Skip to main content
CVE-2026-41567 HIGH PATCH GHSA This Week

Container-to-host privilege escalation in Docker/moby daemon allows a malicious container image to execute arbitrary code as host root when a user uploads a compressed (xz or gzip) archive into the container via `PUT /containers/{id}/archive` or `docker cp -`. The daemon resolves the decompression binary (e.g., `unpigz`, `xz`) from the container's filesystem rather than the host's, so a trojanized binary baked into the image runs with daemon privileges. No public exploit identified at time of analysis, and the issue is not in the CISA KEV catalog.

RCE Docker
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-45242 HIGH PATCH GHSA This Week

Path traversal in steipete/summarize prior to 0.15.1 lets authenticated callers of the /v1/summarize daemon endpoint write slide_*.png and slides.json files to arbitrary directories by supplying an absolute path or traversal sequences in the slidesDir parameter, and subsequently delete matching files via repeat extraction. The flaw, reported by VulnCheck and patched in v0.15.2, enables file write and limited destructive impact across the filesystem; no public exploit identified at time of analysis.

Path Traversal Authentication Bypass Summarize
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-30950 HIGH PATCH This Week

Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user to take over another user's session via an IDOR flaw in the PATCH /sessions/{session_id}/assign-user endpoint. An attacker who can guess or otherwise learn a target session_id can reassign that session to themselves, read its conversation contents, and lock the legitimate owner out. No public exploit identified at time of analysis, and the issue is fixed in 0.6.51 per the upstream GHSA-q58p-v9r9-7gqj advisory.

Authentication Bypass Autogpt
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-8843 HIGH PATCH This Week

Denial of service in MongoDB Server 7.0, 8.0, and 8.2 allows authenticated remote attackers to crash the database by inserting documents that trigger updates to a maliciously created '2dsphere_bucket' or 'queryable_encrypted_range' index on a non-timeseries bucket collection. The flaw stems from a reachable assertion (CWE-617) and is reported by MongoDB itself with a vendor patch available; no public exploit identified at time of analysis.

Denial Of Service Mongodb Server
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-0983 HIGH PATCH This Week

Denial of service in M-Files Server versions prior to 26.5.16015.0, 26.2 LTS, and 25.8 LTS SR3 allows an authenticated remote attacker to crash the MFserver process, disrupting document management services for all connected users. The flaw is reachable over the network with low privileges and no user interaction, but has no impact on confidentiality or integrity. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Denial Of Service M Files Server
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy