Skip to main content
CVE-2026-5935 HIGH This Week

Remote code execution in IBM Total Storage Service Console (TSSC) and TS4500 IMC versions 9.2 through 9.6 allows unauthenticated attackers to execute arbitrary commands with normal user privileges via improper input validation. The vulnerability carries a CVSS score of 7.3 with network attack vector and low complexity (AV:N/AC:L/PR:N/UI:N), enabling remote exploitation without authentication. No public exploit identified at time of analysis, and EPSS risk data is not available for this 2026 CVE.

IBM Command Injection
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-5464 HIGH This Week

Authenticated Editor-level attackers can achieve Remote Code Execution in ExactMetrics WordPress plugin (all versions ≤9.1.2) by chaining exposed onboarding credentials to install and activate arbitrary plugin ZIP files from attacker-controlled URLs. The attack exploits a missing authorization check in the 'exactmetrics_connect_process' AJAX endpoint that accepts the one-time hash token obtained via the exposed 'onboarding_key' transient-effectively bypassing plugin installation controls. EPSS and KEV status unknown; CVSS 7.2 reflects high-privilege requirement (PR:H) but direct path to RCE makes this a critical risk for multi-author WordPress sites where Editors have dashboard viewing permissions. Wordfence advisory and source code references confirm the vulnerability chain across three distinct code locations in versions through 9.1.1.

RCE Google Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-41269 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.

Node.js File Upload RCE
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-3259 HIGH PATCH This Week

Information disclosure in Google BigQuery materialized view refresh allows authenticated users to extract sensitive data via crafted views that generate error messages containing confidential information. Google Cloud Platform patched this server-side vulnerability on 29 January 2026 with automatic remediation requiring no customer action. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with network-accessible attack vector and low attack complexity, though no public exploit or CISA KEV listing exists at time of analysis.

Google Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41272 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default configuration which fails to enforce any deny list. This vulnerability is fixed in 3.1.0.

SSRF Flowise Flowise Components
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41270 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services) This vulnerability is fixed in 3.1.0.

Node.js Authentication Bypass SSRF
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41334 HIGH PATCH This Week

OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized images to cause denial of service through excessive memory consumption.

Denial Of Service Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41359 HIGH PATCH GHSA This Week

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.

Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-34488 HIGH This Week

DLL hijacking in i-PRO Co., Ltd.'s IP Setting Software enables local attackers with low privileges to execute arbitrary code with administrative privileges when victims open the application. The vulnerability stems from insecure DLL search path handling (CWE-427), allowing attackers to plant malicious DLLs that load during software execution. While exploitation requires local access and user interaction (CVSS:3.0/AV:L/AC:L/PR:L/UI:R), successful attacks achieve complete system compromise with elevated privileges. No active exploitation confirmed at time of analysis, with EPSS and KEV data unavailable for this recently published CVE.

RCE Ip Setting Software
NVD VulDB
CVSS 4.0
7.0
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy