Skip to main content
CVE-2026-45054 MEDIUM PATCH This Month

SQL injection in CubeCart v6 prior to 6.7.0 allows an authenticated administrator to execute arbitrary SQL against the store database via the unsanitized ORDER BY clause on the admin transactions listing page. The admin.php orders-transactions endpoint passes attacker-controlled GET parameters directly into a raw SQL fragment, bypassing the platform's sqlSafe() function which only escapes quote characters - none of which are required for ORDER BY injection. An attacker with at minimum CC_PERM_READ permission on orders can leverage time-based blind SQL injection to extract admin password hashes, customer PII, and integrated payment-gateway credentials. No public exploit identified at time of analysis, though SSVC data indicates POC code exists; the EPSS score of 0.03% (9th percentile) reflects limited observed exploitation interest.

PHP SQLi V6
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-0239 MEDIUM This Month

Unauthenticated information disclosure in Palo Alto Networks' Chronosphere Chronocollector exposes sensitive data to any attacker with adjacent network access to the collector service endpoint. All versions from 0.0.0 up to v0.116.0 are affected, with the fix released in v0.116.0. No public exploit code has been identified at time of analysis and CISA has not added this to the KEV catalog, but the CVSS 4.0 Value Density modifier of 'Concentrated' (V:C) suggests the data at risk may include high-value material such as credentials or configuration secrets.

Information Disclosure Chronosphere Chronocollector
NVD VulDB
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-0249 MEDIUM PATCH This Month

Improper certificate validation in Palo Alto Networks GlobalProtect App exposes macOS and Android users to adversary-in-the-middle attacks from locally adjacent network positions, enabling traffic interception and malicious software installation. The flaw allows an unauthenticated attacker on the same subnet - or a local non-administrative OS user - to redirect encrypted VPN communications to a rogue server by bypassing TLS certificate checks. No public exploit has been identified at time of analysis, EPSS is effectively zero, and CISA SSVC rates exploitation as none, though the high confidentiality and integrity impact on the vulnerable component warrants prompt patching on affected platforms.

Apple Paloalto Microsoft Authentication Bypass Globalprotect App
NVD VulDB
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-0258 MEDIUM PATCH This Month

Server-side request forgery in the IKEv2 implementation of Palo Alto Networks PAN-OS allows unauthenticated remote attackers to coerce the firewall into issuing outbound network requests to arbitrary destinations or to trigger a denial-of-service condition. Affected are PAN-OS 10.2, 11.1, 11.2, and 12.1 branch trains; Panorama, Cloud NGFW, and Prisma Access are explicitly confirmed unaffected. No public exploit code has been identified and SSVC assessment confirms no current exploitation, though a vendor-released patch is available across all impacted branches.

Denial Of Service Paloalto SSRF Cloud Ngfw Pan Os +1
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-39428 MEDIUM PATCH This Month

Stored Cross-Site Scripting in CubeCart v6.x (prior to 6.6.0) allows an authenticated administrator to inject persistent malicious JavaScript into product creation or modification fields, which then executes in the browsers of any user - customer or fellow administrator - who views the affected product pages. The attack requires high-privilege access (PR:H) and victim interaction (UI:R), limiting its realistic threat surface to compromised or malicious admin accounts. No public exploit identified at time of analysis via KEV, though SSVC data indicates proof-of-concept code exists; EPSS stands at 0.03% (8th percentile), reflecting low observed exploitation pressure.

XSS V6
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-8200 MEDIUM PATCH This Month

MongoDB Server fails to fully redact user data in local server log messages when schema validation is enabled and an update or insert operation violates the collection schema, allowing authenticated administrators to access sensitive information through log inspection. This information disclosure affects MongoDB Server 7.0 prior to 7.0.34, 8.0 prior to 8.0.23, 8.2 prior to 8.2.9, and 8.3 prior to 8.3.2. The vulnerability requires high-privilege administrative access and has a low CVSS score of 2.7, indicating limited real-world impact despite confirmed patch availability.

Information Disclosure Mongodb Server
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-8367 MEDIUM This Month

aria2c fails to properly validate Extended Key Usage (EKU) constraints in TLS server certificates, allowing attackers who possess a compromised certificate issued for a different purpose to impersonate legitimate servers. This undermines certificate-based authentication and enables man-in-the-middle attacks against aria2c downloads over HTTPS, potentially leading to delivery of malicious files or interception of sensitive data.

Information Disclosure Aria2C
NVD VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-42948 MEDIUM This Month

Stored cross-site scripting vulnerability in ELECOM wireless LAN access point devices (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S) allows authenticated administrators to inject malicious scripts that execute in other administrators' web browsers when they access the device management interface. Exploitation requires high-privilege administrative credentials and user interaction (victim must visit the admin panel), limiting real-world risk despite network-accessible attack surface.

XSS Wab Be187 M Wab Be72 M Wab Be36 M Wab Be36 S
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-0240 MEDIUM PATCH This Month

Sensitive vault credential disclosure in Palo Alto Networks Trust Protection Foundation allows an authenticated, adjacent-network attacker with low privileges to read secrets from the server's underlying vault (indicated by the HashiCorp tag), then leverage those secrets to impersonate any user in the environment and arbitrarily modify platform configuration. Affected across four active release branches (24.1.x, 24.3.x, 25.1.x, 25.3.x), with fixed versions available from the vendor. No public exploit code exists and CISA has not listed this in KEV; EPSS exploitation probability is 0.01%, reflecting low current threat activity.

Information Disclosure Hashicorp Trust Protection Foundation
NVD VulDB
CVSS 4.0
4.5
EPSS
0.0%
CVE-2026-0256 MEDIUM PATCH This Month

Stored cross-site scripting in Palo Alto Networks PAN-OS® web interface allows a malicious authenticated administrator to inject persistent JavaScript payloads that execute in the browsers of other users who view the affected pages. Affected deployments include PA-Series and VM-Series firewalls and Panorama (virtual and M-Series) running PAN-OS 10.2.x, 11.1.x, 11.2.x, and 12.1.x branches. No active exploitation is confirmed - EPSS stands at 0.04% (13th percentile), SSVC exploitation status is 'none', and no public exploit code has been identified at time of analysis. Vendor-released patches are available for all affected branches.

Paloalto XSS Cloud Ngfw Pan Os Prisma Access
NVD VulDB
CVSS 4.0
4.4
EPSS
0.0%
CVE-2025-9989 MEDIUM This Month

Stored Cross-Site Scripting in Broadstreet plugin for WordPress versions up to 1.53.1 allows authenticated administrators to inject arbitrary JavaScript into admin settings that executes for all users viewing affected pages. The vulnerability requires administrator-level access, high attack complexity due to disabled unfiltered_html or multi-site configuration restrictions, and impacts confidentiality and integrity with limited scope. No active exploitation confirmed at time of analysis.

XSS WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-9988 MEDIUM This Month

Broadstreet WordPress plugin up to version 1.53.1 allows authenticated attackers with Subscriber-level access to create advertisers via missing capability checks on the create_advertiser AJAX action, enabling privilege escalation and unauthorized modification of advertising data.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28374 MEDIUM PATCH This Month

Improper access control in Grafana OSS allows authenticated Editor-role users to delete any annotation instance-wide, regardless of whether they hold read or create permissions on that annotation. The flaw affects a broad version range from 8.5.0 through 13.0.1, exposing organizations to unauthorized data destruction by low-privileged internal users. No active exploitation has been identified at time of analysis (SSVC: none; EPSS: 0.03%, 8th percentile), and no public exploit code exists; real-world risk is constrained by the authentication prerequisite and partial integrity-only impact.

Authentication Bypass Grafana Oss
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45147 MEDIUM PATCH GHSA This Month

Broken access control in SiYuan's `/api/tag/getTag` endpoint (versions prior to 3.7.0) allows any authenticated low-privilege user - including publish-service `RoleReader` accounts and `RoleEditor` accounts on read-only workspaces - to mutate the global `Conf.Tag.Sort` configuration value and trigger a full rewrite of the workspace `conf.json` file. The handler silently executes a privileged write operation (`model.Conf.Save()`) when a `sort` argument is present, despite the endpoint being registered with only `model.CheckAuth` middleware, omitting the `model.CheckAdminRole` and `model.CheckReadonly` guards that sibling write endpoints correctly enforce. Publicly available exploit code exists per SSVC assessment, though no active exploitation has been confirmed (not in CISA KEV; EPSS 0.03%).

Authentication Bypass Docker
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45148 MEDIUM PATCH GHSA This Month

Broken access control in SiYuan's publish-service API allows authenticated RoleReader principals to enumerate workspace metadata from notebooks explicitly marked as private or publish-ignored. Four search endpoints - `/api/search/searchTag`, `/api/search/searchAsset`, `/api/search/searchWidget`, and `/api/search/searchTemplate` - pass the `CheckAuth` middleware that a publish-service RoleReader JWT satisfies, but never apply the `IsReadOnlyRoleContext` filtering logic that sibling endpoints in the same file correctly implement, returning unscoped global workspace results. A proof-of-concept exploit exists per SSVC assessment and is documented in the advisory; the vulnerability is not currently listed in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0245 MEDIUM PATCH This Month

Prisma Access Agent on Windows and macOS exposes sensitive configuration data and credentials to local low-privileged users through multiple information disclosure weaknesses. Palo Alto Networks has confirmed these vulnerabilities affect agent versions prior to 26.2.1; Linux, ChromeOS, Android, and iOS deployments are explicitly out of scope. No public exploit has been identified at time of analysis, and SSVC classifies exploitation status as none, making this a low-urgency but real credential-hygiene risk on affected desktop platforms.

Apple Information Disclosure Google Prisma Access Agent
NVD
CVSS 4.0
4.3
EPSS
0.0%
CVE-2026-4607 MEDIUM This Month

Authentication bypass in ProfileGrid - User Profiles, Groups and Communities WordPress plugin up to version 5.9.8.4 allows authenticated Subscriber-level users to modify site-wide group settings through unprotected AJAX actions (pm_set_group_order, pm_set_group_items, pm_set_field_order). Attackers can alter group menu order, list order, icon display, and field ordering without authorization checks. No public exploit code or active exploitation has been identified; CVSS 4.3 (low-moderate severity) reflects limited impact scope to integrity without confidentiality or availability impact.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3426 MEDIUM This Month

RTMKit Addons for Elementor plugin for WordPress allows authenticated attackers with Author-level access or higher to modify or reset site-wide widget configurations due to missing capability checks in the save_widget() and reset_all_widgets() functions. This privilege escalation vulnerability affects all versions up to 2.0.2 and enables unauthorized modification of widget data across the entire WordPress site, impacting site integrity and user experience.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33585 LOW PATCH Monitor

Session impersonation in Arqit Symmetric Key Agreement Platform (SKA-Platform) prior to version 26.03 is enabled by improper idle timeout enforcement in the embedded Keycloak authentication interface, allowing browser sessions to persist beyond their intended expiry window. An attacker with physical access to an unattended device where a tenant user has an open, authenticated session can exploit the unexpired session to impersonate that user. No public exploit code exists and CISA has not listed this in KEV; EPSS is at the 0th percentile, consistent with SSVC's 'none' exploitation status and the severe physical-access prerequisite.

Information Disclosure Symmetric Key Agreement Platform
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-45028 LOW PATCH GHSA Monitor

Astro versions prior to 6.1.10 fail to bind encrypted server island parameters to their intended component and purpose, allowing attackers to replay encrypted props as slots or vice versa. This cryptographic binding failure could lead to cross-site scripting (XSS) when applications use server islands with overlapping prop and slot names where an attacker controls prop values. The vulnerability requires very specific application architecture (shared key names, dynamically rendered pages, attacker-controlled props) making real-world exploitation unlikely, but the underlying encryption design flaw is significant.

XSS
NVD GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-22706 LOW PATCH GHSA Monitor

Insufficient session expiration in Strapi versions prior to 5.33.3 allows an authenticated attacker who has previously obtained a valid refresh token to maintain persistent unauthorized access even after the account owner resets their password. Both the admin panel (@strapi/admin) and the API-facing users-permissions plugin (@strapi/plugin-users-permissions) are affected, covering all Strapi deployments up to and including 5.33.2. Because the refresh-token invalidation logic was gated on a caller-supplied deviceId parameter, a password reset without that parameter left all prior refresh sessions alive - meaning credential rotation failed to evict an attacker for up to 30 days by default. No public exploit has been identified at time of analysis, and SSVC confirms exploitation status as none.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-30904 LOW PATCH Monitor

Information disclosure in Zoom Workplace for iOS before version 7.0.0 allows an authenticated user with physical access to the device to read limited confidential data by exploiting a failed protection mechanism. The vulnerability is constrained by both physical proximity and high privilege requirements, yielding a CVSS score of 1.8 - among the lowest possible. No active exploitation has been identified, and Zoom has released a fix in version 7.0.0 per their security bulletin ZSB-26006.

Apple Information Disclosure Zoom Workplace
NVD VulDB
CVSS 3.1
1.8
EPSS
0.0%
CVE-2026-0238 LOW PATCH Monitor

Content injection in Palo Alto Networks Broker VM 30.0 (versions prior to 30.0.24) allows an authenticated administrator with local access to inject arbitrary content into certain administrative fields within the appliance. The vulnerability carries a CVSS 4.0 score of 1.1, reflecting its highly constrained exploitation prerequisites: local access, low-privilege authentication, and limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and SSVC assessment confirms no observed exploitation, making this a low-urgency finding for most organizations.

Paloalto Code Injection Broker Vm
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
Prev Page 6 of 6

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy