Skip to main content
CVE-2026-44260 HIGH PATCH This Week

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no event handler checks the readonly value before performing write operations. The flag only controls client-side UI elements (disabling buttons) and response metadata (write: 0, locked: 1). An attacker who sends requests directly (bypassing the UI) can perform all file operations despite readonly=true. This vulnerability is fixed in 4.08.010.

Authentication Bypass Efw4 X
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-44548 HIGH This Week

ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records, including cascaded property and record-to-property assignments. This vulnerability is fixed in 7.3.2.

PHP CSRF
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-44291 HIGH PATCH GHSA This Week

Prototype pollution in protobuf.js type lookup tables enables remote code execution via code injection into generated encode/decode functions. Affects npm package protobuf.js versions ≤7.5.5 and 8.0.0-8.0.1. Exploitation requires chaining with a separate prototype pollution vulnerability-applications must first allow Object.prototype pollution, then invoke protobufjs code generation on attacker-influenced schemas. Vendor-released patches available (v7.5.6, v8.0.2). CVSS 8.1 (High) reflects network vector but high attack complexity (AC:H) due to multi-step prerequisite. No evidence of active exploitation (not in CISA KEV), public exploit code not identified at time of analysis.

Code Injection RCE
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-34332 HIGH PATCH This Week

Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-35416 HIGH PATCH Exploit Likely This Week

Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows low-privileged authenticated users to execute arbitrary code with SYSTEM privileges via use-after-free memory corruption. Microsoft has released patches addressing Windows 10 (versions 1607 through 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server 2012. CVSS base score is 7.0 (High) with local attack vector and high attack complexity. EPSS data not available; no CISA KEV listing at time of analysis, suggesting exploitation has not been observed in the wild despite public disclosure.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-34340 HIGH PATCH Exploit Unlikely This Week

Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-34345 HIGH PATCH Exploit Unlikely This Week

Race condition in Windows Ancillary Function Driver for WinSock (AFD.sys) enables local privilege escalation for low-privileged authenticated users across Windows 10 (1607-22H2), Windows 11 (22H3-26H1), and Windows Server 2016. Microsoft confirmed the vulnerability and released patches via their March 2026 security updates. The flaw requires high attack complexity (CVSS AC:H), suggesting exploitation depends on winning a narrow timing window in concurrent socket operations. EPSS data unavailable, no CISA KEV listing at time of analysis, but Microsoft's rapid patch indicates credible exploit risk.

Microsoft Race Condition Information Disclosure
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2023-27753 HIGH This Week

An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload RCE
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-44184 HIGH PATCH This Week

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin - including the admin's permanent API key. This vulnerability is fixed in 2.9.10.

Information Disclosure
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-35417 HIGH PATCH Exploit Likely This Week

Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.

Microsoft Information Disclosure Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-31221 HIGH GHSA This Week

Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.

Checkpoint Python RCE Deserialization
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-40397 HIGH PATCH Exploit Likely This Week

Integer underflow (wrap or wraparound) in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

Integer Overflow Microsoft Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-42896 HIGH PATCH Exploit Unlikely This Week

Integer overflow or wraparound in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

Integer Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-40399 HIGH PATCH Exploit Unlikely This Week

Stack-based buffer overflow in Windows TCP/IP allows an authorized attacker to elevate privileges locally.

Stack Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-35415 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Storage Spaces Controller enables authenticated users with low-level access to gain SYSTEM-level privileges by exploiting an integer overflow that leads to memory corruption. Affects Windows 10 (1607 through 22H2), Windows 11 (all versions through 26H1), and Windows Server 2012 R2. Microsoft has released security updates through their March 2026 Patch Tuesday. No active exploitation confirmed in CISA KEV at time of analysis, though the combination of low attack complexity (AC:L) and no user interaction requirement (UI:N) makes post-compromise exploitation straightforward for attackers who have already obtained initial access.

Integer Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-34333 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Win32K graphics subsystem affects Windows 10 (1607 through 22H2), Windows 11 (all versions including 26H1 preview), and Windows Server 2012 through authenticated low-privileged local users exploiting a use-after-free memory corruption flaw. Microsoft has released security updates addressing this CWE-416 vulnerability with CVSS 7.8 severity. The local attack vector and low complexity (AC:L) indicate straightforward exploitation once local access is achieved, though no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-34330 HIGH PATCH This Week

Local privilege escalation in Windows Win32K graphics subsystem allows authenticated users to gain SYSTEM-level access via integer overflow exploitation. Affects all supported Windows 10, Windows 11, and Windows Server 2012 versions. Microsoft has released patches through their March 2026 security update (MSRC guide confirms vendor-released fix). CVSS 7.8 reflects high impact across confidentiality, integrity, and availability. No public exploit code identified at time of analysis, and not listed in CISA KEV, indicating limited or no active exploitation despite the severity of potential impact.

Integer Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-33837 HIGH PATCH Exploit Likely This Week

Heap-based buffer overflow in Windows TCP/IP allows an authorized attacker to elevate privileges locally.

Heap Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-33835 HIGH PATCH Exploit Likely This Week

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-33840 HIGH PATCH Exploit Likely This Week

Privilege escalation in Windows Win32K ICOMP component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 via a use-after-free memory corruption flaw. Low-privileged authenticated local attackers can exploit this to gain SYSTEM-level privileges with low attack complexity and no user interaction required. Microsoft has released patches addressing this vulnerability, tracked under MSRC guidance. No active exploitation or public exploit code has been identified at time of analysis, with EPSS data not yet available for this recent CVE.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-35421 HIGH PATCH NEWS This Week

Heap-based buffer overflow in Windows GDI allows an unauthorized attacker to execute code locally.

Heap Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-33838 HIGH PATCH Exploit Unlikely This Week

Double free in Windows Message Queuing allows an authorized attacker to elevate privileges locally.

Microsoft Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40418 HIGH PATCH This Week

Use after free in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40382 HIGH PATCH Exploit Unlikely This Week

Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34338 HIGH PATCH Exploit Unlikely This Week

Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34336 HIGH PATCH This Week

Buffer over-read in Windows DWM Core Library allows an authorized attacker to disclose information locally.

Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40408 HIGH PATCH Exploit Unlikely This Week

Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40407 HIGH PATCH This Week

Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

Heap Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40377 HIGH PATCH Exploit Unlikely This Week

Heap-based buffer overflow in Windows Cryptographic Services allows an authorized attacker to elevate privileges locally.

Heap Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34337 HIGH PATCH Exploit Unlikely This Week

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34334 HIGH PATCH This Week

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally.

Microsoft Race Condition Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-35418 HIGH PATCH This Week

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34351 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows TCP/IP stack affects Windows 10 (1607-22H2), Windows 11 (22H3-26H1), and Windows Server 2012 through a race condition vulnerability. Low-complexity exploitation requires only low-privilege authenticated access with no user interaction (CVSS 7.8, AV:L/AC:L/PR:L/UI:N). Vendor-released patch available from Microsoft Security Response Center. No public exploit code or active exploitation confirmed at time of analysis, though the low attack complexity and local vector suggest feasibility for post-compromise privilege escalation in enterprise environments.

Microsoft Race Condition Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-33834 HIGH PATCH Exploit Unlikely This Week

Windows Event Logging Service privilege escalation allows local authenticated attackers with low-level privileges to gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2012+ environments. The vulnerability requires no user interaction and has low attack complexity (AC:L), making exploitation straightforward once initial access is obtained. Microsoft has released patches via their March 2026 security updates, and exploitation requires only standard user credentials on vulnerable systems. CVSS 7.8 HIGH severity with complete compromise of confidentiality, integrity, and availability upon successful exploitation.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34638 HIGH This Week

Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Denial Of Service Use After Free Memory Corruption RCE Premiere Pro
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34684 HIGH This Week

Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Substance3D Designer
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34683 HIGH This Week

Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Substance3D Designer
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34682 HIGH This Week

Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Substance3D Designer
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34681 HIGH This Week

Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Substance3D Designer
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34644 HIGH This Week

After Effects versions 26.0, 25.6.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Integer Overflow RCE After Effects
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34643 HIGH This Week

After Effects versions 26.0, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE After Effects
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34642 HIGH This Week

After Effects versions 26.0, 25.6.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Heap Overflow RCE Buffer Overflow After Effects
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34640 HIGH This Week

Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Integer Overflow RCE Media Encoder
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34639 HIGH This Week

Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Media Encoder
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34637 HIGH This Week

Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Premiere Pro
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34636 HIGH This Week

Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Premiere Pro
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-42290 HIGH PATCH GHSA This Week

Command injection in protobufjs-cli pbts tool allows arbitrary shell command execution when processing file paths with shell metacharacters. The pbts utility builds JSDoc commands by concatenating unsanitized file paths into shell strings executed via child_process.exec. Affects protobufjs-cli versions ≤1.2.0 and 2.0.0-2.0.1. Vendor-released patches available (1.2.1 and 2.0.2). CVSS 7.8 (High) but requires local access with user interaction (AV:L/UI:R), limiting remote exploitation. No EPSS data or KEV listing indicates this is not yet widely exploited despite public disclosure and available fixes.

Command Injection
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34690 HIGH This Week

After Effects versions 26.0, 25.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Stack Overflow RCE Buffer Overflow After Effects
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34687 HIGH This Week

Illustrator versions 29.8.6, 30.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Heap Overflow RCE Buffer Overflow Illustrator
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34676 HIGH This Week

Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Memory Corruption Buffer Overflow RCE Substance 3d Painter
NVD
CVSS 3.1
7.8
EPSS
0.0%
Prev Page 5 of 11 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy