Skip to main content
CVE-2026-44498 CRITICAL PATCH GHSA Act Now

Zebra's block validator fails to count transparent signature operations correctly, allowing malicious miners to create blocks that exceed the 20,000 sigop consensus limit and trigger network splits between Zebra and zcashd nodes. The vulnerability affects Zebra versions prior to 4.4.0 and stems from two distinct accounting flaws: (1) coinbase input scriptSigs were excluded from legacy sigop counts, hiding up to 98 operations, and (2) P2SH redeem script sigops were only computed during mempool validation but never aggregated during block validation. A miner could craft a single block with 1,334+ P2SH spends to exceed the limit and partition the Zcash network. Vendor-released patch: Zebra 4.4.0 (confirmed by GitHub advisory GHSA-jv4h-j224-23cc). No public exploit identified at time of analysis.

Information Disclosure
NVD GitHub
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-44542 CRITICAL PATCH GHSA Act Now

Path traversal in FileBrowser allows unauthenticated attackers possessing a valid public share hash with delete permissions to delete arbitrary files anywhere within the share owner's storage scope. The vulnerability exists in both stable and development versions due to user-controlled path input being joined with trusted base paths before sanitization in middleware.go:111 and resource.go:274. Proof-of-concept exploit code is publicly available via GitHub advisory GHSA-fwj3-42wh-8673. Vendor-released patch available in commit 112740bdd41de7d5eb01e13ba49d406bfc463f69.

Path Traversal
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-40982 CRITICAL PATCH GHSA Act Now

Directory traversal in Spring Cloud Config server module allows remote unauthenticated attackers to read arbitrary files from the file system using specially crafted URLs. Affects Spring Cloud Config versions 3.1.0-3.1.13, 4.1.0-4.1.9, 4.2.0-4.2.6, 4.3.0-4.3.2, and 5.0.0-5.0.2, with patches available across all branches. The vulnerability achieves CVSS 9.1 (Critical) due to remote exploitation without authentication (AV:N/AC:L/PR:N/UI:N) and high confidentiality/integrity impact, though EPSS and KEV data are not available to confirm active exploitation status. VMware/Spring has released fixes for all affected versions.

Java Path Traversal Spring Cloud Config
NVD HeroDevs
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-41105 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Server-side request forgery in Azure Monitor Action Group Notification System allows authenticated attackers with low privileges to access internal Azure resources and escalate privileges over the network. Microsoft has released a patch addressing this SSRF vulnerability. The attack requires low complexity and no user interaction, enabling authenticated users to abuse the notification service to make unauthorized requests to internal services, potentially accessing high-value confidential data or performing privileged operations within the Azure environment.

SSRF Microsoft
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42579 CRITICAL PATCH GHSA Act Now

Improper enforcement of RFC 1035 domain-name constraints in Netty's DNS codec (io.netty.handler.codec.dns.DnsCodecUtil) lets attacker-influenced names bypass validation in both directions: the decoder accepts oversized labels (>63 bytes) and total names (>255 bytes) from malicious DNS responses, growing an unbounded StringBuilder, while the encoder passes through null bytes and over-length labels and silently truncates on empty labels. This affects any Java application using netty-codec-dns or netty-resolver-dns (e.g. DnsNameResolver) up to 4.2.12.Final and 4.1.132.Final, enabling DNS cache poisoning, domain allowlist/validation bypass, and memory-exhaustion denial of service. Publicly available exploit code exists (vendor-supplied encoder and decoder PoCs verified on 4.2.12.Final), but EPSS is very low (0.04%, 13th percentile) and it is not in CISA KEV.

Denial Of Service Java
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-7891 CRITICAL Act Now

Anonymous authorization bypass in Mendix Studio Pro (all versions up to 11.8.0 Beta) causes the Anonymous user role to silently follow standard user-inheritance rules, so an unauthenticated visitor can read every record in an entity even when no access rights are configured for that role. Demonstrated in DIVD's VerySecureApp (≤1.1.0), the flaw exposes entire datasets to anonymous callers whenever anonymous access is enabled to publish an entity publicly. There is no public exploit identified at time of analysis, EPSS is very low (0.04%), and it is not on CISA KEV, but SSVC rates technical impact as total and automatable.

Information Disclosure Verysecureapp
NVD VulDB
CVSS 4.0
9.1
EPSS
0.0%
CVE-2026-42584 CRITICAL PATCH GHSA Act Now

HTTP response desynchronization in Netty's HttpClientCodec (netty-codec-http 4.1.x through 4.1.132.Final and 4.2.0.Alpha1 through 4.2.12.Final) lets a malicious or misbehaving server cause one request's response body to be parsed as another's. Because the codec polls its request queue once per inbound response — including for informational 1xx — a pipelined GET+HEAD sequence preceded by a 103 mispairs the HEAD with the GET's 200, leaving GET entity bytes on the wire so the following response is parsed from the wrong offset. Rated CVSS 9.1 (I:H/A:H), publicly available exploit code exists (a vendor PoC ships in the advisory), though EPSS is very low (0.04%) and it is not on CISA KEV.

Request Smuggling Information Disclosure Java
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-44007 CRITICAL PATCH GHSA Act Now

{nesting:true, require:false} are fully compromised — attackers can execute arbitrary OS commands as the host process user. Publicly available exploit code exists (proof-of-concept demonstrated command execution via child_process). CVSS 9.1 indicates high privileges required (PR:H), meaning the host must explicitly enable nesting:true, but the severity reflects scope change (S:C) when this non-default configuration is present. Vendor-released patch in vm2 3.11.1 converts contradictory configuration into a runtime error at NodeVM construction time, preventing silent sandbox escape.

Command Injection Authentication Bypass RCE Docker Node.js
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-41902 CRITICAL PATCH Act Now

{hash} endpoint accepts 60-character invite_hash values with no time-based expiration, remaining valid indefinitely until consumed. Attackers who obtain leaked invite links through forwarded emails, HTTP referrer logs, CDN access logs, or archived messages can set passwords for target accounts months or years post-issuance. CVSS 9.1 (Critical) with network vector and no authentication required. Patched in version 1.8.217 with 7-day invite expiration. EPSS and KEV data not available; no public exploit code identified at time of analysis.

Information Disclosure Freescout
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-44513 HIGH PATCH GHSA This Week

Remote code execution in Hugging Face diffusers library (all versions < 0.38.0) bypasses the trust_remote_code=False security gate when users load models via DiffusionPipeline.from_pretrained. Three distinct attack vectors exist: cross-repository custom_pipeline parameters, local snapshots combined with Hub custom_pipeline references, and local snapshots containing malicious custom component files. The vulnerability stems from implementing the trust_remote_code check in DiffusionPipeline.download() instead of at the actual dynamic module load point, allowing multiple code paths to skip the security control entirely. Vendor-released patch: diffusers 0.38.0 (confirmed by GitHub advisory GHSA-98h9-4798-4q5v and PR #13448). No public exploit identified at time of analysis; exploitation requires user interaction (loading a model from an attacker-controlled source).

Code Injection RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-6692 HIGH This Week

Remote code execution in Slider Revolution for WordPress versions 7.0.0 through 7.0.10 allows authenticated attackers with subscriber-level privileges to upload executable files via insufficient file type validation in '_get_media_url' and '_check_file_path' functions. A partial patch in 7.0.10 was insufficient, requiring upgrade to 7.0.11 for complete remediation. With CVSS 8.8 (High) and low privilege requirements (subscriber accounts are commonly available or easily created), this represents significant risk for WordPress installations using affected versions, though no active exploitation has been confirmed via CISA KEV at time of analysis.

WordPress File Upload RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-42215 HIGH POC PATCH GHSA This Week

Command injection in GitPython 3.1.30-3.1.46 allows remote authenticated attackers to execute arbitrary commands via underscore-formatted kwargs that bypass unsafe option validation. Applications passing attacker-controlled kwargs to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() are vulnerable even when allow_unsafe_options=False (default). GitHub-confirmed exploit with vendor-released patch 3.1.47. CVSS 8.8 reflects network vector with low complexity and authenticated access; no EPSS/KEV data indicates exploitation not yet widespread beyond proof-of-concept demonstration.

Python Command Injection Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41139 HIGH PATCH GHSA This Week

Remote code execution in Math.js expression parser allows authenticated attackers to execute arbitrary JavaScript code in versions 13.1.0 through 15.1.x. The vulnerability stems from unsafe property access controls (CWE-915) that can be exploited via crafted mathematical expressions. Patched in version 15.2.0 with comprehensive property access validation (commit bcf0da4, PR #3656). No active exploitation confirmed by CISA KEV, but public patch code reveals exploitable attack surface involving prototype pollution or unsafe property traversal. CVSS 8.8 with network vector and low complexity indicates high real-world risk for applications exposing Math.js parsing to user input.

Node.js Information Disclosure Mathjs
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-42216 HIGH PATCH This Week

Out-of-bounds read in OpenEXR 3.0.0-3.4.10 allows remote attackers to trigger information disclosure and denial of service by sending malformed EXR image files containing manipulated prefix-compressed strings in IDManifest structures. The vulnerability bypasses bounds checking when reconstructing strings longer than 255 bytes, reading memory outside allocated buffers. EPSS data not available; no public exploit confirmed at time of analysis. Patches released in versions 3.2.9, 3.3.11, and 3.4.11.

Information Disclosure Buffer Overflow Openexr
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-3953 HIGH This Week

Cross-site scripting in Gosoft Proticaret E-Commerce v5.0.0 through v6.0.1767.1383 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted HTTP requests. Despite the 8.8 CVSS score indicating complete compromise (High C/I/A), the CVSS vector reveals this is a reflected XSS requiring user interaction (UI:R), not a stored or blind XSS. The vulnerability is unscoped (S:U), meaning impact is confined to the vulnerable application. No active exploitation confirmed via CISA KEV and no public exploit code identified at time of analysis. TR-CERT advisory available with remediation guidance.

XSS Proticaret E Commerce
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-63705 HIGH GHSA This Week

Command injection in node-ts-ocr 1.0.15 enables authenticated attackers to execute arbitrary operating system commands through the invokeImageOcr function. The vulnerability requires low-complexity exploitation with no user interaction, allowing complete compromise of confidentiality, integrity, and availability on affected systems. Public proof-of-concept code exists (GitHub Gist), though EPSS assessment indicates 0.04% probability of active exploitation within 30 days and the vulnerability is not listed in CISA KEV, suggesting targeted rather than widespread exploitation risk.

Node.js Command Injection N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41142 HIGH PATCH This Week

Integer overflow in OpenEXR ImageChannel::resize function enables heap buffer overflow through crafted EXR files processed via the OpenEXRUtil public API. Affects OpenEXR versions 3.0.0-3.2.8, 3.3.0-3.3.10, and 3.4.0-3.4.10 from the Academy Software Foundation's motion picture image format library. Vendor-released patches in versions 3.2.9, 3.3.11, and 3.4.11 add overflow validation before pixel buffer allocation. CVSS 8.8 with network vector but requires user interaction (opening malicious file). No public exploit or active exploitation identified at time of analysis.

Integer Overflow Buffer Overflow Openexr
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41143 HIGH PATCH GHSA This Week

{formId} endpoint to dump database contents, extract credentials, or manipulate data. Time-based blind SQLi confirmed via SLEEP() injection with 3-second delays, and error-based extraction confirmed via extractvalue() technique. Patched in version 4.6.1. EPSS data not available; no CISA KEV listing identified at time of analysis.

PHP SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30495 HIGH This Week

Unauthenticated remote root access on Optoma CinemaX P2 smart projectors allows network attackers to execute arbitrary code with full system privileges. The device ships with ADB enabled on TCP 5555 without authentication (ro.adb.secure=0) and contains an unrestricted su binary, enabling complete device compromise including WiFi credential theft, malware installation, and data exfiltration. EPSS score (0.02%, 6th percentile) indicates low widespread exploitation probability, though SSVC framework assesses total technical impact. No public exploit code or active exploitation confirmed at time of analysis.

Authentication Bypass Google N A
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5784 HIGH PATCH This Week

Stored cross-site scripting in DivvyDrive 4.8.2.9 through 4.8.3.1 enables remote attackers to inject malicious scripts that execute in victim browsers with high integrity impact (CVSS 8.8). The vulnerability requires user interaction but no authentication, allowing attackers to compromise confidentiality, integrity, and availability of user sessions. Reported by TR-CERT with vendor patch released in version 4.8.3.2. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.

XSS Divvydrive
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6002 HIGH PATCH This Week

Cross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers, leading to session hijacking, credential theft, and malicious actions performed under victim's identity. The CVSS score of 8.8 (High) reflects the broad impact scope (confidentiality, integrity, availability all rated High), though user interaction is required. TR-CERT disclosure indicates awareness within Turkish government cybersecurity circles, but no CISA KEV listing or public exploit code identified at time of analysis, suggesting limited active exploitation outside potential targeted campaigns.

XSS Divvydrive
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44522 HIGH PATCH GHSA This Week

Path traversal in Note Mark's asset upload feature allows authenticated users to inject directory traversal sequences into asset filenames via the X-Name HTTP header, which are stored unsanitized in the database. When an administrator subsequently runs data export CLI commands (typically as root in Docker deployments), the malicious filenames cause arbitrary file writes anywhere on the filesystem through Go's filepath.Join() path normalization. Attackers can achieve remote code execution as root by overwriting system binaries like /bin/bash or injecting cron jobs. Publicly available exploit code exists with video proof-of-concept demonstrating full RCE chain. Vendor-released patch available in version 0.19.4. CVSS 8.6 reflects network attack vector with low complexity but requires authenticated access and administrator interaction to trigger the export process.

Docker RCE OpenSSL Path Traversal
NVD GitHub
CVSS 4.0
8.6
EPSS
0.8%
CVE-2026-28201 HIGH This Week

Cross-site request forgery (CSRF) in Open Notebook v1.8.1 enables remote attackers to manipulate or delete database entries through social engineering attacks. The vulnerability combines input validation flaws (CWE-20) with overly permissive default CORS settings, allowing malicious sites to send authenticated requests on behalf of legitimate users. Attackers craft malicious URLs that, when clicked by authenticated users, execute unauthorized database operations including data modification, deletion, and potential exfiltration depending on deployment configuration. No public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Open Notebook
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41505 HIGH PATCH This Week

Predictable token generation in RELATE courseware allows remote attackers to forge authentication and exam access tokens. The vulnerability affects two critical security functions: make_sign_in_key() in auth.py (user authentication) and gen_ticket_code() in exam.py (exam access control). Weak pseudorandom number generation (CWE-338) enables attackers with high complexity to bypass authentication mechanisms and gain unauthorized access to exams with potential for integrity and availability compromise across security boundaries (CVSS scope change). Patched in commit 2f68e16. EPSS data not available; no public exploit identified at time of analysis.

Information Disclosure Relate
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-44001 HIGH PATCH GHSA This Week

Remote unauthenticated attackers can crash Node.js processes running vm2 <= 3.10.5 by triggering an unhandled Promise rejection that terminates the host application. The vulnerability exploits an incomplete fix for CVE-2026-22709 - while previous patches sanitized `.then()` and `.catch()` callback chains, they failed to intercept unhandled rejections originating from Promise constructor executors. Publicly available exploit code exists (GitHub advisory GHSA-hw58-p9xv-2mjh). The attack requires minimal resources (150-byte HTTP request) but achieves high impact by crashing entire server processes serving all concurrent users, with demonstrated persistent DoS despite container orchestration restart policies.

Kubernetes Denial Of Service Docker Node.js
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-44504 HIGH PATCH GHSA This Week

{thread_id}/runs endpoints. Thread IDs leak through frontend URLs, server logs, and observability traces, eliminating need for enumeration. Vendor-released patch (v0.9.7) confirmed by GitHub advisory GHSA-m98r-6667-4wq7. No active exploitation or POC identified at time of analysis, though detailed reproducer exists in issue #336.

Authentication Bypass Checkpoint Python
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-43998 HIGH PATCH GHSA This Week

Remote code execution in vm2 NodeVM sandbox allows untrusted code to bypass `require.root` path restrictions and load arbitrary modules from outside the allowed root directory via symlink traversal. The vulnerability exploits a check/use path discrepancy: path validation uses `path.resolve()` which does not dereference symlinks, but module loading uses Node's native `require()` which does follow symlinks. Attackers with ability to submit code to the sandbox (the intended use case) can load host-realm modules like vm2 itself or child_process to achieve arbitrary command execution. Confirmed actively exploited (CISA KEV) with publicly available exploit code. Common in production environments using pnpm (where ALL node_modules are symlinks), npm workspaces, or npm link. Vendor-released patch: vm2 3.11.0.

Node.js RCE
NVD GitHub
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-25705 HIGH PATCH GHSA This Week

Path traversal in Rancher's UI Extensions mechanism allows authenticated administrators to write arbitrary files to the Rancher server filesystem, potentially overwriting binaries, tampering with cluster state in /var/lib/rancher/, or compromising the host node if hostPath volumes are mounted. This affects Rancher versions 2.10.11 through 2.14.0. While exploitation requires high privileges (administrator access by default) and user interaction to install a malicious extension, the changed scope (S:C) in CVSS 3.1 indicates potential container escape or cross-component impact. Vendor-released patches are available across all affected release branches (2.11.13, 2.12.9, 2.13.5, 2.14.1). No public exploit identified at time of analysis, though the attack technique (CAPEC-126 path traversal) is well-documented.

Path Traversal Suse
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-1978 HIGH This Week

Remote code execution in Hitachi Virtual Storage Platform G, F, E, and One Block series allows unauthenticated network attackers to execute arbitrary code on storage controllers and maintenance consoles with low impact across confidentiality, integrity, and availability due to changed scope (CVSS 8.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C). The vulnerability affects the Storage Navigator interface and maintenance console across multiple VSP product lines spanning enterprise and mid-range storage arrays. EPSS data not available; no evidence of active exploitation or public POC at time of analysis. Vendor-released patches available with specific firmware versions required for each product family.

Code Injection RCE Hitachi Virtual Storage Platform G130 G150 G350 G370 G700 G900 F350 F370 F700 F900 Hitachi Virtual Storage Platform E390 E590 E790 E990 E1090 E390H E590H E790H E1090H Hitachi Virtual Storage Platform One Block 23 One Block 24 One Block 26 One Block 28
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-41490 HIGH PATCH GHSA This Week

SQL injection in Dagster orchestration platform allows authenticated users with 'Add Dynamic Partitions' permission to execute arbitrary SQL against DuckDB, Snowflake, BigQuery, and DeltaLake databases via crafted partition keys. Affected I/O managers interpolate dynamic partition values into WHERE clauses without sanitization, enabling attackers to read or modify data under the I/O manager's database credentials. Only deployments using dynamic partitions are vulnerable - static and time-window partitions are unaffected. Vendor-released patches are available (Dagster Core 1.13.1, libraries 0.29.1). No public exploit code identified at time of analysis, though exploitation is straightforward for authenticated users with the specific permission.

SQLi Dagster
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2025-14341 HIGH PATCH This Week

Remote attackers can cause excessive resource allocation and flooding attacks in DivvyDrive 4.8.2.19 through 4.8.3.1 by exploiting uncontrolled object attribute modification combined with absent resource throttling. The vulnerability permits low confidentiality impact but high integrity and availability compromise when a user interacts with attacker-controlled content. TR-CERT has issued an advisory, though no CISA KEV listing or public exploit code has been identified at time of analysis. EPSS data not available to assess exploitation probability.

Information Disclosure Divvydrive
NVD
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-42083 HIGH PATCH GHSA This Week

Authentication bypass in free5GC Policy Control Function (PCF) allows unauthenticated network attackers to access Session Management policy control APIs and exfiltrate subscriber identities (SUPI). The Npcf_SMPolicyControl service group omits RouterAuthorizationCheck middleware, permitting OAuth-less access to four policy management endpoints that should require service-to-service authentication. Publicly available exploit code exists. CVSS 8.2 reflects direct network access with no authentication barrier, high confidentiality impact from SUPI disclosure, and low integrity impact from unauthorized policy manipulation. No EPSS or KEV data available, but PoC in vendor advisory demonstrates trivial exploitation against default SBI deployments.

Authentication Bypass Ubuntu
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-42590 HIGH PATCH GHSA This Week

Remote attackers can manipulate server filesystem operations in Gotenberg v8 by bypassing ExifTool metadata blocklist using group-prefix syntax (e.g., 'File:FileName' instead of 'FileName'). The vulnerability allows unauthenticated file renaming, moving, symlink/hardlink creation, and permission modification on the server. This directly bypasses the previous fix for GHSA-qmwh-9m9c-h36m. Public exploit code exists with working PoC commands. In non-containerized deployments or those with mounted volumes, attackers can achieve arbitrary file read via symlink chaining and file overwrites. CVSS 8.2 (High) with network vector, low complexity, and no authentication required.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-42591 HIGH PATCH GHSA This Week

Server-Side Request Forgery in Gotenberg's LibreOffice conversion endpoint allows remote attackers to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Attackers upload specially crafted Office documents (DOCX, XLSX, PPTX) with embedded external URL references that LibreOffice fetches during PDF conversion, completely bypassing the SSRF protections introduced in v8.31.0. Publicly available exploit code exists with detailed proof-of-concept showing three successful HTTP requests to attacker-controlled servers. The vulnerability enables exfiltration of cloud IAM credentials from metadata services (169.254.169.254), internal service enumeration, and network reconnaissance without authentication. CVSS 8.2 with network vector and no privileges required reflects accurate real-world risk given documented exploitation method and lack of vendor-released patch.

SSRF Microsoft Docker Google OpenSSL
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-33589 HIGH This Week

Path traversal in Open Notebook v1.8.3's file upload functionality allows unauthenticated local users to read arbitrary files from the Docker container filesystem. The vulnerability stems from insufficient input validation, enabling attackers to bypass directory restrictions and access sensitive container files including configuration data, environment variables, and application secrets. CVSS 8.2 (High severity) reflects substantial confidentiality impact across system and container scopes, though no public exploit code or active exploitation has been identified at time of analysis.

Docker File Upload Path Traversal
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-42225 HIGH PATCH This Week

Certificate validation bypass in PJSIP versions before 2.17 allows remote attackers to perform man-in-the-middle attacks against TLS connections when built with GnuTLS. Despite applications explicitly enabling certificate verification through verify_server or verify_client flags, the SIP TLS transport accepts connections with invalid or untrusted certificates, exposing SIP signaling to interception and manipulation. Vendor-released patch available in version 2.17 with GitHub commit ef684252. No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given the network attack vector and low complexity (CVSS:4.0 AV:N/AC:L/PR:N).

Information Disclosure Pjproject
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-7252 HIGH This Week

Arbitrary file deletion in WP-Optimize plugin versions ≤4.5.2 allows authenticated attackers with Author-level privileges to delete critical server files including wp-config.php, enabling remote code execution. The vulnerability exploits insufficient path validation in the unscheduled_original_file_deletion function combined with the non-protected 'original-file' meta key that Authors can manipulate via WordPress's Edit Media form or REST API. Wordfence discovered this CWE-22 path traversal flaw affecting the popular WordPress optimization plugin used on hundreds of thousands of sites.

PHP RCE WordPress Path Traversal
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-9661 HIGH This Week

Remote command injection in Hitachi Virtual Storage Platform One Block versions 23, 24, 26, and 28 allows unauthenticated attackers to execute arbitrary OS commands through the management GUI maintenance utility. The vulnerability affects the DKCMAIN and ESM components prior to versions A3-04-21-40/00 and A3-04-21/00 respectively. With CVSS 8.1 (High) and network attack vector, this represents significant risk to enterprise storage infrastructure, though AC:H indicates exploitation requires specialized conditions. No active exploitation confirmed (not in CISA KEV) and EPSS data not available at time of analysis.

Command Injection Hitachi Virtual Storage Platform One Block 23 Hitachi Virtual Storage Platform One Block 24 Hitachi Virtual Storage Platform One Block 26 Hitachi Virtual Storage Platform One Block 28
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-42284 HIGH PATCH GHSA This Week

Remote code execution in GitPython < 3.1.47 allows unauthenticated network attackers to inject malicious Git configuration during repository clone operations via crafted multi_options arguments. The _clone() method validates options before shlex.split transformation, enabling attackers to bypass unsafe option checks by embedding commands like '--config core.hooksPath=/attacker/path' within '--branch' strings. Git then executes attacker-controlled hooks during clone. Vendor-released patch available in version 3.1.47. CVSS 8.1 with high attack complexity; no EPSS or KEV data available, but public exploit code exists per GitHub security advisory GHSA-x2qx-6953-8485.

Python Information Disclosure Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42239 HIGH PATCH GHSA This Week

Session hijacking via JavaScript-readable authentication cookies in Budibase versions prior to 3.35.10 allows any Cross-Site Scripting (XSS) vulnerability to escalate into full account takeover. The budibase:auth cookie containing the JWT session token is set with httpOnly: false, enabling JavaScript to read it via document.cookie. Combined with confirmed prior XSS vulnerabilities in Budibase (GHSA-gp5x-2v54-v2q5), attackers can exfiltrate session tokens and gain persistent access to victim accounts. The cookie also lacks secure and sameSite flags, exposing tokens over plaintext HTTP. No public exploit identified at time of analysis. EPSS data not available. Patch available in version 3.35.10.

XSS Budibase
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-8093 HIGH PATCH This Week

Multiple memory corruption vulnerabilities in Firefox 150.0.1 enable potential remote code execution through memory safety flaws in the browser engine. Mozilla's advisory references 10 distinct bugs demonstrating memory corruption, which with sufficient exploitation effort could allow arbitrary code execution. Firefox 150.0.2 addresses these vulnerabilities. CVSS rates this 7.5 High (network-exploitable, no authentication required), though the vector indicates only availability impact, contradicting the RCE assessment in Mozilla's advisory. SSVC framework confirms no active exploitation and partial technical impact.

Mozilla RCE Buffer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-8092 HIGH PATCH This Week

Multiple memory corruption vulnerabilities in Mozilla Firefox allow remote code execution through browser rendering engine flaws. Firefox ESR 115.35.1, Firefox ESR 140.10.1, and Firefox 150.0.1 contain memory safety bugs with evidence of memory corruption that could enable arbitrary code execution. Fixed versions are available (Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2). EPSS score of 0.01% indicates very low exploitation probability in the wild, and SSVC framework shows no confirmed exploitation and non-automatable attacks. Despite high CVSS 8.1, real-world exploitation requires significant complexity (AC:H), reducing immediate risk for most environments.

Mozilla Information Disclosure RCE Buffer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2024-43384 HIGH PATCH This Week

A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or transfer. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Fl Mguard 2102 Fl Mguard 2105 Fl Mguard 4102 Pci Fl Mguard 4102 Pcie +32
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-8034 HIGH This Week

Server-side request forgery in GitHub Enterprise Server's notebook viewer enables remote unauthenticated attackers to access internal services and systems through URL parser confusion. The vulnerability exploits discrepancies between validation and request execution parsers, allowing crafted URLs to bypass hostname checks and target unintended internal hosts. All versions prior to 3.21 are affected, with patches available across supported release branches (3.16.18, 3.17.15, 3.18.9, 3.19.6, 3.20.2). CVSS 7.9 reflects high impact to subsequent system confidentiality, integrity, and availability. No active exploitation confirmed (not in CISA KEV); reported through GitHub Bug Bounty program.

SSRF Enterprise Server
NVD GitHub VulDB
CVSS 4.0
7.9
EPSS
0.0%
CVE-2026-42214 HIGH PATCH This Week

Command injection in Notepad Next versions prior to 0.14 allows arbitrary code execution when opening a specially crafted file. The detectLanguageFromExtension() function directly interpolates file extensions into a Lua script without sanitization, and because the full Lua standard libraries (os, io, package) are unconditionally loaded, an attacker can execute system commands by embedding Lua code in a malicious filename. Vendor-released patch available in version 0.14 (commit f3ca1b10). EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

Code Injection RCE Notepadnext
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-44471 HIGH PATCH GHSA This Week

Path traversal via symlink prefix reuse in gitoxide's gix-fs crate allows arbitrary code execution when cloning malicious repositories. Attackers can construct Git trees with duplicate symlink/directory entries that escape the worktree during checkout, writing controlled files to sensitive locations like .git/hooks or ~/.local/bin on Unix systems. Publicly available exploit code exists (PoC script provided in advisory). CVSS 7.8 reflects local attack vector with required user interaction (cloning the malicious repo), but real-world impact is high given code execution potential.

RCE
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-42459 HIGH PATCH GHSA This Week

Internal infrastructure disclosure in the free5GC UDM network function (Go package github.com/free5gc/udm, versions <= v1.4.2) lets unauthenticated remote attackers leak the internal address and API layout of the UDR. Six GET handlers in the nudm-sdm Subscriber Data Management service skip the validator.IsValidSupi() check, so a SUPI path parameter containing control characters (e.g. a NULL byte) propagates into the UDM-to-UDR URL, breaks Go's net/url parser, and is echoed back inside a 500 SYSTEM_FAILURE error detail. Publicly available exploit code exists (a curl-based PoC is published in the advisory and CVSS marks exploit maturity as Proof-of-Concept), but it is not listed in CISA KEV and no EPSS score was provided; impact is limited to confidentiality of infrastructure metadata that aids further intrusion rather than direct data theft or code execution.

Code Injection
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-41905 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in FreeScout allows authenticated users to access internal network resources and cloud metadata services via HTTP redirect bypass. The vulnerability in Helper::sanitizeRemoteUrl() re-validates the original URL instead of the final redirect destination, enabling attackers to bypass allowlist controls and reach RFC1918 private networks, cloud metadata APIs (169.254.169.254), and internal HTTP services. FreeScout versions prior to 1.8.217 are affected. Vendor-released patch version 1.8.217 is available. No public exploit code or CISA KEV listing identified at time of analysis, but SSRF vulnerabilities are frequently exploited in cloud environments for credential theft and lateral movement.

SSRF PHP
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-41688 HIGH This Week

DNS rebinding bypass in Wallos subscription tracker allows authenticated users to exfiltrate internal network data via SSRF on 10 of 11 HTTP endpoints. Wallos 4.8.4 and prior validate webhook URLs with gethostbyname() but fail to pin DNS resolution in cURL requests, creating a time-of-check-time-of-use race window. Attackers with low-privilege accounts can exploit this to probe internal services (databases, cloud metadata endpoints, admin panels) despite SSRF defenses. EPSS not yet available for this recent CVE. No vendor-released patch at time of analysis - upstream commit e87387f0 exists but tagged release version not confirmed.

SSRF Wallos
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-68060 HIGH This Week

SQL injection in Team Member WordPress plugin versions up to 8.5 allows authenticated administrators to extract database contents via blind SQL injection. Reported by Patchstack, this vulnerability requires high-level privileges (PR:H) but enables cross-scope confidentiality breach (S:C), allowing attackers to read sensitive data beyond their normal authorization boundaries. EPSS data and KEV status not provided; no public exploit code confirmed at time of analysis.

SQLi Team Member
NVD
CVSS 3.1
7.6
EPSS
0.0%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy