Skip to main content
CVE-2026-34336 HIGH PATCH This Week

Buffer over-read in Windows DWM Core Library allows an authorized attacker to disclose information locally.

Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40408 HIGH PATCH Exploit Unlikely This Week

Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40407 HIGH PATCH This Week

Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

Heap Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40377 HIGH PATCH Exploit Unlikely This Week

Heap-based buffer overflow in Windows Cryptographic Services allows an authorized attacker to elevate privileges locally.

Heap Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34337 HIGH PATCH Exploit Unlikely This Week

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34334 HIGH PATCH This Week

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally.

Microsoft Race Condition Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-35418 HIGH PATCH This Week

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34351 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows TCP/IP stack affects Windows 10 (1607-22H2), Windows 11 (22H3-26H1), and Windows Server 2012 through a race condition vulnerability. Low-complexity exploitation requires only low-privilege authenticated access with no user interaction (CVSS 7.8, AV:L/AC:L/PR:L/UI:N). Vendor-released patch available from Microsoft Security Response Center. No public exploit code or active exploitation confirmed at time of analysis, though the low attack complexity and local vector suggest feasibility for post-compromise privilege escalation in enterprise environments.

Microsoft Race Condition Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-33834 HIGH PATCH Exploit Unlikely This Week

Windows Event Logging Service privilege escalation allows local authenticated attackers with low-level privileges to gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2012+ environments. The vulnerability requires no user interaction and has low attack complexity (AC:L), making exploitation straightforward once initial access is obtained. Microsoft has released patches via their March 2026 security updates, and exploitation requires only standard user credentials on vulnerable systems. CVSS 7.8 HIGH severity with complete compromise of confidentiality, integrity, and availability upon successful exploitation.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34638 HIGH This Week

Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Denial Of Service Use After Free Memory Corruption RCE Premiere Pro
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34684 HIGH This Week

Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Substance3D Designer
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34683 HIGH This Week

Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Substance3D Designer
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34682 HIGH This Week

Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Substance3D Designer
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34681 HIGH This Week

Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Substance3D Designer
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34644 HIGH This Week

After Effects versions 26.0, 25.6.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Integer Overflow RCE After Effects
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34643 HIGH This Week

After Effects versions 26.0, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE After Effects
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34642 HIGH This Week

After Effects versions 26.0, 25.6.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Heap Overflow RCE Buffer Overflow After Effects
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34640 HIGH This Week

Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Integer Overflow RCE Media Encoder
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34639 HIGH This Week

Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Media Encoder
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34637 HIGH This Week

Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Premiere Pro
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34636 HIGH This Week

Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Premiere Pro
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-42290 HIGH PATCH GHSA This Week

Command injection in protobufjs-cli pbts tool allows arbitrary shell command execution when processing file paths with shell metacharacters. The pbts utility builds JSDoc commands by concatenating unsanitized file paths into shell strings executed via child_process.exec. Affects protobufjs-cli versions ≤1.2.0 and 2.0.0-2.0.1. Vendor-released patches available (1.2.1 and 2.0.2). CVSS 7.8 (High) but requires local access with user interaction (AV:L/UI:R), limiting remote exploitation. No EPSS data or KEV listing indicates this is not yet widely exploited despite public disclosure and available fixes.

Command Injection
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34690 HIGH This Week

After Effects versions 26.0, 25.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Stack Overflow RCE Buffer Overflow After Effects
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34687 HIGH This Week

Illustrator versions 29.8.6, 30.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Heap Overflow RCE Buffer Overflow Illustrator
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34676 HIGH This Week

Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Substance 3d Painter
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34675 HIGH This Week

Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Substance 3d Painter
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34661 HIGH This Week

Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Illustrator
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-8110 HIGH This Week

Local privilege escalation in Ivanti Endpoint Manager agent allows authenticated users to gain SYSTEM-level privileges via incorrect file or registry permissions. Affects all versions prior to 2024 SU6. Vendor has released a patch (version 2024 SU6). No evidence of active exploitation or public POC identified at time of analysis, though EPSS data not available. Organizations running EPM agents on managed endpoints should prioritize patching given the high CVSS score (7.8) and potential for lateral movement across enterprise environments.

Privilege Escalation Ivanti
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7432 HIGH This Week

Race condition in Ivanti Secure Access Client enables local privilege escalation to SYSTEM from low-privileged accounts. Affects versions before 22.8R6. An authenticated local user can exploit timing vulnerabilities in the client software to gain complete system control. While limited to local attack vector (requires existing access to the target system), the low attack complexity (AC:L) and lack of user interaction requirement (UI:N) make this exploitable once local access is achieved. No public exploit code identified at time of analysis, and EPSS risk scoring not yet available for this 2026 CVE.

Privilege Escalation Race Condition Ivanti
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-44293 HIGH PATCH GHSA This Week

Remote code execution in protobufjs (npm package) versions ≤7.5.5 and 8.0.0-8.0.1 allows attackers to inject and execute arbitrary JavaScript by supplying a malicious protobuf schema with crafted default values in bytes fields. When applications load untrusted protobuf descriptors and call toObject() with defaults enabled, attacker-controlled expressions are emitted into generated conversion functions and executed in the application context. Vendor-released patches are available in versions 7.5.6 and 8.0.2. No public exploit code identified at time of analysis, though the vulnerability is straightforward to weaponize given the clear preconditions in the advisory.

Code Injection RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-42141 HIGH PATCH This Week

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability in the Xibo CMS allows users with Library upload permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. This vulnerability is fixed in 4.4.1.

SSRF Microsoft
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-45218 HIGH This Week

Blind SQL injection in WP Travel plugin versions ≤11.4.0 allows authenticated attackers with low-level privileges to extract sensitive database contents through time-based or boolean queries. The vulnerability enables cross-scope confidentiality breach with high impact (CVSS:C:H), permitting unauthorized access to all WordPress database information including user credentials, private travel booking details, and payment data. EPSS data unavailable; no CISA KEV listing indicates exploitation remains targeted rather than widespread. Patchstack's inclusion in their vulnerability database suggests active researcher interest and potential proof-of-concept development.

SQLi Wp Travel
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-45226 HIGH PATCH This Week

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled execution paths, exposing victim workflow outputs and triggering workflow nodes with unintended side effects.

Authentication Bypass Heym
NVD GitHub
CVSS 4.0
7.6
EPSS
0.1%
CVE-2026-45213 HIGH This Week

Blind SQL injection in BEAR woo-bulk-editor plugin for WordPress up to version 1.1.7.1 allows high-privilege authenticated administrators to extract database contents through specially crafted SQL queries. The scope change in CVSS (S:C) indicates potential impact beyond the plugin itself, enabling access to other WordPress data or resources. No public exploit code or active exploitation indicators identified at time of analysis, but Patchstack public disclosure increases weaponization risk.

SQLi Bear
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-30808 HIGH This Week

Session fixation in Pandora FMS versions 777-800 enables session hijacking when attackers supply crafted session IDs to users. Successful exploitation grants attackers complete access to victim user sessions with high confidentiality and integrity impact. No public exploit code identified at time of analysis, though attack complexity is low with network-based delivery requiring only user interaction (CVSS 7.6).

Session Fixation Information Disclosure
NVD
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-34187 HIGH This Week

SQL injection in Pandora FMS versions 777-800 allows authenticated attackers with low privileges to exfiltrate or manipulate database contents via the graph container parameter. Attack complexity is high with present attack techniques, requiring specific timing conditions. No active exploitation confirmed per CISA KEV, and EPSS data not provided. Vendor advisory available from PandoraFMS confirms the vulnerability affecting a narrow version range spanning approximately builds 777 through 800.

SQLi Pandora Fms
NVD
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-7287 HIGH Monitor

Remote unauthenticated attackers can crash Zyxel NWA1100-N access points running customized firmware version 1.00(AACE.1)C0 by sending malformed HTTP requests that trigger buffer overflows in five distinct web server functions (formWep, formWlAc, formPasswordSetup, formUpgradeCert, formDelcert). The vulnerability enables denial-of-service attacks with high CVSS 7.5 severity but is limited to an end-of-life product according to Zyxel's reference documentation. No public exploit code identified at time of analysis, and EPSS data is unavailable for this recent CVE.

Zyxel Buffer Overflow
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-40405 HIGH PATCH Exploit Unlikely This Week

Null pointer dereference in Windows TCP/IP allows an unauthorized attacker to deny service over a network.

Denial Of Service Microsoft Null Pointer Dereference
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23827 HIGH This Week

A heap-based buffer overflow vulnerability exists in a Network management service of AOS-8 and AOS-10 that could allow an unauthenticated remote attacker to achieve remote code execution. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code as a privileged user on the underlying operating system, potentially leading to a system compromise. Exploitation may also result in a denial-of-service (DoS) condition affecting the impacted system process.

RCE Buffer Overflow Heap Overflow Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2993 HIGH This Week

SQL injection in the AIWU AI Chatbot WordPress plugin (versions ≤1.4.17) allows remote unauthenticated attackers to extract sensitive database contents via the getListForTbl() function due to unsanitized user input in SQL queries. Partial mitigation exists in version 1.4.11+ through administrator-only nonce protection, but the underlying SQL injection vulnerability persists. CVSS 7.5 (High) reflects network-accessible unauthenticated exploitation with high confidentiality impact. Wordfence provides detailed vulnerable code references across multiple plugin files including controller.php, req.php, and model.php. No evidence of active exploitation (not in CISA KEV) at time of analysis.

SQLi WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-34645 HIGH This Week

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

Authentication Bypass Adobe
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-34646 HIGH This Week

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

Authentication Bypass Adobe
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23826 HIGH This Week

A vulnerability in a network management service of AOS-8 Operating System could allow an unauthenticated remote attacker to exploit this vulnerability by sending specially crafted network packets to the affected device, potentially resulting in a denial-of-service condition. Successful exploitation could cause the affected service process to terminate unexpectedly, disrupting normal device operations.

Denial Of Service Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-35424 HIGH PATCH This Week

Missing release of memory after effective lifetime in Windows Internet Key Exchange (IKE) Protocol allows an unauthorized attacker to deny service over a network.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-34652 HIGH This Week

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Adobe
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32161 HIGH PATCH NEWS Exploit Unlikely This Week

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network.

Authentication Bypass Microsoft Race Condition
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1250 HIGH This Week

The Court Reservation - Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQLi WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40406 HIGH PATCH Exploit Unlikely This Week

Use after free in Windows TCP/IP allows an unauthorized attacker to disclose information over a network.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-31240 HIGH GHSA This Week

Unauthenticated remote attackers can modify or delete arbitrary memory records in mem0 1.0.0 server by directly calling unprotected API endpoints including PUT /memories/{memory_id}. The vulnerability stems from complete absence of authentication and authorization controls on critical memory management functions, allowing data manipulation and loss without any verification of requester identity. EPSS score of 0.06% (18th percentile) indicates low exploitation probability in the wild, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-44289 HIGH PATCH GHSA This Week

Remote denial of service in protobuf.js (npm package) allows unauthenticated attackers to crash Node.js processes by sending crafted protobuf payloads with deeply nested structures. The vulnerability affects the binary decoding path where unbounded recursion exhausts the JavaScript call stack. Version 7.5.6 and 8.0.2 patches are available. Applications decoding untrusted protobuf data over network APIs, message queues, or file uploads are at immediate risk. CVSS 7.5 (High) reflects network attack vector with no authentication required.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
Prev Page 4 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy