Skip to main content
CVE-2026-5516 MEDIUM This Month

Security bypass via race condition in IBM WebSphere Application Server Liberty 22.0.0.11 through 26.0.0.5 allows a remote, highly-privileged attacker to circumvent access controls during a narrow timing window, resulting in high-confidentiality-impact data exposure. The CVSS vector confirms network-based exploitation requiring high privileges and high attack complexity, constraining real-world risk significantly. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Authentication Bypass IBM Race Condition
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-3348 MEDIUM This Month

Stored Cross-Site Scripting in the MinhNhut Link Gateway WordPress plugin (all versions through 3.6.1) allows authenticated administrators to persist malicious JavaScript payloads via the plugin's settings fields - including Description and Title - which then execute in the browsers of any user who accesses the plugin's redirect pages. The attack is constrained to multi-site WordPress deployments or single-site installations where unfiltered_html has been explicitly disabled, and requires Administrator-level credentials, substantially narrowing real-world exposure. No public exploit code has been identified at time of analysis, and EPSS stands at a very low 0.03% (8th percentile), consistent with the narrow exploitation window.

XSS WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-48792 MEDIUM PATCH This Month

Authentication bypass in pam_usb prior to 0.9.1 allows a local low-privileged user to circumvent hardware token requirements by exploiting silent EACCES error suppression in the virtual input device scanner. When the PAM module's evdev.c component fails to open /dev/input/event* nodes due to permission errors, it returns a false negative indicating no virtual devices are present, and the caller in local.c proceeds with authentication as if the hardware check passed cleanly. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Pam Usb
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-40914 MEDIUM PATCH This Month

Incorrect authorization in Apache ActiveMQ Artemis allows authenticated STOMP protocol clients to modify address routing-type settings without sufficient privilege checks. Affects Artemis versions through 2.44.0 and 2.53.0 respectively, the flaw (CWE-863) permits low-privileged network users to alter broker address routing configuration, impacting message routing integrity. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in a monitor-and-patch priority tier rather than emergency response.

Apache Command Injection Jenkins Authentication Bypass Denial Of Service +2
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2022-41656 MEDIUM This Month

Missing Authorization vulnerability in Bizswoop Account Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.1.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-42540 MEDIUM PATCH This Month

Mass assignment vulnerability in DFIR-IRIS before 2.4.28 enables authenticated low-privileged users to modify object attributes that the application should restrict from client control. Exploitable remotely with no complexity or user interaction required (AV:N/AC:L/PR:L/UI:N), the flaw can allow unauthorized modification of case data, ownership fields, or other model attributes beyond what the interface intentionally exposes. No public exploit code identified at time of analysis, and the CVE is not listed in CISA KEV; however, it was disclosed as part of a coordinated multi-CVE advisory by SBA Research covering five distinct vulnerabilities in the same product version.

CSRF Information Disclosure File Upload
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42543 MEDIUM PATCH This Month

Cross-Site Request Forgery in DFIR-IRIS before version 2.4.28 enables a remote attacker to perform unauthorized state-changing actions on behalf of an authenticated victim user, with low integrity impact and no confidentiality or availability consequence. Disclosed by SBA Research as part of a coordinated multi-CVE advisory (alongside mass assignment CVE-2026-42540, excessive data exposure CVE-2026-42539, and false alert attribution CVE-2026-42547), this flaw is rooted in CWE-650 - the application trusts HTTP method semantics rather than enforcing proper anti-CSRF token validation. No public exploit code or active exploitation has been identified at time of analysis.

CSRF Information Disclosure
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48924 MEDIUM PATCH This Month

Open redirect vulnerability in Jenkins Bitbucket OAuth Plugin 0.17 and earlier enables unauthenticated network attackers to craft login URLs that redirect authenticated victims to arbitrary, attacker-controlled destinations, facilitating phishing campaigns targeting Jenkins users. The plugin fails to validate or restrict the post-login redirect URL parameter, classified under CWE-601. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.3 Medium rating reflects network reachability offset by a mandatory user interaction requirement.

Open Redirect Jenkins
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14481 MEDIUM This Month

Insecure Direct Object Reference in Yoast SEO for WordPress (all versions through 26.5) allows authenticated Contributor-level users to read SEO metadata from any post on the site - including private posts, drafts, and content owned by other users - by supplying arbitrary post_id values to the Meta Search REST API endpoint. The flaw is a missing object-level authorization check: the plugin verified generic edit capability rather than per-post ownership. No public exploit identified at time of analysis, and EPSS stands at 0.03% (8th percentile), indicating low exploitation interest in the wild.

Authentication Bypass WordPress
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48923 MEDIUM PATCH This Month

Missing permission check in Jenkins AppSpider Plugin 1.0.17 and earlier allows any authenticated user with Overall/Read permission to force the Jenkins server to initiate connections to arbitrary attacker-specified URLs via a form validation endpoint. This constitutes a server-side request forgery (SSRF)-class primitive - an attacker can leverage this to probe internal network services, perform port scanning, or interact with internal infrastructure reachable by the Jenkins host. No public exploit has been identified at time of analysis, and CISA SSVC assessment confirms no active exploitation.

Privilege Escalation Jenkins
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48926 MEDIUM PATCH This Month

Jenkins Job Import Plugin version 143.v044a_2e819b_27 and earlier exposes credentials ID enumeration to any authenticated user holding the minimal Overall/Read permission due to a missing permission check on an HTTP endpoint. Any low-privileged Jenkins user can query this endpoint and retrieve the IDs of all credentials stored in the Jenkins credentials store, enabling reconnaissance for follow-on credential-targeting attacks. No public exploit has been identified at time of analysis, CISA has not listed this in KEV, and SSVC rates exploitation status as none with partial technical impact.

Privilege Escalation Jenkins
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1248 MEDIUM This Month

Information disclosure in IBM Business Automation Workflow (containers and traditional deployments) exposes internal database schema details through application error messages to authenticated low-privilege users. Affecting versions across the 24.0.0, 24.0.1, 25.0.0, and 25.0.1 release lines, a network-accessible authenticated attacker can deliberately trigger error conditions to harvest database structure information - table names, column names, or schema layout - without needing elevated permissions. No public exploit code exists and no active exploitation is confirmed; SSVC assessment classifies this as non-automatable with partial technical impact, consistent with its limited confidentiality scope.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2255 MEDIUM PATCH This Month

Plaintext credential exposure in Hitachi Vantara Pentaho Data Integration & Analytics allows authenticated network users to retrieve Hadoop cluster credentials via the Cluster Test API response. Affected versions span the 8.3.x, 9.3.x, and 10.x lines up to 10.2.0.6, as well as all pre-11.0.0.0 builds in the 11.x line. The vendor acknowledges partial self-mitigation: because the Cluster Test API is only accessible to users who already hold sufficient privileges to submit Hadoop jobs via the backend API, the incremental credential exposure is constrained - though the plaintext disclosure still enables credential harvesting for lateral movement or offline use. No public exploit code exists and EPSS is negligible at time of analysis.

Information Disclosure Pentaho Data Integration And Analytics
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8903 MEDIUM This Month

Cross-Site Request Forgery in the Two-factor Authentication (formerly IP Vault) WordPress plugin versions up to and including 2.1 enables unauthenticated remote attackers to manipulate the plugin's firewall rules and 2FA configuration - potentially disabling protection entirely - by inducing an authenticated site administrator to click a crafted link. The vulnerable surface is the `ipv_save_changes` function in `admin-settings.php`, which lacks proper nonce validation. No public exploit has been identified at time of analysis, and EPSS at 0.02% (6th percentile) reflects very low automated exploitation probability, though the downstream security impact of silently disabling 2FA or firewall rules is disproportionate to the raw CVSS score of 4.3.

WordPress Hashicorp CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9674 MEDIUM PATCH This Month

Cross-site request forgery in Jenkins Multijob Plugin versions up to and including 662.vd2e0001f6b_b_d enables unauthenticated remote attackers to resume failed Multijob builds by tricking an authenticated Jenkins user into issuing a forged request. The CVSS vector (PR:N/UI:R) confirms no attacker privileges are required, but victim interaction is mandatory, limiting scalability. No public exploit code and no active exploitation have been identified at time of analysis; SSVC independently corroborates Exploitation: none.

CSRF Jenkins
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48925 MEDIUM PATCH This Month

Cross-site request forgery in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows unauthenticated remote attackers to trigger unauthorized pull request builds by tricking an authenticated Jenkins user into visiting a crafted page. The vulnerability stems from missing CSRF token validation on the endpoint that triggers pull request builds. With CVSS 4.3 (Medium) and no public exploit or KEV listing identified at time of analysis, this represents a moderate-integrity risk primarily in CI/CD pipeline environments where unauthorized build execution could be leveraged for resource abuse or workflow manipulation.

CSRF Jenkins
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7614 MEDIUM This Month

Cross-Site Request Forgery in the Old Posts Highlighter WordPress plugin (all versions ≤1.0.3) enables unauthenticated network attackers to modify the plugin's configuration settings without authorization, provided they can socially engineer an authenticated site administrator into clicking a crafted link. The root cause is missing or incorrect WordPress nonce validation in the OPH_options function within OPH_admin.php, a standard anti-CSRF control in the WordPress plugin ecosystem. No public exploit has been identified at time of analysis, and the EPSS score of 0.01% (2nd percentile) reflects minimal observed exploitation pressure.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9236 MEDIUM This Month

Cross-Site Request Forgery in the CM Ad Changer WordPress plugin (all versions ≤ 2.0.7) allows permanent, irreversible deletion of advertising campaigns, associated banner records, and uploaded media files without any attacker authentication. The root cause is absent or incorrect nonce validation in the cmac_campaigns_action function, meaning forged HTTP requests bypass WordPress's standard CSRF defenses entirely. No active exploitation is confirmed (not in CISA KEV) and EPSS sits at the 2nd percentile, but the social-engineering bar - tricking one administrator into clicking a link - is low, making this a meaningful integrity risk for ad-dependent WordPress deployments.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8942 MEDIUM This Month

Cross-Site Request Forgery in MetaMagic SEO Plugin for WordPress (all versions ≤ 1.6) enables unauthenticated remote attackers to modify plugin SEO configuration - including enabling or disabling the plugin and toggling meta tag output - by inducing a logged-in administrator to trigger a forged HTTP request. The root cause is missing or incorrect nonce validation in the metamagic_update_options function, as confirmed by Wordfence (security@wordfence.com) and indexed under ENISA EUVD-2026-32117. No public exploit identified at time of analysis; EPSS at 0.01% (2nd percentile) and SSVC exploitation status of 'none' indicate very low real-world exploitation probability at this time.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8943 MEDIUM This Month

Cross-Site Request Forgery in the GoStats for WordPress plugin (all versions ≤ 1.4) allows unauthenticated remote attackers to overwrite plugin configuration options - specifically gostats_siteid and gostats_server - by tricking an authenticated administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation in the gostats_manage() function, bypassing WordPress's standard CSRF defense. No active exploitation has been confirmed: the vulnerability is absent from CISA KEV, carries an EPSS score of 0.01% (2nd percentile), and SSVC rates exploitation status as none - indicating negligible real-world exploitation pressure at time of analysis.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8941 MEDIUM This Month

Cross-Site Request Forgery in CDN Linker lite WordPress plugin (versions up to and including 1.3.1) enables unauthenticated remote attackers to hijack a site's CDN URL by tricking a logged-in administrator into triggering a forged request. The vulnerable function, ossdl_off_options(), lacks proper nonce validation, meaning an attacker who successfully engineers admin interaction can repoint all static asset references - JavaScript, CSS, images - to an attacker-controlled domain. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the EPSS score of 0.01% (2nd percentile) reflects low current exploitation probability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8939 MEDIUM This Month

Cross-Site Request Forgery in the Search Simple Fields WordPress plugin (versions ≤ 0.2) enables unauthenticated remote attackers to modify plugin configuration by tricking an authenticated site administrator into clicking a crafted link. The root cause is absent or incorrect nonce validation in the `search_simple_fields_options()` function within `functions_admin.php`, allowing forged HTTP requests to alter settings such as post types, custom fields, media fields, and the custom media function name. No active exploitation is confirmed (no CISA KEV listing, EPSS at 0.01%, SSVC exploitation status: none), making this a low-urgency but straightforward finding on affected WordPress installations.

PHP WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8938 MEDIUM This Month

Cross-Site Request Forgery in the auto making JSON-LD WordPress plugin (all versions through 4.5.3) enables unauthenticated remote attackers to overwrite the plugin's license key option and trigger unauthorized installation of pro components by inducing an authenticated administrator to visit a malicious page. The vulnerability originates from absent or incorrect nonce validation in the `amJL_certification` function (settings/certification.php), bypassing WordPress's built-in CSRF protection and cascading into downstream calls to `amJL_is_license_valid()` and `amJL_download_and_install_pro_features()`. No public exploit has been identified at time of analysis; EPSS is 0.01% (2nd percentile) and SSVC confirms no known exploitation.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8708 MEDIUM This Month

Cross-Site Request Forgery in the Genzel breadcrumbs WordPress plugin (all versions ≤1.2) enables unauthenticated attackers to silently overwrite breadcrumb configuration - including templates, delimiters, home labels, URIs, and routing rules - by tricking a logged-in administrator into loading a forged request. The flaw is rooted in absent nonce validation inside the _options_page function, confirmed at gb.class.php lines 412 and 424 and page-options.php line 16. No public exploit identified at time of analysis; EPSS of 0.01% (2nd percentile) signals negligible mass-exploitation probability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-41009 MEDIUM PATCH This Month

Path traversal in BOSH Director allows a compromised BOSH agent to cause the Director to read and delete arbitrary files outside the blobstore root on the Director host filesystem. When the Director processes long-running operations such as compile_package and is configured with the local blobstore provider, agent-supplied blob IDs in the reply JSON are passed unmodified into filesystem path construction, enabling traversal strings like '../../jobs/director/config/director.yml' to resolve to sensitive files. No public exploit exists and no active exploitation has been identified; the CVSS 4.0 score of 4.3 reflects the significant prerequisite barriers including high privilege requirements and a specific non-default configuration.

Path Traversal Bosh
NVD
CVSS 4.0
4.3
EPSS
0.0%
CVE-2026-8716 MEDIUM PATCH This Month

Unauthorized CI data access in GitLab CE/EE allows an authenticated low-privileged user to read CI pipeline data from a ref type (branch, tag, or merge request ref) other than the one they are authorized to view, under certain unspecified conditions. All GitLab installations - both Community and Enterprise editions - running versions from 12.7 through the unpatched releases are affected. The vulnerability is classified as information disclosure with low confidentiality impact; no public exploit code has been identified at time of analysis and it is not listed in the CISA KEV catalog.

Gitlab Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-5296 MEDIUM PATCH This Month

Authorization bypass in GitLab Enterprise Edition allows authenticated users holding only developer-role permissions to circumvent flow restrictions when foundational flows are enabled at the group level. Affecting all EE versions from 18.7 through 19.0 (prior to the respective patch releases), this flaw stems from missing authorization checks (CWE-862) and results in a low-integrity-impact, network-accessible exploitation path. No active exploitation has been identified (SSVC: Exploitation none), and GitLab has released patches across all affected branches as of 2026-05-27.

Gitlab Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2601 MEDIUM PATCH This Month

GitLab Enterprise Edition exposes sensitive deployment data to authenticated users holding only developer-role permissions due to missing authorization checks on deployment-related project resources (CWE-862). Affected versions span a wide range - all EE releases from 11.5 through 18.10.6, 18.11.0 through 18.11.3, and 19.0.0 - making this broadly applicable across unpatched GitLab EE deployments. No public exploit identified at time of analysis per CISA KEV, though SSVC intelligence indicates proof-of-concept code exists, and a HackerOne report (3556381) corroborates researcher discovery.

Gitlab Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49054 MEDIUM This Month

Missing authorization in The Post Grid WordPress plugin (versions through 7.9.2) allows authenticated low-privileged users to bypass access control checks and read data restricted to higher-privileged roles. The flaw stems from inadequate capability enforcement within the plugin's request handling, enabling privilege escalation of access scope without elevated credentials. No public exploit identified at time of analysis, and CISA has not listed this in the KEV catalog; SSVC signals confirm no known active exploitation.

Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49052 MEDIUM This Month

Missing authorization in Wpmet's ElementsKit Elementor addons Lite plugin for WordPress (versions through 3.9.6) permits authenticated low-privilege users to invoke privileged plugin functionality without proper access control verification. The CVSS vector (PR:L, I:L) confirms the attack requires a valid low-privilege WordPress account - such as a Subscriber - but grants unintended write-level access to restricted plugin operations. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping real-world risk moderate; however, the network-accessible, low-complexity nature of the flaw means any authenticated user on an affected installation is a potential threat actor.

Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49051 MEDIUM This Month

Missing authorization in the WP Meta and Date Remover WordPress plugin (versions through 2.3.6) allows low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in unauthorized read access to restricted information. The CVSS vector (PR:L, C:L) confirms that exploitation requires a valid WordPress account and yields only partial confidentiality exposure with no integrity or availability impact. No public exploit code has been identified and CISA SSVC rates exploitation as none, making this a lower-urgency but real access control gap in WordPress environments running the affected plugin.

Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49047 MEDIUM This Month

Missing authorization in the DearFlip WordPress flipbook plugin (versions through 2.4.27) allows authenticated low-privileged users to bypass access control checks and read restricted data. The flaw, classified under CWE-862, permits exploitation of incorrectly configured access control security levels within the plugin's functionality. No public exploit code or active exploitation has been identified at time of analysis, and SSVC assessment rates technical impact as partial.

Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49045 MEDIUM This Month

Missing authorization in the Adminimize WordPress plugin (versions through 1.11.11) allows authenticated low-privileged users to exploit incorrectly configured access control security levels, resulting in unauthorized read access to restricted information. The flaw, classified under CWE-862, was discovered by Patchstack's audit team and affects the plugin's role-based admin interface customization logic. No public exploit or active exploitation has been identified at time of analysis, and SSVC assessment rates exploitation as none with only partial technical impact.

Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48973 MEDIUM This Month

Broken access control in the SVG Support WordPress plugin (versions through 2.5.14) allows low-privileged authenticated users to perform unauthorized actions due to missing authorization checks on one or more plugin functions. The vulnerability (CWE-862) enables an attacker with a basic WordPress account to circumvent access control restrictions and make unauthorized modifications, impacting integrity without exposing sensitive data or causing service disruption. No public exploit code or active exploitation has been identified at time of analysis, and SSVC assessment rates exploitation as none with partial technical impact.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48971 MEDIUM This Month

Missing authorization controls in the WebToffee Product Import Export for WooCommerce WordPress plugin (versions through 2.5.6) allow low-privileged authenticated users to access protected import/export functionality beyond their intended permission level, resulting in unauthorized read access to product data. The flaw is classified under CWE-862 (Missing Authorization), meaning the plugin fails to verify whether the requesting user is actually permitted to perform sensitive operations. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 4.3 reflects a limited-impact, network-accessible vulnerability constrained by the requirement for prior authentication.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9689 MEDIUM This Month

HTTP parameter pollution in Keycloak enables authentication bypass against deployments where OAuth/OIDC client applications are configured with permissive redirect URI patterns. An unauthenticated remote attacker who can trick a user into clicking a crafted authorization URL can inject duplicate HTTP parameters into the OAuth flow, causing the client application to prioritize attacker-supplied values over server-authoritative data - potentially hijacking the authentication process or gaining unauthorized resource access. No public exploit has been identified and EPSS (0.08%, 23rd percentile) signals low real-world exploitation probability; however, the authentication bypass impact is meaningful in identity-sensitive deployments.

Authentication Bypass Build Of Keycloak
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-21785 MEDIUM This Month

HCL BigFix Remote Control Server WebUI versions 10.1.0.0442 and earlier expose a misconfigured Content Security Policy that omits fallback directives, permitting browsers to bypass intended origin restrictions and load unauthorized external resources. The Changed Scope (S:C) in the CVSS vector confirms that exploitation can affect resources or contexts beyond the vulnerable WebUI component itself - consistent with the XSS tag indicating potential cross-origin script injection. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, though the high-privilege and user-interaction prerequisites substantially constrain the realistic attack surface.

XSS
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-9712 LOW PATCH Monitor

Unauthorized file download in pretix's export API allows an authenticated attacker to retrieve export files belonging to other users by supplying a UUID not associated with their own account. Affected versions span a wide range from pretix 2024.10.0 through the 2026.4.x series prior to the 2026.4.2 patch. Exploitation is significantly constrained by the CVSS 4.0 AT:P (Attack Target: Prerequisite) condition - the attacker must independently obtain a valid UUID for a target file, making opportunistic exploitation unlikely absent a secondary information-disclosure weakness. No public exploit code exists and no active exploitation has been identified at time of analysis.

Authentication Bypass
NVD
CVSS 4.0
3.8
EPSS
0.0%
CVE-2026-33552 LOW Monitor

Incorrect access control in Northern.tech Mender Enterprise Server before 4.1.1 allows remote unauthenticated attackers to gain limited confidential data exposure under high-complexity conditions. Classified under CWE-269 (Improper Privilege Management) and tagged as a Privilege Escalation vector, the flaw introduces an unauthorized access path to restricted resources, though impact is constrained to low confidentiality loss with no integrity or availability consequence. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (5th percentile) reflects a minimal probability of imminent widespread exploitation.

Privilege Escalation
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-46057 LOW PATCH Monitor

Landlock LSM's credential transfer hook in the Linux kernel silently drops the LOG_SUBDOMAINS_OFF audit-muting flag across fork() boundaries, breaking the documented sandboxing pattern where a parent process suppresses subdomain audit logs before spawning sandboxed children. Affected kernels from commit ead9079f75696 onward across the 6.15, 6.18, and 7.x stable branches allow child processes to emit unexpected Landlock audit records the operator explicitly intended to suppress. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), and this is a logic correctness defect rather than a privilege-escalation or data-exfiltration path.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-49009 LOW Monitor

Directory traversal in Northern.tech Mender Server allows a remote authenticated attacker to read files outside intended directory boundaries, resulting in limited confidentiality exposure. Affected versions include v4.1.0, v4.0.1, and all prior releases; patched versions v4.1.1 and v4.0.2 are available. No public exploit code and no active exploitation have been identified at time of analysis, and the low CVSS score of 3.1 reflects constrained real-world impact.

Path Traversal
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2024-47267 LOW PATCH Monitor

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Synology Path Traversal
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2024-47272 LOW PATCH Monitor

Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Synology
NVD VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2024-47270 LOW PATCH Monitor

Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Synology Information Disclosure
NVD VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-45064 LOW PATCH GHSA Monitor

Symfony HtmlSanitizer's UrlSanitizer::parse() passes Unicode BiDi override characters (U+202A-U+202E, U+2066-U+2069) unchanged into href and src HTML attributes, enabling visual URL spoofing against any application that renders sanitized user-supplied HTML to other users. All HtmlSanitizer configurations that permit links or media elements are affected across symfony/html-sanitizer 6.1.0-6.4.39, 7.0.0-7.4.11, and 8.0.0-8.0.11, as well as the bundled symfony/symfony 6.1.0-6.4.39. No public exploit has been released and this CVE is not listed in CISA KEV, but the BiDi spoofing technique is a well-documented, low-complexity phishing primitive requiring no authentication on the attacker's side.

Information Disclosure
NVD GitHub
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-45066 LOW PATCH GHSA Monitor

Three distinct URL allowlist bypasses in Symfony's symfony/html-sanitizer component allow content authors to smuggle off-allowlist URLs past host and scheme restriction controls configured via allowLinkHosts(), allowLinkSchemes(), allowMediaHosts(), and allowMediaSchemes(). The root cause is a combination of parser-differential attacks exploiting divergence between RFC-3986 (used server-side) and the WHATWG URL Standard (used by browsers), plus misclassification of <area> elements as media rather than navigable links. Affected applications processing untrusted HTML with host/scheme allowlists in symfony/html-sanitizer 6.1.0-6.4.39, 7.0.0-7.4.11, and 8.0.0-8.0.11 are at risk; no public exploit identified at time of analysis and this CVE does not appear in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-45065 LOW PATCH GHSA Monitor

Protocol-relative URL injection in Symfony's UrlGenerator allows open redirect via regex alternation bypass in route parameter validation. When route requirements use alternation patterns (e.g., `_locale: 'en|fr|vi|de'`), the validation regex `#^REQUIREMENT$#` fails to anchor middle alternatives due to regex operator precedence, enabling substring matching against attacker-supplied values. An attacker who can influence route parameters fed into the Twig `path()`/`url()` helpers can inject a value like `/evil.com` - which satisfies the requirement by containing `vi` as a substring - causing UrlGenerator to produce `//evil.com/...`, a protocol-relative URL the browser navigates off-site. No public exploit is identified at time of analysis, and the vulnerability is not listed in CISA KEV; patches are released across all supported Symfony branches.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-45072 LOW PATCH GHSA Monitor

Stored XSS in Symfony's WebProfiler `CodeExtension::fileExcerpt()` allows JavaScript execution in a developer's browser when the profiler renders non-PHP files containing attacker-controlled content. Affected are symfony/symfony 6.4.24-6.4.39, 7.2.9-7.4.11, and 8.0.0-8.0.11, along with symfony/twig-bridge 6.4.24-6.4.39. The attack requires a separate write primitive to any file under the project root - log poisoning via `var/log/dev.log` is the canonical vector - after which exploitation is reliable and requires only developer interaction with the profiler. No public exploit has been identified at time of analysis, and the vulnerability is scoped to development environments only.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-9609 LOW Monitor

Weak password recovery in QianFox FoxCMS versions 1.2.0 through 1.2.6 exposes the admin panel's account recovery flow to abuse by authenticated administrators via a remotely accessible network vector. Publicly available exploit code exists (CVSS E:P), though the requirement for high privileges (PR:H) substantially constrains real-world impact, corroborated by an EPSS score of just 0.03% (11th percentile) and no CISA KEV listing. The vendor was notified via a GitHub issue report but has not responded, leaving all affected versions unpatched at time of analysis.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-9608 LOW Monitor

Cross-site scripting in QianFox FoxCMS versions 1.2.0 through 1.2.6 allows a high-privileged attacker to inject malicious JavaScript via the /Tag/edit endpoint in the Administrator Backend, executing in the context of another user's browser session upon interaction. A proof-of-concept exploit has been publicly disclosed via a GitHub issue report, though the vendor has not yet acknowledged or responded to the disclosure. The CVSS 4.0 score of 1.9 and EPSS of 0.03% (9th percentile) reflect the severe prerequisite constraints - administrator-level authentication and passive user interaction - which sharply limit real-world exploitability.

XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
Prev Page 14 of 15 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy