Skip to main content
CVE-2026-44514 MEDIUM PATCH GHSA This Month

Kubetail Dashboard prior to version 0.14.0 fails to validate the Origin header on WebSocket connection upgrades, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks. An authenticated user visiting a malicious web page can be exploited to stream their Kubernetes container logs-including credentials, tokens, and PII often present in logs-to an attacker-controlled server. The vulnerability affects both desktop deployments at localhost:7500 and cluster deployments behind HTTP basic auth, with browser ambient credentials automatically attached to the WebSocket handshake.

Kubernetes Microsoft Docker Information Disclosure Google +1
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6736 MEDIUM This Month

GitHub Enterprise Server versions prior to 3.21 contain an authentication bypass vulnerability that allows unauthenticated attackers to create local user accounts and establish sessions without validation by the configured external identity provider. The vulnerability affects instances with external authentication enabled, permitting account creation via the signup endpoint with default base permissions. Attack requires only network access and affects all affected versions across the 3.16-3.20 branch.

Authentication Bypass Enterprise Server
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-7541 MEDIUM This Month

Denial of service in GitHub Enterprise Server allows unauthenticated remote attackers to disrupt service by sending deeply nested JSON payloads to an unprotected API endpoint, causing excessive CPU and memory consumption. Affected versions prior to 3.21 (specifically 3.16.0-3.20.1) lack request size and depth validation. Vendor-released patches available for all affected branches: 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18.

Denial Of Service Enterprise Server
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-7261 MEDIUM PATCH This Month

Use-after-free memory corruption in PHP 8.2 prior to version 8.2.31 allows remote attackers to cause information disclosure or denial of service via network requests with low attack complexity. The vulnerability is addressed in PHP 8.2.31, released as a security update bundling fixes for eight CVEs including CVE-2026-7261. Patch availability is confirmed from the PHP development team.

Microsoft PHP Use After Free Memory Corruption Information Disclosure +2
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-7568 MEDIUM PATCH This Month

PHP 8.2.31 addresses a buffer overflow vulnerability (CVE-2026-7568) affecting PHP 8.2.x versions that results in information disclosure through out-of-bounds memory reads. The vulnerability requires specific attack preconditions (CVSS AC:H/AT:P) and unauthenticated remote access; exploitation impact is limited to partial disclosure of memory contents. No public exploit code or active exploitation has been identified at the time of analysis.

Microsoft Information Disclosure Buffer Overflow PHP
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-42217 MEDIUM PATCH This Month

OpenEXR versions 3.0.0-3.2.8, 3.3.0-3.3.10, and 3.4.0-3.4.10 suffer from unbounded shift operations in the readVariableLengthInteger() function when parsing variable-length integers from untrusted EXR files. Attackers can craft malicious EXR files with excessive continuation bytes to trigger left shifts exceeding 64 bits on a 64-bit integer, causing undefined behavior that may lead to information disclosure or denial of service. The vulnerability is remotely exploitable without authentication or user interaction against any application processing untrusted EXR input; no public exploit code has been identified at the time of analysis.

Integer Overflow Information Disclosure Suse Red Hat
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-40214 MEDIUM PATCH This Month

OpenStack Cyborg before 16.0.1 fails to enforce project ownership in the Accelerator Request (ARQ) API, allowing any authenticated non-admin user to delete, modify, or access ARQs bound to other projects' instances across tenant boundaries. The vulnerability stems from a combination of unpopulated project_id columns, missing database-layer filtering, and self-referential authorization checks, enabling cross-tenant denial of service and potential information disclosure. EPSS risk is moderate (6.3 CVSS), and the vulnerability requires valid authentication but no special privileges or interaction, making it exploitable by any tenant user in multi-tenant OpenStack deployments.

Denial Of Service
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-7258 MEDIUM PATCH This Month

A buffer over-read vulnerability in PHP 8.2 prior to version 8.2.31 allows remote attackers to disclose sensitive information through a network vector with high attack complexity and partial attack time requirements. The vulnerability (CWE-125) affects information availability and system availability, with CVSS 6.3 indicating moderate risk. Vendor-released patch available in PHP 8.2.31.

Microsoft Information Disclosure Buffer Overflow PHP Suse +1
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-42879 MEDIUM GHSA This Month

Remote code execution in FacturaScripts through authenticated file upload allows attackers with valid credentials to bypass MIME type validation by prepending GIF89a magic bytes to PHP files, resulting in executable files stored in a web-accessible directory. An attacker can upload a malicious PHP file disguised as a GIF image via the product image upload functionality, then directly execute arbitrary commands on the server. The vulnerability affects versions 2025.81 and earlier; publicly available proof-of-concept code exists demonstrating end-to-end exploitation.

PHP CSRF File Upload RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-44308 MEDIUM PATCH GHSA This Month

Spring Cloud AWS SNS HTTP/HTTPS endpoint handlers (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) in versions 3.0.0-3.4.2, 4.0.0, and 4.0.1 fail to verify the cryptographic signature of incoming SNS messages, allowing unauthenticated attackers who know the endpoint URL to send forged SNS notifications, subscription confirmations, or unsubscribe requests. This enables attackers to trigger arbitrary message processing, auto-confirm malicious topic subscriptions, or force unsubscription from legitimate topics. Fixed in Spring Cloud AWS 4.0.2 with signature verification enabled by default; 3.x line receives no patch and must use workarounds.

Information Disclosure Java
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-8112 LOW POC PATCH Monitor

OS command injection in 8421bit MiniClaw's executeCognitivePulse function allows authenticated remote attackers to inject arbitrary shell commands via unsanitized prompt input passed to external CLI tools. The vulnerability stems from unsafe string interpolation in command construction, enabling execution of system commands with the privileges of the MiniClaw process. Publicly available exploit code exists, and vendor-released patch commit 028f62216dee9f64833d0f1cfda7c217067ceba8 is available on GitHub.

Command Injection Miniclaw
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.7%
CVE-2026-42328 MEDIUM PATCH GHSA This Month

Denial of service in go-ipld-prime's DAG-CBOR and DAG-JSON decoders via unbounded recursion depth allows remote attackers to exhaust goroutine stack memory by sending deeply nested collection payloads, causing the Go runtime to terminate with a fatal stack overflow. A ~2 MB DAG-CBOR payload with 2 million nested arrays reliably triggers the condition. Affected versions before 0.23.0 have no depth limit; the existing allocation budget cannot prevent stack exhaustion because each nested header consumes only a few budget units.

RCE
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-8116 LOW POC Monitor

Path traversal in xiaozhi-mcphub up to version 1.0.3 allows authenticated remote attackers to access arbitrary files via manipulation of the manifest.name argument in src/controllers/dxtController.ts, with CVSS 6.3 indicating moderate impact to confidentiality, integrity, and availability. Publicly available exploit code exists, and the project maintainer has not yet responded to early disclosure notification.

Path Traversal Xiaozhi Mcphub
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-8113 LOW POC PATCH Monitor

Path traversal in MiniClaw's executeSkillScript function allows authenticated remote attackers to access files outside the intended skills directory via directory traversal sequences in the skillName or scriptFile parameters. The vulnerability affects the isPathInside function in src/kernel.ts, enabling disclosure of sensitive files with CVSS 4.3 (low confidentiality impact). Publicly available exploit code exists and a vendor patch is available via commit e8bd4e17e9428260f2161378356affc5ce90d6ed.

Path Traversal Miniclaw
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8081 LOW POC Monitor

Server-side request forgery in router-for-me CLIProxyAPI 6.9.29 allows authenticated remote attackers to manipulate the url parameter in the API Interface handler to perform arbitrary network requests on behalf of the server. The vulnerability has a publicly available exploit and vendor communication attempts were unsuccessful, though the low CVSS score (2.1) and requirement for authenticated access limit real-world impact compared to unauthenticated SSRF vulnerabilities.

SSRF Cliproxyapi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8097 LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the squeryx parameter in /askquery.php, enabling unauthorized data access, modification, and potential denial of service. Publicly available exploit code exists and the vulnerability affects the default installation with no special configuration required.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-42081 MEDIUM PATCH GHSA This Month

Free5GC Access and Mobility Management Function (AMF) v4.2.1 and earlier fails to verify UE Security Capabilities in NGAP PathSwitchRequest messages, allowing a malicious gNB to overwrite the AMF's stored security algorithm preferences with arbitrary values. These corrupted capabilities are then propagated in PathSwitchRequestAcknowledge and subsequent HandoverRequest messages, causing all inter-gNB handovers for affected UEs to fail due to algorithm mismatches. This results in persistent handover denial-of-service until UE re-registration. The vulnerability is directly contrary to 3GPP TS 33.501 §6.7.3.1 verification requirements and has been demonstrated with a public proof-of-concept using Free5GC v4.2.1 and UERANSIM.

Docker Information Disclosure
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-39826 MEDIUM PATCH This Month

Go's html/template library incorrectly escapes data passed into <script> tags when the tag contains an empty or whitespace-only 'type' attribute, allowing a trusted template author to inadvertently expose sensitive information to client-side scripts. Affects html/template versions prior to 1.26.3 and 1.25.10. CVSS 6.1 with user interaction required; EPSS 0.01% indicates minimal real-world exploitation likelihood despite moderate base score.

Information Disclosure Red Hat
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-39823 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Go's html/template library allows attackers to bypass URL escaping in meta tag content attributes by inserting ASCII whitespaces around the equals sign, enabling injection of malicious scripts into web applications. Affects Go 1.25.x before 1.25.10 and 1.26.x before 1.26.3. This is a regression from CVE-2026-27142 where the fix was incomplete, and exploitation requires user interaction (UI:R) but operates across security boundaries (S:C).

XSS Html Template Red Hat
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-67202 MEDIUM PATCH This Month

Sidekiq-cron thru 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL being rended from cron.erb.

XSS N A Red Hat
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41689 MEDIUM This Month

Wallos versions 4.8.4 and prior allow authenticated users to bypass webhook URL restrictions and send server-side requests to administrator-allowlisted internal targets by reusing the global allowlist for individual user webhooks. This enables Server-Side Request Forgery (SSRF) to internal automation services that may expose deployment or execution APIs, potentially leading to remote code execution on downstream systems. No public exploit code identified at time of analysis, and no vendor-released patch is available.

Authentication Bypass Wallos
NVD GitHub
CVSS 3.1
6.0
EPSS
0.1%
CVE-2026-8106 MEDIUM This Month

Reflected HTML injection in GitHub Enterprise Server Management Console login page allows credential theft when administrators click crafted links. The /setup/unlock endpoint reflects the redirect_to query parameter into an HTML attribute without sanitization, enabling attackers to inject malicious form elements that capture credentials. Affects versions 3.19.1-3.19.5 and 3.20.0-3.20.1; fixed in 3.19.6 and 3.20.2. Exploitation requires user interaction (administrator clicking a link), limiting real-world impact despite network-accessible attack surface.

XSS Enterprise Server
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-44216 MEDIUM PATCH GHSA This Month

Wasmtime's on-demand instance allocator panics when attempting to allocate a WebAssembly table with an extremely large size, triggering arithmetic overflow in checked allocation logic. This denial-of-service condition is exploitable only when the memory64 WebAssembly proposal is enabled (default configuration) and affects versions 30.0.0 through 36.0.7, 37.0.0 through 43.0.1, and unpatched 44.x versions. No public exploit code or active exploitation has been identified; vendor-released patches are available in versions 36.0.8, 43.0.2, and 44.0.1.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-42597 MEDIUM PATCH GHSA This Month

Gotenberg versions 8.31.0 and earlier allow unauthenticated remote attackers to enumerate and read arbitrary files under /tmp/ via the /forms/chromium/convert/url and /forms/chromium/screenshot/url endpoints using file:// scheme URLs. An attacker can discover in-flight conversion request directories and exfiltrate source files (HTML, Markdown, Office documents, staged PDFs) from other users' concurrent conversion requests by timing attacks to coincide with long-running conversion operations. The vulnerability exploits a logic flaw where the URL routes fail to set per-request scope guards that HTML/Markdown routes correctly apply, causing file:// access control enforcement to silently skip for URL-based conversions.

Microsoft Python RCE Docker Google
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-62127 MEDIUM This Month

DOM-based cross-site scripting (XSS) in WEN Logo Slider WordPress plugin through version 3.4.0 allows authenticated high-privilege users to inject malicious scripts that execute in the browsers of other site visitors when the UI redirects the page, potentially compromising site integrity and user data. The vulnerability requires high-privilege administrator access and user interaction (page redirect), limiting its practical scope to insider threats or compromised admin accounts.

XSS Wen Logo Slider
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-39817 MEDIUM PATCH This Month

The Go toolchain's 'go tool pack' subcommand fails to sanitize output filenames when extracting archive files, allowing local attackers with user privileges and user interaction to write files to arbitrary filesystem locations. Affected versions include Go 1.26.0 through 1.26.2 and all versions before 1.25.10. This vulnerability requires local access and user interaction to trigger, with a vendor-released patch available.

Buffer Overflow Memory Corruption Cmd Go
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-8087 LOW POC PATCH Monitor

Heap-based buffer overflow in OSGeo GDAL up to version 3.13.0dev-4 allows local authenticated attackers to corrupt memory and potentially execute arbitrary code via a specially crafted DataFieldName argument passed to the GDnentries function in the HDF-EOS module. The vulnerability affects string length calculation when processing quoted field names, publicly available exploit code exists, and vendor patch is available in version 3.13.0RC1.

Heap Overflow Buffer Overflow Gdal
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8084 LOW POC PATCH Monitor

Out-of-bounds read in OSGeo GDAL up to version 3.13.0dev-4 occurs in the HDF-EOS Grid File Handler when parsing malformed HDF4 files, allowing local authenticated attackers to read memory beyond buffer bounds. The vulnerability exists in the memmove operation within SWapi.c and GDapi.c that processes field information without proper bounds validation. Vendor-released patch available in version 3.13.0RC1; publicly available exploit code exists.

Information Disclosure Buffer Overflow Gdal
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8086 LOW POC PATCH Monitor

Heap-based buffer overflow in OSGeo GDAL up to 3.13.0dev-4 within the SWnentries function of the HDF4-EOS module allows local authenticated attackers to cause memory corruption via crafted DimensionName arguments. The vulnerability requires local access and authenticated privileges but can be exploited with publicly available proof-of-concept code. CVSS score of 1.9 reflects limited confidentiality, integrity, and availability impact despite the buffer overflow nature, indicating the vulnerability has constrained real-world severity despite its technical classification.

Heap Overflow Buffer Overflow Gdal
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8088 LOW POC PATCH Monitor

Out-of-bounds read in OSGeo GDAL up to version 3.13.0dev-4 affects the GDfieldinfo function in HDF-EOS module when processing malformed HDF4 files. A locally authenticated attacker can trigger memory disclosure by crafting a specially formatted HDF4 file. Publicly available exploit code exists. The vulnerability is fixed in GDAL 3.13.0RC1 and later.

Information Disclosure Buffer Overflow Gdal
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-44002 MEDIUM PATCH GHSA This Month

Information disclosure in vm2 allows sandboxed code to extract host absolute file paths, library locations, and internal function names via stack trace inspection, enabling attackers to map the host server's directory structure and architecture without authentication or user interaction. The vulnerability affects all versions up to 3.10.5 and is triggered through either default error.stack formatting or custom Error.prepareStackTrace handlers; vendor-released patch available in version 3.11.0.

Information Disclosure Node.js Red Hat
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-44312 MEDIUM PATCH GHSA This Month

CSS Parser gem disables HTTPS certificate validation by setting OpenSSL::SSL::VERIFY_NONE, allowing man-in-the-middle attackers to inject or modify CSS content loaded via HTTPS. Any application using CSS Parser versions prior to 2.1.0 to fetch external stylesheets over HTTPS can be exploited by network-positioned attackers without authentication. A proof-of-concept using mitmproxy or Burp Suite demonstrates practical exploitation; CVSS 5.8 reflects the network attack vector and integrity impact, but real-world risk depends on whether the application loads stylesheets from untrusted or attacker-controllable URLs and whether the attacker can intercept network traffic.

Code Injection OpenSSL Suse
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-44406 MEDIUM This Month

DLL hijacking in ZTE Cloud PC client uSmartView allows unauthenticated local attackers to achieve arbitrary code execution and privilege escalation by planting a malicious DLL that is loaded by uSmartViewServiceAgent.exe running with SYSTEM privileges. The vulnerability requires local access but no authentication and affects multiple ZXCloud IRAI product versions. No public exploit code or active exploitation has been confirmed at this time.

Zte Privilege Escalation RCE Buffer Overflow
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-44520 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in docling-graph versions up to 1.5.0 allows authenticated attackers with user interaction to bypass IP validation and reach private, loopback, and cloud metadata endpoints by supplying arbitrary URLs to the URLInputHandler class or via the --source CLI argument. The vulnerability combines missing internal IP address validation with unrestricted HTTP redirects (allow_redirects=True), enabling theft of cloud IAM credentials and access to internal services on 127.0.0.1, 10.x, 172.16.x, 192.168.x, and 169.254.169.254 address ranges. Vendor-released patch: v1.5.1.

SSRF Open Redirect
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-40004 MEDIUM This Month

ZTE Cloud PC client uSmartview contains an OpenSSL configuration file privilege escalation vulnerability (CVE-2026-40004) that allows authenticated local attackers with user-level privileges to execute arbitrary code and escalate to higher privilege levels through a malicious openssl.cnf file. This requires physical access or local system access combined with user interaction, and affects ZTE's virtualized desktop infrastructure product. The CVSS score of 5.5 reflects the physical attack vector and additional user interaction requirement, despite the severity of code execution and cross-system scope impact.

Zte Privilege Escalation RCE OpenSSL
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-44479 MEDIUM PATCH GHSA This Month

Vercel CLI leaks authentication tokens in JSON output when running in non-interactive mode with credentials passed via command-line arguments. Affected versions 50.16.0 through 52.0.0 expose plaintext tokens in suggested follow-up commands when operations cannot complete autonomously, allowing token capture in CI/CD logs and automation transcripts. Information disclosure risk is elevated in automated deployment pipelines where CLI output is logged.

Information Disclosure Vercel
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-40610 MEDIUM PATCH GHSA This Month

BentoML's `bentoml build` command dereferences symlinks within the build context and copies their target file contents into the generated Bento artifact, allowing attackers to exfiltrate sensitive files from the build host. An attacker who controls a repository or build context can place symlinks pointing to sensitive local files (credentials, SSH keys, API tokens), and when a developer or CI system runs `bentoml build`, the referenced file contents are packaged into the Bento, which may then be exported, pushed, or containerized, spreading the leaked data. Publicly available exploit code demonstrates successful extraction of files outside the build directory. Affected versions through BentoML 1.4.38; patch released in 1.4.39.

Python Path Traversal
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-42877 MEDIUM GHSA This Month

Stored XSS in FacturaScripts product search modal allows authenticated warehouse users to inject malicious JavaScript via product reference field, which executes in the browser of any user opening the search modal in sales or purchase documents. An attacker with warehouse write access can escalate privileges by executing arbitrary authenticated requests in an administrator's session, including creation of new admin accounts, without requiring the admin's password. The vulnerability exploits improper output encoding combined with HTML parser re-interpretation during innerHTML assignment.

XSS PHP Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-36388 MEDIUM This Month

Stored Cross-Site Scripting in PHPGurukal Hospital Management System v4.0 allows authenticated patients to inject malicious scripts via the User Name parameter on the edit-profile.php page, with the payload later executed in the doctor's interface. The vulnerability requires user interaction (doctor viewing the profile) and affects confidentiality and integrity with limited scope. No public exploit code or active exploitation has been confirmed at analysis time.

XSS PHP N A
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68604 MEDIUM This Month

Cross-site request forgery (CSRF) in WPGraphQL plugin versions up to 2.5.3 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress users with user interaction (typically clicking a malicious link). The vulnerability affects the GraphQL endpoint's lack of token-based request verification, enabling attackers to craft requests that WordPress site visitors are tricked into executing without their knowledge. No public exploit code or active exploitation has been confirmed.

CSRF Wpgraphql
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4430 MEDIUM PATCH This Month

Out-of-bounds write in LibreOffice 26.2 before 26.2.3 and 25.8 before 25.8.7 allows local attackers to cause memory corruption and availability impact by opening crafted OOXML documents with mismatched encryption salt parameters. The vulnerability requires user interaction to open a malicious document and affects memory integrity with elevated scope impact on availability.

Memory Corruption Buffer Overflow Suse Red Hat
NVD VulDB
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-41903 MEDIUM PATCH This Month

FreeScout versions prior to 1.8.217 allow authenticated users with PERM_EDIT_USERS permission to read and modify notification subscriptions of any other user, including administrators, via a single POST request. This authorization bypass enables attackers to silently disable admin notifications, suppressing security alerts and conversation assignments without detection. The vulnerability is a sibling of CVE-2025-48472, indicating incomplete patching of a related code path.

Authentication Bypass Freescout
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-36341 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Webkul Krayin CRM v2.1.5 allows authenticated users to inject malicious scripts via unsanitized input in the Activity comment field on the /admin/activities/create endpoint, which execute when viewed by other administrators. The vulnerability requires user interaction (viewing the compromised activity) and authenticated access, limiting scope to C (confidentiality) and I (integrity) with partial impact; publicly available proof-of-concept code exists but exploitation is not confirmed in the wild. Fixed in version v2.1.6 via application of input sanitization using strip_tags() across multiple vulnerable Blade templates.

XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-42593 MEDIUM PATCH GHSA This Month

Arbitrary PDF file read vulnerability in Gotenberg versions up to 8.31.0 allows unauthenticated remote attackers to extract PDF content via path traversal in stampExpression and watermarkExpression parameters on six conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown). The vulnerability exists because these routes accept user-controlled file paths without validation when stamp or watermark source is set to PDF, unlike the dedicated stamp/watermark routes which enforce file upload requirements. An attacker can read any PDF accessible to the Gotenberg process by specifying its filesystem path, gaining access to potentially sensitive documents in containerized deployments or systems with mounted directories.

Microsoft Python Oracle Docker Google +1
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42878 MEDIUM GHSA This Month

Unauthenticated information disclosure in FacturaScripts allows remote attackers to trigger phpinfo() output on fresh deployments via /?phpinfo=TRUE, exposing full PHP configuration, environment variables (including database credentials and API keys), filesystem paths, and loaded extensions. The vulnerability affects all versions with the Installer controller enabled and no patch has been released as of April 2026; publicly available proof-of-concept code exists demonstrating exploitation against PHP 8.1.34.

Path Traversal Apple Information Disclosure PHP
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44003 MEDIUM PATCH GHSA This Month

Security control bypass in vm2 sandbox allows direct access to internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable by exploiting a performance optimization in the code transformer that skips AST analysis when code lacks catch, import, or async keywords. Affected versions <= 3.10.5 expose internal security functions (handleException, wrapWith, import) and enable with-statement scope manipulation, creating a latent attack surface for future sandbox escapes. All applications using vm2 to execute untrusted code are affected; exploitation requires no special configuration or authentication.

Node.js Information Disclosure Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-2514 MEDIUM This Month

Improper restriction of excessive authentication attempts in Hitachi Virtual Storage Platform series (G-series, F-series, E-series, and One Block models) allows unauthenticated remote attackers to conduct brute-force credential attacks and potentially obtain sensitive information through repeated authentication probes without rate-limiting or account lockout mechanisms. The vulnerability affects multiple firmware versions across 28 distinct storage array models and is remotely exploitable without authentication from the network.

Information Disclosure Hitachi Virtual Storage Platform G130 G150 G350 G370 G700 G900 F350 F370 F700 F900 Hitachi Virtual Storage Platform E390 E590 E790 E990 E1090 E390H E590H E790H E1090H Hitachi Virtual Storage Platform One Block 23 One Block 24 One Block 26 One Block 28
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27416 MEDIUM This Month

Missing authorization controls in bPlugins PDF Poster WordPress plugin versions up to 2.4.1 allow unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control. The vulnerability exposes limited confidential data without requiring authentication or user interaction, affecting all default installations of the affected plugin versions.

Authentication Bypass Pdf Poster
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-66105 MEDIUM PATCH This Month

Missing authorization controls in the Magepeople Inc. Bus Ticket Booking with Seat Reservation WordPress plugin allow unauthenticated remote attackers to modify data (such as ticket bookings or seat reservations) through incorrectly configured access control security levels. The vulnerability affects versions before 5.6.8 and has a CVSS score of 5.3 (medium severity) with a network attack vector requiring no authentication or user interaction.

Authentication Bypass Bus Ticket Booking With Seat Reservation
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25468 MEDIUM This Month

Happy Addons for Elementor through version 3.20.8 exposes sensitive system information to unauthorized users via an information disclosure vulnerability, allowing remote unauthenticated attackers to retrieve embedded sensitive data without authentication or user interaction. The vulnerability affects all installations of the plugin up to and including version 3.20.8, with a CVSS score of 5.3 reflecting the confidentiality impact of exposed system data.

Information Disclosure Happy Addons For Elementor Elementor
NVD
CVSS 3.1
5.3
EPSS
0.0%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy