Skip to main content
CVE-2025-61311 HIGH This Week

Reflected cross-site scripting in Mercury docuForm v11.11c allows authenticated attackers to execute arbitrary JavaScript in victim browsers via crafted payloads to dfm-menu_alerts.php. Attack requires low complexity and user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:R). Public proof-of-concept exists on GitHub (ZeroBreach-GmbH gist), but no CISA KEV listing indicates targeted or low-volume exploitation. EPSS data not available, but the authentication requirement and user interaction dependency reduce attack surface compared to stored XSS.

XSS PHP
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-61312 HIGH This Week

Reflected cross-site scripting in Mercury Managed Print Services docuForm v11.11c allows authenticated attackers with low privileges to execute arbitrary JavaScript in victim browsers via the acc-menu_pricess.php component. Public proof-of-concept exploit code exists on GitHub (ZeroBreach-GmbH). EPSS data not available, not listed in CISA KEV. Attack requires user interaction (phishing/social engineering to click malicious link), limiting automated exploitation but enabling credential theft and session hijacking for authenticated users.

XSS PHP
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-61313 HIGH This Week

Reflected cross-site scripting in Mercury docuForm (Managed Print Services) v11.11c enables authenticated attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. The vulnerability exists in dfm-menu_markeralerts.php due to unfiltered variable handling. CVSS 7.3 (High) reflects network-accessible attack requiring low-privilege authentication and user interaction. No public exploit confirmed, but proof-of-concept code published by ZeroBreach GmbH demonstrates feasibility. EPSS data unavailable; not in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

XSS PHP
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-5172 HIGH PATCH This Week

Remote denial-of-service and limited information disclosure in dnsmasq's extract_addresses() function allows attackers controlling or able to inject DNS responses to crash the daemon by sending a malformed DNS record whose declared rdlen pushes extract_name() past the record boundary, triggering a heap out-of-bounds read. The flaw affects dnsmasq 2.93 and downstream packages from Red Hat, SUSE, Ubuntu, and Pi-hole FTL. No public exploit identified at time of analysis, EPSS exploitation probability is 0.03% (9th percentile), and CISA SSVC rates exploitation as 'none' with only partial technical impact.

Buffer Overflow Dnsmasq Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-2291 HIGH PATCH This Week

Heap buffer overflow in dnsmasq's extract_name() function allows remote attackers to write out-of-bounds on the heap, enabling DNS cache poisoning that redirects lookups to attacker-controlled IP addresses or causes denial of service. The flaw stems from a bigname namebuffer sized for wire-form domain names (MAXDNAME) instead of the larger escaped internal representation (MAXDNAME*2 + 1). EPSS is low (0.03%, 9th percentile) with no public exploit identified at time of analysis, but multiple major distributions (Red Hat, SUSE, Ubuntu) have shipped patches reflecting widespread downstream exposure.

Buffer Overflow Dnsmasq
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-10908 HIGH PATCH This Week

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.

Authentication Bypass Information Disclosure Wso2 Identity Server Wso2 Carbon Magiclink Authenticator Module
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2022-4988 HIGH This Week

Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Alien
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-43656 HIGH PATCH This Week

Out-of-bounds write in Apple's file parsing component across iOS, iPadOS, and macOS enables remote code execution or denial of service via maliciously crafted files with no user interaction required. Exploitation probability is extremely low (EPSS 0.02%, 6th percentile) with no public exploit identified at time of analysis, despite the critical CVSS 7.3 score and network-based attack vector. Vendor patches available for all affected platforms (iOS/iPadOS 18.7.9, 26.5; macOS Sonoma 14.8.7, Sequoia 15.7.7, Tahoe 26.5). The CVSS vector indicating AV:N/PR:N/UI:N suggests automatic exploitation without user interaction, which contradicts the description's 'parsing a file' language - verify whether this requires user action to open/download the file or if background processes parse untrusted files automatically.

Apple Memory Corruption Buffer Overflow
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-31251 HIGH This Week

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious model files within a directory. When a victim starts the gRPC server pointing to this directory, arbitrary code is executed on the victim's system during server initialization.

Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-31249 HIGH This Week

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens) using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious .pt files within a data directory. When a victim processes this directory using the tool, arbitrary code is executed on the victim's system.

Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-31250 HIGH This Week

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. The script loads PyTorch checkpoint files (epoch_*.pt) for model averaging using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious checkpoint files within a directory. When a victim uses the tool to average models from this directory, arbitrary code is executed on the victim's system.

Checkpoint Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-31253 HIGH GHSA This Week

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.

Checkpoint Deserialization Python RCE Code Injection +1
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-37630 HIGH This Week

Remote code execution in QuickJS-NG 0.12.1 allows unauthenticated network attackers to execute arbitrary code through the js_mapped_arguments_mark function. The vulnerability enables attackers to achieve code injection with low confidentiality, integrity, and availability impact via network-accessible JavaScript engine exploitation. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability, and no active exploitation has been publicly reported at time of analysis.

Code Injection RCE
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-31254 HIGH This Week

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains a code injection vulnerability (CWE-94) in its training script. The script registers the Python eval() function as a Hydra configuration resolver under the name eval. This allows configuration files to execute arbitrary Python code via the ${eval:...} syntax. An attacker can exploit this by providing a malicious configuration file, leading to arbitrary code execution when the training script is run with that configuration.

Python Code Injection RCE N A
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-43655 HIGH PATCH This Week

Out-of-bounds read in Apple operating systems allows malicious applications to crash the system or leak kernel memory across iOS/iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, and watchOS 26.5. The vulnerability requires local application execution but no user interaction, enabling information disclosure and denial-of-service attacks. Despite high CVSS 7.3 scoring, the EPSS probability is very low (0.02%, 5th percentile), indicating minimal observed exploitation activity. Vendor-released patches are available for all affected platforms.

Apple Information Disclosure Buffer Overflow
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-42071 HIGH PATCH GHSA This Week

A missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. ### Impact - REPORTER (access level 25) can view file attachments that were uploaded to private bugnotes by DEVELOPER/MANAGER/ADMIN users - Private bugnotes are intended for internal developer discussion; their attachments (logs, screenshots, patches) should be equally protected - The web UI is NOT affected - it filters through bugnote_get_all_visible_bugnotes() first ### Patches - 029d9d203d9e4ae96b3e59d552fa7395cc1e5071 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue. - Vishal Shukla - Tristan Madani (@TristanInSec) from Talence Security - Tang Cheuk Hei (@siunam321) This advisory's contents was largely copied from Tristan's well-written report.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-7819 HIGH PATCH GHSA This Week

Symbolic link path traversal in pgAdmin 4 File Manager allows authenticated users to write arbitrary files on the server filesystem. Attackers with valid credentials can plant symlinks in their storage directory pointing outside it, bypassing access controls to overwrite critical system files or application configurations with pgAdmin process privileges. The vulnerability combines CWE-61 (symlink following) with a time-of-check-time-of-use race condition. Affects all pgAdmin 4 versions before 9.15. No active exploitation confirmed (not in CISA KEV), but exploit is straightforward for authenticated attackers given the detailed fix description published by PostgreSQL project.

Path Traversal Pgadmin 4
NVD GitHub
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-2393 HIGH PATCH GHSA This Week

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to arbitrary URLs, including internal services and cloud metadata endpoints (e.g., AWS EC2 metadata at 169.254.169.254). Affects MLflow versions prior to 3.9.0. The webhook creation endpoint accepts unvalidated user-controlled URLs that are later used in HTTP POST requests, enabling cloud credential theft, internal network reconnaissance, and data exfiltration. Vendor-released patch available in MLflow 3.9.0, confirmed by GitHub commit 64aa0ab. No active exploitation confirmed (not in CISA KEV), but publicly disclosed with detailed technical analysis from huntr.com.

SSRF Mlflow Mlflow Red Hat
NVD GitHub
CVSS 3.0
7.1
EPSS
0.0%
CVE-2026-7817 HIGH PATCH GHSA This Week

Authenticated users in pgAdmin 4 before version 9.15 can read arbitrary server-side files or trigger server-side request forgery (SSRF) attacks via unvalidated LLM API configuration endpoints. The vulnerabilities exist in the chat and model-list endpoints where user-supplied api_key_file and api_url parameters are passed directly to LLM provider clients without sanitization, enabling attackers to exfiltrate sensitive files (database credentials, private keys) readable by the pgAdmin process or coerce internal requests to cloud metadata services and private infrastructure.

SSRF Path Traversal Information Disclosure Pgadmin 4
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-44569 HIGH PATCH GHSA This Week

Insecure Direct Object Reference (IDOR) in Open WebUI allows authenticated users with read-only channel access to modify or delete any message in those channels, bypassing frontend ownership controls through direct API calls. The vulnerability affects the channels feature in Open WebUI versions ≤0.6.18, exploiting missing message ownership validation in backend FastAPI endpoints despite correct frontend access control implementation. Publicly available exploit code exists with detailed proof-of-concept demonstrating privilege escalation from read to write/delete permissions. Vendor-released patch available in version 0.6.19.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28941 HIGH PATCH This Week

The issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Tahoe 26.5. Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents.

Apple Buffer Overflow
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-34960 HIGH PATCH This Week

barebox prior to version 2026.04.0 contains an out-of-bounds read vulnerability in DHCP option parsing within the dhcp_message_type() function that fails to verify the options pointer remains within received packet bounds. An attacker on the same broadcast domain can send a crafted DHCP Offer or ACK packet without a proper 0xff end marker to cause the parser to read past valid packet data and potentially crash the system.

Information Disclosure Buffer Overflow Barebox
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-44473 HIGH PATCH GHSA This Week

User equipment (UE) downlink traffic can be redirected to attacker-controlled radios in Ella Core (5G AMF software) versions prior to 1.10.0. A malicious radio with a valid NG Setup connection can forge PDUSessionResourceSetupResponse messages using arbitrary AMF-UE-NGAP-IDs, causing Ella Core to create GTP tunnels that misdirect victim UE downlink packets to the attacker's radio. This enables traffic interception and denial of service against targeted UEs. The vulnerability stems from missing validation that NGAP messages arrive on the correct SCTP association for the UE context. No public exploit identified at time of analysis, and EPSS data not available. Vendor-released patch: version 1.10.0.

Information Disclosure
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45022 HIGH PATCH GHSA This Week

Commit and tag signature confusion in go-git (the pure-Go implementation of Git) lets a crafted Git object carry a signature that validates while its effective metadata differs from what was actually signed. Because go-git parses ambiguous or malformed object headers differently from canonical Git, and because its signing/verification path operates over a reconstructed representation rather than the raw object bytes, an attacker with contributor access can create commits whose displayed author/committer/metadata diverges from the signed payload - undermining downstream trust decisions (the issue was originally surfaced through sigstore/gitsign). Affected releases are go-git v5 before 5.19.0 and v6 alpha builds 6.0.0-alpha.1 through 6.0.0-alpha.2. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided in the source data.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-42888 MEDIUM PATCH This Month

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/controllers/PodcastController.js accepts a user-controlled file path without sufficient boundary validation to ensure it remains within the intended library directory. This vulnerability is fixed in 2.32.2.

Path Traversal Audiobookshelf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-8275 LOW POC PATCH Monitor

Integer coercion error in bettercap's zerogod IPP service allows remote attackers to trigger information disclosure via malformed chunked HTTP requests. Versions up to 2.41.5 are affected. The vulnerability exists in the ippReadChunkedBody function where integer type conversions lack proper bounds validation, enabling attackers to cause memory access violations that leak sensitive data. Publicly available exploit code exists, and while CVSS 2.9 indicates low severity, the attack requires high complexity and has limited impact; however, the vulnerability is confirmed remotely exploitable without authentication.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-42871 MEDIUM PATCH This Month

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, atendido/familiar_docfamiliar.php displays an overly descriptive error message, including database-related details. This verbosity leads to information disclosure, which could assist a potential attacker in mapping the backend infrastructure and expanding the attack surface. This vulnerability is fixed in 3.7.0.

PHP Information Disclosure
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-7820 MEDIUM PATCH This Month

pgAdmin 4 before version 9.15 allows unauthenticated attackers to bypass account lockout and perform unbounded password-guessing attacks against INTERNAL authentication accounts by exploiting Flask-Security's default /login endpoint, which does not enforce the locked column that the custom /authenticate/login view relies on for brute-force protection. The vulnerability affects only accounts using pgAdmin's INTERNAL authentication source; LDAP, OAuth2, Kerberos, and Webserver authentication methods are not vulnerable because they do not use local passwords.

Authentication Bypass Python
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-34962 MEDIUM PATCH This Month

barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_common.c where the ext4fs_iterate_dir() function fails to validate that directory entry length values are non-zero. Attackers can supply a malicious ext4 filesystem image with a crafted directory entry containing a direntlen value of 0 to cause an infinite loop during directory listing or path resolution, resulting in the boot process hanging indefinitely.

Denial Of Service Barebox
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-34961 MEDIUM PATCH This Month

barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the eh_entries field against buffer capacity in fs/ext4/ext4_common.c. Attackers can supply a malicious ext4 filesystem image via USB, SD card, or network boot to trigger heap out-of-bounds reads during boot-time filesystem parsing, potentially redirecting reads to arbitrary disk offsets.

Information Disclosure Buffer Overflow Barebox
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45222 MEDIUM PATCH This Month

Summarize versions through 0.14.1 create daemon configuration files with world-readable permissions, allowing local attackers with user-level access to read bearer tokens and API credentials from ~/.summarize/daemon.json. The vulnerability enables unauthorized daemon access or recovery of sensitive provider API keys through insecure file permissions on Unix-like systems.

Authentication Bypass Summarize
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45026 MEDIUM PATCH This Month

Stored Cross-Site Scripting in WeGIA versions prior to 3.7.3 allows authenticated high-privilege users to inject malicious JavaScript into the Processo de Aceitação page that executes when any user accesses the vulnerable endpoint, enabling session hijacking and account takeover. The vulnerability is confined to high-privilege authenticated access (PR:H) with no user interaction required on the victim side, though scope is changed (S:C) indicating cross-context impact. No public exploit code or active exploitation has been identified.

XSS PHP
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-45025 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in WeGIA versions prior to 3.7.3 allows authenticated high-privilege users to inject malicious JavaScript into the Etapas de um Processo page, which executes when other users access the page, enabling session hijacking and account takeover. The vulnerability requires high-privilege authentication (PR:H) but affects all users who subsequently visit the injected page, with no public exploit identified at time of analysis.

XSS PHP
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-43911 MEDIUM PATCH This Month

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access takeover). This allows an attacker holding a previously obtained refresh token to maintain session access even after the user has taken action to secure their account. This vulnerability is fixed in 1.35.5.

Information Disclosure Vaultwarden
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-45224 MEDIUM PATCH This Month

Path traversal in Crabbox <0.9.0 allows local attackers to delete or overwrite arbitrary files via malicious .crabbox.yaml configuration. When a user executes Crabbox commands with a crafted workspace configuration containing directory traversal sequences (e.g., '../../../'), the Islo provider performs rm -rf and mkdir -p on attacker-controlled paths outside /workspace. Patch available in v0.9.0 (commit 6b07193). No KEV listing or public POC identified, but exploitation requires only user interaction (opening/running a malicious project), not authentication or special privileges.

Path Traversal Crabbox
NVD GitHub
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-42866 MEDIUM PATCH This Month

Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}.<ext>"), where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A username that contains path-separator sequences (.., /, \, or an absolute path) causes tookie-osint to write the scan output to an arbitrary path the invoking user has write permission for. This vulnerability is fixed in 4.1fix.

Path Traversal Tookie Osint
NVD GitHub VulDB
CVSS 4.0
6.7
EPSS
0.0%
CVE-2026-26946 MEDIUM PATCH This Month

Improper privilege management in Dell ECS 3.8.1.0-3.8.1.7 and ObjectScale prior to 4.3.0.0 allows high-privileged local attackers to escalate privileges and gain full system access, affecting confidentiality, integrity, and availability. No public exploit code or active exploitation has been identified at the time of analysis.

Dell Privilege Escalation
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-8264 LOW POC Monitor

Remote authenticated command injection in Tenda AC6 router firmware version 15.03.06.23 allows authenticated attackers to execute arbitrary OS commands via manipulation of the wl2g.public.country or wl5g.public.country parameters in the /goform/WifiApScan endpoint. The vulnerability affects the httpd component's formWifiApScan function and has publicly available exploit code, presenting moderate risk to affected deployments.

Tenda Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
2.7%
CVE-2026-31246 MEDIUM This Month

GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run() method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper validation. The user-supplied input is directly passed to asyncio.create_subprocess_shell() for execution. This allows an attacker to replace the intended command with arbitrary shell commands, leading to remote code execution with the privileges of the GPT-Pilot process.

Command Injection RCE
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-43889 MEDIUM PATCH This Month

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each-skipping the "share" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0.

Authentication Bypass Outline
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44353 MEDIUM PATCH GHSA This Month

Streamlink versions 8.3.0 and earlier allow arbitrary local file read via unvalidated URI schemes in HLS and DASH parsers. A remote attacker hosting a malicious `.m3u8` or `.mpd` manifest can trick streamlink clients into reading local files (such as SSH keys, AWS credentials, or `/etc/passwd`) and writing their contents to the output stream. Requires user interaction (clicking/running streamlink against attacker-controlled playlist), but no authentication needed. CVSS 6.5 reflects the information disclosure risk; affected deployments with automated processing or cloud sync pose material exfiltration risk.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28920 MEDIUM PATCH This Month

Information leakage in Apple operating systems allows remote attackers to extract sensitive data by crafting and hosting malicious websites that users visit. The vulnerability affects iOS 18.7.8 and earlier, iPadOS 18.7.8 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, tvOS 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. Exploitation requires user interaction (UI:R) to visit a malicious website but does not require authentication, with an EPSS score of 0.03 percent indicating low real-world exploitation probability despite the information disclosure impact.

Apple Information Disclosure
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28903 MEDIUM PATCH This Month

Memory corruption in Apple's WebKit web content processing engine causes an unexpected process crash (denial-of-service) across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS when a victim processes attacker-controlled web content. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H confirms network-reachable, unauthenticated exploitation limited to availability impact within the affected process - no code execution or data exfiltration is indicated. No public exploit code has been identified at time of analysis, and EPSS scoring at 0.03% (10th percentile) combined with SSVC Exploitation status of 'none' signal low current exploitation pressure.

Apple Buffer Overflow Ios And Ipados Tvos Visionos +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42883 MEDIUM PATCH This Month

Authenticated users with download permissions in Audiobookshelf prior to 2.32.2 can download files from libraries they do not have access to by directly specifying item IDs in the GET /api/libraries/:id/download endpoint, bypassing library access controls. An attacker with valid credentials and access to any single library can exfiltrate complete file contents from restricted libraries, including those explicitly denied to them.

Authentication Bypass Audiobookshelf
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7010 MEDIUM PATCH This Month

HTTP::Tiny versions before 0.093 for Perl fail to validate carriage return and line feed (CRLF) characters in HTTP request lines and header values, allowing attackers who control input URLs or headers to inject additional HTTP headers and smuggle requests to upstream servers. Remote unauthenticated attackers can exploit this via crafted URLs passed to webhook or URL fetch endpoints, achieving limited information disclosure and integrity compromise. EPSS score of 0.03% (percentile 7%) indicates low practical exploitation probability despite network-vector accessibility.

Code Injection Http Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44571 MEDIUM PATCH GHSA This Month

Improper authorization in Open WebUI versions up to 0.8.5 allows authenticated users to modify messages in standard channels by exploiting a read-permission check that should require write permission. The vulnerability affects the POST /api/v1/channels/{channel_id}/messages/{message_id}/update endpoint when access_control is set to None, enabling message tampering without ownership verification. Patch available in version 0.8.6.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28956 MEDIUM PATCH This Month

Memory corruption in Apple operating systems allows remote attackers to trigger unexpected app termination or corrupt process memory by delivering a maliciously crafted media file to users, requiring user interaction to open the file. Affects iOS/iPadOS 26.4 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, tvOS 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. No public exploit identified at time of analysis; vendor-released patches are available across all affected platforms.

Apple Information Disclosure Buffer Overflow
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28972 MEDIUM PATCH This Month

Out-of-bounds write in Apple operating systems allows network-based unauthenticated attackers to corrupt kernel memory or cause denial of service without user interaction. The vulnerability affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS across multiple versions. Apple has released patches for all affected platforms, though the extremely low EPSS score (0.02%) suggests real-world exploitation risk is minimal despite the network attack vector.

Apple Memory Corruption Buffer Overflow
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42316 MEDIUM PATCH This Month

KQL injection in kafka-sink-azure-kusto Kafka Connect plugin prior to 5.2.3 allows authenticated administrators with Kafka Connect configuration permissions to inject arbitrary KQL management commands by embedding metacharacters in the kusto.tables.topics.mapping configuration fields (db, table, mapping, format). An attacker with connector configuration privileges could enumerate or modify schemas, tamper with ingestion mappings, or alter streaming and retention policies on the target Azure Data Explorer database using the connector's service principal credentials. The vulnerability is fixed in version 5.2.3 and has not been observed in active exploitation at the time of this analysis.

Microsoft Information Disclosure Nosql Injection
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28918 MEDIUM PATCH This Month

An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Parsing a maliciously crafted file may lead to an unexpected app termination.

Apple Information Disclosure Buffer Overflow
NVD
CVSS 3.1
6.5
EPSS
0.0%
Prev Page 4 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy