Skip to main content
CVE-2026-8968 HIGH PATCH This Week

Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

Mozilla Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8949 HIGH PATCH This Week

Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

Mozilla Buffer Overflow Integer Overflow Suse Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46374 HIGH PATCH GHSA This Week

Denial of service in SQLFluff parser (pip/sqlfluff) versions prior to 4.2.0 allows remote unauthenticated attackers to exhaust CPU and memory resources by submitting an excessively long or malicious SQL query for linting. The flaw affects any application that exposes the SQLFluff parser to untrusted input. No public exploit identified at time of analysis, but the issue was responsibly reported by Imperva Threat Research.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46373 HIGH PATCH GHSA This Week

Denial of service in SQLFluff (Python SQL linter/parser) below version 4.1.0 allows remote attackers to exhaust server resources by submitting SQL queries with deliberately excessive nesting, triggering uncontrolled recursion in the parser. The flaw (CWE-674) affects any application that accepts untrusted SQL input for linting and carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/A:H); no public exploit identified at time of analysis and EPSS data was not provided.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8946 HIGH PATCH This Week

Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.

Mozilla Buffer Overflow
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7507 HIGH PATCH GHSA This Week

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take over accounts, including highly privileged administrative ones. Exploitation requires the victim to click an attacker-crafted link, after which an existing SSO session causes transparent authentication into the attacker-controlled flow. No public exploit identified at time of analysis, but Red Hat has confirmed the flaw in Red Hat Build of Keycloak.

CSRF Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8963 HIGH PATCH This Week

Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Suse Red Hat
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8960 HIGH PATCH This Week

Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Suse Red Hat
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8964 HIGH PATCH This Week

Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151.

Information Disclosure Mozilla Suse Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31909 HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Information Disclosure Apache
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8967 HIGH PATCH This Week

Information disclosure in Mozilla Firefox's WebGPU graphics component allows remote attackers to access sensitive in-memory data from browser sessions via crafted web content rendered through the WebGPU API. The flaw affects Firefox versions prior to 151 and has been addressed by Mozilla in advisories MFSA2026-46 and MFSA2026-50. There is no public exploit identified at time of analysis, and EPSS scoring (0.02%, 4th percentile) indicates very low likelihood of near-term mass exploitation.

Information Disclosure Mozilla Suse Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8966 HIGH PATCH This Week

Information disclosure in Mozilla Firefox versions prior to 151 affects the IP Protection component, allowing remote unauthenticated attackers to obtain sensitive information over the network without user interaction. The flaw carries a CVSS score of 7.5 driven entirely by confidentiality impact (C:H/I:N/A:N), and while no public exploit is identified at time of analysis, the very low EPSS score of 0.02% (4th percentile) suggests minimal active exploitation interest. Mozilla addressed the issue in Firefox 151 via security advisories MFSA2026-46 and MFSA2026-50.

Information Disclosure Mozilla Suse Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8965 HIGH PATCH This Week

Information disclosure in Mozilla Firefox prior to version 151 allows remote attackers to leak sensitive data through a flaw in the DOM: Security component, exploitable without authentication or user interaction. The CVSS 7.5 rating reflects high confidentiality impact via network vector, though EPSS scoring at 0.02% (4th percentile) indicates very low predicted exploitation probability and no public exploit identified at time of analysis.

Information Disclosure Mozilla Suse Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31910 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache SSRF
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45799 HIGH PATCH GHSA This Week

Denial of service in Square Wire protobuf library (com.squareup.wire:wire-runtime before 6.3.0) allows remote unauthenticated attackers to crash any service that decodes untrusted protobuf payloads by sending a 10-byte crafted message. The flaw stems from missing negative-length validation in skipGroup(), causing an unchecked ArrayIndexOutOfBoundsException to escape Wire's documented IOException boundary. No public exploit identified at time of analysis, though the GitHub advisory includes a full reproduction payload and Java PoC code.

Denial Of Service Java
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8073 HIGH This Week

Arbitrary file read and deletion in the Kirki - Freeform Page Builder plugin for WordPress (versions through 6.0.6) allows unauthenticated remote attackers to read and delete files within the WordPress uploads base directory by abusing the 'downloadZIP' function. The flaw stems from insufficient path validation and a missing capability check, and was reported by Wordfence; no public exploit identified at time of analysis.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33633 HIGH PATCH This Week

Heap buffer overflow in Kitty terminal versions 0.46.2 and below allows any process able to write to the terminal's standard input to crash the application and potentially achieve remote code execution. The flaw lives in load_image_data() and is triggered by a single APC graphics protocol command declaring PNG format (f=100) with a payload exceeding twice the initial buffer capacity, giving the attacker control over both overflow length and content. No public exploit identified at time of analysis, but the vulnerability has been fixed upstream in version 0.47.0.

Buffer Overflow Heap Overflow Kitty
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45713 HIGH PATCH GHSA This Week

Unauthenticated remote denial-of-service in Mailpit versions prior to 1.30.0 allows network-reachable attackers to exhaust memory and disk by submitting arbitrarily large messages through the SMTP listener on port 1025 or the HTTP /api/v1/send endpoint on port 8025. The Server.MaxSize field exists but is never populated in production code, and the JSON decoder lacks http.MaxBytesReader, so a single connection delivering a 100 MiB DATA payload inflates RSS roughly tenfold (≈25 MiB → ≈1 GiB), and concurrent connections drive the process to OOM-kill. Publicly available exploit code exists (working SMTP and HTTP PoCs are included in the GHSA advisory), though no CISA KEV listing or EPSS score was supplied with this input.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-45728 HIGH PATCH GHSA This Week

Information disclosure in Algernon web server versions 1.17.6 and earlier allows unauthenticated remote attackers to retrieve full server-side source code, including embedded secrets, by triggering runtime errors in Lua, Pongo2, Amber, or HTML template handlers. When Algernon is started with a single file path (e.g. `algernon page.po2`), single-file mode unconditionally forces debug mode on, activating the PrettyError renderer which returns absolute file paths and complete file contents in HTTP 200 responses. Crucially, the `--prod` hardening flag does not block this behavior for non-`.lua` extensions, and publicly available exploit code exists in the GHSA advisory.

Microsoft Information Disclosure Python
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8954 HIGH PATCH This Week

Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

Mozilla Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8912 HIGH This Week

SQL injection in the Contest Gallery WordPress plugin (versions through 28.1.6) allows unauthenticated remote attackers to extract sensitive database contents by abusing the 'form_input' parameter handled by the 'post_cg_gallery_form_upload' AJAX action. The endpoint is gated only by a public nonce that is exposed in the page source of any public gallery page, effectively offering no protection against external attackers. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and affects a publicly reachable PHP endpoint.

WordPress PHP SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61081 HIGH This Week

In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the Electronic Parking Break (EPB) and Supplemental Restoration System (SRS) related ECUs.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8947 HIGH PATCH This Week

Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.

Information Disclosure Mozilla Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-45738 HIGH PATCH GHSA This Week

Stored XSS in Argo CD allows developer-role users to inject javascript: URIs via link.argocd.argoproj.io/* annotations, which render unvalidated in the Application Summary tab's URLs section. When an admin clicks the disguised link, arbitrary JavaScript executes in the ArgoCD same-origin context with the victim's session, enabling API exfiltration and developer-to-admin privilege escalation. No public exploit identified at time of analysis beyond the detailed vendor PoC, and the issue is not currently listed in CISA KEV.

Kubernetes XSS Privilege Escalation
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-51427 HIGH PATCH GHSA This Week

An issue was discovered in ModelScope 1.25.0 allowing attackers to execute arbitrary code via crafted module listed in the configuration file (dey_mini.yaml) under the key ['nnet']['module'].

RCE Code Injection N A
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-39250 HIGH This Week

Authorization bypass in Innoshop 0.6.0 allows authenticated frontend users to directly invoke backend administrative interfaces, enabling privileged operations outside their intended scope. The CVSS 7.3 score reflects low-impact gains across confidentiality, integrity, and availability achievable without prior authentication to the admin panel. No public exploit identified at time of analysis, and EPSS estimates exploitation probability at just 0.02% (5th percentile), indicating minimal observed attacker interest so far.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-29226 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache SSRF
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-22069 HIGH This Week

Local privilege escalation in OPPO's O+ Connect application stems from missing caller identity validation on a named pipe interface (CWE-266), allowing a low-privileged local user with user interaction to escalate to higher privileges with high availability impact and scope change. The CVSS 3.1 score is 7.3 and the issue was reported by OPPO itself; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Privilege Escalation O Connect
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-32323 HIGH PATCH This Week

Local privilege escalation in Mullvad VPN for macOS versions 2026.1 and earlier allows a user in the admin group to gain root code execution during installation or upgrade. The installer's preinstall script executes binaries from /Applications/Mullvad VPN.app without verifying the bundle's integrity, enabling an admin-group attacker to pre-stage a malicious app bundle that runs as root. No public exploit identified at time of analysis, and the flaw is only triggerable when an installer is run, not on already-installed systems.

Privilege Escalation Apple RCE
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-70950 HIGH GHSA This Week

An issue in gohttp commit 34ea51 allows attackers to execute a directory traversal via supplying a crafted request.

Path Traversal
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-8727 HIGH PATCH GHSA This Week

Remote code execution in the TYPO3 Crawler extension occurs when the X-T3Crawler-Meta response header from a crawled URL is passed unchecked to PHP's unserialize(), enabling arbitrary PHP object injection. Exploitation requires a high-privileged administrator to configure a crawler-enabled page and a Scheduler task pointing at an attacker-controlled endpoint, so while impact is full RCE on the TYPO3 host, it is gated by an unusual combination of admin access, user interaction, and externally reachable malicious URLs. No public exploit identified at time of analysis and no CISA KEV listing.

Deserialization PHP RCE
NVD
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-42100 HIGH This Week

Denial of service in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated remote attackers to crash the service by submitting a specially crafted SQL query that the server fails to parse safely. The flaw, reported by CERT-PL, results in unexpected termination of the Pro Cloud Server process, and no public exploit identified at time of analysis. The vendor did not respond to disclosure, so the full vulnerable version range remains unconfirmed.

Denial Of Service Pro Cloud Server
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-8605 MEDIUM CISA This Month

In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.

Authentication Bypass Scadabr
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-46393 HIGH PATCH GHSA This Week

Server-Side Request Forgery in HAXcms (versions <= 25.0.0 of @haxtheweb/haxcms-nodejs, with PoC against v11.0.6) allows authenticated low-privileged users to coerce the server into fetching arbitrary URLs or local file paths via the createSite endpoint's build.files parameter, with responses written to a web-accessible directory. This produces arbitrary file read, internal network reconnaissance, and cloud metadata credential theft. Publicly available exploit code exists in the GHSA advisory, though no CISA KEV listing is present.

PHP CSRF SSRF
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-32741 HIGH PATCH This Week

Heap buffer overflow in libheif versions 1.21.2 and below allows remote attackers to corrupt memory via a maliciously crafted HEIF file containing a mask image (mski) box. The flaw resides in MaskImageCodec::decode_mask_image(), where an attacker-controlled iloc extent length is memcpy'd into an undersized pixel buffer with no upper-bound validation, yielding heap corruption when a user opens the file. No public exploit identified at time of analysis, but the vulnerability is straightforward to trigger because the vulnerable branch is reachable under default library security limits.

Buffer Overflow Heap Overflow Libheif
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32882 HIGH PATCH This Week

Heap buffer over-read in libheif versions 1.21.2 and prior allows remote attackers to crash applications or potentially leak adjacent heap memory by supplying a crafted HEIF/AVIF file with an overlay image (iovl) whose alpha channel bit depth differs from its color channels. The flaw in HeifPixelImage::overlay() uses the color channel stride to index into the alpha plane, reading up to 3,123 bytes beyond the alpha buffer for a 100×50 image with 10-bit color and 8-bit alpha. No public exploit identified at time of analysis, and the issue is fixed in version 1.22.0.

Information Disclosure Buffer Overflow Denial Of Service Libheif
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-7571 HIGH PATCH GHSA This Week

Implicit flow bypass in Red Hat Build of Keycloak allows a low-privileged authenticated user who already knows another user's credentials and a client ID to obtain OIDC access tokens from clients where the implicit flow was explicitly disabled. Beyond the unauthorized token issuance, the resulting tokens can be written to server logs, proxy logs, and HTTP Referer headers, broadening the disclosure surface. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46337 MEDIUM GHSA This Month

Unauthenticated path traversal in AVideo's `view/img/image404Raw.php` allows any remote attacker to read arbitrary image files accessible to the PHP process, bypassing all application-layer ACLs that normally gate private user photos, admin thumbnails, and encrypted-video poster frames. The vulnerability affects all versions through the current master branch (commit 0dbadbcaaa1b415c7db078a72dc4b26d9fac0485) and all releases up to and including 29.0 (pkg:composer/wwbn_avideo). No vendor-released patch is currently available, and a working proof-of-concept is publicly disclosed in GHSA-w4qq-74h6-58wq, making this immediately actionable by any unauthenticated attacker with HTTP access to the deployment.

PHP Path Traversal
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-46721 MEDIUM PATCH This Month

Mass assignment in the TYPO3 'Frontend User Registration' extension allows unauthenticated remote attackers to assign arbitrary frontend user groups to accounts created or modified via the public registration and profile-edit flows. Because the extension neither restricts which user properties may be submitted nor enforces server-side access control on the group assignment field, an attacker registers or edits an account while injecting a privileged frontend user group identifier, immediately gaining access to content and functionality that would otherwise require elevated membership. No public exploit is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass Extension Frontend User Registration
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2023-7345 MEDIUM PATCH This Month

Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45409 MEDIUM PATCH GHSA This Month

Resource exhaustion in the Python idna library's idna.encode() function allows denial-of-service via specially crafted Unicode inputs that bypass the incomplete CVE-2024-3651 remediation. Affected versions process CONTEXTO-class codepoints - such as Arabic-Indic digit zero (U+0660) or Katakana middle dot (U+30FB) - through the valid_contexto validation function before length rejection occurs, enabling arbitrarily large inputs to consume significant CPU. Any Python application that passes unvalidated user input to idna.encode() or related per-label/codec functions without upstream length enforcement is exposed; no public exploit has been identified at time of analysis beyond the PoC payloads embedded in the advisory itself.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45557 MEDIUM PATCH This Month

Technitium DNS Server performs amplified outbound DNS traffic when processing domains with missing RRSIG records or mismatched DNSKEY records - an attacker who controls any domain can exploit this behavior to force the resolver into generating excessive network queries against third-party infrastructure. All versions prior to 15.0 are affected per the vendor CPE listing (cpe:2.3:a:technitium:dns_server:*:*:*:*:*:*:*:*). The CVSS Changed Scope (S:C) confirms that impact extends beyond the vulnerable server itself, affecting downstream network resources and other systems. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Information Disclosure Dns Server
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-37982 MEDIUM PATCH This Month

Token replay exploitation in Red Hat Build of Keycloak's WebAuthn flow allows an unauthenticated remote attacker who intercepts an ExecuteActionsActionToken email link to enroll their own hardware-backed WebAuthn authenticator to a victim's account. Successful exploitation bypasses authentication entirely and grants the attacker persistent, credential-backed access to the compromised account. No public exploit code has been identified at time of analysis, and CISA KEV confirmation is absent, but the High confidentiality and integrity impact from CVSS underscores the severity if the attack preconditions are met.

Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-4630 MEDIUM PATCH This Month

Keycloak's Authorization Services Protection API is vulnerable to an Insecure Direct Object Reference (IDOR) flaw that allows authenticated low-privileged clients to perform unauthorized GET, PUT, and DELETE operations on resources owned by a different Resource Server within the same realm. By supplying a resource UUID belonging to a peer Resource Server - which a client can obtain through enumeration or disclosure - the attacker bypasses Keycloak's authorization enforcement entirely. The CVSS score of 6.8 (High) reflects confirmed confidentiality and integrity impact, though High complexity (AC:H) indicates the attacker must first acquire valid cross-server UUIDs. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-34216 MEDIUM PATCH This Month

Remote code execution in CtrlPanel versions 1.1.1 and prior allows authenticated administrators to execute arbitrary PHP code by supplying a fully qualified class name to the admin settings update endpoint, which instantiates or invokes static methods on that class without allowlist validation. Any class resolvable by the Composer autoloader - including third-party dependencies - can be targeted, enabling gadget-chain exploitation through PHP magic methods such as __construct, __toString, or __wakeup. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the fix is confirmed in version 1.2.0, released April 2026.

PHP RCE
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.3%
CVE-2026-6366 MEDIUM PATCH This Month

Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged authenticated user to manipulate dynamically-determined object attributes, with potential full compromise of confidentiality, integrity, and availability. The CVSS vector (AV:N/AC:H/PR:H) confirms this is a network-reachable flaw but imposes steep prerequisites: administrator-level access and high attack complexity. No public exploit code or confirmed active exploitation has been identified at time of analysis.

Code Injection Drupal Core
NVD VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-46357 MEDIUM PATCH GHSA This Month

Denial of service in HAX CMS NodeJS (npm/@haxtheweb/haxcms-nodejs) allows any authenticated user to crash the entire Node.js server process with a single crafted HTTP POST to the createSite endpoint. The crash stems from a null pointer dereference (CWE-476) in HAXCMSFile.save(), where tmpFile.originalname is undefined, causing an unhandled TypeError that terminates the process immediately. Because HAX CMS permits open account self-registration, an attacker can create their own account and trigger the crash without needing to compromise existing credentials, making the effective barrier to exploitation very low despite the PR:L CVSS designation. No public exploit identified at time of analysis beyond the PoC included in the GitHub security advisory.

Node.js Null Pointer Dereference Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-45796 MEDIUM PATCH GHSA This Month

Unauthenticated semi-blind Server-Side Request Forgery in Coder's Azure instance identity endpoint allows any remote attacker to force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts, enabling internal network reconnaissance, cloud metadata service probing (e.g., 169.254.169.254), and error-based information disclosure of network topology. The vulnerability exists across all supported Coder release lines prior to v2.29.13/v2.30.8/v2.31.12/v2.32.2/v2.33.3/v2.24.5 (ESR), and has been patched in GitHub PR #25274. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Microsoft Information Disclosure SSRF
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-32739 MEDIUM PATCH This Month

Infinite CPU loop denial-of-service in libheif 1.21.2 and below allows a remote unauthenticated attacker to permanently exhaust a victim application's CPU by delivering a crafted 800-byte HEIF sequence file. The vulnerability triggers during file parsing in Box_stts::get_sample_duration() before any image decoding occurs, meaning any application that opens user-supplied HEIF files is exposed at the moment of file open. No KEV listing and no public exploit have been identified at time of analysis, but the low attack complexity and high availability impact make this a meaningful risk for deployments that process untrusted HEIF content. Vendor-released patch version 1.22.0 resolves the issue.

Denial Of Service Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32738 MEDIUM PATCH This Month

Denial of service in libheif versions 1.21.2 and below allows a remote attacker to crash any application linked against the library by supplying a crafted HEIF sequence file. The crash is deterministic - the malformed file passes parsing without error, then triggers a guaranteed SEGV on the first frame access due to an unsigned integer underflow that maps all media samples to an empty chunk. No public exploit has been identified at time of analysis, and this is not listed in the CISA KEV catalog; vendor-released patch is available in version 1.22.0.

Information Disclosure Buffer Overflow Denial Of Service Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy