236 CVEs tracked today. 37 Critical, 89 High, 87 Medium, 23 Low.
-
CVE-2026-44542
CRITICAL
CVSS 9.1
Path traversal in FileBrowser allows unauthenticated attackers possessing a valid public share hash with delete permissions to delete arbitrary files anywhere within the share owner's storage scope. The vulnerability exists in both stable and development versions due to user-controlled path input being joined with trusted base paths before sanitization in middleware.go:111 and resource.go:274. Proof-of-concept exploit code is publicly available via GitHub advisory GHSA-fwj3-42wh-8673. Vendor-released patch available in commit 112740bdd41de7d5eb01e13ba49d406bfc463f69.
Path Traversal
-
CVE-2026-44523
CRITICAL
CVSS 10.0
JWT secret validation bypass in Note Mark allows full account takeover through offline token forgery. The Go-based note-taking application accepts HS256 signing secrets shorter than RFC 7518's required 32 bytes, enabling attackers to capture a single valid JWT from network traffic or logs, brute-force the weak secret offline, and forge authentication tokens for any user including administrators. Publicly available exploit code exists (vendor-published PoC in GitHub advisory GHSA-q6mh-rqwh-g786). Vendor-released patch available in commit 18b587758667 and release v0.19.4. CVSS 10.0 reflects unauthenticated network exploitation with scope change, though real-world impact requires JWT capture as a prerequisite.
RCE
Python
-
CVE-2026-44498
CRITICAL
CVSS 9.2
Zebra's block validator fails to count transparent signature operations correctly, allowing malicious miners to create blocks that exceed the 20,000 sigop consensus limit and trigger network splits between Zebra and zcashd nodes. The vulnerability affects Zebra versions prior to 4.4.0 and stems from two distinct accounting flaws: (1) coinbase input scriptSigs were excluded from legacy sigop counts, hiding up to 98 operations, and (2) P2SH redeem script sigops were only computed during mempool validation but never aggregated during block validation. A miner could craft a single block with 1,334+ P2SH spends to exceed the limit and partition the Zcash network. Vendor-released patch: Zebra 4.4.0 (confirmed by GitHub advisory GHSA-jv4h-j224-23cc). No public exploit identified at time of analysis.
Information Disclosure
-
CVE-2026-44497
CRITICAL
CVSS 9.3
Consensus divergence in Zebra 4.3.1 enables blockchain network partitioning through crafted transparent transactions with invalid sighash types. Insufficient error handling at the Rust-to-C++ FFI boundary causes Zebra to incorrectly accept transactions with undefined hash types by reusing stale buffer data from prior valid signature checks, while zcashd correctly rejects these transactions. Attackers can exploit this by chaining OP_CHECKSIGVERIFY with OP_CHECKSIG opcodes using invalid hash types to trigger acceptance on Zebra nodes but rejection on zcashd nodes, creating a consensus split that could enable double-spend attacks. Vendor-released patch: 4.4.0. No public exploit identified at time of analysis, but the technical mechanism is fully disclosed in the GitHub advisory GHSA-gq4h-3grw-2rhv.
Information Disclosure
Jwt Attack
-
CVE-2026-44484
CRITICAL
CVSS 9.3
Supply chain compromise in PyTorch Lightning versions 2.6.2 and 2.6.3 delivers credential-harvesting malware through the official PyPI distribution channel. Lightning AI confirmed malicious code was injected into these specific releases, targeting API keys, access tokens, SSH keys, and service account credentials. The compromised versions were quarantined from PyPI and users are directed to downgrade to known-clean version 2.6.1. The CVSS 9.3 score reflects network-accessible exploitation requiring no authentication or user interaction, though exploitation is limited to systems that specifically installed the two poisoned versions.
Information Disclosure
Red Hat
-
CVE-2026-44007
CRITICAL
CVSS 9.1
vm2 NodeVM with nesting:true silently overrides require:false, granting sandbox code unconditional access to require('vm2') and enabling remote code execution on the host via nested NodeVM construction. Applications running untrusted code in a NodeVM configured with {nesting:true, require:false} are fully compromised — attackers can execute arbitrary OS commands as the host process user. Publicly available exploit code exists (proof-of-concept demonstrated command execution via child_process). CVSS 9.1 indicates high privileges required (PR:H), meaning the host must explicitly enable nesting:true, but the severity reflects scope change (S:C) when this non-default configuration is present. Vendor-released patch in vm2 3.11.1 converts contradictory configuration into a runtime error at NodeVM construction time, preventing silent sandbox escape.
Authentication Bypass
RCE
Docker
Command Injection
Node.js
-
CVE-2026-44006
CRITICAL
CVSS 10.0
Prototype chain manipulation in vm2 Node.js sandbox library enables complete sandbox escape and remote code execution via util.inspect handler leakage. Attackers can exploit BaseHandler.getPrototypeOf through crafted objects to access host process primitives and execute arbitrary system commands. Public exploit code exists (vendor-published PoC demonstrates child_process.execSync execution). Fixed in vm2 version 3.11.0 alongside 12 other critical sandbox escape vulnerabilities in a coordinated security release.
RCE
Code Injection
-
CVE-2026-44005
CRITICAL
CVSS 10.0
vm2 npm package versions 3.9.6 through 3.10.5 allow sandbox escape through prototype pollution of host-realm intrinsic objects. Attackers execute arbitrary code by leveraging a flawed proxy bridge implementation that writes sandbox mutations directly to the shared host Object.prototype, Array.prototype, and Function.prototype instead of isolating changes to the sandbox realm. This vulnerability was patched in vm2 v3.11.0 as part of a coordinated release addressing 13 security advisories. Publicly available exploit code exists with minimal attack complexity (CVSS AC:L) requiring no authentication or user interaction (AV:N/PR:N/UI:N).
RCE
Code Injection
-
CVE-2026-43999
CRITICAL
CVSS 9.9
vm2's NodeVM sandbox escape allows remote code execution when applications use the common `builtin: ['*', '-child_process']` configuration pattern. An attacker with the ability to submit code to the sandbox can bypass the builtin allowlist by requiring the `module` builtin, then using `Module._load()` to load explicitly excluded modules like `child_process` in the host context. This directly leads to arbitrary command execution on the host system. The vulnerability affects vm2 version 3.10.5, with a vendor-released patch available in version 3.11.0. CVSS score of 9.9 reflects critical severity with network attack vector, low complexity, and scope change from sandbox to host. No public exploit code or active exploitation evidence identified at time of analysis.
Authentication Bypass
RCE
Node.js
-
CVE-2026-43997
CRITICAL
CVSS 10.0
Remote code execution in vm2 Node.js sandbox library (versions ≤3.10.5) allows attackers to escape isolation and execute arbitrary system commands by exploiting incomplete host Object protections. Attackers leverage JavaScript prototype chain manipulation to obtain host-context symbols, enabling injection of malicious code into Node.js inspection routines. Publicly available exploit code exists with a working proof-of-concept demonstrating command execution via child_process. CVSS 10.0 (Critical) with network attack vector and no authentication required. Fixed in vm2 3.11.0, part of a coordinated release addressing 13 sandbox-escape vulnerabilities.
RCE
Code Injection
-
CVE-2026-42880
CRITICAL
CVSS 9.6
Kubernetes Secret extraction in Argo CD v3.2.0-3.2.10 and v3.3.0-3.3.8 allows authenticated users with read-only application permissions to retrieve plaintext credential data including service account tokens, TLS certificates, database passwords, and API keys via the ServerSideDiff endpoint. The vulnerability exists due to missing data masking in the gRPC/REST ServerSideDiff function, which returns raw Kubernetes Server-Side Apply dry-run responses containing unredacted Secret values from etcd when applications are annotated with 'IncludeMutationWebhook=true'. A functional proof-of-concept exploit exists demonstrating automated extraction of all accessible secrets. Vendor-released patches (3.2.11, 3.3.9) are available. CVSS 9.6 reflects network-exploitable, low-complexity attack requiring only low-privilege authenticated access with cross-scope high confidentiality/integrity impact.
Information Disclosure
Kubernetes
Red Hat
-
CVE-2026-42596
CRITICAL
CVSS 9.4
Unauthenticated server-side request forgery (SSRF) in Gotenberg 8.30.1 and earlier allows remote attackers to force the server to make HTTP requests to internal/loopback addresses by bypassing default deny-lists with IPv4-mapped IPv6 notation (e.g., http://[::ffff:127.0.0.1]:port). The vulnerability affects both the downloadFrom file-fetching feature and the webhook delivery feature. Attackers can read content from internal HTTP endpoints and trigger state-changing requests against services bound to localhost, exposing internal APIs, cloud metadata endpoints, and admin interfaces. Fix available in version 8.32.0. No public exploit code confirmed outside the GitHub advisory PoC, not listed in CISA KEV, but CVSS 9.4 Critical rating reflects the network-accessible, unauthenticated nature and high confidentiality/integrity impact.
Python
Docker
Google
SSRF
Microsoft
-
CVE-2026-42589
CRITICAL
CVSS 9.8
Unauthenticated remote code execution in Gotenberg 8.29.1 allows network attackers to execute arbitrary OS commands via newline injection in PDF metadata keys. The `/forms/pdfengines/metadata/write` endpoint passes user-controlled JSON metadata keys directly to ExifTool without control-character validation. Embedding `\n` in a key splits ExifTool's stdin stream, injecting arbitrary flags including `-if`, which evaluates Perl expressions. The attack returns HTTP 200 with valid PDF output, evading basic monitoring. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible RCE. No vendor-released patch identified at time of analysis: GitHub advisory GHSA-rqgh-gxv4-6657 confirms the issue, but CPE data shows no fixed version. Publicly available exploit code exists in Python and bash with OOB exfiltration. The default Docker image `gotenberg/gotenberg:8` runs the vulnerable process as uid 1001 with root group membership, amplifying post-exploitation impact.
RCE
Python
Docker
Google
Command Injection
-
CVE-2026-41902
CRITICAL
CVSS 9.1
Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access to user accounts, including admin accounts, via non-expiring invite tokens. The /user-setup/{hash} endpoint accepts 60-character invite_hash values with no time-based expiration, remaining valid indefinitely until consumed. Attackers who obtain leaked invite links through forwarded emails, HTTP referrer logs, CDN access logs, or archived messages can set passwords for target accounts months or years post-issuance. CVSS 9.1 (Critical) with network vector and no authentication required. Patched in version 1.8.217 with 7-day invite expiration. EPSS and KEV data not available; no public exploit code identified at time of analysis.
Information Disclosure
-
CVE-2026-41589
CRITICAL
CVSS 9.6
Path traversal in Wish SSH server's SCP middleware allows authenticated attackers to read arbitrary files, write arbitrary files, and create directories outside the configured root via crafted filenames containing ../ sequences. Affects charm.land/wish/v2 versions 2.0.0 through 2.0.1 and all github.com/charmbracelet/wish v1.x versions. Vendor-released patch v2.0.1 available for v2 branch; no fix confirmed for v1 branch. CVSS 9.6 with scope change indicates potential container/host escape scenarios. No evidence of active exploitation or public POC at time of analysis.
Path Traversal
-
CVE-2026-41050
CRITICAL
CVSS 9.9
ServiceAccount impersonation bypass in Rancher Fleet allows tenants with git push access to multi-tenant clusters to read secrets from any namespace across all downstream clusters. Two distinct code paths failed to properly apply RBAC constraints: Helm's lookup function executed with cluster-admin credentials instead of the impersonated ServiceAccount, and valuesFrom secret references in fleet.yaml bypassed namespace isolation. Confirmed active exploitation status unknown (not in CISA KEV). CVSS 9.9 with scope-change modifier reflects potential credential leakage to external services. Fleet versions 0.12.0 through 0.15.0 affected across multiple Rancher release branches. Patches available for all supported versions with detailed version matrix provided by SUSE.
Authentication Bypass
Kubernetes
Suse
-
CVE-2026-40982
CRITICAL
CVSS 9.1
Directory traversal in Spring Cloud Config server module allows remote unauthenticated attackers to read arbitrary files from the file system using specially crafted URLs. Affects Spring Cloud Config versions 3.1.0-3.1.13, 4.1.0-4.1.9, 4.2.0-4.2.6, 4.3.0-4.3.2, and 5.0.0-5.0.2, with patches available across all branches. The vulnerability achieves CVSS 9.1 (Critical) due to remote exploitation without authentication (AV:N/AC:L/PR:N/UI:N) and high confidentiality/integrity impact, though EPSS and KEV data are not available to confirm active exploitation status. VMware/Spring has released fixes for all affected versions.
Java
Path Traversal
-
CVE-2026-37709
CRITICAL
CVSS 9.8
Remote unauthenticated attackers can execute arbitrary code in Snipe-IT versions 8.4.0 and earlier by uploading malicious files through the API's UploadedFilesController component. The vulnerability stems from an authorization bypass where file upload endpoints required only 'view' permission instead of 'update' permission, allowing attackers to upload and execute code without proper authentication. Fixed in commit 676a9958 (March 10, 2026). EPSS data not available. No CISA KEV listing identified at time of analysis. Public exploit code (POC) status unknown, though GitHub security advisory GHSA-xg82-2hrv-hf64 confirms the flaw.
PHP
Authentication Bypass
RCE
-
CVE-2026-36458
CRITICAL
CVSS 9.8
ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered.
RCE
SQLi
Code Injection
N/A
-
CVE-2026-33587
CRITICAL
CVSS 9.2
Server-Side Template Injection in Open Notebook v1.8.3 enables arbitrary Python code execution and OS command execution within the Docker container through unsanitized user input in transformation features. The vulnerability requires local access (CVSS AV:L) but no authentication or user interaction, making it exploitable by any application user with access to the transformation creation interface. No public exploit code identified at time of analysis, though the GitHub security advisory provides technical details for reproduction.
Python
Docker
Code Injection
-
CVE-2026-30496
CRITICAL
CVSS 9.8
The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration (74 endpoints) and writing/modifying settings including volume, mute, brightn...
Authentication Bypass
Google
N/A
-
CVE-2026-8094
CRITICAL
CVSS 9.8
Remote code execution in Firefox ESR's WebRTC component allows unauthenticated network attackers to achieve arbitrary code execution with complete system compromise. The vulnerability affects Firefox ESR versions prior to 140.10.2 and carries a critical CVSS score of 9.8 with network attack vector requiring no authentication or user interaction. Despite the critical severity, EPSS probability remains exceptionally low at 0.01% (0th percentile) with no evidence of active exploitation, suggesting limited awareness or exploitation complexity despite the automatable nature assessed by CISA SSVC framework.
RCE
Code Injection
Red Hat
Mozilla
Suse
-
CVE-2026-8091
CRITICAL
CVSS 9.8
Remote code execution in Firefox ESR allows unauthenticated network attackers to achieve complete system compromise via malformed audio/video content. Mozilla has released patches in Firefox ESR 140.10.2 and Firefox ESR 115.35.2. Despite a critical CVSS 9.8 score and SSVC rating of 'total' technical impact with automatable exploitation, EPSS assigns only 0.01% exploitation probability (1st percentile), and no public exploit or active exploitation has been identified. The severity stems from the unauthenticated network attack vector against a boundary condition flaw in media playback - a user-facing feature in a widely-deployed browser component.
Information Disclosure
Mozilla
Suse
-
CVE-2026-7891
CRITICAL
CVSS 9.3
Authorization bypass in Mendix Studio Pro through 11.8.0 Beta exposes all stored records to anonymous users due to undocumented role inheritance behavior. Applications built with affected Mendix versions silently grant anonymous users access to entity data despite no explicit permissions configured, allowing unauthenticated remote attackers to read and modify confidential records. DIVD discovered this architectural flaw through VerySecureApp, indicating potentially widespread impact across the Mendix application ecosystem. Exploitation confirmed as attack surface exposure (CVSS E:A modifier), though not yet listed in CISA KEV.
Information Disclosure
-
CVE-2026-7821
HIGH
CVSS 7.4
Improper certificate validation in Ivanti Endpoint Manager Mobile (EPMM) enables remote unauthenticated attackers to enroll restricted devices without authorization, exposing appliance configuration details and compromising enrolled device identity integrity. Affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. CVSS 7.4 with high attack complexity suggests exploitation requires specific timing or conditions. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis, though Ivanti products have been frequent targets of nation-state actors in recent years.
Information Disclosure
Ivanti
-
CVE-2026-7415
CRITICAL
CVSS 9.8
Anonymous MQTT access in Yarbo firmware v2.3.9 allows remote unauthenticated attackers on the local network to fully control the robotic lawn mower and exfiltrate sensitive telemetry data. The embedded MQTT broker accepts connections without credentials and enforces no topic-level access controls, enabling arbitrary publish/subscribe operations. No authentication, authorization, or message validation occurs. EPSS and KEV data not available; exploitation requires only network access to the robot's MQTT port (typically TCP 1883).
Authentication Bypass
-
CVE-2026-7414
CRITICAL
CVSS 9.8
Hardcoded administrative credentials in Yarbo firmware v2.3.9 allow remote unauthenticated attackers to gain full device administrative access across all deployed units. The CVSS 9.8 critical score reflects the complete lack of authentication barriers (AV:N/AC:L/PR:N), with identical credentials embedded in every device that cannot be changed by end users. No active exploitation has been confirmed by CISA KEV, but a public GitHub repository reference suggests potential proof-of-concept availability. EPSS data unavailable, though the trivial exploitation path (no complexity, no privileges required) indicates high weaponization potential once credentials become widely known.
Authentication Bypass
-
CVE-2026-6973
HIGH
CVSS 7.2
Remote code execution in Ivanti Endpoint Manager Mobile (EPMM) allows authenticated administrators to execute arbitrary code on the server. Affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 through improper input validation vulnerabilities. While requiring high-privilege administrator credentials (CVSS PR:H), the vulnerability enables complete system compromise once authenticated, with high impact to confidentiality, integrity, and availability. No public exploit or active exploitation confirmed at time of analysis.
RCE
Ivanti
-
CVE-2026-6795
CRITICAL
CVSS 9.6
Open redirect vulnerability in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to redirect users to malicious sites via parameter injection, achieving high-severity impact across confidentiality, integrity, and availability with scope change. The CVSS 9.6 (Critical) score reflects cross-site scope change and combined impacts, though typical open redirect attacks involve phishing rather than direct system compromise. TR-CERT published this vulnerability with vendor coordination through Turkish national CERT.
Open Redirect
-
CVE-2026-6722
CRITICAL
CVSS 9.5
Use-after-free memory corruption in PHP 8.2.x enables remote attackers to achieve high-impact exploitation through network-accessible attack vectors, despite high attack complexity and specific timing requirements. PHP 8.2.31 addresses this vulnerability along with seven other security issues in a coordinated security release. The CVSS v4.0 score of 9.5 reflects both confidentiality and integrity impact across vulnerable and subsequent systems, with high availability impact. No public exploit code or active exploitation confirmed at time of analysis, but the vendor urgency indicator (U:Red) and release coordinator emphasis (RE:M) signal critical priority for organizations running PHP 8.2.x in production environments.
PHP
Information Disclosure
Use After Free
Memory Corruption
Microsoft
-
CVE-2026-6508
CRITICAL
CVSS 9.8
Remote unauthenticated attackers can bypass access control lists in Liderahenk 2.0.1, achieving complete system compromise with confidentiality, integrity, and availability impact. The origin validation flaw (CWE-346) allows attackers to access restricted functionality without proper authorization checks. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction. No EPSS data or CISA KEV status available, but the origin validation weakness combined with unrestricted network access creates high practical risk. Reported by Turkey's National Cyber Security Center (USOM), indicating potential targeting of Turkish government/organizational deployments.
Information Disclosure
-
CVE-2026-6411
HIGH
CVSS 7.3
Remote attackers can decrypt tenant email addresses and metadata, and trigger denial-of-service conditions in MAXHUB Pivot client versions prior to v1.36.2 via hardcoded AES encryption keys. The vulnerability (CWE-327: Broken/Risky Cryptographic Algorithm) enables complete bypass of data confidentiality controls without authentication due to embedded cryptographic secrets in the application binary. CISA ICS-CERT disclosure indicates this affects operational technology environments where MAXHUB collaboration devices are deployed. No active exploitation confirmed in CISA KEV at time of analysis, though the attack vector is trivially exploitable (AV:N/AC:L/PR:N/UI:N) once the hardcoded key is extracted via reverse engineering.
Authentication Bypass
-
CVE-2026-5788
HIGH
CVSS 7.0
Remote unauthenticated attackers can invoke arbitrary methods in Ivanti Endpoint Manager Mobile (EPMM) via improper access control flaws, enabling authentication bypass and potential system compromise. Affects versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. The CVSS vector indicates network-accessible exploitation with high attack complexity, resulting in high integrity impact and limited confidentiality/availability impact. No active exploitation confirmed via CISA KEV at time of analysis, though the authentication bypass tag and Ivanti's history of targeted attacks warrant elevated monitoring.
Authentication Bypass
Ivanti
-
CVE-2026-5787
HIGH
CVSS 8.9
Certificate validation bypass in Ivanti Endpoint Manager Mobile (EPMM) allows remote unauthenticated attackers to impersonate registered Sentry hosts and fraudulently obtain CA-signed client certificates. Affects all versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1. High-severity network attack (CVSS 8.9) with changed scope indicating potential pivot to additional systems. No active exploitation confirmed in CISA KEV at time of analysis, but Ivanti products are frequent targets requiring immediate patching priority.
Information Disclosure
Ivanti
-
CVE-2026-5786
HIGH
CVSS 8.8
Privilege escalation in Ivanti Endpoint Manager Mobile (EPMM) allows remote authenticated attackers with low-level credentials to gain full administrative access. Affected versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 contain an improper access control flaw (CWE-284) that enables credential-holding users to bypass authorization checks and assume administrative privileges. With CVSS 8.8 (High) and network-exploitable attack vector requiring only low privileges, this represents a significant risk for enterprise mobile device management environments, though EPSS data and active exploitation status are not available at time of analysis.
Authentication Bypass
Ivanti
-
CVE-2025-63706
CRITICAL
CVSS 9.8
NPM package next-npm-version 1.0.1 is vulnerable to command injection.
RCE
Command Injection
Node.js
Code Injection
N/A
-
CVE-2025-63704
CRITICAL
CVSS 9.8
Prototype pollution in query-string-parser 1.0.0 enables remote unauthenticated attackers to inject malicious properties into JavaScript object prototypes via crafted query parameters, achieving arbitrary code execution, privilege escalation, or denial of service in Node.js applications. CVSS 9.8 critical severity with network attack vector and no authentication required. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite critical rating. Publicly available proof-of-concept exists (GitHub Gist), but no CISA KEV listing confirms active exploitation. SSVC framework rates this as automatable with total technical impact but currently unexploited, suggesting opportunistic future risk rather than immediate widespread targeting.
Information Disclosure
Node.js
Prototype Pollution
-
CVE-2025-63703
CRITICAL
CVSS 9.8
npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().
Information Disclosure
Node.js
Prototype Pollution
-
CVE-2026-42826
CRITICAL
CVSS 10.0
Unauthorized information disclosure in Azure DevOps allows remote unauthenticated attackers to access sensitive data via network requests and potentially compromise the system with high confidentiality, integrity, and availability impact. The vulnerability carries a maximum CVSS 10.0 score with scope change, indicating cross-boundary impact. Microsoft has released an official patch, and no active exploitation has been reported via CISA KEV at the time of analysis.
Information Disclosure
Microsoft
-
CVE-2026-35428
CRITICAL
CVSS 9.6
Command injection in Azure Cloud Shell enables remote attackers to execute arbitrary commands and spoof user sessions when victims interact with malicious content. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), allowing network-based attackers to achieve high impact across confidentiality, integrity, and availability with scope change (S:C), indicating potential container escape or cross-tenant impact. Microsoft has released a patch per MSRC advisory. EPSS data not available, no CISA KEV listing identified, suggesting targeted rather than widespread exploitation at time of analysis.
Command Injection
Microsoft
-
CVE-2026-33844
CRITICAL
CVSS 9.0
Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code when a user interacts with a malicious payload. CVSS 9.0 (Critical) with scope change indicates container/tenant escape potential. Microsoft released a patch (MSRC update guide), and CVSS temporal metrics indicate that an official remediation is available with confirmed report confidence, though no confirmed active exploitation or public POC was identified at time of analysis.
Apache
Information Disclosure
Microsoft
-
CVE-2026-33823
CRITICAL
CVSS 9.6
Authorization bypass in Microsoft Teams enables authenticated attackers to escalate privileges across security boundaries and access sensitive information from other tenants or user contexts. The CVSS score of 9.6 reflects a scope change (S:C), indicating the attacker can impact resources beyond their authorized permissions with high confidentiality and integrity impact. Vendor-released patch available from Microsoft Security Response Center. No public exploit identified at time of analysis, with CVSS temporal metrics indicating unproven exploitability (E:U).
Authentication Bypass
Microsoft
-
CVE-2026-33109
CRITICAL
CVSS 9.9
Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code across tenant boundaries. The vulnerability involves improper access control (CWE-284) enabling scope escape with complete compromise of confidentiality, integrity, and availability. Microsoft has released a patch per MSRC advisory. CVSS 9.9 (Critical) reflects network-based attack with low complexity, low privileges required, and changed scope indicating container/tenant escape potential.
Authentication Bypass
Apache
Microsoft
-
CVE-2026-44742
HIGH
CVSS 7.2
Cross-site scripting (XSS) in Postorius mail list management interface allows unauthenticated remote attackers to inject malicious scripts via crafted email subjects in held messages. Active exploitation confirmed in May 2026 per vendor disclosure. Affects all versions through 1.3.13. Public exploit code available via GitLab merge request #972. EPSS data not yet available for this recent CVE, but confirmed in-the-wild activity elevates priority significantly despite moderate CVSS 7.2 score.
XSS
-
CVE-2026-44641
HIGH
CVSS 7.1
Path traversal in Microsoft APM CLI 0.8.11 and earlier allows malicious plugins to copy arbitrary readable host files into managed project directories during installation. The plugin_parser.py module fails to validate that component paths in plugin.json manifest fields (agents, skills, commands, hooks) remain within the plugin root, enabling attackers to use absolute paths or ../ traversal sequences to exfiltrate local files. Verified proof-of-concept demonstrates a malicious plugin copying external markdown files into .github/prompts/ through the auto-integration pipeline. Exploitation requires user interaction (installing a malicious plugin), but no authentication is required once the user initiates installation. CVSS 7.1 (High) reflects significant confidentiality and integrity impact in a local supply-chain attack scenario. Vendor-released patch available in apm-cli 0.8.12 per GitHub advisory GHSA-xhrw-5qxx-jpwr. No active exploitation (CISA KEV) confirmed, but publicly available exploit code exists with complete proof-of-concept including runnable scripts.
Python
Path Traversal
Microsoft
-
CVE-2026-44522
HIGH
CVSS 8.6
Path traversal in Note Mark's asset upload feature allows authenticated users to inject directory traversal sequences into asset filenames via the X-Name HTTP header, which are stored unsanitized in the database. When an administrator subsequently runs data export CLI commands (typically as root in Docker deployments), the malicious filenames cause arbitrary file writes anywhere on the filesystem through Go's filepath.Join() path normalization. Attackers can achieve remote code execution as root by overwriting system binaries like /bin/bash or injecting cron jobs. Publicly available exploit code exists with video proof-of-concept demonstrating full RCE chain. Vendor-released patch available in version 0.19.4. CVSS 8.6 reflects network attack vector with low complexity but requires authenticated access and administrator interaction to trigger the export process.
RCE
Docker
Path Traversal
OpenSSL
-
CVE-2026-44513
HIGH
CVSS 8.8
Remote code execution in Hugging Face diffusers library (all versions < 0.38.0) bypasses the trust_remote_code=False security gate when users load models via DiffusionPipeline.from_pretrained. Three distinct attack vectors exist: cross-repository custom_pipeline parameters, local snapshots combined with Hub custom_pipeline references, and local snapshots containing malicious custom component files. The vulnerability stems from implementing the trust_remote_code check in DiffusionPipeline.download() instead of at the actual dynamic module load point, allowing multiple code paths to skip the security control entirely. Vendor-released patch: diffusers 0.38.0 (confirmed by GitHub advisory GHSA-98h9-4798-4q5v and PR #13448). No public exploit identified at time of analysis; exploitation requires user interaction (loading a model from an attacker-controlled source).
RCE
Code Injection
-
CVE-2026-44511
HIGH
CVSS 7.4
Session replay vulnerability in Katalyst Koi admin authentication allows attackers with previously captured session cookies to maintain administrative access after legitimate logout. The issue affects Koi versions prior to 4.20.0 and 5.0.0-5.5.x, stemming from inadequate session invalidation that violates Rails security best practices for CookieStore session replay prevention. While the CVSS score of 7.4 reflects network-based attack potential, the AC:H rating and prerequisite of cookie interception significantly reduce real-world exploitation probability. No evidence of active exploitation or public POC exists at time of analysis, and vendor-released patches are available for both affected version ranges.
Information Disclosure
-
CVE-2026-44504
HIGH
CVSS 8.6
Cross-tenant Insecure Direct Object Reference (IDOR) in Aegra 0.9.0-0.9.6 allows any authenticated user to execute graph runs against other users' threads, exfiltrate full checkpoint state including conversation histories, and inject malicious messages into victims' threads by supplying known thread UUIDs to POST /threads/{thread_id}/runs endpoints. Thread IDs leak through frontend URLs, server logs, and observability traces, eliminating need for enumeration. Vendor-released patch (v0.9.7) confirmed by GitHub advisory GHSA-m98r-6667-4wq7. No active exploitation or POC identified at time of analysis, though detailed reproducer exists in issue #336.
Authentication Bypass
Python
Checkpoint
-
CVE-2026-44503
HIGH
CVSS 7.0
Cross-host HTTP redirects in Microsoft Kiota HTTP client libraries leak session cookies, proxy credentials, and custom authentication headers to attacker-controlled domains. When Kiota's RedirectHandler middleware follows 3xx redirects to different hosts (e.g., trusted.example.com → evil.attacker.com), it strips the Authorization header but forwards Cookie, Proxy-Authorization, and all custom headers unchanged. Publicly available exploit code exists with a complete proof-of-concept demonstrating cookie exfiltration to malicious redirect targets. This affects all Kiota language implementations (Java, .NET, Python, TypeScript, Go) and downstream consumers including Microsoft Graph SDK for Java. The vulnerability requires user interaction to trigger the initial API request, but once triggered, credential leakage is automatic on cross-origin redirects (CVSS:4.0 AV:N/AC:L/AT:P/PR:N/UI:P). Vendor-released patches are available across all affected package ecosystems.
Python
Java
Open Redirect
Microsoft
-
CVE-2026-44471
HIGH
CVSS 7.8
Path traversal via symlink prefix reuse in gitoxide's gix-fs crate allows arbitrary code execution when cloning malicious repositories. Attackers can construct Git trees with duplicate symlink/directory entries that escape the worktree during checkout, writing controlled files to sensitive locations like .git/hooks or ~/.local/bin on Unix systems. Publicly available exploit code exists (PoC script provided in advisory). CVSS 7.8 reflects local attack vector with required user interaction (cloning the malicious repo), but real-world impact is high given code execution potential.
RCE
-
CVE-2026-44004
HIGH
CVSS 7.5
Denial-of-service in vm2 Node.js sandbox allows unauthenticated remote attackers to crash host processes via unbounded Buffer.alloc() calls. The vm2 library's timeout mechanism cannot interrupt synchronous C++ native calls, enabling attackers to bypass configured timeout limits and exhaust host heap memory with a single HTTP request. Version 3.11.0 patches this flaw by introducing bufferAllocLimit controls. Publicly available exploit code exists (GHSA-6785-pvv7-mvg7 includes working POC), and while EPSS data is unavailable and the vulnerability is not listed in CISA KEV, the vendor-confirmed POC demonstrates reliable exploitation against default configurations.
Denial Of Service
Docker
Kubernetes
Node.js
-
CVE-2026-44001
HIGH
CVSS 8.6
Remote unauthenticated attackers can crash Node.js processes running vm2 <= 3.10.5 by triggering an unhandled Promise rejection that terminates the host application. The vulnerability exploits an incomplete fix for CVE-2026-22709: while previous patches sanitized `.then()` and `.catch()` callback chains, they failed to intercept unhandled rejections originating from Promise constructor executors. Publicly available exploit code exists (GitHub advisory GHSA-hw58-p9xv-2mjh). The attack requires minimal resources (150-byte HTTP request) but achieves high impact by crashing entire server processes serving all concurrent users, with demonstrated persistent DoS despite container orchestration restart policies.
Denial Of Service
Docker
Kubernetes
Node.js
-
CVE-2026-43998
HIGH
CVSS 8.5
Remote code execution in vm2 NodeVM sandbox allows untrusted code to bypass `require.root` path restrictions and load arbitrary modules from outside the allowed root directory via symlink traversal. The vulnerability exploits a check/use path discrepancy: path validation uses `path.resolve()` which does not dereference symlinks, but module loading uses Node's native `require()` which does follow symlinks. Attackers with ability to submit code to the sandbox (the intended use case) can load host-realm modules like vm2 itself or child_process to achieve arbitrary command execution. Confirmed actively exploited (CISA KEV) with publicly available exploit code. Common in production environments using pnpm (where ALL node_modules are symlinks), npm workspaces, or npm link. Vendor-released patch: vm2 3.11.0.
RCE
Node.js
-
CVE-2026-43510
HIGH
CVSS 7.0
Privilege escalation in CISA's manage.get.gov 1.x allows organization administrators to assign domain manager privileges for domains outside their portfolio, including legacy domains not associated with any organization. The vulnerability enables cross-portfolio domain takeover scenarios where an authenticated admin can grant themselves or others unauthorized domain management access. Fixed in version 1.176.0 released April 30, 2026. No public exploit identified at time of analysis; EPSS risk assessment not available for this CVE.
Information Disclosure
-
CVE-2026-42594
HIGH
CVSS 7.5
Unauthenticated remote attackers crash Gotenberg 8.x (≤ 8.31.0) by triggering a race condition between webhook goroutine context reuse and Echo framework connection pooling. When webhook middleware spawns an async goroutine holding an `echo.Context` reference, the synchronous handler returns immediately, recycling the context to Echo's `sync.Pool`. Concurrent requests reset the pooled context, causing unchecked type assertions in the still-running webhook goroutine to panic outside any `recover()` scope, terminating the process with exit code 2. Twenty-four webhook requests plus sixty concurrent GET requests demonstrate reliable two-second crash windows. No patch was available at initial disclosure; upstream commit fixes the panic in version 8.32.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects trivial unauthenticated network exploitation producing complete service disruption.
Denial Of Service
Python
Docker
Kubernetes
Google
-
CVE-2026-42591
HIGH
CVSS 8.2
Server-Side Request Forgery in Gotenberg's LibreOffice conversion endpoint allows remote attackers to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Attackers upload specially crafted Office documents (DOCX, XLSX, PPTX) with embedded external URL references that LibreOffice fetches during PDF conversion, completely bypassing the SSRF protections introduced in v8.31.0. Publicly available exploit code exists with detailed proof-of-concept showing three successful HTTP requests to attacker-controlled servers. The vulnerability enables exfiltration of cloud IAM credentials from metadata services (169.254.169.254), internal service enumeration, and network reconnaissance without authentication. CVSS 8.2 with network vector and no privileges required reflects accurate real-world risk given documented exploitation method and lack of vendor-released patch.
Docker
Google
SSRF
OpenSSL
Microsoft
-
CVE-2026-42590
HIGH
CVSS 8.2
Remote attackers can manipulate server filesystem operations in Gotenberg v8 by bypassing ExifTool metadata blocklist using group-prefix syntax (e.g., 'File:FileName' instead of 'FileName'). The vulnerability allows unauthenticated file renaming, moving, symlink/hardlink creation, and permission modification on the server. This directly bypasses the previous fix for GHSA-qmwh-9m9c-h36m. Public exploit code exists with working PoC commands. In non-containerized deployments or those with mounted volumes, attackers can achieve arbitrary file read via symlink chaining and file overwrites. CVSS 8.2 (High) with network vector, low complexity, and no authentication required.
Authentication Bypass
-
CVE-2026-42587
HIGH
CVSS 7.5
Decompression bomb protection bypass in Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener allows remote unauthenticated attackers to trigger out-of-memory denial of service by switching Content-Encoding from gzip to brotli, zstd, or snappy. The configured maxAllocation parameter correctly limits gzip/deflate decompression but is silently ignored for these alternative encodings, enabling attackers to decompress gigabytes of data from kilobyte-sized payloads. Affects both HTTP/1.1 (netty-codec-http) and HTTP/2 (netty-codec-http2) implementations. CVSS 7.5 (High) with network vector, low complexity, and no authentication required. Vendor-released patches available: versions 4.1.133.Final and 4.2.13.Final. No active exploitation confirmed at time of analysis, but publicly disclosed proof-of-concept demonstrates trivial header-based bypass requiring only changing 'Content-Encoding: gzip' to 'Content-Encoding: br'.
Denial Of Service
Python
Java
Suse
-
CVE-2026-42584
HIGH
CVSS 7.3
HTTP response desynchronization in Netty's HttpClientCodec allows response body misattribution across pipelined requests when servers send 1xx informational responses. When a client pipelines GET and HEAD requests and the server responds with 103 Early Hints followed by 200 responses, the codec incorrectly pairs the HEAD request with the GET's 200 response, causing the GET response body to remain on the stream and corrupt subsequent response parsing. This enables request smuggling and information disclosure attacks. CVSS 7.3 with network-accessible, unauthenticated attack vector. Publicly available exploit code exists (PoC in GitHub advisory). EPSS data not provided, not listed in CISA KEV. Vendor-released patches available in Netty 4.1.133.Final and 4.2.13.Final.
Java
Information Disclosure
Request Smuggling
Suse
-
CVE-2026-42583
HIGH
CVSS 7.5
Memory exhaustion in Netty's Lz4FrameDecoder allows remote unauthenticated attackers to cause denial of service by sending minimal malicious data that triggers disproportionate server-side memory allocation. A 22-byte crafted LZ4 frame forces the decoder to allocate up to 32MB of heap memory per request, enabling resource exhaustion attacks against Java applications using Netty's compression codec. Publicly available exploit code exists (PoC published in GitHub advisory GHSA-mj4r-2hfc-f8p6). CVSS 7.5 indicates network-exploitable high-availability impact with no authentication or complexity barriers, though real-world risk depends on whether LZ4 decompression is exposed to untrusted network inputs.
Denial Of Service
Java
Suse
-
CVE-2026-42582
HIGH
CVSS 7.5
Memory exhaustion in Netty HTTP/3 codec allows remote attackers to cause server crash or denial of service through malformed QPACK headers. The vulnerability affects io.netty:netty-codec-http3 versions up to 4.2.12.Final and enables unauthenticated attackers to force gigabyte-scale memory allocations with minimal wire data: a crafted HEADERS frame of just 10 bytes can trigger ~1 GiB allocation. Publicly available exploit code exists (PoC provided in GitHub advisory GHSA-2c5c-chwr-9hqw). CVSS 7.5 (High) reflects network-accessible attack requiring no privileges or user interaction.
Denial Of Service
Java
Suse
-
CVE-2026-42579
HIGH
CVSS 7.5
Input validation failures in Netty's DNS codec enable DNS cache poisoning, domain validation bypass, and denial-of-service attacks through improper handling of RFC 1035 constraints. Both encoder and decoder in io.netty.handler.codec.dns.DnsCodecUtil accept malformed domain names: the encoder permits null bytes and overlength labels (>63 bytes) that create differential interpretation between Java and native DNS libraries, while the decoder allows unbounded memory allocation from oversized labels in malicious DNS responses. Remote unauthenticated attackers can exploit the decoder via network-reachable DNS servers; encoder exploitation requires user-controlled hostname input. Proof-of-concept code exists demonstrating null byte injection, label/pointer confusion, and memory exhaustion vectors. Fixed versions 4.2.13.Final and 4.1.133.Final enforce RFC 1035 size limits and reject null bytes.
Denial Of Service
Java
Suse
-
CVE-2026-42553
HIGH
CVSS 7.1
Matrix access token disclosure in the Cinny web client (versions before 4.10.3) lets a remote authenticated attacker who shares a room with a victim and can create room emotes (e.g., in a DM) exfiltrate the victim's bearer access token to an attacker-controlled server. The token is leaked when the victim opens the emoji or sticker picker in a room containing a malicious emote pack, because a crafted pack avatar URL is fetched with the user's Authorization header attached. No public exploit has been identified at time of analysis; it is not listed in CISA KEV, and no EPSS score was provided. The vendor rates it CVSS 4.0 7.1 (confidentiality-only impact).
Information Disclosure
-
CVE-2026-42501
HIGH
CVSS 7.5
The Go toolchain's module proxy validation can be bypassed by attackers controlling untrusted GOPROXY or GOSUMDB endpoints, allowing delivery of malicious toolchain versions that execute with developer privileges. When the go command downloads a different toolchain version (via GOTOOLCHAIN, go.mod, or go.work directives), a malicious proxy can serve altered toolchains by exploiting checksum database validation logic that incorrectly accepts empty responses. While EPSS indicates only 1% exploitation probability and CISA SSVC marks exploitation status as 'none', the total technical impact rating and network attack vector (AV:N) represent significant supply chain risk for organizations using non-default module proxies. Vendor patch available in Go 1.26.3 and 1.25.10.
Authentication Bypass
Jwt Attack
-
CVE-2026-42499
HIGH
CVSS 7.5
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Information Disclosure
-
CVE-2026-42459
HIGH
CVSS 7.7
Internal infrastructure disclosure in the free5GC UDM network function (Go package github.com/free5gc/udm, versions <= v1.4.2) lets unauthenticated remote attackers leak the internal address and API layout of the UDR. Six GET handlers in the nudm-sdm Subscriber Data Management service skip the validator.IsValidSupi() check, so a SUPI path parameter containing control characters (e.g. a NULL byte) propagates into the UDM-to-UDR URL, breaks Go's net/url parser, and is echoed back inside a 500 SYSTEM_FAILURE error detail. Publicly available exploit code exists (a curl-based PoC is published in the advisory and CVSS marks exploit maturity as Proof-of-Concept), but it is not listed in CISA KEV and no EPSS score was provided; impact is limited to confidentiality of infrastructure metadata that aids further intrusion rather than direct data theft or code execution.
Code Injection
-
CVE-2026-42284
HIGH
CVSS 8.1
Remote code execution in GitPython < 3.1.47 allows unauthenticated network attackers to inject malicious Git configuration during repository clone operations via crafted multi_options arguments. The _clone() method validates options before shlex.split transformation, enabling attackers to bypass unsafe option checks by embedding commands like '--config core.hooksPath=/attacker/path' within '--branch' strings. Git then executes attacker-controlled hooks during clone. Vendor-released patch available in version 3.1.47. CVSS 8.1 with high attack complexity; no EPSS or KEV data available, but public exploit code exists per GitHub security advisory GHSA-x2qx-6953-8485.
Python
Information Disclosure
Suse
-
CVE-2026-42239
HIGH
CVSS 8.1
Session hijacking via JavaScript-readable authentication cookies in Budibase versions prior to 3.35.10 allows any Cross-Site Scripting (XSS) vulnerability to escalate into full account takeover. The budibase:auth cookie containing the JWT session token is set with httpOnly: false, enabling JavaScript to read it via document.cookie. Combined with confirmed prior XSS vulnerabilities in Budibase (GHSA-gp5x-2v54-v2q5), attackers can exfiltrate session tokens and gain persistent access to victim accounts. The cookie also lacks secure and sameSite flags, exposing tokens over plaintext HTTP. No public exploit identified at time of analysis. EPSS data not available. Patch available in version 3.35.10.
XSS
-
CVE-2026-42225
HIGH
CVSS 8.2
Certificate validation bypass in PJSIP versions before 2.17 allows remote attackers to perform man-in-the-middle attacks against TLS connections when built with GnuTLS. Despite applications explicitly enabling certificate verification through verify_server or verify_client flags, the SIP TLS transport accepts connections with invalid or untrusted certificates, exposing SIP signaling to interception and manipulation. Vendor-released patch available in version 2.17 with GitHub commit ef684252. No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given the network attack vector and low complexity (CVSS:4.0 AV:N/AC:L/PR:N).
Information Disclosure
-
CVE-2026-42216
HIGH
CVSS 8.8
Out-of-bounds read in OpenEXR 3.0.0-3.4.10 allows remote attackers to trigger information disclosure and denial of service by sending malformed EXR image files containing manipulated prefix-compressed strings in IDManifest structures. The vulnerability bypasses bounds checking when reconstructing strings longer than 255 bytes, reading memory outside allocated buffers. EPSS data not available; no public exploit confirmed at time of analysis. Patches released in versions 3.2.9, 3.3.11, and 3.4.11.
Buffer Overflow
Information Disclosure
Suse
-
CVE-2026-42215
HIGH
CVSS 8.8
Command injection in GitPython 3.1.30-3.1.46 allows remote authenticated attackers to execute arbitrary commands via underscore-formatted kwargs that bypass unsafe option validation. Applications passing attacker-controlled kwargs to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() are vulnerable even when allow_unsafe_options=False (default). GitHub-confirmed exploit with vendor-released patch 3.1.47. CVSS 8.8 reflects network vector with low complexity and authenticated access; no EPSS/KEV data indicates exploitation not yet widespread beyond proof-of-concept demonstration.
Python
Command Injection
Suse
-
CVE-2026-42214
HIGH
CVSS 7.8
Command injection in Notepad Next versions prior to 0.14 allows arbitrary code execution when opening a specially crafted file. The detectLanguageFromExtension() function directly interpolates file extensions into a Lua script without sanitization, and because the full Lua standard libraries (os, io, package) are unconditionally loaded, an attacker can execute system commands by embedding Lua code in a malicious filename. Vendor-released patch available in version 0.14 (commit f3ca1b10). EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.
RCE
Code Injection
-
CVE-2026-42083
HIGH
CVSS 8.2
Authentication bypass in free5GC Policy Control Function (PCF) allows unauthenticated network attackers to access Session Management policy control APIs and exfiltrate subscriber identities (SUPI). The Npcf_SMPolicyControl service group omits RouterAuthorizationCheck middleware, permitting OAuth-less access to four policy management endpoints that should require service-to-service authentication. Publicly available exploit code exists. CVSS 8.2 reflects direct network access with no authentication barrier, high confidentiality impact from SUPI disclosure, and low integrity impact from unauthorized policy manipulation. No EPSS or KEV data available, but PoC in vendor advisory demonstrates trivial exploitation against default SBI deployments.
Authentication Bypass
Ubuntu
-
CVE-2026-42011
HIGH
CVSS 7.4
Certificate validation in GnuTLS can be bypassed when a certificate chain contains Certificate Authorities with only excluded name constraints followed by CAs with permitted name constraints. Remote attackers can exploit this flaw (CVSS 7.4, AV:N/AC:H) to present invalid certificates that pass validation, enabling man-in-the-middle attacks or service impersonation against TLS-protected communications. The vulnerability affects Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images. No public exploit or active exploitation confirmed at time of analysis, though the technical nature suggests targeted attacks against high-value certificate infrastructure are feasible.
Authentication Bypass
-
CVE-2026-42010
HIGH
CVSS 7.1
Authentication bypass in GnuTLS RSA-PSK implementations allows remote authenticated attackers to impersonate other users by submitting usernames containing embedded NUL characters, which are incorrectly truncated during comparison. The vulnerability enables lateral privilege escalation from one authenticated account to another, including potential administrator access, on servers using the uncommon RSA-PSK key exchange mode. CVSS 7.1 (High) reflects network accessibility with low complexity, though the attack requires initial low-privilege authentication (PR:L). EPSS data not available; no CISA KEV listing or public exploit code identified at time of analysis, suggesting exploitation is not yet widespread.
Authentication Bypass
-
CVE-2026-41906
HIGH
CVSS 7.1
Privilege escalation in FreeScout allows low-privileged agents to reassign conversations to customers in unauthorized mailboxes. The Change Customer modal enforces mailbox-scoped visibility on the frontend search endpoint, but the backend conversation_change_customer action lacks parallel authorization checks, accepting arbitrary customer_email parameters. An authenticated agent with access to mailbox A can forge requests to bind conversations to customers in mailbox B, bypassing tenant isolation controls. Vendor-released patch version 1.8.214 addresses this authorization bypass alongside four related customer visibility vulnerabilities disclosed concurrently (GHSA-mv55-3mgv-fxwr, GHSA-wjw4-8xg6-342m, GHSA-9ff4-mmhv-x6jp, GHSA-674v-r6xp-mvp6). No active exploitation confirmed (not in CISA KEV); CVSS 7.1 reflects network vector with low complexity but requires authenticated agent credentials.
Authentication Bypass
-
CVE-2026-41905
HIGH
CVSS 7.7
Server-Side Request Forgery (SSRF) in FreeScout allows authenticated users to access internal network resources and cloud metadata services via HTTP redirect bypass. The vulnerability in Helper::sanitizeRemoteUrl() re-validates the original URL instead of the final redirect destination, enabling attackers to bypass allowlist controls and reach RFC1918 private networks, cloud metadata APIs (169.254.169.254), and internal HTTP services. FreeScout versions prior to 1.8.217 are affected. Vendor-released patch version 1.8.217 is available. No public exploit code or CISA KEV listing identified at time of analysis, but SSRF vulnerabilities are frequently exploited in cloud environments for credential theft and lateral movement.
PHP
SSRF
-
CVE-2026-41904
HIGH
CVSS 7.6
Stored XSS in FreeScout's auto-reply feature allows authenticated users with updateAutoReply permission to inject malicious scripts that execute in customer email clients. Every customer contacting the affected mailbox receives the weaponized auto-reply email, where the payload executes without CSP protection in webmail or email client contexts. The vulnerability affects FreeScout versions prior to 1.8.217, which contains the vendor-released patch. EPSS data not provided; the absence of a CISA KEV listing indicates limited observed exploitation despite the chain-reaction impact potential.
XSS
-
CVE-2026-41688
HIGH
CVSS 7.7
DNS rebinding bypass in Wallos subscription tracker allows authenticated users to exfiltrate internal network data via SSRF on 10 of 11 HTTP endpoints. Wallos 4.8.4 and prior validate webhook URLs with gethostbyname() but fail to pin DNS resolution in cURL requests, creating a time-of-check-time-of-use race window. Attackers with low-privilege accounts can exploit this to probe internal services (databases, cloud metadata endpoints, admin panels) despite SSRF defenses. EPSS not yet available for this recent CVE. No vendor-released patch at time of analysis; upstream commit e87387f0 exists, but a tagged release version is not confirmed.
SSRF
-
CVE-2026-41653
HIGH
CVSS 7.0
Cross-site scripting in BentoPDF's Markdown to PDF Tool allows remote attackers to execute arbitrary JavaScript when users interact with malicious Markdown content. Affects all versions prior to 2.8.3. Vendor-released patch version 2.8.3 available with immediate upgrade recommended by maintainer. No public exploit identified at time of analysis, though vulnerability was responsibly disclosed by independent researcher. CVSS 7.0 with network attack vector but requires user interaction, reducing automation potential.
XSS
-
CVE-2026-41554
HIGH
CVSS 7.1
Reflected cross-site scripting in the Bricks Builder WordPress theme, versions 1.9.2 through 2.2, enables remote attackers to execute malicious JavaScript in victim browsers by crafting URLs with unsanitized input that is reflected into generated web pages without proper encoding. Exploitation requires victim interaction (clicking a malicious link) but no authentication, making phishing and social engineering viable delivery methods. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though the Patchstack disclosure suggests security researchers have demonstrated the vulnerability.
XSS
-
CVE-2026-41505
HIGH
CVSS 8.7
Predictable token generation in RELATE courseware allows remote attackers to forge authentication and exam access tokens. The vulnerability affects two critical security functions: make_sign_in_key() in auth.py (user authentication) and gen_ticket_code() in exam.py (exam access control). Weak pseudorandom number generation (CWE-338) enables attackers with high complexity to bypass authentication mechanisms and gain unauthorized access to exams with potential for integrity and availability compromise across security boundaries (CVSS scope change). Patched in commit 2f68e16. EPSS data not available; no public exploit identified at time of analysis.
Information Disclosure
-
CVE-2026-41490
HIGH
CVSS 8.3
SQL injection in Dagster orchestration platform allows authenticated users with 'Add Dynamic Partitions' permission to execute arbitrary SQL against DuckDB, Snowflake, BigQuery, and DeltaLake databases via crafted partition keys. Affected I/O managers interpolate dynamic partition values into WHERE clauses without sanitization, enabling attackers to read or modify data under the I/O manager's database credentials. Only deployments using dynamic partitions are vulnerable - static and time-window partitions are unaffected. Vendor-released patches are available (Dagster Core 1.13.1, libraries 0.29.1). No public exploit code identified at time of analysis, though exploitation is straightforward for authenticated users with the specific permission.
SQLi
-
CVE-2026-41143
HIGH
CVSS 8.8
Authenticated SQL injection in YesWiki bazar module allows low-privileged users to execute arbitrary SQL queries against the MySQL backend. The vulnerability exists in EntryManager.php line 704 where POST parameter 'id_fiche' is concatenated directly into a SELECT query without sanitization. Any authenticated user can exploit this via the /api/entries/{formId} endpoint to dump database contents, extract credentials, or manipulate data. Time-based blind SQLi confirmed via SLEEP() injection with 3-second delays, and error-based extraction confirmed via extractvalue() technique. Patched in version 4.6.1. EPSS data not available; no CISA KEV listing identified at time of analysis.
PHP
SQLi
-
CVE-2026-41142
HIGH
CVSS 8.8
Integer overflow in OpenEXR ImageChannel::resize function enables heap buffer overflow through crafted EXR files processed via the OpenEXRUtil public API. Affects OpenEXR versions 3.0.0-3.2.8, 3.3.0-3.3.10, and 3.4.0-3.4.10 from the Academy Software Foundation's motion picture image format library. Vendor-released patches in versions 3.2.9, 3.3.11, and 3.4.11 add overflow validation before pixel buffer allocation. CVSS 8.8 with network vector but requires user interaction (opening malicious file). No public exploit or active exploitation identified at time of analysis.
Buffer Overflow
Integer Overflow
Suse
-
CVE-2026-41139
HIGH
CVSS 8.8
Remote code execution in Math.js expression parser allows authenticated attackers to execute arbitrary JavaScript code in versions 13.1.0 through 15.1.x. The vulnerability stems from unsafe property access controls (CWE-915) that can be exploited via crafted mathematical expressions. Patched in version 15.2.0 with comprehensive property access validation (commit bcf0da4, PR #3656). No active exploitation confirmed by CISA KEV, but public patch code reveals exploitable attack surface involving prototype pollution or unsafe property traversal. CVSS 8.8 with network vector and low complexity indicates high real-world risk for applications exposing Math.js parsing to user input.
Information Disclosure
Node.js
Red Hat
-
CVE-2026-41105
HIGH
CVSS 8.1
Server-side request forgery in Azure Monitor Action Group Notification System allows authenticated attackers with low privileges to access internal Azure resources and escalate privileges over the network. Microsoft has released a patch addressing this SSRF vulnerability. The attack requires low complexity and no user interaction, enabling authenticated users to abuse the notification service to make unauthorized requests to internal services, potentially accessing high-value confidential data or performing privileged operations within the Azure environment.
SSRF
Microsoft
-
CVE-2026-41002
HIGH
CVSS 7.2
Time-of-check-time-of-use (TOCTOU) race condition in Spring Cloud Config Server's Git repository cloning mechanism allows local privileged attackers with high-privilege system access to potentially read or modify configuration data intended for other applications. Exploitation requires timing manipulation of the basedir filesystem path between validation and use, enabling symlink attacks or directory substitution. CVSS 7.2 reflects high attack complexity (AC:H) and privileged local access (AV:L/PR:H) requirements, but scope change (S:C) indicates impact beyond the vulnerable component. EPSS data not available; no public exploit identified at time of analysis.
Java
Information Disclosure
-
CVE-2026-40981
HIGH
CVSS 7.5
Remote unauthenticated attackers can access Google Secrets Manager credentials from unintended GCP projects via crafted requests to Spring Cloud Config servers using Google Secrets Manager as a backend. VMware confirmed this high-severity information disclosure vulnerability (CVSS 7.5) affecting all 3.1.x through 5.0.x versions. No CISA KEV listing or public exploit code identified at time of analysis, but the network-accessible attack vector with no authentication or user interaction required (AV:N/AC:L/PR:N/UI:N) indicates straightforward exploitation once attackers identify vulnerable Spring Cloud Config deployments with Google Secrets Manager integration.
Authentication Bypass
Java
Google
-
CVE-2026-40213
HIGH
CVSS 7.4
OpenStack Cyborg allows any authenticated user to reprogram FPGA bitstreams and execute privileged operations across arbitrary compute nodes due to an unconditional authorization bypass in multiple API endpoints. Versions before 16.0.1 use rule:allow as the default policy, permitting any valid Keystone token holder, even a user with zero role assignments, to perform administrative actions including FPGA reconfiguration via agent RPC. EPSS data not available, but the authorization bypass combined with scope change (CVSS S:C) and hardware manipulation capability represents significant risk in multi-tenant OpenStack deployments.
Authentication Bypass
-
CVE-2026-39836
HIGH
CVSS 7.5
The Dial and LookupPort functions panic on Windows when given an input containing a NUL (0x00) byte; any caller that can influence the address or port string can crash the process (denial of service).
Denial Of Service
Null Pointer Dereference
Microsoft
-
CVE-2026-39820
HIGH
CVSS 7.5
Denial of service in Go's standard library net/mail package allows remote unauthenticated attackers to exhaust CPU and memory via maliciously crafted email addresses or dates. The vulnerability affects the ParseAddress, ParseAddressList, and ParseDate functions in Go versions prior to 1.25.10 and 1.26.0 through 1.26.2. No active exploitation is confirmed (CISA KEV status not indicated; EPSS exploitation probability 0.02%). Vendor-released patches are available in Go 1.25.10 and 1.26.3.
Denial Of Service
-
CVE-2026-35435
HIGH
CVSS 8.6
Confidentiality breach in Azure AI Foundry M365 published agents enables remote unauthenticated attackers to access high-value data through improper access control (CWE-284). The vulnerability affects agents published through M365 integration, allowing privilege escalation over the network with no authentication required and low attack complexity (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). Microsoft has released a vendor patch per MSRC advisory. No active exploitation confirmed by CISA KEV, and EPSS data not available at time of analysis.
Authentication Bypass
Microsoft
-
CVE-2026-34327
HIGH
CVSS 8.2
Remote unauthenticated attackers can exploit a server-side request forgery (SSRF) vulnerability in Microsoft Partner Center to access internal resources and perform spoofing attacks. The vulnerability allows high-level information disclosure with limited integrity impact, requiring no user interaction or special privileges. Microsoft has released a security patch, and while CVSS rates this 8.2 (High), no active exploitation or public proof-of-concept has been identified at time of analysis.
Authentication Bypass
Microsoft
-
CVE-2026-33814
HIGH
CVSS 7.5
When processing HTTP/2 SETTINGS frames, the transport enters an infinite loop writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE value of 0. RFC 9113 (section 6.5.2) restricts SETTINGS_MAX_FRAME_SIZE to the range 2^14 through 2^24-1 and requires a receiver to treat any other value as a connection error of type PROTOCOL_ERROR, so the correct behaviour is to reject the frame and close the connection rather than adopt the value. A remote peer that can open a connection can trigger the loop and pin the affected endpoint (denial of service).
Denial Of Service
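A receiver-side check for the condition described above, added here as an example and not code from the affected transport (which the entry does not name): it decodes a SETTINGS frame and applies the RFC 9113 validations, so a SETTINGS_MAX_FRAME_SIZE of 0 is answered with PROTOCOL_ERROR instead of being adopted as the chunk size for later frames. The frame bytes are constructed inline, not captured traffic.

```python
import struct

# HTTP/2 frame type, flag and setting identifiers from RFC 9113 (sections 6.5 and 7).
FRAME_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_HEADER_TABLE_SIZE = 0x1
SETTINGS_ENABLE_PUSH = 0x2
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
SETTINGS_MAX_FRAME_SIZE = 0x5
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6

MIN_MAX_FRAME_SIZE = 1 << 14        # 16384, also the initial value
MAX_MAX_FRAME_SIZE = (1 << 24) - 1  # 16777215
MAX_WINDOW_SIZE = (1 << 31) - 1


class Http2Error(Exception):
    """Connection error; `code` is the RFC 9113 error code name to send in GOAWAY."""

    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code = code


def build_settings_frame(settings, ack=False):
    """Encode a SETTINGS frame: 24-bit length, type, flags, 31-bit stream id (0), 6-byte pairs."""
    payload = b"".join(struct.pack("!HI", sid, val) for sid, val in settings)
    flags = FLAG_ACK if ack else 0
    header = struct.pack("!I", len(payload))[1:] + bytes([FRAME_SETTINGS, flags]) + struct.pack("!I", 0)
    return header + payload


def parse_settings_frame(frame):
    """Decode a SETTINGS frame, applying every check a receiver must make before adopting a value."""
    if len(frame) < 9:
        raise Http2Error("FRAME_SIZE_ERROR", "short frame header")
    length = int.from_bytes(frame[:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    payload = frame[9:9 + length]
    if ftype != FRAME_SETTINGS:
        raise Http2Error("PROTOCOL_ERROR", "not a SETTINGS frame")
    if stream_id != 0:
        raise Http2Error("PROTOCOL_ERROR", "SETTINGS must use stream 0")
    if len(payload) != length:
        raise Http2Error("FRAME_SIZE_ERROR", "truncated payload")
    if flags & FLAG_ACK:
        if length != 0:
            raise Http2Error("FRAME_SIZE_ERROR", "SETTINGS ACK carries a payload")
        return {}
    if length % 6:
        raise Http2Error("FRAME_SIZE_ERROR", "payload length not a multiple of 6")
    settings = {}
    for off in range(0, length, 6):
        sid, val = struct.unpack("!HI", payload[off:off + 6])
        if sid == SETTINGS_ENABLE_PUSH and val not in (0, 1):
            raise Http2Error("PROTOCOL_ERROR", "ENABLE_PUSH must be 0 or 1")
        if sid == SETTINGS_INITIAL_WINDOW_SIZE and val > MAX_WINDOW_SIZE:
            raise Http2Error("FLOW_CONTROL_ERROR", "INITIAL_WINDOW_SIZE above 2^31-1")
        if sid == SETTINGS_MAX_FRAME_SIZE and not MIN_MAX_FRAME_SIZE <= val <= MAX_MAX_FRAME_SIZE:
            # The advisory's case: a writer that chunks header blocks into pieces of the
            # peer's MAX_FRAME_SIZE makes no progress with a 0-byte chunk, hence the loop.
            raise Http2Error("PROTOCOL_ERROR", f"MAX_FRAME_SIZE {val} outside 2^14..2^24-1")
        settings[sid] = val  # unknown identifiers are kept but must be ignored by the caller
    return settings


def settings_error(frame):
    """The error code a receiver would send for this frame, or None if it is acceptable."""
    try:
        parse_settings_frame(frame)
        return None
    except Http2Error as err:
        return err.code


if __name__ == "__main__":
    hostile = build_settings_frame([(SETTINGS_MAX_FRAME_SIZE, 0)])   # constructed, not captured
    print(settings_error(hostile))                                    # PROTOCOL_ERROR
    print(parse_settings_frame(build_settings_frame([(SETTINGS_MAX_FRAME_SIZE, 16384)])))
```

The point of the ordering is that validation happens on receipt, before the value is stored in the connection state that the frame writer later reads; clamping at write time would also work but leaves the bad value in the state for every other consumer.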
-
CVE-2026-33811
HIGH
CVSS 7.5
Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing maliciously crafted CNAME DNS responses. Remote attackers can trigger double-free of C memory in the cgo DNS resolver's LookupCNAME function by sending excessively long CNAME records, causing immediate denial of service. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity despite network-accessible attack vector and no authentication requirement. Vendor patch available via Go 1.25.10 and 1.26.3.
Denial Of Service
Suse
-
CVE-2026-33589
HIGH
CVSS 8.2
Path traversal in Open Notebook v1.8.3's file upload functionality allows attackers with local access, and no authentication, to read arbitrary files from the Docker container filesystem. The vulnerability stems from insufficient input validation, enabling attackers to bypass directory restrictions and access sensitive container files including configuration data, environment variables, and application secrets. CVSS 8.2 (High severity) reflects substantial confidentiality impact across system and container scopes, though no public exploit code or active exploitation has been identified at time of analysis.
Docker
Path Traversal
File Upload
-
CVE-2026-33588
HIGH
CVSS 7.0
Path traversal in Open Notebook v1.8.3's file upload allows arbitrary file creation or modification within the Docker container filesystem. Attackers with local access can write files outside intended directories, enabling container escape scenarios, configuration tampering, or privilege escalation by overwriting critical system files. No public exploit identified at time of analysis, but the vulnerability affects default configurations where file upload is accessible.
Docker
Path Traversal
File Upload
-
CVE-2026-33111
HIGH
CVSS 7.5
Remote unauthenticated command injection in Microsoft's Copilot Chat for Edge browser enables information disclosure via crafted network requests. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates attackers can exploit this remotely without authentication or user interaction, though impact is limited to confidentiality (C:H/I:N/A:N). Microsoft has released a patch per MSRC advisory. No active exploitation confirmed by CISA KEV at time of analysis, though the low attack complexity and lack of authentication requirements make this readily exploitable once technical details emerge.
Command Injection
Microsoft
-
CVE-2026-32207
HIGH
CVSS 8.8
Cross-site scripting (XSS) in Azure Machine Learning enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted input, achieving complete session compromise including credential theft, workspace manipulation, and model poisoning. Attacker requires no authentication but must convince a user to interact with a malicious link or input. Microsoft has released patches per MSRC advisory. CVSS 8.8 severity reflects the high impact across confidentiality, integrity, and availability once user interaction occurs. No evidence of active exploitation (not in CISA KEV) and EPSS data not provided.
XSS
Microsoft
-
CVE-2026-30495
HIGH
CVSS 8.8
Unauthenticated remote root access on Optoma CinemaX P2 smart projectors allows network attackers to execute arbitrary code with full system privileges. The device ships with ADB enabled on TCP 5555 without authentication (ro.adb.secure=0) and contains an unrestricted su binary, enabling complete device compromise including WiFi credential theft, malware installation, and data exfiltration. EPSS score (0.02%, 6th percentile) indicates low widespread exploitation probability, though SSVC framework assesses total technical impact. No public exploit code or active exploitation confirmed at time of analysis.
Authentication Bypass
Google
N A
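A fleet check for the condition described above, added here as an example and not code from Optoma or the Android project: with ro.adb.secure=0 the daemon answers a client's CNXN hello with CNXN straight back, whereas a secured daemon answers with an AUTH token challenge and only completes the connection once the host key is accepted on the device. The script builds the hello, parses the daemon's first message using the documented ADB header layout, and classifies it. The replies below are constructed stand-ins, not captured device traffic; the host identity string is made up for the example.

```python
import socket
import struct

# ADB wire format: 24-byte little-endian header (command, arg0, arg1, data_length, data_check,
# magic) followed by data_length payload bytes; magic is command XOR 0xFFFFFFFF.
A_CNXN = 0x4E584E43      # b"CNXN"
A_AUTH = 0x48545541      # b"AUTH"
AUTH_TOKEN = 1           # arg0 of the daemon's AUTH challenge
ADB_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HEADER = struct.Struct("<IIIIII")


def _checksum(data):
    """Legacy data_check is the byte sum of the payload; newer stacks may send 0 and skip it."""
    return sum(data) & 0xFFFFFFFF


def build_message(command, arg0, arg1, data=b""):
    return HEADER.pack(command, arg0, arg1, len(data), _checksum(data), command ^ 0xFFFFFFFF) + data


def build_cnxn_request():
    """Client hello a scanner sends first. The identity string is a constructed value."""
    return build_message(A_CNXN, ADB_VERSION, MAX_PAYLOAD, b"host::adb-audit\x00")


def parse_message(buf):
    if len(buf) < HEADER.size:
        raise ValueError("short ADB header")
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(buf)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic: not an ADB message")
    data = buf[HEADER.size:HEADER.size + length]
    if len(data) != length:
        raise ValueError("truncated payload")
    if check and check != _checksum(data):
        raise ValueError("payload checksum mismatch")
    return {"command": command, "arg0": arg0, "arg1": arg1, "data": data}


def classify_reply(buf):
    """First daemon message after our CNXN: CNXN back means no authentication (ro.adb.secure=0);
    an AUTH token challenge means a host key must be accepted on the device first."""
    msg = parse_message(buf)
    if msg["command"] == A_CNXN:
        return "open"
    if msg["command"] == A_AUTH and msg["arg0"] == AUTH_TOKEN:
        return "auth-required"
    return "unknown"


def device_banner(buf):
    """Properties from a CNXN payload such as 'device::ro.product.name=x;ro.product.model=y;'."""
    text = parse_message(buf)["data"].rstrip(b"\x00").decode("ascii", "replace")
    props = text.split("::", 1)[1] if "::" in text else ""
    return dict(item.split("=", 1) for item in props.split(";") if "=" in item)


def probe(host, port=5555, timeout=3.0):
    """Live check (opens a network connection; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn_request())
        return classify_reply(sock.recv(HEADER.size + MAX_PAYLOAD))


# Constructed replies standing in for captured traffic:
OPEN_REPLY = build_message(A_CNXN, ADB_VERSION, MAX_PAYLOAD,
                           b"device::ro.product.name=projector;ro.product.model=demo;\x00")
AUTH_REPLY = build_message(A_AUTH, AUTH_TOKEN, 0, b"\x00" * 20)
```

An "open" result on a device you own is the condition to remediate (disable network ADB or enforce authentication); the banner properties identify the model without needing any further command. Run probe() only against hosts you are authorised to test.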
-
CVE-2026-28201
HIGH
CVSS 8.7
Cross-site request forgery (CSRF) in Open Notebook v1.8.1 enables remote attackers to manipulate or delete database entries through social engineering attacks. The vulnerability combines input validation flaws (CWE-20) with overly permissive default CORS settings, allowing malicious sites to send authenticated requests on behalf of legitimate users. Attackers craft malicious URLs that, when clicked by authenticated users, execute unauthorized database operations including data modification, deletion, and potential exfiltration depending on deployment configuration. No public exploit code or active exploitation confirmed at time of analysis.
Information Disclosure
-
CVE-2026-27891
HIGH
CVSS 7.2
Remote code execution in FacturaScripts ≤2025.71 allows authenticated administrators to upload malicious ZIP files containing path traversal sequences (Zip Slip attack) through the plugin installation mechanism. The vulnerable Plugins::add() function fails to sanitize file paths within ZIP archives, enabling attackers to write arbitrary PHP files outside the plugins directory and execute system commands. A public proof-of-concept exists demonstrating full system compromise. CVSS scores this at 7.2 (High) but requires high-privilege authentication (PR:H), significantly limiting real-world attack surface to scenarios involving compromised admin credentials or malicious insiders.
PHP
RCE
Path Traversal
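The two Open Notebook path traversal entries above and this Zip Slip entry share one root cause: a user-controlled name is joined onto a trusted base directory and the result is used before anyone checks where it actually ended up. The example below is added here and is not FacturaScripts' or Open Notebook's code; it shows a safe join that checks the resolved path against the resolved base, and a ZIP extractor built on it that validates every member name before writing anything. The archives are constructed in memory.

```python
import io
import os
import tempfile
import zipfile


class PathTraversal(ValueError):
    pass


def safe_join(base, user_path):
    """Join, resolve, then check: the resolved result must stay inside the resolved base.
    Screening the raw input for '..' or a leading slash is the insufficient check the
    advisories describe; the test here is on the final, normalized path."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:            # different drives on Windows
        inside = False
    if not inside:
        raise PathTraversal(f"{user_path!r} escapes {base}")
    return candidate


def safe_extract(zip_bytes, dest):
    """Extract an archive, refusing any member that would land outside dest (Zip Slip).
    All member names are validated before anything is written, so a hostile archive
    cannot leave a half-installed plugin behind."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or os.path.splitdrive(name)[0] or name.startswith("\\"):
                raise PathTraversal(f"absolute member name {name!r}")
            planned.append((info, safe_join(dest_real, name)))   # raises on ../ escapes
        written = []
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_real))
    return written


def extract_to_tempdir(zip_bytes):
    """Extract into a fresh temporary directory; returns (directory, files written)."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    return dest, safe_extract(zip_bytes, dest)


def files_under(directory):
    return sorted(os.path.relpath(os.path.join(root, name), directory)
                  for root, _, names in os.walk(directory) for name in names)


def make_zip(entries):
    """Constructed archive for the example: entries maps member name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    dest, written = extract_to_tempdir(make_zip({"plugin/plugin.json": b"{}"}))
    print(dest, written)
    try:
        extract_to_tempdir(make_zip({"../../outside.php": b"<?php"}))
    except PathTraversal as err:
        print("rejected:", err)
```

For tar archives the same check has to run on link targets as well as names, since a symlink member followed by a file written through it is the other classic way out of the destination directory.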
-
CVE-2026-26164
HIGH
CVSS 7.5
Injection vulnerability in Microsoft 365 Copilot's Business Chat enables remote unauthenticated attackers to extract sensitive information through specially crafted inputs. Microsoft has released a patch addressing this CWE-74 injection flaw. With CVSS 7.5 (High), network-accessible attack vector, and no authentication required, this represents a significant exposure for organizations using Copilot Business Chat, though no active exploitation is confirmed at time of analysis.
Information Disclosure
-
CVE-2026-26129
HIGH
CVSS 7.5
Remote unauthenticated attackers can disclose sensitive information from Microsoft 365 Copilot's Business Chat through improper input neutralization (CVSS 7.5). The vulnerability allows network-based exploitation with low complexity and no user interaction required. Vendor-released patch available via Microsoft Security Response Center (MSRC-2026-26129). No public exploit identified at time of analysis, though the low attack complexity (AC:L) and lack of authentication requirements (PR:N) increase realistic exploitation risk.
Information Disclosure
-
CVE-2026-25705
HIGH
CVSS 8.4
Path traversal in Rancher's UI Extensions mechanism allows authenticated administrators to write arbitrary files to the Rancher server filesystem, potentially overwriting binaries, tampering with cluster state in /var/lib/rancher/, or compromising the host node if hostPath volumes are mounted. This affects Rancher versions 2.10.11 through 2.14.0. While exploitation requires high privileges (administrator access by default) and user interaction to install a malicious extension, the changed scope (S:C) in CVSS 3.1 indicates potential container escape or cross-component impact. Vendor-released patches are available across all affected release branches (2.11.13, 2.12.9, 2.13.5, 2.14.1). No public exploit identified at time of analysis, though the attack technique (CAPEC-126 path traversal) is well-documented.
Path Traversal
Suse
-
CVE-2026-8093
HIGH
CVSS 8.1
Multiple memory corruption vulnerabilities in Firefox 150.0.1 enable potential remote code execution through memory safety flaws in the browser engine. Mozilla's advisory references 10 distinct bugs showing evidence of memory corruption which, with sufficient effort, could be exploited to run arbitrary code. Firefox 150.0.2 addresses these vulnerabilities. Note the score discrepancy: the 8.1 above and a separately published 7.5 (network-exploitable, no authentication required) whose vector records only availability impact, contradicting the RCE assessment in Mozilla's advisory. SSVC framework confirms no active exploitation and partial technical impact.
RCE
Buffer Overflow
Mozilla
-
CVE-2026-8092
HIGH
CVSS 8.1
Multiple memory corruption vulnerabilities in Mozilla Firefox allow remote code execution through browser rendering engine flaws. Firefox ESR 115.35.1, Firefox ESR 140.10.1, and Firefox 150.0.1 contain memory safety bugs with evidence of memory corruption that could enable arbitrary code execution. Fixed versions are available (Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2). EPSS score of 0.01% indicates very low exploitation probability in the wild, and SSVC framework shows no confirmed exploitation and non-automatable attacks. Despite high CVSS 8.1, real-world exploitation requires significant complexity (AC:H), reducing immediate risk for most environments.
RCE
Buffer Overflow
Information Disclosure
Mozilla
-
CVE-2026-8090
HIGH
CVSS 7.3
Use-after-free memory corruption in Firefox's DOM Networking component enables remote attackers to achieve unauthorized information disclosure, data manipulation, and service disruption without authentication or user interaction. Affects Firefox mainline and both Extended Support Release (ESR) branches. Mozilla shipped patches in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2. SSVC analysis indicates no confirmed exploitation but the vulnerability is fully automatable with partial technical impact across confidentiality, integrity, and availability. EPSS data not available but the network attack vector (AV:N) with no prerequisites (AC:L/PR:N/UI:N) presents significant exposure for unpatched installations.
Information Disclosure
Use After Free
Memory Corruption
Red Hat
Mozilla
-
CVE-2026-8063
HIGH
CVSS 7.1
MongoDB Server 8.2 before version 8.2.7 crashes when an authenticated user supplies an empty pipeline to $rankFusion or $scoreFusion aggregation operators on a view. The server fails to validate that the pipeline array is non-empty before accessing its first element during view resolution, resulting in a null pointer dereference that terminates the mongod process. This denial-of-service condition requires database authentication but can be triggered remotely via aggregation queries.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-8034
HIGH
CVSS 7.9
Server-side request forgery in GitHub Enterprise Server's notebook viewer enables remote unauthenticated attackers to access internal services and systems through URL parser confusion. The vulnerability exploits discrepancies between validation and request execution parsers, allowing crafted URLs to bypass hostname checks and target unintended internal hosts. All versions prior to 3.21 are affected, with patches available across supported release branches (3.16.18, 3.17.15, 3.18.9, 3.19.6, 3.20.2). CVSS 7.9 reflects high impact to subsequent system confidentiality, integrity, and availability. No active exploitation confirmed (not in CISA KEV); reported through GitHub Bug Bounty program.
SSRF
-
CVE-2026-7413
HIGH
CVSS 7.2
Undocumented persistent backdoor in Yarbo firmware v2.3.9 grants remote privileged access that survives factory reset and firmware updates. The backdoor requires high-privilege authentication (CVSS PR:H) but provides complete system control once accessed. No public exploit identified at time of analysis, though GitHub repository reference suggests technical disclosure exists. CVSS 7.2 reflects the high-privilege requirement, but persistence across resets and undocumented nature indicate significant supply chain or insider threat risk.
Information Disclosure
-
CVE-2026-7252
HIGH
CVSS 8.1
Arbitrary file deletion in WP-Optimize plugin versions ≤4.5.2 allows authenticated attackers with Author-level privileges to delete critical server files including wp-config.php, enabling remote code execution. The vulnerability exploits insufficient path validation in the unscheduled_original_file_deletion function combined with the non-protected 'original-file' meta key that Authors can manipulate via WordPress's Edit Media form or REST API. Wordfence discovered this CWE-22 path traversal flaw affecting the popular WordPress optimization plugin used on hundreds of thousands of sites.
PHP
WordPress
RCE
Path Traversal
-
CVE-2026-6735
HIGH
CVSS 7.3
Cross-site scripting (XSS) vulnerability in PHP 8.2.x (prior to 8.2.31) allows network-based attackers to inject malicious scripts that execute in victim browsers, compromising session tokens and potentially escalating to account takeover. Vendor-released patch (PHP 8.2.31) addresses this along with seven additional CVEs in a coordinated security release. CVSS 7.3 HIGH with user interaction required; exploitation status classified as POC-available per CVSS 4.0 vector (E:P), though public exploit code not independently verified at time of analysis.
PHP
XSS
Microsoft
Red Hat
Suse
-
CVE-2026-6692
HIGH
CVSS 8.8
Remote code execution in Slider Revolution for WordPress versions 7.0.0 through 7.0.10 allows authenticated attackers with subscriber-level privileges to upload executable files via insufficient file type validation in '_get_media_url' and '_check_file_path' functions. A partial patch in 7.0.10 was insufficient, requiring upgrade to 7.0.11 for complete remediation. With CVSS 8.8 (High) and low privilege requirements (subscriber accounts are commonly available or easily created), this represents significant risk for WordPress installations using affected versions, though no active exploitation has been confirmed via CISA KEV at time of analysis.
WordPress
RCE
File Upload
-
CVE-2026-6002
HIGH
CVSS 8.8
Cross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers, leading to session hijacking, credential theft, and malicious actions performed under the victim's identity. The CVSS score of 8.8 (High) reflects the broad impact (confidentiality, integrity, and availability all rated High), though user interaction is required. Disclosed via TR-CERT; no CISA KEV listing or public exploit code identified at time of analysis.
XSS
-
CVE-2026-5784
HIGH
CVSS 8.8
Stored cross-site scripting in DivvyDrive 4.8.2.9 through 4.8.3.1 enables remote attackers to inject malicious scripts that execute in victim browsers with high integrity impact (CVSS 8.8). The vulnerability requires user interaction but no authentication, allowing attackers to compromise confidentiality, integrity, and availability of user sessions. Reported by TR-CERT with vendor patch released in version 4.8.3.2. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.
XSS
-
CVE-2026-4348
HIGH
CVSS 7.5
Unauthenticated SQL injection in BetterDocs Pro for WordPress allows remote attackers to extract sensitive database contents when the Encyclopedia feature is enabled. The vulnerability affects all versions up to 3.7.0 through unsanitized 'limit' parameters in two AJAX endpoints. With CVSS 7.5 (High severity) and network-based unauthenticated attack vector, this presents significant risk to sites using the Encyclopedia feature, though no active exploitation (KEV) or public POC has been identified at time of analysis. EPSS data not available for risk calibration.
WordPress
SQLi
-
CVE-2026-3953
HIGH
CVSS 8.8
Cross-site scripting in Gosoft Proticaret E-Commerce v5.0.0 through v6.0.1767.1383 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted HTTP requests. Despite the 8.8 CVSS score indicating complete compromise (High C/I/A), the CVSS vector reveals this is a reflected XSS requiring user interaction (UI:R), not a stored or blind XSS. The vulnerability is unscoped (S:U), meaning impact is confined to the vulnerable application. No active exploitation confirmed via CISA KEV and no public exploit code identified at time of analysis. TR-CERT advisory available with remediation guidance.
XSS
-
CVE-2025-68060
HIGH
CVSS 7.6
SQL injection in Team Member WordPress plugin versions up to 8.5 allows authenticated administrators to extract database contents via blind SQL injection. Reported by Patchstack, this vulnerability requires high-level privileges (PR:H) but enables cross-scope confidentiality breach (S:C), allowing attackers to read sensitive data beyond their normal authorization boundaries. EPSS data and KEV status not provided; no public exploit code confirmed at time of analysis.
SQLi
-
CVE-2025-65122
HIGH
CVSS 7.5
Regular expression denial of service (ReDoS) in youtube-regex npm package versions ≤1.0.5 allows remote unauthenticated attackers to cause service-level availability degradation through network-delivered crafted inputs. Attackers can trigger catastrophic backtracking in the regex parser, causing CPU exhaustion and application hang. SSVC framework confirms proof-of-concept code exists with automatable exploitation capability. While CVSS rates this high severity (7.5) for availability impact, real-world risk depends on whether the vulnerable package processes untrusted user input in production environments.
Denial Of Service
Node.js
-
CVE-2025-63705
HIGH
CVSS 8.8
Command injection in node-ts-ocr 1.0.15 enables authenticated attackers to execute arbitrary operating system commands through the invokeImageOcr function. The vulnerability requires low-complexity exploitation with no user interaction, allowing complete compromise of confidentiality, integrity, and availability on affected systems. Public proof-of-concept code exists (GitHub Gist), though EPSS assessment indicates 0.04% probability of active exploitation within 30 days and the vulnerability is not listed in CISA KEV, suggesting targeted rather than widespread exploitation risk.
Command Injection
Node.js
N A
-
CVE-2025-14341
HIGH
CVSS 8.3
Remote attackers can cause excessive resource allocation and flooding attacks in DivvyDrive 4.8.2.19 through 4.8.3.1 by exploiting uncontrolled object attribute modification combined with absent resource throttling. The vulnerability permits low confidentiality impact but high integrity and availability compromise when a user interacts with attacker-controlled content. TR-CERT has issued an advisory, though no CISA KEV listing or public exploit code has been identified at time of analysis. EPSS data not available to assess exploitation probability.
Information Disclosure
-
CVE-2025-9661
HIGH
CVSS 8.1
Remote command injection in Hitachi Virtual Storage Platform One Block versions 23, 24, 26, and 28 allows unauthenticated attackers to execute arbitrary OS commands through the management GUI maintenance utility. The vulnerability affects the DKCMAIN and ESM components prior to versions A3-04-21-40/00 and A3-04-21/00 respectively. With CVSS 8.1 (High) and network attack vector, this represents significant risk to enterprise storage infrastructure, though AC:H indicates exploitation requires specialized conditions. No active exploitation confirmed (not in CISA KEV) and EPSS data not available at time of analysis.
Command Injection
-
CVE-2025-1978
HIGH
CVSS 8.3
Remote code execution in Hitachi Virtual Storage Platform G, F, E, and One Block series allows unauthenticated network attackers to execute arbitrary code on storage controllers and maintenance consoles. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C, score 8.3) rates confidentiality, integrity, and availability impact as Low on the vulnerable component but with changed scope, which is what lifts the score despite the low per-metric impact. The vulnerability affects the Storage Navigator interface and maintenance console across multiple VSP product lines spanning enterprise and mid-range storage arrays. EPSS data not available; no evidence of active exploitation or public POC at time of analysis. Vendor-released patches available, with specific firmware versions required for each product family.
RCE
Code Injection
-
CVE-2026-44662
MEDIUM
CVSS 5.1
Heap buffer overflow in rust-openssl's AES key-wrap-with-padding cipher functions allows attackers to write up to 7 bytes past allocated buffer boundaries when processing non-multiple-of-8 plaintext inputs, enabling attacker-controlled heap corruption. Affected versions 0.10.0 through 0.10.78 are vulnerable when CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, or symm::Crypter::update are used with EVP_aes_128/192/256_wrap_pad ciphers.
Buffer Overflow
Heap Overflow
OpenSSL
-
CVE-2026-44661
MEDIUM
CVSS 4.7
Server-Side Request Forgery in utcp-http allows remote attackers to access internal cloud metadata endpoints and firewalled services by hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint that declares internal server URLs, which are then blindly trusted during tool invocation without revalidation. The vulnerability affects utcp-http versions 1.1.1 and earlier, where `call_tool()` and `call_tool_streaming()` reuse previously resolved URLs from OpenAPI specs without re-checking security constraints, combined with a string-prefix bypass (`localhost.evil.com` bypassing `startswith` checks). This is a blind SSRF that exposes cloud metadata (AWS/GCP credentials from 169.254.169.254), internal services like Elasticsearch and Redis, and enables exfiltration via LLM responses when combined with prompt injection. No public exploit code or active exploitation is currently identified, but the vulnerability requires only network-level access and user interaction (convincing an LLM agent to register a malicious tool).
Google
SSRF
Redis
Elastic
-
CVE-2026-44544
MEDIUM
CVSS 4.9
Policy rollback vulnerability in gittuf versions up to 0.13.1 allows attackers with push access to the Reference State Log (RSL) to downgrade repository policies to previously signed versions, bypassing security controls. An attacker cannot roll back to policies that would be unsigned by the current root keys, but can selectively choose any valid prior policy state. Vendor-released patch: gittuf v0.14.0 introduces monotonically increasing version numbers to all policy metadata to prevent rollback attacks.
Authentication Bypass
Gitlab
-
CVE-2026-44520
MEDIUM
CVSS 5.7
Server-Side Request Forgery in docling-graph versions up to 1.5.0 allows authenticated attackers with user interaction to bypass IP validation and reach private, loopback, and cloud metadata endpoints by supplying arbitrary URLs to the URLInputHandler class or via the --source CLI argument. The vulnerability combines missing internal IP address validation with unrestricted HTTP redirects (allow_redirects=True), enabling theft of cloud IAM credentials and access to internal services on 127.0.0.1, 10.x, 172.16.x, 192.168.x, and 169.254.169.254 address ranges. Vendor-released patch: v1.5.1.
SSRF
Open Redirect
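The utcp-http entry above names a prefix comparison that `localhost.evil.com` slips past, and this docling-graph entry adds unrestricted redirect following; the GitHub Enterprise Server entry earlier is the third variant, where the parser that validates differs from the one that fetches. The example below is added here and is not code from any of those projects. It models the weak prefix check (an assumed shape; utcp-http's exact check is not on the page), then the check a practitioner wants: parse once, vet the exact hostname, resolve it and vet every address, and repeat on every redirect hop. The resolver and the HEAD function are injected with constructed tables so it runs offline; 8.8.8.8 stands in for "some public address".

```python
import ipaddress
from urllib.parse import urljoin, urlsplit


class SsrfBlocked(ValueError):
    pass


def prefix_match(host, trusted):
    """Weak comparison modelled on the advisory: a prefix test, so an attacker-registered
    'localhost.evil.com' counts as 'localhost'."""
    return host.startswith(trusted)


def exact_match(host, trusted):
    return host.lower().rstrip(".") == trusted.lower().rstrip(".")


def address_is_internal(ip):
    """True for anything a server-side fetch must never reach: loopback, RFC 1918,
    link-local (which covers 169.254.169.254), CGNAT, reserved, unspecified, multicast."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped           # ::ffff:10.0.0.1 is 10.0.0.1
    return not addr.is_global or addr.is_multicast


def vet_target(url, resolve):
    """Parse strictly, then resolve the hostname and vet every address it maps to.
    resolve(hostname) -> list of IP strings is injected so this runs offline; in production
    connect to the address returned here rather than resolving again (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SsrfBlocked(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise SsrfBlocked("userinfo in URL")   # http://trusted.example@10.0.0.1/ confusion
    host = parts.hostname
    if not host:
        raise SsrfBlocked("no host")
    try:
        ipaddress.ip_address(host)
        addrs = [host]                     # literal IP: nothing to resolve
    except ValueError:
        addrs = resolve(host) or []
    if not addrs:
        raise SsrfBlocked(f"{host} does not resolve")
    for ip in addrs:
        if address_is_internal(ip):
            raise SsrfBlocked(f"{host} maps to internal address {ip}")
    return host, addrs[0]


def fetch_checked(url, resolve, head, max_hops=5):
    """Follow redirects by hand so vet_target runs on every hop. A client that follows
    redirects automatically skips this, which is how a vetted public URL ends up at
    169.254.169.254. head(url) -> (status, Location or None) is injected for the example."""
    hops = []
    for _ in range(max_hops):
        vet_target(url, resolve)
        hops.append(url)
        status, location = head(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, hops
        url = urljoin(url, location)
    raise SsrfBlocked("too many redirects")
```

Note that the check is on resolved addresses, not hostnames: a denylist of names can always be sidestepped with a name the attacker controls, while a server URL taken from a remote OpenAPI document has to be vetted at call time, not only when the document was first registered.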
-
CVE-2026-44514
MEDIUM
CVSS 6.5
Kubetail Dashboard prior to version 0.14.0 fails to validate the Origin header on WebSocket connection upgrades, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks. An authenticated user visiting a malicious web page can unknowingly stream their Kubernetes container logs, including credentials, tokens, and PII often present in logs, to an attacker-controlled server. The vulnerability affects both desktop deployments at localhost:7500 and cluster deployments behind HTTP basic auth, with browser ambient credentials automatically attached to the WebSocket handshake.
Information Disclosure
Docker
Kubernetes
Google
Microsoft
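The check the entry says is missing, as an added example rather than Kubetail's code: a WebSocket handshake gate that compares the browser-supplied Origin, normalised, against the origins the dashboard is actually served from. The allowlist values below (the desktop address from the entry and a made-up cluster hostname) are assumptions for the example.

```python
from urllib.parse import urlsplit


def normalize_origin(value):
    """Canonical 'scheme://host[:port]' (lower-case host, default port dropped) so the
    comparison is exact; returns None for anything that is not a web origin."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    default = 80 if parts.scheme == "http" else 443
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def websocket_upgrade_allowed(headers, allowed_origins, allow_missing_origin=False):
    """Gate an 'Upgrade: websocket' request on its Origin header. Browsers always send Origin
    on WebSocket handshakes and a cross-site page cannot alter it, so an exact match against
    the dashboard's own origins defeats CSWSH. A missing Origin means a non-browser client,
    which CSWSH cannot drive; accepting it is a deployment choice (default: reject).
    Returns (allowed, reason)."""
    h = {name.lower(): value for name, value in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    origin = h.get("origin")
    if origin is None:
        return allow_missing_origin, "no Origin header"
    if origin == "null":
        return False, "opaque origin (sandboxed iframe, file:, or redirect)"
    normalized = normalize_origin(origin)
    if normalized is None:
        return False, "unparsable Origin"
    allowed = {normalize_origin(a) for a in allowed_origins} - {None}
    if normalized not in allowed:
        return False, f"origin {normalized} not in allowlist"
    return True, "ok"


# Assumed deployment origins for the example: the desktop address and a cluster ingress name.
ALLOWED_ORIGINS = ["http://localhost:7500", "https://kubetail.cluster.example"]
```

The allowlist must come from configuration (the URL the dashboard is deployed at), not from the request's Host header, and the same check belongs on any CORS preflight the API serves.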
-
CVE-2026-44500
MEDIUM
CVSS 5.3
Allocation amplification in Zebra network deserializers allows unauthenticated remote peers to force excessive memory preallocation and parsing overhead across multiple message types (headers, blocks, transactions) by exploiting the use of generic transport/block-size ceilings instead of protocol-specific limits. An attacker can trigger 8.8x oversized header allocations, unbounded equihash solution parsing, and inflated Sapling spend vector allocations on inbound peer messages, causing denial of service through cumulative per-connection and multi-peer fan-in effects. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible, unauthenticated exploitation of default configurations; no public exploit identified at time of analysis, but vendor-released patch available in Zebra 4.4.0.
Denial Of Service
Deserialization
-
CVE-2026-44479
MEDIUM
CVSS 5.5
Vercel CLI leaks authentication tokens in JSON output when running in non-interactive mode with credentials passed via command-line arguments. Affected versions 50.16.0 through 52.0.0 expose plaintext tokens in suggested follow-up commands when operations cannot complete autonomously, allowing token capture in CI/CD logs and automation transcripts. Information disclosure risk is elevated in automated deployment pipelines where CLI output is logged.
Information Disclosure
-
CVE-2026-44426
MEDIUM
CVSS 6.5
ShellHub Community v0.24.1 and earlier allows authenticated API Key holders to enumerate any tenant namespace and retrieve sensitive membership data (user IDs, emails, roles), settings, and device counts via GET /api/namespaces/:tenant due to a bypassed authorization check. The vulnerability exploits API Key authentication flows that fail to set the user ID header, causing the membership verification to be skipped entirely. Publicly available proof-of-concept code demonstrates validated exploitation against v0.24.1, with complete disclosure of cross-tenant namespace configuration including member lists suitable for targeted phishing campaigns.
Authentication Bypass
-
CVE-2026-44407
MEDIUM
CVSS 4.7
Local denial-of-service vulnerability in ZTE Cloud PC client uSmartview allows authenticated local attackers to trigger memory corruption and crash the application through use of an externally-controlled format string (CWE-134). CVSS 4.7 with local attack vector and high complexity indicates limited real-world exploitability; no public exploit identified at time of analysis.
Buffer Overflow
Denial Of Service
Zte
-
CVE-2026-44406
MEDIUM
CVSS 5.7
DLL hijacking in ZTE Cloud PC client uSmartView allows unauthenticated local attackers to achieve arbitrary code execution and privilege escalation by planting a malicious DLL that is loaded by uSmartViewServiceAgent.exe running with SYSTEM privileges. The vulnerability requires local access but no authentication and affects multiple ZXCloud IRAI product versions. No public exploit code or active exploitation has been confirmed at this time.
Privilege Escalation
RCE
Buffer Overflow
Zte
-
CVE-2026-44312
MEDIUM
CVSS 5.8
CSS Parser gem disables HTTPS certificate validation by setting OpenSSL::SSL::VERIFY_NONE, allowing man-in-the-middle attackers to inject or modify CSS content loaded via HTTPS. Any application using CSS Parser versions prior to 2.1.0 to fetch external stylesheets over HTTPS can be exploited by network-positioned attackers without authentication. A proof-of-concept using mitmproxy or Burp Suite demonstrates practical exploitation; CVSS 5.8 reflects the network attack vector and integrity impact, but real-world risk depends on whether the application loads stylesheets from untrusted or attacker-controllable URLs and whether the attacker can intercept network traffic.
OpenSSL
Code Injection
Suse
-
CVE-2026-44308
MEDIUM
CVSS 6.3
Spring Cloud AWS SNS HTTP/HTTPS endpoint handlers (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) in versions 3.0.0-3.4.2, 4.0.0, and 4.0.1 fail to verify the cryptographic signature of incoming SNS messages, allowing unauthenticated attackers who know the endpoint URL to send forged SNS notifications, subscription confirmations, or unsubscribe requests. This enables attackers to trigger arbitrary message processing, auto-confirm malicious topic subscriptions, or force unsubscription from legitimate topics. Fixed in Spring Cloud AWS 4.0.2 with signature verification enabled by default; 3.x line receives no patch and must use workarounds.
Java
Information Disclosure
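What verification of an inbound SNS message involves, as an added example (not Spring Cloud AWS code; the 4.0.2 implementation is not on the page) for the 3.x deployments the entry says must use workarounds. The string-to-sign field order and the `sns.<region>.amazonaws.com` certificate-host rule follow AWS's published message format; the RSA verification itself and the certificate fetch are injected callables, since the standard library has no RSA and a real deployment would use a library such as `cryptography` for it. The message below is constructed and its signature is a placeholder.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Certificate host pattern AWS documents: sns.<region>.amazonaws.com (or .com.cn).
SIGNING_CERT_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$", re.IGNORECASE)

# Fields that enter the string-to-sign, in this order, each as "Name\nValue\n".
_SIGNED_FIELDS = {
    "Notification": ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"),
    "SubscriptionConfirmation": ("Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"),
    "UnsubscribeConfirmation": ("Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"),
}


class SnsRejected(ValueError):
    pass


def signing_cert_url_is_trusted(url):
    """Only fetch certificates over HTTPS from an SNS host; otherwise the sender supplies the
    certificate that 'verifies' their own forgery, and the fetch itself becomes an SSRF."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname) and SIGNING_CERT_HOST.match(parts.hostname) is not None


def string_to_sign(msg):
    fields = _SIGNED_FIELDS.get(msg.get("Type"))
    if fields is None:
        raise SnsRejected(f"unknown Type {msg.get('Type')!r}")
    out = []
    for name in fields:
        if name == "Subject" and name not in msg:
            continue                       # Subject is optional on Notifications
        if name not in msg:
            raise SnsRejected(f"missing field {name}")
        out.append(f"{name}\n{msg[name]}\n")
    return "".join(out)


def digest_for(msg):
    version = msg.get("SignatureVersion")
    if version == "1":
        return "sha1"                      # SHA1withRSA
    if version == "2":
        return "sha256"                    # SHA256withRSA
    raise SnsRejected(f"unsupported SignatureVersion {version!r}")


def verify_sns_message(msg, fetch_cert, rsa_verify, expected_topic_arn=None):
    """fetch_cert(url) -> PEM bytes and rsa_verify(cert_pem, digest, data, signature) -> bool
    are supplied by the caller. Everything that can be checked without them is checked first,
    and nothing (not SubscribeURL, not Message) is acted on before this returns."""
    cert_url = msg.get("SigningCertURL", "")
    if not signing_cert_url_is_trusted(cert_url):
        raise SnsRejected(f"untrusted SigningCertURL {cert_url!r}")
    if expected_topic_arn is not None and msg.get("TopicArn") != expected_topic_arn:
        raise SnsRejected("TopicArn is not the topic this endpoint subscribes to")
    try:
        signature = base64.b64decode(msg.get("Signature", ""), validate=True)
    except (binascii.Error, ValueError) as err:
        raise SnsRejected("Signature is not base64") from err
    data = string_to_sign(msg).encode("utf-8")
    if not rsa_verify(fetch_cert(cert_url), digest_for(msg), data, signature):
        raise SnsRejected("signature does not verify")
    return True


# Constructed message; the Signature value is a placeholder, not a real SNS signature.
SAMPLE = {
    "Type": "Notification",
    "MessageId": "11111111-2222-3333-4444-555555555555",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:orders",
    "Message": "hello",
    "Timestamp": "2026-01-01T00:00:00.000Z",
    "SignatureVersion": "1",
    "Signature": "c2ln",
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem",
}
```

Two further points for the 3.x workaround: cache certificates by URL so a flood of messages cannot turn the verifier into a fetch amplifier, and treat a SubscriptionConfirmation as unverified until both the signature and the TopicArn match, since auto-confirming is exactly how an attacker attaches your endpoint to their topic.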
-
CVE-2026-44264
MEDIUM
CVSS 4.3
Cross-site scripting (XSS) via improper Markdown attribute sanitization in Weblate allows authenticated users to inject malicious HTML attributes through crafted Markdown in user comments and other user-provided content. The vulnerability affects Weblate versions prior to 5.17.1 and can be exploited by any authenticated user with the ability to submit Markdown content; however, the application's strict Content Security Policy (CSP) significantly mitigates actual exploitation risk. Vendor-released patch version 5.17.1 is available.
XSS
Suse
-
CVE-2026-44263
MEDIUM
CVSS 4.3
Weblate versions before 5.17.1 allow authenticated users to enumerate translations in projects they cannot access via the screenshots, tasks, and component link API endpoints. An attacker with valid credentials but no project access can probe these APIs to discover the existence and metadata of private translations, leading to information disclosure of project structure and language coverage that should remain hidden. The vulnerability requires authentication but has a low attack complexity, affecting confidentiality only without enabling further compromise.
Information Disclosure
Suse
-
CVE-2026-44248
MEDIUM
CVSS 5.3
Resource exhaustion in Netty's MqttDecoder allows remote unauthenticated attackers to cause denial of service via crafted MQTT 5 messages with oversized header Properties sections. The vulnerability occurs because property parsing happens before message size limits are enforced, and ReplayingDecoder repeatedly re-parses and buffers the malformed data, consuming CPU and memory until the parser completes or the connection is closed. CVSS score of 5.3 reflects low-to-medium severity with availability impact only; no active exploitation confirmed at time of analysis.
Denial Of Service
Suse
-
CVE-2026-44216
MEDIUM
CVSS 5.9
Wasmtime's on-demand instance allocator panics when attempting to allocate a WebAssembly table with an extremely large size, triggering arithmetic overflow in checked allocation logic. This denial-of-service condition is exploitable only when the memory64 WebAssembly proposal is enabled (default configuration) and affects versions 30.0.0 through 36.0.7, 37.0.0 through 43.0.1, and unpatched 44.x versions. No public exploit code or active exploitation has been identified; vendor-released patches are available in versions 36.0.8, 43.0.2, and 44.0.1.
Denial Of Service
Red Hat
Suse
-
CVE-2026-44003
MEDIUM
CVSS 5.3
Security control bypass in vm2 sandbox allows direct access to internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable by exploiting a performance optimization in the code transformer that skips AST analysis when code lacks catch, import, or async keywords. Affected versions <= 3.10.5 expose internal security functions (handleException, wrapWith, import) and enable with-statement scope manipulation, creating a latent attack surface for future sandbox escapes. All applications using vm2 to execute untrusted code are affected; exploitation requires no special configuration or authentication.
Information Disclosure
Node.js
-
CVE-2026-44002
MEDIUM
CVSS 5.8
Information disclosure in vm2 allows sandboxed code to extract host absolute file paths, library locations, and internal function names via stack trace inspection, enabling attackers to map the host server's directory structure and architecture without authentication or user interaction. The vulnerability affects all versions up to 3.10.5 and is triggered through either default error.stack formatting or custom Error.prepareStackTrace handlers; vendor-released patch available in version 3.11.0.
Information Disclosure
Node.js
-
CVE-2026-44000
MEDIUM
CVSS 6.5
Host object identity crosses the vm2 sandbox boundary when Promise resolution delivers objects to sandbox callbacks, allowing sandboxed code to mutate host objects and perform identity checks via WeakMap. The vulnerability stems from Promise.prototype.then wrapping that uses ensureThis() for conversion instead of stronger cross-realm proxying; when no prototype mapping exists, ensureThis() returns the original host object unmodified. This sandbox escape affects vm2 versions up to 3.10.5 and is fixed in 3.11.0.
Information Disclosure
Oracle
-
CVE-2026-42879
MEDIUM
CVSS 6.3
Remote code execution in FacturaScripts through authenticated file upload allows attackers with valid credentials to bypass MIME type validation by prepending GIF89a magic bytes to PHP files, resulting in executable files stored in a web-accessible directory. An attacker can upload a malicious PHP file disguised as a GIF image via the product image upload functionality, then directly execute arbitrary commands on the server. The vulnerability affects versions 2025.81 and earlier; publicly available proof-of-concept code exists demonstrating end-to-end exploitation.
PHP
RCE
CSRF
Code Injection
File Upload
-
CVE-2026-42878
MEDIUM
CVSS 5.3
Unauthenticated information disclosure in FacturaScripts allows remote attackers to trigger phpinfo() output on fresh deployments via /?phpinfo=TRUE, exposing full PHP configuration, environment variables (including database credentials and API keys), filesystem paths, and loaded extensions. The vulnerability affects all versions with the Installer controller enabled and no patch has been released as of April 2026; publicly available proof-of-concept code exists demonstrating exploitation against PHP 8.1.34.
PHP
Information Disclosure
Path Traversal
Apple
-
CVE-2026-42877
MEDIUM
CVSS 5.4
Stored XSS in FacturaScripts product search modal allows authenticated warehouse users to inject malicious JavaScript via product reference field, which executes in the browser of any user opening the search modal in sales or purchase documents. An attacker with warehouse write access can escalate privileges by executing arbitrary authenticated requests in an administrator's session, including creation of new admin accounts, without requiring the admin's password. The vulnerability exploits improper output encoding combined with HTML parser re-interpretation during innerHTML assignment.
PHP
XSS
Privilege Escalation
-
CVE-2026-42597
MEDIUM
CVSS 5.9
Gotenberg versions 8.31.0 and earlier allow unauthenticated remote attackers to enumerate and read arbitrary files under /tmp/ via the /forms/chromium/convert/url and /forms/chromium/screenshot/url endpoints using file:// scheme URLs. An attacker can discover in-flight conversion request directories and exfiltrate source files (HTML, Markdown, Office documents, staged PDFs) from other users' concurrent conversion requests by timing attacks to coincide with long-running conversion operations. The vulnerability exploits a logic flaw where the URL routes fail to set per-request scope guards that HTML/Markdown routes correctly apply, causing file:// access control enforcement to silently skip for URL-based conversions.
RCE
Python
Docker
Google
Microsoft
-
CVE-2026-42593
MEDIUM
CVSS 5.3
Arbitrary PDF file read vulnerability in Gotenberg versions up to 8.31.0 allows unauthenticated remote attackers to extract PDF content via path traversal in stampExpression and watermarkExpression parameters on six conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown). The vulnerability exists because these routes accept user-controlled file paths without validation when stamp or watermark source is set to PDF, unlike the dedicated stamp/watermark routes which enforce file upload requirements. An attacker can read any PDF accessible to the Gotenberg process by specifying its filesystem path, gaining access to potentially sensitive documents in containerized deployments or systems with mounted directories.
Python
Docker
Path Traversal
Google
Microsoft
-
CVE-2026-42592
MEDIUM
CVSS 5.3
DNS rebinding vulnerability in Gotenberg allows unauthenticated remote attackers to bypass SSRF protections and access internal services via Chromium URL conversion routes. When a URL is submitted for PDF conversion, Gotenberg validates the resolved IP address against a deny-list but discards the pinned result. Chromium then performs independent DNS resolution multiple times, creating a race condition where an attacker controlling DNS can return a public IP during validation and a private IP during connection, allowing access to loopback services, cloud metadata endpoints, or internal networks. Exploitation succeeds approximately 10% per attempt with trivial automation.
Python
Information Disclosure
Docker
Google
-
CVE-2026-42586
MEDIUM
CVSS 6.8
CRLF injection in Netty's RedisEncoder allows remote command injection and response poisoning by injecting carriage return and line feed characters into InlineCommandRedisMessage, SimpleStringRedisMessage, and ErrorRedisMessage objects. Attackers can inject arbitrary Redis commands (such as CONFIG SET, FLUSHALL, or authentication bypass) or forge fake responses when user-controlled input is placed into these message types without sanitization. The vulnerability affects Netty 4.2.12.Final and all prior versions with the codec-redis module; no active exploitation has been reported in CISA KEV, but publicly available proof-of-concept code demonstrates the vulnerability.
Authentication Bypass
Java
Command Injection
Redis
Suse
-
CVE-2026-42585
MEDIUM
CVSS 6.5
HTTP request smuggling in Netty's HttpRequestDecoder allows remote unauthenticated attackers to inject arbitrary HTTP requests by sending malformed Transfer-Encoding headers (specifically 'Transfer-Encoding: chunked, identity'). When Netty is deployed behind a proxy that forwards such requests without rejection, an attacker can smuggle a second request inside the body of the first, bypassing security controls and accessing unintended resources. The vulnerability is confirmed by public proof-of-concept code demonstrating successful parsing of injected requests.
RCE
Java
Request Smuggling
Suse
-
CVE-2026-42581
MEDIUM
CVSS 5.8
HTTP request smuggling in Netty's HttpObjectDecoder allows remote attackers to bypass Content-Length sanitization for HTTP/1.0 requests carrying both Transfer-Encoding: chunked and Content-Length headers. Netty strips the conflicting Content-Length only for HTTP/1.1, leaving it intact for HTTP/1.0, causing downstream proxies that prioritize Content-Length to misinterpret message boundaries and process attacker-injected payloads as separate requests. Confirmed actively exploited (CISA KEV not indicated, but reproducible POC provided). Affects Netty 4.2.0–4.2.12 and 4.1.0–4.1.132.
Authentication Bypass
Java
Nginx
Request Smuggling
Suse
-
CVE-2026-42580
MEDIUM
CVSS 6.5
HTTP request smuggling in Netty's chunk size parser allows remote unauthenticated attackers to inject arbitrary HTTP requests by exploiting integer overflow in the hexadecimal chunk size parsing logic. The HttpObjectDecoder.getChunkSize method accumulates the chunk size without proper overflow validation, enabling an attacker to craft a malicious chunk size header that wraps around to a valid size, causing Netty to misinterpret the request boundary and parse injected requests as separate legitimate requests. Publicly available proof-of-concept demonstrates successful parsing of an injected GET request within a chunked POST body, with CVSS score 6.5 (network-accessible, low complexity, no authentication required).
RCE
Java
Red Hat
Request Smuggling
Suse
-
CVE-2026-42328
MEDIUM
CVSS 6.2
Denial of service in go-ipld-prime's DAG-CBOR and DAG-JSON decoders via unbounded recursion depth allows remote attackers to exhaust goroutine stack memory by sending deeply nested collection payloads, causing the Go runtime to terminate with a fatal stack overflow. A ~2 MB DAG-CBOR payload with 2 million nested arrays reliably triggers the condition. Affected versions before 0.23.0 have no depth limit; the existing allocation budget cannot prevent stack exhaustion because each nested header consumes only a few budget units.
RCE
-
CVE-2026-42259
MEDIUM
CVSS 5.1
Open redirect in Saltcorn's post-login destination parameter validation allows attackers to redirect authenticated users to attacker-controlled domains via backslash bypass. Versions prior to 1.4.6, 1.5.6, and 1.6.0-beta.5 are vulnerable because the is_relative_url() function only blocks ':/' and '//' but fails to account for WHATWG URL parsing, which normalizes backslashes to forward slashes in special schemes. An attacker can craft a malicious login URL with a dest parameter like /\evil.com/path that bypasses validation, passes through the Location header unencoded, and causes the victim's browser to navigate cross-origin after successful authentication. This requires user interaction (clicking a crafted link) but no special configuration and affects default installations.
Open Redirect
-
CVE-2026-42241
MEDIUM
CVSS 5.3
Stack overflow in ParquetSharp versions 18.1.0 through 23.0.0.0 allows remote unauthenticated attackers to cause denial of service by supplying a maliciously crafted Parquet file with a decimal column declaring an unreasonably large width, triggering unbounded stack allocation in the DecimalConverter.ReadDecimal method. This impacts network services that parse untrusted Parquet files. The vulnerability has been patched in version 23.0.0.1.
Buffer Overflow
Apache
-
CVE-2026-42217
MEDIUM
CVSS 6.3
OpenEXR versions 3.0.0-3.2.8, 3.3.0-3.3.10, and 3.4.0-3.4.10 suffer from unbounded shift operations in the readVariableLengthInteger() function when parsing variable-length integers from untrusted EXR files. Attackers can craft malicious EXR files with excessive continuation bytes to trigger left shifts exceeding 64 bits on a 64-bit integer, causing undefined behavior that may lead to information disclosure or denial of service. The vulnerability is remotely exploitable without authentication or user interaction against any application processing untrusted EXR input; no public exploit code has been identified at the time of analysis.
Information Disclosure
Integer Overflow
Red Hat
Suse
-
CVE-2026-42081
MEDIUM
CVSS 6.1
Free5GC Access and Mobility Management Function (AMF) v4.2.1 and earlier fails to verify UE Security Capabilities in NGAP PathSwitchRequest messages, allowing a malicious gNB to overwrite the AMF's stored security algorithm preferences with arbitrary values. These corrupted capabilities are then propagated in PathSwitchRequestAcknowledge and subsequent HandoverRequest messages, causing all inter-gNB handovers for affected UEs to fail due to algorithm mismatches. This results in persistent handover denial-of-service until UE re-registration. The vulnerability is directly contrary to 3GPP TS 33.501 §6.7.3.1 verification requirements and has been demonstrated with a public proof-of-concept using Free5GC v4.2.1 and UERANSIM.
Information Disclosure
Docker
-
CVE-2026-41929
MEDIUM
CVSS 5.1
Unauthenticated reflected cross-site scripting (XSS) in Vvveb before 1.0.8.2 allows remote attackers to execute arbitrary JavaScript in the context of the Vvveb origin by manipulating the r query parameter and _component_ajax POST parameter in the visual editor preview renderer. The vulnerability exploits the absence of session, role, or token verification in the isEditor() gating function combined with unsanitized injection of POST body content, requiring only user interaction to trigger but affecting all versions prior to 1.0.8.2. Active exploitation status is not confirmed, but a vendor-released patch is available.
XSS
-
CVE-2026-41928
MEDIUM
CVSS 6.9
Vvveb before 1.0.8.2 exposes the application's secret cron key through an unauthenticated cron controller endpoint, allowing remote attackers to retrieve this sensitive credential and trigger scheduled tasks outside their intended execution windows. The vulnerability affects all deployments with the vulnerable cron controller accessible over the network, with CVSS 5.3 reflecting confidentiality impact from information disclosure without authentication requirements.
Information Disclosure
-
CVE-2026-41903
MEDIUM
CVSS 5.4
FreeScout versions prior to 1.8.217 allow authenticated users with PERM_EDIT_USERS permission to read and modify notification subscriptions of any other user, including administrators, via a single POST request. This authorization bypass enables attackers to silently disable admin notifications, suppressing security alerts and conversation assignments without detection. The vulnerability is a sibling of CVE-2025-48472, indicating incomplete patching of a related code path.
Authentication Bypass
-
CVE-2026-41692
MEDIUM
CVSS 4.7
DOM-based cross-site scripting (XSS) in i18nextify versions prior to 4.0.8 allows remote attackers to execute arbitrary JavaScript by injecting malicious URL schemes (javascript:, data:, vbscript:, file:) into translated href and src attribute values. An attacker who can compromise the translation backend, CDN, or intercept unencrypted traffic can inject payloads that execute with the origin's privileges when users interact with the affected links or embedded content. The vulnerability requires user interaction (clicking a link or loading a page with a malicious src) but affects any website using i18nextify with untrusted translation sources.
XSS
-
CVE-2026-41691
MEDIUM
CVSS 6.5
Path traversal and URL injection in i18next-http-backend prior to version 3.0.5 allows remote attackers to manipulate request URLs by injecting unsanitized language (lng) and namespace (ns) parameters, potentially leading to server-side request forgery (SSRF), path-based authorization bypass, or arbitrary file reads in SSR deployments. The vulnerability affects all applications using the library with user-controlled language selection via query parameters, cookies, localStorage, or request headers (the default configuration). Vendor-released patch: version 3.0.5.
Path Traversal
-
CVE-2026-41689
MEDIUM
CVSS 6.0
Wallos versions 4.8.4 and prior allow authenticated users to bypass webhook URL restrictions and send server-side requests to administrator-allowlisted internal targets by reusing the global allowlist for individual user webhooks. This enables Server-Side Request Forgery (SSRF) to internal automation services that may expose deployment or execution APIs, potentially leading to remote code execution on downstream systems. No public exploit code identified at time of analysis, and no vendor-released patch is available.
Authentication Bypass
-
CVE-2026-41687
MEDIUM
CVSS 4.3
Blind SSRF via CGNAT address bypass in Wallos prior to version 4.8.1 allows authenticated users to probe internal services on Carrier-Grade NAT networks (100.64.0.0/10) through logo/icon URL fetching in subscription and payment endpoints. The vulnerability stems from incomplete IP range validation that fails to block RFC 6598 CGNAT addresses, enabling reconnaissance of services in Tailscale, dual-stack carrier environments, and internal infrastructure. CVSS 4.3 reflects limited confidentiality impact and the authentication requirement; fixed in version 4.8.1.
PHP
SSRF
-
CVE-2026-41413
MEDIUM
CVSS 5.0
Istio versions prior to 1.28.6 and 1.29.2 allow authenticated attackers to perform Server-Side Request Forgery (SSRF) attacks via RequestAuthentication resources with malicious jwksUri values pointing to internal services, enabling istiod to fetch sensitive data from localhost or link-local IPs and distribute it to Envoy proxies through xDS configuration. The vulnerability requires an authenticated user to create or modify a RequestAuthentication resource, limiting the attack surface to cluster administrators or users with API access. A partial mitigation was released in earlier versions (1.29.1, 1.28.5, 1.27.8) but was incomplete; the complete fix is in versions 1.28.6 and 1.29.2.
Information Disclosure
SSRF
-
CVE-2026-41004
MEDIUM
CVSS 4.4
Spring Cloud Config Server exposes sensitive information in plaintext logs when trace logging is enabled, allowing high-privilege local users to access configuration data including credentials and API keys. The vulnerability affects versions 3.1.0-3.1.13, 4.1.0-4.1.9, 4.2.0-4.2.6, 4.3.0-4.3.2, and 5.0.0-5.0.2. No public exploit identified at time of analysis; vendor-released patches are available for all affected version lines.
Java
Information Disclosure
-
CVE-2026-40610
MEDIUM
CVSS 5.5
BentoML's `bentoml build` command dereferences symlinks within the build context and copies their target file contents into the generated Bento artifact, allowing attackers to exfiltrate sensitive files from the build host. An attacker who controls a repository or build context can place symlinks pointing to sensitive local files (credentials, SSH keys, API tokens), and when a developer or CI system runs `bentoml build`, the referenced file contents are packaged into the Bento, which may then be exported, pushed, or containerized, spreading the leaked data. Publicly available exploit code demonstrates successful extraction of files outside the build directory. Affected versions through BentoML 1.4.38; patch released in 1.4.39.
Python
Path Traversal
-
CVE-2026-40214
MEDIUM
CVSS 6.3
OpenStack Cyborg before 16.0.1 fails to enforce project ownership in the Accelerator Request (ARQ) API, allowing any authenticated non-admin user to delete, modify, or access ARQs bound to other projects' instances across tenant boundaries. The vulnerability stems from a combination of unpopulated project_id columns, missing database-layer filtering, and self-referential authorization checks, enabling cross-tenant denial of service and potential information disclosure. EPSS risk is moderate (6.3 CVSS), and the vulnerability requires valid authentication but no special privileges or interaction, making it exploitable by any tenant user in multi-tenant OpenStack deployments.
Denial Of Service
-
CVE-2026-40004
MEDIUM
CVSS 5.5
ZTE Cloud PC client uSmartview contains an OpenSSL configuration file privilege escalation vulnerability (CVE-2026-40004) that allows authenticated local attackers with user-level privileges to execute arbitrary code and escalate to higher privilege levels through a malicious openssl.cnf file. This requires physical access or local system access combined with user interaction, and affects ZTE's virtualized desktop infrastructure product. The CVSS score of 5.5 reflects the physical attack vector and additional user interaction requirement, despite the severity of code execution and cross-system scope impact.
Privilege Escalation
RCE
OpenSSL
Zte
-
CVE-2026-40003
MEDIUM
CVSS 5.1
Arbitrary memory writes via USB in ZTE ZX297520V3 BootROM allow physical attackers with USB access to bypass Secure Boot signature verification and achieve unauthorized code execution by exploiting missing target address validation in USB download mode. The vulnerability requires physical device access and user interaction (device boot into download mode), resulting in a CVSS score of 5.1, but enables complete bypass of cryptographic security mechanisms and Secure Boot protections.
RCE
Buffer Overflow
Memory Corruption
Zte
-
CVE-2026-39826
MEDIUM
CVSS 6.1
Go's html/template library incorrectly escapes data passed into <script> tags when the tag contains an empty or whitespace-only 'type' attribute, allowing a trusted template author to inadvertently expose sensitive information to client-side scripts. Affects html/template versions prior to 1.26.3 and 1.25.10. CVSS 6.1 with user interaction required; EPSS 0.01% indicates minimal real-world exploitation likelihood despite moderate base score.
Information Disclosure
-
CVE-2026-39825
MEDIUM
CVSS 5.3
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReversePro...
Information Disclosure
-
CVE-2026-39823
MEDIUM
CVSS 6.1
Cross-site scripting (XSS) vulnerability in Go's html/template library allows attackers to bypass URL escaping in meta tag content attributes by inserting ASCII whitespaces around the equals sign, enabling injection of malicious scripts into web applications. Affects Go 1.25.x before 1.25.10 and 1.26.x before 1.26.3. This is a regression from CVE-2026-27142 where the fix was incomplete, and exploitation requires user interaction (UI:R) but operates across security boundaries (S:C).
XSS
-
CVE-2026-39819
MEDIUM
CVSS 5.3
The Go toolchain's 'go bug' command creates temporary files with predictable names in the system temporary directory, allowing local attackers with temporary directory access to create symlinks that cause arbitrary file overwrite. Affects Go 1.26.0 through 1.26.2 and 1.25.0 through 1.25.9. While CVSS 5.3 and EPSS 0.01% suggest moderate local impact, the vulnerability enables information disclosure and integrity compromise of arbitrary files via symlink redirection, confirmed patched in Go 1.26.3 and 1.25.10.
Information Disclosure
-
CVE-2026-39817
MEDIUM
CVSS 5.9
The Go toolchain's 'go tool pack' subcommand fails to sanitize output filenames when extracting archive files, allowing local attackers with user privileges and user interaction to write files to arbitrary filesystem locations. Affected versions include Go 1.26.0 through 1.26.2 and all versions before 1.25.10. This vulnerability requires local access and user interaction to trigger, with a vendor-released patch available.
Buffer Overflow
Memory Corruption
-
CVE-2026-36388
MEDIUM
CVSS 5.4
Stored Cross-Site Scripting in PHPGurukul Hospital Management System v4.0 allows authenticated patients to inject malicious scripts via the User Name parameter on the edit-profile.php page, with the payload later executed in the doctor's interface. The vulnerability requires user interaction (doctor viewing the profile) and affects confidentiality and integrity with limited scope. No public exploit code or active exploitation has been confirmed at analysis time.
PHP
XSS
-
CVE-2026-36387
MEDIUM
CVSS 6.5
Remote code execution in CODEASTRO Membership Management System v1.0 allows unauthenticated attackers to upload and execute arbitrary files via the /add_members.php endpoint due to improper file sanitization. The vulnerability enables confidentiality and integrity compromise with CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating network-accessible exploitation with no authentication or user interaction required. Public exploit code is available on GitHub.
PHP
RCE
File Upload
-
CVE-2026-36341
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in Webkul Krayin CRM v2.1.5 allows authenticated users to inject malicious scripts via unsanitized input in the Activity comment field on the /admin/activities/create endpoint, which execute when viewed by other administrators. The vulnerability requires user interaction (viewing the compromised activity) and authenticated access, limiting scope to C (confidentiality) and I (integrity) with partial impact; publicly available proof-of-concept code exists but exploitation is not confirmed in the wild. Fixed in version v2.1.6 via application of input sanitization using strip_tags() across multiple vulnerable Blade templates.
XSS
-
CVE-2026-32686
MEDIUM
CVSS 6.9
Uncontrolled resource consumption in ericmj decimal library (versions 0.1.0 before 3.0.0) allows remote denial of service via maliciously crafted decimal values with extremely large exponents. When applications parse user-supplied decimal input and subsequently perform arithmetic operations, string formatting, rounding, or comparison, the library allocates memory proportional to the exponent magnitude without bounds, exhausting available memory and crashing the BEAM virtual machine. A single malicious request is sufficient to trigger an out-of-memory crash.
Denial Of Service
-
CVE-2026-27892
MEDIUM
CVSS 6.5
FacturaScripts fails to strip EXIF and metadata from user-uploaded images in the Library module, allowing any authenticated user with download access to extract GPS coordinates, device information, timestamps, author names, and other personally identifiable information from downloaded files. An employee uploading a photo taken at their home inadvertently discloses their precise home address to all users with Library access. This affects all image uploads retroactively, with no patched version currently available.
PHP
Python
Information Disclosure
Google
Apple
-
CVE-2026-27421
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in WProyal Royal Elementor Addons before version 1.7.1053 allows authenticated users with limited privileges to inject malicious scripts into web pages, which execute in the browsers of site visitors. The vulnerability requires user interaction (UI:R in CVSS) and is limited to users with login credentials (PR:L), but once stored, affects all visitors regardless of their privileges. An attacker with contributor or editor access can compromise website visitors, steal session cookies, or perform actions on their behalf.
XSS
-
CVE-2026-27416
MEDIUM
CVSS 5.3
Missing authorization controls in bPlugins PDF Poster WordPress plugin versions up to 2.4.1 allow unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control. The vulnerability exposes limited confidential data without requiring authentication or user interaction, affecting all default installations of the affected plugin versions.
Authentication Bypass
-
CVE-2026-27415
MEDIUM
CVSS 4.3
Cross-site request forgery (CSRF) in PluginUs.Net BEAR plugin versions up to 1.1.5 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted web requests. The vulnerability requires user interaction (clicking a malicious link) but can modify application state without the user's knowledge or consent. No active exploitation has been publicly confirmed at the time of analysis.
CSRF
-
CVE-2026-27329
MEDIUM
CVSS 5.3
Authorization bypass in YITH WooCommerce Wishlist through version 4.12.0 allows unauthenticated remote attackers to modify wishlist data via user-controlled object references, exploiting improper access control validation. The vulnerability enables integrity attacks against wishlist functionality without requiring authentication or user interaction, affecting all WordPress installations using the vulnerable plugin.
WordPress
Authentication Bypass
-
CVE-2026-25468
MEDIUM
CVSS 5.3
Happy Addons for Elementor through version 3.20.8 exposes sensitive system information to unauthorized users via an information disclosure vulnerability, allowing remote unauthenticated attackers to retrieve embedded sensitive data without authentication or user interaction. The vulnerability affects all installations of the plugin up to and including version 3.20.8, with a CVSS score of 5.3 reflecting the confidentiality impact of exposed system data.
Information Disclosure
-
CVE-2026-25436
MEDIUM
CVSS 5.3
Missing authorization in Royal Elementor Addons before version 1.7.1053 allows unauthenticated remote attackers to read sensitive information via incorrectly configured access control security levels. The vulnerability affects the WordPress plugin and exposes confidential data without requiring user authentication or interaction, impacting all installations below the patched version.
Authentication Bypass
-
CVE-2026-8142
MEDIUM
CVSS 6.5
VINCE versions 3.0.38 and earlier fail to properly verify sender address authenticity due to encoding confusion, allowing unauthenticated remote attackers to forge email From addresses and trigger automated actions such as ticket creation or updates. The vulnerability combines information disclosure with integrity impact, affecting the reliability of ticket management workflows that depend on sender validation.
Information Disclosure
Vince
-
CVE-2026-8115
MEDIUM
CVSS 5.5
Path traversal vulnerability in gyoridavid short-video-maker up to version 1.3.4 allows remote unauthenticated attackers to read arbitrary files on the server by manipulating the tmpFile parameter in REST API requests. The vulnerability exists in the REST API endpoint src/server/routers/rest.ts and has a publicly available proof-of-concept, though it is not currently confirmed as actively exploited in the wild. With a CVSS score of 5.3 (low/moderate), the vulnerability impacts confidentiality only, enabling information disclosure without requiring authentication or user interaction.
Path Traversal
-
CVE-2026-8106
MEDIUM
CVSS 5.9
Reflected HTML injection in GitHub Enterprise Server Management Console login page allows credential theft when administrators click crafted links. The /setup/unlock endpoint reflects the redirect_to query parameter into an HTML attribute without sanitization, enabling attackers to inject malicious form elements that capture credentials. Affects versions 3.19.1-3.19.5 and 3.20.0-3.20.1; fixed in 3.19.6 and 3.20.2. Exploitation requires user interaction (administrator clicking a link), limiting real-world impact despite network-accessible attack surface.
XSS
-
CVE-2026-8098
MEDIUM
CVSS 5.5
SQL injection in code-projects Feedback System 1.0 admin login panel allows remote unauthenticated attackers to bypass authentication and access administrative functions via crafted email parameter. Publicly available proof-of-concept exploit code exists on GitHub. CVSS 7.3 (High) with network vector and low complexity indicates straightforward exploitation requiring no special configuration. EPSS data not provided, but public POC significantly lowers exploitation barrier for opportunistic attacks against internet-exposed instances.
PHP
SQLi
-
CVE-2026-8083
MEDIUM
CVSS 5.5
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=save_user. The vulnerability has a publicly available exploit and CVSS 5.5 score reflecting limited confidentiality, integrity, and availability impact on the vulnerable component.
PHP
SQLi
-
CVE-2026-8080
MEDIUM
CVSS 6.8
Stored cross-site scripting in MISP before 2.5.37 allows authenticated users with template modification permissions to inject arbitrary JavaScript via unvalidated type and category fields in template element attributes. The vulnerability exploits insufficient input validation in the template element attribute handling logic, enabling attackers to store malicious payloads that execute in the browsers of other users viewing the affected templates. No public exploit code identified at time of analysis.
XSS
-
CVE-2026-7568
MEDIUM
CVSS 6.3
PHP 8.2.31 addresses a buffer overflow vulnerability (CVE-2026-7568) affecting PHP 8.2.x versions that results in information disclosure through out-of-bounds memory reads. The vulnerability requires specific attack preconditions (CVSS AC:H/AT:P) and unauthenticated remote access; exploitation impact is limited to partial disclosure of memory contents. No public exploit code or active exploitation has been identified at the time of analysis.
PHP
Buffer Overflow
Information Disclosure
Microsoft
Suse
-
CVE-2026-7541
MEDIUM
CVSS 6.3
Denial of service in GitHub Enterprise Server allows unauthenticated remote attackers to disrupt service by sending deeply nested JSON payloads to an unprotected API endpoint, causing excessive CPU and memory consumption. Affected versions prior to 3.21 (specifically 3.16.0-3.20.1) lack request size and depth validation. Vendor-released patches available for all affected branches: 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18.
Denial Of Service
-
CVE-2026-7261
MEDIUM
CVSS 6.3
Use-after-free memory corruption in PHP 8.2 prior to version 8.2.31 allows remote attackers to cause information disclosure or denial of service via network requests with low attack complexity. The vulnerability is addressed in PHP 8.2.31, released as a security update bundling fixes for eight CVEs including CVE-2026-7261. Patch availability is confirmed from the PHP development team.
PHP
Information Disclosure
Use After Free
Memory Corruption
Microsoft
-
CVE-2026-7258
MEDIUM
CVSS 6.3
A buffer over-read vulnerability in PHP 8.2 prior to version 8.2.31 allows remote attackers to disclose sensitive information through a network vector with high attack complexity and partial attack time requirements. The vulnerability (CWE-125) affects information availability and system availability, with CVSS 6.3 indicating moderate risk. Vendor-released patch available in PHP 8.2.31.
PHP
Buffer Overflow
Information Disclosure
Microsoft
Red Hat
-
CVE-2026-6805
MEDIUM
CVSS 6.9
Cryptobox external sharing feature leaks information via sharing link URLs, enabling offline brute-force attacks against access codes. Remote unauthenticated attackers with knowledge of a sharing link can retrieve sufficient data from the server to conduct offline enumeration of the associated access code, compromising the confidentiality of shared content. No public exploit code has been identified, but the low attack complexity and network accessibility make this a practical vulnerability.
Information Disclosure
-
CVE-2026-6736
MEDIUM
CVSS 6.3
GitHub Enterprise Server versions prior to 3.21 contain an authentication bypass vulnerability that allows unauthenticated attackers to create local user accounts and establish sessions without validation by the configured external identity provider. The vulnerability affects instances with external authentication enabled, permitting account creation via the signup endpoint with default base permissions. The attack requires only network access and affects all versions across the 3.16-3.20 branches.
Authentication Bypass
-
CVE-2026-6222
MEDIUM
CVSS 5.3
Missing authorization in Forminator Forms for WordPress (versions up to 1.51.1) allows authenticated users with subscriber-level access or restricted Forminator roles to perform sensitive module-management actions including export, delete, clone, and bulk status changes by bypassing capability checks. The vulnerability exists because the `processRequest()` method validates only a nonce without verifying the `manage_forminator_modules` capability, and fires during the `admin_menu` hook before WordPress enforces page-level permission checks. This enables attackers to export complete form configurations including credentials and conditional logic, delete submissions, or manipulate published modules.
PHP
WordPress
Authentication Bypass
-
CVE-2026-6214
MEDIUM
CVSS 6.5
Forminator Forms plugin for WordPress versions up to 1.53.0 allows authenticated subscribers to configure scheduled exports without authorization checks, enabling attackers to exfiltrate all form submissions by redirecting them to attacker-controlled email addresses. The vulnerability exists in the listen_for_saving_export_schedule() function which lacks the capability verification present in the parallel listen_for_csv_export() function, creating a direct authorization bypass for authenticated low-privilege users to access sensitive data collection and delivery mechanisms.
PHP
WordPress
Authentication Bypass
Information Disclosure
-
CVE-2026-5791
MEDIUM
CVSS 6.5
Cross-Site Request Forgery in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote attackers to execute unauthorized actions with high integrity and confidentiality impact when authenticated users interact with malicious content. The CVSS 9.6 (Critical) score reflects scope change and full CIA triad compromise, though EPSS data and KEV status are unavailable. No public exploit code identified at time of analysis, but CSRF vulnerabilities are well-understood and easily weaponized once identified.
CSRF
-
CVE-2026-4807
MEDIUM
CVSS 6.5
Appointment Booking Calendar plugin for WordPress up to version 1.6.10.6 allows unauthenticated attackers to view, delete, and modify arbitrary appointments due to missing authorization checks in REST API endpoints. The plugin exposes a site-wide public nonce through an unauthenticated endpoint (/wp-json/ssa/v1/embed-inner), and the appointment deletion and modification endpoints (/wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk) accept requests with this public nonce even when standard WordPress nonce validation fails, bypassing authorization entirely. Attackers can enumerate and delete appointment records, disclose sensitive booking data, and disrupt services without any authentication.
WordPress
Authentication Bypass
-
CVE-2026-4430
MEDIUM
CVSS 5.4
Out-of-bounds write in LibreOffice 26.2 before 26.2.3 and 25.8 before 25.8.7 allows local attackers to cause memory corruption and availability impact by opening crafted OOXML documents with mismatched encryption salt parameters. The vulnerability requires user interaction to open a malicious document and affects memory integrity with elevated scope impact on availability.
Buffer Overflow
Memory Corruption
Red Hat
Suse
-
CVE-2025-68604
MEDIUM
CVSS 5.4
Cross-site request forgery (CSRF) in WPGraphQL plugin versions up to 2.5.3 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress users with user interaction (typically clicking a malicious link). The vulnerability affects the GraphQL endpoint's lack of token-based request verification, enabling attackers to craft requests that WordPress site visitors are tricked into executing without their knowledge. No public exploit code or active exploitation has been confirmed.
CSRF
-
CVE-2025-67202
MEDIUM
CVSS 6.1
Sidekiq-cron through 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to cross-site scripting (XSS) via a crafted URL being rendered from cron.erb.
XSS
Red Hat
N A
-
CVE-2025-66105
MEDIUM
CVSS 5.3
Missing authorization controls in the Magepeople Inc. Bus Ticket Booking with Seat Reservation WordPress plugin allow unauthenticated remote attackers to modify data (such as ticket bookings or seat reservations) through incorrectly configured access control security levels. The vulnerability affects versions before 5.6.8 and has a CVSS score of 5.3 (medium severity) with a network attack vector requiring no authentication or user interaction.
Authentication Bypass
-
CVE-2025-62127
MEDIUM
CVSS 5.9
DOM-based cross-site scripting (XSS) in WEN Logo Slider WordPress plugin through version 3.4.0 allows authenticated high-privilege users to inject malicious scripts that execute in the browsers of other site visitors when the UI redirects the page, potentially compromising site integrity and user data. The vulnerability requires high-privilege administrator access and user interaction (page redirect), limiting its practical scope to insider threats or compromised admin accounts.
XSS
-
CVE-2025-4397
MEDIUM
CVSS 6.8
Medtronic MyCareLink Patient Monitor stores per-product credentials in a recoverable (non-hashed or weakly encrypted) format, allowing physical attackers with device access to extract these credentials and modify encrypted drive data without authentication. Affected models include the 24950 and 24952 monitors. The vulnerability requires physical access to the device (CVSS AV:P) but grants full confidentiality, integrity, and availability impact to stored patient data.
Information Disclosure
-
CVE-2025-4386
MEDIUM
CVSS 6.8
Medtronic MyCareLink Patient Monitor models 24950 and 24952 expose an unauthenticated UART login prompt via an internal serial interface, allowing attackers with physical access to potentially gain administrative control without authentication. The vulnerability achieves high confidentiality, integrity, and availability impact (CVSS 6.8) but requires direct physical access to internal hardware connections, limiting real-world exploitation to scenarios involving device tampering or insider threats.
Information Disclosure
-
CVE-2025-2514
MEDIUM
CVSS 5.3
Improper restriction of excessive authentication attempts in Hitachi Virtual Storage Platform series (G-series, F-series, E-series, and One Block models) allows unauthenticated remote attackers to conduct brute-force credential attacks and potentially obtain sensitive information through repeated authentication probes without rate-limiting or account lockout mechanisms. The vulnerability affects multiple firmware versions across 28 distinct storage array models and is remotely exploitable without authentication from the network.
Information Disclosure
-
CVE-2026-44603
LOW
CVSS 3.7
Out-of-bounds read by one byte in Tor before version 0.4.9.7 when processing malformed BEGIN cells allows remote unauthenticated attackers to cause a denial of service through information disclosure. The vulnerability has a low CVSS impact score (3.7) due to high attack complexity and limited availability impact, though the exact exploitation mechanics require Tor relay configuration and a specially crafted cell.
Buffer Overflow
-
CVE-2026-44602
LOW
CVSS 3.7
Tor before version 0.4.9.7 crashes due to a NULL pointer dereference when CERT cells are received out of order, causing denial of service against relay nodes and clients. Remote unauthenticated attackers on the network can trigger this crash by sending malformed cell sequences, disabling affected Tor instances. No active exploitation confirmed, but the vulnerability affects core protocol handling in all affected versions.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-44601
LOW
CVSS 3.7
Tor before version 0.4.9.7 can crash due to a double-close vulnerability in circuit handling when memory pressure conditions exist on the circuit queue, resulting in denial of service to affected clients. The vulnerability requires specific network conditions (high circuit queue load) to trigger but affects all Tor clients running vulnerable versions. A patch is available in Tor 0.4.9.7 and later.
Denial Of Service
-
CVE-2026-44600
LOW
CVSS 3.7
Tor before version 0.4.9.7 mishandles memory accounting in the conflux out-of-order queue during queue clearing operations, leading to a denial-of-service condition through resource exhaustion. Unauthenticated remote attackers can exploit this via network-level packet manipulation to trigger improper queue state management, causing availability degradation on affected Tor relays and clients. The vulnerability has a low severity CVSS score (3.7) due to attack complexity and availability-only impact, with no confirmed active exploitation at time of analysis.
Information Disclosure
-
CVE-2026-44599
LOW
CVSS 3.7
Tor before version 0.4.9.7 can incorrectly attempt or accept BEGIN_DIR cells over conflux legs, a Tor relay multiplexing feature, enabling potential integrity violations in circuit construction. The vulnerability has a CVSS score of 3.7 (low severity) with impact limited to integrity rather than confidentiality or availability. No public exploit code or active exploitation has been identified at the time of analysis.
Information Disclosure
-
CVE-2026-44597
LOW
CVSS 3.7
Out-of-bounds read in Tor before version 0.4.9.7 occurs when END, TRUNCATE, or TRUNCATED cells lack a reason field in their payload, allowing remote unauthenticated attackers to trigger a denial of service condition. The vulnerability requires high attack complexity and results in availability impact only. CVSS score is 3.7 with no active exploitation (KEV) or public exploit code confirmed at time of analysis.
Buffer Overflow
-
CVE-2026-44589
LOW
CVSS 3.7
Server-Side Request Forgery (SSRF) in nuxt-og-image 6.2.5 through 6.4.8 allows remote attackers to bypass the incomplete IPv6 denylist and redirect validation, reaching internal IP addresses and services through incomplete IPv6 prefix filtering and unauthenticated HTTP redirect following. The vulnerability affects the OG image rendering component used by Nuxt applications, enabling attackers to leak internal service responses by injecting crafted IPv6-mapped addresses or chaining external redirects to internal targets.
Kubernetes
SSRF
Node.js
Microsoft
Redis
-
CVE-2026-44283
LOW
etcd RBAC authorization bypass allows authenticated users to read unauthorized data or attach leases via PrevKv or lease attachment features in transaction Put requests, circumventing role-based access control checks. Affects etcd 3.4.x through 3.6.x before patched versions 3.4.44, 3.5.30, and 3.6.11. While Kubernetes deployments are typically not affected because the API server handles its own authorization, etcd deployments that rely on etcd's built-in RBAC (particularly those managed directly or used outside Kubernetes) face exposure to privilege escalation and unauthorized data access by already-authenticated users.
Authentication Bypass
Kubernetes
-
CVE-2026-42578
LOW
CVSS 2.9
HTTP header injection via CRLF sequences in Netty's HttpProxyHandler allows remote attackers to inject arbitrary HTTP headers into CONNECT proxy requests by supplying malicious outbound headers, bypassing the incomplete fix for GHSA-84h7-rjj3-6jx4. The vulnerability affects Netty 4.1.x up to 4.1.132.Final and 4.2.x up to 4.2.12.Final; unauthenticated remote exploitation is possible when applications pass user-influenced headers to HttpProxyHandler without performing their own CRLF sanitization. CVSS 7.5 (high integrity impact); no public exploit code confirmed at time of analysis, but proof-of-concept source code is provided in the advisory.
Authentication Bypass
Java
-
CVE-2026-42082
LOW
CVSS 3.7
Free5GC Access and Mobility Function (AMF) versions up to 1.4.3 fail to enforce 3GPP TS 33.501 §6.9.5.1 concurrent security procedure rules, allowing NAS Security Mode Command (SMC) to execute simultaneously with N2 handover procedures. This causes security context mismatches between the UE and network when SMC activates a new KAMF while N2 HandoverRequest carries Next Hop (NH) and Next Hop Chaining Counter (NCC) derived from the old KAMF, resulting in different KgNB key derivation at the target gNB and UE and breaking access stratum (AS) security integrity. Source code analysis confirms missing cross-procedure validation in SecurityMode() and handleHandoverRequiredMain() functions; packet evidence demonstrates Rule 2 violation (SMC initiated during ongoing N2 handover).
Information Disclosure
-
CVE-2026-27964
LOW
CVSS 3.9
Reflected cross-site scripting in FacturaScripts allows authenticated attackers to execute arbitrary JavaScript via manipulation of the fsNick cookie parameter. The application renders the cookie value directly into the HTML without sanitization, permitting script execution before session termination and logout redirection. CVSS score is 3.9 with low impact due to login requirement and single-action execution window.
XSS
-
CVE-2026-8116
LOW
CVSS 2.1
Path traversal in xiaozhi-mcphub up to version 1.0.3 allows authenticated remote attackers to access arbitrary files via manipulation of the manifest.name argument in src/controllers/dxtController.ts, with CVSS 6.3 indicating moderate impact to confidentiality, integrity, and availability. Publicly available exploit code exists, and the project maintainer has not yet responded to early disclosure notification.
Path Traversal
-
CVE-2026-8114
LOW
CVSS 2.1
SQL injection in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the condition parameter in the /sys/dict/loadTreeData endpoint, leading to unauthorized data access with limited confidentiality impact. The vulnerability affects the JSON Object Handler component and has publicly available exploit code, though the low CVSS score (2.1) and required authentication significantly limit practical risk despite confirmed vendor awareness.
SQLi
-
CVE-2026-8113
LOW
CVSS 2.1
Path traversal in MiniClaw's executeSkillScript function allows authenticated remote attackers to access files outside the intended skills directory via directory traversal sequences in the skillName or scriptFile parameters. The vulnerability affects the isPathInside function in src/kernel.ts, enabling disclosure of sensitive files with CVSS 4.3 (low confidentiality impact). Publicly available exploit code exists and a vendor patch is available via commit e8bd4e17e9428260f2161378356affc5ce90d6ed.
Path Traversal
-
CVE-2026-8112
LOW
CVSS 2.1
OS command injection in 8421bit MiniClaw's executeCognitivePulse function allows authenticated remote attackers to inject arbitrary shell commands via unsanitized prompt input passed to external CLI tools. The vulnerability stems from unsafe string interpolation in command construction, enabling execution of system commands with the privileges of the MiniClaw process. Publicly available exploit code exists, and vendor-released patch commit 028f62216dee9f64833d0f1cfda7c217067ceba8 is available on GitHub.
Command Injection
-
CVE-2026-8097
LOW
CVSS 2.1
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the squeryx parameter in /askquery.php, enabling unauthorized data access, modification, and potential denial of service. Publicly available exploit code exists and the vulnerability affects the default installation with no special configuration required.
PHP
SQLi
-
CVE-2026-8088
LOW
CVSS 1.9
Out-of-bounds read in OSGeo GDAL up to version 3.13.0dev-4 affects the GDfieldinfo function in the HDF-EOS module when processing malformed HDF4 files. A locally authenticated attacker can trigger memory disclosure by crafting a specially formatted HDF4 file. Publicly available exploit code exists. The vulnerability is fixed in GDAL 3.13.0RC1 and later.
Buffer Overflow
Information Disclosure
-
CVE-2026-8087
LOW
CVSS 1.9
Heap-based buffer overflow in OSGeo GDAL up to version 3.13.0dev-4 allows local authenticated attackers to corrupt memory and potentially execute arbitrary code via a specially crafted DataFieldName argument passed to the GDnentries function in the HDF-EOS module. The vulnerability affects string length calculation when processing quoted field names; publicly available exploit code exists, and a vendor patch is available in version 3.13.0RC1.
Buffer Overflow
Heap Overflow
-
CVE-2026-8086
LOW
CVSS 1.9
Heap-based buffer overflow in OSGeo GDAL up to 3.13.0dev-4 within the SWnentries function of the HDF4-EOS module allows local authenticated attackers to cause memory corruption via crafted DimensionName arguments. The vulnerability requires local access and authenticated privileges but can be exploited with publicly available proof-of-concept code. The CVSS score of 1.9 reflects limited confidentiality, integrity, and availability impact, indicating constrained real-world severity despite the buffer overflow classification.
Buffer Overflow
Heap Overflow
-
CVE-2026-8084
LOW
CVSS 1.9
Out-of-bounds read in OSGeo GDAL up to version 3.13.0dev-4 occurs in the HDF-EOS Grid File Handler when parsing malformed HDF4 files, allowing local authenticated attackers to read memory beyond buffer bounds. The vulnerability exists in the memmove operation within SWapi.c and GDapi.c that processes field information without proper bounds validation. Vendor-released patch available in version 3.13.0RC1; publicly available exploit code exists.
Buffer Overflow
Information Disclosure
-
CVE-2026-8081
LOW
CVSS 2.1
Server-side request forgery in router-for-me CLIProxyAPI 6.9.29 allows authenticated remote attackers to manipulate the url parameter in the API Interface handler to perform arbitrary network requests on behalf of the server. The vulnerability has a publicly available exploit and vendor communication attempts were unsuccessful, though the low CVSS score (2.1) and requirement for authenticated access limit real-world impact compared to unauthenticated SSRF vulnerabilities.
SSRF
-
CVE-2026-7262
LOW
CVSS 2.9
PHP 8.2.31 addresses a null pointer dereference vulnerability (CVE-2026-7262) that can cause denial of service through remote network access without authentication. The vulnerability has a low CVSS score of 2.9 due to attack complexity factors, but the vendor has released PHP 8.2.31 as an immediate security patch addressing this and seven related CVEs. All PHP 8.2 users should upgrade to mitigate the impact.
PHP
Denial Of Service
Null Pointer Dereference
Microsoft
-
CVE-2026-7259
LOW
CVSS 2.1
Null pointer dereference in PHP 8.2.x causes denial of service through remote attacks requiring user interaction and persistent attack timing. CVE-2026-7259 is one of eight vulnerabilities patched in PHP 8.2.31, with a low CVSS score (2.1) reflecting the attack complexity and limited availability impact, though the null pointer dereference class (CWE-476) can escalate in severity depending on code context. No public exploit code or active exploitation has been identified at time of analysis.
PHP
Denial Of Service
Null Pointer Dereference
Microsoft