Skip to main content
CVE-2026-6973 HIGH POC KEV THREAT Act Now

Remote code execution in Ivanti Endpoint Manager Mobile (EPMM) allows authenticated administrators to execute arbitrary code on the server. Affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 through improper input validation vulnerabilities. While requiring high-privilege administrator credentials (CVSS PR:H), the vulnerability enables complete system compromise once authenticated, with high impact to confidentiality, integrity, and availability. No public exploit or active exploitation confirmed at time of analysis.

RCE Ivanti
NVD VulDB
CVSS 3.1
7.2
EPSS
5.0%
Threat
5.5
CVE-2026-42589 CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote code execution in Gotenberg 8.29.1 allows network attackers to execute arbitrary OS commands via newline injection in PDF metadata keys. The `/forms/pdfengines/metadata/write` endpoint passes user-controlled JSON metadata keys directly to ExifTool without control-character validation. Embedding `\n` in a key splits ExifTool's stdin stream, injecting arbitrary flags including `-if` which evaluates Perl expressions. Attack returns HTTP 200 with valid PDF output, evading basic monitoring. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible RCE. No vendor-released patch identified at time of analysis — GitHub advisory GHSA-rqgh-gxv4-6657 confirms the issue but CPE data shows no fixed version. Publicly available exploit code exists in Python and bash with OOB exfiltration. Default Docker image `gotenberg/gotenberg:8` runs the vulnerable process as uid 1001 with root group membership, amplifying post-exploitation impact.

Command Injection Python RCE Docker Google
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-6722 CRITICAL POC PATCH NEWS Act Now

Use-after-free memory corruption in PHP 8.2.x enables remote attackers to achieve high-impact exploitation through network-accessible attack vectors, despite high attack complexity and specific timing requirements. PHP 8.2.31 addresses this vulnerability along with seven other security issues in a coordinated security release. The CVSS v4.0 score of 9.5 reflects both confidentiality and integrity impact across vulnerable and subsequent systems, with high availability impact. No public exploit code or active exploitation confirmed at time of analysis, but the vendor urgency indicator (U:Red) and release coordinator emphasis (RE:M) signal critical priority for organizations running PHP 8.2.x in production environments.

Microsoft PHP Use After Free Memory Corruption Information Disclosure
NVD GitHub VulDB
CVSS 4.0
9.5
EPSS
0.3%
CVE-2026-5787 HIGH Act Now

Certificate validation bypass in Ivanti Endpoint Manager Mobile (EPMM) allows remote unauthenticated attackers to impersonate registered Sentry hosts and fraudulently obtain CA-signed client certificates. Affects all versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1. High-severity network attack (CVSS 8.9) with changed scope indicating potential pivot to additional systems. No active exploitation confirmed in CISA KEV at time of analysis, but Ivanti products are frequent targets requiring immediate patching priority.

Information Disclosure Ivanti
NVD VulDB
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-5786 HIGH Act Now

Privilege escalation in Ivanti Endpoint Manager Mobile (EPMM) allows remote authenticated attackers with low-level credentials to gain full administrative access. Affected versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 contain an improper access control flaw (CWE-284) that enables credential-holding users to bypass authorization checks and assume administrative privileges. With CVSS 8.8 (High) and network-exploitable attack vector requiring only low privileges, this represents a significant risk for enterprise mobile device management environments, though EPSS data and active exploitation status are not available at time of analysis.

Authentication Bypass Ivanti
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-39820 HIGH POC PATCH This Week

Denial of service in Go standard library net/mail package allows remote unauthenticated attackers to exhaust CPU and memory resources via maliciously crafted email addresses or dates. The vulnerability affects ParseAddress, ParseAddressList, and ParseDate functions in Go versions prior to 1.25.10 and 1.26.0-1.26.2. Confirmed actively exploited (CISA KEV status not indicated; exploitation probability 0.02% per EPSS). Vendor-released patches available in Go 1.25.10 and 1.26.3.

Denial Of Service Net Mail
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42499 HIGH POC PATCH This Week

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Information Disclosure Net Mail
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33814 HIGH POC PATCH This Week

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Denial Of Service Golang Org X Net Http2 Net Http
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33811 HIGH POC PATCH This Week

Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing maliciously crafted CNAME DNS responses. Remote attackers can trigger double-free of C memory in the cgo DNS resolver's LookupCNAME function by sending excessively long CNAME records, causing immediate denial of service. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity despite network-accessible attack vector and no authentication requirement. Vendor patch available via Go 1.25.10 and 1.26.3.

Denial Of Service Net
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-39836 HIGH POC PATCH This Week

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

Microsoft Null Pointer Dereference Denial Of Service
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7821 HIGH Act Now

Improper certificate validation in Ivanti Endpoint Manager Mobile (EPMM) enables remote unauthenticated attackers to enroll restricted devices without authorization, exposing appliance configuration details and compromising enrolled device identity integrity. Affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. CVSS 7.4 with high attack complexity suggests exploitation requires specific timing or conditions. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis, though Ivanti products have been frequent targets of nation-state actors in recent years.

Information Disclosure Ivanti
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-5788 HIGH Act Now

Remote unauthenticated attackers can invoke arbitrary methods in Ivanti Endpoint Manager Mobile (EPMM) via improper access control flaws, enabling authentication bypass and potential system compromise. Affects versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. The CVSS vector indicates network-accessible exploitation with high attack complexity, resulting in high integrity impact and limited confidentiality/availability impact. No active exploitation confirmed via CISA KEV at time of analysis, though the authentication bypass tag and Ivanti's history of targeted attacks warrant elevated monitoring.

Authentication Bypass Ivanti
NVD VulDB
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-42826 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Unauthorized information disclosure in Azure DevOps allows remote unauthenticated attackers to access sensitive data via network requests and potentially compromise the system with high confidentiality, integrity, and availability impact. The vulnerability carries a maximum CVSS 10.0 score with scope change, indicating cross-boundary impact. Microsoft has released an official patch, and no active exploitation has been reported via CISA KEV at the time of analysis.

Microsoft Information Disclosure
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-33109 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code across tenant boundaries. The vulnerability involves improper access control (CWE-284) enabling scope escape with complete compromise of confidentiality, integrity, and availability. Microsoft has released a patch per MSRC advisory. CVSS 9.9 (Critical) reflects network-based attack with low complexity, low privileges required, and changed scope indicating container/tenant escape potential.

Authentication Bypass Microsoft Apache
NVD VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-35428 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Command injection in Azure Cloud Shell enables remote attackers to execute arbitrary commands and spoof user sessions when victims interact with malicious content. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), allowing network-based attackers to achieve high impact across confidentiality, integrity, and availability with scope change (S:C), indicating potential container escape or cross-tenant impact. Microsoft has released a patch per MSRC advisory. EPSS data not available, no CISA KEV listing identified, suggesting targeted rather than widespread exploitation at time of analysis.

Microsoft Command Injection
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-33823 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Authorization bypass in Microsoft Teams enables authenticated attackers to escalate privileges across security boundaries and access sensitive information from other tenants or user contexts. The CVSS score of 9.6 reflects a scope change (S:C), indicating the attacker can impact resources beyond their authorized permissions with high confidentiality and integrity impact. Vendor-released patch available from Microsoft Security Response Center. No public exploit identified at time of analysis, with CVSS temporal metrics indicating unproven exploitability (E:U).

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-33844 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code when a user interacts with a malicious payload. CVSS 9.0 (Critical) with scope change indicates container/tenant escape potential. Microsoft released a patch (MSRC update guide), and CVSS temporal metrics confirm remediation available with complete confidence, though no confirmed active exploitation or public POC identified at time of analysis.

Microsoft Apache Information Disclosure
NVD VulDB
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-43997 CRITICAL PATCH GHSA Act Now

Remote code execution in vm2 Node.js sandbox library (versions ≤3.10.5) allows attackers to escape isolation and execute arbitrary system commands by exploiting incomplete host Object protections. Attackers leverage JavaScript prototype chain manipulation to obtain host-context symbols, enabling injection of malicious code into Node.js inspection routines. Publicly available exploit code exists with working proof-of-concept demonstrating command execution via child_process. CVSS 10.0 (Critical) with network attack vector and no authentication required. Fixed in vm2 3.11.0, part of coordinated release addressing 13 sandbox-escape vulnerabilities.

Code Injection RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-44006 CRITICAL PATCH GHSA Act Now

Prototype chain manipulation in vm2 Node.js sandbox library enables complete sandbox escape and remote code execution via util.inspect handler leakage. Attackers can exploit BaseHandler.getPrototypeOf through crafted objects to access host process primitives and execute arbitrary system commands. Public exploit code exists (vendor-published PoC demonstrates child_process.execSync execution). Fixed in vm2 version 3.11.0 alongside 12 other critical sandbox escape vulnerabilities in coordinated security release.

Code Injection RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-44005 CRITICAL PATCH GHSA Act Now

vm2 npm package versions 3.9.6 through 3.10.5 allow sandbox escape through prototype pollution of host-realm intrinsic objects. Attackers execute arbitrary code by leveraging flawed proxy bridge implementation that writes sandbox mutations directly to shared host Object.prototype, Array.prototype, and Function.prototype instead of isolating changes to the sandbox realm. This vulnerability was patched in vm2 v3.11.0 as part of a coordinated release addressing 13 security advisories. Publicly available exploit code exists with minimal attack complexity (CVSS AC:L) requiring no authentication or user interaction (AV:N/PR:N/UI:N).

Code Injection RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-44523 CRITICAL PATCH GHSA Act Now

JWT secret validation bypass in Note Mark allows full account takeover through offline token forgery. The Go-based note-taking application accepts HS256 signing secrets shorter than RFC 7518's required 32 bytes, enabling attackers to capture a single valid JWT from network traffic or logs, brute-force the weak secret offline, and forge authentication tokens for any user including administrators. Publicly available exploit code exists (vendor-published PoC in GitHub advisory GHSA-q6mh-rqwh-g786). Vendor-released patch available in commit 18b587758667 and release v0.19.4. CVSS 10.0 reflects unauthenticated network exploitation with scope change, though real-world impact requires JWT capture as a prerequisite.

Python RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-43999 CRITICAL PATCH GHSA Act Now

vm2's NodeVM sandbox escape allows remote code execution when applications use the common `builtin: ['*', '-child_process']` configuration pattern. An attacker with the ability to submit code to the sandbox can bypass the builtin allowlist by requiring the `module` builtin, then using `Module._load()` to load explicitly excluded modules like `child_process` in the host context. This directly leads to arbitrary command execution on the host system. The vulnerability affects vm2 version 3.10.5, with a vendor-released patch available in version 3.11.0. CVSS score of 9.9 reflects critical severity with network attack vector, low complexity, and scope change from sandbox to host. No public exploit code or active exploitation evidence identified at time of analysis.

Authentication Bypass Node.js RCE
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-41050 CRITICAL PATCH GHSA Act Now

ServiceAccount impersonation bypass in Rancher Fleet allows tenants with git push access to multi-tenant clusters to read secrets from any namespace across all downstream clusters. Two distinct code paths failed to properly apply RBAC constraints: Helm's lookup function executed with cluster-admin credentials instead of the impersonated ServiceAccount, and valuesFrom secret references in fleet.yaml bypassed namespace isolation. Confirmed active exploitation status unknown (not in CISA KEV). CVSS 9.9 with scope-change modifier reflects potential credential leakage to external services. Fleet versions 0.12.0 through 0.15.0 affected across multiple Rancher release branches. Patches available for all supported versions with detailed version matrix provided by SUSE.

Authentication Bypass Kubernetes Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-37709 CRITICAL PATCH GHSA Act Now

Remote unauthenticated attackers can execute arbitrary code in Snipe-IT versions 8.4.0 and earlier by uploading malicious files through the API's UploadedFilesController component. The vulnerability stems from an authorization bypass where file upload endpoints required only 'view' permission instead of 'update' permission, allowing attackers to upload and execute code without proper authentication. Fixed in commit 676a9958 (March 10, 2026). EPSS data not available. No CISA KEV listing identified at time of analysis. Public exploit code (POC) status unknown, though GitHub security advisory GHSA-xg82-2hrv-hf64 confirms the flaw.

Authentication Bypass PHP RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-42010 CRITICAL PATCH Act Now

Authentication bypass in GnuTLS affects servers that enable the RSA-PSK key exchange, where the PSK identity comparison treats a username containing an embedded NUL byte as equal to a legitimate truncated username. Remote attackers can send a crafted username to circumvent pre-shared-key authentication and gain unauthorized access. There is no public exploit identified at time of analysis, the EPSS probability is low (0.15%), and CISA SSVC scores exploitation as none - indicating high theoretical severity but no observed real-world abuse.

Authentication Bypass Gnutls Hardened Images Openshift Container Platform Enterprise Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-32207 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Cross-site scripting (XSS) in Azure Machine Learning enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted input, achieving complete session compromise including credential theft, workspace manipulation, and model poisoning. Attacker requires no authentication but must convince a user to interact with a malicious link or input. Microsoft has released patches per MSRC advisory. CVSS 8.8 severity reflects the high impact across confidentiality, integrity, and availability once user interaction occurs. No evidence of active exploitation (not in CISA KEV) and EPSS data not provided.

XSS Microsoft
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7415 CRITICAL Act Now

Anonymous MQTT access in Yarbo firmware v2.3.9 allows remote unauthenticated attackers on the local network to fully control the robotic lawn mower and exfiltrate sensitive telemetry data. The embedded MQTT broker accepts connections without credentials and enforces no topic-level access controls, enabling arbitrary publish/subscribe operations. No authentication, authorization, or message validation occurs. EPSS and KEV data not available; exploitation requires only network access to the robot's MQTT port (typically TCP 1883).

Authentication Bypass Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-63706 CRITICAL GHSA Act Now

NPM package next-npm-version1.0.1 is vulnerable to Command injection.

Command Injection Node.js Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-42581 CRITICAL PATCH GHSA Act Now

HTTP request smuggling in Netty's netty-codec-http (HttpObjectDecoder) lets remote attackers desynchronize message boundaries by sending an HTTP/1.0 request carrying both Transfer-Encoding: chunked and Content-Length. Netty's anti-smuggling sanitization that strips the conflicting Content-Length header only runs for HTTP/1.1, so on HTTP/1.0 Netty parses the body as chunked while leaving Content-Length intact for any downstream Content-Length-first proxy, which then treats trailing chunk bytes as a new request. Publicly available exploit code exists (a working EmbeddedChannel PoC test), but EPSS is very low (0.03%, 8th percentile) and it is not in CISA KEV.

Authentication Bypass Request Smuggling Java Nginx
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30496 CRITICAL Act Now

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration (74 endpoints) and writing/modifying settings including volume, mute, brightness, power, network protocols enable/disable (including TELNET), display modes, and other projector functions. Any device on the same network can control the projector without authentication.

Authentication Bypass Google N A
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-63703 CRITICAL GHSA Act Now

npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().

Node.js Prototype Pollution Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-63704 CRITICAL GHSA Act Now

Prototype pollution in query-string-parser 1.0.0 enables remote unauthenticated attackers to inject malicious properties into JavaScript object prototypes via crafted query parameters, achieving arbitrary code execution, privilege escalation, or denial of service in Node.js applications. CVSS 9.8 critical severity with network attack vector and no authentication required. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite critical rating. Publicly available proof-of-concept exists (GitHub Gist), but no CISA KEV listing confirms active exploitation. SSVC framework rates this as automatable with total technical impact but currently unexploited, suggesting opportunistic future risk rather than immediate widespread targeting.

Node.js Prototype Pollution Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-7414 CRITICAL Act Now

Hardcoded administrative credentials in Yarbo firmware v2.3.9 allow remote unauthenticated attackers to gain full device administrative access across all deployed units. The CVSS 9.8 critical score reflects the complete lack of authentication barriers (AV:N/AC:L/PR:N), with identical credentials embedded in every device that cannot be changed by end users. No active exploitation has been confirmed by CISA KEV, but a public GitHub repository reference suggests potential proof-of-concept availability. EPSS data unavailable, though the trivial exploitation path (no complexity, no privileges required) indicates high weaponization potential once credentials become widely known.

Authentication Bypass Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8091 CRITICAL PATCH Act Now

Remote code execution in Firefox ESR allows unauthenticated network attackers to achieve complete system compromise via malformed audio/video content. Mozilla has released patches in Firefox ESR 140.10.2 and Firefox ESR 115.35.2. Despite a critical CVSS 9.8 score and SSVC rating of 'total' technical impact with automatable exploitation, EPSS assigns only 0.01% exploitation probability (1st percentile), and no public exploit or active exploitation has been identified. The severity stems from the unauthenticated network attack vector against a boundary condition flaw in media playback - a user-facing feature in a widely-deployed browser component.

Mozilla Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8094 CRITICAL PATCH Act Now

Remote code execution in Firefox ESR's WebRTC component allows unauthenticated network attackers to achieve arbitrary code execution with complete system compromise. The vulnerability affects Firefox ESR versions prior to 140.10.2 and carries a critical CVSS score of 9.8 with network attack vector requiring no authentication or user interaction. Despite the critical severity, EPSS probability remains exceptionally low at 0.01% (0th percentile) with no evidence of active exploitation, suggesting limited awareness or exploitation complexity despite the automatable nature assessed by CISA SSVC framework.

Mozilla Code Injection RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-36458 CRITICAL Act Now

ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered.

SQLi Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-6508 CRITICAL PATCH Act Now

Remote unauthenticated attackers can bypass access control lists in Liderahenk 2.0.1, achieving complete system compromise with confidentiality, integrity, and availability impact. The origin validation flaw (CWE-346) allows attackers to access restricted functionality without proper authorization checks. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction. No EPSS data or CISA KEV status available, but the origin validation weakness combined with unrestricted network access creates high practical risk. Reported by Turkey's National Cyber Security Center (USOM), indicating potential targeting of Turkish government/organizational deployments.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-35435 HIGH PATCH NEWS NO ACTION HOSTED Exploit Likely Monitor

Confidentiality breach in Azure AI Foundry M365 published agents enables remote unauthenticated attackers to access high-value data through improper access control (CWE-284). The vulnerability affects agents published through M365 integration, allowing privilege escalation over the network with no authentication required and low attack complexity (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). Microsoft has released a vendor patch per MSRC advisory. No active exploitation confirmed by CISA KEV, and EPSS data not available at time of analysis.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-41589 CRITICAL PATCH GHSA Act Now

Path traversal in Wish SSH server's SCP middleware allows authenticated attackers to read arbitrary files, write arbitrary files, and create directories outside the configured root via crafted filenames containing ../ sequences. Affects charm.land/wish/v2 versions 2.0.0 through 2.0.1 and all github.com/charmbracelet/wish v1.x versions. Vendor-released patch v2.0.1 available for v2 branch; no fix confirmed for v1 branch. CVSS 9.6 with scope change indicates potential container/host escape scenarios. No evidence of active exploitation or public POC at time of analysis.

Path Traversal Wish
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-42880 CRITICAL PATCH GHSA Act Now

Kubernetes Secret extraction in Argo CD v3.2.0-3.2.10 and v3.3.0-3.3.8 allows authenticated users with read-only application permissions to retrieve plaintext credential data including service account tokens, TLS certificates, database passwords, and API keys via the ServerSideDiff endpoint. The vulnerability exists due to missing data masking in the gRPC/REST ServerSideDiff function, which returns raw Kubernetes Server-Side Apply dry-run responses containing unredacted Secret values from etcd when applications are annotated with 'IncludeMutationWebhook=true'. A functional proof-of-concept exploit exists demonstrating automated extraction of all accessible secrets. Vendor-released patches (3.2.11, 3.3.9) are available. CVSS 9.6 reflects network-exploitable, low-complexity attack requiring only low-privilege authenticated access with cross-scope high confidentiality/integrity impact.

Kubernetes Information Disclosure
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-6795 CRITICAL PATCH Act Now

Open redirect vulnerability in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to redirect users to malicious sites via parameter injection, achieving high-severity impact across confidentiality, integrity, and availability with scope change. The CVSS 9.6 (Critical) score reflects cross-site scope change and combined impacts, though typical open redirect attacks involve phishing rather than direct system compromise. TR-CERT published this vulnerability with vendor coordination through Turkish national CERT.

Open Redirect
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-8115 MEDIUM POC This Month

Path traversal vulnerability in gyoridavid short-video-maker up to version 1.3.4 allows remote unauthenticated attackers to read arbitrary files on the server by manipulating the tmpFile parameter in REST API requests. The vulnerability exists in the REST API endpoint src/server/routers/rest.ts and has a publicly available proof-of-concept, though it is not currently confirmed as actively exploited in the wild. With a CVSS score of 5.3 (low/moderate), the vulnerability impacts confidentiality only, enabling information disclosure without requiring authentication or user interaction.

Path Traversal Short Video Maker
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-8098 MEDIUM POC This Month

SQL injection in code-projects Feedback System 1.0 admin login panel allows remote unauthenticated attackers to bypass authentication and access administrative functions via crafted email parameter. Publicly available proof-of-concept exploit code exists on GitHub. CVSS 7.3 (High) with network vector and low complexity indicates straightforward exploitation requiring no special configuration. EPSS data not provided, but public POC significantly lowers exploitation barrier for opportunistic attacks against internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-8083 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=save_user. The vulnerability has a publicly available exploit and CVSS 5.5 score reflecting limited confidentiality, integrity, and availability impact on the vulnerable component.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-42596 CRITICAL PATCH GHSA Act Now

Unauthenticated server-side request forgery (SSRF) in Gotenberg 8.30.1 and earlier allows remote attackers to force the server to make HTTP requests to internal/loopback addresses by bypassing default deny-lists with IPv4-mapped IPv6 notation (e.g., http://[::ffff:127.0.0.1]:port). The vulnerability affects both the downloadFrom file-fetching feature and the webhook delivery feature. Attackers can read content from internal HTTP endpoints and trigger state-changing requests against services bound to localhost, exposing internal APIs, cloud metadata endpoints, and admin interfaces. Fix available in version 8.32.0. No public exploit code confirmed outside the GitHub advisory PoC, not listed in CISA KEV, but CVSS 9.4 Critical rating reflects the network-accessible, unauthenticated nature and high confidentiality/integrity impact.

SSRF Microsoft Python Docker Google
NVD GitHub VulDB
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-44484 CRITICAL GHSA Act Now

Supply chain compromise in PyTorch Lightning versions 2.6.2 and 2.6.3 delivers credential-harvesting malware through the official PyPI distribution channel. Lightning AI confirmed malicious code was injected into these specific releases, targeting API keys, access tokens, SSH keys, and service account credentials. The compromised versions were quarantined from PyPI and users are directed to downgrade to known-clean version 2.6.1. The CVSS 9.3 score reflects network-accessible exploitation requiring no authentication or user interaction, though exploitation is limited to systems that specifically installed the two poisoned versions.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-6411 HIGH PATCH CISA Act Now

Remote attackers can decrypt tenant email addresses and metadata, and trigger denial-of-service conditions in MAXHUB Pivot client versions prior to v1.36.2 via hardcoded AES encryption keys. The vulnerability (CWE-327: Broken/Risky Cryptographic Algorithm) enables complete bypass of data confidentiality controls without authentication due to embedded cryptographic secrets in the application binary. CISA ICS-CERT disclosure indicates this affects operational technology environments where MAXHUB collaboration devices are deployed. No active exploitation confirmed in CISA KEV at time of analysis, though the attack vector is trivially exploitable (AV:N/AC:L/PR:N/UI:N) once the hardcoded key is extracted via reverse engineering.

Authentication Bypass Maxhub Pivot Client Application
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-44497 CRITICAL PATCH GHSA Act Now

Consensus divergence in Zebra 4.3.1 enables blockchain network partitioning through crafted transparent transactions with invalid sighash types. Insufficient error handling at the Rust-to-C++ FFI boundary causes Zebra to incorrectly accept transactions with undefined hash types by reusing stale buffer data from prior valid signature checks, while zcashd correctly rejects these transactions. Attackers can exploit this by chaining OP_CHECKSIGVERIFY with OP_CHECKSIG opcodes using invalid hash types to trigger acceptance on Zebra nodes but rejection on zcashd nodes, creating a consensus split that could enable double-spend attacks. Vendor-released patch: 4.4.0. No public exploit identified at time of analysis, but the technical mechanism is fully disclosed in the GitHub advisory GHSA-gq4h-3grw-2rhv.

Jwt Attack Information Disclosure
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-34327 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Remote unauthenticated attackers can exploit a server-side request forgery (SSRF) vulnerability in Microsoft Partner Center to access internal resources and perform spoofing attacks. The vulnerability allows high-level information disclosure with limited integrity impact, requiring no user interaction or special privileges. Microsoft has released a security patch, and while CVSS rates this 8.2 (High), no active exploitation or public proof-of-concept has been identified at time of analysis.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-33587 CRITICAL Act Now

Server-Side Template Injection in Open Notebook v1.8.3 enables arbitrary Python code execution and OS command execution within the Docker container through unsanitized user input in transformation features. The vulnerability requires local access (CVSS AV:L) but no authentication or user interaction, making it exploitable by any application user with access to the transformation creation interface. No public exploit code identified at time of analysis, though the GitHub security advisory provides technical details for reproduction.

Python Docker Code Injection
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.0%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy