Skip to main content
CVE-2026-48172 CRITICAL POC KEV PATCH THREAT NEWS Act Now

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features.

Privilege Escalation Redis
NVD VulDB GitHub
CVSS 4.0
10.0
EPSS
0.0%
Threat
5.0
CVE-2026-34926 MEDIUM POC KEV PATCH THREAT Act Now

Directory traversal in Trend Micro Apex One on-premise server (versions before 14.0.0.17079) enables a highly privileged local attacker to manipulate a key server table and inject malicious code that propagates to all managed endpoint agents, effectively weaponizing the EDR platform's own distribution infrastructure. The attack requires an adversary who has already obtained administrative credentials to the Apex One server through a separate compromise vector. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the changed scope (S:C) in the CVSS vector signals that a successful exploit extends impact beyond the server itself to the entire managed agent fleet.

Path Traversal Trendai Apex One Trendai Apex One As A Service
NVD VulDB GitHub
CVSS 3.1
6.7
EPSS
0.3%
CVE-2026-43494 HIGH POC PATCH CISA Act Now

Local privilege escalation potential in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition triggered when zerocopy page pinning fails during sendmsg() operations. The flaw, introduced in Linux 4.17, allows local authenticated users to corrupt kernel memory by exploiting an error path in rds_message_zcopy_from_user() that fails to reset op_nents, causing rds_message_purge() to free pages that were already released. Publicly available exploit code exists, though EPSS scoring is very low (0.02%) and the issue is not listed in CISA KEV.

Linux Information Disclosure
NVD VulDB GitHub
CVSS 3.1
7.8
EPSS
0.0%
Threat
5.1
CVE-2026-47114 HIGH POC PATCH This Week

Arbitrary command execution in IINA media player for macOS versions prior to 1.4.3 allows remote attackers to run shell commands as the logged-in user by tricking the victim into approving an iina://open URL containing malicious mpv_-prefixed parameters. Publicly available exploit code exists and a vendor patch has been released; exploitation requires a single browser protocol prompt approval (UI:A) but no authentication and no valid media file.

Information Disclosure Apple Iina
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-9152 CRITICAL HOSTED Monitor

A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's identifier can interact with that workspace's search index, crossing tenant boundaries. Successful exploitation allows reading a workspace's indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected.

Authentication Bypass Hashicorp
NVD VulDB
CVSS 4.0
10.0
EPSS
0.1%
CVE-2026-46695 CRITICAL PATCH GHSA Act Now

Sandbox escape in Boxlite versions prior to 0.9.0 lets untrusted code running inside the lightweight VM remount host-shared virtiofs directories from read-only to read-write, enabling arbitrary writes to host files that operators believed were protected. Because the container is granted all 41 Linux capabilities (including CAP_SYS_ADMIN), a trivial 'mount -o remount,rw' bypasses the client-side MS_RDONLY enforcement, and in AI-agent deployments this leads to host code execution by tampering with mounted code, virtualenvs, or credentials. Publicly available exploit code exists (working PoC published in the GHSA advisory) and the issue carries a CVSS 10.0 with scope change; no public exploit identified at time of analysis in CISA KEV.

Node.js Docker Authentication Bypass RCE Python
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-44050 CRITICAL PATCH Act Now

Heap buffer overflow in the Netatalk cnid_metad daemon's comm_rcv() function allows remote attackers with low-level privileges to corrupt memory across versions 2.0.0 through 4.4.2. Given the CVSS 9.9 score with scope change and high impact across confidentiality, integrity, and availability, successful exploitation likely leads to code execution in the daemon's context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow Heap Overflow Suse
NVD VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-6279 CRITICAL Act Now

Unauthenticated remote code execution in the Avada Builder (fusion-builder) WordPress plugin versions up to and including 3.15.2 allows attackers to execute arbitrary PHP on affected sites by abusing an unsanitized call_user_func() invocation reachable through a public AJAX endpoint. Wordfence-reported issue affects any WordPress site running the Avada theme stack that exposes a Post Cards or Table of Contents element on a public page, since the protecting nonce is deterministically leaked in the page's JavaScript. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial precondition (visiting one page that emits the nonce) make this high-priority.

WordPress PHP RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-43501 CRITICAL PATCH Act Now

Out-of-bounds heap write in the Linux kernel's IPv6 RPL Source Routing Header (SRH) processing path allows local attackers with raw IPv6 socket access to corrupt memory beyond the skb buffer. The flaw in ipv6_rpl_srh_rcv() occurs when a recompressed SRH grows larger than the received one and consumes unchecked headroom, causing skb_mac_header_rebuild() to wrap a u16 offset and trigger a ~64KiB out-of-bounds memmove. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is reachable from unprivileged userspace via a single crafted AF_INET6/SOCK_RAW packet over loopback per the reporter's KASAN reproduction.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-6960 CRITICAL Act Now

Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execution by abusing missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Exploitation requires the booking form to include a signature custom field, but otherwise needs no authentication or user interaction. No public exploit identified at time of analysis, though Wordfence's disclosure and the CWE-434 pattern make weaponization straightforward.

File Upload WordPress RCE Bookingpress Appointment Booking Pro
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-46614 CRITICAL PATCH GHSA Act Now

Authentication bypass in Fission (Kubernetes serverless framework) versions 1.22.0 and earlier allows unauthenticated remote callers reaching the public router (svc/router, port 8888) to invoke any Function object by guessing its metadata.name and namespace via the /fission-function/<ns>/<name> route, completely bypassing HTTPTrigger host, path, method, and method-allow-list restrictions. The flaw also enables function-name enumeration and crosses tenant boundaries in multi-tenant deployments; no public exploit identified at time of analysis, though the fix commits and root-cause analysis are public on GitHub.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-48207 CRITICAL PATCH GHSA Act Now

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

Deserialization Apache Python
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-71211 CRITICAL PATCH Act Now

Remote code execution in the Trend Micro Apex One management console allows attackers with console access to upload malicious files via a path traversal flaw (CWE-22) and execute arbitrary commands on the server. The on-premises product (versions before 14.0.0.14136) is affected, while SaaS deployments have already been remediated by the vendor. No public exploit identified at time of analysis; the issue was responsibly disclosed through the Zero Day Initiative (ZDI-26-137).

Trend Micro Path Traversal
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-71210 CRITICAL PATCH Act Now

Remote code execution in Trend Micro Apex One management console allows attackers with network access to the console to upload malicious files via a path traversal flaw (CWE-22) and execute arbitrary commands on affected installations. The on-premises Apex One 2019 (14.0) prior to 14.0.0.14136 is impacted, while the SaaS variant (below 14.0.20315) has already been mitigated by the vendor; no public exploit identified at time of analysis, though it was reported through the Zero Day Initiative.

Trend Micro Path Traversal
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-5118 CRITICAL Act Now

Privilege escalation in the Divi Form Builder WordPress plugin (versions ≤5.1.2) allows unauthenticated remote attackers to register administrator accounts by submitting a tampered 'role' parameter in the registration POST body. The plugin trusts the client-supplied role value instead of enforcing the form's configured default_user_role, yielding full WordPress site takeover. No public exploit identified at time of analysis, but the CVSS 9.8 score and trivial exploitability make this a high-priority patch for any site running the plugin with public registration forms.

WordPress Privilege Escalation
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46703 CRITICAL PATCH GHSA Act Now

Arbitrary file write on the host in Boxlite sandbox service versions prior to 0.9.0 allows attackers to escape the OCI image extraction root via crafted symlink entries in layer tarballs, enabling remote code execution on the host (typically as root). Exploitation requires a user to pull and load a malicious OCI image distributed through registries such as DockerHub. Publicly available exploit code exists (vendor-published PoC); no public exploit identified in CISA KEV at time of analysis.

Path Traversal Python RCE
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-8134 CRITICAL PATCH GHSA Act Now

Authenticated remote code execution in Concrete CMS 9.5.0 and earlier allows an administrator with composer form editing privileges to chain a path traversal flaw in the ptComposerFormLayoutSetControlCustomTemplate field with the platform's permissive file uploader to execute arbitrary PHP on the server. The vendor scored this 9.4 (CVSS v4.0) reflecting high confidentiality, integrity, and availability impact across both the vulnerable component and downstream subsequent systems. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

LFI PHP Path Traversal RCE
NVD VulDB
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-39531 CRITICAL Act Now

Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.0) allows remote unauthenticated attackers to inject SQL commands through improperly neutralized input. With a CVSS 9.3 (scope-changed) rating from Patchstack, successful exploitation can expose sensitive database contents and partially impact availability across the WordPress installation. No public exploit identified at time of analysis and the plugin is not currently listed in CISA KEV.

SQLi Wp Directory Kit
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-48242 CRITICAL PATCH Act Now

Credential exposure in Open ISES Tickets versions prior to 3.44.2 allows remote attackers to obtain valid MySQL database connection parameters (host, username, password, database name) hardcoded in import_mdb.php and committed to the public source repository. Any attacker who can read the public GitHub source can extract these credentials and attempt to authenticate against deployed installations that retained the default values, with no public exploit identified at time of analysis.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-48241 CRITICAL PATCH Act Now

Hardcoded MySQL credentials in Open ISES Tickets before 3.44.2 expose database username, password, and database name through a public-facing loader.php utility that was committed to the source repository. Any user able to read the source tree on GitHub or fetch the file from a deployed installation can connect to the backing database if reachable, leading to full read/write access. No public exploit identified at time of analysis, but the credentials are trivially recoverable from the source tree.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-5433 CRITICAL PATCH Act Now

Remote code execution in Honeywell Control Network Module (CNM) versions 100.1 through 110.2 allows authenticated high-privilege attackers to inject arbitrary OS commands through the device's web interface using command delimiters. The flaw carries a CVSS 9.1 rating due to scope change and full CIA impact, and no public exploit identified at time of analysis, though the industrial-control context makes any RCE highly consequential. Honeywell has released a patch via its process.honeywell.com portal.

Honeywell RCE Command Injection
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-4929 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Simple Hierarchical Select (SHS) module for Drupal 7 (versions 7.x-1.0 through 7.x-1.10) enables authenticated attackers with taxonomy term editing privileges to inject malicious scripts via unsanitized term names. Two distinct code paths are confirmed vulnerable: field formatter output rendered by shs_field_formatter_view and term-tree child data generated by shs_term_get_children, both of which fail to apply proper output escaping before HTML rendering. No public exploit is identified at time of analysis and no CISA KEV listing exists, but the network-accessible attack vector combined with Drupal 7's end-of-life status substantially elevates residual risk for unpatched deployments.

XSS Simple Hierarchical Select
NVD HeroDevs
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-8135 HIGH PATCH GHSA This Week

Remote code execution in Concrete CMS versions 5.0 through 9.5.0 allows a high-privileged administrator to bypass the platform's `_fromCIF` deserialization guard by submitting malicious payloads through the REST API instead of standard form POST requests. The flaw resides in the ExpressEntryList block controller (CWE-502) and stores a serialized PHP gadget in the `filterFields` database column, which is unmarshalled when another administrator subsequently views or edits the block, leading to full server takeover. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Deserialization PHP RCE
NVD VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-46654 HIGH PATCH GHSA This Week

Transcript malleability in the Plonky3 p3-challenger crate (MultiField32Challenger) allows a malicious prover to craft distinct observation streams that collapse to identical Fiat-Shamir challenges, breaking the soundness binding of the SNARK transcript. Affected versions are p3-challenger < 0.4.3 and 0.5.0-0.5.2, with fixes shipped in 0.4.3 and 0.5.3. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; risk is primarily to ZK proof system integrity rather than confidentiality.

Code Injection
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-44048 HIGH PATCH This Week

Stack-based buffer overflow in Netatalk versions 2.0.4 through 4.4.2 allows authenticated remote attackers to corrupt memory via UCS-2 type confusion in the convert_charset() function, leading to high-impact compromise of confidentiality, integrity, and availability. The flaw affects Netatalk, the open-source AppleTalk/AFP file server commonly used to share files with macOS clients, and is fixed in version 4.4.3. No public exploit identified at time of analysis, though the high CVSS of 8.8 and low attack complexity warrant prompt patching.

Stack Overflow Buffer Overflow Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-44047 HIGH PATCH This Week

SQL injection in Netatalk 3.1.0 through 4.4.2 allows authenticated remote attackers to compromise the MySQL-backed CNID (Catalog Node ID) database used to track AppleTalk/AFP file metadata. The high CVSS 8.8 score (CVSS:3.1/AV:N/AC:L/PR:L/UI:N) reflects network-reachable exploitation with low privileges and high impact to confidentiality, integrity, and availability; no public exploit identified at time of analysis.

SQLi Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-43495 HIGH PATCH This Week

Slab-out-of-bounds read in the Linux kernel's t7xx WWAN driver allows a malicious or compromised MediaTek modem to leak up to 262140 bytes of kernel memory by sending a crafted port enumeration message with an inflated port_count field. The flaw affects systems using the t7xx driver (e.g., laptops with MediaTek 5G M.2 modems such as the FM350-GL) and has no public exploit identified at time of analysis, with an EPSS score of 0.02% indicating very low predicted exploitation activity.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39461 HIGH This Week

Local privilege escalation in FreeBSD's libcasper(3) library affects FreeBSD 14.3, 14.4, and 15.0 releases prior to specified patch levels, where a missing FD_SETSIZE bounds check enables stack corruption when a low-privileged attacker forces a setuid-root application to allocate file descriptors above 1024. Successful exploitation yields root-equivalent privileges on the local host. No public exploit identified at time of analysis and EPSS scores exploitation probability at just 0.02%, but the issue is confirmed by a FreeBSD security advisory (SA-26:22.libcasper).

Stack Overflow Buffer Overflow Freebsd
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46519 HIGH PATCH GHSA This Week

Authorization bypass in mcp-server-kubernetes versions prior to 3.6.0 allows authenticated clients to invoke any Kubernetes tool - including destructive operations like kubectl_delete, exec_in_pod, and node_management - regardless of ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, or ALLOWED_TOOLS restrictions. The controls were enforced only at the tools/list discovery layer, leaving tools/call unguarded, which effectively reduces operator-configured least-privilege policies to cosmetic filters. Publicly available exploit code exists (a single curl invocation reproduces it), and in cluster-admin deployments the flaw is equivalent to full cluster compromise for any client reaching the endpoint.

Kubernetes Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-46612 HIGH PATCH GHSA This Week

Unauthenticated archive CRUD in Fission's storagesvc (≤ v1.22.0) lets any in-cluster workload list, download, replace, or delete function deployment archives across all tenants by hitting the ClusterIP-exposed /v1/archive and /v1/archives endpoints. Because uploaded archives are later fetched and executed by function specialization, the flaw escalates from a tenant data-exposure issue to in-cluster code execution. No public exploit identified at time of analysis, but the trivial HTTP pattern and lack of auth middleware make weaponization straightforward for any attacker with a foothold pod.

Kubernetes Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-48235 HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows attackers controlling or impersonating an InstaMapper or Google Latitude GPS tracking endpoint to inject malicious SQL via unsanitized latitude, longitude, callsign, mph, altitude, and timestamp values parsed by incs/remotes.inc.php. The CVSS 4.0 base score of 8.8 reflects unauthenticated network exploitation with high confidentiality impact, and no public exploit is identified at time of analysis. The flaw was disclosed by VulnCheck and is one of 19 SQL injection issues patched in the v3.44.2 release.

PHP Google SQLi
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-9089 HIGH This Week

Code integrity failure in ConnectWise Automate Agent versions prior to 2026.5 allows adjacent network attackers to substitute malicious components during plugin loading and self-update operations. The Automate agent does not fully verify the authenticity of downloaded components, enabling code execution at the agent's privilege level across managed endpoints. No public exploit identified at time of analysis, though the high CVSS score of 8.8 and the agent's deep system access make this a priority remediation for MSPs using the platform.

Information Disclosure Automate
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46633 HIGH PATCH GHSA This Week

{% use %}` tags to break out of compiled cache file string literals and execute arbitrary PHP code. The flaw bypasses the Twig sandbox entirely because `SecurityPolicy` unconditionally permits `{% use %}` regardless of `allowedTags` configuration. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-7p85-w9px-jpjp) discloses the full exploitation primitive.

PHP Code Injection RCE
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-46640 HIGH PATCH GHSA This Week

Arbitrary PHP code execution in Twig templating engine versions 3.15.0 through 3.25.x allows attackers who control template source to inject raw PHP into the compiled template via the `_self.(<string>)` dynamic-attribute macro-reference path, fully bypassing the SandboxExtension. The flaw executes injected code at template-load time, before any SecurityPolicy check runs, rendering even a globally-enabled empty allowlist sandbox ineffective. No public exploit identified at time of analysis, but the vendor advisory describes the bypass mechanism in enough detail that PoC development is straightforward.

PHP Code Injection RCE
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-47101 HIGH PATCH GHSA This Week

Privilege escalation in LiteLLM proxy versions prior to 1.83.14 allows an authenticated internal_user to elevate to proxy_admin by generating an API key with an attacker-controlled allowed_routes field that grants access to admin-only endpoints. Because the key-generation handler did not verify that the requested routes fell within the caller's own role permissions, the resulting key successfully reaches admin routes and bypasses role-based access control. Publicly available exploit code exists via a Huntr bounty disclosure and gist, and the upstream commits are merged in the v1.83.14-stable release.

Authentication Bypass Privilege Escalation Litellm
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-47102 HIGH PATCH GHSA This Week

Privilege escalation in LiteLLM prior to 1.83.10 allows any authenticated user with access to the /user/update endpoint to elevate themselves to proxy_admin by including a user_role field in a self-update request. The endpoint enforces ownership (users can only update their own account) but fails to restrict which fields are mutable, granting full administrative control over users, teams, keys, models, and prompt history. Publicly available exploit code exists via a published huntr.com bounty writeup and gist PoC, though no public exploit identified as actively used in the wild at time of analysis.

Authentication Bypass Litellm
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-46490 HIGH PATCH GHSA This Week

Privilege escalation in samlify (Node.js SAML library) versions prior to 2.13.0 allows authenticated users to inject arbitrary XML markup into signed SAML assertions because template substitution only escapes attribute contexts, not element text. An attacker with a valid account can supply crafted values in user-controlled fields (e.g., email) that close the AttributeValue element and inject additional saml:Attribute elements (such as role=admin), which the IdP then signs and the SP accepts as trusted. No public exploit identified at time of analysis beyond the vendor-published PoC in the GHSA advisory.

Node.js Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-40165 HIGH This Week

Authentication bypass in authentik identity provider allows attackers with an account on a federated SAML Source to impersonate arbitrary users by injecting an XML comment into the NameID value of a signed SAML assertion. Affected versions are 2025.12.4 and prior, plus 2026.2.0-rc1 through 2026.2.2; the GitHub Security Advisory GHSA-9wj8-xv4r-qwrp confirms the issue with a CVSS 8.7 (High) score, and no public exploit is identified at time of analysis though the upstream commit and a regression test demonstrate the truncation behavior.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-46617 HIGH PATCH GHSA This Week

Privilege escalation in Fission (Kubernetes serverless framework) versions <= 1.22.0 allows any user able to deploy or update a Function CRD to read every Secret and ConfigMap in the runtime namespace, bypassing the Function.spec.secrets allowlist. The flaw stems from runtime pods running under the namespace-privileged fission-fetcher ServiceAccount whose automounted token is reachable by the user-code container alongside the fetcher sidecar. No public exploit identified at time of analysis, but the vendor-issued advisory (GHSA-85g2-pmrx-r49q) describes a trivially reachable abuse path once a function can be deployed.

Kubernetes Privilege Escalation
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-9157 HIGH PATCH This Week

Unrestricted file upload in Gmission Web Fax versions 3.0 up to (but not including) 3.1 allows attackers to upload files of dangerous types and trigger remote code inclusion, leading to full confidentiality, integrity, and availability impact on the host. The flaw was reported by FSI and a vendor patch is available, though no public exploit code has been identified at time of analysis. Note that the CVSS 4.0 vector advertises a local attack vector (AV:L) which conflicts with the description's 'Remote Code Inclusion' wording - this discrepancy should be verified.

File Upload Web Fax
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-45253 HIGH This Week

Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug access to a process to trigger arbitrary kernel code execution by abusing improperly validated parameters in syscall(2) and __syscall(2) meta-system calls. Affected releases include FreeBSD 14.3, 14.4, and 15.0 prior to their respective patch levels, and no public exploit identified at time of analysis. EPSS exploitation probability is low (0.02%) but the CVSS base score of 8.4 reflects high impact across confidentiality, integrity, and availability once a foothold exists.

Memory Corruption Buffer Overflow RCE Freebsd
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-2740 HIGH PATCH This Week

Authenticated remote code execution affects Zoho ManageEngine ADSelfService Plus (before build 6525), DataSecurity Plus (before 6264), and RecoveryManager Plus (before 6313) on agent machines, stemming from a flaw in a bundled third-party dependency. An authenticated attacker with low privileges can inject commands (CWE-77) to execute arbitrary code on managed agent endpoints, with no public exploit identified at time of analysis.

RCE Zoho Command Injection
NVD VulDB
CVSS 3.1
8.4
EPSS
1.2%
CVE-2026-46481 HIGH PATCH GHSA This Week

Sensitive credential disclosure in OpenMetadata 1.12.1 allows any authenticated non-admin SSO user to retrieve cleartext database passwords and a long-lived ingestion-bot JWT by triggering a TEST_CONNECTION workflow via POST /api/v1/automations/workflows. The HTTP 201 response unexpectedly echoes the stored Oracle/database secret and the bot's bearer token, which can then be replayed against service APIs with bot-level privileges. A detailed proof-of-concept is published in the GitHub Security Advisory (GHSA-9vmh-whc4-7phg), so publicly available exploit code exists; no public exploit identified at time of analysis in CISA KEV.

Microsoft Information Disclosure Apache Oracle
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-48248 HIGH PATCH This Week

Man-in-the-middle interception of authentication traffic in Open ISES Tickets before 3.44.2 is possible because the application's login flow in incs/login.inc.php disables TLS certificate verification on outbound HTTPS requests. Network-positioned attackers can present forged certificates to capture or modify API keys and session-bearing data exchanged during login. No public exploit identified at time of analysis, though the fix is bundled into a broader critical security release that also addresses 69 XSS and 19 SQL injection issues.

Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48249 HIGH PATCH This Week

Missing TLS certificate verification in Open ISES Tickets before 3.44.2 allows network-positioned attackers to intercept and tamper with outbound HTTPS traffic from the mobile (RouteMate) login flow, exposing API keys and session-bearing data. The flaw stems from rm/incs/mobile_login.inc.php disabling CURLOPT_SSL_VERIFYPEER and omitting CURLOPT_SSL_VERIFYHOST. No public exploit identified at time of analysis, and the issue is one of 88 security fixes shipped in the v3.44.2 release.

Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48247 HIGH PATCH This Week

Man-in-the-middle exposure in Open ISES Tickets before 3.44.2 stems from the shared helper functions in incs/functions.inc.php disabling TLS certificate verification (CURLOPT_SSL_VERIFYPEER=false) on outbound HTTPS calls, letting network-positioned attackers intercept or modify traffic carrying API keys and session data. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the vendor's v3.44.2 release notes describe it as a critical security update that also bundles fixes for 88 other issues including XSS and SQL injection.

Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48246 HIGH PATCH This Week

TLS certificate verification bypass in Open ISES Tickets before 3.44.2 allows network-positioned attackers to intercept HTTPS traffic between the application server and Google Maps Directions API during incident report generation. The flaw stems from ajax/reports.php explicitly setting CURLOPT_SSL_VERIFYPEER to false without configuring CURLOPT_SSL_VERIFYHOST, exposing Google API keys and any session-bearing data carried in outbound requests. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but a vendor patch is available in v3.44.2.

Information Disclosure PHP Google
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-44051 HIGH PATCH This Week

Arbitrary file read in Netatalk 3.0.2 through 4.4.2 allows authenticated remote attackers to create attacker-controlled symbolic links that the AFP server follows, exposing sensitive files outside the intended share. The flaw is fixed in version 4.4.3 and no public exploit identified at time of analysis. Securin reported the issue and the vendor has published an advisory at netatalk.io.

Information Disclosure Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4858 HIGH PATCH GHSA This Week

Privilege escalation via path traversal in Mattermost collaboration platform allows authenticated users to invoke arbitrary internal APIs using the system administrator's auth token by manipulating integration action URLs. Affected branches include 11.6.x, 11.5.x, 11.4.x, and 10.11.x, with no public exploit identified at time of analysis. CVSS 8.0 reflects high impact across confidentiality, integrity, and availability despite high attack complexity and required user interaction.

Path Traversal Mattermost
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-43502 HIGH PATCH This Week

Local privilege escalation risk in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from an error in zerocopy send cleanup logic where an early-failed send can have its pinned user pages mishandled. The flaw affects multiple kernel branches from 4.17 onward and is fixed across stable trees (6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3). No public exploit identified at time of analysis, and EPSS is very low (0.02%).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy