Skip to main content
CVE-2026-43500 HIGH POC PATCH NEWS Act Now

Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated attackers to achieve arbitrary code execution with kernel privileges. The vulnerability stems from improper handling of shared fragment memory in DATA and RESPONSE packet processing, where the kernel fails to unshare externally-owned page fragments before in-place decryption operations. This creates a buffer overflow condition (CWE-787) exploitable by local users with low privileges. Patches are available for kernel versions 6.18.29, 7.0.6, and 7.1-rc3. EPSS and KEV status not provided in available data.

Memory Corruption Buffer Overflow Linux
NVD VulDB GitHub Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43639 HIGH POC PATCH This Week

{providerId}/clients/existing endpoint, allowing authenticated provider users to add any organization to their provider without the target's consent. Publicly available exploit code exists (detailed writeup by Sanjok Karki), and vendor-released patch v2026.4.0 fully addresses the issue via GitHub PR #7372. Self-hosted installations are unaffected due to endpoint access restrictions. CVSS 8.9 reflects high confidentiality, integrity, and availability impact with high attack complexity and high privilege requirements.

Authentication Bypass Server
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-43640 HIGH POC PATCH This Week

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management privileges to retrieve or rotate organization SCIM API keys without master password re-authentication. An attacker with valid session credentials and SCIM management rights can obtain sensitive API keys that enable user provisioning control, potentially leading to unauthorized account creation, modification, or deletion within the organization. Public exploit code exists, and vendor patch v2026.4.1 addresses the issue via GitHub PR #7403.

Information Disclosure Server
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-44578 HIGH POC PATCH GHSA This Week

Server-side request forgery in Next.js allows remote unauthenticated attackers to proxy requests to arbitrary internal or external destinations through crafted WebSocket upgrade requests in self-hosted applications using the built-in Node.js server. Attackers can access internal services and cloud metadata endpoints (AWS, GCP, Azure instance metadata) without authentication. This affects Next.js versions 13.4.13 through 15.5.15 and 16.0.0 through 16.2.4. Vendor-released patches available in versions 15.5.16 and 16.2.5. Vercel-hosted deployments are explicitly not affected.

SSRF Node.js
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-44738 HIGH POC PATCH GHSA This Week

Information disclosure in Grav CMS versions prior to 2.0.0-rc.2 allows authenticated users with admin.pages role to extract all site configuration secrets via Twig sandbox bypass. Attackers can invoke config.toArray() from page content to dump SMTP passwords, AWS keys, OAuth client secrets, and API tokens into rendered HTML. CVSS 7.7 (High) with confirmed scope change reflects cross-tenant impact in multi-admin environments. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.

Information Disclosure Grav
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-44573 HIGH POC PATCH GHSA This Week

Middleware bypass in Next.js Pages Router applications allows unauthenticated access to protected server-side rendered JSON data when i18n is configured. Attackers can retrieve SSR page data through locale-less `/_next/data/<buildId>/<page>.json` requests without triggering middleware authorization checks. This affects Next.js versions 12.2.0 through 15.5.15 and 16.0.0 through 16.2.4. Vercel released patches in versions 15.5.16 and 16.2.5 as part of a coordinated disclosure addressing multiple security issues. CVSS 7.5 (High) with network-accessible, low-complexity exploitation requiring no authentication. No public exploit code or CISA KEV listing identified at time of analysis.

Authentication Bypass
NVD GitHub VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8260 HIGH POC This Week

Buffer overflow in D-Link DCS-935L camera firmware versions up to 1.10.01 allows authenticated remote attackers to achieve complete system compromise via crafted AdminPassword parameter to the HNAP service. Public exploit code exists on GitHub (0xcc12138/DCS-935L-HNAP-Service-CVE), demonstrating weaponization of this vulnerability. CVSS 4.0 score of 7.4 with CVSS:4.0/E:P confirms proof-of-concept exploitation. While authentication is required (PR:L), the low attack complexity (AC:L) and network attack vector (AV:N) combined with publicly available exploit code make this a practical remote exploitation risk for devices exposed to untrusted networks or compromised accounts.

D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-6433 HIGH POC This Week

Remote code execution in the Custom css-js-php WordPress plugin versions up to 2.0.7 allows unauthenticated attackers to execute arbitrary PHP code on the server through SQL injection chained with PHP eval(). The plugin fails to sanitize user input before passing it to SQL queries, with query results subsequently executed via eval(). EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, and no public exploit code has been identified at time of analysis, though the technical barrier is low (CVSS AC:L/PR:N).

PHP RCE WordPress
NVD WPScan VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-44432 HIGH PATCH GHSA This Week

Decompression bomb safeguards in urllib3 2.6.0 can be bypassed during streaming API operations, causing excessive CPU and memory consumption on client systems. Applications using urllib3 versions 2.6.0 through 2.6.x that stream Brotli-compressed responses with multiple read() calls, or invoke drain_conn() after partial decompression, may decompress entire payloads instead of requested chunks. This allows malicious servers to trigger resource exhaustion attacks against urllib3 clients. Vendor-released patch (version 2.7.0) confirmed by GitHub advisory GHSA-mf9v-mfxr-j63j. No public exploit identified at time of analysis, but exploitation requires only a malicious HTTP server delivering compressed responses - a low-complexity attack scenario.

Information Disclosure Google
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-36734 HIGH This Week

Command injection in EDIMAX BR-6428nS V3 wireless router firmware 1.15 allows authenticated attackers to execute arbitrary system commands via crafted input to WLAN configuration interface. The vulnerability requires low-privilege network authentication but no user interaction, enabling complete device compromise including credential theft, traffic interception, and pivot attacks into connected networks. EPSS score of 0.17% suggests low probability of mass exploitation, though a proof-of-concept is publicly available on GitHub, lowering the barrier for targeted attacks against exposed management interfaces.

Command Injection N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-42603 HIGH PATCH This Week

Remote code execution in OWASP BLT versions prior to 2.1.2 enables attackers to execute arbitrary code with repository write permissions via malicious GitHub pull requests. The vulnerability exploits a GitHub Actions workflow misconfiguration where pull_request_target triggers execute code directly from attacker-controlled forks without proper validation. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly disclosed via GitHub Security Advisory GHSA-cgvj-qg2h-cqfh.

Code Injection RCE Blt
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44346 HIGH PATCH GHSA This Week

Command injection in BentoML 1.4.38 and earlier allows attackers to execute arbitrary code on build hosts when victims containerize malicious bentos. Exploitation occurs during the `bentoml containerize` workflow when unvalidated `envs[*].name` and `docker.base_image` fields from imported bentofile.yaml are interpolated into generated Dockerfiles without escaping, enabling newline-injection of RUN directives executed by `docker build`. This is a sibling vulnerability to CVE-2026-33744 and CVE-2026-35043 which patched the same injection class in `system_packages` fields but left these additional attack surfaces unaddressed. Patch version 1.4.39 available from vendor. No CISA KEV listing or public POC outside gated HuggingFace repository at time of analysis, but end-to-end reproduction confirmed by reporter on BentoML 1.4.38.

Python Docker Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44345 HIGH PATCH GHSA This Week

Command injection in BentoML allows arbitrary code execution on developer workstations during containerization of untrusted bento packages. Attackers craft malicious bento.yaml files with newline-injected docker.base_image values that smuggle Dockerfile RUN directives into the generated Dockerfile template. When victims run 'bentoml containerize' on the malicious bento, Docker build executes the injected commands on the host system with full developer privileges. This vulnerability (GHSA-78f9-r8mh-4xm2) is part of a documented cluster alongside GHSA-w2pm-x38x-jp44, CVE-2026-33744, and CVE-2026-35043, all involving unsafe Jinja2 template interpolation in BentoML's Dockerfile generation pipeline. Fixed in version 1.4.39. No active exploitation confirmed at time of analysis; EPSS data not available for 2026-dated CVE.

Python Docker Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28847 HIGH PATCH This Week

Memory-corruption crash in Apple's WebKit web-content engine lets a malicious website terminate the content-rendering process across iOS/iPadOS, macOS, tvOS, visionOS and watchOS prior to the 26.5 (and 18.7.9) releases. The flaw is triggered simply by viewing attacker-controlled web content, requiring no authentication but one user action (opening a page). There is no public exploit identified at time of analysis and SSVC rates exploitation as none, though the assigned CVSS 8.8 reflects worst-case memory-corruption potential rather than the crash-only behavior Apple documents.

Apple Buffer Overflow Ios And Ipados Tvos Visionos +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28955 HIGH PATCH This Week

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Apple Buffer Overflow Ios And Ipados Tvos Visionos +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44521 HIGH PATCH GHSA This Week

Authenticated SQL injection in elFinder's MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including those with read-only access, to inject malicious SQL via crafted file hash parameters. The vulnerability stems from improper validation of decoded file hashes before use in SQL queries, enabling attackers to manipulate query logic through the target parameter. This affects only installations using the non-default MySQL volume driver (versions <=2.1.67); the default LocalFileSystem driver is not vulnerable. Vendor-released patch available in version 2.1.68. CVSS 8.8 with network vector and low attack complexity indicates straightforward exploitation for authenticated attackers.

Denial Of Service Information Disclosure SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28995 HIGH PATCH This Week

Sandbox escape vulnerability in Apple operating systems allows malicious apps with low privileges to break out of application sandbox and execute code with elevated privileges on the host system. Affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS across multiple versions. Apple has released patches for all affected platforms. EPSS score of 0.02% (7th percentile) indicates low probability of mass exploitation in the wild, though the CVSS 8.8 score reflects significant potential impact if successfully weaponized. No active exploitation confirmed at time of analysis.

Privilege Escalation Apple
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28947 HIGH PATCH This Week

Use-after-free in WebKit allows remote attackers to trigger Safari crashes and potentially achieve arbitrary code execution across Apple's entire ecosystem (iOS, iPadOS, macOS, tvOS, visionOS, watchOS) via maliciously crafted web content. Users must visit or be tricked into visiting a malicious webpage (UI:R). Despite CVSS 8.8 (High) with theoretical code execution impact (C:H/I:H/A:H), EPSS probability is extremely low (0.02%, 5th percentile), indicating minimal observed exploitation activity. No public exploit identified at time of analysis, and vendor patches are available across all platforms as of version 26.5.

Denial Of Service Apple Use After Free Memory Corruption Ios And Ipados +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28923 HIGH PATCH This Week

Sandbox escape in macOS logging subsystem allows malicious applications with low privileges to break containment and access system resources beyond sandbox boundaries. The vulnerability stems from improper data redaction in logging mechanisms (CWE-532), affecting macOS Tahoe 26.x, Sequoia 15.x, and Sonoma 14.x prior to their May 2026 updates. Apple has released patches for all affected versions. EPSS score of 0.02% (4th percentile) indicates minimal widespread exploitation likelihood, with no confirmed active exploitation or public POC at time of analysis. CVSS 8.8 HIGH reflects the scope change (S:C) allowing escape from sandboxed context to system-level access with complete confidentiality, integrity, and availability impact.

Apple Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28978 HIGH PATCH This Week

Sandbox escape in macOS Sequoia, Sonoma, and Tahoe allows malicious applications with low privileges to break containment and gain elevated system access. Apple fixed this permissions handling flaw in macOS 15.7.7, 14.8.7, and 26.5 after addressing inadequate sandbox restrictions. No active exploitation confirmed (CISA KEV absent), but the CVSS scope change (S:C) indicates complete sandbox bypass with high impact to confidentiality, integrity, and availability. EPSS score of 0.01% suggests low probability of mass exploitation despite the severity, likely due to the requirement for local app installation and low-privilege authenticated access.

Authentication Bypass Apple
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41489 HIGH PATCH This Week

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.

Privilege Escalation Pi Hole
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7816 HIGH PATCH GHSA This Week

Authenticated remote code execution in pgAdmin 4 versions before 9.15 allows low-privilege users to execute arbitrary OS commands on the pgAdmin server via unsanitized input in the Import/Export query export feature. Attackers inject malicious payloads into psql \copy metacommand templates to break out of the query context and invoke PROGRAM directives or write arbitrary files. No public exploit code identified at time of analysis, but exploitation requires only low-privilege authenticated access with no user interaction (CVSS AV:N/AC:L/PR:L/UI:N). EPSS data not provided; KEV status not confirmed.

Command Injection SQLi Pgadmin 4
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-7790 HIGH PATCH GHSA This Week

Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.

Denial Of Service Cowlib
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-7815 HIGH PATCH GHSA This Week

SQL injection in pgAdmin 4 Maintenance Tool allows authenticated users with tools_maintenance permission to execute arbitrary SQL and escalate to operating-system command execution on PostgreSQL database hosts. Four JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) are concatenated unsafely into VACUUM/ANALYZE/REINDEX commands passed to psql. Attackers can break out of option syntax, inject SQL statements, and leverage PostgreSQL's COPY ... TO PROGRAM to achieve OS-level code execution. Fixed in version 9.15 via server-side allow-listing and proper input sanitization using qtIdent filter. EPSS data not available; no public exploit identified at time of analysis.

SQLi PostgreSQL
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-43888 HIGH PATCH This Week

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's nested path is long enough to push the joined filesystem path over MAX_PATH_LENGTH (4096 bytes), trimFileAndExt silently drops all directory components and returns a bare filename. fs.createWriteStream then opens the file relative to the process working directory instead of inside the extraction sandbox, and the escaped file persists after import cleanup because cleanupExtractedData only removes the temporary extraction directory. This vulnerability is fixed in 1.7.0.

Path Traversal Outline
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-43912 HIGH PATCH This Week

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the same organization as collections_groups.groups_uuid. Multiple organization group-management endpoints accept arbitrary MembershipId and CollectionId values and persist them directly without verifying org consistency. This lets an attacker who is Admin in Organization A, and only a low-privileged member in Organization B bind their Org B membership UUID into an Org A group, then use that foreign group relationship to gain unauthorized access to Org B vault data. With an accessAll=true Org A group, the attacker can make /api/sync and /api/ciphers enumerate Org B ciphers. Once those unauthorized sync results reveal Org B collection IDs, the attacker can also bind those foreign collection IDs to the Org A group and turn the same flaw into write access over Org B items. This vulnerability is fixed in 1.35.5.

Authentication Bypass Hashicorp
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-44543 HIGH PATCH GHSA This Week

Template injection in Rancher Local Path Provisioner allows Kubernetes cluster operators with ConfigMap edit permissions to escalate privileges to node-level root access. Attackers with write access to the local-path-config ConfigMap can inject malicious Pod templates that bypass security controls, creating privileged containers with full host filesystem access. This enables theft of ServiceAccount tokens from co-located pods, access to other tenants' persistent volume data, and arbitrary modification of host node files. Vendor-released patch: v0.0.36. CVSS 8.7 (High) reflects the high-privilege prerequisite (PR:H) but scope change to container escape (S:C). No public exploit identified at time of analysis, though exploitation is straightforward for authenticated cluster operators.

Kubernetes Docker Information Disclosure Ssti
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-44985 HIGH GHSA This Week

Cross-Site WebSocket Hijacking (CSWSH) in Dozzle's /exec and /attach endpoints allows authenticated shell access bypass when --enable-shell is enabled. The vulnerability stems from WebSocket origin validation bypass (CheckOrigin returns true) combined with SameSite=Lax JWT cookies, enabling attackers on same-site origins (sibling subdomains or localhost services) to hijack victim WebSocket sessions and execute arbitrary commands in Docker containers. Affects all Dozzle deployments through version 10.5.1 with shell access enabled. No public exploit identified at time of analysis, but detailed proof-of-concept exists in the GitHub advisory demonstrating container shell access via Python script. CVSS score not assigned, but CWE-346 classification indicates origin validation failure.

Python Docker RCE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42595 HIGH PATCH GHSA This Week

Server-side request forgery in Gotenberg's Chromium URL-to-PDF endpoint allows unauthenticated remote attackers to exfiltrate cloud credentials and access internal services. The primary `/forms/chromium/convert/url` endpoint ships with no default deny-list for HTTP/HTTPS targets - only blocking file:// URIs - enabling direct access to AWS/GCP/Azure metadata endpoints at 169.254.169.254, RFC 1918 private networks, and localhost services. Even when administrators configure custom deny-lists, attackers bypass validation via HTTP 302 redirects, as Chromium follows redirects without re-validating destinations. Vendor-confirmed public exploit code exists (PoC in GHSA-chwh-f6gm-r836). Patch available in version 8.32.0.

SSRF Microsoft Python Docker Google
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-10470 HIGH PATCH This Week

Memory exhaustion denial-of-service in WSO2 Identity Server's Magic Link authenticator allows remote unauthenticated attackers to crash the authentication service by flooding invalid login requests without rate limiting. The vulnerability affects deployments using the Magic Link authentication flow and has an EPSS score indicating moderate exploitation likelihood. WSO2 has published a security advisory (WSO2-2025-4469) with remediation guidance for affected Identity Server and Carbon MagicLink Authenticator Module installations.

Denial Of Service Wso2 Identity Server Wso2 Carbon Magiclink Authenticator Module
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-41951 HIGH This Week

Remote path traversal in GROWI v7.5.0 and earlier allows authenticated administrators to execute arbitrary EJS templates on the server when an email server is configured. The vulnerability enables template injection through directory traversal, potentially leading to remote code execution. Exploitation requires high privileges (administrator role) and a specific deployment configuration with email server functionality enabled. No active exploitation confirmed in CISA KEV, but CVSS 8.6 reflects the severity of arbitrary code execution impact once prerequisites are met.

Path Traversal Growi
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-44655 HIGH PATCH GHSA This Week

Unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution. - 5cb4b469295889f5d2b01677c9bf82c143e0fdaa None

XSS
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-34463 HIGH PATCH GHSA This Week

Stored HTML injection and cross-site scripting in MantisBT versions 2.28.1 and earlier allows a privileged user (manager or administrator) to inject HTML through a Project's name field, which is later rendered unescaped on the issue clone form (bug_report_page.php) when cloning issues across projects. The flaw is mitigated by MantisBT's default Content Security Policy, which blocks inline script execution, and no public exploit identified at time of analysis. The CVSS 4.0 score of 8.6 reflects high confidentiality, integrity, and availability impacts on the vulnerable component despite requiring high privileges.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-33362 HIGH This Week

Remote unauthenticated attackers can decrypt user credentials and hijack IoT device sessions in Meari SDK-based mobile applications (CloudEdge, Arenti, white-label apps) by exploiting hardcoded cryptographic keys shared across all installations. The SDK embeds API signing secrets, password-transport encryption keys, and service access tokens in application binaries, enabling adversaries to intercept and decrypt account credentials in transit, forge authenticated API requests, and potentially access cloud services without user authentication. No public exploit code identified at time of analysis, but EPSS scoring and exploitation complexity are low given the static nature of hardcoded secrets.

Information Disclosure Google
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-34963 HIGH PATCH This Week

barebox version prior to 2026.04.0 contains multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe.c where integer overflow in virtual image size computation using 32-bit arithmetic on section VirtualAddress and size values allows undersized heap allocation, and PE section loading logic fails to validate that PointerToRawData plus copied size remains within the PE file buffer. An attacker can supply a malicious EFI PE binary via TFTP, USB, SD card, or network boot to trigger heap buffer overflow or out-of-bounds read from heap memory, potentially achieving code execution in bootloader context.

Integer Overflow RCE Buffer Overflow Barebox
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-45033 HIGH PATCH GHSA This Week

Remote code execution in GitHub Copilot CLI versions prior to 1.0.43 allows attackers to execute arbitrary commands via malicious bare git repositories embedded in project directories. When the CLI agent performs routine git operations, git's automatic bare repository discovery triggers execution of commands specified in config keys like core.fsmonitor. Attackers can deliver the malicious repository through pull requests, compromised dependencies, or pre-existing cloned repositories. No public exploit identified at time of analysis, though the attack technique leverages well-documented git behavior. The vendor-released patch (version 1.0.43) sets safe.bareRepository=explicit to block automatic bare repository discovery.

RCE Path Traversal
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-42858 HIGH PATCH This Week

Server-side request forgery (SSRF) in Open edX Platform allows authenticated Enterprise Admin users to force the application server to make HTTP requests to arbitrary internal network resources, cloud metadata endpoints (AWS 169.254.169.254), or external attacker-controlled hosts via the sync_provider_data SAML configuration endpoint. The unvalidated metadata_url parameter is passed directly to requests.get() without IP filtering or URL scheme enforcement, enabling internal network reconnaissance, credential theft from cloud metadata services, and potential lateral movement. Fixed in commits 6fda1f120ff and 70a56246dd9. EPSS data not available; no confirmed active exploitation at time of analysis.

SSRF Openedx Platform
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-45004 HIGH PATCH GHSA This Week

Arbitrary code execution in OpenClaw via CWD-based setup-api.js injection allows local attackers to run malicious JavaScript when users execute OpenClaw commands from attacker-controlled directories. Affects all OpenClaw versions before 2026.4.23. Vendor-released patch available in version 2026.4.23. Exploitation requires user interaction (running OpenClaw commands from a malicious repository) but no authentication. CVSS 7.8 reflects local attack vector with user interaction requirement, mitigating remote exploitation risk.

RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-4892 HIGH PATCH This Week

Heap-based buffer overflow in dnsmasq's DHCPv6 implementation enables local attackers to execute arbitrary code with root privileges. Affects dnsmasq 2.93 (and potentially earlier 2.92 branch based on NixOS patching activity). CERT/CC issued VU#471747, and upstream published CVE-specific advisory at thekelleys.org.uk/dnsmasq/CVE/. NixOS patch activity (PR #519082, #519093) indicates real-world remediation effort. No CISA KEV listing or public POC identified at time of analysis, suggesting limited active exploitation despite high CVSS 8.4 score.

RCE Buffer Overflow Heap Overflow Dnsmasq
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-44570 HIGH PATCH GHSA This Week

Authenticated low-privilege users in Open WebUI (pip package versions prior to 0.6.19) can access, delete, and restore other users' memory data through inconsistent authorization controls in the memories API. The /api/v1/memories/query endpoint allows any authenticated user to query all memories across the system regardless of ownership, while the DELETE and update endpoints enable unauthorized manipulation of other users' memory objects. A publicly available exploit code exists with three detailed proof-of-concept demonstrations published in the GitHub security advisory GHSA-hmjq-crxp-7rjw. The vulnerability carries a CVSS score of 8.3 with High confidentiality and integrity impact, exploitable remotely with low attack complexity requiring only low-privilege authentication (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-45017 HIGH PATCH GHSA This Week

{% include %} and {% render %} Liquid tags. The built-in FileSystemLoader and CachingFileSystemLoader failed to reject absolute paths, escaping the configured search path; no public exploit identified at time of analysis but the vendor advisory (GHSA-8p4x-wr7x-3788) publicly documents the bypass mechanism.

Python Path Traversal
NVD GitHub
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-42564 HIGH PATCH This Week

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0.

Path Traversal Jotty
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-44483 HIGH PATCH GHSA This Week

Prototype pollution in @rvf/set-get allows remote attackers to modify Object.prototype on Node.js servers processing form data via Remix or React Router applications. The setPath function fails to block dangerous property keys (__proto__, constructor, prototype) when flattening form submissions, enabling unauthenticated attackers to inject arbitrary properties into all JavaScript objects across the server process with a single malformed HTTP request. Working proof-of-concept code is publicly available demonstrating property injection via field names like '__proto__[polluted]'. The vulnerability affects default configurations with no special setup required - any endpoint using parseFormData or createValidator is exploitable. CVSS 8.2 High severity driven by network attack vector (AV:N), low complexity (AC:L), and no authentication requirement (PR:N), with high integrity impact from the ability to alter application logic process-wide.

Denial Of Service Node.js Prototype Pollution
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-44431 HIGH PATCH GHSA This Week

Sensitive authentication headers (Authorization, Cookie, Proxy-Authorization) leak to unintended domains when urllib3's low-level ProxyManager API follows cross-origin redirects. Applications using ProxyManager.connection_from_url().urlopen() with assert_same_host=False on urllib3 versions 1.23 through 2.6.x inadvertently forward credentials across origins, potentially exposing user sessions or API tokens to third-party servers. Vendor-released patch available in urllib3 2.7.0.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-44971 HIGH GHSA This Week

Server-side request forgery (SSRF) in GuardDog 1.0.0 through 2.9.0 allows remote attackers to exfiltrate GitHub personal access tokens and probe internal networks via malicious repository URLs. The vulnerability stems from blind string replacement in ProjectScanner.scan_remote() that fails to validate hostnames before appending authentication credentials. No vendor-released patch identified at time of analysis. Publicly available exploit code exists via GitHub advisory reproduction steps. CVSS 8.2 (High) with network vector and no authentication required.

Python SSRF
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-43886 HIGH PATCH This Week

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0.

Privilege Escalation Outline
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-44413 HIGH PATCH This Week

Authentication bypass in JetBrains TeamCity allows remote unauthenticated attackers to gain unauthorized access to server APIs. Despite the CVE description stating 'authenticated users could expose server API,' the CVSS vector (PR:N) confirms no authentication is required for exploitation, enabling direct unauthorized API access with high confidentiality impact and limited integrity impact. JetBrains has released patches in versions 2026.1 and 2025.11.5. EPSS and KEV status not available at time of analysis.

Authentication Bypass Teamcity
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-30635 HIGH GHSA This Week

Remote code execution in automagik-genie 2.5.27 MCP Server occurs when processing transcripts from attacker-controlled external FORGE_BASE_URL endpoints. Exploitation chains command injection in the readTranscriptFromCommit function's view_task parameter to execute arbitrary system commands on the server. A proof-of-concept exploit exists, though active exploitation has not been confirmed by CISA KEV at time of analysis.

Command Injection
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-42859 HIGH PATCH This Week

Remote code execution and denial of service in Neat VNC library version <0.9.6 allows unauthenticated network attackers to overflow a 1024-byte stack buffer during RSA-AES security handshake. An attacker sends a crafted VNC security type 5 or 129 message with an oversized client RSA public key, triggering a stack buffer overflow in rsa_aes_send_challenge() when the server encrypts its challenge response. CVSS 8.1 (High) with network attack vector, low complexity, and no authentication required. No public exploit identified at time of analysis, though the vulnerability is trivial to trigger based on the patch diff showing a simple size validation check addition.

Denial Of Service Buffer Overflow Neatvnc
NVD GitHub
CVSS 4.0
8.1
EPSS
0.1%
CVE-2026-44565 HIGH PATCH GHSA This Week

Path traversal in Open WebUI's file upload mechanism allows authenticated attackers to write and subsequently delete arbitrary files on the server filesystem. Discovered by Taylor Pennington of KoreLogic, this vulnerability affects the /ollama/models/upload API endpoint where unsanitized filename parameters enable directory traversal using dot-segments. The vulnerability requires low-privilege authentication (PR:L) and has straightforward exploitation (AC:L), confirmed by a published GitHub security advisory (GHSA-j3fw-wc48-29g3) with working proof-of-concept code. Vendor-released patch available in version 0.6.10. No evidence of active exploitation (not in CISA KEV) at time of analysis.

Python Path Traversal Debian
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy