141 CVEs tracked today. 24 Critical, 31 High, 46 Medium, 7 Low.
-
CVE-2026-46670
CRITICAL
CVSS 9.8
Unauthenticated SQL injection in YesWiki's Bazar form-import path allows any remote visitor to inject arbitrary SQL into an INSERT statement and exfiltrate the entire database, including yeswiki_users.password hashes. Affects YesWiki 4.6.1, 4.6.2, and the doryphore-dev branch prior to 4.6.4. Publicly available exploit code exists (a working Python PoC is published in the GHSA advisory), though the issue is not listed in CISA KEV at time of analysis.
PHP
Python
Docker
SQLi
-
CVE-2026-46595
CRITICAL
CVSS 10.0
Authorization bypass in the Go golang.org/x/crypto/ssh package before version 0.52.0 allows remote attackers to circumvent source-address restrictions when SSH server configurations use callback authentication types other than public key. This is an incomplete-fix follow-up to CVE-2024-45337, which only addressed the public-key callback path while leaving other callback types vulnerable to the same source-address validation skip. No public exploit identified at time of analysis, EPSS is very low at 0.02%, and SSVC indicates no observed exploitation though the issue is automatable with partial technical impact.
Authentication Bypass
Golang Org X Crypto Ssh
-
CVE-2026-42508
CRITICAL
CVSS 9.1
Improper certificate revocation validation in the golang.org/x/crypto/ssh/knownhosts package allows SSH connections to succeed against hosts whose CA SignatureKey has been revoked. Versions prior to 0.52.0 only validated the leaf 'key' against revocation entries while ignoring 'key.SignatureKey', enabling attackers holding a revoked CA-signed host key to impersonate trusted servers. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Information Disclosure
Golang Org X Crypto Ssh Knownhosts
-
CVE-2026-39834
CRITICAL
CVSS 9.1
Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) occurs when an application writes more than 4GB of data in a single Write call on an SSH channel, triggering an integer overflow in the internal payload size calculation that causes the write loop to spin indefinitely while emitting empty packets. The flaw affects any Go application using this SSH library for large data transfers and is patched upstream in version 0.52.0; no public exploit has been identified at time of analysis and EPSS probability is very low at 0.02%.
Buffer Overflow
Integer Overflow
Golang Org X Crypto Ssh
-
CVE-2026-39833
CRITICAL
CVSS 9.1
Authentication bypass in Go's golang.org/x/crypto/ssh/agent in-memory keyring (versions before 0.52.0) allows SSH key signing operations to proceed without the intended ConfirmBeforeUse user confirmation prompt. Applications that relied on this constraint to gate sensitive signing actions effectively had no protection, with no error returned to indicate the constraint was silently ignored. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total.
Authentication Bypass
Golang Org X Crypto Ssh Agent
-
CVE-2026-39832
CRITICAL
CVSS 9.1
Constraint extension stripping in the golang.org/x/crypto SSH agent client (versions prior to 0.52.0) allows remote SSH hosts to use forwarded keys without the destination restrictions the user intended. When clients added keys to a remote agent, extensions such as restrict-destination-v00@openssh.com were silently dropped during serialization, effectively converting scoped keys into unrestricted ones on downstream hosts. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total and automatable.
Deserialization
SSH
Golang Org X Crypto Ssh Agent
-
CVE-2026-39821
CRITICAL
CVSS 9.6
Privilege escalation in Go's golang.org/x/net/idna package (all versions before 0.55.0) stems from ToASCII and ToUnicode accepting Punycode labels that decode to an ASCII-only label, so ToUnicode("xn--example-.com") returns "example.com" instead of an error. Applications that perform authorization checks on an ASCII hostname and then convert it to Unicode can be tricked into permitting a name that the direct check would have rejected. This is a library-level flaw (CVSS 9.6, scope-changed) reported by the Go team; there is no public exploit identified at time of analysis and EPSS is very low (0.04%, 14th percentile).
Privilege Escalation
Golang Org X Net Idna
-
CVE-2026-34910
CRITICAL
CVSS 10.0
Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute arbitrary operating system commands by sending crafted input that bypasses validation. The flaw carries a maximum CVSS 10.0 score with scope change (S:C) impacting confidentiality, integrity, and availability, and affects a broad fleet of UniFi gateways, NVRs, NAS units, and Cloud Keys. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Command Injection
Ubiquiti
-
CVE-2026-34909
CRITICAL
CVSS 10.0
Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlying system, which can then be leveraged to take over an underlying account. The flaw carries a maximum CVSS 10.0 score reflecting unauthenticated network exploitation with scope change and full confidentiality, integrity, and availability impact across a broad fleet of UniFi gateways, cameras, NVRs, and NAS appliances. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Path Traversal
Ubiquiti
-
CVE-2026-34908
CRITICAL
CVSS 10.0
Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configuration without authentication, affecting a broad range of UniFi gateways, dream machines, NVRs, NAS units, and cloud keys. The maximum CVSS 10.0 score reflects network-reachable, unauthenticated exploitation with scope change and full confidentiality, integrity, and availability impact; no public exploit has been identified at time of analysis, but the authentication-bypass nature of the flaw elevates urgency for any UniFi management plane exposed beyond trusted segments.
Authentication Bypass
Ubiquiti
-
CVE-2026-33712
CRITICAL
CVSS 10.0
Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers to abuse the preview chat endpoint to make arbitrary internal HTTP requests from the server. The flaw stems from the isolated-vm sandbox's fetch function calling Node.js native fetch without the SSRF validation (validateHttpReqUrl) that protects HTTP Request blocks, bypassing mitigations added after GHSA-8gq9-rw7v-3jpr. No public exploit identified at time of analysis, but the CVSS 10.0 (Critical) score with scope-changed impact indicates severe risk for both self-hosted and hosted deployments.
Authentication Bypass
SSRF
Node.js
Typebot Io
-
CVE-2026-33000
CRITICAL
CVSS 9.1
Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary operating system commands by abusing improperly validated input. The flaw carries a critical CVSS 9.1 score with scope change, indicating successful exploitation can break out of the originating security context, though no public exploit has been identified at time of analysis.
Command Injection
Ubiquiti
-
CVE-2026-32253
CRITICAL
CVSS 9.8
Authentication bypass in LizardByte Sunshine self-hosted game stream host (versions prior to 2026.516.143833) allows remote unauthenticated attackers to bypass client-certificate authentication and access protected HTTPS endpoints. The custom OpenSSL verification callback in src/crypto.cpp incorrectly treats several certificate validation errors as successful verification, enabling untrusted certificates to pass authentication. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects trivial network-based exploitation against default deployments.
Authentication Bypass
OpenSSL
-
CVE-2026-9054
CRITICAL
CVSS 9.2
Remote denial-of-service in 9front (a fork of Plan 9 from Bell Labs) allows unauthenticated network attackers to trigger a kernel panic by sending malformed TCP, IL, RUDP, or GRE packets whose total length is shorter than the protocol header size. The flaw affects 9front Plan 9 4e prior to commit 70c97c334171c715df82774d1a47638abaca2db4 and carries a CVSS 4.0 score of 9.2 driven by high availability impact and automatable exploitation; no public exploit has been identified at time of analysis.
Information Disclosure
9Front
-
CVE-2026-8670
CRITICAL
CVSS 9.6
Session replay weakness in syslink software AG's Avantra monitoring platform (versions before 25.3.1) on Linux and Windows allows remote attackers to reuse captured session identifiers because sessions are not properly expired. With CVSS 9.6 and scope change, an attacker who obtains a valid session ID can impersonate users and pivot into systems Avantra manages; no public exploit has been identified at time of analysis.
Information Disclosure
Microsoft
Avantra
-
CVE-2026-48700
CRITICAL
CVSS 9.3
An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be use...
RCE
Pcmanfm Qt
-
CVE-2026-47280
CRITICAL
CVSS 10.0
Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authentication and gain elevated privileges across the cloud control plane. The flaw carries a maximum CVSS score of 10.0 due to a scope change combined with full confidentiality, integrity, and availability impact, and although Microsoft has released a fix there is no public exploit identified at time of analysis. Given ARM is the central management layer for nearly all Azure resources, successful exploitation could have broad tenant-wide consequences.
Authentication Bypass
Microsoft
-
CVE-2026-42901
CRITICAL
CVSS 10.0
Privilege escalation in Microsoft Entra ID enables remote unauthenticated attackers to bypass origin validation and gain elevated privileges across tenant boundaries (scope-changed). The CVSS 10.0 rating reflects maximum impact across confidentiality, integrity, and availability with no authentication or user interaction required, though no public exploit has been identified at time of analysis and EPSS data is not provided.
Authentication Bypass
Microsoft
-
CVE-2026-41104
CRITICAL
CVSS 10.0
Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft malicious serialized payloads that the service processes, resulting in information disclosure across a trust boundary. The maximum CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction and a scope change, though no public exploit has been identified at time of analysis and EPSS data was not provided.
Deserialization
Microsoft
-
CVE-2026-41090
CRITICAL
CVSS 9.3
Command injection in Microsoft 365 Copilot for iOS allows remote unauthenticated attackers to tamper with system integrity over the network when a user is convinced to interact with malicious content. The flaw carries a critical CVSS score of 9.3 with a scope change indicating impact beyond the vulnerable component, though no public exploit has been identified at time of analysis. An official vendor patch is available via MSRC.
Command Injection
Microsoft
-
CVE-2026-40412
CRITICAL
CVSS 10.0
Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous file types and execute arbitrary code, earning a maximum CVSS 10.0 score with scope change (S:C). Per Microsoft's MSRC advisory, a vendor patch is available, though no public exploit has been identified at time of analysis and the EPSS score was not provided in the source data.
Microsoft
File Upload
-
CVE-2026-40411
CRITICAL
CVSS 9.9
Remote code execution in Microsoft Azure Virtual Network Gateway allows an authenticated attacker with low privileges to execute arbitrary code across a network boundary due to improper input validation. The CVSS 9.9 score reflects scope-changed impact (S:C) where exploitation can compromise resources beyond the vulnerable component itself, affecting confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the high score and managed-service nature warrant priority attention.
Information Disclosure
Microsoft
-
CVE-2026-33843
CRITICAL
CVSS 9.1
Authentication bypass in Microsoft Azure Active Directory B2C (now part of Microsoft Entra) allows remote unauthenticated attackers to elevate privileges by reaching protected functionality through an alternate code path. The CVSS 9.1 vector (AV:N/AC:L/PR:N/UI:N) reflects network-reachable exploitation with no privileges and no user interaction, yielding high confidentiality and integrity impact against tenants relying on Azure AD B2C for identity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the unauthenticated-network profile and Microsoft self-reporting make this a high-priority advisory for any tenant using B2C.
Authentication Bypass
Microsoft
-
CVE-2026-23652
CRITICAL
CVSS 10.0
Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-system commands against the platform, with a maximum CVSS score of 10.0 reflecting changed scope and full confidentiality, integrity, and availability impact. The flaw stems from improper neutralization of special elements in command construction (CWE-77), and while no public exploit has been identified at time of analysis, Microsoft has released a patch via MSRC. Given Power Pages is a multi-tenant SaaS offering, a successful exploit could pivot beyond the initial site boundary.
Command Injection
Microsoft
-
CVE-2026-46727
HIGH
CVSS 8.1
Use-after-free in Ruby 4.x (before 4.0.5) lets remote attackers who can manipulate DNS response timing crash applications calling Addrinfo.getaddrinfo with a timeout: option or Socket.tcp with resolv_timeout:. The flaw lives in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) and, while reliably exploitable for denial of service, also raises a theoretical possibility of memory-corruption-based code execution. No public exploit identified at time of analysis.
Denial Of Service
Race Condition
-
CVE-2026-46597
HIGH
CVSS 7.5
Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) allows remote unauthenticated attackers to crash SSH server processes by sending crafted AES-GCM encrypted packets. An incorrectly placed bytes-to-int cast in the AES-GCM packet decoder triggers a server-side panic when processing well-crafted inputs. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Information Disclosure
Golang Org X Crypto Ssh
-
CVE-2026-45659
HIGH
CVSS 8.8
Authenticated remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) stems from unsafe deserialization of untrusted data (CWE-502), enabling an authorized attacker to run arbitrary code on the server over the network. CVSS 8.8 with low privileges required and no user interaction makes this attractive to post-authentication adversaries, though no public exploit has been identified at time of analysis and CVSS temporal data marks exploit code maturity as Unproven.
Deserialization
Microsoft
-
CVE-2026-41076
HIGH
CVSS 8.1
Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows remote attackers to log in as any LDAP-backed user without valid credentials when RT is configured with LDAP or Active Directory authentication and the LDAP server accepts unauthenticated bind requests. The flaw, fixed in RT 5.0.10 and 6.0.3 released 2026-05-20, carries a CVSS 8.1 and has no public exploit identified at time of analysis, but the trivial nature of the bypass against vulnerable LDAP policies makes it high-priority for any RT deployment using directory-based auth.
Authentication Bypass
-
CVE-2026-41075
HIGH
CVSS 8.8
Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6.0.0-6.0.2 via the entry_aggregator parameter in the JSON search endpoint, allowing any logged-in RT user to read or modify arbitrary data in the underlying database. The flaw was disclosed alongside the rt-5.0.10/6.0.3 release on 2026-05-20 and carries CVSS 8.8 due to high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
SQLi
-
CVE-2026-41074
HIGH
CVSS 7.1
Cross-site request forgery in Best Practical Request Tracker (RT) versions 6.0.0 through 6.0.2 allows remote attackers to perform arbitrary state-changing actions on behalf of an authenticated RT user who is lured to a malicious web page. The flaw carries a CVSS 7.1 (high integrity impact) and has been addressed in RT 6.0.3 released 2026-05-20, but no public exploit has been identified at time of analysis and the CVE is not present in CISA KEV.
CSRF
-
CVE-2026-40172
HIGH
CVSS 8.1
Privilege escalation in authentik identity provider versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2 allows an authenticated user holding the change_user permission to assign arbitrary groups - including superuser groups - to any target user via the PATCH /api/v3/core/users/{pk}/ endpoint. The UserSerializer skips the enable_group_superuser check enforced in the dedicated group-management paths, letting delegated user-management roles promote themselves or others to administrator-equivalent privilege. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the trivial attack mechanics (a single PATCH request) make weaponization straightforward for any tenant that has delegated user administration.
Privilege Escalation
Authentik
-
CVE-2026-39968
HIGH
CVSS 7.1
Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access credentials from arbitrary workspaces via the preview chat endpoint. The bot-engine's getCredentials() utility uses a falsy check on workspaceId, so supplying an empty string bypasses ownership validation entirely, enabling credential theft, external service abuse, and data breach. This is an incomplete fix for the prior advisory GHSA-4xc5-wfwc-jw47, and no public exploit has been identified at time of analysis though the patch commit is public.
Authentication Bypass
-
CVE-2026-39965
HIGH
CVSS 7.7
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpReqUrl() SSRF filter by chaining an attacker-controlled HTTP 302 redirect, since the underlying ky and fetch clients follow redirects without re-validating the destination. This enables reaching AWS instance metadata at 169.254.169.254, private subnets, and container-internal services from the Typebot server, with realistic impact including theft of cloud IAM credentials. No public exploit identified at time of analysis, and the issue is fixed in version 3.16.0.
SSRF
Open Redirect
Typebot Io
-
CVE-2026-35430
HIGH
CVSS 8.8
Privilege escalation in Microsoft Azure Privileged Identity Management (PIM) allows an authenticated attacker to bypass authorization checks by manipulating a user-controlled key, escalating privileges over the network. The flaw stems from an Insecure Direct Object Reference (IDOR) pattern (CWE-639) where the service trusts a client-supplied identifier when making authorization decisions. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Authentication Bypass
Microsoft
-
CVE-2026-34911
HIGH
CVSS 7.7
Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary files on the underlying device filesystem, enabling disclosure of sensitive information such as configuration data, credentials, or cryptographic material. The flaw (CVSS 7.7, scope-changed) affects a broad fleet of UniFi gateways, cloud keys, NVRs, and NAS appliances. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Path Traversal
Ubiquiti
-
CVE-2026-34207
HIGH
CVSS 7.6
Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSRF protections in Webhook and HTTP Request blocks by supplying attacker-controlled hostnames that resolve via DNS to loopback (127.0.0.1), cloud metadata (169.254.169.254), or RFC1918 private addresses. The validation logic only inspected the URL string and literal IP formats without performing DNS resolution, so a benign-looking domain could route the backend HTTP client to internal targets. No public exploit identified at time of analysis, though the GitHub Security Advisory and fix commit are publicly visible.
SSRF
Typebot Io
-
CVE-2026-28445
HIGH
CVSS 8.7
Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collaborator-crafted bot to execute arbitrary HTML/JavaScript in the authenticated builder context via the RatingButton component's customIcon.svg field. Because the builder preview renders bots inline on builder.typebot.io under a CSP permitting 'unsafe-inline', successful exploitation enables session hijacking and privilege escalation within the SaaS builder, with no public exploit identified at time of analysis.
XSS
Privilege Escalation
Typebot Io
-
CVE-2026-26147
HIGH
CVSS 7.7
Information disclosure in Microsoft Azure Compute Gallery permits an authenticated remote attacker to read sensitive data across tenant or resource boundaries due to improper input validation (CWE-20). The scope-changed CVSS 7.7 rating reflects cross-boundary impact, but the exploit maturity is currently unproven (E:U) and no public exploit has been identified at time of analysis. Microsoft has published an official fix via MSRC.
Information Disclosure
Microsoft
-
CVE-2026-25606
HIGH
CVSS 8.7
SQL injection in STER (Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy) versions prior to 9.5 allows authenticated attackers to extract sensitive data by injecting crafted input into multiple Search Filter parameters. The CVSS 4.0 score of 8.7 reflects high confidentiality and integrity impact over the network with low attacker privileges required, and a vendor patch is available in version 9.5. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Information Disclosure
SQLi
-
CVE-2026-23663
HIGH
CVSS 7.5
Privilege elevation in Microsoft Entra ID (formerly Azure AD), specifically affecting Microsoft Global Secure Access (GSA), allows remote unauthenticated attackers to gain elevated privileges over the network. The CVSS 7.5 rating reflects high confidentiality impact with no required authentication or user interaction, though no public exploit has been identified at time of analysis. The vector points to a flaw in how identity or access tokens are evaluated, which is particularly sensitive given Entra ID's role as a primary IAM backbone for Microsoft 365 and Azure tenants.
Privilege Escalation
Microsoft
-
CVE-2026-9291
HIGH
CVSS 7.1
Arbitrary code execution in Amazon Braket Python SDK versions prior to 1.117.0 allows an authenticated attacker with S3 write access to the job output bucket to compromise any client machine that processes those job results. The flaw stems from insecure pickle deserialization in the job results processing component, and while no public exploit has been identified at time of analysis, the impact extends to every downstream consumer of poisoned results. EPSS data is unavailable, but the supply-chain-style propagation across analyst workstations and CI systems materially raises real-world risk.
RCE
Deserialization
Amazon Braket Python Sdk
-
CVE-2026-9277
HIGH
CVSS 8.1
Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitrary shell commands via unescaped line terminators in the .op field. Affects the quote() API and parse() flows that accept object tokens, with no public exploit identified at time of analysis but a vendor-released upstream fix in commit 1518179. EPSS data was not provided, but the package's massive ecosystem footprint (millions of weekly npm downloads) makes downstream supply-chain exposure substantial.
Command Injection
Red Hat
-
CVE-2026-9256
HIGH
CVSS 8.1
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers to crash worker processes and potentially achieve code execution via crafted HTTP requests targeting servers using rewrite directives with overlapping PCRE captures. The flaw affects a core HTTP module shipped in default builds, making widespread exposure plausible wherever vulnerable rewrite rules are configured, though exploitation requires specific configuration prerequisites and ASLR bypass for full RCE. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Buffer Overflow
Heap Overflow
Nginx
Red Hat
Nginx Open Source
-
CVE-2026-9255
HIGH
CVSS 7.8
Arbitrary tool and shell command execution in AWS Kiro CLI before 1.28.0 occurs because the tool authorization prompt does not validate the source of its input, allowing attacker-controlled content piped via stdin to satisfy approval prompts on behalf of the user. An attacker who can get a victim to pipe untrusted content (file, curl output, clipboard, etc.) into kiro-cli can invoke any built-in tool - including shell - bypassing the human-in-the-loop confirmation step. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authentication Bypass
Kiro Cli
-
CVE-2026-9018
HIGH
CVSS 8.8
Unauthenticated privilege escalation in the Easy Elements for Elementor WordPress plugin through version 1.4.5 allows remote attackers to register administrator accounts by abusing an unchecked custom_meta parameter in the eel_register AJAX handler. The flaw lets attackers overwrite the wp_capabilities user meta after wp_insert_user() has assigned a safe role, granting full site takeover. No public exploit identified at time of analysis, and the CVSS vector's PR:L appears inconsistent with the description's explicit unauthenticated abuse path.
WordPress
Privilege Escalation
-
CVE-2026-9011
HIGH
CVSS 7.5
Unauthorized data disclosure in the Ditty - Responsive News Tickers, Sliders, and Lists WordPress plugin (versions 0 through 3.1.65) allows unauthenticated remote attackers to retrieve the full contents of non-public Ditty entries - including drafts, pending, scheduled, and disabled posts - by enumerating integer post IDs against the ditty_init AJAX endpoint. The flaw stems from the init_ajax() handler omitting the 'publish' post status check that its non-AJAX counterpart performs, exposing content administrators deliberately withheld from public view. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
WordPress
Authentication Bypass
Ditty Responsive News Tickers Sliders And Lists
-
CVE-2026-8992
HIGH
CVSS 8.8
Remote code execution in Ivanti Secure Access Client versions prior to 22.8R6 allows unauthenticated attackers to run arbitrary code on endpoints by exploiting improper TLS certificate validation, contingent on user interaction (UI:R). No public exploit identified at time of analysis, but the CVSS 8.8 rating and Ivanti's own advisory disclosure mark this as a high-priority client-side risk for organizations using the VPN client.
RCE
Ivanti
Secure Access Client
-
CVE-2026-8679
HIGH
CVSS 7.5
Unauthorized playlist data disclosure in the AudioIgniter WordPress plugin (≤2.0.2) allows remote unauthenticated attackers to retrieve track metadata for non-public playlists via the /audioigniter/playlist/{id}/ rewrite endpoint. The handle_playlist_endpoint() function validates only post_type, omitting authentication, capability, and post_status checks, so draft, private, pending, and trashed playlists are reachable by ID enumeration. No public exploit identified at time of analysis; the issue is fixed in version 2.0.3 per the vendor commit.
WordPress
Authentication Bypass
Audioigniter Music Player
-
CVE-2026-8671
HIGH
CVSS 7.5
Sensitive information disclosure in syslink software AG Avantra (versions before 25.3.0) on Linux and Windows allows an attacker with high privileges and adjacent network access to harvest data written into log files, with a scope-changed impact crossing trust boundaries. The flaw is tracked as CWE-532 and rated CVSS 7.5, but no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Information Disclosure
Microsoft
Avantra
-
CVE-2026-6406
HIGH
CVSS 8.8
Enhanced Container Isolation (ECI) bypass in Docker Desktop allows a local low-privileged user with Docker CLI access to mount the Docker Engine socket into a container by invoking the --use-api-socket flag, granting full Docker Engine control and exposure of registry credentials. The flaw stems from the API proxy inspecting only HostConfig.Binds while the flag routes the mount through HostConfig.Mounts, slipping past ECI policy. No public exploit identified at time of analysis, but the issue was reported by Docker itself and disclosed via ZDI (ZDI-26-299).
Authentication Bypass
Docker
Docker Desktop
-
CVE-2026-5843
HIGH
CVSS 8.2
Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to escape to the host by serving a malicious model whose config.json points model_file at a Python file. The MLX inference backend uses MLX-LM's importlib-based loader with no trust_remote_code gate and no sandbox, so a pull-and-infer request to model-runner.docker.internal executes attacker code as the Docker Desktop user. No public exploit identified at time of analysis and KEV status is not indicated.
RCE
Python
Docker
Apple
Docker Desktop
-
CVE-2026-5817
HIGH
CVSS 8.2
Arbitrary code execution in Docker Model Runner's vllm-metal inference backend on macOS allows any container on the Docker network to execute Python code on the host as the Docker Desktop user. The vllm-metal backend hardcodes trust_remote_code=True when loading tokenizers and runs unsandboxed, so any model pulled from an OCI registry can ship attacker-controlled Python that executes when inference is requested via the model-runner.docker.internal API. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
RCE
Python
Docker
Apple
Docker Desktop
-
CVE-2026-5740
HIGH
CVSS 7.5
Denial of service in Mattermost server (versions 11.6.0, 11.5.0-11.5.3, 11.4.0-11.4.4, and 10.11.0-10.11.14) allows remote attackers to crash the server process by sending a crafted msgpack-encoded binary WebSocket frame to the public endpoint. The flaw stems from missing validation of frame sizes before memory allocation, enabling a full service outage for all users. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects the unauthenticated network-reachable nature of the attack with high availability impact.
Denial Of Service
Mattermost
-
CVE-2026-4834
HIGH
CVSS 7.5
Unauthenticated SQL injection in the WP ERP Pro WordPress plugin (versions through 1.5.1) allows remote attackers to extract sensitive database contents by manipulating the 'search_key' parameter. The flaw stems from missing input escaping and unprepared SQL statements, enabling UNION-based or appended query attacks against any WordPress site running the affected plugin. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
WordPress
SQLi
-
CVE-2026-3294
HIGH
CVSS 8.7
An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation.
Successful exploitation allows an attacker to obtain full administ...
Information Disclosure
TP-Link
-
CVE-2026-47166
MEDIUM
CVSS 5.7
Heap buffer over-read in ImageMagick's distributed pixel cache server affects all Magick.NET NuGet package variants prior to version 14.12.0. An attacker with the ability to connect to a running `magick -distribute-cache` service can trigger an out-of-bounds read (CWE-125) in the server process, resulting in high-severity confidentiality impact (memory disclosure) and availability impact (potential crash). No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.7 reflects meaningful mitigating constraints: high attack complexity and high privileges required per the vector.
Buffer Overflow
Information Disclosure
-
CVE-2026-47165
MEDIUM
CVSS 4.1
Information disclosure in Magick.NET's distributed pixel cache server exposes sensitive pixel data due to the absence of a challenge-response authentication model on the cache service. All Magick.NET NuGet packages (Q16, Q16-HDRI, and OpenMP variants across AnyCPU, x64, x86, arm64 architectures) prior to version 14.12.0 are affected. A highly privileged local attacker meeting the high-complexity conditions of this vulnerability could read pixel cache contents belonging to other processes, leaking potentially sensitive image data. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Information Disclosure
-
CVE-2026-46715
MEDIUM
Session freshness bypass in Flask-Security-Too 5.8.0 allows an attacker who controls a stale authenticated victim session to satisfy the victim session's reauthentication requirement using their own OAuth identity, not the victim's. The flaw in `oauth_glue.py` causes `oauth_verify_response()` to update `session["fs_paa"]` (the freshness timestamp) without verifying that the OAuth-resolved user matches the currently authenticated session user. Exploitation was confirmed via a detailed proof-of-concept that successfully changed a victim user's username through the built-in `/change-username` route after bypassing the freshness gate. Publicly available exploit code exists; no CISA KEV listing at time of analysis.
Authentication Bypass
Python
CSRF
-
CVE-2026-46693
MEDIUM
CVSS 4.1
File descriptor hijacking in ImageMagick's distributed pixel cache server (magick -distribute-cache) exposes sensitive data via a race condition exploitable by a privileged local attacker. Affected are all Magick.NET NuGet packages across Q16, Q16-HDRI, OpenMP, and ARM64 variants prior to version 14.12.0. Successful exploitation yields high-confidentiality impact - an attacker can read file descriptors belonging to the server process - though no public exploit code exists and this is not currently listed in the CISA KEV catalog.
Information Disclosure
Race Condition
-
CVE-2026-46692
MEDIUM
CVSS 4.1
Heap buffer over-write in ImageMagick's distributed pixel cache server (`magick -distribute-cache`) allows an attacker who can connect to the service to corrupt the server process's heap memory, resulting in a high-severity denial-of-service condition. All Magick.NET NuGet package variants (Q16, HDRI, OpenMP, across arm64/x64/x86/AnyCPU architectures) prior to version 14.12.0 are confirmed affected. No public exploit has been identified at time of analysis and the vulnerability does not appear in CISA KEV; however, a notable discrepancy exists between the CVSS attack vector (AV:L, local) and the description's implication of service-level connectivity, which warrants independent verification before fully trusting the low CVSS score.
Buffer Overflow
Heap Overflow
-
CVE-2026-46598
MEDIUM
CVSS 5.3
Panic-induced denial of service in the golang.org/x/crypto/ssh/agent package allows remote unauthenticated attackers to crash processes by submitting specially crafted SSH agent protocol messages containing malformed wire-format bytes that are unsafely cast into an ed25519.PrivateKey without sufficient validation. All versions of golang.org/x/crypto/ssh/agent prior to 0.52.0 are affected. No public exploit exists at time of analysis (EPSS 0.02%), though the SSVC framework flags the attack as automatable, and a vendor patch is available.
Information Disclosure
Golang Org X Crypto Ssh Agent
-
CVE-2026-44409
MEDIUM
CVSS 5.7
Unauthorized information disclosure in the ZTE MU5250 5G mobile router allows an adjacent-network attacker with low-privilege access to retrieve sensitive information due to misconfigured access control mechanisms. The vulnerability carries a CVSS 3.1 base score of 5.7 (Medium) with high confidentiality impact, confirmed by ZTE through their own security bulletin. No public exploit code or CISA KEV listing has been identified at time of analysis, limiting immediate mass-exploitation risk, though the high confidentiality impact (C:H) warrants timely remediation in network-sensitive deployments.
Information Disclosure
Zte
-
CVE-2026-42827
MEDIUM
CVSS 6.5
Command injection in Microsoft 365 Copilot exposes sensitive information to unauthenticated remote attackers when a victim user interacts with attacker-controlled content, resulting in High confidentiality impact with no integrity or availability effect. The vulnerability carries a CVSS 6.5 (Medium) score, reflecting network accessibility and low attack complexity offset by a mandatory user interaction requirement. No public exploit code exists at time of analysis, and Microsoft has released an official patch documented via the Microsoft Security Response Center.
Command Injection
-
CVE-2026-41073
MEDIUM
CVSS 4.6
Spreadsheet formula injection in Best Practical Request Tracker (RT) allows a low-privileged authenticated attacker to embed malicious formulas in ticket fields that execute when an administrator or staff member exports data to CSV and opens the file in a spreadsheet application. Affected versions span the entire RT 5.0 line prior to 5.0.10 and RT 6.0.0 through 6.0.2. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, but the attack surface is broad given that CSV exports are a routine administrative workflow in ticketing systems.
Code Injection
-
CVE-2026-41069
MEDIUM
CVSS 6.5
Out-of-bounds read in libheif versions 1.21.2 and prior crashes any application that parses attacker-controlled HEIF sequence files, resulting in denial of service. The defect lives in the SampleAuxInfoReader constructor, which enters its processing loop when saiz.sample_count > 0 even though stco.entry_count == 0 left the chunks vector empty; dereferencing chunks[0] then triggers the crash. No public exploit code has been identified at time of analysis, but the attack requires only that a user open or process a specially crafted HEIF file, making it relevant wherever libheif is embedded in image-handling applications (browsers, media libraries, operating-system image stacks). Vendor-released patch v1.22.0 is available.
Buffer Overflow
Information Disclosure
-
CVE-2026-39969
MEDIUM
CVSS 6.5
Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to unauthenticated webhook spoofing by any network-accessible attacker. The endpoint POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook ignores the x-hub-signature-256 header that Meta includes with every legitimate delivery, and because both path parameters are semi-public by design - appearing in web server access logs and Meta's webhook configuration dashboard - the attack surface is readily discoverable. Successful exploitation allows an attacker to trigger arbitrary bot automation flows, consume API resources, and abuse external service integrations using the workspace owner's stored credentials. No public exploit identified at time of analysis; vendor-released patch available in version 3.17.0.
Authentication Bypass
Typebot Io
-
CVE-2026-39966
MEDIUM
CVSS 6.5
Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a broken authorization check in the getLinkedTypebots API endpoint, constituting a classic IDOR. The root cause is a JavaScript async/await misuse: Array.filter() is synchronous, so passing it an async callback causes every bot to pass the filter - the isReadTypebotForbidden predicate is never actually evaluated. Sensitive data leaked includes embedded credentials, API keys, PII stored as variables, webhook URLs, and integration configurations from any other user's private workspace bots. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the exposure of hardcoded secrets elevates practical risk significantly beyond what the 6.5 CVSS score suggests.
Authentication Bypass
Typebot Io
-
CVE-2026-39964
MEDIUM
CVSS 5.4
Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including free-tier users - to inject arbitrary JavaScript into a visitor's browser by setting a rich text bubble link URL to a javascript: URI. When a visitor clicks the malicious link within an embedded bot, the payload executes in the host page's origin (S:C scope change), enabling exfiltration of cookies and session tokens from the embedding third-party site. No public exploit code or active exploitation is confirmed at time of analysis; a vendor-released patch is available in v3.16.0.
XSS
Typebot Io
-
CVE-2026-39835
MEDIUM
CVSS 5.3
Unauthenticated remote clients can crash SSH servers built with golang.org/x/crypto/ssh by presenting a certificate during the handshake when CertChecker is used as a public key callback without initializing IsUserAuthority or IsHostAuthority. All versions prior to 0.52.0 are affected; the nil function pointer dereference causes a Go runtime panic that terminates the SSH service. No public exploit code has been identified and EPSS places exploitation probability at the 1st percentile (0.01%), though the attack requires no authentication and low complexity per the CVSS vector.
Information Disclosure
Golang Org X Crypto Ssh
-
CVE-2026-28735
MEDIUM
CVSS 5.4
OAuth scope validation bypass in Mattermost's GitHub integration allows authenticated users to escalate repository access beyond what was originally authorized. By manipulating the scope parameter in the GitHub OAuth authorization URL before the callback is processed, a low-privileged Mattermost user can obtain a GitHub token with broader permissions - including access to private repositories - than the application intended to grant. The flaw affects versions across four active release branches (10.11.x through 11.6.x); no public exploit has been identified at time of analysis and it is not listed in CISA KEV, but the low complexity and authentication-only barrier make it a realistic insider or compromised-account risk.
Authentication Bypass
Mattermost
-
CVE-2026-28444
MEDIUM
CVSS 6.5
Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read execution logs belonging to other workspaces by supplying an arbitrary victim resultId alongside their own authorized typebotId. The endpoint authorizes the caller by typebotId but fetches log records by resultId alone, skipping cross-ownership validation that all peer endpoints in the same router correctly enforce. Exploitation exposes sensitive runtime data including HTTP response bodies, AI model outputs, and webhook payloads. No public exploit or CISA KEV listing has been identified at time of analysis, but the straightforward nature of the IDOR - requiring only a valid session and a guessed or enumerated resultId - makes unauthorized data access realistic for any authenticated platform user.
Authentication Bypass
Information Disclosure
Typebot Io
-
CVE-2026-25607
MEDIUM
CVSS 5.7
Weak password encoding in STER (all versions before 9.5) exposes stored credentials to local reverse-engineering by any low-privileged user on the system. The root cause (CWE-261) is use of a reversible or insufficiently one-way encoding scheme rather than a cryptographically strong hashing algorithm, enabling an attacker who can observe encoded password data to deduce plaintext values by analyzing patterns across known-value samples. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact (VC:H in CVSS 4.0) confirms that successful exploitation fully exposes affected credentials. The issue was reported by CERT-PL and fixed by CIOP-PIB in version 9.5.
Information Disclosure
-
CVE-2026-9104
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in the Draft List WordPress plugin (versions up to and including 2.6.3) allows authenticated attackers with author-level access to inject arbitrary web scripts into draft post titles using attribute-breakout techniques. The critical aggravating factor is the changed scope (S:C in CVSS): the unescaped rendering path is specifically triggered for users who lack edit capabilities, meaning the payload executes against unauthenticated visitors and subscribers - not just privileged users. No public exploit has been identified at time of analysis, but Wordfence disclosure and the low privilege bar (author-level sufficient) make this a meaningful cross-user threat in any multi-author WordPress environment.
WordPress
XSS
-
CVE-2026-9053
MEDIUM
CVSS 6.9
File disclosure via malicious HTML file upload default values in Mothra, the web browser bundled with the 9front Plan 9 fork, allows a remote unauthenticated attacker to exfiltrate arbitrary local files from a victim's filesystem. By crafting a webpage containing a hidden file input element with a pre-set malicious default path, the attacker can cause Mothra to silently submit a targeted local file to an attacker-controlled server upon user interaction. The CVSS 4.0 E:P supplemental metric indicates publicly available proof-of-concept exploit code exists; no CISA KEV listing is present, suggesting exploitation is not yet confirmed at scale.
File Upload
9Front
-
CVE-2026-8997
MEDIUM
CVSS 4.8
vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the hist...
Buffer Overflow
Heap Overflow
Vifm
-
CVE-2026-8692
MEDIUM
CVSS 4.3
Authorization bypass in the Vedrixa Forms WordPress plugin (all versions through 1.1.1) permits authenticated attackers with subscriber-level access to overwrite the structure of any registration form by writing attacker-controlled data directly to the plugin's FORMS database table. The root cause is a missing authorization check on the form-saving AJAX handler, compounded by the fact that the required ajax-nonce is publicly exposed via wp_localize_script() on any page rendering a form shortcode - meaning any authenticated visitor can harvest the nonce without elevated privileges. The vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis; however, on open-registration WordPress sites the subscriber-level barrier is trivially bypassed.
WordPress
Authentication Bypass
Vedrixa Forms User Registration Form Signup Form Drag Drop Form Builder
-
CVE-2026-8684
MEDIUM
CVSS 5.3
Authorization bypass in MotoPress Hotel Booking plugin for WordPress (all versions through 6.0.1) allows unauthenticated remote attackers to overwrite or delete internal booking notes for any reservation by supplying an arbitrary booking ID. The root cause is a nonce that is unconditionally output into every public page's HTML via wp_localize_script under MPHB._data.nonces, meaning any site visitor - without an account or any prior interaction - can obtain a valid nonce and invoke the update-booking-notes AJAX action against any booking. No public exploit code has been identified at time of analysis, but the trivially accessible nonce makes this effectively zero-friction to abuse.
WordPress
Authentication Bypass
Motopress Hotel Booking
-
CVE-2026-8673
MEDIUM
CVSS 5.9
Unprotected credential transport in syslink software AG Avantra before version 25.3.0 exposes authentication material to network-layer interception on both Linux and Windows deployments. The vulnerability, classified under CWE-523, allows a suitably positioned network adversary to capture credentials in transit, with the CVSS vector indicating high confidentiality and integrity impact upon successful exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the high attack complexity and high privilege prerequisite meaningfully constrain the realistic attacker population.
Information Disclosure
Microsoft
Avantra
-
CVE-2026-8672
MEDIUM
CVSS 5.1
Default credential exposure in syslink software AG Avantra (all versions before 25.3.0) on Linux and Windows allows a local attacker with high-privilege access to authenticate using known default passwords, achieving high confidentiality impact against monitoring data and infrastructure configurations managed by the platform. Reported by NCSC.ch and addressed in version 25.3.0, this CWE-1393 flaw represents an insider threat or post-compromise lateral movement risk for organizations running Avantra in SAP and IT operations environments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.
Information Disclosure
Microsoft
Avantra
-
CVE-2026-8381
MEDIUM
CVSS 5.4
Broken access control in TeamViewer DEX Platform (On-Premises) before version 9.2 allows authenticated low-privileged users to invoke administrative API endpoints and access sensitive resources outside their authorized scope. The root cause is CWE-862 (Missing Authorization) - backend API endpoints omit proper role-based authorization checks despite confirming user identity. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, but the network-accessible attack vector and low complexity make exploitation straightforward for any user holding valid platform credentials.
Authentication Bypass
Dex On Premises
-
CVE-2026-7798
MEDIUM
CVSS 5.4
Blind Server-Side Request Forgery in FluentCRM (WordPress plugin, all versions ≤2.9.87) allows unauthenticated remote attackers to coerce the web server into issuing arbitrary HTTP requests via the 'SubscribeURL' parameter in SES bounce handling. Exploitation is constrained to sites where the SES bounce handling key has never been initialized - a default state that persists until an administrator visits the bounce configuration page. Successfully exploited, this flaw can be used to probe and interact with internal services (cloud metadata endpoints, intranet APIs, adjacent containers), achieving limited but meaningful confidentiality and integrity impact across a changed scope. No public exploit or CISA KEV listing exists at time of analysis, though source code references expose the vulnerable code path directly.
WordPress
SSRF
Fluentcrm Email Newsletter Automation Email Marketing Email Campaigns Optins Leads And Crm Solution
-
CVE-2026-7636
MEDIUM
CVSS 4.3
Sensitive information exposure in the Slider by Soliloquy WordPress plugin (versions ≤ 2.8.1) allows authenticated attackers with subscriber-level access to read draft slider content that should be restricted to administrators and editors. The flaw exists in the plugin's map_meta_cap implementation within posttype.php, where capability checks are insufficiently enforced, permitting low-privileged users to retrieve draft slider metadata including unpublished media URLs, captions, and full slider configuration details. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
WordPress
Information Disclosure
Slider By Soliloquy Responsive Image Slider For Wordpress
-
CVE-2026-7615
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in the Widget Context WordPress plugin (all versions ≤ 1.3.3) allows unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table by forging a POST request to /wp-admin/widgets.php. The root cause is missing or incorrect nonce validation in the save_widget_context_settings function, confirmed by Wordfence and corroborated by source code references at WidgetContext.php lines 91, 282, and 311. Exploitation requires social engineering a logged-in administrator into clicking an attacker-controlled link; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
PHP
WordPress
CSRF
Widget Context
-
CVE-2026-7509
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in the KIA Subtitle WordPress plugin (all versions through 4.0.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the `before` and `after` attributes of the `the-subtitle` shortcode. Any site visitor loading a page containing the injected shortcode will execute the attacker's script in their browser context. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor) and network-accessible attack vector make this a meaningful risk for multi-author WordPress sites.
WordPress
XSS
-
CVE-2026-7249
MEDIUM
CVSS 4.3
Unauthorized modification of weather display settings in the Location Weather WordPress plugin (versions ≤3.0.2) is achievable by any authenticated user with Contributor-level access or above, due to missing capability checks on the administrative functions `splw_update_block_options()` and `lwp_clean_weather_transients()`. Affected sites expose the protective nonce to all authenticated sessions via `wp_localize_script()` on the `init` hook, neutralizing what would otherwise be a secondary CSRF defense and making exploitation straightforward for any logged-in user. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; real-world impact is limited to disruption of weather widget display and cache integrity rather than data theft or code execution.
WordPress
Authentication Bypass
-
CVE-2026-6864
MEDIUM
CVSS 6.1
Reflected Cross-Site Scripting in the CBX 5 Star Rating & Review WordPress plugin (versions up to and including 1.0.7) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'page' parameter rendered in administrative log templates. Successful exploitation requires social engineering an authenticated administrator into clicking a crafted URL, limiting automated mass exploitation while remaining a realistic threat in targeted phishing campaigns against WordPress site owners. No public exploit code or CISA KEV listing has been identified at time of analysis.
WordPress
XSS
-
CVE-2026-5755
MEDIUM
CVSS 6.5
Uncontrolled memory allocation in Mattermost's TIFF image processing allows authenticated users to trigger server-side out-of-memory (OOM) conditions, effectively taking down the collaboration platform. Affected are all Mattermost deployments running versions 10.11.x through 11.6.0. Any account holding file upload or URL-posting permissions can exploit this remotely without elevated privileges, making it a realistic insider or compromised-account threat. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad authentication base increase practical risk.
Denial Of Service
File Upload
Mattermost
-
CVE-2026-5308
MEDIUM
CVSS 4.9
Denial of service in Mattermost's plugin HTTP endpoint layer allows an authenticated high-privilege attacker to exhaust server resources by sending crafted oversized HTTP request bodies. The flaw affects four concurrent release branches - 10.11.x through 11.6.x - and has no published EPSS score and no confirmed active exploitation or public proof-of-concept at time of analysis. The CVSS score of 4.9 (Medium) accurately reflects the high-privilege prerequisite that meaningfully limits the realistic attacker population, though availability impact is rated High, meaning successful exploitation disrupts service availability entirely.
Denial Of Service
Mattermost
-
CVE-2026-4646
MEDIUM
CVSS 4.3
Authenticated denial-of-service in Mattermost's plugin subsystem allows a low-privileged user to crash the plugin process by sending a crafted HTTP request to the PR details API endpoint. Affecting four active release branches (10.11.x, 11.4.x, 11.5.x, 11.6.x), the flaw stems from missing input validation in API request handlers (CWE-1287). No public exploit code exists and the vulnerability is not listed in CISA KEV; however, the low authentication barrier (any valid account) combined with network accessibility makes it a realistic insider or post-compromise nuisance risk.
Denial Of Service
Mattermost
-
CVE-2026-4635
MEDIUM
CVSS 6.5
Server crash via race condition in Mattermost's persistent notification and channel archival subsystem allows any low-privileged authenticated user to bring down the server with no user interaction required. Affected branches span 10.11.x through 11.6.x across multiple maintenance lines. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the low authentication bar combined with network accessibility and low attack complexity makes this a credible insider threat or targeted denial-of-service vector against any exposed Mattermost deployment.
Denial Of Service
Race Condition
Mattermost
-
CVE-2026-4070
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in the Alfie - Feed Plugin for WordPress (all versions ≤ 1.2.1) allows unauthenticated remote attackers to delete arbitrary plugin feed data by tricking a logged-in site administrator into clicking a crafted link. The missing nonce validation on the alfie_manage() function means any forged GET request containing the 'delete' parameter will be processed without verifying its origin, permanently removing records from the plugin's four database tables. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and purely social-engineering prerequisite make it a credible threat against active WordPress sites using this plugin.
WordPress
CSRF
-
CVE-2026-3636
MEDIUM
CVSS 4.3
Team member role data leaks from Mattermost's API across multiple actively maintained release branches due to missing sanitization of response payloads for low-privilege callers. Any authenticated user - regardless of their team role - can invoke standard team API endpoints and receive unsanitized member objects that expose role designations such as admin or system_admin. The vulnerability spans 10.11.x through 11.6.x, has no public exploit code, and is not listed in CISA KEV, but the low attack complexity and broad version coverage make it a meaningful reconnaissance risk in enterprise or multi-tenant deployments.
Information Disclosure
Mattermost
-
CVE-2026-3481
MEDIUM
CVSS 6.1
Reflected Cross-Site Scripting in WP Blockade - Visual Page Builder (all versions through 0.9.14) allows authenticated attackers holding at minimum a WordPress Subscriber-level account to inject arbitrary JavaScript into pages rendered in a victim's browser. The vulnerability exists in the render_shortcode_preview() function, which passes raw GET input through do_shortcode() without sanitization or output escaping - when the input is not a recognized shortcode, WordPress returns it verbatim, causing any embedded script to execute. Exploitation requires social engineering an authenticated user (e.g., an admin) into clicking a crafted link, but the low barrier to entry (Subscriber-level account) significantly widens the attacker pool on multi-user WordPress installations. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
WordPress
XSS
-
CVE-2026-3473
MEDIUM
CVSS 5.9
File ownership and access control enforcement is absent in the Boards API across four release branches of Mattermost, allowing any authenticated user to access and download files belonging to other users or teams by submitting crafted API requests containing valid file IDs. Affected deployments span versions 10.11.x through 11.6.x per EUVD-2026-31429 and vendor advisory MMSA-2026-00620. CVSS scores this at 5.9 (Medium) reflecting high attack complexity due to the file ID prerequisite; no public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis.
Authentication Bypass
Mattermost
-
CVE-2026-2518
MEDIUM
CVSS 4.3
Missing authorization controls in the FastX WordPress theme allow authenticated Subscriber-level users to install and activate the PostX plugin without administrative approval. The vulnerability exists in two AJAX callback functions - 'ultp_install_callback' and 'ultp_activate_callback' - which fail to verify whether the requesting user holds sufficient capabilities before executing privileged plugin management operations. All versions up to and including 1.0.2 are affected per WPXPO's theme codebase on themes.trac.wordpress.org. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
WordPress
Authentication Bypass
-
CVE-2025-32751
MEDIUM
CVSS 5.5
Dell PowerFlex Manager versions 4.6.2 and earlier improperly store sensitive information in a manner accessible to low-privileged local users, resulting in unauthorized disclosure of confidential data with high confidentiality impact per CVSS. Affected deployments span both the Appliance and Rack form factors of the platform. No public exploit code has been identified at time of analysis and CISA KEV does not list this vulnerability, though the CWE-922 root cause and the 'Authentication Bypass' tag suggest the exposed data may include credentials or tokens that could enable downstream privilege escalation or lateral movement.
Authentication Bypass
Dell
Powerflex Manager
Powerflex Manager Appliance
Powerflex Manager Rack
-
CVE-2025-32749
MEDIUM
CVSS 5.3
Directory listing exposure in Dell PowerFlex Manager versions 4.6.2 and earlier allows an attacker to enumerate directory contents, potentially revealing sensitive files, configuration data, or internal path structures. Both the Appliance and Rack deployment forms are confirmed affected per Dell advisories DSA-2025-434 and DSA-2025-435. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the combination of Information Disclosure and Privilege Escalation tags suggests the exposed directory contents may facilitate further privilege escalation beyond initial information leakage.
Privilege Escalation
Information Disclosure
Dell
Powerflex Manager
Powerflex Manager Appliance
-
CVE-2025-32747
MEDIUM
CVSS 5.3
Incorrect Privilege Assignment in Dell PowerFlex Manager version 4.6.2 and earlier (both Appliance and Rack form factors) allows a low-privileged local attacker to escalate their privileges, impacting confidentiality, integrity, and availability at a low level each (CVSS 5.3 Medium, CWE-266). Dell has published dual advisories (DSA-2025-434 and DSA-2025-435) addressing the Appliance and Rack variants respectively. No public exploit code and no active exploitation have been identified at time of analysis.
Information Disclosure
Dell
Powerflex Manager
Powerflex Manager Appliance
Powerflex Manager Rack
-
CVE-2025-32746
MEDIUM
CVSS 4.0
Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 exposes credentials, keys, or configuration secrets to any attacker with local OS-level access to the appliance - no PowerFlex Manager authentication required. The CVSS vector (AV:L/AC:L/PR:N/UI:N) confirms the attacker needs only local system access, not application credentials, to retrieve the improperly protected data. No public exploit identified at time of analysis and no CISA KEV listing; however, the 'Authentication Bypass' tag in the intelligence data suggests the exposed sensitive material may itself enable downstream privilege escalation or authentication bypass against PowerFlex or its managed infrastructure.
Authentication Bypass
Dell
Powerflex Manager
Powerflex Manager Appliance
Powerflex Manager Rack
-
CVE-2025-32745
MEDIUM
CVSS 4.2
Improper certificate validation in Dell PowerFlex Manager version 4.6.2 and earlier allows an unauthenticated attacker on an adjacent network to intercept and tamper with protected communications. The flaw (CWE-295) means the product fails to adequately verify peer certificates during TLS/SSL exchanges, enabling a man-in-the-middle position to read or modify in-transit management data. No active exploitation is confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Information Disclosure
Dell
Powerflex Manager
Powerflex Manager Appliance
Powerflex Manager Rack
-
CVE-2025-26483
MEDIUM
CVSS 6.1
Open redirect vulnerability in Dell PowerFlex Manager 4.6.2 and prior enables unauthenticated remote attackers to craft malicious application URLs that silently redirect targeted users to arbitrary attacker-controlled web destinations. Exploitation requires user interaction (CVSS UI:R) - a victim must follow a specially crafted link - but no authentication or special privileges are needed on the attacker's side. The primary risk is phishing: because the initial URL appears to point at a legitimate Dell infrastructure management portal, users are more likely to trust and follow it, making credential theft or sensitive data disclosure against PowerFlex administrators a realistic outcome. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Open Redirect
Dell
Powerflex Manager
Powerflex Manager Appliance
Powerflex Manager Rack
-
CVE-2026-44930
None
CVSS 4.3
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Apache
LDAP
Code Injection
Apache Cxf
-
CVE-2026-44618
None
CVSS 5.3
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Apache
XXE
Apache Cxf
-
CVE-2026-44417
None
CVSS 7.5
The fix for CVE-2025-48913 (Apache CXF: Untrusted JMS configuration can lead to RCE) was not complete, meaning that another code path might lead to code execution if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, ...
RCE
Apache
Apache Cxf
-
CVE-2026-42626
None
CVSS 5.9
HP ENVY 5000 series printers VERBASPP1N003.2237A.00 do not properly manage concurrent TCP connections to port 9100 (JetDirect/RAW printing). An unauthenticated remote attacker on the same network can establish a persistent connection to port 9100 and send keep-alive packets, causing the printer's se...
Denial Of Service
HP
N A
-
CVE-2026-42506
None
CVSS 6.1
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
XSS
Golang Org X Net Html
-
CVE-2026-42502
None
CVSS 6.1
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
XSS
Golang Org X Net Html
-
CVE-2026-40166
None
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing se...
Information Disclosure
Authentik
-
CVE-2026-39970
None
TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading a c...
XSS
Typebot Io
-
CVE-2026-39967
LOW
CVSS 3.1
Cross-typebot result data leakage in Typebot versions 3.15.2 and prior allows an authenticated user to read session variables, prior answers, and PII from a different typebot by supplying a foreign resultId to the startChat endpoint. The bot engine's findResult query omits typebotId from its database filter (CWE-639 IDOR), so any valid result record is returned regardless of which typebot owns it. If the attacker possesses a valid CUID2 resultId from another typebot and that typebot has rememberUser enabled, they can read the original user's names, emails, phone numbers, and other session variables exposed through matching variable names. No public exploit has been identified at time of analysis; vendor-released patch is available in version 3.16.0.
Authentication Bypass
-
CVE-2026-39831
None
CVSS 9.1
The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, ...
Authentication Bypass
Golang
SSH
Golang Org X Crypto Ssh
-
CVE-2026-39830
None
CVSS 9.1
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
Denial Of Service
Golang
SSH
Golang Org X Crypto Ssh
-
CVE-2026-39829
None
CVSS 7.5
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key...
Denial Of Service
Golang
SSH
Golang Org X Crypto Ssh
-
CVE-2026-39828
None
CVSS 6.3
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now...
Authentication Bypass
Golang
SSH
Golang Org X Crypto Ssh
-
CVE-2026-39824
LOW
CVSS 3.3
Integer overflow in NewNTUnicodeString within the Go extended syscall package for Windows allows a local low-privileged attacker to silently inject a truncated NTUnicodeString into applications that expect validation failures on oversized input. Affected is golang.org/x/sys/windows before version 0.44.0. Because the function returns a truncated result rather than an error, consuming code may proceed with a malformed string, potentially bypassing length-based security checks or causing downstream logic errors - no public exploit has been identified at time of analysis and EPSS exploitation probability is 0.02%.
Buffer Overflow
Integer Overflow
Golang Org X Sys Windows
-
CVE-2026-37470
None
CVSS 7.3
An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitrary code via the Authentication interface, login page endpoint, and HTTP response security headers components.
RCE
N A
-
CVE-2026-36228
None
CVSS 7.3
Buffer Overflow vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the chat message functionality.
RCE
Buffer Overflow
N A
-
CVE-2026-36227
None
CVSS 6.5
Directory Traversal vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the UserName parameter.
RCE
Path Traversal
N A
-
CVE-2026-36226
None
CVSS 6.1
Cross Site Scripting vulnerability in Advantech WebAccess/SCADA 8.0-2015.08.16 allows a remote attacker to obtain sensitive information via the decryption field in the Create New Project User component.
XSS
N A
-
CVE-2026-27136
None
CVSS 6.1
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
XSS
Golang Org X Net Html
-
CVE-2026-25681
None
CVSS 6.1
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
XSS
Golang Org X Net Html
-
CVE-2026-25680
None
CVSS 6.5
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Denial Of Service
Golang Org X Net Html
-
CVE-2026-25608
LOW
CVSS 2.3
Cleartext TCP transmission in STER (by Poland's Central Institute for Labour Protection, CIOP) exposes sensitive data including passwords, personal data, and authentication tokens to interception. All versions prior to 9.5 are affected per EUVD-2026-31424. Exploitation requires the attacker to be pre-positioned on the network path (CVSS AT:P), limiting opportunistic mass exploitation, but poses meaningful risk in shared or corporate network environments where insider or adjacent-network threats exist. No public exploit code identified at time of analysis and no confirmed active exploitation (CISA KEV).
Information Disclosure
-
CVE-2026-9264
None
CVSS 9.3
A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to exe...
XSS
RCE
Information Disclosure
LFI
Sketchup
-
CVE-2026-9251
None
CVSS 5.4
Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request.
This issue affects:
* Devolutions ...
Authentication Bypass
Server
-
CVE-2026-9249
None
CVSS 3.1
Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Information Disclosure
Server
-
CVE-2026-9248
None
CVSS 2.6
Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request.
This issue affects:
* Devolutions Server 2026.1....
Authentication Bypass
Hashicorp
Server
-
CVE-2026-9247
None
CVSS 2.4
Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request.
This issue affects:
* Devolutions Server 2026.1.6.0 th...
Information Disclosure
Server
-
CVE-2026-9246
None
CVSS 4.3
Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request.
This issue affects:
* Devolutions Server 2026.1.6.0 th...
Authentication Bypass
Hashicorp
Server
-
CVE-2026-9245
None
CVSS 5.0
Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Dev...
Open Redirect
Server
-
CVE-2026-9224
None
CVSS 4.3
Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3....
Authentication Bypass
Server
-
CVE-2026-9223
None
CVSS 4.3
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
Authentication Bypass
Hashicorp
Server
-
CVE-2026-9047
None
CVSS 7.6
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors.
This issue affects:
* Devolutions...
Authentication Bypass
Server
-
CVE-2026-8477
None
CVSS 2.7
Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request.
This issue affe...
Information Disclosure
Server
-
CVE-2026-8353
LOW
CVSS 2.1
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious ...
XSS
Privilege Escalation
Concrete Cms
-
CVE-2026-8347
LOW
CVSS 2.3
Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with an incorrect authorization level in the Express association Reorder dialog. This can cause cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using Express and relying on Express entity ordering. The...
Authentication Bypass
Concrete Cms
-
CVE-2026-8340
LOW
CVSS 2.3
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. A victim with the edit_file_contents permission is CSRF'd into publishing an attacker-chosen, previously uploaded version (a downgrade to an older version of a file, or activation of a co-editor's unpublished version). The C...
CSRF
-
CVE-2026-7325
None
CVSS 7.1
Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server.
This issue affects:
...
SSRF
Server
-
CVE-2026-5171
None
CVSS 4.3
Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request.
This issue affects:
* Devolutions Server 2026.1.6.0 through...
Authentication Bypass
Server
-
CVE-2025-46371
LOW
CVSS 3.6
Broken or risky cryptographic algorithm use in Dell PowerFlex Manager's SSH component (versions ≤4.6.2) allows a locally authenticated low-privileged attacker to bypass SSH protection mechanisms, affecting both Appliance and Rack form factors. The CVSS vector (AV:L/AC:H/PR:L) reflects significant exploitation barriers: physical or logical local access is required, attack complexity is high, and impact is limited to partial confidentiality and integrity loss with no availability impact. Dell has published dual advisories (DSA-2025-434 for Appliance, DSA-2025-435 for Rack); no public exploit or CISA KEV listing exists at time of analysis.
Authentication Bypass
Dell
Powerflex Manager
Powerflex Manager Appliance
Powerflex Manager Rack
-
CVE-2025-45145
None
CVSS 7.5
Directory traversal in Follett Software's Destiny Library Manager 22_0_2_rc1 (fixed in v.22.5 AU1) allows remote attackers to read arbitrary system and application files via the image parameter.
Path Traversal
N A