193 CVEs tracked today. 42 Critical, 58 High, 79 Medium, 14 Low.
-
CVE-2026-39462
CRITICAL
CVSS 9.3
Authentication bypass in SenseLive X3050 web management interface allows remote unauthenticated attackers to gain administrative access using default or previously-set credentials. After factory restore via SenseLive Config 2.0 tool, password updates fail to propagate correctly - the interface falsely reports success while the backend continues accepting old credentials. CISA ICS-CERT has issued an advisory (ICSA-26-111-12), indicating this affects industrial control system deployments. With CVSS 9.3 (AV:N/AC:L/PR:N) and CWE-522 (Insufficiently Protected Credentials), this represents critical risk for remotely accessible devices where administrators believe credentials have been changed but remain exploitable.
Information Disclosure
-
CVE-2026-35503
CRITICAL
CVSS 9.3
Client-side authentication bypass in SenseLive X3050's web management interface allows remote unauthenticated attackers to gain full administrative access by extracting hardcoded credentials from browser-executed JavaScript. The vulnerability enables complete compromise of device management with zero technical barriers (CVSS 9.3, AV:N/AC:L/PR:N). CISA ICS-CERT has published an advisory, indicating this affects operational technology environments where administrative access to industrial sensors could enable process manipulation or monitoring disruption.
Authentication Bypass
-
CVE-2026-27843
CRITICAL
CVSS 9.2
Remote unauthenticated attackers can permanently disable SenseLive X3050 industrial gateways and connected RS-485 downstream systems by modifying critical configuration parameters through the web management interface. The device's lack of physical reset button forces specialized console-based factory reset procedures, making this a high-impact operational disruption vector for industrial environments. CISA ICS-CERT has issued an advisory (ICSA-26-111-12), indicating industrial sector awareness of this authentication bypass flaw.
Authentication Bypass
-
CVE-2026-6074
CRITICAL
CVSS 9.3
A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access to reach the EGW management interface without authentication. Successful exploitation could allow the attacker to read, modify, or delete files.
Path Traversal
-
CVE-2026-41679
CRITICAL
CVSS 10.0
Remote unauthenticated attackers can achieve full code execution on Paperclip AI orchestration servers (versions prior to 2026.416.0) through an authentication bypass chained across six API calls. The attack requires no credentials and no user interaction, and succeeds against default 'authenticated' mode deployments exposed to network access. CVSS 10.0 with scope change indicates container/host escape potential. No active exploitation confirmed in CISA KEV at time of analysis, though the vendor advisory (GitHub Security Advisory GHSA-68qg-g8mg-6pr7) confirms the critical authentication bypass mechanism in both @paperclipai/server and paperclip npm packages.
Authentication Bypass
RCE
Node.js
-
CVE-2026-41460
CRITICAL
CVSS 9.3
SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerabi...
Authentication Bypass
RCE
SQLi
-
CVE-2026-41274
CRITICAL
CVSS 9.3
Cypher injection in Flowise GraphCypherQAChain node allows remote unauthenticated attackers to execute arbitrary database commands against connected Neo4j instances. Attackers can exfiltrate, modify, or delete data in the graph database by injecting malicious Cypher queries through user-controlled input fields that bypass sanitization (CWE-943: Improper Neutralization of Special Elements in Data Query Logic). The vulnerability affects both Flowise core and flowise-components packages prior to version 3.1.0. CVSS 9.3 critical severity reflects network-accessible attack vector requiring no authentication or user interaction. EPSS data unavailable; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though GitHub security advisory confirms vendor awareness and patch availability.
Code Injection
Nosql Injection
-
CVE-2026-41268
CRITICAL
CVSS 9.8
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined wit...
Authentication Bypass
-
CVE-2026-41265
CRITICAL
CVSS 9.2
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt inje...
Python
Command Injection
-
CVE-2026-41229
CRITICAL
CVSS 9.1
Remote code execution in Froxlor server administration software versions prior to 2.3.6 allows authenticated administrators with change_serversettings permission to inject arbitrary PHP code through an unescaped MySQL server configuration parameter. The vulnerability enables persistent code execution on every subsequent HTTP request as the web server user due to improper input sanitization in PhpHelper::parseArrayToString(). Vendor patch available in version 2.3.6. CVSS score of 9.1 reflects the critical impact despite requiring high-privilege authentication, with scope change indicating the attacker can break out of the application's security context.
PHP
RCE
Code Injection
-
CVE-2026-41228
CRITICAL
CVSS 9.9
Authenticated customers can achieve remote code execution in Froxlor server administration software versions prior to 2.3.6 through path traversal in the API's language parameter. By injecting malicious path traversal sequences into the `def_language` field via the `Customers.update` or `Admins.update` API endpoints, authenticated users can force the application to execute arbitrary PHP code as the web server user on subsequent requests. This vulnerability carries a CVSS score of 9.9 with scope change, indicating potential for full system compromise beyond the vulnerable component. Vendor-released patch version 2.3.6 addresses the vulnerability by implementing proper validation of language parameters against available language files.
PHP
RCE
Path Traversal
LFI
-
CVE-2026-41196
CRITICAL
CVSS 9.0
Remote code execution in Luanti 5.0.0 through 5.15.1 allows authenticated attackers to escape the Lua sandbox via malicious mods, achieving arbitrary code execution and full filesystem access on victim devices when LuaJIT is enabled. The vulnerability affects server-side mods, async/mapgen environments, and client-side mods (CSM), requiring only low privileges to exploit. A vendor patch is available in version 5.15.2, addressing a CWE-94 code injection flaw that enables complete compromise of the host system. No active exploitation or proof-of-concept has been publicly identified at time of analysis.
RCE
Code Injection
-
CVE-2026-41137
CRITICAL
CVSS 9.4
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server...
RCE
Command Injection
Code Injection
-
CVE-2026-40623
HIGH
CVSS 7.2
Unauthorized configuration tampering in SenseLive X3050 web management interface allows authenticated attackers to set critical system parameters (IP addressing, watchdog timers, reconnect intervals, service ports) to unsafe values, causing persistent device unavailability or operational instability. CISA ICS-CERT advisory confirms impact on industrial control systems. Network-accessible with low complexity (AV:N/AC:L) but requires low-privilege authentication (PR:L). High integrity and availability impact (VI:H/VA:H) with zero confidentiality impact. No public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-40472
CRITICAL
CVSS 9.9
In hackage-server, user-controlled metadata from .cabal files is rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks.
XSS
-
CVE-2026-40471
CRITICAL
CVSS 9.6
hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abuse...
CSRF
-
CVE-2026-40470
CRITICAL
CVSS 9.9
A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses ...
XSS
-
CVE-2026-39440
CRITICAL
CVSS 9.9
Remote code execution in FunnelFormsPro WordPress plugin (versions up to 3.8.1) allows authenticated attackers to inject and execute arbitrary code on vulnerable servers. The CVSS 9.9 Critical rating reflects the scope change (S:C) and complete system compromise (C:H/I:H/A:H). Exploitation requires low-privilege authentication (PR:L) but no user interaction, making it exploitable by subscriber-level WordPress accounts. EPSS and KEV status not provided in available data, limiting real-world exploitation confidence assessment.
RCE
Code Injection
-
CVE-2026-39087
CRITICAL
CVSS 9.8
An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function
RCE
Code Injection
-
CVE-2026-31533
CRITICAL
CVSS 9.8
In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption. The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 ("net: tls: handle backlogging of crypto requests"), has a use-after-free due to d...
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-31181
CRITICAL
CVSS 9.8
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31178
CRITICAL
CVSS 9.8
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31177
CRITICAL
CVSS 9.8
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMinAlive parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31175
CRITICAL
CVSS 9.8
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunEnable parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-29198
CRITICAL
CVSS 9.8
In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.
SQLi
-
CVE-2026-26210
CRITICAL
CVSS 9.3
KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can s...
RCE
Deserialization
-
CVE-2026-25874
CRITICAL
CVSS 9.3
LeRobot contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achiev...
RCE
Deserialization
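Added example, not code from KTransformers, LeRobot or any vendor, for the pickle.loads() pattern in the KTransformers and LeRobot entries above: a message whose __reduce__ points at builtins.exec runs code at deserialization time, and a find_class allowlist refuses it before the callable is ever resolved. The payload source string, the ALLOWED_GLOBALS set and the environment-variable marker are constructed for the demonstration.

```python
import builtins
import io
import os
import pickle

# Constructed payload: the source is deliberately harmless (it only sets an
# environment variable in the current process), but the unpickler will call
# builtins.exec() on whatever string the sender chose to embed.
ATTACK_SOURCE = "import os; os.environ['PICKLE_RCE_DEMO'] = 'payload ran'"


class Exploit:
    """Any object passed to pickle.dumps() may define __reduce__; the receiver
    rebuilds it by calling the returned callable with the returned arguments."""

    def __reduce__(self):
        return (builtins.exec, (ATTACK_SOURCE,))


def build_malicious_payload() -> bytes:
    # The stream references builtins.exec by name (a GLOBAL opcode) followed
    # by REDUCE; the Exploit class itself never needs to exist on the receiver.
    return pickle.dumps(Exploit(), protocol=pickle.HIGHEST_PROTOCOL)


def unsafe_load(data: bytes):
    """The vulnerable pattern: pickle.loads() on a message taken off a socket."""
    return pickle.loads(data)


# Allowlist of globals a message may reference. Constructed for the example; a
# real service would enumerate only the types it actually exchanges.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("datetime", "datetime"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data: bytes):
    """Still pickle, but every GLOBAL/STACK_GLOBAL lookup goes through the
    allowlist, so builtins.exec, os.system, subprocess.Popen and friends are
    refused before they can be called."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    payload = build_malicious_payload()
    os.environ.pop("PICKLE_RCE_DEMO", None)
    unsafe_load(payload)                      # code runs during deserialization
    ran = os.environ.get("PICKLE_RCE_DEMO")   # 'payload ran'
    try:
        safe_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return ran, blocked
```

The restricted unpickler is a stop-gap for code that cannot drop pickle yet; the durable fix for a network boundary is a schema-based format (JSON, protobuf, msgpack) plus an authenticated channel, because anything that reaches pickle.loads() is trusted with code execution by design.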
-
CVE-2026-23751
CRITICAL
CVSS 9.3
Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauth...
Authentication Bypass
RCE
Denial Of Service
-
CVE-2026-6942
CRITICAL
CVSS 9.3
radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2_cmd_str(). Attackers can inject shell metacharacters thro...
RCE
Command Injection
-
CVE-2026-6920
CRITICAL
CVSS 9.6
Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Buffer Overflow
Information Disclosure
Google
-
CVE-2026-6919
CRITICAL
CVSS 9.6
Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-6887
CRITICAL
CVSS 9.3
SQL injection in Borg SPM 2007 allows unauthenticated remote attackers to execute arbitrary SQL commands via network requests, enabling complete database compromise including read, modify, and delete operations. This legacy product (sales ended 2008) receives a critical CVSS 9.3 score with network vector, low complexity, and no authentication required. Taiwan CERT issued advisories identifying this as a SQL injection vulnerability affecting an end-of-life business management system, though no active exploitation evidence (KEV) or public exploit code has been identified at time of analysis.
SQLi
-
CVE-2026-6886
CRITICAL
CVSS 9.3
Authentication bypass in Borg SPM 2007 allows remote unauthenticated attackers to impersonate any user and gain complete system access without credentials. This discontinued product (sales ended 2008) presents maximum network exposure (CVSS:4.0 9.3, AV:N/AC:L/PR:N) with trivial exploitation conditions. While no CISA KEV listing exists, the simplicity of exploitation combined with complete system compromise (VC:H/VI:H/VA:H) makes this critical for organizations still running this legacy software, though real-world deployment is likely minimal given the 18-year product discontinuation.
Authentication Bypass
-
CVE-2026-6885
CRITICAL
CVSS 9.3
Remote code execution in Borg SPM 2007 allows unauthenticated attackers to upload and execute web shell backdoors via unrestricted file upload vulnerability. This discontinued product (sales ended 2008) remains exploitable over the network with no authentication required, enabling full server compromise. CVSS 9.3 (Critical) with network vector, low complexity, and no privileges required. EPSS and KEV data not available for this CVE, but the trivial attack requirements (AV:N/AC:L/PR:N/UI:N) indicate high exploitability if exposed systems exist.
RCE
File Upload
-
CVE-2026-6376
HIGH
CVSS 8.7
A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who...
Authentication Bypass
Information Disclosure
-
CVE-2026-6375
HIGH
CVSS 8.7
A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw s...
Authentication Bypass
-
CVE-2026-3960
CRITICAL
CVSS 9.8
Remote code execution in H2O-3 versions 3.46.0.9 and earlier allows unauthenticated attackers to execute arbitrary code via the /99/ImportSQLTable REST API by abusing PostgreSQL JDBC driver parameters that bypass an incomplete MySQL-only parameter blacklist. No active exploitation is recorded in CISA KEV and EPSS is low (0.19%), but a vendor patch is available and SSVC marks exploitation status as POC, indicating proof-of-concept-grade attacker capability against a network-reachable endpoint.
RCE
PostgreSQL
Code Injection
-
CVE-2026-3844
CRITICAL
CVSS 9.8
Arbitrary file upload in Breeze Cache for WordPress allows unauthenticated remote attackers to upload malicious files and achieve remote code execution on vulnerable servers. Exploitation requires the non-default 'Host Files Locally - Gravatars' feature to be enabled. While CVSS rates this 9.8 critical, real-world exposure is limited by the disabled-by-default configuration requirement. No public exploit code or CISA KEV listing identified at time of analysis, though Wordfence threat intelligence has disclosed technical details including vulnerable code paths.
WordPress
RCE
File Upload
-
CVE-2025-70994
HIGH
CVSS 7.3
Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal for...
Authentication Bypass
-
CVE-2025-62373
CRITICAL
CVSS 9.8
Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in `LivekitFrameSerializer` - an optional, non-default, undocumented frame serializer class (now deprecated) intended for LiveKit integrat...
RCE
Python
Deserialization
-
CVE-2025-50229
CRITICAL
CVSS 9.8
Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.
SQLi
-
CVE-2026-35431
CRITICAL
CVSS 10.0
Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network.
SSRF
Microsoft
-
CVE-2026-33819
CRITICAL
CVSS 10.0
Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
Deserialization
Microsoft
-
CVE-2026-33102
CRITICAL
CVSS 9.3
Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.
Open Redirect
-
CVE-2026-32210
CRITICAL
CVSS 9.3
Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.
SSRF
Microsoft
-
CVE-2026-24303
CRITICAL
CVSS 9.6
Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.
Authentication Bypass
Microsoft
-
CVE-2026-41900
HIGH
CVSS 8.8
A critical Remote Code Execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbitrary command execution. The issue has been fixed.
RCE
Command Injection
-
CVE-2026-41564
HIGH
CVSS 7.5
PRNG state reuse across forked processes in CryptX for Perl allows an attacker who can collect signatures to recover private signing keys through a nonce-reuse attack. When Crypt::PK objects are created before fork() in preforking web servers like Starman, every child process inherits identical PRNG state, causing duplicate randomness in cryptographic operations. Two ECDSA or DSA signatures over different messages, generated by different worker processes with the same inherited nonce, are sufficient to recover the private key by modular arithmetic. EPSS exploitation probability is low (0.02%), but CISA SSVC framework confirms proof-of-concept availability and automatable exploitation. Vendor patch released in CryptX 0.088.
Information Disclosure
-
CVE-2026-41359
HIGH
CVSS 7.1
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access ...
Privilege Escalation
-
CVE-2026-41353
HIGH
CVSS 7.6
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profiles ...
Authentication Bypass
-
CVE-2026-41352
HIGH
CVSS 7.7
OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation.
Authentication Bypass
RCE
-
CVE-2026-41349
HIGH
CVSS 8.7
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.
Authentication Bypass
-
CVE-2026-41342
HIGH
CVSS 7.4
OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious gateways and capture gat...
Authentication Bypass
-
CVE-2026-41336
HIGH
CVSS 8.5
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted workspaces to execute arbitrary code.
RCE
-
CVE-2026-41334
HIGH
CVSS 7.1
OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized images to cause denial of service through excessive memory consumption.
Denial Of Service
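Added example, not OpenClaw code, of the kind of pixel-limit guard the entry above refers to: read the declared width and height from the PNG IHDR chunk and refuse the file before any decoder (sips, ImageMagick, Pillow) allocates the bitmap. The 50-megapixel budget and the make_png_header() helper are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Constructed policy: refuse anything the decoder would expand past this many
# pixels (at 4 bytes per pixel, 50 Mpx is roughly 200 MB of raw bitmap).
MAX_PIXELS = 50_000_000


class ImageRejected(ValueError):
    pass


def png_dimensions(data: bytes):
    """Read width/height from IHDR, which the PNG format requires to be the
    first chunk; only the first 33 bytes are needed, before any pixel data."""
    if len(data) < 33 or not data.startswith(PNG_SIGNATURE):
        raise ImageRejected("not a PNG")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ImageRejected("IHDR is not the first chunk")
    # CRC covers chunk type + data; a mismatch means a tampered header.
    if zlib.crc32(data[12:29]) & 0xFFFFFFFF != struct.unpack(">I", data[29:33])[0]:
        raise ImageRejected("IHDR CRC mismatch")
    width, height = struct.unpack(">II", data[16:24])
    if not (0 < width < 2**31 and 0 < height < 2**31):
        raise ImageRejected("dimensions outside the PNG range")
    return width, height


def check_pixel_budget(data: bytes, max_pixels: int = MAX_PIXELS):
    """The guard: decide on the declared size before handing bytes to a decoder."""
    width, height = png_dimensions(data)
    if width * height > max_pixels:
        raise ImageRejected(f"{width}x{height} exceeds pixel budget {max_pixels}")
    return width, height


def make_png_header(width: int, height: int) -> bytes:
    """Constructed for the demo: signature plus a valid IHDR chunk and nothing
    else. A decompression bomb differs from this only by appending a small
    IDAT whose zlib stream inflates to width * height * 4 bytes."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA
    return (PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr
            + struct.pack(">I", zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF))
```

The header check is cheap and catches the declared-size bomb, but it is a pre-filter, not a replacement for decoder-level limits: the decoder still needs its own memory cap (for example Pillow's Image.MAX_IMAGE_PIXELS or ImageMagick resource policies) for formats this parser does not cover and for multi-frame files.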
-
CVE-2026-41279
HIGH
CVSS 8.2
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, t...
Authentication Bypass
-
CVE-2026-41278
HIGH
CVSS 8.7
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the san...
Information Disclosure
Docker
-
CVE-2026-41277
HIGH
CVSS 7.6
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities. Because the ...
Authentication Bypass
-
CVE-2026-41276
HIGH
CVSS 7.7
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw...
Authentication Bypass
-
CVE-2026-41275
HIGH
CVSS 7.5
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle (MI...
Authentication Bypass
-
CVE-2026-41273
HIGH
CVSS 7.7
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow...
Authentication Bypass
-
CVE-2026-41272
HIGH
CVSS 7.1
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allo...
SSRF
-
CVE-2026-41271
HIGH
CVSS 8.3
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to...
SSRF
-
CVE-2026-41270
HIGH
CVSS 7.1
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-...
Authentication Bypass
SSRF
Node.js
-
CVE-2026-41269
HIGH
CVSS 7.1
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally all...
RCE
Node.js
File Upload
-
CVE-2026-41267
HIGH
CVSS 8.1
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested object...
Authentication Bypass
-
CVE-2026-41266
HIGH
CVSS 7.7
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the /api/v1/public-chatbotConfig/:id endpoint exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of...
Information Disclosure
-
CVE-2026-41259
HIGH
CVSS 8.2
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted diffe...
Information Disclosure
-
CVE-2026-41247
HIGH
CVSS 8.9
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In co...
Command Injection
-
CVE-2026-41246
HIGH
CVSS 8.1
Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in spec.ro...
RCE
Denial Of Service
Kubernetes
Code Injection
Red Hat
-
CVE-2026-41241
HIGH
CVSS 8.7
pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields (which includes any ...
XSS
-
CVE-2026-41231
HIGH
CVSS 7.5
Symlink-based privilege escalation in Froxlor versions prior to 2.3.6 allows authenticated customers to gain ownership of arbitrary system directories. When the ExportCron executes as root, it performs 'chown -R' on user-controlled export paths that bypass symlink validation (introduced to fix CVE-2023-6069), enabling attackers to place symbolic links and hijack ownership of critical system files. This is a regression of the CVE-2023-6069 fix where DataDump.add() failed to apply the same symlink protections used elsewhere. EPSS data unavailable; no evidence of active exploitation (not in CISA KEV), but the specific vulnerability class (symlink following in privileged operations) has well-known exploitation patterns. Patch available in version 2.3.6.
Authentication Bypass
-
CVE-2026-41230
HIGH
CVSS 8.5
DNS zone file injection in Froxlor versions prior to 2.3.6 allows authenticated customers to inject arbitrary BIND directives and DNS records through unvalidated record types and unsanitized newline characters. Attackers with low-privilege customer accounts can manipulate DNS resolution for managed domains by embedding malicious directives like $INCLUDE, $ORIGIN, or $GENERATE into zone files, potentially redirecting traffic, creating unauthorized records, or disrupting DNS services. CVSS 8.5 with scope change indicates impact beyond the vulnerable component. Vendor patch released in version 2.3.6 (GitHub commit 47a8af5d). No CISA KEV listing or public exploit identified at time of analysis, but attack complexity is low (AC:L) for authenticated users.
Authentication Bypass
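Added example, not Froxlor code, of the zone-file injection the entry above describes and the validation that stops it: a builder that interpolates customer input straight into BIND zone text, beside one that allowlists record types, validates content per type and rejects control characters. The allowed-type set, the regexes and the INJECTION payload are constructed for the demonstration.

```python
import ipaddress
import re


class ZoneRecordError(ValueError):
    pass


# Constructed policy: the record types a customer account may create.
ALLOWED_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "TXT"}
LABEL = r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?"
NAME_RE = re.compile(rf"(?:@|{LABEL}(?:\.{LABEL})*)")   # relative owner name
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*\.?")       # target hostname
MX_RE = re.compile(r"(\d{1,5}) +(\S+)")

# Constructed attack value for an A-record content field: the first line is a
# plausible address, everything after the newline becomes new zone-file lines.
INJECTION = "192.0.2.1\n$INCLUDE /etc/bind/named.conf\nwww\t60\tIN\tA\t198.51.100.7"


def build_record_unsafe(name, rtype, content, ttl=3600):
    """Vulnerable pattern (constructed): fields go straight into zone text, so a
    newline in any of them starts a line BIND reads as a directive or record."""
    return f"{name}\t{ttl}\tIN\t{rtype}\t{content}\n"


def _validate_content(rtype, content):
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in content):
        raise ZoneRecordError("control character in record content")
    try:
        if rtype == "A":
            return str(ipaddress.IPv4Address(content))
        if rtype == "AAAA":
            return str(ipaddress.IPv6Address(content))
    except ValueError as exc:
        raise ZoneRecordError(f"invalid address for {rtype}: {content!r}") from exc
    if rtype in ("CNAME", "NS"):
        if not HOST_RE.fullmatch(content):
            raise ZoneRecordError(f"invalid hostname: {content!r}")
        return content
    if rtype == "MX":
        m = MX_RE.fullmatch(content)
        if not m or int(m.group(1)) > 65535 or not HOST_RE.fullmatch(m.group(2)):
            raise ZoneRecordError(f"invalid MX content: {content!r}")
        return f"{int(m.group(1))} {m.group(2)}"
    # TXT: quote the string so nothing in it can be read as a token or directive.
    escaped = content.replace("\\", "\\\\").replace('"', '\\"')
    if len(escaped) > 255:
        raise ZoneRecordError("TXT string longer than 255 octets")
    return f'"{escaped}"'


def build_record(name, rtype, content, ttl=3600):
    """Hardened builder: allowlist the type, validate owner and content by type,
    bound the TTL; the output is always exactly one zone-file line."""
    if rtype not in ALLOWED_TYPES:
        raise ZoneRecordError(f"record type {rtype!r} not allowed")
    if not NAME_RE.fullmatch(name):
        raise ZoneRecordError(f"invalid owner name: {name!r}")
    if not isinstance(ttl, int) or not 60 <= ttl <= 604800:
        raise ZoneRecordError(f"TTL out of range: {ttl!r}")
    return f"{name}\t{ttl}\tIN\t{rtype}\t{_validate_content(rtype, content)}\n"
```

Rejecting every control character is what closes the newline vector; the per-type grammar then makes $INCLUDE, $ORIGIN and $GENERATE unreachable even on a single line, because none of them is a valid address, hostname or quoted TXT string.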
-
CVE-2026-41211
HIGH
CVSS 8.4
Path traversal in Vite+ downloadPackageManager() allows local attackers to write or delete arbitrary files outside the intended cache directory. The vulnerability affects Vite+ versions before 0.1.17 and stems from inadequate input validation on the version parameter, enabling directory traversal via '../' sequences or absolute paths. Attackers with local access can manipulate filesystem operations to compromise system integrity and availability (CVSS 8.4, VI:H/VA:H). No public exploit identified at time of analysis, but exploitation requires minimal technical complexity (AC:L) and no authentication (PR:N). Vendor-released patch available in version 0.1.17.
Path Traversal
-
CVE-2026-41208
HIGH
CVSS 8.8
Command injection in Paperclip @paperclipai/server (versions <2026.416.0) allows authenticated agents to execute arbitrary OS commands on the server host. Attackers with Agent API credentials can escalate from agent runtime to full server host control by injecting malicious shell commands through the adapterConfig.workspaceStrategy.provisionCommand field during workspace provisioning. CVSS 8.8 (high) with network-accessible attack vector and low complexity. Vendor patch available in version 2026.416.0. No public exploit or CISA KEV listing identified at time of analysis, but the vulnerability breaks critical trust boundaries in multi-agent AI orchestration systems.
Privilege Escalation
RCE
Command Injection
Node.js
-
CVE-2026-41205
HIGH
CVSS 7.7
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can b...
Python
Path Traversal
-
CVE-2026-41200
HIGH
CVSS 8.5
Reflected Cross-Site Scripting in STIG Manager 1.5.10 through 1.6.7 enables arbitrary JavaScript execution during OIDC authentication error handling. Attackers crafting malicious redirect URLs can exploit unsanitized error parameters written directly to DOM via innerHTML. When victims with active sessions follow these links, injected code executes in application context with access to SharedWorker-managed authentication tokens, enabling authenticated API requests to read and modify STIG assessment collection data. CVSS 8.5 reflects high confidentiality and integrity impact despite requiring user interaction. No public exploit identified at time of analysis; vendor-released patch available in version 1.6.8.
XSS
-
CVE-2026-41180
HIGH
CVSS 7.5
Path traversal in PsiTransfer versions before 2.4.3 enables remote code execution through malicious file uploads. An attacker exploits URL encoding inconsistencies in the upload validation flow to write attacker-controlled JavaScript configuration files outside the intended upload directory. When the application restarts, these injected config files execute with application privileges, granting the attacker persistent code execution. Vendor patch released in v2.4.3 addresses the encoding mismatch between validation and file-write operations. CVSS 7.5 reflects high attack complexity and required user interaction, limiting immediate mass exploitation risk despite the severe RCE impact.
Path Traversal
-
CVE-2026-41138
HIGH
CVSS 8.8
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input is directly applied to the question parameter within th...
RCE
Python
Code Injection
-
CVE-2026-41040
HIGH
CVSS 8.7
Remote denial of service via regular expression attack in GROWI allows unauthenticated network attackers to exhaust server resources by submitting maliciously crafted input strings that trigger catastrophic backtracking in regex processing (CWE-1333). GROWI, Inc.'s collaboration platform is vulnerable to ReDoS with a CVSS 4.0 base score of 8.7 (High), reflecting high availability impact through network-accessible, low-complexity exploitation requiring no privileges or user interaction. No CISA KEV listing or public exploit code identified at time of analysis, though vendor advisory confirms the vulnerability and provides remediation guidance.
Denial Of Service
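The advisory summary above does not publish the affected expression, so the following added example uses constructed patterns and is not GROWI's code. It shows the three things a reviewer wants when CWE-1333 comes up: measure the pattern against an almost-matching input so the blow-up is observed rather than inferred, cap input length before the engine runs, and lint for the nested-quantifier shape that makes backtracking exponential. The `MAX_INPUT` value is an assumed server-side limit.

```python
"""Catastrophic backtracking, observed and mitigated (added example)."""
import re
import time

# Nested quantifier: on 'aaa...a!' the engine tries every partition of the
# run of a's between the inner and outer '+' before giving up: 2^n work.
VULNERABLE = re.compile(r"^(a+)+$")
# Same language, single quantifier: one way to match, linear work.
SAFE = re.compile(r"^a+$")
MAX_INPUT = 10_000  # assumed limit; tune per field


def timed_fullmatch(pattern, s):
    """(matched, seconds) so the cost of a pattern can be seen directly."""
    t0 = time.perf_counter()
    matched = pattern.fullmatch(s) is not None
    return matched, time.perf_counter() - t0


def bounded_fullmatch(pattern, s, limit=MAX_INPUT):
    """Refuse oversized input before the regex engine ever sees it."""
    if len(s) > limit:
        raise ValueError(f"input longer than {limit} characters")
    return pattern.fullmatch(s) is not None


# a quantified group whose body itself contains a quantifier
NESTED_QUANTIFIER = re.compile(r"\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)[+*{]")


def has_nested_quantifier(pattern_src: str) -> bool:
    """Crude static lint: catches (a+)+ and (\\w*)*; misses overlapping
    alternations such as (a|a)+, so it is a first filter, not a proof."""
    return NESTED_QUANTIFIER.search(pattern_src) is not None


if __name__ == "__main__":
    for n in (10, 14, 18, 22):
        probe = "a" * n + "!"          # almost matches, never matches
        _, slow = timed_fullmatch(VULNERABLE, probe)
        _, fast = timed_fullmatch(SAFE, probe)
        print(f"n={n:2d}  nested: {slow:8.4f}s   single: {fast:8.6f}s")
    print("lint (a+)+ :", has_nested_quantifier(r"^(a+)+$"))
```

Run the block directly and the nested pattern's time roughly doubles per added character while the single-quantifier pattern stays flat; that doubling is what an unauthenticated request can buy against a server that regexes user input without a length cap.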
-
CVE-2026-40886
HIGH
CVSS 7.7
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/po...
Denial Of Service
Kubernetes
Red Hat
-
CVE-2026-40062
HIGH
CVSS 8.7
Remote unauthenticated attackers can access sensitive operating system files in Ziostation2 medical imaging software v2.9.8.7 and earlier via path traversal, achieving high confidentiality impact. The vulnerability requires no authentication, low attack complexity, and no user interaction (CVSS:4.0 AV:N/AC:L/PR:N/UI:N), making it easily exploitable from the network. While not currently listed in CISA KEV and lacking public exploit code at time of analysis, the trivial exploitation conditions and exposure of medical system data present significant risk to healthcare organizations using affected versions.
Path Traversal
-
CVE-2026-35225
HIGH
CVSS 8.7
An unauthenticated remote attacker is able to exhaust all available TCP connections in the CODESYS EtherNet/IP adapter stack, preventing legitimate clients from establishing new connections.
Denial Of Service
-
CVE-2026-34587
HIGH
CVSS 7.6
### TL;DR
This vulnerability affects all Kirby sites that use option fields (`checkboxes`, `color`, `multiselect`, `select`, `radio`, `tags` or `toggles`) with options from a query or API whose values may not be fully trusted. It also affects direct uses of the `OptionsApi` or `OptionsQuery` classe...
RCE
Ssti
-
CVE-2026-34488
HIGH
CVSS 7.0
DLL hijacking in i-PRO Co., Ltd.'s IP Setting Software enables local attackers with low privileges to execute arbitrary code with administrative privileges when victims open the application. The vulnerability stems from insecure DLL search path handling (CWE-427), allowing attackers to plant malicious DLLs that load during software execution. While exploitation requires local access and user interaction (CVSS:3.0/AV:L/AC:L/PR:L/UI:R), successful attacks achieve complete system compromise with elevated privileges. No active exploitation confirmed at time of analysis, with EPSS and KEV data unavailable for this recently published CVE.
RCE
-
CVE-2026-34003
HIGH
CVSS 7.8
A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, lead...
Buffer Overflow
Denial Of Service
Information Disclosure
-
CVE-2026-34001
HIGH
CVSS 7.8
A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially ...
Buffer Overflow
Denial Of Service
-
CVE-2026-33999
HIGH
CVSS 7.8
A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial of service ...
Denial Of Service
Integer Overflow
-
CVE-2026-33694
HIGH
CVSS 7.4
This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code execution, whereby an attacker may exploit the vulnerability to execute malicious code with elevated SYSTEM ...
RCE
-
CVE-2026-33318
HIGH
CVSS 8.8
### Summary
Any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no authorization check, allowing any session to overwrite the password hash; the inac...
Authentication Bypass
Privilege Escalation
-
CVE-2026-32679
HIGH
CVSS 8.4
DLL hijacking in LiveOn Meet Client and Canon Network Camera Plugin installers allows local attackers to execute arbitrary code with installer privileges when users run vulnerable installer executables from directories containing malicious DLLs. The flaw affects four installer executables (Downloader5Installer.exe, Downloader5InstallerForAdmin.exe, CanonNWCamPlugin.exe, CanonNWCamPluginForAdmin.exe) version 1.0.0.0. No public exploit identified at time of analysis, though the attack technique is well-documented. CVSS 8.4 (High) reflects significant impact contingent on user interaction and attacker's ability to place malicious files in the installer directory before execution - real-world risk depends heavily on organizational download practices and endpoint controls preventing untrusted DLL placement.
RCE
Microsoft
-
CVE-2026-32172
HIGH
CVSS 8.0
Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network.
RCE
Microsoft
-
CVE-2026-31532
HIGH
CVSS 7.8
Use-after-free in Linux kernel CAN raw socket implementation allows local authenticated attackers to corrupt memory and potentially achieve code execution. The vulnerability stems from premature deallocation of percpu uniq storage in raw_release() while raw_rcv() may still access it via deferred RCU callbacks. Patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS exploitation probability remains low (0.02%, 5th percentile) with no active exploitation confirmed at time of analysis.
Information Disclosure
Linux
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-28525
HIGH
CVSS 8.2
SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attac...
Denial Of Service
Integer Overflow
-
CVE-2026-26150
HIGH
CVSS 8.6
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
SSRF
Microsoft
-
CVE-2026-6921
HIGH
CVSS 8.3
Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)
Information Disclosure
Google
Race Condition
Microsoft
-
CVE-2026-6903
HIGH
CVSS 8.7
Path traversal in Zurich Instruments LabOne Web Server allows unauthenticated remote attackers to read arbitrary files accessible to the LabOne process. The vulnerability combines insufficient input validation (CWE-22) with missing CORS restrictions, so it can be exploited directly or from a victim's browser via a malicious website. EPSS data is not available; the attack vector is network-accessible and requires neither authentication nor user interaction (AV:N/PR:N/UI:N), and the vendor has confirmed a patch for this readily exploitable information disclosure flaw. Exploitation is limited to installations running the Web Server component; API-only deployments are unaffected.
Path Traversal
-
CVE-2026-5935
HIGH
CVSS 7.3
Remote code execution in IBM Total Storage Service Console (TSSC) and TS4500 IMC versions 9.2 through 9.6 allows unauthenticated attackers to execute arbitrary commands with normal user privileges via improper input validation. The vulnerability carries a CVSS score of 7.3 with network attack vector and low complexity (AV:N/AC:L/PR:N/UI:N), enabling remote exploitation without authentication. No public exploit identified at time of analysis, and EPSS risk data is not available for this 2026 CVE.
Command Injection
IBM
-
CVE-2026-5464
HIGH
CVSS 7.2
Authenticated Editor-level attackers can achieve Remote Code Execution in ExactMetrics WordPress plugin (all versions ≤9.1.2) by chaining exposed onboarding credentials to install and activate arbitrary plugin ZIP files from attacker-controlled URLs. The attack exploits a missing authorization check in the 'exactmetrics_connect_process' AJAX endpoint that accepts the one-time hash token obtained via the exposed 'onboarding_key' transient, effectively bypassing plugin installation controls. EPSS and KEV status unknown; CVSS 7.2 reflects high-privilege requirement (PR:H) but direct path to RCE makes this a critical risk for multi-author WordPress sites where Editors have dashboard viewing permissions. Wordfence advisory and source code references confirm the vulnerability chain across three distinct code locations in versions through 9.1.1.
WordPress
Authentication Bypass
RCE
Google
-
CVE-2026-3259
HIGH
CVSS 7.1
Information disclosure in Google BigQuery materialized view refresh allows authenticated users to extract sensitive data via crafted views that generate error messages containing confidential information. Google Cloud Platform patched this server-side vulnerability on 29 January 2026 with automatic remediation requiring no customer action. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with network-accessible attack vector and low attack complexity, though no public exploit or CISA KEV listing exists at time of analysis.
Information Disclosure
Google
-
CVE-2026-41990
MEDIUM
CVSS 4.0
Libgcrypt before version 1.12.2 contains a bounds-check vulnerability in Dilithium signing operations where writes to a static array lack proper bounds validation, potentially causing memory corruption and integrity loss. It is exploitable by local attackers with non-privileged access on systems running the vulnerable versions 1.12.0 and 1.12.1. While the array writes themselves do not involve attacker-controlled data, the missing bounds check creates an integrity and availability risk through uncontrolled memory modification.
Buffer Overflow
Memory Corruption
Red Hat
Suse
-
CVE-2026-41989
MEDIUM
CVSS 6.7
Heap-based buffer overflow in Libgcrypt before 1.12.2 allows local attackers to trigger denial of service and corrupt memory via crafted ECDH ciphertext passed to gcry_pk_decrypt, affecting cryptographic operations in dependent applications including GnuPG. No public exploit code or active exploitation has been identified at time of analysis; vendor has released patched versions 1.10.4, 1.11.3, and 1.12.2 to resolve the vulnerability.
Buffer Overflow
Denial Of Service
Memory Corruption
Red Hat
Suse
-
CVE-2026-41909
MEDIUM
CVSS 5.3
OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same ...
Authentication Bypass
-
CVE-2026-41495
MEDIUM
CVSS 5.3
n8n-mcp v2.47.10 and earlier in HTTP transport mode logs sensitive authentication credentials and request metadata regardless of authentication outcome, allowing disclosure of bearer tokens, API keys, and JSON-RPC payloads to any system with access to server logs. While access control correctly rejects unauthenticated requests with 401 responses, the sensitive data from those rejected requests is persisted in logs before authentication is enforced, creating an information disclosure vulnerability (CWE-532) with CVSS 5.3 (low confidentiality impact). No public exploit code or active exploitation is documented; patch is available in v2.47.11.
Information Disclosure
Docker
Node.js
-
CVE-2026-41461
MEDIUM
CVSS 6.3
SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can...
SSRF
-
CVE-2026-41361
MEDIUM
CVSS 5.1
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections.
SSRF
-
CVE-2026-41360
MEDIUM
CVSS 5.4
OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scripts before execution without invalidating the approval plan, allowing execution of modified script co...
Code Injection
-
CVE-2026-41355
MEDIUM
CVSS 5.4
OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway startup by exploiting enabled workspace hooks.
RCE
-
CVE-2026-41354
MEDIUM
CVSS 6.3
OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows ac...
Denial Of Service
-
CVE-2026-41351
MEDIUM
CVSS 6.3
OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature verificati...
Authentication Bypass
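The flaw above is a canonicalisation gap: a Base64 signature and its Base64URL re-encoding are the same bytes, so a replay cache keyed on the wire string sees two different requests. The following added example (my own code, not OpenClaw's or Telnyx's) decodes to bytes first, verifies the HMAC, and then dedupes on `(bytes, timestamp)`. The signing scheme (HMAC-SHA256 over `timestamp.payload`), the secret and the payload are constructed for the demo.

```python
"""Replay cache keyed on decoded signature bytes (added example)."""
import base64
import binascii
import hashlib
import hmac
import time


def decode_signature(sig: str) -> bytes:
    """Accept standard or URL-safe alphabet, padded or not; reject junk."""
    std = sig.strip().replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        return base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("malformed signature") from exc


def sign(secret: bytes, timestamp: int, payload: bytes) -> bytes:
    """Assumed scheme: HMAC-SHA256 over '<timestamp>.<payload>'."""
    return hmac.new(secret, f"{timestamp}.".encode() + payload, hashlib.sha256).digest()


class WebhookVerifier:
    def __init__(self, secret: bytes, window_s: int = 300, now=time.time):
        self._secret, self._window, self._now = secret, window_s, now
        self._seen: dict[tuple[bytes, int], float] = {}

    def accept(self, payload: bytes, timestamp: int, sig_header: str) -> bool:
        """True exactly once per (signature bytes, timestamp) inside the window."""
        now = self._now()
        if abs(now - timestamp) > self._window:
            return False
        try:
            raw = decode_signature(sig_header)
        except ValueError:
            return False
        if not hmac.compare_digest(raw, sign(self._secret, timestamp, payload)):
            return False
        for key, seen_at in list(self._seen.items()):   # expire old entries
            if now - seen_at > self._window:
                del self._seen[key]
        key = (raw, timestamp)          # bytes, not the string the sender chose
        if key in self._seen:
            return False
        self._seen[key] = now
        return True


def both_encodings(raw: bytes) -> tuple:
    """The two wire forms an attacker can flip between."""
    return (base64.b64encode(raw).decode(),
            base64.urlsafe_b64encode(raw).rstrip(b"=").decode())


if __name__ == "__main__":
    secret, ts = b"constructed-demo-secret", 1_700_000_000
    body = b'{"event":"call.answered"}'
    v = WebhookVerifier(secret, now=lambda: ts + 5)
    std, url = both_encodings(sign(secret, ts, body))
    print("first delivery:    ", v.accept(body, ts, std))   # True
    print("replay, re-encoded:", v.accept(body, ts, url))   # False
```

Keying on the decoded bytes also removes the padded-versus-unpadded variant of the same trick, which a string-keyed cache would treat as a third distinct request.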
-
CVE-2026-41350
MEDIUM
CVSS 5.3
OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke session_status without sandbox constraints to bypass session-policy cont...
Authentication Bypass
-
CVE-2026-41346
MEDIUM
CVSS 6.3
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing...
Denial Of Service
-
CVE-2026-41345
MEDIUM
CVSS 6.0
OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by crafting malicious cross-origin redirect chains to intercept sensitive authorization credentials int...
Information Disclosure
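Two of the OpenClaw entries above concern the same outbound-request path: the SSRF guard that missed IPv6 special-use ranges (CVE-2026-41361) and the media downloader that kept forwarding `Authorization` across cross-origin redirects (this entry). The following added example is my own code, not OpenClaw's. The summary does not name the four ranges the guard missed, so the list below is my own selection of what an SSRF filter must cover, including the three IPv6 forms that embed an IPv4 address (IPv4-mapped, NAT64, 6to4) and are only safe if the inner address is checked. Name resolution is out of scope: the guard assumes the host has already been resolved to a literal. The redirect map is constructed for the demo.

```python
"""Outbound-request guard: IPv6 special-use ranges plus credential
stripping on cross-origin redirects (added example)."""
import ipaddress
from urllib.parse import urlsplit

BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
BLOCKED_V6 = [ipaddress.ip_network(n) for n in (
    "::/128",      # unspecified
    "::1/128",     # loopback
    "fe80::/10",   # link-local
    "fc00::/7",    # unique local
    "fec0::/10",   # deprecated site-local, still honoured by some stacks
)]
NAT64 = ipaddress.ip_network("64:ff9b::/96")


def is_blocked_ip(literal: str) -> bool:
    addr = ipaddress.ip_address(literal.strip("[]"))
    if addr.version == 4:
        return any(addr in net for net in BLOCKED_V4)
    # IPv6 forms that wrap an IPv4 target: judge the inner address
    if addr.ipv4_mapped is not None:          # ::ffff:a.b.c.d
        return is_blocked_ip(str(addr.ipv4_mapped))
    if addr.sixtofour is not None:            # 2002:AABB:CCDD::
        return is_blocked_ip(str(addr.sixtofour))
    if addr in NAT64:                         # 64:ff9b::a.b.c.d
        inner = ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)
        return is_blocked_ip(str(inner))
    return any(addr in net for net in BLOCKED_V6)


def origin(url: str) -> tuple:
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port or default)


SENSITIVE = {"authorization", "cookie", "proxy-authorization"}


def headers_for_redirect(from_url: str, to_url: str, headers: dict) -> dict:
    """Forward everything on same-origin hops; drop credentials otherwise."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}


def follow_chain(start: str, chain: dict, headers: dict, max_hops: int = 5):
    """Walk a constructed redirect map {url: location}; return the final
    (url, headers), or raise if a hop targets a blocked literal or loops."""
    url, hdrs = start, dict(headers)
    for _ in range(max_hops):
        host = urlsplit(url).hostname or ""
        try:
            if is_blocked_ip(host):
                raise PermissionError(f"blocked target {host}")
        except ValueError:
            pass  # hostname, not a literal: resolver-side checks belong here
        nxt = chain.get(url)
        if nxt is None:
            return url, hdrs
        hdrs = headers_for_redirect(url, nxt, hdrs)
        url = nxt
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    chain = {"https://media.example/a.jpg": "https://cdn.evil.example/a.jpg"}
    final, h = follow_chain("https://media.example/a.jpg", chain,
                            {"Authorization": "Bearer secret", "Accept": "image/*"})
    print(final, h)   # Authorization is gone after the cross-origin hop
```

The origin comparison deliberately includes scheme and port: an https-to-http downgrade on the same host is a credential leak too, and a port change moves the request to a different listener.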
-
CVE-2026-41344
MEDIUM
CVSS 5.3
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or to...
Authentication Bypass
Privilege Escalation
-
CVE-2026-41343
MEDIUM
CVSS 6.9
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade servi...
Denial Of Service
-
CVE-2026-41340
MEDIUM
CVSS 6.3
OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named a...
Authentication Bypass
-
CVE-2026-41339
MEDIUM
CVSS 5.3
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.
Information Disclosure
-
CVE-2026-41338
MEDIUM
CVSS 4.3
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act patterns in apply_patch, remove, and mkdir operations to manipulate files between validation and execution.
Authentication Bypass
-
CVE-2026-41337
MEDIUM
CVSS 6.3
OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can exploit this to manipulate callback origins during the...
Information Disclosure
-
CVE-2026-41335
MEDIUM
CVSS 6.9
OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bootstrap payload to identify system versions and ag...
Information Disclosure
-
CVE-2026-41333
MEDIUM
CVSS 6.3
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute for...
Authentication Bypass
-
CVE-2026-41332
MEDIUM
CVSS 5.8
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files...
Information Disclosure
-
CVE-2026-41322
MEDIUM
CVSS 5.3
Cache poisoning in @astrojs/node versions 9.4.4 and earlier allows unauthenticated remote attackers to poison CDN caches by sending malformed if-match headers to static asset endpoints, causing the server to return 500 errors with immutable one-year cache directives instead of the correct 412 Precondition Failed response. This vulnerability affects all subsequent requests to poisoned assets until the cache expires, breaking application functionality for legitimate users. The vulnerability is not actively exploited in the wild, but proof-of-concept exploitation is straightforward and requires only a single crafted HTTP request.
Denial Of Service
Kubernetes
Mozilla
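The failure pattern in the Astro entry is general: a long-lived `Cache-Control` header is attached before the request is fully validated, so an unexpected error response inherits it and the CDN keeps serving the error. The following is an added example (my own code, not @astrojs/node's) that shows the vulnerable shape beside a hardened handler which parses `If-Match` leniently per RFC 7232 (an unparseable list simply fails to match), answers 412 with `no-store`, and attaches the immutable directive only on the 200 it was meant for. The response type and etag values are constructed for the demo.

```python
"""Conditional-request handling that cannot poison a shared cache
(added example)."""
import re
from dataclasses import dataclass, field

ETAG_RE = re.compile(r'(W/)?"([^"]*)"')
IMMUTABLE = "public, max-age=31536000, immutable"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_if_match(value: str):
    """'*' or a list of (weak, opaque-tag); tokens that are not quoted
    strings are skipped rather than raised on."""
    if value.strip() == "*":
        return "*"
    return [(bool(w), tag) for w, tag in ETAG_RE.findall(value)]


def if_match_passes(value: str, current_etag: str) -> bool:
    """RFC 7232 section 3.1: If-Match uses strong comparison only."""
    parsed = parse_if_match(value)
    if parsed == "*":
        return True
    cur = ETAG_RE.fullmatch(current_etag.strip())
    if cur is None or cur.group(1):        # a weak current tag never strong-matches
        return False
    return any(not weak and tag == cur.group(2) for weak, tag in parsed)


STRICT_LIST = re.compile(r'\s*(W/)?"[^"]*"(\s*,\s*(W/)?"[^"]*")*\s*')


def serve_asset_vulnerable(req: dict, etag: str, body: bytes) -> Response:
    """Cache headers chosen up front; the catch-all 500 reuses them."""
    headers = {"Cache-Control": IMMUTABLE, "ETag": etag}
    try:
        ifm = req.get("if-match")
        if ifm is not None:
            if ifm.strip() != "*" and not STRICT_LIST.fullmatch(ifm):
                raise ValueError("unparseable If-Match")
            if not if_match_passes(ifm, etag):
                return Response(412, headers)      # also wrong: a cacheable 412
        return Response(200, headers, body)
    except Exception:
        return Response(500, headers)             # the poison: 500 + immutable


def serve_asset_hardened(req: dict, etag: str, body: bytes) -> Response:
    ifm = req.get("if-match")
    if ifm is not None and not if_match_passes(ifm, etag):
        # a precondition failure is a per-request outcome, never cacheable
        return Response(412, {"Cache-Control": "no-store", "ETag": etag})
    return Response(200, {"Cache-Control": IMMUTABLE, "ETag": etag}, body)


if __name__ == "__main__":
    etag, body = '"abc123"', b"/* asset */"
    bad = {"if-match": "garbage"}
    print("vulnerable:", serve_asset_vulnerable(bad, etag, body))
    print("hardened:  ", serve_asset_hardened(bad, etag, body))
```

A quick check for the same class of bug in any handler: grep for the place the long-lived cache header is set and confirm no exception path between that line and the final 200 can return it.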
-
CVE-2026-41243
MEDIUM
CVSS 6.9
OpenLearn forum software with safeMode enabled allows unauthenticated attackers to bypass post approval restrictions and read unpublished content directly via post UUID, bypassing the public forum list filtering. The vulnerability affects all versions prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab and is remotely exploitable without authentication or user interaction. A vendor patch is available.
Authentication Bypass
-
CVE-2026-41233
MEDIUM
CVSS 5.4
Froxlor versions prior to 2.3.6 allow authenticated resellers to bypass domain quota restrictions by attributing newly created domains to arbitrary admins through unvalidated `adminid` parameter input in the `Domains.add()` function. This vulnerability enables quota exhaustion attacks against other administrators and domain creation beyond the attacker's assigned limits, with confirmed patch availability in version 2.3.6.
Authentication Bypass
-
CVE-2026-41232
MEDIUM
CVSS 5.0
Froxlor versions prior to 2.3.6 fail to validate domain ownership correctly when adding full email sender aliases, allowing authenticated customers to add sender aliases for email addresses on domains belonging to other customers and subsequently send emails as those addresses via Postfix sender_login_maps authorization. The vulnerability stems from an array indexing error in EmailSender::add() that passes the local part of an email address instead of the domain to the ownership validation function, causing the check to pass for non-existent domains. No active exploitation has been confirmed at the time of analysis.
Authentication Bypass
-
CVE-2026-41213
MEDIUM
CVSS 5.9
@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the au...
Information Disclosure
Node.js
Microsoft
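The PKCE entry above has two parts: the server accepted verifiers that RFC 7636 forbids, and a failed attempt left the authorization code redeemable. The following added example (my own code, not @node-oauth/oauth2-server's) enforces the verifier grammar (43 to 128 characters from the unreserved set), recomputes the S256 challenge, compares in constant time, and consumes the code on the first redemption attempt whether or not it succeeds, so a caller cannot iterate verifiers against one code. The store is an in-memory stand-in for the demo.

```python
"""PKCE S256 verification done the RFC 7636 way (added example)."""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code-verifier = 43*128 unreserved characters
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def s256_challenge(verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_is_well_formed(verifier: str) -> bool:
    return VERIFIER_RE.fullmatch(verifier) is not None


class AuthorizationCodes:
    """Single-use store: code -> (challenge, method)."""

    def __init__(self):
        self._pending = {}

    def issue(self, challenge: str, method: str = "S256") -> str:
        code = secrets.token_urlsafe(32)
        self._pending[code] = (challenge, method)
        return code

    def redeem(self, code: str, verifier: str) -> bool:
        # pop before any check: a wrong verifier burns the code
        entry = self._pending.pop(code, None)
        if entry is None:
            return False
        challenge, method = entry
        if method != "S256":          # 'plain' is not accepted by this server
            return False
        if not verifier_is_well_formed(verifier):
            return False
        return hmac.compare_digest(s256_challenge(verifier), challenge)

    def pending(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # RFC 7636 App. B
    store = AuthorizationCodes()
    code = store.issue(s256_challenge(verifier))
    print("one-char verifier accepted:", store.redeem(code, "a"))    # False
    print("retry with real verifier:  ", store.redeem(code, verifier))  # False, consumed
```

The order inside `redeem` is the point: popping the code before validating the verifier is what turns a guess into a one-shot, and the grammar check is what keeps the effective search space at 2^256 rather than whatever a one-character verifier offers.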
-
CVE-2026-41206
MEDIUM
CVSS 6.9
PySpector versions prior to 0.1.8 allow arbitrary code execution within the PySpector process when a malicious plugin is supplied and executed. The plugin security validator uses incomplete AST-based static analysis that fails to block dangerous Python constructs, permitting attackers with write access to plugin files to bypass the blocklist and achieve remote code execution. The vulnerability is fixed in version 0.1.8.
RCE
Python
-
CVE-2026-41182
MEDIUM
CVSS 5.3
LangSmith Client SDKs in JavaScript (prior to 0.5.19) and Python (prior to 0.7.31) fail to apply output redaction controls to streaming token events, allowing sensitive LLM-generated content to leak into LangSmith platform storage despite hideOutputs/hide_outputs being enabled. Unauthenticated remote attackers can intercept or access unredacted streamed tokens if they gain visibility into run events, bypassing the intended confidentiality controls.
Python
Information Disclosure
-
CVE-2026-41173
MEDIUM
CVSS 5.9
The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsync ...
Denial Of Service
-
CVE-2026-40894
MEDIUM
CVSS 5.3
OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet...
Denial Of Service
-
CVE-2026-40891
MEDIUM
CVSS 5.3
OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could ...
Denial Of Service
-
CVE-2026-40529
MEDIUM
CVSS 5.1
SQL injection in CMS ALAYA 7.4.1.4 and earlier allows authenticated administrators to obtain or modify database information through the administrative interface. The vulnerability requires high-privilege access (PR:H) and carries low confidentiality, integrity, and availability impact per CVSS 4.0 scoring. No public exploit code or active exploitation has been identified at time of analysis.
SQLi
-
CVE-2026-40431
MEDIUM
CVSS 6.9
SenseLive X3050 web management interface transmits all administrative communication including authentication credentials and configuration data over unencrypted HTTP, allowing network-adjacent attackers to intercept sensitive operational information without authentication or user interaction. The vulnerability affects all versions of the X3050 and is classified as information disclosure with confirmed CISA ICS advisory coverage.
Information Disclosure
-
CVE-2026-40182
MEDIUM
CVSS 5.3
OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory...
Information Disclosure
-
CVE-2026-40099
MEDIUM
CVSS 5.3
### TL;DR
This vulnerability affects all Kirby sites where users have the permission to create pages (`pages.create` permission is enabled) but not the permission to change the status of pages (`pages.changeStatus` permission is disabled). This can be due to configuration in the user blueprint(s), ...
Authentication Bypass
Privilege Escalation
-
CVE-2026-32952
MEDIUM
CVSS 5.3
A malicious NTLM challenge message can cause a slice out-of-bounds panic, crashing any Go process that uses `ntlmssp.Negotiator` as an HTTP transport.
Denial Of Service
Integer Overflow
-
CVE-2026-32870
MEDIUM
CVSS 6.9
### TL;DR
This vulnerability only affects Kirby sites that use the `Xml` data handler (e.g. `Data::encode($string, 'xml')`) or the `Xml::create()`, `Xml::tag()` or `Xml::value()` method(s) in site or plugin code. The Kirby core does not use any of the affected methods.
If consumers use an affected...
Code Injection
-
CVE-2026-31531
MEDIUM
CVSS 5.5
Denial of service in Linux kernel nexthop query handling allows local authenticated attackers to crash the kernel by querying nexthop objects with large Equal-Cost Multi-Path groups via the RTM_GETNEXTHOP netlink message. The vulnerability stems from fixed-size socket buffer allocation that overflows when processing nexthop groups exceeding approximately 512 members, triggering a kernel warning and potential system instability.
Denial Of Service
Linux
Red Hat
Suse
-
CVE-2026-31179
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-port parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31176
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-user parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31174
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31173
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the interval parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31172
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the user parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31171
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the url parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31169
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the week parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31168
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the recHour parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31167
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the mode parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31166
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31165
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeServiceName parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31164
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeMtu parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31163
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the dhcpMtu parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31162
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the ttlWay parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31160
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the provider parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-31159
MEDIUM
CVSS 6.5
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the password parameter to /cgi-bin/cstecgi.cgi.
Command Injection
-
CVE-2026-29197
MEDIUM
CVSS 4.3
Authenticated users in Rocket.Chat versions prior to 8.4.0, 8.3.2, 8.2.2, 8.1.3, 8.0.4, 7.13.6, 7.12.7, 7.11.7, and 7.10.10 can read application engine logs via the /api/apps/logs and /api/apps/:id/logs endpoints due to a typo in permission validation logic. The vulnerability allows authenticated attackers with insufficient privileges to bypass authorization checks and access sensitive logs containing partial information, with no public exploit confirmed at time of analysis.
Authentication Bypass
-
CVE-2026-29051
MEDIUM
CVSS 4.4
### Impact
`melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and `pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these v...
Path Traversal
-
CVE-2026-29050
MEDIUM
CVSS 6.1
### Impact
An attacker who can influence a melange configuration file - for example through pull-request-driven CI or build-as-a-service scenarios - could set `pipeline[].uses` to a value containing `../` sequences or an absolute path. The `(*Compiled).compilePipeline` function in `pkg/build/compil...
Path Traversal
-
CVE-2026-28040
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in Magepeople's Taxi Booking Manager for WooCommerce plugin (versions up to 2.0.0) allows authenticated users with low privileges to inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or defacement. The vulnerability requires user interaction (UI:R) and affects the confidentiality, integrity, and availability of the application. No public exploit code or active exploitation has been confirmed at this time.
WordPress
XSS
-
CVE-2026-6941
MEDIUM
CVSS 6.9
radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a sy...
Path Traversal
-
CVE-2026-6940
MEDIUM
CVSS 6.9
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files ou...
Path Traversal
-
CVE-2026-6732
MEDIUM
CVSS 6.5
A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that ca...
Denial Of Service
Memory Corruption
-
CVE-2026-5926
MEDIUM
CVSS 6.5
IBM Security Verify Access and Verify Identity Access products versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 use cryptographic algorithms weaker than expected, allowing authenticated network attackers to decrypt highly sensitive information. The vulnerability affects both containerized and non-containerized deployments across multiple major versions. CVSS 6.5 reflects high confidentiality impact with low attack complexity, though authenticated access is required.
Information Disclosure
IBM
-
CVE-2026-5039
MEDIUM
CVSS 6.1
TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if the device is left in its default configuration. A network-adjacent attacker can exploit this weakness to gain unauthorized acces...
Authentication Bypass
TP-Link
-
CVE-2026-4917
MEDIUM
CVSS 4.9
Arbitrary file write vulnerability in IBM Guardium Data Protection 12.1 allows authenticated administrative users to traverse directories and write files to arbitrary locations via specially crafted URLs containing path traversal sequences (/../). The vulnerability requires high-privilege admin credentials and network access but results in integrity compromise without requiring user interaction, making it a post-authentication privilege abuse risk for organizations running this data protection platform.
Path Traversal
IBM
-
CVE-2026-4106
MEDIUM
CVSS 5.3
The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days.
WordPress
Information Disclosure
-
CVE-2026-3361
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in WP Store Locator plugin for WordPress up to version 2.2.261 allows authenticated contributors and above to inject arbitrary JavaScript via the 'wpsl_address' post meta field, executing in browsers of any user who views an affected map marker info window. The vulnerability requires contributor-level access or higher and does not require user interaction beyond normal page browsing, resulting in session hijacking, credential theft, or malware distribution with CVSS 6.4 impact spanning confidentiality and integrity across security boundaries.
WordPress
XSS
-
CVE-2026-3007
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in Koollab LMS courselet feature allows authenticated users to inject arbitrary JavaScript that executes in the browsers of other users with courselet access, potentially compromising account security and enabling credential theft or malicious actions on behalf of affected users. CVSS 5.4 reflects network delivery, low complexity, and limited confidentiality/integrity impact constrained by required user interaction and authenticated access.
XSS
-
CVE-2026-2951
MEDIUM
CVSS 5.4
Stored Cross-Site Scripting in Gutentor plugin for WordPress up to version 3.5.5 allows authenticated contributors and above to inject malicious scripts into pages via insufficient input sanitization, executing arbitrary JavaScript in the browsers of users who view the compromised pages. The vulnerability requires contributor-level WordPress account access and user interaction (page view), resulting in limited but real risk to website content integrity and user session compromise.
WordPress
XSS
-
CVE-2026-1923
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Social Rocket - Social Sharing Plugin for WordPress up to version 1.3.4.2 allows authenticated Subscriber-level users to inject arbitrary JavaScript via the 'id' parameter, which executes in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, and exploitation requires only subscriber-level WordPress authentication with no user interaction needed beyond the initial injection.
WordPress
XSS
-
CVE-2026-1726
MEDIUM
CVSS 4.8
Improper privilege management in IBM Guardium Key Lifecycle Manager versions 4.1 through 5.1 allows remote unauthenticated attackers to achieve limited confidentiality and integrity compromise through a network attack requiring high complexity. The vulnerability stems from inadequate access control enforcement that permits elevation of privileges without authentication, affecting a widely deployed enterprise key management solution.
Privilege Escalation
IBM
-
CVE-2026-1352
MEDIUM
CVSS 6.5
Authenticated users can trigger a denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 for Linux, UNIX, and Windows through improper neutralization of special elements in database query logic, causing service unavailability without requiring user interaction or special configuration. The vulnerability affects both standalone Db2 instances and Db2 Connect Server deployments, with CVSS 6.5 reflecting network accessibility and authenticated access requirements. No public exploit code or active exploitation has been identified at the time of analysis.
Denial Of Service
IBM
Microsoft
-
CVE-2026-1274
MEDIUM
CVSS 4.9
IBM Guardium Data Protection versions 12.0, 12.1, and 12.2 contain an authentication bypass vulnerability in the access management control panel that allows high-privilege users to circumvent business logic controls and modify access policies without proper authorization constraints. The vulnerability requires administrative credentials to trigger but results in unauthorized privilege escalation or policy modification within the management interface. No public exploit code or active exploitation has been identified at the time of analysis.
Authentication Bypass
IBM
-
CVE-2025-66286
MEDIUM
CVSS 4.7
WebKitGTK and WPE WebKit contain an API design flaw that allows untrusted web content to bypass the WebPage::send-request signal handler and perform unapproved network operations including IP connections, DNS lookups, and HTTP requests. The vulnerability affects applications across Red Hat Enterprise Linux 6-9 that rely on this signal to control network access. A remote attacker can trigger these bypassed requests via crafted web content with only user interaction (UI:R), resulting in limited confidentiality impact (C:L) without code execution.
Authentication Bypass
Apple
Red Hat
Suse
-
CVE-2025-62110
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in Rescue Shortcodes WordPress plugin versions through 3.3 allows authenticated users with limited privileges to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators and other high-privilege accounts. Attack requires user interaction (UI:R) but affects the entire scope of the application (S:C), enabling privilege escalation and data theft with moderate impact.
XSS
-
CVE-2025-62104
MEDIUM
CVSS 4.3
Broken access control in Navneil Naicker ACF Galerie 4 plugin versions up to 1.4.2 allows authenticated users to modify content they should not have permission to access. The vulnerability stems from missing authorization checks in functionality protected only by authentication level, enabling privilege escalation or unauthorized data modification by low-privileged WordPress users.
Authentication Bypass
-
CVE-2025-36074
MEDIUM
CVSS 5.5
IBM Security Verify Directory (Container) versions 10.0.0 through 10.0.0.3 fail to validate uploaded file types, allowing privileged users to upload malicious files that can be distributed to victims for lateral attacks. The vulnerability requires high-privilege credentials but enables integrity compromise and partial availability impact once exploited.
IBM
File Upload
-
CVE-2025-13763
MEDIUM
CVSS 5.7
Uninitialized variable usage in OpenSC's libopensc library enables information disclosure and denial of service when processing specially crafted responses from malicious USB devices or smart cards. Attackers must physically present a crafted USB or smart card device to trigger the vulnerability, which reads uninitialized memory from the stack or heap, potentially exposing sensitive data or causing application crashes. No public exploit code has been identified at time of analysis.
Information Disclosure
Red Hat
Suse
-
CVE-2025-10549
MEDIUM
CVSS 5.1
DLL hijacking in EfficientLab Controlio before v1.3.95 allows local attackers with high privileges to achieve arbitrary code execution by placing a specially crafted DLL in the installation directory, leveraging weak folder permissions and the service's NT AUTHORITY\SYSTEM execution context. Real-world risk is constrained by the high privilege requirement (PR:H) and local-only attack vector; EPSS score of 0.01% and CISA SSVC framework marking exploitation as 'none' and technical impact as 'partial' indicate low current exploitation likelihood despite the RCE tag.
RCE
-
CVE-2026-41988
LOW
CVSS 3.2
UUID library versions before 14.0.0 make unexpected writes to external output buffers when generating UUID versions 3, 5, or 6, potentially corrupting adjacent memory. UUID version 4, the most commonly deployed variant, is unaffected. The vulnerability requires local access and non-default buffer configuration to exploit, resulting in integrity compromise rather than code execution or availability impact.
Information Disclosure
-
CVE-2026-41908
LOW
CVSS 2.3
OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retr...
Authentication Bypass
-
CVE-2026-41358
LOW
CVSS 2.3
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context.
Authentication Bypass
-
CVE-2026-41357
LOW
CVSS 2.0
OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH environment forwarding configurations to leak sensitive environment variables ...
Information Disclosure
-
CVE-2026-41356
LOW
CVSS 2.3
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.
Authentication Bypass
-
CVE-2026-41348
LOW
CVSS 2.3
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted gr...
Authentication Bypass
-
CVE-2026-41347
LOW
CVSS 2.3
OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions...
CSRF
-
CVE-2026-41341
LOW
CVSS 2.3
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or t...
Authentication Bypass
-
CVE-2026-41321
LOW
CVSS 2.2
## Summary
The `fetch()` call for remote images in `packages/integrations/cloudflare/src/utils/image-binding-transform.ts` (line 28) uses the default `redirect: 'follow'` behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the `isRemoteAllowed()` domain...
SSRF
Node.js
Open Redirect
-
CVE-2026-6878
LOW
CVSS 2.9
Sandbox bypass in ByteDance verl up to version 0.7.0 allows remote attackers to achieve limited information disclosure through manipulation of the math_equal function in prime_math/grader.py. The vulnerability requires high attack complexity and has been publicly documented with exploit code available, though the vendor has not responded to early disclosure attempts.
Information Disclosure
-
CVE-2026-6874
LOW
CVSS 2.1
Reliance on reverse DNS resolution in ericc-ch copilot-api up to version 0.7.0 allows authenticated remote attackers to manipulate the Host header in the /token endpoint, leading to information disclosure. The vulnerability affects the Header Handler component and has been publicly disclosed with exploit code available; the vendor did not respond to early disclosure notification.
Information Disclosure
-
CVE-2026-4512
LOW
CVSS 3.5
reCaptcha by WebDesignBy WordPress plugin before version 2.0 fails to sanitize the Site Key setting before injecting it into JavaScript context via the grecaptcha_js() function, enabling site administrators without unfiltered_html capability on multisite installations to inject arbitrary JavaScript that executes for all login page visitors. Publicly available exploit code exists; patch released by vendor.
WordPress
XSS
-
CVE-2026-2708
LOW
CVSS 3.7
A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attac...
Information Disclosure
Request Smuggling
-
CVE-2026-1272
LOW
CVSS 2.7
IBM Guardium Data Protection 12.0 through 12.2 contains a security misconfiguration in the user access control panel that allows high-privilege administrators to modify integrity settings without proper authorization constraints. The vulnerability is remotely accessible and requires existing administrative credentials, resulting in limited integrity impact with no confidentiality or availability effect. CVSS score of 2.7 reflects the low risk profile due to required administrative authentication and minimal scope of impact.
Information Disclosure
IBM