244 CVEs tracked today. 39 Critical, 97 High, 94 Medium, 12 Low.
-
CVE-2026-47358
CRITICAL
CVSS 9.2
Server-Side Request Forgery in Tenable Terrascan v1.18.3 and prior allows unauthenticated remote attackers to coerce the server into fetching arbitrary URLs, including file:// URIs that enable local file disclosure. The flaw is triggered when Terrascan runs in server mode and parses uploaded ARM or CloudFormation templates whose templateLink.uri, parametersLink.uri, or AWS::CloudFormation::Stack TemplateURL fields point to attacker-controlled destinations. No public exploit identified at time of analysis, and because Terrascan was archived in August 2023, no patch will ever be released.
SSRF
Hashicorp
-
CVE-2026-47357
CRITICAL
CVSS 9.2
Server-Side Request Forgery in Tenable's Terrascan IaC scanner (versions 1.18.3 and prior) lets unauthenticated remote attackers read arbitrary local files and exfiltrate ~/.netrc credentials when the tool runs in server mode. Because Terrascan was archived in August 2023, no vendor patch will ever be released, and the daemon binds to 0.0.0.0 with no authentication by default. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 reflects trivial network-reachable abuse paired with significant confidentiality scope change.
SSRF
Hashicorp
-
CVE-2026-47323
CRITICAL
CVSS 9.8
Remote code execution in Apache Camel 3.18.0-4.14.5 and 4.15.0-4.18.1 stems from CXF and Knative HeaderFilterStrategy implementations filtering only outbound Camel-internal headers while leaving inbound traffic unfiltered, letting unauthenticated attackers inject control headers such as CamelExecCommandExecutable and CamelFileName through HTTP requests to CXF-RS, CXF-SOAP, or Knative HTTP endpoints. When such routes pipe into header-driven components like camel-exec or camel-file, the injected headers override configured values, yielding RCE or arbitrary file writes. No public exploit identified at time of analysis, but EPSS sits at only 0.04% despite the 9.8 CVSS - this is the fifth iteration of the same header-injection pattern (CVE-2025-27636, 2025-29891, 2025-30177, 2026-40453), so prior PoCs for sibling CVEs are likely portable.
RCE
Apache
Apache Camel
-
CVE-2026-46725
CRITICAL
CVSS 9.2
Remote code execution in the TYPO3 'Content Element Selector' extension allows unauthenticated attackers to execute arbitrary PHP code by sending a crafted cookie that the extension feeds directly into PHP's unserialize(). The flaw (CWE-502, CVSS 4.0 score 9.2) is exploitable only on installations where a content element is configured with 'Persistent Mode: Static'. No public exploit identified at time of analysis, though the deserialization pattern is well-understood and typically rapid to weaponize.
PHP
RCE
Deserialization
-
CVE-2026-46412
CRITICAL
CVSS 10.0
Supply-chain compromise of the npm package @beproduct/nestjs-auth (versions 0.1.2 through 0.1.19) delivered the Mini Shai-Hulud worm payload via a malicious postinstall script, harvesting npm, GitHub, AWS, and HashiCorp Vault credentials from any developer or CI host that ran npm install during a 2h37m publication window on 2026-05-11. Confirmed actively exploited during that window via an attacker-controlled npm publish token; clean version 0.1.20 republishes the original 0.1.1 source tree. CVSS 10.0 reflects the unauthenticated, network-driven supply-chain delivery and scope change into the install environment.
Information Disclosure
Node.js
Hashicorp
-
CVE-2026-46395
CRITICAL
Private key disclosure in HAXcms Node.js backend (@haxtheweb/haxcms-nodejs <= 25.0.0) allows any remote unauthenticated attacker to retrieve the system's master signing secret and forge arbitrary admin JWTs via a single GET request to /system/api/connectionSettings. The flaw stems from a broken hmacBase64() implementation that hardcodes the HMAC key to '0' and then appends the real privateKey+salt to the base64-encoded token output. No public exploit identified at time of analysis in CISA KEV, but the GitHub Security Advisory includes a complete, working proof-of-concept making weaponization trivial.
PHP
Information Disclosure
Node.js
-
CVE-2026-46354
CRITICAL
CVSS 9.1
Unauthenticated agent token theft in Coder v2 (self-hosted developer workspace platform) stems from azureidentity.Validate() verifying the PKCS#7 signer's certificate chain but skipping signature verification of the signed content itself. Remote attackers who know a target VM's vmId (a UUIDv4) can forge a PKCS#7 envelope containing a legitimate Azure certificate alongside attacker-controlled content and POST it to the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint to receive the victim workspace agent's session token, which then unlocks Git SSH keys, OAuth tokens for GitHub/GitLab/Bitbucket, and workspace secrets. No public exploit identified at time of analysis, but the vulnerability is vendor-confirmed via GHSA-6x44-w3xg-hqqf and a detailed root-cause analysis with attack-path diagram is published.
RCE
Gitlab
Microsoft
Jwt Attack
Hashicorp
-
CVE-2026-46339
CRITICAL
CVSS 10.0
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent attackers to execute arbitrary OS commands by chaining two unprotected API endpoints. The Next.js authentication middleware in src/proxy.js uses a narrow route allowlist that excludes /api/cli-tools/* and /api/mcp/*, letting an attacker register an arbitrary command via POST /api/cli-tools/cowork-settings and then trigger spawn() via GET /api/mcp/[plugin]/sse. Publicly available exploit code exists (PoC published with the GHSA advisory), with CVSS 10.0 reflecting maximum severity across confidentiality, integrity, and availability.
Denial Of Service
Python
Docker
Command Injection
-
CVE-2026-45758
CRITICAL
CVSS 9.6
Supply chain compromise in the guardrails-ai Python package allows attackers to execute embedded malicious code on any developer or production host that installed version 0.10.1 from PyPI on May 11, 2026. The malicious release was live for roughly two hours before PyPI quarantined it, and the vendor reports no observed callbacks to Guardrails AI infrastructure, but any system that pulled 0.10.1 should be treated as compromised. No public exploit identified at time of analysis as a separate artifact - the package itself is the exploit, and exploitation requires user interaction (the install action) per the CVSS UI:R designation.
Authentication Bypass
-
CVE-2026-45721
CRITICAL
CVSS 9.0
Pre-authenticated remote code execution in Algernon web server (≤ 1.17.6) allows attackers who can place a handler.lua file anywhere in a parent directory of the server root to execute arbitrary Lua - including shell commands via run3() and os.execute - in the server process on the next HTTP request. The flaw stems from DirPage walking up to 100 ancestor directories past the configured server root searching for handler.lua, and the permission middleware does not gate this lookup, so an anonymous GET / suffices to trigger execution. Publicly available exploit code exists (the reporter published three working PoC variants and a live verification against 1.17.6).
RCE
Microsoft
Redis
Canonical
-
CVE-2026-45695
CRITICAL
CVSS 9.8
Remote code execution in Kopia backup server (≤ 0.22.3) allows unauthenticated attackers to run arbitrary OS commands as the Kopia process user via a single HTTP request to /api/v1/repo/exists when the server is launched with --without-password. Publicly available exploit code exists through the published GHSA advisory and PR diff; no in-the-wild weaponization was identified at time of analysis, but the trivially exploitable vector (CVSS 9.8) and detailed write-up make weaponization straightforward. The bug stems from naive space-splitting of attacker-controlled sshArguments that is fed to exec.CommandContext("ssh"), letting an -oProxyCommand= token trigger $SHELL -c execution before any SSH transport is established.
Command Injection
SSH
-
CVE-2026-45568
CRITICAL
Server-side request forgery in the zrok Python SDK's ProxyShare component (versions 0.4.47 through 1.1.11) allows remote unauthenticated users to redirect proxied requests to arbitrary hosts by submitting absolute URLs in the request path. Because the Flask handler concatenates user input with the configured target via urllib.parse.urljoin, an attacker (Bob) can replace the share owner's (Alice's) intended target with any host including internal cloud metadata endpoints, and the response is returned to the attacker. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-jh67-hwqw-m5r7 documents the technique in detail.
Python
Path Traversal
-
CVE-2026-45434
CRITICAL
CVSS 9.8
Remote code execution in Apache OFBiz before 24.09.06 stems from an improper authentication flaw in the password-change logic that allows unauthenticated remote attackers to bypass authentication and ultimately execute arbitrary code on the server. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against a widely deployed open-source ERP platform, though EPSS sits at only 0.07% and SSVC currently marks exploitation as 'none' - meaning no public exploit identified at time of analysis despite the severe technical impact.
Authentication Bypass
RCE
Apache
Apache Ofbiz
-
CVE-2026-43633
CRITICAL
CVSS 9.5
Unauthenticated root-level remote code execution affects HestiaCP versions 1.9.0 through 1.9.4 when the optional web terminal feature is enabled, stemming from a session-handling format mismatch (CWE-502) between the PHP backend and the Node.js web terminal. Remote attackers can inject crafted HTTP header data that PHP writes into session storage but Node.js parses with naive string splitting, yielding arbitrary command execution as root; no public exploit identified at time of analysis, though VulnCheck has published a technical advisory and the upstream patch is publicly diffable.
PHP
RCE
Deserialization
Node.js
-
CVE-2026-43493
CRITICAL
CVSS 9.8
Improper handling of MAY_BACKLOG requests in the Linux kernel's pcrypt (parallel crypto) module can cause incorrect processing of EBUSY return codes and EINPROGRESS notifications, potentially leading to instability or undefined behavior in cryptographic operations. The issue affects Linux kernel versions dating back to 2.6.34 and has been resolved upstream across multiple stable branches including 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. There is no public exploit identified at time of analysis and EPSS scoring (0.02%, 5th percentile) suggests very low real-world exploitation likelihood despite the CVSS 9.8 rating.
Information Disclosure
Linux
Red Hat
Suse
-
CVE-2026-42097
CRITICAL
CVSS 9.3
Unauthenticated SQL execution affects Sparx Pro Cloud Server when attackers omit the 'model' query parameter from the URL and instead supply the model name inside the binary POST body, bypassing the URL-based authentication check. Version 6.1 (build 167) and earlier are confirmed vulnerable, with broader version coverage unknown because the vendor did not respond to coordinated disclosure by CERT-PL. Publicly available exploit code exists via the researcher's blog write-up, though there is no CISA KEV listing of active in-the-wild exploitation.
Authentication Bypass
-
CVE-2026-41919
CRITICAL
CVSS 9.1
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Apache
LDAP
Code Injection
-
CVE-2026-36829
CRITICAL
CVSS 9.8
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypas...
Authentication Bypass
Path Traversal
-
CVE-2026-34234
CRITICAL
CVSS 10.0
Unauthenticated remote code execution in CtrlPanel billing software (versions 1.1.1 and prior) allows attackers to execute arbitrary OS commands via the web-based installer endpoint, even on already-installed instances. The flaw combines a control-flow bug (install.lock gate runs after handler execution) with command injection through unsanitized user input passed into shell commands. The advisory reports active exploitation in the wild, though no CISA KEV listing is present in the supplied data.
PHP
RCE
Command Injection
-
CVE-2026-33642
CRITICAL
CVSS 9.9
Heap memory corruption in Kitty cross-platform GPU terminal emulator (versions 0.46.2 and below) allows remote attackers to trigger out-of-bounds heap reads and writes by emitting crafted graphics protocol escape sequences. The flaw stems from a 32-bit integer overflow in handle_compose_command() that lets malicious x_offset/y_offset values bypass bounds checks. No public exploit identified at time of analysis, but the bug requires no user interaction, no authentication, and works against default configurations whenever attacker-controlled bytes can reach the terminal - including via SSH banners, cat'd files, or piped output.
Buffer Overflow
Integer Overflow
-
CVE-2026-31986
CRITICAL
CVSS 9.1
Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Apache
Information Disclosure
-
CVE-2026-31072
CRITICAL
CVSS 9.8
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deserialize attacker-controlled data via the bundled JSONSerializer or CBORSerializer. The unmarshal_object routine dynamically imports modules and invokes __setstate__ on arbitrary classes, letting an attacker pivot an untrusted payload into code execution; publicly available exploit code exists, though EPSS remains low at 0.06% (19th percentile).
RCE
Python
Deserialization
Red Hat
N A
-
CVE-2026-31071
CRITICAL
CVSS 9.1
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump all user records including bcrypt password hashes, tamper with drug inventory, and read private medical prescription data. The flaw stems from missing authentication middleware on backend Express routes such as /api/user/getUserData and /api/doctorOder. Publicly available exploit code exists, though EPSS rates exploitation probability at only 0.06% (17th percentile), consistent with a low-deployment open-source project rather than mass exploitation.
Authentication Bypass
N A
-
CVE-2026-31070
CRITICAL
CVSS 9.8
Privilege escalation in LalanaChami Pharmacy Management System (commit 5c3d028) allows any remote unauthenticated attacker to register a new account with administrator privileges by simply including a role parameter in the signup request body. The /api/user/signup endpoint trusts client-supplied role values without server-side validation, granting full administrative access in a single HTTP call. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but the trivial nature of the flaw means weaponization is straightforward once anyone notices the gist already documenting the issue.
Privilege Escalation
N A
-
CVE-2026-30118
CRITICAL
CVSS 9.8
Server-side request forgery in scalar/astro v0.1.13 allows remote unauthenticated attackers to coerce the backend into making HTTP requests to attacker-controlled destinations via the scalar_url query parameter of the Scalar Proxy endpoint. Exploitation can expose authentication cookies and headers forwarded by the proxy, enabling account takeover and potential privilege escalation. Publicly available exploit code exists, though EPSS is low (0.03%) suggesting limited mass exploitation at this time.
Privilege Escalation
SSRF
N A
-
CVE-2026-30117
CRITICAL
CVSS 9.8
Arbitrary code execution in Scalar Astro v0.1.13 allows remote unauthenticated attackers to upload malicious SVG files through the scalar_url query parameter of the Scalar Proxy endpoint. The flaw stems from inadequate validation in the proxy's file handling logic and, per CVSS, requires no authentication or user interaction, though EPSS rates real-world exploitation probability at only 0.02%. No public exploit identified at time of analysis, though a related XSS/Open-Redirect proof-of-concept repository is referenced.
RCE
Code Injection
File Upload
N A
-
CVE-2026-8959
CRITICAL
CVSS 9.6
Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Information Disclosure
Red Hat
Mozilla
Suse
-
CVE-2026-8956
CRITICAL
CVSS 9.8
Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Buffer Overflow
Integer Overflow
Red Hat
Mozilla
Suse
-
CVE-2026-8953
CRITICAL
CVSS 9.6
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Information Disclosure
Use After Free
Memory Corruption
Red Hat
Mozilla
-
CVE-2026-8950
CRITICAL
CVSS 9.3
Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Authentication Bypass
Red Hat
Mozilla
Suse
-
CVE-2026-8948
CRITICAL
CVSS 9.1
Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.
Authentication Bypass
Mozilla
Cors Misconfiguration
Suse
-
CVE-2026-8711
CRITICAL
CVSS 9.2
Heap buffer overflow in F5 NGINX JavaScript (njs) module versions 0.9.4 through 0.9.8 allows unauthenticated remote attackers to crash NGINX worker processes, with potential remote code execution on hosts where ASLR is disabled. Exploitation requires the deployment to use the js_fetch_proxy directive with at least one client-controlled NGINX variable (such as $http_*, $arg_*, or $cookie_*) and a location that invokes ngx.fetch(). No public exploit identified at time of analysis, but a vendor patch is available and the CVSS 4.0 base score of 9.2 reflects the high impact across confidentiality, integrity, and availability.
RCE
Buffer Overflow
Heap Overflow
Nginx
Suse
-
CVE-2026-8604
HIGH
CVSS 8.6
In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.
CSRF
-
CVE-2026-8603
HIGH
CVSS 8.7
In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.
Command Injection
-
CVE-2026-8602
HIGH
CVSS 8.8
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
Authentication Bypass
-
CVE-2026-8495
CRITICAL
CVSS 9.8
Forceful browsing in the Drupal Date iCal contributed module (versions prior to 4.0.15) allows remote unauthenticated attackers to bypass authorization checks and access protected calendar resources. Despite a CVSS score of 9.8, the EPSS exploitation probability sits at just 0.02% (4th percentile) and no public exploit has been identified at time of analysis. The flaw is a CWE-862 missing authorization issue patched by the Drupal Security Team in version 4.0.15.
Authentication Bypass
-
CVE-2026-4885
CRITICAL
CVSS 9.8
Unauthenticated arbitrary file upload in the Piotnet Addons for Elementor Pro WordPress plugin (versions through 7.1.70) allows remote attackers to upload dangerous file types and potentially achieve remote code execution. The flaw stems from an incomplete extension blacklist in the 'pafe_ajax_form_builder' AJAX handler that fails to block executable wrappers such as .phar and .phtml. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high-priority issue for any WordPress site running the plugin with a file-upload form field.
WordPress
RCE
File Upload
-
CVE-2026-4883
CRITICAL
CVSS 9.8
Arbitrary file upload in the Piotnet Forms WordPress plugin (all versions up to and including 2.1.40) allows unauthenticated remote attackers to upload dangerous file types such as .phar and .phtml, potentially leading to remote code execution on the underlying web server. The flaw stems from an incomplete extension blacklist in the piotnetforms_ajax_form_builder AJAX handler, and exploitation requires that a form on the site include a file upload field. No public exploit identified at time of analysis, but the CVSS 9.8 severity and unauthenticated network attack vector make this a high-priority WordPress plugin issue.
WordPress
RCE
File Upload
-
CVE-2026-2611
CRITICAL
CVSS 9.6
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protections on /ajax-api endpoints when a victim visits a malicious webpage, ultimately achieving arbitrary command execution through the Claude Code sub-agent. The flaw stems from improper origin validation (CWE-346) and is fixed in version 3.10.0; no public exploit identified at time of analysis, though a detailed huntr.com report and an upstream commit are publicly available.
RCE
-
CVE-2026-2587
CRITICAL
CVSS 9.6
Remote code execution in Eclipse GlassFish allows remote attackers to evaluate arbitrary Expression Language (EL) expressions through the gadget handler's server-side template rendering of .xml files, leading to full host compromise. The vulnerability (CVSS 9.6, CWE-917) requires user interaction but no authentication, and is demonstrable by submitting payloads like #{7*7} which the server evaluates to 49. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
RCE
-
CVE-2026-2586
CRITICAL
CVSS 9.1
Remote code execution in Eclipse GlassFish allows attackers with administrative access to the Administration Console to execute arbitrary operating system commands as the application service user. The flaw stems from improper input handling in admin panel requests (CWE-94), and while CVSS rates it 9.1 due to scope change and full CIA impact, exploitation requires high privileges (PR:H). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
RCE
Code Injection
-
CVE-2026-44159
CRITICAL
CVSS 9.3
Use of default administrative credentials in Tyler Identity Local (TID-L) allows remote unauthenticated attackers to gain full administrative access to affected deployments. The credentials are publicly documented and users are not forced to change them at install time, and because the product was discontinued in December 2020 and unsupported since 2021, no vendor patch is available. CVSS 4.0 rates this 9.3 (Critical); no public exploit identified at time of analysis and the issue is not in CISA KEV.
Information Disclosure
-
CVE-2026-47356
HIGH
CVSS 8.7
Server-Side Request Forgery in Terrascan up to v1.18.3 lets unauthenticated remote attackers coerce the scanner's HTTP client to POST full IaC scan results - along with an attacker-chosen Bearer token in the Authorization header - to any URL supplied via the webhook_url multipart parameter. Because Terrascan was archived by Tenable in August 2023, no vendor patch will be released, leaving every existing server-mode deployment permanently exposed. No public exploit identified at time of analysis and the CVE is not on CISA KEV, but the trivial exploit primitive (a single multipart POST) makes weaponization straightforward.
SSRF
-
CVE-2026-47314
HIGH
CVSS 7.8
Out-of-bounds write in Samsung's Escargot lightweight JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) allows attackers to corrupt memory by inducing buffer overflows through crafted JavaScript. Exploitation requires local execution of attacker-supplied script content with user interaction, but successful triggering yields high impact to confidentiality, integrity, and availability (CVSS 7.8). No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Buffer Overflow
Memory Corruption
Samsung
-
CVE-2026-47311
HIGH
CVSS 7.8
Heap-based buffer overflow in Samsung's Escargot JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) allows remote attackers to corrupt heap memory and likely achieve arbitrary code execution when a victim processes attacker-controlled JavaScript. No public exploit identified at time of analysis, but the upstream fix (PR #1565) reveals multiple memory-safety hardening changes including integer underflow protection in TypedArray.copyWithin, fast-mode array conversion checks during spread operations, and OOM handling, indicating concrete reachable corruption paths. CVSS 7.8 with local attack vector and required user interaction reflects the engine's typical embedding context (apps, IoT, smart TV runtimes) rather than network-facing services.
Buffer Overflow
Heap Overflow
Samsung
-
CVE-2026-47310
HIGH
CVSS 7.8
Use-after-free memory corruption in Samsung's Escargot JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) enables pointer manipulation when processing crafted JavaScript content, with CVSS 7.8 reflecting high-impact local exploitation requiring user interaction. The affected codepaths include evaluator error handling, TypedArray copyWithin operations on resizable buffers, DataView coercion, and array fast-mode transitions - all triggerable by attacker-controlled script. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial Of Service
Use After Free
Memory Corruption
Samsung
-
CVE-2026-47107
HIGH
CVSS 8.6
Cross-tenant DNS and TLS poisoning in Windmill versions prior to 1.703.2 allows authenticated low-privilege users to write to /etc/hosts, /etc/resolv.conf, and the system CA bundle from inside nsjail script sandboxes, persisting tampered state across every subsequent job on the same worker pod. Because poisoned entries survive between executions, attackers can hijack hostname resolution, perform transparent HTTPS man-in-the-middle, and steal WM_TOKEN JWTs to escalate to workspace-admin in other tenants. Publicly available exploit code exists per SSVC (poc), and CVSS 4.0 rates this 8.6 with high confidentiality and integrity impact.
Privilege Escalation
-
CVE-2026-47100
HIGH
CVSS 8.7
Stored cross-site scripting via missing authorization in Funnel Builder for WooCommerce Checkout (FunnelKit) plugin versions prior to 3.15.0.3 allows remote unauthenticated attackers to write arbitrary content to the plugin's External Scripts global setting through an exposed public AJAX endpoint. Injected JavaScript executes in the browser of every visitor to the WooCommerce checkout page, enabling credit card skimming, session theft, and credential harvesting. Publicly available exploit code exists and Sansec research indicates the flaw is being exploited in the wild against live e-commerce sites.
WordPress
Authentication Bypass
-
CVE-2026-46586
HIGH
CVSS 8.8
Authenticated code injection in Apache OFBiz versions prior to 24.09.06 allows remote attackers with low-privileged accounts to execute arbitrary code via improperly neutralized directives in dynamically evaluated expressions. The flaw combines CWE-94 code injection with eval injection, yielding full confidentiality, integrity, and availability impact (CVSS 8.8). No public exploit identified at time of analysis, and EPSS rates near-term exploitation at 0.03% (8th percentile), but SSVC flags the issue as automatable, raising the risk of scripted abuse once a POC emerges.
RCE
Apache
Code Injection
Apache Ofbiz
-
CVE-2026-46511
HIGH
Cross-tenant account takeover in HAXcms (@haxtheweb/haxcms-nodejs <= 25.0.0) chains Stored XSS with a token-leaking `/system/api/connectionSettings` endpoint to let an authenticated low-privilege attacker hijack arbitrary user sessions. By injecting script via Stored XSS vectors (such as iframe `srcdoc` or `<video-player>`), an attacker forces a victim's browser to fetch any target user's connection settings - which dynamically returns the active session's JWT, `user_token`, `site_token`, and `appstore_token` - and exfiltrates them to an attacker-controlled webhook. A detailed PoC is published in the GHSA advisory, so publicly available exploit code exists; no exploitation in the wild was reported at time of analysis.
PHP
XSS
-
CVE-2026-46426
HIGH
CVSS 7.6
Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.
XSS
Docker
CSRF
Redis
File Upload
-
CVE-2026-46417
HIGH
Server-Side Request Forgery in @angular/platform-server allows remote attackers to hijack the server-side rendering (SSR) hostname by supplying an absolute-form URL, causing relative HttpClient requests and PlatformLocation.hostname references to resolve against an attacker-controlled domain. The flaw affects Angular SSR applications that pass an unvalidated request URL into renderModule or renderApplication, enabling pivoting to internal APIs or cloud metadata endpoints. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SSRF
-
CVE-2026-46415
HIGH
CVSS 8.2
IP allowlist/blocklist bypass in Caddy Defender versions prior to 0.10.1 lets attackers from blocked IP ranges evade filtering when Caddy sits behind a trusted proxy, CDN, or load balancer. The module evaluated requests against r.RemoteAddr (the proxy's IP) instead of Caddy's resolved client_ip variable, so any source whose true IP should have been blocked could reach protected backends. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Authentication Bypass
-
CVE-2026-46410
HIGH
Information disclosure in FileBrowser Quantum (gtsteffaniak/filebrowser) allows unauthenticated users to view sensitive share information including source paths through the anonymous user account. The flaw stems from default user settings being applied to the anonymous user, exposing source and path data that should remain restricted. No public exploit identified at time of analysis, but a patched version (v1.4.1) has been released by the upstream maintainer.
Information Disclosure
-
CVE-2026-46396
HIGH
Stored cross-site scripting in HAX CMS (haxtheweb) allows authenticated users to inject malicious `<iframe>` elements containing `javascript:` URIs or `srcdoc` payloads that execute in other users' browser sessions. The flaw stems from improper sanitization in the page content editor and impacts the npm packages @haxtheweb/haxcms-nodejs, @haxtheweb/video-player, and @haxtheweb/iframe-loader at versions <= 25.0.0. A working proof-of-concept demonstrating JWT theft via `window.appSettings.jwt` is published in the GitHub Security Advisory GHSA-jh3h-rpxg-fr36, though nothing identified at time of analysis indicates mass weaponization.
XSS
Information Disclosure
-
CVE-2026-46393
HIGH
Server-Side Request Forgery in HAXcms (haxcms-nodejs <= 25.0.0) allows authenticated users to coerce the server into fetching arbitrary URLs or local file paths via the createSite endpoint's build.files parameter, with responses written to a web-accessible directory. Exploitation yields arbitrary file read, internal network reconnaissance, and exfiltration of cloud metadata credentials such as AWS IAM tokens from 169.254.169.254. A detailed proof-of-concept is published in the GitHub Security Advisory GHSA-q862-gcgq-5m6g, though no standalone weaponized exploit was identified at time of analysis.
PHP
CSRF
SSRF
-
CVE-2026-46391
HIGH
Server-Side Request Forgery leading to credential theft affects the @haxtheweb/open-apis npm package in versions prior to 26.0.0, where substring-only hostname validation allows attackers to redirect basic authentication credentials to attacker-controlled domains. Publicly available exploit code exists in the GHSA advisory demonstrating credential capture via crafted API calls through cloudflared tunnels, and the maintainer confirmed the leaked credentials grant access to unreleased LMS content on downstream systems. No EPSS or CVSS data is available, and the vulnerability is not currently listed in CISA KEV.
Information Disclosure
-
CVE-2026-46378
HIGH
CVSS 7.5
Denial of service in dasel (Go data selector library) versions 3.0.0 through 3.10.0 allows attackers who control selector query strings to pin a CPU core at 100% indefinitely via a 2-byte payload (`r/`). The selector lexer's `matchRegexPattern` closure lacks an end-of-input bounds check, causing an infinite loop when tokenizing unterminated regex literals. No public exploit identified at time of analysis beyond the reporter's PoC, and the issue is not listed in CISA KEV.
Denial Of Service
Apple
-
CVE-2026-46377
HIGH
CVSS 7.5
Denial of service in dasel (Go data selector library) v3.0.0 through v3.10.0 allows attackers who influence selector query strings to crash the host process via a 2-byte input. A trailing backslash inside a quoted selector (e.g., `"\` or `'\`) triggers an index-out-of-range panic in the lexer's escape-sequence handler. Publicly available exploit code exists (PoC in the GHSA advisory), and no evidence of in-the-wild abuse was identified at time of analysis.
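Both dasel entries above (the `r/` infinite loop and the `"\` panic) are the same lexer bug class: reading one byte past the current position without first checking that the input has one. The following is an added example, written here rather than taken from dasel, of a toy selector lexer whose grammar (identifiers, dots, quoted strings with backslash escapes, `r/.../` regex literals) is an assumption made for illustration. Every read beyond the current index is bounds-checked, and the driver loop carries a progress invariant so that a scanner which fails to advance is reported as an error rather than spinning a core.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

type token struct{ kind, text string }

// scanQuoted scans a quoted literal whose opening quote is at src[i]. Every
// read past i is bounds-checked, so a trailing backslash (`"\`) is reported
// as an error instead of indexing one byte past the end (the panic case).
func scanQuoted(src string, i int) (string, int, error) {
	quote := src[i]
	var b strings.Builder
	for j := i + 1; j < len(src); j++ {
		switch c := src[j]; c {
		case '\\':
			if j+1 >= len(src) {
				return "", 0, fmt.Errorf("unterminated escape at offset %d", j)
			}
			j++
			b.WriteByte(src[j])
		case quote:
			return b.String(), j + 1, nil
		default:
			b.WriteByte(c)
		}
	}
	return "", 0, fmt.Errorf("unterminated string at offset %d", i)
}

// scanRegex scans an r/pattern/ literal whose 'r' is at src[i]. The
// j < len(src) loop condition is the end-of-input check that turns a bare
// `r/` into an error rather than a loop that never finds its terminator.
func scanRegex(src string, i int) (string, int, error) {
	if i+1 >= len(src) || src[i] != 'r' || src[i+1] != '/' {
		return "", 0, errors.New("not a regex literal")
	}
	for j := i + 2; j < len(src); j++ {
		switch src[j] {
		case '\\':
			if j+1 >= len(src) {
				return "", 0, fmt.Errorf("unterminated escape in regex at offset %d", j)
			}
			j++
		case '/':
			return src[i+2 : j], j + 1, nil
		}
	}
	return "", 0, fmt.Errorf("unterminated regex at offset %d", i)
}

func isIdentByte(c byte) bool {
	return c == '_' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9'
}

// tokenize splits a selector into tokens. On top of the per-scanner checks it
// enforces a progress invariant: an iteration that does not advance pos is a
// lexer bug and is reported, so no input can keep the loop busy forever.
func tokenize(src string) ([]token, error) {
	var out []token
	for pos := 0; pos < len(src); {
		start := pos
		var err error
		switch c := src[pos]; {
		case c == '.':
			out, pos = append(out, token{"dot", "."}), pos+1
		case c == '\'' || c == '"':
			var s string
			if s, pos, err = scanQuoted(src, pos); err == nil {
				out = append(out, token{"string", s})
			}
		case c == 'r' && pos+1 < len(src) && src[pos+1] == '/':
			var s string
			if s, pos, err = scanRegex(src, pos); err == nil {
				out = append(out, token{"regex", s})
			}
		case isIdentByte(c):
			end := pos
			for end < len(src) && isIdentByte(src[end]) {
				end++
			}
			out, pos = append(out, token{"ident", src[pos:end]}), end
		default:
			return nil, fmt.Errorf("unexpected byte %q at offset %d", c, pos)
		}
		if err != nil {
			return nil, err
		}
		if pos <= start {
			return nil, fmt.Errorf("lexer made no progress at offset %d", start)
		}
	}
	return out, nil
}

func main() {
	for _, q := range []string{"a.'b\\'c'.r/^x+$/", "r/", `"\`} { // constructed inputs, including both 2-byte triggers
		toks, err := tokenize(q)
		fmt.Printf("%-20q -> %d tokens, err=%v\n", q, len(toks), err)
	}
}
```

The progress check is cheap insurance for any hand-written lexer that accepts untrusted selectors: it converts a missed bounds check from a CPU-pinning hang into a returned error, which is the failure mode you want in a service that evaluates user-supplied queries.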
Denial Of Service
Apple
-
CVE-2026-46374
HIGH
CVSS 7.5
Denial of service in SQLFluff parser (pip/sqlfluff) versions prior to 4.2.0 allows remote unauthenticated attackers to exhaust CPU and memory resources by submitting an excessively long or malicious SQL query for linting. The flaw affects any application that exposes the SQLFluff parser to untrusted input. No public exploit identified at time of analysis, but the issue was responsibly reported by Imperva Threat Research.
Denial Of Service
-
CVE-2026-46373
HIGH
CVSS 7.5
Denial of service in SQLFluff (Python SQL linter/parser) below version 4.1.0 allows remote attackers to exhaust server resources by submitting SQL queries with deliberately excessive nesting, triggering uncontrolled recursion in the parser. The flaw (CWE-674) affects any application that accepts untrusted SQL input for linting and carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/A:H); no public exploit identified at time of analysis, and no EPSS data is available.
Denial Of Service
-
CVE-2026-46372
HIGH
CVSS 8.5
Server-side request forgery in SillyTavern 1.17.0 allows authenticated low-privilege users to coerce the server into making arbitrary HTTP requests against internal or loopback addresses via the /api/search/searxng endpoint's unvalidated baseUrl parameter, returning response bodies to the attacker. The flaw was addressed in 1.18.0, which introduced an opt-in Private Request Whitelisting filter (disabled by default). Publicly available exploit code exists in the GitHub Security Advisory GHSA-qg89-qwwh-5f3j, but no active exploitation was identified at time of analysis.
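The SillyTavern baseUrl case and the HAXcms build.files case above share one defect: a user-supplied URL is fetched server-side with no check on where it points, so loopback services and the 169.254.169.254 metadata endpoint become reachable. The block below is an added example of an egress guard written here, not code from either project; the blocked ranges, the constructed DNS table in main, and the use of a dialer Control hook are the author's choices for this illustration. It validates scheme and resolved addresses up front and then re-checks the address inside the dial, which is what closes the DNS-rebinding and redirect-to-internal gaps that a pre-flight check alone leaves open.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// blockedNets: destinations a server-side fetcher must never reach on a user's
// behalf. Link-local (169.254.0.0/16) covers the cloud metadata service.
var blockedNets = func() (nets []*net.IPNet) {
	for _, c := range []string{
		"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
		"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
		"::1/128", "fc00::/7", "fe80::/10",
	} {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}()

// isBlockedIP reports whether ip is in a blocked range. IPNet.Contains unwraps
// IPv4-mapped IPv6, so ::ffff:169.254.169.254 is rejected as well.
func isBlockedIP(ip net.IP) bool {
	if ip.IsUnspecified() {
		return true
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// lookupFunc abstracts DNS so the check can run offline against a fixed table.
type lookupFunc func(host string) ([]net.IP, error)

// checkTarget validates a user-supplied URL: http(s) only, no embedded
// credentials, and every address the host resolves to must be public.
func checkTarget(raw string, lookup lookupFunc) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in URL not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("cannot resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return ips, nil
}

// dialControl re-checks the address the dialer is about to connect to. It runs
// after name resolution, inside the dial, so a record that changes between
// checkTarget and the request (DNS rebinding), or a redirect to an internal
// host, is still refused.
func dialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); ip == nil || isBlockedIP(ip) {
		return fmt.Errorf("dial to %s refused", address)
	}
	return nil
}

// safeClient applies dialControl to every connection the client opens,
// including those made while following redirects.
func safeClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: dialControl}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	// Constructed lookup table standing in for DNS; no network access is needed.
	table := map[string][]net.IP{"search.example": {net.ParseIP("198.51.100.10")}, "metadata.attacker": {net.ParseIP("169.254.169.254")}}
	lookup := func(h string) ([]net.IP, error) {
		if ips, ok := table[h]; ok {
			return ips, nil
		}
		return nil, errors.New("no such host")
	}
	for _, raw := range []string{"https://search.example/search", "http://metadata.attacker/latest/meta-data/", "http://[::ffff:169.254.169.254]/", "file:///etc/passwd"} {
		_, err := checkTarget(raw, lookup)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
	_ = safeClient()
}
```

An allowlist of permitted hosts is stricter and preferable where the product can support it (a search backend rarely needs to be arbitrary); the deny-list approach above is the fallback for features whose whole point is fetching user-chosen URLs. Either way the check belongs in the dial path, not only on the string the user submitted.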
CSRF
SSRF
-
CVE-2026-45805
HIGH
CVSS 8.8
Unauthenticated remote code execution in Penpot MCP module's ReplServer (npm @penpot/mcp < 2.15.0) allows anyone on the adjacent network to POST arbitrary JavaScript to a `/execute` endpoint and have it executed by the Node.js process. The flaw stems from Express defaulting the listen() bind address to 0.0.0.0 instead of localhost, combined with a complete absence of authentication on the REPL endpoint. No public exploit identified at time of analysis beyond the reporter's working PoC included in the GHSA advisory.
RCE
Docker
-
CVE-2026-45799
HIGH
CVSS 7.5
Denial of service in Square Wire protobuf library (com.squareup.wire:wire-runtime before 6.3.0) allows remote unauthenticated attackers to crash any service that decodes untrusted protobuf payloads by sending a 10-byte crafted message. The flaw stems from missing negative-length validation in skipGroup(), causing an unchecked ArrayIndexOutOfBoundsException to escape Wire's documented IOException boundary. No public exploit identified at time of analysis, though the GitHub advisory includes a full reproduction payload and Java PoC code.
Denial Of Service
Java
-
CVE-2026-45793
HIGH
CVSS 7.5
Sensitive token disclosure in Composer (PHP dependency manager) versions prior to 1.10.28, 2.2.28, and 2.9.8 causes GitHub Actions GITHUB_TOKEN values to be written verbatim to stderr/CI logs whenever the token contains characters outside Composer's hardcoded validation regex. The new GitHub Actions token format (ghs_<id>_<base64url-JWT>) includes hyphens, which fail Composer's `^[.A-Za-z0-9_]+$` check and trigger an UnexpectedValueException that interpolates the raw token into its message. No public exploit identified at time of analysis, but the leak triggers automatically without unusual configuration on any pipeline using common actions like shivammathur/setup-php that auto-register GITHUB_TOKEN into Composer's auth.json.
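The mechanism above is worth seeing in code because it is a general failure mode, not a Composer-specific one: a validator rejects a secret and interpolates the secret into the rejection. The block below is an added example written here, not Composer's code; it reuses only the regex the advisory quotes. The token value, the redaction rule, and the log-scanning pattern are the author's constructions, and the block does not claim to reproduce Composer's actual fix.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// legacyPattern is the check quoted in the advisory. It has no hyphen, so the
// newer ghs_<id>_<base64url-JWT> tokens, whose base64url segment may contain
// '-', fail it even though they are valid credentials.
var legacyPattern = regexp.MustCompile(`^[.A-Za-z0-9_]+$`)

// redact keeps just enough of a secret to correlate it with a log line: the
// prefix up to the first underscore and the last four characters.
func redact(secret string) string {
	if len(secret) <= 8 {
		return "***"
	}
	prefix := ""
	if i := strings.IndexByte(secret, '_'); i >= 0 {
		prefix = secret[:i+1]
	}
	return prefix + "***" + secret[len(secret)-4:]
}

// validateLeaky reproduces the failure mode: the raw token is interpolated
// into the error, and the caller writes the error to stderr / the CI log.
func validateLeaky(token string) error {
	if !legacyPattern.MatchString(token) {
		return fmt.Errorf("your github oauth token for github.com contains invalid characters: %q", token)
	}
	return nil
}

// validateSafe reports the same condition without echoing the secret.
func validateSafe(token string) error {
	if !legacyPattern.MatchString(token) {
		return fmt.Errorf("github token %s has characters outside %s (length %d)", redact(token), legacyPattern, len(token))
	}
	return nil
}

// tokenLike matches the documented GitHub token prefixes followed by a long
// token body; used to sweep captured CI logs for credentials that did leak.
var tokenLike = regexp.MustCompile(`\b(?:ghs|ghp|gho|ghu|github_pat)_[A-Za-z0-9_-]{16,}\b`)

// findLeakedTokens returns redacted forms of every token-shaped string in log.
func findLeakedTokens(log string) []string {
	var found []string
	for _, m := range tokenLike.FindAllString(log, -1) {
		found = append(found, redact(m))
	}
	return found
}

func main() {
	const token = "ghs_AbC123xyz_eyJhbGciOiJIUzI1NiJ9-AbCdEf" // constructed; not a real credential
	fmt.Println(validateLeaky(token))
	fmt.Println(validateSafe(token))
	fmt.Println(findLeakedTokens("composer: " + validateLeaky(token).Error()))
}
```

The detection half is the part a responder actually needs: any pipeline that ran the affected Composer versions with an auto-registered GITHUB_TOKEN should have its retained logs swept with a pattern like tokenLike, and matches treated as exposed even though GITHUB_TOKEN values expire when the job ends.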
PHP
Information Disclosure
-
CVE-2026-45783
HIGH
CVSS 7.5
Unauthenticated disk-exhaustion denial of service in @libp2p/kad-dht (versions before 16.2.6) allows any remote peer to fill the datastore of a DHT server-mode node by streaming PUT_VALUE messages with crafted keys that bypass record validation. Affected deployments include IPFS nodes (kubo, Helia), libp2p bootstrap nodes, and any application exposing a public DHT endpoint with clientMode disabled. Publicly available exploit code exists as a mocha PoC checked in alongside the package test suite; no evidence of active use was identified at time of analysis.
RCE
Node.js
-
CVE-2026-45738
HIGH
CVSS 7.3
Stored XSS in Argo CD allows developer-role users to inject javascript: URIs via link.argocd.argoproj.io/* annotations, which render unvalidated in the Application Summary tab's URLs section. When an admin clicks the disguised link, arbitrary JavaScript executes in the ArgoCD same-origin context with the victim's session, enabling API exfiltration and developer-to-admin privilege escalation. No public exploit identified at time of analysis beyond the detailed vendor PoC, and the issue is not currently listed in CISA KEV.
XSS
Privilege Escalation
Kubernetes
-
CVE-2026-45728
HIGH
CVSS 7.5
Information disclosure in Algernon web server versions 1.17.6 and earlier allows unauthenticated remote attackers to retrieve full server-side source code, including embedded secrets, by triggering runtime errors in Lua, Pongo2, Amber, or HTML template handlers. When Algernon is started with a single file path (e.g. `algernon page.po2`), single-file mode unconditionally forces debug mode on, activating the PrettyError renderer which returns absolute file paths and complete file contents in HTTP 200 responses. Crucially, the `--prod` hardening flag does not block this behavior for non-`.lua` extensions, and publicly available exploit code exists in the GHSA advisory.
Python
Information Disclosure
Microsoft
-
CVE-2026-45713
HIGH
CVSS 7.5
Unauthenticated remote denial-of-service in Mailpit versions prior to 1.30.0 allows network-reachable attackers to exhaust memory and disk by submitting arbitrarily large messages through the SMTP listener on port 1025 or the HTTP /api/v1/send endpoint on port 8025. The Server.MaxSize field exists but is never populated in production code, and the JSON decoder lacks http.MaxBytesReader, so a single connection delivering a 100 MiB DATA payload inflates RSS roughly tenfold (≈25 MiB → ≈1 GiB), and concurrent connections drive the process to OOM-kill. Publicly available exploit code exists (working SMTP and HTTP PoCs are included in the GHSA advisory), though the issue has no CISA KEV listing or EPSS score at time of analysis.
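The two ingress paths named above need two different limits, and the block below shows both as an added example written here rather than code from Mailpit: the HTTP side wraps the body in http.MaxBytesReader before the JSON decoder touches it (the call the advisory says was missing), and the SMTP side bounds the DATA phase with a limited reader around net/textproto's dot-decoder. The 1 MiB limit, the request shape, and the sample message are constructed for the illustration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/textproto"
	"strings"
)

// maxMessageBytes bounds one message on both ingress paths. Constructed value
// for the example; in Mailpit the equivalent knob is the Server.MaxSize field.
const maxMessageBytes = 1 << 20

type sendRequest struct {
	From    string   `json:"From"`
	To      []string `json:"To"`
	Subject string   `json:"Subject"`
	Text    string   `json:"Text"`
}

// sendHandler is the hardened shape of a JSON "send" endpoint: the body is
// wrapped in http.MaxBytesReader before the decoder sees it, so an oversized
// payload is cut off at the limit instead of being buffered in full.
func sendHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxMessageBytes)
	var req sendRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "message exceeds size limit", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed JSON", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

var errTooLarge = errors.New("message too large")

// readDATA reads an SMTP DATA body up to the "\r\n.\r\n" terminator with the
// dot-decoding reader from net/textproto, but never buffers more than max
// bytes. On errTooLarge the caller should reply 552 and close the connection:
// the unread remainder of the DATA stream is still on the wire, so the
// session cannot simply continue.
func readDATA(r *bufio.Reader, max int64) ([]byte, error) {
	dot := textproto.NewReader(r).DotReader()
	body, err := io.ReadAll(io.LimitReader(dot, max+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > max {
		return nil, errTooLarge
	}
	return body, nil
}

func main() {
	// Constructed DATA sample, dot-stuffed the way a client sends it.
	msg := "Subject: hello\r\n\r\nbody line\r\n..leading dot\r\n.\r\n"
	body, err := readDATA(bufio.NewReader(strings.NewReader(msg)), maxMessageBytes)
	fmt.Printf("%q %v\n", body, err)
	_, err = readDATA(bufio.NewReader(strings.NewReader(msg)), 16)
	fmt.Println(err)
	http.HandleFunc("/api/v1/send", sendHandler) // if exposed at all, bind to 127.0.0.1, not 0.0.0.0
}
```

A per-message cap does not by itself bound aggregate memory under concurrent connections; pair it with a connection limit on the SMTP listener and keep a development tool like this off routable interfaces.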
Denial Of Service
-
CVE-2026-45576
HIGH
Path traversal in OpenZiti zrok allows a malicious WebDAV/zrok share operator to write files outside the victim's selected destination directory when the victim runs 'zrok2 copy' against the attacker-controlled share. Affected versions include zrok v2 prior to 2.0.3 and the legacy zrok 0.4.23 through 1.1.11 (no fix released for the legacy line). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Path Traversal
-
CVE-2026-43634
HIGH
CVSS 8.7
Authentication security bypass in HestiaCP 1.2.0 through 1.9.4 allows unauthenticated remote attackers to spoof their source IP address by injecting an arbitrary value into the CF-Connecting-IP HTTP header, which the panel trusts unconditionally without verifying the request originated from Cloudflare's network. This enables attackers to defeat fail2ban brute-force throttling, evade per-user IP allowlists, and poison authentication audit logs. Publicly available exploit code exists and a vendor patch is available.
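The HestiaCP entry and the Caddy Defender entry earlier on this page are mirror images of one decision: which address to use for access control when a proxy may sit in front. HestiaCP believed CF-Connecting-IP from any peer; Caddy Defender ignored the forwarded address and checked the proxy's own. The block below is an added example written here, not code from either project, of the rule that handles both: trust client-identifying headers only when the immediate peer is a known proxy, and then take the rightmost forwarded hop that is not one of your own. The trusted ranges (a private LB subnet and a TEST-NET block standing in for a CDN's published edge ranges) and the deny list are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

func mustCIDRs(cidrs ...string) (nets []*net.IPNet) {
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// trustedProxies: the only peers whose client-identifying headers are believed.
// In production this is your LB subnet plus the CDN's published ranges.
// blockedClients is the operator's deny list.
var (
	trustedProxies = mustCIDRs("10.0.0.0/8", "192.0.2.0/24")
	blockedClients = mustCIDRs("203.0.113.0/24")
)

// clientIP returns the address access decisions must use.
//   - Untrusted peer: its socket address; headers are attacker-controlled and
//     ignored (honouring CF-Connecting-IP from anyone was the HestiaCP flaw).
//   - Trusted peer: CF-Connecting-IP when set, else the rightmost
//     X-Forwarded-For hop that is not itself a trusted proxy (stopping at the
//     peer address, r.RemoteAddr, was the Caddy Defender flaw).
// nil means "could not determine"; the caller treats that as deny.
func clientIP(r *http.Request, trusted []*net.IPNet) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil || !inAny(peer, trusted) {
		return peer
	}
	if v := strings.TrimSpace(r.Header.Get("CF-Connecting-IP")); v != "" {
		return net.ParseIP(v) // nil on garbage from a trusted proxy: fail closed
	}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return peer // the proxy forwarded nothing; it is the client as far as we know
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return nil
		}
		if !inAny(ip, trusted) {
			return ip
		}
	}
	return peer
}

// denyList wraps next with an IP deny list evaluated on clientIP, never RemoteAddr.
func denyList(blocked, trusted []*net.IPNet, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip := clientIP(r, trusted)
		if ip == nil || inAny(ip, blocked) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func newHandler() http.Handler {
	return denyList(blockedClients, trustedProxies, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
}

func main() {
	// Constructed requests: a direct attacker spoofing the Cloudflare header,
	// and the same attacker arriving through a trusted load balancer.
	for _, c := range []struct{ remote, header, value string }{
		{"203.0.113.5:4444", "CF-Connecting-IP", "198.51.100.1"},
		{"10.0.0.1:1111", "X-Forwarded-For", "203.0.113.5, 10.0.0.2"},
	} {
		r, _ := http.NewRequest("GET", "/", nil)
		r.RemoteAddr = c.remote
		r.Header.Set(c.header, c.value)
		fmt.Printf("peer %s %s=%q -> client %v\n", c.remote, c.header, c.value, clientIP(r, trustedProxies))
	}
}
```

The same resolved address must feed every consumer that keys on client identity (rate limiting, fail2ban log lines, audit logs), or an attacker will find the one path that still reads the raw header.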
Authentication Bypass
-
CVE-2026-42100
HIGH
CVSS 7.1
Denial of service in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated remote attackers to crash the service by submitting a specially crafted SQL query that the server fails to parse safely. The flaw, reported by CERT-PL, results in unexpected termination of the Pro Cloud Server process, and no public exploit identified at time of analysis. The vendor did not respond to disclosure, so the full vulnerable version range remains unconfirmed.
Denial Of Service
-
CVE-2026-42099
HIGH
CVSS 7.7
Remote code execution in Sparx Systems Pro Cloud Server (all versions up to and including 6.1 build 167) is achievable by authenticated repository users via a race condition in the /data_api/dl_internal_artifact.php endpoint. An attacker who controls both the filename and contents of a downloaded artifact can briefly stage a malicious PHP file in the web root and execute it before cleanup, leading to full server compromise. No public exploit identified at time of analysis, but a detailed technical write-up published by CERT-PL and sploit.tech reduces the barrier to reproduction.
PHP
RCE
Race Condition
-
CVE-2026-42098
HIGH
CVSS 8.7
Privilege escalation in Sparx Enterprise Architect 17.1 and earlier allows an authenticated low-privilege user to impersonate any other user, including administrators, by tampering with the client-side application (e.g., via a debugger). Because role-based access enforcement happens in the client rather than on the server (CWE-603), an attacker who has any valid login can gain full repository control. No public exploit identified at time of analysis, although technical write-ups are referenced.
Information Disclosure
-
CVE-2026-42096
HIGH
CVSS 8.7
Broken access control in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated low-privileged users to execute arbitrary SQL queries against the backend database with the database user's privileges. The flaw stems from missing permission checks in the database communication layer, effectively granting any logged-in user the ability to read or modify any data the service account can access. No public exploit identified at time of analysis, but technical write-ups have been published by CERT-PL and independent researchers.
Authentication Bypass
-
CVE-2026-41470
HIGH
CVSS 8.2
Authorization bypass in LIVE555 RTSP server (versions before 2026.04.22) allows remote unauthenticated attackers to hijack active streaming sessions by replaying valid Session tokens over a separate TCP connection. By issuing PLAY or TEARDOWN commands with a captured token, attackers can crash the server via virtual function call errors or terminate legitimate viewers' streams. Publicly available exploit code exists, and a vendor patch has been released; the issue is not listed in CISA KEV at time of analysis.
Authentication Bypass
Suse
-
CVE-2026-39250
HIGH
CVSS 7.3
Authorization bypass in Innoshop 0.6.0 allows authenticated frontend users to directly invoke backend administrative interfaces, enabling privileged operations outside their intended scope. The CVSS 7.3 score reflects low-impact gains across confidentiality, integrity, and availability achievable without prior authentication to the admin panel. No public exploit identified at time of analysis, and EPSS estimates exploitation probability at just 0.02% (5th percentile), indicating minimal observed attacker interest so far.
Authentication Bypass
-
CVE-2026-36828
HIGH
CVSS 8.8
A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter.
Command Injection
-
CVE-2026-34358
HIGH
CVSS 8.1
Privilege escalation in CtrlPanel hosting billing software (versions ≤1.1.1) allows any authenticated low-privilege user to invoke admin write endpoints because store()/update() controller methods omit the RBAC permission checks present on their corresponding form-display methods. Successful exploitation yields effective admin control over API credentials, coupons, vouchers, partner commissions, shop pricing, server ownership, and user accounts (including roles, credits, passwords, and Pterodactyl linkages). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authentication Bypass
Privilege Escalation
-
CVE-2026-34241
HIGH
CVSS 8.7
Stored cross-site scripting in CtrlPanel (versions ≤1.1.1) allows a low-privileged ticket participant to inject arbitrary JavaScript into reply notifications that execute in the recipient's browser when rendered via Blade's unescaped `{!! !!}` directive. Because notifications flow bidirectionally between users and admins, a regular user can hijack an admin session - yielding privilege escalation across a scope-changed (S:C) trust boundary - and a malicious admin can pivot back to target users. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the attack path is straightforward given an authenticated low-privileged account and an admin reading the ticket queue.
XSS
-
CVE-2026-33633
HIGH
CVSS 7.5
Heap buffer overflow in Kitty terminal versions 0.46.2 and below allows any process whose output the terminal renders (a displayed file, a remote shell session) to crash the application and potentially achieve remote code execution. The flaw lives in load_image_data() and is triggered by a single APC graphics protocol command declaring PNG format (f=100) with a payload exceeding twice the initial buffer capacity, giving the attacker control over both overflow length and content. No public exploit identified at time of analysis, but the vulnerability has been fixed upstream in version 0.47.0.
Buffer Overflow
Heap Overflow
-
CVE-2026-33233
HIGH
CVSS 7.6
Insecure deserialization in Significant-Gravitas AutoGPT platform versions 0.6.34 through 0.6.51 lets an attacker who can poison entries in the shared Redis cache achieve arbitrary command execution inside the backend container. The backend's read path invokes pickle.loads on cache bytes with no HMAC, signature, or schema gate, so any attacker-controlled value reaching that key becomes code on retrieval. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the vendor shipped a fix in autogpt-platform-beta-v0.6.52.
Deserialization
Redis
-
CVE-2026-33232
HIGH
CVSS 7.5
Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust server disk space by repeatedly invoking the download_agent_file endpoint, which creates temporary files that are never cleaned up. Once disk capacity is consumed, the backend database and dependent services fail with 'No space left on device' errors, taking the entire platform offline for all users. No public exploit identified at time of analysis, but the trivial nature of the attack (simple repeated HTTP requests) makes it readily reproducible.
Denial Of Service
-
CVE-2026-32882
HIGH
CVSS 7.1
Heap buffer over-read in libheif versions 1.21.2 and prior allows remote attackers to crash applications or potentially leak adjacent heap memory by supplying a crafted HEIF/AVIF file with an overlay image (iovl) whose alpha channel bit depth differs from its color channels. The flaw in HeifPixelImage::overlay() uses the color channel stride to index into the alpha plane, reading up to 3,123 bytes beyond the alpha buffer for a 100×50 image with 10-bit color and 8-bit alpha. No public exploit identified at time of analysis, and the issue is fixed in version 1.22.0.
Buffer Overflow
Denial Of Service
Information Disclosure
Red Hat
Suse
-
CVE-2026-32741
HIGH
CVSS 7.1
Heap buffer overflow in libheif versions 1.21.2 and below allows remote attackers to corrupt memory via a maliciously crafted HEIF file containing a mask image (mski) box. The flaw resides in MaskImageCodec::decode_mask_image(), where an attacker-controlled iloc extent length is memcpy'd into an undersized pixel buffer with no upper-bound validation, yielding heap corruption when a user opens the file. No public exploit identified at time of analysis, but the vulnerability is straightforward to trigger because the vulnerable branch is reachable under default library security limits.
Buffer Overflow
Heap Overflow
Red Hat
Suse
-
CVE-2026-32740
HIGH
CVSS 8.8
Heap buffer overflow write in libheif (versions ≤ 1.21.2) lets a crafted HEIF/AVIF file write 64 bytes of attacker-controlled data past a chroma-plane heap allocation during grid tile compositing. Any application using libheif to decode untrusted images - image viewers, file managers, browsers, mobile OS thumbnailers - is exposed, with CVSS 8.8 reflecting likely code execution after user-triggered file open. No public exploit identified at time of analysis, but the deterministic 64-byte fully-controlled overflow is highly favorable for exploitation.
Buffer Overflow
Memory Corruption
Red Hat
Suse
-
CVE-2026-32323
HIGH
CVSS 7.3
Local privilege escalation in Mullvad VPN for macOS versions 2026.1 and earlier allows a user in the admin group to gain root code execution during installation or upgrade. The installer's preinstall script executes binaries from /Applications/Mullvad VPN.app without verifying the bundle's integrity, enabling an admin-group attacker to pre-stage a malicious app bundle that runs as root. No public exploit identified at time of analysis, and the flaw is only triggerable when an installer is run, not on already-installed systems.
Privilege Escalation
RCE
Apple
-
CVE-2026-31910
HIGH
CVSS 7.5
Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Apache
SSRF
-
CVE-2026-31909
HIGH
CVSS 7.5
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Apache
Information Disclosure
-
CVE-2026-31069
HIGH
CVSS 8.8
SQL injection in BillaBear (all versions prior to January 2026) allows authenticated users holding the ROLE_ACCOUNT_MANAGER role to execute arbitrary SQL commands via the EventRepository component. The flaw stems from unsanitized filter identifier keys being concatenated into queries through sprintf(), and while no public exploit was identified at time of analysis and the issue is not listed in CISA KEV, two CVE-referenced gists suggest detailed technical write-ups are publicly available. EPSS is very low (0.01%), but the high CVSS of 8.8 and clear exploitation path make this a meaningful risk for any deployed instance.
SQLi
N/A
-
CVE-2026-29226
HIGH
CVSS 7.3
Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Apache
SSRF
-
CVE-2026-27648
HIGH
CVSS 8.8
Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code within pre-installed apps via an out-of-bounds write (CWE-787). The CVSS 8.8 vector reflects network-reachable exploitation with low complexity and no user interaction once minimal privileges are obtained, yielding high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
RCE
Buffer Overflow
Memory Corruption
-
CVE-2026-27173
HIGH
CVSS 8.7
JWT tokens used by workers in Kubernetes Executors were exposed to users who had read-only access to Kubernetes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via the Task SDK and potentially allow them to modify the state of Ai...
Information Disclosure
Kubernetes
-
CVE-2026-25781
HIGH
CVSS 8.4
Out-of-bounds write in OpenHarmony v6.0 and earlier enables a local low-privileged attacker to corrupt memory and trigger an unrecoverable denial-of-service condition on affected devices. The flaw was disclosed by the OpenHarmony project itself, and no public exploit identified at time of analysis. Although CVSS scores it 8.4 (High) due to scope change and high confidentiality/integrity impact, the vector indicates local-only access with low privileges already required.
Buffer Overflow
Memory Corruption
-
CVE-2026-24792
HIGH
CVSS 8.1
Remote code execution in OpenHarmony v6.0 and prior versions allows authenticated remote attackers to execute arbitrary code within pre-installed applications through a race condition flaw (CWE-364). The CVSS 8.1 score reflects high confidentiality and availability impact but no integrity impact, and no public exploit has been identified at time of analysis. The vulnerability requires low privileges but no user interaction, making it exploitable across OpenHarmony's distributed device ecosystem including smart devices, wearables, and IoT endpoints running the open-source operating system.
RCE
-
CVE-2026-22069
HIGH
CVSS 7.3
Local privilege escalation in OPPO's O+ Connect application stems from missing caller identity validation on a named pipe interface (CWE-266), allowing a low-privileged local user with user interaction to escalate to higher privileges with high availability impact and scope change. The CVSS 3.1 score is 7.3 and the issue was reported by OPPO itself; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Privilege Escalation
-
CVE-2026-8975
HIGH
CVSS 8.8
Memory corruption in Mozilla Firefox 150 and Firefox ESR (115.35, 140.10) allows remote attackers to potentially execute arbitrary code when a user visits a crafted web page. The flaws stem from memory safety bugs reported by Mozilla developers, some showing evidence of exploitable memory corruption. No public exploit identified at time of analysis, and EPSS scoring (0.06%) suggests low near-term exploitation likelihood despite the high CVSS rating.
RCE
Buffer Overflow
Mozilla
-
CVE-2026-8974
HIGH
CVSS 8.8
Memory corruption in Mozilla Firefox 150 and Firefox ESR 140.10 allows remote attackers to potentially execute arbitrary code when a victim visits a crafted web page. The flaw stems from multiple memory safety bugs reported by Mozilla developers, with some showing evidence of exploitable memory corruption; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.05%, 14th percentile). Mozilla has shipped fixes in Firefox 151 and Firefox ESR 140.11.
RCE
Buffer Overflow
Mozilla
-
CVE-2026-8973
HIGH
CVSS 8.8
Memory corruption vulnerabilities in Mozilla Firefox 150 could enable remote code execution when a user visits a maliciously crafted web page, with Mozilla acknowledging that some of the bugs showed evidence of memory corruption potentially exploitable for arbitrary code execution. The issue is resolved in Firefox 151 per Mozilla advisory MFSA2026-46/MFSA2026-50. No public exploit identified at time of analysis and EPSS remains low (0.04%), but SSVC rates technical impact as total and automatable.
RCE
Buffer Overflow
Mozilla
-
CVE-2026-8972
HIGH
CVSS 8.8
Privilege escalation in Mozilla Firefox's WebRTC Audio/Video component allows remote attackers to elevate privileges within the browser context when a user is lured into interacting with a malicious page. The flaw carries a CVSS 8.8 with required user interaction and was addressed in Firefox 151; no public exploit identified at time of analysis and EPSS exploitation probability sits at 0.03% (8th percentile).
Privilege Escalation
Mozilla
Suse
-
CVE-2026-8970
HIGH
CVSS 8.8
Privilege escalation in Mozilla Firefox's Security component allows remote attackers to elevate privileges within the browser when a victim interacts with attacker-controlled content, affecting Firefox versions prior to 151 and Firefox ESR prior to 140.11. With CVSS 8.8 (high) and user interaction required, exploitation is plausible via malicious web content, though EPSS sits at just 0.04% (12th percentile) and no public exploit identified at time of analysis. SSVC rates exploitation as 'none' but flags the issue as automatable with partial technical impact, suggesting concerning scalability if a working exploit emerges.
Privilege Escalation
Red Hat
Mozilla
Suse
-
CVE-2026-8969
HIGH
CVSS 8.1
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151.
Authentication Bypass
Mozilla
Suse
-
CVE-2026-8968
HIGH
CVSS 7.5
Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Denial Of Service
Red Hat
Mozilla
Suse
-
CVE-2026-8967
HIGH
CVSS 7.5
Information disclosure in Mozilla Firefox's WebGPU graphics component allows remote attackers to access sensitive in-memory data from browser sessions via crafted web content rendered through the WebGPU API. The flaw affects Firefox versions prior to 151 and has been addressed by Mozilla in advisories MFSA2026-46 and MFSA2026-50. There is no public exploit identified at time of analysis, and EPSS scoring (0.02%, 4th percentile) indicates very low likelihood of near-term mass exploitation.
Information Disclosure
Mozilla
Suse
-
CVE-2026-8966
HIGH
CVSS 7.5
Information disclosure in Mozilla Firefox versions prior to 151 affects the IP Protection component, allowing remote unauthenticated attackers to obtain sensitive information over the network without user interaction. The flaw carries a CVSS score of 7.5 driven entirely by confidentiality impact (C:H/I:N/A:N), and while no public exploit is identified at time of analysis, the very low EPSS score of 0.02% (4th percentile) suggests minimal active exploitation interest. Mozilla addressed the issue in Firefox 151 via security advisories MFSA2026-46 and MFSA2026-50.
Information Disclosure
Mozilla
Suse
-
CVE-2026-8965
HIGH
CVSS 7.5
Information disclosure in Mozilla Firefox prior to version 151 allows remote attackers to leak sensitive data through a flaw in the DOM: Security component, exploitable without authentication or user interaction. The CVSS 7.5 rating reflects high confidentiality impact via network vector, though EPSS scoring at 0.02% (4th percentile) indicates very low predicted exploitation probability and no public exploit identified at time of analysis.
Information Disclosure
Mozilla
Suse
-
CVE-2026-8964
HIGH
CVSS 7.5
Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151.
Information Disclosure
Mozilla
Suse
-
CVE-2026-8963
HIGH
CVSS 7.5
Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.
Authentication Bypass
Mozilla
Suse
-
CVE-2026-8962
HIGH
CVSS 8.1
Mitigation bypass in Mozilla Firefox's DOM: Security component allows remote attackers to circumvent built-in browser security protections when a user visits a maliciously crafted web page. The flaw affects Firefox versions prior to 151 and Firefox ESR prior to 140.11, with CVSS 8.1 reflecting high confidentiality and integrity impact contingent on user interaction. EPSS scoring is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but the CWE-693 protection-mechanism-failure classification means defensive layers users rely on may not function as intended.
Authentication Bypass
Red Hat
Mozilla
Suse
-
CVE-2026-8960
HIGH
CVSS 7.5
Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151.
Authentication Bypass
Mozilla
Suse
-
CVE-2026-8958
HIGH
CVSS 8.6
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Information Disclosure
Red Hat
Mozilla
Suse
-
CVE-2026-8957
HIGH
CVSS 8.8
Privilege escalation in the Enterprise Policies component of Mozilla Firefox affects versions prior to Firefox 151 and Firefox ESR 140.11, allowing remote attackers who can convince a user to interact with crafted content to elevate privileges within the browser. No public exploit identified at time of analysis, and EPSS scoring places exploitation probability at just 0.03% (9th percentile). The vulnerability requires user interaction per the CVSS vector, which somewhat constrains real-world weaponization despite the high 8.8 CVSS score.
Privilege Escalation
Red Hat
Mozilla
Suse
-
CVE-2026-8955
HIGH
CVSS 8.8
Privilege escalation in Mozilla Firefox's DOM Workers component allows remote attackers to elevate privileges within the browser when a victim interacts with a malicious web page. Affects Firefox versions prior to 151 and Firefox ESR prior to 140.11, with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.03% (9th percentile).
Privilege Escalation
Red Hat
Mozilla
Suse
-
CVE-2026-8954
HIGH
CVSS 7.5
Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Buffer Overflow
Red Hat
Mozilla
Suse
-
CVE-2026-8952
HIGH
CVSS 8.8
Privilege escalation in Mozilla Firefox via the Application Update component allows remote attackers to gain elevated privileges when a user interacts with malicious content, fixed in Firefox 151. The flaw carries a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R) and is categorized under CWE-269 (Improper Privilege Management). There is no public exploit identified at time of analysis, and EPSS estimates only a 0.03% probability of exploitation in the next 30 days.
Privilege Escalation
Mozilla
Suse
-
CVE-2026-8949
HIGH
CVSS 7.5
Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Buffer Overflow
Integer Overflow
Mozilla
Suse
-
CVE-2026-8947
HIGH
CVSS 7.3
Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Information Disclosure
Use After Free
Memory Corruption
Red Hat
Mozilla
-
CVE-2026-8946
HIGH
CVSS 7.5
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Buffer Overflow
Red Hat
Mozilla
Suse
-
CVE-2026-8945
HIGH
CVSS 7.5
Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.
Information Disclosure
Google
Mozilla
Suse
-
CVE-2026-8912
HIGH
CVSS 7.5
SQL injection in the Contest Gallery WordPress plugin (versions through 28.1.6) allows unauthenticated remote attackers to extract sensitive database contents by abusing the 'form_input' parameter handled by the 'post_cg_gallery_form_upload' AJAX action. The endpoint is gated only by a public nonce that is exposed in the page source of any public gallery page, effectively offering no protection against external attackers. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and affects a publicly reachable PHP endpoint.
PHP
WordPress
SQLi
-
CVE-2026-8827
HIGH
CVSS 8.2
SQL injection in the TYPO3 'address_list' extension's AddressRepository::getSqlQuery() method allows remote attackers to manipulate database queries when the method is called with untrusted input. The flaw is latent - the vulnerable method is not invoked anywhere within the extension itself, so default installations are not exposed, but custom or third-party extensions that reuse this method become injection sinks. No public exploit identified at time of analysis, and no EPSS or KEV signal accompanies the advisory.
SQLi
-
CVE-2026-8813
HIGH
CVSS 7.7
Denial-of-service in ExifReader (npm package mattiasw/ExifReader) before 4.39.0 allows remote attackers to exhaust memory by submitting a crafted image whose ICC profile contains a malformed mluc tag. A specially crafted record count combined with a zero record size causes the parser to loop on the same record while continuously appending entries to an array, driving memory growth until the host process crashes. CVSS 4.0 base score is 7.7 with proof-of-concept exploit maturity (E:P), and publicly available exploit code exists via the referenced gist; no active in-the-wild exploitation is indicated.
Denial Of Service
-
CVE-2026-8727
HIGH
CVSS 7.1
Remote code execution in the TYPO3 Crawler extension occurs when the X-T3Crawler-Meta response header from a crawled URL is passed unchecked to PHP's unserialize(), enabling arbitrary PHP object injection. Exploitation requires a high-privileged administrator to configure a crawler-enabled page and a Scheduler task pointing at an attacker-controlled endpoint, so while impact is full RCE on the TYPO3 host, it is gated by an unusual combination of admin access, user interaction, and externally reachable malicious URLs. No public exploit identified at time of analysis and no CISA KEV listing.
PHP
RCE
Deserialization
-
CVE-2026-8726
HIGH
CVSS 8.2
SQL injection in the TYPO3 'news' extension allows unauthenticated remote attackers to inject arbitrary SQL through a URL parameter on pages that render the 'Date Menu of news articles' plugin. The flaw stems from missing sanitization of user input before it reaches a database query, and exposure is limited to sites that both use the affected plugin and have not enabled the TypoScript/plugin setting disableOverrideDemand. No public exploit identified at time of analysis.
SQLi
-
CVE-2026-8370
HIGH
CVSS 8.5
Local privilege escalation in Broadcom Automic Automation Agent versions prior to 24.4.4 HF1 allows authenticated low-privileged users on Unix-family systems (Linux x64, Linux Power 64 BE/LE, zLinux, AIX, Solaris x64, Solaris Sparc 64) to abuse the agent's elevated privileges and target programs running with higher rights. The CVSS 4.0 score of 8.5 reflects high confidentiality, integrity, and availability impact achievable from a local foothold, with no public exploit identified at time of analysis.
Privilege Escalation
Broadcom
-
CVE-2026-8073
HIGH
CVSS 7.5
Arbitrary file read and deletion in the Kirki - Freeform Page Builder plugin for WordPress (versions through 6.0.6) allows unauthenticated remote attackers to read and delete files within the WordPress uploads base directory by abusing the 'downloadZIP' function. The flaw stems from insufficient path validation and a missing capability check, and was reported by Wordfence; no public exploit identified at time of analysis.
WordPress
Information Disclosure
-
CVE-2026-7571
HIGH
CVSS 7.1
Implicit flow bypass in Red Hat Build of Keycloak allows a low-privileged authenticated user who already knows another user's credentials and a client ID to obtain OIDC access tokens from clients where the implicit flow was explicitly disabled. Beyond the unauthorized token issuance, the resulting tokens can be written to server logs, proxy logs, and HTTP Referer headers, broadening the disclosure surface. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Information Disclosure
Red Hat
-
CVE-2026-7507
HIGH
CVSS 7.5
Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take over accounts, including highly privileged administrative ones. Exploitation requires the victim to click an attacker-crafted link, after which an existing SSO session causes transparent authentication into the attacker-controlled flow. No public exploit identified at time of analysis, but Red Hat has confirmed the flaw in Red Hat Build of Keycloak.
Authentication Bypass
CSRF
Red Hat
-
CVE-2026-7504
HIGH
CVSS 8.1
Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abusing a parser discrepancy between Keycloak and Java's URI implementation during redirect URL validation. The flaw applies only to clients configured with a wildcard ('*') in the 'Valid Redirect URIs' field and requires the victim to click a crafted link, with no public exploit identified at time of analysis.
Java
Open Redirect
Red Hat
-
CVE-2026-7307
HIGH
CVSS 7.5
Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads by submitting specially crafted XML payloads to the SAML endpoint. The flaw renders the identity provider unavailable, disrupting authentication for all downstream applications relying on it. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Denial Of Service
Red Hat
-
CVE-2026-6009
HIGH
CVSS 8.7
Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system.
RCE
Java
Deserialization
-
CVE-2026-5804
HIGH
CVSS 8.4
Authentication bypass in the Motorola Factory Test component (com.motorola.motocit) on Motorola phones lets a co-resident Android app abuse an exposed writable file descriptor in external storage to stand up a TCP server, harvest protected settings, and act with the factory-test app's elevated permissions. The flaw is locally exploitable by any installed third-party app with low privileges and carries CVSS 4.0 score 8.4 with high confidentiality and integrity impact. No public exploit identified at time of analysis and not listed in CISA KEV.
Authentication Bypass
-
CVE-2025-70950
HIGH
CVSS 7.3
An issue in gohttp commit 34ea51 allows attackers to perform directory traversal by supplying a crafted request.
Path Traversal
-
CVE-2025-61081
HIGH
CVSS 7.5
In BYD Atto3, an attacker can obtain an authentication key through a brute-force attack, and the key remains permanently valid. The authentication key enables flashing of the Electronic Parking Brake (EPB) and Supplemental Restraint System (SRS) related ECUs.
Information Disclosure
-
CVE-2025-51427
HIGH
CVSS 7.3
An issue was discovered in ModelScope 1.25.0 allowing attackers to execute arbitrary code via a crafted module listed in the configuration file (dey_mini.yaml) under the key ['nnet']['module'].
RCE
Code Injection
-
CVE-2025-15609
HIGH
CVSS 7.5
The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information such as past orders and other PII.
WordPress
Information Disclosure
-
CVE-2026-47317
MEDIUM
CVSS 5.5
Uncontrolled recursion in Samsung's Escargot JavaScript engine triggers excessive heap allocation, causing a denial-of-service condition with high availability impact. The vulnerability affects the specific commit 590345cc6258317c5da850d846ce6baaf2afc2d3 of the Escargot engine, which is deployed in Samsung smart TV and appliance firmware. No public exploit code exists and no active exploitation is confirmed by CISA KEV; however, the fix PR reveals multiple heap exhaustion and integer underflow scenarios addressable through crafted JavaScript inputs.
Information Disclosure
Samsung
-
CVE-2026-47316
MEDIUM
CVSS 5.5
Denial of service in Samsung Escargot JavaScript engine at commit 590345cc6258317c5da850d846ce6baaf2afc2d3 stems from multiple improper exceptional-condition handling paths exposed during JavaScript execution: a null pointer dereference when resolving error values in nested eval/throw/finally scenarios, an integer underflow in TypedArray.copyWithin() triggered by resizable ArrayBuffer coercion, and an unguarded assertion failure when array objects transition unexpectedly from fast to slow mode. Attack vector is local and requires user interaction (UI:R), with impact confined entirely to availability - crashing the host process. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Information Disclosure
Samsung
-
CVE-2026-47315
MEDIUM
CVSS 5.5
Denial-of-service in Samsung's Escargot JavaScript engine (commit 590345cc) stems from multiple unhandled exceptional conditions - including a null error-value dereference during nested eval/throw/finally sequences, integer underflow in TypedArray.copyWithin after runtime buffer resize, an unhandled out-of-memory condition in the garbage collector, and an invalid fast-mode array assertion during spread operations. Exploitation requires local access and user interaction (AV:L/UI:R per CVSS), crashing or aborting the Escargot runtime process. No public exploit code or CISA KEV listing exists at time of analysis; an upstream fix is available as GitHub PR #1565 but no tagged release version has been confirmed.
Information Disclosure
Samsung
-
CVE-2026-47313
MEDIUM
CVSS 5.5
Excessive memory allocation in Samsung's Escargot JavaScript engine (commit 590345cc) triggers a denial-of-service condition via integer underflow in the TypedArray.prototype.copyWithin implementation, causing the engine to request a massive heap allocation and subsequently abort the process. Affected deployments include Samsung TV and appliance firmware that embeds Escargot as a scripting runtime. No public exploit code and no CISA KEV listing are present; EPSS data was not provided in available intelligence. Risk is bounded by the local attack vector and user interaction requirement in the CVSS vector.
Information Disclosure
Samsung
-
CVE-2026-47312
MEDIUM
CVSS 5.5
Denial-of-service via invalid pointer dereference in Samsung Open Source Escargot JavaScript engine affects the specific commit 590345cc6258317c5da850d846ce6baaf2afc2d3, allowing a locally-present attacker to crash the runtime through crafted JavaScript. The root cause (CWE-763) involves unconditional dereference of a potentially invalid or null error pointer in the resultOrErrorToString path, triggerable via nested eval/throw/finally patterns that induce GC allocation during exception handling. No public exploit code exists and no CISA KEV listing is present at time of analysis.
Information Disclosure
Samsung
-
CVE-2026-47309
MEDIUM
CVSS 5.5
Uncontrolled recursion in Samsung's Escargot JavaScript engine crashes the runtime when processing oversized serialized data payloads, resulting in a high-severity availability impact. The vulnerability is confirmed at commit 590345cc6258317c5da850d846ce6baaf2afc2d3 of the Escargot engine, which is deployed in Samsung TV and appliance platforms. An attacker who can cause a local user to open or execute a crafted JavaScript payload can trigger a stack overflow, denying service to the affected application or device; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Information Disclosure
Samsung
-
CVE-2026-47308
MEDIUM
CVSS 5.5
NULL pointer dereference in Samsung's open-source Walrus WebAssembly runtime crashes the parser when processing malformed WASM binaries, resulting in denial of service. The vulnerability exists in the WASMBinaryReader component (WASMParser.cpp) at commit f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9, where multiple error-handling code paths fail to return early, allowing execution to continue past invalid state and dereference null pointers. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Denial Of Service
Null Pointer Dereference
Samsung
-
CVE-2026-47307
MEDIUM
CVSS 5.5
NULL pointer dereference in Samsung Open Source Walrus's WebAssembly binary parser causes application-level denial of service when a crafted .wasm module containing deeply nested instructions is loaded. The vulnerability affects the Walrus runtime at commit f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9 (CPE: cpe:2.3:a:samsung_open_source:walrus) and is classified CVSS 5.5 Medium with a local attack vector requiring user interaction. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; an upstream fix is available in GitHub PR #409 but a tagged release version has not been independently confirmed.
Denial Of Service
Null Pointer Dereference
Samsung
-
CVE-2026-46724
MEDIUM
CVSS 5.9
Path traversal in the TYPO3 'Faceted Search' extension's file indexer exposes arbitrary server filesystem content to high-privileged backend users. Because the indexer does not normalize or canonicalize the configured directory path before use, a backend user holding the specific permission to edit indexer configurations can supply path traversal sequences to redirect indexing at sensitive locations outside the intended document root. The CVSS 4.0 score of 5.9 (Medium) reflects high confidentiality impact (VC:H) constrained by the requirement for high privileges (PR:H). No public exploit or CISA KEV listing exists at time of analysis.
Path Traversal
-
CVE-2026-46723
MEDIUM
CVSS 5.9
Sensitive internal TYPO3 database content can be exfiltrated into the public search index via the Faceted Search extension's misconfigured additional_tables parameter. Backend users holding permission to edit indexer configurations can reference arbitrary internal database tables and fields - including those storing backend credentials, frontend user records, or other protected data - causing the search indexer to copy that data into the search index where it may be surfaced in search results or via API responses. No public exploit has been identified at time of analysis, and exploitation is constrained by the requirement for high-privilege backend access (PR:H per CVSS 4.0), placing this firmly in insider-threat and privilege-misuse risk scenarios.
Information Disclosure
-
CVE-2026-46722
MEDIUM
CVSS 5.9
XML External Entity (XXE) injection in the OOXML file indexer of the TYPO3 'Faceted Search' extension (EXT:faceted_search) allows a high-privileged authenticated attacker to cause the server to disclose local file contents or perform outbound HTTP requests (SSRF), with retrieved data written to the search index. Exploitation requires placing a crafted XLSX or PPTX document into a directory processed by the indexer. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
XXE
-
CVE-2026-46721
MEDIUM
CVSS 6.9
Mass assignment in the TYPO3 'Frontend User Registration' extension allows unauthenticated remote attackers to assign arbitrary frontend user groups to accounts created or modified via the public registration and profile-edit flows. Because the extension neither restricts which user properties may be submitted nor enforces server-side access control on the group assignment field, an attacker registers or edits an account while injecting a privileged frontend user group identifier, immediately gaining access to content and functionality that would otherwise require elevated membership. No public exploit is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Authentication Bypass
-
CVE-2026-46496
MEDIUM
Stored cross-site scripting in HAX CMS's `<video-player>` web component allows any authenticated user to inject persistent JavaScript payloads that execute in the browsers of subsequent page visitors, including administrators. The `source` and `source-data` attributes of the `<video-player>` component accept arbitrary URI schemes - including `javascript:` - without validation, meaning attacker-controlled script runs in the victim's browser session context. A publicly available proof-of-concept demonstrates direct theft of JWT authentication tokens from `localStorage`, enabling session hijacking and full account takeover. Packages `@haxtheweb/haxcms-nodejs` and `@haxtheweb/video-player` at versions <= 25.0.0 are confirmed affected; no public exploit or KEV listing identified at time of analysis beyond the published PoC.
XSS
Information Disclosure
-
CVE-2026-46424
MEDIUM
CVSS 4.2
Missing Redis cache invalidation in Budibase's public API role unassignment endpoint allows users with revoked admin, builder, or app-level privileges to retain full access for up to 1 hour (the hardcoded Redis TTL of 3600 seconds). Affected deployments are Budibase versions prior to 3.38.2 running an enterprise license, where the `POST /api/public/v1/roles/unassign` endpoint writes revocations to CouchDB but never calls `cache.user.invalidateUser()`, leaving the authentication middleware to serve stale permissions from Redis. Publicly available exploit code exists within the GHSA-6vp2-6r7m-2jvx advisory; no confirmed active exploitation (not listed in CISA KEV at time of analysis).
Privilege Escalation
Redis
-
CVE-2026-46357
MEDIUM
CVSS 6.5
Denial of service in HAX CMS NodeJS (npm/@haxtheweb/haxcms-nodejs) allows any authenticated user to crash the entire Node.js server process with a single crafted HTTP POST to the createSite endpoint. The crash stems from a null pointer dereference (CWE-476) in HAXCMSFile.save(), where tmpFile.originalname is undefined, causing an unhandled TypeError that terminates the process immediately. Because HAX CMS permits open account self-registration, an attacker can create their own account and trigger the crash without needing to compromise existing credentials, making the effective barrier to exploitation very low despite the PR:L CVSS designation. No public exploit identified at time of analysis beyond the PoC included in the GitHub security advisory.
Denial Of Service
Null Pointer Dereference
Node.js
-
CVE-2026-46341
MEDIUM
CVSS 6.1
Domain allowlist bypass in Apify MCP Server's fetch-apify-docs tool (npm/@apify/actors-mcp-server < 0.9.21) enables prompt injection against LLM agents by allowing attacker-controlled URLs to pass a flawed string prefix check. The tool validates requested URLs with String.startsWith() rather than parsing the URL hostname, so crafted URLs like https://docs.apify.com.evil.com/ satisfy the check while resolving to an attacker-controlled server. Publicly available exploit code (PoC) exists per the GitHub advisory GHSA-jwp7-wg77-3w9v; no CISA KEV listing at time of analysis, though the prompt injection vector can escalate to Apify account compromise via injected token redirection.
SSRF
Node.js
-
CVE-2026-46338
MEDIUM
CVSS 4.3
Path traversal in pymdownx.snippets versions 10.0.1 through 10.21.2 allows unauthenticated remote attackers to read arbitrary files from sibling directories outside the configured base_path, bypassing the restrict_base_path protection intended by CVE-2023-32309. The bypass exploits a string-prefix comparison introduced in PR #2039 that lacks directory-boundary enforcement, enabling a crafted snippet directive like '--8<-- "../docs_secret/leak.txt"' to escape the configured base directory when sibling paths share the same string prefix. Publicly available exploit code (proof-of-concept) exists in the GitHub Security Advisory; the vulnerability is not confirmed actively exploited in the CISA KEV catalog at time of analysis.
Python
Path Traversal
Microsoft
-
CVE-2026-46337
MEDIUM
Unauthenticated path traversal in AVideo's `view/img/image404Raw.php` allows any remote attacker to read arbitrary image files accessible to the PHP process, bypassing all application-layer ACLs that normally gate private user photos, admin thumbnails, and encrypted-video poster frames. The vulnerability affects all versions through the current master branch (commit 0dbadbcaaa1b415c7db078a72dc4b26d9fac0485) and all releases up to and including 29.0 (pkg:composer/wwbn_avideo). No vendor-released patch is currently available, and a working proof-of-concept is publicly disclosed in GHSA-w4qq-74h6-58wq, making this immediately actionable by any unauthenticated attacker with HTTP access to the deployment.
PHP
Path Traversal
-
CVE-2026-45802
MEDIUM
Memory exhaustion and endless loop in Setasign FPDI (composer package setasign/fpdi) allow remote attackers to crash PHP server-side scripts by uploading a small, specially crafted PDF file. All versions prior to 2.6.7 are affected, and any web application that exposes FPDI-based PDF processing to user-supplied input is vulnerable. Repeated submissions can sustain service unavailability; no public exploit has been identified at time of analysis, and no CISA KEV listing exists.
Denial Of Service
-
CVE-2026-45796
MEDIUM
CVSS 6.5
Unauthenticated semi-blind Server-Side Request Forgery in Coder's Azure instance identity endpoint allows any remote attacker to force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts, enabling internal network reconnaissance, cloud metadata service probing (e.g., 169.254.169.254), and error-based information disclosure of network topology. The vulnerability exists across all supported Coder release lines prior to v2.29.13/v2.30.8/v2.31.12/v2.32.2/v2.33.3/v2.24.5 (ESR), and has been patched in GitHub PR #25274. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Information Disclosure
SSRF
Microsoft
-
CVE-2026-45785
MEDIUM
CVSS 6.2
Denial of service in OpenMcdf versions up to and including 3.1.3 allows an attacker to permanently hang any thread that processes a crafted Compound File Binary (CFB) file by exploiting an unguarded infinite loop in the BST name-lookup path of DirectoryTree.TryGetDirectoryEntry. The flaw is distinct from - and unaddressed by - the Brent's-algorithm cycle detection added to DirectoryTreeEnumerator in commit 24f445a: while EnumerateEntries() now safely throws a FileFormatException on cyclic input, any subsequent call to OpenStorage(), TryOpenStorage(), OpenStream(), or TryOpenStream() enters the unprotected while-loop and spins at 100% CPU indefinitely. Publicly available proof-of-concept CFB files (5,632 and 7,936 bytes) demonstrate the hang via two distinct API paths; no public exploit identified at time of analysis that escalates beyond DoS, and the vulnerability is not listed in the CISA KEV catalog.
Denial Of Service
-
CVE-2026-45784
MEDIUM
Heap corruption in rust-openssl versions 0.10.50 through 0.10.79 allows attacker-controllable out-of-bounds writes of up to 7 bytes via the `CipherCtxRef::cipher_update_inplace` method when used with AES key-wrap-with-padding ciphers (EVP_aes_128_wrap_pad, EVP_aes_192_wrap_pad, EVP_aes_256_wrap_pad). The buffer sizing logic fails to account for AES-KWP's padding expansion when input length is not a multiple of 8, and because this occurs through FFI into native OpenSSL, Rust's memory safety guarantees do not prevent the corruption. This is a missed case from a prior fix for GHSA-xv59-967r-8726 in the same method; no public exploit has been identified at time of analysis.
Information Disclosure
OpenSSL
-
CVE-2026-45737
MEDIUM
CVSS 6.3
Information disclosure in Argo CD v3.x exposes plaintext Kubernetes Secret values to authenticated users who can view application diffs via the ServerSideDiff feature. This is an incomplete fix for a prior vulnerability (GHSA-3v3m-wc6v-x4x3): the original patch masked top-level Secret data in ServerSideDiff responses but failed to sanitize Secret content embedded in the `kubectl.kubernetes.io/last-applied-configuration` annotation on `predictedLive` objects, leaving raw `data`, `stringData`, and sensitive annotation values readable in UI and CLI diff output. A publicly available proof-of-concept exists; no KEV listing is present at time of analysis, but the Changed Scope (S:C) in the CVSS vector indicates that exposed secrets may belong to workloads beyond the Argo CD application boundary, amplifying real-world impact in multi-tenant environments.
Information Disclosure
Kubernetes
-
CVE-2026-45712
MEDIUM
CVSS 5.9
Full process crash in Mailpit before v1.30.0 is achievable by a remote unauthenticated attacker via a race condition in the /proxy endpoint's CSS rewriter cache, causing Go's unrecoverable fatal runtime panic and terminating the SMTP, POP3, and HTTP listeners simultaneously. The root cause is an unsynchronized read of a package-level assets map[string]MessageAssets cache that is written concurrently by a cleanup goroutine and re-entrant CSS-rewriting handlers - Go's runtime detects the collision and calls throw(), which bypasses http.Server's handler-panic recovery. Publicly available exploit code exists in the GHSA advisory; no CISA KEV listing has been identified at time of analysis, and EPSS data was not available in the provided intelligence.
Denial Of Service
Race Condition
-
CVE-2026-45711
MEDIUM
CVSS 5.9
Arbitrary file write via path traversal in Mailpit's `dump --http` subcommand (versions < 1.30.0) allows any HTTP server impersonating a Mailpit instance to write attacker-controlled bytes to arbitrary paths outside the intended output directory. The attacker controls both the file path (via the message ID field in the JSON response) and the file contents (via the raw message body endpoint), enabling writes anywhere the dumping user has write permission - including cron jobs, shell startup files, and CI artifact directories. Publicly available exploit code exists (Python PoC published in GHSA-qx5x-85p8-vg4j); no confirmed active exploitation at time of analysis.
RCE
Python
Path Traversal
-
CVE-2026-45709
MEDIUM
CVSS 5.8
Incomplete SSRF remediation in mailpit's HTML check endpoint (>= v1.28.3, < v1.30.0) leaves `internal/htmlcheck/css.go::newSafeHTTPClient` without the IP-filtering dialer that sibling endpoints already employ, allowing the server to dial loopback, RFC1918, cloud IMDS (169.254.169.254), CGNAT, and multicast ranges. On default mailpit deployments - where SMTP auth and UI auth are both disabled - unauthenticated network-reachable attackers can trigger this by injecting one HTML email and issuing a single GET to `/api/v1/message/{id}/html-check`, making this a zero-credential pivot primitive into internal infrastructure. Publicly available exploit code exists; no confirmed active exploitation in CISA KEV at time of analysis.
Java
Docker
SSRF
Redis
Oracle
-
CVE-2026-45692
MEDIUM
CVSS 5.4
Authorization bypass in Caddy's remote admin `/config` API (versions 2.4.0-2.11.2) allows a certificate-authenticated remote admin client restricted to a specific array-indexed config path (e.g., `/routes/0`) to read and modify sibling array elements (e.g., `routes[1]`) by requesting the path with a leading-zero index variant (`/routes/01`). The root cause is a semantic mismatch between two internal layers: the authorization layer performs string prefix matching (`strings.HasPrefix`), while the config traversal layer parses index components numerically via `strconv.Atoi()`, so `"01"` passes authorization as a prefix of `"0"` but resolves to integer index 1 during traversal. No public exploit is in CISA KEV, but a complete proof-of-concept with captured curl requests and server responses is publicly documented in the vendor GitHub advisory GHSA-x5w9-xh9r-mvfc.
OpenSSL
File Upload
Canonical
-
CVE-2026-45670
MEDIUM
Source code disclosure in Nuxt's webpack and rspack dev server middleware enables a malicious website on the same local network to exfiltrate full application source code when developers run `nuxt dev --host`. The previous fix for GHSA-4gf7-ff8x-hq99 relied exclusively on Sec-Fetch-Mode and Sec-Fetch-Site headers, which browsers only send from potentially trustworthy origins (HTTPS or localhost) per the W3C Fetch Metadata specification - requests originating from plain HTTP pages on LAN omit these headers entirely, bypassing the same-origin check. A working proof-of-concept is embedded in the vendor advisory; no public exploit identified at time of analysis in CISA KEV.
Authentication Bypass
Google
Node.js
-
CVE-2026-45669
MEDIUM
Reflected XSS in Nuxt's `navigateTo()` function allows remote attackers to inject and execute arbitrary JavaScript in the application's origin during server-side rendering. Applications passing user-controlled input to `navigateTo(url, { external: true })` - the common post-login `?next=` or `?redirect=` redirect pattern - are affected across nuxt versions 3.4.3-3.21.5 and 4.0.0-alpha.1-4.4.5. A full proof-of-concept is published in the GitHub Security Advisory GHSA-fx6j-w5w5-h468; no public exploit identified at time of analysis beyond that PoC, and this CVE does not appear in CISA KEV.
XSS
-
CVE-2026-45581
MEDIUM
CVSS 5.5
TLS private key password exposure in Hyperledger fabric-chaincode-java (versions 2.3.1 through 2.5.9) leaks credentials to any local user with read access to chaincode server logs when the service runs in chaincode-as-a-service (CaaS) mode with TLS enabled. The fabric-chaincode-shim runtime logs the TLS private key password in plaintext at INFO level during server startup, classified under CWE-532. A local attacker who recovers the logged password and separately obtains the TLS private key file gains the material needed to impersonate the chaincode server, potentially intercepting or injecting chaincode communications. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Information Disclosure
-
CVE-2026-45571
MEDIUM
CVSS 5.4
Path traversal in go-git allows crafted repository payloads to write files outside the intended checkout directory, including into the repository's .git directory and parent paths. The vulnerability stems from go-git failing to implement path validation checks that upstream Git adopted years ago, creating a drift-induced security gap across all supported platforms - with additional platform-specific attack vectors affecting Windows and macOS users distinctly. CVSS scores this at 5.4 medium with no public exploit identified at time of analysis and no CISA KEV listing, but the real-world risk is elevated in automated pipelines or developer tooling that processes untrusted repositories without human review.
Path Traversal
Apple
Microsoft
-
CVE-2026-45557
MEDIUM
CVSS 6.9
Technitium DNS Server generates amplified outbound DNS traffic when processing domains with missing RRSIG records or mismatched DNSKEY records - an attacker who controls any domain can exploit this behavior to force the resolver into generating excessive network queries against third-party infrastructure. All versions prior to 15.0 are affected per the vendor CPE listing (cpe:2.3:a:technitium:dns_server:*:*:*:*:*:*:*:*). The CVSS Changed Scope (S:C) confirms that impact extends beyond the vulnerable server itself, affecting downstream network resources and other systems. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.
Information Disclosure
-
CVE-2026-45442
MEDIUM
CVSS 4.3
Broken access control in Brainstorm Force's Presto Player WordPress plugin (through version 4.1.3) allows authenticated low-privilege users to bypass authorization checks and read restricted data. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is network-exploitable by any authenticated WordPress user with no interaction required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Authentication Bypass
-
CVE-2026-45409
MEDIUM
Resource exhaustion in the Python idna library's idna.encode() function allows denial-of-service via specially crafted Unicode inputs that bypass the incomplete CVE-2024-3651 remediation. Affected versions process CONTEXTO-class codepoints - such as Arabic-Indic digit zero (U+0660) or Katakana middle dot (U+30FB) - through the valid_contexto validation function before length rejection occurs, enabling arbitrarily large inputs to consume significant CPU. Any Python application that passes unvalidated user input to idna.encode() or related per-label/codec functions without upstream length enforcement is exposed; no public exploit has been identified at time of analysis beyond the PoC payloads embedded in the advisory itself.
Denial Of Service
Suse
-
CVE-2026-45187
MEDIUM
CVSS 6.5
Improper Authorization vulnerability in Apache OFBiz Webtools.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Authentication Bypass
Apache
-
CVE-2026-44408
MEDIUM
CVSS 6.3
Improper permission control on the ZTE MU5250 web management interface allows an adjacent-network attacker with low-level credentials to modify device configuration beyond their authorized scope, resulting in high availability impact and low integrity impact. Affected firmware is confirmed as BD_FLYMODEMMU5250V1.0.0B27, self-disclosed by ZTE via their security bulletin. No public exploit code or CISA KEV listing exists at time of analysis, and exploitation is constrained to adjacent network access with some level of authenticated access per the CVSS vector.
Authentication Bypass
Information Disclosure
Zte
-
CVE-2026-42526
MEDIUM
CVSS 5.3
In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team's team-scoped secret when the caller had no team contex...
Authentication Bypass
Apache
-
CVE-2026-37982
MEDIUM
CVSS 6.8
Token replay exploitation in Red Hat Build of Keycloak's WebAuthn flow allows an unauthenticated remote attacker who intercepts an ExecuteActionsActionToken email link to enroll their own hardware-backed WebAuthn authenticator to a victim's account. Successful exploitation bypasses authentication entirely and grants the attacker persistent, credential-backed access to the compromised account. No public exploit code has been identified at time of analysis, and CISA KEV confirmation is absent, but the High confidentiality and integrity impact from CVSS underscores the severity if the attack preconditions are met.
Authentication Bypass
Red Hat
-
CVE-2026-37981
MEDIUM
CVSS 4.3
Broken access control in Keycloak's Account Resources user lookup endpoint exposes full PII profiles of all realm users to any authenticated user who owns at least one User-Managed Access (UMA) resource. By sending crafted requests with arbitrary usernames or email values to this endpoint, the attacker receives complete profile objects for unrelated realm members - bypassing the intended per-user data isolation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and minimal privilege requirement (any UMA resource owner) make it a meaningful insider-threat and tenant-isolation risk in shared Keycloak deployments.
Information Disclosure
Red Hat
-
CVE-2026-37979
MEDIUM
CVSS 6.5
Audience restriction bypass in Keycloak's OpenID Connect token introspection endpoint exposes sensitive token claims to unauthorized confidential clients. Any attacker-controlled confidential client holding valid realm credentials can query the introspection endpoint and retrieve claims from lightweight access tokens issued to other resource servers - violating the isolation guarantees of audience-scoped tokens. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and network-accessible vector make this a realistic threat in multi-tenant or multi-service Keycloak deployments where client isolation is a security boundary.
Authentication Bypass
Red Hat
-
CVE-2026-37978
MEDIUM
CVSS 4.9
Unauthorized PII disclosure in Red Hat Build of Keycloak allows a low-privilege administrator holding only the 'view-clients' role to enumerate user identities and authorization grants across the entire realm by invoking the 'evaluate-scopes' Admin API endpoint with an arbitrary userId parameter. The vulnerability is an Insecure Direct Object Reference (CWE-639) in the Admin API layer, exploitable remotely over the network without requiring additional user interaction. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and clear abuse path make targeted insider or compromised-credential scenarios a realistic concern.
Authentication Bypass
Red Hat
-
CVE-2026-36827
MEDIUM
CVSS 5.4
Command injection in Panabit PAP-XM320 firmware up to and including V7.7 enables authenticated remote attackers with management interface access to execute arbitrary shell commands on the underlying OS. The web management interface passes user-controlled input to the backend helper /usr/sbin/pappiw, which processes arguments via eval - a classic CWE-78 pattern that causes attacker-supplied shell metacharacters to be interpreted as commands. No public exploit has been confirmed at time of analysis and this CVE is not listed in the CISA KEV catalog, though a researcher disclosure page is referenced.
Command Injection
N/A
-
CVE-2026-35086
MEDIUM
CVSS 6.5
Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
RCE
Apache
Code Injection
-
CVE-2026-34883
MEDIUM
CVSS 5.3
An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate privileges to Administrator. During installation, the software writes the file CCFLFamily_07Feb11.edr to ...
Privilege Escalation
Microsoft
Dell
-
CVE-2026-34600
MEDIUM
CVSS 5.7
Unauthorized note disclosure in Joplin server versions 3.5.2 and prior allows authenticated former share recipients to retrieve notes after sharing has been revoked, via two compounding logic errors in the ChangeModel delta API. The first flaw attaches full item content to delta responses without re-verifying current share status; the second incorrectly compresses create → delete event sequences into a NOOP rather than a delete, causing the API to synthesize a create event with full note content for deleted items when those events span separate delta pages. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but confidentiality impact is rated High given that full note content is returned to unauthorized recipients.
Information Disclosure
-
CVE-2026-34246
MEDIUM
CVSS 4.8
Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins - with the payload re-executing on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.
PHP
XSS
Privilege Escalation
-
CVE-2026-34233
MEDIUM
CVSS 6.5
CtrlPanel versions 1.1.1 and prior expose administrative DataTable endpoints without enforcing admin-level authorization, allowing any authenticated low-privileged user to retrieve sensitive records that should be restricted to administrators. The flaw stems from a gap between route-prefix-level middleware and per-endpoint permission enforcement: routes under /admin/ appear protected but datatable() methods lack role verification, making the protection illusory. Exploitation yields access to user PII, payment and transaction records, active coupon codes, role/permission structure, server ownership mappings, and support ticket contents - a significant confidentiality breach. No public exploit or CISA KEV listing is identified at time of analysis; a vendor-released patch is available in version 1.2.0.
Authentication Bypass
-
CVE-2026-34216
MEDIUM
CVSS 6.6
Remote code execution in CtrlPanel versions 1.1.1 and prior allows authenticated administrators to execute arbitrary PHP code by supplying a fully qualified class name to the admin settings update endpoint, which instantiates or invokes static methods on that class without allowlist validation. Any class resolvable by the Composer autoloader - including third-party dependencies - can be targeted, enabling gadget-chain exploitation through PHP magic methods such as __construct, __toString, or __wakeup. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the fix is confirmed in version 1.2.0, released April 2026.
PHP
RCE
-
CVE-2026-33741
MEDIUM
CVSS 6.8
Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript in the browser session of any user who opens a crafted SVG attachment. The attack exploits EspoCRM's inline SVG serving behavior combined with a CSP misconfiguration that blocks inline scripts but permits same-origin external scripts - allowing a separately uploaded attacker-controlled JavaScript file (also hosted on the same EspoCRM origin) to be loaded and executed. A public exploit exists per the vendor's own GitHub security advisory; no CISA KEV listing has been identified at time of analysis.
XSS
-
CVE-2026-33514
MEDIUM
CVSS 6.0
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for...
Authentication Bypass
-
CVE-2026-33234
MEDIUM
CVSS 5.0
Server-side request forgery in AutoGPT Platform versions 0.1.0 through 0.6.51 allows any authenticated user on a shared deployment to conduct non-blind internal network port scanning and service fingerprinting by exploiting the SendEmailBlock's unvalidated SMTP connection handling. The block accepts user-supplied smtp_server and smtp_port inputs and passes them directly to Python's smtplib.SMTP(), completely bypassing the platform's dedicated SSRF defenses - the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist in backend/util/request.py that every other block observes. Because smtplib surfaces TCP banners in exception messages that are persisted as visible block output, this is a non-blind SSRF, giving attackers readable reconnaissance data about internal hosts and services. No public exploit identified at time of analysis; vendor-released patch is confirmed in version 0.6.52.
Python
SSRF
-
CVE-2026-32994
MEDIUM
CVSS 5.3
Broken access control on the /api/v1/autotranslate.translateMessage endpoint in Rocket.Chat allows any authenticated user to retrieve the full content of messages from rooms they have no membership in - including private groups, direct messages, and channels - by supplying only a valid message ID. The vulnerability stems from the complete absence of a room-level authorization check (canAccessRoomIdAsync is never invoked) before the message fetch via Messages.findOneById(). No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact (C:H in CVSS) means successful exploitation exposes sensitive private communications organization-wide.
Authentication Bypass
-
CVE-2026-32814
MEDIUM
CVSS 6.5
Heap memory disclosure in strukturag libheif versions 1.21.2 and prior exposes up to 12,288+ bytes of uninitialized heap content - potentially containing auth tokens, database results, or other users' image data - when decoding crafted HEIF or AVIF grid images under the library's default settings. The decode path silently suppresses tile failures while returning heif_error_Ok, so calling applications receive heap garbage as valid pixel values with no error indication. Server-side image pipelines that ingest user-uploaded HEIF/AVIF and re-encode the output (e.g., as PNG or JPEG thumbnails for CDNs or social platforms) are at highest cross-user exposure risk; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Information Disclosure
Red Hat
Suse
-
CVE-2026-32739
MEDIUM
CVSS 6.5
Infinite CPU loop denial-of-service in libheif 1.21.2 and below allows a remote unauthenticated attacker to permanently exhaust a victim application's CPU by delivering a crafted 800-byte HEIF sequence file. The vulnerability triggers during file parsing in Box_stts::get_sample_duration() before any image decoding occurs, meaning any application that opens user-supplied HEIF files is exposed at the moment of file open. No KEV listing and no public exploit have been identified at time of analysis, but the low attack complexity and high availability impact make this a meaningful risk for deployments that process untrusted HEIF content. Vendor-released patch version 1.22.0 resolves the issue.
Denial Of Service
Red Hat
Suse
-
CVE-2026-32738
MEDIUM
CVSS 6.5
Denial of service in libheif versions 1.21.2 and below allows a remote attacker to crash any application linked against the library by supplying a crafted HEIF sequence file. The crash is deterministic - the malformed file passes parsing without error, then triggers a guaranteed SEGV on the first frame access due to an unsigned integer underflow that maps all media samples to an empty chunk. No public exploit has been identified at time of analysis, and this is not listed in the CISA KEV catalog; vendor-released patch is available in version 1.22.0.
Buffer Overflow
Denial Of Service
Information Disclosure
Red Hat
Suse
-
CVE-2026-32312
MEDIUM
CVSS 5.1
Unauthorized form structure disclosure in GLPI 11.0.0 through 11.0.6 allows a high-privileged authenticated user holding forms READ permission to export the structural definition of forms they are not authorized to access. The flaw, rooted in CWE-862 (Missing Authorization), means the application validates that a user can perform form exports in general but fails to verify per-form access entitlements before returning structure data. Impact is limited to low confidentiality exposure of form schemas with no integrity or availability consequence. No public exploit code or CISA KEV listing exists at time of analysis, and the vendor has released a confirmed fix in 11.0.7.
Authentication Bypass
-
CVE-2026-32244
MEDIUM
CVSS 5.3
Discourse's AI summarization feature exposes removed or restricted content to anonymous and unprivileged users through stale cached summaries. Affected are all Discourse instances running versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1 with AI summarization enabled. An unauthenticated attacker can read cached summaries that persist after the underlying content has been moderated or deleted, bypassing content removal controls. No public exploit code exists and no KEV listing has been issued at time of analysis.
Information Disclosure
-
CVE-2026-32134
MEDIUM
CVSS 5.9
Remote unauthenticated denial-of-service in NanoMQ MQTT Broker (versions 0.24.10 and below) crashes the broker process via a NULL pointer dereference triggered by high-concurrency MQTT reconnect traffic. The flaw occurs during session resumption for persistent-session clients (clean_start=0), where the NanoNNG transport layer's pipe_peer() function dereferences cpipe->subinfol without verifying that the new pipe's subinfol pointer is also non-NULL - a pointer that can be freed mid-race. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, CVSS AV:N/PR:N confirms remote unauthenticated triggering, and the fix has been released in version 0.24.11.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-31906
MEDIUM
CVSS 6.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
XSS
Apache
-
CVE-2026-31388
MEDIUM
CVSS 5.3
Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Authentication Bypass
Apache
-
CVE-2026-31387
MEDIUM
CVSS 5.3
Improper Authentication vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Authentication Bypass
Apache
-
CVE-2026-31380
MEDIUM
CVSS 6.5
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Apache
Code Injection
-
CVE-2026-31379
MEDIUM
CVSS 6.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.0...
XSS
Apache
Path Traversal
-
CVE-2026-31378
MEDIUM
CVSS 6.5
Improper Input Validation vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Apache
Information Disclosure
-
CVE-2026-29220
MEDIUM
CVSS 6.5
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Apache
Path Traversal
-
CVE-2026-29207
MEDIUM
CVSS 6.5
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Please note that in the updated version, "Data Resource" records with...
Apache
Information Disclosure
Ssti
-
CVE-2026-28733
MEDIUM
CVSS 6.5
Use-After-Free memory corruption in OpenHarmony v6.0 and prior enables a local attacker with low privileges to execute arbitrary code, achieving a changed scope with high availability impact. The vulnerability is rooted in CWE-416, where freed memory regions are accessed without proper lifecycle management, a class of flaw frequently exploitable for control-flow hijacking. No public exploit code or CISA KEV listing has been identified at time of analysis, though the OpenHarmony security team has published a formal disclosure.
RCE
Use After Free
Memory Corruption
-
CVE-2026-27766
MEDIUM
CVSS 5.5
Information disclosure in OpenHarmony v6.0 and earlier enables a low-privileged local attacker to leak high-sensitivity data from the system without any user interaction. The root cause is a signal handler race condition (CWE-364), where asynchronous signal delivery can expose protected memory contents while leaving system integrity and availability unaffected. No public exploit code has been identified at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Information Disclosure
-
CVE-2026-25850
MEDIUM
CVSS 5.5
OpenHarmony v6.0 and prior versions expose sensitive information to local low-privileged attackers due to improper preservation of permissions (CWE-281). A locally authenticated attacker with standard user privileges can exploit this flaw to leak confidential data - achieving high confidentiality impact - without requiring elevated rights or user interaction. No public exploit code or active exploitation has been identified at time of analysis, but the low complexity and no-interaction-required nature of the attack make it straightforward to exploit once access is obtained.
Information Disclosure
-
CVE-2026-8971
MEDIUM
CVSS 6.5
Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151.
Authentication Bypass
Mozilla
Suse
-
CVE-2026-8961
MEDIUM
CVSS 6.5
Spoofing via the Form Autofill component in Mozilla Firefox allows a network-based attacker to achieve high integrity impact against users who interact with attacker-controlled content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms no authentication is required from the attacker side, but a victim must interact with malicious content for the attack to succeed. No public exploit code has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), indicating very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.
Authentication Bypass
Red Hat
Mozilla
Suse
-
CVE-2026-8951
MEDIUM
CVSS 6.5
Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.
Authentication Bypass
Google
Mozilla
Suse
-
CVE-2026-8922
MEDIUM
CVSS 5.4
Token revocation bypass in Red Hat Keycloak's OIDC Introspection endpoint allows low-privileged authenticated users to continue using tokens that should have been invalidated by realm-level notBefore revocation policies. When both realm-level and client-level notBefore policies are simultaneously active, the introspection endpoint incorrectly evaluates only the client-level policy, silently ignoring the realm-wide revocation. This means an administrator's deliberate, broad-scope revocation action - typically used in incident response or forced re-authentication scenarios - is rendered ineffective for any clients that also carry a client-level notBefore setting. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.
Authentication Bypass
Red Hat
-
CVE-2026-8830
MEDIUM
CVSS 4.3
WebAuthn policy enforcement bypass in Red Hat Build of Keycloak allows low-privileged authenticated users to register credentials that violate administrator-configured realm security policies. The server-side processAction() method does not validate that newly registered WebAuthn credential parameters - such as public key algorithms - conform to the realm's defined WebAuthn policies, enabling a user to manipulate client-side JavaScript during the registration flow to submit non-compliant credential data. No public exploit has been identified at time of analysis; exploitation requires an authenticated session and is limited to integrity impact (policy bypass), with no direct confidentiality or availability consequence.
Authentication Bypass
Red Hat
-
CVE-2026-8814
MEDIUM
CVSS 5.5
Decompression bomb (data amplification) in ExifReader npm package before 4.39.0 allows remote unauthenticated attackers to exhaust server memory by supplying a crafted PNG file with a highly compressed zTXt metadata chunk. The vulnerable path activates only when the caller enables asynchronous parsing (`async: true`), at which point ExifReader decompresses the chunk via the Compression Streams API with no upper bound on output size. Publicly available proof-of-concept exploit code exists (E:P); this CVE is not listed in CISA KEV.
Information Disclosure
-
CVE-2026-8706
MEDIUM
CVSS 6.5
Firefox for iOS Reader mode exposed an unauthenticated local HTTP server on the device, enabling a co-installed malicious application to request arbitrary URLs through that server and receive responses rendered with the authenticated user's session cookies. Affected versions are all Firefox for iOS releases prior to 151.0, confirmed by Mozilla Security Advisory MFSA2026-49. No public exploit code has been identified and CISA SSVC rates exploitation as none at time of analysis, but successful exploitation would allow silent exfiltration of authenticated web content from the victim's active browsing session.
Information Disclosure
Apple
Mozilla
Suse
-
CVE-2026-8605
MEDIUM
CVSS 5.1
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
Authentication Bypass
-
CVE-2026-8493
MEDIUM
CVSS 5.4
Cross-site scripting in the Drupal Colorbox Inline contributed module (versions 0.0.0 through before 2.1.1) allows an authenticated low-privileged attacker to inject malicious script into web page output, which executes in a victim's browser when they interact with the affected content. The changed-scope CVSS vector (S:C) confirms the classic XSS pattern where attacker-controlled content runs in a different security context than the origin. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) confirms this is not a currently targeted vulnerability.
XSS
-
CVE-2026-8096
MEDIUM
CVSS 6.5
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.6) allows authenticated attackers with subscriber-level privileges to enumerate and read all frontend form structures and stored visitor submission data, including contact details and messages submitted through any site form powered by the plugin. The flaw originates in missing authorization checks on an AJAX handler (Ajax.php, line 675), meaning any logged-in user - including the lowest-privilege role WordPress assigns - can exfiltrate sensitive visitor-submitted information without any administrative context. No public exploit or CISA KEV listing has been identified at time of analysis, but the low privilege barrier and network-accessible attack vector make this a realistic data exposure risk for any multi-user or public-registration WordPress site running the affected plugin.
WordPress
Authentication Bypass
-
CVE-2026-6871
MEDIUM
CVSS 6.1
Cross-site scripting in the Drupal Obfuscate contributed module (versions 0.0.0 through before 2.0.2) allows remote unauthenticated attackers to inject malicious scripts into pages rendered for other users, with impact scoped across security boundaries (S:C). The vulnerability stems from improper neutralization of input during web page generation, enabling session hijacking or UI redress attacks against users who view attacker-controlled content processed by the module. No public exploit has been identified at time of analysis, and EPSS at 0.03% (8th percentile) reflects low current exploitation probability.
XSS
-
CVE-2026-6367
MEDIUM
CVSS 6.1
Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious scripts into web pages rendered by the application, which execute in victims' browsers upon user interaction. The CVSS Changed scope (S:C) indicator confirms the exploit crosses trust boundaries - attacker-controlled input rendered in the victim's browser context can compromise session tokens or trigger unauthorized actions. With EPSS at 0.03% (8th percentile) and no CISA KEV listing, widespread exploitation is not currently observed; a vendor patch is available in 11.3.7.
XSS
-
CVE-2026-6366
MEDIUM
CVSS 6.6
Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged authenticated user to manipulate dynamically-determined object attributes, with potential full compromise of confidentiality, integrity, and availability. The CVSS vector (AV:N/AC:H/PR:H) confirms this is a network-reachable flaw but imposes steep prerequisites: administrator-level access and high attack complexity. No public exploit code or confirmed active exploitation has been identified at time of analysis.
Code Injection
-
CVE-2026-6365
MEDIUM
CVSS 6.1
Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11 - to client-side script injection exploitable by unauthenticated remote attackers who can induce user interaction. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in the context of a victim's browser session, enabling session hijacking, credential theft, or malicious redirects against authenticated users including administrators. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (8th percentile) signals low near-term exploitation probability, though the breadth of affected versions across three major release lines increases the aggregate attack surface.
XSS
-
CVE-2026-6095
MEDIUM
CVSS 6.1
Reflected or stored cross-site scripting in Drupal's Orejime cookie consent module (versions 0.0.0 through 2.0.15) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser upon page load or link interaction. The changed scope (S:C) in the CVSS vector indicates the injected script executes in a security context beyond the originating page - consistent with a consent banner or cookie-preference widget that renders across site sections. No public exploit code has been identified at time of analysis, and EPSS is 0.03% (8th percentile), placing this in the low-exploitation-probability tier despite being network-accessible with no authentication required.
XSS
-
CVE-2026-5511
MEDIUM
CVSS 4.6
Improper error handling in the TP-Link Archer AX72 (SG) v1.0 web management interface allows an authenticated administrative user to extract diagnostic command syntax by submitting invalid input to the network diagnostic feature. The disclosure is narrow - limited to command-line usage information for the underlying diagnostic utility - and does not expose credentials, configuration data, or sensitive system state. A vendor-released patch is available, no public exploit code has been identified, and the vulnerability carries no CISA KEV designation.
Information Disclosure
-
CVE-2026-5090
MEDIUM
CVSS 6.1
Cross-site scripting in Template::Plugin::HTML versions through 3.102 for Perl allows remote unauthenticated attackers to inject JavaScript event handlers into rendered HTML pages when victim users view pages containing attacker-controlled template variables. The html_filter function and HTML.escape method omitted escaping of single-quote characters, meaning variables filtered with `| html` inside single-quoted HTML attributes (e.g., `title='[% var | html %]'`) remained injectable. No public exploit has been identified at time of analysis and EPSS is 0.01% (1st percentile), indicating no observed widespread exploitation, though the attack primitive is straightforward for any attacker aware of the single-quote gap.
XSS
-
CVE-2026-4630
MEDIUM
CVSS 6.8
Keycloak's Authorization Services Protection API is vulnerable to an Insecure Direct Object Reference (IDOR) flaw that allows authenticated low-privileged clients to perform unauthorized GET, PUT, and DELETE operations on resources owned by a different Resource Server within the same realm. By supplying a resource UUID belonging to a peer Resource Server - which a client can obtain through enumeration or disclosure - the attacker bypasses Keycloak's authorization enforcement entirely. The CVSS score of 6.8 (High) reflects confirmed confidentiality and integrity impact, though High complexity (AC:H) indicates the attacker must first acquire valid cross-server UUIDs. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Authentication Bypass
Information Disclosure
Red Hat
-
CVE-2025-57798
MEDIUM
CVSS 5.5
Denial of service via unbounded memory allocation in Joplin note-taking application versions 3.6.14 and prior crashes the application by exhausting system memory when an excessively long string is provided as a note title. Authenticated local users with access to the Joplin UI, or attackers holding a compromised local API token, can trigger this out-of-memory condition through either direct UI interaction or an HTTP POST to the local web service API (default port 41184). No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, exploitation requires only low privileges and no user interaction once access is established.
Denial Of Service
-
CVE-2025-40904
MEDIUM
CVSS 5.1
Stored HTML injection in Nozomi Networks Guardian and CMC Smart Polling functionality allows authenticated users with limited privileges to embed malicious HTML into remote strategies via the sync mechanism. When a victim views the affected remote strategy in the Smart Polling UI, the injected HTML renders in their browser, enabling phishing campaigns and open redirect attacks. No public exploit has been identified at time of analysis; full JavaScript XSS is explicitly mitigated by the product's existing Content Security Policy, bounding the practical impact to social engineering vectors rather than direct session compromise.
XSS
Information Disclosure
Open Redirect
-
CVE-2025-40903
MEDIUM
CVSS 4.8
Stored HTML injection in Nozomi Networks Guardian and CMC's Schedule Restore Archive feature permits authenticated administrators to embed arbitrary HTML tags within restore schedule configurations. When any user views the poisoned schedule entry, the injected markup renders in their browser, enabling phishing lures and potential open redirect attacks against operators. Full JavaScript execution is blocked by the platform's existing Content Security Policy and server-side validation, and no public exploit has been identified at time of analysis; however, in OT/ICS environments where operator trust is high, even HTML-level injection can support targeted social engineering.
XSS
Information Disclosure
Open Redirect
-
CVE-2025-40902
MEDIUM
CVSS 4.8
Stored HTML injection in Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated administrator to create a user account whose username contains raw HTML tags that are rendered unescaped in a victim's browser. The injection triggers specifically during group deletion workflows - when any user attempts to delete a group containing the malicious account, the stored payload renders. Full XSS exploitation is blocked by the platform's Content Security Policy, but the attack surface remains viable for phishing and open redirect abuse. No public exploit code exists and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the high privilege prerequisite and required user interaction, which substantially constrain real-world risk.
XSS
Information Disclosure
Open Redirect
-
CVE-2025-40901
MEDIUM
CVSS 4.8
Stored HTML injection in Nozomi Networks Guardian and CMC (Central Management Console) Credentials Manager allows authenticated administrators to plant malicious HTML inside identity definitions. When a separate user attempts to delete the poisoned identity, the injected HTML renders in their browser, enabling phishing lures and open redirect attacks against that user. Full script execution (XSS) and direct information disclosure are constrained by existing input validation and Content Security Policy headers, limiting the achievable impact to social engineering vectors. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.
XSS
Information Disclosure
Open Redirect
-
CVE-2025-40900
MEDIUM
CVSS 5.1
Angular template injection in the Reports functionality of Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated user with report privileges to execute arbitrary Angular template expressions in a victim's browser context. Exploitation requires either the attacker to possess report creation privileges directly, or to socially engineer a victim into importing a crafted malicious report template. Successful exploitation enables modification of application data or disruption of application availability; however, full XSS exploitation and direct information disclosure are explicitly constrained by the product's existing input validation and Content Security Policy configuration. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
XSS
Information Disclosure
Ssti
-
CVE-2025-15645
MEDIUM
CVSS 5.1
Permanent denial of service in Ledger Nano X, Flex, and Stax hardware cryptocurrency wallets allows a physically present attacker to irreversibly brick the device by supplying a crafted reset_handler address during MCU firmware flashing. The firmware update process accepts attacker-controlled pointer values without bounds checking or range validation, so the MCU boots from an invalid reset vector and enters an unrecoverable hardware fault state. No public exploit code is identified at time of analysis and the CVE is not listed in the CISA KEV catalog; the CVSS 4.0 score of 5.1 (Medium) reflects the mandatory physical access requirement, which substantially constrains the attacker population but does not diminish the severity of permanent device loss for affected users.
Denial Of Service
-
CVE-2026-46342
LOW
Cache poisoning via the `/__nuxt_island/*` endpoint in Nuxt allows an attacker to prime a shared CDN or reverse-proxy cache with attacker-controlled rendered HTML, causing subsequent users requesting the same island path to receive the poisoned response. Affected are `nuxt` 3.1.0 through 3.21.5 and 4.0.0-alpha.1 through 4.4.5, as well as `@nuxt/nitro-server` 3.20.0 through 3.21.5 and 4.2.0 through 4.4.5. When any island component passes a prop into an unsafe HTML sink (`v-html`, `innerHTML`), the cache poisoning escalates to stored XSS persisting in the application's origin until cache expiry, exposing non-HttpOnly cookies, in-origin requests, and DOM state. No public exploit identified at time of analysis.
XSS
Information Disclosure
-
CVE-2026-45739
LOW
CVSS 3.1
Sensitive HTTP header values entered into the Strawberry GraphQL bundled GraphiQL IDE are serialized into the browser URL query string via JavaScript's history.replaceState, exposing credentials such as Authorization bearer tokens to browser history, copy-paste clipboard actions, and server/proxy/CDN access logs. Affected are strawberry-graphql versions 0.288.4 through 0.315.3 - any Python application exposing the default GraphiQL interface without explicit opt-out. No public exploit has been identified at time of analysis, and the CVSS score of 3.1 (Low) reflects that exploitation requires user interaction; however, in developer and staging environments where the IDE is commonly left enabled, token leakage via shared URLs or log aggregation is a realistic risk.
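A detection for the leak described above, as an added example rather than anything from strawberry-graphql: the token ends up in the request target, so it also ends up in every access log that records the query string. The scanner below parses combined-log-format lines, URL-decodes each query value, flags values that contain credential-shaped content, and produces a redacted copy of the line for retention. The log lines are constructed for this demonstration, and the `headers` parameter name in them is an assumption; the detector does not depend on it and checks every query value.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// requestRE extracts method and request target from a combined-log-format entry.
var requestRE = regexp.MustCompile(`"(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS) ([^ "]+) HTTP/[0-9.]+"`)

// credentialRE matches header names and token prefixes that have no business
// in a URL. Extend with site-specific secret names as needed.
var credentialRE = regexp.MustCompile(`(?i)\b(authorization|bearer|x-api-key|cookie|api[_-]?key|token)\b`)

// sampleLog is constructed test input, not real traffic. Line 2 carries a
// GraphiQL-style query string with a serialized Authorization header.
var sampleLog = []string{
	`10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /graphql?query=%7Bme%7Bid%7D%7D HTTP/1.1" 200 512`,
	`10.0.0.5 - - [01/Jan/2026:10:00:05 +0000] "GET /graphql?query=%7Bme%7Bid%7D%7D&headers=%7B%22Authorization%22%3A%22Bearer%20eyJhbGciOiJIUzI1NiJ9.e30.abc%22%7D HTTP/1.1" 200 512`,
	`10.0.0.9 - - [01/Jan/2026:10:01:00 +0000] "POST /graphql HTTP/1.1" 200 128`,
}

// Finding is one log line whose query string carries credential-shaped data.
type Finding struct {
	Line     int
	Path     string
	Params   []string // query parameter names whose decoded value matched
	Redacted string   // the log line with those values replaced
}

// leakedQueryParams URL-decodes every query value (so %22Authorization%22
// becomes "Authorization") and returns the names of parameters that match.
func leakedQueryParams(target string) []string {
	u, err := url.Parse(target)
	if err != nil {
		return nil
	}
	var hits []string
	for name, values := range u.Query() {
		for _, v := range values {
			if credentialRE.MatchString(v) {
				hits = append(hits, name)
				break
			}
		}
	}
	sort.Strings(hits) // map iteration order is random
	return hits
}

// redact rewrites the request target so the matched parameter values are
// replaced, keeping the line useful for analytics without the secret.
func redact(line, target string, params []string) string {
	u, err := url.Parse(target)
	if err != nil {
		return line
	}
	q := u.Query()
	for _, p := range params {
		q.Set(p, "[REDACTED]")
	}
	u.RawQuery = q.Encode()
	return strings.Replace(line, target, u.String(), 1)
}

// scanLog returns a Finding for every line whose query string leaks a credential.
func scanLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		m := requestRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		hits := leakedQueryParams(m[2])
		if len(hits) == 0 {
			continue
		}
		out = append(out, Finding{Line: i + 1, Path: m[2], Params: hits, Redacted: redact(line, m[2], hits)})
	}
	return out
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("line %d: credential in query params %v\n  redacted: %s\n", f.Line, f.Params, f.Redacted)
	}
}
```

Run this over CDN, reverse-proxy and application access logs for any host that serves the GraphiQL page; a hit means the token should be treated as exposed and rotated, and the redacted form is what should be kept.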
Python
Information Disclosure
-
CVE-2026-45570
LOW
CVSS 2.3
Shell command injection in go-git's SSH transport allows attackers who control repository path values to execute arbitrary shell commands on SSH servers that evaluate exec commands through a login shell. go-git wraps repository paths in single quotes without escaping embedded single-quote characters, diverging from canonical Git's sq_quote_buf behavior. When a go-git client connects to an SSH server whose exec command passes through /bin/sh, /bin/bash, or a ForceCommand wrapper that re-evaluates $SSH_ORIGINAL_COMMAND, an attacker-influenced path containing a single quote can break out of the quoted region and append arbitrary shell tokens. No public exploit identified at time of analysis.
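The quoting difference described above, as an added example that is not go-git's or Git's code: `naiveSquote` wraps the path in single quotes and nothing more, while `gitSquote` follows the rule of Git's `sq_quote_buf`, which closes the quoted region, emits `'` (or `!`) backslash-escaped, and reopens it. A small POSIX-style word splitter then shows what a login shell would make of the resulting `git-upload-pack` command line for a path containing a single quote; the path and the command name are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveSquote wraps s in single quotes without touching quotes inside it,
// which is the behaviour the advisory attributes to go-git.
func naiveSquote(s string) string { return "'" + s + "'" }

// gitSquote applies the sq_quote_buf rule: every embedded ' or ! becomes
// '\' + c + ', so the quoted region is closed, the byte is emitted escaped,
// and the region is reopened. The shell reassembles it into one word.
func gitSquote(s string) string {
	var b strings.Builder
	b.WriteByte('\'')
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '\'' || c == '!' {
			b.WriteString(`'\`)
			b.WriteByte(c)
			b.WriteByte('\'')
			continue
		}
		b.WriteByte(c)
	}
	b.WriteByte('\'')
	return b.String()
}

// shWords splits a command line the way a POSIX shell would for the subset
// that matters here: unquoted blanks separate words, single quotes group
// bytes literally, a backslash outside quotes escapes the next byte, and a
// bare ';' is returned as its own word so command boundaries are visible.
func shWords(cmd string) []string {
	var words []string
	var cur strings.Builder
	inWord, inSQ := false, false
	flush := func() {
		if inWord {
			words = append(words, cur.String())
			cur.Reset()
			inWord = false
		}
	}
	for i := 0; i < len(cmd); i++ {
		c := cmd[i]
		switch {
		case inSQ:
			if c == '\'' {
				inSQ = false
			} else {
				cur.WriteByte(c)
			}
		case c == '\'':
			inSQ, inWord = true, true
		case c == '\\' && i+1 < len(cmd):
			i++
			cur.WriteByte(cmd[i])
			inWord = true
		case c == ' ' || c == '\t':
			flush()
		case c == ';':
			flush()
			words = append(words, ";")
		default:
			cur.WriteByte(c)
			inWord = true
		}
	}
	flush()
	return words
}

// uploadPackArgv builds the remote command as a login shell on the server
// would see it and returns the resulting word list.
func uploadPackArgv(quote func(string) string, repoPath string) []string {
	return shWords("git-upload-pack " + quote(repoPath))
}

func main() {
	path := "repo'; id; echo '" // constructed attacker-influenced path
	fmt.Printf("naive: %q\n", uploadPackArgv(naiveSquote, path))
	fmt.Printf("git:   %q\n", uploadPackArgv(gitSquote, path))
}
```

With the naive quoting the shell sees three commands; with the Git rule it sees `git-upload-pack` and one literal argument. The server-side caveat from the advisory still applies: a `ForceCommand` wrapper that re-evaluates `$SSH_ORIGINAL_COMMAND` unquoted reintroduces the split regardless of how the client quoted.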
Information Disclosure
Canonical
-
CVE-2026-43492
None
In the Linux kernel, the following vulnerability has been resolved:
lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
Yiming reports an integer underflow in mpi_read_raw_from_sgl() when
subtracting "lzeros" from the unsigned "nbytes".
For this to happen, the scatterlist "sgl" need...
Information Disclosure
Linux
-
CVE-2026-43491
None
In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: ns: Limit the maximum server registration per node
Current code does no bound checking on the number of servers added per
node. A malicious client can flood NEW_SERVER messages and exhaust memory.
Fix this issue by lim...
Information Disclosure
Linux
-
CVE-2026-34154
LOW
CVSS 2.1
Payment bypass in the discourse-subscriptions plugin allows unauthenticated users to gain membership in subscription-gated groups without completing a financial transaction. Affected are all Discourse installations running the subscriptions plugin prior to fixed versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.1 reflects high attack complexity, required user interaction, and limited confidentiality impact confined to the vulnerable system.
Authentication Bypass
-
CVE-2026-33565
LOW
CVSS 3.3
Signal handler race condition in OpenHarmony v6.0 and prior enables a local, low-privileged attacker to cause a denial-of-service condition. The vulnerability (CWE-364) produces only low availability impact per the CVSS vector, with no confidentiality or integrity loss confirmed. No public exploit code or CISA KEV listing exists at time of analysis, placing this in a low-urgency tier despite the low attack complexity.
Information Disclosure
-
CVE-2026-28751
LOW
CVSS 3.3
Local denial-of-service in OpenHarmony v6.0 and prior versions exploits an improper input validation flaw (CWE-20), allowing a low-privileged local attacker to partially disrupt availability without requiring user interaction. The CVSS score of 3.3 (Low) reflects constrained impact: availability impact is rated Low (A:L), with no confidentiality or integrity loss. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the lower tier of operational urgency.
Information Disclosure
-
CVE-2026-27781
LOW
CVSS 3.3
Integer overflow in OpenHarmony v6.0 and prior versions enables a local authenticated attacker to trigger a denial-of-service condition, resulting in an availability impact. The vulnerability is low severity with a CVSS score of 3.3, requires local access with low privileges, and no public exploit or active exploitation has been identified at time of analysis. Notably, the CVE tags include 'Information Disclosure' despite the CVSS vector indicating no confidentiality impact (C:N), a discrepancy that warrants vendor clarification.
Information Disclosure
Integer Overflow
-
CVE-2026-25110
LOW
CVSS 3.3
NULL pointer dereference in OpenHarmony v6.0 and prior enables a local low-privileged attacker to crash the system or an affected process, causing a denial-of-service condition. The vulnerability is confined to local exploitation with no confidentiality or integrity impact, as reflected in the CVSS:3.1 score of 3.3 (Low). No public exploit code has been identified at time of analysis, and no active exploitation has been reported.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-8492
LOW
CVSS 2.7
Resource Location Spoofing in the Drupal 'Translate Drupal with GTranslate' module (versions before 3.0.5) allows a high-privileged authenticated attacker to modify data the module treats as immutable, enabling redirection of translation resource locations. Exploitation requires network access but demands administrator-level privileges, yielding only low integrity impact with no confidentiality or availability consequences. No public exploit code exists and EPSS sits at 0.02% (5th percentile), indicating negligible exploitation interest at this time.
Information Disclosure
-
CVE-2026-8491
LOW
CVSS 3.7
Forceful browsing in the Drupal Node View Permissions module exposes restricted node content to unauthenticated network attackers under high-complexity conditions. Affected are all installations running versions 0.0.0-1.7.0 (branch 1.x) and 2.0.0-2.0.1 (branch 2.x) of the module. The vulnerability is classified as information disclosure only - no integrity or availability impact - and carries a CVSS 3.7 (Low) score; no public exploit code exists and no confirmed active exploitation has been reported (not in CISA KEV), with EPSS placing exploitation probability at 0.01%.
Information Disclosure
-
CVE-2026-7860
LOW
CVSS 1.6
Vaadin Flow's Maven and Gradle build plugins expose all process-level environment variables - including CI-injected secrets and credentials - in plaintext build logs whenever the frontend build process exits with a non-zero status code. Affected are com.vaadin:flow-maven-plugin, flow-gradle-plugin, and flow-plugin-base across Vaadin 23.0.0-23.6.9, 24.0.0-24.10.3, and 25.0.0-25.1.4. No public exploit code exists and this is not listed in CISA KEV; however, any actor with read access to CI build logs from a failed frontend build can extract plaintext registry credentials, deploy tokens, or signing keys, enabling downstream supply chain compromise consistent with the CVSS SC:H/SI:H subsequent-system impact ratings.
Information Disclosure
-
CVE-2025-14575
LOW
CVSS 1.8
Uncontrolled search path in Qt Network's OpenSSL TLS backend on Unix allows a high-privileged local attacker to inject a rogue CA certificate by placing a crafted certificate file in the application's working directory, causing Qt-based applications to treat it as a trusted system authority. Affected across multiple long-term support branches: Qt 5.x through 5.15.19, Qt 6.0-6.5.x through 6.5.9, Qt 6.6-6.8.x through 6.8.3, and Qt 6.9.x through 6.9.1 on Unix platforms. No public exploit identified at time of analysis, and CVSS 4.0 rates this at 1.8, reflecting substantial preconditions that severely limit real-world impact.
Information Disclosure
OpenSSL