Skip to main content
CVE-2026-35202 LOW PATCH GHSA Monitor

Resource quota bypass in Pterodactyl Panel prior to 1.12.3 allows authenticated users to exceed their assigned database allocation limits by exploiting a broken concurrency guard in the Client API. The `lockForUpdate()` call in `DatabaseController.php` is a non-terminating Laravel query builder call that never issues an actual SQL lock, making it a no-op that enables parallel requests to simultaneously pass the limit check. No public exploit has been identified at time of analysis; with EPSS at 0.04% (12th percentile) and no KEV listing, real-world exploitation risk is currently low but relevant to multi-tenant hosting deployments.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-9568 LOW PATCH Monitor

Code injection in ThingsBoard 4.3.1.0 and 4.3.1.1 allows remote attackers to embed control characters and shell metacharacters into server-generated Docker Compose YAML files and MQTT publish commands via the /api/v1/provision endpoint's getGatewayDockerComposeFile and getMqttPublishCommand functions. Device credential fields - including clientId, userName, password, and credentialsId - are passed unsanitized into YAML and shell command construction, enabling injection of shell special characters such as $, backtick, and double-quote. No public exploit has been identified at time of analysis; SSVC rates exploitation as none and EPSS is 0.04%, though the RCE tag warrants scrutiny given the CVSS 4.0 score of only 2.3.

Code Injection RCE Thingsboard
NVD VulDB GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-9581 LOW Monitor

Improper access control in JeecgBoot versions up to 3.9.1 allows low-privileged authenticated remote users to interact with the /sys/comment/add endpoint beyond their assigned permission level, resulting in low-impact confidentiality, integrity, and availability effects. The CVSS 4.0 score of 2.1 reflects a narrow blast radius with no subsequent system compromise, but a publicly available proof-of-concept (E:P) elevates the likelihood of opportunistic exploitation on internet-facing deployments. No active exploitation has been confirmed by CISA KEV at time of analysis.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-71310 LOW PATCH Monitor

The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.

XSS Gdpr Cookies Module For Backdrop Cms
NVD VulDB
CVSS 4.0
1.8
EPSS
0.0%
CVE-2026-44210 MEDIUM PATCH GHSA This Month

VM escape in Kata Containers allows any Kubernetes user with pod-creation rights to break out of the VM sandbox and gain full read/write access to the host filesystem. All Kata Containers installations prior to commit ffa59ce3aa78 are affected when using the default configuration.toml, which enables the `virtio_fs_extra_args` and `kernel_params` pod annotations out of the box. An attacker crafts a pod with two annotations: one to redirect virtiofsd to serve the host root filesystem (`/`) into the guest VM, and a second to enable the agent debug console - after which the entire host filesystem is accessible from inside the supposedly isolated VM. A fully working proof-of-concept with confirmed output against Kata Containers 3.28.0 on Ubuntu 24.04 has been publicly disclosed; no public exploit confirmed as actively exploited (CISA KEV) at time of analysis.

Ubuntu Kubernetes Gitlab Docker Code Injection +1
NVD GitHub
EPSS
0.1%
CVE-2026-43947 HIGH PATCH GHSA This Week

Unauthenticated remote code execution in FUXA 1.3.0 (the fuxa-server npm package) lets any network-reachable attacker run arbitrary OS commands on the SCADA/HMI host when secureEnabled is true. The POST /api/runscript endpoint authorizes a request against a stored script's permission, but with test:true it instead compiles and runs attacker-supplied code via Node's Module._compile, so a guest who knows a valid script ID and name (leaked via the unauthenticated GET /api/project endpoint) can execute code with full Node runtime access. Publicly available exploit code exists in the vendor advisory; no CVSS, EPSS, or CISA KEV data is provided.

RCE Information Disclosure Node.js Authentication Bypass
NVD GitHub
EPSS
0.6%
CVE-2026-43946 HIGH PATCH GHSA This Week

Unauthenticated disclosure of arbitrary industrial tag values in FUXA 1.3.0 lets remote actors read live process data through the /api/getTagValue endpoint. Per the vendor advisory (GHSA-fwcm-rqvw-j3p7), the API mints a signed 'guest' identity when no API key or access token is supplied, and the per-script authorization check fails open when the referenced sourceScriptName points to a non-existent script, so the guest request is treated as authorized. No CISA KEV listing and no weaponized public exploit code were identified, though the advisory documents the exact vulnerable code paths; the flaw is fixed in v1.3.1.

Authentication Bypass
NVD GitHub
EPSS
0.1%
CVE-2026-43945 HIGH PATCH GHSA This Week

Pre-authentication remote code execution affects FUXA, an open-source web-based SCADA/HMI platform, in versions >= 1.2.11 and < 1.3.1 (the advisory references build v1.3.0-2706). The flaw is a path-confusion authentication bypass: the login middleware performs a substring match against the full request URL (including the query string), so appending a benign-looking parameter such as ?x=/socket.io to any administrative request causes the server to treat it as a public WebSocket handshake and skip the secureEnabled and nodeRedAuthMode checks entirely. When Node-RED is enabled with command-capable nodes, this reaches the /nodered/* admin interface and yields code execution in the container context (advisory states 'as root'). The GitHub Security Advisory (GHSA-p69w-mmfv-xrfj) discloses the exact bypass payload, so publicly available exploit details exist; there is no CISA KEV listing and no public report of active exploitation at time of analysis.

RCE Code Injection
NVD GitHub
EPSS
0.7%
CVE-2026-48047 MEDIUM PATCH GHSA This Month

Path traversal in XWiki Platform's WebJars API enables a subwiki admin who can publish and install a malicious WebJar extension to write arbitrary files anywhere on the server filesystem. The affected Maven component `xwiki-platform-webjars-api` fails to validate that JAR entry paths extracted during extension installation remain within the intended export directory, allowing overwrite of configuration files or potential superadmin credential manipulation. No public exploit is identified and no CISA KEV listing exists; vendor-released patches are available across three version branches.

Atlassian Path Traversal
NVD GitHub
EPSS
0.1%
Prev Page 6 of 6

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy