Skip to main content
CVE-2026-8698 MEDIUM This Month

Stored Cross-Site Scripting in the Cryptocurrency Prijsvergelijking Widget WordPress plugin (version 1.0) allows authenticated attackers holding contributor-level access to inject persistent JavaScript into any page where the plugin shortcode is placed, executing silently in the browsers of all subsequent visitors including administrators. The root cause is the as_get_coin_shortcode() function writing user-controlled 'width' and 'height' shortcode attributes directly into an iframe's HTML style attribute without calling esc_attr(), enabling style-context breakout via crafted attribute-termination payloads. No public exploit has been independently listed at time of analysis and EPSS stands at 0.03% (9th percentile), indicating low observed exploitation probability, though the CVSS Changed Scope designation means a single injected payload can compromise sessions of any user - including site administrators - who loads the affected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8048 MEDIUM This Month

Stored Cross-Site Scripting in the My Email Shortcode WordPress plugin (versions up to and including 0.91) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the 'subject' attribute of the 'my-email' shortcode. The Changed scope in the CVSS vector (S:C) confirms that successful exploitation crosses security boundaries, affecting visiting users' browser sessions regardless of their own privilege level. No active exploitation has been identified (not in CISA KEV), and the EPSS score of 0.03% at the 9th percentile indicates low observed exploitation probability at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8040 MEDIUM This Month

Stored Cross-Site Scripting in the faq shortcode WordPress plugin (all versions up to and including 1.0) permits authenticated contributors to persist arbitrary JavaScript into site pages via the unsanitized 'color' attribute of the [faq] shortcode, with the payload executing in any visitor's browser upon page load. The vulnerability stems from missing input sanitization and output escaping in faq.php at line 65, and the changed scope (S:C in CVSS) confirms cross-user impact beyond the attacker's own session. No public exploit has been identified and EPSS sits at 0.03% (9th percentile), reflecting low current exploitation activity.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6565 MEDIUM This Month

Stored Cross-Site Scripting in Style Kits for Elementor (analogwp-templates) WordPress plugin versions up to and including 2.5.0 allows authenticated attackers with contributor-level access to inject persistent JavaScript payloads via the kit title parameter at the /wp-json/agwp/v1/tokens/save REST API endpoint. The injected script executes in the browser of any user who subsequently visits an affected page, with a Changed scope (S:C) indicating cross-user impact that can reach administrators. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) signals low observed exploitation probability, though the contributor-level barrier is low on multi-author WordPress sites.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3897 MEDIUM This Month

Stored Cross-Site Scripting in the Livemesh Addons for Beaver Builder WordPress plugin (all versions ≤3.9.2) allows authenticated attackers with Subscriber-level access or above to inject persistent malicious scripts via the `labb_admin_ajax` AJAX endpoint. The root flaw is a missing capability check - the handler validates a WordPress nonce (confirming form origin) but never verifies whether the requesting user holds privileges to modify plugin settings, effectively granting any registered user write access to plugin configuration. Injected scripts execute in the browser of administrators who visit the settings page or against any frontend visitor, enabling session hijacking or privilege escalation against admins. No public exploit code or active exploitation has been identified at time of analysis; EPSS is very low at 0.03% (8th percentile).

XSS WordPress Authentication Bypass
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3896 MEDIUM This Month

Stored Cross-Site Scripting in the Livemesh SiteOrigin Widgets WordPress plugin (all versions through 3.9.2) allows any authenticated subscriber-level user to permanently inject malicious scripts into plugin settings via the unprotected `lsow_admin_ajax` AJAX endpoint. The injected payload executes against administrators when they access the plugin settings page, and against any site visitor on the frontend - enabling session hijacking, credential theft, or unauthorized admin actions. No public exploit has been identified at time of analysis and CISA has not added this to the KEV catalog, but the low privilege bar (subscriber) makes it an attractive target on sites with open registration.

XSS WordPress Authentication Bypass
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3895 MEDIUM This Month

Stored Cross-Site Scripting in the WPBakery Page Builder Addons by Livemesh WordPress plugin (all versions through 3.9.4) allows authenticated attackers with as little as Subscriber-level access to permanently inject malicious JavaScript into plugin settings via the unprotected lvca_admin_ajax AJAX endpoint. The injected payload executes both when administrators access the plugin settings page and when any frontend visitor loads affected pages, achieving Changed Scope impact beyond the attacker's own session. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE, though the low authentication bar makes it a realistic risk on WordPress sites with open user registration.

XSS WordPress Authentication Bypass
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-45703 MEDIUM PATCH GHSA This Month

WordExportBundle in Pimcore CMS enforces only feature-level permission (`word_export`) at export initiation but performs no object-level authorization check against the target document element, constituting a broken object-level authorization (BOLA) flaw. Authenticated low-privileged backend users holding the `word_export` permission can supply arbitrary `type/id` parameters to `wordExportAction()` to export full content - including titles, descriptions, and body - from pages, snippets, emails, or objects they are explicitly denied `view` access to. A publicly available proof-of-concept script is included in the GitHub security advisory GHSA-332x-r494-54fq confirming practical exploitability; the vulnerability is not currently listed in CISA KEV.

Docker PHP Authentication Bypass
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-45073 MEDIUM PATCH GHSA This Month

SQL injection in Symfony's PdoAdapter cache component allows any caller who can influence the `$prefix` argument to `AbstractAdapterTrait::clear()` to inject arbitrary SQL into a DELETE statement, potentially deleting unintended rows from the cache table or reshaping query semantics. Affected versions span symfony/cache across four maintained branches: below 5.4.52, 6.x below 6.4.40, 7.x below 7.4.12, and 8.x below 8.0.12. No public exploit has been identified at time of analysis and the CVE is not listed in CISA KEV, but vendor-released patches are available across all affected branches.

SQLi
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-45067 MEDIUM PATCH GHSA This Month

Email-header and SMTP command injection (CWE-93) in Symfony's Mime component (symfony/mime, also shipped in the symfony/symfony monolith) lets an attacker who controls any address value smuggle CRLF sequences past a trusted validation boundary. The Address value-object - used for every Mailer to/cc/bcc/from/reply-to address - accepts an RFC-5322 quoted-string local-part containing raw carriage-return/line-feed bytes, which is later emitted verbatim into rendered message headers and into SmtpTransport's MAIL FROM/RCPT TO lines, allowing injection of new headers (e.g. an unauthorized Bcc) or new SMTP commands. It affects symfony/mime before 5.4.52, 6.4.40, and 7.4.12; there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Information Disclosure
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-42791 MEDIUM PATCH This Month

OCSP responder certificate validity bypass in Erlang OTP's public_key library allows forged OCSP responses-signed with the private key of an expired responder certificate-to be accepted as valid, defeating TLS certificate revocation checks. Affected deployments include TLS clients using OCSP stapling via the ssl application, and any application calling public_key:pkix_ocsp_validate/5 directly for server-side client certificate validation. An attacker who has obtained the private key of an expired CA-designated OCSP responder can present a revoked TLS certificate alongside a forged OCSP response and achieve authentication bypass. No public exploit code exists and CISA KEV does not list this vulnerability; SSVC rates exploitation as none at time of analysis.

Authentication Bypass Erlang Otp Red Hat
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-45070 MEDIUM PATCH GHSA This Month

Header injection in Symfony's Mime component (symfony/mime) enables attackers to inject arbitrary MIME headers into serialized email messages when an application passes untrusted input as a parameter name to ParameterizedHeader. The component correctly encodes parameter values per RFC 2045/5322 but emits parameter names verbatim, meaning CRLF sequences in a user-influenced parameter name terminate the current header line and allow arbitrary new headers to be appended. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and vendor-released patches are available across all supported Symfony branches.

Code Injection
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-46416 MEDIUM This Month

Cross-connection response leakage in Microsoft UFO's WebSocket layer allows an authenticated low-privileged user to receive protocol responses intended for a different authenticated session. The flaw stems from a singleton UFOWebSocketHandler design where per-connection state is stored in shared mutable instance fields, causing each new connection to overwrite the previous connection's protocol object reference. No public exploit or CISA KEV listing exists at time of analysis, but the attack complexity is low and exploitation requires only standard authenticated access to the same UFO instance.

Microsoft Authentication Bypass
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-2254 MEDIUM PATCH This Month

Missing ACL enforcement on Hitachi Vantara Pentaho Data Integration & Analytics API endpoints allows authenticated low-privileged users to interact with platform mail notification resources without authorization. Affected versions span the 8.3.x, 9.3.x, and pre-10.2.0.6/11.0.0.0 release lines. An attacker with a valid low-privilege account can read, modify, or disrupt mail notification configurations, resulting in limited confidentiality, integrity, and availability impact. No public exploit code exists and no active exploitation has been identified at time of analysis.

Information Disclosure Pentaho Data Integration And Analytics
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-42538 MEDIUM PATCH This Month

Insecure file upload in DFIR-IRIS before version 2.4.28 allows a low-privileged remote attacker to upload files of dangerous types, resulting in high confidentiality impact and limited integrity compromise when a victim user interacts with the uploaded content. Disclosed by SBA Research in advisory SBA-ADV-20260126-03, this is one of three CVEs (CVE-2026-42329, CVE-2026-42538, CVE-2026-42539) patched simultaneously in the 2.4.28 release. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure File Upload Open Redirect
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-47274 MEDIUM PATCH This Month

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate the process environment to substitute malicious binaries for those called by pamusb-check, pamusb-conf, and pamusb-keyring-unlock-gnome, resulting in high confidentiality and integrity impact. The root cause is CWE-427 (Uncontrolled Search Path Element): all three tools resolved external binaries - including id, whoami, pidof, gnome-keyring-daemon, and pamusb-check itself - through the attacker-controllable PATH variable rather than hardcoded absolute paths. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.

Information Disclosure Pam Usb
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-47270 MEDIUM PATCH This Month

Thread-safety flaws in pam_usb's deny_remote feature allow incorrect remote-session authentication decisions in display managers like GDM that run concurrent authentication threads. Three functions use the non-reentrant strtok(), whose single global state pointer can be overwritten mid-parse by a racing thread, corrupting tmux session data or /proc environ analysis used to classify sessions as local or remote. Compounding this, strtok() is called directly on the raw pointer returned by getenv(TMUX), inserting NUL bytes directly into the live process environment block and permanently corrupting the TMUX variable for all subsequent authentications in that long-lived process. An attacker with local low-privileged access on an affected system running GDM could exploit thread interleaving to cause deny_remote=true to pass a remote session as local. No public exploit identified at time of analysis; CVSS 6.3 with local, high-complexity attack vector.

Information Disclosure Race Condition
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-30498 MEDIUM Monitor

Cross-Site Request Forgery in Jason2605 AdminPanel 4.0 exposes the delete.php endpoint to forged requests, allowing an unauthenticated remote attacker to perform unauthorized deletion operations by tricking an authenticated administrator into triggering the request. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-reachable with no required attacker privileges, though victim interaction is mandatory. A publicly available proof-of-concept exists per SSVC classification, though no active exploitation (CISA KEV) has been confirmed at time of analysis.

PHP CSRF
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-2237 MEDIUM PATCH This Month

Volume encryption in Synology Storage Manager before version 1.0.1-1100 transmits sensitive data via HTTP GET query strings, exposing encryption-related secrets to local attackers who can access web server logs, browser history, or other locally readable URL artifacts. The flaw (CWE-598) requires no privileges or user interaction beyond local system presence, and carries a High confidentiality impact rating because credentials or passphrases associated with volume encryption may be recoverable from logged GET requests. No public exploit exists and EPSS sits at the 1st percentile, indicating no widespread exploitation activity at time of analysis.

Synology Information Disclosure
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-8707 MEDIUM This Month

Reflected Cross-Site Scripting in the NS Product icon badge WordPress plugin (all versions through 1.2.4) enables unauthenticated remote attackers to inject arbitrary JavaScript via the PHP_SELF superglobal, which is reflected into page output without sanitization or escaping across at least four code locations in ns_addNewOptionsPage.php. Exploitation requires convincing a victim (typically an authenticated WordPress admin) to click a crafted link, limiting mass exploitation but enabling targeted session hijacking or credential theft against site administrators. No active exploitation is confirmed (not in CISA KEV), and EPSS at 0.09% (26th percentile) indicates low current exploitation probability.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-3001 MEDIUM This Month

Reflected Cross-Site Scripting in the Gutenverse plugin for WordPress (all versions through 3.4.6) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious search URL. The vulnerability arises from the plugin's search-result-title block outputting the raw search query string directly into page HTML without sanitization. Exploitation requires user interaction (victim must click a crafted link) and the gutenverse/search-result-title block must be present on the site's search results template. No public exploit code has been identified at time of analysis, and CISA KEV confirmation of active exploitation is absent.

XSS PHP WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-3349 MEDIUM This Month

Reflected Cross-Site Scripting in the MinhNhut Link Gateway WordPress plugin (all versions ≤ 3.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'url' parameter on the plugin's redirect page. Successful exploitation requires tricking a WordPress user into clicking a specially crafted link, after which the malicious script executes in the victim's browser within the scope of the WordPress site - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit has been identified at time of analysis; EPSS stands at 0.06% (19th percentile) and CISA SSVC rates exploitation status as none, indicating minimal real-world exploitation activity at this time.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-44644 MEDIUM GHSA This Month

XSS sanitizer bypass in LiquidJS's strip_html filter (all versions through 10.25.7) allows stored or reflected cross-site scripting via newline-embedded HTML tags. The filter's catch-all regex branch uses JavaScript's dot operator without the dotAll flag, causing tags containing literal newline or carriage-return characters (e.g., <img\nsrc=x\nonerror=alert(1)>) to pass through unmodified - while browsers parse such tags as fully valid HTML elements and execute embedded event handlers. Publicly available exploit code exists; no vendor-released patch has been identified at time of analysis.

Node.js CSRF XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44587 MEDIUM PATCH GHSA This Month

CarrierWave's `content_type_denylist` silently fails to block MIME types containing regex metacharacters - most critically `image/svg+xml` - because string entries are interpolated directly into a regex without `Regexp.quote` or anchoring, causing the `+` character to be treated as a quantifier rather than a literal. Any Ruby application relying on this denylist to prevent SVG uploads for stored XSS protection is completely unprotected despite believing the control is active. A publicly available proof-of-concept exploit demonstrates successful SVG bypass; no public exploit identified at time of analysis for active KEV-level exploitation.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-9607 LOW POC Monitor

SQL injection in itsourcecode Courier Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized 's' parameter in /parcel_list.php. A proof-of-concept exploit is publicly available on GitHub, meaningfully lowering the barrier to exploitation despite the low CVSS 4.0 score of 2.1. No vendor patch has been identified at time of analysis, leaving deployments reliant on compensating controls.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8911 MEDIUM This Month

Cross-Site Request Forgery in WP AutoBuzz (WordPress plugin, all versions ≤1.1.1) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious scripts by tricking an authenticated administrator into clicking a crafted link. The attack carries particular severity because the unsanitized value is written directly via WordPress's update_option at the plugin level, entirely bypassing the DISALLOW_UNFILTERED_HTML hardening constant that would otherwise block unfiltered HTML in post content. No public exploit code and no active exploitation have been identified at time of analysis; EPSS is 0.02% and SSVC classifies exploitation status as none.

WordPress CSRF
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-8906 MEDIUM This Month

Cross-Site Request Forgery in WP Promoter (WordPress plugin, all versions ≤1.3) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious JavaScript by tricking an authenticated administrator into clicking a crafted link. The CVSS changed-scope designation (S:C) signals that successfully injected scripts execute in the browsers of subsequent site visitors - extending impact beyond the targeted administrator. No public exploit code has been identified and EPSS at 0.01% (2nd percentile) reflects negligible observed exploitation activity at time of analysis.

WordPress CSRF
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-66593 MEDIUM PATCH This Month

Synology Assistant before version 7.0.6-50085 exposes local users to arbitrary file write with restricted content via an origin validation error triggered during the installation process. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H) indicates that while integrity impact is limited, availability impact is rated High - meaning an attacker can corrupt or overwrite files in ways that destabilize the system, even though the written content is constrained. No public exploit code exists and CISA has not added this to KEV; EPSS stands at 0.00%, reflecting minimal observed exploitation interest.

Synology Information Disclosure
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-66592 MEDIUM PATCH This Month

Synology Active Backup for Business Agent before version 3.1.0-4967 contains an origin validation error (CWE-346) that permits local users to write arbitrary files with restricted content during the installation process, resulting in high availability impact and limited integrity compromise. The CVSS vector (AV:L/PR:N/UI:R) indicates exploitation requires local system access and user interaction - specifically, the installation must be in progress. No public exploit code has been identified and EPSS sits at 0.00%, aligning with SSVC's 'exploitation: none' assessment, indicating this is a low-urgency but legitimate local privilege abuse risk during deployment windows.

Synology Information Disclosure
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13593 MEDIUM PATCH This Month

Arbitrary file write with restricted content in Synology ActiveProtect Agent before 1.1.0-0439 is exploitable by local users during the installation process due to an origin validation error (CWE-346). The CVSS vector (AV:L/AC:L/PR:N/UI:R) indicates a low-complexity local attack requiring user interaction - consistent with exploitation during an installation workflow - and scores high on availability impact (A:H) while integrity impact is limited (I:L), suggesting the file write can disrupt system stability despite content restrictions. No public exploit code exists and CISA SSVC rates exploitation as none with partial technical impact.

Synology Information Disclosure
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-49102 MEDIUM PATCH This Month

Stored cross-site scripting in Webmin's mailboxes component (detach.cgi) allows a remote unauthenticated attacker to execute arbitrary JavaScript in the browser session of an authenticated Webmin user by sending an email containing a crafted SVG attachment. Because detach.cgi served SVG files with the image/svg+xml content type instead of a safe type, browsers treated the SVG as an active document on the Webmin origin, enabling script execution with full same-origin access to the Webmin interface. No public exploit has been identified and CISA has not listed this in KEV, but the attack surface is straightforward given the ubiquity of email as a delivery channel and Webmin's privileged system-administration context.

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-10466 MEDIUM PATCH This Month

Stored XSS in Synology Safe Access before 1.3.1-0329 on SRM (Synology Router Manager) allows remote authenticated administrators to inject malicious scripts that execute in the SRM context, enabling limited reads or writes of non-sensitive files and constrained denial-of-service conditions. The CVSS Scope:Changed rating confirms cross-component impact - the vulnerability originates in the Safe Access module but affects the broader SRM platform. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% and SSVC exploitation status of 'none' collectively indicate negligible current threat in the wild.

XSS Synology
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2024-40684 MEDIUM This Month

IBM Operations Analytics - Log Analysis 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, and 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, 1.3.8.4 IBM SmartCloud Analytics - Log. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Brute Force IBM
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-46538 MEDIUM This Month

Authenticated cross-device task-result injection in Microsoft UFO's constellation architecture allows a low-privileged peer device to hijack the pending task response of a victim device by spoofing a TASK_END message. Specifically in version 3.0.1-4-ge2626659, the constellation server resolves pending Futures keyed solely on session_id without binding verification to the originating device, meaning any authenticated constellation participant who can supply a matching session_id can substitute attacker-controlled result data into the victim device's task flow. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, though the high-complexity CVSS vector (AC:H) reflects the session_id guessing or observation requirement.

Microsoft Code Injection
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-45027 MEDIUM PATCH This Month

Unsalted SHA-256 password hashing in WeGIA exposes all stored credentials to rainbow table attacks in versions prior to 3.7.3. Both the login flow (html/login.php) and the password-change flow (controle/FuncionarioControle.php) use PHP's hash() with SHA-256 and no per-user salt, meaning identical passwords always produce identical digests and a single precomputed table can compromise the entire credential database at once. No public exploit has been identified at time of analysis and no KEV listing exists, but exploitability is high once hash data is obtained - the attack requires only standard rainbow table tooling and no cryptographic skill.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-48999 MEDIUM This Month

Stored cross-site scripting in ZTE ZXUniPOS NDS-LTE enables an authenticated high-privilege attacker to persist malicious JavaScript within the system, which executes automatically in the browsers of other users who access the affected pages. Affected versions include V24.30.40CP02 and V24.40.40 and their respective earlier releases, confirmed via ENISA EUVD-2026-32041 and ZTE's own security bulletin. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects a very low automated exploitation probability.

XSS Zte Zxunipos Nds Lte
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-48066 MEDIUM PATCH This Month

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, where each PAM call overwrites a shared static pointer with the address of a stack-local variable. When multiple threads invoke the PAM stack simultaneously - a normal condition in multi-threaded Linux services such as SSH daemons or display managers - one thread's logging pointer can reference another thread's already-deallocated stack frame, causing availability loss (crash/hang) or limited integrity corruption. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.

Race Condition Information Disclosure Pam Usb
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-44839 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in the RabbitMQ Management Plugin web UI allows a high-privileged authenticated attacker to inject malicious script content that executes in the browser of another administrative user viewing the affected page. Affected deployments span RabbitMQ Server 3.7.0 through 4.0.12 and 4.1.0-alpha through 4.1.1. No public exploit code or active exploitation has been identified at time of analysis; however, successful exploitation can result in high confidentiality impact, consistent with session token theft or credential harvesting within the management console.

XSS Rabbitmq Server Red Hat
NVD GitHub VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2025-68712 MEDIUM This Month

Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circumvent fingerprint or PIN protection and access locked applications such as Chrome. The flaw stems from the app's reliance on a custom UI overlay rather than enforcing authentication at a deeper system level - cascading interface navigation triggered via advertisement or browser intents exposes routes that allow the attacker to exit the lock screen without re-authenticating. No public exploitation (CISA KEV) has been confirmed, but a researcher-published proof-of-concept exists on GitHub, and EPSS is low at 0.04% (11th percentile), consistent with the physical-access requirement limiting opportunistic exploitation.

Google Information Disclosure Privilege Escalation Authentication Bypass Chrome
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-48927 MEDIUM This Month

Stored cross-site scripting in Jenkins buildgraph-view Plugin 1.8 and earlier allows authenticated attackers with job or view configuration privileges to inject persistent malicious scripts via an unescaped build URL. Any Jenkins user who subsequently views the affected build graph page triggers execution of the attacker-controlled script in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is known; SSVC rates exploitation status as none with partial technical impact.

XSS Jenkins
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45865 MEDIUM PATCH This Month

Uninitialized stack memory exposure in the Linux kernel's MCTP-over-I2C (mctp-i2c) driver affects systems using i2c-aspeed or i2c-npcm7xx bus drivers, particularly server/BMC hardware with Aspeed and Nuvoton chipsets. When a read is performed against an mctp-i2c device instance, the event handler fails to initialize the 'val' byte before returning it to the caller, exposing whatever residual value sits on the kernel stack at that moment. No public exploit has been identified at time of analysis, and with an EPSS of 0.03% (10th percentile), real-world exploitation pressure is currently negligible; however, kernel stack data leakage is a meaningful information disclosure primitive on affected hardware.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-46028 MEDIUM PATCH This Month

Race condition in the Linux kernel's AF_ALG AEAD AIO interface allows a local low-privileged user to trigger a denial of service by exploiting shared socket-wide IV buffer state across concurrent asynchronous AEAD requests. The algif_aead subsystem fails to snapshot the Initialization Vector into per-request storage before dispatching async operations, meaning any concurrent socket activity that updates the shared IV can corrupt an in-flight request before it completes. No public exploit has been identified and EPSS is extremely low at 0.02% (7th percentile); vendor-released patches are available across all supported stable kernel branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45985 MEDIUM PATCH This Month

Stale data exposure in the Linux kernel's ext4 filesystem affects systems using the dioread_nolock mount option, triggered by a flag-handling logic error in the extent-splitting code path during Direct I/O operations. When `EXT4_GET_BLOCKS_CONVERT` is incorrectly passed during a pre-I/O split of an unwritten extent, a simultaneous `-ENOSPC` failure in `ext4_split_extent_at()` causes the entire on-disk extent to be prematurely converted to written state while the in-memory extent status tree retains an inconsistent unwritten marker for the second half; if the DIO write subsequently fails, a future read of that region exposes stale pre-zero data. No public exploit has been identified at time of analysis, EPSS is 0.02% (7th percentile), and there is no CISA KEV listing, indicating no confirmed active exploitation.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45983 MEDIUM PATCH This Month

NFSv4 server slot exhaustion in the Linux kernel nfsd subsystem causes persistent denial of service for NFS clients when idmap upcall delays occur during compound argument decoding. Specifically, when a SETATTR or similar compound operation triggers an idmap lookup upcall that exceeds the allowed time limit, cache_check() sets RQ_USEDEFERRAL and drops the request before nfs4svc_encode_compoundres() can execute - meaning the NFSD4_SLOT_INUSE session slot flag is never cleared. All subsequent client requests on that session slot fail with NFSERR_JUKEBOX indefinitely. No public exploit has been identified and EPSS is 0.02% (7th percentile), indicating no active exploitation pressure; this is a logic flaw with confirmed upstream patches across all major stable branches.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45982 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's ACPICA subsystem crashes the kernel via a missed execution path in acpi_ev_address_space_dispatch(), resulting in a local denial of service. Affected systems run Linux kernel versions tracing back to commit 0acf24ad7e10f547809faefb8069f8f5482eb4d9, spanning multiple stable branches through at least 6.19.x. No public exploit exists and EPSS is negligible at 0.02% (7th percentile), but the high availability impact and wide kernel version coverage make patching prudent for any multi-tenant or availability-sensitive Linux environment.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45981 MEDIUM PATCH This Month

Use-after-free and double-free conditions in the Linux kernel's s390/cio Channel I/O subsystem expose IBM Z (mainframe) systems to local denial-of-service attacks via kernel crash. The flaw resides in `css_alloc_subchannel()`, where `device_initialize()` is invoked before DMA mask configuration; if that configuration fails, the error path incorrectly calls `kfree()` directly, bypassing the kernel device model's reference counting and corrupting kernel memory. With a CVSS score of 5.5 (AV:L), an EPSS of 0.02% (7th percentile), no KEV listing, and strict hardware-architecture scope limited to s390/IBM Z, this is no public exploit identified at time of analysis and represents a low-urgency but architecturally significant stability fix.

Linux Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45978 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's staging Greybus lights driver (`drivers/staging/greybus/lights.c`) causes a local denial of service via kernel panic. The flaw affects systems running Greybus-enabled kernels since commit 2870b52b (Linux 4.9 onward), where a low-privileged local user can trigger a kernel crash if `kcalloc()` fails during lights channel initialization. No public exploit exists and EPSS is 0.02% (7th percentile), reflecting niche hardware dependency; the vulnerability is not listed in CISA KEV.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45974 MEDIUM PATCH This Month

Invalid leaf access in the btrfs quota subsystem of the Linux kernel allows a local low-privileged user to crash the system by triggering a denial-of-service condition in `btrfs_quota_enable()`. When `btrfs_search_slot_for_read()` returns 1 - signaling end-of-tree with no valid key found - the function fails to exit its loop and proceeds to dereference the now-invalid path pointer, causing a kernel panic. Patched versions are confirmed across multiple stable series (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0); no public exploit or CISA KEV listing exists at time of analysis.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45969 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel HID PlayStation driver crashes the kernel when force feedback (FF) effects are triggered on a PlayStation controller that experienced a silent initialization failure. Systems running Linux 5.12 through unpatched stable branches with PlayStation controllers (DualSense, DualShock 4, or compatible HID devices) attached are affected. A local low-privileged attacker who can trigger FF effects on a controller where input_ff_create_memless() returned an error can cause a kernel panic, resulting in a full system denial of service. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with a niche hardware driver flaw.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-45968 MEDIUM PATCH This Month

Null pointer dereference in the Linux kernel's cpuidle ladder governor crashes PowerNV systems when only a single idle state is registered - the governor incorrectly indexes into state 1 as if it were the first usable non-polling state, resulting in a NULL enter callback invocation and immediate kernel panic. Systems running IBM PowerNV hardware without a power-mgt device tree node are specifically at risk, as this firmware configuration causes cpuidle to register only the polling state (state 0). No public exploit code exists and EPSS probability is 0.02% (7th percentile), reflecting this is a platform-specific availability issue rather than a broadly exploitable attack surface; it is not listed in CISA KEV.

Denial Of Service Linux Null Pointer Dereference Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
Prev Page 9 of 15 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy