Skip to main content
CVE-2026-34910 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute arbitrary operating system commands by sending crafted input that bypasses validation. The flaw carries a maximum CVSS 10.0 score with scope change (S:C) impacting confidentiality, integrity, and availability, and affects a broad fleet of UniFi gateways, NVRs, NAS units, and Cloud Keys. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Ubiquiti Command Injection Unifi Os Server Udm Udm Pro +28
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
Threat
5.0
CVE-2026-34909 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlying system, which can then be leveraged to take over an underlying account. The flaw carries a maximum CVSS 10.0 score reflecting unauthenticated network exploitation with scope change and full confidentiality, integrity, and availability impact across a broad fleet of UniFi gateways, cameras, NVRs, and NAS appliances. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Ubiquiti Path Traversal Unifi Os Server Udm Udm Pro +28
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
Threat
5.0
CVE-2026-34908 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configuration without authentication, affecting a broad range of UniFi gateways, dream machines, NVRs, NAS units, and cloud keys. The maximum CVSS 10.0 score reflects network-reachable, unauthenticated exploitation with scope change and full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the authentication bypass nature elevates urgency for any UniFi management plane exposed beyond trusted segments.

Ubiquiti Authentication Bypass Unifi Os Server Udm Udm Pro +28
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.0%
Threat
5.0
CVE-2026-45659 HIGH POC KEV PATCH THREAT CISA NEWS Exploit Unlikely Act Now

Authenticated remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) stems from unsafe deserialization of untrusted data (CWE-502), enabling an authorized attacker to run arbitrary code on the server over the network. CVSS 8.8 with low privileges required and no user interaction makes this attractive to post-authentication adversaries, though no public exploit identified at time of analysis and CVSS temporal data marks exploit code maturity as Unproven.

Microsoft Deserialization Microsoft Sharepoint Enterprise Server 2016 Microsoft Sharepoint Server 2019 Microsoft Sharepoint Server Subscription Edition
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.5%
Threat
4.8
CVE-2026-46670 CRITICAL POC PATCH GHSA Act Now

Unauthenticated SQL injection in YesWiki's Bazar form-import path allows any remote visitor to inject arbitrary SQL into an INSERT statement and exfiltrate the entire database, including yeswiki_users.password hashes. Affects YesWiki 4.6.1, 4.6.2, and the doryphore-dev branch prior to 4.6.4. Publicly available exploit code exists (a working Python PoC is published in the GHSA advisory), though no public exploit identified in CISA KEV at time of analysis.

PHP Python SQLi Docker
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-9256 CRITICAL POC PATCH Act Now

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated remote attackers sending crafted HTTP requests that target rewrite directives using overlapping PCRE captures (e.g., $1$2 referencing ^/((.*))$) in redirect or arguments contexts. Impact ranges from worker process crash/restart to arbitrary code execution where ASLR is disabled or bypassed; publicly available exploit code exists, though EPSS exploitation probability is low (0.15%, 35th percentile) and the issue is not in CISA KEV.

Buffer Overflow Nginx Heap Overflow Nginx Plus Nginx Open Source
NVD VulDB GitHub
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-9277 CRITICAL POC PATCH GHSA Act Now

Shell command injection in the npm shell-quote library (versions >= 1.1.0, <= 1.8.3) lets attacker-influenced object tokens smuggle a literal newline through quote(), turning the supposedly shell-safe output into multiple commands. The .op field of an object token was escaped character-by-character with /(.)/g, which in JavaScript does not match line terminators, so a newline survived unescaped and POSIX shells treat everything after it as a second command. Publicly available exploit code exists and a vendor patch (1.8.4) is released, though EPSS is low (0.05%) and SSVC marks current exploitation as none, indicating opportunity-but-not-yet-widespread risk.

Command Injection
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-39830 CRITICAL POC PATCH GHSA Act Now

Resource exhaustion in the Go golang.org/x/crypto/ssh package allows a malicious SSH peer to leak goroutines and memory by sending unsolicited global request responses that fill an internal buffer and block the connection's read loop. Affected versions are below 0.52.0, and even calling Close() fails to release the blocked goroutine, enabling per-connection resource leaks against any Go application using this library as an SSH client or server. There is no public exploit identified at time of analysis, and the EPSS score of 0.02% (4th percentile) indicates very low observed exploitation interest despite the high CVSS rating.

Buffer Overflow Golang Org X Crypto Ssh
NVD VulDB GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-39832 CRITICAL POC PATCH GHSA Act Now

Constraint extension stripping in the golang.org/x/crypto SSH agent client (versions prior to 0.52.0) allows remote SSH hosts to use forwarded keys without the destination restrictions the user intended. When clients added keys to a remote agent, extensions such as restrict-destination-v00@openssh.com were silently dropped during serialization, effectively converting scoped keys into unrestricted ones on downstream hosts. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total and automatable.

SSH Deserialization Golang Org X Crypto Ssh Agent
NVD VulDB GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-8679 HIGH POC This Week

{id}/ rewrite endpoint. The handle_playlist_endpoint() function validates only post_type, omitting authentication, capability, and post_status checks, so draft, private, pending, and trashed playlists are reachable by ID enumeration. No public exploit identified at time of analysis; the issue is fixed in version 2.0.3 per the vendor commit.

WordPress Authentication Bypass Audioigniter Music Player
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-39829 HIGH POC PATCH GHSA This Week

Denial of service in the Go golang.org/x/crypto/ssh library before version 0.52.0 allows unauthenticated remote attackers to exhaust CPU on SSH servers by submitting crafted RSA or DSA public keys with oversized parameters during public key authentication. EPSS is very low (0.03%) and there is no public exploit identified at time of analysis, but the bug is trivial to trigger and the fix has been published by the Go team in CL 781641/781661.

Jwt Attack Information Disclosure Golang Org X Crypto Ssh
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-39828 MEDIUM POC PATCH GHSA This Month

SSH certificate permission enforcement in golang.org/x/crypto/ssh fails silently during multi-factor authentication flows, allowing authenticated users to bypass certificate-enforced restrictions such as force-command. Specifically, when an SSH server authentication callback returns PartialSuccessError with non-nil Permissions (as occurs in MFA sequences where a first factor succeeds and a second is required), those certificate permissions are silently discarded rather than propagated to the final session. Any Go-based SSH server using this library with both MFA and certificate-based permission restrictions is affected in versions prior to 0.52.0. No public exploit identified at time of analysis, and CISA KEV does not list this vulnerability.

Information Disclosure Golang Org X Crypto Ssh
NVD VulDB GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-40412 CRITICAL PATCH NO ACTION Monitor

Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous file types and execute arbitrary code, earning a maximum CVSS 10.0 score with scope change (S:C). Per Microsoft's MSRC advisory, a vendor patch is available, though no public exploit has been identified at time of analysis and the EPSS score was not provided in the source data.

Microsoft File Upload
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-41104 CRITICAL PATCH NO ACTION HOSTED Monitor

Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft malicious serialized payloads that the service processes, resulting in information disclosure across a trust boundary. The maximum CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction and a scope change, though no public exploit identified at time of analysis and EPSS data was not provided.

Microsoft Deserialization
NVD VulDB
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-23652 CRITICAL PATCH NO ACTION Monitor

Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-system commands against the platform, with a maximum CVSS score of 10.0 reflecting changed scope and full confidentiality, integrity, and availability impact. The flaw stems from improper neutralization of special elements in command construction (CWE-77), and while no public exploit has been identified at time of analysis, Microsoft has released a patch via MSRC. Given Power Pages is a multi-tenant SaaS offering, a successful exploit could pivot beyond the initial site boundary.

Microsoft Command Injection
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-47280 CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authentication and gain elevated privileges across the cloud control plane. The flaw carries a maximum CVSS score of 10.0 due to a scope change combined with full confidentiality, integrity, and availability impact, and although Microsoft has released a fix there is no public exploit identified at time of analysis. Given ARM is the central management layer for nearly all Azure resources, successful exploitation could have broad tenant-wide consequences.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-42901 CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Entra ID enables remote unauthenticated attackers to bypass origin validation and gain elevated privileges across tenant boundaries (scope-changed). The CVSS 10.0 rating reflects maximum impact across confidentiality, integrity, and availability with no authentication or user interaction required, though no public exploit has been identified at time of analysis and EPSS data is not provided.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-46595 CRITICAL PATCH GHSA Act Now

Authorization bypass in the Go golang.org/x/crypto/ssh package before version 0.52.0 allows remote attackers to circumvent source-address restrictions when SSH server configurations use callback authentication types other than public key. This is an incomplete-fix follow-up to CVE-2024-45337, which only addressed the public-key callback path while leaving other callback types vulnerable to the same source-address validation skip. No public exploit identified at time of analysis, EPSS is very low at 0.02%, and SSVC indicates no observed exploitation though the issue is automatable with partial technical impact.

Authentication Bypass Golang Org X Crypto Ssh
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-33712 CRITICAL Act Now

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers to abuse the preview chat endpoint to make arbitrary internal HTTP requests from the server. The flaw stems from the isolated-vm sandbox's fetch function calling Node.js native fetch without the SSRF validation (validateHttpReqUrl) that protects HTTP Request blocks, bypassing mitigations added after GHSA-8gq9-rw7v-3jpr. No public exploit identified at time of analysis, but the CVSS 10.0 (Critical) score with scope-changed impact indicates severe risk for both self-hosted and hosted deployments.

Node.js Authentication Bypass SSRF Typebot Io
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-40411 CRITICAL PATCH NO ACTION HOSTED Monitor

Remote code execution in Microsoft Azure Virtual Network Gateway allows an authenticated attacker with low privileges to execute arbitrary code across a network boundary due to improper input validation. The CVSS 9.9 score reflects scope-changed impact (S:C) where exploitation can compromise resources beyond the vulnerable component itself, affecting confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the high score and managed-service nature warrant priority attention.

Microsoft Information Disclosure
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-32253 CRITICAL Act Now

Authentication bypass in LizardByte Sunshine self-hosted game stream host (versions prior to 2026.516.143833) allows remote unauthenticated attackers to bypass client-certificate authentication and access protected HTTPS endpoints. The custom OpenSSL verification callback in src/crypto.cpp incorrectly treats several certificate validation errors as successful verification, enabling untrusted certificates to pass authentication. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects trivial network-based exploitation against default deployments.

OpenSSL Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-44930 CRITICAL PATCH GHSA Act Now

Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90) in the LDAP-backed certificate repository to retrieve certificates they are not authorized to see. Affected builds span Apache CXF 3.x before 3.6.11, 4.0.0-4.1.x before 4.1.6, and 4.2.0 before 4.2.1; the issue was reported by Apache itself and fixed in those releases. No public exploit identified at time of analysis, EPSS is very low (0.02%, 4th percentile), and CISA SSVC scores exploitation as 'none' with only 'partial' technical impact.

Code Injection LDAP Apache Apache Cxf
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-39821 CRITICAL PATCH Act Now

Privilege escalation in Go's golang.org/x/net/idna package (all versions before 0.55.0) stems from ToASCII and ToUnicode accepting Punycode labels that decode to an ASCII-only label, so ToUnicode("xn--example-.com") returns "example.com" instead of an error. Applications that perform authorization checks on an ASCII hostname and then convert it to Unicode can be tricked into permitting a name that the direct check would have rejected. This is a library-level flaw (CVSS 9.6, scope-changed) reported by the Go team; there is no public exploit identified at time of analysis and EPSS is very low (0.04%, 14th percentile).

Privilege Escalation Golang Org X Net Idna
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-8670 CRITICAL PATCH Act Now

Session replay weakness in syslink software AG's Avantra monitoring platform (versions before 25.3.1) on Linux and Windows allows remote attackers to reuse captured session identifiers because sessions are not properly expired. With CVSS 9.6 and scope change, an attacker who obtains a valid session ID can impersonate users and pivot into systems Avantra manages; no public exploit identified at time of analysis.

Microsoft Information Disclosure
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-7798 MEDIUM POC This Month

Blind Server-Side Request Forgery in FluentCRM (WordPress plugin, all versions ≤2.9.87) allows unauthenticated remote attackers to coerce the web server into issuing arbitrary HTTP requests via the 'SubscribeURL' parameter in SES bounce handling. Exploitation is constrained to sites where the SES bounce handling key has never been initialized - a default state that persists until an administrator visits the bounce configuration page. Successfully exploited, this flaw can be used to probe and interact with internal services (cloud metadata endpoints, intranet APIs, adjacent containers), achieving limited but meaningful confidentiality and integrity impact across a changed scope. No public exploit or CISA KEV listing exists at time of analysis, though source code references expose the vulnerable code path directly.

WordPress SSRF Fluentcrm Email Newsletter Automation Email Marketing Email Campaigns Optins Leads And Crm Solution
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-41090 CRITICAL PATCH NO ACTION HOSTED Monitor

Command injection in Microsoft 365 Copilot for iOS allows remote unauthenticated attackers to tamper with system integrity over the network when a user is convinced to interact with malicious content. The flaw carries a critical CVSS score of 9.3 with a scope change indicating impact beyond the vulnerable component, though no public exploit identified at time of analysis. An official vendor patch is available via MSRC.

Microsoft Command Injection
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-39835 MEDIUM POC PATCH GHSA This Month

Unauthenticated remote clients can crash SSH servers built with golang.org/x/crypto/ssh by presenting a certificate during the handshake when CertChecker is used as a public key callback without initializing IsUserAuthority or IsHostAuthority. All versions prior to 0.52.0 are affected; the nil function pointer dereference causes a Go runtime panic that terminates the SSH service. No public exploit code has been identified and EPSS places exploitation probability at the 1st percentile (0.01%), though the attack requires no authentication and low complexity per the CVSS vector.

Information Disclosure Golang Org X Crypto Ssh
NVD VulDB GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-9054 CRITICAL PATCH Act Now

Remote denial-of-service in 9front (a fork of Plan 9 from Bell Labs) allows unauthenticated network attackers to trigger a kernel panic by sending malformed TCP, IL, RUDP, or GRE packets whose total length is shorter than the protocol header size. The flaw affects 9front Plan 9 4e prior to commit 70c97c334171c715df82774d1a47638abaca2db4 and carries a CVSS 4.0 score of 9.2 driven by high availability impact and automatable exploitation; no public exploit identified at time of analysis.

Information Disclosure 9Front
NVD VulDB
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-33000 CRITICAL PATCH Act Now

Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary operating system commands by abusing improperly validated input. The flaw carries a critical CVSS 9.1 score with scope change, indicating successful exploitation can break out of the originating security context, though no public exploit identified at time of analysis.

Ubiquiti Command Injection Unifi Os Server
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-33843 CRITICAL PATCH NO ACTION HOSTED Monitor

Authentication bypass in Microsoft Azure Active Directory B2C (now part of Microsoft Entra) allows remote unauthenticated attackers to elevate privileges by reaching protected functionality through an alternate code path. The CVSS 9.1 vector (AV:N/AC:L/PR:N/UI:N) reflects network-reachable exploitation with no privileges and no user interaction, yielding high confidentiality and integrity impact against tenants relying on Azure AD B2C for identity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the unauthenticated-network profile and Microsoft self-reporting make this a high-priority advisory for any tenant using B2C.

Microsoft Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-39833 CRITICAL PATCH GHSA Act Now

Authentication bypass in Go's golang.org/x/crypto/ssh/agent in-memory keyring (versions before 0.52.0) allows SSH key signing operations to proceed without the intended ConfirmBeforeUse user confirmation prompt. Applications that relied on this constraint to gate sensitive signing actions effectively had no protection, with no error returned to indicate the constraint was silently ignored. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total.

Authentication Bypass Golang Org X Crypto Ssh Agent Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-39834 CRITICAL PATCH GHSA Act Now

Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) occurs when an application writes more than 4GB of data in a single Write call on an SSH channel, triggering an integer overflow in the internal payload size calculation that causes the write loop to spin indefinitely while emitting empty packets. The flaw affects any Go application using this SSH library for large data transfers and is patched upstream with a release in version 0.52.0; no public exploit identified at time of analysis and EPSS probability is very low at 0.02%.

Buffer Overflow Integer Overflow Golang Org X Crypto Ssh Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-42508 CRITICAL PATCH GHSA Act Now

Improper certificate revocation validation in the golang.org/x/crypto/ssh/knownhosts package allows SSH connections to succeed against hosts whose CA SignatureKey has been revoked. Versions prior to 0.52.0 only validated the leaf 'key' against revocation entries while ignoring 'key.SignatureKey', enabling attackers holding a revoked CA-signed host key to impersonate trusted servers. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Information Disclosure Golang Org X Crypto Ssh Knownhosts
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-39831 CRITICAL PATCH GHSA Act Now

Authentication bypass in the Go x/crypto/ssh library (versions before 0.52.0) allows SSH servers to accept FIDO/U2F security key signatures that were generated without the required physical user touch. The Verify() method for sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com key types failed to check the User Presence flag, enabling unattended use of stolen or relayed hardware-token signatures. No public exploit identified at time of analysis and EPSS is very low (0.01%), but SSVC rates technical impact as total with automatable exploitation.

SSH Authentication Bypass Golang Org X Crypto Ssh Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-35430 HIGH PATCH This Week

Privilege escalation in Microsoft Azure Privileged Identity Management (PIM) allows an authenticated attacker to bypass authorization checks by manipulating a user-controlled key, escalating privileges over the network. The flaw stems from an Insecure Direct Object Reference (IDOR) pattern (CWE-639) where the service trusts a client-supplied identifier when making authorization decisions. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Microsoft Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41075 HIGH PATCH This Week

Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6.0.0-6.0.2 via the entry_aggregator parameter in the JSON search endpoint, allowing any logged-in RT user to read or modify arbitrary data in the underlying database. The flaw was disclosed alongside the rt-5.0.10/6.0.3 release on 2026-05-20 and carries CVSS 8.8 due to high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi Rt
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6406 HIGH PATCH This Week

Enhanced Container Isolation (ECI) bypass in Docker Desktop allows a local low-privileged user with Docker CLI access to mount the Docker Engine socket into a container by invoking the --use-api-socket flag, granting full Docker Engine control and exposure of registry credentials. The flaw stems from the API proxy inspecting only HostConfig.Binds while the flag routes the mount through HostConfig.Mounts, slipping past ECI policy. No public exploit identified at time of analysis, but the issue was reported by Docker itself and disclosed via ZDI (ZDI-26-299).

Authentication Bypass Docker
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-5843 HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to achieve RCE on the host by tricking the MLX inference backend into loading a Python file from an attacker-controlled OCI model registry. The MLX-LM library imports the file referenced by config.json's model_file field via importlib without any trust_remote_code gate, and the backend runs unsandboxed as the Docker Desktop user. Patched in Docker Desktop 4.71.0; no public exploit identified at time of analysis and EPSS is very low (0.01%), but the SSVC technical impact is rated total.

Python Apple RCE Docker
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-5817 HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's vllm-metal inference backend on macOS allows any container on the Docker network to trigger host-level RCE by pulling a malicious model from an OCI registry and requesting inference. The Docker Model Runner unconditionally sets trust_remote_code=True and runs without sandboxing, so AutoTokenizer.from_pretrained() loads attacker-controlled Python from the model and executes it as the Docker Desktop user. No public exploit identified at time of analysis; EPSS sits at 0.01% and SSVC marks exploitation as 'none' despite total technical impact.

Python Apple RCE Docker
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-8992 HIGH This Week

Remote code execution in Ivanti Secure Access Client versions prior to 22.8R6 allows unauthenticated attackers to run arbitrary code on endpoints by exploiting improper TLS certificate validation, contingent on user interaction (UI:R). No public exploit identified at time of analysis, but the CVSS 8.8 rating and Ivanti's own advisory disclosure mark this as a high-priority client-side risk for organizations using the VPN client.

RCE Ivanti Secure Access Client
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9018 HIGH This Week

Unauthenticated privilege escalation in the Easy Elements for Elementor WordPress plugin through version 1.4.5 allows remote attackers to register administrator accounts by abusing an unchecked custom_meta parameter in the eel_register AJAX handler. The flaw lets attackers overwrite the wp_capabilities user meta after wp_insert_user() has assigned a safe role, granting full site takeover. No public exploit identified at time of analysis, and the CVSS vector's PR:L appears inconsistent with the description's explicit unauthenticated abuse path.

WordPress Privilege Escalation Elementor
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3294 HIGH PATCH This Week

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting on confidentiality, integrity, and availability.

TP-Link Information Disclosure
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-28445 HIGH PATCH GHSA This Week

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collaborator-crafted bot to execute arbitrary HTML/JavaScript in the authenticated builder context via the RatingButton component's customIcon.svg field. Because the builder preview renders bots inline on builder.typebot.io under a CSP permitting 'unsafe-inline', successful exploitation enables session hijacking and privilege escalation within the SaaS builder, with no public exploit identified at time of analysis.

XSS Privilege Escalation Typebot Io
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-25606 HIGH PATCH This Week

SQL injection in STER (Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy) versions prior to 9.5 allows authenticated attackers to extract sensitive data by injecting crafted input into multiple Search Filter parameters. The CVSS 4.0 score of 8.7 reflects high confidentiality and integrity impact over the network with low attacker privileges required, and a vendor patch is available in version 9.5. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Information Disclosure SQLi Ster
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-9255 HIGH PATCH This Week

Authorization bypass in AWS Kiro CLI versions prior to 1.28.0 allows a local attacker to invoke arbitrary tools, including shell commands, without triggering the user approval prompt by piping crafted content through stdin. Reported by Amazon (AMZN) and tagged as an Authentication Bypass, this issue has a vendor-released fix in 1.28.0; publicly available exploit code exists is not indicated, and the SSVC framework currently records no observed exploitation despite a Total technical impact rating.

Authentication Bypass Kiro Cli
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-46727 HIGH POC PATCH This Week

Use-after-free in Ruby 4.x (before 4.0.5) lets remote attackers who can manipulate DNS response timing crash applications calling Addrinfo.getaddrinfo with a timeout: option or Socket.tcp with resolv_timeout:. The flaw lives in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) and, while reliably exploitable for denial of service, also raises a theoretical possibility of memory-corruption-based code execution. No public exploit identified at time of analysis.

Denial Of Service Race Condition Ruby
NVD VulDB GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-41076 HIGH PATCH This Week

Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows remote attackers to log in as any LDAP-backed user without valid credentials when RT is configured with LDAP or Active Directory authentication and the LDAP server accepts unauthenticated bind requests. The flaw, fixed in RT 5.0.10 and 6.0.3 released 2026-05-20, carries a CVSS 8.1 and has no public exploit identified at time of analysis, but the trivial nature of the bypass against vulnerable LDAP policies makes it high-priority for any RT deployment using directory-based auth.

Authentication Bypass Rt
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-40172 HIGH This Week

{pk}/ endpoint. The UserSerializer skips the enable_group_superuser check enforced in the dedicated group-management paths, letting delegated user-management roles promote themselves or others to administrator-equivalent privilege. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the trivial attack mechanics (a single PATCH request) make weaponization straightforward for any tenant that has delegated user administration.

Privilege Escalation Authentik
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-26147 HIGH PATCH NO ACTION HOSTED Monitor

Information disclosure in Microsoft Azure Compute Gallery permits an authenticated remote attacker to read sensitive data across tenant or resource boundaries due to improper input validation (CWE-20). The scope-changed CVSS 7.7 rating reflects cross-boundary impact, but the exploit maturity is currently unproven (E:U) and no public exploit identified at time of analysis. Microsoft has published an official fix via MSRC.

Microsoft Information Disclosure
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-34911 HIGH PATCH This Week

Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary files on the underlying device filesystem, enabling disclosure of sensitive information such as configuration data, credentials, or cryptographic material. The flaw (CVSS 7.7, scope-changed) affects a broad fleet of UniFi gateways, cloud keys, NVRs, and NAS appliances. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Os Server Udm Udm Pro +28
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy