Skip to main content
CVE-2026-8327 MEDIUM PATCH This Month

Concrete CMS versions below 9.5.0 expose authenticated users to two related privilege-abuse primitives via a mass assignment flaw: password replacement without the current password, and disabling per-user IP-pinning that guards against session hijacking. The user-profile edit controller forwards the entire raw POST body to UserInfo::update() with no field whitelist, allowing any registered user to inject arbitrary model attributes - including the password field and session-security settings - into their own profile update. No public exploit code has been identified at time of analysis, but the attack is low-complexity and network-accessible for any authenticated user.

Authentication Bypass Concrete Cms
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-46635 MEDIUM PATCH GHSA This Month

Twig's sandbox security policy is bypassed via the `column` filter when processing arrays of PHP objects, allowing an untrusted template author to read any public or magic property of any object reachable in the render context - completely circumventing the `SecurityPolicy`'s `allowedProperties` restrictions. All twig/twig versions prior to 3.26.0 are affected when sandbox mode is active and untrusted authors have `column` in their `allowedFilters`. This is a structural variant of CVE-2024-51755 that the prior ArrayAccess-focused fix left uncovered; no public exploit has been identified at time of analysis, and the fix is confirmed in Twig 3.26.0.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-46543 MEDIUM PATCH GHSA This Month

Unauthenticated remote crash of Nimiq full nodes running nimiq-blockchain versions before 1.5.0 is achievable by any network peer sending a single crafted RequestBatchSet message referencing the genesis block hash. The node's batch set handler iterates backward through macro blocks without a lower-bound guard, causing a Rust panic in Policy::macro_block_before when iteration reaches genesis, immediately terminating the process. No CISA KEV listing and no public exploit code exist at time of analysis; however, the attack requires no authentication and trivially low complexity, posing a real availability threat to any reachable full node.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27393 MEDIUM This Month

Missing authorization in the CF7 WOW Styler WordPress plugin (versions through 1.7.6) permits unauthenticated remote attackers to perform restricted administrative actions due to absent capability checks on one or more plugin endpoints. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction, making it trivially reachable on any publicly exposed WordPress site running the affected plugin. Impact is limited to low-integrity writes (C:N/I:L/A:N), but no public exploit or CISA KEV entry has been identified at time of analysis.

Authentication Bypass Cf7 Wow Styler
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6841 MEDIUM PATCH This Month

Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.

XSS Request Tracker
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-46637 MEDIUM PATCH GHSA This Month

Cross-site scripting in twig/markdown-extra and twig/cssinliner-extra arises from three filters - html_to_markdown, markdown_to_html, and inline_css - being incorrectly registered with is_safe => ['all'], which instructs Twig's autoescaper to suppress output encoding in every context including JS, CSS, and URL. When attacker-controlled content flows through these filters and the result is interpolated into a non-HTML context such as an inline script block, the autoescaper emits the raw output verbatim, enabling XSS without the developer ever using the explicit |raw bypass. Notably, html_to_markdown has an additional entity-decoding gadget via league/html-to-markdown that converts encoded HTML entities back to live markup during code span generation, creating a secondary injection path even in HTML contexts. No public exploit identified at time of analysis and no CISA KEV listing.

XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-46628 MEDIUM PATCH GHSA This Month

Cross-site scripting in Twig's PHP templating engine allows attacker-controlled HTML markup to bypass autoescaping when rendered through the `|spaceless` filter. The filter was incorrectly registered with `is_safe => ['html']`, signaling to the autoescaper that its output is already safe and requires no HTML encoding - even when the input is user-supplied and autoescape is globally enabled. All `twig/twig` Composer installations prior to 3.26.0 are affected, as are downstream packages (notably certain Drupal modules) that independently copied the `spaceless` filter and inherited the same erroneous flag. No public exploit or active exploitation is identified at time of analysis.

Information Disclosure
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-4093 MEDIUM This Month

Stored cross-site scripting in the Drupal 7 Term Reference Tree module (versions 7.x-1.x through 7.x-1.11) exposes two distinct injection vectors in its widget and formatter rendering pipeline, both exploitable by any authenticated user with taxonomy term edit permissions. Vector A triggers when the Token module is enabled and token display templates are configured, allowing attacker-controlled term description output to render unsanitized. Vector B targets the widget itself, where taxonomy term labels are written to form output without sanitization, executing injected scripts in the browsers of users who view any form containing the widget. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low privilege bar and persistent nature of stored XSS make this a meaningful risk in multi-user Drupal 7 deployments.

XSS Taxonomy Term Reference Tree Widget
NVD HeroDevs
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-22678 MEDIUM PATCH This Month

Stored cross-site scripting in Webmin before 2.641 allows low-privileged authenticated attackers to inject arbitrary JavaScript via the email template description field in the System and Server Status module. The payload is persisted through save_tmpl.cgi and rendered without HTML encoding by list_tmpls.cgi, executing in the browser of any user who subsequently views the template list - a population likely to include privileged administrators. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; a vendor-released patch (Webmin 2.641) is available.

XSS Webmin
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48230 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows JavaScript injection via ten unsanitized POST parameters in ticketsmdb_import.php, with payloads executing in the victim's browser upon response rendering. The vendor-released patch v3.44.2 addresses this as part of a critical security update that simultaneously fixed 88 vulnerabilities including 69 XSS and 19 SQL injection issues across the codebase, suggesting systemic input sanitization failures rather than an isolated defect. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48229 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets (all versions before 3.44.2) allows injection of arbitrary JavaScript via the unsanitized ticket_id GET parameter in routes_i.php, rendered directly into HTML form hidden input value attributes. When a victim visits or is redirected to a crafted URL, the payload executes in their browser within the application's security context. No public exploit or CISA KEV listing exists at time of analysis, but the patch release (v3.44.2) simultaneously fixes 88 vulnerabilities - 69 of them XSS - indicating systemic input sanitization failures throughout the codebase that substantially elevate the overall risk posture of this application.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48228 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets (all versions before 3.44.2) allows attackers to inject arbitrary JavaScript through unsanitized id and ticket_id GET parameters in patient_w.php, which are written directly into an HTML form action URL without output encoding. Successful exploitation requires the victim to actively click a crafted link, after which the payload executes in the victim's browser under the application's origin, enabling session hijacking or unauthorized actions. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the scale of the v3.44.2 release - patching 69 XSS and 19 SQL injection issues simultaneously - suggests the codebase has historically received minimal security review.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48227 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 exposes authenticated users to arbitrary JavaScript execution via unsanitized GET parameters in patient.php. The vulnerability exists in the id and ticket_id parameters, whose values are written directly into an HTML form action URL without output encoding, enabling an attacker to craft a malicious link that executes script in the victim's browser upon rendering. No public exploit or active exploitation has been identified at time of analysis; however, the vendor's v3.44.2 release confirms this is one of 69 XSS vulnerabilities patched simultaneously, indicating systemic input-handling failures across the application.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48226 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets (all versions before 3.44.2) allows JavaScript injection via the unsanitized `ref` and `mode_orig` POST parameters in `os_watch.php`, which are written verbatim into HTML form hidden input value attributes without output encoding. An attacker who can trick a user into submitting a crafted POST request will have arbitrary JavaScript execute in that user's browser session, enabling session theft, credential harvesting, or UI redress attacks. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the patch release simultaneously addressed 88 vulnerabilities - including 19 SQL injection issues - suggesting this application carried significant accumulated security debt that amplifies organizational risk beyond this single CVE.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48225 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript via the unsanitized _type POST parameter in landb.php, which is echoed directly into an HTML form hidden input value attribute without encoding. When a victim renders the crafted response, the injected script executes in their browser context, enabling session hijacking, credential theft, or forced action on behalf of the victim. This CVE is one of 69 XSS vulnerabilities addressed in the v3.44.2 critical security update; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48224 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 enables JavaScript injection via the frm_add_str POST parameter in ics214.php, which reflects the unsanitized value directly into an HTML form hidden input value attribute. When a victim renders the crafted response, the payload executes in their browser session, enabling session hijacking or action-on-behalf-of-user attacks. No public exploit has been identified and this CVE is not listed in CISA KEV, though the v3.44.2 release addresses 88 total vulnerabilities - including SQL injection and hardcoded credentials - making upgrade broadly critical regardless of this specific finding.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48223 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows a malicious actor to inject arbitrary JavaScript into a victim's browser session via the unsanitized frm_add_str POST parameter in ics213rr.php, where the value is written directly into an HTML form hidden input attribute without escaping. The CVSS 4.0 vector scores this at 5.1 with scope change to subsequent systems (SC:L/SI:L), meaning successful exploitation affects data beyond the immediately vulnerable component. No public exploit code or CISA KEV listing exists at time of analysis; a vendor-released patch (v3.44.2) is confirmed available and also resolves 87 additional vulnerabilities including SQL injection, hardcoded credentials, and SSL validation failures.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48222 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows injection of arbitrary JavaScript through the frm_add_str POST parameter in ics213.php, which is rendered unsanitized inside an HTML hidden input value attribute. The CVSS 4.0 vector (PR:N/UI:A) indicates no privileges are required on the attacker side, but victim interaction is mandatory - a user must submit or be tricked into triggering the crafted request. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 critical security release, signaling systemic input sanitization failures across the codebase. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48221 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows injection of arbitrary JavaScript via the unsanitized frm_add_str POST parameter in ics205a.php, which is rendered verbatim inside an HTML form hidden input value attribute in the victim's browser. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release - a 'Critical Security Update' that also addressed 19 SQL injection issues and 5 hardcoded secrets, revealing systemic input handling failures across the codebase. No public exploit identified at time of analysis and no CISA KEV listing; however, the broader security debt in this application makes upgrading urgent beyond this single CVE.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48220 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets (all versions before 3.44.2) allows injection of arbitrary JavaScript through the frm_add_str POST parameter in ics205.php, which is rendered unsanitized inside an HTML form hidden input value attribute. The attacker must induce an authenticated victim to submit a crafted request (UI:A), limiting opportunistic exploitation but enabling session hijacking, credential theft, or further browser-based attacks against logged-in users. This CVE is one of 69 XSS vulnerabilities patched in v3.44.2, which also addressed 19 SQL injection issues and hardcoded credentials - indicating systemic input-handling deficiencies across the PHP codebase. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48219 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 enables JavaScript injection via the frm_add_str POST parameter in ics202.php, where the unsanitized value is written directly into an HTML form hidden input value attribute. The CVSS 4.0 vector (PR:N/UI:A) indicates no attacker privilege is required, but victim interaction is mandatory - meaning an attacker must deceive a user into submitting a crafted POST request to trigger execution. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release alongside 19 SQL injection flaws and 5 hardcoded secrets, signaling a systemic insecurity posture in the codebase prior to this release. No public exploit identified at time of analysis; no CISA KEV listing.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48218 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets (all versions before 3.44.2) exposes the icons/buttons/landb.php endpoint to arbitrary JavaScript injection via unsanitized frm_name and frm_id POST parameters, which are rendered directly into both HTML content and inline JavaScript without encoding or sanitization. An attacker who can socially engineer an authenticated user into triggering a crafted POST request can execute arbitrary JavaScript within that user's browser session, enabling session hijacking, credential theft, or malicious UI manipulation. No public exploit has been identified at time of analysis; a vendor-released patch (v3.44.2) is available and all users are urged to upgrade immediately per the vendor's own release advisory.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48217 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before 3.44.2 allows JavaScript injection via unsanitized POST parameters (module_choice, flag, confirmation) in delete_module.php, executing attacker-supplied code in the browser of a victim who interacts with a crafted request. The CVSS 4.0 vector (PR:N/UI:A) indicates the attacker requires no privileges but depends on active victim interaction - consistent with a POST-based reflected XSS delivered via a cross-site auto-submitting form targeting an authenticated session. No public exploit has been identified at time of analysis, and vendor-released patch v3.44.2 is available, a landmark release that simultaneously addressed 88 vulnerabilities including 19 SQL injections and 68 additional XSS issues across the same codebase.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48216 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before v3.44.2 allows JavaScript injection via six unsanitized POST parameters in db_loader.php (ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix, db_schema), each reflected verbatim into HTML form input value attributes. An attacker who can deliver a crafted POST request to a victim's browser can execute arbitrary JavaScript in the victim's session context, enabling session hijacking or credential theft. The vendor-confirmed fix (v3.44.2) was released as a critical security update resolving 88 total vulnerabilities; no public exploit or CISA KEV listing is identified at time of analysis.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48215 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets (versions before 3.44.2) allows network-based attackers to inject arbitrary JavaScript through the frm_id POST parameter in circle.php, requiring victim interaction with a crafted link or form. The vulnerability executes malicious scripts in the victim's browser context with low-scope impact to confidentiality and integrity. No public exploit code or active exploitation has been identified at time of analysis. VulnCheck reported this as one of 69 XSS vulnerabilities patched in the v3.44.2 security release, which addressed 88 total security issues including SQL injection and hardcoded credentials.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48214 MEDIUM PATCH This Month

Reflected XSS in Open ISES Tickets before v3.44.2 enables JavaScript injection through the unsanitized ticket_id POST parameter in add_nm.php, which is embedded without encoding into both an HTML form input value attribute and an inline JavaScript string literal - two distinct injection contexts. When a victim renders the malicious response, attacker-controlled script executes in their browser with potential to steal session tokens or perform actions under their identity. No public exploit exists and the vulnerability is not in CISA KEV, but the v3.44.2 release notes reveal 88 co-patched security defects (including 19 SQL injection issues and hardcoded secrets), meaning any unpatched deployment faces compounded, systemic risk far beyond this single CVE.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48213 MEDIUM PATCH This Month

Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the ticket_id POST parameter in add.php, which is echoed unsanitized into an HTML form input value attribute. The CVSS 4.0 vector scores this at 5.1 with no privileges required and active user interaction needed, though the CVE description characterizes attackers as authenticated - a discrepancy discussed in the risk section. No public exploit code or CISA KEV listing exists at time of analysis. This vulnerability is one of 69 XSS issues patched in a single v3.44.2 release that also addressed 19 SQL injection flaws and 5 hardcoded secrets, suggesting systemic insecure coding practices across the codebase.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-44073 MEDIUM PATCH This Month

Privilege retention in Netatalk 1.5.0 through 4.4.2 results from auth modules silently ignoring failures of the seteuid() system call, allowing an authenticated network attacker to operate with unintended elevated privileges. When seteuid() fails-due to resource exhaustion, OS limits, or specific system configurations-the process continues execution under its original (higher) UID rather than the intended reduced privilege level, exposing file system objects or operations the user should not access. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV, but the vendor has confirmed the flaw and released a fix in version 4.5.0.

Information Disclosure Suse
NVD
CVSS 3.1
5.0
EPSS
0.1%
CVE-2026-46561 MEDIUM PATCH GHSA This Month

Redirect-based SSRF bypass in pyload-ng's parse_urls API allows authenticated attackers with ADD permission to probe internal network services and cloud metadata endpoints by chaining an open redirect through an attacker-controlled host. The prior SSRF fix (commit 33c55da, GHSA-7gvf-3w72-p2pg) correctly hardened HTTPChunk but left HTTPRequest used by RequestFactory.get_url() with allow_private_ip=True, rendering the is_global_host() check on the initial URL ineffective against 302 redirects to private IP space. A public proof-of-concept exploit exists demonstrating exfiltration of AWS IMDSv1 metadata; no public exploit identified at time of analysis for active in-the-wild exploitation, and CVE-2026-46561 is not listed in the CISA KEV catalog.

Microsoft Python SSRF
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-42396 MEDIUM PATCH This Month

Catalog zone transfer failure in PowerDNS Authoritative can be triggered by a high-privileged remote attacker who injects insufficiently validated member zone data, causing the catalog zone transfer mechanism to abort and preventing secondary nameservers from receiving zone updates. The impact is a targeted denial-of-service against DNS zone replication infrastructure, affecting any deployment using catalog zones (RFC 9432). No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

RCE Code Injection Authoritative
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-4811 MEDIUM This Month

Stored Cross-Site Scripting in the WPB Floating Menu & Categories WordPress plugin (all versions through 1.0.8) permits authenticated attackers holding Editor-level privileges or higher to inject arbitrary JavaScript via the 'Icon CSS Class' category field. The injected payload persists in the database and executes in the browser of any site visitor who loads a page containing the affected floating menu component, enabling session hijacking or credential harvesting against arbitrary users including administrators. No public exploit has been identified at time of analysis, and the plugin is not listed in the CISA KEV catalog; the CVSS 4.9 Medium score reflects the significant mitigation provided by the high-privilege prerequisite.

WordPress XSS
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-41999 MEDIUM PATCH This Month

Incorrect view selection in PowerDNS Authoritative Server when processing TCP PROXY protocol requests exposes DNS records intended for a different network segment to remote unauthenticated attackers, producing both unauthorized information disclosure and limited integrity impact. Deployments running split-horizon DNS via the Views feature alongside TCP PROXY protocol support are the specific affected population. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; however, the attack concept requires no authentication and no user interaction, making it relevant wherever both features are co-deployed.

Authentication Bypass Authoritative
NVD VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-46609 MEDIUM PATCH GHSA This Month

HTML injection (stored XSS) in the Umbraco CMS Backoffice confirmation dialog allows authenticated low-privilege users to inject arbitrary HTML into an input field that is subsequently rendered without output encoding when a confirmation dialog is triggered. Affected versions span nuget/Umbraco.Cms 14.0.0 through 17.3.5. The CVSS score of 4.6 reflects the constrained attack surface: exploitation requires an authenticated Backoffice session and a second victim user to interact with the dialog, limiting blast radius to the admin panel rather than public-facing surfaces. No public exploit identified at time of analysis and this CVE does not appear in the CISA KEV catalog.

XSS
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-44059 MEDIUM PATCH This Month

Race condition in Netatalk's privilege toggle mechanism exposes AFP file server hosts to local privilege abuse across versions 2.2.5 through 4.4.2. The non-reentrant privilege toggle function can be exploited by a low-privileged local user who wins a narrow timing window to read, modify, or disrupt data at a transiently elevated privilege level. No public exploit code exists and the issue is not listed in CISA KEV; real-world risk is constrained by the requirement for local access and high attack complexity. Vendor-released patch is available in version 4.5.0.

Information Disclosure Race Condition Suse
NVD VulDB
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-46671 MEDIUM PATCH GHSA This Month

Path traversal in the Rust crate onenote_parser (versions before 1.1.1) enables an attacker who supplies a malicious `.onetoc2` notebook table-of-contents file to direct `Parser::parse_notebook` to open arbitrary files on the host filesystem outside the intended notebook directory. While direct content exfiltration is constrained by the parser aborting when a target file fails to parse as a OneNote section, file-existence probing and denial-of-service via large or special files (e.g., named pipes, device nodes) remain viable attack outcomes. No public exploit has been identified and no confirmed active exploitation exists; vendor-released patch version 1.1.1, published 2026-05-15, resolves the issue.

Path Traversal
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-46542 MEDIUM PATCH GHSA This Month

Process crash in the nimiq-keys Rust crate (versions below 1.4.0) occurs when the Ed25519 multisig delinearization path receives a 32-byte public key that is length-valid but does not represent a valid point on the Edwards25519 curve, triggering a Rust `.unwrap()` panic that kills the hosting wallet process. Affected users are those running the Nimiq web-client WASM library or nimiq-wallet crate who can be persuaded by an attacker to include a crafted key in a multisig setup; validator nodes and all consensus infrastructure are explicitly out of scope. No public exploit has been identified at time of analysis, and no KEV listing exists, indicating this has not been broadly weaponized.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-46548 MEDIUM PATCH GHSA This Month

SSRF protection bypass in NocoDB's notification webhook plugins (Slack, Discord, Mattermost, Teams) allows authenticated Editor-level users to issue outbound POST requests to arbitrary internal hosts, including cloud-metadata endpoints. The root cause is a misplaced axios argument: `httpAgent`/`httpsAgent` were serialized into the request body instead of being passed as axios connection config, rendering the `request-filtering-agent` SSRF guard entirely ineffective across all four plugins. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Mattermost SSRF
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27349 MEDIUM This Month

Mail Mint WordPress plugin versions through 1.19.5 exposes sensitive system information to low-privilege authenticated users, enabling retrieval of embedded sensitive data from plugin responses or endpoints. Reported by Patchstack and classified under CWE-497, the flaw requires only a low-privilege WordPress account (PR:L per CVSS vector) over the network with no additional complexity or user interaction. No active exploitation has been confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.

Information Disclosure Mail Mint
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-46645 MEDIUM PATCH GHSA This Month

Authorization bypass in sqladmin (pip package, versions <= 0.25.0) allows authenticated-but-unauthorized users to query restricted model data through the `ajax_lookup` endpoint, silently circumventing any `is_accessible()` access control overrides that developers have implemented. Every other admin endpoint (`list`, `create`, `edit`, `delete`, `details`, `export`) enforces both the login requirement and the `is_accessible()` model-level authorization hook - the `ajax_lookup` endpoint at `GET /{identity}/ajax/lookup` enforced neither prior to patching. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4055 MEDIUM PATCH This Month

Incorrect authorization in Mattermost Playbooks (versions 11.5.0-11.5.1) allows any authenticated team member to create playbook runs in teams where they hold no run_create permission, by supplying an arbitrary team ID in the run creation API request. The server validates permissions only against the user's originating context rather than the target team specified in the payload, a classic authorization bypass rooted in CWE-863. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the low attack complexity makes this trivially exploitable by any authenticated insider or compromised account.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1881 MEDIUM This Month

Insecure Direct Object Reference in the Broadstreet WordPress plugin (all versions through 1.52.2) allows any authenticated user with Subscriber-level access to read arbitrary private post metadata by supplying a user-controlled key to the get_sponsored_meta AJAX endpoint without server-side authorization checks. The vulnerability stems from a missing object-level authorization check (CWE-639), a common class of flaw in WordPress plugin AJAX handlers. No public exploit code or active exploitation has been identified at time of analysis, and a patched version (1.53.2) is available via the WordPress plugin repository.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4843 MEDIUM This Month

Missing capability check in GSheet For Woo Importer (WordPress plugin, all versions through 2.3.1) allows authenticated attackers with Subscriber-level access to invoke the process_ajax_restore_action() AJAX function and permanently delete the plugin's Google Sheets API token and associated configuration options. This disrupts WooCommerce product import workflows dependent on the Google Sheets integration. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Google Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44067 MEDIUM PATCH This Month

Heap over-read in Netatalk's extended attribute (EA) header parser affects all releases from 2.1.0 through 4.4.2, allowing authenticated remote attackers to read beyond allocated heap boundaries under high-complexity conditions. The impact is limited to partial memory disclosure (C:L) and minor availability degradation (A:L) with no integrity impact, consistent with a read-only out-of-bounds primitive. No public exploit code exists and no active exploitation has been identified; vendor-released fix 4.5.0 is available.

Information Disclosure Buffer Overflow Suse
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-44063 MEDIUM PATCH This Month

LDAP filter injection in Netatalk 2.1.0 through 4.4.2 enables an authenticated remote attacker to manipulate LDAP query logic, potentially reading or modifying directory entries beyond their authorization scope. The CVSS score of 4.2 (Medium) reflects real but bounded impact - high attack complexity and a requirement for low-privilege authentication constrain opportunistic exploitation. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

LDAP Code Injection Suse
NVD VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-44065 MEDIUM PATCH This Month

Off-by-two memory corruption in Netatalk's papd daemon affects all versions from 2.0.0 through 4.4.2, fixed in 4.5.0. The flaw resides in the lp_write() function of the Printer Access Protocol daemon, where an off-by-two boundary error can produce minor integrity and availability impact when triggered by an adjacent-network attacker. With a CVSS score of 3.7 and no public exploit or CISA KEV listing identified at time of analysis, this is a low-severity issue requiring both local network adjacency and high attack complexity, significantly limiting real-world exploitability.

Information Disclosure Suse
NVD
CVSS 3.1
4.2
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy