Skip to main content
CVE-2026-47229 MEDIUM PATCH GHSA This Month

Cross-site request forgery in Admidio's SSO module allows a network-adjacent attacker to disable or silently re-enable any configured SAML or OIDC authentication client by tricking an authenticated administrator into loading a malicious page. The `enable` action in `modules/sso/clients.php` accepts its `enabled` parameter via GET and applies the state change with no CSRF token validation, while every other state-changing branch in the same file enforces `SecurityUtils::validateCsrfToken()`. A working proof-of-concept is included in the vendor's GitHub security advisory (GHSA-xg76-5qj2-2hhv); no KEV listing was identified at time of analysis.

PHP CSRF
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-48555 MEDIUM PATCH This Month

Server-side request forgery in Spatie Laravel Medialibrary before 11.23.0 allows authenticated remote attackers to coerce the application server into issuing arbitrary outbound HTTP requests by supplying user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php. The flaw is reachable in any Laravel application that exposes addMediaFromUrl() to end-user input, and no public exploit identified at time of analysis, though the upstream patch and a VulnCheck advisory provide enough detail for trivial reproduction. With a CVSS of 7.4 and Scope:Changed, exploitation can pivot to internal services, cloud metadata endpoints, or other backend systems beyond the immediate Laravel host.

PHP SSRF Laravel Medialibrary
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-45352 MEDIUM PATCH This Month

Unbounded memory allocation in cpp-httplib prior to 0.43.4 allows remote unauthenticated attackers to crash the hosting process via a crafted HTTP request using chunked Transfer-Encoding with a negative chunk-size value. The root cause is a silent unsigned wrap-around in strtoul() that bypasses the library's incomplete size guard, causing chunk_remaining to be set to a near-maximum 64-bit value and forcing the server's read loop to attempt consuming that many bytes from the network. No active exploitation has been confirmed (no CISA KEV listing); no public exploit identified at time of analysis.

Denial Of Service Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-44518 MEDIUM PATCH This Month

Out-of-bounds read in liboqs prior to 0.16.0 allows a remote unauthenticated attacker to crash the verifying process by supplying a truncated signature buffer to the XMSS or XMSS^MT stateful signature verification function. The missing caller-supplied length validation causes the implementation to read past the end of the buffer; the overread bytes feed into an internal hash computation only and are not returned to the caller, eliminating any data-leakage oracle. The primary real-world impact is a denial-of-service crash if the overread crosses an unmapped memory page. No public exploit or CISA KEV listing is identified at time of analysis.

Denial Of Service Oracle Buffer Overflow Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42500 MEDIUM PATCH This Month

Panic-induced denial of service in the golang.org/x/image/bmp decoder allows remote unauthenticated attackers to crash any Go application that processes untrusted BMP files. When a paletted BMP containing an out-of-range palette index is decoded, the image package accesses invalid memory and triggers a Go runtime panic, terminating the affected goroutine or process. No public exploit exists at time of analysis, but the attack is automatable per SSVC and requires no privileges or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making any internet-exposed BMP processing endpoint an accessible target.

Information Disclosure Golang Org X Image Bmp
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-46344 MEDIUM PATCH This Month

Out-of-bounds read in liboqs prior to 0.16.0 affects the XMSS and XMSS^MT stateful signature verification routines, exploitable by any unauthenticated remote attacker who can supply a crafted public key to a verifying process. The flaw arises when a correctly-sized signature buffer is paired with a public key whose OID bytes reference a different XMSS parameter set, causing the library to derive a larger sig_bytes value and index past the end of the caller-supplied buffer, with the primary observable effect being a process crash. No active exploitation is confirmed (not in CISA KEV) and no independently published exploit has been identified at time of analysis, though a proof-of-concept scenario is embedded in the upstream fix commit's test suite.

Denial Of Service Information Disclosure Oracle Buffer Overflow Red Hat +1
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45294 MEDIUM PATCH This Month

FreeScout help desk software prior to version 1.8.219 leaks account existence through its password reset endpoint, enabling unauthenticated remote attackers to enumerate valid helpdesk agent email addresses at scale. The endpoint returns visually distinct responses depending on whether a submitted email is registered, violating CWE-203 (Observable Discrepancy) and creating a reliable reconnaissance channel. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the zero-authentication, low-complexity attack surface makes automated enumeration trivially achievable against any internet-exposed FreeScout instance running a pre-1.8.219 version.

Information Disclosure Freescout
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-46705 MEDIUM PATCH GHSA This Month

Authentication state leakage in the russh Rust SSH server library allows unauthenticated remote attackers to manipulate the authentication flow for one user by exploiting retained internal state from a prior authentication attempt made for a different user on the same connection. Versions >= 0.34.0-beta.1 and < 0.61.0 are affected. A publicly available proof-of-concept (provided in GHSA-hpv4-5h6f-wqr3) demonstrates that russh's connection-scoped AuthRequest state - including remaining methods list, partial_success, and in-progress method state - persists across (user, service) principal changes in violation of RFC 4252 section 5, enabling an attacker to observe or influence state that should be isolated to a different principal.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44489 MEDIUM PATCH GHSA This Month

{} instances that inherit from Object.prototype - and setProxy() in lib/adapters/http.js reads proxy.username and proxy.auth without hasOwnProperty guards, allowing prototype-polluted values to forge a Proxy-Authorization header injected into every proxied request. A working proof of concept has been publicly disclosed by the reporter; no active exploitation has been confirmed (not in CISA KEV).

Apple Node.js Authentication Bypass Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-34127 MEDIUM PATCH This Month

Stored XSS in the TP-Link TL-SG108PE v5 web management interface allows an authenticated administrator on an adjacent network to inject persistent malicious script via the SYSNAM configuration parameter during a config file import operation. The injected payload is stored on the device and executes in any administrator's browser upon viewing the affected management page, enabling session cookie theft, unauthorized configuration changes, or exposure of sensitive management-plane data. No public exploit code has been identified at time of analysis, and CISA SSVC assessment rates exploitation as none and not automatable, consistent with the high privilege and adjacency prerequisites.

XSS TP-Link
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-43917 MEDIUM This Month

Missing organization-level authorization in Dokploy 0.19.0 and earlier allows authenticated users from one organization to access, modify, and delete resources belonging to other organizations on the same instance. The shared `protectedProcedure` middleware confirms session authentication but never validates that the requested resource belongs to the caller's active organization, exposing 22 endpoints spanning deployments, backups, volume operations, cluster management, and mounts to cross-organization abuse. No public exploit code has been identified at time of analysis, and this CVE has not been added to the CISA KEV catalog.

Authentication Bypass Dokploy
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-12714 MEDIUM This Month

Unauthenticated modification of SEO metadata settings is possible in the Rank Math SEO WordPress plugin through version 1.0.271, stemming from a missing authorization check on the REST API function `update_site_editor_homepage`. Remote, unauthenticated attackers can overwrite homepage title, meta descriptions, breadcrumb labels, and social media metadata, enabling SEO poisoning campaigns and injection of malicious content into breadcrumb components rendered sitewide. No public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is low-complexity and requires no authentication.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-9189 MEDIUM This Month

Payment bypass in the Contact Form 7 - PayPal & Stripe Add-on for WordPress (all versions up to and including 2.4.9) permits unauthenticated attackers to complete arbitrary pending orders without tendering the required payment amount. The IPN handler correctly authenticates PayPal callbacks via the `cmd=_notify-validate` round-trip, but then blindly trusts the attacker-controlled `invoice` field and passes it to `cf7pp_complete_payment()` without verifying that `mc_gross`, `mc_currency`, or `receiver_email` in the IPN match the stored order values - resulting in full order completion triggered by a minimal real payment. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the direct financial incentive and low attack complexity elevate real-world priority beyond what the medium CVSS score alone implies.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2128 MEDIUM This Month

Unauthenticated information disclosure in the Cloudways Breeze Cache plugin for WordPress (all versions ≤ 2.5.2) allows remote attackers to retrieve administrator-cached page content by supplying a forged session cookie. When the non-default 'Cache Logged-in Users' feature is active, the plugin resolves cached page files by parsing the username directly from the cookie value without verifying the WordPress HMAC signature, enabling any unauthenticated actor who knows or guesses a valid username to obtain that user's cached HTML output. Exposed data includes full content of private posts, Admin Bar markup, WordPress nonces, and other privileged interface elements. No public exploit has been identified and the vulnerability is not listed in CISA KEV; version 2.5.3 contains the fix.

Information Disclosure PHP WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-47228 MEDIUM PATCH GHSA This Month

Cross-site request forgery in Admidio's registration module (`modules/registration.php`) allows an unauthenticated attacker to force a password reset on any user account by tricking a registration-administrator into visiting a malicious page. The `send_login` mode uniquely omits the `SecurityUtils::validateCsrfToken()` check present in all four sibling branches, and unconditionally accepts GET requests, meaning a single `<img src=...>` tag is sufficient to trigger the attack - no form submission or JavaScript required. Publicly available exploit code confirmed against HEAD commit c5cde53; no active exploitation in CISA KEV at time of analysis.

PHP CSRF
NVD GitHub
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-10099 MEDIUM This Month

WebSocket frame parsing in XX-Net V5.16.6 corrupts application-layer data when the local HTTP server's WebSocket_receive_worker routine unconditionally consumes 4 bytes as a masking key regardless of the RFC 6455 MASK bit, causing payload data to be silently misinterpreted. Attackers with local system access and no privileges can send unmasked WebSocket frames to the embedded simple_http_server.py endpoint, causing the first 4 bytes of any payload to be misread as a mask key and the remainder to be incorrectly XOR-decoded. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; an upstream fix exists as a GitHub commit and open pull request but a formally released patched version has not been independently confirmed.

Information Disclosure
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-6892 MEDIUM This Month

Symlink-following vulnerability in the Canon PIXMA/PIXUS CUPS Printer Driver installer for macOS allows a local authenticated attacker to manipulate directory permissions beyond their authorization. By placing a specially crafted symbolic link in a path the installer traverses, the attacker can redirect installer-time permission changes to arbitrary directories during a privileged installation run. Affected versions are 16.91.0.0 and earlier across Japan (iX6800 Series), the US, and Europe (MG2500 and iX6800 Series); no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Apple Information Disclosure
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-6891 MEDIUM This Month

Symlink following in the Canon My Image Garden macOS installer (version 3.6.8 and earlier) enables a locally authenticated attacker to manipulate file permissions outside their authorization scope. During installation - which typically runs with elevated privileges - an attacker who pre-places a crafted symbolic link at a path the installer accesses can redirect file operations to arbitrary targets, achieving unauthorized integrity impact on the host system. No public exploit code and no CISA KEV listing exist at time of analysis; however, the Canon PSIRT has published formal advisories confirming the issue.

Apple Information Disclosure
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-10070 MEDIUM This Month

Improper authorization (CWE-285) in macrozheng mall up to version 1.0.3 allows a network-reachable, high-privileged authenticated attacker to perform unauthorized operations via the /admin/update/ Super Admin Password Handler endpoint. The intelligence tags this as an authentication bypass, suggesting a higher-privileged admin role boundary can be crossed - potentially allowing one admin to manipulate super admin credentials beyond their authorized scope. No public exploit identified at time of analysis; however, vendor behavior (deleting the GitHub disclosure issue without explanation and ignoring email contact) creates significant uncertainty around patch availability and actual vulnerability scope.

Authentication Bypass Mall
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-45551 MEDIUM PATCH This Month

Stored XSS privilege escalation in Group-Office (enterprise CRM/groupware by Intermesh) allows any low-privileged authenticated user to execute arbitrary JavaScript in an administrator's browser by chaining two distinct flaws. The attack exploits a missing ownership check on the legacy settings API (index.php?r=core/saveSetting) - permitting writes to any user's settings regardless of identity - combined with an unsafe JavaScript sink in the email module that injects the email_font_size setting directly into rendered script without sanitization. No confirmed active exploitation exists (not in CISA KEV), but SSVC confirms a proof-of-concept exists, making this a credible privilege-escalation path for any attacker with a low-privileged account.

XSS Microsoft PHP
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-10039 MEDIUM This Month

SQL Injection in the Frontend Admin by DynamiApps WordPress plugin (all versions through 3.28.28) allows authenticated administrators to extract arbitrary data from the WordPress database via the 'order' parameter in the payments list view. The vulnerability stems from unsanitized concatenation of user-supplied input into a raw SQL query, reachable only when a valid 'orderby' parameter is also present in the same request. No public exploit has been identified at time of analysis, and the high privilege requirement (administrator-level) substantially limits the realistic attacker pool, keeping this a medium-severity, low-urgency finding despite the AV:N classification.

SQLi WordPress
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-6324 MEDIUM PATCH This Month

HTTP request smuggling in libsoup allows remote unauthenticated attackers to exploit an unsigned-to-signed integer conversion error in the `soup_body_input_stream_read_chunked()` function via a crafted HTTP request. The vulnerability is confined to specific proxy topologies where libsoup operates either behind or in front of a non-libsoup HTTP intermediary, and successful exploitation can result in authentication bypass, web cache poisoning, or unauthorized access. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the integrity and confidentiality impacts warrant urgent attention in any affected mixed-proxy deployment.

Request Smuggling Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-10058 MEDIUM This Month

Stored Cross-Site Scripting in ITP Technology's ITS Intelligent SCADA System enables authenticated, high-privileged remote attackers to inject persistent JavaScript payloads that execute in the browsers of other users upon page load. The changed scope (S:C in CVSS) indicates the injected script breaks out of the attacker's session context and affects victim users browsing the same application, potentially enabling session hijacking, credential theft, or lateral movement within the SCADA management interface. No public exploit code has been identified at time of analysis, and no confirmed active exploitation is on record.

XSS Its Intelligent Scada System
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-10057 MEDIUM This Month

Stored Cross-Site Scripting in ITP Technology's ITS Intelligent SCADA System enables privileged remote attackers to inject persistent JavaScript payloads into the application that execute automatically in other users' browsers upon page load. Affected are all versions per CPE data (cpe:2.3:a:itp_technology:its_intelligent_scada_system:*:*:*:*:*:*:*:*), meaning the entire product line carries this exposure. This vulnerability is not confirmed actively exploited (CISA KEV), no public exploit code has been identified, and EPSS data was not provided in available intelligence.

XSS Its Intelligent Scada System
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-33384 MEDIUM This Month

Session fixation in QuickCMS (OpenSolution) allows an attacker to pre-set a victim's session identifier before the victim authenticates, and because the application fails to regenerate the session ID upon login, the attacker can subsequently hijack the fully authenticated session. All QuickCMS 6.8 deployments lacking the patch published on 2026-05-15 are vulnerable. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack requires no attacker privileges and only passive user interaction, making targeted abuse realistic wherever attacker session pre-positioning is feasible.

Information Disclosure Session Fixation
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-49382 MEDIUM PATCH This Month

Template injection (SSTI) in JetBrains IntelliJ IDEA's Copyright plugin before version 2026.1 enables local code execution when a victim interacts with a maliciously crafted copyright template. The flaw, rooted in CWE-1336 (improper neutralization of template engine special elements), requires both local access and user interaction, and carries a CVSS score of 4.5 (Medium) reflecting these significant constraints. No public exploit or CISA KEV listing has been identified at time of analysis.

Ssti RCE
NVD VulDB
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-44640 MEDIUM PATCH This Month

Type confusion in NanoMQ MQTT Broker's QUIC dialer close path allows a local attacker with high complexity to cause the broker process to hang or crash. Versions prior to 0.24.14 store a pointer as `nni_quic_conn*` during dialing but later misread that same memory location as `ex_quic_conn*` during dialer close, producing invalid object interpretation across mismatched struct layouts. No public exploit code or active exploitation has been identified at time of analysis; the vendor-released fix is available in version 0.24.14.

Memory Corruption Denial Of Service Nanomq
NVD GitHub VulDB
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-47190 MEDIUM PATCH GHSA This Month

Excessive RBAC permissions in the Metal3 ip-address-manager (IPAM) controller's ClusterRole expose Kubernetes Secrets to post-compromise abuse. The metal3-ipam-controller-manager-role granted full CRUD on core/v1 Secrets - yet PR diff evidence confirms the controller never accesses Secrets in normal operation, making these permissions entirely unnecessary. If the controller pod is compromised via a supply chain attack or container escape, an attacker inheriting the controller's service account token can read, modify, or delete any Secret in the namespace, turning a narrow container compromise into cluster-wide credential exfiltration. No public exploit exists and no CISA KEV listing, but the confidentiality impact is rated High (C:H) by NVD.

Privilege Escalation Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-47234 MEDIUM PATCH GHSA This Month

Plaintext credential exposure in Admidio v5.0.9 and earlier causes session IDs and persistent auto-login cookie values to be written to application logs whenever debug logging is enabled. Both the ADMIDIO_*_SESSION_ID and the long-lived ADMIDIO_*_AUTO_LOGIN_ID tokens are recorded verbatim by Session::setCookie() and Session::start(), effectively turning the log sink into a recoverable credential store. Any actor with read access to log files, log backups, or external log aggregation pipelines can extract and replay these tokens to hijack active sessions or gain persistent account access. Publicly available exploit code exists as documented in GitHub advisory GHSA-mch8-wf3h-6x88; this CVE is not currently listed in CISA KEV.

Information Disclosure PHP CSRF Python
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-7430 MEDIUM This Month

Stored Cross-Site Scripting in the Post Snippets WordPress plugin (≤4.0.19) allows authenticated administrators on multisite installations to inject persistent JavaScript into the post editor via a crafted import file, exploiting a commented-out quote-escaping routine in WPEditor.php. The injected payload executes silently in the browser of any administrator who subsequently opens any post editor page, enabling session hijacking or further lateral movement within the multisite network. No public exploit identified at time of analysis; real-world impact is bounded by the Administrator-level access prerequisite and the explicit exclusion of single-site WordPress installations.

XSS PHP WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-48810 MEDIUM PATCH This Month

Improper authorization in FreeScout's ThreadPolicy::edit method (prior to 1.8.221) allows an authenticated user with PERM_EDIT_CONVERSATIONS to rewrite thread bodies in a mailbox they have been removed from. The policy validates authorship and a global permission flag but omits a current mailbox membership check, meaning revocation of mailbox access does not prevent thread editing by former members. No public exploit has been identified and this is not in CISA KEV; the flaw was discovered as a sibling issue during review of a previously reported ThreadPolicy::delete authorization gap.

Authentication Bypass Freescout
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48811 MEDIUM PATCH This Month

FreeScout's internal note deletion endpoint allows a low-privileged authenticated user to permanently destroy private thread notes in any conversation, bypassing mailbox membership checks entirely. The ThreadPolicy::delete authorization policy fails to verify whether the requesting user still belongs to the mailbox containing the targeted note - meaning a deprovisioned former team member with a still-active account can erase internal notes they previously created across any conversation. No public exploit has been identified at time of analysis, and this vulnerability is fixed in version 1.8.221.

Authentication Bypass Freescout
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49378 MEDIUM PATCH This Month

Credential parameter exposure in JetBrains TeamCity before version 2026.1 allows authenticated low-privilege users to access sensitive credential values through the parameter autocompletion feature. Rooted in CWE-862 (Missing Authorization), the autocompletion endpoint fails to enforce proper access controls before surfacing credential parameters, potentially leaking secrets such as passwords, tokens, or API keys stored in build configurations. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the low attack complexity and network accessibility make it a meaningful lateral movement or privilege escalation risk in multi-tenant CI/CD environments.

Authentication Bypass Teamcity
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49377 MEDIUM PATCH This Month

Sensitive data exposure in JetBrains TeamCity before 2025.11.2 allows authenticated low-privileged users to read confidential values stored in default build agent parameters. The root cause (CWE-526) indicates that sensitive information - such as API keys, tokens, or credentials - is passed or stored through agent environment/configuration parameters without adequate access restrictions. With a CVSS score of 4.3 and no public exploit or KEV listing, this represents a moderate-priority information disclosure risk, most dangerous in environments where agent parameters are used to propagate secrets across pipelines.

Information Disclosure Teamcity
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49369 MEDIUM PATCH This Month

Information disclosure in JetBrains YouTrack before version 2026.1.13162 allows authenticated low-privilege users to access sensitive user and group membership data they are not authorized to view. Rooted in CWE-863 (Incorrect Authorization), the flaw exists on the Users and Groups administrative pages, where authorization checks are insufficiently enforced for authenticated sessions. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low access complexity means any authenticated attacker can reliably reproduce the condition.

Information Disclosure Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-47232 MEDIUM PATCH GHSA This Month

Missing CSRF protection on the PKCS#12 private key export endpoint in Admidio v5.0.9 allows a network-based attacker to force an authenticated administrator's browser to trigger an unauthorized SSO private key export. The SecurityUtils::validateCsrfToken() call in modules/sso/keys.php was commented out on the 'export' case, permitting forged cross-site POST requests to invoke KeyService::exportToPkcs12() without a valid form token. While same-origin policy prevents the attacker from reading the streamed .p12 response directly, a working proof-of-concept is publicly documented in the GitHub security advisory and a vendor-confirmed fix is available in version 5.0.10.

OpenSSL Ubuntu CSRF Python PHP
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8995 MEDIUM This Month

Poll Maker WordPress plugin (versions ≤6.3.7) leaks the complete WP_User object - including bcrypt password hashes, email addresses, login names, registration dates, roles, and capabilities - through an AJAX endpoint that performs no nonce verification or capability check beyond confirming the requestor is logged in. Any subscriber-level authenticated user on an affected site can call the `ays_poll_get_user_information` action and retrieve user data that WordPress deliberately withholds from all of its standard interfaces, including the REST API. No public exploit has been identified at time of analysis, but the attack requires only a valid subscriber session and a single POST request, and the recovered bcrypt hash enables offline password-cracking attacks.

Information Disclosure WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-47122 MEDIUM GHSA This Month

UI spoofing via XPC authentication bypass in Sparkle 2.x (through 2.9.1) allows a local low-privileged attacker to inject forged appcast metadata into the update progress broadcast, causing any Sparkle-aware application to display attacker-controlled release notes, version strings, and critical-update flags. The attack exploits a post-stage-1 regression in the AppInstaller's Mach service authentication: once _performedStage1Installation is set, code-signing validation is silently dropped for new connections to the <bundleId>-spki service. Critically, installed code integrity is not compromised - only the UI metadata displayed to users is affected. No public exploit or CISA KEV listing has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-49316 MEDIUM This Month

CAN bus error-frame injection on the 2025 Indian Motorcycle Scout Bobber + Tech defeats the Wireless Control Module (WCM)-enforced immobilizer, enabling vehicle operation without legitimate anti-theft deactivation. An attacker within physical or adjacent proximity drives the WCM's CAN controller into bus-off state by incrementing its transmit error counter past the threshold, permanently silencing the WCM's periodic shutdown command. Because peer ECUs treat WCM silence as benign rather than a security event - a fail-open design - the motorcycle becomes fully operable as though the immobilizer were properly unlocked. No public exploit code has been identified at time of analysis; ASRG is withholding full protocol details pending vendor remediation, reported under CVE-2026-49316.

Authentication Bypass Scout Bobber Tech
NVD VulDB
CVSS 4.0
4.1
EPSS
0.0%
CVE-2026-49325 MEDIUM This Month

Anti-theft bypass in the 2025 Indian Motorcycle Scout Bobber + Tech allows a physical attacker who can access the Wireless Control Module wiring harness to leave the motorcycle fully operable without ever supplying a valid rider PIN. The root flaw is a fail-open ECU design: the peer ECU cannot distinguish an authenticated WCM shutdown pulse from a simple open-circuit condition caused by disconnecting the relevant wire pair, so wire interruption silently suppresses the immobilizer. Reported by ASRG under coordinated disclosure with connector details withheld; no public exploit has been identified and the vulnerability is not confirmed actively exploited (CISA KEV).

Authentication Bypass Scout Bobber Tech
NVD VulDB
CVSS 4.0
4.1
EPSS
0.0%
CVE-2026-10052 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Red Hat Quay 3's config-tool allows a highly privileged attacker with config editor access to probe internal network infrastructure from the Quay pod's network position. By supplying attacker-controlled endpoints to the LDAP and SMTP validation functions - which make outbound connections without IP or hostname filtering - the attacker can enumerate internal services and map network topology behind the container boundary. The scope change (S:C) in the CVSS vector confirms that exploitation reaches systems beyond the Quay component itself. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

SSRF Red Hat
NVD
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-49324 MEDIUM This Month

Permanent denial-of-service against the 2025 Indian Motorcycle Scout Bobber + Tech's Wireless Control Module (WCM) allows an adjacent-network attacker with write access to the in-vehicle network to irreversibly immobilize the motorcycle by deliberately tripping an immobilizer lockout counter that persists across power cycles. The WCM's lockout counter accepts increments from any unauthenticated message without session binding, meaning a small number of crafted in-vehicle network frames is sufficient to trigger a permanent lockout condition requiring dealer intervention to resolve. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog, though the attack technique is straightforward given adjacent network access.

Denial Of Service Scout Bobber Tech
NVD VulDB
CVSS 4.0
4.1
EPSS
0.0%
CVE-2026-49323 MEDIUM This Month

Immobilizer bypass in the 2025 Indian Motorcycle Scout Bobber + Tech (Polaris Inc.) allows a physically adjacent attacker to permanently defeat the engine immobilizer by passively capturing a single WCM-to-ECM seed/key exchange. The Wireless Control Module derives its authentication response using a reversible, non-cryptographic operation, meaning the persistent per-vehicle ECM immobilizer secret can be mathematically reconstructed from one captured exchange - no brute force required. Once recovered, the secret enables independent ECM authentication and engine start without the physical key fob, nullifying the immobilizer entirely. No public exploit code has been identified at time of analysis, and no patch has been released; specific protocol details have been withheld by the researcher pending vendor remediation.

Microsoft Information Disclosure Scout Bobber Tech
NVD VulDB
CVSS 4.0
4.1
EPSS
0.0%
CVE-2026-49322 MEDIUM This Month

The Wireless Control Module (WCM) in the 2025 Indian Motorcycle Scout Bobber + Tech exposes the user-set vehicle unlock PIN through a fatally weak authentication design in the Infotainment Digital Round display. The display's PIN verification relies on a non-cryptographic computation, meaning a passive observer who captures a single complete authentication exchange from the in-vehicle network can mathematically recover the exact PIN - no brute-force or active interaction required. Reported by ASRG against a product manufactured by Polaris Inc., this vulnerability defeats the motorcycle's primary user-authentication control; it is not listed in CISA KEV and no public exploit code has been identified at time of analysis.

Microsoft Information Disclosure Scout Bobber Tech
NVD VulDB
CVSS 4.0
4.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy