Skip to main content
CVE-2026-40330 CRITICAL Act Now

SQL injection in Masa CMS beanFeed.cfc allows unauthenticated remote attackers to extract sensitive database contents, modify records, delete data, or potentially execute code on the database server. The vulnerability affects multiple release branches (7.2.x through 7.5.x) and stems from unsanitized concatenation of the sortDirection parameter directly into SQL queries. With CVSS 9.3 (critical severity, network-accessible, no authentication required) and no public exploit currently identified, this represents a high-priority patching scenario for internet-facing Masa CMS deployments. Vendor-released patches are available across all affected branches.

SQLi RCE Masacms
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-40329 CRITICAL PATCH Act Now

SQL injection in Masa CMS 7.5.2 and earlier allows unauthenticated remote attackers to execute arbitrary SQL commands via the sortBy parameter in beanFeed.cfc. The vulnerability enables database compromise including sensitive data exfiltration, record manipulation, and privilege escalation to administrative control. Fixed versions released for all affected branches (7.2.10, 7.3.15, 7.4.10, 7.5.3). CVSS 9.3 reflects network vector with no authentication required and high impact across confidentiality, integrity, and availability. No active exploitation confirmed at time of analysis, though the attack surface is fully exposed to internet-facing instances.

Information Disclosure SQLi Masacms
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-42607 CRITICAL POC PATCH GHSA Act Now

Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.

Microsoft PHP CSRF Python RCE +2
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-43566 CRITICAL PATCH Act Now

Privilege escalation in OpenClaw npm package versions 2026.4.7 through 2026.4.13 allows remote unauthenticated attackers to preserve elevated execution context by sending malicious webhook wake events. The heartbeat owner downgrade logic incorrectly skips validation of untrusted webhook payloads, enabling attackers to maintain owner-like privileges during runs that should operate with reduced permissions. Vendor-released patch available in version 2026.4.14. EPSS data not available; no public exploit identified at time of analysis, though VulnCheck and security researchers from KeenSecurityLab have confirmed the vulnerability through coordinated disclosure.

Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
9.1
EPSS
0.1%
CVE-2023-54349 MEDIUM POC This Month

AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Amazcart Cms
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-42264 CRITICAL PATCH GHSA Act Now

Prototype pollution read-side gadgets in the axios HTTP adapter (npm, versions >=1.0.0 to <1.15.2) allow an attacker who has already polluted Object.prototype in the same Node.js process to hijack every outbound request - injecting attacker-controlled Authorization headers, redirecting relative-URL requests to an external server, pointing requests at internal Unix sockets (SSRF/container escape), forcing Node's insecure HTTP parser, and even executing an attacker-supplied beforeRedirect callback. The flaw stems from five config properties (auth, baseURL, socketPath, beforeRedirect, insecureHTTPParser) being read via direct property access that traverses the prototype chain, unlike eight sibling properties already guarded by an own() helper. A working proof-of-concept is published in the GHSA advisory, but EPSS is only 0.03% and the issue is not in CISA KEV - no public exploit identified at time of analysis as a standalone attack, and it requires a separate prototype pollution primitive to fire.

SSRF RCE Prototype Pollution Docker Node.js
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43071 CRITICAL PATCH Act Now

Out-of-bounds read in Linux Kernel dentry hashtable can crash the system when dhash_entries boot parameter is set to 1. The vulnerability triggers during directory cache lookups when the hash shift calculation results in access to unallocated memory regions, causing kernel page faults. Affects Linux Kernel versions from initial commit (1da177e4c3f4) through multiple stable branches. Patches available for 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, and 7.1-rc1. EPSS probability of 0.02% (7th percentile) indicates very low likelihood of exploitation in the wild, and no public exploit code or CISA KEV listing exists, suggesting this remains a theoretical edge-case issue requiring specific kernel boot configuration.

Information Disclosure Linux Buffer Overflow
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34408 CRITICAL Act Now

Password reset bypass in Gambio GX4 e-commerce platform allows remote unauthenticated attackers to set arbitrary passwords for any user account when the account ID is known, leading to complete account takeover. Affects versions 4.0.0.0 through 4.9.2.0, patched in February 2024 security update (2024-02 v1.0.0). SSVC framework rates this as automatable with total technical impact despite EPSS score of 0.02%, indicating high severity for targeted attacks against Gambio installations. No active exploitation confirmed via CISA KEV, but authentication bypass primitives are frequently weaponized in e-commerce platforms.

Authentication Bypass N A
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-44221 CRITICAL PATCH GHSA Act Now

Authenticated users in ArcadeDB server versions prior to 26.4.2 can bypass database-scoped authorization and perform read, write, and schema mutation operations across all databases on the same server instance. Two critical implementation flaws combine: uninitialized file access maps treated as allow-all permissions, and newly-created databases via API POST /api/v1/server silently disabling their entire record-level authorization system through omitted security factory configuration. Vendor-released patch 26.4.2 addresses both defects. No public exploit identified at time of analysis, though CVSS 9.0 reflects severe authorization breakdown requiring only low-privilege authenticated access.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-42611 HIGH PATCH GHSA This Week

Stored cross-site scripting in Grav CMS allows low-privileged users with page-creation permissions to inject malicious SVG payloads that execute when administrators view the page. The vulnerability stems from regex-based XSS detection that fails to catch unquoted event handlers and omits SVG/MathML from dangerous tags. Exploitation exfiltrates the admin-nonce token from /admin/config/info, enabling CSRF bypass and chained remote code execution through scheduled tasks or plugin endpoints. GitHub advisory GHSA-w8cg-7jcj-4vv2 confirms exploit details; patch available in Grav 2.0.0-beta.2 (commit 5a12f9be8). CVSS 8.9 (High) with network attack vector, low complexity, and scope change reflecting cross-context session hijacking.

PHP CSRF XSS Mozilla RCE
NVD GitHub
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-43533 HIGH PATCH GHSA This Week

Arbitrary file read in OpenClaw QQBot extension allows remote unauthenticated attackers to disclose sensitive local files by crafting malicious media tags in reply text. The vulnerability exists in OpenClaw npm package versions before 2026.4.10, where QQBot outbound media handling fails to enforce storage boundaries, enabling path traversal to read files outside the intended media directory. Publicly available patch confirmed (GitHub commit 604777e4414cc3b2ff8861f18f4fb04374c702c6). EPSS data unavailable; no CISA KEV listing indicates targeted disclosure rather than widespread exploitation. CVSS 8.9 with network vector and no authentication required, but exploitation requires the QQBot extension to be enabled and processing attacker-controlled reply text.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-6261 HIGH This Week

Remote code execution in Betheme WordPress theme versions up to 28.4 allows authenticated attackers with author-level privileges to upload malicious PHP files disguised as icon packs. The upload_icons() function extracts user-controlled ZIP files into public directories without validating extracted content, enabling arbitrary code execution. This vulnerability requires only author-level WordPress credentials (PR:L) and has network attack vector (AV:N) with low complexity (AC:L), making it readily exploitable by compromised or malicious site contributors. No public exploit code or CISA KEV listing identified at time of analysis.

WordPress File Upload RCE
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-42608 HIGH PATCH GHSA This Week

Unauthenticated path traversal in Grav CMS FormFlash component allows remote attackers to create arbitrary directories and write configuration files (index.yaml) with controlled content. Confirmed actively exploited (CISA KEV). The vulnerability affects all Grav v1.7.x installations with form-enabled pages (default in standard deployments). Attack complexity is low-requires only manipulating the __form-flash-id POST parameter with traversal sequences. Vendor-released patch available in v2.0.0-beta.2 (commit d904efc33) applies strict alphanumeric sanitization to session identifiers. EPSS exploitation probability data not available, but GitHub advisory confirms zero-day status prior to patch, with public proof-of-concept demonstrating directory creation in user/config/ paths leading to configuration injection and potential DoS via inode exhaustion.

Denial Of Service PHP Path Traversal
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-43937 HIGH PATCH GHSA This Week

Authorization bypass in YAFNET forum software (versions ≤4.0.4) allows any low-privileged authenticated user to execute arbitrary SQL commands against the backend database. The flaw stems from a misplaced ASP.NET Core filter (`PageSecurityCheckAttribute`) that validates admin privileges *after* page handlers execute, enabling attackers to inject SQL via the `/Admin/RunSql` endpoint before the 302 redirect occurs. Publicly available exploit code exists (GitHub advisory GHSA-xhw7-j96h-c3g5) demonstrating time-based blind SQL injection to extract `@@VERSION` and manipulate identity tables. CVSS 8.8 (AV:N/AC:L/PR:L) reflects network-accessible exploitation requiring only a standard forum account-trivially obtained via self-registration on most deployments. Vendor-released patch available in version 4.0.5.

Oracle SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-42266 HIGH PATCH GHSA This Week

Privilege escalation in JupyterLab 4.0.0 through 4.5.6 allows authenticated users to bypass extension allow-list controls and install arbitrary PyPI packages, enabling potential data exfiltration and lateral movement in multi-tenant deployments. The PyPI Extension Manager failed to enforce the `allowed_extensions_uris` configuration, permitting installation of packages outside the approved list. This vulnerability is particularly critical in shared educational environments (JupyterHub) and multi-tenant deployments where kernel/terminal access is restricted. Vendor-released patch available in JupyterLab v4.5.7. No public exploit identified at time of analysis, though exploitation requires only authenticated access with low complexity (CVSS AC:L).

Python Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31195 HIGH This Week

Command injection in ALTICE LABS GR140DG and GR140IG fibre routers allows authenticated remote attackers to execute arbitrary commands as root. The ping diagnostic handler in /bin/httpd_clientside accepts unsanitized user input in the destAddr parameter and passes it to a system() call, enabling shell command substitution. SSVC indicates total technical impact with no confirmed exploitation; EPSS score of 0.04% (12th percentile) suggests low observed exploitation activity, though the availability of a detailed security advisory (XEROD-2026-0001) may increase attack surface awareness among threat actors.

Command Injection N A
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31196 HIGH This Week

Authenticated command injection in ALTICE LABS GR140DG and GR140IG fiber gateways allows remote attackers with valid credentials to execute arbitrary commands as root through the traceroute diagnostic handler. The vulnerability exists in the /bin/httpd_clientside component where unsanitized destAddr parameters are passed directly to system() calls, enabling shell command substitution attacks. With CVSS 8.8 (High) but EPSS exploitation probability of only 0.04% (12th percentile), this vulnerability affects widely-deployed ISP-managed CPE devices in France (SFR network) but shows no evidence of active exploitation or public POC availability at time of analysis.

Command Injection N A
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-42843 HIGH PATCH GHSA This Week

Privilege escalation in Grav API Plugin (versions < 1.0.0-beta.15) allows any authenticated user with basic 'api.access' permission to elevate themselves to Super Administrator by sending a crafted PATCH request to modify their own permission configuration. The vulnerability, confirmed by vendor GitHub Security Advisory GHSA-r945-h4vm-h736, stems from inadequate authorization checks in the UsersController::update method, which permits self-editing users to overwrite the 'access' field containing role definitions. Successful exploitation grants complete CMS control including the ability to edit Twig templates outside sandbox restrictions for remote code execution. A detailed proof-of-concept is publicly available, and vendor-released patch is confirmed in version 1.0.0-beta.15.

Authentication Bypass Privilege Escalation PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-34464 HIGH PATCH This Week

Stack-based buffer overflow in Sandboxie-Plus SbieSvc service enables sandboxed processes to escape isolation and execute code as SYSTEM. Affected versions 1.17.2 and earlier allow malicious sandboxed code to overflow a fixed 160-wide-character stack buffer in NamedPipeServer::OpenHandler via crafted named pipe open requests, bypassing the fundamental security boundary Sandboxie provides. Fixed in version 1.17.3. EPSS data unavailable, no CISA KEV listing or public exploit identified at time of analysis, but the security boundary violation represents a complete defeat of Sandboxie's core function.

Stack Overflow Microsoft RCE Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-34459 HIGH PATCH This Week

Stack buffer overflow in Sandboxie-Plus SbieSvc proxy service enables SYSTEM privilege escalation from sandboxed processes, including Security Hardened Sandboxes. Attackers chain an information disclosure (returning up to 32KB uninitialized stack memory with ASLR/stack cookie bypass) with an unbounded memcpy overflow in the GetRawInputDeviceInfoSlave IPC handler. Intel CET shadow stacks block ROP exploitation but not the information leak itself. Vendor-released patch available in version 1.17.3. No public exploit identified at time of analysis, but attack complexity is rated high (AC:H) with low privilege requirements (PR:L), making this viable for motivated attackers targeting sandbox environments.

Stack Overflow Microsoft Buffer Overflow Privilege Escalation Intel
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-42435 HIGH PATCH This Week

Remote attackers with low-privilege authentication can inject environment variable assignments into OpenClaw 2026.2.22 through 2026.4.11 to bypass shell wrapper detection mechanisms. By manipulating critical shell variables like SHELLOPTS and PS4 at the argv level, attackers achieve high-impact code execution that circumvents security controls. Vendor-released patch available in version 2026.4.12. No active exploitation confirmed (not in CISA KEV), but VulnCheck disclosed this vulnerability with specific technical details and a GitHub commit fix.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-39849 HIGH PATCH This Week

Remote command execution in Pi-hole FTL versions before 6.6.1 allows network-adjacent attackers with API access to inject malicious dnsmasq directives via unvalidated newline characters in the dns.interface configuration field, achieving arbitrary code execution when DHCP leases are requested. Deployments with no admin password (a documented default configuration) expose the configuration API without authentication, enabling unauthenticated remote exploitation. The Pi-hole project released version 6.6.1 with input validation that strips newline characters, and the fix commit (0c46e4ec7f) replaced validate_stub with validate_str_no_newline.

RCE Ftldns
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-35228 HIGH This Week

SQL injection in Oracle MCP Server Helper Tool 1.0.1-1.0.156 allows low-privileged authenticated attackers to execute malicious SQL queries with high confidentiality and integrity impact across security boundaries. The vulnerability requires network access via HTTP and user interaction, affecting the helper tool component. With CVSS 8.7 and easily exploitable characteristics (AC:L), this represents significant risk for organizations running affected versions, though no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. The changed scope (S:C) indicates potential impact beyond the vulnerable component itself.

Oracle SQLi
NVD VulDB
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-43530 HIGH PATCH GHSA This Week

{system("id")}' or 'toybox ash -c'. CVSS 8.7 (CVSS:4.0/AV:N/AC:L/PR:L) indicates network-accessible exploitation by low-privileged authenticated users. Vendor-released patch available in version 2026.4.12. EPSS and KEV data not provided; no public exploit identified at time of analysis beyond vendor-disclosed commit.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42434 HIGH PATCH GHSA This Week

Sandbox escape in OpenClaw 2026.4.5 through 2026.4.9 allows low-privileged remote attackers to bypass sandbox boundaries and route code execution to arbitrary remote nodes by overriding exec routing parameters with host=node. This breaks sandboxed agent isolation, enabling privilege escalation and unauthorized access to production infrastructure. VulnCheck publicly disclosed this vulnerability with vendor patch available (commit dffad08). No active exploitation (CISA KEV) confirmed, but public disclosure increases exploitation risk for organizations running vulnerable OpenClaw agent deployments.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42856 HIGH PATCH GHSA This Week

Unauthenticated remote access to privileged management functions in Network-AI npm package (versions ≤5.1.2) allows attackers to read and mutate orchestrator configuration, enumerate and control agents, create or revoke security tokens, and adjust global budget ceilings. The MCP HTTP transport binds to 0.0.0.0 by default and accepts JSON-RPC tool invocation requests without authentication, session validation, or origin checks. Public exploit code exists demonstrating enumeration of 22 privileged tools and successful mutation of runtime configuration parameters via simple HTTP POST requests. Vendor-released patch: version 5.1.3 available per GitHub advisory GHSA-fj4g-2p96-q6m3.

Authentication Bypass Docker
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42327 HIGH PATCH GHSA This Week

Undefined behavior in rust-openssl's X509Ref::ocsp_responders allows crafted X.509 certificates with non-UTF-8 OCSP responder URLs to violate Rust's memory safety guarantees. Applications parsing untrusted certificates (TLS handshakes, certificate validation pipelines, PKI tooling) can trigger undefined behavior through safe Rust code when processing malformed AIA extensions. CVSS 8.7 reflects network-exploitable integrity impact; no active exploitation confirmed (not in CISA KEV), but patch available in version 0.10.79 per upstream GitHub advisory GHSA-xp3w-r5p5-63rr.

Information Disclosure OpenSSL Red Hat
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-43897 HIGH PATCH GHSA This Week

Server-Side Request Forgery (SSRF) in link-preview-js npm package allows attackers to craft URLs that bypass validation to access internal network resources via IPv6 loopback addresses (::1, ::ffff:127.0.0.1) and DNS rebinding attacks using wildcard services (.internal, .local, .nip.io, .sslip.io domains). Successful exploitation enables reading internal metadata endpoints, accessing private network services, and exfiltrating sensitive data from cloud instance metadata or internal APIs. Vendor-released patch in version 4.0.1 tightens regex validation but requires users to implement DNS resolution via resolveDNSHost option for complete protection. No public exploit identified at time of analysis, though the attack techniques are well-documented SSRF methods.

SSRF
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-6918 HIGH PATCH This Week

Remote unauthenticated attackers can crash Eclipse OpenJ9 JITServer instances (versions 0.21-0.58) by sending a specially crafted 32-byte TCP message, triggering a buffer over-read (CWE-125) that causes denial of service. The vulnerability requires no authentication or user interaction, affecting any exposed JITServer endpoint. CVSS 8.7 (High) reflects the severe availability impact, though EPSS data is not available for this recent CVE. Exploit code is publicly available via GitHub PR #23793, which demonstrates the bounds-checking fix, though no active exploitation is confirmed at time of analysis.

Information Disclosure Buffer Overflow Eclipse Openj9
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-32689 HIGH POC PATCH GHSA This Week

Unauthenticated remote denial-of-service in Phoenix Framework 1.7.0-1.7.21 and 1.8.0-1.8.5 allows attackers to crash Elixir BEAM nodes by sending multi-megabyte HTTP requests filled with newlines to the long-poll transport endpoint. A 1 MB payload of newline characters triggers allocation of approximately one million empty list elements, exhausting scheduler and memory resources. Session token required to trigger the vulnerability is obtainable via unauthenticated GET request, making exploitation trivial. Vendor-released patches (1.7.22, 1.8.6) enforce client-side batching limits. CVSS 8.7 (high availability impact) confirmed; no public exploit or CISA KEV listing identified at time of analysis.

Suse Denial Of Service
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42047 HIGH PATCH GHSA This Week

Environment variable disclosure via unhandled HTTP methods in Inngest TypeScript SDK versions 3.22.0 through 3.53.1 allows unauthenticated remote attackers to exfiltrate all process environment variables, including API keys, signing keys, and credentials. Vulnerable applications must expose the serve() endpoint to PATCH, OPTIONS, or DELETE methods - common in Next.js Pages Router and Express default configurations. The vulnerability was responsibly disclosed by independent researcher Ben Hylak with no known active exploitation at time of analysis. CVSS 8.6 reflects network-accessible unauthenticated attack with high confidentiality impact and scope change. Vendor-released patch available in version 3.54.0.

Information Disclosure
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-7412 HIGH PATCH GHSA This Week

Server-Side Request Forgery (SSRF) in Eclipse BaSyx Java Server SDK prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to force the server to execute blind HTTP POST requests to arbitrary internal or external targets via the unvalidated Operation Delegation feature. Attackers can exploit this to bypass network segmentation, pivot into isolated IT/OT infrastructure, or access Cloud Metadata services (IMDS) - enabling potential credential theft and lateral movement. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but the SSRF attack pattern is well-understood and readily exploitable.

SSRF Java
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-42612 HIGH PATCH GHSA This Week

Stored cross-site scripting in Grav CMS allows publisher-level authenticated users to execute arbitrary JavaScript in victim browsers by injecting unquoted HTML event handlers that bypass the detectXss() blacklist regex. The flawed pattern failed to detect on* event attributes without surrounding quotes, enabling payloads like <img src=x onerror=eval(...)> to persist in content fields and execute when administrators or other users view the compromised page. Vendor-released patch confirmed in commit 5a12f9be8 (Grav 2.0.0-beta.2), which tightens the on_events regex to flag unquoted attributes, adds dangerous XML namespace tags (svg, math) to the default blocklist, and hardens MediaObjectTrait::attribute() with strict identifier validation. Publicly available exploit code exists. EPSS and KEV data not provided; exploitation requires publisher-level account privileges.

XSS PHP
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-42860 HIGH PATCH GHSA This Week

Server-Side Request Forgery in edx-enterprise 7.0.2-7.0.4 enables Enterprise Admins to steal cloud credentials and scan internal networks. Authenticated users with the Enterprise Admin role-typically delegated to training managers, not platform operators-can inject arbitrary URLs into SAMLProviderConfig.metadata_source and trigger server-side HTTP requests to internal infrastructure. Publicly available exploit code exists (proof-of-concept in GitHub advisory GHSA-64cv-vxpr-j6vc). Vendor-released patch: edx-enterprise 7.0.5. This mirrors a previously patched SSRF in openedx-platform (GHSA-328g-7h4g-r2m9), indicating recurring pattern in SAML metadata handling across Open edX components.

Python SSRF Microsoft
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-33975 HIGH This Week

Server-side request forgery (SSRF) in Twenty CRM allows authenticated users to bypass IP filtering protections and access internal network resources, including cloud metadata endpoints containing IAM credentials. The vulnerability affects versions 1.18.0 and earlier through exploitation of IPv4-mapped IPv6 address normalization inconsistencies in Node.js URL parsing versus the isPrivateIp validation utility. Attackers with low-privilege authenticated access can exfiltrate sensitive credentials from cloud provider metadata services (169.254.169.254). No public exploit code or active exploitation (CISA KEV) confirmed at time of analysis, though the technical details in the GitHub security advisory provide a clear exploitation path.

SSRF Node.js
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-43526 HIGH PATCH This Week

Server-side request forgery in OpenClaw's QQBot media URL handler allows remote unauthenticated attackers to fetch arbitrary internal or external resources and exfiltrate them through the bot's messaging channel. Attackers provide malicious media URLs in QQBot replies, triggering the server to fetch content from attacker-specified locations, which is then re-uploaded through legitimate channels. Vendor patch available as of version 2026.4.12, with fix commits published on GitHub. CVSS 8.3 reflects high confidentiality impact with low integrity impact; CVSS v4.0 vector indicates network-accessible, low complexity attack requiring no privileges or user interaction but specific attack conditions (AT:P).

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-43893 HIGH PATCH GHSA This Week

Argument injection in exiftool-vendored npm package allows remote attackers to perform unauthorized file reads or writes via newline characters in tag names, filenames, or options. The vulnerability affects applications using exiftool-vendored ≤ 35.18.0 that pass attacker-controlled strings to ExifTool APIs without sanitization. Exploitation enables attackers to manipulate ExifTool's command-line arguments by injecting newlines into supposedly single-argument strings, breaking out of intended argument boundaries. While no remote code execution has been demonstrated, the CVSS 8.2 HIGH score reflects the network attack vector, low complexity, and lack of authentication or user interaction requirements. Fixed in version 35.19.0 with dual-layer validation rejecting control characters in both tag names and the command renderer. No public exploit code or active exploitation confirmed at time of analysis.

RCE
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-42437 HIGH PATCH GHSA This Week

Remote attackers can crash OpenClaw 2026.4.9 by sending oversized WebSocket frames to the voice-call realtime webhook path, causing complete service unavailability. The vulnerability requires no authentication and affects deployments that expose the WebSocket endpoint externally. Vendor patch released in version 2026.4.10 with commit afadb7dae6738819ad9c7d2597ace0516957d20e. No active exploitation confirmed (not in CISA KEV), but public advisory with commit details provides exploitation blueprint.

Denial Of Service Openclaw
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-30923 HIGH PATCH This Week

Worker process crashes occur in ModSecurity (libmodsecurity3) when processing query string parameters containing single characters through the t:hexDecode transformation function. Remote unauthenticated attackers can trigger repeated segmentation faults to disrupt web application firewall protection, though service automatically recovers once the attack ceases. All libmodsecurity3 versions before 3.0.15 are affected across Apache, IIS, and Nginx deployments. OWASP confirmed the vulnerability via GitHub security advisory GHSA-qrjc-3jpc-3h2g and released patch version 3.0.15 addressing this buffer overflow (CWE-125: Out-of-bounds Read).

Suse Denial Of Service Apache Buffer Overflow Nginx +2
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-43929 HIGH GHSA This Week

Complete SSRF protection bypass in ssrfcheck allows remote attackers to reach all private IPv4 ranges including cloud metadata endpoints (169.254.169.254) by encoding targets as IPv4-mapped IPv6 addresses (e.g., http://[::ffff:127.0.0.1]/). Node.js WHATWG URL parser normalizes these addresses to compressed hex form before the library's dot-notation-only regex executes, rendering all private IP checks ineffective. EPSS score unavailable for this recent CVE (2026), but the attack requires no authentication (PR:N), has low complexity (AC:L), and affects the latest version (1.3.0) with no vendor-released patch identified at time of analysis. Publicly available exploit code exists with complete proof-of-concept and automated verification scripts confirmed on Node.js v20.20.2.

SSRF Microsoft Node.js
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-42260 HIGH PATCH GHSA This Week

Server-Side Request Forgery (SSRF) in open-webSearch's fetchWebContent MCP tool enables remote unauthenticated attackers to fetch arbitrary private-network URLs and receive full response bodies. Two defects in the `isPrivateOrLocalHostname` validator combine to allow bypass: bracketed IPv6 literals (e.g., `[::ffff:7f00:1]`) are never validated because Node's URL.hostname preserves brackets and Node's isIP() returns 0 for bracketed strings, and DNS resolution is never performed so attacker-controlled hostnames resolving to RFC1918 addresses pass unchecked. When deployed with HTTP transport enabled (documented configuration, active in Docker image), the MCP server binds to 0.0.0.0:3000 with CORS origin='*' and no authentication, exposing the vulnerable tool to any network attacker. Fixed in version 2.1.7. No public exploit identified at time of analysis, but vendor-supplied proof-of-concept demonstrates full exploit chain against AWS EC2 metadata and localhost services.

Microsoft SSRF Node.js Docker Apple +1
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-32603 HIGH PATCH This Week

Local denial of service in Sandboxie 1.17.2 and earlier allows unprivileged processes inside Standard Sandbox configurations to crash the Windows kernel (BSOD) by sending malformed IOCTL requests to the SandboxieDriverApi kernel driver. Fixed in version 1.17.3 released by Sandboxie-Plus. Security Hardened Sandbox configurations are not affected. No active exploitation confirmed (not in CISA KEV), but the vulnerability is trivially exploitable by any process within an affected sandbox, enabling local attackers or malicious sandboxed applications to force immediate system-wide service disruption.

Denial Of Service Microsoft
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-42315 HIGH PATCH GHSA This Week

Absolute path traversal in pyLoad download manager allows authenticated users to write files to arbitrary filesystem locations via unsanitized package folder names in the set_package_data() API function. Users with Perms.MODIFY can redirect downloads to sensitive directories (e.g., /etc, /root, system directories) bypassing intended download directory restrictions, enabling configuration overwrite or denial of service through disk exhaustion. Publicly available exploit code exists with complete proof-of-concept in the GitHub security advisory. CVSS 8.1 (High) reflects high integrity and availability impact limited by low-privilege authentication requirement.

Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-42609 HIGH PATCH GHSA This Week

Grav CMS Admin Panel allows authenticated users with only user-creation permissions to overwrite administrator accounts by submitting the admin's username when creating a new user. The flawed create-or-update logic replaces the existing super-admin account metadata with attacker-supplied low-privilege data, locking the legitimate administrator out and causing complete loss of management control. Vendor-released patch: fixed in 2.0.0-beta.2 (commit d904efc33). Publicly available exploit code exists (video PoC published by Grav maintainers). EPSS data not provided, but the low attack complexity and confirmed PoC make exploitation straightforward for any low-privileged user with create-user rights.

Denial Of Service Privilege Escalation PHP
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-43938 HIGH PATCH GHSA This Week

Remote unauthenticated attackers can execute JavaScript in administrator sessions of YAF.NET forum software (versions ≤3.2.11 and 4.0.0-beta01 through 4.0.4) by injecting malicious User-Agent headers via any endpoint that triggers exception logging, notably /api/Attachments/GetAttachment. The stored XSS payload fires when administrators view the Event Log admin panel, enabling full forum takeover through admin-session hijacking. A working proof-of-concept exists requiring only a single anonymous HTTP request. EPSS and KEV data not available; CVSS 8.1 (High) reflects network vector, low complexity, and no authentication requirement, though the UI:R metric indicates the admin must visit the log page for execution.

XSS CSRF
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-43060 HIGH PATCH This Week

Use-after-free in Linux kernel's netfilter nft_ct subsystem allows local authenticated attackers with low privileges to achieve code execution, privilege escalation, or denial of service. The vulnerability stems from stale references to conntrack zone templates, timeout policies, and helper objects in packets queued to nfqueue when these objects are removed. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no active exploitation confirmed at time of analysis. Vendor-released patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0).

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43063 HIGH PATCH This Week

Use-after-free in XFS filesystem recovery code allows local attackers with user interaction to achieve high-severity impacts including potential code execution, data corruption, or denial of service. The vulnerability stems from incorrect error handling in xfs_attri_recover_work() where the code attempts to release an inode pointer that was never successfully allocated, causing a dereference of uninitialized memory. Patches are available across multiple kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0), and EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability with no public exploit identified at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43070 HIGH PATCH This Week

eBPF verifier in Linux kernel allows local privilege escalation through incorrect register ID handling during byte-swap operations. When BPF_END instruction performs byte swapping, the verifier fails to reset scalar register IDs, causing it to incorrectly propagate bounds checks between linked registers. This validation bypass allows authenticated local attackers with BPF program loading privileges to craft malicious eBPF programs that pass verification but achieve out-of-bounds memory access at runtime, potentially escalating to kernel-level code execution. Vendor patches available for affected 6.18.x and 6.19.x branches with EPSS score of 0.02% indicating low observed exploitation probability.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-25589 HIGH PATCH This Week

Heap-based buffer overflow in RedisBloom versions before 2.8.20 enables remote code execution via Redis RESTORE command when authenticated attackers supply malicious serialized payloads. The vulnerability stems from improper validation of deserialized data in the probabilistic data structures module. Exploitation requires Redis authentication and RESTORE command privileges (PR:L), with CVSS 7.7 rating reflecting the authentication requirement despite critical impact potential. No public exploit code or CISA KEV listing identified at time of analysis, though vendor has released security-focused patch 2.8.20.

Heap Overflow Redis RCE Buffer Overflow Suse
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-25588 HIGH PATCH This Week

Remote code execution in RedisTimeSeries versions before 1.12.14 allows authenticated attackers with RESTORE command permissions to execute arbitrary code via crafted serialized payloads. The vulnerability stems from improper validation of data processed through Redis RESTORE command, enabling heap buffer overflow exploitation. Attackers with low-level privileges can achieve complete system compromise (CVSS 7.7, CVSS:4.0 High confidentiality/integrity/availability impact) through network-based attacks with high complexity. No public exploit code or active exploitation confirmed at time of analysis.

Heap Overflow Redis RCE Buffer Overflow Suse
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.3%
Prev Page 2 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy