Skip to main content
CVE-2026-5347 MEDIUM This Month

Unauthenticated attackers can modify the custom post type slug for the HM Books Gallery plugin in WordPress versions up to 4.8.0 by submitting a crafted POST request to the admin_init hook, bypassing all capability and nonce checks. This vulnerability allows modification of the 'wbg_cpt_slug' option without authentication, changing the URL structure for all book entries, breaking existing links, and degrading SEO rankings. No public exploit code or active exploitation has been identified at the time of analysis.

PHP WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6810 MEDIUM This Month

Insecure Direct Object Reference in Booking Calendar Contact Form plugin for WordPress (all versions up to 1.2.63) allows authenticated attackers with Subscriber-level privileges to hijack other users' calendars and access associated user data by exploiting missing validation on user-controlled keys in the dex_bccf_admin_int_calendar_list.inc.php file. The CVSS score of 5.3 reflects network-accessible exploitation without user interaction, though the vulnerability requires valid WordPress authentication at Subscriber level or higher.

PHP WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-31052 MEDIUM This Month

Denial of service in Hostbill versions 2025-11-24 and 2025-12-01 allows remote unauthenticated attackers to degrade service availability through the Checkout Authentication Flow component via uncontrolled resource consumption (likely improper rate limiting). The vulnerability has a low-to-moderate CVSS score (5.3) reflecting limited impact scope, but exploitation requires no authentication or user interaction and can be triggered over the network.

Denial Of Service
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-31955 MEDIUM PATCH This Month

Server-Side Request Forgery in Xibo CMS prior to version 4.4.1 allows high-privilege authenticated users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external resources, enabling infrastructure reconnaissance, cloud metadata access (e.g., AWS IMDS), and potential data exfiltration. Exploitation requires both 'Add DataSet' privilege and DataSet management capabilities, which are not default non-admin permissions, limiting the attack surface to trusted insiders or compromised administrative accounts.

Microsoft SSRF
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-31050 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Hostbill versions 2025-11-24 and 2025-12-01 allows high-privilege remote attackers to execute arbitrary code in admin and client interface contexts without user interaction. The CVSS score of 4.9 reflects the requirement for authenticated high-privilege access, but the presence of publicly available exploit code and the vulnerability's presence in both admin and client interfaces increase real-world risk beyond the base score. The discrepancy between the CWE-79 classification (XSS) and tags indicating RCE capability suggests stored XSS enabling indirect code execution or privilege escalation within the application.

XSS RCE
NVD GitHub
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-41174 MEDIUM PATCH GHSA This Month

Traefik versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2 fail to enforce cross-namespace isolation for middleware references nested inside Chain middlewares, allowing actors with permission to create CRDs in their own namespace to bypass the allowCrossNamespace=false restriction and apply middleware from arbitrary namespaces. This authorization bypass affects Kubernetes clusters relying on namespace isolation controls and can enable unauthorized reuse of security-sensitive middleware policies across namespace boundaries.

Kubernetes Information Disclosure RCE Red Hat Suse
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-31572 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: i2c: designware: amdisp: Fix resume-probe race condition issue Identified resume-probe race condition in kernel v7.0 with the commit 38fa29b01a6a ("i2c: designware: Combine the init functions"),but this issue existed from the beginning though not detected. The amdisp i2c device requires ISP to be in power-on state for probe to succeed. To meet this requirement, this device is added to genpd to control ISP power using runtime PM. The pm_runtime_get_sync() called before i2c_dw_probe() triggers PM resume, which powers on ISP and also invokes the amdisp i2c runtime resume before the probe completes resulting in this race condition and a NULL dereferencing issue in v7.0 Fix this race condition by using the genpd APIs directly during probe: - Call dev_pm_genpd_resume() to Power ON ISP before probe - Call dev_pm_genpd_suspend() to Power OFF ISP after probe - Set the device to suspended state with pm_runtime_set_suspended() - Enable runtime PM only after the device is fully initialized

Information Disclosure Race Condition Linux Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-31535 MEDIUM PATCH This Month

A race condition in the Linux kernel SMB client's recv_io credit management allows local authenticated users to cause a denial of service through timing-sensitive credit accounting between incoming data reception and completion processing. The vulnerability affects SMBDirect socket credit handling where credits may be granted to peers before corresponding recv buffers are actually posted, creating a window where credit accounting becomes inconsistent. Exploitation requires local access and moderate complexity but is not confirmed as actively exploited (not listed in CISA KEV).

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-41244 MEDIUM PATCH This Month

Mojic prior to version 2.1.4 allows attackers to bypass HMAC-SHA256 file integrity verification through a timing attack against the CipherEngine's comparison function. The vulnerability stems from use of a standard equality operator (!=== in JavaScript) instead of constant-time comparison during decryption, enabling an attacker with local file access to forge or tamper with emoji-encoded files. While CVSS score is moderate (4.7), the attack requires user interaction and local access, limiting real-world exploitability.

Authentication Bypass Mojic
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-59308 MEDIUM This Month

Institution administrators with Site staff role in Mahara can impersonate institution members in other institutions where they lack administrative privileges, bypassing intended access controls on multi-tenanted deployments. Affects Mahara versions before 24.04.10 and 25.x before 25.04.1. This requires high-privilege authentication (Site staff role) and does not involve network exploitation of unauthenticated services, limiting real-world attack surface to insider threats within organizations running affected versions.

Authentication Bypass N A
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-31620 MEDIUM PATCH This Month

Null pointer dereference in the ALSA TASCAM US-144MKII USB audio driver allows local attackers with physical access to a malicious USB device to cause a kernel panic and denial of service. The vulnerability exists because the driver fails to validate that USB interface 0 exists before dereferencing it, and attackers can craft a malicious USB configuration that includes only interface 1, triggering the crash when the device is connected.

Null Pointer Dereference Linux Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-38743 MEDIUM PATCH This Month

Apache Airflow versions prior to 3.2.1 fail to enforce per-DAG access control on the /ui/dags endpoint, allowing authenticated users with read access to at least one DAG to retrieve Human-in-the-Loop prompts and full TaskInstance details for DAGs outside their authorized scope. This information disclosure bypasses the intended per-DAG RBAC boundary, exposing operator parameters and task context data to all authenticated users regardless of their assigned DAG permissions.

Information Disclosure Airflow
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-11762 MEDIUM This Month

HubSpot All-In-One Marketing plugin for WordPress (versions up to 11.3.32) exposes sensitive information via the class-adminconstants.php file, allowing authenticated users with Contributor-level access or higher to retrieve a complete list of installed plugins and their versions. This information disclosure enables reconnaissance for follow-on attacks targeting vulnerable plugins, though exploitation requires valid WordPress authentication and contributor-level privileges.

Information Disclosure PHP WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-31956 MEDIUM PATCH This Month

Xibo CMS before version 4.4.1 allows authenticated users to bypass access controls and view campaigns, regions, and reports belonging to other users by manually constructing preview URLs. The vulnerability affects any authenticated user with Layout Management, Campaign Management, or Report viewing privileges and results in unauthorized information disclosure with no impact on data integrity or availability.

Microsoft Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6393 MEDIUM This Month

BetterDocs plugin for WordPress versions up to 4.3.11 allows authenticated subscribers and higher to trigger arbitrary OpenAI API calls using the site's configured API key due to missing capability checks in the generate_openai_content_callback() function. An attacker with subscriber-level access can supply arbitrary prompts to exhaust the site owner's paid AI API quota without authorization, resulting in unauthorized financial impact and service degradation. No public exploit code or active exploitation has been identified at time of analysis.

WordPress Authentication Bypass Elementor
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-40690 MEDIUM PATCH This Month

Apache Airflow versions prior to 3.2.1 allow authenticated users with read access to at least one directed acyclic graph (DAG) to enumerate and discover the names and existence of all other DAGs and assets in the deployment, regardless of their assigned permissions. This information disclosure vulnerability enables privilege escalation reconnaissance by revealing the complete asset topology to users with limited scope authorization. The vulnerability requires valid user credentials but no elevated privileges, and has no known public exploit code at time of analysis.

Information Disclosure Airflow
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3565 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Taqnix WordPress plugin versions up to 1.0.3 allows unauthenticated attackers to trick logged-in users into deleting their own accounts via a forged request. The vulnerability stems from a commented-out nonce verification check in the taqnix_delete_my_account() function, making account deletion unprotected against CSRF attacks. No public exploit code or active exploitation has been identified, though the attack requires user interaction (clicking a malicious link or visiting a compromised page).

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-41079 MEDIUM PATCH This Month

OpenPrinting CUPS before version 2.4.17 allows network-adjacent attackers to read up to 176 bytes of stack memory via a crafted SNMP response sent to the CUPS SNMP backend, with leaked data visible to authenticated users through IPP Get-Printer-Attributes responses and the web interface. The vulnerability requires adjacency on the network but no authentication, making it a low-severity information disclosure risk in environments where SNMP-enabled printers are accessible from untrusted networks.

Buffer Overflow Information Disclosure Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-40254 MEDIUM PATCH This Month

FreeRDP versions prior to 3.25.0 allow path traversal attacks through an off-by-one error in the drive redirection filter, enabling rogue RDP servers to read, list, or write files one directory above the client's shared folder via RDPDR requests. Exploitation requires the victim to connect with drive redirection enabled and interact with a malicious RDP server, making this a user-interaction-dependent remote attack with moderate CVSS score (4.2) but real-world impact limited by connection and configuration requirements.

Path Traversal Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-42095 MEDIUM PATCH This Month

KDE Arianna's bookserver before version 26.04.1 allows local attackers to read arbitrary files over socket connections by guessing URLs without authentication, exploiting missing input validation on the bookserver endpoint. The vulnerability requires local access and does not affect confidentiality of other system components; no public exploit code or active exploitation has been identified.

Authentication Bypass Suse
NVD GitHub VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-31051 LOW Monitor

Denial of service via improper resource handling in the Client Balance component of Hostbill v.2025-11-24 and v.2025-12-01 allows high-privileged remote attackers to disrupt service availability and trigger limited integrity impacts. The vulnerability stems from insufficient input validation in CWE-400 (Uncontrolled Resource Consumption), requiring administrator-level access but presenting moderate real-world risk due to the low attack complexity and network accessibility of the affected component.

Denial Of Service
NVD GitHub
CVSS 3.1
3.8
EPSS
0.1%
CVE-2026-42040 LOW POC PATCH GHSA Monitor

Axios versions prior to 1.15.1 and 0.31.1 contain a character mapping flaw in the AxiosURLSearchParams.encode() function that reverses safe percent-encoding of null bytes, converting %00 back to raw null bytes. While the standard axios request flow remains unaffected, this vulnerability could enable integrity compromise in edge-case scenarios where encoded parameters are processed by downstream systems expecting percent-encoded values. No public exploit code or active exploitation has been identified.

Node.js Information Disclosure
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-41498 LOW PATCH GHSA Monitor

Kimai's Team API endpoints fail to validate entity-level ownership due to incorrect Symfony IsGranted attribute syntax, allowing users with the edit_team permission to modify any team regardless of membership. The vulnerability arises because API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing the TeamVoter to abstain and fall back to role-only permission checks. In default configurations this is unexploitable since only admins hold edit_team permission, but if administrators grant edit_team to lower-privilege roles (such as ROLE_TEAMLEAD) via the permissions UI, those users can modify team memberships, customer assignments, project assignments, and activity assignments for any team without authorization. No public exploit code or active exploitation has been identified.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-41488 LOW PATCH Monitor

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.

SSRF Langchain Openai
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-4313 LOW PATCH Monitor

Stored XSS in AdaptiveGRC text-type form fields allows authenticated attackers to inject malicious JavaScript that executes in victims' browsers, potentially leading to theft of administrator authentication tokens and privilege escalation. The vulnerability affects multiple versions released before December 2025 due to improper server-side parameter validation. User interaction is required for exploitation, and the attacker must first authenticate to the application.

XSS Adaptivegrc
NVD VulDB
CVSS 4.0
2.4
EPSS
0.1%
CVE-2026-41430 LOW PATCH Monitor

Reflected cross-site scripting (XSS) in Frappe Press login page redirect parameter allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser upon clicking a malicious link, with user interaction required. The vulnerability affects all versions prior to the patch commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6, which restricts redirects to internal URLs only. CVSS score of 1.3 reflects very low confidentiality, integrity, and availability impact due to scope limitations, though XSS vulnerabilities carry inherent session hijacking and credential theft risks.

XSS Press
NVD GitHub
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-31534 PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: smb: client: let send_done handle a completion without IB_SEND_SIGNALED With smbdirect_send_batch processing we likely have requests without IB_SEND_SIGNALED, which will be destroyed in the final request that has IB_SEND_SIGNALED set. If the connection is broken all requests are signaled even without explicit IB_SEND_SIGNALED.

Information Disclosure Linux
NVD VulDB
CVE-2026-3865 Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/11. ions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass (Stig Palmquist <stig@...g.io>) CVE-2026-40199: Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypas… (Stig Palmquist <stig@...g.io>) [kubernetes] CVE-2026-3865: CSI Driver for SMB path traversal via subDir may delete unintended directories on the SMB s… (Vinayak Goyal <vinayakankugoyal@...il.c…) CPython [CVE-2026-1502] HTTP client proxy tunnel headers not validated for CR/LF (Alan Coopersmith <alan.coopersmith@...cle.com>) CPython [CVE-2026-3446] Base64 d

Kubernetes Path Traversal
NVD
CVE-2026-34884 Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/04/13. erates session ids insecurely (Robert Rothenberg <rrwo@...nsec.org>) CVE-2025-54057: Apache SkyWalking: Stored XSS vulnerability (Zhenxu Ke <kezhenxu94@...che.org>) CVE-2026-34476: Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server (Qiuxia Fan <qiuxiafan@...che.org>) CVE-2026-34884: Apache SkyWalking MCP: SSRF via set_skywalking_url Tool and GraphQL Expression Injection in MCP Server (Qiuxia Fan <qiuxiafan@...che.org>) CVE-2025-66236: Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI (Rahul Vats <rahulvats@...che.org>) CVE-2026-33858: Ap

SSRF XSS Apache
NVD
Prev Page 6 of 6

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy