Skip to main content
CVE-2026-7747 HIGH POC This Week

Remote unauthenticated attackers can execute arbitrary code on Totolink N300RH routers version 3.2.4-B20220812 by sending crafted Password parameter values to the loginauth authentication function in /cgi-bin/cstecgi.cgi, triggering a stack-based buffer overflow. Exploitation probability is moderate (EPSS score not provided, but publicly available exploit code exists per VulDB reference). This affects consumer-grade wireless routers often deployed in home/SOHO environments with default internet-facing management interfaces, creating significant remote compromise risk despite the device's end-of-life status.

Buffer Overflow N300Rh
NVD VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-7719 HIGH POC This Week

Remote unauthenticated buffer overflow in Totolink WA300 wireless repeater firmware version 5.2cu.7112_B20190227 enables complete device compromise via crafted HTTP POST requests to the login authentication handler. The vulnerability resides in the loginauth function within /cgi-bin/cstecgi.cgi, where insufficient validation of the http_host parameter allows attackers to overflow memory and achieve arbitrary code execution with device privileges. Publicly available exploit code exists (documented via Notion), enabling trivial exploitation with EPSS probability assessment pending but attack complexity rated low (AC:L) with no authentication barrier (PR:N).

Buffer Overflow Wa300
NVD VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-23918 HIGH POC PATCH NEWS This Week

Remote code execution via double-free memory corruption in Apache HTTP Server 2.4.66's HTTP/2 protocol implementation allows authenticated attackers to compromise server integrity and confidentiality with high impact. Vendor-released patch 2.4.67 addresses the issue. No public exploit or active exploitation confirmed at time of analysis, but SSVC framework rates technical impact as total, indicating complete system compromise potential.

Apache Information Disclosure Apache Http Server
NVD VulDB Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-32834 HIGH POC Monitor

Hardcoded authentication bypass in Easy PayPal Events & Tickets plugin allows unauthenticated remote attackers to retrieve sensitive order data by supplying 'test' as the hash parameter to the QR code scanning endpoint. Attackers can access PayPal transaction IDs, customer emails, purchase amounts, and ticket information for any order by enumerating post IDs. Public exploit code exists on GitHub, significantly lowering the exploitation barrier. The plugin was officially closed by WordPress.org on 2026-03-18, leaving installations vulnerable with no future patches.

Authentication Bypass WordPress
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-29514 HIGH POC This Week

Remote code execution in NetBox 4.3.5-4.5.4 allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary Python code as the NetBox service user by injecting malicious callables into Jinja2 template environment parameters. Attackers bypass SandboxedEnvironment protections by setting the finalize parameter to dangerous imports like subprocess.getoutput, which executes on every rendered expression outside sandbox call interception. Public proof-of-concept exploit exists (chocapikk.com), and upstream patch available via GitHub PR #22078 implements an allowlist-based validation mechanism that blocks unauthorized callable resolution at both save-time and render-time.

Python RCE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41927 HIGH POC This Week

Stack-based buffer overflow in WDR201A WiFi Extender firewall.cgi and makeRequest.cgi binaries enables remote unauthenticated attackers to execute arbitrary code through crafted POST requests with oversized Content-Length headers. The vulnerability affects hardware version 2.1 running firmware LFMZX28040922V1.02, with publicly available proof-of-concept exploit code documented via AI-assisted vulnerability research. CVSS 8.3 with high attack complexity indicates exploitation requires advanced technical skills, though the network vector and lack of authentication requirements make this a significant risk for exposed IoT devices.

Stack Overflow RCE Buffer Overflow Wdr201A Wifi Extender
NVD VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-41471 HIGH POC Monitor

Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.

Authentication Bypass WordPress Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-34059 HIGH POC PATCH This Week

Buffer over-read in Apache HTTP Server through 2.4.66 enables remote unauthenticated information disclosure at network scale. Attackers can read sensitive memory content without authentication or user interaction, achieving high confidentiality impact with low attack complexity. EPSS exploitation probability and KEV status not provided, but SSVC framework confirms the vulnerability is automatable with partial technical impact and no active exploitation detected at time of analysis. Patch released in version 2.4.67.

Red Hat Suse Apache Buffer Overflow Apache HTTP Server
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-6321 HIGH POC PATCH GHSA This Week

Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls through percent-encoded path traversal sequences. The normalize() and equal() functions decode URL-encoded separators (%2F) and dot segments (%2E) before applying normalization rules, causing distinct URIs to collapse onto identical normalized paths. Applications relying on fast-uri for URL validation in authorization checks can be tricked into allowing access to restricted resources. EPSS exploitation probability not yet calculated given recent disclosure; no active exploitation confirmed (not in CISA KEV), but attack vector is trivial (CVSS AV:N/AC:L/PR:N/UI:N) and patch is available in version 3.1.1.

Path Traversal Fast Uri
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42154 HIGH POC PATCH GHSA This Week

Memory exhaustion in Prometheus remote read endpoint allows unauthenticated attackers to crash the monitoring server via maliciously crafted snappy-compressed payloads. The /api/v1/read endpoint in versions prior to 3.5.3 and 3.11.3 accepts compressed request bodies without validating the declared decoded length, enabling a 5-byte payload claiming 256 MiB decoded size to trigger massive heap allocations. Concurrent requests can exhaust memory and crash the Prometheus process. EPSS data not provided; no evidence of active exploitation (not in CISA KEV). Vendor-released patches available in versions 3.5.3 and 3.11.3.

Denial Of Service Prometheus
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42151 HIGH POC PATCH GHSA This Week

Prometheus monitoring system exposes Azure AD OAuth client secrets in plaintext via its /-/config HTTP API endpoint. Versions prior to 3.5.3 and 3.11.3 incorrectly type the client_secret field as a plain string instead of Prometheus's redacted Secret type, allowing remote unauthenticated attackers to retrieve sensitive Azure credentials from any exposed Prometheus instance configured for Azure AD remote write. The vulnerability has low exploitation complexity (CVSS AV:N/AC:L/PR:N) with 7.5 severity. Vendor-confirmed patches available in versions 3.5.3 and 3.11.3 (GitHub releases confirmed). EPSS data not provided; no CISA KEV listing indicating targeted exploitation campaigns at time of analysis.

Microsoft Information Disclosure Prometheus
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7750 HIGH POC This Week

Remote authenticated attackers can execute arbitrary code on Totolink N300RH 3.2.4-B20220812 routers via buffer overflow in the setMacFilterRules function. Exploitation requires low-privilege authentication to the router's web interface, then sending a crafted POST request with an oversized mac_address parameter to /cgi-bin/cstecgi.cgi. Public exploit code is available (documented on Notion), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network attack vector, publicly available POC, and vulnerable IoT device suggest moderate real-world risk for internet-exposed routers with default or weak credentials.

Buffer Overflow N300Rh
NVD VulDB
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-7749 HIGH POC This Week

Buffer overflow in Totolink N300RH router firmware 3.2.4-B20220812 allows authenticated remote attackers to achieve complete device compromise via crafted DNS parameter in WAN configuration requests. The vulnerability exists in the setWanConfig function within /cgi-bin/cstecgi.cgi POST handler, exploitable by manipulating the priDns argument. Public exploit code is available (CVSS E:P), and CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact on the vulnerable device with no cross-scope effects.

Buffer Overflow N300Rh
NVD VulDB
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-7748 HIGH POC This Week

Buffer overflow in Totolink N300RH router firmware 3.2.4-B20220812 enables authenticated remote attackers to achieve code execution via crafted FileName parameter to the setUpgradeFW function in /cgi-bin/cstecgi.cgi. Public exploit code is available (documented in Notion). CVSS 7.4 with CVSS 4.0 Exploit maturity 'Proof-of-concept' confirms POC exists. Not listed in CISA KEV, suggesting limited real-world exploitation despite public POC.

Buffer Overflow N300Rh
NVD VulDB
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-7717 HIGH POC This Week

Buffer overflow in Totolink WA300 wireless range extender firmware 5.2cu.7112_B20190227 allows authenticated remote attackers to execute arbitrary code or crash the device via crafted File parameter to the UploadCustomModule function in /cgi-bin/cstecgi.cgi. Public proof-of-concept exploit exists (documented in Notion page), enabling low-skill exploitation. EPSS data not available, but low attack complexity (AC:L) and network attack vector (AV:N) combined with public POC indicate elevated real-world risk for affected devices exposed to untrusted authenticated users.

Buffer Overflow Wa300
NVD VulDB
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-38751 HIGH POC GHSA This Week

Arbitrary file upload in OpenSTAManager 2.10 and earlier allows authenticated high-privilege users to upload malicious files via the module update functionality at modules/aggiornamenti/upload_modules.php, leading to remote code execution. Publicly available exploit code exists (GitHub POC), though EPSS exploitation probability remains low (2%, 5th percentile), suggesting limited observed exploitation activity. CVSS 7.2 reflects high impact but requires high-privilege authentication (PR:H), substantially limiting attack surface to compromised admin accounts or malicious insiders.

PHP File Upload
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-42605 HIGH PATCH GHSA This Week

Path traversal in AzuraCast's Flow.js media upload endpoint allows authenticated users with media management permissions to write arbitrary PHP files outside designated storage directories, achieving remote code execution. The vulnerability exists in versions ≤0.23.5 where the unsanitized `currentDirectory` parameter bypasses filename sanitization, and a `finally` block writes uploaded files before MIME validation completes. Only local filesystem storage (default configuration) is affected-remote S3/cloud backends are not vulnerable. Vendor-confirmed patch available in version 0.23.6. No public exploit or CISA KEV listing identified at time of analysis, but detailed proof-of-concept exists in GitHub advisory GHSA-vp2f-cqqp-478j demonstrating webshell upload to web root.

Privilege Escalation PHP RCE Path Traversal
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-42364 HIGH This Week

Authenticated OS command injection in the DdnsSetting.cgi handler of GeoVision GV-LPC2011/LPC2211 license plate capture cameras (firmware 1.10) lets an attacker with low-privilege access to the device web interface execute arbitrary OS commands by writing a crafted value into the DDNS configuration. CVSS scores the issue 8.8 (high) with full confidentiality, integrity, and availability impact, and Talos has published an advisory (TALOS-2025-2326); no public exploit identified at time of analysis and EPSS is low at 0.17%.

Command Injection Gv Lpc2011 Lpc2211
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-7482 HIGH PATCH GHSA This Week

Heap out-of-bounds read in Ollama's GGUF model loader (<0.17.1) leaks sensitive memory contents including API keys, environment variables, and concurrent user data when processing maliciously crafted model files. Attackers can trigger the vulnerability by uploading a GGUF file with tensor offsets exceeding file bounds via the unauthenticated /api/create endpoint, then exfiltrate leaked memory through /api/push to attacker-controlled registries. While default deployments bind to localhost only, the widely-adopted OLLAMA_HOST=0.0.0.0 configuration exposes instances to network exploitation. Vendor-released patch available in version 0.17.1 with GitHub commit 88d57d0483cca907e0b23a968c83627a20b21047 adding bounds validation to fs/ggml/gguf.go and server/quantization.go.

Information Disclosure Buffer Overflow Red Hat Suse
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-24072 HIGH PATCH This Week

Local .htaccess authors can escalate privileges to read arbitrary files as the httpd daemon user in Apache HTTP Server 2.4.66 and earlier. The vulnerability requires low-privilege authenticated access to create or modify .htaccess files, but exploits misconfigured module interactions to bypass intended access controls. Apache has released version 2.4.67 to address this issue. SSVC assessment indicates no active exploitation and non-automatable attack vector, with EPSS data not yet available for this recent disclosure.

Privilege Escalation Apache Suse Red Hat Apache HTTP Server
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-39852 HIGH PATCH GHSA This Week

Authorization bypass in Quarkus allows remote unauthenticated attackers to access protected HTTP endpoints by appending semicolons (matrix parameters) to request URLs. Quarkus version 3.32.4 and multiple other branches are affected due to a path-normalization inconsistency between the security layer (which checks raw paths preserving matrix parameters) and RESTEasy Reactive routing (which strips them). Attackers can send requests like '/api/admin;anything' to bypass policies protecting '/api/admin' while still routing to the protected endpoint. Vendor-released patches available across four version branches (3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1). No public exploit identified at time of analysis, but the attack technique is straightforward given the detailed GitHub Security Lab advisory (GHSA-rc95-pcm8-65v9).

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-42372 HIGH Monitor

Hardcoded credentials in D-Link DIR-605L Hardware Revision A1 firmware grant root-level telnet access to unauthenticated attackers on adjacent networks. The telnet daemon automatically starts at boot with username 'Alphanetworks' and static password 'wrgn35_dlwbr_dir605l', enabling complete device takeover including network traffic interception, configuration modification, and pivot attacks against internal networks. This End-of-Life product will receive no vendor patch, requiring immediate device replacement. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, with adjacent network attack vector reducing but not eliminating risk for home and small office deployments.

D-Link Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-58074 HIGH This Week

Norton Secure VPN installed via Microsoft Store allows low-privilege Windows users to escalate to SYSTEM-level privileges by replacing files during the installation process, causing arbitrary file deletion. Cisco Talos discovered this TOCTOU (Time-of-Check Time-of-Use) race condition in the installer. No public exploit code or active exploitation confirmed at time of analysis, but the local attack vector with low complexity (CVSS AC:L) makes this highly exploitable once installation details are known.

Microsoft Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-0073 HIGH POC This Week

Authentication bypass in Android Debug Bridge (ADB) wireless mutual authentication allows adjacent network attackers to execute arbitrary code as the shell user without authentication. The flaw affects Android 14, 15, and 16 series, residing in the TLS certificate verification logic of adbd_tls_verify_cert. EPSS data not available, but CISA SSVC framework indicates no current exploitation evidence and non-automatable attack requiring network adjacency. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability when the wireless debugging feature is enabled.

RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25863 HIGH PATCH This Week

Denial-of-service condition in Conditional Fields for Contact Form 7 WordPress plugin allows remote unauthenticated attackers to crash PHP processes by injecting arbitrarily large iteration values through REST API parameters. The Wpcf7cfMailParser class processes user-supplied POST data without validation, enabling attackers to trigger unbounded loops with multiple regex operations that exhaust server memory. Affects all versions through 2.6.7 with vendor patch now available. EPSS data not provided, but the network-accessible unauthenticated attack vector (AV:N/PR:N) combined with low complexity (AC:L) indicates straightforward exploitation potential against publicly accessible WordPress sites running this plugin.

Denial Of Service PHP WordPress
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41893 HIGH PATCH GHSA This Week

Credential brute-forcing in Signal K Server versions ≤2.24.0 allows remote unauthenticated attackers to bypass HTTP login rate limiting by sending unlimited password guesses through the WebSocket authentication endpoint at approximately 20 attempts per second. The HTTP login endpoints are protected by express-rate-limit (default: 100 attempts per 10-minute window), but the WebSocket path processes login requests without any throttling, enabling dictionary attacks to complete in minutes. Publicly available exploit code exists demonstrating the bypass technique. Signal K servers are commonly deployed on boat networks where they may be accessible to other devices on the same LAN, increasing exposure risk.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42079 HIGH PATCH GHSA This Week

Arbitrary code execution in PPTAgent allows local attackers to execute Python code by exploiting unsafe eval() of LLM-generated content with unrestricted builtins. The framework's agentic architecture passes AI-generated code directly to eval() with full builtin access, enabling execution of arbitrary system commands. Patch available via commit 418491a which restricts eval() globals to an empty builtins dictionary and adds path traversal protections. CVSS 8.6 with local attack vector and user interaction requirement; no evidence of active exploitation or public POC at time of analysis.

RCE Python Code Injection
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-42311 HIGH PATCH GHSA This Week

Integer overflow in Pillow 10.3.0 through 12.1.1 bypasses bounds checks during PSD tile extent validation, enabling memory corruption and arbitrary code execution when processing malicious PSD files. This vulnerability (CVE-2026-42311) exploits an incomplete fix for CVE-2026-25990, where the original patch added tile extent validation but used overflow-prone integer types. Attackers craft PSD images with tile dimensions that wrap around during extent sum calculations, defeating the bounds checks and triggering out-of-bounds writes in decode.c and encode.c. Pillow 12.2.0 patches this by avoiding extent addition before comparison. No active exploitation confirmed (not in CISA KEV); publicly available exploit code exists via proof-of-concept test images in the patch commit.

Integer Overflow RCE Buffer Overflow Python
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-42295 HIGH PATCH GHSA This Week

Argo Workflows executor logs artifact repository credentials in plaintext to pod logs during artifact operations, exposing S3 access/secret keys, GCS service account keys, Azure storage keys, and Git passwords. Users with Kubernetes RBAC permissions to read pod logs in the workflow namespace can extract these credentials directly from workflow execution logs. This vulnerability affects Argo Workflows v4.0.0 through v4.0.4 and represents an incomplete fix of CVE-2025-62157. Vendor-released patch (v4.0.5) is available with GitHub commit bdd40908 removing credential-bearing struct logging. No public exploit identified at time of analysis, though exploitation is trivial given the included working proof-of-concept YAML.

Kubernetes Microsoft Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-42297 HIGH PATCH GHSA This Week

Missing authorization checks in Argo Workflows v4.0.0-4.0.4 allow any authenticated user-even those with fake Bearer tokens-to create, read, update, and delete Kubernetes ConfigMaps containing workflow synchronization limits. The ConfigMap-backed sync provider (server/sync/sync_cm.go) completely omits auth.CanI permission validation on all four CRUD endpoints. Publicly available exploit code exists (detailed PoC in advisory). CVSS 8.5 reflects network-accessible authentication bypass enabling high integrity/availability impact through denial-of-service and arbitrary ConfigMap manipulation. Patch released in version 4.0.5 adding checkConfigMapPermission() calls to validate Kubernetes RBAC before operations.

Authentication Bypass Denial Of Service Information Disclosure Kubernetes
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-7791 HIGH NEWS This Week

Local privilege escalation in Amazon WorkSpaces for Windows versions before 2.6.2034.0 enables authenticated low-privileged users to write arbitrary files to protected system locations, achieving SYSTEM-level access. The vulnerability exploits a race condition (CWE-367) in the Skylight Workspace Config Service's log rotation mechanism. No public exploit or active exploitation confirmed at time of analysis, but local access requirement limits attack surface to compromised user accounts or insider threats.

Privilege Escalation Microsoft
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-6266 HIGH PATCH This Week

Authentication bypass in Red Hat Ansible Automation Platform 2.6 allows authenticated attackers to hijack arbitrary user accounts, including administrator accounts, via email-based identity provider linking manipulation. The AAP gateway's user auto-link feature matches external IDP identities to existing accounts by email without ownership verification, enabling account takeover when an attacker controls an IDP account with a victim's email address. Red Hat has released patch RHSA-2026:13508. EPSS and KEV data not provided, but the low attack complexity (AC:L) and high confidentiality/integrity impact make this a critical authentication control failure requiring immediate remediation in environments using external identity providers.

Authentication Bypass Red Hat Ansible Automation Platform 2 6 For Rhel 9
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-42313 HIGH PATCH GHSA This Week

Authenticated users with non-admin SETTINGS permission in pyload-ng ≤0.5.0b3.dev99 can redirect all outbound HTTP traffic through attacker-controlled proxies by modifying ungated proxy configuration fields (enabled, host, port, type). The vulnerability is an incomplete fix in a series of authorization bypass issues (CVE-2026-33509/-35463/-35464/-35586) where a hand-maintained allowlist in set_config_value() gates only proxy credentials (username/password) but not the proxy destination itself, allowing credential theft, traffic interception, and response injection across downloads, captcha solvers, and update checks. No public exploit identified at time of analysis, though the GitHub advisory includes a working proof-of-concept demonstrating traffic redirection via API calls. Patch confirmed in version 0.5.0b3.dev100 per vendor advisory GHSA-pg67-9wjv-mr85.

Python Information Disclosure
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-40893 HIGH PATCH GHSA This Week

Remote unauthenticated attackers can bypass ExifTool tag blocklist in Gotenberg 8.x via group-prefixed tag names (e.g., 'System:FileName' instead of 'FileName'), enabling arbitrary file renaming, relocation, and permission modification within the container filesystem. One HTTP request exploits this input validation bypass (CWE-20) to circumvent protections from a prior security fix (GHSA-qmwh-9m9c-h36m). The vulnerability affects all metadata-accepting endpoints in Gotenberg's default configuration, which typically runs without authentication. No public exploit code is confirmed, but a detailed proof-of-concept is published in the GitHub advisory (GHSA-62p3-hvxx-fxg4). CVSS 8.2 reflects network vector with no authentication required, though real-world impact depends on container isolation and shared volume configurations.

Docker Information Disclosure Google
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-40075 HIGH PATCH GHSA This Week

Path traversal in OpenMRS Core's ModuleResourcesServlet allows unauthenticated attackers to read arbitrary files from the server filesystem, including sensitive configuration files and system files like /etc/passwd. The vulnerability exists in versions ≤ 2.7.8 and 2.8.0-2.8.5, with exploitation requiring Apache Tomcat < 8.5.31 where path parameter bypass protections are absent. Fix available in version 2.8.6 for the 2.8.x branch; no patch released for 2.7.x series at time of analysis. CVSS 7.5 (High) reflects network-accessible unauthenticated exploitation with high confidentiality impact.

Java Path Traversal Apache Tomcat
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-42294 HIGH PATCH GHSA This Week

Memory exhaustion crashes Argo Workflows server via unauthenticated multi-gigabyte webhook requests to the publicly accessible `/api/v1/events/` endpoint. The Webhook Interceptor's `io.ReadAll` call allocates unbounded memory before signature verification, enabling remote attackers to trigger out-of-memory (OOM) conditions without authentication or credentials. Vendor-released patches enforce a 2MB body size limit via `io.LimitReader`. Publicly available exploit code exists (conceptual proof-of-concept published in GitHub security advisory GHSA-jcc8-g2q4-9fxq). No active exploitation confirmed by CISA KEV at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and public PoC create immediate risk for internet-exposed Argo Workflows deployments.

Kubernetes Denial Of Service
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-41895 HIGH PATCH GHSA This Week

XML External Entity (XXE) injection in changedetection.io version 0.54.9 and earlier allows local file disclosure when processing attacker-controlled XML or RSS feeds. The xpath_filter() function in html_tools.py creates an lxml parser without disabling external entity resolution, enabling attackers to embed DOCTYPE declarations that read sensitive files from the host system. Extracted content appears in watch output, diff history, and notification channels. No vendor-released patch identified at time of analysis. CVSS 8.2 reflects high confidentiality impact with attack complexity high due to specific runtime parser behavior requirements.

XXE
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-42075 HIGH PATCH GHSA This Week

Path traversal in Evolver's skill fetch command enables arbitrary file writes via unvalidated --out= flag. Authenticated attackers can overwrite system files or create malicious files in sensitive locations (e.g., cron directories) by using directory traversal sequences like '../../../etc/cron.d'. The vulnerability exists in index.js where user-provided paths from --out= are extracted without sanitization and passed directly to fs.mkdirSync(). Patch released in version 1.69.3. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation.

Path Traversal Evolver
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-42221 HIGH PATCH GHSA This Week

Unauthenticated attackers can hijack the administrator account during nginx-ui's first-run installation window by claiming the /api/install endpoint before legitimate operators. This race-condition vulnerability in nginx-ui versions 2.0.0 through 2.3.7 bypasses authentication controls entirely, allowing complete instance takeover with attacker-controlled credentials. The request-encryption mechanism protects only transit confidentiality, not authorization. Attack complexity is rated HIGH due to the narrow time window between deployment and legitimate setup completion. EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis, but exploitation requires only standard HTTP tools and timing.

Authentication Bypass Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-42222 HIGH GHSA This Week

Unauthenticated bootstrap takeover in nginx-ui 2.3.5 allows remote attackers to hijack the initial installation process via crafted POST requests to /api/install endpoint. An attacker who successfully exploits the installation window gains full administrative control over the nginx-ui instance before legitimate administrators complete setup. No vendor-released patch identified at time of analysis, creating extended exposure risk for newly deployed instances.

Authentication Bypass Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42606 HIGH PATCH GHSA This Week

Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.

Docker CSRF PHP Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40563 HIGH PATCH GHSA This Week

Code injection in Apache Atlas DSL search endpoint allows authenticated attackers to manipulate Gremlin traversal queries and access unauthorized data. Affects versions 0.8 through 2.4.0; exploitable in 2.0+ only when non-default configuration 'atlas.dsl.executor.traversal=false' is set. EPSS score of 0.03% (9th percentile) suggests low widespread exploitation probability. No active exploitation confirmed per CISA KEV or vendor advisory. Fixed in version 2.5.0.

RCE Apache Code Injection
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42296 HIGH PATCH GHSA This Week

Argo Workflows v3 (< 3.7.14) and v4 (< 4.0.5) allow users to bypass templateReferencing Strict/Secure mode restrictions by setting WorkflowSpec fields like hostNetwork, serviceAccountName, securityContext, tolerations, and volumes. The incomplete fix for CVE-2026-31892 only blocked podSpecPatch but left other security-sensitive fields unvalidated. Authenticated users with create Workflow permission can inject host network access, switch service accounts, modify pod security contexts, or schedule on control-plane nodes despite referencing hardened WorkflowTemplates. Vendor-released patch: v3.7.14 and v4.0.5 (commit 2727f3f). No public exploit identified at time of analysis, but exploitation is straightforward given detailed reproduction steps in the advisory.

Authentication Bypass Kubernetes
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42084 HIGH PATCH GHSA This Week

OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attackers with hijacked tokens to lock out legitimate users and maintain persistent access to compromised accounts including administrator accounts. Publicly available exploit code demonstrates the attack chain. All versions prior to 6.10.5 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The vendor has released patched versions 6.10.5 and 7.0.0-rc3 that enforce password-only verification during password change operations.

Information Disclosure Cosmos
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-29199 HIGH PATCH GHSA This Week

Host header injection in phpBB versions 3.0.0 through 3.3.15 enables password reset link poisoning when force_server_vars is disabled. Attackers manipulating HTTP Host headers can redirect password reset links to attacker-controlled domains, enabling credential theft and account takeover. CVSS 8.1 with network vector and no authentication required, though EPSS exploitation probability is low (0.02%, 4th percentile), suggesting limited observed exploitation activity. Vendor-released fix available in phpBB 3.3.16.

Code Injection Phpbb
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-67796 HIGH PATCH GHSA This Week

Improper authorization in IKUS Rdiffweb before 2.10.5 allows authenticated attackers with low-privilege API access tokens to read or modify data belonging to other users and tenants without additional authorization checks. The API fails to validate that the authenticated token subject matches the targeted user in requests, enabling horizontal privilege escalation and cross-tenant data access. Fixed in version 2.10.6. EPSS score of 0.02% (4th percentile) indicates low current exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42301 HIGH PATCH GHSA This Week

Arbitrary code execution on RPM packagers' workstations occurs when pyp2spec generates spec files from malicious PyPI package metadata containing unescaped RPM macro directives. Affects pyp2spec versions prior to 0.14.1, primarily impacting Fedora/RHEL packagers who process untrusted PyPI packages. Attack triggers during spec file parsing (rpmbuild -bs, rpm -q --specfile) before any build step, enabling compromise via typosquatted packages or those under Fedora review. Exploited packager workstations hold dist-git SSH keys, Koji build credentials, and Bodhi update rights, creating supply chain risk. Vendor-released patch 0.14.1 available per GitHub advisory GHSA-r35x-v8p8-xvhw. No public exploit identified at time of analysis, but attack complexity is low with realistic targeting scenarios described.

Information Disclosure
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-36365 HIGH This Week

Command injection in Caesium Image Compressor (all versions through commit 02da2c6) allows local authenticated attackers to execute arbitrary OS commands via unsanitized input to shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp. The vulnerable code uses system() calls without input validation, enabling shell metacharacter injection during post-compression power management operations. Patch available via GitHub PR #376 replacing system() with QProcess::startDetached(). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. No evidence of active exploitation or public POC beyond the researcher's advisory.

Command Injection RCE Suse
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24082 HIGH This Week

Use-after-free vulnerability in Qualcomm Snapdragon chipsets enables local privilege escalation to achieve full device compromise. Low-privilege authenticated users can trigger memory corruption during performance counter deselect operations, gaining high-integrity code execution with kernel-level access. Qualcomm has released patches in their May 2026 security bulletin. EPSS data not yet available for this future-dated CVE; no confirmed active exploitation or public exploit code identified at time of analysis.

Buffer Overflow Use After Free Memory Corruption Snapdragon
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47408 HIGH This Week

Memory corruption in Qualcomm Snapdragon allows local authenticated attackers with low privileges to achieve arbitrary code execution and full system compromise. The vulnerability triggers when malicious drivers invoke specific IOCTLs with intentionally malformed input/output buffers, bypassing buffer validation checks. EPSS and KEV status not available at time of analysis; advisory references May 2026 bulletin suggesting pre-disclosure analysis.

Buffer Overflow Snapdragon
NVD
CVSS 3.1
7.8
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy