Skip to main content
CVE-2026-45663 CRITICAL Act Now

Command injection in Dokploy 0.29.1 and earlier allows authenticated users to execute arbitrary OS commands on the host by abusing the Docker file upload feature's unsanitized destinationPath parameter. The CVSS 9.9 score reflects scope change to the underlying host from a containerized context, and no public exploit identified at time of analysis though the GHSA advisory provides sufficient technical detail to reconstruct one.

Docker File Upload Command Injection
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-44962 CRITICAL PATCH Act Now

Local privilege escalation in Plesk's APS Application Catalog allows an authenticated low-privileged user to execute arbitrary operating system commands by injecting malicious XPath syntax into the catalog search functionality. The flaw carries a critical CVSS 3.1 score of 9.9 due to scope change and full CIA impact, and no public exploit identified at time of analysis. The advisory was disclosed via HackerOne and acknowledged in a Plesk support article, but EPSS and KEV signals are not provided in the available intelligence.

Privilege Escalation
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-45633 CRITICAL Act Now

Authenticated command injection in Dokploy 0.26.6 and earlier enables any logged-in user to run arbitrary OS commands as root via the /docker-container-logs WebSocket endpoint. The tail and since parameters are concatenated into shell commands without validation, yielding a CVSS 9.9 (Scope:Changed) issue affecting this self-hosted PaaS. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Docker Command Injection
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-47210 CRITICAL PATCH GHSA Act Now

Sandbox escape in vm2 (npm package, versions <= 3.11.3) allows arbitrary code execution in the Node.js host process when untrusted code is run on runtimes exposing WebAssembly JSPI (Node 24 with --experimental-wasm-jspi, or Node 26+ by default). A working PoC demonstrates that a JSPI-backed Promise reaches host-realm Promise.prototype.finally without bridge interposition, letting attacker-controlled species logic walk a rejection object's constructor chain to host process and execute arbitrary commands. No public exploit identified as actively used in the wild, but a complete weaponized PoC is published in the GHSA advisory.

Node.js RCE Red Hat
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47410 CRITICAL PATCH GHSA Act Now

Pre-authentication full account takeover in praisonai-platform (pip package, versions <= 0.1.2) allows remote unauthenticated attackers to forge JWTs for any user, including workspace owners and admins. The JWT signing key silently falls back to the hardcoded literal 'dev-secret-change-me' from the public GitHub source because the production-mode guard only triggers when PLATFORM_ENV is explicitly set to a non-default value, which default deployments do not do. Publicly available exploit code exists in the GHSA advisory itself, though no public exploit campaign or CISA KEV listing has been reported at time of analysis.

RCE Python
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47391 CRITICAL PATCH GHSA Act Now

Remote code execution in PraisonAI's first-party A2A server example (pip package <= 4.6.39) allows unauthenticated network attackers to execute arbitrary Python on the server process by sending a JSON-RPC message/send request to /a2a that drives the LLM-backed agent into invoking an eval()-based calculate tool. The chain combines three first-party defaults - no auth_token, 0.0.0.0 bind, and an eval()-backed example tool - and was confirmed end-to-end against a real Gemini model with a canary marker file write. No public exploit identified at time of analysis beyond the proof-of-concept in the advisory itself, and the issue is not in CISA KEV.

Denial Of Service RCE Code Injection Python
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47393 CRITICAL PATCH GHSA Act Now

Authentication bypass in PraisonAI versions <= 4.6.39 allows remote unauthenticated attackers to invoke arbitrary LLM orchestration via the Flask API server generated by the documented `praisonai deploy --type api` quickstart. The generator defaults `auth_enabled=False`, causing `check_auth()` to short-circuit to `True` and accept any request to `/chat` and `/agents`, exposing the operator's LLM API keys and any agent-attached tools (python_repl, bash, file I/O, HTTP). Publicly available exploit code exists in the form of a working PoC, and CVSS scores this 9.8 critical.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47396 CRITICAL PATCH GHSA Act Now

Unauthenticated remote agent control in PraisonAI's call server (versions <= 4.6.39) allows any network-reachable client to enumerate, inspect, invoke, and unregister registered agents when the operator launches `praisonai-call` without setting the `CALL_SERVER_TOKEN` environment variable. The flaw stems from a fail-open authentication dependency combined with the server binding to 0.0.0.0 by default, and a working proof-of-concept is published in the GHSA advisory demonstrating end-to-end exploitation against a default deployment.

Python Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-3655 CRITICAL Act Now

Authentication bypass in the OTP Login With Phone Number, OTP Verification WordPress plugin versions 1.8.50 through 1.8.60 allows unauthenticated remote attackers to log in as any user - including administrators - whose phone number is stored in user meta. The flaw stems from the Firebase OTP verification flow failing to bind the verified Firebase session to the phone number supplied in the request, so attackers can verify their own phone via Firebase and then submit a victim's number to be authenticated as that victim. No public exploit identified at time of analysis, but the trivial logic flaw and CVSS 9.8 score make this a critical priority.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-8732 CRITICAL Act Now

Remote unauthenticated privilege escalation in the WP Maps Pro WordPress plugin (all versions through 6.1.0) allows attackers to create a new administrator account and authenticate as that user, resulting in complete site takeover. The flaw stems from an AJAX handler exposed to unauthenticated users and protected only by a publicly-embedded nonce, making the access check ineffective. No public exploit identified at time of analysis, but the trivial nature of the bug (default-enabled handler, no authentication, magic login URL returned to the caller) makes weaponization straightforward once details circulate.

Privilege Escalation WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47416 CRITICAL PATCH GHSA Act Now

{workspace_id}/members/{user_id} request. The route's FastAPI dependency defaults to min_role="member" and is never overridden, while the service layer applies the requested role with no caller-privilege or role-hierarchy checks. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-c2m8-4gcg-v22g) provides full reproduction details and a fix is shipped in 0.1.4.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-45628 CRITICAL Act Now

Command injection in Dokploy 0.29.2 and earlier allows authenticated users with application create/edit permissions to execute arbitrary shell commands on the host by injecting metacharacters into branch names, repository URLs, or Docker credentials. The flaw stems from unsanitized template-literal interpolation passed to child_process.exec(), and at time of analysis no public exploit identified at time of analysis, but the vendor security advisory GHSA-3frc-cfh9-ch2c documents the issue.

Docker Information Disclosure
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-41277 CRITICAL Act Now

Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated network attackers to run arbitrary operating system commands through the Console WebUI. The flaw, identified by Nozomi Networks Labs and tracked as CVE-2025-41277, carries a CVSS 4.0 base score of 9.3 and represents a critical risk for industrial environments relying on Waterfall's data diode gateways. No public exploit identified at time of analysis, and EPSS sits at 1.02% (78th percentile) indicating elevated but not yet widespread exploitation activity.

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41276 CRITICAL Act Now

Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated network attackers to inject and execute arbitrary OS commands through the Console WebUI. Discovered by Nozomi Networks Labs, the flaw carries a CVSS 4.0 score of 9.3 with no required privileges or user interaction; no public exploit identified at time of analysis, and EPSS sits at 1.02% (78th percentile).

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41275 CRITICAL Act Now

Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R2502171040) allows attackers reachable on the management network to execute arbitrary operating system commands on the appliance. The flaw was reported by Nozomi Networks Labs, carries a CVSS 4.0 score of 9.3, and currently has no public exploit identified at time of analysis, with an EPSS score of 1.02% (78th percentile).

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41274 CRITICAL Act Now

Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers to inject and execute arbitrary OS commands through the Console WebUI. The flaw, identified by Nozomi Networks Labs, carries a CVSS 4.0 score of 9.3 and represents a critical risk to industrial unidirectional gateway deployments. No public exploit identified at time of analysis, and EPSS is 1.02% (78th percentile), suggesting elevated but not yet widespread exploitation interest.

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41272 CRITICAL Act Now

Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attackers reachable over the network to execute arbitrary operating system commands through the Console WebUI. The flaw was discovered by Nozomi Networks Labs and carries a CVSS 4.0 score of 9.3; no public exploit identified at time of analysis, and EPSS sits at 1.02% (78th percentile) indicating moderate predicted exploitation interest.

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41270 CRITICAL Act Now

Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated network attackers to execute arbitrary operating system commands via the Console WebUI. The flaw was identified by Nozomi Networks Labs and carries a CVSS 4.0 score of 9.3, though there is no public exploit identified at time of analysis and EPSS sits at 1.02%, indicating elevated but not yet realized exploitation pressure.

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41269 CRITICAL Act Now

Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated network attackers to run arbitrary operating system commands via the Console WebUI. The flaw was disclosed by Nozomi Networks Labs and carries a CVSS 4.0 score of 9.3, but no public exploit identified at time of analysis and EPSS sits at 1.02% (78th percentile), indicating credible but not yet widespread exploitation pressure.

Command Injection Wf 500
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2025-41273 CRITICAL Act Now

Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attackers to perform privileged actions through the Console WebUI via an alternate path or channel. Discovered by Nozomi Networks Labs, the flaw scores CVSS 9.3 (Critical) under v4.0 with network attack vector and no privileges required, though EPSS is low at 0.14% (34th percentile) and no public exploit identified at time of analysis. Given Waterfall's role in OT/ICS unidirectional gateway deployments, successful exploitation of the management console could enable adversaries to manipulate security-critical configurations.

Authentication Bypass Wf 500
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-46376 CRITICAL PATCH Act Now

Authentication bypass in FreePBX User Control Panel (UCP) versions 15.0.42 through 16.0.44 and 17.0.0 through 17.0.6 allows remote unauthenticated attackers to access UCP accounts using hard-coded initial template credentials when administrators fail to rotate them after enabling the feature. With a CVSS 4.0 score of 9.3 and CWE-798 (Use of Hard-coded Credentials), the flaw exposes high-confidentiality and high-integrity impact to the affected component, though no public exploit identified at time of analysis.

Authentication Bypass Security Reporting
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-45043 CRITICAL PATCH Act Now

Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportIAMAction abuse the PUT /rustfs/admin/v3/import-iam endpoint to mint service accounts under arbitrary parent identities - including the root minioadmin user - granting full administrative control via attacker-chosen, persistent credentials. CVSS 4.0 scores this 9.3 (Critical) reflecting low attack complexity, low privileges, and high confidentiality/integrity impact with scope change. No public exploit identified at time of analysis, and no EPSS or KEV signal is provided.

Privilege Escalation Rustfs
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-9051 CRITICAL Act Now

Authentication bypass in NI SystemLink Enterprise Dashboard (versions 2026-04 and prior) allows a remote, unauthenticated attacker to send a crafted HTTP request that circumvents authentication controls, leading to privilege escalation or disclosure of sensitive information. The flaw carries a CVSS 4.0 base score of 9.3 and is network-reachable with low attack complexity and no user interaction. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.

Privilege Escalation Information Disclosure Authentication Bypass Systemlink Enterprise
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-45668 CRITICAL PATCH Act Now

Remote code execution in TriliumNext Trilium Notes desktop client prior to 0.102.2 allows attackers to achieve arbitrary code execution by tricking a user into importing a malicious ZIP archive with safe import enabled. The flaw chains a #docName path traversal (CWE-22) with stored XSS, and the Electron renderer's nodeIntegration=true setting elevates the XSS into full host RCE. No public exploit identified at time of analysis, but the vendor advisory describes a complete working chain and the CVSS 4.0 score of 9.3 reflects subsequent-system impact.

XSS Path Traversal Trilium
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-10071 CRITICAL Act Now

Unauthenticated arbitrary file upload in Interinfo DreamMaker allows remote attackers to upload web shell backdoors and execute arbitrary code on the server, scoring CVSS 4.0 9.3 (Critical). No public exploit identified at time of analysis, but the combination of no authentication, low attack complexity, and complete CIA impact makes this a high-priority issue. TWCERT (Taiwan's national CERT) is the reporting source, indicating regional advisory coordination.

File Upload RCE Dreammaker
NVD
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-10042 CRITICAL PATCH Act Now

{method_name} and /simple_execute/{method_name} endpoints, which call pickle.loads() on raw HTTP request bodies. The flaw scored CVSS 4.0 of 9.2 and has an upstream fix in commit d7441481, but no public exploit was identified at time of analysis; risk is amplified by the default Docker image running as root, leading to full container compromise.

Docker RCE Deserialization
NVD GitHub
CVSS 4.0
9.2
EPSS
0.4%
CVE-2018-25384 MEDIUM POC This Month

Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-4290 CRITICAL Act Now

Unauthenticated arbitrary user deletion in the WP Travel Pro WordPress plugin (versions through 10.6.0) allows remote attackers to delete any WordPress account, including administrators, via an exposed REST API endpoint. The flaw stems from a broken permission callback combined with missing role validation, producing a CVSS 9.1 integrity/availability impact. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's disclosure make weaponization straightforward for any actor reading the advisory.

WordPress Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-41268 HIGH This Week

Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attackers to remove files on the host machine via a relative path traversal flaw in the Administration WebUI. The flaw was identified by Nozomi Networks Labs; no public exploit identified at time of analysis, and the EPSS score of 1.38% (81st percentile) indicates moderately elevated but not extreme exploitation likelihood. Because Waterfall WF-500 is a unidirectional security gateway deployed at OT/IT boundaries in industrial environments, file deletion can directly disrupt data diode operations.

Path Traversal Wf 500
NVD
CVSS 4.0
8.8
EPSS
1.4%
CVE-2026-45630 CRITICAL Act Now

Authenticated OS command injection in Dokploy 0.28.8 and earlier lets admin or owner users execute arbitrary shell commands on remote servers managed by the PaaS through the application.updateTraefikConfig tRPC endpoint. The flaw stems from unsanitized shell interpolation in an echo call, granting full command execution across any host the Dokploy controller manages. No public exploit identified at time of analysis, but the high-privilege admin context combined with cross-server reach makes this a meaningful post-compromise escalation path.

Command Injection Dokploy
NVD GitHub
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-40425 MEDIUM PATCH CISA This Month

Authenticated administrator access on the Danelec MacGregor Voyage Data Recorder (VDR) G4E web interface permits direct editing of sensitive authentication files, including the ability to overwrite the root password. The CVSS vector (AV:A/AC:L/PR:H/UI:N) confirms exploitation requires both adjacent network positioning and existing high-privilege credentials, meaning this is not a remotely exploitable unauthenticated attack path. Reported by ICS-CERT under advisory ICSA-26-148-01 as a maritime OT device concern, no public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Path Traversal Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45662 HIGH This Week

Command injection in Dokploy 0.29.0 and earlier allows authenticated users to execute arbitrary OS commands on the host by deleting a Docker registry whose registryUrl contains shell metacharacters. The deleteRegistry function in packages/server/src/services/registry.ts passes registryUrl unescaped into docker logout, while the adjacent docker login call correctly uses shEscape() - making this a clear regression. No public exploit identified at time of analysis, but the root cause is documented in the vendor's GHSA advisory.

Docker Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-41236 HIGH PATCH GHSA This Week

Privilege escalation in Froxlor 2.3.6 allows an authenticated customer with shell access to gain root SSH on the managed host by exploiting a symlink-following flaw in the root-owned SSH key synchronization cron. By replacing the customer's `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys` before the privileged sync runs, attacker-supplied keys are appended to root's authorized_keys. No public exploit identified at time of analysis beyond the detailed PoC in the GHSA advisory, and the issue is fixed in Froxlor 2.3.7.

Privilege Escalation PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-44421 HIGH PATCH This Week

Heap buffer overflow write in FreeRDP client versions prior to 3.26.0 allows a malicious RDP server to corrupt client memory and potentially achieve code execution when the victim connects with RDPGFX enabled. The flaw resides in gdi_CacheToSurface, where validation uses a clamped destination rectangle while the actual copy uses unclamped cacheEntry width/height values, enabling a large out-of-bounds heap write. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Heap Overflow RCE Buffer Overflow Freerdp
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44422 HIGH PATCH This Week

Heap use-after-free/double-free in the FreeRDP RDP client (versions prior to 3.26.0) lets a malicious or compromised RDP server corrupt client memory through the RDPEAR authentication-redirection path. The flaw stems from the RDPEAR NDR parser reusing a single non-null pointer ref-id across multiple logical fields, causing the same heap object to be assigned to two outputs and freed twice by the generic destructor. There is no public exploit beyond a proof-of-concept (SSVC: poc), and EPSS exploitation probability is very low (0.05%), but the SSVC technical impact is rated total and a vendor fix is available.

Information Disclosure Use After Free Memory Corruption Freerdp
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44420 HIGH PATCH This Week

Heap buffer overflow write in FreeRDP's server-side clipboard (cliprdr) channel allows a malicious RDP client to crash server processes and potentially achieve remote code execution against FreeRDP versions prior to 3.26.0. The flaw is triggered by a malformed CB_CLIP_CAPS PDU with an undersized capabilitySetLength field, corrupting heap memory after authentication. No public exploit identified at time of analysis, but the CVSS 8.8 rating and heap corruption nature make this a high-priority patch for any RDP server deployment using FreeRDP.

Heap Overflow RCE Buffer Overflow Freerdp
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-47405 HIGH PATCH GHSA This Week

Vertical privilege escalation in PraisonAI Platform versions 0.1.2 and earlier allows any authenticated low-privilege workspace member to self-promote to owner and take over the workspace. The flaw stems from administrative FastAPI routes reusing a shared authorization dependency that defaults to the lowest 'member' role, so role-mutation endpoints never enforce admin/owner checks. A working PoC is published in the GHSA-h37g-4h4p-9x97 advisory, though no public exploit identified at time of analysis in mass-exploitation form, and the issue is not currently in CISA KEV.

Privilege Escalation Python Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-47399 HIGH PATCH GHSA This Week

Cross-workspace object access in PraisonAI Platform (pip package praisonai-platform <= 0.1.2) allows any authenticated workspace member to read, modify, and delete agents, projects, issues, and comments belonging to other workspaces by supplying the victim object's global UUID through their own workspace-scoped URL. The flaw stems from route-layer membership checks not being bound to service-layer object lookups, breaking tenant isolation in multi-tenant deployments. A working PoC is published in the GHSA advisory, though there is no public exploit identified at time of analysis beyond the advisory's own demonstration.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-48169 HIGH PATCH GHSA This Week

Cross-workspace IDOR and member-to-owner privilege escalation in PraisonAI Platform API (pip package praisonai-platform <= 0.1.2) lets any authenticated user read, modify, and delete issues and projects belonging to other tenants, and lets any workspace member promote themselves to owner and evict the legitimate owner. The two flaws chain together: a single member-level invite to any workspace becomes platform-wide data access plus full takeover of any workspace the attacker is added to. No public exploit identified at time of analysis beyond the detailed PoC published in the GHSA advisory, and the issue is not in CISA KEV.

Privilege Escalation Python Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44829 HIGH PATCH GHSA This Week

Zip slip path traversal in Gotenberg through version 8.32.0 allows remote unauthenticated attackers to plant files outside the extraction directory on Windows hosts that unzip multi-output API responses. Because Gotenberg runs on Linux containers, its filepath.Base sanitisation never strips Windows-style backslashes from uploaded multipart filenames, so a crafted name like '..\..\..\Windows\System32\evil.pdf' is preserved verbatim as a zip entry name and honoured by Windows extractors (7-Zip, WinRAR, .NET ZipFile, Explorer). A working publicly available exploit code exists in the GHSA advisory; the issue is not present in CISA KEV and no EPSS score was provided.

Docker Microsoft Path Traversal Python
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-11993 HIGH This Week

Authenticated PHP Object Injection in the WooCommerce Infinite Scroll and Ajax Pagination WordPress plugin (versions up to and including 1.8) allows Subscriber-level users to deserialize attacker-controlled data via the 'settings' parameter of the import_settings function. While the plugin itself contains no usable POP chain, the presence of any vulnerable gadget in another installed plugin or theme can escalate this into arbitrary file deletion, sensitive data disclosure, or remote code execution. There is no public exploit identified at time of analysis, but the low privilege barrier and ubiquity of WordPress gadget chains make this a meaningful risk for multi-plugin sites.

PHP Information Disclosure WordPress Deserialization
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-41271 HIGH This Week

Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attackers to retrieve sensitive files from the device through a path traversal flaw in the Console WebUI. Discovered and disclosed by Nozomi Networks Labs, the issue scores CVSS 4.0 8.7 with network attack vector and no privileges required, though no public exploit identified at time of analysis and the device is not currently listed in CISA KEV.

Path Traversal Wf 500
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-41279 HIGH This Week

Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) allows attackers with high privileges to execute arbitrary operating system commands on the unidirectional gateway appliance. The flaw was discovered and reported by Nozomi Networks Labs, carries a CVSS 4.0 score of 8.6, and an EPSS of 0.70% (72nd percentile); no public exploit identified at time of analysis. Because WF-500 is deployed as a data-diode between IT and OT/ICS networks, code execution on the RX Host effectively compromises a critical security boundary.

Command Injection Wf 500
NVD
CVSS 4.0
8.6
EPSS
0.7%
CVE-2025-41266 HIGH This Week

Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) allows remote attackers with high privileges to execute arbitrary operating system commands on the underlying host. The flaw was identified by Nozomi Networks Labs and carries a CVSSv4 score of 8.6, but no public exploit identified at time of analysis and EPSS sits at 0.70% (72th percentile), reflecting limited expected exploitation activity against this niche OT/industrial product.

Command Injection Wf 500
NVD
CVSS 4.0
8.6
EPSS
0.7%
CVE-2025-41265 HIGH This Week

OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authenticated remote attackers to execute arbitrary operating system commands on the underlying host. The flaw was disclosed by Nozomi Networks Labs and carries a CVSS 4.0 score of 8.6; no public exploit identified at time of analysis, and EPSS exploitation probability is modest at 0.70%.

Command Injection Wf 500
NVD
CVSS 4.0
8.6
EPSS
0.7%
CVE-2026-10108 HIGH PATCH GHSA This Week

{file_path:path} endpoint. The flaw stems from comparing an attacker-controlled absolute path against the music base path without a trailing separator, so sibling directories sharing the base name's prefix are reachable. No public exploit identified at time of analysis, but the upstream commit publicly discloses the exact bypass technique.

Path Traversal Xiaomusic
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-48557 HIGH PATCH GHSA This Week

File upload restriction bypass in Spatie Laravel Media Library prior to 11.23.0 allows authenticated remote attackers to upload files with double extensions (e.g., shell.php.jpg) or executable extensions missing from the blocklist (.php6, .shtml, .htaccess) due to a flawed sanitizer in FileAdder::defaultSanitizer() that only inspects the final filename suffix. Successful exploitation can lead to arbitrary PHP code execution when the application is deployed behind a legacy Apache AddHandler configuration, with no public exploit identified at time of analysis. The flaw carries a CVSS 4.0 score of 8.7 (high) reflecting high confidentiality, integrity, and availability impact.

File Upload PHP Apache Laravel Medialibrary
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-47135 HIGH PATCH GHSA This Week

Sandbox escape in vm2 versions 3.11.2 and earlier (through 3.11.3) allows sandboxed JavaScript to obtain real Node.js cross-realm symbols and write them onto host objects, hijacking host-side control flow such as util.promisify, stream duck-typing, and WebStream internals. The flaw stems from an incomplete Symbol.for override that blocks only 2 of 9 dangerous nodejs.* symbols and from bridge write traps that lack the dangerous-symbol guard present on read traps. A working proof-of-concept hijacking util.promisify is published in the GHSA advisory, and a vendor patch (3.11.4) is available; no entry in CISA KEV at time of analysis.

Apple Node.js Authentication Bypass Red Hat
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-10069 HIGH This Week

Remote denial-of-service in Shibby Tomato 1.28 firmware allows unauthenticated network attackers to exhaust resources via the miniupnpd UPnP daemon at usr/sbin/miniupnpd. The affected project is end-of-life and superseded by FreshTomato, meaning no upstream fix will be issued. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects high availability impact with no authentication or user interaction required.

Denial Of Service
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-46527 HIGH PATCH This Week

Denial of service in cpp-httplib (C++ header-only HTTP/HTTPS library) versions prior to 0.44.0 allows remote unauthenticated attackers to crash server processes by sending an HTTP request with a malformed X-Forwarded-For header. The flaw is reachable only when the application has configured a non-empty trusted-proxy list via Server::set_trusted_proxies(). CVSS 4.0 scores this 8.7 (high) due to network reachability and high availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Null Pointer Dereference Denial Of Service Suse
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
Prev Page 2 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy