Skip to main content
CVE-2025-14870 HIGH PATCH This Week

Denial of service in GitLab Community and Enterprise Editions (versions 18.5 through 18.11.2) allows remote unauthenticated attackers to exhaust resources by submitting specially crafted JSON payloads that bypass input validation. The flaw is network-reachable with low complexity and no authentication required, but only impacts availability (CVSS 7.5, A:H). No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04% (11th percentile), though CISA SSVC flags the issue as automatable.

Denial Of Service Gitlab
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45398 HIGH PATCH GHSA This Week

Insecure Direct Object Reference (IDOR) in Open WebUI's retrieval API allows authenticated users to bypass knowledge base access controls and directly access, modify, or delete other users' private knowledge bases by supplying the target UUID as a collection name. The authorization gap affects seven endpoints: two read endpoints (/query/doc, /query/collection) permit exfiltration of private knowledge base content, while five write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube) enable content injection, poisoning, or complete data destruction via overwrite. Affects Open WebUI <= 0.9.4; fixed in v0.9.5 via PR #22109. EPSS data not available; no confirmed active exploitation (CVSS 7.5 reflects AC:H due to UUID prerequisite, but UUIDs leak through multiple channels per researcher analysis).

Authentication Bypass Python Docker
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1659 HIGH PATCH This Week

Denial of service in GitLab CE/EE allows unauthenticated remote attackers to disrupt service availability by sending specially crafted requests that exploit insufficient input validation. Affected versions span 9.0 through 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 across both Community and Enterprise editions, with no public exploit identified at time of analysis and a low EPSS score (0.04%) indicating limited near-term exploitation likelihood despite the network-reachable attack surface.

Denial Of Service Gitlab
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8585 HIGH PATCH This Week

Out-of-bounds memory read in Google Chrome on iOS versions before 148.0.7778.168 enables remote attackers to access sensitive memory contents through a compromised renderer process. The vulnerability requires user interaction to visit a malicious webpage and exploitation of a prior renderer compromise. With EPSS at 0.03% and no known active exploitation, this represents a moderate risk primarily in targeted attack chains.

Google Information Disclosure Apple Suse Chrome
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8521 HIGH PATCH This Week

Use after free in Tab Groups in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14869 HIGH PATCH This Week

Denial of service in GitLab Community and Enterprise Edition versions 18.5 through 18.11.2 allows unauthenticated remote attackers to disrupt service availability by sending specially crafted payloads to certain API endpoints. The flaw maps to CWE-1284 (improper validation of specified quantity in input) and has been patched in 18.9.7, 18.10.6, and 18.11.3. No public exploit identified at time of analysis and EPSS probability is very low (0.03%, 9th percentile), but the SSVC framework flags the attack as automatable with partial technical impact.

Denial Of Service Gitlab
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68420 HIGH PATCH This Week

Memory dump attacks against Comarch ERP Optima client expose hardcoded high-privilege database credentials, allowing local attackers with process control to bypass application-level access controls and gain direct database access with elevated privileges. Exploitation requires a configured client installation but no user login, creating persistent risk on shared workstations. CERT-PL publicly disclosed this credential management flaw (CWE-266) with patch available in version 2026.4, though no active exploitation or public POC has been confirmed.

Information Disclosure Erp Optima
NVD
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-46419 HIGH PATCH This Week

Authentication bypass in Yubico java-webauthn-server (webauthn-server-core) 2.8.0 through 2.8.1 allows an attacker holding any valid registered credential to impersonate other users during the second-factor flow. The flaw stems from an unchecked return value in finishAssertion that accepts a successful authentication result even when the authenticated credential belongs to a different user than the one named in StartAssertionOptions.username. No public exploit identified at time of analysis, and EPSS is very low (0.01%), but CISA SSVC rates the technical impact as total.

Information Disclosure Webauthn Server Core
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4029 HIGH This Week

Unauthenticated attackers can export complete database tables from WordPress Multisite installations running Database Backup for WordPress plugin ≤2.5.2, exposing credentials, user data, and site content. The vulnerability stems from improper enforcement of authorization check return values, bypassing security controls. Exploitation is limited to legacy WordPress Multisite environments using the deprecated is_site_admin() function. CVSS 7.5 (High) with network attack vector and no authentication required. No CISA KEV listing indicates limited widespread exploitation, though the unauthenticated remote access vector presents significant risk for affected configurations.

Authentication Bypass Information Disclosure WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4031 HIGH This Week

Authorization bypass in Database Backup for WordPress plugin (≤2.5.2) enables unauthenticated attackers to redirect scheduled backup files to publicly accessible directories and retrieve them before cleanup. By poisoning the wp_db_temp_dir parameter via wp-cron.php, attackers can intercept database backups containing credentials, password hashes, and PII. Backup filenames follow predictable patterns (database name, table prefix, date, Swatch Internet Time), making interception reliable. Exploitation requires administrator-configured scheduled backups but no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N). EPSS and KEV data not provided; Wordfence-reported vulnerability with publicly accessible source code references enabling attack reproduction.

Authentication Bypass PHP Information Disclosure WordPress
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-45314 HIGH PATCH GHSA This Week

Stored cross-site scripting in Open WebUI versions 0.9.2 and earlier allows authenticated low-privileged users to persist malicious SVG payloads through the channel webhook profile_image_url field, which the server later serves verbatim as image/svg+xml. Any verified user who loads the resulting profile image URL executes attacker-controlled JavaScript in the application origin, enabling session theft and account takeover. Publicly available exploit code exists in the form of a working Python PoC published in the GHSA advisory; no public exploit identified at time of analysis as actively used in the wild.

XSS
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-45310 HIGH PATCH GHSA This Week

HTTP redirect bypass in DeepSeek TUI's fetch_url tool allows Server-Side Request Forgery (SSRF) against cloud metadata endpoints and internal services. The tool validates only the initial URL against restricted IP blocklists but automatically follows up to 5 HTTP redirects without re-validation, enabling attackers to exfiltrate AWS/GCP/Azure IAM credentials and instance metadata via prompt injection attacks. Vendor-released patch available in version 0.8.22. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept exists in public advisory demonstrating successful bypass of SSRF protections.

SSRF Microsoft
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-45373 HIGH PATCH GHSA This Week

Server-Side Request Forgery in DeepSeek-TUI's fetch_url tool allows remote attackers to bypass IPv6 SSRF protections and access local restricted resources. The vulnerability exists in versions prior to 0.8.26 where supplying IPv6 addresses in bracket notation (http://[::1]) circumvents hostname-based validation that only checks resolved addresses, not literal IPv6 URLs. Public exploit code exists with a working proof-of-concept requiring only user interaction to trigger via a malicious prompt. CVSS score of 7.4 reflects high confidentiality impact with scope change, though EPSS data is not available for this recently disclosed vulnerability.

SSRF
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-3290 HIGH PATCH This Week

Hardware random number generator (HRNG) in Silicon Labs RS9116 SDK versions up to 2.13.1 produces predictable cryptographic values when the wireless module operates in power save mode, enabling adjacent attackers with user interaction to compromise encrypted communications and authentication mechanisms. Vendor patch available via GitHub; no active exploitation confirmed but cryptographic weakness poses high risk to WiFi/Bluetooth IoT deployments relying on the affected module's entropy source.

Information Disclosure Rs9116 Sdk
NVD GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-44636 HIGH PATCH This Week

Heap buffer overflow in libsixel 1.8.7-r1 and earlier allows local attackers to execute arbitrary code or crash the application when encoding images with dimensions exceeding 2.15 billion pixels. The sixel_encode_highcolor function contains a signed integer overflow in allocation size calculation that wraps to a small value, causing malloc to succeed with an undersized buffer that the encoder subsequently overflows. Fixed in version 1.8.7-r2. No CISA KEV listing or public exploit code identified at time of analysis, with EPSS exploitation probability presumably low given the highly specific triggering conditions.

Heap Overflow Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-24712 HIGH This Week

Command injection in CFEngine Enterprise and Community editions before versions 3.21.8, 3.24.3, and 3.27.0 enables remote unauthenticated attackers to execute arbitrary commands on the system. The vulnerability has an EPSS score of 0.15% indicating relatively low exploitation probability, and no public exploit identified at time of analysis. SSVC framework rates this as automatable with total technical impact, suggesting high potential severity if exploited.

Command Injection
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-45011 HIGH GHSA This Week

Stored cross-site scripting in ApostropheCMS 4.29.0 allows authenticated editors to inject arbitrary JavaScript via image widget URL fields, affecting administrators and public visitors. The vulnerability permits execution of malicious payloads when victims click crafted image links on published pages. No vendor-released patch identified at time of analysis, and CVSS 7.3 (High) reflects the authenticated nature and required user interaction, though impact on administrator sessions elevates real-world risk.

XSS
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-3718 HIGH This Week

Stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject arbitrary JavaScript via a crafted 'MWP-Key-Name' HTTP request header, which executes when an administrator later visits the plugin's connection management page with debug parameters. No public exploit identified at time of analysis, and the EPSS score is very low (0.07%, 22nd percentile), but the unauthenticated network attack vector and changed scope (S:C) keep this relevant for any site using the plugin.

XSS WordPress Managewp Worker
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-45395 HIGH PATCH GHSA This Week

Privilege escalation in Open WebUI allows authenticated users with 'write' access grants on tools to execute arbitrary server-side Python code without the required workspace.tools permission. The tool update endpoint (POST /api/v1/tools/id/{id}/update) fails to enforce the workspace.tools authorization check that gates code execution, allowing users explicitly denied code execution capabilities to bypass this security boundary. This breaks Open WebUI's documented trust model where workspace.tools permission is intentionally disabled by default and 'equivalent to giving them shell access to the server.' Exploitation achieves root code execution (PID 1) in default Docker deployments, enabling extraction of secrets (WEBUI_SECRET_KEY, API keys), database access, and filesystem read/write. Confirmed by GitHub security advisory GHSA-p4fx-23fq-jfg6. No public exploit or KEV listing at time of analysis, but detailed proof-of-concept with Burp Collaborator confirmation exists in the advisory.

Microsoft Python RCE Privilege Escalation Docker
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-6476 HIGH PATCH This Week

SQL injection in PostgreSQL's pg_createsubscriber utility escalates privileges from pg_create_subscription to superuser, enabling arbitrary SQL execution. Affects PostgreSQL versions 17.0-17.9 and 18.0-18.3; exploitation requires high-privilege access (pg_create_subscription rights) but occurs remotely without additional complexity. Attack triggers when pg_createsubscriber next executes. Fixed in PostgreSQL 18.4 and 17.10. No CISA KEV listing or public exploit identified at time of analysis, but the technical simplicity (AC:L) and privilege escalation nature present moderate risk for multi-tenant or hosted PostgreSQL environments where subscription management permissions are delegated.

PostgreSQL SQLi Suse
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-45350 HIGH PATCH GHSA This Week

Low-privileged authenticated users in Open WebUI <=0.8.5 can invoke admin-restricted external tools (MCP servers, GitHub integrations, etc.) via the chat completion API by supplying arbitrary tool_ids or tool_servers parameters. Exploited tools execute with server-stored credentials, enabling unauthorized data access or actions through third-party integrations. Publicly available exploit code exists (PoC in GitHub advisory GHSA-4pcg-253r-rf9w). EPSS data not provided; CVSS 7.1 indicates network-accessible authenticated exploitation with high confidentiality impact. Vendor-released patches: v0.7.0 (partial, local tools) and v0.8.6 (complete fix for MCP servers). Users on >=0.8.6 are not affected.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-44647 HIGH PATCH This Week

Path traversal in OneDev Git server allows authenticated users with repository push permissions to read arbitrary files accessible to the server process. The vulnerability exploits improper validation of repository-controlled LFS (Large File Storage) metadata to break expected path boundaries, enabling file reads outside intended repository storage. A vendor-released patch is available in version 15.0.2. CVSS 7.1 reflects high confidentiality impact via network-based attack with low complexity requiring only low-privilege authentication.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-44678 HIGH This Week

Unauthorized deletion of preview resources in Tuist API allows authenticated attackers to delete arbitrary project previews regardless of ownership. An attacker with valid credentials can manipulate the DELETE endpoint's URL path to pass authorization checks against a project they control, while supplying any preview UUID to delete resources belonging to other users' projects. No public exploit code identified at time of analysis, but exploitation requires only low-complexity API manipulation with standard HTTP tools.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41935 HIGH PATCH This Week

Infinite recursion in Vvveb admin controller exhausts PHP memory through repeated permission checks when low-privilege users access forbidden admin URLs. Sustained requests deplete worker memory causing site-wide denial of service. Fixed in version 1.0.8.3 via commit c766e84b which removes Base class inheritance from Error403 controller to break the dispatch cycle. No evidence of active exploitation but trivial to reproduce with authenticated low-privilege account.

Denial Of Service PHP Information Disclosure
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-45399 HIGH PATCH GHSA This Week

Broken object-level authorization in Open WebUI allows any authenticated low-privilege user to enumerate and terminate background tasks belonging to other users via GET /api/tasks and POST /api/tasks/stop/{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.

Authentication Bypass Redis Privilege Escalation Python
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-42847 HIGH PATCH This Week

SQL injection in ClipBucket v5's admin panel allows authenticated administrators to exfiltrate database contents via the action_logs.php endpoint. The type parameter is directly concatenated into SQL queries without parameterization, enabling UNION-based attacks to extract sensitive data including user credentials, video metadata, and system configuration. Affects all versions prior to 5.5.3 - #122. No active exploitation confirmed (not in CISA KEV), but the technical barrier is low given the straightforward injection point and admin access requirement.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-45349 HIGH PATCH GHSA This Week

Broken access control in Open WebUI's `/api/chat/completions` endpoint allows any authenticated user to read and continue other users' private conversations by supplying a known Chat ID. The API fails to verify chat ownership before granting access, exposing sensitive conversation data across multi-user deployments with shared AI models. Fixed in v0.9.0 via commit cf4218e68, which enforces ownership validation through `Chats.is_chat_owner()` checks. Exploitation requires low-privilege authentication (PR:L) and network access (AV:N), but no user interaction (UI:N) or special configuration-any default multi-user instance with shared pipelines is vulnerable. CVSS 7.1 (High) reflects network-accessible confidentiality breach (C:H) with limited integrity impact (I:L). No public exploit identified at time of analysis, but proof-of-concept published in GitHub advisory GHSA-gfm2-xm6c-37qc demonstrates trivial exploitation via legitimate API key usage.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46446 HIGH PATCH This Week

SQL injection in SOGo versions prior to 5.12.7 allows authenticated users to inject arbitrary SQL when changing their password, provided the deployment uses PostgreSQL or MariaDB as the user backend and stores cleartext passwords. The flaw resides in the changePasswordForLogin routine where the new password value is interpolated directly into an UPDATE statement (c_password = '%@'). No public exploit identified at time of analysis, EPSS is very low (0.03%), and SSVC marks exploitation as 'none' - but the patched upstream code (PR #379, fixed in 5.12.7) confirms the vulnerability.

SQLi PostgreSQL Sogo
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46445 HIGH PATCH This Week

SQL injection in Alinto SOGo versions prior to 5.12.7 allows authenticated remote attackers to manipulate database queries when the groupware is deployed against a PostgreSQL backend. The flaw stems from improper quoting in the SQLSource authentication and contact-lookup paths, which an attacker can leverage to read or modify data with high confidentiality and integrity impact. No public exploit identified at time of analysis and EPSS is very low (0.03%), but a vendor patch and upstream code fix are available.

SQLi PostgreSQL Sogo
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43905 HIGH PATCH This Week

Heap overflow in OpenImageIO's JPEG 2000 decoder allows local attackers with malicious image files to execute arbitrary code. Affects versions before 3.0.18.0 and 3.1.x before 3.1.13.0 when compiled with USE_OPENJPH flag. Integer overflow in buffer size calculation causes undersized heap allocation, leading to memory corruption during pixel writes. No public exploit identified at time of analysis, but SSVC framework indicates POC exists. Vendor-released patches available in versions 3.0.18.0 and 3.1.13.0.

Integer Overflow Buffer Overflow Suse
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-44637 HIGH PATCH This Week

Heap buffer overflow in libsixel versions up to 1.8.7-r1 enables local attackers to corrupt memory and potentially execute code by supplying maliciously crafted SIXEL image data. A signed integer overflow in the SIXEL parser's buffer resizing logic bypasses allocation size checks, allowing out-of-bounds writes with attacker-controlled offsets. The vulnerability requires user interaction to process a malicious SIXEL file but does not require authentication. Fixed in version 1.8.7-r2. No active exploitation confirmed (not in CISA KEV); public exploit code status unknown.

Integer Overflow Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-5798 HIGH This Week

Insecure Direct Object Reference (IDOR) in Stel Order v3.25.1 and earlier allows authenticated attackers with low privileges to access confidential employee information across the organization by manipulating the 'employeeID' parameter in requests to the '/app/FrontController' endpoint. Attackers can enumerate and retrieve personal data including names, roles, job titles, and vacation records for any employee regardless of authorization level. EPSS data not available; no confirmed active exploitation (not in CISA KEV). CVSS 7.1 reflects high confidentiality impact but requires authentication, limiting immediate exposure to insider threats or compromised accounts.

Authentication Bypass Stel Order
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-44541 HIGH PATCH GHSA This Week

DOM-based cross-site scripting in Fides consent banner (fides.js) allows remote unauthenticated attackers to execute arbitrary JavaScript in the embedding site's origin via crafted URL parameters, JavaScript globals, or cookies. The vulnerability affects Fides Enterprise deployments using the consent management platform with HTML-formatted banner descriptions enabled (FIDES_PRIVACY_CENTER__ALLOW_HTML_DESCRIPTION=true), though only when the non-default HTML description feature is active. Cookie-based payload delivery enables persistent XSS across all subdomains until cookies are cleared. Vendor-released patch available in ethyca-fides 2.84.5 (OSS) and fidesplus 2.84.6 (Enterprise). No public exploit identified at time of analysis beyond the vendor's proof-of-concept test snippet.

XSS
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2025-62628 HIGH This Week

Arbitrary code execution in AMD optional tools occurs through DLL injection during unsafe OpenSSL initialization, allowing local authenticated attackers with low-privilege user access and user interaction to execute malicious code with high impact to confidentiality, integrity, and availability. The vulnerability stems from insecure library loading (CWE-427) where the affected AMD utilities fail to validate DLL search paths during OpenSSL library initialization. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once local access is obtained.

Amd RCE OpenSSL
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-24000 MEDIUM PATCH GHSA This Month

Fleet trusts untrusted client-supplied IP address headers (X-Forwarded-For, X-Real-IP, True-Client-IP) when determining source IP for incoming requests, allowing both authenticated and unauthenticated attackers to spoof their apparent IP address and bypass per-IP rate limiting controls. This enables brute-force and password-spraying attacks against authentication endpoints to scale without triggering rate-limit protections, though the vulnerability does not itself enable authentication bypass, privilege escalation, data exposure, or remote code execution.

Authentication Bypass Privilege Escalation Information Disclosure RCE
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-45248 MEDIUM This Month

Hedera Guardian through version 3.5.1 allows unauthenticated attackers to retrieve sensitive user information via the GET /api/v1/demo/registered-users endpoint, which lacks proper authentication controls. Attackers can access this endpoint without credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users. The vulnerability affects confidentiality with a CVSS score of 5.3 and has been fixed in the upstream repository via GitHub PR #6076.

Authentication Bypass Guardian
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-46356 MEDIUM PATCH GHSA This Month

Fleet instances fail to validate the origin of client IP headers (True-Client-IP, X-Real-IP, X-Forwarded-For) before using them for API rate limiting, allowing unauthenticated attackers to bypass per-IP brute-force protections on sensitive endpoints such as login by rotating header values across requests. This vulnerability primarily affects Fleet deployments directly exposed to the internet without a reverse proxy that overwrites forwarded headers; instances behind properly configured proxies or WAFs have reduced exposure.

Authentication Bypass Nginx
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-44679 MEDIUM PATCH This Month

Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forgot password flow allows an unauthenticated attacker to repeatedly trigger password reset emails for a known account without server-side throttling. In self-hosted deployments, this can be abused to send large volumes of unwanted email and consume downstream email delivery resources. This vulnerability is fixed in 1.180.10.

Denial Of Service
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-8295 MEDIUM PATCH This Month

Integer overflow in simdjson's string_builder::escape_and_append() function allows out-of-bounds memory reads in SIMD routines when processing very large input strings on 32-bit platforms, potentially resulting in information disclosure or memory corruption. The vulnerability affects all versions before 4.6.4 and has been patched by the vendor.

Integer Overflow Information Disclosure Buffer Overflow Red Hat
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-41933 MEDIUM PATCH This Month

Vvveb before 1.0.8.3 allows unauthenticated remote attackers to enumerate sensitive files and directories through directory listing information disclosure. Multiple directories including admin, plugins, themes, and media folders lack proper index directives in .htaccess files, permitting attackers to view filenames, file sizes, modification timestamps, and unrendered admin templates that expose sensitive route maps. No active exploitation has been confirmed, but the vulnerability is trivial to exploit with network access and no authentication.

Information Disclosure
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-42598 MEDIUM PATCH This Month

Path traversal in Pode PowerShell web framework versions 2.4.0 through 2.12.x allows high-privileged authenticated users to read arbitrary files from the server filesystem via crafted static route requests. An attacker with high privilege can request paths like http://localhost:8080/c:/Windows/System32/drivers/etc/hosts to retrieve sensitive file contents. The vulnerability is fixed in version 2.13.0.

Microsoft Path Traversal
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45078 MEDIUM PATCH GHSA This Month

Matrix Synapse homeserver versions prior to 1.152.1 allow authenticated local users to trigger CPU starvation that denies service to other users by exploiting unbounded lock timeout intervals in the WorkerLock implementation. Synapse deployments that do not trust all local users face service availability risk from malicious authenticated accounts. Vendor-released patch available in version 1.152.1 (GitHub commit 3f58bc50dfba5768ee43ce48c5e74c25ba0b078a confirms fix). No public exploit identified at time of analysis, though the attack mechanism is straightforward for any authenticated user.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-6332 MEDIUM CISA This Month

Source code disclosure vulnerability in Schneider Electric EcoStruxure Machine Expert HVAC versions prior to 1.10.0 allows authorized users with local access to view protected source code stored in cleartext, resulting in loss of confidentiality and potential exposure of proprietary logic. The vulnerability requires local authenticated access and is rooted in improper protection of sensitive information at rest; no active exploitation or public exploit code has been identified.

Information Disclosure Ecostruxure Machine Expert Hvac
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-6008 MEDIUM This Month

Authorization bypass in DijiDemi v4.5.12.1 through v4.5.13.0 allows authenticated high-privilege users to escalate permissions through user-controlled cryptographic key manipulation. An attacker with high privileges can abuse the authorization mechanism by controlling session or authentication keys, bypassing intended access restrictions and potentially modifying data or executing unauthorized operations, though exploitation requires user interaction and high-privilege account access.

Authentication Bypass Dijidemi
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-6670 MEDIUM This Month

Path traversal in the Media Sync WordPress plugin (versions ≤1.4.9) enables authenticated attackers with Author-level access or above to read arbitrary files outside the intended uploads directory by injecting traversal sequences into the 'sub_dir' and 'media_items' parameters. The CVSS vector (C:H/I:N/A:N) confirms the impact is limited to confidentiality - file read only, with no write or deletion capability indicated. No public exploit has been identified at time of analysis, and CISA SSVC rates current exploitation as none with partial technical impact, consistent with the low EPSS probability of 0.45%.

Path Traversal WordPress Media Sync
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-8280 MEDIUM PATCH This Month

GitLab CE and EE are vulnerable to authenticated denial of service through excessive memory consumption, affecting all installations from version 8.3 up to the patched releases. An authenticated user with minimal privileges can submit maliciously crafted input that bypasses proper validation, causing the server to allocate memory without adequate bounds until service degradation or outage occurs. EPSS is low at 0.06% (18th percentile), no active exploitation is confirmed (CISA KEV absent, SSVC exploitation status: none), and a vendor patch was released on May 13, 2026.

Denial Of Service Gitlab
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-45667 MEDIUM PATCH GHSA This Month

Unauthenticated attackers can invoke the GET `/api/v1/memories/ef` endpoint in Open WebUI versions ≤0.7.2 to trigger arbitrary embedding generation without authentication, enabling cost-based attacks against paid embedding providers (OpenAI, Azure) and denial-of-service via resource exhaustion. The endpoint executes `request.app.state.EMBEDDING_FUNCTION()` without any authentication check, allowing unlimited free API calls to downstream embedding services. Vendor-released patch available in v0.8.0 (February 2026) that removes the vulnerable endpoint entirely.

Authentication Bypass Microsoft
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5486 MEDIUM This Month

SQL Injection in the Unlimited Elements for Elementor WordPress plugin (versions up to and including 2.0.7) allows authenticated attackers holding at least Contributor-level access to extract sensitive database contents by injecting arbitrary SQL into the 'data[filter_search]' parameter of the get_cat_addons AJAX action. The vulnerability is the product of two chained weaknesses: the plugin's normalizeAjaxInputData() function actively undoes WordPress's built-in magic-quote protection via stripslashes(), and the deprecated wpdb->_escape() method then fails to safely handle the exposed input before it is concatenated directly into a LIKE clause. Reported by Wordfence and tracked as EUVD-2026-30214, no public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, though the confidentiality impact is rated High, enabling full database read access for a successful attacker.

SQLi WordPress Unlimited Elements For Elementor Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6478 MEDIUM PATCH This Month

Timing-channel attack in PostgreSQL MD5 password authentication enables remote unauthenticated attackers to extract user credentials through statistical analysis of authentication response times, affecting versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. The vulnerability exploits variable-time comparison operations during MD5 password hash verification, but does not impact the default scram-sha-256 authentication method. Databases migrated from PostgreSQL 13 or earlier may retain MD5-hashed passwords and remain vulnerable despite running newer versions.

Information Disclosure PostgreSQL
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45351 MEDIUM PATCH GHSA This Month

Open WebUI versions up to 0.8.8 expose admin-configured system prompts to authenticated regular (non-admin) users through the /api/models API endpoint, allowing information disclosure of sensitive model instructions and internal configuration details. The vulnerability requires valid user authentication but no administrative privileges, enabling any authenticated user to retrieve confidential system prompts via a simple HTTP GET request. This is confirmed actively exploited in production deployments with a publicly available proof-of-concept.

Mozilla Apple Information Disclosure Google Chrome
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
Prev Page 4 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy