Skip to main content
CVE-2026-8786 LOW POC Monitor

Authorization bypass in Tencent WeKnora's Config API endpoint allows authenticated attackers to access unauthorized knowledge bases by manipulating the kbId parameter in getKnowledgeBaseForInitialization function. Affects all versions up to 0.3.6. Publicly available exploit code exists via GitHub Gist, enabling low-complexity attacks with network access. CVSS 6.3 reflects moderate impact across confidentiality, integrity, and availability. EPSS data not available, but public POC increases exploitation likelihood. Vendor unresponsive to disclosure, indicating no official patch timeline.

Authentication Bypass Weknora
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-29965 MEDIUM This Month

HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41568 MEDIUM PATCH GHSA This Month

Race condition in Docker's `docker cp` mount setup allows a process running inside a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem as root. Affected packages include github.com/docker/docker <= 28.5.2 and github.com/moby/moby <= 28.5.2, with a patch only confirmed for the moby/moby v2 branch at 2.0.0-beta.14. The CVSS vector reflects a scope-changed (S:C), high-availability-impact flaw requiring low privileges and high complexity; no public exploit or CISA KEV listing has been identified at time of analysis, but the attack is realistic when operators use `docker cp` against containers running untrusted workloads with volume mounts.

Docker Denial Of Service Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45680 MEDIUM PATCH GHSA This Month

CPU exhaustion in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to indirectly cause availability degradation of the privileged monitoring agent by generating high-volume traffic through instrumented services. The internal Prometheus metrics exporter replays BPF probe hits in a tight loop proportional to the raw hit count rather than the number of metric series, creating unbounded CPU work per collection interval. A proof-of-concept reproducer has been confirmed and published in the GitHub Security Advisory (GHSA-89c6-vpcj-7vj4); no public exploit identified at time of analysis beyond the PoC.

Denial Of Service Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-45681 MEDIUM PATCH GHSA This Month

Out-of-bounds memory read in OpenTelemetry eBPF Instrumentation (OBI) prior to 0.9.0 exposes adjacent kernel memory through the HTTP tracing telemetry pipeline. The vulnerable path arises in the per-CPU message-buffer fallback logic in `k_tracer.c` and `protocol_http.h`: when a CPU mismatch occurs between producer and consumer contexts, OBI substitutes the 256-byte `fallback_buf` as the source buffer while retaining `real_size` values of up to 8KB, causing an over-read of up to 7,936 bytes of adjacent memory that is subsequently exported in telemetry. No public exploit identified at time of analysis, though publicly available exploit code exists as a validated user-space AddressSanitizer PoC demonstrating the same size-mismatch over-read class.

Buffer Overflow Information Disclosure Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-8784 LOW POC PATCH Monitor

Symlink following in cramfs-tools 2.2 and earlier allows local privileged attackers to manipulate file ownership or timestamps on arbitrary filesystem locations during cramfs extraction. The vulnerability exists in the change_file_status function in cramfsck.c, which performs metadata operations (chown, chmod, utime) without validating that extracted paths are not symbolic links pointing outside the extraction directory. A publicly available exploit exists (GitHub issue #13), and the vendor has released patch commit b4a3a695c. EPSS data not available; not listed in CISA KEV. CVSS 4.2 reflects the local high-privilege requirement, though real-world risk depends heavily on whether cramfs extraction occurs in privileged contexts.

Information Disclosure Cramfs Tools
NVD VulDB GitHub
CVSS 4.0
1.8
EPSS
0.0%
CVE-2026-45359 MEDIUM PATCH GHSA This Month

Heap buffer over-read in Magick.NET's connected components operation exposes process memory when an attacker or untrusted input supplies a malformed `connected-components:keep-top` define value. All Magick.NET NuGet package variants (Q16, Q16-HDRI, OpenMP, arm64, x64, x86, AnyCPU) prior to version 14.13.1 are affected. Exploitation yields high confidentiality impact - enabling partial or full disclosure of heap memory contents - with low availability impact and no integrity impact; no public exploit and no CISA KEV listing have been identified at time of analysis.

Buffer Overflow Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-32849 MEDIUM This Month

Signed integer overflow in the NetBSD kernel's cryptodev subsystem (sys/opencrypto/cryptodev.c, prior to commit ec8451e) enables a local low-privileged attacker to crash the kernel via a NULL pointer dereference, causing a full denial of service. The type mismatch between a signed int local variable and an unsigned cop->dst_len source value in cryptodev_op() produces undefined behavior when dst_len exceeds INT_MAX, corrupting UIO pointer arithmetic and - when CONFIG_SVS is disabled - triggering a kernel panic. No public exploit identified at time of analysis, though a technical writeup at nasm.re documents related memory-handling issues in this subsystem.

Integer Overflow Denial Of Service
NVD GitHub
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-32848 MEDIUM This Month

Kernel heap corruption in NetBSD's opencrypto subsystem enables local privilege-adjacent attackers to crash the kernel via a double-free triggered by a race condition in cryptodev_op(). The flaw exists because mutable per-operation state - including tmp_iv, tmp_mac, iovec, and uio - was embedded directly in the shared csession struct rather than isolated per-operation, making it unsafely accessible across concurrent threads on SMP systems. An authenticated local attacker issuing simultaneous CIOCCRYPT ioctl calls on the same session identifier can race the kernel into freeing the same memory region twice, corrupting the kernel heap. No public exploit identified at time of analysis, though a technical writeup is publicly available at nasm.re/posts/uaf_netbsd_crypto/.

Race Condition Information Disclosure
NVD GitHub
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-8771 MEDIUM This Month

SQL injection in litemall WeChat API allows unauthenticated remote attackers to extract, modify, or delete database contents via crafted queries to the goods listing endpoint. Publicly available exploit code exists targeting the WxGoodsController.list() function in versions up to 1.8.0. Vendor unresponsive to disclosure. EPSS data unavailable, but public POC and network accessibility (CVSS AV:N/AC:L/PR:N) indicate moderate exploitation risk for exposed instances.

Java SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-45676 MEDIUM PATCH GHSA This Month

OBI's custom fastelf ELF parser in opentelemetry-ebpf-instrumentation crashes when processing malformed ELF binaries during routine process discovery on Linux hosts. Local users with standard execution rights can place or run a binary with corrupted section-header fields (Shoff, Shnum, or string-table offsets), causing the agent to panic inside matchExeSymbols, GetCStringUnsafe, or ReadStruct and terminate entirely. No public widespread exploitation has been identified and this is not listed in CISA KEV, but a PoC is confirmed in the GitHub Security Advisory (GHSA-wp73-mwgf-4jq9); the practical impact is a loss of observability for all workloads on the affected host.

Denial Of Service Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46521 MEDIUM PATCH GHSA This Month

Heap buffer over-write in Magick.NET's MIFF encoder triggers an out-of-bounds write when LZMA compression is active, due to a missing buffer size check (CWE-131). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and depth configurations (Q16, Q16-HDRI, OpenMP). An attacker who can deliver a crafted MIFF file for local processing can crash the consuming application, resulting in a complete availability impact. No public exploit code or CISA KEV listing exists at time of analysis, limiting real-world severity despite the heap write primitive.

Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45492 MEDIUM PATCH Exploit Likely This Month

Security feature bypass in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 enables remote attackers to circumvent browser security controls through improper input validation (CWE-20), resulting in limited confidentiality and integrity compromise. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms exploitation is network-based, requires no attacker privileges, but demands user interaction - consistent with a browser-based attack requiring a victim to engage with malicious content. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Google Microsoft
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-45494 MEDIUM PATCH Exploit Likely This Month

Cross-site scripting (XSS)-based spoofing in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows remote unauthenticated attackers to inject and execute scripts within the browser context, manipulating rendered content or UI trust indicators to deceive users. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms low-complexity, network-reachable exploitation requiring only that a victim visit a malicious page. Impact is constrained to limited confidentiality and integrity loss (C:L/I:L/A:N), consistent with spoofing and credential-phishing scenarios rather than full system compromise. No public exploit identified at time of analysis and no CISA KEV listing.

Google Microsoft XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45660 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in Statamic CMS's Glide image proxy allows unauthenticated remote attackers to bypass IP validation and force the server to issue HTTP requests to internal infrastructure, including loopback addresses, RFC-1918 private networks, and cloud metadata endpoints such as AWS IMDSv1 (169.254.169.254). The bypass exploits unnormalized alternative IP representations (e.g., octal, hexadecimal, decimal-encoded) that evade the public-IP allowlist check before PHP normalizes them. Only deployments running PHP below 8.3 and passing user-supplied URLs to Glide are exposed; vendor-released patches exist in versions 5.73.22 and 6.18.1. No public exploit or CISA KEV listing has been identified at time of analysis.

SSRF PHP
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40930 MEDIUM This Month

Chunk-smuggling in libpng-apng's push-mode APNG parser allows a remote unauthenticated attacker to cause integrity violations and availability disruption when a victim processes a specially crafted APNG file. The flaw - classified under CWE-436 (Interpretation Conflict) - stems from incorrect sequencing of CRC finalization and frame sequence number validation for fcTL and fdAT chunks in pngpread.c, enabling maliciously ordered chunk boundaries to bypass expected parser state transitions. No public exploit code exists at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, it represents a meaningful risk for any image-processing pipeline or application accepting user-supplied APNG data from untrusted sources.

RCE Apache SQLi PostgreSQL
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45718 MEDIUM PATCH GHSA This Month

Row action trigger endpoint in Budibase allows authenticated low-privilege users to execute automations on rows outside their authorized view scope, bypassing a documented security boundary. Any user holding BASIC-role READ access to a filtered view can supply an arbitrary `rowId` to `POST /api/tables/:sourceId/actions/:actionId/trigger` and invoke automations against rows explicitly excluded by the view's filters. Publicly available exploit code (curl PoC) is included in the GHSA advisory; this vulnerability is not listed in CISA KEV and no confirmed widespread active exploitation has been identified at time of analysis.

Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45138 MEDIUM PATCH GHSA This Month

Stored XSS in CI4MS (composer package ci4-cms-erp/ci4ms, versions up to 0.31.8.0) allows authenticated content editors holding the `blogs.create` or `blogs.update` role to persist arbitrary JavaScript that executes in every visitor's browser, including superadmins who review or preview posts. The root cause is a PHP by-reference mutation in the `html_purify` custom validation rule that CodeIgniter 4's validator silently discards - raw POST data bypasses sanitization entirely and is written unescaped to the database and rendered directly in the public template. A detailed public proof-of-concept exploit exists; vendor-released patch 0.31.9.0 was published on 2026-05-08 and is confirmed to address the issue.

PHP CSRF XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45664 MEDIUM PATCH GHSA This Month

Denial-of-service via policy bypass in Magick.NET's MNG coder allows remote unauthenticated attackers to exhaust server resources by submitting crafted MNG image files that circumvent the library's configured image list limit. All Magick.NET NuGet package variants (Q16, Q16-HDRI, and OpenMP/ARM64/x64/x86 flavors) below version 14.13.1 are confirmed vulnerable. No public exploit exists and the vulnerability is not in CISA KEV at time of analysis, but the network-accessible, zero-authentication attack surface makes this an accessible DoS primitive for any application accepting user-supplied image input.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45031 MEDIUM PATCH GHSA This Month

Policy bypass in Magick.NET's PSD decoder allows remote unauthenticated attackers to circumvent the configured `list-length` resource policy when processing Photoshop Document (PSD) images, resulting in partial availability impact (CWE-400 uncontrolled resource consumption). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures and quantization depths. No public exploit identified at time of analysis and no CISA KEV listing exists; however, the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates that any internet-exposed application accepting PSD uploads is reachable without authentication or special conditions.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45620 MEDIUM GHSA This Month

User enumeration in AVideo (composer/WWBN/AVideo ≤ 29.0) exposes account metadata - names, email addresses, usernames, and channel names - to unauthenticated remote attackers through an incomplete patch for CVE-2026-43881. The original fix (commit d9cdc7024) hardened `users.json.php` but left an identical unauthenticated code path alive in `objects/mention.json.php`, which calls `User::getAllUsers()` with no `loginCheck()` or authorization gate. No public exploit is identified at time of analysis, though the trivial HTTP-based trigger and absence of authentication make this a realistic reconnaissance primitive for credential-stuffing or phishing campaigns.

Information Disclosure PHP
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-36438 MEDIUM This Month

Unauthenticated information disclosure in the Intelbras VIP-1230-D-G4 Wi-Fi dome IP camera (firmware V2.800.00IB00C.0.T) exposes sensitive data through the password reset endpoint at /OutsideCmd. Remote, unauthenticated attackers can query this endpoint directly over the network to retrieve sensitive information - likely credentials or reset tokens - without any prior authentication or user interaction. Publicly available exploit code exists on GitHub (kensh1k/CVE-2026-36438), lowering the bar for exploitation; no CISA KEV listing has been confirmed at time of analysis.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45231 MEDIUM PATCH This Month

Stored cross-site scripting in DumbAssets through version 1.0.11 allows script injection via asset fields - name, description, modelNumber, serialNumber, and tags - which are persisted without server-side sanitization and rendered into the DOM via innerHTML without escaping. When a victim navigates to the asset list dashboard, injected JavaScript executes in their browser; the CVE explicitly notes that with Content-Security-Policy absent or disabled, those scripts can make unrestricted connections to internal network services, escalating the impact beyond typical XSS. No public exploit identified at time of analysis, and no KEV listing exists, but the CVSS 4.0 score of 5.3 with a network attack vector and no required privileges represents a meaningful exposure for any internet-accessible or intranet-facing deployment.

XSS Dumbassets
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45358 MEDIUM PATCH GHSA This Month

Out-of-bounds single-byte read in Magick.NET's meta encoder affects all Q16 and Q16-HDRI NuGet package variants prior to version 14.13.1. An off-by-one indexing error in the meta encoder allows a remote unauthenticated attacker to read one byte beyond the allocated buffer boundary during metadata processing, resulting in limited memory disclosure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; however, the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is network-reachable without authentication or user interaction, making any application that processes attacker-supplied images or metadata a viable target.

Buffer Overflow Information Disclosure Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45243 MEDIUM PATCH This Month

Missing authorization in the Summarize browser extension's content script window.postMessage bridge permits any malicious web page to perform unauthorized CRUD operations on automation artifacts scoped to the affected browser tab. By injecting messages with spoofed sender identifiers, an attacker-controlled page bypasses all authorization checks - enabling it to list, read, create, overwrite, or delete extension-managed artifacts without user awareness. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the attack barrier is low: exploitation requires only that the victim passively visit a malicious page while the extension is active.

Authentication Bypass Summarize
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45554 MEDIUM PATCH GHSA This Month

Log-volume denial of service in NiceGUI's dynamic static-asset routes allows remote unauthenticated attackers to flood server logs and exhaust disk or log-pipeline capacity. The two affected routes - the per-component resource route (introduced in v1.4.6) and the ESM module route (introduced in v3.0.0) - fail to distinguish directories from files before passing user-controlled paths to Starlette's FileResponse, triggering an unhandled RuntimeError that Uvicorn logs as a full multi-frame traceback (~100 lines per request). Versions up to and including 3.11.1 are affected; the fix is available in 3.12.0. No public exploit or CISA KEV listing has been identified at time of analysis. IMPORTANT: The provided tags (RCE, Path Traversal, Information Disclosure) are directly contradicted by the advisory, which explicitly states there is no remote code execution, no path traversal, and no data exposure - these tags should be treated as erroneous metadata.

Information Disclosure Path Traversal RCE
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-8802 MEDIUM PATCH This Month

Path traversal in opensourcepos Open Source Point of Sale versions 3.4.0 through 3.4.2 allows authenticated remote attackers to read arbitrary image files outside the intended directory via manipulated pic_filename parameters in the getPicThumb controller function. The vulnerability has CVSS 5.3 (Medium) with low attack complexity requiring only low-privilege authentication. Vendor-released patch available via GitHub commit def0c27a0e252668df8d942fc31e16d1edfd7323. No public exploit or active exploitation confirmed at time of analysis, though the fix is publicly documented with code diff showing the vulnerable parameter handling.

Path Traversal PHP
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45624 MEDIUM PATCH GHSA This Month

Out-of-bounds heap over-read in Magick.NET's polynomial distortion operation exposes limited heap memory and can trigger a crash when processing a specially crafted image with specific distortion arguments. Affected are all Magick.NET NuGet package variants (Q16, Q16-HDRI, across AnyCPU, arm64, x64, x86, and OpenMP builds) prior to version 14.13.1. The CVSS vector scores this as a local, low-complexity issue with low confidentiality and availability impact; no public exploit code exists and it is not listed in the CISA KEV catalog at time of analysis.

Information Disclosure Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-45682 MEDIUM PATCH GHSA This Month

Heap memory exhaustion in the OpenTelemetry eBPF Instrumentation (OBI) Java agent affects all versions prior to 0.9.0 due to a memory leak in the custom CappedConcurrentHashMap used for TLS state tracking. Repeated TLS connection setup and teardown causes the internal ConcurrentLinkedQueue to grow without bound, because remove() purges keys from the backing ConcurrentHashMap but never from the queue, and the eviction logic only fires on put() when map.size() exceeds the cap. Under sustained TLS churn - a normal workload pattern for long-running instrumented services - this leads to progressive heap growth, extended GC pauses, and eventual OutOfMemoryError in the Java agent process. A proof-of-concept reproducer is publicly available, though no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Information Disclosure OpenSSL Java Suse
NVD GitHub VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-42326 MEDIUM PATCH GHSA This Month

Out-of-bounds single-byte heap read in Magick.NET's IPTC encoder exposes all NuGet package variants (Q16, Q16-HDRI, multi-architecture builds) before version 14.13.1 to limited confidentiality and availability impact when processing a crafted input file. The flaw resides in the IPTC output writing pathway: supplying a malicious image file triggers a one-byte over-read of the heap buffer, classified as CWE-125. No active exploitation has been identified (not in CISA KEV), no public exploit code is known, and the local attack vector (AV:L) materially constrains realistic exposure.

Buffer Overflow Information Disclosure Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-45684 MEDIUM PATCH GHSA This Month

Out-of-bounds read and write in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows a local attacker to corrupt application memory and leak adjacent buffer contents by triggering a multi-segment writev call against a process instrumented with log enrichment enabled. The eBPF log enricher incorrectly uses the total iov_iter.count as the copy length while only resolving the first iovec segment, causing bpf_probe_read_user and bpf_probe_write_user to access memory beyond the first segment boundary. No public exploit identified at time of analysis, though a working proof-of-concept was included in the GitHub security advisory and confirmed to reproduce the out-of-bounds condition under ASan and debugger instrumentation.

Buffer Overflow Suse
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-47091 MEDIUM PATCH This Month

Path traversal in Claude HUD through version 0.0.12 permits local low-privileged attackers to read arbitrary files by supplying a crafted `transcript_path` value via stdin JSON, bypassing all path validation. Beyond direct file read access, the application writes file metadata - including the accessed paths - to a persistent cache file with insufficiently restrictive permissions, leaving a forensic record readable by other local users that survives process termination. No public exploit code has been identified at time of analysis; CVSS 4.0 scores this 4.8 (Medium) reflecting local-only reach, and a vendor patch is available at commit 234d9aa.

Path Traversal Claude Hud
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-45245 MEDIUM PATCH This Month

Server-side request forgery in the Summarize browser extension prior to version 0.15.2 allows malicious web pages to coerce the extension's hover summary feature into issuing authenticated requests to local or private-network URLs via the user's daemon. The flaw stems from the extension processing synthetic mouseover events without verifying their trustworthiness, enabling attacker-controlled links to route authenticated daemon requests using stored tokens. No public exploit identified at time of analysis, but a vendor patch is available and the issue was reported by VulnCheck.

SSRF Summarize
NVD GitHub
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-21789 MEDIUM This Month

Broken access control in HCL Connections exposes an integrity risk where an authenticated low-privileged user can update data outside their intended authorization scope under specific conditions. The CVSS vector (AV:N/AC:L/PR:L/UI:R) confirms the attack is network-reachable, requires only low-privilege credentials, and involves some form of user interaction. No public exploit code has been identified and HCL Connections is not listed in the CISA KEV catalog, placing this in a moderate-priority remediation tier for most organizations, though environments where data integrity in Connections is business-critical should treat it with elevated urgency.

Authentication Bypass Connections
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-6340 MEDIUM PATCH This Month

Memory exhaustion denial of service in Mattermost Server versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 allows authenticated attackers to crash the server by uploading maliciously crafted 7zip archives containing excessive folder declarations. The vulnerability stems from insufficient validation of 7zip archive structure before decompression, enabling resource exhaustion attacks with low attack complexity. EPSS data not available, not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Mattermost Denial Of Service
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2325 MEDIUM PATCH This Month

Resource exhaustion in Mattermost Server 10.11.x through 11.5.1 allows authenticated users to trigger denial of service by sending oversized HTTP POST requests to the /api/v1/meetings endpoint. The vulnerability affects three active release branches with no request size validation on the meeting start API. EPSS data not available; no confirmed active exploitation (not in CISA KEV); authentication requirement (PR:L) reduces immediate exposure to internal or compromised users. Vendor advisory MMSA-2026-00608 confirms the issue.

Mattermost Denial Of Service
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28732 MEDIUM PATCH This Month

Authenticated team members with 'Manage Own Slash Commands' permission can hijack existing slash commands in Mattermost 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 by editing their own command triggers to match already-registered system or custom commands. This privilege escalation flaw (CWE-863: Incorrect Authorization) enables command impersonation, allowing attackers to intercept and potentially manipulate user interactions with legitimate slash commands. With CVSS 4.3 (low-medium severity) and EPSS data unavailable, real-world risk depends heavily on organizational use of slash commands for sensitive operations. No public exploit identified at time of analysis, and the attack requires authenticated access with specific permissions, limiting immediate exposure compared to unauthenticated network vulnerabilities.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6341 MEDIUM This Month

Mattermost Plugins through version 11.5 allow authenticated users to bypass group-level access controls and create issues or attach comments to locked groups they should not access. Attackers holding membership in multiple groups can exploit missing API-level authorization checks via direct API requests to write data into restricted groups, violating intended access boundaries. EPSS risk data not available; CVSS 4.3 reflects low-privilege authenticated network attack with low complexity. No active exploitation confirmed by CISA KEV at time of analysis, though vendor advisory (MMSA-2026-00602) confirms the vulnerability.

Mattermost Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6342 MEDIUM This Month

Authorization bypass in Mattermost Plugins allows authenticated users to subscribe to unauthorized notification groups by exploiting prefix-matching namespace validation. Affected versions (≤11.5, 11.1.5, 10.13.11, 11.3.4.0) fail to enforce group whitelisting, enabling low-privileged plugin users to create groups sharing prefixes with authorized groups and thereby receive notifications or access information from out-of-scope channels. EPSS data unavailable; not listed in CISA KEV; CVSS 4.3 reflects low-privilege network exploitation with limited integrity impact but no confidentiality or availability compromise.

Mattermost Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3637 MEDIUM PATCH This Month

Privilege escalation in Mattermost Server allows authenticated users with revoked channel posting permissions to continue modifying their existing posts. Affected versions include 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3. Attackers bypass authorization controls by sending direct API requests to post update and patch endpoints, circumventing permission checks that should prevent post edits after privileges are revoked. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis. CVSS 4.3 (Medium) reflects low integrity impact limited to existing content modification.

Mattermost Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28759 MEDIUM PATCH This Month

Authorization bypass in Mattermost shared channel synchronization allows authenticated remote cluster administrators to remove arbitrary users from any channel, including private channels outside the attacker's authorization scope. Affects versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3. CVSS 4.3 reflects the low-privilege requirement (authenticated remote cluster) and limited impact scope (integrity only, no data exposure), though cross-tenant authorization violations in collaboration platforms warrant attention. EPSS data unavailable; no public exploit identified at time of analysis; not listed in CISA KEV.

Mattermost Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6343 MEDIUM PATCH This Month

Unauthorized access to public playbooks in Mattermost 10.11.x through 11.5.x allows authenticated users without proper permissions to retrieve public playbooks via the /get endpoint. The vulnerability affects all versions from 10.11.0 through 10.11.13, 11.4.0 through 11.4.3, and 11.5.0 through 11.5.1 due to missing public/private permission validation. With CVSS 4.3 (Medium) and requiring authenticated access (PR:L), this represents a privilege escalation issue allowing disclosure of potentially sensitive playbook configurations, but is limited to low confidentiality impact without integrity or availability compromise. No active exploitation confirmed (not in CISA KEV) and EPSS data not provided.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6339 MEDIUM PATCH This Month

Authenticated Mattermost channel members can forcibly reveal burn-on-read messages without recipient consent by exploiting missing X-Requested-With header validation on the reveal endpoint through crafted Markdown image tags. This bypasses the intended ephemeral messaging security control in Mattermost versions 11.4.x through 11.4.3 and 11.5.x through 11.5.1. The CVSS vector indicates network-accessible exploitation by low-privileged authenticated users with low attack complexity. Exploitation status: no public exploit identified at time of analysis. EPSS data not provided.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-46559 MEDIUM PATCH GHSA This Month

Heap buffer over-write of a single byte in Magick.NET's JP2 encoder allows local attackers to cause availability impact (crash/denial of service) by supplying a crafted JP2 image processed with certain options. All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and quantum depth configurations (Q16, Q16-HDRI). No public exploit has been identified at time of analysis, and a vendor-released patch exists at version 14.13.1.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-3495 LOW PATCH Monitor

Cross-site scripting (XSS) in Mattermost Server 10.11.0-10.11.13 and 11.5.0-11.5.1 enables authenticated administrators to inject JavaScript code through unescaped variables in error page templates. Exploitation requires high-privilege (PR:H) administrative access to site configuration settings, limiting real-world risk despite network-based attack vector (AV:N). No active exploitation confirmed (not in CISA KEV). EPSS data not available for recent CVE. This is a stored XSS vulnerability affecting administrative workflows rather than end users.

Mattermost XSS
NVD VulDB
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-45683 LOW PATCH GHSA Monitor

Kernel memory disclosure in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows a local authenticated process to exfiltrate arbitrary kernel memory into the OBI telemetry pipeline by supplying a crafted kernel-space pointer to the Java TLS ioctl kprobe. The BPF probe hooks do_vfs_ioctl and incorrectly uses bpf_probe_read - which can dereference any memory address, kernel or user - instead of the boundary-enforcing bpf_probe_read_user, causing the kernel bytes to be emitted via bpf_ringbuf_output into downstream telemetry. Publicly available exploit code exists (PoC published in the GitHub security advisory); no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Information Disclosure Java
NVD GitHub
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-4273 LOW PATCH Monitor

Authenticated attackers can bypass token rotation in Mattermost's remote cluster invite confirmation process by reusing original invite tokens. The flaw affects Mattermost Server versions 11.5.x through 11.5.1 and 10.11.x through 10.11.13, allowing token reuse despite intended security controls. While rated low severity (CVSS 3.7), this represents an authentication bypass vulnerability (CWE-863) that undermines session management security. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-4643 LOW Monitor

Mattermost Desktop App can be crashed remotely by malicious server administrators or plugin developers exploiting insufficient isolation of server-rendered content. Authenticated attackers with low-privilege server access who can control rendered content (via compromised server, malicious plugin, or modified server responses) can invoke window.close() to terminate the desktop client, causing a client-side denial of service. EPSS data not available; no public exploit code identified at time of analysis. CVSS 3.5 (Low severity) reflects limited impact scope - disruption to individual user sessions rather than system-wide compromise.

Mattermost Denial Of Service
NVD VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-6333 LOW PATCH Monitor

Server-Side Request Forgery in Mattermost 10.11.x through 11.5.1 allows authenticated attackers with slash command access to redirect custom slash command responses to attacker-controlled servers by manipulating the Host header. The vulnerability requires low-privileged authentication and high attack complexity (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N), resulting in a CVSS score of 3.5. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis. Vendor advisory available at mattermost.com/security-updates provides remediation guidance.

Mattermost SSRF
NVD VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-6334 LOW PATCH Monitor

OAuth authorization code interception in Mattermost 10.11.x through 10.11.13 and 11.5.x through 11.5.1 allows authenticated OAuth clients to redeem authorization codes issued to different clients. An attacker controlling a malicious OAuth application can intercept and exchange authorization codes meant for legitimate applications, potentially gaining unauthorized access to user data or sessions. CVSS score of 3.1 reflects high attack complexity and required privileges, with EPSS data not provided. Vendor patch released per Mattermost advisory MMSA-2026-00570.

Mattermost Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy