Skip to main content
CVE-2026-45659 HIGH POC KEV PATCH THREAT CISA NEWS Exploit Unlikely Act Now

Authenticated remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) stems from unsafe deserialization of untrusted data (CWE-502), enabling an authorized attacker to run arbitrary code on the server over the network. CVSS 8.8 with low privileges required and no user interaction makes this attractive to post-authentication adversaries, though no public exploit identified at time of analysis and CVSS temporal data marks exploit code maturity as Unproven.

Microsoft Deserialization Microsoft Sharepoint Enterprise Server 2016 Microsoft Sharepoint Server 2019 Microsoft Sharepoint Server Subscription Edition
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.5%
Threat
4.8
CVE-2026-8679 HIGH POC This Week

{id}/ rewrite endpoint. The handle_playlist_endpoint() function validates only post_type, omitting authentication, capability, and post_status checks, so draft, private, pending, and trashed playlists are reachable by ID enumeration. No public exploit identified at time of analysis; the issue is fixed in version 2.0.3 per the vendor commit.

WordPress Authentication Bypass Audioigniter Music Player
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-39829 HIGH POC PATCH GHSA This Week

Denial of service in the Go golang.org/x/crypto/ssh library before version 0.52.0 allows unauthenticated remote attackers to exhaust CPU on SSH servers by submitting crafted RSA or DSA public keys with oversized parameters during public key authentication. EPSS is very low (0.03%) and there is no public exploit identified at time of analysis, but the bug is trivial to trigger and the fix has been published by the Go team in CL 781641/781661.

Jwt Attack Information Disclosure Golang Org X Crypto Ssh
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-35430 HIGH PATCH This Week

Privilege escalation in Microsoft Azure Privileged Identity Management (PIM) allows an authenticated attacker to bypass authorization checks by manipulating a user-controlled key, escalating privileges over the network. The flaw stems from an Insecure Direct Object Reference (IDOR) pattern (CWE-639) where the service trusts a client-supplied identifier when making authorization decisions. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Microsoft Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41075 HIGH PATCH This Week

Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6.0.0-6.0.2 via the entry_aggregator parameter in the JSON search endpoint, allowing any logged-in RT user to read or modify arbitrary data in the underlying database. The flaw was disclosed alongside the rt-5.0.10/6.0.3 release on 2026-05-20 and carries CVSS 8.8 due to high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi Rt
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6406 HIGH PATCH This Week

Enhanced Container Isolation (ECI) bypass in Docker Desktop allows a local low-privileged user with Docker CLI access to mount the Docker Engine socket into a container by invoking the --use-api-socket flag, granting full Docker Engine control and exposure of registry credentials. The flaw stems from the API proxy inspecting only HostConfig.Binds while the flag routes the mount through HostConfig.Mounts, slipping past ECI policy. No public exploit identified at time of analysis, but the issue was reported by Docker itself and disclosed via ZDI (ZDI-26-299).

Authentication Bypass Docker
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-5843 HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to achieve RCE on the host by tricking the MLX inference backend into loading a Python file from an attacker-controlled OCI model registry. The MLX-LM library imports the file referenced by config.json's model_file field via importlib without any trust_remote_code gate, and the backend runs unsandboxed as the Docker Desktop user. Patched in Docker Desktop 4.71.0; no public exploit identified at time of analysis and EPSS is very low (0.01%), but the SSVC technical impact is rated total.

Python Apple RCE Docker
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-5817 HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's vllm-metal inference backend on macOS allows any container on the Docker network to trigger host-level RCE by pulling a malicious model from an OCI registry and requesting inference. The Docker Model Runner unconditionally sets trust_remote_code=True and runs without sandboxing, so AutoTokenizer.from_pretrained() loads attacker-controlled Python from the model and executes it as the Docker Desktop user. No public exploit identified at time of analysis; EPSS sits at 0.01% and SSVC marks exploitation as 'none' despite total technical impact.

Python Apple RCE Docker
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-8992 HIGH This Week

Remote code execution in Ivanti Secure Access Client versions prior to 22.8R6 allows unauthenticated attackers to run arbitrary code on endpoints by exploiting improper TLS certificate validation, contingent on user interaction (UI:R). No public exploit identified at time of analysis, but the CVSS 8.8 rating and Ivanti's own advisory disclosure mark this as a high-priority client-side risk for organizations using the VPN client.

RCE Ivanti Secure Access Client
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9018 HIGH This Week

Unauthenticated privilege escalation in the Easy Elements for Elementor WordPress plugin through version 1.4.5 allows remote attackers to register administrator accounts by abusing an unchecked custom_meta parameter in the eel_register AJAX handler. The flaw lets attackers overwrite the wp_capabilities user meta after wp_insert_user() has assigned a safe role, granting full site takeover. No public exploit identified at time of analysis, and the CVSS vector's PR:L appears inconsistent with the description's explicit unauthenticated abuse path.

WordPress Privilege Escalation Elementor
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3294 HIGH PATCH This Week

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting on confidentiality, integrity, and availability.

TP-Link Information Disclosure
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-28445 HIGH PATCH GHSA This Week

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collaborator-crafted bot to execute arbitrary HTML/JavaScript in the authenticated builder context via the RatingButton component's customIcon.svg field. Because the builder preview renders bots inline on builder.typebot.io under a CSP permitting 'unsafe-inline', successful exploitation enables session hijacking and privilege escalation within the SaaS builder, with no public exploit identified at time of analysis.

XSS Privilege Escalation Typebot Io
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-25606 HIGH PATCH This Week

SQL injection in STER (Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy) versions prior to 9.5 allows authenticated attackers to extract sensitive data by injecting crafted input into multiple Search Filter parameters. The CVSS 4.0 score of 8.7 reflects high confidentiality and integrity impact over the network with low attacker privileges required, and a vendor patch is available in version 9.5. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Information Disclosure SQLi Ster
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-9255 HIGH PATCH This Week

Authorization bypass in AWS Kiro CLI versions prior to 1.28.0 allows a local attacker to invoke arbitrary tools, including shell commands, without triggering the user approval prompt by piping crafted content through stdin. Reported by Amazon (AMZN) and tagged as an Authentication Bypass, this issue has a vendor-released fix in 1.28.0; publicly available exploit code exists is not indicated, and the SSVC framework currently records no observed exploitation despite a Total technical impact rating.

Authentication Bypass Kiro Cli
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-46727 HIGH POC PATCH This Week

Use-after-free in Ruby 4.x (before 4.0.5) lets remote attackers who can manipulate DNS response timing crash applications calling Addrinfo.getaddrinfo with a timeout: option or Socket.tcp with resolv_timeout:. The flaw lives in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) and, while reliably exploitable for denial of service, also raises a theoretical possibility of memory-corruption-based code execution. No public exploit identified at time of analysis.

Denial Of Service Race Condition Ruby
NVD VulDB GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-41076 HIGH PATCH This Week

Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows remote attackers to log in as any LDAP-backed user without valid credentials when RT is configured with LDAP or Active Directory authentication and the LDAP server accepts unauthenticated bind requests. The flaw, fixed in RT 5.0.10 and 6.0.3 released 2026-05-20, carries a CVSS 8.1 and has no public exploit identified at time of analysis, but the trivial nature of the bypass against vulnerable LDAP policies makes it high-priority for any RT deployment using directory-based auth.

Authentication Bypass Rt
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-40172 HIGH This Week

{pk}/ endpoint. The UserSerializer skips the enable_group_superuser check enforced in the dedicated group-management paths, letting delegated user-management roles promote themselves or others to administrator-equivalent privilege. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the trivial attack mechanics (a single PATCH request) make weaponization straightforward for any tenant that has delegated user administration.

Privilege Escalation Authentik
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-26147 HIGH PATCH NO ACTION HOSTED Monitor

Information disclosure in Microsoft Azure Compute Gallery permits an authenticated remote attacker to read sensitive data across tenant or resource boundaries due to improper input validation (CWE-20). The scope-changed CVSS 7.7 rating reflects cross-boundary impact, but the exploit maturity is currently unproven (E:U) and no public exploit identified at time of analysis. Microsoft has published an official fix via MSRC.

Microsoft Information Disclosure
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-34911 HIGH PATCH This Week

Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary files on the underlying device filesystem, enabling disclosure of sensitive information such as configuration data, credentials, or cryptographic material. The flaw (CVSS 7.7, scope-changed) affects a broad fleet of UniFi gateways, cloud keys, NVRs, and NAS appliances. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Os Server Udm Udm Pro +28
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-39965 HIGH This Week

Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpReqUrl() SSRF filter by chaining an attacker-controlled HTTP 302 redirect, since the underlying ky and fetch clients follow redirects without re-validating the destination. This enables reaching AWS instance metadata at 169.254.169.254, private subnets, and container-internal services from the Typebot server, with realistic impact including theft of cloud IAM credentials. No public exploit identified at time of analysis, and the issue is fixed in version 3.16.0.

Open Redirect SSRF Typebot Io
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-34207 HIGH This Week

Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSRF protections in Webhook and HTTP Request blocks by supplying attacker-controlled hostnames that resolve via DNS to loopback (127.0.0.1), cloud metadata (169.254.169.254), or RFC1918 private addresses. The validation logic only inspected the URL string and literal IP formats without performing DNS resolution, so a benign-looking domain could route the backend HTTP client to internal targets. No public exploit identified at time of analysis, though the GitHub Security Advisory and fix commit are publicly visible.

SSRF Typebot Io
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-45145 HIGH This Week

Arbitrary file disclosure in Follett Software's Destiny Library Manager (version 22_0_2_rc1) lets remote unauthenticated attackers read system and application files by supplying directory-traversal sequences in the 'image' parameter. Publicly available exploit code exists (a Medium write-up documenting the unauthenticated LFI), and CISA's SSVC framework classifies exploitation as proof-of-concept and automatable, though EPSS remains modest at 0.46% (64th percentile). The flaw is fixed in v.22.5 AU1.

Path Traversal N A
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-44417 HIGH PATCH GHSA This Week

Remote code execution in Apache CXF (versions before 3.6.11, 4.0.0-4.1.5, and 4.2.0) arises because the fix for CVE-2025-48913 was incomplete, leaving a second code path through which untrusted JMS configuration can be abused to execute code. The flaw only matters where untrusted users are permitted to supply or influence JMS transport configuration for CXF endpoints. This is a remediation-regression issue carrying no public exploit identified at time of analysis, a very low EPSS (0.10%), and SSVC exploitation status of 'none', but the technical impact is rated total.

RCE Apache Apache Cxf
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23663 HIGH PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft Entra ID (formerly Azure AD), specifically affecting Microsoft Global Secure Access (GSA), allows remote unauthenticated attackers to gain elevated privileges over the network. The CVSS 7.5 rating reflects high confidentiality impact with no required authentication or user interaction, though no public exploit has been identified at time of analysis. The vector points to a flaw in how identity or access tokens are evaluated, which is particularly sensitive given Entra ID's role as a primary IAM backbone for Microsoft 365 and Azure tenants.

Microsoft Privilege Escalation
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-46597 HIGH POC PATCH GHSA This Week

Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) allows remote unauthenticated attackers to crash SSH server processes by sending crafted AES-GCM encrypted packets. An incorrectly placed bytes-to-int cast in the AES-GCM packet decoder triggers a server-side panic when processing well-crafted inputs. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Information Disclosure Golang Org X Crypto Ssh Suse
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8671 HIGH PATCH This Week

Sensitive information disclosure in syslink software AG Avantra (versions before 25.3.0) on Linux and Windows allows an attacker with high privileges and adjacent network access to harvest data written into log files, with a scope-changed impact crossing trust boundaries. The flaw is tracked as CWE-532 and rated CVSS 7.5, but no public exploit identified at time of analysis and it is not listed in CISA KEV.

Microsoft Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5740 HIGH PATCH GHSA This Week

Denial of service in Mattermost server (versions 11.6.0, 11.5.0-11.5.3, 11.4.0-11.4.4, and 10.11.0-10.11.14) allows remote attackers to crash the server process by sending a crafted msgpack-encoded binary WebSocket frame to the public endpoint. The flaw stems from missing validation of frame sizes before memory allocation, enabling a full service outage for all users. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects the unauthenticated network-reachable nature of the attack with high availability impact.

Denial Of Service Mattermost
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-9011 HIGH This Week

Unauthorized data disclosure in the Ditty - Responsive News Tickers, Sliders, and Lists WordPress plugin (versions 0 through 3.1.65) allows unauthenticated remote attackers to retrieve the full contents of non-public Ditty entries - including drafts, pending, scheduled, and disabled posts - by enumerating integer post IDs against the ditty_init AJAX endpoint. The flaw stems from the init_ajax() handler omitting the 'publish' post status check that its non-AJAX counterpart performs, exposing content administrators deliberately withheld from public view. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

WordPress Authentication Bypass Ditty Responsive News Tickers Sliders And Lists
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4834 HIGH This Week

Unauthenticated SQL injection in the WP ERP Pro WordPress plugin (versions through 1.5.1) allows remote attackers to extract sensitive database contents by manipulating the 'search_key' parameter. The flaw stems from missing input escaping and unprepared SQL statements, enabling UNION-based or appended query attacks against any WordPress site running the affected plugin. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-36228 HIGH This Week

Remote code execution in Easy Chat Server 3.1 stems from a buffer overflow in the chat message handling functionality, letting remote attackers overwrite memory to leak sensitive data and run arbitrary code on the hosting Windows machine. The product is a small standalone web-based chat server historically used as an exploit-development target, and publicly available exploit code exists (GitHub PoC), though EPSS is low (0.18%, 39th percentile) and it is not on CISA KEV. No public evidence of active in-the-wild exploitation was identified at time of analysis.

Buffer Overflow RCE N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-37470 HIGH This Week

Clickjacking in ClipBucket v5 5.5.2 lets an attacker embed the application's login page in a hidden iframe due to missing HTTP response security headers, enabling UI-redressing attacks that can capture credentials or trick authenticated users into unintended actions. The flaw is classified CWE-1021 (Improper Restriction of Rendered UI Layers), not the 'arbitrary code execution' the raw description claims — the referenced technical writeup and the CVSS profile (UI:R) both point to a framing/credential-theft issue. EPSS is very low (0.05%, 14th percentile) and CISA SSVC scores exploitation as 'none', indicating no observed active exploitation.

XSS RCE N A
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-9291 HIGH PATCH GHSA This Week

Arbitrary code execution in Amazon Braket Python SDK versions prior to 1.117.0 allows an authenticated attacker with S3 write access to the job output bucket to compromise any client machine that processes those job results. The flaw stems from insecure pickle deserialization in the job results processing component, and while no public exploit has been identified at time of analysis, the impact extends to every downstream consumer of poisoned results. EPSS data is unavailable, but the supply-chain-style propagation across analyst workstations and CI systems materially raises real-world risk.

Deserialization RCE Amazon Braket Python Sdk
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-39968 HIGH This Week

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access credentials from arbitrary workspaces via the preview chat endpoint. The bot-engine's getCredentials() utility uses a falsy check on workspaceId, so supplying an empty string bypasses ownership validation entirely, enabling credential theft, external service abuse, and data breach. This is an incomplete fix for the prior advisory GHSA-4xc5-wfwc-jw47, and no public exploit has been identified at time of analysis though the patch commit is public.

Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41074 HIGH This Week

Cross-site request forgery in Best Practical Request Tracker (RT) versions 6.0.0 through 6.0.2 allows remote attackers to perform arbitrary state-changing actions on behalf of an authenticated RT user who is lured to a malicious web page. The flaw carries a CVSS 7.1 (high integrity impact) and has been addressed in RT 6.0.3 released 2026-05-20, but no public exploit identified at time of analysis and the CVE is not present in CISA KEV.

CSRF Rt
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy