Skip to main content
CVE-2026-46817 CRITICAL POC KEV THREAT NEWS Emergency

Remote takeover of Oracle Payments in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible via the File Transmission component, allowing unauthenticated network-based attackers to fully compromise confidentiality, integrity, and availability (CVSS 9.8). The flaw is described by Oracle as easily exploitable over HTTP with no user interaction, and no public exploit identified at time of analysis. Tagged as Information Disclosure and listed in Oracle's May 2026 Critical Patch Update advisory.

Oracle Privilege Escalation Oracle Payments
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
Threat
5.0
CVE-2026-24444 CRITICAL POC Act Now

Unauthenticated remote root access on SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 is achievable by submitting a hardcoded credential to recovery endpoints (mgmt.php, npcmd.php) in the web management interface. Attackers can then enable filtered SSH/Telnet services to obtain persistent root-level shell access. CVSS is 9.8 with publicly available exploit code, though no public exploit identified at time of analysis in CISA KEV.

PHP Authentication Bypass
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-32847 HIGH POC This Week

{full_path:path} in new_ui/backend/main.py. Publicly available exploit code exists (referenced in HKUDS/DeepCode issue #126 and a VulnCheck advisory), making opportunistic exploitation realistic against exposed instances. No CISA KEV listing or EPSS data was provided, but the combination of no authentication, low complexity, and a single-request exploit places this at a high operational priority for any exposed deployment.

Path Traversal Deepcode
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-7862 HIGH POC PATCH This Week

Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers trigger refunds on arbitrary WooCommerce orders using the merchant's own payment gateway credentials, and for certain payment methods divert the refunded funds to an attacker-controlled bank account. The CVSS 8.6 score reflects the network-reachable, no-auth, no-interaction attack path against a financial workflow; publicly available exploit code exists per WPScan, though there is no public exploit identified at time of analysis confirming active exploitation in CISA KEV.

WordPress Authentication Bypass
NVD WPScan
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-10044 HIGH POC PATCH This Week

{filename} endpoint. The flawed traversal guard only rejects forward slashes and '..' sequences, so absolute Windows paths or backslash traversal bypass it entirely. Publicly available exploit code exists and a vendor patch has been released; this issue was reported by VulnCheck.

Microsoft Path Traversal
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48526 HIGH POC PATCH GHSA This Week

Authentication bypass in PyJWT versions prior to 2.13.0 allows remote attackers to forge valid JSON Web Tokens by exploiting an algorithm confusion flaw where the library fails to validate that a JSON Web Key intended for asymmetric verification is not reused as an HMAC shared secret. An attacker who knows the issuer's public key (typically distributed openly via JWKS endpoints) can sign HMAC-algorithm tokens with that public key and have them accepted as legitimate. No public exploit identified at time of analysis, though the underlying algorithm-confusion class is a well-documented JWT attack pattern.

Python Authentication Bypass Pyjwt
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-9037 CRITICAL CISA Emergency

Unauthorized firmware installation in the XCharge C6 charging controller stems from missing cryptographic signature verification in its management-channel update mechanism, enabling remote attackers who can interpose on or impersonate the management interface to push malicious firmware. Successful exploitation yields high-privilege code execution on the EV charging device, and the issue is tracked in CISA ICS advisory ICSA-26-148-08 with no public exploit identified at time of analysis.

Authentication Bypass C6
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-9038 HIGH CISA Act Now

Stack-based buffer overflow in the XCharge C6 charging controller's signal-processing logic enables an attacker with physical access to the charging interface to corrupt memory by sending oversized message fields, potentially gaining code execution with elevated privileges. Reported through CISA's ICS-CERT under advisory ICSA-26-148-08, the flaw carries a CVSS 4.0 score of 8.6 driven by high impact to confidentiality, integrity, and availability of both the vulnerable component and adjacent subsystems. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Stack Overflow C6
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-9039 HIGH CISA Act Now

Full administrative compromise of the XCharge C6 EV charger is achievable by a physically connected device that abuses a remote management service exposed on the vehicle-charger signaling channel and protected only by a default administrative credential. Affecting XCharge C6 firmware versions released before May 22, 2026, the issue was disclosed via CISA ICS-CERT advisory ICSA-26-148-08 with a CVSS 4.0 score of 8.6 and no public exploit identified at time of analysis.

Information Disclosure C6
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-41141 MEDIUM POC PATCH This Month

EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authenticated low-privileged users to exfiltrate all field values from arbitrary Contact, Lead, Account, or User records prior to version 9.3.5. By supplying a target entity's email address as an attacker-controlled lookup key, the endpoint resolves and returns the full record without enforcing read:own or read:team ACL restrictions. A publicly available proof-of-concept exists; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), but the low attack complexity and public POC meaningfully elevate real-world risk.

Authentication Bypass Espocrm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-46840 CRITICAL NEWS Act Now

Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to compromise the service over HTTPS and pivot into adjacent products due to a scope-changing flaw. With a maximum CVSS 10.0 score and trivial exploitability (AV:N/AC:L/PR:N/UI:N), this Backend-as-a-Service component vulnerability poses critical risk, though no public exploit identified at time of analysis and no EPSS or CISA KEV signal has been provided in the available data.

Oracle Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-9645 CRITICAL Act Now

Remote code execution in ScadaBR allows authenticated users to abuse exposed server-side methods to create and execute arbitrary JavaScript that runs as root, resulting in full host compromise. The CVSS 9.9 rating reflects scope change and complete confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis despite the issue being formally reported by Tenable Research (TRA-2026-46).

Command Injection Scadabr
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-46839 CRITICAL Act Now

Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker over HTTPS to fully compromise the service and pivot into adjacent products via a CVSS scope change. CVSS 3.1 base score is 9.9 with attack complexity rated low, and no public exploit identified at time of analysis. The scope-change designation is the key differentiator - successful exploitation extends beyond ORDS itself into systems it fronts, most notably the backing Oracle Database.

Oracle Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-46824 CRITICAL Act Now

Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows low-privileged remote attackers over HTTP to fully compromise the product with confidentiality, integrity, and availability impact. The CVSS 9.9 score reflects a scope-changing flaw whose blast radius extends to other Oracle E-Business Suite products beyond Universal Work Queue itself. No public exploit identified at time of analysis, but the low attack complexity and minimal privilege requirement make this a high-priority Oracle Critical Patch Update item.

Oracle Privilege Escalation
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-46822 CRITICAL Act Now

Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged attacker with HTTP network access to fully compromise the iAssets component and pivot into adjacent products via a scope change. The 9.9 CVSS score reflects high impact on confidentiality, integrity, and availability combined with low attack complexity; no public exploit identified at time of analysis, but Oracle's inclusion in the May 2026 Critical Patch Update warrants immediate attention.

Oracle Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-46775 CRITICAL Act Now

Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote attacker over HTTPS, with scope-changed impact extending to additional Oracle products beyond ORDS itself. Oracle rates this 9.9 CVSS due to the combination of low attack complexity, minimal privilege requirement, and full confidentiality/integrity/availability compromise; no public exploit identified at time of analysis, but the easy exploitability noted in Oracle's advisory makes this a high-priority patch target.

Oracle Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-38703 CRITICAL Act Now

Remote unauthenticated command injection in the ZeroTier VPN feature of InHand Networks IR302, IR305, IR315, and IR615 industrial routers grants ROOT-level code execution on affected devices. The flaw carries a CVSS 9.8 critical rating with no authentication required, exposing industrial network gateways to full compromise; no public exploit identified at time of analysis, but the vendor (InHand Networks PSA-2026-05) has acknowledged the issue.

Command Injection
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-38707 CRITICAL Act Now

Remote code execution as root in InHand Networks industrial cellular routers (IR302, IR305, IR315, IR615) allows unauthenticated network attackers to inject operating system commands through the IPSec VPN feature. The CVSS 9.8 score reflects network-reachable, low-complexity, unauthenticated exploitation with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Command Injection
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-38704 CRITICAL Act Now

Remote root command injection in InHand Networks industrial routers (IR302, IR305, IR315, IR615) allows unauthenticated network attackers to fully compromise affected devices via the WireGuard VPN feature. With CVSS 9.8 and no required privileges or user interaction, this flaw grants attackers ROOT-level control over edge industrial networking equipment. No public exploit identified at time of analysis, but a vendor advisory (InHand-PSA-2026-05) has been published.

Command Injection
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-38702 CRITICAL Act Now

Remote root command injection in InHand Networks IR302, IR305, IR315, and IR615 industrial cellular routers allows unauthenticated attackers to execute arbitrary OS commands as root via the Admin Access feature. The flaw affects IR302 V3.5.108, IR305/IR315/IR615 V1.0.118, and earlier firmware, with CVSS 9.8 reflecting network-reachable, no-auth exploitation; no public exploit identified at time of analysis but vendor PSA-2026-05 confirms the issue.

Command Injection
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-34311 CRITICAL NEWS Act Now

Remote takeover of Oracle Hospitality OPERA 5 Property Services (versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28) is achievable by unauthenticated network attackers over HTTP, per Oracle's May 2026 CPU. With CVSS 9.8 and full CIA impact, this is a critical hospitality-sector exposure, though no public exploit is identified at time of analysis and KEV status is not present. EPSS data was not supplied, so probability-of-exploitation cannot be quantified.

Information Disclosure Oracle
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45039 CRITICAL PATCH Act Now

Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remote attackers to forge valid internode RPC requests by exploiting a hardcoded fallback secret 'rustfsadmin' used when neither RUSTFS_RPC_SECRET nor the global S3 secret key is configured. With a CVSS of 9.8 and full CIA impact, this represents a critical pre-auth compromise vector against the storage cluster's internal trust boundary. No public exploit identified at time of analysis, though the fallback secret is publicly visible in the source tree, making weaponization trivial.

Authentication Bypass Rustfs
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46135 CRITICAL PATCH Act Now

Race condition in the Linux kernel's NVMe/TCP target (nvmet-tcp) subsystem allows a remote NVMe/TCP host to trigger a double kref_put() on a queue object by sending an Initialization Connection Request (ICReq) and immediately closing the connection. The flaw, fixed in stable releases 6.12.88, 6.18.30, and 7.0.7 (mainline 7.1-rc2), stems from nvmet_tcp_handle_icreq() updating queue->state without serializing against concurrent target-side queue teardown, defeating the DISCONNECTING-state guard and enabling a use-after-free condition. No public exploit identified at time of analysis and EPSS is very low (0.02%), indicating limited real-world exploitation interest despite the headline 9.8 CVSS.

Linux Information Disclosure Race Condition
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46195 CRITICAL PATCH Act Now

Memory corruption in the Linux kernel SMB client (cifs) allows a malicious SMB server to trigger out-of-bounds reads and potential dereferences in the DACL parsing path on 32-bit builds. The flaw resides in parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl(), where a server-supplied dacloffset value near U32_MAX can wrap around and bypass pointer-based bounds checks during chmod/chown operations against SMB shares. EPSS is very low at 0.02% and there is no public exploit identified at time of analysis, but the issue is a confirmed kernel bug with upstream fixes already merged.

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46137 CRITICAL PATCH Act Now

Race condition in the Linux kernel's MPTCP (Multipath TCP) path manager subsystem affects the mptcp_pm_add_timer() ADD_ADDR retransmission helper, where the timer callback runs in softirq context without holding the socket lock via bh_lock_sock(). The data race could lead to inconsistent socket state when concurrent operations touch the same MPTCP socket. Despite a CVSS of 9.8, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis; the tag 'Information Disclosure' suggests realistic impact is far below the headline score.

Linux Information Disclosure Race Condition
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46115 CRITICAL PATCH Act Now

Incorrect bvec coalescing in the Linux kernel's block layer (biovec_phys_mergeable) can merge physically contiguous bio_vec segments that belong to different zone-device dev_pagemaps, corrupting the ability to recover the correct pgmap via page_pgmap() for the merged segment. The flaw affects systems using zone device memory registered in multiple chunks (e.g., DAX/persistent memory or GPU/accelerator memory backends) and was fixed upstream; no public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-9097 CRITICAL GHSA Act Now

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthenticated attackers to continue using stolen or revoked JWTs indefinitely via the OAuth token exchange endpoint. The GetTokenExchangeToken() function validates JWT signatures but never checks the Token table for revocation status, breaking a core security guarantee of the identity provider. EPSS exploitation probability is currently very low (0.02%, 5th percentile) and no public exploit is identified, though the 9.8 CVSS reflects the high impact on authentication boundaries.

Microsoft Information Disclosure Casdoor
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-9094 CRITICAL PATCH GHSA Act Now

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to escalate privileges across organizational boundaries by exploiting incomplete JWT validation in the GetTokenExchangeToken function. While the signature is verified, the absence of an organization-scope check lets a valid token issued for one tenant be exchanged for tokens against applications belonging to a different tenant, breaking the multi-tenant trust model. No public exploit identified at time of analysis, and EPSS remains very low (0.02%) despite a CVSS of 9.8.

Privilege Escalation Microsoft Casdoor
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-9093 CRITICAL GHSA Act Now

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arbitrary users by replaying SAML assertions issued for unrelated service providers, because the SP implementation never sets AudienceURI nor inspects NotInAudience warnings from gosaml2. Despite a 9.8 CVSS, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis, though the flaw is reported by CERT/CC which indicates coordinated disclosure rigor.

Denial Of Service Casdoor
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8809 CRITICAL Act Now

Unauthenticated privilege escalation in the Advanced Custom Fields: Extended (ACFE) WordPress plugin through version 0.9.2.5 allows remote attackers to create new administrator-level accounts on vulnerable sites. The flaw stems from the after_validate_save_post() function trusting an attacker-controlled POST parameter to bypass role allow-list and capability validation when a public ACFE frontend form with a Create User action is exposed. With a CVSS 9.8 and no public exploit identified at time of analysis, the vulnerability presents a direct site-takeover path on affected configurations.

Privilege Escalation WordPress Advanced Custom Fields
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-45323 CRITICAL PATCH Act Now

Stored cross-site scripting in MeshCore Card (Lovelace card for Home Assistant) prior to 0.3.3 allows any MeshCore radio node within direct or repeated mesh range to inject JavaScript into the Home Assistant frontend by setting a malicious node name. Exploitation requires a victim to view the card, and no public exploit has been identified at time of analysis, though the GHSA-5vrg-xpcj-xppc advisory confirms the issue and the 0.3.3 fix.

XSS Meshcore Card
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-9967 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to trigger an out-of-bounds write in the GPU process via a crafted HTML page, potentially breaking out of Chrome's renderer sandbox. The flaw carries a CVSS 9.6 due to scope change (S:C) and high impact across confidentiality, integrity, and availability, but requires user interaction (UI:R) such as visiting a malicious page. No public exploit identified at time of analysis, and EPSS is very low at 0.03% (11th percentile), suggesting limited near-term mass exploitation despite the severe potential impact.

Google Memory Corruption Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-9918 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to break out of the renderer sandbox via a crafted HTML page that triggers an inappropriate implementation flaw in the Tint graphics component. The issue carries a CVSS 9.6 (scope-changed) rating reflecting cross-boundary impact, requires user interaction (visiting a malicious page), and is rated High severity by Chromium; there is no public exploit identified at time of analysis and EPSS is low at 0.03%.

Privilege Escalation Google Chrome
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-9886 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker to break out of the renderer sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free in the Base component. Chromium rates the severity Critical and CVSS scores it 9.6, though no public exploit is identified at time of analysis and EPSS exploitation probability is currently very low (0.03%).

Google Use After Free Denial Of Service Memory Corruption Chrome
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-9874 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to exploit a use-after-free condition in the Dawn WebGPU implementation through a crafted HTML page, leading to potential escape from the browser's renderer sandbox. The flaw carries a CVSS 9.6 with scope change reflecting cross-boundary impact, and while no public exploit identified at time of analysis, Google's own classification of the underlying Chromium severity as Critical signals significant risk to end users. EPSS is currently low (0.03%, 11th percentile), suggesting no widespread exploitation has been observed yet despite the severity.

Google Use After Free Denial Of Service Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-9872 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows remote attackers to corrupt GPU process memory via a crafted HTML page, breaking out of the renderer sandbox boundary. Chromium rates this Critical severity with a CVSS of 9.6 due to scope change, though EPSS remains low at 0.03% and no public exploit identified at time of analysis.

Google Memory Corruption Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-9876 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Android prior to 148.0.7778.216 allows a remote attacker who lures a user to a crafted HTML page to break out of the renderer sandbox by exploiting a use-after-free condition in the WebGL component. Chromium rates the issue Critical and CVSS scores it 9.6 due to the scope change from compromised renderer to host, though EPSS is only 0.03% (10th percentile) and no public exploit identified at time of analysis.

Google Use After Free Denial Of Service Memory Corruption Chrome
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-9875 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows remote attackers to potentially break out of the renderer sandbox via an out-of-bounds read in the WebGL component when a victim visits a crafted HTML page. Chromium rates the underlying issue as Critical severity, and while no public exploit is identified at time of analysis (EPSS 0.03%), the combination of scope-change (S:C) and full CIA impact makes this a high-priority browser patch for Android fleets.

Google Information Disclosure Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-32998 CRITICAL Act Now

Remote code execution in Veeam Service Provider Console versions 9.0 through 9.2 allows authenticated remote attackers to execute arbitrary code on the server, per the CVSS 4.0 vector requiring low privileges (PR:L) over the network. With a CVSS score of 9.4 and a scope change indicating impact beyond the vulnerable component (SC:H/SI:H/SA:H), successful exploitation could compromise managed downstream customer environments. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

RCE Service Provider Console
NVD VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-45261 CRITICAL PATCH Act Now

Remote code execution in GitButler desktop application versions prior to 0.19.7 allows attackers to execute arbitrary scripts within the Tauri webview by injecting malicious links into pull request bodies. The flaw activates when a user with forge integration enabled clicks the crafted link, leading to full compromise of the desktop client context. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-xpmj-536r-9fc6 publicly documents the issue.

RCE Code Injection Gitbutler
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-41178 MEDIUM POC PATCH GHSA This Month

CPU and log amplification in opentelemetry-go's baggage parser allows remote unauthenticated attackers to trigger denial-of-service by submitting oversized or malformed W3C baggage headers to any instrumented Go service. PR #7880 inadvertently removed the upfront raw-length check and per-member size guard from `baggage.Parse`, meaning the parser now fully tokenizes and percent-decodes every member of an arbitrarily large input rather than rejecting it early. A publicly available proof-of-concept exists (GHSA-5wrp-cwcj-q835); the vulnerability is not yet listed in CISA KEV, and impact is bounded to availability with no confirmed confidentiality or integrity consequence.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-8980 CRITICAL Act Now

Privilege escalation in Mennekes Amtron EV charging stations (firmware ≤ 5.22.3) allows a low-privileged authenticated user to overwrite credentials for the admin (operator) and manufacturer accounts through crafted POST requests, effectively granting full takeover of the charger's management interface. Publicly available exploit code exists per the CyberDanube research advisory, and the CVSS 4.0 base score of 9.3 reflects high impact across confidentiality, integrity, and availability with cascading effects on subsequent systems. Not currently listed in CISA KEV.

Privilege Escalation
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-8979 CRITICAL Act Now

Unauthenticated password reset in Mennekes Amtron EV charging stations running firmware 5.22.3 and earlier allows remote attackers to seize the operator account by sending a crafted POST to /operator/operator. CVSS 4.0 of 9.3 with PR:N/UI:N and CWE-287 reflects a complete authentication bypass, and the CVSS exploit maturity flag (E:P) plus the cyberdanube research disclosure indicate publicly available exploit code exists, though the vulnerability is not currently listed in CISA KEV.

Authentication Bypass
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-46819 CRITICAL NEWS Act Now

Remote unauthenticated compromise of Oracle Internet Procurement Connector (a component of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows attackers to read, modify, create, or delete all data accessible to the component over HTTP. The CVSS 9.1 score reflects high confidentiality and integrity impact with low attack complexity and no privileges or user interaction required. No public exploit identified at time of analysis, but the trivial exploitability profile combined with EBS's history of being targeted (e.g., CVE-2025 Cl0p campaigns) makes this a priority patch for any internet-exposed deployment.

Authentication Bypass Oracle
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46185 CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's SMB client (smb/client) symlink handling allows a malicious or compromised SMB server to trigger memory disclosure or denial-of-service against Linux clients that mount SMB shares. The flaw resides in symlink_data() where smb2_check_message() does not validate response length before fields beyond the 64-byte SMB2 header are accessed. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, though upstream kernel fixes have already been merged across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46155 CRITICAL PATCH Act Now

Out-of-bounds heap read in the Linux kernel's SMB client (smb/client) allows a malicious or compromised SMB server to leak adjacent kernel heap memory to a connected Linux client. The flaw lives in smb2_compound_op() where check_wsl_eas() fails to validate that OutputBufferLength fits within iov_len before a memcpy, so a truncated response with an oversized OutputBufferLength and an early-terminated EA list triggers the read past the rsp_iov allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but upstream patches have been merged across multiple stable branches.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46119 CRITICAL PATCH Act Now

Information disclosure and denial of service in the Linux kernel's libceph subsystem allows remote Ceph servers (or attackers able to spoof/MITM unauthenticated Ceph traffic) to trigger a slab-out-of-bounds read by sending a crafted CEPH_MSG_AUTH_REPLY message with a positive result value. The flaw causes the kernel client to send memory contents past the allocated front-segment buffer back over the wire, potentially leaking adjacent kernel heap data and destabilizing the host. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS of 9.1 reflects the network-reachable, no-privileges-required nature of the bug in affected Ceph client deployments.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-9092 CRITICAL Act Now

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by supplying unverified email claims from upstream identity providers. The getExistUserByBindingRule function matches users solely by email address without validating the email_verified claim, enabling cross-IdP account compromise. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), but the CVSS 9.1 reflects the severe identity-layer impact.

Information Disclosure Casdoor
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-9098 CRITICAL GHSA Act Now

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity Provider to forge or replay SAML responses to /api/acs and obtain a valid session without an originating AuthnRequest. Because the SAML callback handler also processes responses using the IdP snapshot loaded at request start, a session can be issued even after an administrator has disabled or deleted the malicious IdP. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.01%, but the vulnerability was reported through CERT/CC and tagged as an Authentication Bypass.

Authentication Bypass Casdoor
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-9090 CRITICAL GHSA Act Now

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticated attackers to forge SAML assertions signed with attacker-controlled keys, impersonating arbitrary users. The flaw resides in the buildSpCertificateStore function, which trusts the X.509 certificate embedded in the inbound SAMLResponse rather than validating against the pre-configured Identity Provider certificate. No public exploit identified at time of analysis, and EPSS is currently low (0.01%), but SSVC flags the issue as automatable with total technical impact.

Denial Of Service Casdoor
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
Page 1 of 11 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy