THREAT ALERT

ACT NOW CVE-2026-41940 9.3 Authentication bypass in cPanel & WHM allows unauthenticated remote attackers to gain unauthorized access to the control panel by exploiting a flaw in the login flow. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, an EPSS score of 16.52% (95th percentile), and affects multiple long-term support branches of cPanel & WHM as well as WP Squared. Given that cPanel administers shared hosting environments, successful exploitation typically grants attackers control over many downstream customer sites. | ACT NOW CVE-2026-31431 7.8 Memory corruption in Linux kernel's algif_aead cryptographic interface allows local authenticated users to achieve arbitrary kernel memory read/write, leading to privilege escalation to root. The vulnerability stems from improper handling of in-place operations introduced in commit 72548b093ee3, affecting kernel versions from 4.14 through 6.19.x. Multiple public exploit codes exist including proof-of-concept demonstrations from security researchers, with EPSS score of 0.01% indicating currently low widespread exploitation likelihood despite POC availability. | ACT NOW CVE-2026-32201 6.5 Improper input validation in Microsoft SharePoint Server enables network-based spoofing attacks without authentication, allowing attackers to forge communications and deceive users. Affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. This vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, making it a critical operational priority despite the moderate CVSS score of 6.5. | ACT NOW CVE-2026-33825 7.8 Privilege escalation in Microsoft Defender Antimalware Platform versions before 4.18.26030.3011 allows authenticated local attackers to gain elevated system privileges through insufficiently granular access controls. CVSS 7.8 (High) reflects local attack vector requiring low privileges. EPSS score of 0.04% (12th percentile) indicates low probability of widespread exploitation. Microsoft has released a patched version (4.18.26030.3011) addressing the access control deficiency. | ACT NOW CVE-2026-32202 4.3 Windows Shell protection mechanism failure (CVE-2026-32202) allows remote attackers to perform spoofing attacks over a network without authentication, requiring only user interaction. This low-severity vulnerability affects multiple Windows versions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025. While not actively exploited in the wild, vendor patches are available across all affected versions, and the low CVSS score (4.3) reflects limited confidentiality impact and no availability impact despite the network-accessible attack vector. | ACT NOW CVE-2026-34621 8.6 Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execution in user context via malicious PDF files. Attack requires user interaction to open a crafted document. CVSS 9.6 (Critical) reflects network-deliverable code execution with scope change, though EPSS 0.24% (46th percentile) suggests moderate real-world exploitation probability. No public exploit identified at time of analysis. | ACT NOW CVE-2026-39987 9.3 Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/terminal/ws` WebSocket endpoint. The terminal handler skips authentication validation entirely, accepting connections without credential checks and spawning PTY shells directly. Attackers obtain full interactive shell access as root in default Docker deployments through a single WebSocket connection, bypassing Marimo's authentication middleware. No public exploit identified at time of analysis. | ACT NOW CVE-2026-34197 8.8 Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec( | EMERGENCY CVE-2026-35616 9.8 Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execute arbitrary code via crafted network requests. The vulnerability stems from improper access control (CWE-284) and requires no user interaction or privileges (CVSS PR:N). With a CVSS score of 9.1 (Critical) and low attack complexity, this represents a severe exposure for organizations using affected FortiClientEMS versions. The CVSS temporal metrics indicate functional exploit code exists (E:F) with an official fix available (RL:O), making this a high-priority patching target despite no confirmed active exploitation (not present in CISA KEV). |

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Get CVEs that hit your stack — not 200/day

Pick your technologies, get a weekly digest by email. Free, no spam.

React Python Postgres +200 more

React Next.js Python Postgres AWS +200 more

Trending Now See all

Critical Watch See all

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Incoming 20

Pre-NVD – not yet scored

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — May 04, 2026

225 CVEs tracked today. 43 Critical, 71 High, 72 Medium, 39 Low.

CVE-2026-42812 CRITICAL CVSS 9.4
Authenticated attackers with table configuration privileges can bypass storage location validation in Apache Polaris by manipulating the write.metadata.path property during ALTER TABLE operations. This forces Polaris to write metadata files to attacker-controlled storage locations without proper validation, then subsequently issue cloud storage credentials for those locations. The vulnerability enables unauthorized access to and potential corruption of data belonging to other tables within the catalog's allowedLocations scope, particularly when polaris.config.allow.unstructured.table.location=true. EPSS data not available; no public exploit identified at time of analysis.

Authentication Bypass Apache
CVE-2026-42811 CRITICAL CVSS 9.4
CEL injection in Apache Polaris 1.4.0 allows authenticated users to escape credential access boundaries on Google Cloud Storage. Attackers can craft namespace or table identifiers containing single quotes and CEL fragments to break out of quoted strings in Credential Access Boundary conditions, escalating temporary table-scoped GCS credentials to effectively bucket-wide access. Confirmed in private testing: attackers obtained credentials intended for one table but successfully listed, read, created, and deleted objects across unrelated tables and external prefixes within the entire configured bucket. EPSS data not yet available for this recent CVE; CVSS 9.4 reflects critical confidentiality, integrity, and availability impact across both vulnerable and subsequent systems (scope changed).

Apache Information Disclosure Google
CVE-2026-42810 CRITICAL CVSS 9.4
Wildcard injection in Apache Polaris table names allows authenticated users to escalate privileges and access unauthorized S3 data across tables. By creating tables with literal asterisk characters (e.g., 'f*.t1', '*.*'), attackers bypass IAM policy scoping and obtain temporary S3 credentials that match other tables' storage paths. Confirmed exploitation scenarios include reading Iceberg metadata control files, listing table prefixes, and creating/deleting objects in victim tables' S3 locations - even when the attacker lacks direct Polaris permissions on those tables. Private testing confirmed this on both MinIO and AWS S3 against Polaris 1.4.0. The CVSS 9.4 (Critical) reflects network-accessible exploitation requiring only low privileges (namespace-scoped TABLE_CREATE), with high confidentiality, integrity, and availability impact across system and subsequent components. No public exploit code or CISA KEV listing identified at time of analysis, but the Apache advisory provides detailed attack mechanics.

Authentication Bypass Apache
CVE-2026-42809 CRITICAL CVSS 9.4
Apache Polaris issues overly-permissive temporary storage credentials during staged table creation, allowing authenticated attackers to redirect vended credentials to attacker-controlled storage locations. The vulnerability stems from missing validation and overlap checks before credential issuance - attackers supply a custom 'location' parameter or 'write.data.path'/'write.metadata.path' properties that become effective immediately without verification. This enables unauthorized access to arbitrary storage resources beyond intended table boundaries, with CVSS 9.4 severity indicating high impact across confidentiality, integrity, and availability of both vulnerable and subsequent systems.

Authentication Bypass Apache
CVE-2026-42796 CRITICAL CVSS 9.2
Remote code execution in Arelle webserver (versions prior to 2.39.10) allows unauthenticated attackers to execute arbitrary Python code by submitting malicious plugin URLs to the /rest/configure endpoint. The vulnerability stems from the webserver's plugin manager accepting and executing external Python files without authentication or URL validation. A patch is available in version 2.39.10 (GitHub PR #2320). CVSS 9.8 with network vector, no privileges required, and EPSS data not provided. No CISA KEV listing or confirmed active exploitation at time of analysis.

Authentication Bypass RCE Python
CVE-2026-42601 CRITICAL CVSS 9.3
Remote code execution in ArchiveBox <= 0.8.6rc0 allows unauthenticated attackers to execute arbitrary commands on the server via unvalidated config injection in the /add/ endpoint. When PUBLIC_ADD_VIEW=True (common for bookmarklet usage), attackers inject malicious environment variables through the config JSON parameter that propagate to archive plugins like yt-dlp and gallery-dl, enabling command execution via --exec flags. The endpoint lacks both input validation and CSRF protection. CVSS 9.3 (Critical) with network vector, low complexity, and no authentication required. Public proof-of-concept exploit exists demonstrating pre-authentication RCE. No vendor-released patch identified at time of analysis.

RCE Python
CVE-2026-42571 CRITICAL CVSS 9.0
Authenticated attackers can escalate privileges to administrator in Pelican Web User Interface versions 7.21 through 7.24 by manipulating database records before legitimate admin users log in. This vulnerability was discovered by a Claude coding agent on April 2, 2026, and affects servers with Server.UIAdminUsers or Server.AdminGroups configured where designated admins have not previously authenticated. No public exploit code exists, and Pelican Command Line reports no confirmed exploitation in OSDF-managed services. Vendor patches are available across all affected minor release series (>=v7.21.5, >=v7.22.3, >=v7.23.3, >=v7.24.2), with fix commit 7f73b9c3e677 addressing CWE-863 (Incorrect Authorization).

Authentication Bypass Privilege Escalation Denial Of Service Information Disclosure
CVE-2026-42569 CRITICAL CVSS 9.4
Unauthenticated remote attackers can trigger complete database wipes and data deletion in phpVMS 7.x through 7.0.5 by accessing an exposed legacy importer endpoint at /importer. The vulnerability stems from deprecated import functionality that remained publicly accessible without authentication checks, allowing remote data modification or destruction. Vendor-released patch (v7.0.6) confirmed via GitHub advisory GHSA-fv26-4939-62fh. No CISA KEV listing or public exploit code identified at time of analysis, but trivial exploitation (CVSS AV:N/AC:L/PR:N/UI:N) makes active targeting likely.

Authentication Bypass
CVE-2026-42370 CRITICAL CVSS 9.0
Stack buffer overflow in GeoVision GV-VMS V20 20.0.2 WebCam Server Login functionality enables remote unauthenticated code execution via crafted HTTP requests. CVSS 9.0 with scope change reflects potential for full system compromise beyond the vulnerable component. High attack complexity (AC:H) suggests exploit requires precise memory manipulation techniques, though no authentication barrier exists. No public exploit identified at time of analysis, and EPSS data unavailable to assess weaponization probability.

RCE Buffer Overflow Memory Corruption
CVE-2026-42369 CRITICAL CVSS 10.0
Remote unauthenticated code execution in GeoVision GV-VMS V20 WebCam Server allows attackers to execute arbitrary code as SYSTEM via stack buffer overflow. The `gvapi` endpoint bypasses standard authentication and copies base64-decoded HTTP Authorization headers into a 256-byte stack buffer without bounds checking, enabling full stack control. The WebCam Server binary is compiled without ASLR, significantly lowering exploitation complexity. CVSS 10.0 with network vector, no prerequisites, and changed scope reflecting system-level compromise. Publicly disclosed by Cisco Talos and vendor advisory available from GeoVision.

RCE Buffer Overflow Memory Corruption
CVE-2026-42368 CRITICAL CVSS 9.9
Privilege escalation in GeoVision LPC2011/LPC2211 1.10 web interface allows authenticated remote attackers to execute privileged operations via crafted HTTP requests. The vulnerability enables scope change (S:C) indicating potential escape from restricted web interface contexts to underlying system privileges. CVSS 9.9 (Critical) with low attack complexity and no user interaction required, making this exploitable by any authenticated user through simple web requests. No public exploit identified at time of analysis.

Privilege Escalation
CVE-2026-42364 CRITICAL CVSS 9.9
OS command injection in GeoVision LPC2011/LPC2211 version 1.10 allows authenticated remote attackers to execute arbitrary commands with system privileges by crafting malicious DDNS configuration values in the DdnsSetting.cgi component. The vulnerability (CVSS 9.9, Critical) requires only low-level authentication and enables full system compromise with scope change, indicating potential lateral movement to other network segments. No public exploit identified at time of analysis, but the attack vector is straightforward for authenticated users with configuration access.

Command Injection
CVE-2026-42238 CRITICAL CVSS 9.0
Remote code execution as root in nginx-ui versions before 2.3.8 via unauthenticated backup restore within 10-minute startup window. Attackers exploit the completely unauthenticated /api/restore endpoint during initial installation to upload malicious backup archives that overwrite app.ini configuration with injected OS commands in TestConfigCmd setting. After automatic application restart, command injection triggers with privileges of the nginx-ui process - typically root in Docker deployments. EPSS data not available; no active exploitation reported but publicly disclosed via GitHub Security Advisory GHSA-4pvg-prr3-9cxr. Patch released in version 2.3.8.

RCE Docker Command Injection Code Injection Nginx
CVE-2026-42090 CRITICAL CVSS 9.6
Remote code execution in Notesnook Desktop (Electron-based) via stored XSS in the note export-to-PDF flow allows unauthenticated remote attackers to execute arbitrary code when a user opens a maliciously crafted note. The vulnerability stems from unescaped HTML in exported note fields (title, headline, content) that execute in an Electron iframe with nodeIntegration enabled and contextIsolation disabled, escalating browser-based XSS to full RCE. Affects Notesnook Web/Desktop <3.3.15 and iOS/Android <3.3.20. CVSS 9.6 with changed scope (S:C) reflects privilege escalation from browser context to system-level code execution. EPSS and KEV data not provided, but requires user interaction (UI:R) to export/view the malicious note, limiting automated exploitation.

XSS RCE Google Apple
CVE-2026-42088 CRITICAL CVSS 9.6
Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.

Privilege Escalation Python Docker Redis
CVE-2026-42087 CRITICAL CVSS 9.6
SQL injection in OpenC3 COSMOS 6.7.0 to 7.0.0-rc2 allows authenticated users with minimal 'tlm' (telemetry viewer) privileges to execute arbitrary SQL commands against the QuestDB time-series database. Attackers can exfiltrate all telemetry data, drop tables, or manipulate historical records via the get_tlm_values RPC endpoint by injecting malicious SQL into the start_time parameter. Vendor-released patch available in version 7.0.0-rc3 (commit 9ba60c0). No active exploitation confirmed (not in CISA KEV), but GitHub advisory includes working proof-of-concept payloads demonstrating both data extraction and table deletion.

SQLi
CVE-2026-42076 CRITICAL CVSS 9.8
Remote code execution in Evolver versions before 1.69.3 allows unauthenticated network attackers to execute arbitrary shell commands via command injection in the _extractLLM() function. Attackers exploit unsanitized corpus parameters passed to execSync() through string concatenation in a curl command, achieving full system compromise. GitHub security advisory GHSA-j5w5-568x-rq53 confirms the vulnerability with proof-of-concept demonstrating shell command substitution bypass. CVSS score of 9.8 reflects no authentication or user interaction requirements. No CISA KEV listing or EPSS data provided, suggesting exploitation status remains uncertain beyond confirmed POC availability.

RCE Command Injection
CVE-2026-42027 CRITICAL CVSS 9.8
Apache OpenNLP's model loading mechanism executes arbitrary static initializers through crafted manifest entries, enabling attackers to trigger side effects in any classpath class before type validation occurs. Affects OpenNLP versions before 2.5.9 and 3.0.0-M3. While not direct RCE, exploitation becomes viable when third-party models from untrusted sources (community repositories, model-sharing platforms) are loaded in environments containing classes with JNDI lookups, network I/O, or filesystem operations in static initializers. EPSS score of 0.29% suggests low widespread exploitation probability despite CVSS 9.8, though attack surface grows with model-sharing ecosystem adoption. No public exploit identified at time of analysis; vendor-released patches available.

RCE Apache Red Hat Suse
CVE-2026-41926 CRITICAL CVSS 9.3
Remote unauthenticated command injection in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows attackers to execute arbitrary OS commands with device privileges via five vulnerable firewall.cgi handlers without authentication. Injected commands persist in NVRAM and automatically re-execute on every subsequent firewall request, creating a self-sustaining backdoor. Public exploit code exists per VulnCheck, making this an immediate weaponization risk for exposed devices. CVSS 9.3 reflects network attack vector with no complexity or authentication barriers (AV:N/AC:L/PR:N), though real-world impact depends on whether management interfaces are internet-exposed.

Command Injection
CVE-2026-41925 CRITICAL CVSS 9.3
Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated attackers to execute arbitrary OS commands via the adm.cgi binary's reboot_time parameter. The vulnerability stems from unsanitized input handling in the reboot scheduling function, exploitable by sending crafted POST requests with shell metacharacters when reboot_enabled=1. Public exploit code exists (CVSS 9.3, SSVC: automatable/total impact), making this a critical priority for affected deployments despite no confirmed CISA KEV listing at time of analysis.

RCE Command Injection
CVE-2026-41924 CRITICAL CVSS 9.3
Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated network attackers to execute arbitrary OS commands via the makeRequest.cgi binary. Exploitation requires no user interaction and has CVSS:4.0 score of 9.3. Publicly available exploit code exists (confirmed by VulnCheck and CISA SSVC framework), enabling automated attacks against exposed devices. SSVC designates this as automatable with total technical impact, representing immediate operational risk to internet-facing extenders.

Command Injection
CVE-2026-41923 CRITICAL CVSS 9.3
OS command injection in WDR201A WiFi Extender firmware v1.02 allows unauthenticated remote attackers to execute arbitrary shell commands via the gateway parameter in internet.cgi. Exploitation requires no user interaction or authentication against internet-exposed devices. Public exploit code exists (VulnCheck advisory), demonstrating active security research interest. CVSS 9.3 reflects maximum network exploitability (AV:N/AC:L/PR:N/UI:N) with high confidentiality, integrity, and availability impact on the device itself. No vendor patch identified at time of analysis for this discontinued consumer IoT product.

Command Injection
CVE-2026-41922 CRITICAL CVSS 9.3
Remote code execution in WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) allows unauthenticated network attackers to execute arbitrary shell commands via OS command injection in the wireless.cgi binary. Attackers exploit unsanitized sz11gChannel or PIN POST parameters in set_wifi_basic and set_wifi_do_wps functions to achieve root-level code execution without authentication. Publicly available exploit code exists. CVSS v4.0 score of 9.3 reflects the critical nature: network-accessible, no complexity, no authentication required, with high confidentiality, integrity, and availability impact. SSVC assessment confirms POC availability, full automatable exploitation, and total technical impact-making this a high-priority remediation target despite no confirmed active exploitation (not CISA KEV-listed).

RCE Command Injection
CVE-2026-41901 CRITICAL CVSS 9.0
Server-Side Template Injection (SSTI) in Thymeleaf 3.1.4.RELEASE and earlier allows remote attackers to execute arbitrary code via specially crafted expressions that bypass the template engine's sandbox restrictions. Applications passing unsanitized user input to sandboxed template contexts are vulnerable to full server compromise. Vendor-released patch is available in version 3.1.5.RELEASE. The CVSS 9.0 CRITICAL rating reflects the potential for remote code execution with high confidentiality, integrity, and availability impact, though the AC:H (high attack complexity) indicates exploitation requires specific application patterns where user input flows directly into sandboxed template contexts without validation.

Authentication Bypass
CVE-2026-41258 CRITICAL CVSS 9.1
Server-side template injection in OpenMRS Core allows authenticated users with 'Manage Concepts' privilege to execute arbitrary Java code by injecting malicious Apache Velocity templates into concept reference range criteria fields. The vulnerability stems from unsafe VelocityEngine initialization without sandbox restrictions (no SecureUberspector), enabling unrestricted Java reflection. Exploitation persists across all facility users whenever observations are validated against the compromised concept, creating a persistent remote code execution vector. Fixed in versions 2.7.9 and 2.8.6 via migration from Velocity to sandboxed Spring Expression Language (SpEL) with SimpleEvaluationContext. No active exploitation confirmed (not in CISA KEV), but proof-of-concept details available from researcher advisory at machinespirits.com.

Privilege Escalation RCE Apache Java Code Injection
CVE-2026-40682 CRITICAL CVSS 9.1
XML External Entity injection in Apache OpenNLP's DictionaryEntryPersistor allows remote unauthenticated attackers to disclose local files or perform server-side request forgery when processing untrusted dictionary files. The vulnerable SAX parser initialization omits critical security features (FEATURE_SECURE_PROCESSING, DTD disablement) present elsewhere in the codebase, creating an inconsistency exploitable via the public Dictionary(InputStream) API when loading stop-word lists or domain dictionaries. With EPSS at 0.03% (8th percentile) and no active exploitation reported, this represents a code-quality issue in a specific input path rather than an imminent widespread threat, though the CVSS 9.1 reflects maximum theoretical impact given the network-accessible, unauthenticated attack vector.

Apache SSRF XXE Suse
CVE-2026-40076 CRITICAL CVSS 9.4
Path traversal (Zip Slip) vulnerability in OpenMRS Core ≤ 2.7.8 and 2.8.0-2.8.5 allows authenticated administrators to achieve remote code execution by uploading a malicious .omod module archive to the REST API endpoint POST /openmrs/ws/rest/v1/module. Attackers can write arbitrary JSP files to the Tomcat webroot via crafted ZIP entries containing directory traversal sequences (e.g., web/module/../../../../malicious.jsp), which bypass incomplete path validation in WebModuleUtil.startModule(). The vulnerability also bypasses the module.allow_web_admin security control, as the REST API does not enforce this restriction despite Legacy UI being protected. No vendor-released patch identified at time of analysis for either affected version range.

RCE Java Path Traversal Tomcat
CVE-2026-29200 CRITICAL CVSS 9.9
Tenant administrators in Comet Backup 20.11.0 through 26.1.1 and 26.2.1 can impersonate any end-user account across different tenants on the same server through an insecure direct object reference (IDOR) in an API endpoint. The vulnerability enables complete cross-tenant authentication bypass in multi-tenant deployments, allowing unauthorized access to backup data, configurations, and operations of arbitrary users. With CVSS 9.9 (Critical) rating and network-accessible exploitation requiring no privileges, this represents an immediate risk to managed service providers and multi-tenant Comet Backup installations, though no active exploitation has been confirmed via CISA KEV at time of analysis.

Authentication Bypass
CVE-2026-26956 CRITICAL CVSS 9.8
Full sandbox escape with arbitrary code execution allows remote attackers to break out of vm2's Node.js sandbox environment (version 3.10.4) and execute commands on the host system. Attacker-controlled code running inside VM.run() can obtain the host process object and execute arbitrary host commands without any cooperation from the host application. EPSS data not available, but this represents complete failure of the sandbox security boundary. Patch released in version 3.10.5 addresses eleven distinct escape vectors including Function constructor leakage, proxy unwrapping, util.inspect exposure, and WebAssembly exception handling.

RCE Node.js Red Hat
CVE-2026-26332 CRITICAL CVSS 9.8
Remote code execution in vm2 (Node.js sandbox library) versions prior to 3.11.0 allows unauthenticated network attackers to escape the sandbox and execute arbitrary code on the host system. The SuppressedError vulnerability (GHSA-55hx-c926-fr95) is one of 13 full sandbox-escape primitives patched in this coordinated security release. CVSS 9.8 Critical reflects network-accessible, unauthenticated exploitation with no complexity barriers. No CISA KEV listing or public POC data at time of analysis, but vendor explicitly warns 'embedders running untrusted code should upgrade,' indicating active risk to production deployments using vm2 for sandboxing untrusted JavaScript execution.

RCE Node.js Code Injection Red Hat
CVE-2026-25293 CRITICAL CVSS 9.6
Buffer overflow in Qualcomm Snapdragon firmware enables authentication bypass on adjacent networks, allowing remote unauthenticated attackers to achieve complete system compromise with high impact to confidentiality, integrity, and availability. The vulnerability stems from incorrect authorization logic (CWE-863) that fails to prevent buffer overflow conditions. CVSS score of 9.6 reflects adjacent network attack vector with low complexity and no required privileges or user interaction, with scope change indicating container/hypervisor escape or lateral movement potential. No CISA KEV listing or public exploit identified at time of analysis, though EPSS data not available to assess exploitation probability.

Authentication Bypass Buffer Overflow
CVE-2026-24781 CRITICAL CVSS 9.8
Remote code execution in vm2 (Node.js sandbox library) versions prior to 3.11.0 allows unauthenticated attackers to escape the sandbox environment via the inspect function and execute arbitrary system commands. The vulnerability exploits handler leakage through util.inspect's showProxy option to reconstruct host-realm objects and break isolation guarantees. CRITICAL: This is a complete sandbox bypass affecting all deployments using vm2 for untrusted code execution. Vendor-released patch available in version 3.11.0 with multiple commits addressing eight distinct exploitation primitives discovered during iterative disclosure.

RCE Node.js Code Injection Red Hat
CVE-2026-24120 CRITICAL CVSS 9.8
Sandbox escape in vm2 for Node.js allows remote unauthenticated attackers to execute arbitrary commands on the host system. The vulnerability represents an insufficient fix for CVE-2023-37466, enabling attackers to circumvent sandbox protections through multiple attack vectors including Function constructor extraction, proxy unwrapping, property descriptor manipulation, and WebAssembly JSTag exploitation. CVSS 9.8 (Critical) with EPSS data unavailable, but the existence of a detailed security advisory and comprehensive patch from GitHub indicates active vendor awareness and rapid response. Patched in version 3.10.5 with eleven distinct fixes addressing various bypass techniques.

RCE Node.js Red Hat
CVE-2026-24118 CRITICAL CVSS 9.8
Remote code execution in VM2 sandbox (npm package) versions ≤3.10.4 allows attackers to escape the JavaScript isolation boundary and execute arbitrary system commands on the host. The vulnerability exploits prototype chain traversal through Buffer.apply and __lookupGetter__ to access the host Function constructor, bypassing VM2's context isolation. Publicly available exploit code exists, and vendor-released patch version 3.11.0 addresses the issue. This is a complete sandbox escape requiring no authentication or user interaction, making it critical for environments executing untrusted code within VM2 contexts.

RCE Code Injection Red Hat
CVE-2026-7372 CRITICAL CVSS 9.0
Remote code execution in GeoVision GV-VMS V20 20.0.2 allows unauthenticated attackers to execute arbitrary code as SYSTEM via stack overflow in WebCam Server Login functionality. A specially crafted HTTP request with oversized username or password fields (exceeding 40 characters) triggers unconstrained sscanf buffer handling. CVSS 9.0 with high attack complexity reflects exploitation constraints (no null bytes allowed in payload), though network vector and lack of authentication requirements present significant risk. No active exploitation confirmed (not in CISA KEV); EPSS data unavailable for final risk assessment.

RCE Buffer Overflow Memory Corruption
CVE-2026-7161 CRITICAL CVSS 9.3
Credential interception in GeoVision GV-IP Device Utility 9.0.5 allows network attackers to decrypt administrator passwords from broadcast UDP packets. The application broadcasts device commands with credentials encrypted using a modified Blowfish scheme, but includes the decryption key in the same packet - reducing security to algorithm obscurity. Attackers on the same LAN can capture these broadcasts when legitimate administrators interact with GeoVision IP cameras or devices, decrypt credentials using reverse-engineered algorithms, then gain full device control to reconfigure or factory-reset equipment. EPSS and KEV data not available; CVSS 9.3 reflects network-accessible credential disclosure requiring user interaction.

Information Disclosure
CVE-2025-70067 CRITICAL CVSS 9.8
Heap buffer overflow in Assimp's FBX importer allows remote code execution when processing malicious FBX files. The vulnerability affects Assimp versions up to 6.0.2 through unsafe strcpy() operations in aiMaterial::AddBinaryProperty, enabling attackers to achieve arbitrary code execution with high CVSS severity (9.8). A proof-of-concept exploit is publicly available via GitHub Gist, though EPSS indicates only 0.02% exploitation probability and no CISA KEV listing exists, suggesting limited active exploitation despite the theoretical severity.

Buffer Overflow Heap Overflow Red Hat Suse
CVE-2025-14320 CRITICAL CVSS 9.8
Remote code execution via reflected XSS in Tegsoft Online Support Application V3 through build 31122025 allows unauthenticated attackers to execute arbitrary JavaScript in victim browsers with full application privileges. Despite being classified as CWE-79 (XSS), the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates critical impact typically reserved for RCE vulnerabilities, suggesting severe exploitation potential beyond typical XSS. Reported by TR-CERT (Turkish national CERT) with advisory published at USOM, indicating regional significance. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis.

XSS
CVE-2025-13605 CRITICAL CVSS 9.3
Command injection in 3onedata GW1101-1D(RS-485)-TB-P Modbus gateway allows authenticated high-privilege users on adjacent networks to execute arbitrary shell commands as root via malicious input in the IP address field of diagnostic test tools. Exploitation requires administrative credentials and adjacent network access (CVSS 4.0: 9.3 AV:A/AC:L/PR:H). SSVC assessment indicates no active exploitation, non-automatable attack, with total technical impact. Fixed in firmware version 3.0.59B2024080600R4353.

Command Injection
CVE-2026-42376 CRITICAL CVSS 9.8
Hardcoded telnet backdoor in D-Link DIR-456U Hardware Revision A1 firmware grants remote unauthenticated attackers root shell access using static credentials ('Alphanetworks' / 'whdrv01_dlob_dir456U'). The telnet daemon launches automatically at boot via /etc/init0.d/S80telnetd.sh and validates credentials through strcmp() comparison against hardcoded values in /etc/config/image_sign. Device is End-of-Life with no patches forthcoming. CVSS 9.8 reflects network-accessible unauthenticated remote code execution, though exploitation requires local network access to telnet service.

Authentication Bypass D-Link
CVE-2026-42375 CRITICAL CVSS 9.8
Remote root shell access via hardcoded telnet backdoor in D-Link DIR-600L Hardware Revision A1 allows network-adjacent attackers to authenticate with publicly known credentials ('Alphanetworks' / 'wrgn35_dlwbr_dir600l') and obtain full administrative control. The backdoor telnet daemon launches automatically at boot with static credentials stored in /etc/alpha_config/image_sign. The device is End-of-Life with no patches forthcoming, creating permanent exposure for deployed units. EPSS data not available; no CISA KEV listing identified, though the trivial exploitation complexity (CVSS AC:L, PR:N) and public disclosure make exploitation highly likely once details are disseminated.

Authentication Bypass D-Link
CVE-2026-42374 CRITICAL CVSS 9.8
D-Link DIR-600L Hardware Revision B1 routers expose a hardcoded telnet backdoor granting unauthenticated remote attackers root shell access via static credentials ('Alphanetworks' / 'wrgn61_dlwbr_dir600L'). The vulnerability affects End-of-Life devices that will never receive patches, making permanent network isolation or replacement the only remediation options. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and publicly documented credentials, this represents critical risk for any exposed device, though exploitation requires local network access despite the 'Network' attack vector classification.

Authentication Bypass D-Link
CVE-2026-42373 CRITICAL CVSS 9.8
Hardcoded telnet backdoor in D-Link DIR-605L Hardware Revision B2 firmware enables unauthenticated root access for remote attackers on the local network using static credentials 'Alphanetworks:wrgn76_dlwbr_dir605L'. The telnet daemon starts automatically at boot, validating credentials via strcmp() against hardcoded values in /etc/alpha_config/image_sign, granting complete administrative control to anyone who knows the password. This End-of-Life device will receive no security patches. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted disclosure rather than widespread exploitation campaigns.

Authentication Bypass D-Link
CVE-2026-42606 HIGH CVSS 8.1
Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.

PHP Docker CSRF Nginx
CVE-2026-42605 HIGH CVSS 8.8
Path traversal in AzuraCast's Flow.js media upload endpoint allows authenticated users with media management permissions to write arbitrary PHP files outside designated storage directories, achieving remote code execution. The vulnerability exists in versions ≤0.23.5 where the unsanitized `currentDirectory` parameter bypasses filename sanitization, and a `finally` block writes uploaded files before MIME validation completes. Only local filesystem storage (default configuration) is affected-remote S3/cloud backends are not vulnerable. Vendor-confirmed patch available in version 0.23.6. No public exploit or CISA KEV listing identified at time of analysis, but detailed proof-of-concept exists in GitHub advisory GHSA-vp2f-cqqp-478j demonstrating webshell upload to web root.

PHP Privilege Escalation RCE Path Traversal
CVE-2026-42575 HIGH CVSS 7.5
Package substitution in Chainguard apko allows network-positioned attackers to inject arbitrary APK packages into container images during build. apko verifies APKINDEX.tar.gz signatures but fails to validate individual downloaded .apk packages against signed index checksums, accepting mismatched packages silently. Attackers controlling download responses (compromised mirrors, HTTP repositories, poisoned CDN caches) can replace legitimate packages with malicious ones. Fixed in version 1.2.7. CVSS 7.5 with network vector and no authentication required. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation at time of analysis.

Information Disclosure
CVE-2026-42574 HIGH CVSS 7.5
Symlink-following path traversal in apko (versions 0.14.8 through <1.2.5) allows malicious APK archives to write arbitrary files to host paths during build operations. A crafted .apk can install a symlink entry pointing outside the build root, then traverse that symlink via subsequent file-write or directory-creation operations to reach any path writable by the build user. Affects disk-backed operations in apko build-cpio and downstream tools like melange; in-memory tarfs paths (apko build, apko publish) are not vulnerable. Vendor-released patch available in apko v1.2.5. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates network-reachable unauthenticated exploitation, though practical attack requires convincing a target to process the malicious APK during a build. No EPSS or KEV data available; publicly available exploit code exists in the form of regression tests demonstrating each primitive.

Path Traversal
CVE-2026-42440 HIGH CVSS 7.5
Remote denial of service in Apache OpenNLP versions before 2.5.9 and 3.0.0-M3 allows unauthenticated attackers to crash JVM processes by uploading malicious .bin model files that trigger OutOfMemoryError through unbounded array allocation. Exploitation requires no authentication (AV:N/AC:L/PR:N) and affects any code path deserializing binary model files from untrusted sources. EPSS score of 0.02% (5th percentile) suggests low widespread exploitation risk, and no active exploitation or public POC has been identified at time of analysis. Vendor-released patches are available with default safeguards limiting count fields to 10 million entries.

Denial Of Service Apache Deserialization Suse
CVE-2026-42372 HIGH CVSS 8.8
Hardcoded credentials in D-Link DIR-605L Hardware Revision A1 firmware grant root-level telnet access to unauthenticated attackers on adjacent networks. The telnet daemon automatically starts at boot with username 'Alphanetworks' and static password 'wrgn35_dlwbr_dir605l', enabling complete device takeover including network traffic interception, configuration modification, and pivot attacks against internal networks. This End-of-Life product will receive no vendor patch, requiring immediate device replacement. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, with adjacent network attack vector reducing but not eliminating risk for home and small office deployments.

Authentication Bypass D-Link
CVE-2026-42366 HIGH CVSS 7.4
Reflected cross-site scripting in GeoVision LPC2011/LPC2211 1.10 web interface (ssi.cgi) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability achieves scope change (S:C in CVSS), enabling access to high-confidentiality data across security contexts despite requiring user interaction. No public exploit code or CISA KEV listing identified at time of analysis, though vendor advisory confirms the flaw. EPSS data not available. The RCE tag appears to be a mislabeling - this is strictly client-side JavaScript execution (XSS), not server-side remote code execution.

XSS RCE
CVE-2026-42365 HIGH CVSS 8.6
Session cookie predictability in GeoVision LPC2011/LPC2211 1.10 web interface allows remote attackers to bypass authentication via brute-force enumeration of session tokens. Successful exploitation grants unauthorized access to the camera management interface with full privileges of valid users. CVSS 8.6 severity reflects the network-accessible attack vector requiring no authentication or user interaction, though EPSS and exploitation status data not available. Cisco Talos and GeoVision have documented this vulnerability, classified as CWE-341 (predictable from observable state).

Information Disclosure
CVE-2026-42313 HIGH CVSS 8.3
Authenticated users with non-admin SETTINGS permission in pyload-ng ≤0.5.0b3.dev99 can redirect all outbound HTTP traffic through attacker-controlled proxies by modifying ungated proxy configuration fields (enabled, host, port, type). The vulnerability is an incomplete fix in a series of authorization bypass issues (CVE-2026-33509/-35463/-35464/-35586) where a hand-maintained allowlist in set_config_value() gates only proxy credentials (username/password) but not the proxy destination itself, allowing credential theft, traffic interception, and response injection across downloads, captcha solvers, and update checks. No public exploit identified at time of analysis, though the GitHub advisory includes a working proof-of-concept demonstrating traffic redirection via API calls. Patch confirmed in version 0.5.0b3.dev100 per vendor advisory GHSA-pg67-9wjv-mr85.

Python Information Disclosure
CVE-2026-42311 HIGH CVSS 8.6
Integer overflow in Pillow 10.3.0 through 12.1.1 bypasses bounds checks during PSD tile extent validation, enabling memory corruption and arbitrary code execution when processing malicious PSD files. This vulnerability (CVE-2026-42311) exploits an incomplete fix for CVE-2026-25990, where the original patch added tile extent validation but used overflow-prone integer types. Attackers craft PSD images with tile dimensions that wrap around during extent sum calculations, defeating the bounds checks and triggering out-of-bounds writes in decode.c and encode.c. Pillow 12.2.0 patches this by avoiding extent addition before comparison. No active exploitation confirmed (not in CISA KEV); publicly available exploit code exists via proof-of-concept test images in the patch commit.

RCE Buffer Overflow Python Integer Overflow
CVE-2026-42301 HIGH CVSS 7.8
Arbitrary code execution on RPM packagers' workstations occurs when pyp2spec generates spec files from malicious PyPI package metadata containing unescaped RPM macro directives. Affects pyp2spec versions prior to 0.14.1, primarily impacting Fedora/RHEL packagers who process untrusted PyPI packages. Attack triggers during spec file parsing (rpmbuild -bs, rpm -q --specfile) before any build step, enabling compromise via typosquatted packages or those under Fedora review. Exploited packager workstations hold dist-git SSH keys, Koji build credentials, and Bodhi update rights, creating supply chain risk. Vendor-released patch 0.14.1 available per GitHub advisory GHSA-r35x-v8p8-xvhw. No public exploit identified at time of analysis, but attack complexity is low with realistic targeting scenarios described.

Information Disclosure
CVE-2026-42297 HIGH CVSS 8.5
Missing authorization checks in Argo Workflows v4.0.0-4.0.4 allow any authenticated user-even those with fake Bearer tokens-to create, read, update, and delete Kubernetes ConfigMaps containing workflow synchronization limits. The ConfigMap-backed sync provider (server/sync/sync_cm.go) completely omits auth.CanI permission validation on all four CRUD endpoints. Publicly available exploit code exists (detailed PoC in advisory). CVSS 8.5 reflects network-accessible authentication bypass enabling high integrity/availability impact through denial-of-service and arbitrary ConfigMap manipulation. Patch released in version 4.0.5 adding checkConfigMapPermission() calls to validate Kubernetes RBAC before operations.

Authentication Bypass Denial Of Service Information Disclosure Kubernetes
CVE-2026-42296 HIGH CVSS 8.1
Argo Workflows v3 (< 3.7.14) and v4 (< 4.0.5) allow users to bypass templateReferencing Strict/Secure mode restrictions by setting WorkflowSpec fields like hostNetwork, serviceAccountName, securityContext, tolerations, and volumes. The incomplete fix for CVE-2026-31892 only blocked podSpecPatch but left other security-sensitive fields unvalidated. Authenticated users with create Workflow permission can inject host network access, switch service accounts, modify pod security contexts, or schedule on control-plane nodes despite referencing hardened WorkflowTemplates. Vendor-released patch: v3.7.14 and v4.0.5 (commit 2727f3f). No public exploit identified at time of analysis, but exploitation is straightforward given detailed reproduction steps in the advisory.

Authentication Bypass Kubernetes
CVE-2026-42295 HIGH CVSS 8.5
Argo Workflows executor logs artifact repository credentials in plaintext to pod logs during artifact operations, exposing S3 access/secret keys, GCS service account keys, Azure storage keys, and Git passwords. Users with Kubernetes RBAC permissions to read pod logs in the workflow namespace can extract these credentials directly from workflow execution logs. This vulnerability affects Argo Workflows v4.0.0 through v4.0.4 and represents an incomplete fix of CVE-2025-62157. Vendor-released patch (v4.0.5) is available with GitHub commit bdd40908 removing credential-bearing struct logging. No public exploit identified at time of analysis, though exploitation is trivial given the included working proof-of-concept YAML.

Information Disclosure Kubernetes Microsoft Red Hat
CVE-2026-42294 HIGH CVSS 8.2
Memory exhaustion crashes Argo Workflows server via unauthenticated multi-gigabyte webhook requests to the publicly accessible `/api/v1/events/` endpoint. The Webhook Interceptor's `io.ReadAll` call allocates unbounded memory before signature verification, enabling remote attackers to trigger out-of-memory (OOM) conditions without authentication or credentials. Vendor-released patches enforce a 2MB body size limit via `io.LimitReader`. Publicly available exploit code exists (conceptual proof-of-concept published in GitHub security advisory GHSA-jcc8-g2q4-9fxq). No active exploitation confirmed by CISA KEV at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and public PoC create immediate risk for internet-exposed Argo Workflows deployments.

Denial Of Service Kubernetes
CVE-2026-42246 HIGH CVSS 7.6
Man-in-the-middle attackers can strip TLS protection from Ruby net-imap STARTTLS connections by injecting a premature tagged OK response with a predictable tag. The vulnerability allows attackers to bypass TLS encryption, forcing the client to transmit credentials and email content in cleartext while the application believes the connection is secure. Vendor-released patches (net-imap 0.6.4, 0.5.14, 0.4.24, 0.3.10) are available. CVSS 7.6 severity reflects network-accessible attack with low complexity but requires man-in-the-middle positioning. No public exploit code identified at time of analysis, though the attack mechanism is well-documented in security research (NO STARTTLS project).

Information Disclosure
CVE-2026-42222 HIGH CVSS 8.1
Unauthenticated bootstrap takeover in nginx-ui 2.3.5 allows remote attackers to hijack the initial installation process via crafted POST requests to /api/install endpoint. An attacker who successfully exploits the installation window gains full administrative control over the nginx-ui instance before legitimate administrators complete setup. No vendor-released patch identified at time of analysis, creating extended exposure risk for newly deployed instances.

Authentication Bypass Nginx
CVE-2026-42221 HIGH CVSS 8.1
Unauthenticated attackers can hijack the administrator account during nginx-ui's first-run installation window by claiming the /api/install endpoint before legitimate operators. This race-condition vulnerability in nginx-ui versions 2.0.0 through 2.3.7 bypasses authentication controls entirely, allowing complete instance takeover with attacker-controlled credentials. The request-encryption mechanism protects only transit confidentiality, not authorization. Attack complexity is rated HIGH due to the narrow time window between deployment and legitimate setup completion. EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis, but exploitation requires only standard HTTP tools and timing.

Authentication Bypass Nginx
CVE-2026-42154 HIGH CVSS 7.5
Memory exhaustion in Prometheus remote read endpoint allows unauthenticated attackers to crash the monitoring server via maliciously crafted snappy-compressed payloads. The /api/v1/read endpoint in versions prior to 3.5.3 and 3.11.3 accepts compressed request bodies without validating the declared decoded length, enabling a 5-byte payload claiming 256 MiB decoded size to trigger massive heap allocations. Concurrent requests can exhaust memory and crash the Prometheus process. EPSS data not provided; no evidence of active exploitation (not in CISA KEV). Vendor-released patches available in versions 3.5.3 and 3.11.3.

Denial Of Service Suse
CVE-2026-42151 HIGH CVSS 7.5
Prometheus monitoring system exposes Azure AD OAuth client secrets in plaintext via its /-/config HTTP API endpoint. Versions prior to 3.5.3 and 3.11.3 incorrectly type the client_secret field as a plain string instead of Prometheus's redacted Secret type, allowing remote unauthenticated attackers to retrieve sensitive Azure credentials from any exposed Prometheus instance configured for Azure AD remote write. The vulnerability has low exploitation complexity (CVSS AV:N/AC:L/PR:N) with 7.5 severity. Vendor-confirmed patches available in versions 3.5.3 and 3.11.3 (GitHub releases confirmed). EPSS data not provided; no CISA KEV listing indicating targeted exploitation campaigns at time of analysis.

Information Disclosure Microsoft Suse
CVE-2026-42084 HIGH CVSS 8.1
OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attackers with hijacked tokens to lock out legitimate users and maintain persistent access to compromised accounts including administrator accounts. Publicly available exploit code demonstrates the attack chain. All versions prior to 6.10.5 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The vendor has released patched versions 6.10.5 and 7.0.0-rc3 that enforce password-only verification during password change operations.

Information Disclosure
CVE-2026-42079 HIGH CVSS 8.6
Arbitrary code execution in PPTAgent allows local attackers to execute Python code by exploiting unsafe eval() of LLM-generated content with unrestricted builtins. The framework's agentic architecture passes AI-generated code directly to eval() with full builtin access, enabling execution of arbitrary system commands. Patch available via commit 418491a which restricts eval() globals to an empty builtins dictionary and adds path traversal protections. CVSS 8.6 with local attack vector and user interaction requirement; no evidence of active exploitation or public POC at time of analysis.

RCE Python Code Injection
CVE-2026-42075 HIGH CVSS 8.1
Path traversal in Evolver's skill fetch command enables arbitrary file writes via unvalidated --out= flag. Authenticated attackers can overwrite system files or create malicious files in sensitive locations (e.g., cron directories) by using directory traversal sequences like '../../../etc/cron.d'. The vulnerability exists in index.js where user-provided paths from --out= are extracted without sanitization and passed directly to fs.mkdirSync(). Patch released in version 1.69.3. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation.

Path Traversal
CVE-2026-42069 HIGH CVSS 7.1
Missing authorization in Kirby CMS allows authenticated Panel users to access sensitive site configuration, user data, and role information regardless of configured permission restrictions. Authenticated attackers with low-privilege Panel accounts can enumerate all users, access the site model, and view role configurations including permission settings-even when site administrators explicitly disabled these capabilities via wildcard permission denial ('*': false). Vendor-released patches in versions 4.9.0 and 5.4.0 add missing permission gates for site.access, user.access/users.access, user.list/users.list, and role information. No public exploit identified at time of analysis, but exploitation requires only authenticated Panel access with network connectivity.

Authentication Bypass
CVE-2026-41927 HIGH CVSS 8.3
Stack-based buffer overflow in WDR201A WiFi Extender firewall.cgi and makeRequest.cgi binaries enables remote unauthenticated attackers to execute arbitrary code through crafted POST requests with oversized Content-Length headers. The vulnerability affects hardware version 2.1 running firmware LFMZX28040922V1.02, with publicly available proof-of-concept exploit code documented via AI-assisted vulnerability research. CVSS 8.3 with high attack complexity indicates exploitation requires advanced technical skills, though the network vector and lack of authentication requirements make this a significant risk for exposed IoT devices.

RCE Buffer Overflow Stack Overflow
CVE-2026-41895 HIGH CVSS 8.2
XML External Entity (XXE) injection in changedetection.io version 0.54.9 and earlier allows local file disclosure when processing attacker-controlled XML or RSS feeds. The xpath_filter() function in html_tools.py creates an lxml parser without disabling external entity resolution, enabling attackers to embed DOCTYPE declarations that read sensitive files from the host system. Extracted content appears in watch output, diff history, and notification channels. No vendor-released patch identified at time of analysis. CVSS 8.2 reflects high confidentiality impact with attack complexity high due to specific runtime parser behavior requirements.

XXE
CVE-2026-41893 HIGH CVSS 8.7
Credential brute-forcing in Signal K Server versions ≤2.24.0 allows remote unauthenticated attackers to bypass HTTP login rate limiting by sending unlimited password guesses through the WebSocket authentication endpoint at approximately 20 attempts per second. The HTTP login endpoints are protected by express-rate-limit (default: 100 attempts per 10-minute window), but the WebSocket path processes login requests without any throttling, enabling dictionary attacks to complete in minutes. Publicly available exploit code exists demonstrating the bypass technique. Signal K servers are commonly deployed on boat networks where they may be accessible to other devices on the same LAN, increasing exposure risk.

Authentication Bypass
CVE-2026-41471 HIGH CVSS 8.2
Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.

PHP WordPress Authentication Bypass Information Disclosure
CVE-2026-40893 HIGH CVSS 8.2
Remote unauthenticated attackers can bypass ExifTool tag blocklist in Gotenberg 8.x via group-prefixed tag names (e.g., 'System:FileName' instead of 'FileName'), enabling arbitrary file renaming, relocation, and permission modification within the container filesystem. One HTTP request exploits this input validation bypass (CWE-20) to circumvent protections from a prior security fix (GHSA-qmwh-9m9c-h36m). The vulnerability affects all metadata-accepting endpoints in Gotenberg's default configuration, which typically runs without authentication. No public exploit code is confirmed, but a detailed proof-of-concept is published in the GitHub advisory (GHSA-62p3-hvxx-fxg4). CVSS 8.2 reflects network vector with no authentication required, though real-world impact depends on container isolation and shared volume configurations.

Information Disclosure Docker Google
CVE-2026-40563 HIGH CVSS 8.1
Code injection in Apache Atlas DSL search endpoint allows authenticated attackers to manipulate Gremlin traversal queries and access unauthorized data. Affects versions 0.8 through 2.4.0; exploitable in 2.0+ only when non-default configuration 'atlas.dsl.executor.traversal=false' is set. EPSS score of 0.03% (9th percentile) suggests low widespread exploitation probability. No active exploitation confirmed per CISA KEV or vendor advisory. Fixed in version 2.5.0.

RCE Apache Code Injection
CVE-2026-40251 HIGH CVSS 7.1
Denial of service in Incus prior to version 7.0.0 allows authenticated users to crash the Incus daemon by importing a maliciously crafted backup archive with physical snapshot directories but tampered metadata arrays. The vulnerability stems from an incorrect bounds check (len(slice) >= i-1 instead of len(slice) > i) in the backup restore and migration code paths, enabling out-of-bounds array access that triggers a runtime panic. Repeated exploitation keeps the Incus service offline, confirmed by a publicly available proof-of-concept.

Buffer Overflow Denial Of Service Information Disclosure Suse
CVE-2026-40197 HIGH CVSS 7.1
Nil-pointer dereference in Incus daemon's custom volume backup import logic allows authenticated users to crash the service by supplying a malformed backup archive containing null entries in the volume_snapshots array, enabling repeated denial of service attacks. The vulnerability exists in the CreateCustomVolumeFromBackup function which fails to validate snapshot pointers before dereferencing them during import operations. CVSS 6.5 (authenticated network access, high availability impact); no public exploit code or active exploitation reported at analysis time, but proof-of-concept demonstration included in advisory.

Denial Of Service Null Pointer Dereference Suse
CVE-2026-40195 HIGH CVSS 7.1
Nil-pointer dereference in Incus daemon's storage bucket import logic allows authenticated users to crash the daemon by submitting a malformed bucket backup archive with a missing config section in index.yaml, enabling denial of service through repeated exploitation. The vulnerability affects Incus versions prior to 7.0.0 and requires valid storage bucket feature access but no special privileges beyond authenticated user status.

Denial Of Service Python Null Pointer Dereference Suse
CVE-2026-40075 HIGH CVSS 8.2
Path traversal in OpenMRS Core's ModuleResourcesServlet allows unauthenticated attackers to read arbitrary files from the server filesystem, including sensitive configuration files and system files like /etc/passwd. The vulnerability exists in versions ≤ 2.7.8 and 2.8.0-2.8.5, with exploitation requiring Apache Tomcat < 8.5.31 where path parameter bypass protections are absent. Fix available in version 2.8.6 for the 2.8.x branch; no patch released for 2.7.x series at time of analysis. CVSS 7.5 (High) reflects network-accessible unauthenticated exploitation with high confidentiality impact.

Apache Java Path Traversal Tomcat
CVE-2026-39852 HIGH CVSS 8.8
Authorization bypass in Quarkus allows remote unauthenticated attackers to access protected HTTP endpoints by appending semicolons (matrix parameters) to request URLs. Quarkus version 3.32.4 and multiple other branches are affected due to a path-normalization inconsistency between the security layer (which checks raw paths preserving matrix parameters) and RESTEasy Reactive routing (which strips them). Attackers can send requests like '/api/admin;anything' to bypass policies protecting '/api/admin' while still routing to the protected endpoint. Vendor-released patches available across four version branches (3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1). No public exploit identified at time of analysis, but the attack technique is straightforward given the detailed GitHub Security Lab advisory (GHSA-rc95-pcm8-65v9).

Authentication Bypass Red Hat
CVE-2026-38751 HIGH CVSS 7.2
Arbitrary file upload in OpenSTAManager 2.10 and earlier allows authenticated high-privilege users to upload malicious files via the module update functionality at modules/aggiornamenti/upload_modules.php, leading to remote code execution. Publicly available exploit code exists (GitHub POC), though EPSS exploitation probability remains low (2%, 5th percentile), suggesting limited observed exploitation activity. CVSS 7.2 reflects high impact but requires high-privilege authentication (PR:H), substantially limiting attack surface to compromised admin accounts or malicious insiders.

PHP File Upload
CVE-2026-37461 HIGH CVSS 7.5
Remote attackers can crash GoBGP v4.3.0 by sending a malformed BGP UPDATE message that triggers an out-of-bounds read in IPv6 extended community parsing. The flaw allows unauthenticated denial of service against default configurations with no authentication required (CVSS AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, and EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability. Upstream fixes available via GitHub commits 362cce3e and 9ce8936.

Buffer Overflow Denial Of Service Information Disclosure Suse
CVE-2026-37459 HIGH CVSS 7.5
Denial of Service in FRRouting 10.0 through 10.6 allows remote unauthenticated attackers to crash the BGP daemon via a malformed BGP UPDATE message exploiting an integer underflow in next-hop capability processing. Upstream fix available in commit 693a2e0 but released patched version not independently confirmed. No public exploit identified at time of analysis, with EPSS score not provided suggesting low observed exploitation activity.

Denial Of Service Red Hat Suse
CVE-2026-36365 HIGH CVSS 7.8
Command injection in Caesium Image Compressor (all versions through commit 02da2c6) allows local authenticated attackers to execute arbitrary OS commands via unsanitized input to shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp. The vulnerable code uses system() calls without input validation, enabling shell metacharacter injection during post-compression power management operations. Patch available via GitHub PR #376 replacing system() with QProcess::startDetached(). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. No evidence of active exploitation or public POC beyond the researcher's advisory.

RCE Command Injection Suse
CVE-2026-34059 HIGH CVSS 7.5
Buffer over-read in Apache HTTP Server through 2.4.66 enables remote unauthenticated information disclosure at network scale. Attackers can read sensitive memory content without authentication or user interaction, achieving high confidentiality impact with low attack complexity. EPSS exploitation probability and KEV status not provided, but SSVC framework confirms the vulnerability is automatable with partial technical impact and no active exploitation detected at time of analysis. Patch released in version 2.4.67.

Buffer Overflow Apache Red Hat Suse
CVE-2026-33846 HIGH CVSS 7.5
Heap buffer overflow in GnuTLS DTLS handshake allows remote unauthenticated attackers to crash applications or corrupt memory. The vulnerability stems from inconsistent fragment validation in merge_handshake_packet(), where attackers can send crafted DTLS fragments with conflicting message_length values to trigger out-of-bounds writes. Red Hat reported this affecting RHEL 6-10 and OpenShift Container Platform 4. CVSS 7.5 (High) reflects network-accessible denial of service, though memory corruption may enable further exploitation. No EPSS data, KEV status, or POC availability reported at time of analysis, but the remote unauthenticated attack vector (AV:N/PR:N) and low complexity (AC:L) make this a priority for systems using DTLS.

Buffer Overflow Red Hat Suse
CVE-2026-32834 HIGH CVSS 8.7
Hardcoded authentication bypass in Easy PayPal Events & Tickets plugin allows unauthenticated remote attackers to retrieve sensitive order data by supplying 'test' as the hash parameter to the QR code scanning endpoint. Attackers can access PayPal transaction IDs, customer emails, purchase amounts, and ticket information for any order by enumerating post IDs. Public exploit code exists on GitHub, significantly lowering the exploitation barrier. The plugin was officially closed by WordPress.org on 2026-03-18, leaving installations vulnerable with no future patches.

WordPress Authentication Bypass
CVE-2026-29514 HIGH CVSS 8.7
Remote code execution in NetBox 4.3.5-4.5.4 allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary Python code as the NetBox service user by injecting malicious callables into Jinja2 template environment parameters. Attackers bypass SandboxedEnvironment protections by setting the finalize parameter to dangerous imports like subprocess.getoutput, which executes on every rendered expression outside sandbox call interception. Public proof-of-concept exploit exists (chocapikk.com), and upstream patch available via GitHub PR #22078 implements an allowlist-based validation mechanism that blocks unauthorized callable resolution at both save-time and render-time.

RCE Python
CVE-2026-29199 HIGH CVSS 8.1
Host header injection in phpBB versions 3.0.0 through 3.3.15 enables password reset link poisoning when force_server_vars is disabled. Attackers manipulating HTTP Host headers can redirect password reset links to attacker-controlled domains, enabling credential theft and account takeover. CVSS 8.1 with network vector and no authentication required, though EPSS exploitation probability is low (0.02%, 4th percentile), suggesting limited observed exploitation activity. Vendor-released fix available in phpBB 3.3.16.

Code Injection
CVE-2026-29169 HIGH CVSS 7.5
Remote attackers can crash Apache HTTP Server 2.4.66 and earlier by sending malicious requests that trigger a NULL pointer dereference in mod_dav_lock, causing denial of service. The vulnerability affects only servers with mod_dav_lock enabled, a legacy module whose primary use-case (Apache Subversion < 1.2.0) is obsolete in modern deployments. CISA SSVC indicates no active exploitation, but the attack is automatable against susceptible configurations. CVSS 7.5 (High) reflects network-accessible, unauthenticated denial of service, though real-world impact is limited to the small subset of servers still running mod_dav_lock.

Denial Of Service Apache Null Pointer Dereference Red Hat
CVE-2026-29004 HIGH CVSS 7.2
Heap buffer overflow in BusyBox udhcpc6 (DHCPv6 client) allows network-adjacent attackers to achieve remote code execution or denial of service on embedded systems. The vulnerability stems from incorrect heap buffer allocation in option_to_env() when parsing D6_OPT_DNS_SERVERS options in DHCPv6 responses. Particularly dangerous on embedded devices lacking heap hardening protections. Fixed in commit 42202bf. No active exploitation confirmed (not in CISA KEV), but publicly available proof-of-concept from VulnCheck disclosure increases real-world risk for IoT and embedded deployments.

RCE Buffer Overflow Denial Of Service Heap Overflow
CVE-2026-25863 HIGH CVSS 8.7
Denial-of-service condition in Conditional Fields for Contact Form 7 WordPress plugin allows remote unauthenticated attackers to crash PHP processes by injecting arbitrarily large iteration values through REST API parameters. The Wpcf7cfMailParser class processes user-supplied POST data without validation, enabling attackers to trigger unbounded loops with multiple regex operations that exhaust server memory. Affects all versions through 2.6.7 with vendor patch now available. EPSS data not provided, but the network-accessible unauthenticated attack vector (AV:N/PR:N) combined with low complexity (AC:L) indicates straightforward exploitation potential against publicly accessible WordPress sites running this plugin.

PHP WordPress Denial Of Service
CVE-2026-24082 HIGH CVSS 7.8
Use-after-free vulnerability in Qualcomm Snapdragon chipsets enables local privilege escalation to achieve full device compromise. Low-privilege authenticated users can trigger memory corruption during performance counter deselect operations, gaining high-integrity code execution with kernel-level access. Qualcomm has released patches in their May 2026 security bulletin. EPSS data not yet available for this future-dated CVE; no confirmed active exploitation or public exploit code identified at time of analysis.

Buffer Overflow Use After Free Memory Corruption
CVE-2026-24072 HIGH CVSS 8.8
Local .htaccess authors can escalate privileges to read arbitrary files as the httpd daemon user in Apache HTTP Server 2.4.66 and earlier. The vulnerability requires low-privilege authenticated access to create or modify .htaccess files, but exploits misconfigured module interactions to bypass intended access controls. Apache has released version 2.4.67 to address this issue. SSVC assessment indicates no active exploitation and non-automatable attack vector, with EPSS data not yet available for this recent disclosure.

Privilege Escalation Apache Red Hat Suse
CVE-2026-23918 HIGH CVSS 8.8
Remote code execution via double-free memory corruption in Apache HTTP Server 2.4.66's HTTP/2 protocol implementation allows authenticated attackers to compromise server integrity and confidentiality with high impact. Vendor-released patch 2.4.67 addresses the issue. No public exploit or active exploitation confirmed at time of analysis, but SSVC framework rates technical impact as total, indicating complete system compromise potential.

Apache Information Disclosure Red Hat Suse
CVE-2026-7791 HIGH CVSS 8.5
Local privilege escalation in Amazon WorkSpaces for Windows versions before 2.6.2034.0 enables authenticated low-privileged users to write arbitrary files to protected system locations, achieving SYSTEM-level access. The vulnerability exploits a race condition (CWE-367) in the Skylight Workspace Config Service's log rotation mechanism. No public exploit or active exploitation confirmed at time of analysis, but local access requirement limits attack surface to compromised user accounts or insider threats.

Privilege Escalation Microsoft
CVE-2026-7776 HIGH CVSS 7.5
Network-accessible denial-of-service in HashiCorp Boundary workers allows unauthenticated remote attackers to block legitimate worker connections by manipulating TLS handshake timing during node enrollment. Attackers can connect to the worker authentication listener and intentionally delay or withhold client certificates, causing connection handlers to block and preventing legitimate workers from enrolling or routing traffic. Both Community Edition and Enterprise versions prior to 0.21.3, 0.20.3, and 0.19.5 are vulnerable. EPSS data not provided; no CISA KEV listing indicating limited observed exploitation. Vendor-confirmed vulnerability with patches released across three active release branches.

Denial Of Service
CVE-2026-7768 HIGH CVSS 7.5
Unbounded cache growth in @fastify/accepts-serializer versions ≤6.0.3 allows remote unauthenticated attackers to exhaust Node.js heap memory by sending numerous distinct Accept header variants, crashing the application. The plugin caches serializer selections keyed by Accept header without size limits, enabling trivial memory exhaustion attacks against any exposed Fastify endpoint. Fix available in version 6.0.4, which implements an LRU cache with 100-entry default limit. No public exploit code identified at time of analysis, but attack is straightforward to execute with basic HTTP tools.

Denial Of Service Node.js
CVE-2026-7750 HIGH CVSS 7.4
Remote authenticated attackers can execute arbitrary code on Totolink N300RH 3.2.4-B20220812 routers via buffer overflow in the setMacFilterRules function. Exploitation requires low-privilege authentication to the router's web interface, then sending a crafted POST request with an oversized mac_address parameter to /cgi-bin/cstecgi.cgi. Public exploit code is available (documented on Notion), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network attack vector, publicly available POC, and vulnerable IoT device suggest moderate real-world risk for internet-exposed routers with default or weak credentials.

Buffer Overflow
CVE-2026-7749 HIGH CVSS 7.4
Buffer overflow in Totolink N300RH router firmware 3.2.4-B20220812 allows authenticated remote attackers to achieve complete device compromise via crafted DNS parameter in WAN configuration requests. The vulnerability exists in the setWanConfig function within /cgi-bin/cstecgi.cgi POST handler, exploitable by manipulating the priDns argument. Public exploit code is available (CVSS E:P), and CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact on the vulnerable device with no cross-scope effects.

Buffer Overflow
CVE-2026-7748 HIGH CVSS 7.4
Buffer overflow in Totolink N300RH router firmware 3.2.4-B20220812 enables authenticated remote attackers to achieve code execution via crafted FileName parameter to the setUpgradeFW function in /cgi-bin/cstecgi.cgi. Public exploit code is available (documented in Notion). CVSS 7.4 with CVSS 4.0 Exploit maturity 'Proof-of-concept' confirms POC exists. Not listed in CISA KEV, suggesting limited real-world exploitation despite public POC.

Buffer Overflow
CVE-2026-7747 HIGH CVSS 8.9
Remote unauthenticated attackers can execute arbitrary code on Totolink N300RH routers version 3.2.4-B20220812 by sending crafted Password parameter values to the loginauth authentication function in /cgi-bin/cstecgi.cgi, triggering a stack-based buffer overflow. Exploitation probability is moderate (EPSS score not provided, but publicly available exploit code exists per VulDB reference). This affects consumer-grade wireless routers often deployed in home/SOHO environments with default internet-facing management interfaces, creating significant remote compromise risk despite the device's end-of-life status.

Buffer Overflow
CVE-2026-7719 HIGH CVSS 8.9
Remote unauthenticated buffer overflow in Totolink WA300 wireless repeater firmware version 5.2cu.7112_B20190227 enables complete device compromise via crafted HTTP POST requests to the login authentication handler. The vulnerability resides in the loginauth function within /cgi-bin/cstecgi.cgi, where insufficient validation of the http_host parameter allows attackers to overflow memory and achieve arbitrary code execution with device privileges. Publicly available exploit code exists (documented via Notion), enabling trivial exploitation with EPSS probability assessment pending but attack complexity rated low (AC:L) with no authentication barrier (PR:N).

Buffer Overflow
CVE-2026-7717 HIGH CVSS 7.4
Buffer overflow in Totolink WA300 wireless range extender firmware 5.2cu.7112_B20190227 allows authenticated remote attackers to execute arbitrary code or crash the device via crafted File parameter to the UploadCustomModule function in /cgi-bin/cstecgi.cgi. Public proof-of-concept exploit exists (documented in Notion page), enabling low-skill exploitation. EPSS data not available, but low attack complexity (AC:L) and network attack vector (AV:N) combined with public POC indicate elevated real-world risk for affected devices exposed to untrusted authenticated users.

Buffer Overflow
CVE-2026-7482 HIGH CVSS 8.8
Heap out-of-bounds read in Ollama's GGUF model loader (<0.17.1) leaks sensitive memory contents including API keys, environment variables, and concurrent user data when processing maliciously crafted model files. Attackers can trigger the vulnerability by uploading a GGUF file with tensor offsets exceeding file bounds via the unauthenticated /api/create endpoint, then exfiltrate leaked memory through /api/push to attacker-controlled registries. While default deployments bind to localhost only, the widely-adopted OLLAMA_HOST=0.0.0.0 configuration exposes instances to network exploitation. Vendor-released patch available in version 0.17.1 with GitHub commit 88d57d0483cca907e0b23a968c83627a20b21047 adding bounds validation to fs/ggml/gguf.go and server/quantization.go.

Buffer Overflow Information Disclosure Red Hat Suse
CVE-2026-7371 HIGH CVSS 7.4
Reflected cross-site scripting in GeoVision LPC2011/LPC2211 Web Interface enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs targeting the ssi.cgi error handler. The vulnerability chains through social engineering (requires user interaction) but achieves high confidentiality impact through changed scope (S:C), allowing session hijacking and credential theft from authenticated administrators. EPSS data not provided; no CISA KEV listing indicates this is not yet confirmed as actively exploited in the wild. Publicly available exploit code status unknown but detailed technical disclosure exists from Cisco Talos Intelligence.

XSS RCE
CVE-2026-6321 HIGH CVSS 7.5
Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls through percent-encoded path traversal sequences. The normalize() and equal() functions decode URL-encoded separators (%2F) and dot segments (%2E) before applying normalization rules, causing distinct URIs to collapse onto identical normalized paths. Applications relying on fast-uri for URL validation in authorization checks can be tricked into allowing access to restricted resources. EPSS exploitation probability not yet calculated given recent disclosure; no active exploitation confirmed (not in CISA KEV), but attack vector is trivial (CVSS AV:N/AC:L/PR:N/UI:N) and patch is available in version 3.1.1.

Path Traversal Red Hat Suse
CVE-2026-6266 HIGH CVSS 8.3
Authentication bypass in Red Hat Ansible Automation Platform 2.6 allows authenticated attackers to hijack arbitrary user accounts, including administrator accounts, via email-based identity provider linking manipulation. The AAP gateway's user auto-link feature matches external IDP identities to existing accounts by email without ownership verification, enabling account takeover when an attacker controls an IDP account with a victim's email address. Red Hat has released patch RHSA-2026:13508. EPSS and KEV data not provided, but the low attack complexity (AC:L) and high confidentiality/integrity impact make this a critical authentication control failure requiring immediate remediation in environments using external identity providers.

Authentication Bypass Red Hat
CVE-2026-3120 HIGH CVSS 7.2
Remote code execution in SambaBox 5.1-5.2 allows authenticated administrators to inject and execute arbitrary OS commands through improper input sanitization. Attackers with high-privilege access can achieve full system compromise with confidentiality, integrity, and availability impact. Reported by Turkish national CERT (TR-CERT/USOM), no CISA KEV listing or public exploit code identified at time of analysis, indicating limited observed exploitation activity.

RCE Command Injection Code Injection
CVE-2026-0073 HIGH CVSS 8.8
Authentication bypass in Android Debug Bridge (ADB) wireless mutual authentication allows adjacent network attackers to execute arbitrary code as the shell user without authentication. The flaw affects Android 14, 15, and 16 series, residing in the TLS certificate verification logic of adbd_tls_verify_cert. EPSS data not available, but CISA SSVC framework indicates no current exploitation evidence and non-automatable attack requiring network adjacency. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability when the wireless debugging feature is enabled.

RCE
CVE-2025-70069 HIGH CVSS 7.5
Assimp 6.0.2 crashes when processing malformed FBX files due to unchecked resource consumption in the FBX multi-material mesh converter. Remote attackers can trigger denial of service (application crash) via network-delivered malicious 3D model files without authentication, requiring no user interaction beyond normal file processing. EPSS data not available; no evidence of active exploitation (not in CISA KEV). Publicly documented proof-of-concept exists via GitHub Gist, enabling straightforward reproduction.

Denial Of Service Red Hat Suse
CVE-2025-67796 HIGH CVSS 8.1
Improper authorization in IKUS Rdiffweb before 2.10.5 allows authenticated attackers with low-privilege API access tokens to read or modify data belonging to other users and tenants without additional authorization checks. The API fails to validate that the authenticated token subject matches the targeted user in requests, enabling horizontal privilege escalation and cross-tenant data access. Fixed in version 2.10.6. EPSS score of 0.02% (4th percentile) indicates low current exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
CVE-2025-58074 HIGH CVSS 8.8
Norton Secure VPN installed via Microsoft Store allows low-privilege Windows users to escalate to SYSTEM-level privileges by replacing files during the installation process, causing arbitrary file deletion. Cisco Talos discovered this TOCTOU (Time-of-Check Time-of-Use) race condition in the installer. No public exploit code or active exploitation confirmed at time of analysis, but the local attack vector with low complexity (CVSS AC:L) makes this highly exploitable once installation details are known.

Privilege Escalation Microsoft
CVE-2025-47408 HIGH CVSS 7.8
Memory corruption in Qualcomm Snapdragon allows local authenticated attackers with low privileges to achieve arbitrary code execution and full system compromise. The vulnerability triggers when malicious drivers invoke specific IOCTLs with intentionally malformed input/output buffers, bypassing buffer validation checks. EPSS and KEV status not available at time of analysis; advisory references May 2026 bulletin suggesting pre-disclosure analysis.

Buffer Overflow
CVE-2025-47407 HIGH CVSS 7.8
Local privilege escalation in Qualcomm Snapdragon chipsets allows authenticated users to corrupt kernel memory during digital signal processor (DSP) process creation, leading to arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability exploits allocation failure handling at kernel level. Qualcomm has published a security bulletin with remediation details for the May 2026 bulletin cycle. No active exploitation or public exploit code identified at time of analysis, though EPSS data not available to assess probabilistic risk.

Buffer Overflow
CVE-2025-47405 HIGH CVSS 7.8
Memory corruption in Qualcomm Snapdragon camera subsystem allows local authenticated users to execute arbitrary code with high privileges through crafted input/output control (ioctl) calls targeting camera sensor interfaces with malformed output buffers. CVSS score of 7.8 reflects local attack vector requiring low-privilege account access. No EPSS data or KEV listing at time of analysis, suggesting exploitation has not been publicly observed. Qualcomm security bulletin scheduled for May 2026 indicates vendor-coordinated disclosure with patches expected in that timeframe.

Buffer Overflow
CVE-2026-43616 MEDIUM CVSS 6.8
Path traversal in Detect-It-Easy archive extraction allows local attackers to write arbitrary files outside intended directories and achieve persistent code execution by overwriting user startup scripts. Affects all versions prior to 3.21. Exploitation requires user interaction to open a specially crafted archive file. Vendor-released patch available in version 3.21, with fixes applied across multiple repository components (DIE-engine, Formats, XArchive). No public exploit identified at time of analysis, though the vulnerability class is well-understood and exploitation techniques are documented.

RCE Path Traversal
CVE-2026-42576 MEDIUM CVSS 6.5
Apko crashes via denial-of-service when a repository JWKS endpoint returns a non-RSA key due to an unchecked type assertion in the DiscoverKeys function. The vulnerability affects any workflow initializing the APK database and requires user interaction to trigger (e.g., running apko with a malicious repository), with CVSS 6.5 reflecting the availability impact. No patch is currently available, though the issue is confirmed and acknowledged by the apko maintainers.

Denial Of Service
CVE-2026-42367 MEDIUM CVSS 6.5
Privilege escalation in GeoVision LPC2011/LPC2211 Web Interface allows authenticated attackers to leak stored credentials via specially crafted HTTP requests to the ssi.cgi endpoint. The vulnerability affects firmware version 1.10 and requires low-privilege user access but no additional user interaction, enabling unauthenticated credential disclosure on affected devices.

Privilege Escalation
CVE-2026-42333 MEDIUM CVSS 6.3
Quarkus OpenAPI Generator versions before 2.16.0-lts and 2.16.0 (fixed in 2.17.0) send authentication credentials to unintended API endpoints due to overly broad path-parameter regex matching. The generated authentication filter treats OpenAPI path-template placeholders like {param} as .* patterns, allowing a single parameter to consume forward slashes and match multiple distinct operations. This causes bearer tokens, OAuth tokens, API keys, and basic credentials configured for one protected operation to be leaked to different, unprotected operations on the same service when a client invokes them through normal generated-code paths. No public exploit code has been identified, but the vulnerability is trivial to trigger and affects all authentication schemes relying on the shared path-matching logic.

Python Apache Java Information Disclosure
CVE-2026-42312 MEDIUM CVSS 6.8
Non-admin users holding the SETTINGS permission in pyload-ng can disable TLS peer and hostname verification by setting general.ssl_verify=off via the set_config_value() API, enabling man-in-the-middle attacks on all outbound HTTPS requests including downloads, captcha fetches, and plugin calls. This is an incomplete fix for a series of prior allowlist bypasses (CVE-2026-33509, CVE-2026-35463, CVE-2026-35464, CVE-2026-35586) in which security-sensitive configuration options were omitted from the ADMIN_ONLY_CORE_OPTIONS allowlist.

Privilege Escalation Python SSRF
CVE-2026-42310 MEDIUM CVSS 5.1
Pillow's PDF parser enters an infinite loop when processing maliciously crafted PDF files with circular Prev pointer references in trailer sections, causing 100% CPU consumption and application hang. All versions from 4.2.0 through 12.1.x are affected. The vulnerability is a denial-of-service condition affecting any application using Pillow to parse untrusted PDFs. Vendor-released patch: version 12.2.0.

Denial Of Service Python Red Hat Suse
CVE-2026-42309 MEDIUM CVSS 5.1
Heap buffer overflow in Pillow 11.2.1 through 12.1.x allows local attackers to cause denial of service or potentially execute arbitrary code by passing deeply nested list structures as coordinates to ImagePath.Path, ImageDraw.polygon, or ImageDraw.line APIs, which recursively unpack coordinates beyond allocated buffer boundaries.

Buffer Overflow Heap Overflow Red Hat Suse
CVE-2026-42308 MEDIUM CVSS 5.1
Integer overflow in Pillow's font glyph processing allows remote code execution or denial of service when handling maliciously crafted fonts with extremely large glyph advance values. Pillow versions before 12.2.0 are affected. The vulnerability is triggered during font rendering operations where position tracking accumulates glyph advances without proper bounds checking, leading to wraparound arithmetic that can corrupt memory or crash the interpreter.

Buffer Overflow Integer Overflow Red Hat Suse
CVE-2026-42258 MEDIUM CVSS 5.8
Net::IMAP command injection via unvalidated Symbol arguments allows remote attackers to inject arbitrary IMAP commands by passing user-controlled input as Symbol flags, enabling attackers to append CRLF sequences followed by malicious commands like DELETE mailbox. The vulnerability affects Net::IMAP versions 0.4.23 and earlier, 0.5.0-0.5.13, and 0.6.0-0.6.3, and is remedied in versions 0.4.24, 0.5.14, and 0.6.4 respectively. No public exploit code or active exploitation has been reported at the time of analysis.

Command Injection
CVE-2026-42257 MEDIUM CVSS 5.8
Command injection in net-imap library allows attackers to inject arbitrary IMAP commands by supplying unvalidated user input to multiple methods that send raw, unescaped strings to the IMAP server. The #search, #uid_search, #fetch, #uid_fetch, #store, #uid_store, and #setquota methods accept string arguments that bypass normal validation and encoding, enabling CRLF injection to break command context. Applications that dynamically construct search criteria, fetch attributes, or quota limits from user input are at significant risk; a developer passing unsanitized input could allow an attacker to append malicious IMAP commands such as DELETE or other state-modifying operations.

Authentication Bypass Command Injection CSRF
CVE-2026-42256 MEDIUM CVSS 6.0
Denial of service in net-imap SCRAM-SHA1/SHA256 authentication allows a hostile IMAP server to freeze the entire Ruby VM by sending an arbitrarily large PBKDF2 iteration count, blocking all threads for several minutes due to the blocking nature of OpenSSL::KDF.pbkdf2_hmac and its retention of the Global VM Lock. Patched versions 0.4.24, 0.5.14, and 0.6.4 introduce a max_iterations parameter that users must explicitly configure to prevent exploitation.

Denial Of Service OpenSSL Red Hat Suse
CVE-2026-42223 MEDIUM CVSS 6.5
nginx-ui versions prior to 2.3.8 expose 40+ protected configuration fields through the GetSettings API to authenticated users, including JwtSecret (auth token forgery), NodeSecret (cluster impersonation), and OIDC ClientSecret (OAuth takeover). The protected tag is enforced only during writes but completely ignored during reads, allowing authenticated attackers to extract sensitive secrets and IP whitelist configurations without requiring additional privileges or user interaction.

Information Disclosure Nginx
CVE-2026-42220 MEDIUM CVSS 6.5
nginx-ui prior to version 2.3.8 exposes sensitive configuration values including node.secret via an authenticated GET /api/settings endpoint, allowing an authenticated user to retrieve the shared authentication secret and subsequently impersonate the init administrative user by sending requests with the stolen node.secret via the X-Node-Secret header or node_secret query parameter. This enables privilege escalation and full administrative access to the Nginx configuration interface without additional authentication.

Information Disclosure Nginx
CVE-2026-42174 MEDIUM CVSS 5.3
Missing authorization in Kirby CMS allows authenticated users with file permissions to create, replace, or delete user avatars regardless of whether they hold the required user.update or users.update permissions. This authorization bypass affects Kirby versions up to 4.8.0 and 5.0.0 through 5.3.3, with patches available in Kirby 4.9.0 and 5.4.0. No public exploit code has been identified, and active exploitation is not confirmed.

Authentication Bypass
CVE-2026-42146 MEDIUM CVSS 5.5
Denial of service in CImg Library prior to version 3.7.5 allows local attackers to crash applications via crafted BMP files with oversized nb_colors header fields. The vulnerability stems from unchecked allocation of memory based on user-supplied file header data, causing out-of-memory conditions when loading untrusted BMP files. No authentication or network access required; user interaction (file opening) is the sole prerequisite.

Denial Of Service
CVE-2026-42144 MEDIUM CVSS 6.1
Integer overflow in CImg Library's _load_pnm() function allows crafted PNM/PGM/PPM image files to bypass memory allocation guards via undersized buffer allocation, potentially triggering heap buffer overflow with local file access and user interaction. CVSS 6.1 (local, user-required interaction). Patch available in commit 4ca26bc and v.3.7.5.

Buffer Overflow Integer Overflow
CVE-2026-42140 MEDIUM CVSS 4.4
Server-Side Request Forgery (SSRF) in PlantUML Macro for XWiki prior to version 2.4.1 allows authenticated users with UI interaction to specify arbitrary PlantUML servers via the server parameter without validation. An attacker can redirect the XWiki server to connect to internal IP addresses or malicious external URLs, enabling reconnaissance of internal infrastructure or attacks on internal services. The vulnerability requires authenticated access and user interaction but operates across scope boundaries (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C). Vendor-released patch available in version 2.4.1.

SSRF
CVE-2026-42138 MEDIUM CVSS 6.9
Unauthenticated users can upload SVG files containing XSS payloads via POST /api/files/upload in Dify prior to version 1.13.1, allowing cross-site scripting attacks against application users. The authenticated endpoint POST /v1/files/upload is similarly vulnerable. This vulnerability enables attackers to execute arbitrary JavaScript in the context of victim browsers, potentially compromising user sessions or stealing sensitive data without requiring any authentication or user interaction.

XSS
CVE-2026-42092 MEDIUM CVSS 6.5
titra 0.99.52 leaks sensitive global configuration settings to any authenticated user via an unprotected Meteor DDP publication, exposing API keys and OAuth secrets without administrative checks. Authenticated attackers can subscribe to the globalsettings publication and retrieve plaintext credentials including google_secret, openai_apikey, and google_clientid. No public patch is available at time of publication.

Information Disclosure
CVE-2026-42091 MEDIUM CVSS 6.5
goshs SimpleHTTPServer versions prior to 2.0.2 allow arbitrary file write via cross-origin PUT requests due to missing CSRF token validation on the PUT handler combined with permissive wildcard CORS headers. An attacker can trick a victim into visiting a malicious website which then writes arbitrary files to a goshs instance running on localhost or an internal network, bypassing network isolation protections. Publicly available exploit code exists, and the vulnerability affects all v2.x releases before 2.0.2 and all v1.x releases (no patch available for v1.x).

CSRF Suse
CVE-2026-42086 MEDIUM CVSS 4.6
Self-XSS in OpenC3 COSMOS Command Sender UI prior to version 7.0.0 allows authenticated users to execute arbitrary JavaScript in their own browser session via unsafe eval() processing of array parameters. An attacker can exploit this through phishing or by convincing a victim to send a malicious command, potentially stealing session tokens or modifying authenticated data. Patch available in version 7.0.0.

XSS
CVE-2026-42085 MEDIUM CVSS 4.3
OpenC3 COSMOS before versions 6.10.5 and 7.0.0-rc3 allows authenticated users to write arbitrary files to the shared /plugins directory via path traversal sequences in tool configuration filenames, potentially overwriting other plugins' configuration files. The vulnerability exists in the save_tool_config() function which canonicalizes filenames but does not restrict writes to plugin-specific subdirectories, enabling lateral movement between plugins. CVSS 4.3 reflects low severity due to authentication requirement and limited scope (integrity only), though real-world impact depends on whether plugin configurations contain sensitive data.

Path Traversal
CVE-2026-42080 MEDIUM CVSS 4.6
Arbitrary file write vulnerability in PPTAgent prior to commit 418491a allows authenticated users with UI interaction to write files outside the intended workspace via path traversal in the save_generated_slides function, potentially overwriting arbitrary files on the system. CVSS 4.6 (low integrity and availability impact); no public exploit code identified at time of analysis.

Path Traversal
CVE-2026-42078 MEDIUM CVSS 4.6
PPTAgent prior to commit 418491a allows authenticated users to write arbitrary files and create directories outside intended workspace boundaries via path traversal in the markdown_table_to_image function. An attacker with login access can supply crafted file paths containing directory traversal sequences to escape the configured workspace and write malicious files to arbitrary locations on the system. The vulnerability requires user interaction (UI:R in CVSS vector) and affects confidentiality and availability, with no public exploit code identified at time of analysis.

Path Traversal
CVE-2026-42077 MEDIUM CVSS 5.2
Prototype pollution in EvoMap Evolver versions prior to 1.69.3 allows local attackers with high privileges to inject malicious properties into Object.prototype via unfiltered Object.assign() calls in the mailbox store module, potentially modifying the behavior of all JavaScript objects and causing information disclosure or denial of service. The vulnerability requires file system write access to the messages.jsonl persistence file and high privileges, limiting real-world exploitability to insider or local compromise scenarios.

Code Injection Prototype Pollution
CVE-2026-42051 MEDIUM CVSS 5.3
Missing authorization in Kirby CMS allows authenticated Panel users without access.system permission to retrieve sensitive system information including installed Kirby version and license data via the /api/system REST API endpoint. This information can be leveraged for reconnaissance during subsequent attacks. Vendor-released patches: Kirby 4.9.0 and 5.4.0.

Authentication Bypass
CVE-2026-41891 MEDIUM CVSS 5.3
Deactivated user accounts in CI4MS retain full backend access until session expiration because the authentication filter fails to re-check the active status field for existing sessions. When an administrator sets a user's active field to 0, the user's session cookie remains valid and auth()->loggedIn() continues returning true, allowing the deactivated user to access protected resources for up to 7200 seconds (default session timeout). The vulnerability exists because code to enforce this check was commented out since the filter's initial commit and never activated.

Information Disclosure
CVE-2026-41890 MEDIUM CVSS 6.9
Arbitrary database table drop in CI4MS theme deletion allows authenticated administrators with theme.delete permission to craft malicious POST requests to the `/backend/themes/delete-process/` endpoint and drop any table in the database, including critical tables such as ci4ms_users and ci4ms_auth_identities. The vulnerability exists because the deleteProcess() action accepts user-supplied table names without validating them against the theme's own migration files, violating the principle of least privilege even within the admin trust model. Vendor-released patch 0.31.8.0 implements migration-based whitelist validation to restrict deletions to declared theme tables.

PHP RCE
CVE-2026-41888 MEDIUM CVSS 6.3
Authorization bypass in Docker Distribution Registry allows remote clients to delete image tags via the DELETE /v2/<name>/manifests/<tag> endpoint even when the operator has explicitly configured storage.delete.enabled: false. The tag deletion code path in registry/handlers/manifests.go bypasses the deletion authorization check present in digest-based manifest deletion, enabling attackers with network access to cause denial of service by removing tags and disrupting supply chain integrity of registries intended to be immutable.

Authentication Bypass Denial Of Service Docker Red Hat Suse
CVE-2026-41685 MEDIUM CVSS 4.3
Incus before version 7.0.0 allows authenticated users to exhaust host disk space through unbounded uploads via instance backup import, storage bucket import, storage volume backup import, and storage volume ISO import endpoints. The daemon streams HTTP request bodies directly into temporary files using io.Copy without enforcing maximum request size limits, enabling denial of service on the host system or shared storage in multi-tenant deployments. Public proof-of-concept code demonstrates sustained disk exhaustion by streaming null bytes through application/octet-stream endpoints.

Denial Of Service Suse
CVE-2026-41684 MEDIUM CVSS 6.5
Denial of service in Incus daemon via nil pointer dereference when restoring backup archives with valid inline backup/index.yaml but malformed legacy backup/container/backup.yaml omitting the container section. An authenticated user with backup import permissions can crash the daemon by crafting a backup archive that passes preflight validation but triggers nil dereference during the restore phase after archive extraction. CVSS 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) - confirmed by 7asecurity with proof-of-concept test cases.

Denial Of Service Null Pointer Dereference Suse
CVE-2026-41648 MEDIUM CVSS 5.3
Incus versions up to 6.23.0 allow authenticated users to trigger denial of service by uploading crafted image or backup tarballs containing oversized YAML metadata files that consume excessive server memory during parsing. When metadata.yaml or backup/index.yaml entries declare large sizes in the tar header, the YAML decoder reads and allocates 5-6x the input size without limits, potentially exhausting memory on constrained daemons; a 200 MB YAML entry may trigger 1.2 GB of heap allocations. Vendor-released patch available in v7.0.0.

Denial Of Service Suse
CVE-2026-41647 MEDIUM CVSS 6.5
Nil-pointer dereference in Incus daemon S3 storage bucket import allows authenticated users to crash the daemon by uploading a truncated or corrupted tar backup file. The TransferManager.UploadAllFiles function fails to handle non-EOF errors from tar parsing, causing a panic when hdr is nil. Vendor-released patch available in v7.0.0.

Denial Of Service Null Pointer Dereference Suse
CVE-2026-41181 MEDIUM CVSS 6.9
Traefik's errors middleware discloses sensitive HTTP headers including Authorization and Cookie to separate error page services when backends return configured error status codes. Affected versions are Traefik v2.11.43 and earlier, v3.6.14 and earlier, and v3.7.0-rc.0 through v3.7.0-rc.2. The vulnerability allows credentials meant only for backend services to be forwarded to distinct error page infrastructure, expanding exposure across service boundaries. Vendor-released patches are available; actively exploited status not confirmed.

Python Information Disclosure Docker
CVE-2026-38669 MEDIUM CVSS 6.1
Stored cross-site scripting (XSS) in wCMS v.1.4 allows remote attackers to inject malicious scripts when creating new blog entries, which are executed in the browsers of other users who view the affected blog. The vulnerability requires user interaction (victim visiting the compromised blog) and affects site confidentiality and integrity. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS
CVE-2026-37458 MEDIUM CVSS 6.5
Missing input validation in FRRouting stable/10.0 through 10.6 allows authenticated BGP peers to trigger a Denial of Service by sending a crafted UPDATE message with invalid martian addresses in the MP_REACH_NLRI component. An authenticated attacker can crash or severely degrade the BGP routing daemon by exploiting insufficient validation of next-hop addresses, with an EPSS score of 0.02% indicating low real-world exploitation probability despite moderate CVSS scoring.

Denial Of Service Red Hat Suse
CVE-2026-35527 MEDIUM CVSS 5.3
Blind server-side request forgery in Incus allows authenticated users to trigger arbitrary HEAD requests to internal or external endpoints during image import preflight validation, bypassing the restricted.images.servers project restriction. While the actual image download is blocked by project policies, the preflight HEAD request executes before validation occurs, enabling attackers to probe internal services, cloud metadata endpoints, or unroutable address space reachable from the Incus host. No public exploit code identified at time of analysis, though proof-of-concept reproduction is documented in the advisory.

SSRF Debian Suse
CVE-2026-34032 MEDIUM CVSS 5.3
Improper null termination and out-of-bounds read vulnerability in Apache HTTP Server through version 2.4.66 allows remote unauthenticated attackers to trigger information disclosure with low complexity exploitation. The vulnerability has a CVSS score of 5.3 (medium) with network-accessible attack vector and no user interaction required, though technical impact is limited to confidentiality (partial information disclosure). Vendor-released patch: version 2.4.67 addresses the issue.

Buffer Overflow Apache Red Hat Suse
CVE-2026-33857 MEDIUM CVSS 5.3
Out-of-bounds read in mod_proxy_ajp of Apache HTTP Server through version 2.4.66 allows remote unauthenticated attackers to disclose sensitive information via a crafted AJP protocol request. The vulnerability has a CVSS score of 5.3 (moderate) with no active exploitation confirmed. Upgrade to version 2.4.67 to remediate.

Buffer Overflow Apache Information Disclosure Red Hat Suse
CVE-2026-33523 MEDIUM CVSS 6.5
HTTP response splitting in Apache HTTP Server 2.4.0 through 2.4.66 allows remote attackers to inject arbitrary HTTP headers and content when the server acts as a proxy to untrusted or compromised backend servers, enabling cache poisoning, session fixation, and cross-site scripting attacks. CVSS 6.5 (moderate) with network attack vector, no authentication required, and confirmed automatable exploitation per CISA SSVC framework. Vendor-released patch: version 2.4.67.

Apache Information Disclosure Red Hat Suse
CVE-2026-33007 MEDIUM CVSS 5.3
Null pointer dereference in mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows unauthenticated remote attackers to crash child processes in caching forward proxy configurations, resulting in denial of service. The vulnerability has CVSS 5.3 (medium) with network accessibility and no authentication required, but is limited to partial availability impact affecting only specific proxy deployments. Vendor-released patch: version 2.4.67.

Denial Of Service Apache Null Pointer Dereference Red Hat Suse
CVE-2026-33006 MEDIUM CVSS 4.8
Timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows remote unauthenticated attackers to bypass Digest authentication with high attack complexity. The vulnerability exploits measurable timing differences in digest credential validation, enabling credential compromise without valid authentication. Apache has released patched version 2.4.67; no active exploitation has been confirmed, but CISA SSVC framework indicates automatable exploitation is not feasible due to the timing attack's sensitivity requirements.

Authentication Bypass Apache Red Hat Suse
CVE-2026-31205 MEDIUM CVSS 5.7
Stored cross-site scripting in Pluck CMS before v4.7.21dev allows authenticated high-privilege users to inject arbitrary JavaScript via the page editor, escalating privileges through the sanitizePageContent function in editpage.php. The vulnerability requires attacker authentication with administrative role and user interaction (UI:R), limiting spontaneous exploitation but enabling privilege escalation attacks within compromised admin accounts.

PHP XSS
CVE-2026-25266 MEDIUM CVSS 5.5
Memory corruption in Qualcomm Snapdragon SDK occurs when processing IOCTL commands while the device is in power-save state, allowing local authenticated attackers to trigger a denial of service. The vulnerability affects all versions of Snapdragon and requires local access with user-level privileges; no authentication bypass or privilege escalation is possible, but successful exploitation causes system crash or hang. EPSS and KEV status not provided; no public exploit code has been identified at time of analysis.

Buffer Overflow
CVE-2026-20451 MEDIUM CVSS 6.7
Out-of-bounds write in MediaTek's slbc (secure local buffer component) due to type confusion allows local privilege escalation to full system compromise when an attacker already holds System privilege. The vulnerability requires no user interaction and affects 32 MediaTek chipset models. CISA SSVC framework rates technical impact as total; however, EPSS score of 0.02% suggests limited real-world exploitation despite the high CVSS score of 6.7, likely due to the requirement for pre-existing System privilege.

Privilege Escalation Buffer Overflow Memory Corruption
CVE-2026-20450 MEDIUM CVSS 6.5
Remote denial of service in MediaTek modem firmware across 47+ chipset variants allows attackers to crash the modem via incorrect error handling when a user equipment device connects to a rogue base station, requiring no authentication or user interaction. The vulnerability affects a broad range of MediaTek cellular chipsets (MT6855, MT6985, MT8793, and others) and carries a CVSS 6.5 score reflecting network-adjacent attack vector and high availability impact. Patch MSV-6100 / MOLY01753620 is available from MediaTek.

Denial Of Service
CVE-2026-20449 MEDIUM CVSS 6.5
Heap buffer overflow in MediaTek modem firmware allows remote denial of service when a device connects to an attacker-controlled base station. The vulnerability affects a wide range of MediaTek chipsets and can crash the modem without requiring user interaction or special privileges. No public exploit code has been identified, and CISA has not listed this in the Known Exploited Vulnerabilities catalog, though the low EPSS score (0.07%) suggests limited real-world exploitation likelihood despite the attack vector requiring only adjacent network access.

Buffer Overflow Denial Of Service
CVE-2026-20448 MEDIUM CVSS 6.7
Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission checks in geniezone allows attackers with System privilege to escalate their access without user interaction. CVSS 6.7 reflects high confidentiality, integrity, and availability impact, but EPSS score of 0.02% (4th percentile) and SSVC 'none' exploitation status indicate this vulnerability has not been observed in active, widespread exploitation despite the low barrier to exploitation from privileged context.

Privilege Escalation
CVE-2026-20447 MEDIUM CVSS 6.7
Local privilege escalation in MediaTek geniezone component due to missing bounds check allows System-privileged actors to achieve total system compromise across multiple chipset models. The vulnerability requires prior System-level access and affects 17 MediaTek chipset variants (MT6899, MT8791T, MT8786, MT6789, MT8367, MT6768, MT8766, MT6993, MT6991, MT6877, MT8788E, MT8781, MT8768, MT6989, MT8910, MT8196, MT8793). No public exploit code identified at time of analysis; exploitation remains unconfirmed in active systems despite SSVC indicating total technical impact potential.

Privilege Escalation Buffer Overflow Information Disclosure
CVE-2026-7785 MEDIUM CVSS 5.5
OS command injection in wireshark-mcp's quick_capture function allows remote unauthenticated attackers to execute arbitrary operating system commands with publicly available exploit code. The vulnerability affects all versions of the rolling-release project through commit 400c3da70074f22f3cce7ccb65304cafc7089c89, with CVSS 5.5 reflecting low confidentiality, integrity, and availability impact but network-accessible exploitation vector. Active public exploit availability increases real-world risk despite moderate CVSS score.

Command Injection
CVE-2026-7737 MEDIUM CVSS 6.9
Out-of-bounds read in GoBGP BMP parser allows remote attackers to trigger information disclosure via malformed BMP messages to the BMPPeerUpNotification.ParseBody and BMPStatisticsReport.ParseBody functions. Affected versions are up to 4.3.0; patch available in version 4.4.0. CVSS 6.9 reflects availability impact. No public exploit code or active exploitation has been identified.

Buffer Overflow Information Disclosure Red Hat
CVE-2026-7736 MEDIUM CVSS 6.9
Integer underflow in osrg GoBGP up to version 4.3.0 allows remote attackers to trigger a crash or information disclosure via crafted MRT (Multi-Threaded Routing Toolkit) packet data in the parseRibEntry function. The vulnerability arises from improper bounds checking when processing RIB (Routing Information Base) entries, enabling network-based exploitation without authentication. Vendor-released patch version 4.4.0 addresses this issue; no active exploitation has been confirmed at time of analysis.

Information Disclosure Integer Overflow Red Hat
CVE-2026-7735 MEDIUM CVSS 6.9
Buffer overflow in GoBGP's AIGP Attribute Parser allows remote unauthenticated attackers to manipulate the PathAttributeAigp.DecodeFromBytes function via malformed BGP UPDATE messages, potentially causing memory corruption. Versions up to 4.3.0 are affected. GoBGP 4.4.0 includes a vendor-released patch that adds proper bounds checking and validation of TLV length fields.

Buffer Overflow
CVE-2026-7734 MEDIUM CVSS 6.9
Denial of service in osrg GoBGP up to version 4.3.0 allows remote attackers to trigger an infinite loop via malformed SRv6 L3 Service attributes in BGP packets. The vulnerability exists in the SRv6L3ServiceAttribute.DecodeFromBytes function, which incorrectly advances a loop variable when processing unknown sub-TLV types, causing the parser to never exit the loop and exhaust system resources. Vendor-released patch available in version 4.4.0.

Denial Of Service Suse
CVE-2026-7733 MEDIUM CVSS 5.5
Unrestricted file upload in funadmin up to version 7.1.0-rc6 allows remote attackers to upload arbitrary files via the Frontend Chunked Upload Endpoint (UploadService::chunkUpload function). The vulnerability stems from insufficient validation of the File parameter and can be exploited without authentication; publicly available exploit code exists and a patch (PR #59) has been released by the vendor.

PHP File Upload
CVE-2026-7727 MEDIUM CVSS 6.9
SQL injection in Shandong Hoteam PDM Product Data Management System versions ≤8.3.9 allows remote unauthenticated attackers to execute arbitrary SQL commands via the SortOrder parameter in the GetQueryMachineGridOnePageData function of /Base/BaseService.asmx/DataService endpoint. The vulnerability enables unauthorized data access, modification, and potential service disruption (CVSS 7.3: C:L/I:L/A:L). Vendor-released patch available in version 8.3.10. EPSS data not available; no CISA KEV listing or public exploit code identified at time of analysis.

SQLi
CVE-2026-7723 MEDIUM CVSS 5.5
Authentication bypass in Prefect WebSocket endpoint /api/events/in allows unauthenticated remote attackers to send events without valid credentials in versions up to 3.6.13. The vulnerability exploits missing authentication validation on the WebSocket connection handshake, allowing attackers to interact with the events API when authentication is configured. A publicly available exploit exists; vendor patch version 3.6.14 addresses this by implementing mandatory subprotocol-based authentication handshake.

Authentication Bypass
CVE-2026-7722 MEDIUM CVSS 5.5
Authentication bypass in Prefect up to version 3.6.21 allows remote unauthenticated attackers to access the Health Check API endpoint by manipulating the request path suffix matching logic. The vulnerability affects the /api/health endpoint's improper authentication validation using the endswith() function, enabling attackers to craft requests that bypass authentication checks. Publicly available exploit code exists and the vendor has released patch version 3.6.22.

Authentication Bypass
CVE-2026-7714 MEDIUM CVSS 5.5
Authentication bypass in Calibre-Web-Automated up to version 4.0.6 allows remote unauthenticated attackers to access admin endpoints in the cps/cwa_functions.py component, specifically affecting Convert Library and EPUB Fixer administrative functions. Multiple endpoints lacking required authentication decorators (@login_required_if_no_ano and @admin_required) permit unauthorized users to trigger book conversions, manage conversion jobs, download logs, and manipulate EPUB files. Publicly available exploit code exists and patch is available from vendor.

Authentication Bypass
CVE-2026-7711 MEDIUM CVSS 5.5
MindsDB versions up to 26.01 allow remote unauthenticated attackers to bypass authentication and perform unrestricted file uploads via manipulation of the exec function in the BYOM (Bring Your Own Model) handler's proc_wrapper.py component. Publicly available exploit code exists, and the vendor has not responded to early disclosure, leaving deployed instances vulnerable to remote code execution through malicious model uploads.

Authentication Bypass File Upload
CVE-2026-7710 MEDIUM CVSS 5.5
Authentication bypass in YunaiV yudao-cloud up to version 3.8.0 allows remote unauthenticated attackers to manipulate the mock-token argument in JwtAuthenticationTokenFilter.java, circumventing JWT authentication mechanisms and gaining unauthorized access. The vulnerability affects the Ruoyi-Vue-Pro component, has publicly available exploit code, and impacts confidentiality, integrity, and availability of protected resources with low severity per CVSS 4.0 scoring (CVSS:5.5, AV:N/AC:L/PR:N/UI:N, VC:L/VI:L/VA:L). The vendor has not responded to early disclosure notification.

Authentication Bypass Java
CVE-2026-6948 MEDIUM CVSS 4.9
Velociraptor server versions before 0.76.4 are vulnerable to denial of service via resource exhaustion when a compromised or rogue client sends specially crafted messages through the agent control channel, causing out-of-memory conditions and server crashes. The vulnerability requires authenticated client access but can be triggered by any authenticated agent, making it a realistic threat in environments where client integrity cannot be guaranteed. CVSS score of 4.9 reflects high privileges required (PR:H) but complete availability impact.

Denial Of Service Suse
CVE-2026-6501 MEDIUM CVSS 5.3
XML external entity (XXE) injection in jOpenDocument 1.5 allows authenticated remote attackers to trigger denial of service through XML bomb attacks (billion laughs) by submitting specially crafted documents. The vulnerability affects document parsing functionality and requires valid user authentication, limiting but not eliminating real-world risk in multi-tenant or collaborative document processing environments. EPSS and KEV status not provided, but SSVC framework indicates automatable exploitation with partial technical impact.

XXE
CVE-2026-6500 MEDIUM CVSS 4.8
ILM Informatique OpenConcerto 1.7.5 stores sensitive passwords in plaintext, allowing authenticated local users to retrieve embedded credentials with low complexity. The vulnerability enables information disclosure of authentication data accessible via local file access, confirmed by CISA SSVC framework as having partial technical impact but no evidence of active exploitation.

Information Disclosure
CVE-2026-5335 MEDIUM CVSS 5.3
Magic Export & Import WordPress plugin before version 1.2.0 stores exported CSV files in a publicly accessible web directory, allowing unauthenticated remote attackers to enumerate and download sensitive user data without authentication. The vulnerability affects all versions prior to 1.2.0, has publicly available proof-of-concept code, and carries moderate real-world risk due to the low attack complexity and high automatable nature of exploitation, though the actual severity is constrained by the fact that CSV export must first occur and require that files remain accessible.

WordPress Information Disclosure Path Traversal
CVE-2025-70072 MEDIUM CVSS 6.5
Assimp version 6.0.2 is vulnerable to denial of service through improper buffer handling in the FBXConverter::ConvertMeshMultiMaterial() function when processing crafted FBX model files. A remote attacker can trigger a crash by supplying a malicious FBX file via network or local file access, causing the application to become unavailable. Publicly available exploit code exists, though the vulnerability requires user interaction to process the malicious file.

Buffer Overflow Denial Of Service Information Disclosure Red Hat Suse
CVE-2025-70071 MEDIUM CVSS 5.9
Denial of service in Assimp 6.0.2 allows remote attackers to crash the application by sending specially crafted FBX files that trigger memory exhaustion or infinite loops in the FBXParser ParseVectorDataArray() function. The vulnerability requires network access but involves high attack complexity, indicating the attacker must precisely craft malformed input. Public exploit code exists; CISA SSVC analysis indicates the vulnerability is not automatable and results in partial technical impact (availability loss only), suggesting targeted rather than mass-scale exploitation.

Denial Of Service Red Hat Suse
CVE-2025-70070 MEDIUM CVSS 6.5
Denial of service vulnerability in Assimp 6.0.2 via null pointer dereference in FBXMeshGeometry.cpp MeshGeometry constructor allows remote attackers to crash applications processing malicious FBX files. Requires user interaction (opening/processing a crafted file) but affects any application using the vulnerable library version. Publicly available exploit code exists; CVSS 6.5 reflects network attack vector with user interaction requirement.

Denial Of Service Null Pointer Dereference Red Hat Suse
CVE-2025-47406 MEDIUM CVSS 6.1
Information disclosure in Qualcomm Snapdragon firmware allows local authenticated attackers to read sensitive kernel memory via malformed IOCTL handler callbacks that bypass buffer size validation. The vulnerability affects multiple Snapdragon chipset versions and requires local access with limited privileges; exploitation results in confidentiality breach without direct system compromise. No active exploitation has been confirmed at the time of analysis.

Buffer Overflow Information Disclosure
CVE-2025-47404 MEDIUM CVSS 6.5
Memory corruption in Qualcomm Snapdragon occurs when dynamically resizing a previously allocated buffer while its contents are being concurrently modified, enabling local authenticated attackers with user-level privileges to achieve high confidentiality and integrity impact with CVSS 6.5. No active exploitation has been confirmed at the time of analysis, and patch availability details require verification against the May 2026 Qualcomm security bulletin.

Buffer Overflow
CVE-2025-47403 MEDIUM CVSS 6.5
Denial of service in Qualcomm Snapdragon wireless chipsets allows unauthenticated attackers in wireless range to crash the device by sending a malformed Fast Transition response frame during roaming operations. The vulnerability triggers a buffer overflow in the 802.11 frame parser when processing an invalid header structure, resulting in temporary denial of service. No authentication is required and exploitation requires only network adjacency.

Buffer Overflow
CVE-2025-47401 MEDIUM CVSS 6.5
Transient denial of service in Qualcomm Snapdragon occurs during target power rate table processing when configuring wireless channels, caused by a buffer over-read vulnerability. The vulnerability affects all Snapdragon versions and requires adjacent network access with no authentication or user interaction, resulting in service interruption but no data compromise or unauthorized access.

Buffer Overflow
CVE-2026-43964 LOW CVSS 3.7
Postfix versions before 3.8.16, 3.9.10, and 3.10.9 are vulnerable to a buffer over-read and process crash when processing specially crafted enhanced status codes lacking text after the third numeric digit. Remote unauthenticated attackers can trigger a denial of service by sending malformed SMTP responses, causing the Postfix process to crash. The attack requires specific SMTP conditions (AC:H) but no authentication or user interaction, with low availability impact.

Denial Of Service
CVE-2026-43864 LOW CVSS 2.5
Mutt mail client before version 2.3.2 crashes due to a null pointer dereference in the show_sig_summary function when processing GPG signatures, causing denial of service. The vulnerability requires local access and user interaction to trigger (viewing a malicious email with a crafted signature), resulting in application termination with minimal real-world impact. CVSS score of 2.5 reflects low severity; no public exploit or active exploitation confirmed.

Denial Of Service Null Pointer Dereference
CVE-2026-43863 LOW CVSS 3.7
Mutt before version 2.3.2 contains an infinite loop in the data_object_to_stream function within crypt-gpgme.c that can be triggered during GPG encryption operations, leading to denial of service. The vulnerability affects remote attackers under high-complexity conditions (requiring specific GPG-encrypted message handling), and is publicly documented via a GitHub commit but has no active exploitation confirmed. The fix changes the loop condition from checking non-zero read results to explicitly checking for positive read values (> 0), preventing infinite iteration when gpgme_data_read returns zero or negative values.

Denial Of Service
CVE-2026-43862 LOW CVSS 3.7
Mutt before 2.3.2 mishandles the IMAP GSS security level due to improper integer casting and insufficient bounds checking, allowing remote attackers to trigger memory corruption and information disclosure via a crafted IMAP server response during GSS-API authentication. The vulnerability requires high attack complexity (malicious IMAP server) but affects all versions prior to 2.3.2.

Information Disclosure Memory Corruption
CVE-2026-43861 LOW CVSS 3.7
mutt before version 2.3.2 fails to validate null bytes during URL percent-decoding, allowing remote attackers to inject embedded null characters into decoded URLs, potentially causing information disclosure through truncation of validation checks or bypassing of security filters that rely on string length.

Information Disclosure
CVE-2026-43860 LOW CVSS 3.7
mutt before version 2.3.2 truncates the IMAP CRAM-MD5 authentication hash by one byte due to incorrect use of strfcpy instead of memcpy, potentially allowing attackers to bypass or weaken authentication on IMAP connections through off-by-one string handling errors.

Information Disclosure
CVE-2026-43859 LOW CVSS 3.7
Mutt before 2.3.2 uses an unsafe string copy function (strfcpy) instead of memcpy when handling MD5 digest data in IMAP CRAM authentication, allowing attackers to potentially forge IMAP credentials by triggering buffer manipulation during the authentication handshake. The vulnerability requires manual connection attempt to a malicious IMAP server and affects network IMAP authentication flows, though the low CVSS score (3.7) reflects high attack complexity and integrity impact only.

Information Disclosure
CVE-2026-42245 LOW CVSS 2.3
net-imap ResponseReader exhibits quadratic time complexity O(n²) when parsing IMAP responses containing multiple string literals, allowing hostile IMAP servers to exhaust client CPU and block other threads via denial of service. A maliciously crafted response can consume 100-200ms per regex scan repeated hundreds of thousands of times per megabyte, holding the Global VM lock and starving concurrent threads despite staying within max_response_size limits. Vendor-released patches available in versions 0.4.24, 0.5.14, and 0.6.4.

Denial Of Service
CVE-2026-42183 LOW CVSS 2.3
Denial of service via nil pointer dereference in Argo Workflows 4.0.0-4.0.4 affects SSO users with RBAC namespace delegation enabled when their identity claims match a namespace-level RBAC rule but not an SSO-namespace rule. The gatekeeper.go rbacAuthorization() function unconditionally dereferences a nil serviceAccount pointer when comparing rule precedence, causing an HTTP 500 panic on every API request from the affected user. Live-tested exploit confirmed on v4.0.4 with Dex OIDC provider; vendor patch released as v4.0.5.

Denial Of Service Null Pointer Dereference
CVE-2026-40243 LOW CVSS 2.3
Broken TLS certificate verification in Incus OVN database connections accepts peer-supplied certificate roots instead of anchoring trust in the configured CA certificate, allowing an attacker positioned on the management network to impersonate the OVN northbound or southbound database. While mTLS prevents full man-in-the-middle attacks and OVN control planes typically run on the same servers as Incus (limiting network attack surface), the flaw collapses the intended CA-based authentication boundary on critical control-plane database connections. Affected versions below 7.0.0 are vulnerable; no active exploitation confirmed in CISA KEV at time of analysis.

Authentication Bypass
CVE-2026-7783 LOW CVSS 2.1
SQL injection in CodeCanyon Perfex CRM up to version 3.4.1 allows authenticated remote attackers to execute arbitrary SQL queries via the Admin Kanban Endpoint's AbstractKanban::applySortQuery function. The vulnerability stems from improper sanitization of the sort query argument and can lead to unauthorized data access, modification, and potential system compromise. Publicly available exploit code exists, increasing real-world risk.

PHP SQLi
CVE-2026-7782 LOW CVSS 2.1
Authorization bypass in CodeCanyon Perfex CRM up to 3.4.1 allows authenticated remote attackers to access projects belonging to other tenants via manipulation of the ID parameter in the Clients::project function. The vulnerability requires valid user credentials but grants access to cross-tenant data with low confidentiality, integrity, and availability impact. Publicly available exploit code exists for this flaw.

PHP Authentication Bypass
CVE-2026-7781 LOW CVSS 2.1
Denial of service in Open5GS up to version 2.7.7 affects the AMF 3GPP access endpoint handler (udm_nudm_uecm_handle_amf_registration_update function), allowing authenticated remote attackers to crash the UDM service via malformed registration update messages. Publicly available exploit code exists, and the vendor was notified early but has not released a patch as of the analysis date.

Denial Of Service
CVE-2026-7780 LOW CVSS 2.1
Denial of service in Open5GS up to version 2.7.7 affects the udm_state_operational function in the smf-registrations endpoint, allowing authenticated remote attackers to manipulate the function and cause service unavailability. The vulnerability has publicly available exploit code and carries a low CVSS score of 2.1 due to required authentication and limited availability impact, though the project has not yet responded to early disclosure.

Denial Of Service
CVE-2026-7779 LOW CVSS 2.1
Denial of service in Open5GS up to version 2.7.7 affects the authentication-subscription endpoint handler, allowing authenticated remote attackers to manipulate the udm_nudr_dr_handle_subscription_authentication function and cause service unavailability. Public exploit code exists and the vulnerability has been reported to the project without a confirmed vendor response or patch release.

Denial Of Service
CVE-2026-7746 LOW CVSS 2.1
SQL injection in SourceCodester Web-based Pharmacy Product Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /product_expiry/edit-admin.php, enabling unauthorized data access, modification, and deletion. The vulnerability has a publicly available exploit and CVSS 6.3 base score reflects moderate impact with low attack complexity; however, authentication is required, limiting exposure to users with valid credentials.

PHP SQLi
CVE-2026-7745 LOW CVSS 2.1
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via a crafted deleteid parameter in the /OnlineClassroom/facultydetails endpoint, enabling data exfiltration and potential database manipulation. The vulnerability has public exploit code available and CVSS 6.3 (medium severity) reflects the requirement for prior authentication and limited scope, though the exploitation probability is rated probable by scoring metadata.

SQLi
CVE-2026-7744 LOW CVSS 2.1
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the fname parameter in the /OnlineClassroom/addnewstudent endpoint, resulting in unauthorized data access, modification, and denial of service. Public exploit code is available and the vulnerability carries a CVSS score of 6.3 with proof-of-concept code confirmed accessible on GitHub.

SQLi
CVE-2026-7743 LOW CVSS 2.1
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the deleteid parameter in the /OnlineClassroom/studentdetails endpoint, enabling unauthorized data access, modification, and potential denial of service. The vulnerability has publicly available exploit code and confirmed exploitation potential, affecting all versions up to 1.0.

SQLi
CVE-2026-7742 LOW CVSS 2.1
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fid parameter in the /OnlineClassroom/facultylogin endpoint, leading to unauthorized data access, modification, and denial of service. The vulnerability has a publicly available proof-of-concept exploit and is likely to be actively exploited given the moderate CVSS score (6.3) and confirmed POC availability.

SQLi
CVE-2026-7741 LOW CVSS 2.1
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the sid parameter in the /OnlineClassroom/studentlogin endpoint, enabling data exfiltration and modification with low complexity exploitation. Public exploit code is available, increasing real-world risk despite the moderate CVSS score of 6.3.

SQLi
CVE-2026-7740 LOW CVSS 1.9
Denial of service in tsMuxer up to version 2.7.0 via improper handling of the track_id argument in the VvcVpsUnit::setFPS function allows local authenticated attackers to trigger an availability impact. Publicly available exploit code exists; however, the vulnerability affects only unsupported legacy versions and requires local access with user-level privileges, limiting real-world exposure.

Denial Of Service
CVE-2026-7739 LOW CVSS 1.9
Denial of service in tsMuxer up to version 2.7.0 via improper input validation in the HevcVpsUnit::setFPS function allows local authenticated attackers to crash the application by manipulating the track_id argument. The vulnerability affects only unsupported product versions and carries a very low CVSS score (1.9), though publicly available exploit code exists.

Denial Of Service
CVE-2026-7738 LOW CVSS 2.1
Path traversal in puchunjie doc-tools-mcp 1.0.18 MCP Interface allows authenticated remote attackers to access arbitrary files on the system via manipulation of the filePath argument in create_document and open_document functions. The vulnerability has a low CVSS score (2.1) due to authentication requirements and limited confidentiality impact, but publicly available exploit code exists. The vendor has not responded to the early disclosure.

Path Traversal
CVE-2026-7732 LOW CVSS 2.1
Unrestricted file upload in code-projects BloodBank Managing System 1.0 via request_blood.php allows authenticated remote attackers to upload arbitrary files with limited impact. The vulnerability requires valid user credentials (PR:L per CVSS vector) but has low confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L). Publicly available exploit code exists; however, the low CVSS score (2.1) and confined impact scope suggest this poses minimal risk despite public disclosure.

PHP File Upload
CVE-2026-7731 LOW CVSS 2.1
SQL injection in code-projects BloodBank Managing System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the G_STATE_ID parameter in get_state.php, potentially exfiltrating sensitive patient or blood bank data. The vulnerability has low confidentiality and integrity impact but carries exploitability risk (E:P in CVSS 4.0) and publicly available exploit code, making it a practical concern for deployed instances despite the low CVSS score of 2.1.

PHP SQLi
CVE-2026-7730 LOW CVSS 2.1
OS command injection in privsim mcp-test-runner 0.2.0 allows authenticated remote attackers to execute arbitrary operating system commands via manipulation of the command argument passed to child_process.spawn in the MCP Interface component. The vulnerability affects version 0.2.0 with CVSS 6.3 (network-exploitable, low attack complexity, low-privileged access required). Publicly available exploit code exists and the vendor has not yet responded to early disclosure notification.

Command Injection
CVE-2026-7729 LOW CVSS 2.1
Server-side request forgery (SSRF) in pixelsock directus-mcp 1.0.0 allows authenticated remote attackers to manipulate the fileUrl argument in the validateUrl function, enabling requests to internal resources including cloud metadata services and private networks. Publicly available exploit code exists and a patch awaiting acceptance is available on GitHub. CVSS 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects moderate impact with authentication requirement.

SSRF
CVE-2026-7728 LOW CVSS 2.1
Path traversal in ryanjoachim mcp-rtfm 0.1.0 allows authenticated remote attackers to read, write, and delete arbitrary files by manipulating the docFile parameter in the get_doc_content, read_doc, update_doc, and related MCP interface functions. Publicly available exploit code exists, and the vulnerability affects all versions of the product without a patched release identifier provided. An authenticated user can exploit this with no user interaction required via network access to escape the intended .handoff_docs directory and access files outside the designated documentation scope.

Path Traversal
CVE-2026-7725 LOW CVSS 2.1
Argument injection in Prefect up to 3.6.25.dev6 allows authenticated attackers to execute arbitrary git commands via specially crafted commit_sha or directories parameters in the GitRepository Pull Handler (src/prefect/runner/storage.py). An attacker can inject git flags like --upload-pack or --config to achieve remote code execution with the privileges of the Prefect runner process. Publicly available exploit code exists, and the vendor has released a patched version (3.6.25.dev7) that validates commit SHA format and adds command-line argument separators to block injection.

Code Injection
CVE-2026-7724 LOW CVSS 1.3
Time-of-check time-of-use (TOCTOU) vulnerability in Prefect's validate_restricted_url function allows remote attackers with low privileges to bypass Server-Side Request Forgery (SSRF) protections via DNS rebinding attacks during webhook and notification delivery. Publicly available exploit code exists. The vulnerability affects Prefect versions up to 3.6.28.dev1 and is fixed in 3.6.28.dev2.

Information Disclosure
CVE-2026-7721 LOW CVSS 2.1
Command injection in Totolink WA300 firmware version 5.2cu.7112_B20190227 allows authenticated remote attackers to execute arbitrary commands via the hostTime parameter in the NTPSyncWithHost function accessible through /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, though actual real-world exploitation risk is mitigated by the requirement for authenticated access and the low impact scope (limited to confidentiality, integrity, and availability of the application itself, with no system-wide impact).

Command Injection
CVE-2026-7720 LOW CVSS 2.1
Command injection in Totolink WA300 5.2cu.7112_B20190227 allows authenticated remote attackers to execute arbitrary commands via the langType parameter in the setLanguageCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, though the low CVSS 2.1 score reflects limited scope (only low confidentiality and integrity impact, no system integrity or availability impact) and authentication requirement, reducing real-world attack surface.

Command Injection
CVE-2026-7718 LOW CVSS 2.1
Command injection in Totolink WA300 firmware version 5.2cu.7112_B20190227 allows authenticated remote attackers to execute arbitrary commands via the webWlanIdx parameter in the setWebWlanIdx function of /cgi-bin/cstecgi.cgi. The vulnerability requires valid user credentials but no user interaction, with publicly available exploit code demonstrating the attack.

Command Injection
CVE-2026-7716 LOW CVSS 2.1
SQL injection in code-projects Gym Management System in PHP allows authenticated remote attackers to manipulate the 'day' parameter in /index.php, enabling arbitrary SQL query execution with limited confidentiality and integrity impact. The vulnerability carries a CVSS score of 2.1 and requires prior authentication (PR:L); publicly available exploit code exists but active exploitation confirmation is absent from CISA KEV data.

PHP SQLi Microsoft
CVE-2026-7715 LOW CVSS 2.1
Path traversal in ravenwits mcp-server-arangodb up to version 0.4.7 allows authenticated remote attackers to manipulate the outputDir argument in the arango_backup function, enabling unauthorized file system access with limited confidentiality and integrity impact. The vulnerability affects the MCP Interface component and has publicly available exploit code; however, the low CVSS score (2.1) reflects constrained real-world risk due to the requirement for authenticated access and limited technical impact scope.

Path Traversal
CVE-2026-7713 LOW CVSS 2.1
Improper authorization in Calibre-Web-Automated versions up to 4.0.6 allows authenticated remote attackers to generate or revoke Kobo authentication tokens for arbitrary users via an Insecure Direct Object Reference (IDOR) vulnerability in the kobo_auth.py component. An attacker with valid login credentials can request /kobo_auth/generate_auth_token/<victim_user_id> to obtain tokens authorizing Kobo sync as any other user, or revoke their tokens to deny service. Publicly available exploit code exists and the vulnerability is confirmed patched in version 4.0.7.

Information Disclosure
CVE-2026-7712 LOW CVSS 2.1
Unsafe deserialization in MindsDB pickle.loads function allows authenticated remote attackers to achieve limited information disclosure and integrity compromise via crafted serialized objects. The vulnerability affects MindsDB up to version 26.01, requires valid credentials (PR:L), and has publicly available exploit code; however, the low CVSS score (2.1) and limited scope indicate restricted real-world impact despite network accessibility.

Deserialization
CVE-2026-6499 LOW CVSS 2.4
Incorrect permission assignment in OpenConcerto 1.7.5 enables local authenticated users with UI interaction to modify critical binary files, potentially allowing privilege escalation or persistent code execution through binary replacement. CVSS score of 2.4 (Low) reflects the local-only attack vector and requirement for user interaction, though the vulnerability creates a persistent integrity risk for affected deployments.

Information Disclosure

Track CVEs for your stack Sign up free →

Today's Vulnerabilities Vulnerabilities