Skip to main content
CVE-2026-43828 MEDIUM PATCH This Month

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.

Information Disclosure Apache
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-9503 LOW POC PATCH Monitor

Null pointer dereference in GNU LibreDWG (all versions through 0.14) allows a local, low-privileged attacker to crash any application that uses the library to parse a maliciously crafted DWG file, resulting in a denial-of-service condition with no confidentiality or integrity impact. The affected code path is within the DWG 2004 compressed-section handler in src/decode.c, where missing bounds checks on section entry address fields permit invalid memory access. A public proof-of-concept exploit file exists; however, the vulnerability is not listed in CISA KEV, EPSS sits at 0.01% (2nd percentile), and SSVC rates it non-automatable with only partial technical impact, collectively indicating negligible in-the-wild exploitation risk at time of analysis.

Denial Of Service Null Pointer Dereference Libredwg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-9502 LOW POC PATCH Monitor

Heap-based buffer overflow in GNU LibreDWG's dwgread utility (versions 0.1 through 0.14) allows a local attacker with low privileges to corrupt heap memory by supplying a specially crafted R2004-format DWG file. The vulnerable function decompress_R2004_section in src/decode.c fails to validate decompression offset and size parameters before writing, enabling out-of-bounds heap writes with partial confidentiality, integrity, and availability impact. Publicly available exploit code exists as a crafted DWG file; however, no active exploitation is confirmed (not in CISA KEV), EPSS is 0.01% (2nd percentile), and the local-only attack vector sharply constrains real-world risk.

Heap Overflow Buffer Overflow Libredwg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-9501 LOW POC PATCH Monitor

Reachable assertion (CWE-617) in GNU LibreDWG's `decompress_R2004_section` function allows a local low-privileged attacker to crash the `dwgread` utility by supplying a malformed R2004-format DWG file with out-of-bounds decompression parameters. All releases from 0.1 through 0.14 are confirmed affected. Publicly available exploit code exists, though EPSS sits at 0.01% (2nd percentile) and no active exploitation is confirmed - consistent with the strictly local, no-code-execution impact profile.

Denial Of Service Libredwg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-9500 LOW POC Monitor

Heap-based buffer overflow in GNU LibreDWG's read_2004_compressed_section function (src/decode.c) exposes users of the dwgread utility to partial confidentiality, integrity, and availability compromise when processing a maliciously crafted DWG file. All released versions from 0.1 through 0.14 are affected, and a publicly available proof-of-concept exploit file exists on GitHub. No vendor patch has been issued; the project has not responded to the responsible disclosure despite early notification via issue report.

Heap Overflow Buffer Overflow Libredwg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-9504 LOW POC PATCH Monitor

Out-of-bounds read in GNU LibreDWG's dwggrep utility exposes heap memory when processing maliciously crafted DWG files containing LTYPE objects with unterminated wide-character dash text strings. Affected versions span 0.1 through 0.14 (CPE: cpe:2.3:a:gnu:libredwg). A local authenticated attacker can trigger partial information disclosure by supplying a crafted DWG file to the dwggrep command-line tool; a public proof-of-concept DWG payload exists, though EPSS of 0.01% (2nd percentile) and absence from CISA KEV indicate no widespread exploitation activity at time of analysis.

Information Disclosure Buffer Overflow Libredwg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-9422 MEDIUM This Month

Injection vulnerability in KLiK SocialMediaWebsite 1.0 allows remote unauthenticated attackers to submit crafted HTTP POST request parameters to the application's input handler, achieving partial compromise of confidentiality, integrity, and availability. Classified under CWE-74 and tagged as Code Injection, the flaw carries a CVSS 4.0 score of 5.5 (Medium) with confirmed proof-of-concept exploit code publicly available (E:P). Despite the POC, EPSS places exploitation probability at 0.04% (14th percentile), indicating low observed real-world exploitation activity and a narrow effective target base.

Code Injection Klik Socialmediawebsite
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9421 MEDIUM This Month

Unrestricted file upload in KLiK SocialMediaWebsite 1.0 exposes the application to unauthenticated remote exploitation via the `uniqid` function in `upload.inc.php`. The File Handler component fails to validate uploaded file types (CWE-434), allowing an attacker to upload PHP webshells or other executable files without any authentication - confirmed by the CVSS 4.0 vector PR:N/UI:N. Exploit code has been publicly disclosed (CVSS E:P, referenced via VulDB), though EPSS remains low at 0.04% and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

PHP File Upload Klik Socialmediawebsite
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-32389 MEDIUM PATCH This Month

Missing authorization in the NanoCare WordPress theme (Linethemes) before version 1.2.2 permits low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) confirms network-accessible exploitation requiring only a low-privilege account with no user interaction. No public exploit code exists and no active exploitation has been confirmed; EPSS at 0.04% (11th percentile) and SSVC exploitation status of 'none' indicate this is currently a theoretical rather than actively weaponized risk.

Authentication Bypass Nanocare
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24586 MEDIUM This Month

Missing Authorization in the Newses WordPress theme (Themeansar) through version 2.0.0.77 permits low-privileged authenticated users to exploit incorrectly configured access control security levels, resulting in partial integrity and availability impact. The flaw, reported by Patchstack and tracked under ENISA EUVD-2026-31747, allows an authenticated attacker to perform actions beyond their intended permission scope without proper authorization checks. No public exploit code or active exploitation has been identified at time of analysis, and all available signals - EPSS at 0.04%, SSVC exploitation status of 'none', and Automatable: no - indicate limited real-world threat at this time.

Authentication Bypass Newses
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-9078 MEDIUM This Month

Firefox for iOS misrepresents attacker-controlled domains as trusted origins through improper rendering of right-to-left Unicode characters and internationalized domain names (IDNs) in the link preview UI surface, enabling a spoofing/phishing attack against users on any iOS version prior to 151.1. The CVSS vector (PR:N/UI:R) indicates unauthenticated network-reachable exploitation contingent on user interaction with a crafted link. EPSS at the 5th percentile and SSVC exploitation status of 'none' confirm no active exploitation or public exploit code has been identified at time of analysis, positioning this as a targeted phishing risk rather than a broad automated threat.

Apple Information Disclosure Mozilla Firefox For Ios
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-46745 MEDIUM PATCH This Month

LDAP filter injection in Apache Airflow FAB Auth Manager (apache-airflow-providers-fab < 3.6.4) enables unauthenticated remote attackers to manipulate LDAP query logic by embedding special characters in login credentials, resulting in directory data exfiltration or authentication bypass. The vulnerability is confirmed by source code evidence: the `_search_ldap` and `_ldap_get_nested_groups` methods in `override.py` directly interpolated user-supplied input into LDAP filter strings without sanitization. No public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, but the SSVC framework marks it as automatable, meaning exploitation can be scripted at scale against exposed Airflow instances using LDAP auth.

Authentication Bypass LDAP Apache Code Injection Apache Airflow Fab Provider
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-40127 MEDIUM PATCH This Month

OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application. This issue was fixed in OutSystems Lifetime version 11.28.2.3955

Authentication Bypass Lifetime
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-27357 MEDIUM PATCH This Month

Missing authorization in the WP Search Analytics WordPress plugin (versions before 1.5.0) allows unauthenticated remote attackers to bypass access controls and perform unauthorized write operations against affected WordPress installations. Reported by Patchstack and tracked as EUVD-2026-31761, this broken access control issue (CWE-862) carries a medium CVSS score of 5.3 with no confidentiality or availability impact - only limited integrity impact. No public exploit has been identified and no active exploitation is confirmed, with EPSS placing exploitation probability at 0.03% (8th percentile), making this a low real-world priority despite being automatable per SSVC.

Authentication Bypass Wp Search Analytics
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27398 MEDIUM This Month

Missing authorization in the WP Chill RSVP and Event Management WordPress plugin (versions through 2.7.16) enables unauthenticated remote attackers to perform unauthorized write operations by bypassing access control checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully remote, zero-complexity, unauthenticated exploitation is possible against default plugin installations. Impact is limited to partial integrity degradation (I:L) with no confidentiality or availability loss; no public exploit has been identified at time of analysis and EPSS is very low at 0.03% (8th percentile).

Authentication Bypass Rsvp And Event Management
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24592 MEDIUM This Month

Missing authorization in the Auto Affiliate Links WordPress plugin (all versions through 6.8.8.3) allows unauthenticated remote attackers to bypass access control checks and perform unauthorized write operations against affiliate link configurations. The vulnerability is classified as broken access control (CWE-862) and was reported by Patchstack. No public exploit code exists and no active exploitation has been confirmed - EPSS sits at 0.03% (8th percentile) and SSVC exploitation status is 'none' - indicating negligible real-world threat activity at time of analysis despite the attack being fully automatable with no authentication required.

Authentication Bypass Auto Affiliate Links
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24546 MEDIUM This Month

Unauthenticated information disclosure in the GamiPress WordPress plugin (versions through 7.6.3) allows remote attackers to read restricted data by exploiting missing authorization checks on plugin endpoints. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no credentials or user interaction are required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code or active exploitation has been identified at time of analysis, and an EPSS score of 0.03% (8th percentile) reflects low real-world exploitation probability.

Authentication Bypass Gamipress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-9274 MEDIUM This Month

This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device. Successful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device.

Authentication Bypass Wi Fi Camera Cp E38Q Cp E48Q Cp E25Q Cp E35Q Cp E45Q Cp E28Q Cp E21Q Cp E31Q Cp E41Q Cp E24Q Cp Z43Q Cp E34Q Cp E44Q Cp T31Q Cp V48Q Cp V41Q Cp Z45Q
NVD
CVSS 4.0
5.2
EPSS
0.0%
CVE-2026-44598 MEDIUM PATCH This Month

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login. This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.

Open Redirect Apache SSRF
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-27346 MEDIUM PATCH This Month

Missing authorization controls in the B2BKing WordPress plugin (versions prior to 5.2.10) allow authenticated high-privileged attackers to exploit incorrectly configured access control security levels, resulting in unauthorized data or configuration modification (high integrity impact). No confidentiality or availability impact is indicated by the CVSS vector. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact, suggesting limited real-world threat at this time.

Authentication Bypass B2Bking
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-42797 MEDIUM PATCH This Month

Malicious JEXL expression injection in Apache Syncope's Derived Schema feature enables privileged information disclosure across administrative roles. An administrator holding entitlements over Derived Schemas can embed a crafted JEXL expression that, when evaluated in the context of another administrator's User read operation, exposes security-sensitive User attributes that would not normally be accessible. Affected versions span three release lines (3.0.x through 3.0.16, 4.0.x through 4.0.5, and 4.1.0); no active exploitation is confirmed (no CISA KEV listing) and the EPSS score of 0.02% places this in the 4th percentile for exploitation probability.

Information Disclosure Apache Apache Syncope
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-6059 MEDIUM This Month

A cross-site scripting vulnerability exists in Aterm. Arbitrary scripts may be executed in the web browser of a user accessing the web management interface via adjacent network.

XSS Aterm Wx1800Hp Aterm Wx5400Hp Aterm Wx7800T8 Aterm Wx11000T12 +5
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-48849 MEDIUM PATCH This Month

Stored XSS and HTML/CSS injection in Roundcube Webmail 1.6.x and 1.7.x allows an authenticated attacker to plant a malicious payload in a draft message's subject field, which then executes in the browsers of other users when they encounter the draft restore dialog on a shared mailbox. Fixed in versions 1.6.16 and 1.7.1 per vendor advisory published 2026-05-24. No public exploit identified at time of analysis, and EPSS sits at 0.03% (10th percentile), indicating minimal observed exploitation interest.

XSS Webmail
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-24527 MEDIUM This Month

Missing Authorization in Autoship Cloud for WooCommerce Subscription Products (versions through 2.14.0) allows authenticated low-privileged users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack, this CWE-862 flaw means the plugin fails to verify whether an authenticated user holds the correct capability before executing sensitive operations within the WooCommerce subscription management interface. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) signals negligible automated exploitation activity at this time.

Authentication Bypass WordPress Autoship Cloud For Woocommerce Subscription Products
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24582 MEDIUM This Month

FlexTable WordPress plugin (versions up to and including 3.24.0) by WPPOOL contains a missing authorization vulnerability enabling low-privileged authenticated users to perform restricted plugin actions beyond their intended access level, resulting in limited but unauthorized integrity modifications. The flaw stems from CWE-862 (Missing Authorization), where plugin endpoints fail to verify that an authenticated user holds the required WordPress capability before executing privileged operations. No public exploit code exists and this vulnerability is not in the CISA Known Exploited Vulnerabilities catalog; EPSS scoring at 0.03% (8th percentile) confirms negligible likelihood of broad exploitation at this time.

Authentication Bypass Flextable
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24545 MEDIUM This Month

Missing authorization in the QR Redirector WordPress plugin (versions through 2.0.3) exposes redirect management functionality to authenticated low-privileged users who lack the appropriate capability checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms any authenticated WordPress user - including subscribers or contributors - can exploit this flaw remotely without user interaction. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) and SSVC exploitation status of 'none' place this at low operational priority for most environments.

Authentication Bypass Qr Redirector
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24554 MEDIUM This Month

Cross-Site Request Forgery in the WPSubscription WordPress plugin (Convers Lab, versions through 1.9.1) enables remote unauthenticated attackers to perform unauthorized state-changing actions by tricking an authenticated WordPress user into visiting a malicious page or clicking a crafted link. The CVSS 4.3 Medium rating reflects limited integrity impact (I:L) with no confidentiality or availability exposure. No public exploit code exists and no active exploitation is confirmed - EPSS at 0.01% (3rd percentile) and SSVC 'Exploitation: none' both corroborate the low real-world threat level at time of analysis.

CSRF Wpsubscription
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24597 MEDIUM This Month

Cross-Site Request Forgery in WpDevArt's Organization Chart WordPress plugin (all versions through 1.7.5) enables remote unauthenticated attackers to perform unauthorized state-changing actions against the plugin by tricking an authenticated WordPress user into interacting with a crafted request. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects that while no authentication or elevated complexity is required on the attacker's side, exploitation is gated by mandatory victim interaction, limiting realistic impact to integrity modifications only. No public exploit code exists and no active exploitation has been identified; EPSS score of 0.01% (3rd percentile) and SSVC exploitation status of 'none' collectively indicate low real-world threat at time of analysis.

CSRF Organization Chart
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48847 LOW PATCH Monitor

Pre-authentication arbitrary file deletion in Roundcube Webmail 1.6.x (before 1.6.16) and 1.7.x (before 1.7.1) is achievable by unauthenticated network attackers via session poisoning of Redis or Memcache storage backends. The root cause (CWE-669: Incorrect Resource Transfer Between Spheres) lies in the application improperly trusting session data read from an external cache tier, allowing crafted entries to bypass pre-authentication controls and trigger file deletion operations. No public exploit has been identified at time of analysis, and EPSS stands at 0.06%, though Roundcube installations are historically targeted by espionage-motivated threat actors and patching is strongly recommended.

Authentication Bypass Redis Webmail
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-48852 LOW PATCH Monitor

Assertion failure in ECDSA signature verification within PuTTY 0.71 through 0.83 allows a network-positioned attacker to crash the PuTTY client, producing a denial-of-service condition. The vulnerability (CWE-617: Reachable Assertion) carries a CVSS 3.7 Low score with no confidentiality or integrity impact - availability impact is limited to the client process itself. No public exploit code exists and no active exploitation has been identified; SSVC rates exploitation as none and the EPSS score of 0.04% (12th percentile) confirms minimal current exploitation probability.

Denial Of Service Putty
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-48850 LOW PATCH Monitor

Double free in PuTTY's RSA key exchange implementation affects versions 0.72 through 0.83, creating a memory corruption condition that can crash the client when connecting to a server that negotiates RSA KEX. The CVSS vector (AV:N/AC:H/PR:N/UI:N/A:L) reflects a network-reachable but high-complexity trigger with only limited availability impact, consistent with a difficult-to-reproduce crash rather than reliable code execution. No active exploitation is confirmed per CISA KEV, SSVC reports exploitation status as none, and EPSS sits at 0.04% (12th percentile), indicating low real-world exploitation pressure at time of analysis.

Information Disclosure Putty
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-48851 LOW PATCH Monitor

PuTTY's trust sigil mechanism - the application icon displayed to distinguish legitimate remote TELNET output from locally-injected spoofed content - fails to reset trust state between proxy authentication and the start of the main TELNET session in versions 0.77 through 0.83. Under CWE-451 (UI Misrepresentation of Critical Information), an attacker positioned to control or influence a TELNET proxy could present deceptive terminal content to the user bearing the trusted indicator, achieving low-integrity impact by misleading the user about the source or authenticity of displayed data. No public exploit exists, EPSS is 0.03% (9th percentile), CISA SSVC rates exploitation as none, and the overall CVSS score is 3.1 (Low), reflecting high attack complexity and narrow real-world applicability.

Information Disclosure Putty
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-5222 LOW PATCH GHSA Monitor

Credential leakage in Cargo's sparse index registry URL normalization affects all Cargo releases from 1.68 through 1.96. The flaw caused Cargo to incorrectly apply git-registry canonicalization rules - specifically, stripping `.git` suffixes and lowercasing GitHub paths - to sparse index protocol URLs (prefixed with `sparse+`). This allowed two distinct sparse registry URLs that differed only by a `.git` suffix to resolve to the same canonical identifier, meaning credentials configured for one registry could be transmitted to a different, attacker-controlled registry on the same domain. No public exploit identified at time of analysis; EPSS is 0.04% (12th percentile), consistent with the vendor-assessed low severity and SSVC exploitation status of none.

Information Disclosure Cargo
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-9420 LOW Monitor

Injection via HTTP GET request parameter manipulation in KLiK SocialMediaWebsite 1.0 allows remote attackers to inject arbitrary content or code through the application's parameter handler, contingent on passive user interaction. The vulnerability carries a CVSS 4.0 base score of 2.1, reflecting limited confidentiality, integrity, and availability impact scoped exclusively to the vulnerable system with no lateral impact. Publicly available exploit code exists per the E:P exploit maturity metric and SSVC poc classification, though EPSS at 0.04% (13th percentile) and the non-KEV status indicate no observed widespread exploitation.

Code Injection Klik Socialmediawebsite
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9497 LOW Monitor

Unsafe deserialization in changmingxie tcc-transaction (versions up to 2.1.0) allows a remotely authenticated attacker with low privileges to exploit the Fastjson AutoType feature via the REST API, achieving limited confidentiality, integrity, and availability impact on the affected system. A proof-of-concept exploit exists (CVSS 4.0 E:P), referenced in a public GitHub bug report, though EPSS probability sits at just 0.04% (12th percentile) and SSVC assesses exploitation as none at time of analysis, indicating no observed active abuse. The vendor was notified prior to disclosure but did not respond, meaning no official patch has been released.

Deserialization Tcc Transaction
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-47069 LOW POC PATCH GHSA Monitor

CRLF injection in the hackney Erlang HTTP client library's hackney_cookie:setcookie/3 function enables HTTP response splitting against applications using versions 0.9.0 through before 4.0.1. While the function correctly validates the Name and Value cookie arguments against CRLF and control characters, it concatenates the domain and path options verbatim into the output iolist with no equivalent check, creating an injection point. An attacker who can influence the domain or path values passed to that function - for example, by submitting a crafted Host header or URL path that an application forwards directly into the cookie-setting call - can inject arbitrary additional Set-Cookie headers into the HTTP response. No public exploit identified at time of analysis per KEV absence, though SSVC confirms a proof-of-concept exists.

Code Injection Hackney
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-48589 PATCH Monitor

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.

Open Redirect Apache
NVD VulDB
EPSS
0.0%
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy