42 CVEs tracked today. 2 Critical, 3 High, 15 Medium, 22 Low.
-
CVE-2026-8721
CRITICAL
CVSS 9.8
Silent password truncation in the Perl module Crypt::OpenSSL::PKCS12 versions up to and including 1.94 causes any password bytes at or after the first embedded NULL byte to be dropped without warning. The flaw stems from password parameters being declared as char* in PKCS12.xs, routing through Perl's default typemap to SvPV_nolen and discarding the Perl-known length before C strlen() truncates the buffer. The result is severe entropy loss for binary, KDF-derived, or HMAC-derived passwords used to protect PKCS12 keystores, with no public exploit identified at time of analysis.
Information Disclosure
OpenSSL
-
CVE-2026-8507
CRITICAL
CVSS 9.8
Heap out-of-bounds write in the Crypt::OpenSSL::PKCS12 Perl module (versions up to and including 1.94) allows attackers who can supply a malicious PKCS12 file processed via info() or info_as_hash() to corrupt heap memory and potentially achieve remote code execution. The flaw stems from an integer overflow when an OCTET STRING or BIT STRING attribute on a SAFEBAG is >= 1 GiB in size, causing an undersized allocation followed by an OOB write. No public exploit identified at time of analysis, but the upstream patch and oss-security disclosure are public.
RCE
Buffer Overflow
Memory Corruption
OpenSSL
-
CVE-2026-46720
HIGH
CVSS 8.2
Metric injection in the Perl module Net::Statsd::Tiny before version 0.3.8 allows remote attackers to inject arbitrary statsd metrics by smuggling newline, colon, or pipe characters through untrusted metric names or set values. The CVSS 8.2 score reflects high integrity impact from forged telemetry, and while a vendor patch is available, no public exploit has been identified at time of analysis.
Code Injection
-
CVE-2026-8764
HIGH
CVSS 7.3
Remote buffer overflow in H3C Magic B3 routers (firmware up to 100R002) allows attackers with high privileges to corrupt memory via the UpdateWanParams function in /goform/aspForm by manipulating the param argument. Publicly available exploit code exists per the VulDB disclosure, though the vendor did not respond to coordinated disclosure attempts. With a CVSS 4.0 score of 7.3 and a PR:H requirement, exploitation hinges on prior administrative access to the device's web interface.
Buffer Overflow
-
CVE-2026-8719
HIGH
CVSS 8.8
Authenticated attackers can escalate privileges to Administrator in AI Engine WordPress plugin version 3.4.9 through improper authorization in the MCP OAuth bearer-token implementation. The plugin accepts any valid OAuth token for Model Context Protocol (MCP) access without verifying administrator privileges, allowing low-privileged users (Subscriber+) to execute admin-level MCP tools. No public exploit or active exploitation identified at time of analysis.
WordPress
Privilege Escalation
-
CVE-2026-8768
MEDIUM
CVSS 5.5
Server-side request forgery in Vercel AI SDK versions up to 3.0.97 allows remote unauthenticated attackers to forge requests from the server to arbitrary internal or external resources via the validateDownloadUrl function in provider-utils. Publicly available exploit code exists (CVSS E:P). EPSS data not available, not listed in CISA KEV. Vendor unresponsive to disclosure, indicating no official patch or advisory at time of analysis. Organizations using affected versions for AI model downloads or blob handling should implement immediate compensating controls.
SSRF
-
CVE-2026-8759
MEDIUM
CVSS 5.5
Expression language injection in Beetl template engine versions up to 3.20.2 enables remote attackers to execute arbitrary expressions through the SpELFunction component. The vulnerability stems from improper neutralization of special elements in Spring Expression Language (SpEL) processing, with publicly available exploit code and no vendor response despite early notification. CVSS 7.3 indicates moderate severity with confirmed remote exploitability.
Java
Information Disclosure
-
CVE-2026-8758
MEDIUM
CVSS 5.5
Unrestricted file upload in Metasoft MetaCRM (versions up to 6.4.0 Beta06) allows remote unauthenticated attackers to upload arbitrary files via the /common/jsp/upload3.jsp endpoint. A publicly disclosed exploit exists (CVSS E:P), enabling attackers to upload malicious files without authentication (PR:N), potentially leading to remote code execution. The vendor did not respond to coordinated disclosure, leaving users vulnerable. EPSS data not available, but the combination of network accessibility, no authentication requirement, and public exploit code indicates elevated real-world risk despite the moderate 5.5 CVSS score.
File Upload
-
CVE-2026-8757
MEDIUM
CVSS 5.5
Path traversal in adenhq Hive versions up to 0.11.0 allows unauthenticated remote attackers to read arbitrary files via the _read_events_tail function in the Delete Request Handler. This network-accessible vulnerability requires no user interaction and has a publicly available proof-of-concept exploit. The vendor has not responded to disclosure attempts, leaving users without an official patch. EPSS data unavailable; CVSS 5.5 reflects limited confidentiality/integrity impact, but the ease of exploitation warrants prioritization for internet-facing deployments.
Path Traversal
-
CVE-2026-8756
MEDIUM
CVSS 5.5
Path traversal in fishaudio Bert-VITS2's Gradio web interface allows remote unauthenticated attackers to read or write arbitrary files on the server filesystem via the generate_config function's data_dir parameter. Public exploit code exists (disclosed via VulDB and GitHub Gist). EPSS data unavailable; the score is CVSS 5.5 (Medium), but the CVSS 4.0 vector shows the flaw is network-accessible with no authentication required (AV:N/PR:N), making it readily exploitable against any internet-exposed instance. The vendor was non-responsive to the early disclosure attempt, indicating no official patch is available.
Path Traversal
-
CVE-2026-8755
MEDIUM
CVSS 5.5
Path traversal in fishaudio Bert-VITS2's hiyoriUI.py allows unauthenticated remote attackers to access arbitrary files outside the intended model directory via the _get_all_models function. Public exploit code exists (GitHub Gist). The project uses rolling releases with no versioned patches, and the vendor has not responded to disclosure attempts. EPSS data unavailable; not listed in CISA KEV, suggesting limited real-world exploitation despite the public PoC.
Path Traversal
-
CVE-2026-8752
MEDIUM
CVSS 5.5
Improper access controls in H2O-3's Rapids setproperty primitive allow remote unauthenticated attackers to modify system properties via the AstSetProperty.java exec function. The vulnerability permits low-impact integrity violations through manipulation of configuration settings accessible via the Rapids API. Public exploit code is available (VulDB 364379), increasing exploitation risk, though no active exploitation confirmed by CISA KEV at time of analysis. EPSS data not provided. Vendor unresponsive to disclosure attempts.
Authentication Bypass
Java
-
CVE-2026-8751
MEDIUM
CVSS 5.5
Deserialization vulnerability in H2O-3 machine learning platform versions up to 7402 enables remote code execution through the importBinaryModel function when processing malicious JAR files. The vulnerability allows unauthenticated remote attackers to execute arbitrary code with publicly available exploit code (CVSS 7.3, EPSS not provided). The vendor failed to respond to disclosure attempts, leaving users without an official patch.
Java
Deserialization
-
CVE-2026-8750
MEDIUM
CVSS 5.5
Information disclosure in h2oai h2o-3 through version 7402 allows remote unauthenticated attackers to read arbitrary files from the server filesystem via the ImportFile API endpoint. The vulnerability resides in the importFiles function of PersistNFS.java and is confirmed actively exploited with publicly available exploit code (CVSS:4.0 E:P). Despite early vendor notification, h2oai has not responded or issued a patch, leaving deployments at risk of credential theft, source code exposure, or configuration file access.
Java
Information Disclosure
-
CVE-2026-8739
MEDIUM
CVSS 5.5
Hard-coded cryptographic key in Sanluan PublicCMS 5.202506.d allows remote attackers to compromise data integrity through the SafeConfigComponent's getSignKey function. The vulnerability (CWE-321) enables manipulation of the privatefile_key argument, permitting unauthenticated network-based attacks with low complexity. Public exploit code is available per VulDB submission 809917, significantly lowering the skill barrier for exploitation despite the medium CVSS 5.5 score. EPSS data unavailable; not listed in CISA KEV, suggesting targeted rather than widespread exploitation at time of analysis.
Java
Information Disclosure
-
CVE-2026-8738
MEDIUM
CVSS 5.5
Business logic flaws in the PublicCMS 5.202506.d trade payment controller allow unauthenticated remote attackers to manipulate payment processing workflows, potentially enabling payment bypass or unauthorized transaction modifications. Publicly available exploit code exists demonstrating the attack. The vulnerability affects three payment-related functions (TradeOrderController.pay, TradePaymentController.pay, AccountGatewayComponent.pay) in the publiccms-trade module. The vendor was notified but did not respond, and no patch has been announced.
Java
Information Disclosure
-
CVE-2026-8737
MEDIUM
CVSS 5.5
Authentication bypass in Sanluan PublicCMS 5.202506.d allows remote unauthenticated attackers to access arbitrary user trade address data via manipulation of userId/id parameters in the TradeAddressListDirective component. Public exploit code exists (CVSS E:P), enabling unauthorized disclosure of confidential address information including names, phone numbers, and shipping details. EPSS data unavailable; not listed in CISA KEV. Vendor non-responsive to disclosure.
Authentication Bypass
Java
-
CVE-2026-8734
MEDIUM
CVSS 5.5
SQL injection in Oinone Pamirs versions up to 7.2.0 allows remote unauthenticated attackers to read, modify, or delete database records via the queryListByWrapper interface. The RSQLToSQLNodeConnector.makeVariable function fails to properly sanitize input, enabling direct database manipulation. A publicly available proof-of-concept exploit exists (GitHub issue #12), and the vendor has not responded to disclosure attempts. EPSS data unavailable, not listed in CISA KEV. CVSS 5.5 (Medium) reflects confidentiality, integrity, and availability impacts all rated Low with network-accessible, low-complexity exploitation requiring no authentication.
SQLi
-
CVE-2026-8725
MEDIUM
CVSS 5.5
Server-side request forgery in CoreWorxLab CAAL versions up to 1.6.0 enables unauthenticated remote attackers to make arbitrary HTTP requests from the server through the test-hass endpoint in webhooks.py. The vulnerability has publicly available exploit code and allows attackers to access internal resources, potentially leading to data exposure or further compromise of internal systems. EPSS data not available, not currently in CISA KEV despite public exploit availability.
SSRF
-
CVE-2026-8723
MEDIUM
CVSS 6.3
The qs Node.js library (versions 6.11.1 through 6.15.1) crashes with a synchronous TypeError when stringify is called with both arrayFormat: 'comma' and encodeValuesOnly: true on arrays containing null or undefined elements. Applications using these non-default options together will experience request failures (typically 500 errors in web frameworks) when processing user input with null array values. The vulnerability was introduced in commit 4c4b23d (PR #463, January 2023) and patched in v6.15.2 (commit 21f80b3). No public exploit or CISA KEV listing identified at time of analysis, though exploitation requires only crafting JSON input with null array elements.
Denial Of Service
Null Pointer Dereference
Node.js
-
CVE-2026-8770
LOW
CVSS 1.9
Path traversal in Continue 1.2.22 and earlier allows local authenticated attackers to read arbitrary files on the host system via crafted dirPath parameters to the lsTool function in the JSON-RPC server. The vulnerability has a publicly available exploit (GitHub Gist) but CVSS base score of 3.3 (Low) reflects limited impact due to local access requirement, low privilege requirement, and confidentiality-only impact with no integrity or availability consequences. EPSS data unavailable; not listed in CISA KEV, indicating no confirmed widespread exploitation.
Path Traversal
-
CVE-2026-8769
LOW
CVSS 2.1
Resource exhaustion in Vercel AI SDK's provider-utils package (versions ≤3.0.97) allows authenticated remote attackers to consume excessive system resources via specially crafted requests to JSON response handlers. Public proof-of-concept exists. EPSS data not available. Not listed in CISA KEV. CVSS 4.0 score of 2.1 reflects low availability impact (VA:L) with authenticated network access (PR:L). Vendor non-responsive to initial disclosure.
Denial Of Service
-
CVE-2026-8767
LOW
CVSS 1.3
OS command injection in Vercel AI SDK versions up to 3.0.97 allows authenticated remote attackers with pull request creation privileges to execute arbitrary commands on CI/CD runners through malicious branch names. The vulnerability resides in the prettier-on-automerge GitHub Actions workflow, which insecurely interpolates PR branch names into shell commands. A public proof-of-concept exploit exists (disclosed via GitHub Gist), demonstrating feasibility despite CVSS 4.0 rating the complexity as high (AC:H) and exploitability as difficult. The vendor (Vercel) was notified but has not responded, and no patch availability is confirmed from vendor sources at time of analysis.
Command Injection
-
CVE-2026-8766
LOW
CVSS 2.1
Information disclosure in Kilo-Org Kilocode versions up to 7.0.47 allows authenticated remote attackers to access sensitive configuration data by manipulating the KILO_CONFIG_CONTENT environment variable through the config.ts Load function. Public exploit code exists (EPSS probability data not provided), enabling low-complexity attacks that expose confidential information without requiring user interaction. The vendor has been unresponsive to disclosure attempts, and no patch release has been confirmed.
Information Disclosure
-
CVE-2026-8765
LOW
CVSS 2.1
Path traversal in Kilo-Org kilocode's File Diff API Endpoint allows authenticated remote attackers to read arbitrary files outside intended directories. Affecting versions up to 7.0.47, the vulnerability stems from insufficient validation of file path arguments in the Bun.file function within the worktree-diff component. Public exploit code exists (EPSS probability and KEV status not provided), and the vendor has not responded to disclosure attempts, leaving users without vendor-confirmed remediation guidance.
Path Traversal
-
CVE-2026-8754
LOW
CVSS 2.1
Path traversal in the AstrBot dashboard file upload allows authenticated remote attackers to write files outside intended directories via manipulated filenames. Affected versions through 4.23.5 fail to sanitize user-supplied filenames in the post_file function, enabling directory traversal sequences (../, ..\) to bypass access controls. Publicly available exploit code exists (GitHub Gist by YLChen-007). The vendor-released patch in version 4.23.6 implements filename sanitization using PurePosixPath normalization and path validation to prevent traversal. The CVE is assigned CVSS 6.3 (Medium) with low-privilege remote exploitation confirmed. The absence of a CISA KEV listing indicates exploitation remains targeted rather than widespread.
Path Traversal
File Upload
-
CVE-2026-8753
LOW
CVSS 2.1
Remote command injection in Kodbox fileThumb plugin (versions up to 1.64) allows authenticated attackers to execute arbitrary system commands by manipulating the ffmpegBin parameter in video processing functions. Publicly available exploit code increases immediate risk. EPSS data not available, but CVSS temporal metrics indicate confirmed proof-of-concept exploitation (E:P). Vendor has not responded to disclosure, leaving patch status uncertain.
PHP
Command Injection
-
CVE-2026-8747
LOW
CVSS 2.1
Improper authorization in Z-BlogPHP 1.7.4.3430 allows authenticated attackers to bypass comment approval controls via the CheckComment function in c_system_event.php. Remote exploitation requires low-complexity attacks with low-privilege credentials and no user interaction (CVSS AV:N/AC:L/PR:L/UI:N). Public exploit code is available (VulDB 364334), enabling attackers to read, modify, or disrupt comment moderation workflows with low confidentiality, integrity, and availability impact. No vendor patch information identified at time of analysis; EPSS and KEV data not provided.
PHP
Authentication Bypass
-
CVE-2026-8746
LOW
CVSS 2.1
Use-after-free vulnerability in the Open5GS NRF component (versions up to 2.7.7) allows authenticated remote attackers to trigger denial of service via the discover_handler function in nghttp2-server.c. Publicly available exploit code exists (GitHub issue #4476), but the vendor has not responded to early disclosure. EPSS data not available; CVSS 4.3 (Medium) reflects limited scope (DoS only, authenticated access required). Not listed in CISA KEV, indicating no confirmed widespread exploitation despite the public PoC.
Denial Of Service
Use After Free
Memory Corruption
-
CVE-2026-8745
LOW
CVSS 2.1
Remote authenticated denial of service in Open5GS versions up to 2.7.7 allows attackers to crash the AUSF (Authentication Server Function) component via crafted timer manipulation. The vulnerability resides in the ogs_timer_add function within nausf-handler.c. Public exploit code exists via GitHub issue #4472, though the vendor has not responded to disclosure. EPSS data unavailable; the CVSS 4.0 score is only 2.1 due to low availability impact and the authentication requirement, but the existence of a public exploit elevates practical risk for exposed 5G core deployments.
Denial Of Service
-
CVE-2026-8744
LOW
CVSS 2.1
Denial of service in Open5GS NRF (Network Repository Function) allows authenticated remote attackers to crash the service by exhausting the nf_service resource pool. Open5GS versions up to 2.7.7 fail to validate pool allocation during NF service registration, triggering assertion failures that terminate the process. Publicly available exploit code exists (GitHub issue #4466). EPSS data not available, not listed in CISA KEV. Patch released via commit 819db11a08b9736a3576c4f99ceb28f7eb99523a, merged in PR #4534.
Denial Of Service
-
CVE-2026-8743
LOW
CVSS 2.1
Improper authorization in Open5GS AMF/MME component (versions up to 2.7.6) allows authenticated network attackers to manipulate NGAP user context lookups, potentially accessing or interfering with other users' 5G/LTE sessions. The vulnerability stems from insufficient validation of AMF_UE_NGAP_ID and RAN_UE_NGAP_ID pairs in the ran_ue_find_by_amf_ue_ngap_id function, enabling attackers with low-level network privileges to bypass session-to-base-station association controls. Publicly available exploit code exists (GitHub issue #4498), and a vendor-released patch (commit 5746b857) is available. CVSS 6.3 (Medium) reflects network vector with low attack complexity but requires authentication.
Authentication Bypass
-
CVE-2026-8741
LOW
CVSS 1.3
Race condition in EMQX MQTT broker versions up to 6.2.0 allows authenticated remote attackers to cause limited availability impact through malformed QoS 2 PUBLISH packet handling in persistent sessions. The vulnerability exploits timing windows in the emqx_persistent_session_ds.erl module, though successful exploitation is marked as difficult with high attack complexity. A proof-of-concept exploit is publicly available on GitHub (Pathfind-tama/Report_EMQX_MQTT), demonstrating QoS 2 message duplication attacks. CVSS 3.1: exploitation requires low-privilege authentication and precise timing, limiting real-world risk despite the public PoC.
Information Disclosure
Race Condition
-
CVE-2026-8740
LOW
CVSS 2.1
Server-Side Template Injection in PublicCMS 5.202506.d allows authenticated remote attackers to execute arbitrary code and access sensitive information via the templateResult API endpoint. The vulnerability exists in the TemplateResultDirective.java component, where the templateContent parameter lacks proper sanitization, enabling template engine injection attacks. Publicly available exploit code exists (VulnPlus disclosure), and the vendor has not responded to coordinated disclosure attempts, leaving users without an official patch.
Java
Information Disclosure
Ssti
-
CVE-2026-8736
LOW
CVSS 0.9
Path traversal in Oinone Pamirs versions up to 7.2.0 allows authenticated local attackers with physical device access to read, write, or delete arbitrary files via a manipulated uniqueFileName parameter in the LocalFileClient.java RestController endpoint. Publicly available exploit code exists (GitHub POC published). Despite the low CVSS 4.0 score (0.9), the combination of the physical-access requirement and low attack complexity makes this exploitable in scenarios where attackers have direct device access or console privileges. EPSS data not available for this CVE. Vendor unresponsive to disclosure.
Java
Path Traversal
-
CVE-2026-8735
LOW
CVSS 2.1
Unsafe deserialization in Oinone Pamirs versions up to 7.2.0 allows authenticated remote attackers to potentially execute arbitrary code via crafted JSON payloads to the appConfigQuery interface. The vulnerability exists in JsonUtils.parseMap within PamirsParserConfig.java, where attacker-controlled data is deserialized without proper validation. Public exploit code is available on GitHub, though EPSS and KEV data are not provided. CVSS 4.0 score of 2.1 reflects limited scope impact (VC:L/VI:L/VA:L with SC:N/SI:N/SA:N), requiring low-privilege authentication (PR:L) but featuring low attack complexity (AC:L) and network attack vector (AV:N). Vendor non-responsive to disclosure.
Java
Deserialization
-
CVE-2026-8733
LOW
CVSS 2.1
Stack-based buffer overflow in Investintech SlimPDFReader ≤2.0.13 enables remote code execution when victims open malicious PDF files. The vulnerability exists in the sub_3B4610 function of SlimPDFReader.exe and requires no authentication but depends on user interaction (opening crafted PDF). Public exploit code is available via Fraunhofer SIT, significantly lowering attacker barrier. The vendor has discontinued the product with no remediation planned, leaving users with no official patch and requiring migration to alternative PDF readers.
Buffer Overflow
Stack Overflow
-
CVE-2026-8731
LOW
CVSS 2.1
Denial of service vulnerability in Open5GS NRF client management (versions ≤2.7.7) allows authenticated remote attackers to crash the Network Repository Function service via malformed client pool arguments. Public exploit code exists (GitHub issue #4464), but the vendor has not responded to disclosure. CVSS base score of 4.3 reflects low severity due to limited availability impact and the authentication requirement. EPSS data not provided; KEV status not applicable for this unpatched issue.
Denial Of Service
-
CVE-2026-8730
LOW
CVSS 2.1
Denial of service in Open5GS versions up to 2.7.6 allows authenticated remote attackers to crash the Network Repository Function (NRF) component via crafted nfInstanceId parameter manipulation in the ogs_sbi_nf_instance_set_id function. Publicly available exploit code exists (GitHub issue #4462), but the vendor has not responded to early responsible disclosure. EPSS data not available, not listed in CISA KEV. CVSS 4.3 (Medium) reflects low impact (availability only) and an authenticated attack vector.
Denial Of Service
-
CVE-2026-8729
LOW
CVSS 2.1
Denial of service in Open5GS versions up to 2.7.7 allows authenticated remote attackers to crash the Network Repository Function (NRF) component by manipulating service-names or snssais parameters in SBI messages. A public proof-of-concept exploit exists via GitHub issue #4460, and the vendor has not responded to the early disclosure. EPSS data unavailable, but the low CVSS 4.3 score reflects limited impact (availability only, authenticated access required), reducing real-world urgency for most deployments.
Denial Of Service
-
CVE-2026-8728
LOW
CVSS 2.1
Denial of service in Open5GS versions up to 2.7.7 allows authenticated remote attackers to crash the Network Repository Function (NRF) component via malformed target-plmn-list parameters. The vulnerability targets a parsing function in the Service-Based Interface (SBI) library and has publicly available exploit code (GitHub issue #4458). CVSS 4.3 reflects low severity, but the vendor has not responded to early disclosure attempts, leaving no confirmed patch timeline. EPSS and KEV data are unavailable; exploitation likelihood beyond the PoC is unknown.
Denial Of Service
-
CVE-2026-8724
LOW
CVSS 2.0
SQL injection in Dataease 2.10.20's Data Dashboard component allows authenticated high-privilege attackers to execute arbitrary SQL queries via the SqlparserUtils.transFilter function. The vulnerability requires administrative access (CVSS PR:H) but enables database manipulation including data exfiltration, modification, and potential service disruption. Public exploit code exists on GitHub (xpp3901/CVE_APPLY), lowering the barrier for exploitation despite the high privilege requirement. The CVSS base score of 4.7 reflects limited scope due to authentication requirements, though real-world impact depends on admin credential security.
Java
SQLi