Skip to main content
CVE-2026-0257 HIGH POC KEV PATCH THREAT Act Now

Authentication bypass in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS allows remote attackers to establish unauthorized VPN connections without valid credentials. The flaw is confirmed actively exploited (CISA KEV) and publicly available exploit code exists, though EPSS remains low at 0.05%, suggesting targeted rather than mass exploitation. Panorama and Cloud NGFW deployments are not affected, but PAN-OS firewalls and Prisma Access tenants running vulnerable trains are exposed.

Paloalto Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
7.8
EPSS
0.1%
Threat
4.6
CVE-2026-42945 CRITICAL POC PATCH CISA NEWS Act Now

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score.

Heap Overflow RCE Buffer Overflow Nginx Nginx Plus +1
NVD GitHub VulDB HeroDevs
CVSS 4.0
9.2
EPSS
0.2%
Threat
5.3
CVE-2026-45411 CRITICAL POC PATCH GHSA Act Now

Sandbox escape in vm2 (patriksimek/vm2) versions prior to 3.11.3 enables remote code execution on the host Node.js process by abusing async generator `yield*` semantics to smuggle a host-realm exception into sandbox code, where the attacker pivots through `.constructor.constructor` to reach `process` and `child_process.execSync`. The flaw is exploitable by any attacker who can run JavaScript inside the sandbox, has publicly available exploit code, and carries SSVC technical impact 'total' with automatable=yes, though EPSS remains low at 0.05% (17th percentile) and the CVE is not listed in CISA KEV.

Information Disclosure Node.js Vm2
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-46300 HIGH POC PATCH CISA NEWS Act Now

Local privilege escalation in Linux kernel XFRM ESP-in-TCP subsystem (Fragnesia vulnerability) allows authenticated local attackers to overwrite kernel memory structures by exploiting arbitrary byte writes into the kernel page cache of read-only files. CVSS score of 7.8 reflects high impact across confidentiality, integrity, and availability. Low attack complexity (AC:L) and no user interaction requirement (UI:N) make this exploitable by any local user with basic privileges. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, but the specific vulnerability name 'Fragnesia' suggests coordinated disclosure with security research community.

Privilege Escalation Linux
NVD VulDB GitHub Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
Threat
5.1
CVE-2020-37168 CRITICAL POC Act Now

Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Ecommerce Systempay
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-44381 CRITICAL POC PATCH Act Now

SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to manipulate ORDER BY clauses in event and shadow attribute listing endpoints by supplying crafted ordering parameters. The CVSS 4.0 score of 9.3 reflects high impact across confidentiality, integrity, and availability, though EPSS exploitation probability sits at just 0.04% and no public exploit identified at time of analysis. Given MISP's role as a repository of sensitive threat-intelligence data shared between organizations, successful exploitation could expose IOCs, attribution data, and partner-shared intelligence.

Authentication Bypass SQLi Misp
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2020-37218 HIGH POC This Week

Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2020-37219 HIGH POC This Week

Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Com Fabrik
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2020-37220 HIGH POC This Week

Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Huawei Authentication Bypass
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2020-37221 HIGH POC This Week

Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in the Time Zones. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Stack Overflow Atomic Alarm Clock
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2020-37223 HIGH POC This Week

IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service that allows local attackers to escalate privileges to SYSTEM level. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Iobit Uninstaller
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2020-37226 HIGH POC This Week

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi J2 Jobs
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2020-37224 HIGH POC This Week

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi J2 Jobs
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2020-37169 MEDIUM POC This Month

WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress LFI
NVD Exploit-DB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-44376 MEDIUM POC PATCH This Month

Reflected XSS in CubeCart v6 (prior to 6.7.0) enables unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted search URL that triggers a specific single-result code path in the search feature. The flaw exists in classes/catalogue.class.php where the searchCatalogue() method reflects the raw $_REQUEST['search']['keywords'] parameter in a notification message without sanitization - but only when the search returns exactly one product, bypassing all other input filters. A working exploit is publicly available on Exploit-DB (52588), though no public exploit identified at time of analysis places this in CISA KEV, and EPSS remains low at 0.03%.

PHP XSS V6
NVD GitHub Exploit-DB VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44442 CRITICAL PATCH Act Now

Privilege escalation in ERPNext versions prior to 16.9.1 allows authenticated low-privileged users to modify data outside their assigned role due to missing authorization checks on certain endpoints. The flaw carries a CVSS 9.9 score with scope change, but EPSS is only 0.04% and CISA SSVC reports no observed exploitation, indicating no public exploit identified at time of analysis. The vendor (Frappe) has released a patched version 16.9.1 alongside GHSA-cg5w-7g26-p3w9.

Authentication Bypass Erpnext
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-8500 CRITICAL Act Now

Remote code execution in Web::Passwd 0.03 and earlier allows unauthenticated network attackers to execute arbitrary system commands with web server privileges via command injection in the user parameter. The CVSS vector indicates network-accessible, low-complexity exploitation requiring no authentication or user interaction. EPSS score is low (0.04%, 12th percentile), suggesting limited real-world exploitation observed to date. No active exploitation confirmed by CISA KEV at time of analysis, though publicly available exploit code exists per oss-security disclosure.

Command Injection Web
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45083 CRITICAL PATCH GHSA Act Now

Unauthenticated Solr streaming expression injection in Goobi viewer Core (versions 4.8.0 through 26.04) allows remote attackers to fully read, modify, or delete the backend Solr index by posting arbitrary expressions to the `/api/v1/index/stream` endpoint. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable with CVSS 9.8 and bypasses access-condition protections such as moving walls and licence restrictions. EPSS is currently low (0.04%) reflecting the niche audience rather than technical difficulty.

Authentication Bypass Apache Tomcat
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-32661 CRITICAL Act Now

Remote code execution in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud allows unauthenticated network attackers to execute arbitrary code via stack-based buffer overflow when pop3wallpasswd runs with grdnwww user privileges. Canon Marketing Japan has released patches for both on-premises (versions 1.4.00-2.4.26 affected) and SaaS deployments (pre-April 30, 2026 maintenance). CVSS 9.3 indicates critical severity with network vector and no authentication required, though EPSS score of 0.14% (33rd percentile) suggests limited real-world exploitation probability at time of analysis. SSVC assessment marks this as automatable with total technical impact but no confirmed exploitation.

Stack Overflow RCE Buffer Overflow Guardianwall Mailsuite On Premises Version Guardianwall Mail Security Cloud Saas Version
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-22599 CRITICAL PATCH GHSA Act Now

{ isRaw: true }]` tuple, which is passed directly into Knex's `db.connection.raw()` without sanitization. Affected versions are @strapi/content-type-builder <=5.33.1 (v5) and @strapi/plugin-content-type-builder <=4.26.0 (v4), with impact ranging from arbitrary file read and denial of service to remote code execution on database engines that permit external program execution. No public exploit identified at time of analysis; EPSS is low at 0.13% and CISA SSVC notes exploitation status of 'none', though vendor-confirmed remediation is available.

Denial Of Service SQLi RCE
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-44672 CRITICAL PATCH GHSA Act Now

Unauthenticated remote code execution in Mapfish Print (org.mapfish.print) allows attackers to execute arbitrary code via a code injection flaw in the Dynamic table feature. The vulnerability carries a CVSS 4.0 score of 9.3 with network-accessible, low-complexity exploitation requiring no privileges or user interaction. No public exploit identified at time of analysis, though the GHSA advisory and four parallel patched release lines indicate vendor-confirmed severity.

Code Injection RCE
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-27851 CRITICAL Act Now

Cross-site WebSocket hijacking in Garmin WDU v1 1.4.6 and v2 5.0 allows remote attackers to gain full administrative control of the marine network device. Exploitation requires the victim to browse a malicious website while connected to both the Garmin Marine Network and another network simultaneously. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation, but CVSS 9.3 reflects severe potential impact when conditions are met - this is a high-impact, low-probability threat primarily relevant to maritime environments with dual-network configurations.

CSRF
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-42062 CRITICAL Act Now

OS command injection in ELECOM wireless LAN access points (WRC-BE72XSD, WRC-BE65QSD, WRC-W702 series) allows unauthenticated remote attackers to execute arbitrary system commands via crafted username parameter without authentication. The vulnerability affects multiple enterprise and consumer access point models running firmware v1.1.0-1.1.1, with public disclosure by JPCERT/CC and vendor advisory available from ELECOM. CVSS 4.0 score of 9.3 reflects critical severity with network attack vector, low complexity, and no privilege requirements, enabling complete system compromise of affected wireless infrastructure devices.

Command Injection Wrc Be72Xsd B Wrc Be72Xsd Ba Wrc Be65Qsd B Wrc W702 B
NVD
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-40621 CRITICAL Act Now

Unauthenticated remote access to ELECOM wireless LAN access points (WRC-BE72XSD, WRC-BE65QSD, WRC-W702 models) allows attackers to perform administrative operations via specific URLs that bypass authentication (CWE-288). With CVSS 4.0 score 9.3 (AV:N/AC:L/PR:N), this represents a critical access control failure enabling complete device compromise over the network. EPSS data not available; no confirmed active exploitation (not in CISA KEV) or public POC identified at time of analysis, though the vendor advisory from ELECOM and JPCERT coordination suggests real-world discovery.

Information Disclosure Wrc Be72Xsd B Wrc Be72Xsd Ba Wrc Be65Qsd B Wrc W702 B
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-45158 CRITICAL PATCH Act Now

Remote code execution in OPNsense firewall (core versions prior to 26.1.8) allows authenticated administrators to execute arbitrary commands as root by injecting shell metacharacters into DHCP interface configuration fields that are passed unsanitized to an underlying shell script. The flaw carries a 9.1 CVSS score with scope change reflecting privilege escalation from the web UI context to OS root, though no public exploit has been identified at time of analysis and EPSS estimates only a 0.23% probability of near-term exploitation.

RCE Opnsense
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-44193 CRITICAL PATCH Act Now

Remote code execution in OPNsense firewall versions prior to 26.1.7 allows authenticated high-privileged users to execute arbitrary code via the opnsense.restore_config_section XMLRPC method, which fails to sanitize user-supplied input. The flaw carries a CVSS 9.1 with scope change and total impact, and while publicly available exploit code exists per SSVC, EPSS rates real-world exploitation probability at only 0.23%, suggesting niche rather than mass-scale risk. The vendor has shipped a fix in 26.1.7 and the issue is tracked as GHSA-xxp9-93cr-x54p and EUVD-2026-30183.

RCE Opnsense
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-45053 CRITICAL PATCH Act Now

Remote code execution in CubeCart v6 prior to 6.7.0 allows API key holders with files:rw permission to upload PHP webshells via the POST /api/v1/files REST endpoint. A path-traversal flaw in the filepath parameter lets attackers write executable files anywhere the webserver can write, including the document root, achieving full server takeover. No public exploit identified at time of analysis, though SSVC notes a POC and EPSS sits at 0.19% (40th percentile).

PHP File Upload RCE V6
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-44377 CRITICAL PATCH Act Now

Authenticated server-side template injection in CubeCart v6 before 6.7.0 lets administrators escape the Smarty template sandbox and invoke native PHP functions through modules such as Email Templates and Documents. Attackers can call readgzfile() to exfiltrate configuration secrets and error_log() with message_type=3 to drop a PHP webshell, yielding full remote code execution. No public exploit identified at time of analysis, but a SSVC 'poc' status and an upstream commit hardening the Smarty allowlist indicate the technique is documented.

PHP Information Disclosure Code Injection RCE V6
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-44194 CRITICAL PATCH Act Now

Authenticated remote code execution in OPNsense firewall versions prior to 26.1.8 allows a user with user-management privileges to execute arbitrary commands as root by smuggling shell payloads inside an email-address-formatted field processed by the local user synchronization script. Publicly available exploit code exists per SSVC, though EPSS scoring (0.13%) indicates low predicted mass exploitation; SSVC classifies technical impact as total but automation as no. No active exploitation has been confirmed in CISA KEV at time of analysis.

PHP RCE Command Injection Opnsense
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2020-37222 MEDIUM POC This Month

Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-11159 CRITICAL PATCH Act Now

Remote code execution in Pentaho Data Integration & Analytics affects all versions through vulnerable H2 database JDBC driver. Authenticated data source administrators can execute arbitrary external scripts during database connection creation, achieving complete system compromise with potential container escape (CVSS scope changed). EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor advisory indicates patches available in versions 10.2.0.7 and 11.0.0.0.

Information Disclosure Pentaho Data Integration And Analytics
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-45714 CRITICAL PATCH Act Now

Authenticated server-side template injection in CubeCart v6 prior to 6.7.0 allows administrative users to achieve remote code execution by injecting Smarty template syntax into multiple admin-facing modules including Email Templates, Invoices, Documents, and Contact Forms. The flaw stems from evaluating user-supplied content through the Smarty engine without enabling Smarty Security Policies, granting OS-level command execution on the underlying server. Currently no public exploit identified at time of analysis, EPSS is very low at 0.04%, and the issue is not on CISA KEV.

Code Injection RCE V6
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2020-37225 MEDIUM POC This Month

Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37217 MEDIUM POC This Month

Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-45375 CRITICAL GHSA Act Now

Stored cross-site scripting in SiYuan's Bazaar marketplace (versions ≤ 3.6.5) escalates to arbitrary OS command execution on the Electron desktop client because the kernel sanitizer in kernel/bazaar/package.go HTML-escapes only Author, DisplayName, and Description while passing Name and Version straight to innerHTML sinks. Any attacker who can publish a plugin/theme/template/widget/icon manifest to the public Bazaar - or otherwise drop a malicious plugin.json into the workspace - triggers zero-click code execution the moment a victim opens Settings → Marketplace → Downloaded → Plugins. A detailed POC against b3log/siyuan:v3.6.5 is published in the GHSA advisory; publicly available exploit code exists, though EPSS remains low at 0.04%.

XSS Command Injection Canonical Docker Node.js
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-41957 HIGH PATCH NEWS This Week

Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges to execute arbitrary code with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe deserialization (CWE-502) in the management interface, exploitable over the network with low attack complexity and no user interaction required. Vendor-released patch available per F5 advisory K000156761. No public exploit identified at time of analysis, with CVSS 8.8 indicating critical severity for environments where attackers have valid low-privilege credentials to the Configuration utility.

RCE Deserialization Big Ip Big Iq
NVD VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-44447 HIGH PATCH This Week

SQL injection in ERPNext versions prior to 16.9.0 allows authenticated remote attackers to extract sensitive data by sending specially crafted requests to vulnerable endpoints. The Frappe-maintained ERP platform requires low-privileged authentication (PR:L) but has high impact on confidentiality, integrity, and availability per CVSS 8.8. No public exploit identified at time of analysis, and EPSS probability is very low (0.04%).

SQLi Erpnext
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44446 HIGH PATCH This Week

SQL injection in ERPNext (Frappe's open-source ERP platform) prior to 15.104.3 and 16.14.0 allows authenticated remote attackers to extract sensitive database contents by sending crafted requests to vulnerable endpoints. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, though EPSS sits at 0.04% and SSVC reports no observed exploitation, indicating this is a high-severity but currently unexploited issue. No public exploit identified at time of analysis.

SQLi Erpnext
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2020-37174 MEDIUM POC This Month

WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress
NVD Exploit-DB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-62624 HIGH This Week

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

VMware Heap Overflow Privilege Escalation RCE Buffer Overflow
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2025-62623 HIGH This Week

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

VMware Privilege Escalation RCE Buffer Overflow
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-3425 HIGH This Week

Local File Inclusion vulnerability in RTMKit Addons for Elementor plugin versions up to 2.0.2 allows authenticated attackers with Author-level privileges to include and execute arbitrary PHP files via the 'path' parameter in the 'get_content' AJAX action, enabling remote code execution. The vulnerability requires low-privilege WordPress account access (Author role or higher) and has a CVSS score of 8.8, indicating high impact across confidentiality, integrity, and availability. EPSS data not available, but exploitation requires specific WordPress role assignment, limiting attack surface to sites where untrusted users have Author-level access. No active exploitation confirmed by CISA KEV at time of analysis.

PHP LFI RCE WordPress Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-39806 HIGH PATCH GHSA This Week

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.

Denial Of Service Nginx
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-39803 HIGH PATCH GHSA This Week

{:ok, body, ...}, so callers cannot interpose a 413 response. Because Plug.Parsers runs before routing and authentication in the standard Phoenix endpoint, an unauthenticated attacker needs no valid route or credentials. Sending a single Transfer-Encoding: chunked POST request with an arbitrarily large body to any path causes the BEAM process to exhaust available memory and be terminated by the OS OOM killer. The content-length path in the same function correctly enforces the limit and is not affected. This issue affects bandit: from 1.4.0 before 1.11.1.

Denial Of Service Bandit
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-39455 HIGH PATCH This Week

Resource exhaustion in BIG-IP Configuration utility allows remote unauthenticated attackers to trigger file descriptor exhaustion in the httpd process when LDAP authentication is enabled. The attack achieves complete denial of service (CVSS A:H) through network-accessible undisclosed traffic patterns. F5 has released patches addressing this vulnerability. EPSS data not available, not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42409 HIGH PATCH This Week

Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via undisclosed malformed HTTP/2 requests when virtual servers are configured with both an HTTP/2 profile and iRules using HTTP::redirect or HTTP::respond commands. Exploitation requires no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N) and results in complete service disruption. Vendor patch available via F5 K000159034. EPSS data not provided, but the specific configuration requirement limits exposure to organizations using HTTP/2 with custom iRule redirects or responses.

Denial Of Service Null Pointer Dereference Big Ip Big Ip Next Spk Big Ip Next Cnf +1
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40423 HIGH PATCH This Week

Traffic Management Microkernel (TMM) crash in F5 BIG-IP versions 16.1.0 through 21.0.0.1 allows unauthenticated remote attackers to cause complete service disruption when a SIP profile is configured on a virtual server. The vulnerability requires specific configuration (SIP profile deployment) and enables denial of service through undisclosed malformed SIP traffic. EPSS data not available; no active exploitation confirmed by CISA KEV at time of analysis. Vendor patch available across all affected version branches with specific fix versions identified.

Denial Of Service Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-39458 HIGH PATCH This Week

Traffic Management Microkernel (TMM) denial-of-service in F5 BIG-IP DNS affects systems with DNS cache-enabled profiles on virtual servers. Remote unauthenticated attackers can crash TMM using undisclosed malicious traffic patterns, causing complete service disruption. CVSS 7.5 High severity with network vector and low complexity. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis. Vendor patch available per F5 K000160945.

Information Disclosure Memory Corruption Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40060 HIGH PATCH This Week

F5 BIG-IP Advanced WAF and Application Security Manager (ASM) suffer from a denial-of-service vulnerability when processing specially crafted requests against virtual servers with active security policies. Undisclosed malformed requests cause the bd process to terminate, disrupting service availability. Remote unauthenticated attackers can exploit this with low complexity (CVSS:3.1 AV:N/AC:L/PR:N/UI:N) achieving high availability impact (CVSS 7.5). EPSS data not provided, no active exploitation confirmed via CISA KEV at time of analysis. Vendor patch available per F5 advisory K000160727.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41227 HIGH PATCH This Week

Remote memory exhaustion in F5 BIG-IP virtual servers crashes Traffic Management Microkernel when HTTP/2 Layer 7 DoS Protection receives undisclosed malformed traffic. Unauthenticated remote attackers can reliably terminate TMM processes, disrupting application delivery services. CVSS 7.5 (High) with network-exploitable, low-complexity characteristics and EPSS data not provided. Vendor patch available via F5 K000158979.

Denial Of Service Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
Page 1 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy