170 CVEs tracked today. 7 Critical, 57 High, 92 Medium, 14 Low.
-
CVE-2026-42560
CRITICAL
CVSS 9.1
Identity collision in the go-pkgz/auth Patreon OAuth provider allows any Patreon-authenticated user to impersonate every other Patreon user in the same application. The provider hashes an uninitialized variable instead of the actual Patreon account ID, so every user receives the constant ID patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709 (the SHA-1 of the empty string, prefixed with the provider name). Applications that use token.User.ID as the stable account key are exposed to cross-account access, privilege escalation, and data leakage. Vendor-released patch available in versions 1.25.2 and 2.1.2. No evidence of active exploitation or public PoC beyond the vendor's disclosure, but exploitation is trivial: an attacker needs nothing more than a Patreon account of their own and network access to the affected application; no privileges on the application itself are required.
Authentication Bypass
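The mechanism above, as an added illustration (this is not go-pkgz/auth code): a provider mapping that hashes a never-populated value gives every account the same ID, and the constant the advisory quotes is exactly SHA-1 of the empty string. The profile dictionaries, the `derive_user_id_*` functions and `find_colliding_ids` are constructed for this example; the last one is the check an operator can run over an existing user table to find accounts already sharing an ID.

```python
"""Added example (not go-pkgz/auth code): why an ID derived from an
uninitialized/empty field collapses every account onto one identity, and a
check that flags the resulting sentinel in an existing user table."""
import hashlib

# SHA-1 of the empty string; the advisory's constant ID is "patreon_" + this.
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()
SENTINEL_ID = "patreon_" + EMPTY_SHA1


def derive_user_id_vulnerable(provider: str, profile: dict) -> str:
    # Hypothetical buggy mapping: hashes a value that is never filled from the
    # profile, the Python analogue of hashing an uninitialized Go variable.
    account_id = ""  # BUG: should be taken from profile["id"]
    return f"{provider}_{hashlib.sha1(account_id.encode()).hexdigest()}"


def derive_user_id_fixed(provider: str, profile: dict) -> str:
    # Hardened mapping: hash the real account ID and fail closed on a missing or
    # empty one instead of silently issuing an identity shared by everyone.
    account_id = str(profile.get("id", "")).strip()
    if not account_id:
        raise ValueError(f"{provider}: profile has no account id; refusing to issue a shared identity")
    return f"{provider}_{hashlib.sha1(account_id.encode()).hexdigest()}"


def find_colliding_ids(user_ids) -> dict:
    """Return {user_id: count} for IDs shared by more than one account, and
    the known Patreon sentinel even if it appears only once."""
    counts = {}
    for uid in user_ids:
        counts[uid] = counts.get(uid, 0) + 1
    return {uid: n for uid, n in counts.items() if n > 1 or uid == SENTINEL_ID}


# Constructed sample profiles (not real Patreon data).
ALICE = {"id": "1001", "email": "alice@example.invalid"}
BOB = {"id": "2002", "email": "bob@example.invalid"}

if __name__ == "__main__":
    # Two distinct users, one identity under the buggy mapping.
    print(derive_user_id_vulnerable("patreon", ALICE) == derive_user_id_vulnerable("patreon", BOB))
    print(derive_user_id_fixed("patreon", ALICE) != derive_user_id_fixed("patreon", BOB))
    print(find_colliding_ids([derive_user_id_vulnerable("patreon", ALICE), "patreon_5f2b"]))
```

Running `find_colliding_ids` over the `user_id` column of an affected deployment tells you how many accounts were already merged; the fixed provider alone does not un-merge them, so those rows need manual reconciliation before the key is trusted again.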
-
CVE-2026-42354
CRITICAL
CVSS 9.1
Account takeover via SAML SSO authentication bypass in Sentry allows attackers to hijack arbitrary user accounts when controlling a malicious SAML Identity Provider within multi-organization instances. Attackers with permissions to configure SSO settings in one organization can link a victim's email address to their malicious IdP, then authenticate as that victim across the instance. The vulnerability was responsibly disclosed via bug bounty, patched in version 26.4.1 (deployed to SaaS in April 2026), and requires knowledge of the victim's email address plus multi-organization deployment (SENTRY_SINGLE_ORGANIZATION = False). No public exploit identified at time of analysis, though technical details and patch code are public via GitHub advisory GHSA-rcmw-7mc7-3rj7.
Authentication Bypass
-
CVE-2026-40281
CRITICAL
CVSS 10.0
Argument injection in Gotenberg v8.30.1 and earlier allows unauthenticated remote attackers to manipulate filesystem operations by embedding newline characters in PDF metadata values submitted to the /forms/pdfengines/metadata/write endpoint. The flaw bypasses the incomplete fix shipped in v8.30.1, which sanitized metadata keys but left values unvalidated, so a line break inside a value starts a new ExifTool argument and lets the attacker inject filesystem pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. Attackers can move files to arbitrary paths (including overwriting /etc/passwd), create symlinks for read/write primitives, and persist data via hard links, all without authentication against default configurations. Vendor-released patch: version 8.31.0. The CVSS 10.0 score reflects the network attack vector (AV:N), no authentication requirement (PR:N), low complexity (AC:L), and scope change (S:C), the last covering container escape scenarios. No public exploit identified at time of analysis, though complete PoC reproduction steps are documented in GitHub advisory GHSA-q7r4-hc83-hf2q.
RCE
Docker
Google
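How a line break in a value turns into a second ExifTool option, as an added example (this is not Gotenberg's code). It assumes, for illustration, that metadata is rendered one `-Tag=Value` per line into an argument file consumed with ExifTool's `-@` option; ExifTool does read one argument per line from such a file, but whether Gotenberg passes arguments this way is not stated here. The `check_values` switch reproduces the incomplete fix (keys validated, values not); the validator with values checked is the hardened form. The request body and target path are constructed.

```python
"""Added example (not Gotenberg's code): a newline inside a metadata *value*
becomes a separate ExifTool argument, and a validator closes the gap the
partial fix left open (keys checked, values not)."""
import re

# ExifTool pseudo-tags that act on the filesystem rather than on the PDF.
FILESYSTEM_PSEUDO_TAGS = {"filename", "directory", "symlink", "hardlink", "testname"}
# Tag names we accept: letters, digits, a few separators, optional group prefix.
TAG_NAME_RE = re.compile(r"^[A-Za-z0-9_:-]+$")


def validate_key(key: str) -> None:
    if not TAG_NAME_RE.match(key) or key.lower() in FILESYSTEM_PSEUDO_TAGS:
        raise ValueError(f"rejected metadata key: {key!r}")


def validate_value(key: str, value: str) -> None:
    # A CR or LF in a value terminates the current argument line and starts a
    # new one, so whatever follows is parsed as a fresh option.
    if "\n" in value or "\r" in value:
        raise ValueError(f"rejected metadata value for {key!r}: contains line break")


def build_argfile(metadata: dict, check_values: bool) -> str:
    """Render metadata as an exiftool -@ argfile (one '-Tag=Value' per line).
    check_values=False mimics the incomplete fix: keys validated, values not."""
    lines = []
    for key, value in metadata.items():
        validate_key(key)
        if check_values:
            validate_value(key, value)
        lines.append(f"-{key}={value}")
    return "\n".join(lines) + "\n"


def parse_argfile(text: str) -> list:
    """Approximation of how exiftool reads -@: each non-empty line is one argument."""
    return [line for line in text.split("\n") if line]


def injected_pseudo_tags(args: list) -> list:
    """Return the filesystem pseudo-tags present in a parsed argument list."""
    found = []
    for arg in args:
        m = re.match(r"^-([A-Za-z0-9_:-]+)=", arg)
        if m and m.group(1).lower() in FILESYSTEM_PSEUDO_TAGS:
            found.append(m.group(1))
    return found


# Constructed malicious request body: an innocuous key whose value smuggles a
# second line. The destination path is illustrative only.
MALICIOUS = {"Author": "Alice\n-FileName=/tmp/moved.pdf"}

if __name__ == "__main__":
    leaky = parse_argfile(build_argfile(MALICIOUS, check_values=False))
    print(leaky, injected_pseudo_tags(leaky))   # second argument is a -FileName pseudo-tag
    try:
        build_argfile(MALICIOUS, check_values=True)
    except ValueError as exc:
        print("hardened:", exc)
```

Validating only the key is the classic half-fix: the key is the part the attacker is least interested in, since the value is where arbitrary bytes normally live. Whatever the transport (argfile, argv, stdin), the rule is the same: any separator the downstream parser honours must be rejected or escaped in every field, not just the one that was exploited first.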
-
CVE-2026-36767
CRITICAL
CVSS 10.0
Unauthenticated remote file write in Shopizer v3.2.5 allows attackers to upload arbitrary files to any writable system path via path traversal in the /content/images/add endpoint. With CVSS 10.0 and network-based exploitation requiring no authentication or user interaction, this enables immediate remote code execution by uploading malicious executables or web shells. No public exploit confirmed at time of analysis, though the attack vector is straightforward for a path traversal vulnerability. EPSS data not available, but the technical characteristics (AV:N/PR:N/AC:L) indicate high exploitability once details become widely known.
Path Traversal
-
CVE-2026-36760
CRITICAL
CVSS 9.6
Path traversal in JeeSite 5.15.1 allows authenticated users with file upload permissions to write arbitrary files to any filesystem location during chunked uploads by manipulating the fileMd5 parameter in /a/file/upload. Attackers can bypass directory restrictions to plant webshells, modify configuration files, or overwrite executables with whitelisted extensions, achieving remote code execution and full system compromise. Scope change in CVSS vector indicates container escape or cross-tenant impact in multi-tenant deployments. No active exploitation confirmed (not in CISA KEV) but vulnerability disclosed via GitHub issue #530.
Path Traversal
File Upload
-
CVE-2026-4670
CRITICAL
CVSS 9.8
Authentication bypass in Progress MOVEit Automation allows remote unauthenticated attackers to completely circumvent authentication controls and gain unauthorized access with high impact to confidentiality, integrity, and availability. Affects 2025.x releases before 2025.0.9, 2024.x releases before 2024.1.8, and every release prior to 2024.0.0. Progress Software has released patches for all supported versions. CVSS 9.8 critical severity with network-accessible, low-complexity exploitation requiring no privileges or user interaction. No public exploit or active exploitation confirmed at time of analysis, though the authentication bypass nature and MOVEit's history as a high-value target make this a priority remediation candidate.
Authentication Bypass
-
CVE-2025-71284
CRITICAL
CVSS 9.3
Remote code execution in Synway SMG Gateway Management Software allows unauthenticated attackers to execute arbitrary OS commands via command injection in the RADIUS configuration endpoint. The vulnerability exploits unsanitized POST parameters (radius_address, radius_address2, shared_secret2, source_ip, timeout, retry) that are directly interpolated into sed commands at /en/9-2radius.php. Shadowserver Foundation confirmed active exploitation beginning July 11, 2025, with publicly available exploit code and Nuclei templates enabling widespread automated attacks. CVSS 9.3 critical severity reflects the combination of network accessibility, zero authentication requirements, and complete system compromise potential.
PHP
RCE
Command Injection
-
CVE-2026-42800
HIGH
CVSS 7.4
NULL pointer dereference in ASR Lapwing Linux's IMS client (sipuri.c) allows authenticated remote attackers to crash the ims_client service. The flaw sits in the SIP URI parsing logic of the ASR1903 hardware platform's ims_client module. The CVSS 7.4 vector carries a scope change, indicating the crash can affect components beyond the vulnerable module. No CISA KEV listing or public exploit code identified at time of analysis, and EPSS data is unavailable.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-42799
HIGH
CVSS 7.4
Out-of-bounds read in ASR Kestrel's nr_fw power control module allows authenticated remote attackers to read past a buffer boundary, potentially disclosing sensitive memory contents or crashing the module, with low-to-moderate impact across security boundaries. Exploitable over the network with low complexity by attackers holding low-privilege credentials. EPSS data unavailable; not currently listed in CISA KEV. Vendor advisory confirms patch released February 10, 2026.
Buffer Overflow
Information Disclosure
-
CVE-2026-42512
HIGH
CVSS 8.1
Heap buffer overflow in FreeBSD dhclient enables potential remote code execution when processing maliciously crafted DHCP packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches prior to security patches. EPSS exploitation probability is low (0.03%, 8th percentile) and no active exploitation confirmed, but SSVC classifies this as automatable with partial technical impact. The vulnerability requires network position to send crafted DHCP responses (CVSS AV:N/AC:H), making exploitation complexity high but not requiring authentication.
RCE
Buffer Overflow
Heap Overflow
-
CVE-2026-42511
HIGH
CVSS 8.1
Remote code execution as root in FreeBSD dhclient allows malicious DHCP servers to inject arbitrary commands via unsanitized BOOTP file field in DHCP responses. When dhclient writes lease data without escaping embedded double-quotes and later re-parses it (e.g., after system restart), injected dhclient.conf directives execute through dhclient-script. EPSS score is notably low (0.02%, 5th percentile) with SSVC indicating no observed exploitation and partial technical impact, suggesting limited real-world targeting despite the high-severity nature of root code execution. No public exploit code identified at time of analysis.
RCE
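The write-then-reparse pattern behind this CVE, as an added example (this is not FreeBSD dhclient code): a server-supplied field is serialised into a quoted string in a lease file, an embedded double quote ends the string early, and the remainder is parsed as new statements when the file is read back. The `lease { keyword "value"; }` grammar here is a deliberately small stand-in, not the real dhclient.leases/dhclient.conf syntax; the `script` keyword is used because dhclient.conf does have a `script` statement, but the hostile filename value is constructed.

```python
"""Added example (not FreeBSD dhclient code): second-order injection through a
write-then-reparse cycle. The grammar is a minimal stand-in for the lease/conf
syntax, not the real one."""
import re

# Tokens: a double-quoted string with backslash escapes, a bare keyword,
# punctuation, or whitespace.
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|([A-Za-z_-]+)|([;{}])|(\s+)')


def write_lease_vulnerable(fields: dict) -> str:
    # Interpolates each value verbatim between quotes, the bug class described:
    # a value containing '"' terminates the string and the rest becomes syntax.
    body = "".join(f'  {k} "{v}";\n' for k, v in fields.items())
    return "lease {\n" + body + "}\n"


def quote(value: str) -> str:
    # Escape backslash and double quote so the value always stays one string token.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def write_lease_fixed(fields: dict) -> str:
    body = "".join(f"  {k} {quote(v)};\n" for k, v in fields.items())
    return "lease {\n" + body + "}\n"


def tokenize(text: str) -> list:
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at {pos}: {text[pos]!r}")
        pos = m.end()
        if m.group(1) is not None:
            # Undo the escaping applied by quote(); a raw '"' can never occur here.
            tokens.append(("STRING", re.sub(r"\\(.)", r"\1", m.group(1))))
        elif m.group(2):
            tokens.append(("WORD", m.group(2)))
        elif m.group(3):
            tokens.append(("PUNCT", m.group(3)))
        # whitespace is dropped
    return tokens


def parse_statements(text: str) -> list:
    """Return (keyword, value) pairs for every `keyword "string";` statement,
    i.e. what a re-read of the lease file would act on."""
    toks = tokenize(text)
    out = []
    for i in range(len(toks) - 2):
        if toks[i][0] == "WORD" and toks[i + 1][0] == "STRING" and toks[i + 2] == ("PUNCT", ";"):
            out.append((toks[i][1], toks[i + 1][1]))
    return out


# Constructed hostile BOOTP 'file' field: closes the string, adds a statement.
HOSTILE_FILENAME = 'boot.img"; script "/tmp/evil.sh'

if __name__ == "__main__":
    print(parse_statements(write_lease_vulnerable({"filename": HOSTILE_FILENAME})))
    print(parse_statements(write_lease_fixed({"filename": HOSTILE_FILENAME})))
```

The fix is in the serializer, not the parser: anything that round-trips untrusted data through its own config format must escape that data for the grammar it will be re-read with, and a reader that only ever sees files it wrote itself is still parsing attacker input.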
-
CVE-2026-42461
HIGH
CVSS 8.7
Arcane's Huma backend exposes four GET endpoints (`/api/templates*`) without authentication, allowing remote unauthenticated attackers to read all stored Docker Compose templates including plaintext environment files containing database passwords, API keys, and OAuth secrets. The vulnerability affects Arcane backend versions prior to 1.18.0. Because Arcane's "Save as Template" workflow persists production secrets verbatim into these templates, this is not theoretical information disclosure but direct credential theft. The frontend correctly treats these paths as authenticated, revealing a backend authorization gap (CWE-862). Vendor-released patch available in version 1.18.0. No active exploitation or public exploit code identified at time of analysis, though the attack is trivial (CVSS:4.0 AV:N/AC:L/PR:N).
Authentication Bypass
-
CVE-2026-42449
HIGH
CVSS 8.5
Server-Side Request Forgery (SSRF) in n8n-mcp SDK allows authenticated remote attackers to access cloud metadata endpoints and internal network resources via IPv4-mapped IPv6 address bypass. Versions 2.47.4 through 2.47.13 fail to validate IPv6 addresses in the synchronous URL validator (SSRFProtection.validateUrlSync()), enabling attackers who control the n8nApiUrl parameter to bypass RFC1918, localhost, and cloud metadata protections using addresses like [::ffff:169.254.169.254]. The vulnerability is non-blind SSRF returning response bodies to the attacker, and forwards the n8nApiKey in the x-n8n-api-key header to attacker-controlled targets. Confirmed actively exploited (CISA KEV). Vendor-released patch: version 2.47.14. EPSS exploitation probability not provided but risk is elevated given KEV status and availability of exploit code in the GitHub advisory.
Docker
SSRF
Node.js
Microsoft
Oracle
-
CVE-2026-42349
HIGH
CVSS 7.6
Authorization bypass in Clerk JavaScript SDKs allows authenticated users to proceed past combined authorization checks they should fail. When developers use has() or auth.protect() with multiple authorization dimensions (e.g., role + reverification, permission + billing feature, or billing plan + permission), the predicate incorrectly returns true for users who satisfy only a subset of the required conditions. Sessions and authentication remain secure, but gated actions may execute for under-privileged users. Patches released across all affected SDK packages (Core 2 and Core 3) with no API changes. No public exploit code identified at time of analysis, but the vulnerability is straightforward to trigger in production code patterns explicitly outlined in the vendor advisory.
Information Disclosure
Node.js
-
CVE-2026-42137
HIGH
CVSS 7.1
Authenticated users with restricted permissions in Kirby CMS can access pages and files they should not be able to view, bypassing configured access controls in the Panel and REST API. This affects Kirby installations where administrators have explicitly disabled `pages.access`, `pages.list`, `files.access`, or `files.list` permissions for specific user roles through blueprints. The vulnerability allows information disclosure of content models that should be hidden, though write operations remain protected. Patched versions 4.9.0 and 5.4.0 are available from the vendor. No public exploit identified at time of analysis, with EPSS data unavailable for this recent disclosure.
Authentication Bypass
-
CVE-2026-41882
HIGH
CVSS 7.4
Local file disclosure in IntelliJ IDEA's built-in web server allows remote attackers to read arbitrary local files via crafted network requests that require user interaction. JetBrains IDEA versions before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, and 2026.1.1 are affected. The CVSS vector carries a scope change (S:C) and high confidentiality impact, with no integrity or availability impact. No active exploitation (not in CISA KEV) or public POC identified at time of analysis.
Information Disclosure
-
CVE-2026-40950
HIGH
CVSS 7.1
Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modified client software to crash the server through specially crafted messages. This denial-of-service vulnerability requires low-privilege authentication and presents moderate real-world risk given the client modification prerequisite. EPSS data not available; no confirmed active exploitation or public proof-of-concept identified at time of analysis.
Buffer Overflow
Stack Overflow
-
CVE-2026-40904
HIGH
CVSS 8.1
Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, data requests, and database connections belonging to other projects within the same team. Attackers with credentials to any single project can read, modify, create, and delete data assets across all sibling projects by exploiting missing project-level authorization checks on multiple API endpoints. This enables cross-project data exfiltration and unauthorized execution of victim database queries remotely with low complexity (EPSS not provided, no CISA KEV listing, vendor-patched in v5.0.0).
Authentication Bypass
-
CVE-2026-40601
HIGH
CVSS 7.5
Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoint. The POST /api/chart/:chart_id/query endpoint lacks authentication checks and fails to validate whether charts belong to public reports or if sharing policies permit access. Attackers possessing a chart identifier can retrieve sensitive data from private dashboards without credentials. EPSS data not available. Not listed in CISA KEV. Vendor-confirmed vulnerability with patch released in version 5.0.0.
Authentication Bypass
-
CVE-2026-40600
HIGH
CVSS 8.1
Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own due to insufficient authorization checks. An attacker with legitimate access to one project can manipulate SharePolicy records (visibility settings, passwords, allowed parameters, expiration dates) for dashboards in any other project within the same Chartbrew instance. While CVSS rates this 8.1 HIGH, real-world risk depends heavily on multi-tenancy deployment: single-organization instances face lower insider threat exposure than multi-tenant SaaS scenarios. EPSS data not available. No public exploit identified at time of analysis, though exploitation requires only basic authenticated API access.
Authentication Bypass
-
CVE-2026-40595
HIGH
CVSS 7.5
Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart export routes. Attackers who know a chart identifier in any public project can read or export charts that were intentionally excluded from public reports, bypassing SharePolicy access controls. The vulnerability requires only network access and a valid chart ID, with no authentication or user interaction needed. Patched in version 5.0.0 per vendor advisory GHSA-mq7q-6xh6-5649. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L).
Authentication Bypass
-
CVE-2026-40280
HIGH
CVSS 7.8
Gotenberg versions up to 8.30.1 allow Server-Side Request Forgery (SSRF) against internal networks and cloud metadata endpoints via case-variation bypass of the webhook and downloadFrom deny-lists. Remote unauthenticated attackers can use an uppercase URL scheme (HTTP://, HTTPS://) to slip past the case-sensitive regex (^https?://) that guards private IP ranges; Go's net/url.Parse() lowercases the scheme, so the request is then issued as an ordinary http(s) fetch and the bypass completes. The flaw affects two features added in commit 3f01ca1 (April 2026): webhook callback URLs and downloadFrom file fetching. Vendor-released patch version 8.31.0 available. The Changed Scope in the CVSS vector reflects potential access to instance metadata services (e.g., AWS 169.254.169.254) and internal APIs that return sensitive data in Content-Disposition headers. This is a regression of the pattern previously fixed in CVE-2026-27018 for the Chromium deny-list.
Docker
Google
SSRF
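Two of the SSRF deny-list bypasses on this page (the IPv4-mapped IPv6 literal in CVE-2026-42449 and the uppercase scheme in CVE-2026-40280) against one naive check, as an added example that is neither n8n-mcp nor Gotenberg code. `naive_is_blocked` is a constructed stand-in for a regex deny-list applied to the raw string; `hardened_is_blocked` normalises first and judges the address after. Python's `urlsplit` lowercases the scheme just as Go's `net/url.Parse` does, which is why a check must run on the parsed result, not the raw text. The probe URLs are constructed, not captured traffic.

```python
"""Added example (not n8n-mcp or Gotenberg code): a naive SSRF deny-list and
the two bypasses described on this page, next to a validator that resolves
them by normalising before judging."""
import ipaddress
import re
from urllib.parse import urlsplit

PRIVATE_V4_RE = re.compile(
    r"^(127\.|10\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|0\.)"
)
HTTP_SCHEME_RE = re.compile(r"^https?://")  # case-sensitive, like the bypassed rule


def naive_is_blocked(url: str) -> bool:
    """Deny-list over the raw string: only lower-case http(s) URLs whose host
    is a dotted-quad private address are caught. Everything else passes."""
    if not HTTP_SCHEME_RE.match(url):
        return False  # 'HTTP://' is not recognised, so it is never inspected
    host = urlsplit(url).hostname or ""
    return bool(PRIVATE_V4_RE.match(host))  # '::ffff:169.254.169.254' never matches


def canonical_host_ip(host: str):
    """IPv4Address/IPv6Address for a literal host, unwrapping IPv4-mapped IPv6
    so ::ffff:a.b.c.d is judged as a.b.c.d. None for hostnames."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def hardened_is_blocked(url: str) -> bool:
    """Normalise (parser lowercases the scheme, brackets are stripped from an
    IPv6 host, mapped addresses are unwrapped), then judge the address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return True  # anything that is not plain http(s) is refused outright
    host = parts.hostname or ""
    ip = canonical_host_ip(host)
    if ip is None:
        # Hostnames should be resolved and the resulting addresses re-checked
        # (and pinned) at connect time; here we only refuse the obvious names.
        return host.lower() in ("localhost", "metadata.google.internal")
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


# Constructed probes: URL -> whether a correct validator must block it.
PROBES = {
    "http://169.254.169.254/latest/meta-data/": True,
    "http://[::ffff:169.254.169.254]/latest/meta-data/": True,  # CVE-2026-42449 pattern
    "HTTP://169.254.169.254/latest/meta-data/": True,           # CVE-2026-40280 pattern
    "https://example.com/webhook": False,
}

if __name__ == "__main__":
    for url, must_block in PROBES.items():
        print(f"{url:55} naive={naive_is_blocked(url)!s:5} hardened={hardened_is_blocked(url)!s:5} expected={must_block}")
```

A deny-list that runs before normalisation and a fetch that runs after it are two different parsers disagreeing about the same string; every such disagreement is a bypass waiting to be found. Note also that the hostname branch above is only a placeholder: a production check resolves the name and applies the same address test to what DNS returns, then connects to that address rather than re-resolving.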
-
CVE-2026-40171
HIGH
CVSS 8.4
Stored XSS in Jupyter Notebook's CommandLinker feature enables authentication token theft through malicious notebook files, leading to complete account takeover. Attackers craft notebook files with disguised controls that, when clicked once by victims, execute arbitrary code via the Jupyter REST API, granting full filesystem access and kernel control. Reported by NVIDIA AI Red Team. Vendor-released patches available: Jupyter Notebook 7.5.6 and JupyterLab 4.5.7. No public exploit code identified at time of analysis, but proof-of-concept demonstrated internally by NVIDIA researchers. This vulnerability targets data science and ML engineering environments where notebook sharing is common practice.
XSS
RCE
Nvidia
Suse
-
CVE-2026-39457
HIGH
CVSS 7.8
Stack corruption in FreeBSD's libnv library allows local authenticated attackers to elevate privileges to root through setuid-root applications that use it. libnv passes socket descriptors to select(2) without checking them against FD_SETSIZE (1024); a process that first exhausts the lower descriptor numbers can force libnv to set a bit beyond the end of the on-stack fd_set, corrupting adjacent stack memory. Confirmed by FreeBSD Security Advisory SA-26:16 with patches available across all stable branches. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC identified at time of analysis.
Buffer Overflow
Stack Overflow
-
CVE-2026-36960
HIGH
CVSS 8.8
Cross-site request forgery in U-SPEED N300 Router V1.0.0 allows remote attackers to execute administrative actions through victim browsers when authenticated administrators visit attacker-controlled webpages. The router's web management interface lacks CSRF tokens and Origin/Referer validation, enabling attackers to craft malicious pages that trigger state-changing operations using the victim's valid session cookie. A proof-of-concept exploit exists (GitHub repository linked), though no active exploitation is confirmed in CISA KEV at time of analysis. CVSS 8.8 severity reflects high impact across confidentiality, integrity, and availability when exploitation succeeds.
CSRF
-
CVE-2026-36959
HIGH
CVSS 7.5
Brute-force attacks against U-SPEED N300 router V1.0.0 can compromise administrator credentials due to missing rate limiting on the /api/login endpoint. Local network attackers can execute unlimited authentication attempts without account lockout, enabling credential compromise and unauthorized access to router management. SSVC indicates proof-of-concept exists and the attack is automatable with partial technical impact. CVSS 7.5 reflects network accessibility, but the vulnerability description specifies 'local network' access requirement, suggesting the actual attack vector may be more constrained than the AV:N metric indicates.
Authentication Bypass
-
CVE-2026-36958
HIGH
CVSS 7.5
Remote unauthenticated attackers can crash the U-SPEED N300 V1.0.0 wireless router by flooding its web management interface with concurrent HTTP requests to random or non-existent endpoints, exhausting resources in the embedded Boa HTTP server until manual reboot is required. SSVC framework confirms proof-of-concept exploit code exists and the attack is fully automatable. CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates this is trivially exploitable from the internet without authentication, though impact is limited to availability disruption with no data compromise.
Denial Of Service
-
CVE-2026-36957
HIGH
CVSS 7.5
Remote attackers can crash Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 and disable all routing functionality by flooding the boa web server with HTTP GET requests to non-existent URIs. The attack exhausts file descriptors and memory buffers, causing kernel deadlock that kills both the web management interface and core routing services. SSVC framework confirms proof-of-concept exploit exists and the attack is fully automatable against default router configurations with no authentication required (CVSS AV:N/AC:L/PR:N/UI:N).
Denial Of Service
-
CVE-2026-36956
HIGH
CVSS 8.8
Cross-site request forgery in Dbit N300 T1 Pro wireless router V1.0.0 allows remote unauthenticated attackers to execute arbitrary administrative actions by convincing an authenticated administrator to visit a malicious webpage. The router lacks anti-CSRF tokens and Origin/Referer validation on configuration endpoints like /api/setWlan, enabling complete router compromise through social engineering. Publicly available exploit code exists (SSVC: poc status) with EPSS data not provided, indicating proof-of-concept demonstration but no confirmed active exploitation at time of analysis.
CSRF
-
CVE-2026-36765
HIGH
CVSS 8.8
XML external entity injection in SpringBlade v4.8.0's /designer/loadReport endpoint enables authenticated attackers to execute arbitrary code remotely. The vulnerability requires low-privilege authentication (PR:L) but no other special conditions (AC:L, UI:N), allowing attackers with basic credentials to compromise confidentiality, integrity, and availability. EPSS probability is low (0.02%, 6th percentile), indicating minimal observed exploitation activity. The issue is not listed in CISA KEV, so no in-the-wild exploitation has been confirmed, though a GitHub issue documents the flaw and proof-of-concept details may exist there.
RCE
XXE
-
CVE-2026-36762
HIGH
CVSS 8.8
Path traversal in JeeSite v5.15.1's file upload endpoint allows authenticated users with file upload permissions to write arbitrary files to any filesystem location, enabling remote code execution by uploading malicious files (e.g., JSP webshells) outside intended directories. The vulnerability exists in the fileEntityId parameter of /a/file/upload, bypassing directory restrictions while respecting file extension whitelists. EPSS score of 0.01% (3rd percentile) indicates low predicted exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis, though vendor issue tracker discussion provides technical details that could facilitate POC development.
Path Traversal
File Upload
-
CVE-2026-36340
HIGH
CVSS 8.1
Remote code execution in Krayin CRM 2.1.5 allows authenticated attackers to execute arbitrary code through the compose email function via code injection. The vulnerability was patched in version 2.1.6 released by the vendor. A public proof-of-concept exploit exists on GitHub (cybercrewinc/CVE-2026-36340), significantly lowering the barrier to exploitation. With CVSS 8.1 (High) and network accessibility requiring only low-privilege authentication, this presents immediate risk to organizations running unpatched Krayin CRM instances, particularly those exposing the CRM to internal users or external partners.
RCE
Code Injection
-
CVE-2026-35547
HIGH
CVSS 8.1
Heap buffer overflow in FreeBSD's libnv library allows remote unauthenticated attackers to achieve privilege escalation or denial of service through maliciously crafted message headers. The vulnerability affects FreeBSD versions 13.5, 14.3, 14.4, and 15.0, with patches released in security advisory FreeBSD-SA-26:17.libnv. Despite network attack vector and privilege escalation potential (CVSS 8.1), EPSS scoring indicates only 0.02% exploitation probability (5th percentile), and no active exploitation or public exploit code has been identified. SSVC classifies technical impact as partial with no confirmed exploitation.
Buffer Overflow
Heap Overflow
-
CVE-2026-33845
HIGH
CVSS 7.5
Integer underflow in GnuTLS DTLS handshake reassembly allows remote unauthenticated attackers to trigger denial of service or information disclosure via crafted zero-length fragments with non-zero offsets. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents a clear remote attack surface requiring no authentication, though the CVSS vector indicates availability impact only (A:H) with no confidentiality or integrity impact confirmed, contradicting the description's mention of information disclosure. No CISA KEV listing or public exploit identified at time of analysis.
Buffer Overflow
Denial Of Service
Information Disclosure
Integer Overflow
Red Hat
-
CVE-2026-33451
HIGH
CVSS 8.5
Local privilege escalation in Absolute Secure Access Windows client versions prior to 14.50 allows authenticated local attackers to escalate privileges to SYSTEM level by sending malformed API data. The vulnerability stems from an arbitrary read/write flaw in the client's API handling. Vendor patch is available (version 14.50). EPSS score not available for this recent CVE; no public exploit identified at time of analysis, and not currently listed in CISA KEV.
Buffer Overflow
Information Disclosure
Microsoft
-
CVE-2026-32148
HIGH
CVSS 8.9
Silent dependency checksum bypass in hexpm/hex package manager (versions 0.16.0 through 2.4.1) allows attackers to substitute malicious dependencies without detection. The Hex.RemoteConverger module fails to verify lockfile checksums due to a string-versus-atom type mismatch in the verification logic, causing the security check to be silently skipped. Attackers who can poison local package caches or compromise registry responses can deliver modified packages that overwrite mix.lock without raising alerts. SSVC framework indicates proof-of-concept exists, attack is non-automatable (requires user interaction and precise timing), with total technical impact. Fixed in version 2.4.2 (commit d7528c8).
Authentication Bypass
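The failure class described above, as an added example that is not hexpm/hex code: a checksum verifier whose lookup misses because the key has the wrong type, and which treats "nothing to compare against" as success. The lockfile shape, the tuple-keyed registry (standing in for the string-versus-atom mismatch), and the tarball bytes are constructed; `verify_hardened` is the fail-closed form.

```python
"""Added example (not hexpm/hex code): a lockfile checksum verifier that fails
open on a missed lookup, next to one that fails closed."""
import hashlib

GOOD_TARBALL = b"plug-1.0.0 tarball bytes"                 # constructed
EVIL_TARBALL = b"plug-1.0.0 tarball bytes with backdoor"   # constructed

# Constructed lockfile: package name -> pinned tarball SHA-256. Not a real mix.lock.
LOCK = {"plug": hashlib.sha256(GOOD_TARBALL).hexdigest()}

# Constructed registry response keyed by (name, version) *tuple* while the code
# below looks it up by plain name: the analogue of the atom-vs-string mismatch.
REGISTRY = {("plug", "1.0.0"): hashlib.sha256(GOOD_TARBALL).hexdigest()}


def verify_vulnerable(name: str, version: str, tarball: bytes) -> bool:
    expected = REGISTRY.get(name)  # BUG: wrong key type, so this is always None
    if expected is None:
        return True  # silently skipped: no checksum, no comparison, no alert
    return hashlib.sha256(tarball).hexdigest() == expected


def verify_hardened(name: str, version: str, tarball: bytes,
                    lock=LOCK, registry=REGISTRY) -> str:
    """Return 'ok' or raise. Every missing piece of evidence is an error, and
    the tarball must match both the lockfile and the registry."""
    locked = lock.get(name)
    if locked is None:
        raise RuntimeError(f"{name}: not in lockfile; refusing to install unpinned dependency")
    published = registry.get((name, version))
    if published is None:
        raise RuntimeError(f"{name} {version}: registry returned no checksum; refusing")
    actual = hashlib.sha256(tarball).hexdigest()
    if actual != locked:
        raise RuntimeError(f"{name} {version}: tarball does not match lockfile ({actual} != {locked})")
    if actual != published:
        raise RuntimeError(f"{name} {version}: tarball does not match registry ({actual} != {published})")
    return "ok"


if __name__ == "__main__":
    print("vulnerable accepts backdoored tarball:", verify_vulnerable("plug", "1.0.0", EVIL_TARBALL))
    print("hardened on good tarball:", verify_hardened("plug", "1.0.0", GOOD_TARBALL))
    try:
        verify_hardened("plug", "1.0.0", EVIL_TARBALL)
    except RuntimeError as exc:
        print("hardened on backdoored tarball:", exc)
```

The lesson generalises beyond Hex: a verification step that can return "nothing to verify" must make that path loud, because type confusion, a renamed field or a truncated registry reply all look identical to "no checksum published" from inside the comparison.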
-
CVE-2026-31787
HIGH
CVSS 7.8
Double-free vulnerability in Linux kernel Xen privcmd driver allows local authenticated attackers to corrupt memory and potentially execute arbitrary code or cause denial of service. When userspace performs partial munmap() on privcmd mappings, VMA splitting creates duplicate pointers to the same memory pages array, leading to kvfree() being called twice on the same allocation during VMA cleanup. Xen Security Advisory XSA-487 confirms this issue affects virtualization hosts running Xen paravirtualized domains. No public exploit identified at time of analysis, with EPSS score of 0.03% indicating low predicted exploitation probability. Vendor-released patches available for stable kernel versions 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.26, and 7.0.3.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-31786
HIGH
CVSS 7.8
Buffer overflow in Linux kernel Xen hypervisor interface allows local authenticated users to achieve arbitrary code execution with high privilege escalation impact. The vulnerability stems from improper handling of non-NUL-terminated build ID data from HYPERVISOR_xen_version(XENVER_build_id) in drivers/xen/sys-hypervisor.c, where sprintf reads past buffer boundaries seeking a NUL terminator. Affects Linux kernel versions from 5.10 through 7.0 series when running as Xen domain. Vendor-released patches available across all affected stable branches (5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.26, 7.0.3). EPSS score of 0.08% (23rd percentile) indicates low probability of mass exploitation despite high CVSS 7.8, reflecting specialized Xen-only attack surface. No public exploit identified at time of analysis.
Buffer Overflow
Linux
Memory Corruption
Red Hat
Suse
-
CVE-2026-31693
HIGH
CVSS 7.8
Uninitialized variable use in Linux kernel CIFS replay logic allows local authenticated attackers to potentially access sensitive kernel memory, corrupt data, or trigger denial of service. The vulnerability exists in CIFS request replay code paths where certain local variables lack proper reinitialization after replay labels, potentially causing undefined behavior during SMB session recovery operations. Patches available for kernel versions 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates minimal observed exploitation activity, consistent with the local access requirement and specialized triggering conditions.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-22070
HIGH
CVSS 7.1
Path traversal in ColorOS Assistant allows local attackers to manipulate file downloads and cause high availability impact via an unauthenticated download channel. The vulnerability (CWE-23) enables writing files to arbitrary paths when a user is socially engineered to trigger the malicious download. OPPO has published a security advisory. No active exploitation confirmed; EPSS data not available for this recent 2026 CVE.
Path Traversal
-
CVE-2026-7551
HIGH
CVSS 8.7
Remote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system commands via the /bridge slash command. Attackers with remote sender privileges can invoke '/bridge spawn' with malicious command arguments that bypass input validation and execute directly through the shell subprocess helper, granting access to local files, credentials, workspace state, and repository contents. Vendor-released patch available (commit 438e373) that restricts /bridge to local-only invocation by default.
RCE
Command Injection
-
CVE-2026-7503
HIGH
CVSS 7.4
Buffer overflow in TOTOLINK A800R router firmware 4.1.2cu.5137 enables authenticated remote attackers to achieve arbitrary code execution with high privileges. The vulnerability exists in the setWiFiMultipleConfig function of the wireless configuration module (wireless.so) within the cstecgi.cgi web interface, exploitable via malformed wepkey2 parameter. Public proof-of-concept exploit code is available on GitHub. EPSS data not provided, CISA KEV status not listed, indicating exploitation is demonstrated but not yet observed in widespread campaigns.
Buffer Overflow
-
CVE-2026-7470
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01 allows authenticated remote attackers to execute arbitrary code with elevated privileges via crafted SafeMacFilter requests. The vulnerability resides in function sub_427C3C at endpoint /goform/SafeMacFilter, where insufficient input validation of the 'page' parameter enables memory corruption. Public exploit code exists on GitHub (Axelioc/CVE), significantly lowering the barrier to exploitation for attackers with valid router credentials. CVSS 7.4 reflects high confidentiality, integrity, and availability impact requiring only low-privilege authentication.
Buffer Overflow
Stack Overflow
Tenda
-
CVE-2026-7461
HIGH
CVSS 7.5
Command injection in Amazon ECS Agent on Windows allows authenticated attackers with task definition permissions to execute arbitrary shell commands with SYSTEM privileges on the underlying host. The vulnerability exists in the FSx Windows File Server volume mounting component (versions prior to 1.103.0), where username field input is not properly sanitized before being passed to OS commands. This affects AWS customers running Windows-based ECS container workloads with FSx volumes - exploitation requires IAM permissions to register ECS task definitions or write to credential stores (Secrets Manager/SSM Parameter Store) used by FSx configurations. Vendor-released patch: version 1.103.0. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Command Injection
Microsoft
-
CVE-2026-7435
HIGH
CVSS 8.6
SQL injection in SSCMS v7.4.0 enables high-privileged attackers to execute arbitrary SQL statements via the stl:sqlContent tag's queryString attribute. Attackers with administrative access can craft encrypted payloads to the /api/stl/actions/dynamic endpoint, bypassing parameterization controls to achieve database compromise, authentication bypass, or complete data exfiltration. EPSS data not available; no confirmed active exploitation (CISA KEV negative); public exploit code availability unknown but detailed technical advisory published by VulnCheck increases weaponization risk.
Authentication Bypass
SQLi
-
CVE-2026-7402
HIGH
CVSS 8.1
Remote authenticated attackers can flood PDKS (Personnel and Document Tracking System) through uncontrolled interaction frequency, achieving high integrity and availability impacts without confidentiality breach. This workforce management software by MeWare Software Development Inc. is vulnerable to denial-of-service conditions and potential data integrity compromise through rate-limiting bypass. Affects versions from V16.20200313 through VMYR_3.5.2025117. TR-CERT advisory available, EPSS data not provided, no CISA KEV listing identified.
Information Disclosure
-
CVE-2026-7399
HIGH
CVSS 8.1
Remote authenticated attackers can bypass authorization controls in MeWare PDKS through user-controlled key manipulation, enabling privilege escalation to access and modify sensitive data without proper permissions. Affecting PDKS versions from V16.20200313 to VMYR_3.5.2025117, this vulnerability allows low-privileged users to abuse authorization mechanisms via network access without user interaction. No confirmed active exploitation or public exploit code identified at time of analysis, with EPSS data unavailable for risk quantification.
Authentication Bypass
-
CVE-2026-7270
HIGH
CVSS 7.8
Local privilege escalation in FreeBSD kernel allows authenticated users to gain root privileges through buffer overflow in execve(2) argument handling. The vulnerability stems from an operator precedence bug causing attacker-controlled data to overwrite adjacent execution argument buffers. CISA SSVC framework indicates no active exploitation detected, though the technical impact enables complete system compromise. EPSS probability remains very low (0.02%, 5th percentile), suggesting targeted rather than widespread threat. FreeBSD has released patches across all supported release branches.
Buffer Overflow
-
CVE-2026-7246
HIGH
CVSS 7.2
Command injection in Pallets Click's click.edit() function (versions ≤8.3.2) allows local attackers with high privileges to execute arbitrary OS commands via shell metacharacters. The vulnerability stems from unsafe use of shell=True in subprocess calls, fixed in version 8.3.3 by switching to shlex.split for command parsing. Attack complexity is high (AC:H) and requires user interaction (UI:R), limiting real-world exploitation despite CVSS 7.2 score. Public proof-of-concept exists (SSVC: exploitation=poc) but no evidence of active exploitation (not in CISA KEV). EPSS data not provided but expected low given local-only access vector and multiple exploitation constraints.
Command Injection
Red Hat
Suse
-
CVE-2026-7164
HIGH
CVSS 7.5
Remote denial-of-service in FreeBSD packet filter (pf) allows unauthenticated attackers to crash systems via malformed SCTP packets. Unbounded recursion in SCTP chunk parameter parsing triggers stack overflow, causing kernel panic on any FreeBSD system with pf enabled, regardless of firewall ruleset configuration. EPSS score of 0.06% (17th percentile) suggests low broad exploitation probability, but impact is critical for exposed FreeBSD firewalls. Official patch released by FreeBSD covering versions 13.5, 14.3, 14.4, and 15.0.
Buffer Overflow
-
CVE-2026-6543
HIGH
CVSS 8.8
Remote code execution in IBM Langflow Desktop 1.0.0 through 1.8.4 allows authenticated attackers to execute arbitrary commands at the privilege level of the Langflow process. Attackers can exfiltrate API keys and database credentials from environment variables, modify application files, or pivot to internal network targets. IBM has released a vendor patch addressing this code injection vulnerability. No active exploitation confirmed by CISA KEV at time of analysis, though CVSS 8.8 severity and low attack complexity indicate high exploitability once authenticated access is obtained.
RCE
IBM
Code Injection
-
CVE-2026-6389
HIGH
CVSS 8.8
Privilege escalation in IBM Turbonomic prometurbo agent allows compromised service accounts to exfiltrate cluster-wide Kubernetes secrets and achieve full cluster takeover. Affects versions 8.16.0 through 8.17.6 deployed in Kubernetes environments. The operator grants excessive RBAC permissions enabling unrestricted read access to all secrets cluster-wide. CVSS 8.8 indicates high severity with scope change to container/cluster level. No active exploitation confirmed (not in CISA KEV), but the attack path from service account compromise to cluster admin is well-understood in Kubernetes threat models.
Privilege Escalation
IBM
-
CVE-2026-5656
HIGH
CVSS 7.0
Path traversal in Wireshark's profile import feature enables local attackers to achieve denial of service and potentially execute arbitrary code on Windows, macOS, and Linux systems running versions 4.6.0-4.6.4 or 4.4.0-4.4.14. The vulnerability (CWE-22) requires user interaction to import a maliciously crafted profile configuration file, with attack complexity rated high due to specific exploitation prerequisites. No public exploit code or active exploitation confirmed at time of analysis, though EPSS data not available for comprehensive risk assessment.
RCE
Denial Of Service
Path Traversal
Red Hat
Suse
-
CVE-2026-5405
HIGH
CVSS 7.8
Heap-based buffer overflow in Wireshark's RDP protocol dissector allows local attackers to cause denial of service or execute arbitrary code via maliciously crafted capture files. Affects Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14. The vulnerability requires user interaction (opening a malicious .pcap file) but no authentication, making it effective for social engineering attacks against network analysts. No active exploitation confirmed in CISA KEV, but proof-of-concept details available via GitLab issue tracker. EPSS data not available for risk prioritization.
RCE
Buffer Overflow
Denial Of Service
Heap Overflow
Red Hat
-
CVE-2026-5403
HIGH
CVSS 7.8
Heap buffer overflow in Wireshark's SBC codec handler enables local code execution when processing malicious capture files. Affects Wireshark versions 4.4.0-4.4.14 and 4.6.0-4.6.4. The vulnerability requires user interaction (opening a crafted packet capture file) but no authentication, posing significant risk to network analysts who routinely process captures from untrusted sources. Wireshark Foundation has published security advisory WNPA-sec-2026-16 with remediation details. EPSS probability data not available; no evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.
RCE
Buffer Overflow
Denial Of Service
Heap Overflow
Red Hat
-
CVE-2026-5402
HIGH
CVSS 8.8
Heap overflow in Wireshark 4.6.0 through 4.6.4 TLS protocol dissector enables remote code execution when a user opens a malicious capture file or inspects crafted network traffic. The vulnerability requires user interaction (UI:R) but no authentication, making it exploitable via social engineering. No public exploit code identified at time of analysis, though the technical details are disclosed in vendor advisory wnpa-sec-2026-14 and tracked in GitLab issue #21090. CVSS 8.8 reflects the combination of network vector, low complexity, and potential for complete system compromise despite the user interaction requirement.
RCE
Buffer Overflow
Denial Of Service
Heap Overflow
Red Hat
-
CVE-2026-5174
HIGH
CVSS 7.7
Improper input validation in Progress MOVEit Automation enables authenticated low-privilege attackers to escalate privileges and cause high-impact denial of service across container boundaries. Affecting all versions prior to 2025.1.5, 2025.0.9, and 2024.1.8, this network-accessible vulnerability with low attack complexity allows attackers to disrupt availability system-wide. Progress issued a Critical Security Alert Bulletin addressing this issue alongside CVE-2026-4670 in their April 2026 advisory. No public exploit identified at time of analysis, but the straightforward attack path (AV:N/AC:L/PR:L) and Changed scope indicate significant real-world risk for organizations running unpatched instances.
Privilege Escalation
-
CVE-2026-4503
HIGH
CVSS 7.5
Unauthenticated remote disclosure of user-uploaded images in IBM Langflow Desktop 1.0.0-1.8.4 allows network attackers to enumerate and access other users' private images through predictable object references. With CVSS 7.5 (High) reflecting unauthenticated network exploitation, and EPSS data not provided, risk depends on whether installations expose the vulnerable endpoint to untrusted networks. No KEV listing or public exploit code identified at time of analysis, suggesting discovery through vendor security review rather than active exploitation.
Authentication Bypass
IBM
-
CVE-2026-2892
HIGH
CVSS 7.5
Unauthenticated attackers can bypass Stripe payment gates in Otter Blocks for WordPress ≤3.1.4 by forging the 'o_stripe_data' cookie with publicly visible product IDs from checkout block HTML source, gaining unauthorized access to premium content. The plugin's 'get_customer_data' method accepts unsigned cookie data without server-side Stripe API verification for one-time purchases, enabling trivial exploitation with no authentication required. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from accessing gated content. EPSS data unavailable; no active exploitation or POC confirmed at time of analysis, but the attack requires only basic HTTP cookie manipulation skills.
WordPress
Authentication Bypass
-
CVE-2025-56568
HIGH
CVSS 7.5
Denial of service in Open5GS SMF component (versions before v2.7.5) allows unauthenticated remote attackers to crash the 5G core network Session Management Function by sending NGAP messages with malformed Protocol Configuration Options containing invalid length fields. The vulnerability triggers assertion failures in the PCO parser (CWE-617), causing service termination. With CVSS 7.5 (High) severity and network-accessible attack vector requiring no authentication, this poses significant operational risk to 5G networks, though the low EPSS score (0.07%, 22nd percentile) suggests limited observed exploitation attempts. No active exploitation confirmed (not in CISA KEV). Upstream fix available via commit d770787 incorporated in v2.7.5 release.
Denial Of Service
N A
-
CVE-2025-51846
HIGH
CVSS 8.7
Remote denial-of-service in CryptPad 2025.3.1 allows unauthenticated attackers to flood WebSocket frames and degrade or deny service for all users of an instance. The vulnerability stems from unbounded WebSocket connection handling without rate limiting. Fixed in version 2026.2.2 via nginx rate limiting configuration (30 requests/minute with burst=5). CVSS 8.7 (High) reflects network-accessible, low-complexity attack requiring no authentication. No CISA KEV listing or public exploit identified at time of analysis, but low technical barrier suggests high exploitability.
Denial Of Service
-
CVE-2025-46115
HIGH
CVSS 7.5
Remote denial of service in Open5GS 2.7.3 allows unauthenticated attackers to crash the 5G core network by sending malformed PDU Session Modification Request messages. The vulnerability stems from improper input validation (CWE-20) in session management functions. EPSS score of 0.07% indicates low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. However, the attack requires no authentication or user interaction (AV:N/AC:L/PR:N/UI:N), making it trivially exploitable against exposed 5G core deployments, potentially disrupting mobile network services for enterprise or carrier environments.
Denial Of Service
N A
-
CVE-2025-14576
HIGH
CVSS 7.4
Code injection in Qt SVG module allows attackers to execute arbitrary QML/JavaScript when applications load malicious SVG files through Qt Quick's VectorImage component. Exploitation requires local file access and user interaction (opening crafted SVG). While QML execution is more restricted than native code, attackers can still trigger denial of service, exfiltrate application data, or manipulate UI logic depending on the victim application's privilege context. No active exploitation confirmed (not in CISA KEV), but patch available from Qt Project reduces urgency for immediate emergency response.
RCE
Denial Of Service
Information Disclosure
Code Injection
Red Hat
-
CVE-2025-14543
HIGH
CVSS 8.8
XML External Entity (XXE) injection in RTI Connext Professional's Core Libraries allows remote unauthenticated attackers to exfiltrate sensitive data and cause denial of service through maliciously crafted XML documents processed by the DDS middleware. Affects versions 4.3x through 7.6.x across all major release branches (4.3x-7.4.0), with vendor patch available but no public exploit identified at time of analysis. CVSS 8.8 (High) reflects network attack vector with high confidentiality and availability impact but no integrity compromise, consistent with typical XXE data exfiltration and resource exhaustion scenarios. SSVC assessment indicates non-automatable exploitation with partial technical impact, suggesting targeted attack scenarios rather than mass exploitation.
XXE
-
CVE-2026-42798
MEDIUM
CVSS 4.0
Integer overflow in Little CMS color engine versions 2.16 through 2.18 allows local attackers to trigger integer overflow in the ParseCube function when processing specially crafted color lookup table (LUT) input files, potentially resulting in buffer overflow and denial of service or information disclosure. The vulnerability affects the CGATS parser used for loading ICC color profiles and LUT data. No public exploit code identified at time of analysis, though upstream fix is available in version 2.19.
Buffer Overflow
Integer Overflow
Suse
-
CVE-2026-42191
MEDIUM
CVSS 6.5
OpenTelemetry.Exporter.OpenTelemetryProtocol versions 1.8.0 through 1.15.2 allow local attackers to inject malicious telemetry data, disclose stored telemetry payloads, or exhaust system resources by exploiting an insecure default disk retry directory that falls back to the shared system temporary path when the required directory configuration is not explicitly set. On multi-user systems, this enables attackers with read or write access to the temp directory to craft blob files that the exporter will forward to the OTLP endpoint under the application's identity, or to read exported telemetry data between transient export failures.
Denial Of Service
Microsoft
-
CVE-2026-42032
MEDIUM
CVSS 6.7
Authorization bypass in CKAN's datastore_search_sql function allows unauthenticated attackers to access private DataStore resources and extract PostgreSQL system information. CKAN versions prior to 2.10.10 and 2.11.0-2.11.4 are affected. The vulnerability exists in a feature that is disabled by default but can be enabled via configuration, limiting baseline exposure but creating significant risk for deployments that enable SQL search functionality.
Authentication Bypass
PostgreSQL
-
CVE-2026-41654
MEDIUM
CVSS 5.3
Authenticated Server-Side Request Forgery (SSRF) in Weblate before 5.17.1 allows users with project.add permission to import crafted project backup ZIPs containing malicious repository URLs pointing to private addresses or using non-allowlisted schemes (file://, git://) that bypass URL validation. The vulnerability exists because bulk_create() circumvents Django's full_clean() validator; attackers can write arbitrary URLs into .git/config, enabling SSRF attacks against internal systems or protocol exploitation.
Authentication Bypass
Python
Suse
-
CVE-2026-41519
MEDIUM
CVSS 4.2
Weblate fails to revoke Django REST Framework API tokens when users change their passwords, allowing attackers with knowledge of a user's old credentials to continue accessing APIs indefinitely even after password changes. The vulnerability affects authenticated users on Weblate versions prior to 5.17.1 and requires high attack complexity due to the need for legitimate account access, but carries meaningful risk in multi-user translation environments where password compromise may go undetected.
Information Disclosure
Suse
-
CVE-2026-41226
MEDIUM
CVSS 5.1
Open redirect vulnerability in Ricoh Web Image Monitor affects multiple laser printers and multifunction printers, allowing unauthenticated remote attackers to redirect users to arbitrary websites via specially crafted URLs. Successful exploitation enables phishing attacks by deceiving users into visiting malicious sites while appearing to originate from trusted printer interfaces. No active exploitation has been confirmed, but the vulnerability requires only user interaction (clicking a malicious link) and affects all configurations by default.
Open Redirect
-
CVE-2026-41016
MEDIUM
CVSS 5.9
Apache Airflow's SmtpHook performs STARTTLS upgrades without SSL certificate validation, allowing man-in-the-middle attackers to intercept SMTP credentials. Remote unauthenticated attackers positioned between an Airflow worker and SMTP server can present a self-signed certificate, complete the TLS handshake, and capture login credentials sent after the upgrade. The vulnerability affects apache-airflow-providers-smtp versions 2.0.0 through 2.x and is patched in version 3.0.0 or later. No public exploit code identified at time of analysis, but EPSS score of 0.01% indicates low real-world exploitation probability despite confidentiality impact.
Python
Apache
Information Disclosure
-
CVE-2026-40951
MEDIUM
CVSS 6.8
Memory corruption in Absolute Secure Access Windows clients prior to version 14.50 allows local authenticated attackers to trigger denial of service by sending malformed data to an exposed API. The vulnerability requires local system access and authenticated privileges but can completely disable the security client, creating a critical availability risk for endpoint protection.
Buffer Overflow
Denial Of Service
Microsoft
-
CVE-2026-40949
MEDIUM
CVSS 6.8
Buffer overflow in Absolute Secure Access Windows client versions prior to 14.50 allows local attackers with high privileges to trigger denial of service by exploiting improper memory handling. The vulnerability requires local access and elevated administrative privileges, limiting exploitation to authenticated users already possessing administrative control of the affected system. Vendor-released patch: version 14.50 or later.
Buffer Overflow
Denial Of Service
Microsoft
Stack Overflow
-
CVE-2026-40687
MEDIUM
CVSS 4.8
Out-of-bounds write in Exim before 4.99.2 SPA authentication driver allows remote attackers to crash the mail server connection or leak uninitialized heap memory when processing adversarial SPA authentication resources, affecting confidentiality and availability of the mail service.
Buffer Overflow
Suse
-
CVE-2026-40685
MEDIUM
CVSS 6.5
Out-of-bounds heap write in Exim before 4.99.2 allows unauthenticated remote attackers to cause denial of service and potentially corrupt memory when the JSON lookup feature is enabled and malformed JSON is present in untrusted email headers, due to incorrect backslash escape sequence handling in the JSON operator.
Buffer Overflow
Suse
-
CVE-2026-40684
MEDIUM
CVSS 5.9
Denial of service in Exim before 4.99.2 on musl libc systems allows remote attackers to crash mail server connection instances by sending malformed DNS PTR records that trigger an octal printing bug in the dn_expand function. The vulnerability requires high network complexity to exploit but results in service unavailability for affected connections. No patch version confirmation available from provided references.
Denial Of Service
Suse
-
CVE-2026-40603
MEDIUM
CVSS 6.5
Chartbrew 4.9.0 fails to properly enforce project-level access controls on a legacy dashboard route, allowing any authenticated team member to read another team member's project report data and extract stored report passwords. The vulnerability affects users without explicit project access but with team membership, who can leverage the unprotected endpoint to view sensitive dashboard configurations and credentials. Patched in version 5.0.0.
Authentication Bypass
-
CVE-2026-39383
MEDIUM
CVSS 6.9
Server-Side Request Forgery in Gotenberg 8.29.1 Docker image enables remote unauthenticated attackers to probe internal networks and trigger POST requests to arbitrary internal/external endpoints via the Gotenberg-Webhook-Url header. CVSS 8.6 High with Changed Scope (S:C) reflects the ability to pivot from the Gotenberg container to internal services. Publicly available exploit code exists (PoC published in GitHub advisory GHSA-5vh4-rgv7-p9g4). Vendor-released patch 8.31.0 implements IP resolution and non-public address blocking to prevent DNS rebinding and RFC1918/link-local targeting.
Docker
Google
SSRF
-
CVE-2026-38940
MEDIUM
CVSS 6.1
Cross-site scripting (XSS) in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows remote attackers to execute arbitrary JavaScript in a victim's browser via the detail_produk.php component when a user visits a malicious link. The vulnerability requires user interaction (clicking a link) and affects confidentiality and integrity with a CVSS score of 6.1. No active exploitation has been confirmed in CISA KEV, but a proof-of-concept payload exists in public repositories.
PHP
XSS
RCE
N A
-
CVE-2026-38939
MEDIUM
CVSS 6.1
Cross-site scripting (XSS) vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows remote attackers to execute arbitrary JavaScript in victim browsers and exfiltrate sensitive information through the product_catalogue.php component. The vulnerability requires user interaction (clicking a malicious link or visiting a compromised page) but affects all users due to stored or reflected XSS impact across site sessions. CVSS 6.1 reflects moderate risk with network-based attack vector and low complexity, though no active exploitation in CISA KEV has been confirmed at time of analysis.
PHP
XSS
RCE
N A
-
CVE-2026-36766
MEDIUM
CVSS 5.4
Cross-site scripting (XSS) vulnerabilities in Shopizer v3.2.5's XssHttpServletRequestWrapper class allow authenticated attackers to execute arbitrary web scripts or HTML by injecting crafted payloads into the getInputStream() or getReader() functions. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting exploitation to logged-in users who can be socially engineered into clicking malicious links or submitting forms. No public exploit code or active exploitation has been confirmed at time of analysis.
XSS
N A
-
CVE-2026-36764
MEDIUM
CVSS 5.0
Server-side request forgery in SpringBlade v4.8.0 allows authenticated network attackers to scan internal resources by sending crafted GET requests to the /ureport/datasource/testConnection endpoint, enabling reconnaissance of non-routable or restricted-access network segments. The vulnerability affects confidentiality but requires valid authentication credentials to exploit.
SSRF
-
CVE-2026-36763
MEDIUM
CVSS 6.1
Stored cross-site scripting (XSS) in SpringBlade v4.8.0 allows unauthenticated remote attackers to inject arbitrary web scripts or HTML via the /api/blade-desk/notice/submit endpoint's content parameter, executing malicious code in the browsers of subsequent users who view the injected notice. The vulnerability requires user interaction (viewing the stored payload) to trigger, affecting the confidentiality and integrity of affected applications. No public exploit code or active exploitation has been confirmed at the time of analysis.
XSS
N A
-
CVE-2026-36761
MEDIUM
CVSS 6.1
Stored cross-site scripting (XSS) in JeeSite v5.15.1 allows unauthenticated remote attackers to inject arbitrary web scripts or HTML via the msgContent parameter in the /msg/msgInner/save endpoint, affecting any user who views a message containing the malicious payload. The vulnerability requires user interaction (viewing the crafted message) but can impact confidentiality and integrity of user sessions through script execution in the victim's browser context. No public exploit code or active exploitation has been confirmed at this time.
XSS
N A
-
CVE-2026-36759
MEDIUM
CVSS 6.5
Server-side request forgery (SSRF) in Halo v2.22.14's /themes/{name}/upgrade-from-uri endpoint allows authenticated attackers to scan internal network resources and services by submitting crafted GET requests, enabling reconnaissance of backend infrastructure without direct network access.
SSRF
N A
-
CVE-2026-36758
MEDIUM
CVSS 4.3
Server-side request forgery in Halo v2.22.14 /themes/-/install-from-uri endpoint allows authenticated attackers to scan internal resources and access sensitive network information via crafted GET requests. The vulnerability requires valid authentication credentials but operates with low attack complexity and results in confidentiality impact through information disclosure of internal network topology and services.
SSRF
N A
-
CVE-2026-36757
MEDIUM
CVSS 4.3
Server-Side Request Forgery (SSRF) in Halo v2.22.14's /plugins/{name}/upgrade-from-uri endpoint permits authenticated attackers to scan internal network resources and retrieve sensitive data via crafted GET requests, potentially enabling reconnaissance of internal infrastructure. The vulnerability requires valid authentication credentials but operates with low attack complexity, affecting the confidentiality of internal resources without requiring user interaction or administrative privileges.
SSRF
N A
-
CVE-2026-36756
MEDIUM
CVSS 5.4
Server-Side Request Forgery (SSRF) in Halo v2.22.14's /plugins/-/install-from-uri endpoint enables authenticated attackers to scan internal resources and potentially access sensitive information via crafted GET requests. The vulnerability requires valid authentication credentials but operates with low attack complexity over the network, exposing internal network topology and services to enumeration attacks.
SSRF
N A
-
CVE-2026-35514
MEDIUM
CVSS 6.5
Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create a fully active account with valid JWT via the unprotected POST /user/invited endpoint, circumventing the signupRestricted configuration that normally blocks new registrations. An attacker receives a functional JWT token immediately without email verification, granting full authenticated access even when the instance restricts signups to invited users only. The vulnerability was patched in version 5.0.0.
Authentication Bypass
-
CVE-2026-33452
MEDIUM
CVSS 5.9
Buffer overflow in Absolute Secure Access Windows client prior to version 14.50 allows local attackers to cause denial of service by triggering a system blue screen. The vulnerability requires local access to the affected system and can be exploited without user interaction or authentication. A vendor patch is available.
Buffer Overflow
Microsoft
Stack Overflow
-
CVE-2026-33448
MEDIUM
CVSS 4.8
Format string vulnerability in Secure Access client for macOS prior to version 14.50 allows authenticated local attackers to leak sensitive data from process memory via crafted logging input, potentially exposing secrets through log files. The vulnerability requires local access and valid user privileges but no user interaction. Patch is available from the vendor.
Information Disclosure
Apple
-
CVE-2026-31692
MEDIUM
CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
rtnetlink: add missing netlink_ns_capable() check for peer netns
rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer network namespace when creating paired devices (veth, vxcan, netkit). This allows an unprivileged u...
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-28909
MEDIUM
CVSS 6.5
Credential exposure in Apple container allows unauthenticated remote attackers to steal registry credentials in plaintext when users connect to malicious registries with hostnames matching specific bypass patterns. The vulnerability affects container versions prior to 0.12.3 and requires user interaction to establish a connection to a malicious registry. EPSS score of 0.02% indicates low real-world exploitation probability despite moderate CVSS severity.
Authentication Bypass
-
CVE-2026-28532
MEDIUM
CVSS 6.0
FRRouting before version 10.5.3 contains an integer overflow vulnerability in OSPF Traffic Engineering and Segment Routing TLV parser functions that allows attackers with an established OSPF adjacency to send a malicious Type 10 or Type 11 Opaque LSA and trigger out-of-bounds memory reads, crashing all affected routers in the OSPF area. The vulnerability results from a uint16_t accumulator variable truncating uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. This is a denial-of-service attack requiring OSPF neighbor status but no user interaction or additional privileges.
Denial Of Service
Integer Overflow
Red Hat
Suse
-
CVE-2026-22726
MEDIUM
CVSS 5.0
Route Services in Cloud Foundry Routing Release v0.118.0-v0.371.0 and CF Deployment v0.0.2-v54.14.0 allow authenticated malicious developers to bypass application egress rules by configuring route-services that redirect traffic to internal network destinations otherwise unreachable from external networks or the application itself. This affects the scope of the routing infrastructure, enabling information disclosure and potential lateral movement within the Gorouter network.
Information Disclosure
-
CVE-2026-7506
MEDIUM
CVSS 5.5
SQL injection in SourceCodester Hotel Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the room_type parameter in /index.php/reservation/check. CVSS 7.3 indicates medium-to-high severity with confidentiality, integrity, and availability impacts. Publicly available exploit code (GitHub) significantly lowers the barrier to exploitation. EPSS data unavailable, but public POC availability and remote unauthenticated attack vector suggest elevated real-world risk for internet-exposed installations of this PHP-based hotel management system.
PHP
SQLi
-
CVE-2026-7505
MEDIUM
CVSS 5.5
Improper authorization in the GoClaw and GoClaw Lite RPC gateway allows unauthenticated remote attackers to invoke privileged methods including configuration exfiltration, heartbeat manipulation, and agent mutation via WebSocket connections. Versions up to 3.8.5 implement a fail-open authorization policy where unclassified RPC methods default to viewer-level access and authentication failures fall back to authenticated viewer sessions. Public exploit code exists (GitHub issue #866) demonstrating unauthorized method invocation. Vendor-released patch: version 3.9.0 implements fail-closed authorization with explicit method classification and rejects connections lacking valid credentials.
Authentication Bypass
-
CVE-2026-7500
MEDIUM
CVSS 5.4
Keycloak's Account REST API remains partially accessible even when explicitly disabled via the `--features-disabled=account,account-api` flag, allowing authenticated users to read and modify account data through five unprotected endpoints under `/account/v1alpha1/` that lack the required `checkAccountApiEnabled()` access control gate present in four sibling endpoints within the same service class.
Information Disclosure
Red Hat
-
CVE-2026-7468
MEDIUM
CVSS 5.5
Improper access controls in 1024-lab smart-admin up to version 3.30.0 allow remote unauthenticated attackers to gain unauthorized access to the Druid demo interface at /smart-admin-api/druid/index.html, potentially exposing sensitive data or administrative functionality. The vulnerability has a publicly available proof of concept and a CVSS score of 5.5 (low confidentiality/integrity impact), though the vendor has not yet acknowledged or patched the issue despite early notification.
Authentication Bypass
-
CVE-2026-7446
MEDIUM
CVSS 5.5
OS command injection in VetCoders mcp-server-semgrep 1.0.0 allows remote unauthenticated attackers to execute arbitrary commands via unsanitized ID arguments passed to multiple analysis functions (analyze_results, filter_results, export_results, compare_results, scan_directory, create_rule) in src/index.ts. The vulnerability stems from unsafe use of child_process.exec() which interpolates user input into shell command strings. Publicly available exploit code exists, and vendor-released patch version 1.0.1 is available.
Command Injection
-
CVE-2026-7382
MEDIUM
CVSS 6.5
Authenticated remote attackers can access sensitive personal information in MeWare PDKS versions from 16.20200313 up to, but not including, VMYR_3.5.2025117 due to improper access controls. The vulnerability allows disclosure of private data without authorization, affecting confidentiality. The CVSS score of 6.5 reflects moderate severity with network accessibility and low attack complexity, though authentication is required. No active exploitation or public proof-of-concept has been confirmed at time of analysis.
Information Disclosure
-
CVE-2026-7379
MEDIUM
CVSS 5.5
Memory leak in Wireshark sharkd service versions 4.6.0-4.6.4 and 4.4.0-4.4.14 allows local attackers with user interaction to trigger denial of service through exhaustion of system memory. The vulnerability stems from improper resource cleanup (CWE-401) during packet processing, enabling a local attacker with non-privileged access to crash the sharkd daemon or degrade system performance by repeatedly invoking operations that leak memory. No active exploitation has been confirmed at time of analysis, and exploitation requires local file system access combined with user interaction.
Denial Of Service
Suse
-
CVE-2026-7378
MEDIUM
CVSS 5.5
Denial of service in Wireshark sharkd versions 4.6.0-4.6.4 and 4.4.0-4.4.14 allows local attackers with user interaction to crash the application via a heap buffer overflow. The vulnerability requires local access and user interaction (opening a malicious file or network capture), making it a low-to-moderate priority for networked analyst workstations but not a remote code execution risk.
Buffer Overflow
Denial Of Service
Heap Overflow
Red Hat
Suse
-
CVE-2026-7376
MEDIUM
CVSS 5.5
Null pointer dereference in Wireshark sharkd 4.4.0-4.4.14 and 4.6.0-4.6.4 causes denial of service when processing crafted input, crashing the daemon. Local attackers with low privileges can trigger the crash via user interaction, rendering the packet analysis service unavailable. No authentication required, and publicly available exploit code does not appear to exist at time of analysis.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-7375
MEDIUM
CVSS 5.5
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via infinite loop in the UDS protocol dissector allows local attackers to crash the application by opening a specially crafted packet capture file. The vulnerability requires user interaction (opening a malicious file) and is triggered during packet dissection, affecting the availability of the analysis tool but not confidentiality or integrity.
Denial Of Service
Red Hat
Suse
-
CVE-2026-7163
MEDIUM
CVSS 6.1
Authenticated users with minimal namespace-scoped privileges can obtain administrative credentials for arbitrary OpenShift clusters provisioned through the MCE hub via the assisted-service REST API. The vulnerability exists in AUTH_TYPE=local mode (the only mode available in on-premises deployments), where the local authenticator grants full administrative access to any request bearing a valid JWT with no per-endpoint restrictions. A valid JWT is embedded as plaintext in the InfraEnvStatus.ISODownloadURL, readable by any user with get rights on an InfraEnv object, enabling extraction of kubeadmin passwords and kubeconfigs for all spoke clusters.
Information Disclosure
Red Hat
-
CVE-2026-6870
MEDIUM
CVSS 5.5
Denial of service via crash in the GSM RP protocol dissector affects Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14. A local attacker with user privileges can trigger a dissector crash by crafting a malicious GSM RP packet and inducing a user to open it, causing application termination and loss of packet capture session. CVSS 5.5 reflects local attack vector and user interaction requirement; no remote exploitation path identified.
Denial Of Service
Memory Corruption
Red Hat
Suse
-
CVE-2026-6869
MEDIUM
CVSS 5.5
Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14 crash when processing malformed WebSocket protocol packets, enabling local denial of service. An attacker with the ability to trigger packet dissection, either by crafting a malicious PCAP file or by intercepting traffic on a local network, can force the application to crash by supplying a WebSocket frame that triggers an unhandled error condition in the protocol dissector. The vulnerability requires user interaction (opening a file or navigating to a network interface) and operates at local scope, resulting in application unavailability rather than code execution.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6868
MEDIUM
CVSS 5.5
Stack buffer overflow in the Wireshark HTTP protocol dissector (versions 4.6.0-4.6.4 and 4.4.0-4.4.14) causes an application crash when processing malformed HTTP packets, resulting in denial of service. Local attackers with the ability to trigger packet analysis via user interaction can crash the application and disrupt network traffic inspection workflows.
Buffer Overflow
Denial Of Service
Stack Overflow
Red Hat
Suse
-
CVE-2026-6867
MEDIUM
CVSS 5.5
Wireshark SMB2 protocol dissector crashes when processing malformed packets, causing denial of service in versions 4.6.0-4.6.4 and 4.4.0-4.4.14. A local attacker with low privileges can trigger the crash by crafting a malicious SMB2 packet and inducing the user to open it in Wireshark, resulting in application termination and loss of packet capture capability. No public exploit code or active exploitation in the wild has been identified at the time of analysis.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6542
MEDIUM
CVSS 6.5
IBM Langflow OSS 1.0.0 through 1.8.4 allows authenticated users to read transaction logs and vertex build data from other users' flows via direct flow_id manipulation, enabling unauthorized information disclosure and deletion of other users' persisted build data. The vulnerability requires valid user authentication (PR:L) but no additional complexity, affecting all deployments of affected versions.
Authentication Bypass
IBM
-
CVE-2026-6539
MEDIUM
CVSS 4.6
Format string injection in Notepad++ 8.9.3 Find Results panel handler allows local attackers to cause denial of service and disclose stack memory by distributing malicious nativeLang.xml language pack files that trigger unsafe format string interpretation during search operations. User interaction is required to load the poisoned language pack and perform a search. No active exploitation confirmed, but patch is available from vendor.
Denial Of Service
Information Disclosure
-
CVE-2026-6538
MEDIUM
CVSS 5.5
Stack buffer overflow in Wireshark's BEEP protocol dissector causes denial of service when processing malformed network packets. Versions 4.6.0-4.6.4 and 4.4.0-4.4.14 are vulnerable; a local user with the ability to interact with Wireshark or supply crafted BEEP traffic can trigger a crash via a specially crafted packet that requires user interaction to open or process. No public exploit code or active exploitation has been identified at time of analysis.
Buffer Overflow
Denial Of Service
Stack Overflow
Red Hat
Suse
-
CVE-2026-6537
MEDIUM
CVSS 5.5
Stack buffer overflow in Wireshark's ZigBee protocol dissector (versions 4.6.0-4.6.4 and 4.4.0-4.4.14) causes application crash and denial of service when processing malformed ZigBee packets. An attacker must trick a user into opening a crafted packet capture file or visiting a malicious webpage serving the packet, since the vulnerability requires local file access and user interaction. No active exploitation has been publicly reported.
Buffer Overflow
Denial Of Service
Stack Overflow
Red Hat
Suse
-
CVE-2026-6536
MEDIUM
CVSS 5.5
Wireshark versions 4.6.0 through 4.6.4 contain an infinite loop vulnerability in the DLMS/COSEM protocol dissector that causes denial of service when processing malformed packets. A local attacker with user privileges can trigger the infinite loop by opening a crafted DLMS/COSEM packet capture file, freezing the application and rendering it unresponsive without requiring authentication or special configuration.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6535
MEDIUM
CVSS 5.5
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 causes application crash during zlib decompression in the packet dissection engine when processing malformed compressed traffic. Local attackers with user privileges can trigger the crash by opening a specially crafted pcap file or receiving a malicious packet capture, requiring user interaction but no authentication. No public exploit code or active exploitation has been identified at time of analysis.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6534
MEDIUM
CVSS 5.5
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via infinite loop in the USB HID protocol dissector allows local attackers to crash the application by opening a maliciously crafted packet capture file. The vulnerability requires user interaction (opening a file) on a local system, making it suitable for targeted attacks against security analysts and network administrators who routinely inspect suspicious network traffic.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6533
MEDIUM
CVSS 5.5
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 allows local attackers to crash the application by triggering an unhandled exception in the LZ77 decompression engine when processing malformed compressed packet data. The vulnerability requires user interaction (opening a crafted packet capture file or receiving a malicious packet) but causes immediate application termination, impacting network analysis workflows.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6532
MEDIUM
CVSS 5.5
Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 crash when processing malformed Kismet protocol packets due to a buffer overflow in the Kismet dissector, allowing unauthenticated remote denial of service via a crafted network capture file or live traffic. User interaction (opening a malicious capture file or capturing traffic) is required. No public exploit code or active exploitation has been identified at the time of analysis.
Buffer Overflow
Denial Of Service
Red Hat
Suse
-
CVE-2026-6531
MEDIUM
CVSS 5.5
Infinite loop in the SANE protocol dissector in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 causes denial of service when processing malformed SANE packets. A local attacker with user privileges can trigger the infinite loop by crafting a specially formatted SANE network capture or injecting malicious packets, causing Wireshark to hang and become unresponsive, denying analysts access to packet analysis.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6530
MEDIUM
CVSS 5.5
Heap buffer overflow in Wireshark's DCP-ETSI protocol dissector causes denial of service when processing malformed network packets in versions 4.6.0-4.6.4 and 4.4.0-4.4.14. A local user can trigger a crash by opening a crafted packet file or live network capture, rendering the packet analysis tool unresponsive. No remote exploitation or data exfiltration is possible; impact is limited to availability.
Buffer Overflow
Denial Of Service
Heap Overflow
Red Hat
Suse
-
CVE-2026-6529
MEDIUM
CVSS 5.5
Heap buffer overflow in the iLBC audio codec dissector in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 allows local attackers with user interaction to trigger a denial of service crash by supplying a malformed iLBC packet. The vulnerability requires user interaction to open a crafted packet capture file and does not enable code execution.
Buffer Overflow
Denial Of Service
Heap Overflow
Red Hat
Suse
-
CVE-2026-6528
MEDIUM
CVSS 5.5
Infinite loop in the TLS protocol dissector of Wireshark 4.6.0 through 4.6.4 causes denial of service when processing malformed TLS packets. Local attackers can trigger the infinite loop by crafting packets and opening them with Wireshark, causing the application to hang or consume excessive CPU resources. User interaction is required to open the malicious packet capture, limiting the attack to scenarios where a victim is tricked into opening untrusted network traffic files.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6527
MEDIUM
CVSS 5.5
Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 crash when processing malformed ASN.1 PER protocol packets, enabling local denial of service against users opening crafted capture files. The vulnerability requires user interaction (opening a file or receiving a live packet capture) but allows an attacker to hang or crash the application without authentication. No active exploitation has been confirmed in public sources.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6526
MEDIUM
CVSS 5.5
Denial of service in Wireshark 4.6.0 through 4.6.4 via null pointer dereference in the RTSP protocol dissector causes application crash when processing malformed RTSP traffic. Local attackers with network access to a Wireshark instance can trigger the crash by supplying a specially crafted RTSP packet, resulting in availability impact. No public exploit code or active in-the-wild exploitation has been identified; patch availability status requires verification from vendor.
Denial Of Service
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-6524
MEDIUM
CVSS 5.5
Denial of service via MySQL protocol dissector crash in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 allows local users with no privileges to crash the application through a crafted malicious pcap file or network capture, requiring only user interaction to open the file. The vulnerability stems from improper memory access in the MySQL dissector parser (CWE-824: Access of Uninitialized Pointer), resulting in application termination and loss of packet analysis capability. No public exploit code or active exploitation has been identified at time of analysis.
Denial Of Service
Memory Corruption
Red Hat
Suse
-
CVE-2026-6523
MEDIUM
CVSS 5.5
Infinite loop in the GNW protocol dissector in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 causes denial of service when processing malformed packets. Local attackers with user interaction can craft malicious GNW traffic or files to exhaust CPU resources and freeze the application, preventing legitimate packet analysis and potentially disrupting network troubleshooting workflows.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6522
MEDIUM
CVSS 5.5
Infinite loop in the RPKI-Router protocol dissector in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 causes denial of service when processing malformed packets. Local attackers with user privileges can trigger the vulnerability through crafted network traffic or pcap files opened in Wireshark, rendering the application unresponsive. No authentication required; user interaction (opening a file or capturing packets) is necessary. No public exploit code or active exploitation in CISA KEV identified at time of analysis.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6521
MEDIUM
CVSS 5.5
Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14 are vulnerable to denial of service via infinite loops in the OpenFlow v5 protocol dissector when processing maliciously crafted packets. An attacker can trigger CPU exhaustion and application hang by delivering a specially crafted OpenFlow v5 packet to a user running an affected version, requiring user interaction (opening a capture file or live packet capture). No public exploit code has been identified, but the vulnerability is straightforward to trigger once the root cause is known.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6520
MEDIUM
CVSS 5.5
Wireshark versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14 are vulnerable to a denial of service attack via an infinite loop in the OpenFlow v6 protocol dissector, triggered when processing malformed OpenFlow traffic. A local attacker with user interaction can crash the Wireshark application by crafting a malicious packet capture file or live traffic stream, rendering packet analysis unavailable until the process is restarted. No authentication is required, and the CVSS score of 5.5 reflects local attack vector with high availability impact.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6519
MEDIUM
CVSS 5.5
Infinite loop in the MBIM protocol dissector of Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 causes denial of service when processing specially crafted MBIM packets. A local user with normal privileges can trigger the infinite loop via user interaction (opening a malicious packet capture file), causing the application to hang and become unresponsive. No code execution or data access is possible; impact is strictly availability.
Denial Of Service
Red Hat
Suse
-
CVE-2026-6498
MEDIUM
CVSS 5.3
Five Star Restaurant Reservations plugin for WordPress versions up to 2.7.16 allows unauthenticated attackers to bypass payment verification through PHP type juggling in the valid_payment() function. The vulnerability exists in the rtb_stripe_pmt_succeed AJAX handler, which uses loose comparison (==) between attacker-supplied payment_id and the booking's stripe_payment_intent_id. When the intent ID is null (before Stripe intent creation), an empty payment_id parameter passes validation, enabling attackers to mark payment-pending bookings as paid without completing actual Stripe payments. This permits unauthorized order fulfillment and revenue loss for affected WordPress sites.
PHP
WordPress
Authentication Bypass
-
CVE-2026-5657
MEDIUM
CVSS 5.5
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via crafted iLBC codec packets allows local attackers with user interaction to crash the application and interrupt service. The vulnerability stems from a use-after-free condition in the iLBC codec parser, triggered when Wireshark processes malformed audio codec data, causing an application crash without code execution.
Denial Of Service
Red Hat
Suse
-
CVE-2026-5655
MEDIUM
CVSS 5.5
Denial of service in Wireshark 4.6.0 through 4.6.4 via crafted SDP protocol packets allows local attackers with user interaction to crash the application through a use-after-free memory corruption vulnerability in the SDP protocol dissector. EPSS and KEV status not available at analysis time; no public exploit code identified.
Denial Of Service
Use After Free
Memory Corruption
Red Hat
Suse
-
CVE-2026-5654
MEDIUM
CVSS 5.5
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via stack buffer overflow in the AMR-NB codec decoder allows local attackers with user interaction to crash the application. The vulnerability requires opening a specially crafted network capture file, making it exploitable in scenarios where users are tricked into opening untrusted PCAP files or when Wireshark auto-opens recent captures.
Buffer Overflow
Denial Of Service
Stack Overflow
Red Hat
Suse
-
CVE-2026-5653
MEDIUM
CVSS 5.5
Heap buffer overflow in the DCP-ETSI protocol dissector in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 causes denial of service when a user opens a malicious packet capture file. The vulnerability requires user interaction (opening a crafted .pcap or similar file locally) and crashes the application, preventing further packet analysis. No public exploit code or active exploitation has been confirmed at this time.
Buffer Overflow
Denial Of Service
Heap Overflow
Red Hat
Suse
-
CVE-2026-5409
MEDIUM
CVSS 5.5
Denial of service in Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14 via malformed Monero protocol packets causes application crash through unbounded recursion in the protocol dissector. Local attackers with user-level privileges can trigger the crash by opening a crafted pcap file or receiving a malicious network packet during live capture, requiring user interaction to open the malicious file but resulting in complete unavailability of the packet analysis tool.
Denial Of Service
Red Hat
Suse
-
CVE-2026-5408
MEDIUM
CVSS 5.5
Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14 crash when processing malformed BT-DHT protocol packets, enabling local denial of service against users who open crafted capture files or sniff untrusted network traffic. The vulnerability requires local access and user interaction (opening a file or viewing live capture), but no authentication is required. EPSS exploitation probability is moderate given the low attack complexity and the prevalence of Wireshark in security operations.
Denial Of Service
Red Hat
Suse
-
CVE-2026-5407
MEDIUM
CVSS 5.5
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via infinite loop in SMB2 protocol dissector allows local attackers to crash the application when processing malicious or malformed SMB2 network traffic. Exploitation requires user interaction (opening a crafted capture file or live capture), and causes high availability impact with no data confidentiality or integrity compromise. CVSS 5.5 reflects local attack vector but potential for widespread impact given Wireshark's role in network analysis workflows.
Denial Of Service
Red Hat
Suse
-
CVE-2026-5406
MEDIUM
CVSS 5.5
Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14 crash when processing malformed FC-SWILS (Fibre Channel Switch InterLink Service) protocol packets, enabling denial of service via local or remote delivery of a crafted packet file. The vulnerability requires user interaction (opening a malicious capture file), and no active exploitation has been confirmed at time of analysis.
Denial Of Service
Red Hat
Suse
-
CVE-2026-5404
MEDIUM
CVSS 4.7
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 allows local attackers to crash the application by parsing malformed K12 RF5 files with user interaction. The vulnerability stems from a buffer overflow in the K12 RF5 file parser, requiring an attacker to trick a user into opening a crafted file. No public exploit code or active exploitation has been identified at time of analysis.
Buffer Overflow
Denial Of Service
Red Hat
Suse
-
CVE-2026-5401
MEDIUM
CVSS 5.5
Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14 crash when processing malformed AFP Spotlight protocol packets, causing denial of service. An attacker can trigger the crash by delivering a crafted packet to a user running a vulnerable version, disrupting packet analysis and network monitoring. The vulnerability requires local or direct network access and user interaction to open a malicious capture file or receive the packet during live capture, but no authentication is needed.
Denial Of Service
Red Hat
Suse
-
CVE-2026-5299
MEDIUM
CVSS 5.5
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via malformed ICMPv6 PvD (Prefix Validation Data) packets crashes the protocol dissector, requiring user interaction to open a crafted capture file. The vulnerability affects local users only (AV:L) and does not enable code execution, information disclosure, or integrity compromise.
Denial Of Service
Red Hat
Suse
-
CVE-2026-5080
MEDIUM
CVSS 5.9
Dancer::Session::Abstract through version 1.3522 generates cryptographically weak session identifiers by combining predictable inputs (file path, process ID, epoch time) with an insufficiently seeded Perl rand() function, allowing remote attackers to predict valid session IDs and hijack user sessions without authentication. The vulnerability affects Perl-based web applications using the Dancer framework's default session handling; active exploitation is not confirmed, but the attack requires only guessing a session ID, making it practically exploitable.
Information Disclosure
-
CVE-2026-4502
MEDIUM
CVSS 6.5
Authenticated attackers can exploit a path traversal vulnerability in IBM Langflow Desktop 1.2.0 through 1.8.4 to write arbitrary files to the system by crafting URLs containing directory traversal sequences (/../). The vulnerability requires prior authentication but allows complete bypass of file system restrictions, enabling file overwrite or creation outside intended directories with no integrity protections.
Path Traversal
IBM
-
CVE-2026-3833
MEDIUM
CVSS 6.5
GnuTLS performs case-sensitive comparisons of nameConstraints labels in DNS and email certificate constraints, allowing remote attackers to bypass certificate policy validation by crafting leaf certificates with differing character casing in the Subject Alternative Name field. This policy bypass could result in acceptance of certificates that should be rejected, potentially enabling unauthorized access or information disclosure. The vulnerability affects GnuTLS across Red Hat Enterprise Linux 6 through 10 and Red Hat OpenShift Container Platform 4, with no confirmed active exploitation at time of analysis.
Authentication Bypass
Information Disclosure
-
CVE-2026-3346
MEDIUM
CVSS 6.4
Stored cross-site scripting in IBM Langflow Desktop 1.6.0 through 1.8.4 allows authenticated users to inject arbitrary JavaScript code into the Web UI, potentially altering application functionality and disclosing session credentials to other users of the same instance. The vulnerability requires valid authentication but no user interaction from the target, affecting confidentiality and integrity of the application.
XSS
SQLi
IBM
-
CVE-2026-3345
MEDIUM
CVSS 6.5
Path traversal in IBM Langflow Desktop versions 1.8.4 and earlier allows authenticated remote attackers to read arbitrary files on the system by crafting URLs containing directory traversal sequences (/../). The vulnerability affects the file handling mechanism and could expose sensitive configuration, source code, or other confidential files accessible to the Langflow process. A vendor-released patch is available.
Path Traversal
IBM
-
CVE-2026-3340
MEDIUM
CVSS 6.5
Server-side request forgery (SSRF) in IBM Langflow Desktop 1.0.0 through 1.8.4 permits unauthenticated remote attackers to send arbitrary HTTP requests from the vulnerable system, enabling network enumeration, internal service probing, and facilitation of secondary attacks against backend infrastructure. CVSS 6.5 reflects moderate confidentiality and integrity impact with no authentication required (PR:N in the vector).
SSRF
IBM
-
CVE-2026-2311
MEDIUM
CVSS 6.4
IBM i 7.2-7.6 contains an invalid authorization check in the Web Administration GUI that allows authenticated high-privilege users with administrator access to trigger privilege escalation, enabling user-controlled code execution with administrator privileges. The vulnerability requires high privileges and user interaction (CVSS:H for confidentiality, integrity, and availability), but is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been identified as of the analysis date.
Authentication Bypass
Privilege Escalation
IBM
-
CVE-2026-1577
MEDIUM
CVSS 6.5
Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows authenticated users to crash the database server via improper neutralization of special elements in query logic. An attacker with valid database credentials can trigger the vulnerability remotely without user interaction, resulting in service unavailability. No active exploitation has been confirmed at time of analysis.
Denial Of Service
IBM
Microsoft
-
CVE-2026-1493
MEDIUM
CVSS 4.6
DOM-based cross-site scripting in LEX Baza Dokumentów through version 1.3.3 allows attackers to execute arbitrary JavaScript in victim browsers via unsafe processing of the 'em' cookie parameter on the client side. Exploitation requires local access and user interaction, and the attacker must have the ability to set a cookie, significantly limiting real-world attack surface. The vendor has released patch version 1.3.4 to address this vulnerability.
XSS
-
CVE-2025-36335
MEDIUM
CVSS 6.2
IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.3.0, and 5.3.1 store user credentials in plain text within local filesystem locations, allowing any local user to read sensitive authentication material without authentication. This information disclosure vulnerability affects confidentiality but not integrity or availability, and requires local filesystem access to exploit.
Information Disclosure
IBM
-
CVE-2025-36180
MEDIUM
CVSS 5.3
IBM watsonx.data versions 2.2 through 2.3 fail to enforce proper network segmentation between Kubernetes pods in the Lakehouse component, allowing attackers with network access to the cluster to transfer data between pods without authentication or authorization controls. This integrity vulnerability has a moderate CVSS score of 5.3 and requires adjacent network access and specific configuration conditions to exploit.
Information Disclosure
IBM
-
CVE-2025-36122
MEDIUM
CVSS 6.5
Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.3 for Linux, UNIX, and Windows allows authenticated users to crash the database server by submitting a specially crafted SQL query that triggers improper system resource allocation. An attacker with valid database credentials can exhaust resources and render the database unavailable to legitimate users, without causing data corruption or gaining unauthorized access. No public exploit code has been identified, though the vulnerability requires only valid authentication and a standard SQL interface.
Denial Of Service
IBM
Microsoft
-
CVE-2025-14688
MEDIUM
CVSS 5.3
Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.3 allows authenticated users to crash the database server via improper neutralization of special elements in query logic when specific configurations are present. Attack requires valid database credentials and high attack complexity, limiting exploitation to insiders or users with legitimate access. Vendor has released patches addressing the underlying query parsing flaw.
Denial Of Service
IBM
Microsoft
-
CVE-2026-40686
LOW
CVSS 3.7
Out-of-bounds read in Exim before 4.99.2 when UTF-8 operators are enabled allows remote unauthenticated attackers to leak sensitive information through error messages by sending email with malformed UTF-8 trailing characters in headers. The vulnerability has high attack complexity due to the requirement for UTF-8 operator enablement and specific malformed input crafting, but requires no user interaction and operates over the network on default deployments.
Buffer Overflow
Information Disclosure
-
CVE-2026-33450
LOW
CVSS 2.3
Out-of-bounds read in Absolute Secure Access macOS client prior to version 14.50 allows remote attackers with control of a modified server to send malformed packets triggering denial of service. The vulnerability requires high attack complexity (modified server infrastructure and user interaction) and results in availability impact only, with a low CVSS score of 2.3 reflecting limited real-world severity despite network accessibility.
Buffer Overflow
Information Disclosure
Apple
-
CVE-2026-33449
LOW
CVSS 2.3
Buffer overflow in Absolute Secure Access prior to version 14.50 allows remote attackers to cause denial of service by sending a cryptographically valid message to the client, potentially overwriting memory. The vulnerability requires network access and user interaction (UI:P), making it a moderate-complexity attack with low availability impact. Vendor has released a patch available as of the CVE disclosure.
Buffer Overflow
Denial Of Service
Stack Overflow
-
CVE-2026-33447
LOW
CVSS 2.3
Buffer overflow in Secure Access message parsing prior to version 14.50 allows remote attackers with control of a modified server to send specially crafted packets that corrupt memory, potentially causing denial of service or limited information disclosure. Attack requires network access, high complexity, and user interaction; CVSS 2.3 reflects limited real-world impact despite the vulnerability class.
Buffer Overflow
Stack Overflow
-
CVE-2026-33446
LOW
CVSS 2.3
Buffer overflow in the authentication subsystem of Absolute Secure Access prior to version 14.50 allows remote attackers controlling a malicious server to send specially crafted packets that corrupt memory, potentially causing denial of service. The vulnerability requires high attack complexity and user interaction, resulting in low confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been identified at the time of analysis.
Buffer Overflow
-
CVE-2026-7510
LOW
CVSS 2.1
Authorization bypass in OWASP DefectDojo up to version 2.55.4 allows authenticated users to manipulate objects in Benchmark, Engagement, Product, and Survey components by directly accessing resources via unvalidated object IDs, bypassing ownership checks. The vulnerability affects multiple endpoints that retrieve objects without verifying the requesting user has authorization to access the specific resource, enabling lateral privilege escalation and unauthorized data modification. Publicly disclosed exploit code exists, and the vulnerability requires network access with valid authentication credentials to exploit.
Authentication Bypass
-
CVE-2026-7508
LOW
CVSS 2.1
Code injection in Bootstrap CMS 0.9.0-alpha page creation handler allows authenticated remote attackers to inject arbitrary code via the body parameter in resources/views/pages/show.blade.php, with publicly available exploit code and a CVSS score of 2.1 reflecting low confidentiality/integrity impact. The vulnerability affects an unmaintained product with an inactive code repository, limiting real-world exposure but enabling opportunistic exploitation of legacy deployments.
PHP
Code Injection
-
CVE-2026-7502
LOW
CVSS 2.1
LinkStack up to version 4.8.6 contains an authorization bypass vulnerability in the saveLink function of UserController.php that allows authenticated attackers to modify links belonging to other users via insecure direct object references (IDOR). The vulnerability affects the Management Endpoint and enables remote attackers with valid credentials to manipulate or delete arbitrary user links, with publicly available exploit code and an unmerged patch awaiting acceptance.
PHP
Authentication Bypass
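Both the DefectDojo and LinkStack entries above describe the same pattern: a handler fetches a record by the ID the request carries and never asks whether the caller owns it. The following is an added illustration, not code from either project; the `Link` model, the `Store` stand-in for the database and the user IDs are constructed. It shows the vulnerable lookup beside a hardened one that makes the owner part of the query and returns the same not-found result for foreign and non-existent IDs, so the endpoint does not leak which IDs exist.

```python
"""IDOR on an edit endpoint: unscoped lookup beside an owner-scoped lookup.
Added example with constructed data; not DefectDojo or LinkStack code."""
from dataclasses import dataclass, field
from typing import Dict


class NotFound(Exception):
    """Raised for missing *and* foreign objects so they are indistinguishable."""


@dataclass
class Link:
    id: int
    owner_id: int
    url: str


@dataclass
class Store:
    # Constructed sample rows standing in for the application's database.
    links: Dict[int, Link] = field(default_factory=lambda: {
        1: Link(1, owner_id=100, url="https://alice.example/"),
        2: Link(2, owner_id=200, url="https://bob.example/"),
    })


def save_link_vulnerable(store: Store, current_user_id: int, link_id: int, new_url: str) -> Link:
    """Vulnerable: the record is selected purely by the client-supplied ID.
    current_user_id is accepted but never compared against the row's owner."""
    link = store.links.get(link_id)
    if link is None:
        raise NotFound()
    link.url = new_url
    return link


def save_link_hardened(store: Store, current_user_id: int, link_id: int, new_url: str) -> Link:
    """Hardened: ownership is part of the selection, not an afterthought.
    (In Django this is get_object_or_404(Link, pk=link_id, owner=request.user);
    in Eloquent, auth()->user()->links()->findOrFail($id).)"""
    link = store.links.get(link_id)
    if link is None or link.owner_id != current_user_id:
        raise NotFound()  # same response whether the ID is foreign or absent
    link.url = new_url
    return link


def demo() -> dict:
    """User 200 (Bob) tries to rewrite link 1, which belongs to user 100 (Alice)."""
    store = Store()
    save_link_vulnerable(store, current_user_id=200, link_id=1, new_url="https://evil.example/")
    hijacked_url = store.links[1].url

    store = Store()
    try:
        save_link_hardened(store, current_user_id=200, link_id=1, new_url="https://evil.example/")
        blocked = False
    except NotFound:
        blocked = True
    return {
        "vulnerable_url_after": hijacked_url,
        "hardened_blocked": blocked,
        "hardened_url_after": store.links[1].url,
    }


if __name__ == "__main__":
    print(demo())
```

The point of folding the owner into the query rather than checking it after the fetch is that a later refactor (a new endpoint reusing the same lookup helper) cannot silently drop the check.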
-
CVE-2026-7501
LOW
CVSS 2.0
Stored cross-site scripting (XSS) in LinkStack up to version 4.8.6 allows authenticated users to inject malicious scripts via the pageDescription parameter in the editPage function, which are then stored and executed in the browsers of users viewing the affected page. The vulnerability requires authenticated access and user interaction (the victim must view the page), but publicly available exploit code exists and the vendor has provided a fix via pull request #974.
PHP
XSS
-
CVE-2026-7469
LOW
CVSS 2.1
Command injection in Tenda 4G300 US version 1.01.42 allows authenticated remote attackers to execute arbitrary system commands via the delflag parameter in the /goform/DelFil endpoint. The flaw is in the sub_425A28 function and publicly available exploit code exists; the CVSS rating shown above reflects the requirement for authenticated access.
Command Injection
Tenda
-
CVE-2026-7447
LOW
CVSS 2.1
SQL injection in SourceCodester Pet Grooming Management Software 1.0 allows authenticated remote attackers to manipulate the type, length, or business parameters in /admin/update_customer.php, enabling unauthorized database queries with limited confidentiality and integrity impact. The vulnerability requires login credentials (PR:L) but carries low overall severity (CVSS 2.1); however, publicly available exploit code exists and the attack vector is network-accessible, making it a practical risk for multi-tenant or shared hosting deployments.
PHP
SQLi
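The entry above says the injection is in string parameters of an admin update page. As an added example (not the vendor's PHP; the table layout, column names and payload are constructed for an in-memory SQLite database), the block below shows a string-built UPDATE of the same shape and how one crafted `type` value rewrites every customer row, next to the parameterised statement that stores the same bytes harmlessly.

```python
"""Second-order effect of SQL injection in an UPDATE: a payload in one column
value hijacks the rest of the statement and drops the WHERE clause.
Added example on constructed data; not the Pet Grooming Management code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the application's customer table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, type TEXT, business TEXT)"
    )
    con.executemany(
        "INSERT INTO customer (id, name, type, business) VALUES (?, ?, ?, ?)",
        [(1, "alice", "dog", "Alice Pets"), (2, "bob", "cat", "Bob Pets")],
    )
    con.commit()
    return con


def update_customer_vulnerable(con: sqlite3.Connection, customer_id: int, pet_type: str, business: str) -> None:
    """Vulnerable: request values are interpolated into the statement text."""
    sql = f"UPDATE customer SET type='{pet_type}', business='{business}' WHERE id={customer_id}"
    con.execute(sql)
    con.commit()


def update_customer_hardened(con: sqlite3.Connection, customer_id: int, pet_type: str, business: str) -> None:
    """Hardened: bound parameters travel separately from the statement, so quotes
    and comment markers inside them cannot change the query's shape."""
    con.execute(
        "UPDATE customer SET type=?, business=? WHERE id=?",
        (pet_type, business, customer_id),
    )
    con.commit()


def snapshot(con: sqlite3.Connection) -> list:
    return con.execute("SELECT id, type, business FROM customer ORDER BY id").fetchall()


# Constructed payload: closes the type literal, supplies its own business value,
# then comments out everything that follows, including WHERE id=2.
PAYLOAD = "x', business='pwned' -- "


def demo() -> dict:
    con = make_db()
    update_customer_vulnerable(con, 2, PAYLOAD, "Bob Pets")
    vulnerable = snapshot(con)  # every row now has type='x', business='pwned'

    con = make_db()
    update_customer_hardened(con, 2, PAYLOAD, "Bob Pets")
    hardened = snapshot(con)    # only row 2 changes, and it stores the payload verbatim
    return {"vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

The same payload would work against the `length` and `business` parameters named in the entry; which one the attacker uses only changes which assignment gets hijacked.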
-
CVE-2026-7429
LOW
CVSS 2.1
Reflected cross-site scripting in SSCMS v7.4.0 allows authenticated attackers to inject arbitrary JavaScript through crafted STL template payloads in the /api/stl/actions/dynamic endpoint. The vulnerability arises from improper output encoding when decrypted STL templates are returned in JSON responses, enabling session hijacking, credential theft via phishing, and unauthorized user actions. User interaction is required to trigger the payload, limiting but not eliminating real-world risk.
XSS
-
CVE-2026-3832
LOW
CVSS 3.7
GnuTLS with OCSP verification enabled incorrectly accepts revoked server certificates when presented with specially crafted multi-record OCSP responses during TLS handshakes. A server presenting a revoked certificate (for example, one whose private key has been compromised) can therefore pass the client's revocation check and be trusted. The vulnerability requires high attack complexity and specific OCSP configuration, and affects Red Hat Enterprise Linux 6-10, Red Hat Hardened Images, and OpenShift Container Platform 4. No public exploit code or active exploitation has been identified at the time of analysis.
Information Disclosure
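An OCSP response may carry several SingleResponse records, each keyed by a CertID (hash algorithm, issuer name hash, issuer key hash, serial). The check a client needs is the one for the certificate it is actually validating, and anything else must fail closed. The page does not state the root cause of the GnuTLS flaw, so the `status_first_record` function below is only a model of one way a multi-record check can go wrong; it is an assumption, not GnuTLS code. The records, hashes and clock are constructed. This is an added example, not part of the original entry.

```python
"""Revocation decision over a multi-record OCSP response (RFC 6960 terms).
Added example with constructed records; not GnuTLS code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Sequence

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass(frozen=True)
class CertID:
    hash_alg: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


@dataclass
class SingleResponse:
    cert_id: CertID
    status: str
    this_update: datetime
    next_update: Optional[datetime]


def status_first_record(responses: Sequence[SingleResponse], target: CertID) -> str:
    """Model of a flawed check (assumption, not the actual GnuTLS logic): trusts
    the status of the first record without checking which certificate it covers."""
    return responses[0].status if responses else UNKNOWN


def status_for_cert(responses: Sequence[SingleResponse], target: CertID, now: datetime,
                    max_skew: timedelta = timedelta(minutes=5)) -> str:
    """Match on the full CertID, reject stale or future-dated records, and let a
    REVOKED record win over any GOOD record for the same certificate."""
    matches = [r for r in responses if r.cert_id == target]
    if not matches:
        return UNKNOWN          # response says nothing about our cert: fail closed
    verdict = GOOD
    for r in matches:
        if r.this_update > now + max_skew:
            return UNKNOWN      # produced in the future
        if r.next_update is not None and r.next_update < now:
            return UNKNOWN      # expired
        if r.status == REVOKED:
            return REVOKED
        if r.status == UNKNOWN:
            verdict = UNKNOWN
    return verdict


def accept_handshake(status: str) -> bool:
    """Only an explicit GOOD continues the TLS handshake."""
    return status == GOOD


def demo() -> dict:
    now = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)      # constructed clock
    issuer_name = bytes.fromhex("aa" * 20)                       # constructed hashes
    issuer_key = bytes.fromhex("bb" * 20)
    other = CertID("sha1", issuer_name, issuer_key, 0x1001)      # some unrevoked cert
    ours = CertID("sha1", issuer_name, issuer_key, 0x2002)       # the cert being validated
    fresh = dict(this_update=now - timedelta(hours=1), next_update=now + timedelta(days=1))
    crafted = [
        SingleResponse(other, GOOD, **fresh),     # first record: good, but for another cert
        SingleResponse(ours, REVOKED, **fresh),   # our cert's record is second
    ]
    stale = [SingleResponse(ours, GOOD, now - timedelta(days=10), now - timedelta(days=3))]
    return {
        "first_record": status_first_record(crafted, ours),
        "matched": status_for_cert(crafted, ours, now),
        "absent": status_for_cert(crafted[:1], ours, now),
        "stale": status_for_cert(stale, ours, now),
        "accepts_crafted": accept_handshake(status_for_cert(crafted, ours, now)),
    }


if __name__ == "__main__":
    print(demo())
```

A responder-signed response can legitimately bundle records for many certificates, so presence of a GOOD record is never evidence about the certificate in hand until its CertID has been compared field by field.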
-
CVE-2025-13030
LOW
CVSS 2.0
Remote code execution in django-mdeditor (all versions prior to commit 3e80f9e) allows unauthenticated attackers to upload malicious files via the image upload endpoint. The vulnerability combines missing authentication (CWE-306) with insufficient filename sanitization, enabling arbitrary code execution when uploaded files are accessed. Proof-of-concept exploit code is publicly available (CVSS temporal metric E:P), though user interaction is required (UI:R). EPSS data not available, not listed in CISA KEV at time of analysis.
Authentication Bypass
RCE
Python
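The entry above names two defects, a missing authentication check and weak filename handling. The following is an added example, not django-mdeditor's code: the view shape, the `UPLOAD_ROOT` path and the allowlist are assumptions. It shows the two checks a practitioner would want on any image upload endpoint: reject anonymous callers first, then never let the client's filename choose the stored path (uuid name, allowlisted extension, magic-byte check on the content), which closes the traversal, NUL-byte, double-extension and script-as-image cases in one place.

```python
"""Hardened image upload handling: authentication gate plus filename/content
validation. Added example with constructed inputs; not django-mdeditor code."""
import os
import uuid

# Assumed storage root and allowlist (extension -> leading magic bytes).
UPLOAD_ROOT = "/srv/app/media/editor"
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


class RejectedUpload(ValueError):
    pass


def safe_target(original_name: str, head: bytes, root: str = UPLOAD_ROOT) -> str:
    """Return an absolute storage path under `root`, or raise RejectedUpload.
    `head` is the first bytes of the uploaded content."""
    base = os.path.basename(original_name.replace("\\", "/"))  # drop client-supplied directories
    if "\x00" in base:
        raise RejectedUpload("NUL byte in filename")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise RejectedUpload(f"extension {ext!r} not allowed")
    if not head.startswith(ALLOWED[ext]):
        raise RejectedUpload("content does not match declared image type")
    name = f"{uuid.uuid4().hex}.{ext}"          # the client's name never reaches the filesystem
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, name))
    if os.path.commonpath([target, real_root]) != real_root:
        raise RejectedUpload("path escapes upload root")  # defence in depth; unreachable with uuid names
    return target


def handle_upload(user_is_authenticated: bool, original_name: str, head: bytes) -> str:
    """Simplified view: the authentication check the entry says was missing (CWE-306),
    then filename and content validation. Returns where the file would be stored."""
    if not user_is_authenticated:
        raise RejectedUpload("authentication required")
    return safe_target(original_name, head)


def outcome(user_is_authenticated: bool, original_name: str, head: bytes) -> str:
    """Human-readable result for one constructed request."""
    try:
        path = handle_upload(user_is_authenticated, original_name, head)
    except RejectedUpload as exc:
        return f"rejected: {exc}"
    if not path.startswith(os.path.realpath(UPLOAD_ROOT) + os.sep):
        return "error: stored outside upload root"
    return "accepted under upload root"


def demo() -> dict:
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8                   # constructed PNG header
    php = b"<?php system($_GET['c']); ?>"                      # constructed web shell body
    return {
        "anonymous": outcome(False, "a.png", png),
        "php_ext": outcome(True, "shell.php", php),
        "php_body_png_ext": outcome(True, "shell.png", php),
        "nul_byte": outcome(True, "shell.png\x00.php", png),
        "traversal": outcome(True, "../../etc/cron.d/job.png", png),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} {result}")
```

Serving the upload directory with script execution disabled (and, ideally, from a separate origin) is the complementary control: even if a validation bug lets a script body through, the web server should never interpret it.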