Skip to main content
CVE-2026-42281 CRITICAL POC PATCH GHSA Act Now

Unauthenticated SSRF in MagicMirror ≤2.35.0 allows remote attackers to proxy arbitrary HTTP requests through the server, accessing cloud metadata services (AWS/GCP/Azure IMDSv1), internal network resources, and localhost services via the unrestricted `/cors` endpoint. The vulnerability is compounded by environment variable expansion: attackers can exfiltrate server-side secrets (API keys, database credentials) by embedding placeholders like `**SECRET_API_KEY**` in URLs, which the server resolves from `process.env` before making the request. Vendor-released patch version 2.36.0 disables the CORS proxy by default and implements IP blocklisting when enabled. Publicly available exploit code exists (PoC provided in GitHub advisory GHSA-ph6f-2cvq-79hq). No active exploitation confirmed at time of analysis.

SSRF Microsoft
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.8%
CVE-2023-54344 CRITICAL POC Act Now

Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass RCE Osgi
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2023-54342 CRITICAL POC Act Now

Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java RCE
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-36356 CRITICAL POC Act Now

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-STD.PROD-1 allows attackers to execute arbitrary system commands via the /action/SetRemoteAccessCfg endpoint in the GoAhead web server. CVSS 9.1 reflects critical impact with network-accessible attack vector requiring no authentication or user interaction. GitHub repository suggests publicly available exploit code exists (CVE-2026-36356), significantly lowering exploitation barrier for attackers targeting industrial IoT and cellular gateway deployments.

Command Injection N A
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-7823 HIGH POC This Week

Remote unauthenticated command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows attackers to execute arbitrary OS commands via the 'enable' parameter in the setAppFilterCfg function. Exploitation requires no authentication or user interaction, with a publicly available proof-of-concept exploit published on GitHub. CVSS 8.9 reflects critical impact across confidentiality, integrity, and availability, though EPSS data is unavailable to assess real-world exploitation probability. Not currently listed in CISA KEV, suggesting targeted rather than widespread exploitation at time of analysis.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7854 HIGH POC This Week

Remote unauthenticated buffer overflow in D-Link DI-8100 firmware 16.07.26A1 enables attackers to execute arbitrary code, compromise device integrity, and cause denial of service via crafted POST requests to /url_rule.asp. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation. The CVSS 9.8 critical score reflects network-based remote attack requiring no authentication or user interaction, though no active exploitation has been confirmed via CISA KEV at time of analysis.

D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-7853 HIGH POC This Week

Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows remote unauthenticated attackers to execute arbitrary code via crafted HTTP requests to /auto_reboot.asp. The vulnerability exploits unsafe sprintf calls handling the 'enable' and 'time' parameters in the auto-reboot feature's HTTP handler. A public proof-of-concept exploit is available on GitHub, significantly lowering the barrier to exploitation. CVSS 8.9 with EPSS and attack complexity both low indicate high real-world risk for internet-facing devices running this firmware version.

D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-7834 HIGH POC This Week

Stack-based buffer overflow in EFM ipTIME NAS1dual 1.5.24 allows remote unauthenticated attackers to achieve complete system compromise via the get_csrf_whites function in /cgi/advanced/misc_main.cgi. Public exploit code exists on GitHub, demonstrating practical exploitability despite lack of vendor response to responsible disclosure. CVSS 8.9 (Critical) with EPSS data unavailable; attack requires no authentication, low complexity, and no user interaction (AV:N/AC:L/PR:N/UI:N), making this a high-priority remote attack surface.

Stack Overflow Buffer Overflow Iptime Nas1Dual
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.0%
CVE-2023-54347 HIGH POC This Week

OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Openemr
NVD Exploit-DB GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2023-54345 HIGH POC This Week

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Frappe Framework Erpnext
NVD Exploit-DB GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2023-54348 HIGH POC This Week

ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Erpgo Saas
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2023-54346 HIGH POC This Week

WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-44331 HIGH POC PATCH This Week

SQL injection in ProFTPD 1.3.9a and earlier allows remote attackers to execute arbitrary SQL commands when the 'UseReverseDNS on' configuration is enabled. The vulnerability exists in mod_wrap2_sql.c where attacker-controlled reverse DNS hostnames are passed unescaped into SQL queries during client access control checks. Exploitation complexity is high due to DNS character restrictions and specific configuration requirements. No active exploitation confirmed (not in CISA KEV), but upstream fix is available via GitHub commit 7666224. EPSS risk data not provided.

SQLi Suse
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-23479 HIGH POC PATCH This Week

Use-after-free in Redis 7.2.0 through 8.6.2 allows authenticated attackers to achieve remote code execution by exploiting error handling in the unblock client flow. When a blocked client is evicted during command re-execution, the server fails to handle the error return from processCommandAndResetClient, triggering memory corruption. Redis has released version 8.6.3 with a security fix. No public exploit code or CISA KEV listing identified at time of analysis, suggesting limited observed exploitation despite the critical RCE impact.

Redis Use After Free Memory Corruption RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-36355 HIGH POC This Week

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to access and modify kernel memory through debug ioctl handlers (0x89F5/0x89F6) that were left enabled in production builds. All known SDK versions through v3.4.14B are affected. A publicly available exploit exists (GitHub repository CVE-2026-36355), enabling privilege escalation and data exfiltration on devices using the vulnerable rtl8192cd driver. EPSS data unavailable; not currently in CISA KEV.

Information Disclosure N A
NVD GitHub Exploit-DB VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-6322 HIGH POC PATCH GHSA This Week

Authority confusion in fast-uri JavaScript library allows remote attackers to bypass URL validation security controls. The normalize() function improperly decodes percent-encoded at-signs (%40) in hostnames, then re-serializes them as raw userinfo delimiters, causing URLs like 'http://trusted.com%40evil.com' to resolve to 'evil.com' instead of 'trusted.com'. Applications using fast-uri to validate URLs against allowlists or for redirect validation can be tricked into connecting to attacker-controlled domains. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no authentication. EPSS data not available; no confirmed active exploitation (not in CISA KEV). Vendor patch released in version 3.1.2.

Information Disclosure Fast Uri
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7855 HIGH POC This Week

Buffer overflow in D-Link DI-8100 router (firmware 16.07.26A1) allows authenticated remote attackers to execute arbitrary code or crash the device via crafted HTTP requests to the /tggl.asp endpoint. The vulnerability affects the tggl_asp function's Name parameter handling. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation for attackers with valid router credentials.

D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-7857 HIGH POC This Week

Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 enables authenticated remote code execution via crafted input to the /user_group.asp CGI handler. Attackers with high-privilege (administrator) credentials can exploit the unsafe sprintf function to achieve arbitrary code execution with complete system compromise. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation despite the high-privilege requirement.

D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-7856 HIGH POC This Week

Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows authenticated administrators to execute arbitrary code via crafted 'Name' parameter to /url_member.asp in the web management interface. Public exploit code exists on GitHub, demonstrating active proof-of-concept availability. EPSS data unavailable; CVSS 7.2 reflects high impact but limited by requirement for high-privilege (admin) authentication, reducing real-world urgency for most organizations unless admin credentials are compromised or insider threat exists.

D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-7851 HIGH POC This Week

Stack-based buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows authenticated remote attackers with high privileges to execute arbitrary code via malformed ID parameter to yyxz.asp administrative interface. Public exploit code exists on GitHub, demonstrating reliable exploitation. CVSS 7.3 (High) reflects network attack vector but requires admin-level authentication, limiting real-world exposure to compromised credentials or insider scenarios.

Stack Overflow D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-7833 HIGH POC This Week

Remote command injection in EFM ipTIME C200 camera firmware (versions up to 1.092) allows authenticated administrators to execute arbitrary system commands via malicious file upload to the ApplyRestore endpoint. The vulnerability exists in the sub_408F90 function processing the RestoreFile parameter in /cgi/iux_set.cgi. Exploitation probability is elevated by publicly available proof-of-concept code demonstrating the attack technique, though no active exploitation has been confirmed by CISA KEV at time of analysis. Vendor has been unresponsive to disclosure attempts, indicating no official patch timeline.

Command Injection Iptime C200
NVD VulDB GitHub
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-7832 MEDIUM POC This Month

IObit Advanced SystemCare 19 contains a symlink following vulnerability in the ASC.exe Service component that allows local authenticated attackers to achieve high-impact confidentiality and integrity violations. The vulnerability requires local access and elevated privileges (PR:L) but has high attack complexity (AC:H), making real-world exploitation difficult despite public exploit availability. CVSS 6.4 reflects the local-only attack vector and privilege requirement, though the confidentiality and integrity impacts are rated high.

Information Disclosure Advanced Systemcare
NVD VulDB GitHub
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-44166 MEDIUM POC PATCH GHSA This Month

PocketBase versions before 0.22.42 and 0.30.0-0.37.3 allow account pre-hijacking via OAuth2 autolinking, where an attacker knowing a victim's email can create an unverified account linked to one OAuth2 provider, then retain access when the victim authenticates with a different provider and the accounts are auto-merged, because previous OAuth2 links are not cleared during the upgrade from unverified to verified status. Publicly available exploit code exists; vendor recommends immediate upgrade to v0.37.4 or v0.22.42.

Authentication Bypass Suse
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.0%
CVE-2026-7411 CRITICAL PATCH GHSA Act Now

Remote code execution in Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to write arbitrary files anywhere on the host filesystem via path traversal in the Submodel HTTP API's file upload fileName parameter, leading to complete system compromise. The vulnerability receives the maximum CVSS score of 10.0 due to network-accessible exploitation requiring no authentication, privileges, or user interaction, with scope change enabling impact beyond the vulnerable component. EPSS data not available; KEV status not confirmed; exploitation status depends on release recency and deployment exposure of this industrial automation SDK.

RCE Java Path Traversal File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-41950 MEDIUM POC PATCH This Month

Dify before version 1.14.0 allows authenticated users to bypass authorization controls and read arbitrary files uploaded by other users within the same tenant by supplying unauthorized file UUIDs in chat-messages API requests. The vulnerability exploits insufficient permission verification on file access endpoints, enabling attackers to circumvent workspace separation and signed URL protections to retrieve sensitive file contents processed through workflows. Publicly available exploit code exists, and a vendor-released patch (version 1.14.0) is available.

Authentication Bypass Dify
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-42196 CRITICAL PATCH GHSA Act Now

Path traversal in django-s3file's S3FileMiddleware allows attackers to manipulate HTTP requests and force Django applications to load arbitrary files from unintended S3 locations into request.FILES, bypassing pre-signed upload location restrictions. Affects all versions <=7.0.1. Vendor-confirmed vulnerability with patch released in version 7.0.2. No active exploitation confirmed (not in CISA KEV). CVSS metrics not available, but path traversal combined with file handling operations presents moderate confidentiality and integrity risk depending on application-specific file processing logic.

Python Path Traversal
NVD GitHub
CVSS 4.0
9.9
EPSS
0.1%
CVE-2026-42864 CRITICAL PATCH GHSA Act Now

Server-side request forgery combined with missing authentication in firefighter-incident Python package allows unauthenticated remote attackers to exfiltrate AWS IAM credentials from cloud metadata endpoints. The `/api/v2/firefighter/raid/jira_bot` endpoint accepts arbitrary URLs in the `attachments` parameter, fetches them server-side without validation, and uploads responses as Jira attachments — enabling SSRF against internal services including `http://169.254.169.254/` (AWS EC2 Instance Metadata Service). Vendor-released patch (version 0.0.54) enforces authentication and validates attachment URLs to block private/link-local/loopback addresses. No public exploit identified at time of analysis, but exploitation is trivial given detailed advisory with exact vulnerable code paths.

Authentication Bypass SSRF Atlassian
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-5722 CRITICAL Act Now

Authentication bypass in MoreConvert Pro for WordPress allows remote unauthenticated attackers to hijack any user account, including administrators, by exploiting token reuse in the guest waitlist verification flow. Attackers obtain a verification token for their own email, change the guest customer email to the target victim's email via the public waitlist API, then use the original token to authenticate as the victim. This critical vulnerability (CVSS 9.8) affects all versions through 1.9.14, with network-accessible, low-complexity exploitation requiring no privileges or user interaction. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-5294 CRITICAL Act Now

Remote code execution in Geeky Bot WordPress plugin versions ≤1.2.2 allows unauthenticated attackers to install arbitrary plugins and execute code on affected sites. The vulnerability exploits a missing authorization check in a nopriv AJAX handler that permits attacker-controlled function dispatch to a plugin installer, enabling download and extraction of malicious ZIP files directly into wp-content/plugins/. With CVSS 9.8 (critical), network-exploitable without authentication, and EPSS data unavailable, this represents a severe risk to all WordPress sites running vulnerable versions until patched.

Authentication Bypass RCE WordPress
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-13618 CRITICAL Act Now

Privilege escalation in Mentoring theme for WordPress (all versions ≤1.2.8) allows unauthenticated remote attackers to create administrator accounts via broken registration role validation in mentoring_process_registration(). The flaw bypasses normal WordPress role restrictions, enabling complete site takeover without requiring any authentication or user interaction. CVSS 9.8 (critical) with network attack vector and no complexity barriers. EPSS and KEV data not provided, but the combination of unauthenticated admin account creation represents an imminent site compromise risk for all installations with registration enabled.

Privilege Escalation WordPress
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27960 CRITICAL PATCH Act Now

Unauthenticated attackers can escalate privileges in OpenCTI 6.6.0-6.9.12 by impersonating any user account, including the default administrator, to query the threat intelligence platform's API without providing credentials. This authentication bypass (CWE-287) permits complete unauthorized access to cyber threat intelligence data with CVSS 9.8 critical severity. The vulnerability allows attackers to bypass all authentication controls and assume administrative privileges remotely with low attack complexity. Fixed in version 6.9.13 with workaround available via configuration change. No active exploitation (CISA KEV) or public POC confirmed at time of analysis, though EPSS data was not provided.

Authentication Bypass Privilege Escalation Opencti
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-38429 CRITICAL Act Now

XML External Entity injection in OpenCMS (versions through v20) allows remote unauthenticated attackers to achieve information disclosure, server-side request forgery, or arbitrary code execution via malicious .zip files uploaded to the Admin Import DB feature. The vulnerability stems from unsafe XML parsing of manifest.xml files within these archives. Despite a maximum CVSS 9.8 score, the real-world risk is limited by the administrative-only attack surface - exploitation requires access to privileged admin import functionality. No active exploitation confirmed (not in CISA KEV), and EPSS score of 0.03% (7th percentile) indicates minimal observed threat activity. Upstream fix available via GitHub commit e3e41e5a, though a tagged release version has not been independently verified.

XXE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43067 CRITICAL PATCH Act Now

Linux kernel ext4 filesystem improperly handles block group wraparound in ext4_mb_scan_groups(), allowing allocation of blocks beyond 32-bit limits for indirect-mapped files when stream allocation selects unsupported groups. While CVSS assigns network vector (9.8), this is a local kernel memory corruption issue requiring local filesystem access. EPSS score of 0.02% (7th percentile) indicates low real-world exploitation probability. Patches available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.80, 6.18.21, 6.19.11). No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-28780 CRITICAL PATCH Act Now

Remote heap buffer overflow in Apache HTTP Server's mod_proxy_ajp module allows complete system compromise when proxying to attacker-controlled AJP backends. Affects all versions through 2.4.66; attackers can achieve remote code execution by sending malicious AJP protocol responses that overflow a heap buffer with 4 controlled bytes. Apache released patch in version 2.4.67. Despite critical CVSS 9.8, EPSS probability remains very low (0.02%, 5th percentile) indicating minimal observed exploitation attempts, and no CISA KEV listing confirms active in-the-wild abuse. Exploitation requires specific proxy_ajp deployment configuration connecting to malicious AJP servers.

Heap Overflow Apache Buffer Overflow Apache Http Server
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-38431 CRITICAL Act Now

Server-Side Template Injection in ERPNext v15.103.1 and earlier allows remote code execution through malicious email templates. Attackers with email template editing permissions can inject Jinja2 expressions that execute arbitrary Python code on the server when templates are rendered. SSVC framework confirms POC availability and automatable exploitation with total technical impact. CVSS 9.8 reflects network-reachable critical severity, though the 0.02% EPSS score (5th percentile) suggests limited real-world exploitation attempts to date, likely due to the permission prerequisite.

Code Injection RCE
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-38428 CRITICAL Act Now

SQL injection in Kestra workflow orchestration platform versions 1.3.3 and earlier enables remote unauthenticated attackers to execute arbitrary SQL commands and fully compromise the application database. The vulnerability stems from unsanitized GET parameters directly concatenated into SQL queries, allowing complete data exfiltration, modification, and potential database server compromise. Despite critical CVSS 9.8 severity, EPSS score of 0.01% (2nd percentile) suggests minimal observed exploitation attempts, though GitHub security advisory publication indicates vendor acknowledgment and likely patch availability.

SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-7812 MEDIUM POC This Month

Command injection in code-mcp's git_operation function allows remote attackers to execute arbitrary system commands by manipulating the operation argument. The vulnerability affects all versions up to commit 4cfc4643541a110c906d93635b391bf7e357f4a8 and has publicly available exploit code. Continuous delivery model means no versioned releases exist, complicating patching timelines.

Command Injection Code Mcp
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
1.0%
CVE-2026-42048 CRITICAL POC PATCH GHSA Act Now

Path traversal in Langflow's Knowledge Bases API allows authenticated attackers to delete arbitrary directories on the server filesystem via crafted DELETE requests to /api/v1/knowledge_bases. The vulnerability (CVSS 9.6, Critical) stems from insufficient input validation in the delete_knowledge_bases_bulk function, which passes user-supplied knowledge base names directly to shutil.rmtree() without path containment checks. Publicly available exploit code exists (PoC disclosed in GHSA-9whx-c884-c68q), enabling cross-tenant data destruction and service disruption. Fixed in version 1.9.0 via PR #12243.

Path Traversal
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-7811 MEDIUM POC This Month

Path traversal vulnerability in 54yyyu code-mcp's MCP File Handler (function is_safe_path in src/code_mcp/server.py) allows remote unauthenticated attackers to access files outside intended directories with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; the project uses rolling releases without versioned releases, and the vendor has not yet responded to early disclosure.

Path Traversal Code Mcp
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7810 MEDIUM POC This Month

Path traversal in UsamaK98 python-notebook-mcp allows remote unauthenticated attackers to read, write, and manipulate notebook files outside their intended directory via crafted input to the create_notebook, read_notebook, edit_cell, and add_cell functions in server.py. Public exploit code is available. The project uses rolling releases with no versioning, and the vendor has not yet responded to the initial issue report despite early notification.

Python Path Traversal
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7788 MEDIUM POC This Month

Path traversal in Axle-Bucamp MCP-Docusaurus document handling functions allows remote unauthenticated attackers to manipulate the DOCS_DIR path parameter in update_document, continue_document, delete_document, and get_content endpoints, enabling unauthorized file access and manipulation. The vulnerability affects all versions up to commit 404bc028e15ec304c9a045528560f4b5f27a17e0, with publicly available exploit code disclosed via GitHub issues.

Path Traversal Mcp Docusaurus
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-33324 CRITICAL PATCH Act Now

Prompt injection in SQLBot 1.7.0 and earlier allows authenticated attackers to execute arbitrary SQL statements through the Text2SQL chat interface, escalating to remote code execution when connected to PostgreSQL databases via COPY FROM PROGRAM. The vulnerability stems from unsanitized user input being directly concatenated into LLM prompts, with resulting SQL executed without validation. CVSS 9.4 (Critical) reflects network-based attack with low complexity requiring only low-privilege authentication. SSVC framework confirms proof-of-concept availability and total technical impact, though exploitation is not fully automatable. Vendor-released patch 1.7.1 addresses the issue.

PostgreSQL SQLi RCE
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-42882 CRITICAL PATCH GHSA Act Now

Path traversal and authentication bypass in s3-proxy allows remote unauthenticated attackers to read, write, or delete objects in protected S3 namespaces via percent-encoded slashes (%2F) and dot-segment traversal. Three distinct bypass mechanisms exploit mismatches between encoded/decoded path handling: (1) wildcard glob patterns lacking path separators match across directory boundaries, (2) percent-encoded slashes collapse into decoded paths after authentication checks, and (3) dot-segment sequences bypass prefix-based access controls. Vendor-released patches available in commits 1320e4abd and af5ff57d. CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible unauthenticated access, though exploitation requires specific resource path configurations using wildcards or prefix patterns.

Authentication Bypass Path Traversal
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-42613 CRITICAL PATCH GHSA Act Now

Unauthenticated privilege escalation in Grav CMS Login plugin 3.8.0 allows remote attackers to self-register with admin.super privileges via missing server-side validation of groups and access fields. When administrators configure user registration with groups or access in allowed fields (a permitted UI action), attackers inject these fields into registration POST requests to bypass config-level defaults and gain full administrative access. Vendor-released patch: Login plugin 3.8.2 / Grav 2.0.0-beta.2 (commit 3d419a0). No public exploit identified at time of analysis, but the GitHub security advisory includes detailed proof-of-concept code demonstrating the attack.

Privilege Escalation PHP
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-42300 CRITICAL PATCH GHSA Act Now

DevGuard versions prior to 1.2.2 allow complete authentication bypass and privilege escalation through manipulation of the `X-Admin-Token` HTTP header. Unauthenticated remote attackers can impersonate any user - including organization admins and owners - by providing a known or guessed Kratos identity UUID in this header, gaining full control over DevGuard resources. This is a critical authentication bypass requiring no special configuration or privileges. Vendor-released patch: v1.2.2 (commit 6f38310b). No public exploit identified at time of analysis, but exploitation is trivial.

Information Disclosure
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-42155 CRITICAL PATCH GHSA Act Now

Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory.

PHP Adobe Information Disclosure
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-34458 CRITICAL PATCH Act Now

INI injection in Sandboxie-Plus versions 1.17.2 and earlier enables any local low-privilege user to bypass EditAdminOnly and ConfigPassword protections, inject malicious directives into the global Sandboxie.ini file, create unrestricted sandbox sections, and escalate to SYSTEM privileges. The background service fails to authorize IPC messages for UserSettings_* sections and does not sanitize CRLF characters in MSGID_SBIE_INI_ADD_SETTING and MSGID_SBIE_INI_SET_SETTING parameters, allowing section header injection. Fixed in version 1.17.3 released by the vendor. No CISA KEV listing or public exploit identified at time of analysis, but technical details in GitHub advisory provide sufficient information for exploit development.

Privilege Escalation Microsoft
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-43534 CRITICAL PATCH Act Now

Remote unauthenticated trust boundary violation in OpenClaw npm package before 2026.4.10 allows attackers to escalate untrusted external hook input into trusted system events. By supplying malicious hook metadata, adversaries can inject arbitrary content into the agent context with elevated privileges, bypassing security boundaries intended to isolate external input from system-level operations. Vendor-released patch available (version 2026.4.10+), with no evidence of active exploitation or public exploit code at time of analysis.

Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-40797 CRITICAL Act Now

Blind SQL injection in WebinarIgnition WordPress plugin allows remote unauthenticated attackers to extract sensitive database contents including user credentials and private webinar data. The vulnerability affects all versions through 4.08.253 and requires no special configuration. Patchstack publicly disclosed this vulnerability with database reference, though no active exploitation has been confirmed via CISA KEV at time of analysis. The CVSS 9.3 critical rating reflects network-accessible attack vector with scope change, indicating potential for lateral movement beyond the vulnerable component.

SQLi Webinarignition
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-40331 CRITICAL Act Now

SQL injection in Masa CMS 7.2.x through 7.5.2 allows unauthenticated remote attackers to extract sensitive database contents including administrative credentials and password reset tokens. The JSON API accepts unsanitized altTable parameters that are directly interpolated into SQL FROM clauses, enabling arbitrary subquery injection via feedGateway.cfc in a single HTTP request. CVSS 9.3 (Critical) with network vector, low complexity, and no authentication required. No public exploit or CISA KEV listing identified at time of analysis, but the technical details disclosed in the GitHub Security Advisory provide sufficient information for weaponization.

Information Disclosure SQLi Masacms
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
Page 1 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy