Skip to main content
CVE-2026-8785 MEDIUM POC This Month

SQL injection in projectworlds Hospital Management System in PHP 1.0 enables unauthenticated remote attackers to extract or modify patient data through the appointment_no parameter in update_info.php. The vulnerability has publicly available exploit code and affects the getAllPatientDetail function, with the vendor notified but unresponsive.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1631 MEDIUM POC PATCH This Month

The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.

Authentication Bypass WordPress
NVD WPScan
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45731 MEDIUM GHSA This Month

Authenticated arbitrary file read in WWBN/AVideo's view/update.php exposes any text file readable by the web-server process to admin-level users via path traversal. The $_POST['updateFile'] parameter is concatenated directly into a filesystem path under updatedb/ without sanitization, allowing an authenticated administrator to supply sequences like '../../../../etc/passwd' and have PHP's file() function return the contents line-by-line in the migration-runner HTML response. A proof-of-concept exploit is publicly documented in GitHub Security Advisory GHSA-3mjv-375j-6h92; no patched release has been issued for any version through 29.0 as of analysis time, and no public exploit identified at time of analysis as actively exploited by CISA KEV.

Path Traversal PHP
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-45577 MEDIUM PATCH GHSA This Month

Authentication bypass in Neotoma (npm package for Node.js data exploration) versions 0.6.0 through 0.11.0 allows unauthenticated remote attackers to access production Inspector UI and API endpoints when deployed behind reverse proxies. The vulnerability stems from CWE-288 authentication logic flaw where the REST middleware incorrectly treats reverse-proxied public requests as local development traffic when received over loopback sockets without Bearer tokens, granting unauthorized local-user privileges. Fixed in version 0.11.1 released April 2025, which implements X-Forwarded-For validation and fails closed in production environments. No public exploit code identified at time of analysis, though exploitation is straightforward for attackers who identify affected deployments.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45701 MEDIUM PATCH GHSA This Month

Weak cryptographic algorithm usage in Sulu CMS exposes password reset tokens and API keys to prediction or brute-force attacks, potentially enabling unauthorized account takeover or API access. The flaw resides in the SecurityBundle's User.php and ResettingController.php, affecting all Sulu 2.x releases up to 2.6.22 and all 3.x releases from the first alpha through 3.0.5. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the cryptographic weakness (CWE-327) is structurally exploitable by a motivated attacker with network access to the application.

PHP Information Disclosure
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45246 MEDIUM PATCH This Month

Insecure file permission assignment in the @steipete/summarize CLI tool exposes configuration files containing API keys and provider credentials to other local users on shared Unix-like systems. All versions prior to 0.15.1 (CPE: cpe:2.3:a:steipete:summarize) are affected via a specific code path - the refresh-free configuration rewrite - that creates replacement config files using the process default umask rather than preserving original file permissions. No public exploit code exists and this is not listed in the CISA KEV catalog; however, the high-confidentiality CVSS signal (C:H) reflects the real sensitivity of what is exposed (API keys, provider credentials) when Summarize is used on multi-user Unix environments.

Information Disclosure Summarize
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-41119 MEDIUM PATCH This Month

Improper SSL/TLS certificate validation in Dell Live Optics Windows and Personal Edition collectors allows remote attackers to intercept and modify data transmitted by the collector. The vulnerability requires network positioning (man-in-the-middle) and user interaction, making exploitation moderately complex but enabling complete compromise of data confidentiality and integrity for collector communications. Dell has released patches in version 27.1.10.1 to address the certificate validation flaw.

Information Disclosure Dell Microsoft
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-3471 MEDIUM This Month

Mattermost Desktop App can be repeatedly crashed by malicious server administrators through JavaScript URL injection in pop-up windows. Attackers controlling a Mattermost server can force connected desktop clients to become unusable by exploiting improper URL validation, requiring user interaction (connecting to the malicious server). No public exploit code identified at time of analysis, though the attack method is trivial to implement given the disclosed details.

Mattermost Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-20685 MEDIUM PATCH This Month

An attacker in a privileged network position may be able to leak sensitive information. A path handling issue was addressed with improved validation. This issue is fixed in PCC Release 5E290.3.

Information Disclosure Private Cloud Compute Server Software
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27737 MEDIUM PATCH This Month

Stored XSS in BigBlueButton's bbb-playback recording component (versions prior to 3.0.19) allowed authenticated meeting participants to inject malicious scripts via public chat that execute silently against any user who later views the session recording in presentation format. The React component rendered chat messages via dangerouslySetInnerHTML without sanitization, meaning UI:N - no victim interaction beyond loading the recording URL was required to trigger execution. No public exploit identified at time of analysis; not listed in CISA KEV.

XSS Bigbluebutton Scalite Bbb Playback
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45582 MEDIUM PATCH GHSA This Month

Incomplete telemetry sanitization in n8n-mcp (all versions before 2.51.3) caused the WorkflowSanitizer to transmit partial URL paths and query strings - including customer IDs, tenant identifiers, signed-request parameters, and short tokens below the 20-character generic-token threshold - to the project's anonymous Supabase-hosted telemetry backend. Any operator with read access to the telemetry_workflows or workflow_mutations Supabase tables could retrieve these fragments from workflow definitions, contrary to the privacy guarantees documented in PRIVACY.md. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS confidentiality impact is rated High (C:H), reflecting the potential sensitivity of the leaked parameters.

Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3117 MEDIUM This Month

{option}` or `/gitlab webhook {option}`, resulting in availability impact (A:H) to the Gitlab plugin infrastructure. CVSS 6.5 reflects moderate risk, with EPSS data and active exploitation status not available at time of analysis.

Mattermost Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45679 MEDIUM PATCH GHSA This Month

OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 forwards raw Redis error replies verbatim into OTLP span status messages, enabling both information disclosure and telemetry injection against any deployment tracing Redis traffic. The `getRedisError` function in `pkg/ebpf/common/redis_detect_transform.go` applies only CRLF trimming before storing error text directly into `request.DBError.Description`, which `span.go` then exports as the span status message for every non-zero-status Redis span. A publicly available proof-of-concept demonstrates that caller-supplied values embedded in Redis error replies - including authentication credentials, tokens, and PII - are automatically propagated into OTLP collectors, dashboards, and log aggregators without requiring any special attacker position beyond the ability to trigger Redis errors. No public exploit identified at time of analysis beyond the included PoC; not in CISA KEV.

Redis Docker Information Disclosure Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45719 MEDIUM PATCH GHSA This Month

CouchDB reduce injection in Budibase's V1 Views API (POST /api/views) allows authenticated Builder-role users to embed arbitrary JavaScript into CouchDB design document reduce functions via the unsanitized `calculation` parameter, resulting in code execution within CouchDB's SpiderMonkey sandbox on every subsequent view query. Affected versions are all releases of @budibase/server prior to 3.38.1, confirmed by GHSA-363w-hvwh-w7m6. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, though the advisory includes detailed reproduction steps that substantially lower the exploitation barrier for users who already hold Builder privileges.

RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45139 MEDIUM PATCH GHSA This Month

Destructive file operations in the CI4MS Fileeditor module (composer/ci4-cms-erp/ci4ms ≤ v0.31.8.0) allow an authenticated backend user to delete or rename arbitrary framework files - including the front controller, routing config, and authentication filter pipeline - producing a persistent denial of service that requires filesystem-level redeployment to recover. The root cause is an inconsistent application of the existing extension allowlist: while saveFile and createFile correctly gate writes through allowedFileTypes(), the deleteFileOrFolder and renameFile endpoints apply no such check to the source path, meaning any file inside ROOTPATH not named in the narrow $hiddenItems blocklist is reachable. A working curl-based proof-of-concept is publicly available via GitHub advisory GHSA-245j-xjvr-xvm5; no CISA KEV listing is present at time of analysis.

PHP CSRF Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6345 MEDIUM PATCH This Month

Password disclosure in Mattermost Server versions 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3 allows high-privilege administrators to view newly created user credentials, enabling impersonation attacks. The CVSS score of 6.5 reflects medium severity, requiring high-privilege access (PR:H) but offering network-based exploitation (AV:N) with low complexity (AC:L). While not currently listed in CISA KEV and no public exploit identified at time of analysis, the vendor-confirmed vulnerability (Mattermost Advisory MMSA-2026-00614) presents real risk in environments where privileged accounts are compromised or insider threats exist.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5163 MEDIUM PATCH This Month

Authenticated Mattermost users can read private channel threads and direct messages they lack access to by exploiting the AI post rewrite endpoint. Versions 11.5.0 and 11.5.1 fail to verify channel membership before processing AI-assisted message rewrites, enabling privilege escalation from low-privileged authenticated users to access confidential communications. CVSS 6.5 reflects network-accessible attack with low complexity requiring only basic authentication. EPSS data not available; no public exploit or KEV listing identified at time of analysis.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45626 MEDIUM GHSA This Month

{id}/volumes/{volumeName}/browse`. The path sanitizer at `volume_service.go:1448-1467` blocks only `../` traversal and passes shell substitution sequences through unchanged; `strconv.Quote` wraps the path in Go-style double quotes, which POSIX `sh` still interprets as a command-substitutable string, causing the injected command to execute and its output to be reflected in the HTTP 500 error body. No vendor-released patch exists at time of analysis; publicly available exploit code is embedded in the GHSA advisory (GHSA-9mvm-4gwg-v8mp) and no confirmed active exploitation (CISA KEV) has been reported.

Docker Path Traversal Command Injection
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-8803 MEDIUM This Month

Weak password hashing in opensourcepos Open Source Point of Sale through version 3.4.2 exposes a legacy code path in the Employee Login component (app/Models/Employee.php) that retains an older, cryptographically weak hash function. The vendor has disputed the severity of this issue, clarifying that the weak hash function persists solely to support an upgrade migration path - default-seeded passwords use the legacy hash but are migrated to a stronger algorithm upon first login, meaning actively managed accounts on updated installations face reduced practical exposure. No public exploit code has been identified at time of analysis, and the vulnerability's real-world impact is currently in question pending independent verification.

Information Disclosure PHP
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-46557 MEDIUM PATCH GHSA This Month

Stack overflow in the Magick.NET fx expression evaluator affects all Q16 and HDRI NuGet package variants prior to version 14.13.1. The root cause is a missing recursion depth check in the fx operation: a crafted argument can drive the evaluator into uncontrolled recursion, exhausting the call stack and crashing the host process. Impact is limited to availability (denial of service); no confidentiality or integrity exposure is present, and no public exploit or CISA KEV listing exists at time of analysis.

Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-46523 MEDIUM PATCH GHSA This Month

Heap-use-after-free in Magick.NET's MSL (Magick Scripting Language) decoder causes a denial-of-service condition when processing a crafted MSL image file. All Magick.NET NuGet package variants across Q16, Q16-HDRI, and multi-architecture builds prior to version 14.13.1 are affected. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis; the CVSS vector indicates local-only access with availability-only impact, classifying this as a crasher rather than a code execution or data exposure issue.

Memory Corruption Information Disclosure Use After Free
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-38719 MEDIUM This Month

OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability in the Common Packet Format (CPF) parser, specifically in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c. A crafted ENIP/CPF message can supply an attacker-controlled item_count value that is not consistently validated against the remaining data_length of the CPF slice

Buffer Overflow Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-29964 MEDIUM This Month

HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-29965 MEDIUM This Month

HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41568 MEDIUM PATCH GHSA This Month

Race condition in Docker's `docker cp` mount setup allows a process running inside a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem as root. Affected packages include github.com/docker/docker <= 28.5.2 and github.com/moby/moby <= 28.5.2, with a patch only confirmed for the moby/moby v2 branch at 2.0.0-beta.14. The CVSS vector reflects a scope-changed (S:C), high-availability-impact flaw requiring low privileges and high complexity; no public exploit or CISA KEV listing has been identified at time of analysis, but the attack is realistic when operators use `docker cp` against containers running untrusted workloads with volume mounts.

Docker Denial Of Service Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45680 MEDIUM PATCH GHSA This Month

CPU exhaustion in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to indirectly cause availability degradation of the privileged monitoring agent by generating high-volume traffic through instrumented services. The internal Prometheus metrics exporter replays BPF probe hits in a tight loop proportional to the raw hit count rather than the number of metric series, creating unbounded CPU work per collection interval. A proof-of-concept reproducer has been confirmed and published in the GitHub Security Advisory (GHSA-89c6-vpcj-7vj4); no public exploit identified at time of analysis beyond the PoC.

Denial Of Service Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-45681 MEDIUM PATCH GHSA This Month

Out-of-bounds memory read in OpenTelemetry eBPF Instrumentation (OBI) prior to 0.9.0 exposes adjacent kernel memory through the HTTP tracing telemetry pipeline. The vulnerable path arises in the per-CPU message-buffer fallback logic in `k_tracer.c` and `protocol_http.h`: when a CPU mismatch occurs between producer and consumer contexts, OBI substitutes the 256-byte `fallback_buf` as the source buffer while retaining `real_size` values of up to 8KB, causing an over-read of up to 7,936 bytes of adjacent memory that is subsequently exported in telemetry. No public exploit identified at time of analysis, though publicly available exploit code exists as a validated user-space AddressSanitizer PoC demonstrating the same size-mismatch over-read class.

Buffer Overflow Information Disclosure Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-45359 MEDIUM PATCH GHSA This Month

Heap buffer over-read in Magick.NET's connected components operation exposes process memory when an attacker or untrusted input supplies a malformed `connected-components:keep-top` define value. All Magick.NET NuGet package variants (Q16, Q16-HDRI, OpenMP, arm64, x64, x86, AnyCPU) prior to version 14.13.1 are affected. Exploitation yields high confidentiality impact - enabling partial or full disclosure of heap memory contents - with low availability impact and no integrity impact; no public exploit and no CISA KEV listing have been identified at time of analysis.

Buffer Overflow Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-32849 MEDIUM This Month

Signed integer overflow in the NetBSD kernel's cryptodev subsystem (sys/opencrypto/cryptodev.c, prior to commit ec8451e) enables a local low-privileged attacker to crash the kernel via a NULL pointer dereference, causing a full denial of service. The type mismatch between a signed int local variable and an unsigned cop->dst_len source value in cryptodev_op() produces undefined behavior when dst_len exceeds INT_MAX, corrupting UIO pointer arithmetic and - when CONFIG_SVS is disabled - triggering a kernel panic. No public exploit identified at time of analysis, though a technical writeup at nasm.re documents related memory-handling issues in this subsystem.

Integer Overflow Denial Of Service
NVD GitHub
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-32848 MEDIUM This Month

Kernel heap corruption in NetBSD's opencrypto subsystem enables local privilege-adjacent attackers to crash the kernel via a double-free triggered by a race condition in cryptodev_op(). The flaw exists because mutable per-operation state - including tmp_iv, tmp_mac, iovec, and uio - was embedded directly in the shared csession struct rather than isolated per-operation, making it unsafely accessible across concurrent threads on SMP systems. An authenticated local attacker issuing simultaneous CIOCCRYPT ioctl calls on the same session identifier can race the kernel into freeing the same memory region twice, corrupting the kernel heap. No public exploit identified at time of analysis, though a technical writeup is publicly available at nasm.re/posts/uaf_netbsd_crypto/.

Race Condition Information Disclosure
NVD GitHub
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-8771 MEDIUM This Month

SQL injection in litemall WeChat API allows unauthenticated remote attackers to extract, modify, or delete database contents via crafted queries to the goods listing endpoint. Publicly available exploit code exists targeting the WxGoodsController.list() function in versions up to 1.8.0. Vendor unresponsive to disclosure. EPSS data unavailable, but public POC and network accessibility (CVSS AV:N/AC:L/PR:N) indicate moderate exploitation risk for exposed instances.

Java SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-45676 MEDIUM PATCH GHSA This Month

OBI's custom fastelf ELF parser in opentelemetry-ebpf-instrumentation crashes when processing malformed ELF binaries during routine process discovery on Linux hosts. Local users with standard execution rights can place or run a binary with corrupted section-header fields (Shoff, Shnum, or string-table offsets), causing the agent to panic inside matchExeSymbols, GetCStringUnsafe, or ReadStruct and terminate entirely. No public widespread exploitation has been identified and this is not listed in CISA KEV, but a PoC is confirmed in the GitHub Security Advisory (GHSA-wp73-mwgf-4jq9); the practical impact is a loss of observability for all workloads on the affected host.

Denial Of Service Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46521 MEDIUM PATCH GHSA This Month

Heap buffer over-write in Magick.NET's MIFF encoder triggers an out-of-bounds write when LZMA compression is active, due to a missing buffer size check (CWE-131). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and depth configurations (Q16, Q16-HDRI, OpenMP). An attacker who can deliver a crafted MIFF file for local processing can crash the consuming application, resulting in a complete availability impact. No public exploit code or CISA KEV listing exists at time of analysis, limiting real-world severity despite the heap write primitive.

Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45492 MEDIUM PATCH Exploit Likely This Month

Security feature bypass in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 enables remote attackers to circumvent browser security controls through improper input validation (CWE-20), resulting in limited confidentiality and integrity compromise. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms exploitation is network-based, requires no attacker privileges, but demands user interaction - consistent with a browser-based attack requiring a victim to engage with malicious content. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Google Microsoft
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-45494 MEDIUM PATCH Exploit Likely This Month

Cross-site scripting (XSS)-based spoofing in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows remote unauthenticated attackers to inject and execute scripts within the browser context, manipulating rendered content or UI trust indicators to deceive users. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms low-complexity, network-reachable exploitation requiring only that a victim visit a malicious page. Impact is constrained to limited confidentiality and integrity loss (C:L/I:L/A:N), consistent with spoofing and credential-phishing scenarios rather than full system compromise. No public exploit identified at time of analysis and no CISA KEV listing.

Google Microsoft XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45660 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in Statamic CMS's Glide image proxy allows unauthenticated remote attackers to bypass IP validation and force the server to issue HTTP requests to internal infrastructure, including loopback addresses, RFC-1918 private networks, and cloud metadata endpoints such as AWS IMDSv1 (169.254.169.254). The bypass exploits unnormalized alternative IP representations (e.g., octal, hexadecimal, decimal-encoded) that evade the public-IP allowlist check before PHP normalizes them. Only deployments running PHP below 8.3 and passing user-supplied URLs to Glide are exposed; vendor-released patches exist in versions 5.73.22 and 6.18.1. No public exploit or CISA KEV listing has been identified at time of analysis.

SSRF PHP
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40930 MEDIUM This Month

Chunk-smuggling in libpng-apng's push-mode APNG parser allows a remote unauthenticated attacker to cause integrity violations and availability disruption when a victim processes a specially crafted APNG file. The flaw - classified under CWE-436 (Interpretation Conflict) - stems from incorrect sequencing of CRC finalization and frame sequence number validation for fcTL and fdAT chunks in pngpread.c, enabling maliciously ordered chunk boundaries to bypass expected parser state transitions. No public exploit code exists at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, it represents a meaningful risk for any image-processing pipeline or application accepting user-supplied APNG data from untrusted sources.

RCE Apache SQLi PostgreSQL
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45718 MEDIUM PATCH GHSA This Month

Row action trigger endpoint in Budibase allows authenticated low-privilege users to execute automations on rows outside their authorized view scope, bypassing a documented security boundary. Any user holding BASIC-role READ access to a filtered view can supply an arbitrary `rowId` to `POST /api/tables/:sourceId/actions/:actionId/trigger` and invoke automations against rows explicitly excluded by the view's filters. Publicly available exploit code (curl PoC) is included in the GHSA advisory; this vulnerability is not listed in CISA KEV and no confirmed widespread active exploitation has been identified at time of analysis.

Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45138 MEDIUM PATCH GHSA This Month

Stored XSS in CI4MS (composer package ci4-cms-erp/ci4ms, versions up to 0.31.8.0) allows authenticated content editors holding the `blogs.create` or `blogs.update` role to persist arbitrary JavaScript that executes in every visitor's browser, including superadmins who review or preview posts. The root cause is a PHP by-reference mutation in the `html_purify` custom validation rule that CodeIgniter 4's validator silently discards - raw POST data bypasses sanitization entirely and is written unescaped to the database and rendered directly in the public template. A detailed public proof-of-concept exploit exists; vendor-released patch 0.31.9.0 was published on 2026-05-08 and is confirmed to address the issue.

PHP CSRF XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45664 MEDIUM PATCH GHSA This Month

Denial-of-service via policy bypass in Magick.NET's MNG coder allows remote unauthenticated attackers to exhaust server resources by submitting crafted MNG image files that circumvent the library's configured image list limit. All Magick.NET NuGet package variants (Q16, Q16-HDRI, and OpenMP/ARM64/x64/x86 flavors) below version 14.13.1 are confirmed vulnerable. No public exploit exists and the vulnerability is not in CISA KEV at time of analysis, but the network-accessible, zero-authentication attack surface makes this an accessible DoS primitive for any application accepting user-supplied image input.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45031 MEDIUM PATCH GHSA This Month

Policy bypass in Magick.NET's PSD decoder allows remote unauthenticated attackers to circumvent the configured `list-length` resource policy when processing Photoshop Document (PSD) images, resulting in partial availability impact (CWE-400 uncontrolled resource consumption). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures and quantization depths. No public exploit identified at time of analysis and no CISA KEV listing exists; however, the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates that any internet-exposed application accepting PSD uploads is reachable without authentication or special conditions.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45620 MEDIUM GHSA This Month

User enumeration in AVideo (composer/WWBN/AVideo ≤ 29.0) exposes account metadata - names, email addresses, usernames, and channel names - to unauthenticated remote attackers through an incomplete patch for CVE-2026-43881. The original fix (commit d9cdc7024) hardened `users.json.php` but left an identical unauthenticated code path alive in `objects/mention.json.php`, which calls `User::getAllUsers()` with no `loginCheck()` or authorization gate. No public exploit is identified at time of analysis, though the trivial HTTP-based trigger and absence of authentication make this a realistic reconnaissance primitive for credential-stuffing or phishing campaigns.

Information Disclosure PHP
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-36438 MEDIUM This Month

Unauthenticated information disclosure in the Intelbras VIP-1230-D-G4 Wi-Fi dome IP camera (firmware V2.800.00IB00C.0.T) exposes sensitive data through the password reset endpoint at /OutsideCmd. Remote, unauthenticated attackers can query this endpoint directly over the network to retrieve sensitive information - likely credentials or reset tokens - without any prior authentication or user interaction. Publicly available exploit code exists on GitHub (kensh1k/CVE-2026-36438), lowering the bar for exploitation; no CISA KEV listing has been confirmed at time of analysis.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45231 MEDIUM PATCH This Month

Stored cross-site scripting in DumbAssets through version 1.0.11 allows script injection via asset fields - name, description, modelNumber, serialNumber, and tags - which are persisted without server-side sanitization and rendered into the DOM via innerHTML without escaping. When a victim navigates to the asset list dashboard, injected JavaScript executes in their browser; the CVE explicitly notes that with Content-Security-Policy absent or disabled, those scripts can make unrestricted connections to internal network services, escalating the impact beyond typical XSS. No public exploit identified at time of analysis, and no KEV listing exists, but the CVSS 4.0 score of 5.3 with a network attack vector and no required privileges represents a meaningful exposure for any internet-accessible or intranet-facing deployment.

XSS Dumbassets
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45358 MEDIUM PATCH GHSA This Month

Out-of-bounds single-byte read in Magick.NET's meta encoder affects all Q16 and Q16-HDRI NuGet package variants prior to version 14.13.1. An off-by-one indexing error in the meta encoder allows a remote unauthenticated attacker to read one byte beyond the allocated buffer boundary during metadata processing, resulting in limited memory disclosure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; however, the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is network-reachable without authentication or user interaction, making any application that processes attacker-supplied images or metadata a viable target.

Buffer Overflow Information Disclosure Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45243 MEDIUM PATCH This Month

Missing authorization in the Summarize browser extension's content script window.postMessage bridge permits any malicious web page to perform unauthorized CRUD operations on automation artifacts scoped to the affected browser tab. By injecting messages with spoofed sender identifiers, an attacker-controlled page bypasses all authorization checks - enabling it to list, read, create, overwrite, or delete extension-managed artifacts without user awareness. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the attack barrier is low: exploitation requires only that the victim passively visit a malicious page while the extension is active.

Authentication Bypass Summarize
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45554 MEDIUM PATCH GHSA This Month

Log-volume denial of service in NiceGUI's dynamic static-asset routes allows remote unauthenticated attackers to flood server logs and exhaust disk or log-pipeline capacity. The two affected routes - the per-component resource route (introduced in v1.4.6) and the ESM module route (introduced in v3.0.0) - fail to distinguish directories from files before passing user-controlled paths to Starlette's FileResponse, triggering an unhandled RuntimeError that Uvicorn logs as a full multi-frame traceback (~100 lines per request). Versions up to and including 3.11.1 are affected; the fix is available in 3.12.0. No public exploit or CISA KEV listing has been identified at time of analysis. IMPORTANT: The provided tags (RCE, Path Traversal, Information Disclosure) are directly contradicted by the advisory, which explicitly states there is no remote code execution, no path traversal, and no data exposure - these tags should be treated as erroneous metadata.

Information Disclosure Path Traversal RCE
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-8802 MEDIUM PATCH This Month

Path traversal in opensourcepos Open Source Point of Sale versions 3.4.0 through 3.4.2 allows authenticated remote attackers to read arbitrary image files outside the intended directory via manipulated pic_filename parameters in the getPicThumb controller function. The vulnerability has CVSS 5.3 (Medium) with low attack complexity requiring only low-privilege authentication. Vendor-released patch available via GitHub commit def0c27a0e252668df8d942fc31e16d1edfd7323. No public exploit or active exploitation confirmed at time of analysis, though the fix is publicly documented with code diff showing the vulnerable parameter handling.

Path Traversal PHP
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45624 MEDIUM PATCH GHSA This Month

Out-of-bounds heap over-read in Magick.NET's polynomial distortion operation exposes limited heap memory and can trigger a crash when processing a specially crafted image with specific distortion arguments. Affected are all Magick.NET NuGet package variants (Q16, Q16-HDRI, across AnyCPU, arm64, x64, x86, and OpenMP builds) prior to version 14.13.1. The CVSS vector scores this as a local, low-complexity issue with low confidentiality and availability impact; no public exploit code exists and it is not listed in the CISA KEV catalog at time of analysis.

Information Disclosure Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-45682 MEDIUM PATCH GHSA This Month

Heap memory exhaustion in the OpenTelemetry eBPF Instrumentation (OBI) Java agent affects all versions prior to 0.9.0 due to a memory leak in the custom CappedConcurrentHashMap used for TLS state tracking. Repeated TLS connection setup and teardown causes the internal ConcurrentLinkedQueue to grow without bound, because remove() purges keys from the backing ConcurrentHashMap but never from the queue, and the eviction logic only fires on put() when map.size() exceeds the cap. Under sustained TLS churn - a normal workload pattern for long-running instrumented services - this leads to progressive heap growth, extended GC pauses, and eventual OutOfMemoryError in the Java agent process. A proof-of-concept reproducer is publicly available, though no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Information Disclosure OpenSSL Java Suse
NVD GitHub VulDB
CVSS 3.1
5.1
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy