Skip to main content
CVE-2026-42271 HIGH POC KEV PATCH THREAT GHSA Act Now

Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute arbitrary commands on the host system. Two MCP (Model Context Protocol) test endpoints accept stdio transport configurations including command, args, and env fields, then spawn the supplied command as a subprocess with proxy process privileges. Authentication with any valid API key, including low-privilege internal-user keys, bypasses intended PROXY_ADMIN role restrictions. Patch available in version 1.83.7. No CISA KEV listing or public exploit code identified at time of analysis, though EPSS scoring is not provided in available data.

Command Injection Litellm
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
Threat
4.7
CVE-2024-45257 HIGH POC THREAT Act Now

A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server via a crafted build parameter. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 32.4%.

Command Injection
NVD GitHub
CVSS 3.1
7.3
EPSS
32.4%
CVE-2026-43284 HIGH POC PATCH CISA NEWS Act Now

Use-after-free in Linux kernel ESP (IPsec) allows local authenticated attackers to decrypt shared memory fragments improperly, potentially exposing encrypted network traffic or causing memory corruption. Affects kernel versions 6.5+ where MSG_SPLICE_PAGES can attach pipe pages directly to UDP socket buffers. The IPv4/IPv6 datagram paths fail to mark spliced pages as shared, causing ESP input decryption to modify memory not privately owned by the packet buffer. Public exploit code exists (POC available on GitHub), EPSS score is low (0.01%) indicating limited widespread exploitation risk, and vendor patches are available across affected stable kernel branches (6.6.138, 6.12.87, 6.18.28, 7.0.5).

Information Disclosure Use After Free Memory Corruption Linux
NVD GitHub VulDB Exploit-DB
CVSS 3.1
8.8
EPSS
0.0%
Threat
5.3
CVE-2025-67888 HIGH POC Act Now

Remote command injection in Control Web Panel allows unauthenticated attackers to execute arbitrary OS commands as root through unsanitized GET parameter. Exploitation requires Softaculous or SitePad components to be installed. Despite critical impact (root RCE), EPSS score of 6.16% (91st percentile) suggests selective targeting rather than mass exploitation, though technical barrier is low (AC:L). Public exploit code exists via Karma Insecurity disclosure and FullDisclosure mailing list, significantly increasing attack surface.

PHP Command Injection
NVD
CVSS 3.1
7.3
EPSS
6.2%
CVE-2024-53326 HIGH POC Act Now

LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization
NVD
CVSS 3.1
7.3
EPSS
2.9%
CVE-2026-44499 HIGH POC PATCH GHSA This Week

Remote denial-of-service in Zebra (Zcash node implementation) versions prior to 4.4.0 allows unauthenticated attackers to permanently halt block synchronization via a single TCP connection. The attack exploits three independent weaknesses in gossip, syncer, and download subsystems to create an irreversible block discovery deficit. Vendor patch available in version 4.4.0. EPSS data unavailable; no CISA KEV listing or public exploit code identified at time of analysis, but the technical barrier appears low given network attack vector with no authentication or complexity requirements (CVSS 4.0: AV:N/AC:L/PR:N).

Denial Of Service Zebra
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-4935 HIGH POC PATCH This Week

Unauthenticated attackers can exploit SQL injection in OttoKit: All-in-One Automation Platform WordPress plugin versions before 1.1.23 due to improper input sanitization in SQL statement construction. The vulnerability allows remote attackers to extract sensitive data and modify database contents without authentication, though integrity impact is limited. Publicly available exploit code exists, and a patch has been released by the vendor.

SQLi WordPress
NVD WPScan
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-38361 HIGH POC PATCH This Week

Remote code execution and denial-of-service in dash-uploader Python library allows unauthenticated network attackers to execute arbitrary code or crash applications via malicious file uploads. Versions 0.1.0 through 0.7.0a2 contain flaws in HTTP request handler (httprequesthandler.py), upload function (upload.py), and max_file_size parameter processing (configure_upload.py). Confirmed public exploit code exists (GitHub: a1ohadance/CVE-2026-38361), elevating risk despite CVSS indicating only availability impact - the RCE tag contradicts the CVSS vector's C:N/I:N rating, suggesting incomplete impact assessment. EPSS data unavailable; not in CISA KEV at time of analysis. Affects popular Python file upload component with thousands of monthly downloads per PyPI statistics.

Denial Of Service RCE
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2023-42344 HIGH POC PATCH GHSA This Week

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE
NVD VulDB GitHub
CVSS 3.1
7.3
EPSS
1.3%
CVE-2024-27686 HIGH POC This Week

Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data to the SMB service on TCP port 445. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Mikrotik
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2023-49316 HIGH POC PATCH GHSA This Week

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8137 HIGH POC This Week

Buffer overflow in Totolink X5000R 9.1.0u.6369_B20230113 router firmware allows authenticated remote attackers to execute arbitrary code or cause denial of service via crafted submit-url parameter to /boafrm/formDdns endpoint. Public exploit code exists (GitHub). CVSS 7.4 indicates high severity but requires authenticated access (PR:L), limiting immediate risk to environments where router credentials are compromised. EPSS data not available; prioritize if router exposed to internet or untrusted networks.

Buffer Overflow X5000R
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-8138 HIGH POC This Week

Stack-based buffer overflow in Tenda CX12L router firmware 16.03.53.12 allows authenticated remote attackers to achieve full system compromise via the PPTP server configuration interface. The vulnerability resides in the formSetPPTPServer function within /goform/SetPptpServerCfg and is exploitable over the network with low attack complexity. A public proof-of-concept exploit exists on GitHub, significantly lowering the barrier to exploitation, though CISA has not yet added this to the KEV catalog indicating no confirmed widespread active exploitation at this time.

Stack Overflow Buffer Overflow Tenda
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2024-46507 HIGH POC NEWS This Week

A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE
NVD
CVSS 3.1
7.3
EPSS
0.3%
CVE-2026-44338 HIGH POC PATCH NEWS GHSA This Week

Remote unauthenticated access to PraisonAI's legacy Flask API server allows attackers to execute configured agent workflows without authentication. Versions 2.5.6 through 4.6.33 ship with authentication disabled by default on the Flask server, enabling any network-accessible caller to trigger agents.yaml workflows via the /chat endpoint and access agent configurations through /agents. Patch released in version 4.6.34. CVSS 7.3 with network vector and no privileges required (AV:N/AC:L/PR:N/UI:N) indicates this is remotely exploitable against default configurations, though impact is limited to low confidentiality, integrity, and availability (C:L/I:L/A:L).

Authentication Bypass Python
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2024-33288 HIGH POC This Week

Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-42556 HIGH This Week

Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their own save request and send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7.

XSS Postiz App
NVD GitHub VulDB
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-44127 HIGH PATCH This Week

Remote unauthenticated attackers can read arbitrary local files and trigger deletion of targeted files in SEPPmail Secure Email Gateway versions before 15.0.4 through path traversal in the /api.app/attachment/preview endpoint. The vulnerability allows exploitation without authentication or user interaction (CVSS:4.0 AV:N/AC:L/PR:N/UI:N), enabling attackers to exfiltrate sensitive configuration files, credentials, or email data, and selectively delete files with api.app process privileges. No active exploitation confirmed by CISA KEV at time of analysis, though the unauthenticated remote attack vector and file manipulation capabilities represent elevated risk for exposed email gateway appliances. Swiss NCSC disclosure suggests vendor-coordinated remediation.

Path Traversal Secure Email Gateway
NVD
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-5127 HIGH This Week

PHP object injection in User Frontend plugin for WordPress versions up to 4.3.1 allows authenticated attackers with Subscriber-level access or above to achieve remote code execution via unsafe deserialization of the wpuf_files parameter during form submission. The vulnerability chains input validation failures during form processing with unconditional use of maybe_unserialize() when rendering post content, enabling attackers to inject malicious PHP objects that can execute arbitrary code, delete files, or trigger other attacks through available Property-Oriented Programming (POP) chains. Wordfence disclosed detailed code references showing the vulnerable data flow across multiple plugin files including wpuf-functions.php, FieldableTrait.php, and Frontend_Form_Ajax.php, with both trunk and version 4.2.10 code paths exhibiting the flaw.

PHP RCE WordPress Deserialization
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-42278 HIGH This Week

Authentication bypass in UltraDAG Core blockchain allows remote unauthenticated attackers to drain all pocket-derived sub-addresses on smart accounts, completely bypassing vault delays and daily spending limits. The StateEngine fails to resolve pocket addresses to their parent account during policy enforcement, treating virtual pocket addresses as unrestricted accounts. Confirmed actively exploited (CISA KEV). Vendor-released patch: commit fb6ef59 resolves pocket-to-parent mapping before all policy checks. EPSS data unavailable but attack vector is network-accessible with no complexity (CVSS 4.0 AV:N/AC:L/PR:N), making this a critical priority for any UltraDAG deployment using smart account pockets.

Authentication Bypass Hashicorp
NVD GitHub
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-42205 HIGH PATCH GHSA This Week

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.

Authentication Bypass Privilege Escalation Avo
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25077 HIGH This Week

Remote code execution in Apache CloudStack allows authenticated account users to execute arbitrary code on KVM hypervisor hosts by registering malicious templates with unsanitized filenames. Affects CloudStack 4.11.0 through 4.20.2.0 and 4.21.0.0 through 4.22.0.0 when using KVM hypervisors. Despite high CVSS (8.8), EPSS exploitation probability is very low (0.04%, 11th percentile) and CISA SSVC reports no active exploitation. Vendor-released patches are available in versions 4.20.3.0 and 4.22.0.1.

Denial Of Service Apache Code Injection RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-42455 HIGH This Week

Stored cross-site scripting in Linkwarden 2.14.0 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in victims' authenticated sessions by uploading malicious HTML archives. The vulnerability exists because the /api/v1/archives endpoint accepts unsanitized HTML files and serves them without Content-Security-Policy protections, enabling session hijacking and account takeover. No vendor-released patch identified at time of analysis (GHSA advisory notes no patches available). EPSS data not provided; no active exploitation (CISA KEV) or public POC identified at time of analysis.

XSS Linkwarden
NVD GitHub
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-43334 HIGH PATCH This Week

Authentication downgrade in Linux kernel Bluetooth SMP allows adjacent network attackers to bypass MITM protection during pairing. When a Bluetooth responder requires BT_SECURITY_HIGH, the SMP implementation incorrectly builds pairing responses before enforcing local MITM requirements, allowing initiators to force weaker 'Just Confirm' authentication even when policy mandates stronger methods. EPSS score of 0.02% indicates low predicted exploitation probability, and no active exploitation or public POC has been identified. Patches available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Information Disclosure Linux Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43403 HIGH PATCH This Week

Namespace iteration ioctl permission bypass in Linux kernel allows local privileged users to enumerate namespaces of other privileged services, potentially leaking cross-service information. Affects kernel 6.12 through 6.19.x with patches available in 6.12.78, 6.18.20, 6.19.9, and mainline 7.0. The vulnerability has low EPSS (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches deployed across stable kernel branches address the issue by enforcing stricter namespace visibility policies via the may_see_all_namespaces() helper.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43391 HIGH PATCH This Week

Insufficient permission checks in Linux kernel nsfs (namespace filesystem) allow low-privileged local users to access other processes' namespaces, potentially escalating privileges across namespace boundaries and leaking sensitive information between isolated services. The vulnerability affects kernel versions before 6.19.9 and 7.0, with patches available in stable branches d2324a9317f0 and 1797ee11451f. EPSS score of 0.02% (5th percentile) indicates low current exploitation probability, and no active exploitation or public POC has been identified in CISA KEV or public sources. The CVSS 8.8 (High) rating reflects scope change (S:C) indicating privilege escalation across security boundaries - a critical concern for containerized environments where namespace isolation is foundational to multi-tenant security.

Information Disclosure Linux
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43322 HIGH PATCH This Week

Use-after-free (UAF) in Linux kernel Bluetooth subsystem allows adjacent network attackers to trigger memory corruption via malformed LE Read Features Complete responses. The vulnerability occurs when hci_conn is freed before le_read_features_complete callback executes but after hci_le_read_remote_features_sync initiates, causing atomic operations on freed memory during hci_conn_drop. Active exploitation status not confirmed (no CISA KEV listing). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Upstream patches committed to stable kernel branches 6.19.12+ and 7.0+.

Information Disclosure Google Linux Use After Free Memory Corruption +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-42453 HIGH This Week

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, the extractArchive and compressFiles endpoints in file-manager.ts use double-quoted strings for shell command construction, unlike all other file manager operations which use single-quote escaping. Double quotes allow $(command) substitution, enabling command injection on the remote SSH host. This issue has been patched in version 2.1.0.

Command Injection Termix
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-43967 HIGH PATCH GHSA This Week

Unauthenticated denial of service in absinthe-graphql versions 1.2.0 through 1.10.1 allows remote attackers to exhaust CPU resources via quadratic-complexity validation. Attackers submit GraphQL documents with tens of thousands of fragment definitions (~60,000 fragments in a 1 MB payload), triggering O(N²) comparisons during fragment-name uniqueness validation - approximately 3.6 billion comparisons per request. No authentication, schema knowledge, or special server configuration is required. Patch available in version 1.10.2 via GitHub commit 223600c (replaces nested loop with single-pass frequency map).

Denial Of Service Absinthe
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-44700 HIGH PATCH GHSA This Week

ex_webrtc library for Erlang/Elixir fails to validate DTLS peer certificate fingerprints when operating in client (active) role during WebRTC handshakes, breaking mutual authentication. Versions prior to 0.15.1 and 0.16.1 are affected. While not independently exploitable against standard browser peers over secure signaling, this flaw enables man-in-the-middle attacks when combined with insecure signaling channels (HTTP/plain WebSocket), compromised signaling servers, or non-compliant peer implementations. Vendor-released patches (0.15.1, 0.16.1) available with no workarounds. No public exploit identified at time of analysis, but the high CVSS score (8.7, AV:N/AC:L/PR:N/UI:N) reflects the network attack vector and low complexity when prerequisites are met.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41423 HIGH PATCH GHSA This Week

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering (SSR). When an attacker sends a request such as GET /\evil.com/ HTTP/1.1 the server engine (Express, etc.) passes the URL string to Angular’s rendering functions. Because the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, the internal state of the application is hijacked to believe the current origin is evil.com. This misinterpretation tricks the application into treating the attacker’s domain as the local origin. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This issue has been patched in versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8.

SSRF Angular
NVD GitHub HeroDevs VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42275 HIGH PATCH GHSA This Week

Remote path traversal via symlink following in zrok's WebDAV drive backend allows unauthenticated network attackers to read arbitrary files accessible to the zrok process and overwrite critical system files (such as SSH authorized_keys) outside the intended share boundary. Attack complexity is high because exploitation requires a pre-existing symlink inside the shared directory pointing outside DriveRoot-a precondition typically created through local access or misconfiguration, not by the attacker. EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation. Vendor-released patch available in version 2.0.2 with commit 459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e implementing symlink boundary validation.

Path Traversal Zrok
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-7807 HIGH PATCH This Week

{type} endpoint. The vulnerability chains with weak encryption and hardcoded keys to decrypt stored passwords and two-factor authentication secrets for all system users, enabling complete account compromise. VulnCheck identified this vulnerability; vendor patch available in build 9560 or later. CVSS 8.7 reflects high confidentiality and integrity impact with low attack complexity, though requiring authenticated access (PR:L) moderates immediate risk for internet-exposed instances with strong authentication controls.

Path Traversal Smartermail
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-44400 HIGH PATCH This Week

MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions.

Authentication Bypass Mailenable Enterprise Premium
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-44552 HIGH PATCH GHSA This Week

Cross-instance cache poisoning in Open WebUI allows administrators on one instance to inject malicious tool server configurations into shared Redis cache, affecting users on other instances. The vulnerability stems from missing Redis key prefixes on tool_servers and terminal_servers cache entries in backend/open_webui/utils/tools.py. When multiple Open WebUI instances share a Redis backend (a documented multi-region/blue-green deployment pattern), an admin on Instance A can configure a malicious tool server that overwrites Instance B's cache, causing Instance B users to send tool call payloads-containing chat content, user identity, and OAuth tokens-to attacker-controlled servers. Exploitation requires privileged access (CVSS PR:H) but crosses instance boundaries (Scope:Changed), enabling data exfiltration and prompt injection delivery. Vendor-released patch: version 0.9.0 addresses the missing prefix issue.

Redis Python Information Disclosure
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-44832 HIGH PATCH GHSA This Week

{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users. Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569, fix was released in v8.4.1 None.

Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41524 HIGH PATCH This Week

{!! !!} rendering user-supplied content without sanitization. Patched via commit 6c56603 which implements HtmlSanitizer to allowlist safe HTML tags and strip dangerous attributes before database storage.

XSS
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-44340 HIGH POC PATCH GHSA This Week

Path traversal via symlink exploitation in PraisonAI multi-agent teams system allows remote unauthenticated attackers to write arbitrary files outside intended directories during recipe operations (pull/publish/unpack). The _safe_extractall helper validates archive member names but fails to validate symlink targets (linkname attribute), enabling attackers to craft malicious tar bundles containing symlinks pointing outside extraction directories followed by files traversing through those symlinks. Affects versions prior to 4.6.37. EPSS data unavailable, no CISA KEV listing, and no public POC identified at time of analysis, suggesting limited observed exploitation despite network-accessible attack vector.

Path Traversal Praisonai
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-67486 HIGH This Week

Remote code execution in Dolibarr ERP/CRM versions ≤22.0.2 allows authenticated administrators to execute arbitrary PHP code by injecting malicious payloads into the 'computed value' field of user extrafields, which are passed unsanitized to PHP's eval() function. No vendor patch exists at time of analysis (zero-day status), but exploitation requires high-privilege administrator access, limiting immediate risk to environments with compromised admin accounts or malicious insiders. EPSS data unavailable; not listed in CISA KEV, indicating no confirmed widespread exploitation despite public technical disclosure.

PHP RCE
NVD GitHub
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-41690 HIGH PATCH This Week

Object.prototype pollution in i18next-http-middleware prior to 3.9.3 allows remote unauthenticated attackers to inject arbitrary properties into all JavaScript objects via crafted HTTP requests, bypassing authorization checks, causing type-confusion denial of service, or enabling remote code execution when chained with vulnerable downstream code. The vulnerability is actively exploitable through two unprotected API endpoints (getResourcesHandler and missingKeyHandler) that accept user-controlled language and namespace parameters without validation. EPSS data not provided, not listed in CISA KEV, but publicly disclosed with detailed GitHub security advisory including technical exploitation details.

Node.js Path Traversal
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-42203 HIGH PATCH GHSA This Week

Server-side template injection in LiteLLM Proxy versions 1.80.5 through 1.83.6 allows authenticated users to execute arbitrary code via the POST /prompts/test endpoint. Any user with a valid proxy API key can submit malicious prompt templates that escape sandboxing and run commands in the proxy server process, exposing environment secrets like provider API keys and database credentials. This vulnerability affects deployments using LiteLLM as an AI gateway proxy server. No active exploitation confirmed (not in CISA KEV), but GitHub advisory and patch are publicly available, increasing exploit likelihood. CVSS 8.6 (High) with network attack vector and low complexity, though PR:L requirement limits exposure to authenticated attackers only.

RCE Ssti Litellm
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-29201 HIGH PATCH This Week

Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.

Information Disclosure Cpanel Wp Squared Cpanel Centos 6 Cloudlinux 6
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-44339 HIGH PATCH GHSA This Week

Remote attackers can invoke arbitrary application callables in PraisonAI multi-agent systems by manipulating tool-call names to bypass tool declaration controls. Vulnerable versions (praisonai <4.6.37, praisonaiagents <1.6.37) resolve unmatched tool names against module globals and __main__ namespaces without permission validation when _perm_allow is None (default configuration). This enables unauthorized function execution beyond the intended tool list, allowing integrity compromise and potential information disclosure. Patched versions 4.6.37 and 1.6.37 address the tool name resolution vulnerability.

Information Disclosure Praisonai Praisonaiagents
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-8077 HIGH PATCH This Week

Authorization bypass in CashDro 3 web administration panel 24.01.00.26 allows authenticated attackers to escalate to full administrative privileges by manipulating client-side permission controls. The vulnerability stems from reliance on frontend-only authorization checks, with no backend validation of user permissions. Attackers with low-privileged accounts can modify the 'Permissions' field in JSON responses to grant themselves unrestricted access to cash management system controls. INCIBE-CERT has confirmed vendor patch availability, though EPSS data is not yet available for this recent CVE.

Authentication Bypass Cashdro 3 Administration Panel
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-8069 HIGH This Week

Local attackers with standard user accounts can escalate to NT AUTHORITY\SYSTEM privileges in Acer PredatorSense V3 versions 3.00.3136 through 3.00.3196. The gaming utility software exposes a misconfigured Windows Named Pipe allowing arbitrary code execution and file deletion with SYSTEM privileges. CVSS 8.5 (High) reflects severe local impact with low complexity exploitation. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the technical details provided enable development of proof-of-concept code.

Privilege Escalation Microsoft RCE Path Traversal
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-43940 HIGH PATCH GHSA This Week

Path traversal in electerm's IPC widget loader allows local code execution with full process privileges when an attacker achieves JavaScript execution in the renderer process. Affects all versions prior to 3.7.16. The vulnerability enables filesystem-wide arbitrary JavaScript file loading and execution through unsanitized path concatenation in runWidget function, bypassing Electron's process isolation. Vendor-released patch available in version 3.7.16. EPSS data not available; no confirmed active exploitation (not in CISA KEV).

RCE Path Traversal Electerm
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-42286 HIGH PATCH This Week

Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue has been patched in version 2.6.11.

CSRF
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-44129 HIGH PATCH This Week

Remote code execution in SEPPmail Secure Email Gateway versions before 15.0.4 allows unauthenticated attackers to execute arbitrary template expressions through a server-side template injection flaw in the GINA UI endpoint. The vulnerability requires no authentication and has low attack complexity, but depends on specific template plugin configurations (CVSS 4.0: 8.3 High with AT:P indicating present attack conditions). No public exploit code or active exploitation confirmed at time of analysis. EPSS data not available.

RCE Ssti
NVD
CVSS 4.0
8.3
EPSS
0.3%
CVE-2026-43291 HIGH PATCH This Week

Improper packet data validation in Linux kernel NCI NFC subsystem breaks communication with NFC chips and creates potential for information disclosure. The vulnerability affects adjacent network attackers (AV:A) who can exploit variable-length packet handling without authentication (PR:N) to achieve high confidentiality impact, low integrity impact, and high availability impact. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite CVSS 8.3 severity. Vendor patches available across multiple kernel versions (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) with upstream fixes committed to stable branches.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-29972 HIGH This Week

Stack-based buffer overflow in nanoMODBUS v1.22.0 and earlier allows malicious Modbus TCP servers to execute arbitrary code on clients via oversized responses. When client applications call nmbs_read_holding_registers() or nmbs_read_input_registers(), the library fails to validate byte_count before writing server data to the caller's buffer, enabling up to 248 bytes of controlled overflow. No active exploitation confirmed (not in CISA KEV), but proof-of-concept code is publicly available and the vulnerability is automatable (SSVC) with network attack vector (CVSS AV:N/AC:L/PR:N). EPSS data not provided, but the combination of public POC, low complexity, and RCE potential warrants immediate attention for systems using nanoMODBUS as a client.

Stack Overflow RCE Buffer Overflow
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy