Skip to main content
CVE-2026-31378 MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Information Disclosure Apache
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32814 MEDIUM PATCH This Month

Heap memory disclosure in strukturag libheif versions 1.21.2 and prior exposes up to 12,288+ bytes of uninitialized heap content - potentially containing auth tokens, database results, or other users' image data - when decoding crafted HEIF or AVIF grid images under the library's default settings. The decode path silently suppresses tile failures while returning heif_error_Ok, so calling applications receive heap garbage as valid pixel values with no error indication. Server-side image pipelines that ingest user-uploaded HEIF/AVIF and re-encode the output (e.g., as PNG or JPEG thumbnails for CDNs or social platforms) are at highest cross-user exposure risk; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-37979 MEDIUM PATCH This Month

Audience restriction bypass in Keycloak's OpenID Connect token introspection endpoint exposes sensitive token claims to unauthorized confidential clients. Any attacker-controlled confidential client holding valid realm credentials can query the introspection endpoint and retrieve claims from lightweight access tokens issued to other resource servers - violating the isolation guarantees of audience-scoped tokens. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and network-accessible vector make this a realistic threat in multi-tenant or multi-service Keycloak deployments where client isolation is a security boundary.

Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-35086 MEDIUM PATCH This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache Code Injection RCE
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31380 MEDIUM PATCH This Month

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache Code Injection
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-34233 MEDIUM PATCH This Month

CtrlPanel versions 1.1.1 and prior expose administrative DataTable endpoints without enforcing admin-level authorization, allowing any authenticated low-privileged user to retrieve sensitive records that should be restricted to administrators. The flaw stems from a gap between route-prefix-level middleware and per-endpoint permission enforcement: routes under /admin/ appear protected but datatable() methods lack role verification, making the protection illusory. Exploitation yields access to user PII, payment and transaction records, active coupon codes, role/permission structure, server ownership mappings, and support ticket contents - a significant confidentiality breach. No public exploit or CISA KEV listing is identified at time of analysis; a vendor-released patch is available in version 1.2.0.

Authentication Bypass Panel
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8951 MEDIUM PATCH This Month

Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.

Mozilla Google Authentication Bypass Suse Red Hat
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-29207 MEDIUM PATCH This Month

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supported. Additionally, in the updated version, the "Ecommerce Customer" security group no longer includes content management grants. Users are advised to remove these permissions from any production site as well.

Ssti Apache Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-29220 MEDIUM PATCH This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8961 MEDIUM PATCH This Month

Spoofing via the Form Autofill component in Mozilla Firefox allows a network-based attacker to achieve high integrity impact against users who interact with attacker-controlled content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms no authentication is required from the attacker side, but a victim must interact with malicious content for the attack to succeed. No public exploit code has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), indicating very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.

Mozilla Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45187 MEDIUM PATCH This Month

Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8706 MEDIUM PATCH This Month

Firefox for iOS Reader mode exposed an unauthenticated local HTTP server on the device, enabling a co-installed malicious application to request arbitrary URLs through that server and receive responses rendered with the authenticated user's session cookies. Affected versions are all Firefox for iOS releases prior to 151.0, confirmed by Mozilla Security Advisory MFSA2026-49. No public exploit code has been identified and CISA SSVC rates exploitation as none at time of analysis, but successful exploitation would allow silent exfiltration of authenticated web content from the victim's active browsing session.

Information Disclosure Mozilla Apple Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8971 MEDIUM PATCH This Month

Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Suse Red Hat
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28733 MEDIUM This Month

Use-After-Free memory corruption in OpenHarmony v6.0 and prior enables a local attacker with low privileges to execute arbitrary code, achieving a changed scope with high availability impact. The vulnerability is rooted in CWE-416, where freed memory regions are accessed without proper lifecycle management, a class of flaw frequently exploitable for control-flow hijacking. No public exploit code or CISA KEV listing has been identified at time of analysis, though the OpenHarmony security team has published a formal disclosure.

Memory Corruption Use After Free RCE Openharmony
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8096 MEDIUM This Month

Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.6) allows authenticated attackers with subscriber-level privileges to enumerate and read all frontend form structures and stored visitor submission data, including contact details and messages submitted through any site form powered by the plugin. The flaw originates in missing authorization checks on an AJAX handler (Ajax.php, line 675), meaning any logged-in user - including the lowest-privilege role WordPress assigns - can exfiltrate sensitive visitor-submitted information without any administrative context. No public exploit or CISA KEV listing has been identified at time of analysis, but the low privilege barrier and network-accessible attack vector make this a realistic data exposure risk for any multi-user or public-registration WordPress site running the affected plugin.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45737 MEDIUM PATCH GHSA This Month

Information disclosure in Argo CD v3.x exposes plaintext Kubernetes Secret values to authenticated users who can view application diffs via the ServerSideDiff feature. This is an incomplete fix for a prior vulnerability (GHSA-3v3m-wc6v-x4x3): the original patch masked top-level Secret data in ServerSideDiff responses but failed to sanitize Secret content embedded in the `kubectl.kubernetes.io/last-applied-configuration` annotation on `predictedLive` objects, leaving raw `data`, `stringData`, and sensitive annotation values readable in UI and CLI diff output. A publicly available proof-of-concept exists; no KEV listing is present at time of analysis, but the Changed Scope (S:C) in the CVSS vector indicates that exposed secrets may belong to workloads beyond the Argo CD application boundary, amplifying real-world impact in multi-tenant environments.

Information Disclosure Kubernetes
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-44408 MEDIUM This Month

Improper permission control on the ZTE MU5250 web management interface allows an adjacent-network attacker with low-level credentials to modify device configuration beyond their authorized scope, resulting in high availability impact and low integrity impact. Affected firmware is confirmed as BD_FLYMODEMMU5250V1.0.0B27, self-disclosed by ZTE via their security bulletin. No public exploit code or CISA KEV listing exists at time of analysis, and exploitation is constrained to adjacent network access with some level of authenticated access per the CVSS vector.

Information Disclosure Zte Authentication Bypass
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-46377 MEDIUM PATCH GHSA This Month

Denial of service in dasel (Go data selector library) v3.0.0 through v3.10.0 allows attackers who influence selector query strings to crash the host process via a 2-byte input. A trailing backslash inside a quoted selector (e.g., `"\` or `'\`) triggers an index-out-of-range panic in the lexer's escape-sequence handler. Publicly available exploit code exists (PoC in the GHSA advisory), and no public exploit identified at time of analysis indicates in-the-wild abuse.

Denial Of Service Apple
NVD GitHub
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-46378 MEDIUM PATCH GHSA This Month

Denial of service in dasel (Go data selector library) versions 3.0.0 through 3.10.0 allows attackers who control selector query strings to pin a CPU core at 100% indefinitely via a 2-byte payload (`r/`). The selector lexer's `matchRegexPattern` closure lacks an end-of-input bounds check, causing an infinite loop when tokenizing unterminated regex literals. No public exploit identified at time of analysis beyond the reporter's PoC, and the issue is not listed in CISA KEV.

Denial Of Service Apple
NVD GitHub
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-45785 MEDIUM PATCH GHSA This Month

Denial of service in OpenMcdf versions up to and including 3.1.3 allows an attacker to permanently hang any thread that processes a crafted Compound File Binary (CFB) file by exploiting an unguarded infinite loop in the BST name-lookup path of DirectoryTree.TryGetDirectoryEntry. The flaw is distinct from - and unaddressed by - the Brent's-algorithm cycle detection added to DirectoryTreeEnumerator in commit 24f445a: while EnumerateEntries() now safely throws a FileFormatException on cyclic input, any subsequent call to OpenStorage(), TryOpenStorage(), OpenStream(), or TryOpenStream() enters the unprotected while-loop and spins at 100% CPU indefinitely. Publicly available proof-of-concept CFB files (5,632 and 7,936 bytes) demonstrate the hang via two distinct API paths; no public exploit identified at time of analysis that escalates beyond DoS, and the vulnerability is not listed in the CISA KEV catalog.

Denial Of Service
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-46341 MEDIUM PATCH GHSA This Month

Domain allowlist bypass in Apify MCP Server's fetch-apify-docs tool (npm/@apify/actors-mcp-server < 0.9.21) enables prompt injection against LLM agents by allowing attacker-controlled URLs to pass a flawed string prefix check. The tool validates requested URLs with String.startsWith() rather than parsing the URL hostname, so crafted URLs like https://docs.apify.com.evil.com/ satisfy the check while resolving to an attacker-controlled server. Publicly available exploit code (PoC) exists per the GitHub advisory GHSA-jwp7-wg77-3w9v; no CISA KEV listing at time of analysis, though the prompt injection vector can escalate to Apify account compromise via injected token redirection.

Node.js SSRF
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31379 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Path Traversal Apache XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6871 MEDIUM PATCH This Month

Cross-site scripting in the Drupal Obfuscate contributed module (versions 0.0.0 through before 2.0.2) allows remote unauthenticated attackers to inject malicious scripts into pages rendered for other users, with impact scoped across security boundaries (S:C). The vulnerability stems from improper neutralization of input during web page generation, enabling session hijacking or UI redress attacks against users who view attacker-controlled content processed by the module. No public exploit has been identified at time of analysis, and EPSS at 0.03% (8th percentile) reflects low current exploitation probability.

XSS Obfuscate
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6367 MEDIUM PATCH This Month

Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious scripts into web pages rendered by the application, which execute in victims' browsers upon user interaction. The CVSS Changed scope (S:C) indicator confirms the exploit crosses trust boundaries - attacker-controlled input rendered in the victim's browser context can compromise session tokens or trigger unauthorized actions. With EPSS at 0.03% (8th percentile) and no CISA KEV listing, widespread exploitation is not currently observed; a vendor patch is available in 11.3.7.

XSS Drupal Core
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6365 MEDIUM PATCH This Month

Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11 - to client-side script injection exploitable by unauthenticated remote attackers who can induce user interaction. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in the context of a victim's browser session, enabling session hijacking, credential theft, or malicious redirects against authenticated users including administrators. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (8th percentile) signals low near-term exploitation probability, though the breadth of affected versions across three major release lines increases the aggregate attack surface.

XSS Drupal Core
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6095 MEDIUM PATCH This Month

Reflected or stored cross-site scripting in Drupal's Orejime cookie consent module (versions 0.0.0 through 2.0.15) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser upon page load or link interaction. The changed scope (S:C) in the CVSS vector indicates the injected script executes in a security context beyond the originating page - consistent with a consent banner or cookie-preference widget that renders across site sections. No public exploit code has been identified at time of analysis, and EPSS is 0.03% (8th percentile), placing this in the low-exploitation-probability tier despite being network-accessible with no authentication required.

XSS Orejime
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31906 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-5090 MEDIUM This Month

Cross-site scripting in Template::Plugin::HTML versions through 3.102 for Perl allows remote unauthenticated attackers to inject JavaScript event handlers into rendered HTML pages when victim users view pages containing attacker-controlled template variables. The html_filter function and HTML.escape method omitted escaping of single-quote characters, meaning variables filtered with `| html` inside single-quoted HTML attributes (e.g., `title='[% var | html %]'`) remained injectable. No public exploit has been identified at time of analysis and EPSS is 0.01% (1st percentile), indicating no observed widespread exploitation, though the attack primitive is straightforward for any attacker aware of the single-quote gap.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33514 MEDIUM PATCH This Month

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.

Authentication Bypass Discourse
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-45802 MEDIUM PATCH GHSA This Month

Memory exhaustion and endless loop in Setasign FPDI (composer package setasign/fpdi) allow remote attackers to crash PHP server-side scripts by uploading a small, specially crafted PDF file. All versions prior to 2.6.7 are affected, and any web application that exposes FPDI-based PDF processing to user-supplied input is vulnerable. Repeated submissions can sustain service unavailability; no public exploit has been identified at time of analysis, and no CISA KEV listing exists.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-46724 MEDIUM PATCH This Month

Path traversal in the TYPO3 'Faceted Search' extension's file indexer exposes arbitrary server filesystem content to high-privileged backend users. Because the indexer does not normalize or canonicalize the configured directory path before use, a backend user holding the specific permission to edit indexer configurations can supply path traversal sequences to redirect indexing at sensitive locations outside the intended document root. The CVSS 4.0 score of 5.9 (Medium) reflects high confidentiality impact (VC:H) constrained by the requirement for high privileges (PR:H). No public exploit or CISA KEV listing exists at time of analysis.

Path Traversal Extension Faceted Search
NVD
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-46722 MEDIUM PATCH This Month

XML External Entity (XXE) injection in the OOXML file indexer of the TYPO3 'Faceted Search' extension (EXT:faceted_search) allows a high-privileged authenticated attacker to cause the server to disclose local file contents or perform outbound HTTP requests (SSRF), with retrieved data written to the search index. Exploitation requires placing a crafted XLSX or PPTX document into a directory processed by the indexer. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XXE Extension Faceted Search
NVD
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-46723 MEDIUM PATCH This Month

Sensitive internal TYPO3 database content can be exfiltrated into the public search index via the Faceted Search extension's misconfigured additional_tables parameter. Backend users holding permission to edit indexer configurations can reference arbitrary internal database tables and fields - including those storing backend credentials, frontend user records, or other protected data - causing the search indexer to copy that data into the search index where it may be surfaced in search results or via API responses. No public exploit has been identified at time of analysis, and exploitation is constrained by the requirement for high-privilege backend access (PR:H per CVSS 4.0), placing this firmly in insider-threat and privilege-misuse risk scenarios.

Information Disclosure Extension Faceted Search
NVD
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-45670 MEDIUM PATCH GHSA This Month

Source code disclosure in Nuxt's webpack and rspack dev server middleware enables a malicious website on the same local network to exfiltrate full application source code when developers run `nuxt dev --host`. The previous fix for GHSA-4gf7-ff8x-hq99 relied exclusively on Sec-Fetch-Mode and Sec-Fetch-Site headers, which browsers only send from potentially trustworthy origins (HTTPS or localhost) per the W3C Fetch Metadata specification - requests originating from plain HTTP pages on LAN omit these headers entirely, bypassing the same-origin check. A working proof-of-concept is embedded in the vendor advisory; no public exploit identified at time of analysis in CISA KEV.

Node.js Google Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-32134 MEDIUM PATCH This Month

Remote unauthenticated denial-of-service in NanoMQ MQTT Broker (versions 0.24.10 and below) crashes the broker process via a NULL pointer dereference triggered by high-concurrency MQTT reconnect traffic. The flaw occurs during session resumption for persistent-session clients (clean_start=0), where the NanoNNG transport layer's pipe_peer() function dereferences cpipe->subinfol without verifying that the new pipe's subinfol pointer is also non-NULL - a pointer that can be freed mid-race. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, CVSS AV:N/PR:N confirms remote unauthenticated triggering, and the fix has been released in version 0.24.11.

Null Pointer Dereference Denial Of Service Nanomq Nanonng
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-45712 MEDIUM PATCH GHSA This Month

Full process crash in Mailpit before v1.30.0 is achievable by a remote unauthenticated attacker via a race condition in the /proxy endpoint's CSS rewriter cache, causing Go's unrecoverable fatal runtime panic and terminating the SMTP, POP3, and HTTP listeners simultaneously. The root cause is an unsynchronized read of a package-level assets map[string]MessageAssets cache that is written concurrently by a cleanup goroutine and re-entrant CSS-rewriting handlers - Go's runtime detects the collision and calls throw(), which bypasses http.Server's handler-panic recovery. Publicly available exploit code exists in the GHSA advisory; no CISA KEV listing has been identified at time of analysis, and EPSS data was not available in the provided intelligence.

Denial Of Service Race Condition
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-45711 MEDIUM PATCH GHSA This Month

Arbitrary file write via path traversal in Mailpit's `dump --http` subcommand (versions < 1.30.0) allows any HTTP server impersonating a Mailpit instance to write attacker-controlled bytes to arbitrary paths outside the intended output directory. The attacker controls both the file path (via the message ID field in the JSON response) and the file contents (via the raw message body endpoint), enabling writes anywhere the dumping user has write permission - including cron jobs, shell startup files, and CI artifact directories. Publicly available exploit code exists (Python PoC published in GHSA-qx5x-85p8-vg4j); no confirmed active exploitation at time of analysis.

Path Traversal Python RCE
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-45709 MEDIUM PATCH GHSA This Month

Incomplete SSRF remediation in mailpit's HTML check endpoint (>= v1.28.3, < v1.30.0) leaves `internal/htmlcheck/css.go::newSafeHTTPClient` without the IP-filtering dialer that sibling endpoints already employ, allowing the server to dial loopback, RFC1918, cloud IMDS (169.254.169.254), CGNAT, and multicast ranges. On default mailpit deployments - where SMTP auth and UI auth are both disabled - unauthenticated network-reachable attackers can trigger this by injecting one HTML email and issuing a single GET to `/api/v1/message/{id}/html-check`, making this a zero-credential pivot primitive into internal infrastructure. Publicly available exploit code exists; no confirmed active exploitation in CISA KEV at time of analysis.

Java Docker SSRF Redis Oracle
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-34600 MEDIUM PATCH This Month

Unauthorized note disclosure in Joplin server versions 3.5.2 and prior allows authenticated former share recipients to retrieve notes after sharing has been revoked, via two compounding logic errors in the ChangeModel delta API. The first flaw attaches full item content to delta responses without re-verifying current share status; the second incorrectly compresses create → delete event sequences into a NOOP rather than a delete, causing the API to synthesize a create event with full note content for deleted items when those events span separate delta pages. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but confidentiality impact is rated High given that full note content is returned to unauthorized recipients.

Information Disclosure Joplin
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-57798 MEDIUM PATCH This Month

Denial of service via unbounded memory allocation in Joplin note-taking application versions 3.6.14 and prior crashes the application by exhausting system memory when an excessively long string is provided as a note title. Authenticated local users with access to the Joplin UI, or attackers holding a compromised local API token, can trigger this Out Of Memory condition through either direct UI interaction or an HTTP POST to the local web service API (default port 41184). No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, exploitation requires only low privileges and no user interaction once access is established.

Denial Of Service Joplin
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-8814 MEDIUM PATCH GHSA This Month

Decompression bomb (data amplification) in ExifReader npm package before 4.39.0 allows remote unauthenticated attackers to exhaust server memory by supplying a crafted PNG file with a highly compressed zTXt metadata chunk. The vulnerable path activates only when the caller enables asynchronous parsing (`async: true`), at which point ExifReader decompresses the chunk via the Compression Streams API with no upper bound on output size. Publicly available proof-of-concept exploit code exists (E:P); this CVE is not listed in CISA KEV.

Information Disclosure Exifreader
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-43492 MEDIUM PATCH This Month

Integer underflow in the Linux kernel's MPI crypto library function `mpi_read_raw_from_sgl()` allows a local low-privileged user to trigger an infinite kernel loop via the `KEYCTL_PKEY_ENCRYPT` syscall, causing a system-wide denial of service with soft lockup splats. The flaw was latent since commit `2d4d1eea540b` but became exploitable only after commit `63ba4d67594a` changed how asymmetric key operations construct scatterlists, allowing `out_len > in_len` with a zero-filled buffer to satisfy the underflow condition. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), but the attack path is fully described in the upstream commit message, making independent reproduction straightforward.

Integer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43491 MEDIUM PATCH This Month

Memory exhaustion in the Linux kernel's QRTR (Qualcomm IPC Router) namespace subsystem allows a local low-privileged attacker to crash the system by flooding NEW_SERVER registration messages without triggering any bound check. Affected systems are those running kernels between the introducing commit (0c2204a4ad710d95d348ea006f14ba926e842ffd) and the fix commits across stable branches. No public exploit code has been identified and EPSS sits at the 5th percentile, indicating minimal observed exploitation activity.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47308 MEDIUM This Month

NULL pointer dereference in Samsung's open-source Walrus WebAssembly runtime crashes the parser when processing malformed WASM binaries, resulting in denial of service. The vulnerability exists in the WASMBinaryReader component (WASMParser.cpp) at commit f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9, where multiple error-handling code paths fail to return early, allowing execution to continue past invalid state and dereference null pointers. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Samsung Null Pointer Dereference Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47307 MEDIUM This Month

NULL pointer dereference in Samsung Open Source Walrus's WebAssembly binary parser causes application-level denial of service when a crafted .wasm module containing deeply nested instructions is loaded. The vulnerability affects the Walrus runtime at commit f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9 (CPE: cpe:2.3:a:samsung_open_source:walrus) and is classified CVSS 5.5 Medium with a local attack vector requiring user interaction. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; an upstream fix is available in GitHub PR #409 but a tagged release version has not been independently confirmed.

Samsung Null Pointer Dereference Denial Of Service
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45581 MEDIUM PATCH GHSA This Month

TLS private key password exposure in Hyperledger fabric-chaincode-java (versions 2.3.1 through 2.5.9) leaks credentials to any local user with read access to chaincode server logs when the service runs in chaincode-as-a-service (CaaS) mode with TLS enabled. The fabric-chaincode-shim runtime logs the TLS private key password in plaintext at INFO level during server startup, classified under CWE-532. A local attacker who recovers the logged password and separately obtains the TLS private key file gains the material needed to impersonate the chaincode server, potentially intercepting or injecting chaincode communications. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Information Disclosure
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27766 MEDIUM This Month

Information disclosure in OpenHarmony v6.0 and earlier enables a low-privileged local attacker to leak high-sensitivity data from the system without any user interaction. The root cause is a signal handler race condition (CWE-364), where asynchronous signal delivery can expose protected memory contents while leaving system integrity and availability unaffected. No public exploit code has been identified at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Openharmony
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-25850 MEDIUM This Month

OpenHarmony v6.0 and prior versions expose sensitive information to local low-privileged attackers due to improper preservation of permissions (CWE-281). A locally authenticated attacker with standard user privileges can exploit this flaw to leak confidential data - achieving high confidentiality impact - without requiring elevated rights or user interaction. No public exploit code or active exploitation has been identified at time of analysis, but the low complexity and no-interaction-required nature of the attack make it straightforward to exploit once access is obtained.

Information Disclosure Openharmony
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47317 MEDIUM This Month

Uncontrolled recursion in Samsung's Escargot JavaScript engine triggers excessive heap allocation, causing a denial-of-service condition with high availability impact. The vulnerability affects the specific commit 590345cc6258317c5da850d846ce6baaf2afc2d3 of the Escargot engine, which is deployed in Samsung smart TV and appliance firmware. No public exploit code exists and no active exploitation is confirmed by CISA KEV; however, the fix PR reveals multiple heap exhaustion and integer underflow scenarios addressable through crafted JavaScript inputs.

Information Disclosure Samsung
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47316 MEDIUM This Month

Denial of service in Samsung Escargot JavaScript engine at commit 590345cc6258317c5da850d846ce6baaf2afc2d3 stems from multiple improper exceptional-condition handling paths exposed during JavaScript execution: a null pointer dereference when resolving error values in nested eval/throw/finally scenarios, an integer underflow in TypedArray.copyWithin() triggered by resizable ArrayBuffer coercion, and an unguarded assertion failure when array objects transition unexpectedly from fast to slow mode. Attack vector is local and requires user interaction (UI:R), with impact confined entirely to availability - crashing the host process. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Samsung
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy