Skip to main content
CVE-2026-0257 HIGH POC KEV PATCH THREAT Act Now

Authentication bypass in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS allows remote attackers to establish unauthorized VPN connections without valid credentials. The flaw is confirmed actively exploited (CISA KEV) and publicly available exploit code exists, though EPSS remains low at 0.05%, suggesting targeted rather than mass exploitation. Panorama and Cloud NGFW deployments are not affected, but PAN-OS firewalls and Prisma Access tenants running vulnerable trains are exposed.

Paloalto Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
7.8
EPSS
0.1%
Threat
4.6
CVE-2026-46300 HIGH POC PATCH CISA NEWS Act Now

Local privilege escalation in Linux kernel XFRM ESP-in-TCP subsystem (Fragnesia vulnerability) allows authenticated local attackers to overwrite kernel memory structures by exploiting arbitrary byte writes into the kernel page cache of read-only files. CVSS score of 7.8 reflects high impact across confidentiality, integrity, and availability. Low attack complexity (AC:L) and no user interaction requirement (UI:N) make this exploitable by any local user with basic privileges. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, but the specific vulnerability name 'Fragnesia' suggests coordinated disclosure with security research community.

Privilege Escalation Linux
NVD VulDB GitHub Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
Threat
5.1
CVE-2020-37218 HIGH POC This Week

Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2020-37219 HIGH POC This Week

Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Com Fabrik
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2020-37220 HIGH POC This Week

Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Huawei Authentication Bypass
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2020-37221 HIGH POC This Week

Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in the Time Zones. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Stack Overflow Atomic Alarm Clock
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2020-37223 HIGH POC This Week

IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service that allows local attackers to escalate privileges to SYSTEM level. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Iobit Uninstaller
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2020-37226 HIGH POC This Week

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi J2 Jobs
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2020-37224 HIGH POC This Week

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi J2 Jobs
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41957 HIGH PATCH NEWS This Week

Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges to execute arbitrary code with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe deserialization (CWE-502) in the management interface, exploitable over the network with low attack complexity and no user interaction required. Vendor-released patch available per F5 advisory K000156761. No public exploit identified at time of analysis, with CVSS 8.8 indicating critical severity for environments where attackers have valid low-privilege credentials to the Configuration utility.

RCE Deserialization Big Ip Big Iq
NVD VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-44447 HIGH PATCH This Week

SQL injection in ERPNext versions prior to 16.9.0 allows authenticated remote attackers to extract sensitive data by sending specially crafted requests to vulnerable endpoints. The Frappe-maintained ERP platform requires low-privileged authentication (PR:L) but has high impact on confidentiality, integrity, and availability per CVSS 8.8. No public exploit identified at time of analysis, and EPSS probability is very low (0.04%).

SQLi Erpnext
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44446 HIGH PATCH This Week

SQL injection in ERPNext (Frappe's open-source ERP platform) prior to 15.104.3 and 16.14.0 allows authenticated remote attackers to extract sensitive database contents by sending crafted requests to vulnerable endpoints. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, though EPSS sits at 0.04% and SSVC reports no observed exploitation, indicating this is a high-severity but currently unexploited issue. No public exploit identified at time of analysis.

SQLi Erpnext
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-62624 HIGH This Week

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

VMware Heap Overflow Privilege Escalation RCE Buffer Overflow
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2025-62623 HIGH This Week

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

VMware Privilege Escalation RCE Buffer Overflow
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-3425 HIGH This Week

Local File Inclusion vulnerability in RTMKit Addons for Elementor plugin versions up to 2.0.2 allows authenticated attackers with Author-level privileges to include and execute arbitrary PHP files via the 'path' parameter in the 'get_content' AJAX action, enabling remote code execution. The vulnerability requires low-privilege WordPress account access (Author role or higher) and has a CVSS score of 8.8, indicating high impact across confidentiality, integrity, and availability. EPSS data not available, but exploitation requires specific WordPress role assignment, limiting attack surface to sites where untrusted users have Author-level access. No active exploitation confirmed by CISA KEV at time of analysis.

PHP LFI RCE WordPress Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-39806 HIGH PATCH GHSA This Week

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.

Denial Of Service Nginx
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-39803 HIGH PATCH GHSA This Week

{:ok, body, ...}, so callers cannot interpose a 413 response. Because Plug.Parsers runs before routing and authentication in the standard Phoenix endpoint, an unauthenticated attacker needs no valid route or credentials. Sending a single Transfer-Encoding: chunked POST request with an arbitrarily large body to any path causes the BEAM process to exhaust available memory and be terminated by the OS OOM killer. The content-length path in the same function correctly enforces the limit and is not affected. This issue affects bandit: from 1.4.0 before 1.11.1.

Denial Of Service Bandit
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-39455 HIGH PATCH This Week

Resource exhaustion in BIG-IP Configuration utility allows remote unauthenticated attackers to trigger file descriptor exhaustion in the httpd process when LDAP authentication is enabled. The attack achieves complete denial of service (CVSS A:H) through network-accessible undisclosed traffic patterns. F5 has released patches addressing this vulnerability. EPSS data not available, not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42409 HIGH PATCH This Week

Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via undisclosed malformed HTTP/2 requests when virtual servers are configured with both an HTTP/2 profile and iRules using HTTP::redirect or HTTP::respond commands. Exploitation requires no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N) and results in complete service disruption. Vendor patch available via F5 K000159034. EPSS data not provided, but the specific configuration requirement limits exposure to organizations using HTTP/2 with custom iRule redirects or responses.

Denial Of Service Null Pointer Dereference Big Ip Big Ip Next Spk Big Ip Next Cnf +1
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40423 HIGH PATCH This Week

Traffic Management Microkernel (TMM) crash in F5 BIG-IP versions 16.1.0 through 21.0.0.1 allows unauthenticated remote attackers to cause complete service disruption when a SIP profile is configured on a virtual server. The vulnerability requires specific configuration (SIP profile deployment) and enables denial of service through undisclosed malformed SIP traffic. EPSS data not available; no active exploitation confirmed by CISA KEV at time of analysis. Vendor patch available across all affected version branches with specific fix versions identified.

Denial Of Service Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-39458 HIGH PATCH This Week

Traffic Management Microkernel (TMM) denial-of-service in F5 BIG-IP DNS affects systems with DNS cache-enabled profiles on virtual servers. Remote unauthenticated attackers can crash TMM using undisclosed malicious traffic patterns, causing complete service disruption. CVSS 7.5 High severity with network vector and low complexity. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis. Vendor patch available per F5 K000160945.

Information Disclosure Memory Corruption Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40060 HIGH PATCH This Week

F5 BIG-IP Advanced WAF and Application Security Manager (ASM) suffer from a denial-of-service vulnerability when processing specially crafted requests against virtual servers with active security policies. Undisclosed malformed requests cause the bd process to terminate, disrupting service availability. Remote unauthenticated attackers can exploit this with low complexity (CVSS:3.1 AV:N/AC:L/PR:N/UI:N) achieving high availability impact (CVSS 7.5). EPSS data not provided, no active exploitation confirmed via CISA KEV at time of analysis. Vendor patch available per F5 advisory K000160727.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41227 HIGH PATCH This Week

Remote memory exhaustion in F5 BIG-IP virtual servers crashes Traffic Management Microkernel when HTTP/2 Layer 7 DoS Protection receives undisclosed malformed traffic. Unauthenticated remote attackers can reliably terminate TMM processes, disrupting application delivery services. CVSS 7.5 (High) with network-exploitable, low-complexity characteristics and EPSS data not provided. Vendor patch available via F5 K000158979.

Denial Of Service Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40618 HIGH PATCH This Week

Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are configured without hardware crypto acceleration, allowing remote unauthenticated attackers to cause denial of service via undisclosed traffic patterns. CVSS 7.5 (High) with network attack vector and no prerequisites. EPSS data not provided, no CISA KEV listing identified, indicating theoretical rather than observed exploitation. Vendor patch available per F5 advisory K000158082.

Intel Information Disclosure Big Ip Big Ip Next Spk Big Ip Next Cnf +1
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41956 HIGH PATCH This Week

Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM) by sending specially crafted UDP requests to virtual servers with classification profiles enabled. The vulnerability affects BIG-IP, BIG-IP Next CNF, and BIG-IP Next for Kubernetes platforms. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Vendor-released patch available per F5 advisory K000158038.

Stack Overflow Buffer Overflow Big Ip Big Ip Next Cnf Big Ip Next For Kubernetes
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42920 HIGH PATCH This Week

Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual servers configured with Client SSL profiles having Allow Dynamic Record Sizing enabled. Remote unauthenticated attackers can trigger complete service denial by sending crafted traffic, causing TMM process crashes. F5 has released patches per advisory K000160901.

Denial Of Service Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40629 HIGH PATCH This Week

Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust connection processing via undisclosed traffic patterns, forcing affected servers to reject new client connections. The vulnerability affects multiple BIG-IP product lines including classic BIG-IP and all BIG-IP Next variants (SPK, CNF, Kubernetes). F5 has released vendor patches (K000158978), and with CVSS 7.5 (AV:N/AC:L/PR:N/UI:N), this represents a straightforward network-based DoS attack requiring no authentication or special complexity.

Denial Of Service Big Ip Big Ip Next Spk Big Ip Next Cnf Big Ip Next For Kubernetes
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41218 HIGH PATCH This Week

Remote denial-of-service in F5 BIG-IP Policy Enforcement Manager (PEM) allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM) via undisclosed traffic patterns when PEM-specific iRules are configured on a virtual server. The vulnerability is a use-after-free memory corruption issue (CWE-416) affecting CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and urlcatquery iRule commands. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates straightforward remote exploitation with high availability impact. EPSS data not provided, but F5 has released a vendor patch (K000160875). No public exploit or CISA KEV listing identified at time of analysis.

Information Disclosure Use After Free Memory Corruption Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40067 HIGH PATCH This Week

Remote denial of service in F5 BIG-IP Access Policy Manager (APM) allows unauthenticated attackers to crash the apmd process by sending specially crafted traffic to virtual servers with APM access policies configured. The vulnerability stems from a buffer overflow (CWE-120) and requires no authentication or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis. F5 has released vendor patches per advisory K000161056.

Buffer Overflow Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-45229 HIGH PATCH This Week

Mass assignment in Quark Auto Save (also referenced as Quark Drive) before version 0.8.5 lets authenticated users overwrite administrator credentials by posting an arbitrary 'webui' object to the config_data dictionary through the POST /update endpoint. Successful exploitation locks out legitimate administrators and grants persistent control over scheduled tasks, cloud storage tokens, and notification integrations. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.05% (16th percentile), though a vendor patch is available in release v0.8.5.

Information Disclosure Quark Auto Save
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-33583 HIGH PATCH This Week

Sensitive key material disclosure in Arqit Symmetric Key Agreement Platform versions before 26.03 allows remote unauthenticated attackers to retrieve the QKEY (a critical input to the OTA-Quantum device registration process) along with internal system keys via a plain HTTP GET request. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%), but the high CVSS of 8.7 with scope-change reflects the severe downstream cryptographic compromise possible once these keys leak. A vendor patch is available in version 26.03.

Information Disclosure Symmetric Key Agreement Platform
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-44418 HIGH This Week

SQL injection in EcclesiaCRM 8.0.0 and earlier allows authenticated remote attackers to execute arbitrary SQL queries through the query view feature. The flaw stems from an incomplete fix for CVE-2026-35184: the ValidateInput() function's default case passes user-supplied POST parameters directly into str_replace-based SQL construction without sanitization when non-standard validation types are used. No public exploit identified at time of analysis, and EPSS rates exploitation likelihood at just 0.03%.

SQLi Ecclesiacrm
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-6281 HIGH PATCH This Week

Remote command execution in Lenovo Personal Cloud Storage devices (T1, T2, T2S, T2Pro, X1, X1S, A1, A1S, and Home Storage Hub T20/X20) allows authenticated users on the local network to execute arbitrary commands via OS command injection (CWE-78). The CVSS v4.0 score of 8.7 reflects complete system compromise potential (VC:H/VI:H/VA:H) through network attack with low complexity but requiring low-privilege authentication (AV:N/AC:L/PR:L). No evidence of active exploitation (not in CISA KEV) or public exploit code identified at time of analysis. Lenovo has issued advisories including end-of-life notices for certain models (T1), indicating some affected products may not receive patches.

Command Injection Lenovo
NVD VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-41225 HIGH PATCH NEWS This Week

F5 BIG-IP iControl REST allows authenticated attackers with Manager role or higher to execute arbitrary commands through malicious configuration objects. This authenticated remote code execution vulnerability carries a CVSS score of 7.2 but requires high privileges (Manager role), significantly limiting the attack surface to insider threats or compromised administrator accounts. No public exploitation or proof-of-concept has been identified at time of analysis, and F5 has released vendor patches per advisory K000160916.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-39459 HIGH PATCH This Week

Authenticated attackers with Manager role or higher in F5 BIG-IP can execute arbitrary commands via malicious configuration objects in iControl REST API and TMOS Shell (tmsh). This privilege escalation vulnerability allows administrators to break out of their intended access boundaries and achieve full system control. CVSS 7.2 (High) reflects network accessibility with high privileges required. No public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-44380 HIGH PATCH This Week

Privilege escalation in MISP threat intelligence platform versions prior to 2.5.37 allows organization administrators to reset authentication keys of site administrator accounts within the same organization, yielding cross-tier access takeover. The flaw stems from missing authorization checks in the auth key reset workflow, enabling an org-admin to harvest a freshly generated site-admin API key. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.06%, but a vendor-released patch (2.5.37) is available.

Authentication Bypass Misp
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-29205 HIGH PATCH This Week

Arbitrary file read in cPanel & WHM's cpdavd service allows remote unauthenticated attackers to retrieve sensitive files from the server through attachment download endpoints that fail to properly filter paths and enforce privilege boundaries. The flaw affects multiple supported cPanel release tiers (11.120 through 11.136) and WP Squared 11.120.1.0-11.136.1.12, scoring CVSS 8.6 due to network reach without authentication, though EPSS exploitation probability is only 0.04% and no public exploit identified at time of analysis.

Privilege Escalation
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-44697 HIGH PATCH GHSA This Week

Remote unauthenticated attackers can crash Klever-Go blockchain validators by sending a single 48 KiB compressed gossip packet that decompresses to multi-gigabyte allocations, killing the process via out-of-memory condition. The vulnerability in Batch.Decompress performs unbounded gzip decompression before anti-flood checks execute, enabling a single malicious peer to OOM-kill validators and disrupt chain liveness. Proof-of-concept demonstrates 45,604× amplification (48 KiB wire → 2.1 GiB heap). No public exploit identified at time of analysis, but vendor confirms internal discovery and patch development in progress.

Apple Information Disclosure
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-42463 HIGH PATCH This Week

Cross-workspace IDOR in SQLBot (DataEase) versions prior to 1.8.0 allows authenticated low-privilege users to read and modify database schemas and data sources belonging to other tenants via the /api/v1/datasource/exportDsSchema and /api/v1/datasource/uploadDsSchema endpoints. The flaw breaks multi-tenant isolation in a Text-to-SQL platform that brokers access to backend databases, meaning a tenant can pivot to another tenant's data sources. No public exploit identified at time of analysis, and EPSS probability is very low (0.04%), but SSVC rates technical impact as total.

Authentication Bypass Sqlbot
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-21019 HIGH This Week

Local privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with system-level privileges by exploiting improper input validation in the FacAtFunction component. Affects Galaxy Watch devices running Android Watch 14 and 16 prior to Samsung's May 2026 security release (SMR May-2026 Release 1). EPSS score of 0.03% indicates low automated exploitation probability, and no active exploitation or public POC has been identified at time of analysis. Attack requires physical or ADB access to the device.

RCE Samsung Mobile Devices
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-45136 HIGH PATCH GHSA This Week

Local code execution in the claude-code-cache-fix npm package (v3.5.0 and v3.5.1) lets attacker-controlled filesystem path names run arbitrary Python inside a victim's Claude Code process. The bundled tools/quota-statusline.sh interpolates Claude Code's statusline hook stdin — which reflects user-controlled paths such as cwd, workspace.current_dir, workspace.project_dir, and transcript_path — directly into a Python triple-quoted literal, so a directory name containing the byte sequence ''' closes the literal early and executes following bytes as Python at the user's privilege on every statusline redraw. A working injection payload is publicly available exploit code (published in the GHSA advisory and the T6/T7 regression tests); the issue is not listed in CISA KEV and no EPSS score was provided.

Python Node.js Command Injection RCE
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-6282 HIGH PATCH This Week

Path traversal in Lenovo Personal Cloud Storage devices allows authenticated remote attackers to move or access files belonging to other users on the same device, enabling unauthorized data disclosure and modification across user boundaries. Affects multiple product lines including Personal Cloud (T1, T2, T2S, T2Pro, X1, X1S, A1, A1S) and Home Storage Hub (T20, X20). CVSS 8.6 reflects high confidentiality and integrity impact with low attack complexity. No active exploitation confirmed in CISA KEV at time of analysis, and EPSS data not available for this 2026 CVE identifier.

Path Traversal Lenovo
NVD VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-35506 HIGH This Week

OS command injection in ELECOM wireless LAN access point devices allows authenticated administrators to execute arbitrary system commands via a crafted ping_ip_addr parameter. Affects multiple ELECOM WRC-series models including WRC-BE72XSD-B (v1.1.1 and earlier), WRC-BE65QSD-B (v1.1.0 and earlier), and WRC-W702-B (v1.1.0 and earlier). Despite the high CVSS 8.6 score, exploitation requires high-privilege (administrator) credentials, significantly limiting real-world risk to scenarios involving compromised admin accounts or malicious insiders. No active exploitation (KEV) or public POC has been identified at time of analysis. Vendor advisory available from ELECOM with remediation guidance.

Command Injection Wrc Be72Xsd B Wrc Be72Xsd Ba Wrc Be65Qsd B Wrc W702 B
NVD
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-34176 HIGH PATCH This Week

Remote command injection in F5 BIG-IP Appliance mode allows high-privilege authenticated attackers to execute arbitrary OS commands through an undisclosed iControl REST endpoint, crossing security boundaries between management and administrative contexts. CVSS 8.7 with scope change (S:C) indicates container escape or privilege domain breach. F5 has released vendor patches per advisory K000160857. No public exploit code or CISA KEV listing identified at time of analysis, limiting immediate mass-exploitation risk despite network attack vector.

Command Injection Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.2%
CVE-2026-41953 HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrator users to elevate privileges through configuration object manipulation. The command injection flaw (CWE-77) enables attackers with existing high-privilege access to gain administrative control over the BIG-IP system. CVSS score of 8.7 reflects high impact due to scope change (compromising beyond the vulnerable component), though exploitation requires existing Resource Administrator credentials (PR:H). EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation.

Privilege Escalation Command Injection Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-40698 HIGH PATCH This Week

Command injection in F5 BIG-IP and BIG-IQ SNMP configuration allows highly privileged Resource Administrators to escalate privileges to root via crafted iControl REST API calls or TMOS shell commands. Despite the high CVSS score (8.7), exploitation requires existing Resource Administrator credentials, significantly limiting real-world attack surface to insider threats or post-compromise scenarios. Vendor-released patches are available per F5 security advisory K000160981.

Privilege Escalation Command Injection Big Ip Big Iq
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-42924 HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators or Administrators to execute arbitrary OS commands by creating malicious SNMP configuration objects via the legacy iControl SOAP API. Attackers with high-level administrative credentials can break out of their role constraints to gain full system control. F5 has released patches addressing this command injection flaw (CWE-78). No active exploitation confirmed at time of analysis, but the CVSS:3.1 Changed Scope indicator and attack complexity of Low make this exploitable by any administrator with SOAP API access.

Privilege Escalation Command Injection Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-40061 HIGH PATCH This Week

Authenticated attackers with Resource Administrator or Administrator role can execute arbitrary system commands via undisclosed iControl REST or BIG-IP TMOS Shell (tmsh) commands, potentially escalating privileges and crossing security boundaries in Appliance mode deployments. CVSS 6.5 reflects high privileges required (PR:H) but high confidentiality and integrity impact. No public exploit code identified at time of analysis.

Command Injection Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-32673 HIGH PATCH This Week

Authenticated administrators with Resource Administrator or Administrator role can execute arbitrary system commands with elevated privileges in F5 BIG-IP scripted monitors, potentially crossing security boundaries in appliance mode deployments. The vulnerability requires high privilege level and network access but allows complete command execution with no user interaction, affecting confidentiality and integrity.

Privilege Escalation Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-40631 HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators to gain full Administrator privileges by exploiting insecure iControl SOAP API configuration handling. Attackers with high-privilege Resource Administrator access can modify configuration objects to escalate to Administrator level, achieving cross-scope access to confidential data and integrity compromise. EPSS risk assessment unavailable, but exploitation requires legitimate Resource Administrator credentials and network access to management interface, limiting attack surface to insider threats or compromised administrative accounts.

Privilege Escalation Information Disclosure Path Traversal Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy