Skip to main content
CVE-2026-41948 CRITICAL POC Act Now

Path traversal in Dify versions 0 through 1.14.1 allows authenticated tenants to escape their authorized tenant path and reach the Plugin Daemon's internal REST API, including debug interfaces, by smuggling unencoded dot sequences through task identifiers or filename parameters. Because Dify Cloud permits unauthenticated free self-registration, the authentication barrier collapses to trivial account creation, and publicly available exploit code exists; the attacker only needs the victim tenant's UUID to pivot. CVSS 4.0 is rated 9.2 with high confidentiality and integrity impact.

Path Traversal Dify
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-41947 CRITICAL POC PATCH Act Now

Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another tenant's LLM trace traffic - including prompts and model responses - to an attacker-controlled observability provider. Because Dify Cloud permits free self-registration, the authentication barrier is effectively trivial; publicly available exploit code exists and a vendor patch is shipped via PR #35793. The flaw is an instance of CWE-639 (insecure direct object reference) in the trace-configuration endpoints, which accepted an app_id without validating tenant ownership.

Authentication Bypass Dify
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-3220 HIGH POC PATCH This Week

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

WordPress XSS
NVD WPScan
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6379 HIGH POC PATCH This Week

The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.

WordPress SQLi
NVD WPScan
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-45298 HIGH POC GHSA This Week

Server-side request forgery in Dozzle (amir20/dozzle) versions through 8.14.12 allows remote unauthenticated attackers to coerce the Dozzle host into issuing arbitrary HTTP POST requests and reflects up to 1MB of the response body back. The flaw lives in POST /api/notifications/test-webhook, which is exposed without authentication in the documented default Docker quickstart deploy (DOZZLE_AUTH_PROVIDER unset). No public exploit identified at time of analysis, but a detailed proof-of-concept accompanies the GHSA advisory.

SSRF Docker CSRF
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-41949 HIGH POC PATCH This Week

{file_id}/preview endpoint. The flaw is amplified on Dify Cloud, where free self-registration makes account creation trivial, and publicly available exploit code exists via the Huntr disclosure. No CISA KEV listing has been recorded at time of analysis, but the combination of low-friction account access and a documented PoC raises practical exposure considerably.

Authentication Bypass Dify
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-46522 HIGH POC PATCH GHSA This Week

Denial of service in ImageMagick's MIFF (Magick Image File Format) decoder allows remote unauthenticated attackers to trigger an infinite loop and exhaust CPU resources by submitting a crafted MIFF file. The flaw affects Magick.NET bindings prior to version 14.13.1 across multiple platform builds (Q16, HDRI, OpenMP variants for x64/arm64/x86) and is tracked under GHSA-7gg8-qqx7-92g5. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Denial Of Service
NVD GitHub Exploit-DB VulDB
CVSS 3.1
7.5
EPSS
1.1%
CVE-2026-6381 HIGH POC PATCH This Week

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.

WordPress Path Traversal
NVD WPScan
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8776 HIGH POC This Week

Stack buffer overflow in the Edimax BR-6428NS router (firmware 1.10) allows remote authenticated attackers to corrupt memory by sending an overlong pptpUserName parameter to the /goform/formPPTPSetup endpoint. Publicly available exploit code exists per VulDB disclosure, and no public exploit identified at time of analysis in CISA KEV. The vendor was reportedly contacted prior to disclosure but did not respond, leaving the device line without a confirmed fix.

Buffer Overflow Br 6428Ns
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-8775 HIGH POC This Week

Stack buffer overflow in the Edimax BR-6428NS router firmware version 1.10 allows authenticated remote attackers to corrupt memory by sending a crafted POST request to the formL2TPSetup handler with an oversized L2TPUserName parameter. Publicly available exploit code exists via a third-party Notion writeup, and the vendor was contacted but did not respond, leaving devices exposed without a coordinated fix. No CISA KEV listing or EPSS data is available to confirm active mass exploitation, but the combination of a public PoC and unresponsive vendor elevates real-world risk for any internet-exposed device.

Buffer Overflow Br 6428Ns
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-6495 HIGH POC PATCH This Week

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45829 CRITICAL NEWS GHSA Act Now

{tenant}/databases/{db}/collections endpoint. The flaw carries a maximum CVSS 4.0 score of 10.0 and was disclosed publicly by HiddenLayer; no public exploit identified at time of analysis, though detailed research has been published.

RCE Code Injection Python Chromadb
NVD GitHub
CVSS 4.0
10.0
EPSS
0.1%
CVE-2026-42822 CRITICAL PATCH Exploit Likely Act Now

Privilege elevation in Microsoft Azure Local Disconnected Operations allows unauthenticated network-based attackers to gain elevated rights via an improper authentication weakness (CWE-287). The flaw carries a maximum CVSS 10.0 score with scope change, and Microsoft has issued a patched build (Azure Local 2604.2.25645). No public exploit identified at time of analysis, but the trivial attack profile (AV:N/AC:L/PR:N/UI:N) makes this a top-priority fix for affected hybrid-cloud deployments.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-27130 CRITICAL PATCH Act Now

OS command injection in Dokploy self-hosted PaaS (versions <= 0.26.6) allows an authenticated low-privileged user to achieve server-level remote code execution by injecting shell metacharacters into the appName parameter when creating an application or database. The cleanAppName sanitizer only lowercases and strips spaces, leaving characters like ;, $(), backticks, |, and & to be passed directly into execAsync()/execAsyncRemote() shell interpolation when service lifecycle operations run. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV, but the GitHub commit diff publicly demonstrates the vulnerable code path.

Command Injection
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-45625 CRITICAL PATCH GHSA Act Now

Broken access control in Arcane's GitOps backend (versions <= 1.18.1) allows any authenticated low-privilege user to exfiltrate plaintext Git credentials (PATs/SSH keys) stored for source-of-truth repositories. Eight of nine /api/customize/git-repositories endpoints omit the checkAdmin() gate, letting a 'user' role attacker repoint a repository URL to an attacker-controlled host and trigger a /test or /branches call that transmits the decrypted token via HTTP Basic auth. No public exploit identified at time of analysis, but the GHSA advisory documents a complete attack chain and a patched release (1.19.0) is available.

Authentication Bypass Gitlab Privilege Escalation Information Disclosure Denial Of Service
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-7304 CRITICAL GHSA Act Now

SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.

Python RCE Deserialization
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-7301 CRITICAL GHSA Act Now

SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.

Deserialization Sglang
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45697 CRITICAL PATCH GHSA Act Now

Pre-authenticated server-side template injection in Verbb Formie (a forms plugin for Craft CMS) allows unauthenticated remote attackers to submit crafted values into Hidden fields configured with a Custom default value, which are then evaluated as Twig during submission handling. Successful exploitation can lead to arbitrary code execution and full compromise of the Craft site depending on template sandbox behavior. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-x7m9-mwc2-g6w2 and patch commit are publicly disclosed.

RCE Code Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-8785 MEDIUM POC This Month

SQL injection in projectworlds Hospital Management System in PHP 1.0 enables unauthenticated remote attackers to extract or modify patient data through the appointment_no parameter in update_info.php. The vulnerability has publicly available exploit code and affects the getAllPatientDetail function, with the vendor notified but unresponsive.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1631 MEDIUM POC PATCH This Month

The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.

Authentication Bypass WordPress
NVD WPScan
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-8838 CRITICAL PATCH GHSA Act Now

Remote code execution in the amazon-redshift-python-driver (versions prior to 2.1.14) allows a malicious or compromised Redshift server, or a man-in-the-middle attacker positioned on the network path, to execute arbitrary Python code on any client that connects. The root cause is unsafe use of Python's eval() against untrusted server-supplied data inside the vector_in() function. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and PR:N/UI:N vector make this a high-priority client-side supply-chain-style risk.

Code Injection Python RCE
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-8836 CRITICAL PATCH Act Now

Stack-based buffer overflow in lwIP through 2.2.1 enables remote unauthenticated attackers to corrupt stack memory in the SNMPv3 USM handler by sending a crafted msgAuthenticationParameters field to snmp_parse_inbound_frame in src/apps/snmp/snmp_msg.c. The flaw stems from a commented-out length assertion that allowed user-controlled TLV value lengths to exceed SNMP_V3_MAX_AUTH_PARAM_LENGTH during decoding. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation against a library widely embedded in IoT and embedded TCP/IP stacks.

Stack Overflow Buffer Overflow Lwip
NVD VulDB GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-4320 CRITICAL PATCH Act Now

Authorization bypass in Creartia's ICMS content management system allows remote unauthenticated attackers to gain unauthorized access to protected features and escalate privileges by manipulating HTTP redirect headers during the login process. The vulnerability has a CVSS 9.3 score and vendor patches are available through INCIBE advisory.

Authentication Bypass Privilege Escalation Icms Content Management
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-7302 CRITICAL GHSA Act Now

SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints.

Path Traversal Sglang
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2023-24215 CRITICAL Act Now

Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-45363 CRITICAL PATCH GHSA Act Now

Authentication bypass in the ruby-jwt gem (versions < 3.2.0) allows remote attackers to forge valid HS256/HS384/HS512 tokens when an application supplies an empty string or nil as the verification key. Because OpenSSL::HMAC.digest happily computes a digest under an empty key and JWT::JWA::Hmac coerces nil to '' without validating, any application whose key lookup degrades to '' (common with Redis misses, ORM string defaults, or `ENV['SECRET'] || ''` patterns) will accept attacker-signed tokens. No public exploit identified at time of analysis, but the vendor advisory (GHSA-c32j-vqhx-rx3x) and the v3.2.0 patch confirm the issue and the trivial forgery primitive.

Redis Authentication Bypass OpenSSL
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-45230 HIGH This Week

Arbitrary file deletion in DumbAssets through 1.0.11 lets unauthenticated remote attackers destroy any file the Node.js process can write to by submitting `../` sequences in the `filesToDelete` array of the `POST /api/delete-file` endpoint. Because authentication on the application is optional and disabled by default, exposed instances can be rendered completely non-functional by deleting critical files such as `server.js` or `package.json`. No public exploit identified at time of analysis, and the CVE is not currently on the CISA KEV list.

Path Traversal Denial Of Service
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-45727 HIGH PATCH GHSA This Week

Arbitrary directory deletion in CloakBrowser's cloakserve CDP multiplexer (pip package cloakbrowser <= 0.3.27) allows unauthenticated network attackers to delete directories accessible to the service user by supplying path traversal sequences in the fingerprint query parameter. The service binds to 0.0.0.0 by default, dramatically widening exposure, and no public exploit identified at time of analysis though the vulnerability is trivially reproducible from the published advisory.

Path Traversal Google Chrome
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-45495 HIGH PATCH Exploit Likely This Week

Remote code execution in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows attackers to execute arbitrary code on victim systems when a user is lured to a malicious webpage. The vulnerability stems from improper input validation (CWE-20) and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

RCE Google Microsoft
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-45716 HIGH PATCH GHSA This Week

Privilege escalation in self-hosted Budibase (@budibase/worker < 3.38.1) allows any authenticated builder-level user to create a global admin account via the POST /api/global/users/onboard endpoint when SMTP is not configured, with the generated password returned directly in the HTTP response. The flaw stems from the onboard route being gated by builderOrAdmin middleware while exposing the same user-creation power as the admin-only invite endpoints, and no public exploit is identified at time of analysis although the GHSA advisory includes a complete, working proof-of-concept curl chain.

Privilege Escalation
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7498 HIGH This Week

Stored cross-site scripting (XSS) in DernekWeb through version 30122025 enables attackers to inject persistent malicious scripts that execute when victims view affected pages. The vulnerability requires no authentication to exploit but does require user interaction (viewing the compromised page). With a high CVSS score of 8.8 reflecting potential for high impact across confidentiality, integrity and availability, this represents a serious risk for organizations using this Turkish association management software.

XSS Dernekweb
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41085 HIGH This Week

Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that may allow an authenticated user with limited access privileges to gain unauthorized administrator-level privileges through exploitation of specific system interfaces.

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-57282 HIGH GHSA This Week

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection.

Command Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-46385 HIGH PATCH GHSA This Week

Remote unauthenticated denial-of-service in the iskorotkov/avro Go Avro decoder (and the archived upstream hamba/avro/v2) allows a malicious producer to pin a CPU core indefinitely by declaring an Avro array or map block with an attacker-controlled element count up to math.MaxInt64. The array/map decoders in codec_skip.go and reader_generic.go iterate the declared count without checking the Reader's accumulated error state, so a truncated payload triggers ~9.2×10^18 no-op iterations. No public exploit identified at time of analysis beyond the advisory's documented proof-of-concept payload; CVSS 4.0 scores this 8.7 (high) reflecting network reachability with high availability impact.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-46384 HIGH PATCH GHSA This Week

Denial-of-service in the iskorotkov/avro Go Avro decoder (a maintained fork of the archived hamba/avro) lets unauthenticated remote attackers crash or hang consumers by submitting crafted Avro streams that trigger integer narrowing, signed-integer overflow in cumulative block sizes, or unchecked-negative make() calls. All versions prior to v2.33.0 are affected; the upstream github.com/hamba/avro/v2 (all versions through v2.31.0) is also vulnerable and will not receive a fix because the module is archived. No public exploit identified at time of analysis, though the advisory itself documents concrete PoC input shapes and includes a regression test (TestDecoder_ArrayMultiBlockExceedsMaxInt) that demonstrates the cumulative-overflow path on amd64.

Integer Overflow Denial Of Service
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-45270 HIGH PATCH GHSA This Week

Stored cross-site scripting in the CI4MS (CodeIgniter 4 CMS/ERP) Pages module versions <= 0.31.8.0 allows authenticated content authors holding the pages.create or pages.update permission to persist arbitrary JavaScript that executes in every visitor's browser when the public Pages renderer outputs the field unescaped. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-gqr2-7hcg-rchf), and because vulnerable pages can be promoted to the site home page, a single injection escalates from a low-privileged author to full administrator session takeover when an admin browses the front-end.

Privilege Escalation PHP RCE CSRF XSS
NVD GitHub
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-6346 HIGH PATCH GHSA This Week

Mattermost versions up to 11.5.1 expose sensitive credentials in plaintext within support packets due to insufficient sanitization of configuration fields. System administrators or anyone with access to support packets can obtain database passwords, API keys, and other sensitive credentials by downloading support packets from the System Console. The vulnerability affects multiple version branches (10.11.x, 11.4.x, 11.5.x) and poses significant risk for credential theft and lateral movement.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-26978 HIGH PATCH This Week

Remote code execution in FreePBX versions below 16.0.71 and 17.0.6 allows authenticated low-privileged users with backup access to execute arbitrary PHP code by uploading a malicious tar archive containing a crafted manifest file. The backup module passes attacker-controlled data directly to PHP's unserialize() without class restrictions, enabling PHP object injection that runs as the asterisk or www-data web server user. No public exploit identified at time of analysis, though the upstream fix commits are public on GitHub, making patch-diff exploitation feasible.

Deserialization RCE
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-8851 HIGH PATCH This Week

SQL injection in SOGo 5.12.7 (Alinto's open-source groupware/webmail platform) allows authenticated users to exfiltrate arbitrary database contents by injecting subqueries through the uid parameter of the addUserInAcls endpoint, then reading the staged data back via the /acls API. The flaw, reported by VulnCheck (with credit to dninh of SACOMBANK), is fixed in 5.12.8; no public exploit identified at time of analysis and the CVE is not on CISA KEV.

SQLi Sogo Webmail
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-45302 HIGH PATCH GHSA This Week

Prototype pollution in the npm package parse-nested-form-data version 1.0.0 and earlier allows unauthenticated remote clients to mutate Object.prototype of the running Node.js process by submitting a FormData field whose name contains __proto__ in bracket or dot notation. The flaw resides in handlePathPart in src/index.ts, which walks nested path segments without filtering reserved keys, so a single crafted field name pollutes the prototype chain of every plain object in the process. No public exploit identified at time of analysis, but a working proof-of-concept is published in the GHSA advisory itself.

Path Traversal Node.js Prototype Pollution Denial Of Service
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-46510 HIGH PATCH GHSA This Week

Prototype pollution in the npm package form-data-objectizer (<= 1.0.0) lets unauthenticated remote attackers mutate Object.prototype by submitting a single HTTP form field whose name uses bracket notation such as __proto__[polluted] or constructor[prototype][polluted]. The defect lives in treatInitial/treatSecond inside index.cjs, where an 'in' check walks the prototype chain and lets the parser write to inherited properties. CVSS is 8.2 (High) with Integrity:High; publicly available exploit code exists (working PoC published in the GHSA advisory), but there is no public exploit identified as being used in attacks and no CISA KEV listing.

Prototype Pollution Node.js Denial Of Service
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-45327 HIGH PATCH GHSA This Week

Unauthenticated broadcast hijack in TinyIce versions 0.8.95 through 2.4.1 allows any network attacker reaching the HTTP port to inject arbitrary audio/video streams onto any mount via the WebRTC source-ingest endpoint. The POST /webrtc/source-offer handler omitted the source-password check that all other ingest paths (Icecast SOURCE/PUT, RTMP, SRT) enforce, letting attackers replace legitimate broadcasts with their own content. Publicly available exploit code exists in the form of a one-line curl probe published in the GHSA advisory, though no public exploit identified for sustained hijack at time of analysis.

Authentication Bypass CSRF
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-45325 HIGH PATCH GHSA This Week

Prototype pollution in the @tmlmobilidade/utils npm package allows remote unauthenticated attackers to inject properties into Object.prototype via the setValueAtPath() helper, leading to integrity compromise and partial availability impact in any downstream application that passes user-influenced paths into the function. The flaw is rated CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) and is fixed in version 20260509.0340.15; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Prototype Pollution
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-45627 HIGH PATCH GHSA This Week

Unauthenticated reflected XSS in Arcane Backend's logo endpoint enables full admin account takeover. The vulnerability allows attackers to inject JavaScript into an SVG image response by manipulating the color parameter, which executes in the application's origin when visited by authenticated users. Fixed in version 1.19.0.

XSS Docker
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-45135 HIGH PATCH GHSA This Week

Remote code execution in Caddy web server (versions 2.7.0 through 2.10.2) is possible when the FastCGI reverse proxy's splitPos() function mishandles non-ASCII bytes in request paths, causing non-PHP files to be routed to a FastCGI upstream like PHP-FPM as if they were scripts. Where an attacker can place file content (uploads, user-content stores, package mirrors), a single crafted URL containing Unicode lookalikes for '.php' or a non-ASCII byte after a dot yields unauthenticated RCE. Publicly available exploit code exists (detailed PoC in the GHSA advisory) and the issue inherits two bugs from FrankenPHP's adapted code; no public exploitation has been reported and EPSS data was not provided.

RCE PHP
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-45707 HIGH PATCH GHSA This Week

Cross-tenant credential fallback in n8n-mcp versions 2.51.1 and earlier allows an authenticated MCP tenant on a shared multi-tenant HTTP deployment to operate against the operator's own n8n instance instead of their assigned tenant. When ENABLE_MULTI_TENANT=true and a request omitted (or partially supplied) the x-n8n-url and x-n8n-key headers, n8n-mcp silently fell back to the process-level N8N_API_URL/N8N_API_KEY credentials, granting tenants unintended access to read/write workflows, executions, data-tables, and credential metadata. Patched in 2.51.2; no public exploit identified at time of analysis but the underlying logic is straightforward and the upstream fix commit is publicly visible.

Authentication Bypass Node.js RCE Docker
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4137 HIGH PATCH GHSA This Week

Local privilege escalation to arbitrary code execution in MLflow versions prior to 3.11.0 stems from insecure temporary directory permissions (0o777 and 0o770) created by NFS and model-download helpers. Any local user sharing the filesystem - particularly on Databricks where NFS is enabled by default - can overwrite cloudpickle-serialized model artifacts and gain code execution when another user's process deserializes them via cloudpickle.load(). No public exploit is identified at time of analysis, and the issue is a continuation of CVE-2025-10279 which was only partially fixed.

Python RCE
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-6902 HIGH This Week

Code injection vulnerability in the Command-Line Client of P4 Server (Helix Core) prior to version 2025.2 Patch 2 allows remote attackers to execute arbitrary code. The vulnerability requires user interaction but no authentication, with a CVSS 7.7 score indicating high impact across confidentiality, integrity, and availability. Perforce has released a patch in version 2025.2 Patch 2.

RCE Code Injection P4 Helix Core
NVD VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-6347 HIGH PATCH GHSA This Week

Information disclosure in Mattermost Calls plugin versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 exposes TURN server credentials through support packets. Administrators with support packet access can extract plaintext credentials from exported plugin configurations, potentially compromising the WebRTC infrastructure used for voice/video calls. The vulnerability requires high privileges (admin) but affects confidentiality across trust boundaries (CVSS Scope:Changed).

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-42009 HIGH PATCH This Week

Denial of service in GnuTLS affects the Datagram Transport Layer Security (DTLS) packet reordering logic, where the comparator function fails to correctly handle packets with duplicate sequence numbers. Remote unauthenticated attackers can send specially crafted DTLS packet sequences to trigger unstable ordering or undefined behavior, causing service disruption. No public exploit identified at time of analysis, and the issue is rated CVSS 7.5 (High) for availability impact only.

Denial Of Service Gnutls Hardened Images Openshift Container Platform Enterprise Linux +10
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy