Skip to main content
CVE-2026-48027 CRITICAL POC KEV THREAT CISA Emergency

Embedded malicious code in Nx Console (the editor extension for Nx and Lerna) version 18.95.0 turned a trusted developer tool into a trojan during a brief publish window on 19 May 2026. The poisoned build was live on the Visual Studio Marketplace for roughly 18 minutes (12:30-12:48 UTC) and on OpenVSX for roughly 36 minutes (12:33-13:09 UTC); any developer who installed or auto-updated during those windows executed attacker-controlled code inside their IDE, tagged here as information disclosure. It is confirmed actively exploited (CISA KEV) and publicly available exploit code exists, with CISA SSVC rating exploitation as active, automatable, and total technical impact; the clean release 18.100.0 is the fix.

Information Disclosure Nx Console
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
26.8%
Threat
4.9
CVE-2026-8054 CRITICAL POC PATCH Act Now

SQL injection in dotCMS Core (versions 25.11.04-1 through 26.04.28-02) lets remote unauthenticated attackers read, modify, or destroy arbitrary database content through the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll, which neither enforced authentication nor sanitized input before constructing SQL. The flaw carries a maximum CVSS 4.0 base score of 10.0, reflecting full confidentiality, integrity, and availability impact extending to subsequent systems. No public exploit was identified at time of analysis and EPSS is low (0.38%, 60th percentile), but the network-reachable, no-privilege, no-interaction profile makes this an urgent patch for affected (non-LTS) deployments.

SQLi Dotcms Core
NVD GitHub
CVSS 4.0
10.0
EPSS
0.4%
CVE-2026-47717 HIGH POC PATCH GHSA This Week

Unauthenticated information disclosure in FUXA 1.3.0 (web-based SCADA/HMI server, npm package fuxa-server) lets remote attackers retrieve full project configuration from the GET /api/project endpoint even when secureEnabled is turned on. The exposed data includes server-side script source code, device connection details, HMI view layouts with tag bindings, and alarm definitions. Publicly available exploit code exists (a single unauthenticated curl request demonstrated in the GitHub advisory), and the CVSS vector confirms unauthenticated network exploitation rated 7.5 (confidentiality-only impact); there is no public exploit identified as actively exploited in CISA KEV.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-70103 HIGH POC PATCH This Week

Heap buffer overflow in libjxl 0.12.0 lets remote attackers corrupt heap memory by feeding a crafted PBM/PNM image to the jxl::extras::DecodeImagePNM routine, which writes decoded rows into an output buffer without first checking that the buffer is large enough for the header-declared dimensions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes unauthenticated, low-complexity exploitation with no user interaction, and CISA's SSVC framework rates it automatable with partial technical impact. Publicly available exploit code exists, though it is not listed in CISA KEV and no public exploit has been tied to active exploitation.

Heap Overflow Buffer Overflow Red Hat
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-31266 HIGH POC This Week

Unauthorized invocation of the database migration endpoint (/actions/app/migrate) in Craft CMS 5.9.5 and earlier lets remote, unauthenticated attackers reach functionality that should be gated behind administrative authorization. The flaw stems from a missing authorization check (CWE-862) rather than a credential bypass on the login flow, and publicly available exploit code exists, though it is not listed in CISA KEV. CVSS is 7.3 with Low impact across confidentiality, integrity, and availability, reflecting partial rather than total compromise.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-45618 CRITICAL PATCH GHSA Act Now

Remote code execution in LiquidJS template engine versions before 10.26.0 lets an attacker who can supply template content escape the rendering context and run arbitrary Node.js code on the host. The `valueOf` filter leaks the engine's internal scope object (`this`), exposing the parser, filter registry, and ultimately the JavaScript Function constructor, which is chained into command execution. Rated CVSS 10.0 (CWE-94) with a complete working proof-of-concept published in the vendor advisory; it has publicly available exploit code but is not listed in CISA KEV, and no EPSS score was provided in the source data.

RCE Code Injection
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-45102 CRITICAL PATCH Act Now

Sandbox escape in OneUptime before 10.0.98 lets an authenticated user break out of the Node.js vm-module isolation that the platform relies on to safely run untrusted logic, gaining code execution in the host context. The vm module was never intended as a security boundary and can be escaped using error objects and infinite recursion, yielding full confidentiality, integrity, and availability impact (CVSS 9.9, scope-changed). No public exploit is identified at time of analysis, but the escape technique is well-documented for the Node.js vm module generally.

Node.js Information Disclosure
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-42757 CRITICAL Act Now

Path traversal in the WebinarIgnition WordPress plugin (Saleswonder Team: Tobias) affects all versions up to and including 4.08.253 and allows authenticated low-privilege users to manipulate file paths outside the intended plugin directory. The linked Patchstack advisory characterizes the concrete impact as arbitrary file deletion, which can corrupt the WordPress installation or enable further compromise. EPSS probability is very low (0.05%, 15th percentile) and there is no public exploit identified at time of analysis, despite the 9.9 CVSS score.

Path Traversal
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-42748 CRITICAL Act Now

Arbitrary file upload in the WPify Woo Czech WordPress/WooCommerce plugin (versions through 5.4.1) lets a low-privileged authenticated user upload a dangerous file type - i.e., a PHP web shell - to the web server, leading to remote code execution. The CVSS 3.1 vector (PR:L, S:C, C:H/I:H/A:H) reflects a scope-changing critical-severity flaw scored 9.9 that compromises the entire host once exploited. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS score is very low (0.04%, 13th percentile), indicating little observed exploitation pressure despite the high CVSS.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-46425 CRITICAL PATCH Act Now

Privilege escalation via missing authorization in Budibase before 3.38.2 lets any authenticated user — including low-privilege BASIC accounts and workspace-scoped builders — reach the worker's SCIM API and perform full CRUD on every user and group in the tenant. The SCIM router only enforced an Enterprise feature flag and SCIM context, never a role/admin check, so identity-management operations meant for administrators were exposed to all sessions. Fixed in 3.38.2; no public exploit identified at time of analysis, but the trivial nature of the flaw (a single missing middleware) makes it easy to weaponize once known.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-42756 CRITICAL Act Now

Path traversal in the QuickWebP WordPress plugin (versions up to and including 3.2.7) allows authenticated low-privilege users to manipulate file paths and delete arbitrary files on the server, per the Patchstack advisory titling this an arbitrary file deletion flaw. With a CVSS of 9.9 and a changed scope, deletion of sensitive files such as wp-config.php can cascade into full site compromise. There is no public exploit identified at time of analysis.

Path Traversal
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-8175 CRITICAL Act Now

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target.

RCE Denial Of Service Buffer Overflow Heap Overflow Authentication Bypass +1
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-7524 CRITICAL Act Now

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitrary code by abusing how the platform handles symbolic links while unpacking uploaded archives. Because extraction does not properly validate symlink targets, a crafted archive can write files outside the intended directory and ultimately achieve code execution on the host. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and is reachable without authentication or user interaction, though no public exploit identified at time of analysis.

RCE Path Traversal IBM
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-44887 CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, an open-source WiFi/LAN intruder detector with web-based service monitoring, in all versions prior to the 2026-05-07 release. The web configuration editor writes attacker-controlled content into pialert.conf, which the background scan daemon subsequently evaluates with Python's exec(), so injected statements run with the daemon's privileges. Because the product ships with web protection disabled by default, an attacker reaching the web interface needs no credentials, yielding a CVSS 9.8 critical flaw; no public exploit identified at time of analysis.

Code Injection RCE Python
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-12686 CRITICAL PATCH Act Now

Remote code execution in Synology BeeStation OS versions before 1.3.2-65648 stems from a classic buffer overflow in the AdminCenter component, the device's web-based management interface. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw exploitable by unauthenticated attackers with low complexity and no user interaction, yielding full compromise of confidentiality, integrity, and availability (9.8 Critical). There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network-RCE profile on a consumer NAS device makes this a high-priority patch target.

RCE Synology Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-25879 CRITICAL PATCH GHSA Act Now

Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.

PostgreSQL Python Information Disclosure SQLi RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-44888 CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, a Python-based Wi-Fi/LAN intruder detector, in all releases prior to the 2026-05-07 fix. The web UI's SaveConfigFile() endpoint writes attacker-supplied numeric configuration values such as SMTP_PORT into pialert.conf with no validation, and because that file is reloaded via Python's exec() by a background cron job every 3-5 minutes, injected Python executes at the OS level. On default installations (PIALERT_WEB_PROTECTION = False) no credentials are required, matching the CVSS 9.8 network/no-privilege rating; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but trivial complexity and full CIA impact make it a high-priority patch.

Code Injection RCE Python
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8362 CRITICAL PATCH Act Now

Remote code execution in Gladinet Triofox is possible through a stack-based buffer overflow in WOSDefaultHttpModule.dll, which fails to bounds-check overly long URL paths beginning with /woshome. Because the flaw is reachable over the network with no authentication and no user interaction (CVSS 9.8), an attacker who can reach the Triofox web service can corrupt the stack and potentially execute arbitrary code in the context of the web module. No public exploit has been identified at the time of analysis, and the issue was reported by Tenable (TRA-2026-45).

Stack Overflow Buffer Overflow Triofox
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8363 CRITICAL PATCH Act Now

Remote code execution in Gladinet Triofox is possible through a stack-based buffer overflow in the WOSDeviceDropFolder.dll component, which mishandles overly long URL paths that begin with /resources. The CVSS 9.8 vector indicates an unauthenticated, network-reachable flaw requiring no user interaction, meaning any attacker who can reach the Triofox web service can corrupt the stack and potentially execute arbitrary code. The issue was reported by Tenable (TRA-2026-45); no public exploit identified at time of analysis and no EPSS score was provided in the source data.

Stack Overflow Buffer Overflow Triofox
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8364 CRITICAL PATCH Act Now

Missing authentication in Gladinet Triofox's Cloud Server Agent Access Service (GladServerAgentService.exe) lets remote, unauthenticated attackers reach privileged HTTP endpoints exposed on TCP port 7878. The service processes requests to paths such as /resources, /status, /sysinfo, /woshome, /Settings, /schedule, and /DavCache without an authentication check (CWE-306), and the CVSS vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H) rates the impact as full confidentiality, integrity, and availability compromise. There is no public exploit identified at time of analysis and no EPSS score was provided, but the 9.8 base score and unauthenticated network reachability make this a critical-priority issue for any internet-exposed Triofox deployment.

Authentication Bypass Triofox
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-42758 CRITICAL Act Now

Privilege escalation in the WebinarIgnition WordPress plugin (Saleswonder Team: Tobias) affects all versions through 4.08.252 and allows remote attackers to obtain elevated privileges due to incorrect privilege assignment. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%, 13th percentile), indicating no observed exploitation activity despite the critical severity.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45972 CRITICAL PATCH Act Now

Use-after-free and double-free conditions in the Linux kernel's SMB client (smb2_open_file) can be triggered when SMB2_open() retry paths fail to zero out err_iov and err_buftype buffers, leading to memory corruption. The flaw affects multiple stable kernel branches (6.1, 6.6, 6.12, 6.18) and is fixed in upstream patches; no public exploit identified at time of analysis and EPSS is very low (0.02%) despite the 9.8 CVSS score.

Information Disclosure Memory Corruption Use After Free Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45988 CRITICAL PATCH Act Now

Improper handling of failed RESPONSE packet decryption in the Linux kernel's rxrpc subsystem can leave packets in a partially decrypted state when requeued for retry after a temporary processing failure. The flaw affects multiple Linux kernel branches and was resolved upstream by discarding such packets and relying on the CHALLENGE/RESPONSE re-handshake. No public exploit identified at time of analysis, and EPSS scoring (0.02%, 5th percentile) indicates very low real-world exploitation probability despite the high CVSS rating.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45898 CRITICAL PATCH Act Now

Kernel memory corruption in the Linux iWARP Connection Manager (RDMA/iwcm) subsystem can crash systems running RDMA workloads on iWARP-capable hardware such as Intel E830 adapters. The bug, introduced by commit e1168f0 ('RDMA/iwcm: Simplify cm_event_handler()'), causes workqueue list corruption when iwcm_work items from a free list are reused while still queued, triggering a kernel BUG and panic. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile), despite a CVSS base score of 9.8.

Debian Ubuntu Information Disclosure Intel Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46039 CRITICAL PATCH Act Now

Integer overflow in the Linux kernel's rxgk (RxRPC GSS Kerberos) token extraction routine allows remote attackers to potentially trigger memory corruption via length-check bypass in rxgk_extract_token(). The flaw affects Linux kernel versions in the 6.16.9-to-6.17 range and was fixed by changing the validation to round down available data instead of rounding up the tested value. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.02%.

Linux Buffer Overflow Integer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46562 CRITICAL PATCH GHSA Act Now

Remote code execution in the Yamcs mission control framework (org.yamcs:yamcs-core, releases 4.7.3 through 5.12.6) lets a caller of the algorithm-override endpoint run arbitrary Java/OS code on the ground server. The Nashorn JavaScript engine that evaluates user-supplied algorithm text is created without a ClassFilter, so payloads can reach any Java class (e.g. java.lang.Runtime) and execute commands as the Yamcs process user; because the default install (no security.yaml) gives the built-in guest user superuser=true, the endpoint is reachable by an unauthenticated network attacker. A detailed working exploit is published in the GitHub Security Advisory (publicly available exploit code exists); the issue is not listed in CISA KEV and no EPSS score was provided in the input.

Java RCE Code Injection Python
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-42731 CRITICAL Act Now

Privilege escalation in the miniOrange OTP Verification WordPress plugin (all versions up to and including 5.4.9) lets remote unauthenticated attackers gain elevated privileges due to incorrect privilege assignment (CWE-266). With a CVSS 9.8 vector indicating network reach, no authentication, and no user interaction, a successful attack can fully compromise the confidentiality, integrity, and availability of the affected WordPress site. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8760 CRITICAL Act Now

Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthenticated attackers log in as any user, including administrators. The flaw is an incomplete fix for CVE-2024-11178: the brute-force lockout was added only to the OTP-generation code path and never checked when an OTP is validated, and the 6-digit codes never expire, so an attacker can exhaustively guess the ~900,000-value OTP space and receive a valid WordPress session cookie. CVSS is 9.8; this is rated unauthenticated (CVSS PR:N) with low attack complexity, but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-44590 CRITICAL PATCH Act Now

Command injection in the Sherlock username-hunting tool's CI/CD pipeline (versions prior to 0.16.1) allows any GitHub user to run arbitrary commands on the project's GitHub Actions runner. The flaw lives in the validate_modified_targets.yml workflow, which uses the dangerous pull_request_target trigger; simply opening a pull request executes attacker-controlled code with no approval, review, or merge required. Fixed in 0.16.1; with a CVSS of 9.3 it is a high-severity supply-chain issue, though no public exploit was identified at time of analysis and the technique class is well documented.

Command Injection Sherlock
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.8%
CVE-2026-9739 CRITICAL PATCH GHSA Act Now

Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditionally emitting an `Access-Control-Allow-Origin: *` header, which overrides the `allowed-origins`/`allowed-hosts` controls added during beta and opens the endpoint to DNS rebinding. Any deployment using the SSE transport under MCP specification v2024-11-05 is affected, letting a remote attacker who lures a victim to a malicious web page read the victim's Toolbox/database tool responses cross-origin. Rated CVSS 4.0 9.4 with an upstream fix merged in PR #3054; no public exploit has been identified and the issue is not on CISA KEV.

Information Disclosure Cors Misconfiguration
NVD GitHub
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-49103 CRITICAL PATCH Act Now

Path traversal in Webmin's mailboxes component before version 2.640 lets an authenticated user write saved attachment files outside the intended directory by controlling the attachment's filename. The flaw lives in mailboxes/detachall.cgi, which constructs the on-disk filename directly from the email attachment's MIME name without stripping path separators, so a crafted name can redirect the write to an attacker-chosen location. Carrying a CVSS 4.0 base score of 9.4 with total technical impact, the issue is fixed in 2.640; CISA's SSVC framework currently lists exploitation status as none and no public exploit has been identified.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-48906 CRITICAL Act Now

Arbitrary file deletion in the Novarain/Tassos Framework system plugin (plg_system_nrframework) and the suite of Tassos.gr Joomla extensions that bundle it lets remote unauthenticated attackers delete arbitrary files on affected sites. The CVSS 4.0 vector (PR:N/UI:N) and the 'Authentication Bypass' tag indicate no credentials or interaction are needed, and the high integrity/availability impact reflects that deleting core files such as Joomla's configuration.php can lead to denial of service or site takeover. There is no public exploit identified at time of analysis, and EPSS is low (0.07%, 21st percentile) with no CISA KEV listing, indicating no observed exploitation despite the critical 9.3 base score.

Authentication Bypass Novarain Tassos Framework Plg System Nrframework Convert Forms Engagebox Google Structured Data +5
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-42755 CRITICAL Act Now

Unauthenticated blind SQL injection in the RealMag777 TableOn (posts-table-filterable) WordPress plugin through version 1.0.5.1 lets remote attackers inject crafted SQL into backend queries without credentials or user interaction. Because the CVSS scope is marked changed (S:C) with high confidentiality impact, a successful attack can read data beyond the vulnerable component, including the WordPress database. No public exploit is identified at time of analysis, and the EPSS score is very low (0.03%, 9th percentile), indicating no current sign of widespread exploitation despite the 9.3 base score.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-42747 CRITICAL Act Now

Blind SQL injection in the Easy Form Builder WordPress plugin (by hassantafreshi), affecting all versions up to and including 4.0.6, lets remote unauthenticated attackers inject crafted SQL into backend database queries. With a CVSS of 9.3 and a scope-changed vector, a successful attack can read sensitive data across the database and impact availability. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 9th percentile), indicating no observed mass exploitation yet despite the high severity rating.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-35090 CRITICAL PATCH Act Now

Authentication bypass in Slican telephone exchanges (IPL-256, IPM-032, CCT-1668, MAC-6400, CXS-0424) lets an unauthenticated remote attacker who dials the device's management modem while presenting a specific caller ID bypass admin authentication and obtain full access to the service protocol and configuration panel. Because this 'magic' caller ID works regardless of how the exchange is configured - and even temporarily re-enables remote management when an administrator has disabled it - the flaw behaves like a hidden backdoor rather than a normal misconfiguration. CVSS 4.0 rates it 9.3 (critical); no public exploit has been identified at time of analysis, and the issue remains permanently unpatched on End-of-Life CCT-1668, MAC-6400, and CXS-0424 units running firmware 4.xx and below.

Authentication Bypass
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-35087 CRITICAL PATCH Act Now

Authentication bypass in Slican telephone exchanges (NCP, IPx, CCT-1668, MAC-6400, and CXS-0424 PBX systems) lets a remote attacker skip credential entry on the administrative protocol simply by issuing a specific command, granting full administrative control of the exchange. The flaw was reported by CERT Polska (cert.pl), carries a CVSS 4.0 base score of 9.3, and has no public exploit identified at time of analysis; however, the high score reflects unauthenticated network-reachable access with full confidentiality, integrity, and availability impact. Fixed firmware is available for current models, but the issue remains permanently unpatched on End-Of-Life CCT-1668, MAC-6400, and CXS-0424 units running version 4.xx and below.

Authentication Bypass
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-42761 CRITICAL Act Now

Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and including 1.0.9) allows remote unauthenticated attackers to inject SQL into backend database queries and infer sensitive data through boolean or time-based responses. The CVSS 3.1 vector (PR:N/UI:N) indicates exploitation requires no authentication or user interaction, and the changed scope (S:C) reflects that compromise of the WordPress database can affect the entire site beyond the plugin itself. There is no public exploit identified at time of analysis, and no KEV listing or EPSS score was provided.

SQLi WordPress
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-42740 CRITICAL Act Now

Blind SQL injection in the Tainacan WordPress plugin (versions up to and including 1.0.3) lets remote unauthenticated attackers inject crafted SQL into backend database queries. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates exploitation requires no authentication or user interaction, and the changed scope plus high confidentiality impact drive the 9.3 score. There is no public exploit identified at the time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and unauthenticated reach make it a high-priority patch candidate.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-42727 CRITICAL Act Now

Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and including 1.0.8) lets remote attackers inject SQL commands via an unsanitized parameter to read arbitrary data from the WordPress/WooCommerce database. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with a changed scope, meaning the injection reaches the backend database beyond the plugin component itself. There is no public exploit identified at time of analysis and no EPSS score was provided, so probability of exploitation cannot be quantified from the available data.

SQLi WordPress
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-9312 CRITICAL PATCH Act Now

Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issuing crafted requests to internal services, reachable through an upload endpoint that fails to validate input. By injecting path-traversal content into request parameters, an attacker can redirect internal API calls to reach back-end services and harvest sensitive credentials. No public exploit identified at time of analysis; the issue was reported through the GitHub Bug Bounty program and carries a CVSS 4.0 base score of 9.2 (Critical), though the vector flags high attack complexity and an extra attack requirement that temper real-world ease of exploitation.

SSRF Path Traversal Enterprise Server
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-8450 CRITICAL PATCH Act Now

OS command injection in Perl's HTTP::Daemon before 6.17 (libwww-perl) lets remote unauthenticated attackers execute commands as the daemon process UID when request-derived input reaches the send_file() method. The method opened its string argument with Perl's 2-argument open(), whose magic prefixes ('| cmd', 'cmd |', '> path', '>> path') spawn subprocesses or write/truncate files; the read-pipe form additionally leaks subprocess stdout into the HTTP response body. There is no public exploit identified at time of analysis and no CISA KEV listing, but the upstream fix is released (6.17) and the patch diff is public, so the root cause is fully disclosed.

Command Injection
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-45063 CRITICAL PATCH GHSA Act Now

Identity spoofing in Symfony's Security-Http component (the X509Authenticator) lets a certificate-based (mTLS) client authenticate as an arbitrary victim user. The extractUsername() routine used an unanchored regex that matched emailAddress= anywhere in the client certificate's Subject DN, so an attacker holding any certificate from a trusted CA with an attacker-controlled free-text CN can smuggle emailAddress=victim@target inside the CN and be logged in as that victim. Rated CVSS 4.0 9.1 (CWE-290) with a low EPSS of 0.05% (17th percentile); no public exploit identified at time of analysis and it is not in CISA KEV, but a vendor patch and regression tests are published.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.1%
CVE-2026-49002 CRITICAL Act Now

Improper access control in ZTE ZXUniPOS NDS-LTE (V24.40.40 and earlier, and V24.30.40CP02 and earlier) lets remote unauthenticated attackers reach functionality that should be permission-gated, allowing them to read and modify system configuration data beyond their authorization. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N) with high confidentiality and integrity impact but no availability impact, and the issue is tagged as an authentication bypass. EPSS is very low at 0.03% (9th percentile) and there is no public exploit identified at time of analysis.

Authentication Bypass Zxunipos Nds Lte
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46043 CRITICAL PATCH Act Now

Remote denial of service and potential memory corruption in the Linux kernel's RDMA Software RoCE (rxe) driver allows network attackers to send malformed RDMA packets that bypass length validation in rxe_rcv(). Affected systems with the rxe module loaded and reachable on the network can experience integer underflow in payload_size() due to an attacker-controlled BTH pad field, leading to negative values being passed to downstream receive-path handlers. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the CVSS 9.1 rating reflects the unauthenticated network attack surface where rxe is exposed.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-44726 CRITICAL PATCH GHSA Act Now

Cleartext transmission of TLS-protected data in Deno's Node.js compatibility layer (node:tls / node:https) affects versions >= 2.0.0 and < 2.7.8: when autoSelectFamily (the Node-compat default) triggers an address-family fallback after the first connection attempt fails, the retry reuses a stale TLS upgrade hook bound to the dead handle, so the replacement TCP socket is never upgraded to TLS. Any data the application writes before the secureConnect event — request bodies, Authorization headers, tokens — leaves the host in plaintext. Publicly available exploit code exists (a working PoC in the GHSA advisory), but EPSS is only 0.02% and the issue is not in CISA KEV, so no public active exploitation is identified at time of analysis.

Node.js Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-7876 CRITICAL Act Now

Authentication bypass in IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) versions 1.5.1 through 1.5.19 allows remote attackers to access and modify protected resources without valid credentials, scoring CVSS 9.1 critical. The flaw exposes confidential file transfer data and permits unauthorized modification of integrity-protected assets across all affected releases. No public exploit identified at time of analysis, and EPSS predicts only a 0.02% near-term exploitation probability despite the high severity rating.

IBM Authentication Bypass
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46621 CRITICAL PATCH GHSA Act Now

Remote code execution in Yamcs (the open-source mission control framework, yamcs-core) before 5.12.7 lets an authenticated operator holding the ChangeMissionDatabase privilege overwrite a Python (Jython) algorithm via the Mission Database REST API and run arbitrary OS commands on the host. The Jython script engine is invoked without a sandbox, so injected algorithm text can import java.lang.Runtime and shell out. Publicly available exploit code exists (a full PoC is published in the GitHub Security Advisory), but the issue is not listed in CISA KEV and no public in-the-wild exploitation is identified.

RCE Java Command Injection Code Injection Python
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-44632 CRITICAL PATCH GHSA Act Now

Remote code execution in Yamcs (Yet Another Mission Control System) versions before 5.12.7 allows an authenticated user holding the ChangeMissionDatabase privilege to run arbitrary OS commands on the server host. The flaw lives in the JavaExprAlgorithmExecutionFactory, which dynamically compiles user-supplied algorithm text with the Janino compiler without any sandbox or restrictive ClassLoader, so injected Java (e.g. java.lang.Runtime.exec) executes with the privileges of the Yamcs process. A detailed proof-of-concept exploit using a REST PATCH to override an existing algorithm is publicly available in the vendor advisory; the issue is not listed in CISA KEV.

RCE Java Code Injection
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-48150 CRITICAL PATCH GHSA Act Now

Privilege escalation in Budibase before 3.39.0 lets a workspace-scoped builder promote themselves or any other user to global administrator with a single POST to /api/public/v1/roles/assign. The builderOrAdmin middleware admits app-level builders (builder.apps set, builder.global unset) and the controller blindly spreads the request body into the SDK, allowing the caller to set builder.global=true or admin.global=true on arbitrary user IDs. The flaw turns a tenant-confined Enterprise feature into full tenant-wide takeover; no public exploit is identified at time of analysis, but the technique is fully described in the GitHub advisory.

Privilege Escalation
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-8832 HIGH This Week

Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run arbitrary PHP on the server. Because the plugin registers its 'wpcode' custom post type without a dedicated capability_type, WordPress falls back to standard post capabilities, so any author can create and publish PHP snippet posts via the XML-RPC wp.newPost method, which are later passed to eval() when rendered through the [wpcode] shortcode. EPSS is modest at 0.44% (63rd percentile) and there is no public exploit identified at time of analysis, but the low privilege bar and full CIA impact make this a high-priority patch for any multi-author site.

Code Injection RCE PHP WordPress
NVD
CVSS 3.1
8.8
EPSS
0.4%
Page 1 of 15 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy