Skip to main content
CVE-2026-8376 CRITICAL PATCH Act Now

Heap-based buffer overflow in Perl interpreters up to and including 5.43.10 on 32-bit builds lets a caller that compiles an attacker-controlled regular expression corrupt heap memory at regex compile time, with potential for code execution. The flaw stems from an integer overflow in Perl_study_chunk when optimizing a repeated fixed substring, and is rated CVSS 9.8 by NVD. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; the issue is limited to 32-bit Perl builds and applications that feed untrusted input into regex compilation.

Buffer Overflow Perl Suse
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-9058 CRITICAL PATCH Act Now

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463.

Authentication Bypass Szafir Sdk
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-42773 CRITICAL Act Now

Blind SQL injection in the eMagicOne Store Manager WordPress plugin (versions up to and including 1.3.2) allows remote unauthenticated attackers to inject malicious SQL through improperly sanitized parameters. With a CVSS 9.3 score and changed scope, successful exploitation can expose confidential database contents across the WordPress installation, though EPSS remains very low (0.03%) and no public exploit identified at time of analysis.

SQLi Emagicone Store Manager
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-42774 CRITICAL Act Now

SQL injection in Crocoblock JetEngine (a WordPress plugin) through version 3.8.8.1 allows remote unauthenticated attackers to inject crafted SQL into backend queries, leading to high-impact confidentiality disclosure and limited availability impact with a scope change to other components. The flaw carries a CVSS 9.3 rating and was disclosed by Patchstack, but there is no public exploit identified at time of analysis and EPSS is very low at 0.03%.

SQLi Jetengine
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-2651 CRITICAL PATCH GHSA Act Now

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode enabled to abuse unprotected multipart upload (MPU) endpoints under /mlflow-artifacts/mpu/* and tamper with models owned by other users, enabling model supply chain poisoning and arbitrary code execution when poisoned models are deserialized. The SSVC framework classifies this as having a public proof-of-concept with total technical impact, though EPSS exploitation probability is currently only 0.05% (16th percentile) and no public exploit identified at time of analysis as actively weaponized.

Authentication Bypass RCE Mlflow Mlflow
NVD GitHub
CVSS 3.1
9.0
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy