Skip to main content
CVE-2026-42811 CRITICAL PATCH GHSA Act Now

CEL injection in Apache Polaris 1.4.0 allows authenticated users to escape credential access boundaries on Google Cloud Storage. Attackers can craft namespace or table identifiers containing single quotes and CEL fragments to break out of quoted strings in Credential Access Boundary conditions, escalating temporary table-scoped GCS credentials to effectively bucket-wide access. Confirmed in private testing: attackers obtained credentials intended for one table but successfully listed, read, created, and deleted objects across unrelated tables and external prefixes within the entire configured bucket. EPSS data not yet available for this recent CVE; CVSS 9.4 reflects critical confidentiality, integrity, and availability impact across both vulnerable and subsequent systems (scope changed).

Google Apache Information Disclosure
NVD VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-42810 CRITICAL PATCH GHSA Act Now

Wildcard injection in Apache Polaris table names allows authenticated users to escalate privileges and access unauthorized S3 data across tables. By creating tables with literal asterisk characters (e.g., 'f*.t1', '*.*'), attackers bypass IAM policy scoping and obtain temporary S3 credentials that match other tables' storage paths. Confirmed exploitation scenarios include reading Iceberg metadata control files, listing table prefixes, and creating/deleting objects in victim tables' S3 locations - even when the attacker lacks direct Polaris permissions on those tables. Private testing confirmed this on both MinIO and AWS S3 against Polaris 1.4.0. The CVSS 9.4 (Critical) reflects network-accessible exploitation requiring only low privileges (namespace-scoped TABLE_CREATE), with high confidentiality, integrity, and availability impact across system and subsequent components. No public exploit code or CISA KEV listing identified at time of analysis, but the Apache advisory provides detailed attack mechanics.

Authentication Bypass Apache
NVD VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-42809 CRITICAL PATCH GHSA Act Now

Apache Polaris issues overly-permissive temporary storage credentials during staged table creation, allowing authenticated attackers to redirect vended credentials to attacker-controlled storage locations. The vulnerability stems from missing validation and overlap checks before credential issuance - attackers supply a custom 'location' parameter or 'write.data.path'/'write.metadata.path' properties that become effective immediately without verification. This enables unauthorized access to arbitrary storage resources beyond intended table boundaries, with CVSS 9.4 severity indicating high impact across confidentiality, integrity, and availability of both vulnerable and subsequent systems.

Authentication Bypass Apache
NVD VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-42812 CRITICAL PATCH GHSA Act Now

Authenticated attackers with table configuration privileges can bypass storage location validation in Apache Polaris by manipulating the write.metadata.path property during ALTER TABLE operations. This forces Polaris to write metadata files to attacker-controlled storage locations without proper validation, then subsequently issue cloud storage credentials for those locations. The vulnerability enables unauthorized access to and potential corruption of data belonging to other tables within the catalog's allowedLocations scope, particularly when polaris.config.allow.unstructured.table.location=true. EPSS data not available; no public exploit identified at time of analysis.

Authentication Bypass Apache
NVD VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-42601 CRITICAL GHSA Act Now

Remote code execution in ArchiveBox <= 0.8.6rc0 allows unauthenticated attackers to execute arbitrary commands on the server via unvalidated config injection in the /add/ endpoint. When PUBLIC_ADD_VIEW=True (common for bookmarklet usage), attackers inject malicious environment variables through the config JSON parameter that propagate to archive plugins like yt-dlp and gallery-dl, enabling command execution via --exec flags. The endpoint lacks both input validation and CSRF protection. CVSS 9.3 (Critical) with network vector, low complexity, and no authentication required. Public proof-of-concept exploit exists demonstrating pre-authentication RCE. No vendor-released patch identified at time of analysis.

Python RCE
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-7161 CRITICAL Act Now

Credential interception in GeoVision GV-IP Device Utility 9.0.5 allows network attackers to decrypt administrator passwords from broadcast UDP packets. The application broadcasts device commands with credentials encrypted using a modified Blowfish scheme, but includes the decryption key in the same packet - reducing security to algorithm obscurity. Attackers on the same LAN can capture these broadcasts when legitimate administrators interact with GeoVision IP cameras or devices, decrypt credentials using reverse-engineered algorithms, then gain full device control to reconfigure or factory-reset equipment. EPSS and KEV data not available; CVSS 9.3 reflects network-accessible credential disclosure requiring user interaction.

Information Disclosure Gv Ip Device Utility
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-13605 CRITICAL PATCH Act Now

Command injection in 3onedata GW1101-1D(RS-485)-TB-P Modbus gateway allows authenticated high-privilege users on adjacent networks to execute arbitrary shell commands as root via malicious input in the IP address field of diagnostic test tools. Exploitation requires administrative credentials and adjacent network access (CVSS 4.0: 9.3 AV:A/AC:L/PR:H). SSVC assessment indicates no active exploitation, non-automatable attack, with total technical impact. Fixed in firmware version 3.0.59B2024080600R4353.

Command Injection Gw1101 1D Rs 485 Tb P
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-5335 MEDIUM POC PATCH This Month

Magic Export & Import WordPress plugin before version 1.2.0 stores exported CSV files in a publicly accessible web directory, allowing unauthenticated remote attackers to enumerate and download sensitive user data without authentication. The vulnerability affects all versions prior to 1.2.0, has publicly available proof-of-concept code, and carries moderate real-world risk due to the low attack complexity and high automatable nature of exploitation, though the actual severity is constrained by the fact that CSV export must first occur and require that files remain accessible.

Path Traversal WordPress Information Disclosure
NVD WPScan
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42796 CRITICAL PATCH Act Now

Remote code execution in Arelle webserver (versions prior to 2.39.10) allows unauthenticated attackers to execute arbitrary Python code by submitting malicious plugin URLs to the /rest/configure endpoint. The vulnerability stems from the webserver's plugin manager accepting and executing external Python files without authentication or URL validation. A patch is available in version 2.39.10 (GitHub PR #2320). CVSS 9.8 with network vector, no privileges required, and EPSS data not provided. No CISA KEV listing or confirmed active exploitation at time of analysis.

Authentication Bypass Python RCE
NVD GitHub
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-41258 CRITICAL PATCH GHSA Act Now

Server-side template injection in OpenMRS Core allows authenticated users with 'Manage Concepts' privilege to execute arbitrary Java code by injecting malicious Apache Velocity templates into concept reference range criteria fields. The vulnerability stems from unsafe VelocityEngine initialization without sandbox restrictions (no SecureUberspector), enabling unrestricted Java reflection. Exploitation persists across all facility users whenever observations are validated against the compromised concept, creating a persistent remote code execution vector. Fixed in versions 2.7.9 and 2.8.6 via migration from Velocity to sandboxed Spring Expression Language (SpEL) with SimpleEvaluationContext. No active exploitation confirmed (not in CISA KEV), but proof-of-concept details available from researcher advisory at machinespirits.com.

Apache Tomcat Java RCE Privilege Escalation +1
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-40682 CRITICAL PATCH GHSA Act Now

XML External Entity injection in Apache OpenNLP's DictionaryEntryPersistor allows remote unauthenticated attackers to disclose local files or perform server-side request forgery when processing untrusted dictionary files. The vulnerable SAX parser initialization omits critical security features (FEATURE_SECURE_PROCESSING, DTD disablement) present elsewhere in the codebase, creating an inconsistency exploitable via the public Dictionary(InputStream) API when loading stop-word lists or domain dictionaries. With EPSS at 0.03% (8th percentile) and no active exploitation reported, this represents a code-quality issue in a specific input path rather than an imminent widespread threat, though the CVSS 9.1 reflects maximum theoretical impact given the network-accessible, unauthenticated attack vector.

XXE SSRF Apache Apache Opennlp
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-42238 CRITICAL PATCH GHSA Act Now

Remote code execution as root in nginx-ui versions before 2.3.8 via unauthenticated backup restore within 10-minute startup window. Attackers exploit the completely unauthenticated /api/restore endpoint during initial installation to upload malicious backup archives that overwrite app.ini configuration with injected OS commands in TestConfigCmd setting. After automatic application restart, command injection triggers with privileges of the nginx-ui process - typically root in Docker deployments. EPSS data not available; no active exploitation reported but publicly disclosed via GitHub Security Advisory GHSA-4pvg-prr3-9cxr. Patch released in version 2.3.8.

Command Injection Nginx RCE Docker Code Injection
NVD GitHub VulDB
CVSS 4.0
9.0
EPSS
0.2%
CVE-2026-7372 CRITICAL Act Now

Remote code execution in GeoVision GV-VMS V20 20.0.2 allows unauthenticated attackers to execute arbitrary code as SYSTEM via stack overflow in WebCam Server Login functionality. A specially crafted HTTP request with oversized username or password fields (exceeding 40 characters) triggers unconstrained sscanf buffer handling. CVSS 9.0 with high attack complexity reflects exploitation constraints (no null bytes allowed in payload), though network vector and lack of authentication requirements present significant risk. No active exploitation confirmed (not in CISA KEV); EPSS data unavailable for final risk assessment.

RCE Buffer Overflow Memory Corruption Gv Vms V20 0 2
NVD
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-41901 CRITICAL PATCH GHSA Act Now

Server-Side Template Injection (SSTI) in Thymeleaf 3.1.4.RELEASE and earlier allows remote attackers to execute arbitrary code via specially crafted expressions that bypass the template engine's sandbox restrictions. Applications passing unsanitized user input to sandboxed template contexts are vulnerable to full server compromise. Vendor-released patch is available in version 3.1.5.RELEASE. The CVSS 9.0 CRITICAL rating reflects the potential for remote code execution with high confidentiality, integrity, and availability impact, though the AC:H (high attack complexity) indicates exploitation requires specific application patterns where user input flows directly into sandboxed template contexts without validation.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-42571 CRITICAL PATCH GHSA Act Now

Authenticated attackers can escalate privileges to administrator in Pelican Web User Interface versions 7.21 through 7.24 by manipulating database records before legitimate admin users log in. This vulnerability was discovered by a Claude coding agent on April 2, 2026, and affects servers with Server.UIAdminUsers or Server.AdminGroups configured where designated admins have not previously authenticated. No public exploit code exists, and Pelican Command Line reports no confirmed exploitation in OSDF-managed services. Vendor patches are available across all affected minor release series (>=v7.21.5, >=v7.22.3, >=v7.23.3, >=v7.24.2), with fix commit 7f73b9c3e677 addressing CWE-863 (Incorrect Authorization).

Authentication Bypass Privilege Escalation Denial Of Service Information Disclosure
NVD GitHub
CVSS 4.0
9.0
EPSS
0.0%
CVE-2026-42605 HIGH PATCH GHSA This Week

Path traversal in AzuraCast's Flow.js media upload endpoint allows authenticated users with media management permissions to write arbitrary PHP files outside designated storage directories, achieving remote code execution. The vulnerability exists in versions ≤0.23.5 where the unsanitized `currentDirectory` parameter bypasses filename sanitization, and a `finally` block writes uploaded files before MIME validation completes. Only local filesystem storage (default configuration) is affected-remote S3/cloud backends are not vulnerable. Vendor-confirmed patch available in version 0.23.6. No public exploit or CISA KEV listing identified at time of analysis, but detailed proof-of-concept exists in GitHub advisory GHSA-vp2f-cqqp-478j demonstrating webshell upload to web root.

Privilege Escalation PHP RCE Path Traversal
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-42364 HIGH This Week

Authenticated OS command injection in the DdnsSetting.cgi handler of GeoVision GV-LPC2011/LPC2211 license plate capture cameras (firmware 1.10) lets an attacker with low-privilege access to the device web interface execute arbitrary OS commands by writing a crafted value into the DDNS configuration. CVSS scores the issue 8.8 (high) with full confidentiality, integrity, and availability impact, and Talos has published an advisory (TALOS-2025-2326); no public exploit identified at time of analysis and EPSS is low at 0.17%.

Command Injection Gv Lpc2011 Lpc2211
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-7482 HIGH PATCH GHSA This Week

Heap out-of-bounds read in Ollama's GGUF model loader (<0.17.1) leaks sensitive memory contents including API keys, environment variables, and concurrent user data when processing maliciously crafted model files. Attackers can trigger the vulnerability by uploading a GGUF file with tensor offsets exceeding file bounds via the unauthenticated /api/create endpoint, then exfiltrate leaked memory through /api/push to attacker-controlled registries. While default deployments bind to localhost only, the widely-adopted OLLAMA_HOST=0.0.0.0 configuration exposes instances to network exploitation. Vendor-released patch available in version 0.17.1 with GitHub commit 88d57d0483cca907e0b23a968c83627a20b21047 adding bounds validation to fs/ggml/gguf.go and server/quantization.go.

Information Disclosure Buffer Overflow Red Hat Suse
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-24072 HIGH PATCH This Week

Local .htaccess authors can escalate privileges to read arbitrary files as the httpd daemon user in Apache HTTP Server 2.4.66 and earlier. The vulnerability requires low-privilege authenticated access to create or modify .htaccess files, but exploits misconfigured module interactions to bypass intended access controls. Apache has released version 2.4.67 to address this issue. SSVC assessment indicates no active exploitation and non-automatable attack vector, with EPSS data not yet available for this recent disclosure.

Privilege Escalation Apache Suse Red Hat Apache HTTP Server
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-39852 HIGH PATCH GHSA This Week

Authorization bypass in Quarkus allows remote unauthenticated attackers to access protected HTTP endpoints by appending semicolons (matrix parameters) to request URLs. Quarkus version 3.32.4 and multiple other branches are affected due to a path-normalization inconsistency between the security layer (which checks raw paths preserving matrix parameters) and RESTEasy Reactive routing (which strips them). Attackers can send requests like '/api/admin;anything' to bypass policies protecting '/api/admin' while still routing to the protected endpoint. Vendor-released patches available across four version branches (3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1). No public exploit identified at time of analysis, but the attack technique is straightforward given the detailed GitHub Security Lab advisory (GHSA-rc95-pcm8-65v9).

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-42372 HIGH Monitor

Hardcoded credentials in D-Link DIR-605L Hardware Revision A1 firmware grant root-level telnet access to unauthenticated attackers on adjacent networks. The telnet daemon automatically starts at boot with username 'Alphanetworks' and static password 'wrgn35_dlwbr_dir605l', enabling complete device takeover including network traffic interception, configuration modification, and pivot attacks against internal networks. This End-of-Life product will receive no vendor patch, requiring immediate device replacement. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, with adjacent network attack vector reducing but not eliminating risk for home and small office deployments.

D-Link Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-58074 HIGH This Week

Norton Secure VPN installed via Microsoft Store allows low-privilege Windows users to escalate to SYSTEM-level privileges by replacing files during the installation process, causing arbitrary file deletion. Cisco Talos discovered this TOCTOU (Time-of-Check Time-of-Use) race condition in the installer. No public exploit code or active exploitation confirmed at time of analysis, but the local attack vector with low complexity (CVSS AC:L) makes this highly exploitable once installation details are known.

Microsoft Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-0073 HIGH POC This Week

Authentication bypass in Android Debug Bridge (ADB) wireless mutual authentication allows adjacent network attackers to execute arbitrary code as the shell user without authentication. The flaw affects Android 14, 15, and 16 series, residing in the TLS certificate verification logic of adbd_tls_verify_cert. EPSS data not available, but CISA SSVC framework indicates no current exploitation evidence and non-automatable attack requiring network adjacency. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability when the wireless debugging feature is enabled.

RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25863 HIGH PATCH This Week

Denial-of-service condition in Conditional Fields for Contact Form 7 WordPress plugin allows remote unauthenticated attackers to crash PHP processes by injecting arbitrarily large iteration values through REST API parameters. The Wpcf7cfMailParser class processes user-supplied POST data without validation, enabling attackers to trigger unbounded loops with multiple regex operations that exhaust server memory. Affects all versions through 2.6.7 with vendor patch now available. EPSS data not provided, but the network-accessible unauthenticated attack vector (AV:N/PR:N) combined with low complexity (AC:L) indicates straightforward exploitation potential against publicly accessible WordPress sites running this plugin.

Denial Of Service PHP WordPress
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41893 HIGH PATCH GHSA This Week

Credential brute-forcing in Signal K Server versions ≤2.24.0 allows remote unauthenticated attackers to bypass HTTP login rate limiting by sending unlimited password guesses through the WebSocket authentication endpoint at approximately 20 attempts per second. The HTTP login endpoints are protected by express-rate-limit (default: 100 attempts per 10-minute window), but the WebSocket path processes login requests without any throttling, enabling dictionary attacks to complete in minutes. Publicly available exploit code exists demonstrating the bypass technique. Signal K servers are commonly deployed on boat networks where they may be accessible to other devices on the same LAN, increasing exposure risk.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42080 MEDIUM POC PATCH GHSA This Month

Arbitrary file write vulnerability in PPTAgent prior to commit 418491a allows authenticated users with UI interaction to write files outside the intended workspace via path traversal in the save_generated_slides function, potentially overwriting arbitrary files on the system. CVSS 4.6 (low integrity and availability impact); no public exploit code identified at time of analysis.

Path Traversal Pptagent
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-42079 HIGH PATCH GHSA This Week

Arbitrary code execution in PPTAgent allows local attackers to execute Python code by exploiting unsafe eval() of LLM-generated content with unrestricted builtins. The framework's agentic architecture passes AI-generated code directly to eval() with full builtin access, enabling execution of arbitrary system commands. Patch available via commit 418491a which restricts eval() globals to an empty builtins dictionary and adds path traversal protections. CVSS 8.6 with local attack vector and user interaction requirement; no evidence of active exploitation or public POC at time of analysis.

RCE Python Code Injection
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-42311 HIGH PATCH GHSA This Week

Integer overflow in Pillow 10.3.0 through 12.1.1 bypasses bounds checks during PSD tile extent validation, enabling memory corruption and arbitrary code execution when processing malicious PSD files. This vulnerability (CVE-2026-42311) exploits an incomplete fix for CVE-2026-25990, where the original patch added tile extent validation but used overflow-prone integer types. Attackers craft PSD images with tile dimensions that wrap around during extent sum calculations, defeating the bounds checks and triggering out-of-bounds writes in decode.c and encode.c. Pillow 12.2.0 patches this by avoiding extent addition before comparison. No active exploitation confirmed (not in CISA KEV); publicly available exploit code exists via proof-of-concept test images in the patch commit.

Integer Overflow RCE Buffer Overflow Python
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-42295 HIGH PATCH GHSA This Week

Argo Workflows executor logs artifact repository credentials in plaintext to pod logs during artifact operations, exposing S3 access/secret keys, GCS service account keys, Azure storage keys, and Git passwords. Users with Kubernetes RBAC permissions to read pod logs in the workflow namespace can extract these credentials directly from workflow execution logs. This vulnerability affects Argo Workflows v4.0.0 through v4.0.4 and represents an incomplete fix of CVE-2025-62157. Vendor-released patch (v4.0.5) is available with GitHub commit bdd40908 removing credential-bearing struct logging. No public exploit identified at time of analysis, though exploitation is trivial given the included working proof-of-concept YAML.

Kubernetes Microsoft Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-42297 HIGH PATCH GHSA This Week

Missing authorization checks in Argo Workflows v4.0.0-4.0.4 allow any authenticated user-even those with fake Bearer tokens-to create, read, update, and delete Kubernetes ConfigMaps containing workflow synchronization limits. The ConfigMap-backed sync provider (server/sync/sync_cm.go) completely omits auth.CanI permission validation on all four CRUD endpoints. Publicly available exploit code exists (detailed PoC in advisory). CVSS 8.5 reflects network-accessible authentication bypass enabling high integrity/availability impact through denial-of-service and arbitrary ConfigMap manipulation. Patch released in version 4.0.5 adding checkConfigMapPermission() calls to validate Kubernetes RBAC before operations.

Authentication Bypass Denial Of Service Information Disclosure Kubernetes
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-7791 HIGH NEWS This Week

Local privilege escalation in Amazon WorkSpaces for Windows versions before 2.6.2034.0 enables authenticated low-privileged users to write arbitrary files to protected system locations, achieving SYSTEM-level access. The vulnerability exploits a race condition (CWE-367) in the Skylight Workspace Config Service's log rotation mechanism. No public exploit or active exploitation confirmed at time of analysis, but local access requirement limits attack surface to compromised user accounts or insider threats.

Privilege Escalation Microsoft
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-6266 HIGH PATCH This Week

Authentication bypass in Red Hat Ansible Automation Platform 2.6 allows authenticated attackers to hijack arbitrary user accounts, including administrator accounts, via email-based identity provider linking manipulation. The AAP gateway's user auto-link feature matches external IDP identities to existing accounts by email without ownership verification, enabling account takeover when an attacker controls an IDP account with a victim's email address. Red Hat has released patch RHSA-2026:13508. EPSS and KEV data not provided, but the low attack complexity (AC:L) and high confidentiality/integrity impact make this a critical authentication control failure requiring immediate remediation in environments using external identity providers.

Authentication Bypass Red Hat Ansible Automation Platform 2 6 For Rhel 9
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-42313 HIGH PATCH GHSA This Week

Authenticated users with non-admin SETTINGS permission in pyload-ng ≤0.5.0b3.dev99 can redirect all outbound HTTP traffic through attacker-controlled proxies by modifying ungated proxy configuration fields (enabled, host, port, type). The vulnerability is an incomplete fix in a series of authorization bypass issues (CVE-2026-33509/-35463/-35464/-35586) where a hand-maintained allowlist in set_config_value() gates only proxy credentials (username/password) but not the proxy destination itself, allowing credential theft, traffic interception, and response injection across downloads, captcha solvers, and update checks. No public exploit identified at time of analysis, though the GitHub advisory includes a working proof-of-concept demonstrating traffic redirection via API calls. Patch confirmed in version 0.5.0b3.dev100 per vendor advisory GHSA-pg67-9wjv-mr85.

Python Information Disclosure
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-40893 HIGH PATCH GHSA This Week

Remote unauthenticated attackers can bypass ExifTool tag blocklist in Gotenberg 8.x via group-prefixed tag names (e.g., 'System:FileName' instead of 'FileName'), enabling arbitrary file renaming, relocation, and permission modification within the container filesystem. One HTTP request exploits this input validation bypass (CWE-20) to circumvent protections from a prior security fix (GHSA-qmwh-9m9c-h36m). The vulnerability affects all metadata-accepting endpoints in Gotenberg's default configuration, which typically runs without authentication. No public exploit code is confirmed, but a detailed proof-of-concept is published in the GitHub advisory (GHSA-62p3-hvxx-fxg4). CVSS 8.2 reflects network vector with no authentication required, though real-world impact depends on container isolation and shared volume configurations.

Docker Information Disclosure Google
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-40075 HIGH PATCH GHSA This Week

Path traversal in OpenMRS Core's ModuleResourcesServlet allows unauthenticated attackers to read arbitrary files from the server filesystem, including sensitive configuration files and system files like /etc/passwd. The vulnerability exists in versions ≤ 2.7.8 and 2.8.0-2.8.5, with exploitation requiring Apache Tomcat < 8.5.31 where path parameter bypass protections are absent. Fix available in version 2.8.6 for the 2.8.x branch; no patch released for 2.7.x series at time of analysis. CVSS 7.5 (High) reflects network-accessible unauthenticated exploitation with high confidentiality impact.

Java Path Traversal Apache Tomcat
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-42294 HIGH PATCH GHSA This Week

Memory exhaustion crashes Argo Workflows server via unauthenticated multi-gigabyte webhook requests to the publicly accessible `/api/v1/events/` endpoint. The Webhook Interceptor's `io.ReadAll` call allocates unbounded memory before signature verification, enabling remote attackers to trigger out-of-memory (OOM) conditions without authentication or credentials. Vendor-released patches enforce a 2MB body size limit via `io.LimitReader`. Publicly available exploit code exists (conceptual proof-of-concept published in GitHub security advisory GHSA-jcc8-g2q4-9fxq). No active exploitation confirmed by CISA KEV at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and public PoC create immediate risk for internet-exposed Argo Workflows deployments.

Kubernetes Denial Of Service
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-41895 HIGH PATCH GHSA This Week

XML External Entity (XXE) injection in changedetection.io version 0.54.9 and earlier allows local file disclosure when processing attacker-controlled XML or RSS feeds. The xpath_filter() function in html_tools.py creates an lxml parser without disabling external entity resolution, enabling attackers to embed DOCTYPE declarations that read sensitive files from the host system. Extracted content appears in watch output, diff history, and notification channels. No vendor-released patch identified at time of analysis. CVSS 8.2 reflects high confidentiality impact with attack complexity high due to specific runtime parser behavior requirements.

XXE
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-42075 HIGH PATCH GHSA This Week

Path traversal in Evolver's skill fetch command enables arbitrary file writes via unvalidated --out= flag. Authenticated attackers can overwrite system files or create malicious files in sensitive locations (e.g., cron directories) by using directory traversal sequences like '../../../etc/cron.d'. The vulnerability exists in index.js where user-provided paths from --out= are extracted without sanitization and passed directly to fs.mkdirSync(). Patch released in version 1.69.3. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation.

Path Traversal Evolver
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-42221 HIGH PATCH GHSA This Week

Unauthenticated attackers can hijack the administrator account during nginx-ui's first-run installation window by claiming the /api/install endpoint before legitimate operators. This race-condition vulnerability in nginx-ui versions 2.0.0 through 2.3.7 bypasses authentication controls entirely, allowing complete instance takeover with attacker-controlled credentials. The request-encryption mechanism protects only transit confidentiality, not authorization. Attack complexity is rated HIGH due to the narrow time window between deployment and legitimate setup completion. EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis, but exploitation requires only standard HTTP tools and timing.

Authentication Bypass Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-42222 HIGH GHSA This Week

Unauthenticated bootstrap takeover in nginx-ui 2.3.5 allows remote attackers to hijack the initial installation process via crafted POST requests to /api/install endpoint. An attacker who successfully exploits the installation window gains full administrative control over the nginx-ui instance before legitimate administrators complete setup. No vendor-released patch identified at time of analysis, creating extended exposure risk for newly deployed instances.

Authentication Bypass Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42606 HIGH PATCH GHSA This Week

Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.

Docker CSRF PHP Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40563 HIGH PATCH GHSA This Week

Code injection in Apache Atlas DSL search endpoint allows authenticated attackers to manipulate Gremlin traversal queries and access unauthorized data. Affects versions 0.8 through 2.4.0; exploitable in 2.0+ only when non-default configuration 'atlas.dsl.executor.traversal=false' is set. EPSS score of 0.03% (9th percentile) suggests low widespread exploitation probability. No active exploitation confirmed per CISA KEV or vendor advisory. Fixed in version 2.5.0.

RCE Apache Code Injection
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42296 HIGH PATCH GHSA This Week

Argo Workflows v3 (< 3.7.14) and v4 (< 4.0.5) allow users to bypass templateReferencing Strict/Secure mode restrictions by setting WorkflowSpec fields like hostNetwork, serviceAccountName, securityContext, tolerations, and volumes. The incomplete fix for CVE-2026-31892 only blocked podSpecPatch but left other security-sensitive fields unvalidated. Authenticated users with create Workflow permission can inject host network access, switch service accounts, modify pod security contexts, or schedule on control-plane nodes despite referencing hardened WorkflowTemplates. Vendor-released patch: v3.7.14 and v4.0.5 (commit 2727f3f). No public exploit identified at time of analysis, but exploitation is straightforward given detailed reproduction steps in the advisory.

Authentication Bypass Kubernetes
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42084 HIGH PATCH GHSA This Week

OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attackers with hijacked tokens to lock out legitimate users and maintain persistent access to compromised accounts including administrator accounts. Publicly available exploit code demonstrates the attack chain. All versions prior to 6.10.5 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The vendor has released patched versions 6.10.5 and 7.0.0-rc3 that enforce password-only verification during password change operations.

Information Disclosure Cosmos
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-29199 HIGH PATCH GHSA This Week

Host header injection in phpBB versions 3.0.0 through 3.3.15 enables password reset link poisoning when force_server_vars is disabled. Attackers manipulating HTTP Host headers can redirect password reset links to attacker-controlled domains, enabling credential theft and account takeover. CVSS 8.1 with network vector and no authentication required, though EPSS exploitation probability is low (0.02%, 4th percentile), suggesting limited observed exploitation activity. Vendor-released fix available in phpBB 3.3.16.

Code Injection Phpbb
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-67796 HIGH PATCH GHSA This Week

Improper authorization in IKUS Rdiffweb before 2.10.5 allows authenticated attackers with low-privilege API access tokens to read or modify data belonging to other users and tenants without additional authorization checks. The API fails to validate that the authenticated token subject matches the targeted user in requests, enabling horizontal privilege escalation and cross-tenant data access. Fixed in version 2.10.6. EPSS score of 0.02% (4th percentile) indicates low current exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42301 HIGH PATCH GHSA This Week

Arbitrary code execution on RPM packagers' workstations occurs when pyp2spec generates spec files from malicious PyPI package metadata containing unescaped RPM macro directives. Affects pyp2spec versions prior to 0.14.1, primarily impacting Fedora/RHEL packagers who process untrusted PyPI packages. Attack triggers during spec file parsing (rpmbuild -bs, rpm -q --specfile) before any build step, enabling compromise via typosquatted packages or those under Fedora review. Exploited packager workstations hold dist-git SSH keys, Koji build credentials, and Bodhi update rights, creating supply chain risk. Vendor-released patch 0.14.1 available per GitHub advisory GHSA-r35x-v8p8-xvhw. No public exploit identified at time of analysis, but attack complexity is low with realistic targeting scenarios described.

Information Disclosure
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-36365 HIGH This Week

Command injection in Caesium Image Compressor (all versions through commit 02da2c6) allows local authenticated attackers to execute arbitrary OS commands via unsanitized input to shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp. The vulnerable code uses system() calls without input validation, enabling shell metacharacter injection during post-compression power management operations. Patch available via GitHub PR #376 replacing system() with QProcess::startDetached(). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. No evidence of active exploitation or public POC beyond the researcher's advisory.

Command Injection RCE Suse
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24082 HIGH This Week

Use-after-free vulnerability in Qualcomm Snapdragon chipsets enables local privilege escalation to achieve full device compromise. Low-privilege authenticated users can trigger memory corruption during performance counter deselect operations, gaining high-integrity code execution with kernel-level access. Qualcomm has released patches in their May 2026 security bulletin. EPSS data not yet available for this future-dated CVE; no confirmed active exploitation or public exploit code identified at time of analysis.

Buffer Overflow Use After Free Memory Corruption Snapdragon
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47408 HIGH This Week

Memory corruption in Qualcomm Snapdragon allows local authenticated attackers with low privileges to achieve arbitrary code execution and full system compromise. The vulnerability triggers when malicious drivers invoke specific IOCTLs with intentionally malformed input/output buffers, bypassing buffer validation checks. EPSS and KEV status not available at time of analysis; advisory references May 2026 bulletin suggesting pre-disclosure analysis.

Buffer Overflow Snapdragon
NVD
CVSS 3.1
7.8
EPSS
0.0%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy