Skip to main content
CVE-2026-41679 CRITICAL POC PATCH GHSA Act Now

Remote unauthenticated attackers achieve full code execution on Paperclip AI orchestration servers (versions prior to 2026.416.0) via authentication bypass through a six-step API call chain. The attack requires no credentials, no user interaction, and succeeds against default 'authenticated' mode deployments exposed to network access. CVSS 10.0 with scope change indicates container/host escape potential. No active exploitation confirmed in CISA KEV at time of analysis, though the vendor advisory (GitHub Security Advisory GHSA-68qg-g8mg-6pr7) confirms the critical authentication bypass mechanism in both @paperclipai/server and paperclip npm packages.

Node.js Authentication Bypass RCE
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-3844 CRITICAL POC Act Now

Arbitrary file upload in Breeze Cache for WordPress allows unauthenticated remote attackers to upload malicious files and achieve remote code execution on vulnerable servers. Exploitation requires the non-default 'Host Files Locally - Gravatars' feature to be enabled. While CVSS rates this 9.8 critical, real-world exposure is limited by the disabled-by-default configuration requirement. No public exploit code or CISA KEV listing identified at time of analysis, though Wordfence threat intelligence has disclosed technical details including vulnerable code paths.

WordPress File Upload RCE
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-6942 CRITICAL POC PATCH Act Now

radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2_cmd_str(). Attackers can inject shell metacharacters through the jsonrpc interface parameters to achieve remote code execution on the host running radare2-mcp without requiring authentication.

Command Injection RCE Radare2
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-23751 CRITICAL POC Act Now

Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.

Denial Of Service Authentication Bypass RCE Kofax Capture
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-26210 CRITICAL POC PATCH Act Now

KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can send a crafted pickle payload to the exposed ZMQ socket to execute arbitrary code on the server with the privileges of the ktransformers process.

Deserialization RCE Ktransformers
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-6074 CRITICAL CISA Emergency

A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface without authentication. Successful exploitation of this vulnerability could allow a user to read, modify, or delete files.

Path Traversal 911 Emergency Gateway
NVD VulDB GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-35503 CRITICAL CISA Emergency

Client-side authentication bypass in SenseLive X3050's web management interface allows remote unauthenticated attackers to gain full administrative access by extracting hardcoded credentials from browser-executed JavaScript. The vulnerability enables complete compromise of device management with zero technical barriers (CVSS 9.3, AV:N/AC:L/PR:N). CISA ICS-CERT has published an advisory, indicating this affects operational technology environments where administrative access to industrial sensors could enable process manipulation or monitoring disruption.

Authentication Bypass X3050
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-39462 CRITICAL CISA Emergency

Authentication bypass in SenseLive X3050 web management interface allows remote unauthenticated attackers to gain administrative access using default or previously-set credentials. After factory restore via SenseLive Config 2.0 tool, password updates fail to propagate correctly - the interface falsely reports success while the backend continues accepting old credentials. CISA ICS-CERT has issued an advisory (ICSA-26-111-12), indicating this affects industrial control system deployments. With CVSS 9.3 (AV:N/AC:L/PR:N) and CWE-522 (Insufficiently Protected Credentials), this represents critical risk for remotely accessible devices where administrators believe credentials have been changed but remain exploitable.

Information Disclosure X3050
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-27843 CRITICAL CISA Emergency

Remote unauthenticated attackers can permanently disable SenseLive X3050 industrial gateways and connected RS-485 downstream systems by modifying critical configuration parameters through the web management interface. The device's lack of physical reset button forces specialized console-based factory reset procedures, making this a high-impact operational disruption vector for industrial environments. CISA ICS-CERT has issued an advisory (ICSA-26-111-12), indicating industrial sector awareness of this authentication bypass flaw.

Authentication Bypass X3050
NVD GitHub
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-6940 MEDIUM POC PATCH This Month

radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.

Path Traversal Radare2
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-6941 MEDIUM POC PATCH This Month

radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.

Path Traversal Radare2
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-6376 HIGH CISA Act Now

A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.

Information Disclosure Authentication Bypass Online Booking System
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-6375 HIGH CISA Act Now

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.

Authentication Bypass Online Booking System
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-33819 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.

Microsoft Deserialization
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-35431 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network.

Microsoft SSRF
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-41228 CRITICAL PATCH GHSA Act Now

Authenticated customers can achieve remote code execution in Froxlor server administration software versions prior to 2.3.6 through path traversal in the API's language parameter. By injecting malicious path traversal sequences into the `def_language` field via the `Customers.update` or `Admins.update` API endpoints, authenticated users can force the application to execute arbitrary PHP code as the web server user on subsequent requests. This vulnerability carries a CVSS score of 9.9 with scope change, indicating potential for full system compromise beyond the vulnerable component. Vendor-released patch version 2.3.6 addresses the vulnerability by implementing proper validation of language parameters against available language files.

PHP Path Traversal LFI RCE
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-40472 CRITICAL Act Now

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks.

XSS
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-40470 CRITICAL Act Now

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses to the package pages or documentation uploaded by a malicious package maintainer, their session can be hijacked to upload packages or documentation, amend maintainers or other package metadata, or perform any other action the user is authorised to do.

XSS
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-39440 CRITICAL Act Now

Remote code execution in FunnelFormsPro WordPress plugin (versions up to 3.8.1) allows authenticated attackers to inject and execute arbitrary code on vulnerable servers. The CVSS 9.9 Critical rating reflects the scope change (S:C) and complete system compromise (C:H/I:H/A:H). Exploitation requires low-privilege authentication (PR:L) but no user interaction, making it exploitable by subscriber-level WordPress accounts. EPSS and KEV status not provided in available data, limiting real-world exploitation confidence assessment.

Code Injection RCE Funnelformspro
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2025-62373 CRITICAL PATCH GHSA Act Now

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in `LivekitFrameSerializer` - an optional, non-default, undocumented frame serializer class (now deprecated) intended for LiveKit integration. The class's `deserialize()` method uses Python's `pickle.loads()` on data received from WebSocket clients without any validation or sanitization. This means that a malicious WebSocket client can send a crafted pickle payload to execute arbitrary code on the Pipecat server. The vulnerable code resides in `src/pipecat/serializers/livekit.py` (around line 73), where untrusted WebSocket message data is passed directly into `pickle.loads()` for deserialization. If a Pipecat server is configured to use LivekitFrameSerializer and is listening on an external interface (e.g. 0.0.0.0), an attacker on the network (or the internet, if the service is exposed) could achieve remote code execution (RCE) on the server by sending a malicious pickle payload. Version 0.0.94 contains a fix. Users of Pipecat should avoid or replace unsafe deserialization and improve network security configuration. The best mitigation is to stop using the vulnerable LivekitFrameSerializer altogether. Those who require LiveKit functionality should upgrade to the latest Pipecat version and switch to the recommended `LiveKitTransport` or another secure method provided by the framework. Additionally, always follow secure coding practices: never trust client-supplied data, and avoid Python pickle (or similar unsafe deserialization) in network-facing components.

Python Deserialization RCE
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-3960 CRITICAL PATCH Act Now

Remote code execution in H2O-3 versions 3.46.0.9 and earlier allows unauthenticated attackers to execute arbitrary code via the /99/ImportSQLTable REST API by abusing PostgreSQL JDBC driver parameters that bypass an incomplete MySQL-only parameter blacklist. No active exploitation is recorded in CISA KEV and EPSS is low (0.19%), but a vendor patch is available and SSVC marks exploitation status as POC, indicating proof-of-concept-grade attacker capability against a network-reachable endpoint.

PostgreSQL Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-41268 CRITICAL PATCH GHSA Act Now

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance. This vulnerability is fixed in 3.1.0.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-31177 CRITICAL Act Now

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMinAlive parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-31181 CRITICAL Act Now

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-31178 CRITICAL Act Now

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-31175 CRITICAL Act Now

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunEnable parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-31533 CRITICAL PATCH Act Now

In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 ("net: tls: handle backlogging of crypto requests"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.

Linux Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-29198 CRITICAL Act Now

In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.

SQLi Rocket Chat
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-50229 CRITICAL Act Now

Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.

SQLi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-6920 CRITICAL PATCH Act Now

Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Buffer Overflow Information Disclosure Chrome
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-24303 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.

Microsoft Authentication Bypass
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-6919 CRITICAL PATCH Act Now

Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google Denial Of Service Use After Free Chrome
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-40471 CRITICAL Act Now

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).

CSRF
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-41137 CRITICAL PATCH GHSA Act Now

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.

Command Injection Code Injection RCE Flowise Flowise Components
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.6%
CVE-2026-4106 MEDIUM POC PATCH This Month

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days

Information Disclosure WordPress Elementor
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.8%
CVE-2026-6885 CRITICAL Act Now

Remote code execution in Borg SPM 2007 allows unauthenticated attackers to upload and execute web shell backdoors via unrestricted file upload vulnerability. This discontinued product (sales ended 2008) remains exploitable over the network with no authentication required, enabling full server compromise. CVSS 9.3 (Critical) with network vector, low complexity, and no privileges required. EPSS and KEV data not available for this CVE, but the trivial attack requirements (AV:N/AC:L/PR:N/UI:N) indicate high exploitability if exposed systems exist.

File Upload RCE Borg Spm 2007
NVD VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-41460 CRITICAL Act Now

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.

SQLi Authentication Bypass RCE Socialengine
NVD VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-6886 CRITICAL Act Now

Authentication bypass in Borg SPM 2007 allows remote unauthenticated attackers to impersonate any user and gain complete system access without credentials. This discontinued product (sales ended 2008) presents maximum network exposure (CVSS:4.0 9.3, AV:N/AC:L/PR:N) with trivial exploitation conditions. While no CISA KEV listing exists, the simplicity of exploitation combined with complete system compromise (VC:H/VI:H/VA:H) makes this critical for organizations still running this legacy software, though real-world deployment is likely minimal given the 18-year product discontinuation.

Authentication Bypass Borg Spm 2007
NVD VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-6887 CRITICAL Act Now

SQL injection in Borg SPM 2007 allows unauthenticated remote attackers to execute arbitrary SQL commands via network requests, enabling complete database compromise including read, modify, and delete operations. This legacy product (sales ended 2008) receives a critical CVSS 9.3 score with network vector, low complexity, and no authentication required. Taiwan CERT issued advisories identifying this as a SQL injection vulnerability affecting an end-of-life business management system, though no active exploitation evidence (KEV) or public exploit code has been identified at time of analysis.

SQLi Borg Spm 2007
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-41274 CRITICAL PATCH GHSA Act Now

Cypher injection in Flowise GraphCypherQAChain node allows remote unauthenticated attackers to execute arbitrary database commands against connected Neo4j instances. Attackers can exfiltrate, modify, or delete data in the graph database by injecting malicious Cypher queries through user-controlled input fields that bypass sanitization (CWE-943: Improper Neutralization of Special Elements in Data Query Logic). The vulnerability affects both Flowise core and flowise-components packages prior to version 3.1.0. CVSS 9.3 critical severity reflects network-accessible attack vector requiring no authentication or user interaction. EPSS data unavailable; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though GitHub security advisory confirms vendor awareness and patch availability.

Code Injection Nosql Injection Flowise Flowise Components
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-25874 CRITICAL Act Now

LeRobot contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.

Deserialization RCE Lerobot
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-33102 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.

Open Redirect
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-32210 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.

Microsoft SSRF
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-70994 HIGH CISA Act Now

Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-41265 CRITICAL PATCH GHSA Act Now

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. This vulnerability is fixed in 3.1.0.

Python Command Injection
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-40623 HIGH CISA Act Now

Unauthorized configuration tampering in SenseLive X3050 web management interface allows authenticated attackers to set critical system parameters (IP addressing, watchdog timers, reconnect intervals, service ports) to unsafe values, causing persistent device unavailability or operational instability. CISA ICS-CERT advisory confirms impact on industrial control systems. Network-accessible with low complexity (AV:N/AC:L) but requires low-privilege authentication (PR:L). High integrity and availability impact (VI:H/VA:H) with zero confidentiality impact. No public exploit identified at time of analysis.

Authentication Bypass X3050
NVD GitHub
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-41229 CRITICAL PATCH GHSA Act Now

Remote code execution in Froxlor server administration software versions prior to 2.3.6 allows authenticated administrators with change_serversettings permission to inject arbitrary PHP code through an unescaped MySQL server configuration parameter. The vulnerability enables persistent code execution on every subsequent HTTP request as the web server user due to improper input sanitization in PhpHelper::parseArrayToString(). Vendor patch available in version 2.3.6. CVSS score of 9.1 reflects the critical impact despite requiring high-privilege authentication, with scope change indicating the attacker can break out of the application's security context.

PHP Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-41196 CRITICAL PATCH Act Now

Remote code execution in Luanti 5.0.0 through 5.15.1 allows authenticated attackers to escape the Lua sandbox via malicious mods, achieving arbitrary code execution and full filesystem access on victim devices when LuaJIT is enabled. The vulnerability affects server-side mods, async/mapgen environments, and client-side mods (CSM), requiring only low privileges to exploit. A vendor patch is available in version 5.15.2, addressing a CWE-94 code injection flaw that enables complete compromise of the host system. No active exploitation or proof-of-concept has been publicly identified at time of analysis.

Code Injection RCE Luanti
NVD GitHub VulDB
CVSS 4.0
9.0
EPSS
0.1%
CVE-2026-41247 HIGH PATCH GHSA This Week

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.

Command Injection Elfinder
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.4%
CVE-2026-40431 MEDIUM CISA This Month

SenseLive X3050 web management interface transmits all administrative communication including authentication credentials and configuration data over unencrypted HTTP, allowing network-adjacent attackers to intercept sensitive operational information without authentication or user interaction. The vulnerability affects all versions of the X3050 and is classified as information disclosure with confirmed CISA ICS advisory coverage.

Information Disclosure X3050
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy