Skip to main content
CVE-2026-34910 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute arbitrary operating system commands by sending crafted input that bypasses validation. The flaw carries a maximum CVSS 10.0 score with scope change (S:C) impacting confidentiality, integrity, and availability, and affects a broad fleet of UniFi gateways, NVRs, NAS units, and Cloud Keys. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Ubiquiti Command Injection Unifi Os Server Udm Udm Pro +28
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
Threat
5.0
CVE-2026-34909 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlying system, which can then be leveraged to take over an underlying account. The flaw carries a maximum CVSS 10.0 score reflecting unauthenticated network exploitation with scope change and full confidentiality, integrity, and availability impact across a broad fleet of UniFi gateways, cameras, NVRs, and NAS appliances. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Ubiquiti Path Traversal Unifi Os Server Udm Udm Pro +28
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
Threat
5.0
CVE-2026-34908 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configuration without authentication, affecting a broad range of UniFi gateways, dream machines, NVRs, NAS units, and cloud keys. The maximum CVSS 10.0 score reflects network-reachable, unauthenticated exploitation with scope change and full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the authentication bypass nature elevates urgency for any UniFi management plane exposed beyond trusted segments.

Ubiquiti Authentication Bypass Unifi Os Server Udm Udm Pro +28
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.0%
Threat
5.0
CVE-2026-46670 CRITICAL POC PATCH GHSA Act Now

Unauthenticated SQL injection in YesWiki's Bazar form-import path allows any remote visitor to inject arbitrary SQL into an INSERT statement and exfiltrate the entire database, including yeswiki_users.password hashes. Affects YesWiki 4.6.1, 4.6.2, and the doryphore-dev branch prior to 4.6.4. Publicly available exploit code exists (a working Python PoC is published in the GHSA advisory), though no public exploit identified in CISA KEV at time of analysis.

PHP Python SQLi Docker
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-9256 CRITICAL POC PATCH Act Now

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated remote attackers sending crafted HTTP requests that target rewrite directives using overlapping PCRE captures (e.g., $1$2 referencing ^/((.*))$) in redirect or arguments contexts. Impact ranges from worker process crash/restart to arbitrary code execution where ASLR is disabled or bypassed; publicly available exploit code exists, though EPSS exploitation probability is low (0.15%, 35th percentile) and the issue is not in CISA KEV.

Buffer Overflow Nginx Heap Overflow Nginx Plus Nginx Open Source
NVD VulDB GitHub
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-9277 CRITICAL POC PATCH GHSA Act Now

Shell command injection in the npm shell-quote library (versions >= 1.1.0, <= 1.8.3) lets attacker-influenced object tokens smuggle a literal newline through quote(), turning the supposedly shell-safe output into multiple commands. The .op field of an object token was escaped character-by-character with /(.)/g, which in JavaScript does not match line terminators, so a newline survived unescaped and POSIX shells treat everything after it as a second command. Publicly available exploit code exists and a vendor patch (1.8.4) is released, though EPSS is low (0.05%) and SSVC marks current exploitation as none, indicating opportunity-but-not-yet-widespread risk.

Command Injection
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-39830 CRITICAL POC PATCH GHSA Act Now

Resource exhaustion in the Go golang.org/x/crypto/ssh package allows a malicious SSH peer to leak goroutines and memory by sending unsolicited global request responses that fill an internal buffer and block the connection's read loop. Affected versions are below 0.52.0, and even calling Close() fails to release the blocked goroutine, enabling per-connection resource leaks against any Go application using this library as an SSH client or server. There is no public exploit identified at time of analysis, and the EPSS score of 0.02% (4th percentile) indicates very low observed exploitation interest despite the high CVSS rating.

Buffer Overflow Golang Org X Crypto Ssh
NVD VulDB GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-39832 CRITICAL POC PATCH GHSA Act Now

Constraint extension stripping in the golang.org/x/crypto SSH agent client (versions prior to 0.52.0) allows remote SSH hosts to use forwarded keys without the destination restrictions the user intended. When clients added keys to a remote agent, extensions such as restrict-destination-v00@openssh.com were silently dropped during serialization, effectively converting scoped keys into unrestricted ones on downstream hosts. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total and automatable.

SSH Deserialization Golang Org X Crypto Ssh Agent
NVD VulDB GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-40412 CRITICAL PATCH NO ACTION Monitor

Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous file types and execute arbitrary code, earning a maximum CVSS 10.0 score with scope change (S:C). Per Microsoft's MSRC advisory, a vendor patch is available, though no public exploit has been identified at time of analysis and the EPSS score was not provided in the source data.

Microsoft File Upload
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-41104 CRITICAL PATCH NO ACTION HOSTED Monitor

Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft malicious serialized payloads that the service processes, resulting in information disclosure across a trust boundary. The maximum CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction and a scope change, though no public exploit identified at time of analysis and EPSS data was not provided.

Microsoft Deserialization
NVD VulDB
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-23652 CRITICAL PATCH NO ACTION Monitor

Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-system commands against the platform, with a maximum CVSS score of 10.0 reflecting changed scope and full confidentiality, integrity, and availability impact. The flaw stems from improper neutralization of special elements in command construction (CWE-77), and while no public exploit has been identified at time of analysis, Microsoft has released a patch via MSRC. Given Power Pages is a multi-tenant SaaS offering, a successful exploit could pivot beyond the initial site boundary.

Microsoft Command Injection
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-47280 CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authentication and gain elevated privileges across the cloud control plane. The flaw carries a maximum CVSS score of 10.0 due to a scope change combined with full confidentiality, integrity, and availability impact, and although Microsoft has released a fix there is no public exploit identified at time of analysis. Given ARM is the central management layer for nearly all Azure resources, successful exploitation could have broad tenant-wide consequences.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-42901 CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Entra ID enables remote unauthenticated attackers to bypass origin validation and gain elevated privileges across tenant boundaries (scope-changed). The CVSS 10.0 rating reflects maximum impact across confidentiality, integrity, and availability with no authentication or user interaction required, though no public exploit has been identified at time of analysis and EPSS data is not provided.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-46595 CRITICAL PATCH GHSA Act Now

Authorization bypass in the Go golang.org/x/crypto/ssh package before version 0.52.0 allows remote attackers to circumvent source-address restrictions when SSH server configurations use callback authentication types other than public key. This is an incomplete-fix follow-up to CVE-2024-45337, which only addressed the public-key callback path while leaving other callback types vulnerable to the same source-address validation skip. No public exploit identified at time of analysis, EPSS is very low at 0.02%, and SSVC indicates no observed exploitation though the issue is automatable with partial technical impact.

Authentication Bypass Golang Org X Crypto Ssh
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-33712 CRITICAL Act Now

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers to abuse the preview chat endpoint to make arbitrary internal HTTP requests from the server. The flaw stems from the isolated-vm sandbox's fetch function calling Node.js native fetch without the SSRF validation (validateHttpReqUrl) that protects HTTP Request blocks, bypassing mitigations added after GHSA-8gq9-rw7v-3jpr. No public exploit identified at time of analysis, but the CVSS 10.0 (Critical) score with scope-changed impact indicates severe risk for both self-hosted and hosted deployments.

Node.js Authentication Bypass SSRF Typebot Io
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-40411 CRITICAL PATCH NO ACTION HOSTED Monitor

Remote code execution in Microsoft Azure Virtual Network Gateway allows an authenticated attacker with low privileges to execute arbitrary code across a network boundary due to improper input validation. The CVSS 9.9 score reflects scope-changed impact (S:C) where exploitation can compromise resources beyond the vulnerable component itself, affecting confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the high score and managed-service nature warrant priority attention.

Microsoft Information Disclosure
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-32253 CRITICAL Act Now

Authentication bypass in LizardByte Sunshine self-hosted game stream host (versions prior to 2026.516.143833) allows remote unauthenticated attackers to bypass client-certificate authentication and access protected HTTPS endpoints. The custom OpenSSL verification callback in src/crypto.cpp incorrectly treats several certificate validation errors as successful verification, enabling untrusted certificates to pass authentication. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects trivial network-based exploitation against default deployments.

OpenSSL Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-44930 CRITICAL PATCH GHSA Act Now

Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90) in the LDAP-backed certificate repository to retrieve certificates they are not authorized to see. Affected builds span Apache CXF 3.x before 3.6.11, 4.0.0-4.1.x before 4.1.6, and 4.2.0 before 4.2.1; the issue was reported by Apache itself and fixed in those releases. No public exploit identified at time of analysis, EPSS is very low (0.02%, 4th percentile), and CISA SSVC scores exploitation as 'none' with only 'partial' technical impact.

Code Injection LDAP Apache Apache Cxf
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-39821 CRITICAL PATCH Act Now

Privilege escalation in Go's golang.org/x/net/idna package (all versions before 0.55.0) stems from ToASCII and ToUnicode accepting Punycode labels that decode to an ASCII-only label, so ToUnicode("xn--example-.com") returns "example.com" instead of an error. Applications that perform authorization checks on an ASCII hostname and then convert it to Unicode can be tricked into permitting a name that the direct check would have rejected. This is a library-level flaw (CVSS 9.6, scope-changed) reported by the Go team; there is no public exploit identified at time of analysis and EPSS is very low (0.04%, 14th percentile).

Privilege Escalation Golang Org X Net Idna
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-8670 CRITICAL PATCH Act Now

Session replay weakness in syslink software AG's Avantra monitoring platform (versions before 25.3.1) on Linux and Windows allows remote attackers to reuse captured session identifiers because sessions are not properly expired. With CVSS 9.6 and scope change, an attacker who obtains a valid session ID can impersonate users and pivot into systems Avantra manages; no public exploit identified at time of analysis.

Microsoft Information Disclosure
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-41090 CRITICAL PATCH NO ACTION HOSTED Monitor

Command injection in Microsoft 365 Copilot for iOS allows remote unauthenticated attackers to tamper with system integrity over the network when a user is convinced to interact with malicious content. The flaw carries a critical CVSS score of 9.3 with a scope change indicating impact beyond the vulnerable component, though no public exploit identified at time of analysis. An official vendor patch is available via MSRC.

Microsoft Command Injection
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-9054 CRITICAL PATCH Act Now

Remote denial-of-service in 9front (a fork of Plan 9 from Bell Labs) allows unauthenticated network attackers to trigger a kernel panic by sending malformed TCP, IL, RUDP, or GRE packets whose total length is shorter than the protocol header size. The flaw affects 9front Plan 9 4e prior to commit 70c97c334171c715df82774d1a47638abaca2db4 and carries a CVSS 4.0 score of 9.2 driven by high availability impact and automatable exploitation; no public exploit identified at time of analysis.

Information Disclosure 9Front
NVD VulDB
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-33000 CRITICAL PATCH Act Now

Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary operating system commands by abusing improperly validated input. The flaw carries a critical CVSS 9.1 score with scope change, indicating successful exploitation can break out of the originating security context, though no public exploit identified at time of analysis.

Ubiquiti Command Injection Unifi Os Server
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-33843 CRITICAL PATCH NO ACTION HOSTED Monitor

Authentication bypass in Microsoft Azure Active Directory B2C (now part of Microsoft Entra) allows remote unauthenticated attackers to elevate privileges by reaching protected functionality through an alternate code path. The CVSS 9.1 vector (AV:N/AC:L/PR:N/UI:N) reflects network-reachable exploitation with no privileges and no user interaction, yielding high confidentiality and integrity impact against tenants relying on Azure AD B2C for identity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the unauthenticated-network profile and Microsoft self-reporting make this a high-priority advisory for any tenant using B2C.

Microsoft Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-39833 CRITICAL PATCH GHSA Act Now

Authentication bypass in Go's golang.org/x/crypto/ssh/agent in-memory keyring (versions before 0.52.0) allows SSH key signing operations to proceed without the intended ConfirmBeforeUse user confirmation prompt. Applications that relied on this constraint to gate sensitive signing actions effectively had no protection, with no error returned to indicate the constraint was silently ignored. No public exploit identified at time of analysis and EPSS is very low (0.02%), but SSVC rates technical impact as total.

Authentication Bypass Golang Org X Crypto Ssh Agent Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-39834 CRITICAL PATCH GHSA Act Now

Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) occurs when an application writes more than 4GB of data in a single Write call on an SSH channel, triggering an integer overflow in the internal payload size calculation that causes the write loop to spin indefinitely while emitting empty packets. The flaw affects any Go application using this SSH library for large data transfers and is patched upstream with a release in version 0.52.0; no public exploit identified at time of analysis and EPSS probability is very low at 0.02%.

Buffer Overflow Integer Overflow Golang Org X Crypto Ssh Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-42508 CRITICAL PATCH GHSA Act Now

Improper certificate revocation validation in the golang.org/x/crypto/ssh/knownhosts package allows SSH connections to succeed against hosts whose CA SignatureKey has been revoked. Versions prior to 0.52.0 only validated the leaf 'key' against revocation entries while ignoring 'key.SignatureKey', enabling attackers holding a revoked CA-signed host key to impersonate trusted servers. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Information Disclosure Golang Org X Crypto Ssh Knownhosts
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-39831 CRITICAL PATCH GHSA Act Now

Authentication bypass in the Go x/crypto/ssh library (versions before 0.52.0) allows SSH servers to accept FIDO/U2F security key signatures that were generated without the required physical user touch. The Verify() method for sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com key types failed to check the User Presence flag, enabling unattended use of stolen or relayed hardware-token signatures. No public exploit identified at time of analysis and EPSS is very low (0.01%), but SSVC rates technical impact as total with automatable exploitation.

SSH Authentication Bypass Golang Org X Crypto Ssh Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-48700 CRITICAL Monitor

An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.

RCE Pcmanfm Qt Suse
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy