206 CVEs tracked today. 22 Critical, 68 High, 112 Medium, 4 Low.
-
CVE-2026-47372
CRITICAL
CVSS 9.1
Predictable salt generation in the Perl module Crypt::SaltedHash through version 0.09 weakens password hash storage by deriving salts from Perl's non-cryptographic rand() function. Attackers who obtain a salted hash database can predict or precompute salts, dramatically reducing the cost of offline brute-force or rainbow-table attacks against stored credentials. No public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.01%), but the upstream maintainer has released a fix in version 0.10 that switches to a system CSPRNG.
Information Disclosure
Suse
-
CVE-2026-46421
CRITICAL
Supply chain compromise of SAP CAP Node.js database packages (@cap-js/sqlite 2.2.2, @cap-js/postgres 2.2.2, @cap-js/db-service 2.10.1) published on April 29, 2026 enables credential theft and self-propagation on developer and build machines. Malicious code in these npm packages harvests npm tokens, cloud provider credentials, SSH keys, and GitHub PATs from any host that installed them. No separate public proof of concept was identified at time of analysis, since the malicious payload itself constituted in-the-wild distribution via the npm registry.
Information Disclosure
PostgreSQL
Node.js
-
CVE-2026-45498
MEDIUM
CVSS 4.0
Denial of service in Microsoft Defender Antimalware Platform allows a local, unprivileged attacker to partially degrade availability with low attack complexity and no user interaction required. The CVSS 4.0 score reflects limited impact - confidentiality and integrity are unaffected, and availability impact is rated Low. Vendor patch is available via Microsoft Security Response Center; no public exploit identified at time of analysis and no CISA KEV listing.
Denial Of Service
Microsoft
-
CVE-2026-45444
CRITICAL
CVSS 10.0
Unrestricted file upload in WP Swings Gift Cards For WooCommerce Pro plugin (versions up to and including 4.2.6) allows remote unauthenticated attackers to upload malicious files of dangerous types to vulnerable WordPress sites. With a maximum CVSS score of 10.0 and a scope-changed vector, successful exploitation typically leads to remote code execution and full site compromise. No public exploit identified at time of analysis, though the high severity and ease of exploitation make this a priority concern for any WooCommerce site using this plugin.
WordPress
File Upload
-
CVE-2026-41091
HIGH
CVSS 7.8
Local privilege escalation in Microsoft Defender (Malware Protection Engine) enables an authenticated low-privileged attacker to elevate to SYSTEM by abusing improper link resolution (CWE-59) before file access. The flaw scores CVSS 7.8 with high impact to confidentiality, integrity, and availability, and no public exploit is identified at time of analysis. Microsoft has released a patch via MSRC, and there is no current CISA KEV listing or EPSS signal indicating active mass exploitation.
Information Disclosure
Microsoft
-
CVE-2026-39405
CRITICAL
CVSS 9.4
Path traversal in Frappe Learning Management System (LMS) versions 2.50.0 and below allows authenticated users with course-editing privileges to write arbitrary files outside the intended upload directory by uploading a maliciously crafted SCORM ZIP package. The CVSS 4.0 base score of 9.4 reflects high impact across confidentiality, integrity, and availability with scope change to subsequent systems, though exploitation requires low-privileged authentication. No public exploit identified at time of analysis.
Path Traversal
-
CVE-2026-33278
CRITICAL
CVSS 9.1
Use-after-free in the DNSSEC validator of NLnet Labs Unbound resolver versions 1.19.1 through 1.25.0 allows remote attackers to crash the daemon or potentially achieve arbitrary code execution by serving a malicious signed zone to a vulnerable resolver. The flaw stems from a struct-assignment bug during deep copying of response messages when DS sub-queries suspend validation under NSEC3 computational budget exhaustion. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.1 with network attack vector and no required privileges or user interaction makes this a high-priority patching target for any operator running a recursive Unbound resolver.
RCE
Denial Of Service
Use After Free
Memory Corruption
Red Hat
-
CVE-2026-33137
CRITICAL
CVSS 9.3
Unauthenticated XAR import in XWiki Platform allows remote attackers to create or modify arbitrary documents in a target wiki via the POST /wikis/{wikiName} REST endpoint, which was missing authorization checks. Affects all releases prior to 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1. CVSS 4.0 base score is 9.3 (critical) with no public exploit identified at time of analysis, but the patch commit clearly exposes the trivial nature of the bypass.
Authentication Bypass
-
CVE-2026-24207
CRITICAL
CVSS 9.8
Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected functionality over the network, potentially chaining to code execution, privilege escalation, data tampering, denial of service, or information disclosure. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) reflects a critical severity issue affecting an AI/ML inference platform commonly deployed in production model-serving environments. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Authentication Bypass
RCE
Denial Of Service
Information Disclosure
Nvidia
-
CVE-2026-23734
CRITICAL
CVSS 9.3
Path traversal in XWiki Platform allows unauthenticated remote attackers to read arbitrary files on the server, including sensitive configuration like WEB-INF/xwiki.cfg, by abusing the resource parameter of the ssx and jsx endpoints with leading-slash prefixes. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege exploitation with high impact to confidentiality, integrity, and availability of the vulnerable component. No public exploit identified at time of analysis, though the GitHub Security Advisory includes a working URL pattern that effectively demonstrates the issue.
Path Traversal
-
CVE-2026-22314
CRITICAL
CVSS 9.0
Code injection in Mesalvo Meona Client Launcher Component (through 19.06.2020 15:11:49) and Meona Server Component (through 2025.04 5+323020) allows an authenticated, low-privileged attacker to execute code on other users' systems via crafted input that crosses a scope boundary, with user interaction required on the victim side. CVSS 9.0 reflects the cross-user/cross-system impact (Scope:Changed) and full CIA compromise; no public exploit identified at time of analysis. The product is a clinical/healthcare workflow platform, so successful exploitation can pivot between hospital workstations and the server tier.
RCE
Code Injection
-
CVE-2026-20223
CRITICAL
CVSS 10.0
Authentication bypass in Cisco Secure Workload allows unauthenticated remote attackers to invoke internal REST API endpoints and act with Site Admin privileges across tenant boundaries. The flaw carries a maximum CVSS 10.0 score with a changed scope and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation enables reading sensitive tenant data and modifying configuration globally, making this a critical-priority issue for any organization running affected versions.
Authentication Bypass
Cisco
-
CVE-2026-9141
CRITICAL
CVSS 9.3
Authentication bypass in Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets remote attackers reach the embedded web configuration interface without any login, granting full administrative read and write access over alarm routing and device settings. The CVSS 4.0 score of 9.3 reflects unauthenticated network exploitation with high impact on confidentiality, integrity, and availability, and a public technical write-up exists on Medium alongside a VulnCheck advisory, though no public exploit has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-9139
CRITICAL
CVSS 9.3
Authentication bypass in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) allows unauthenticated remote attackers to recover hard-coded administrative credentials by viewing the page source of login.zhtml, because the validate() function performs credential checking entirely client-side. With a CVSS 4.0 base score of 9.3 (AV:N/AC:L/PR:N/UI:N) and a VulnCheck advisory plus a public Medium write-up, the flaw is trivially exploitable, though no public exploit has been identified at time of analysis as a packaged tool and the device is not currently listed in CISA KEV.
Authentication Bypass
-
CVE-2026-9129
CRITICAL
CVSS 9.4
Arbitrary file read in Altium Enterprise Server on-premise deployments allows any authenticated low-privilege user to escape the configured storage root via URL-encoded absolute paths in the Viewer StorageController API, exposing the master configuration containing database credentials, signing keys, certificate passwords, and OAuth secrets. The CVSS 4.0 base score of 9.4 reflects scope change to confidential information enabling full server takeover; no public exploit identified at time of analysis, but the vendor (Altium) has released a fix and cloud-hosted tenants are unaffected because they do not use the local filesystem storage component.
Path Traversal
-
CVE-2026-9102
CRITICAL
CVSS 9.4
Arbitrary file write in Altium Enterprise Server ComparisonService allows authenticated workspace users to escape the temporary upload directory and plant files anywhere on the host filesystem via crafted multipart Content-Disposition headers in the Gerber upload APIs. The flaw (CVSS 4.0 score 9.4, CWE-22) escalates to remote code execution by dropping payloads into web-accessible paths or overwriting service binaries, and a vendor patch is available. No public exploit identified at time of analysis.
RCE
Denial Of Service
Path Traversal
File Upload
-
CVE-2026-9082
MEDIUM
CVSS 6.5
SQL injection in Drupal Core across six major version branches (8.9.0 through 11.3.x) enables remote unauthenticated attackers to manipulate database queries with no required privileges or user interaction, as confirmed by CVSS vector AV:N/AC:L/PR:N/UI:N. The vulnerability yields partial confidentiality and integrity impact per CVSS - enabling data enumeration and limited data manipulation - but does not grant full database control or server compromise. No active exploitation is confirmed (not listed in CISA KEV; SSVC exploitation status: none), but SSVC flags this as automatable, making opportunistic mass scanning against the large global Drupal install base a credible near-term risk.
SQLi
-
CVE-2026-9065
CRITICAL
CVSS 9.3
SQL injection in SureCart WordPress plugin versions prior to 4.2.1 allows authenticated high-privileged attackers to extract arbitrary database contents via the /surecart/v1/integrations/{id} REST endpoint. The flaw stems from a sanitization bypass in the wp-query-builder component where payloads containing a dot character skip $wpdb->prepare() escaping entirely, enabling UNION-based data exfiltration. No public exploit identified at time of analysis, though Tenable Research has published technical details (TRA-2026-43).
WordPress
SQLi
-
CVE-2026-9059
CRITICAL
CVSS 9.3
Authenticated SQL injection in NextGEN Gallery (WordPress plugin by Awesome Motive/Imagely) before version 4.2.1 allows attackers holding the 'NextGEN Gallery overview' capability - granted to Administrators by default - to inject arbitrary SQL via the 'orderby' parameter on the '/imagely/v1/galleries' and '/imagely/v1/albums' REST endpoints. CVSS 4.0 rates this 9.3 due to high confidentiality, integrity, and scope impact; no public exploit identified at time of analysis, but the issue was reported by Tenable Research (TRA-2026-42) and a vendor patch is available.
SQLi
-
CVE-2026-8631
CRITICAL
CVSS 9.3
Heap-based integer overflow in the hpcups component of HP Linux Imaging and Printing Software (HPLIP) allows attackers to achieve arbitrary code execution and/or privilege escalation by submitting crafted print data. The CVSS 4.0 base score of 9.3 reflects network-reachable exploitation against the printing subsystem with no authentication or user interaction required, though no public exploit has been identified at time of analysis and the issue has not been added to CISA KEV.
RCE
Buffer Overflow
Heap Overflow
HP
Suse
-
CVE-2026-8598
CRITICAL
CVSS 9.1
Information disclosure in ZKTeco SSC335-GC2063-Face-0B77 Solution Camera exposes credentials and service details through an undocumented configuration export port that requires no authentication. Remote unauthenticated attackers on the network can retrieve camera account credentials and enumerate open services, enabling full takeover of the device. No public exploit identified at time of analysis, but the CVSS 9.1 score and ICS-CERT advisory reflect significant operational risk to deployed surveillance infrastructure.
Information Disclosure
-
CVE-2026-8467
CRITICAL
CVSS 9.5
Unauthenticated remote code execution in phenixdigital phoenix_storybook 0.5.0 through versions before 1.1.0 allows attackers to execute arbitrary Elixir code on the server by abusing the psb-assign WebSocket event to inject HEEx template expressions. The flaw stems from attribute values being interpolated verbatim into HEEx templates that are then compiled and evaluated with full Kernel imports and no sandbox. Publicly available exploit code exists via the upstream commit and GHSA advisory, though no public exploit has been identified at time of analysis for in-the-wild use; the CVSS 4.0 score is 9.5.
RCE
Code Injection
-
CVE-2026-7637
CRITICAL
CVSS 9.8
PHP Object Injection in the Boost plugin for WordPress (versions up to and including 2.0.3) allows unauthenticated remote attackers to inject arbitrary PHP objects via the STYXKEY-BOOST_USER_LOCATION cookie. The vulnerability stems from unsafe deserialization of attacker-controlled cookie data; while the plugin itself ships no usable POP (property-oriented programming) chain, exploitation becomes high-impact when any other installed plugin or theme provides one. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
PHP
WordPress
Information Disclosure
Deserialization
-
CVE-2026-7284
CRITICAL
CVSS 9.8
Privilege escalation in the Easy Elements for Elementor WordPress plugin (versions up to and including 1.4.4) allows unauthenticated remote attackers to register accounts with the 'administrator' role, granting full site takeover. The flaw exists in the 'easyel_handle_register' function which fails to validate or restrict the user role parameter submitted during registration. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's disclosure make weaponization straightforward.
WordPress
Privilege Escalation
-
CVE-2026-6555
CRITICAL
CVSS 9.8
Unauthenticated remote code execution in the ProSolution WP Client WordPress plugin (versions ≤ 2.0.0) allows attackers to upload malicious PHP files to a web-accessible directory by abusing an array validation mismatch in its upload handler. Because only the first file in a multi-file upload array is checked for extension and MIME type while the remaining files are processed unchecked, attackers can pair a benign first file with a PHP webshell to achieve full code execution on the host. No public exploit identified at time of analysis, but the high CVSS 9.8 score and trivially scriptable nature place this in the realistic mass-exploitation tier for WordPress plugins.
PHP
WordPress
RCE
File Upload
-
CVE-2026-47784
HIGH
CVSS 8.1
Timing side-channel in memcached versions prior to 1.6.42 allows remote attackers to recover SASL authentication credentials by measuring response times during password comparison. The flaw stems from the use of the non-constant-time memcmp() function within sasl_server_userdb_checkpass, enabling byte-by-byte inference of stored passwords. No public exploit identified at time of analysis, but the upstream fix has been published.
Information Disclosure
Red Hat
Suse
-
CVE-2026-47783
HIGH
CVSS 8.1
Observable timing discrepancy in memcached prior to version 1.6.42 enables remote attackers to enumerate valid SASL authentication usernames by measuring response time differences. The vulnerable sasl_server_userdb_checkpass function exits its credential-file loop early upon matching a valid username, producing measurable timing variance between known and unknown accounts. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Information Disclosure
Suse
-
CVE-2026-47373
HIGH
CVSS 7.5
Timing side-channel in the Perl module Crypt::SaltedHash through version 0.09 allows remote attackers to recover stored password hashes by measuring response-time discrepancies during hash validation. The flaw stems from use of Perl's short-circuiting `eq` operator inside the `validate()` routine, enabling byte-by-byte hash inference. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the upstream maintainer has shipped a fix in version 0.10 replacing the comparison with a constant-time routine.
Information Disclosure
Suse
-
CVE-2026-45804
HIGH
CVSS 7.5
Remote code execution in Hugging Face diffusers (Python package, versions < 0.38.0) is achievable via a TOCTOU race between two sequential Hub downloads inside DiffusionPipeline.from_pretrained, letting a malicious repo owner bypass the trust_remote_code guard and silently execute arbitrary Python during model loading. Exploitation requires user interaction (loading a malicious repo without pinning a revision) and high attack complexity due to a sub-second race window, but no public exploit beyond the reporter's PoC is identified at time of analysis. Affected users running diffusers <0.38.0 should upgrade to 0.38.0 where the issue is fixed.
RCE
Python
-
CVE-2026-45584
HIGH
CVSS 8.1
Remote code execution in Microsoft Defender (Microsoft Malware Protection Engine) enables unauthenticated network-based attackers to corrupt heap memory and run arbitrary code on hosts running the vulnerable scanning engine. The flaw scores CVSS 8.1 with high attack complexity, affects systems by default since Defender is shipped with Windows, and at time of analysis has no public exploit identified, though Microsoft has released a vendor patch via MSRC.
Buffer Overflow
Heap Overflow
Microsoft
-
CVE-2026-44933
HIGH
CVSS 8.5
Privilege escalation via chroot bypass in PluginScript allows local users to execute host binaries such as /bin/bash with root privileges when the repoManagerRoot is set to '/' (a common default or result of --root). Because chroot to the system root is a no-op, path traversal within the plugin escapes intended isolation. No public exploit identified at time of analysis, but the issue was reported by a SUSE researcher and is tracked in SUSE Bugzilla.
Information Disclosure
Suse
-
CVE-2026-44926
HIGH
CVSS 8.8
Privilege escalation in Veritas InfoScale CmdServer prior to version 7.4.2 allows authenticated remote attackers to bypass access control restrictions and achieve full compromise of confidentiality, integrity, and availability on the targeted host. The flaw is tagged as an authentication bypass by intelligence sources and carries a CVSS 8.8 (High) rating; no public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Authentication Bypass
N/A
-
CVE-2026-44925
HIGH
CVSS 8.8
Cross-Site Request Forgery in InfoScale 9.1.3 Operations Manager (VIOM) web application allows remote attackers on the adjacent network to coerce an authenticated user with an active session into clicking a malicious link that triggers unintended state-changing actions in VIOM. No public exploit identified at time of analysis, but the CVSS 8.8 score reflects high impact on confidentiality, integrity, and availability if a privileged VIOM operator is targeted.
CSRF
-
CVE-2026-43619
HIGH
CVSS 7.2
Symlink race condition in Rsync 3.4.2 and earlier allows local attackers with filesystem access to redirect path-based system calls (chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, lstat) to files outside the exported rsync module boundary. The flaw affects rsync daemons configured with 'use chroot = no' and was reported by VulnCheck; no public exploit identified at time of analysis. A patched release (v3.4.3) is available from the RsyncProject upstream, which adds openat2 RESOLVE_BENEATH for secure relative path resolution.
Information Disclosure
Red Hat
Suse
-
CVE-2026-42959
HIGH
CVSS 8.7
Remote denial of service in NLnet Labs Unbound recursive DNS resolver (versions up to and including 1.25.0) allows an attacker controlling a DNSSEC-signed domain to crash the resolver process with a single crafted query. The DNSSEC validator uses an incorrect counter when computing write offsets for ADDITIONAL section rrsets while building chase-reply messages, leaving an uninitialized pointer that is later dereferenced. No public exploit identified at time of analysis, and the issue is fixed in Unbound 1.25.1.
Denial Of Service
Memory Corruption
Red Hat
Suse
-
CVE-2026-42944
HIGH
CVSS 8.7
Heap overflow denial-of-service in NLnet Labs Unbound recursive DNS resolver versions 1.14.0 through 1.25.0 allows remote unauthenticated attackers to crash the resolver by sending DNS queries containing multiple NSID, DNS Cookie, and/or EDNS Padding options. The flaw stems from a numeric truncation in EDNS field size calculation that lets attacker-influenced data overflow the response buffer. No public exploit identified at time of analysis and not listed in CISA KEV, but the impact is service-wide DNS outage for any user of an affected resolver.
Denial Of Service
Red Hat
Suse
-
CVE-2026-42834
HIGH
CVSS 7.8
Local privilege escalation in Microsoft's Windows Admin Center (Azure Portal edition) allows an authenticated low-privileged attacker to gain higher privileges by abusing symbolic link resolution before file access. The flaw, reported by Microsoft itself, carries a CVSS 7.8 with no public exploit identified at time of analysis, and a vendor patch is available via the Microsoft Security Response Center advisory.
Information Disclosure
Microsoft
-
CVE-2026-42383
HIGH
CVSS 7.6
Blind SQL injection in YITH WooCommerce Product Add-Ons (WordPress plugin) through version 4.29.0 allows high-privileged authenticated users to inject malicious SQL into database queries, leading to confidentiality compromise and limited availability impact across a changed security scope. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.6; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
WordPress
SQLi
-
CVE-2026-41054
HIGH
CVSS 7.8
Local privilege escalation in haveged (HArdware Volatile Entropy Gathering and Expansion Daemon) allows authenticated low-privileged users to escalate to root via the daemon's command socket, which is affected by missing authentication for a critical function (CWE-305). The flaw was disclosed on the oss-security mailing list on 2026-05-20 by Jiri Hladky, with vendor patches available from SUSE and tracking in Debian (bug#1137096); no public exploit identified at time of analysis.
Privilege Escalation
-
CVE-2026-39352
HIGH
CVSS 8.7
Arbitrary file read in the Frappe full-stack web application framework allows remote unauthenticated attackers to retrieve files outside intended directories via path traversal sequences in affected versions prior to 15.105.0 and 16.15.0. The CVSS 4.0 base score of 8.7 reflects high confidentiality impact with no required privileges or user interaction, though no public exploit has been identified at time of analysis and the issue is not listed in CISA KEV. Successful exploitation discloses sensitive server-side files such as configuration secrets, site keys, or credentials used by downstream ERPNext deployments.
Path Traversal
-
CVE-2026-39310
HIGH
CVSS 8.6
Authentication bypass in Trilium Notes Desktop (Electron build) versions 0.102.1 and earlier allows remote unauthenticated attackers on the same network to access the Clipper API and read or manipulate notes without any credentials. The Electron runtime detection explicitly disables auth middleware on endpoints like /api/clipper/notes and the handshake endpoint, which fingerprints the application. No public exploit has been identified at time of analysis, but the vendor advisory GHSA-jcvx-vc83-cppw confirms the issue and the fix shipped in 0.102.2.
Authentication Bypass
CSRF
-
CVE-2026-39047
HIGH
CVSS 7.5
Buffer overflow in EPSON L14150 FL27PB allows a remote attacker to execute arbitrary code via the RAW Printing Service (JetDirect) on TCP port 9100.
RCE
Buffer Overflow
Stack Overflow
-
CVE-2026-29518
HIGH
CVSS 7.3
Local privilege escalation in Rsync daemon (versions ≤ 3.4.2) is possible via a TOCTOU symlink race when the daemon is configured with 'use chroot = no'. An authenticated local attacker with write access to a module can swap a parent directory component for a symlink between the receiver's path check and its open() call, redirecting writes outside the module and overwriting sensitive files. No public exploit identified at time of analysis, but the upstream patch in release 3.4.3 and a detailed VulnCheck advisory disclose the precise race window.
Privilege Escalation
-
CVE-2026-24425
HIGH
CVSS 8.7
Sandbox bypass in Twig template engine versions 2.16.x and 3.9.0 through 3.25.x allows attackers with template rendering capabilities to execute arbitrary PHP code when the sandbox is enabled via a SourcePolicyInterface rather than globally. The runtime check on sort, filter, map, and reduce filters fails to propagate the current template source, allowing arbitrary PHP callables to be passed and executed. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the RCE/PHP tagging and CVSS 4.0 score of 8.7 indicate high impact for applications offering user-editable templates.
PHP
RCE
-
CVE-2026-24218
HIGH
CVSS 8.1
Host impersonation and machine-in-the-middle attacks against NVIDIA DGX OS systems are possible because the factory provisioning process clones a base image that ships identical SSH host keys onto every similarly provisioned system, primarily affecting DGX Spark deployments. With a CVSS of 8.1 and a CWE-321 (Use of Hard-Coded Cryptographic Key) root cause, an unauthenticated network attacker who possesses the shared key material from any one device can impersonate peers, potentially leading to code execution, data tampering, privilege escalation, information disclosure, or denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
RCE
Denial Of Service
Information Disclosure
Nvidia
-
CVE-2026-24217
HIGH
CVSS 8.8
Path traversal in NVIDIA BioNeMo Core for Linux allows remote attackers to escape intended directory boundaries when a user is induced to load a malicious file, enabling code execution, information disclosure, data tampering, or denial of service. The flaw carries a high CVSS score of 8.8 driven by network reachability and full CIA impact, though exploitation requires user interaction; no public exploit identified at time of analysis.
RCE
Denial Of Service
Information Disclosure
Path Traversal
Nvidia
-
CVE-2026-24216
HIGH
CVSS 7.8
Arbitrary code execution in NVIDIA BioNeMo Framework on Linux allows a local attacker to abuse unsafe deserialization of untrusted data (CWE-502), leading to code execution, denial of service, information disclosure, and data tampering. The CVSS 7.8 vector indicates a local attack vector with required user interaction, and no public exploit has been identified at time of analysis.
RCE
Denial Of Service
Information Disclosure
Deserialization
Nvidia
-
CVE-2026-24214
HIGH
CVSS 8.0
Integer overflow in the DALI backend of NVIDIA Triton Inference Server allows authenticated remote attackers to trigger memory corruption that may result in code execution, data tampering, or denial of service. The flaw requires low-level privileges plus user interaction (CVSS 8.0, AV:N/AC:L/PR:L/UI:R) and affects deployments exposing the DALI inference pipeline. No public exploit identified at time of analysis.
RCE
Denial Of Service
Integer Overflow
Nvidia
-
CVE-2026-24213
HIGH
CVSS 8.0
Out-of-bounds read in the DALI backend of NVIDIA Triton Inference Server allows authenticated remote attackers to trigger memory disclosure that may escalate to code execution, data tampering, or denial of service. The flaw carries a CVSS 8.0 (High) rating reflecting low-privilege network access with required user interaction, and no public exploit identified at time of analysis. NVIDIA has published a security bulletin addressing the issue.
RCE
Buffer Overflow
Denial Of Service
Information Disclosure
Nvidia
-
CVE-2026-24210
HIGH
CVSS 7.5
Denial of service in NVIDIA Triton Inference Server can be triggered remotely by unauthenticated attackers via an integer overflow condition (CWE-190). The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis. Defenders running Triton in network-exposed inference deployments should prioritize patching since exploitation requires no privileges, no user interaction, and low attack complexity.
Denial Of Service
Integer Overflow
Nvidia
-
CVE-2026-24209
HIGH
CVSS 7.5
Denial of service in NVIDIA Triton Inference Server can be triggered remotely without authentication via a path traversal flaw (CWE-22), enabling unauthenticated network attackers to disrupt model-serving availability. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis.
Denial Of Service
Path Traversal
Nvidia
-
CVE-2026-24206
HIGH
CVSS 7.3
Authentication bypass in NVIDIA Triton Inference Server allows remote unauthenticated attackers to circumvent access controls, potentially leading to privilege escalation, denial of service, or information disclosure. With a CVSS 7.3 score and network-reachable attack vector (AV:N/AC:L/PR:N/UI:N), the flaw is exploitable without user interaction or credentials, though no public exploit has been identified at time of analysis. The vulnerability is not currently listed in CISA KEV, and EPSS data was not provided in the source intelligence.
Authentication Bypass
Denial Of Service
Information Disclosure
Nvidia
-
CVE-2026-24188
HIGH
CVSS 8.2
Out-of-bounds write in NVIDIA TensorRT allows remote attackers to corrupt memory and tamper with data processed by the inference engine, per NVIDIA's own advisory (KB 5836). The CVSS 8.2 score reflects high integrity impact with no privileges or user interaction required, though confidentiality is unaffected. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Buffer Overflow
Memory Corruption
Nvidia
-
CVE-2026-24163
HIGH
CVSS 7.5
Unsafe deserialization in NVIDIA TensorRT-LLM's RPC testing component allows a local high-privileged attacker to trigger code execution, denial of service, data tampering, or information disclosure across a changed scope. The flaw is rated CVSS 7.5 despite local-only access and high attack complexity because successful exploitation crosses a security boundary (S:C) and yields full CIA impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
RCE
Denial Of Service
Information Disclosure
Deserialization
Nvidia
-
CVE-2026-22554
HIGH
CVSS 7.8
Heap-based buffer overflow in MediaArea MediaInfoLib's Channel Splitting parser allows attackers to corrupt heap memory and potentially execute arbitrary code when a victim opens a maliciously crafted media file. The CVSS 7.8 vector (AV:L/UI:R) indicates local attack with required user interaction, and no public exploit identified at time of analysis. The flaw was reported by Cisco Talos and disclosed in TALOS-2026-2374.
Buffer Overflow
Heap Overflow
-
CVE-2026-22315
HIGH
CVSS 7.2
Privilege misassignment in Mesalvo Meona Client Launcher and Server components allows authenticated high-privilege users to abuse the built-in SQL editor to exfiltrate user records - including cleartext-stored passwords - from the application backend. The flaw affects Meona Client Launcher up to build dated 19.06.2020 15:11:49 and Meona Server Component up to 2025.04 5+323020. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Information Disclosure
-
CVE-2026-20239
HIGH
CVSS 7.5
Sensitive information disclosure in Splunk Enterprise (below 10.2.2 and 10.0.5) and Splunk Cloud Platform (multiple branches below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13) allows authenticated users with a role granting access to the `_internal` index to view session cookies and response bodies containing sensitive data logged by the platform. Cisco-reported and patched by Splunk in advisory SVD-2026-0503, the issue is a CWE-532 sensitive-data-in-logs flaw rather than a remote code execution bug, with no public exploit identified at time of analysis.
Information Disclosure
Splunk
-
CVE-2026-9144
HIGH
CVSS 8.4
Stored cross-site scripting in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets authenticated low-privilege users plant persistent JavaScript in the device's web configuration interface by splitting payloads across multiple admin form fields. The injected script executes in any administrator session that views dashboard pages such as index.zhtml, enabling session hijack or privilege escalation within the appliance. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
XSS
-
CVE-2026-9136
HIGH
CVSS 8.3
Insecure Direct Object Reference in MISP 2.5.0 through 2.5.37 allows authenticated users with shadow attribute submission privileges to overwrite arbitrary existing ShadowAttribute records by supplying a target id within the add proposal request. The framework's ORM interprets a client-supplied primary key as an update directive, breaking the boundary between proposal creation and modification. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authentication Bypass
-
CVE-2026-9133
HIGH
CVSS 8.3
Arbitrary file read in amazon-mq rabbitmq-aws before 0.2.1 allows authenticated remote users to read any file accessible to the RabbitMQ process by submitting a crafted arn:aws-debug:file scheme to the PUT /api/aws/arn/validate validation endpoint. The flaw stems from leftover debug code in the ARN resolver and was reported by AWS itself; no public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
RCE
-
CVE-2026-9126
HIGH
CVSS 8.8
Remote code execution in Google Chrome versions prior to 148.0.7778.179 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw requires user interaction (visiting a malicious page) but no authentication, and while Chromium rates its security severity as Medium, the CVSS 3.1 base score of 8.8 reflects high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-9123
HIGH
CVSS 7.5
Heap buffer overflow in the Chromecast component of Google Chrome on Android, Linux, and ChromeOS prior to version 148.0.7778.179 allows an adjacent-network attacker to execute arbitrary code within the renderer sandbox via malicious network traffic. Google's Chrome team reported the issue with a Medium severity rating, and no public exploit has been identified at time of analysis. The vulnerability requires adjacent network positioning rather than full internet-based access, limiting practical exploitation to attackers on the same local network segment.
RCE
Buffer Overflow
Google
Heap Overflow
Suse
-
CVE-2026-9121
HIGH
CVSS 8.8
Heap corruption in Google Chrome's GPU component prior to version 148.0.7778.179 allows remote attackers to exploit an out-of-bounds read via a crafted HTML page, potentially leading to arbitrary code execution or information disclosure within the renderer context. The flaw carries a CVSS 8.8 (High) rating due to network reachability and high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as 'none', suggesting opportunistic rather than active targeting.
Buffer Overflow
Information Disclosure
Google
Suse
-
CVE-2026-9120
HIGH
CVSS 8.8
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Chromium rates the severity as High and the CVSS 3.1 score is 8.8, but exploitation requires user interaction (UI:R); no public exploit identified at time of analysis.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-9119
HIGH
CVSS 8.8
Heap buffer overflow in the WebRTC component of Google Chrome before 148.0.7778.179 allows remote attackers to execute arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw was reported by Chrome's internal security team, has a patched stable channel build available, and carries a CVSS 8.8 score with no public exploit identified at time of analysis. SSVC currently rates exploitation as 'none' but technical impact as 'total', reflecting full compromise of the affected process if triggered.
RCE
Buffer Overflow
Google
Heap Overflow
Suse
-
CVE-2026-9118
HIGH
CVSS 8.8
Remote code execution in Google Chrome on Windows prior to 148.0.7778.179 stems from a use-after-free flaw in the XR (WebXR) component, enabling a remote attacker to run arbitrary code in the renderer process by enticing a user to visit a crafted HTML page. Chromium rates the issue High severity and CVSS scores it 8.8; no public exploit has been identified at time of analysis, and SSVC reports the exploitation status as none. A vendor patch is available via the Stable Channel update referenced in the Chrome Releases advisory.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-9117
HIGH
CVSS 7.5
Sandbox escape in Google Chrome (Linux and ChromeOS) prior to 148.0.7778.179 allows a remote attacker who has already compromised the renderer process to break out via a crafted video file processed by the GFX component. The flaw is a type confusion (CWE-843) rated High severity by Chromium, with no public exploit identified at time of analysis and SSVC indicating exploitation has not been observed. It requires user interaction and chained exploitation of a prior renderer compromise, which raises the bar despite the High CVSS of 7.5.
Information Disclosure
Google
Memory Corruption
Suse
-
CVE-2026-9114
HIGH
CVSS 8.8
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free condition in the QUIC networking stack, allowing remote attackers to execute arbitrary code within the browser sandbox via malicious network traffic. Exploitation requires user interaction (visiting a malicious site or processing attacker-controlled QUIC traffic), and no public exploit has been identified at time of analysis. Chromium rates this as High severity, and a vendor patch is available.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-9112
HIGH
CVSS 8.8
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.179 stems from a use-after-free condition in the GPU component, enabling a remote attacker to run arbitrary code within the renderer sandbox after the victim loads a crafted HTML page. Google has rated the issue High severity and shipped a fix; no public exploit has been identified at time of analysis, and SSVC indicates exploitation status 'none' despite total technical impact.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-9111
HIGH
CVSS 8.8
Remote code execution in Google Chrome on Linux before 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, allowing a remote attacker who lures a victim to a crafted HTML page to execute arbitrary code in the renderer process. Chromium rates the severity as Critical and a vendor patch is available, though there is no public exploit identified at time of analysis and SSVC indicates no observed exploitation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with required user interaction (visiting a page).
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-9064
HIGH
CVSS 7.5
Denial of service in 389-ds-base LDAP server allows remote unauthenticated attackers to exhaust CPU and heap memory by sending a single LDAP request packed with hundreds of thousands of minimal controls. Because get_ldapmessage_controls_ext() does not cap the per-message control count, the 2 MB default BER message limit is the only ceiling, and concurrent abuse causes worker thread starvation or OOM termination. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Denial Of Service
Red Hat
Suse
-
CVE-2026-9057
HIGH
CVSS 8.2
Privilege escalation via broken access control in Talend Administration Center allows a low-privileged user holding only 'View' permission to modify the Talend Studio update URL, redirecting downstream Studio clients to attacker-controlled update endpoints. The flaw has a CVSS 8.2 rating reflecting changed scope and high confidentiality/integrity impact, and no public exploit has been identified at time of analysis. A vendor patch is available per the Qlik/Talend support advisory.
Information Disclosure
-
CVE-2026-9010
HIGH
CVSS 7.5
Unauthenticated SQL injection in the PixelYourSite Boost plugin for WordPress (versions up to and including 2.0.3) allows remote attackers to extract sensitive database contents via time-based blind SQLi in the 'current_url' and 'user_name' parameters. Wordfence reported the issue with a CVSS 7.5 (confidentiality-only impact); no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
WordPress
SQLi
-
CVE-2026-9003
HIGH
CVSS 8.7
SQL injection in TONNET's E-LAN Hybrid Recording System allows unauthenticated remote attackers to execute arbitrary SQL queries and exfiltrate database contents over the network. The CVSS 4.0 score of 8.7 reflects high confidentiality impact with no required privileges or user interaction, and no public exploit has been identified at time of analysis. The flaw was reported through TWCERT and affects TONNET's TPR7308 product line per CPE data.
SQLi
-
CVE-2026-8632
HIGH
CVSS 8.5
Local privilege escalation in HP Linux Imaging and Printing Software (HPLIP) allows authenticated low-privileged users to execute arbitrary OS commands via command injection, potentially gaining elevated privileges on affected Linux hosts. The CVSS 4.0 score of 8.5 reflects high impact to confidentiality, integrity, and availability with low attack complexity, and no public exploit has been identified at time of analysis. The vulnerability was reported directly by HP PSIRT under advisory hpsbpi04118.
RCE
Command Injection
Red Hat
HP
Suse
-
CVE-2026-8469
HIGH
CVSS 8.2
Unauthenticated denial-of-service in phenixdigital phoenix_storybook (0.2.0 through versions before 1.1.0) lets a remote attacker crash the entire BEAM virtual machine by exhausting its atom table. Multiple LiveView event handlers in ExtraAssignsHelpers feed user-controlled strings into String.to_atom/1, and because BEAM atoms are never garbage-collected, ~1,048,576 unique attacker-supplied keys/values permanently consume the atom table and abort every application running on that node. No public exploit identified at time of analysis, but the upstream fix is in commit 96d5246 and version 1.1.0.
Denial Of Service
-
CVE-2026-7613
HIGH
CVSS 7.2
Stored cross-site scripting in the Cost of Goods by PixelYourSite WordPress plugin (versions ≤1.2.12) allows remote unauthenticated attackers to inject persistent JavaScript via the 'csvdata[0][cost_of_goods_value]' parameter. Injected payloads execute in the browser of any user (including administrators) who later views the affected page, enabling session hijacking and admin takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
WordPress
XSS
-
CVE-2026-7522
HIGH
CVSS 8.8
Local File Inclusion in the Advanced Database Cleaner - Premium WordPress plugin (versions up to and including 4.1.0) allows Subscriber-level authenticated users to include and execute arbitrary .php files via the 'template' parameter. The flaw, reported by Wordfence, carries a CVSS score of 8.8 and can be escalated to full remote code execution when combined with a file upload primitive, though no public exploit has been identified at time of analysis.
PHP
WordPress
RCE
Information Disclosure
LFI
-
CVE-2026-7467
HIGH
CVSS 8.8
Privilege escalation in the Read More & Accordion WordPress plugin (versions up to and including 3.5.7) allows authenticated low-privileged users granted import rights through the plugin's role settings to write arbitrary rows into the wp_users and wp_usermeta tables, effectively creating a new administrator account. The flaw stems from the RadMoreAjax::importData function failing to restrict target database tables and to validate imported data. No public exploit identified at time of analysis, though the vulnerability was disclosed by Wordfence threat intelligence researchers.
WordPress
Privilege Escalation
-
CVE-2026-7460
HIGH
CVSS 7.4
Stored cross-site scripting in the mailcow-dockerized administrator Queue Manager allows attackers who can influence Postfix queue metadata to inject HTML/JavaScript that executes in an authenticated administrator's browser. The flaw exists because the /api/v1/get/mailq/all endpoint feeds server-controlled queue fields into DataTables rows that are rendered as HTML without sufficient output encoding. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
XSS
-
CVE-2026-6456
HIGH
CVSS 8.8
Privilege escalation in the BeycanPress Account Switcher WordPress plugin (versions up to and including 1.0.2) allows authenticated Subscriber-level users to hijack any account, including Administrator, by abusing a loose PHP comparison in the rememberLogin REST endpoint. No public exploit is identified at the time of analysis, but the issue is trivially reproducible from the disclosed root cause and the plugin source on WordPress.org is publicly indexable.
PHP
WordPress
Authentication Bypass
Privilege Escalation
-
CVE-2026-5947
HIGH
CVSS 7.5
Denial of service in ISC BIND 9 resolvers can be triggered when a SIG(0)-signed DNS message is dropped under recursive-clients pressure, creating a race that leads to a use-after-free on the discarded message buffer. The issue affects BIND 9.20.0-9.20.22, 9.21.0-9.21.21, and the 9.20.9-S1-9.20.22-S1 subscription branch; no public exploit has been identified at time of analysis and the issue is not on CISA KEV.
Information Disclosure
Race Condition
Red Hat
Suse
-
CVE-2026-5946
HIGH
CVSS 7.5
Remote denial of service in ISC BIND 9 named allows unauthenticated attackers to trigger assertion failures and crash the resolver by sending DNS messages with non-Internet classes (CHAOS, HESIOD) or meta-classes (ANY, NONE) through code paths involving recursion, dynamic UPDATE, NOTIFY, or IN-specific record processing in non-IN data. The flaw affects BIND 9.11.0 through 9.21.21 across both open-source and Supported Preview (S1) branches, with no public exploit identified at time of analysis. CVSS 7.5 reflects high availability impact with network-reachable, low-complexity, unauthenticated exploitation.
Denial Of Service
Red Hat
Suse
-
CVE-2026-5783
HIGH
CVSS 7.6
Reflected cross-site scripting in Beyaz Computer Software's CityPLus application (versions before V24.29750.1.0) allows remote attackers to inject malicious script into web responses that execute in a victim's browser after the victim clicks a crafted link. The CVSS 7.6 score is elevated by a High Availability impact, suggesting the XSS payload can crash or render the application unusable beyond typical session-theft outcomes. No public exploit identified at time of analysis and the issue was reported by TR-CERT (Turkey's national CERT).
XSS
-
CVE-2026-5200
HIGH
CVSS 8.8
Authenticated privilege escalation in the AcyMailing WordPress plugin (versions up to and including 10.8.2) allows users with subscriber-level access or higher to modify privileged plugin configuration and export subscriber secret keys. By chaining these missing authorization flaws with knowledge of an administrator's email address, attackers can achieve full administrator account takeover. No public exploit identified at time of analysis, but Wordfence - the reporting party - typically tracks WordPress plugin abuse closely.
WordPress
Authentication Bypass
-
CVE-2026-3985
HIGH
CVSS 7.5
Unauthenticated SQL injection in the Creative Mail - Easier WordPress & WooCommerce Email Marketing plugin (versions up to and including 1.6.9) allows remote attackers to append arbitrary SQL clauses through the 'checkout_uuid' parameter handled by the has_checkout_consent() method. The flaw stems from missing escaping and the absence of a prepared statement, enabling extraction of sensitive database contents from any WordPress site running the vulnerable plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
WordPress
SQLi
-
CVE-2026-3593
HIGH
CVSS 7.4
Use-after-free in the DNS-over-HTTPS (DoH) implementation of ISC BIND 9 (9.20.0-9.20.22, 9.21.0-9.21.21, and Subscription Edition 9.20.9-S1-9.20.22-S1) allows remote attackers to corrupt freed memory in the resolver/server process, potentially causing denial of service and possible information disclosure. The 9.18.x branch (including 9.18.11-S1 through 9.18.48-S1) is explicitly unaffected. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Information Disclosure
Use After Free
Memory Corruption
Red Hat
Suse
-
CVE-2026-3039
HIGH
CVSS 7.5
Denial of service in ISC BIND 9 DNS servers configured with TKEY GSS-API authentication allows remote unauthenticated attackers to trigger excessive memory consumption by sending maliciously crafted packets. The flaw primarily impacts Active Directory-integrated DNS and Kerberos-secured DNS deployments, where service exhaustion can disrupt authentication, name resolution, and dependent enterprise services. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 7.5 score and network-reachable, unauthenticated nature warrant timely patching.
Information Disclosure
Red Hat
Suse
-
CVE-2026-0856
HIGH
CVSS 7.8
Privilege escalation in Mesalvo Meona Client Launcher and Server components allows a low-privileged authenticated user to gain access to the administrative panel due to improper access control enforcement. The flaw affects Meona Client Launcher Component through build 19.06.2020 15:11:49 and Meona Server Component through 2025.04 5+323020, and is tagged as an Authentication Bypass with no public exploit identified at time of analysis. The high CVSS score of 7.8 reflects full confidentiality, integrity, and availability impact once a normal user account is leveraged to escalate privileges.
Authentication Bypass
-
CVE-2025-33255
HIGH
CVSS 7.5
Unsafe deserialization in NVIDIA TensorRT-LLM's MPI server component allows a high-privileged local attacker to achieve code execution, denial of service, data tampering, or information disclosure on systems running the affected library. The CVSS 7.5 score reflects high impact but constrained exploitability (AV:L/AC:H/PR:H), and no public exploit has been identified at time of analysis. Scope change (S:C) indicates compromise can extend beyond the vulnerable component to impact other resources on the host.
RCE
Denial Of Service
Information Disclosure
Deserialization
Nvidia
-
CVE-2025-32750
HIGH
CVSS 7.5
Information disclosure in Dell PowerFlex Manager (Appliance, Rack, and core Manager) versions 4.6.2 and earlier allows unauthenticated remote attackers to enumerate server contents through exposed directory listings. The flaw carries a CVSS 7.5 (high) rating driven entirely by confidentiality impact and requires no privileges or user interaction, though no public exploit has been identified at time of analysis and the issue is not on CISA KEV.
Information Disclosure
Dell
-
CVE-2025-11954
HIGH
CVSS 8.0
Cross-site request forgery in Sitemio Information Technologies' WISECP product through version 20022026 allows attackers to trick authenticated users into performing unintended state-changing actions by visiting a malicious page. Successful exploitation carries high impact across confidentiality, integrity, and availability (CVSS 8.0), though it requires user interaction and the victim to hold valid low-privilege credentials. No public exploit identified at time of analysis, and the vendor did not respond to disclosure outreach by TR-CERT.
CSRF
-
CVE-2026-47782
MEDIUM
CVSS 4.6
Silent file download in RoboForm Password Manager for Android (Siber Systems, Inc.) can be triggered by a co-installed malicious application delivering a crafted Android Intent containing an attacker-controlled URL. RoboForm fails to validate the URL destination, request user confirmation, or surface any notification before fetching and writing remote content to the device. Reported by JPCERT (JVNVU93461473) with no CISA KEV listing and no public exploit identified at time of analysis, placing this in a moderate-low real-world risk category despite the sensitive nature of the affected product - a password manager.
Information Disclosure
Google
-
CVE-2026-46431
MEDIUM
CVSS 4.3
Cross-origin read access to Algernon's SSE auto-refresh event server (versions ≤ 1.17.6) allows any web page visited by a developer to silently subscribe to the live file-change stream via a browser-native EventSource. The root cause is a hardcoded wildcard `Access-Control-Allow-Origin: *` response header on the dedicated SSE port activated by the `-a` flag, with no origin inspection or allow-list logic present in the vendored recwatch handler. No public exploit is identified in CISA KEV at time of analysis, though a complete working proof-of-concept - including exploit HTML and a curl verification transcript - is published in GHSA-hw27-4v2q-5qff.
Information Disclosure
Apple
Microsoft
Canonical
Cors Misconfiguration
-
CVE-2026-46430
MEDIUM
CVSS 4.3
Algernon's auto-refresh SSE event server unintentionally exposes developer file-change streams to unauthenticated LAN peers on Linux and macOS due to a platform-dependent bind address default that was never intended to reach adjacent hosts. On non-Windows platforms, the SSE listener resolves to 0.0.0.0:5553 (all interfaces), while Windows correctly binds to 127.0.0.1:5553 - a silent asymmetry introduced in engine/flags.go that leaves developers on the most common Algernon platforms exposed whenever they work on shared networks. A publicly available proof-of-concept demonstrates that any host on the same subnet can enumerate project filenames and edit timing with a single unauthenticated curl command, with no developer interaction required; nothing identified at time of analysis rises to confirmed active exploitation (not in CISA KEV).
Information Disclosure
Apple
Microsoft
-
CVE-2026-46420
MEDIUM
CVSS 5.6
Command injection in shivammathur/setup-php (versions 2.25.0 through 2.37.0) allows an attacker who can influence repository files to execute arbitrary commands on a GitHub Actions runner when the action resolves the PHP version from attacker-controlled content. The risk is highest in privileged workflows using pull_request_target that check out untrusted PR code before invoking setup-php, potentially exposing repository secrets and CI/CD infrastructure. No public exploit code or KEV listing exists at time of analysis, but the attack is realistic in any project using this common CI action pattern with auto-merging or cross-repo workflows.
PHP
Command Injection
-
CVE-2026-45792
MEDIUM
Silent output manipulation in RTK (Rust Token Killer) prior to v0.32.0 allows an attacker who can place a file in a repository to intercept and alter all shell command output before it reaches an LLM during AI-assisted development. The root cause is that RTK unconditionally loaded `.rtk/filters.toml` from the current working directory with highest priority and no user notification, enabling regex-based suppression or rewriting of file contents, diffs, and security scan results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the attack surface - repository-committed config files silently hijacking LLM context - is particularly relevant to AI-assisted development pipelines where developers may not scrutinize every checked-in config.
Information Disclosure
-
CVE-2026-45585
MEDIUM
CVSS 6.8
Windows security feature bypass, publicly dubbed 'YellowKey', exposes systems to full confidentiality, integrity, and availability compromise via command injection (CWE-77) requiring only physical access - no credentials or user interaction needed. A proof-of-concept was released publicly prior to patch availability, violating coordinated disclosure norms, which lowers the attacker skill bar significantly. No vendor-released patch exists at time of analysis; Microsoft has confirmed the issue and is preparing a security update.
Command Injection
Microsoft
-
CVE-2026-45443
MEDIUM
CVSS 5.0
Missing authorization in PDF for Elementor Forms + Drag And Drop Template Builder (WordPress plugin by ADD-ONS.ORG) allows an authenticated low-privilege user to exploit incorrectly configured access control security levels, resulting in unauthorized integrity modifications with changed scope. All plugin versions through 5.5.1 are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, placing this in a monitor-and-patch priority tier rather than emergency response.
Authentication Bypass
-
CVE-2026-44924
MEDIUM
CVSS 5.4
Cross-site scripting in Veritas InfoScale VIOM 9.1.3 allows a low-privileged authenticated attacker to inject malicious scripts into the web application, which execute in the browser context of other users - including potentially administrators. The CVSS 3.1 score of 5.4 with Changed scope (S:C) indicates the injected payload can cross security boundaries and impact principals beyond the originating session. No public exploit code has been identified at time of analysis, and CISA SSVC assessment confirms no active exploitation.
XSS
-
CVE-2026-44923
MEDIUM
CVSS 6.5
SQL injection in Veritas InfoScale Operations Manager (VIOM) prior to v9.1.3 enables remote, unauthenticated attackers to escalate privileges via crafted requests. The vulnerability is network-accessible with no authentication or user interaction required, and SSVC scoring confirms it is automatable, lowering the bar for mass exploitation. No public exploit or CISA KEV listing has been identified at time of analysis, but the unauthenticated attack surface and automatable classification make this a meaningful exposure for any internet-facing VIOM deployment.
SQLi
-
CVE-2026-44608
MEDIUM
CVSS 4.6
Heap use-after-free in Unbound's RPZ (Response Policy Zone) subsystem crashes the DNS resolver under a specific race condition affecting multi-threaded deployments. Versions 1.14.0 through 1.25.0 are affected when an RPZ zone with 'rpz-nsip' or 'rpz-nsdname' triggers is served via XFR (zone transfer) and a simultaneous read occurs in another thread. The crash is remotely triggerable by timing a DNS query against an in-progress XFR, but requires multiple co-occurring non-default conditions; no public exploit exists and no active exploitation has been confirmed.
Denial Of Service
Red Hat
Suse
-
CVE-2026-44392
MEDIUM
CVSS 5.3
Missing authorization in Movable Type allows authenticated non-administrator users to trigger unintended update operations under certain conditions. Affecting Movable Type, Movable Type Advanced, and Movable Type Premium products by Six Apart Ltd., the flaw (CWE-862) permits a low-privileged user to bypass access controls and perform write operations that should be restricted to administrators. No public exploit or CISA KEV listing exists at time of analysis; the vendor released a fix in version 9.0.8 on 2026-05-20 per the Six Apart advisory.
Authentication Bypass
-
CVE-2026-44390
MEDIUM
CVSS 6.9
Denial of service in NLnet Labs Unbound 1.25.0 and earlier allows remote unauthenticated attackers to exhaust CPU resources by querying for content from a specially crafted malicious DNS zone containing very large RRsets whose records share no suffix above the root. The name compression logic fails to increment its bounding counter in this edge-case code path, causing an unbounded CPU-locking loop until packet construction completes. This is a complementary fix to CVE-2024-8508, which introduced a compression limit in 1.21.1 that did not cover this specific bypass scenario; no public exploit has been identified at time of analysis.
Denial Of Service
Suse
-
CVE-2026-43620
MEDIUM
CVSS 6.9
Receiver-side out-of-bounds array read in Rsync 3.4.2 and earlier allows a malicious rsync server to deterministically crash any connecting client process via a crafted synchronization session. The flaw in recv_files() causes the client to dereference an invalid pointer at an unmapped address, producing a reliable SIGSEGV. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the crash is described as deterministic, meaning any attacker controlling or impersonating an rsync server can reliably deny service to clients that connect.
Buffer Overflow
Information Disclosure
Red Hat
Suse
-
CVE-2026-43618
MEDIUM
CVSS 6.1
Information disclosure in Rsync 3.4.2 and prior allows an authenticated remote sender to leak receiver process memory through an integer overflow in the compressed-token decoder. The flaw exposes environment variables, credentials, heap and stack contents, and library pointers, weakening ASLR and enabling follow-on exploitation; no public exploit identified at time of analysis, but Rsync 3.4.3 bundles the security fix.
Information Disclosure
Integer Overflow
Red Hat
Suse
-
CVE-2026-43617
MEDIUM
CVSS 6.3
Hostname-based ACL bypass in the rsync daemon (rsync ≤ 3.4.2) allows unauthenticated remote attackers to circumvent administrator-configured deny rules when the daemon runs with chroot enabled. By manipulating the PTR record for their source IP or engineering a reverse DNS resolution failure, an attacker causes the daemon to fall back to the default hostname 'UNKNOWN', which does not match any configured deny entry and therefore permits the connection. Confidentiality and integrity are both partially at risk; no public exploit has been identified at time of analysis, and a vendor-released patch (v3.4.3) is available.
Authentication Bypass
Red Hat
Suse
-
CVE-2026-42960
MEDIUM
CVSS 5.7
DNS cache poisoning in NLnet Labs Unbound 1.25.0 and earlier allows an adjacent-network attacker to inject malicious resource records into the resolver's cache by exploiting insufficient validation of authority-section RRSets. By attaching forged non-NS RRSets (such as MX records) with accompanying address records in spoofed or fragmented DNS replies, an attacker can trick Unbound into caching poisoned entries when the authority RRSet carries sufficient trust as in-zone delegation data. Publicly available proof-of-concept exploit code exists (CVSS 4.0 E:P); this is a complementary fix to CVE-2025-11411, meaning systems that patched the prior vulnerability but have not upgraded to 1.25.1 remain exposed.
Code Injection
Suse
-
CVE-2026-42923
MEDIUM
CVSS 6.9
Unbound DNS resolver up to and including version 1.25.0 exposes a denial-of-service condition in its DNSSEC validation stack, specifically in the negative cache code path used to look up DS records. An adversary who controls a DNSSEC-signed zone can craft NSEC3 records with high-but-permissible iteration counts for child delegations, causing any vulnerable Unbound instance that queries those records to perform unbounded SHA-1 hash computations while holding a global negative cache lock - blocking all other threads that need cache access. No public exploit code exists and this is not listed in the CISA KEV catalog at time of analysis, but coordinated query floods against the vulnerable code path could escalate a single-instance slowdown into a full denial of service.
Denial Of Service
Suse
-
CVE-2026-42534
MEDIUM
CVSS 6.9
Resolution performance degradation in NLnet Labs Unbound 1.25.0 and earlier allows an unauthenticated remote attacker - who also controls a malicious or slow authoritative nameserver - to subvert the jostle logic designed to evict stalled queries, ultimately causing denial of resolution service. The jostle mechanism, which activates when the num-queries-per-thread limit is reached, is bypassed because retransmitted duplicate queries reset the aging timestamp to the latest duplicate rather than preserving the original query start time, preventing aged queries from being correctly identified and replaced. No public exploit has been identified at time of analysis; however, the vendor has confirmed the issue and released a patch in version 1.25.1.
Information Disclosure
Suse
-
CVE-2026-41292
MEDIUM
CVSS 6.6
Unbound DNS resolver versions up to and including 1.25.0 allow remote unauthenticated attackers to degrade or deny service by sending DNS queries carrying abnormally large numbers of EDNS options, causing resolver threads to become occupied with unbounded parsing and internal data structure allocation. Coordinated multi-source attacks amplify thread exhaustion into full denial of service for legitimate DNS clients. No public exploit identified at time of analysis; vendor-released patch is available in Unbound 1.25.1, which enforces a hard cap of 100 incoming EDNS options.
Denial Of Service
Suse
-
CVE-2026-40622
MEDIUM
CVSS 6.6
Ghost domain name extension in NLnet Labs Unbound 1.16.2 through 1.25.0 allows an adversary controlling an expired ghost zone to artificially prolong its resolvability by causing Unbound to overwrite the cached parent-side referral NS rrset with the child-side apex NS rrset, extending the ghost domain window by up to one full cache-max-ttl interval. The attack requires the adversary to control the target ghost zone and issue a single NS query to a vulnerable resolver; in non-default configurations using 'harden-referral-path: yes', no external query is needed as Unbound performs the triggering lookup internally. No public exploit identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 Exploit Maturity is rated 'Unreported', though the integrity impact on DNS resolution is high (VI:H) and represents a meaningful trust boundary violation.
Information Disclosure
-
CVE-2026-40102
MEDIUM
CVSS 6.5
ORM Field Reference Injection in Plane versions 1.3.0 and below enables any authenticated workspace MEMBER to exfiltrate sensitive data - including bcrypt password hashes, API tokens, and user email addresses - via a single crafted GET request. The SavedAnalyticEndpoint omits the field allowlist validation present in the regular AnalyticsEndpoint, passing the user-supplied segment parameter directly into Django F() expressions, which then traverse foreign-key relationships and return referenced field values in the JSON response. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack is trivially reconstructable from the public GHSA-93x3-ghh7-72j3 advisory and the exfiltrated data directly enables secondary attacks.
Python
Information Disclosure
Nosql Injection
-
CVE-2026-40094
MEDIUM
CVSS 4.3
Panic-triggered denial of service in Nimiq's core-rs-albatross (versions prior to 1.4.0) allows a network-level attacker to crash the node's RPC task by injecting a signed PeerContact with an empty addresses list into the libp2p peer discovery layer. The crash is deferred: the malicious contact is accepted and stored silently, but any subsequent call to get_address_book - from an RPC client or web client - triggers an unconditional Rust panic via .expect() on an empty iterator. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low attack complexity and network-accessible vector make casual exploitation plausible against any exposed node operator workflow.
Denial Of Service
-
CVE-2026-39311
MEDIUM
CVSS 6.8
Stored XSS-to-RCE chain in Trilium Notes versions 0.102.1 and prior allows a network attacker to execute arbitrary Node.js code on the server by tricking an authenticated user into viewing a malicious SVG attachment. The vulnerability exploits three compounding design flaws - unsanitized SVG serving with the image/svg+xml MIME type, a deliberately disabled Content Security Policy, and an unauthenticated-from-same-origin script execution endpoint at /api/script/exec - enabling full server compromise through a single user interaction. No public exploit code or CISA KEV listing has been identified at time of analysis, but the detailed disclosure in the GitHub security advisory provides a near-complete attack recipe; EPSS data was not available in the provided intelligence.
XSS
RCE
Node.js
-
CVE-2026-39309
MEDIUM
CVSS 5.5
Trilium Notes Electron desktop application on macOS, versions 0.102.1 and prior, permits local attackers to spoof macOS Transparency, Consent, and Control (TCC) permission prompts by exploiting the enabled RunAsNode Electron fuse, which allows arbitrary Node.js code to execute under Trilium's trusted identity. An attacker with local code execution can spawn a subprocess inheriting Trilium's macOS identity and then request TCC-protected resources - camera, microphone, screen, ~/Documents, ~/Downloads - causing the system prompt to appear as if the legitimate Trilium Notes app is requesting access, not the attacker. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the social-engineering angle makes it particularly dangerous for macOS users who extend implicit trust to Trilium. Version 0.102.2 resolves the issue by disabling the RunAsNode fuse.
Authentication Bypass
Node.js
Apple
-
CVE-2026-35593
MEDIUM
CVSS 6.8
Path traversal via the attachment upload API in Trilium Notes 0.102.1 and prior allows an authenticated high-privilege attacker to read arbitrary files from the server's filesystem by supplying a controlled file path in a POST request body. The two-step exploitation pattern - POST to /api/attachments/{attachmentId}/upload-modified-file to stage a file, then GET from /api/attachments/{attachmentId}/download to retrieve its contents - effectively turns the attachment system into an unauthenticated file disclosure proxy once the initial write is performed. The CVSS Changed scope (S:C) reflects that exposed materials such as SSH keys, database credentials, and application configs can cascade into compromise of co-hosted services well beyond Trilium itself. No public exploit or CISA KEV listing has been identified at time of analysis.
RCE
Path Traversal
-
CVE-2026-35070
MEDIUM
CVSS 6.4
Command injection in Dell SmartFabric Storage Software versions prior to 1.4.5 enables a high-privileged local attacker to gain unauthorized read and write access to the underlying filesystem. Exploitation requires local system presence and high-level privileges, with the CVSS vector (AV:L/AC:H/PR:H) indicating a constrained threat surface despite the high confidentiality, integrity, and availability impact scores. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Command Injection
Dell
-
CVE-2026-35016
MEDIUM
CVSS 5.1
Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `frm_query` POST parameter in `search.php`, which is echoed verbatim into an HTML input `VALUE` attribute. The CVSS 4.0 score of 5.1 (Medium) reflects a required active user interaction step (UI:A) that limits opportunistic exploitation - a victim must be induced to submit a crafted request. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch (v3.44.2) is available and should be applied immediately, as it simultaneously addresses 88 security vulnerabilities - including 68 additional XSS flaws across 22 files - indicating systemic insecurity in all prior versions.
PHP
XSS
-
CVE-2026-35015
MEDIUM
CVSS 5.1
Reflected XSS in Open ISES Tickets before 3.44.2 enables injection of arbitrary JavaScript via the unsanitized `the_ticket` GET parameter in do_unit_mail.php, which is written directly into a JavaScript variable assignment without output encoding. An attacker who can deliver a crafted URL to a user of the application can execute arbitrary JavaScript in that user's browser session, enabling session hijacking, credential theft, or UI redirection. No active exploitation is confirmed (not in CISA KEV), and no public POC is identified at time of analysis, though a patch commit and vendor release are publicly available, widening the exposure window.
PHP
XSS
-
CVE-2026-35014
MEDIUM
CVSS 5.1
Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the ticket_id GET parameter in routes_nm.php, which is unsanitized and written directly into an HTML hidden input field VALUE attribute. The CVSS 4.0 vector (PR:N) indicates no privileges are required, but the CVE description explicitly characterizes the attacker as authenticated - this discrepancy must be verified with the vendor before determining actual exploitation prerequisites. Active user interaction is required (UI:A), meaning exploitation depends on a victim clicking a crafted URL. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
PHP
XSS
-
CVE-2026-35013
MEDIUM
CVSS 5.1
Reflected XSS in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript into a victim's browser session via the thelat and thelng GET parameters in street_view.php, where values are passed unsanitized directly into JavaScript variable assignments. The attack requires user interaction - a victim must visit a crafted URL - and the CVSS 4.0 score of 5.1 reflects limited scope impact (SC:L/SI:L). Notably, this CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and 5 hardcoded secrets, indicating severe systemic security debt in the codebase. No public exploit identified at time of analysis, and no CISA KEV listing.
PHP
XSS
-
CVE-2026-35012
MEDIUM
CVSS 5.1
Reflected XSS in Open ISES Tickets before version 3.44.2 enables JavaScript injection via the ticket_id GET parameter in add_facnote.php, which is written unsanitized into a hidden HTML input field's VALUE attribute. An attacker can craft a URL containing a JavaScript payload and trick a user into visiting it, causing script execution in the victim's browser session within the application's origin. No public exploit has been identified at time of analysis, and a vendor-released patch is confirmed at v3.44.2. Notably, this CVE is one of at least 69 XSS vulnerabilities addressed in the same release, indicating systemic input sanitization failures across the codebase.
PHP
XSS
-
CVE-2026-35011
MEDIUM
CVSS 5.1
Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a payload in the `frm_call` GET parameter of `opena.php`, which is reflected directly into page output without sanitization. The CVSS 4.0 vector scores this at 5.1 (Medium), with impact limited to the subsequent browser context (SC:L/SI:L) rather than the server itself. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV - however, the v3.44.2 release patched 88 total vulnerabilities including 19 SQL injection flaws, indicating systemic security debt warranting urgent upgrade regardless of this CVE's moderate score.
PHP
XSS
-
CVE-2026-35010
MEDIUM
CVSS 5.1
Reflected XSS in Open ISES Tickets before 3.44.2 enables JavaScript injection via the ticket_id GET parameter in patient_JF.php, where the unsanitized value is written directly into a JavaScript variable assignment in the server response. The CVSS 4.0 vector (PR:N, UI:A) indicates no authentication is required from the attacker's side, though the CVE description contradicts this by specifying 'authenticated attackers' - this conflict should be verified with the vendor. Exploitation requires the victim to actively visit a crafted URL, limiting mass exploitation, but the broader v3.44.2 release context - which patches 88 total vulnerabilities including 19 SQL injection flaws - signals systemic input validation failures across the codebase. No public exploit code or CISA KEV listing has been identified at time of analysis.
PHP
XSS
-
CVE-2026-35009
MEDIUM
CVSS 5.1
Reflected XSS in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the unsanitized ticket_id GET parameter in add_note.php, with payload execution occurring in the browser of any authenticated user who visits a crafted URL. The CVSS 4.0 score of 5.1 (Medium) reflects the mandatory user interaction requirement and impact scope limited to the browser context, with no server-side confidentiality or integrity impact. No public exploit code or active exploitation has been identified at time of analysis; the vendor released v3.44.2 as a critical security update that addresses this issue alongside 87 additional vulnerabilities.
PHP
XSS
-
CVE-2026-35008
MEDIUM
CVSS 5.1
Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript via the ticket_id GET parameter in single.php, which is rendered unsanitized into an HTML attribute and executed in a victim's browser upon visiting a crafted URL. This vulnerability is one of 69 XSS issues patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and hardcoded credentials - signaling systemic input handling deficiencies across the application. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS 4.0 score of 5.1 and mandatory user interaction (UI:A) limit automated exploitation.
PHP
XSS
-
CVE-2026-35007
MEDIUM
CVSS 5.1
Reflected XSS in Open ISES Tickets before version 3.44.2 allows attackers to inject arbitrary JavaScript into a victim's browser session via the unsanitized 'id' GET parameter in single_unit.php. The injected value is written directly into an HTML attribute without escaping, enabling session hijacking, credential theft, or malicious redirects when a victim visits an attacker-crafted URL. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 security release - indicating systemic input validation failures across the application. No public exploit or CISA KEV listing has been identified at time of analysis.
PHP
XSS
-
CVE-2026-32792
MEDIUM
CVSS 4.6
Heap out-of-bounds read in Unbound's DNSCrypt packet handling allows a remote unauthenticated attacker to potentially crash the resolver with a single malformed query, causing denial of service. Affected are all Unbound installations from version 1.6.2 through 1.25.0 that were compiled with the optional '--enable-dnscrypt' flag. The crash is probabilistic rather than guaranteed - whether the out-of-bounds read escalates to a heap overflow depends entirely on the memory allocator behavior and heap layout at runtime; absent a crash, Unbound's own packet validation will discard the offending query. No public exploit exists and no active exploitation has been identified at time of analysis.
Buffer Overflow
Denial Of Service
Information Disclosure
Suse
-
CVE-2026-30691
MEDIUM
CVSS 6.1
Stored/reflected Cross-Site Scripting in @cyntler/react-doc-viewer v1.17.1 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted .txt file for rendering. The TXTRenderer component unsafely casts raw file content directly as a ReactNode without sanitization, bypassing React's default escaping and enabling HTML/script injection. A publicly available proof-of-concept exists; no confirmed active exploitation in CISA KEV at time of analysis.
XSS
-
CVE-2026-27424
MEDIUM
CVSS 4.3
Missing Authorization in the Image Photo Gallery Final Tiles Grid WordPress plugin (by WP Chill) allows low-privileged authenticated attackers to exploit incorrectly configured access control, resulting in unauthorized read access to restricted data. All plugin versions through 3.6.11 are affected per NVD and Patchstack. No public exploit identified at time of analysis, and the limited confidentiality impact (C:L) and authentication requirement (PR:L) constrain real-world blast radius, though the vulnerability remains a valid risk for multi-tenant or shared-access WordPress deployments.
Authentication Bypass
-
CVE-2026-27405
MEDIUM
CVSS 6.5
Broken access control in the WpBookingly WordPress plugin (Magepeople Inc.) through version 1.2.9 enables network-authenticated high-privilege users to perform unauthorized integrity and availability-impacting actions against the booking management system. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce proper authorization checks on one or more endpoints, allowing exploitation of incorrectly configured access control levels. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Authentication Bypass
-
CVE-2026-26028
MEDIUM
CVSS 6.1
HTML sanitizer bypass in CryptPad's Diffmarked.js allows remote unauthenticated attackers to inject arbitrary HTML into collaborative documents, completely defeating the platform's bounce sandboxing mechanism. All CryptPad versions prior to 2026.2.0 are affected; the CVSS scope change (S:C) reflects that exploitation crosses sandbox boundaries, enabling link injection and delivery of malicious interactive content to any user who opens a crafted document. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV, though the attack vector is network-accessible with no authentication required.
Authentication Bypass
Microsoft
-
CVE-2026-25602
MEDIUM
CVSS 4.4
Mesalvo Meona's Client Launcher and Server components fail to verify data authenticity (CWE-345), enabling a locally authenticated low-privileged user to send email messages to arbitrary recipients. Both the Client Launcher Component through version 19.06.2020 15:11:49 and the Server Component through version 2025.04 5+323020 are affected per NVD CPE data. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog, but the integrity and information disclosure impact could enable internal email abuse or phishing pivots from a compromised endpoint.
Information Disclosure
-
CVE-2026-24573
MEDIUM
CVSS 6.5
Stored XSS in the Themeisle Visualizer WordPress plugin (all versions before 4.0.0) allows an authenticated low-privileged user to inject persistent malicious scripts into chart or visualization content. When a victim user subsequently views the affected page, the injected script executes in their browser within a changed scope (S:C), meaning impact extends beyond the attacker's own session to other users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and network-accessible vector make this straightforward to abuse on sites with open or loosely controlled contributor registration.
XSS
-
CVE-2026-24215
MEDIUM
CVSS 5.7
Uncontrolled resource consumption in NVIDIA Triton Inference Server's DALI backend allows a network-adjacent, low-privileged attacker to exhaust server resources, resulting in denial of service. The vulnerability (CWE-400) is triggered through the DALI data-loading and augmentation backend, requires low privileges and user interaction, and carries a CVSS score of 5.7 (Medium). No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a monitored-but-not-critical-urgency tier for most deployments.
Denial Of Service
Nvidia
-
CVE-2026-24208
MEDIUM
CVSS 5.3
Path traversal exploitation in NVIDIA Triton Inference Server enables unauthenticated remote attackers to cause denial of service by submitting crafted requests containing malicious path components. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero authentication or user interaction is required, making this broadly reachable from the network with low attack complexity. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis; however, the no-prerequisite attack profile warrants patching per NVIDIA's advisory at nvidia.custhelp.com.
Denial Of Service
Path Traversal
Nvidia
-
CVE-2026-24160
MEDIUM
CVSS 5.5
Null pointer dereference in NVIDIA TensorRT-LLM across all supported platforms allows a local attacker to crash the application and cause denial of service. The flaw stems from an unchecked return value that is subsequently dereferenced, triggering a fault when the returned pointer is null. With a CVSS score of 5.5 and no public exploit or CISA KEV listing identified at time of analysis, real-world risk is moderate and constrained by the local attack vector and mandatory user interaction.
Denial Of Service
Nvidia
-
CVE-2026-24142
MEDIUM
CVSS 6.3
Deserialization of untrusted data in NVIDIA TensorRT-LLM across all platforms allows a local, low-privileged attacker to achieve code execution, data tampering, and information disclosure by exploiting an unsafe serialized handle. The CVSS Changed Scope (S:C) indicates the impact can extend beyond the vulnerable component itself - notable given TensorRT-LLM's role as an inference serving library often integrated into multi-tenant or production AI infrastructure. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
RCE
Information Disclosure
Deserialization
Nvidia
-
CVE-2026-21836
MEDIUM
CVSS 6.5
HCL DominoIQ's Retrieval-Augmented Generation (RAG) feature fails to enforce document-level access controls when processing AI queries, allowing authenticated low-privileged users to retrieve sensitive Domino documents they are not authorized to view. Affecting the AI query subsystem of HCL DominoIQ, this broken access control flaw carries a CVSS 6.5 with High confidentiality impact, reflecting meaningful data exposure risk in enterprise Domino deployments. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Authentication Bypass
Information Disclosure
-
CVE-2026-20240
MEDIUM
CVSS 6.5
Denial of Service in Splunk Enterprise and Splunk Cloud Platform allows a low-privileged authenticated user to render the entire instance non-functional by exploiting missing input validation in the `coldToFrozen.sh` script bundled with the `splunk_archiver` app. The script accepts arbitrary file paths and renames them without restricting operations to safe directories, enabling renaming of critical Splunk system directories. No public exploit or CISA KEV listing has been identified at time of analysis, but the low privilege requirement (PR:L per CVSS) makes this actionable for any authenticated non-admin user in multi-tenant or enterprise deployments. A vendor patch is available via advisory SVD-2026-0504.
Denial Of Service
Splunk
-
CVE-2026-20238
MEDIUM
CVSS 6.5
Unauthorized data disclosure in Splunk AI Toolkit versions below 5.7.3 allows authenticated low-privileged users to bypass srchFilter-based access controls and read confidential data scoped to more restricted custom roles. The flaw stems from the Splunk platform's behavior of combining inherited search filters via the OR SPL operator, causing the permissive filter injected by the AI Toolkit's authorize.conf to override stricter filters on child roles. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, but the CVSS confidentiality impact is rated High, making this a meaningful data exposure risk in multi-tenant or compliance-sensitive Splunk deployments.
Authentication Bypass
Splunk
-
CVE-2026-20206
MEDIUM
CVSS 6.3
Command injection in the BrowserBot component of Cisco ThousandEyes Enterprise Agent (CWE-78) allows authenticated SaaS users with transaction test management privileges to execute arbitrary OS commands inside the BrowserBot container as the unprivileged 'node' user. Exploitation requires valid ThousandEyes SaaS credentials and the ability to manage transaction tests, scoping the realistic threat primarily to insiders and compromised privileged accounts. Cisco has already deployed a remediation server-side; no customer action is required. No public exploit code or CISA KEV listing exists at time of analysis.
Command Injection
Cisco
-
CVE-2026-20199
MEDIUM
CVSS 4.7
Remote code execution as root in Cisco ThousandEyes Virtual Appliance is achievable by any authenticated administrator through a crafted SSL certificate upload. The flaw stems from CWE-74 injection in the certificate handling subsystem, where user-supplied certificate data is not adequately sanitized before being processed by the underlying OS. Despite a CVSS score of 4.7 (Medium), the actual post-exploitation impact is severe - root-level OS access - though the PR:H prerequisite substantially constrains the realistic attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis.
RCE
Cisco
-
CVE-2026-20171
MEDIUM
CVSS 6.8
BGP session flapping denial-of-service in Cisco NX-OS on Nexus 3000 and 9000 Series Switches exposes data-center routing infrastructure to disruption from unauthenticated remote attackers. The flaw resides in the enforce-first-as BGP feature, where incorrect parsing of a transitive BGP attribute causes an affected switch to drop its BGP peer session and enter a flap loop upon receiving a crafted BGP UPDATE message. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the Changed scope in the CVSS vector reflects that the instability can propagate beyond the directly attacked peer, amplifying network-wide impact.
Denial Of Service
Cisco
-
CVE-2026-9150
MEDIUM
CVSS 6.5
Stack-based buffer overflow in libsolv's Debian metadata parser allows remote, unauthenticated attackers to cause a denial of service by serving maliciously crafted Debian repository metadata containing SHA384 or SHA512 checksum tags. The root cause, confirmed by the GitHub PR #616 diff, is a statically allocated 65-byte stack buffer in `ext/repo_deb.c` sized only for SHA256 digests, which is overflowed by the larger SHA384 (96 hex chars) and SHA512 (128 hex chars) values. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; an upstream fix is available as an open pull request.
Buffer Overflow
Denial Of Service
Stack Overflow
Debian
Red Hat
-
CVE-2026-9137
MEDIUM
CVSS 5.1
MISP's CSP report endpoint in versions 2.5.0 through 2.5.37 accepts payloads up to 1 MB per report instead of the developer-intended 1 KB limit, due to a 1,024x magnitude error in the truncation guard (`1024 * 1024` instead of `1024`). On deployments where the endpoint is reachable by untrusted clients, unauthenticated remote parties (per CVSS PR:N) can abuse this discrepancy to flood application logs with oversized reports, contributing to disk exhaustion or log integrity degradation. No public exploit code exists and active exploitation has not been confirmed; the CVSS 4.0 score of 5.1 (Low-Medium) reflects the limited, availability-only impact.
Denial Of Service
-
CVE-2026-9124
MEDIUM
CVSS 5.3
Cross-origin data leakage in Google Chrome prior to 148.0.7778.179 exposes sensitive information to attackers who have already achieved renderer process compromise. The flaw stems from insufficient input validation (CWE-20) in Chrome's Input handling, enabling a crafted HTML page to exfiltrate data across origin boundaries. No active exploitation is confirmed - SSVC assigns exploitation status 'none' and the vulnerability is not listed in CISA KEV - but the confidentiality impact is rated High by CVSS, warranting prompt patching.
Information Disclosure
Google
Suse
-
CVE-2026-9122
MEDIUM
CVSS 6.5
Out-of-bounds read in the GPU process of Google Chrome on macOS prior to 148.0.7778.179 exposes potentially sensitive data from process memory to remote attackers. Exploitation requires a victim to visit a crafted HTML page (CVSS UI:R), limiting automation potential - consistent with SSVC's 'Automatable: no' determination. No public exploit identified at time of analysis and CISA has not added this to the Known Exploited Vulnerabilities catalog; Chrome's own severity rating is Medium.
Buffer Overflow
Information Disclosure
Google
Suse
-
CVE-2026-9116
MEDIUM
CVSS 4.3
ServiceWorker policy enforcement failure in Google Chrome prior to version 148.0.7778.179 enables unauthenticated remote attackers to leak cross-origin data by luring a victim to a crafted HTML page. The vulnerability stems from Chrome's ServiceWorker layer failing to adequately enforce isolation boundaries (CWE-693), allowing a malicious origin to read data it should not have access to under the same-origin policy. No public exploit identified at time of analysis, and the CVSS score of 4.3 reflects limited confidentiality impact; however, the zero-privilege, network-accessible attack vector means any Chrome user browsing a malicious page could be affected.
Information Disclosure
Google
Suse
-
CVE-2026-9115
MEDIUM
CVSS 4.3
Same-origin policy bypass in Google Chrome's Service Worker subsystem (all versions prior to 148.0.7778.179) allows remote unauthenticated attackers to read cross-origin data by luring a victim to a crafted HTML page. The flaw originates from insufficient policy enforcement (CWE-693) within the Service Worker layer, enabling unauthorized access to confidential data across origins. No public exploit code has been identified and no active exploitation is confirmed; Google has shipped a fix in stable channel version 148.0.7778.179.
Authentication Bypass
Google
Suse
-
CVE-2026-9113
MEDIUM
CVSS 4.3
Out-of-bounds memory read in the GPU component of Google Chrome on macOS exposes process memory to remote attackers via a crafted HTML page. Affected versions are all Chrome releases prior to 148.0.7778.179 on Mac; Windows and Linux are not identified as affected. No public exploit or active exploitation has been identified at time of analysis, and SSVC confirms exploitation status as none with non-automatable attack delivery.
Buffer Overflow
Information Disclosure
Google
Suse
-
CVE-2026-9110
MEDIUM
CVSS 4.2
UI spoofing in Google Chrome on Windows (prior to 148.0.7778.179) enables a remote attacker who has already achieved renderer process compromise to deceive end users through a crafted HTML page, exploiting CWE-451 (UI Misrepresentation of Critical Information). Affected users on Windows running any Chrome version below 148.0.7778.179 are exposed to potential phishing or credential-harvesting scenarios dressed up as legitimate browser UI. No public exploit code or CISA KEV listing exists at time of analysis, but the Chromium team assigned a Critical internal severity - a meaningful contrast with the NVD CVSS score of 4.2 - suggesting the spoofing potential carries downstream risk beyond what the base score reflects.
Information Disclosure
Google
Microsoft
Suse
-
CVE-2026-9101
MEDIUM
CVSS 5.3
Prototype pollution in MongoDB Compass's CSV import parsing logic creates a '1-click' command execution path across versions 1.36.x through 1.49.5. A crafted CSV file can pollute JavaScript object prototypes during the import workflow, causing untrusted file paths to reach Electron's shell.openExternal() API and be executed by the operating system's default handler. No public exploit code has been identified and this CVE is absent from CISA KEV, but the passive user-interaction requirement - simply importing a CSV as part of routine database work - makes targeted social engineering a credible delivery vector in data-heavy environments.
Information Disclosure
Prototype Pollution
-
CVE-2026-9100
MEDIUM
CVSS 6.0
The legacy GridFS API in the MongoDB C Driver fails to validate file metadata fields retrieved from the database, enabling crafted documents stored in a GridFS collection to trigger either a division-by-zero crash (denial of service) or an out-of-bounds read that exposes process memory contents to the caller. Versions in the 1.x branch before 1.30.8 and 2.x branch before 2.2.4 are affected per EUVD-2026-31132. The CVSS 4.0 score of 6.0 accurately reflects a constrained attack path requiring low-privilege database access and a pre-positioned malicious document (AT:P), with no public exploit identified at time of analysis.
Buffer Overflow
Suse
-
CVE-2026-9087
MEDIUM
CVSS 6.4
Account takeover via IdP linking proof reuse in Red Hat Build of Keycloak allows an authenticated attacker with an account on the same external Identity Provider to hijack another user's local Keycloak account. The cross-session verification proof generated during the IdP account linking flow is scoped only to the tuple (local userId, idpAlias) and is not cryptographically bound to the specific upstream identity that completed verification, enabling a second IdP account - controlled by the attacker - to consume that proof and become linked to the victim's local account. No public exploit has been identified at time of analysis and the flaw is not listed in the CISA KEV catalog, though the high Confidentiality and Integrity impact (CVSS C:H/I:H) reflects the severity of a successful account takeover.
Authentication Bypass
Red Hat
-
CVE-2026-9084
MEDIUM
CVSS 6.0
Account takeover in MISP's OidcAuth plugin (versions 2.5.0 through 2.5.37) enables an unauthenticated attacker holding a valid OIDC token from an insecure or untrusted IdP to authenticate as any local MISP user whose account has a NULL stored `sub` value. The vulnerability arises because the plugin unconditionally trusts the OIDC email claim to link identities to existing local accounts without verifying email ownership, bypassing authentication controls entirely (CWE-287). No public exploit has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.0 reflects the adjacent network vector and high complexity conditions that constrain realistic exposure.
Authentication Bypass
-
CVE-2026-9056
MEDIUM
CVSS 5.4
Stored cross-site scripting in Qlik Talend Administration Center allows an authenticated user holding server management permissions to inject persistent malicious script payloads that execute in the browsers of other TAC users who subsequently view the affected content. The CVSS Changed scope (S:C) signals that successful exploitation crosses security boundaries beyond the application itself, enabling impact on victim browser sessions. No public exploit code has been identified at time of analysis and there is no CISA KEV listing, but Qlik has published a security fix via its official support community.
XSS
-
CVE-2026-8685
MEDIUM
CVSS 6.5
SQL Injection in the Infility Global WordPress plugin (all versions through 2.15.16) allows authenticated attackers holding only a Subscriber-level account to append arbitrary SQL to existing database queries and extract sensitive information. The vulnerability originates in the show_control_data::post_list() function, which is registered as an admin menu page gated only by the 'read' capability - the lowest WordPress capability tier. With CVSS C:H and no integrity or availability impact, the primary real-world risk is wholesale database exfiltration on any site with open user registration. No public exploit has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
WordPress
SQLi
-
CVE-2026-8627
MEDIUM
CVSS 6.1
Reflected Cross-Site Scripting in the Correct Prices WordPress plugin (versions up to and including 1.0) exposes any site running this plugin to script injection via crafted URLs. The correct_prices_page() function writes the raw value of $_SERVER['PHP_SELF'] into a form's action attribute without calling esc_url() or esc_attr(), allowing an attacker to break out of the HTML attribute context and inject arbitrary markup. CVSS vector PR:N confirms no authentication is required from the attacker, though exploitation is limited by a required user interaction (UI:R) - a victim must be tricked into following a specially crafted link. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code was identified at time of analysis.
WordPress
XSS
-
CVE-2026-8626
MEDIUM
CVSS 6.1
Reflected Cross-Site Scripting in the SponsorMe plugin for WordPress (all versions through 0.5.2) allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking an authenticated user - likely a WordPress administrator - into clicking a specially crafted wp-admin/admin.php URL. The PHP_SELF superglobal is reflected unsanitized in two distinct locations within the same vulnerable function: a form action attribute (sponsorme.php:440) and an anchor href attribute (sponsorme.php:475), doubling the attack surface. No patch has been identified at time of analysis, and no public exploit or CISA KEV listing has been confirmed.
PHP
WordPress
XSS
-
CVE-2026-8624
MEDIUM
CVSS 6.1
Reflected XSS in the LJ Comments Import: Reloaded WordPress plugin (all versions ≤ 0.97.1) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by exploiting two distinct unsanitized echo points for the PHP_SELF variable in lj_comments_import.php (lines L129 and L161). The attack requires tricking an authenticated WordPress user into clicking a crafted link, making session hijacking and unauthorized administrative actions the primary post-exploitation risk. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity (AC:L, PR:N) and Changed scope make this a realistic threat to sites where the plugin is active.
WordPress
XSS
-
CVE-2026-8610
MEDIUM
CVSS 4.3
Authorization bypass in the TypeSquare Webfonts for ConoHa WordPress plugin (all versions through 2.0.4) allows authenticated attackers with subscriber-level access to arbitrarily modify site-wide font configuration by submitting a POST request to any wp-admin page. The plugin fails to verify that the requesting user has permission to alter settings such as typesquare_auth (fontThemeUseType), show_post_form, and typesquare_fonttheme (CWE-862). Compounding the issue, when fontThemeUseType values 1 or 3 are targeted, nonce verification is also absent, making those specific code branches additionally exploitable via cross-site request forgery against higher-privileged users. No public exploit has been identified at time of analysis, and no confirmed patched version has been released.
WordPress
Authentication Bypass
CSRF
-
CVE-2026-8488
MEDIUM
CVSS 4.3
Unauthenticated resource exhaustion in Progress Software MOVEit Automation enables a low-privileged remote attacker to degrade availability by triggering excessive resource allocation without server-side throttling controls. Affecting all MOVEit Automation releases prior to 2025.0.11 and the 2025.1.x branch prior to 2025.1.7, successful exploitation results in limited availability impact (A:L per CVSS) against the targeted instance. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis; the vendor has released patched versions.
Denial Of Service
-
CVE-2026-8487
MEDIUM
CVSS 6.5
Incorrect default permissions in Progress Software MOVEit Automation expose embedded sensitive data to authenticated low-privileged users over the network. Affected versions span the 2025.0.x line before 2025.0.11 and the 2025.1.x line before 2025.1.7. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) indicates that any network-accessible instance running a vulnerable version can be exploited by a legitimately authenticated user with minimal privileges, resulting in high confidentiality impact with no integrity or availability loss. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.
Privilege Escalation
Information Disclosure
-
CVE-2026-8486
MEDIUM
CVSS 5.3
Unauthenticated remote flooding of Progress Software MOVEit Automation exploits a missing resource throttling control (CWE-770), allowing an attacker to degrade service availability without any credentials or user interaction. Affected versions span the 2025.0.x branch (before 2025.0.11) and the 2025.1.x branch (before 2025.1.7). Progress Software has released patched versions; no public exploit code or CISA KEV listing has been identified at time of analysis, though MOVEit products remain high-value targets given their history as enterprise MFT infrastructure.
Denial Of Service
-
CVE-2026-8485
MEDIUM
CVSS 5.9
Uncontrolled memory allocation in Progress Software MOVEit Automation exposes the application to remote denial-of-service via excessive resource consumption. Unauthenticated network attackers can trigger the flaw against versions prior to 2025.0.11 and 2025.1.x prior to 2025.1.7, resulting in availability loss with no confidentiality or integrity impact per the CVSS vector. No public exploit code and no CISA KEV listing have been identified at time of analysis; risk is moderated by high attack complexity.
Information Disclosure
-
CVE-2026-8424
MEDIUM
CVSS 4.3
Settings-reset CSRF in the Remove Yellow BGBOX WordPress plugin (all versions up to and including 1.0) allows unauthenticated remote attackers to overwrite the plugin's stored configuration by tricking a logged-in site administrator into loading a forged request. The vulnerability stems from absent nonce validation on the rybb_api_settings page, confirmed by Wordfence with direct source code references to admin/rybb_api_settings.php and includes/functions.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the limited integrity impact keeps real-world priority low.
WordPress
CSRF
-
CVE-2026-8423
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in the JaviBola Custom Theme Test WordPress plugin (all versions through 2.0.5) enables unauthenticated remote attackers to silently replace the site's active theme by forging a request that modifies the `jbct_theme` option. Exploitation requires social-engineering a logged-in site administrator into clicking a crafted link - the CVSS UI:R requirement reflects this dependency. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
WordPress
CSRF
-
CVE-2026-8420
MEDIUM
CVSS 6.1
Cross-Site Request Forgery in the BLOGCHAT Chat System WordPress plugin (all versions through 1.3.6.3) enables unauthenticated remote attackers to both update plugin settings and inject persistent malicious web scripts by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from missing or incorrect nonce validation across multiple functions in wp-blogchat-widget.php (lines 208, 215, 222, 293), making it a compound CSRF+Stored XSS risk with Changed scope (S:C) in the CVSS rating. No public exploit code or CISA KEV listing has been identified at time of analysis.
WordPress
CSRF
-
CVE-2026-8419
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in the Amazon Scraper WordPress plugin (submone, all versions through 1.1) allows unauthenticated remote attackers to modify plugin settings and inject persistent malicious scripts by tricking an authenticated site administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation across multiple functions in amazon-admin.php (identified at lines 13, 26, 45, and 49). No public exploit has been identified at time of analysis, and the plugin has not been added to the CISA KEV catalog, but the Wordfence-reported disclosure includes direct source code references making exploitation straightforward for a motivated attacker.
WordPress
CSRF
-
CVE-2026-8418
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in the Games Catalog WordPress plugin (versions ≤ 1.2.0) enables unauthenticated attackers to delete arbitrary game catalog entries and their associated WordPress posts by tricking a logged-in site administrator into clicking a crafted link. The vulnerable gc_crud() function in admin-crud.php processes the action=delete parameter via a GET request with no wp_verify_nonce() or check_admin_referer() call, bypassing WordPress's standard CSRF defenses entirely. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface is fully visible in the public WordPress plugin Trac repository, making it trivially constructible.
WordPress
CSRF
-
CVE-2026-8038
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in the Faces of Users WordPress plugin (all versions through 0.0.3) allows authenticated attackers with Contributor-level access or above to inject persistent malicious JavaScript via the 'default' attribute of the 'facesofusers' shortcode. Once injected, the payload executes silently in the browser of any user who visits the compromised page, enabling session theft, credential harvesting, or malicious redirects targeting higher-privileged users including administrators. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
WordPress
XSS
-
CVE-2026-7472
MEDIUM
CVSS 4.9
Time-based blind SQL injection in the Read More & Accordion WordPress plugin (slug: expand-maker) through version 3.5.7 enables authenticated administrators to exfiltrate arbitrary database contents, including administrator password hashes, by manipulating the orderby GET parameter. The flaw exists in two data-retrieval functions in ReadMoreData.php, where user input bypasses effective sanitization and is concatenated unquoted into an ORDER BY SQL clause. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, though the high-confidentiality CVSS impact (C:H) reflects genuine data-exposure potential.
PHP
WordPress
Information Disclosure
SQLi
-
CVE-2026-7462
MEDIUM
CVSS 6.1
Reflected Cross-Site Scripting in the VatanSMS WP SMS WordPress plugin (all versions through 1.01) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `page` parameter, executing in the context of a logged-in administrator's browser session. Exploitation requires social engineering an administrator into clicking a crafted link, making this a medium-severity but realistic threat vector for WordPress site takeover or credential theft. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
WordPress
XSS
-
CVE-2026-7385
MEDIUM
CVSS 5.8
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.
WordPress
Information Disclosure
-
CVE-2026-6728
MEDIUM
CVSS 5.3
Sensitive information exposure in the Slider Revolution WordPress plugin (versions up to and including 7.0.9) allows unauthenticated remote attackers to bypass WordPress's native password-protection mechanism and retrieve the full content of protected posts, pages, and WooCommerce products via the vulnerable `get_stream_data()` function. The CVSS vector confirms no authentication, no user interaction, and no special conditions are required, making this trivially exploitable against any affected installation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
WordPress
Information Disclosure
-
CVE-2026-6566
MEDIUM
CVSS 4.3
Insecure Direct Object Reference in NextGEN Gallery WordPress plugin through version 4.2.0 allows authenticated attackers with Subscriber-level privileges and the 'NextGEN Manage gallery' capability to delete gallery images belonging to other users, including their physical files from disk. The DELETE /imagely/v1/images/{id} REST endpoint validates only the 'NextGEN Manage gallery' capability, entirely omitting gallery ownership checks and the 'NextGEN Manage others gallery' permission - making cross-user image destruction possible at low privilege. No public exploit code identified at time of analysis and no CISA KEV listing; however, when deleteImg is enabled (default), exploitation results in irreversible file-level data loss beyond what the CVSS 4.3 integrity score alone conveys.
WordPress
Authentication Bypass
-
CVE-2026-6549
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in the Logo Manager For Enamad WordPress plugin (versions up to and including 0.7.4) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'title' attribute of three shortcodes - vc_enamad_namad, vc_enamad_shamed, and vc_enamad_custom. The injected payload executes in the browser of any user who subsequently visits the compromised page, enabling session hijacking, credential theft, or malicious redirects against site visitors and administrators. No public exploit code or active exploitation has been identified at time of analysis; however, the low privilege requirement (contributor) broadens the realistic attacker pool on multi-author WordPress sites.
WordPress
XSS
-
CVE-2026-6452
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in the Bigfishgames Syndicate WordPress plugin (all versions through 1.2) enables unauthenticated remote attackers to reset and overwrite plugin settings by forging admin-panel requests. The vulnerability resides in the bigfishgames_syndicate_submenu() function, which lacks proper WordPress nonce validation, meaning any crafted HTTP request bearing a valid admin session will be accepted as legitimate. Exploitation requires tricking an authenticated site administrator into triggering the forged request; no public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
WordPress
CSRF
-
CVE-2026-6405
MEDIUM
CVSS 4.3
Stored Cross-Site Scripting via CSRF in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows unauthenticated remote attackers to inject persistent JavaScript into the WordPress admin panel by tricking a logged-in administrator into visiting an attacker-controlled page. The attack chains two flaws: a missing nonce check on the settings handler (no check_admin_referer()) that permits any cross-origin POST to modify plugin settings, and a double-quote escape bypass where the API key value is stored after sanitize_text_field() sanitization but rendered into an HTML attribute via bare echo without esc_attr(), allowing the payload to survive both sanitization and storage. No public exploit has been identified at time of analysis, and the CVE is not listed in the CISA KEV catalog.
PHP
WordPress
XSS
CSRF
-
CVE-2026-6404
MEDIUM
CVSS 4.4
Stored Cross-Site Scripting in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows authenticated administrators to persist malicious scripts in the plugin's settings that execute in any user's browser upon visiting the settings page. The flaw exists because the plugin applies sanitize_text_field() to the anomify_api_key input - a function that strips HTML tags but does not encode double-quote characters - then echoes the stored value directly into an HTML attribute context (value="...") without the appropriate esc_attr() call. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE; the CVSS score of 4.4 reflects the high privilege bar and high complexity required to exploit.
WordPress
XSS
-
CVE-2026-6401
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in the Bottom Bar WordPress plugin (all versions up to and including 0.1.7) allows unauthenticated attackers to modify plugin configuration by tricking a logged-in administrator into visiting a malicious page. All three administrative settings forms - main settings, sharing services, and restore defaults - lack both wp_nonce_field() output and server-side check_admin_referer() validation in bottom-bar-admin.php, meaning any POST to those endpoints is processed without request authenticity checks. No public exploit has been identified at time of analysis, no patched version has been confirmed, and the vulnerability is not listed in CISA KEV.
PHP
WordPress
CSRF
-
CVE-2026-6400
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in the Child Height Predictor by Ostheimer WordPress plugin (all versions through 1.3) allows unauthenticated remote attackers to modify plugin settings by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of nonce verification in the options() function - neither wp_nonce_field() in the form template nor check_admin_referer()/wp_verify_nonce() in the handler - meaning any forged POST request from an admin session will be accepted and persisted to the database. No public exploit has been identified at time of analysis, and CVSS scores this as medium severity (4.3), which aligns with the limited integrity impact (settings modification only, no confidentiality or availability loss).
WordPress
CSRF
-
CVE-2026-6399
MEDIUM
CVSS 4.4
Stored Cross-Site Scripting in the General Options WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers holding Administrator-level privileges to persist malicious JavaScript in the Contact Number settings field, which executes in the browser of any administrator who subsequently visits the plugin's settings page. The flaw is rooted in the misapplication of sanitize_text_field() for output escaping - a function that strips HTML tags but does not encode double-quote characters, enabling attribute context breakout when the stored value is echoed inside a double-quoted HTML attribute. WordPress's wp_magic_quotes backslash-prefixing mechanism provides no protection here because HTML parsers treat the backslash as a literal character rather than an escape sequence. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
WordPress
XSS
-
CVE-2026-6397
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in the CVMH Sticky plugin for WordPress (versions ≤2.5.6) enables authenticated contributors to inject persistent JavaScript via the `readmoretext` attribute of the `[cvmh-sticky]` shortcode. The payload executes in the browsers of any visitor loading a page containing the injected shortcode, enabling session hijacking, credential theft, or privilege escalation by targeting administrators. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV, but Wordfence has confirmed the flaw with direct code-level references.
WordPress
XSS
-
CVE-2026-6395
MEDIUM
CVSS 6.1
Cross-Site Request Forgery chained to Stored Cross-Site Scripting in the Word 2 Cash WordPress plugin (versions ≤ 0.9.2) allows unauthenticated remote attackers to plant persistent JavaScript payloads inside the WordPress admin panel. The attack succeeds because the plugin's settings handler (w2c_admin()) performs no nonce verification, no input sanitization before storage, and no output escaping on retrieval - meaning a forged POST from any attacker-controlled page is indistinguishable from a legitimate admin save. No public exploit or CISA KEV listing has been identified at time of analysis, but the CVSS score of 6.1 with Changed scope reflects real post-exploitation reach within the admin context once triggered.
WordPress
XSS
CSRF
-
CVE-2026-6394
MEDIUM
CVSS 5.4
Server-side request forgery in the Nexa Blocks WordPress plugin (versions up to and including 1.1.1) exposes internal network infrastructure to unauthenticated remote attackers by combining an unvalidated URL passthrough with a publicly leaked authentication nonce. The plugin's import_demo() function at template.php:242 forwards an attacker-supplied URL directly to WordPress's wp_remote_get() with no scheme restriction, host allowlist, or RFC-1918 blocklist, and the nexa_blocks_nonce that gates this AJAX endpoint is serialized into every public-facing page's HTML via wp_localize_script, nullifying the intended access control entirely. No public exploit has been identified at time of analysis and this is not listed in CISA KEV, but the effective authentication bypass and trivial exploitation path elevate practical risk substantially above what the CVSS 5.4 score alone communicates.
WordPress
SSRF
-
CVE-2026-6391
MEDIUM
CVSS 6.1
Cross-Site Request Forgery in the Sentence To SEO WordPress plugin (all versions up to and including 1.0) allows unauthenticated remote attackers to inject persistent malicious scripts and overwrite plugin settings by forging admin form submissions against the unprotected create_admin_page() function. Because the CVSS vector carries Changed scope (S:C), a successfully forged request can achieve Stored XSS within the WordPress admin context, crossing the boundary from the plugin into the administrator's browser session. No public exploit code or active exploitation has been identified at time of analysis, and no KEV listing exists, but the attack class is well-understood and exploitation templates for WordPress CSRF-to-XSS chains are widely available.
WordPress
CSRF
-
CVE-2026-6072
MEDIUM
CVSS 6.5
Authentication bypass in the Oliver POS WooCommerce Point of Sale WordPress plugin (all versions through 2.4.2.6) allows unauthenticated remote attackers to gain full access to the plugin's REST API namespace by exploiting PHP type juggling in the permission callback. On fresh installations where the admin has not yet completed the connection wizard, the stored authorization token is unset (PHP false), and sending the header 'OliverAuth: 0' satisfies the loose comparison '0' == false, returning true and granting unrestricted access to all /wp-json/pos-bridge/* endpoints. Successful exploitation enables reading administrator account details, updating user profiles including email addresses, deleting non-admin users, and ultimately resetting the admin email to achieve full WordPress site takeover. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
PHP
WordPress
Authentication Bypass
-
CVE-2026-5950
MEDIUM
CVSS 5.3
Resource exhaustion in ISC BIND 9's resolver state machine allows remote unauthenticated attackers to trigger an unbounded resend loop by sending crafted DNS queries that activate bad-server retry conditions, degrading resolver availability. Multiple active release branches are affected across standard and Subscription Edition builds spanning versions 9.18.36 through 9.21.21. No public exploit has been identified and the vulnerability is not listed in CISA KEV; however, the fully network-accessible, zero-authentication attack vector makes every exposed BIND 9 resolver a potential target.
Denial Of Service
Suse
-
CVE-2026-5776
MEDIUM
CVSS 6.1
Stored XSS in the Email Encoder WordPress plugin (all versions before 2.4.7) permits unauthenticated remote attackers to inject persistent malicious scripts by supplying unsanitized email addresses through public-facing input fields. Because the CVSS scope is Changed (S:C), injected payloads execute in victim browsers rather than the server context, enabling session hijacking, credential theft, or malicious redirects against any visitor who loads an affected page. A publicly available proof-of-concept exists per WPScan reporting; at time of analysis the CVE is not listed in CISA KEV as actively exploited.
WordPress
XSS
-
CVE-2026-5293
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in the Diagnosis Generator (診断ジェネレータ作成プラグイン) WordPress plugin allows any subscriber-level authenticated user to write arbitrary JavaScript into WordPress theme files by exploiting a missing capability check in themeFunc(). The payload persists in theme files and executes in every site visitor's browser upon loading any page containing the diagnosis form shortcode, giving a single low-privilege attacker persistent, cross-user script execution. No public exploit has been identified at time of analysis, but the subscriber-level access requirement makes this a broad risk on any WordPress site with open user registration.
WordPress
XSS
-
CVE-2026-5075
MEDIUM
CVSS 4.3
Sensitive credential exposure in the All in One SEO WordPress plugin (versions up to and including 4.9.7) allows authenticated contributors to harvest API tokens, OAuth credentials, and license keys directly from rendered page source. The plugin passes unmasked internal configuration data to the browser via WordPress's wp_localize_script() mechanism in post editor contexts, making sensitive values accessible to any user with contributor-level access or above. No public exploit code or active exploitation has been identified at time of analysis, but exposed credentials carry secondary risk - compromised API/OAuth tokens could enable account takeover or abuse of connected third-party services.
WordPress
Information Disclosure
-
CVE-2026-4293
MEDIUM
CVSS 5.3
Cross-site scripting in Kieback & Peter DDC building automation controllers allows a network-accessible attacker to inject and execute arbitrary JavaScript within a victim's browser session when interacting with the device's web interface. Affected models span the full DDC4000 product line - DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400, and their 'E' variants (DDC4002E, DDC4020E, DDC4040E, DDC4200E, DDC4400E) - representing widely deployed OT/ICS building management infrastructure. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the ICS context elevates concern given the physical-world impact of compromised building controllers.
XSS
-
CVE-2026-3592
MEDIUM
CVSS 5.3
Amplified resource exhaustion in ISC BIND 9 resolvers enables remote unauthenticated attackers to cause disproportionate resource consumption by directing a victim resolver to query a specially crafted authoritative DNS zone. All major BIND 9 resolver branches are affected, spanning versions 9.11.x through 9.21.x including BIND 9 Supported (S1) variants, representing a broad deployment footprint across enterprise and ISP resolver infrastructure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; ISC has released patched versions.
Information Disclosure
Suse
-
CVE-2026-2955
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in the AI Chatbot & Workflow Automation by AIWU WordPress plugin (versions ≤1.4.14) allows injection of arbitrary web scripts via the unsanitized X-Forwarded-For HTTP request header. The injected payload persists server-side and executes in the browser of any user who accesses an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, though practical exploitation is further constrained by a 20-character storage limit on the injected value.
WordPress
XSS
-
CVE-2026-2813
MEDIUM
CVSS 4.7
Open redirect vulnerability in ArcGIS Server 11.5 allows an attacker to craft a malicious login-workflow URL that, upon user authentication, silently redirects the victim's browser to an attacker-controlled external site. The flaw lies in insufficient input validation of the redirect parameter within the login redirection workflow, with impact explicitly limited to client-side browser navigation - no server-side compromise or cross-component data exposure is possible. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified at time of analysis, and EPSS data was not present in the available intelligence feed.
Open Redirect
-
CVE-2026-2812
MEDIUM
CVSS 5.3
Improper authentication on an undocumented administrative endpoint in ArcGIS Server 11.1 through 12.0 allows unauthenticated remote attackers to disrupt the web-based browsing interface by sending a crafted HTTP request. The vulnerability is classified as CWE-287 and carries a CVSS 5.3 medium score, reflecting network-reachable, zero-privilege exploitation offset by limited impact (integrity only, no confidentiality or availability loss). No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Authentication Bypass
-
CVE-2026-0857
MEDIUM
CVSS 6.0
Cleartext storage of sensitive information in memory (CWE-316) affects both the Meona Client Launcher Component and the Meona Server Component from Mesalvo, exposing confidential data to local privileged attackers. The CVSS vector (AV:L/PR:H/S:C/C:H) indicates that a locally authenticated administrator can read sensitive material - likely credentials or session tokens - directly from process memory, with the changed scope suggesting this exposure can cascade to resources or components beyond the initially compromised process. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.
Information Disclosure
-
CVE-2025-31973
MEDIUM
CVSS 4.0
HCL BigFix Service Management (SM) ships container deployments built on outdated or insecure base images, inheriting known vulnerabilities from those upstream layers rather than introducing a discrete code-level flaw. The CVSS vector (AV:L/PR:H/UI:R) constrains real-world risk significantly: exploitation requires local access, high privileges, and user interaction, making opportunistic remote attack unlikely. The actual exploitability and impact depend entirely on which specific vulnerabilities are present in the underlying base image versions in use. No public exploit code and no CISA KEV listing exist at the time of analysis.
Information Disclosure
-
CVE-2025-15369
MEDIUM
CVSS 5.3
Unauthorized template creation in the Xpro Addons for Elementor WordPress plugin exposes sites to unauthenticated content injection via a missing capability check on the get_content_editor AJAX function. All plugin versions through 1.5.0 are affected, allowing any remote attacker without credentials to create and publish Xpro templates on targeted WordPress sites. No public exploit identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitability against default installations with no preconditions.
WordPress
Authentication Bypass
-
CVE-2026-47099
LOW
CVSS 2.1
DOM-based cross-site scripting in telejson versions prior to 6.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript by supplying a crafted JSON payload to the parse() function, specifically via a malicious _constructor-name_ property that is injected unsanitized into a new Function() call during prototype reconstruction. All applications using telejson < 6.0.0 that pass externally-sourced JSON - particularly those using postMessage for cross-frame communication - to telejson.parse() are affected. No public exploit has been identified at time of analysis, though the GHSA advisory (GHSA-ccgf-5rwj-j3hv) publishes both vulnerable and patched source code at named release tags, substantially lowering the barrier to exploitation. Vendor-released patch is available as telejson 6.0.0.
XSS
-
CVE-2026-47068
LOW
CVSS 2.3
Cross-session PubSub topic injection in phoenix_storybook (versions from 0.4.0 up to but not including 1.1.0) allows a remote unauthenticated attacker to redirect a victim's playground control messages to an attacker-controlled LiveView iframe process. The vulnerability exists because ComponentIframeLive reads the PubSub coordination topic verbatim from a URL query parameter with no session-binding validation, enabling an attacker who loads a crafted iframe URL to hijack variation state changes, theme switches, and extra-assign payloads intended for a victim's active playground session. No public exploit code exists and no CISA KEV listing is present; the CVSS 4.0 score of 2.3 reflects genuinely low severity given the prerequisites required.
Authentication Bypass
-
CVE-2026-45232
LOW
CVSS 2.1
Stack memory corruption in rsync before 3.4.3 allows network-positioned attackers to write a null byte past the end of a fixed-size stack buffer in the establish_proxy_connection() function in socket.c. The vulnerability is only reachable when the RSYNC_PROXY environment variable is set and an attacker controls or intercepts traffic to the configured HTTP proxy. Impact is constrained to a low-severity availability disruption (process crash) with no confidentiality or integrity exposure; no public exploit has been identified at time of analysis.
Buffer Overflow
-
CVE-2025-31985
LOW
CVSS 3.7
Missing X-Content-Type-Options response header in HCL BigFix Service Management (SM) leaves browsers without MIME-type sniffing protection, creating conditions where malicious or ambiguously typed content served through the application could be misinterpreted and executed by a victim's browser. The CVSS score of 3.7 (Low) reflects genuine constraints: high attack complexity, required low-privilege authentication, and mandatory user interaction all limit realistic exploitability. No public exploit code exists and this vulnerability is not confirmed actively exploited (CISA KEV), consistent with its classification as a security misconfiguration rather than a critical flaw.
Information Disclosure