Skip to main content
CVE-2026-42214 HIGH PATCH This Week

Command injection in Notepad Next versions prior to 0.14 allows arbitrary code execution when opening a specially crafted file. The detectLanguageFromExtension() function directly interpolates file extensions into a Lua script without sanitization, and because the full Lua standard libraries (os, io, package) are unconditionally loaded, an attacker can execute system commands by embedding Lua code in a malicious filename. Vendor-released patch available in version 0.14 (commit f3ca1b10). EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

Code Injection RCE Notepadnext
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-44471 HIGH PATCH GHSA This Week

Path traversal via symlink prefix reuse in gitoxide's gix-fs crate allows arbitrary code execution when cloning malicious repositories. Attackers can construct Git trees with duplicate symlink/directory entries that escape the worktree during checkout, writing controlled files to sensitive locations like .git/hooks or ~/.local/bin on Unix systems. Publicly available exploit code exists (PoC script provided in advisory). CVSS 7.8 reflects local attack vector with required user interaction (cloning the malicious repo), but real-world impact is high given code execution potential.

RCE
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-42459 HIGH PATCH GHSA This Week

Internal infrastructure disclosure in the free5GC UDM network function (Go package github.com/free5gc/udm, versions <= v1.4.2) lets unauthenticated remote attackers leak the internal address and API layout of the UDR. Six GET handlers in the nudm-sdm Subscriber Data Management service skip the validator.IsValidSupi() check, so a SUPI path parameter containing control characters (e.g. a NULL byte) propagates into the UDM-to-UDR URL, breaks Go's net/url parser, and is echoed back inside a 500 SYSTEM_FAILURE error detail. Publicly available exploit code exists (a curl-based PoC is published in the advisory and CVSS marks exploit maturity as Proof-of-Concept), but it is not listed in CISA KEV and no EPSS score was provided; impact is limited to confidentiality of infrastructure metadata that aids further intrusion rather than direct data theft or code execution.

Code Injection
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-41905 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in FreeScout allows authenticated users to access internal network resources and cloud metadata services via HTTP redirect bypass. The vulnerability in Helper::sanitizeRemoteUrl() re-validates the original URL instead of the final redirect destination, enabling attackers to bypass allowlist controls and reach RFC1918 private networks, cloud metadata APIs (169.254.169.254), and internal HTTP services. FreeScout versions prior to 1.8.217 are affected. Vendor-released patch version 1.8.217 is available. No public exploit code or CISA KEV listing identified at time of analysis, but SSRF vulnerabilities are frequently exploited in cloud environments for credential theft and lateral movement.

SSRF PHP
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-41688 HIGH This Week

DNS rebinding bypass in Wallos subscription tracker allows authenticated users to exfiltrate internal network data via SSRF on 10 of 11 HTTP endpoints. Wallos 4.8.4 and prior validate webhook URLs with gethostbyname() but fail to pin DNS resolution in cURL requests, creating a time-of-check-time-of-use race window. Attackers with low-privilege accounts can exploit this to probe internal services (databases, cloud metadata endpoints, admin panels) despite SSRF defenses. EPSS not yet available for this recent CVE. No vendor-released patch at time of analysis - upstream commit e87387f0 exists but tagged release version not confirmed.

SSRF Wallos
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-68060 HIGH This Week

SQL injection in Team Member WordPress plugin versions up to 8.5 allows authenticated administrators to extract database contents via blind SQL injection. Reported by Patchstack, this vulnerability requires high-level privileges (PR:H) but enables cross-scope confidentiality breach (S:C), allowing attackers to read sensitive data beyond their normal authorization boundaries. EPSS data and KEV status not provided; no public exploit code confirmed at time of analysis.

SQLi Team Member
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-41904 HIGH PATCH This Week

Stored XSS in FreeScout's auto-reply feature allows authenticated users with updateAutoReply permission to inject malicious scripts that execute in customer email clients. Every customer contacting the affected mailbox receives the weaponized auto-reply email, where the payload executes without CSP protection in webmail or email client contexts. The vulnerability affects FreeScout versions prior to 1.8.217, which contains the vendor-released patch. EPSS data not provided, no CISA KEV listing indicates limited observed exploitation despite the chain-reaction impact potential.

XSS Freescout
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-33111 HIGH PATCH NEWS NO ACTION HOSTED Exploit Unlikely Monitor

Remote unauthenticated command injection in Microsoft's Copilot Chat for Edge browser enables information disclosure via crafted network requests. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates attackers can exploit this remotely without authentication or user interaction, though impact is limited to confidentiality (C:H/I:N/A:N). Microsoft has released a patch per MSRC advisory. No active exploitation confirmed by CISA KEV at time of analysis, though the low attack complexity and lack of authentication requirements make this readily exploitable once technical details emerge.

Microsoft Command Injection
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26164 HIGH PATCH NEWS NO ACTION HOSTED Exploit Unlikely Monitor

Injection vulnerability in Microsoft 365 Copilot's Business Chat enables remote unauthenticated attackers to extract sensitive information through specially crafted inputs. Microsoft has released a patch addressing this CWE-74 injection flaw. With CVSS 7.5 (High), network-accessible attack vector, and no authentication required, this represents a significant exposure for organizations using Copilot Business Chat, though no active exploitation is confirmed at time of analysis.

Information Disclosure Microsoft 365 Copilot S Business Chat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26129 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Remote unauthenticated attackers can disclose sensitive information from Microsoft 365 Copilot's Business Chat through improper input neutralization (CVSS 7.5). The vulnerability allows network-based exploitation with low complexity and no user interaction required. Vendor-released patch available via Microsoft Security Response Center (MSRC-2026-26129). No public exploit identified at time of analysis, though the low attack complexity (AC:L) and lack of authentication requirements (PR:N) increase realistic exploitation risk.

Information Disclosure Microsoft 365 Copilot S Business Chat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-44004 HIGH PATCH GHSA This Week

Denial-of-service in vm2 Node.js sandbox allows unauthenticated remote attackers to crash host processes via unbounded Buffer.alloc() calls. The vm2 library's timeout mechanism cannot interrupt synchronous C++ native calls, enabling attackers to bypass configured timeout limits and exhaust host heap memory with a single HTTP request. Version 3.11.0 patches this flaw by introducing bufferAllocLimit controls. Publicly available exploit code exists (GHSA-6785-pvv7-mvg7 includes working POC), and while EPSS data is unavailable and the vulnerability is not listed in CISA KEV, the vendor-confirmed POC demonstrates reliable exploitation against default configurations.

Kubernetes Denial Of Service Docker Node.js
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42587 HIGH PATCH GHSA This Week

Decompression bomb protection bypass in Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener allows remote unauthenticated attackers to trigger out-of-memory denial of service by switching Content-Encoding from gzip to brotli, zstd, or snappy. The configured maxAllocation parameter correctly limits gzip/deflate decompression but is silently ignored for these alternative encodings, enabling attackers to decompress gigabytes of data from kilobyte-sized payloads. Affects both HTTP/1.1 (netty-codec-http) and HTTP/2 (netty-codec-http2) implementations. CVSS 7.5 (High) with network vector, low complexity, and no authentication required. Vendor-released patches available: versions 4.1.133.Final and 4.2.13.Final. No active exploitation confirmed at time of analysis, but publicly disclosed proof-of-concept demonstrates trivial header-based bypass requiring only changing 'Content-Encoding: gzip' to 'Content-Encoding: br'.

Denial Of Service Java Python
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42583 HIGH PATCH GHSA This Week

Memory exhaustion in Netty's Lz4FrameDecoder allows remote unauthenticated attackers to cause denial of service by sending minimal malicious data that triggers disproportionate server-side memory allocation. A 22-byte crafted LZ4 frame forces the decoder to allocate up to 32MB of heap memory per request, enabling resource exhaustion attacks against Java applications using Netty's compression codec. Publicly available exploit code exists (PoC published in GitHub advisory GHSA-mj4r-2hfc-f8p6). CVSS 7.5 indicates network-exploitable high-availability impact with no authentication or complexity barriers, though real-world risk depends on whether LZ4 decompression is exposed to untrusted network inputs.

Denial Of Service Java Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42582 HIGH PATCH GHSA This Week

Memory exhaustion in Netty HTTP/3 codec allows remote attackers to cause server crash or denial of service through malformed QPACK headers. The vulnerability affects io.netty:netty-codec-http3 versions up to 4.2.12.Final and enables unauthenticated attackers to force gigabyte-scale memory allocations with minimal wire data-a crafted HEADERS frame of just 10 bytes can trigger ~1 GiB allocation. Publicly available exploit code exists (PoC provided in GitHub advisory GHSA-2c5c-chwr-9hqw). CVSS 7.5 (High) reflects network-accessible attack requiring no privileges or user interaction.

Denial Of Service Java
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44248 HIGH PATCH GHSA This Week

Memory and CPU exhaustion in the Netty MQTT codec (io.netty:netty-codec-mqtt) lets remote unauthenticated attackers send oversized MQTT 5 header Properties that are decoded and buffered before the message size limit is enforced. Because MqttDecoder extends ReplayingDecoder, the enormous Properties section is repeatedly re-parsed and re-buffered until parsing completes, driving an application-availability denial of service. There is no public exploit identified at time of analysis, and EPSS is very low (0.04%), but the flaw is automatable and trivial to trigger against any MQTT 5 broker or client built on Netty.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42594 HIGH PATCH GHSA This Week

Unauthenticated remote attackers crash Gotenberg 8.x (≤ 8.31.0) by triggering a race condition between webhook goroutine context reuse and Echo framework connection pooling. When webhook middleware spawns an async goroutine holding an `echo.Context` reference, the synchronous handler returns immediately, recycling the context to Echo's `sync.Pool`. Concurrent requests reset the pooled context, causing unchecked type assertions in the still-running webhook goroutine to panic outside any `recover()` scope, terminating the process with exit code 2. Twenty-four webhook requests plus sixty concurrent GET requests demonstrate reliable two-second crash windows. No patch was available at initial disclosure; upstream commit fixes the panic in version 8.32.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects trivial unauthenticated network exploitation producing complete service disruption.

Kubernetes Denial Of Service Python Race Condition Docker +1
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4348 HIGH This Week

Unauthenticated SQL injection in BetterDocs Pro for WordPress allows remote attackers to extract sensitive database contents when the Encyclopedia feature is enabled. The vulnerability affects all versions up to 3.7.0 through unsanitized 'limit' parameters in two AJAX endpoints. With CVSS 7.5 (High severity) and network-based unauthenticated attack vector, this presents significant risk to sites using the Encyclopedia feature, though no active exploitation (KEV) or public POC has been identified at time of analysis. EPSS data not available for risk calibration.

SQLi WordPress
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40981 HIGH PATCH GHSA This Week

Remote unauthenticated attackers can access Google Secrets Manager credentials from unintended GCP projects via crafted requests to Spring Cloud Config servers using Google Secrets Manager as a backend. VMware confirmed this high-severity information disclosure vulnerability (CVSS 7.5) affecting all 3.1.x through 5.0.x versions. No CISA KEV listing or public exploit code identified at time of analysis, but the network-accessible attack vector with no authentication or user interaction required (AV:N/AC:L/PR:N/UI:N) indicates straightforward exploitation once attackers identify vulnerable Spring Cloud Config deployments with Google Secrets Manager integration.

Authentication Bypass Java Google Spring Cloud Config
NVD VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42501 HIGH PATCH This Week

The Go toolchain's module proxy validation can be bypassed by attackers controlling untrusted GOPROXY or GOSUMDB endpoints, allowing delivery of malicious toolchain versions that execute with developer privileges. When the go command downloads a different toolchain version (via GOTOOLCHAIN, go.mod, or go.work directives), a malicious proxy can serve altered toolchains by exploiting checksum database validation logic that incorrectly accepts empty responses. While EPSS indicates only 1% exploitation probability and CISA SSVC marks exploitation status as 'none', the total technical impact rating and network attack vector (AV:N) represent significant supply chain risk for organizations using non-default module proxies. Vendor patch available in Go 1.26.3 and 1.25.10.

Authentication Bypass Jwt Attack
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-65122 HIGH GHSA This Week

Regular expression denial of service (ReDoS) in youtube-regex npm package versions ≤1.0.5 allows remote unauthenticated attackers to cause service-level availability degradation through network-delivered crafted inputs. Attackers can trigger catastrophic backtracking in the regex parser, causing CPU exhaustion and application hang. SSVC framework confirms proof-of-concept code exists with automatable exploitation capability. While CVSS rates this high severity (7.5) for availability impact, real-world risk depends on whether the vulnerable package processes untrusted user input in production environments.

Denial Of Service Node.js
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40213 HIGH PATCH GHSA This Week

OpenStack Cyborg allows any authenticated user to reprogram FPGA bitstreams and execute privileged operations across arbitrary compute nodes due to unconditional authorization bypass in multiple API endpoints. Versions before 16.0.1 use rule:allow as the default policy, permitting any valid Keystone token holder-even users with zero role assignments-to perform administrative actions including FPGA reconfiguration via agent RPC. EPSS data not available, but the authentication bypass combined with scope change (CVSS S:C) and hardware manipulation capabilities represents significant risk in multi-tenant OpenStack deployments.

Authentication Bypass
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-42011 HIGH PATCH This Week

Certificate validation in GnuTLS can be bypassed when a certificate chain contains Certificate Authorities with only excluded name constraints followed by CAs with permitted name constraints. Remote attackers can exploit this flaw (CVSS 7.4, AV:N/AC:H) to present invalid certificates that pass validation, enabling man-in-the-middle attacks or service impersonation against TLS-protected communications. The vulnerability affects Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images. No public exploit or active exploitation confirmed at time of analysis, though the technical nature suggests targeted attacks against high-value certificate infrastructure are feasible.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +3
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-44511 HIGH PATCH GHSA This Week

Session replay vulnerability in Katalyst Koi admin authentication allows attackers with previously captured session cookies to maintain administrative access after legitimate logout. The issue affects Koi versions prior to 4.20.0 and 5.0.0-5.5.x, stemming from inadequate session invalidation that violates Rails security best practices for CookieStore session replay prevention. While the CVSS score of 7.4 reflects network-based attack potential, the AC:H rating and prerequisite of cookie interception significantly reduce real-world exploitation probability. No evidence of active exploitation or public POC exists at time of analysis, and vendor-released patches are available for both affected version ranges.

Information Disclosure
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-6735 HIGH PATCH This Week

Cross-site scripting (XSS) vulnerability in PHP 8.2.x (prior to 8.2.31) allows network-based attackers to inject malicious scripts that execute in victim browsers, compromising session tokens and potentially escalating to account takeover. Vendor-released patch (PHP 8.2.31) addresses this along with seven additional CVEs in a coordinated security release. CVSS 7.3 HIGH with user interaction required; exploitation status classified as POC-available per CVSS 4.0 vector (E:P), though public exploit code not independently verified at time of analysis.

XSS Microsoft PHP Suse Red Hat
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-8090 HIGH PATCH This Week

Use-after-free memory corruption in Firefox's DOM Networking component enables remote attackers to achieve unauthorized information disclosure, data manipulation, and service disruption without authentication or user interaction. Affects Firefox mainline and both Extended Support Release (ESR) branches. Mozilla shipped patches in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2. SSVC analysis indicates no confirmed exploitation but the vulnerability is fully automatable with partial technical impact across confidentiality, integrity, and availability. EPSS data not available but the network attack vector (AV:N) with no prerequisites (AC:L/PR:N/UI:N) presents significant exposure for unpatched installations.

Mozilla Information Disclosure Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-27891 HIGH PATCH GHSA This Week

Remote code execution in FacturaScripts ≤2025.71 allows authenticated administrators to upload malicious ZIP files containing path traversal sequences (Zip Slip attack) through the plugin installation mechanism. The vulnerable Plugins::add() function fails to sanitize file paths within ZIP archives, enabling attackers to write arbitrary PHP files outside the plugins directory and execute system commands. A public proof-of-concept exists demonstrating full system compromise. CVSS scores this at 7.2 (High) but requires high-privilege authentication (PR:H), significantly limiting real-world attack surface to scenarios involving compromised admin credentials or malicious insiders.

PHP RCE Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-7413 HIGH This Week

Undocumented persistent backdoor in Yarbo firmware v2.3.9 grants remote privileged access that survives factory reset and firmware updates. The backdoor requires high-privilege authentication (CVSS PR:H) but provides complete system control once accessed. No public exploit identified at time of analysis, though GitHub repository reference suggests technical disclosure exists. CVSS 7.2 reflects the high-privilege requirement, but persistence across resets and undocumented nature indicate significant supply chain or insider threat risk.

Information Disclosure Firmware
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-44742 HIGH GHSA This Week

Cross-site scripting (XSS) in Postorius mail list management interface allows unauthenticated remote attackers to inject malicious scripts via crafted email subjects in held messages. Active exploitation confirmed in May 2026 per vendor disclosure. Affects all versions through 1.3.13. Public exploit code available via GitLab merge request #972. EPSS data not yet available for this recent CVE, but confirmed in-the-wild activity elevates priority significantly despite moderate CVSS 7.2 score.

XSS Postorius
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-41002 HIGH PATCH GHSA This Week

Time-of-check-time-of-use (TOCTOU) race condition in Spring Cloud Config Server's Git repository cloning mechanism allows local privileged attackers with high-privilege system access to potentially read or modify configuration data intended for other applications. Exploitation requires timing manipulation of the basedir filesystem path between validation and use, enabling symlink attacks or directory substitution. CVSS 7.2 reflects high attack complexity (AC:H) and privileged local access (AV:L/PR:H) requirements, but scope change (S:C) indicates impact beyond the vulnerable component. EPSS data not available; no public exploit identified at time of analysis.

Information Disclosure Java
NVD VulDB HeroDevs
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-42553 HIGH PATCH GHSA This Week

Matrix access token disclosure in the Cinny web client (versions before 4.10.3) lets a remote authenticated attacker who shares a room with a victim and can create room emotes (e.g., in a DM) exfiltrate the victim's bearer access token to an attacker-controlled server. The token is leaked when the victim opens the emoji or sticker picker in a room containing a malicious emote pack, because a crafted pack avatar URL is fetched with the user's Authorization header attached. No public exploit has been identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided; the vendor rates it CVSS 4.0 7.1 (confidentiality-only impact).

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-44641 HIGH PATCH GHSA This Week

Path traversal in Microsoft APM CLI 0.8.11 and earlier allows malicious plugins to copy arbitrary readable host files into managed project directories during installation. The plugin_parser.py module fails to validate that component paths in plugin.json manifest fields (agents, skills, commands, hooks) remain within the plugin root, enabling attackers to use absolute paths or ../ traversal sequences to exfiltrate local files. Verified proof-of-concept demonstrates a malicious plugin copying external markdown files into .github/prompts/ through the auto-integration pipeline. Exploitation requires user interaction (installing a malicious plugin), but no authentication is required once the user initiates installation. CVSS 7.1 (High) reflects significant confidentiality and integrity impact in a local supply-chain attack scenario. Vendor-released patch available in apm-cli 0.8.12 per GitHub advisory GHSA-xhrw-5qxx-jpwr. No active exploitation (CISA KEV) confirmed, but publicly available exploit code exists with complete proof-of-concept including runnable scripts.

Python Microsoft Path Traversal
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-8063 HIGH PATCH This Week

MongoDB Server 8.2 before version 8.2.7 crashes when an authenticated user supplies an empty pipeline to $rankFusion or $scoreFusion aggregation operators on a view. The server fails to validate that the pipeline array is non-empty before accessing its first element during view resolution, resulting in a null pointer dereference that terminates the mongod process. This denial-of-service condition requires database authentication but can be triggered remotely via aggregation queries.

Denial Of Service Null Pointer Dereference Mongodb Server
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41906 HIGH PATCH This Week

Privilege escalation in FreeScout allows low-privileged agents to reassign conversations to customers in unauthorized mailboxes. The Change Customer modal enforces mailbox-scoped visibility on the frontend search endpoint, but the backend conversation_change_customer action lacks parallel authorization checks, accepting arbitrary customer_email parameters. An authenticated agent with access to mailbox A can forge requests to bind conversations to customers in mailbox B, bypassing tenant isolation controls. Vendor-released patch version 1.8.214 addresses this authorization bypass alongside four related customer visibility vulnerabilities disclosed concurrently (GHSA-mv55-3mgv-fxwr, GHSA-wjw4-8xg6-342m, GHSA-9ff4-mmhv-x6jp, GHSA-674v-r6xp-mvp6). No active exploitation confirmed (not in CISA KEV); CVSS 7.1 reflects network vector with low complexity but requires authenticated agent credentials.

Authentication Bypass Freescout
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41554 HIGH This Week

Reflected cross-site scripting in Bricks Builder WordPress theme through version 1.9.2 to 2.2 enables remote attackers to execute malicious JavaScript in victim browsers by crafting URLs with unsanitized input that gets reflected into generated web pages without proper encoding. Exploitation requires victim interaction (clicking a malicious link) but no authentication, making phishing and social engineering viable delivery methods. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though Patchstack disclosure suggests security researchers have demonstrated the vulnerability.

XSS Bricks Builder
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33588 HIGH This Week

Path traversal in Open Notebook v1.8.3's file upload allows arbitrary file creation or modification within the Docker container filesystem. Attackers with local access can write files outside intended directories, enabling container escape scenarios, configuration tampering, or privilege escalation by overwriting critical system files. No public exploit identified at time of analysis, but the vulnerability affects default configurations where file upload is accessible.

Docker File Upload Path Traversal
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-41653 HIGH PATCH This Week

Cross-site scripting in BentoPDF's Markdown to PDF Tool allows remote attackers to execute arbitrary JavaScript when users interact with malicious Markdown content. Affects all versions prior to 2.8.3. Vendor-released patch version 2.8.3 available with immediate upgrade recommended by maintainer. No public exploit identified at time of analysis, though vulnerability was responsibly disclosed by independent researcher. CVSS 7.0 with network attack vector but requires user interaction, reducing automation potential.

XSS Bentopdf
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-44503 HIGH PATCH GHSA MAL This Week

Cross-host HTTP redirects in Microsoft Kiota HTTP client libraries leak session cookies, proxy credentials, and custom authentication headers to attacker-controlled domains. When Kiota's RedirectHandler middleware follows 3xx redirects to different hosts (e.g., trusted.example.com → evil.attacker.com), it strips the Authorization header but forwards Cookie, Proxy-Authorization, and all custom headers unchanged. Publicly available exploit code exists with a complete proof-of-concept demonstrating cookie exfiltration to malicious redirect targets. This affects all Kiota language implementations (Java, .NET, Python, TypeScript, Go) and downstream consumers including Microsoft Graph SDK for Java. The vulnerability requires user interaction to trigger the initial API request, but once triggered, credential leakage is automatic on cross-origin redirects (CVSS:4.0 AV:N/AC:L/AT:P/PR:N/UI:P). Vendor-released patches are available across all affected package ecosystems.

Python Microsoft Java Open Redirect
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy