-tenant impact potential. Public proof-of-concept code exists on GitHub (PENGUINSECQ repository). SSVC framework rates this as proof-of-concept exploitation with partial technical impact, not automatable due to authentication requirement.

Information Disclosure Augmentt
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-33471 CRITICAL PATCH GHSA Act Now

Integer truncation in Nimiq core-rs-albatross's skip block proof verification allows authenticated validators to forge consensus quorum with insufficient signatures. Prior to v1.3.0, attackers exploit usize-to-u16 casting during BitSet iteration by inserting indices spaced at 65536 intervals - these inflate the quorum count via len() but collapse onto identical u16 slots during BLS signature aggregation, enabling a single malicious validator to masquerade as 2f+1 signers and pass verification. CVSS 9.6 (Critical) reflects network vector with low complexity and changed scope impacting integrity and availability of the Proof-of-Stake consensus. No EPSS or KEV data available; vendor-released patch confirmed in v1.3.0 via GitHub advisory and commit d020590.

Information Disclosure Core Rs Albatross
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-41203 CRITICAL PATCH GHSA Act Now

Remote code execution in ci4ms content management system allows authenticated backend users with theme creation permissions to write arbitrary PHP files via Zip Slip path traversal. A working proof-of-concept demonstrates uploading a malicious theme archive containing path-traversal entries (../../public/shell.php) that bypass extraction directory boundaries, placing executable code under the web root. Vendor-released patch available in version 0.31.5.0. No CISA KEV listing or EPSS data available, but publicly disclosed PoC significantly lowers exploitation barrier for attackers with valid credentials.

RCE PHP Python Path Traversal
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-41202 CRITICAL PATCH GHSA Act Now

Remote code execution in ci4ms (CodeIgniter 4 Management System) versions prior to 0.31.5.0 allows authenticated backend users with backup creation permissions to write PHP webshells to the public web root via Zip Slip path traversal during backup restoration. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code exists. CVSS 9.4 (Critical) aligns with the real-world risk, as exploitation requires only low-privilege authentication and the affected route is exempt from CSRF protection, enabling drive-by attacks against logged-in administrators. Vendor-released patch version 0.31.5.0 addresses the flaw by implementing path validation during ZIP extraction.

RCE PHP Python Path Traversal
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-31448 CRITICAL PATCH Act Now

Denial of service in Linux kernel ext4 filesystem allows remote attackers to trigger infinite loops and system hangs (143+ second inode lock blocking) via crafted mkdir/mknod operations. The vulnerability stems from incomplete cleanup when extent insertion fails - ext4_ext_map_blocks() reclaims physical blocks without deleting stale extent tree entries, causing reuse of blocks already allocated to xattrs. This triggers infinite loops in ext4_xattr_block_set() that hold inode locks indefinitely. With CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) but EPSS only 0.02% (percentile 7), the network attack vector rating appears inconsistent with typical local filesystem exploitation. Patches available across stable kernel branches 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. No active exploitation confirmed (not in CISA KEV), but tagged for denial-of-service impact.

Denial Of Service Linux
NVD VulDB
CVSS 3.1
9.4
EPSS
0.0%
CVE-2026-41167 CRITICAL PATCH Act Now

SQL injection in Jellystat versions prior to 1.1.10 escalates to remote code execution on the PostgreSQL database host. Authenticated attackers can inject arbitrary SQL via multiple API endpoints (`/api/getUserDetails`, `/api/getLibrary`), initially exfiltrating sensitive credentials from the `app_config` table (including Jellystat admin credentials and Jellyfin API keys). Because the application uses node-postgres simple query protocol allowing stacked queries, attackers can leverage PostgreSQL's `COPY ... TO PROGRAM` to achieve command execution on the database server. The project's default docker-compose.yml deploys PostgreSQL with superuser privileges, removing any privilege barriers to RCE. Vendor patch released in version 1.1.10 (GitHub commit 735fe7c confirmed). No active exploitation confirmed by CISA KEV, but publicly available exploit code exists given the detailed technical disclosure in GitHub Security Advisory GHSA-fj7c-2p5q-g56m.

Docker SQLi PostgreSQL
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-41201 CRITICAL PATCH GHSA Act Now

Remote code execution and full account takeover in CI4MS (CodeIgniter 4 CMS/ERP) allows authenticated high-privilege users to escalate to superadmin and compromise all accounts via stored DOM XSS in backup module filename fields. Attackers craft malicious SQL backup files containing hidden JavaScript payloads that execute when administrators view backup listings. Vendor-released patch available in version 0.31.5.0, addressing XSS via output escaping in DataTables rendering. No CISA KEV listing or public POC identified at time of analysis, but CVSS 9.1 Critical reflects scope change and multi-stage exploitation potential.

XSS Privilege Escalation
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-4119 CRITICAL Act Now

Authorization bypass in Create DB Tables WordPress plugin allows any authenticated user, including Subscribers, to execute arbitrary database operations including DROP TABLE commands against critical WordPress core tables. Wordfence reported this vulnerability affecting all versions through 1.2.1, where admin_post hooks lack both capability checks and nonce verification. Attackers with minimal Subscriber-level credentials can destroy entire WordPress installations by deleting wp_users, wp_options, or other core tables. CVSS vector indicates network-based attack (AV:N) with no authentication required (PR:N), though the description confirms authentication IS required at Subscriber level - this discrepancy suggests the CVSS vector may be incorrectly scored. No active exploitation confirmed via CISA KEV at time of analysis, but the vulnerability is trivially exploitable given the code is publicly viewable in WordPress plugin repository.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy