Skip to main content
CVE-2026-46579 HIGH This Week

Authentication bypass in Red Hat OpenShift Container Platform 4 Router allows remote unauthenticated attackers to impersonate TLS client certificate identities by injecting X-SSL-Client-* headers over plain HTTP. The flaw affects Routes configured with insecureEdgeTerminationPolicy set to Allow, where the HTTP frontend fails to strip these trusted headers from inbound requests. No public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC marks exploitation status as none with total technical impact.

Authentication Bypass Red Hat Openshift Container Platform 4
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46599 HIGH POC PATCH GHSA This Week

Denial-of-service in the Go golang.org/x/image/tiff package (versions before 0.41.0) allows remote attackers to exhaust memory or CPU by submitting a small, maliciously-crafted TIFF image whose PackBits-compressed stream decodes to disproportionately large output. Any Go service that parses untrusted TIFF input via this library is exposed; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).

Denial Of Service Golang Org X Image Tiff
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-41280 HIGH This Week

Relative path traversal (Zip Slip) in Waterfall WF-500 RX Host version 7.9.1.0 R2502171040 enables code execution on the RX side when attackers already control the TX Host and the deployment uses a MySQL connector with file compression enabled. The flaw, tracked as CWE-23 and reported by Nozomi Networks Labs, has no public exploit identified at time of analysis and an EPSS of 0.02% (4th percentile), but it meaningfully undermines the data-diode trust boundary the WF-500 is deployed to enforce.

Path Traversal Wf 500
NVD
CVSS 4.0
7.5
EPSS
0.0%
CVE-2025-41278 HIGH This Week

Out-of-bounds read in the Waterfall WF-500 RX Host (firmware 7.10.0.0 R2601141040) enables an attacker who already controls the TX Host to execute code on the receiving (RX) side, bypassing the unidirectional security guarantee the data diode is designed to enforce. Discovered by Nozomi Networks Labs with no public exploit identified at time of analysis and an EPSS score of 0.02%, the issue is significant because it undermines the OT/IT segmentation use case the product exists to provide. The vulnerability is not listed in CISA KEV and there is no evidence of active exploitation.

Information Disclosure Buffer Overflow Wf 500
NVD
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-47123 HIGH PATCH This Week

Authentication bypass in FreeScout help desk (versions prior to 1.8.220) allows remote attackers who can spoof an agent's email From address to inject forged replies into customer-facing threads. The FetchEmails command's notification reply path parsed thread_id and user_id directly from the Message-ID without HMAC verification, so spoofed messages were relayed to customers through the legitimate SMTP server. No public exploit identified at time of analysis, but the upstream commit publicly documents the exact missing hash check.

Authentication Bypass Freescout
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-49372 HIGH PATCH This Week

Server-side request forgery in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 allows remote unauthenticated attackers to coerce the build server into issuing arbitrary outbound HTTP requests through the build status functionality. The CVSS 7.5 score (C:H/I:N/A:N) reflects high-impact disclosure of internal data without integrity or availability effects, and no public exploit is identified at time of analysis.

SSRF Teamcity
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45742 HIGH PATCH GHSA This Week

Remote denial of service in Gotenberg v8.10.0 through v8.32.0 allows unauthenticated attackers to crash the process by sending a single multipart request with multiple downloadFrom entries that trigger concurrent writes to unsynchronized Go maps. Because the default deployment enables downloadFrom and disables authentication, any internet-exposed instance can be terminated remotely without credentials, and publicly available exploit code exists in the upstream GitHub Security Advisory GHSA-vp73-vjw8-8f32. No public exploit identified in CISA KEV at time of analysis, but the PoC is fully reproducible and the fix is shipped in v8.33.0.

Race Condition Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-45741 HIGH GHSA This Week

SSRF deny-list bypass in Gotenberg v8 (<= 8.32.0) allows unauthenticated remote attackers to reach internal cloud metadata services (e.g., AWS/GCP/Azure IMDS at 169.254.169.254) by serving a crafted DNS AAAA record containing IPv6 6to4, NAT64, or deprecated site-local prefixes that the IsPublicIP allow-list fails to recognize. Publicly available exploit code exists via the GitHub Security Advisory PoC, and the Chromium URL-convert route returns the upstream response as a PDF, yielding a full-read SSRF that can leak IAM credentials. No vendor-released patch identified at time of analysis (advisory lists no fixed version).

Google Microsoft Docker SSRF
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-48501 HIGH PATCH GHSA This Week

Token leakage in GitHub CLI versions through 2.92.0 causes authentication tokens to be transmitted to unintended hosts when users run gh attestation, gh release verify, or gh release verify-asset commands. The flawed host normalization collapses *.github.com subdomains to github.com, leaking github.com tokens to tuf-repo.github.com (a GitHub Pages domain), while GH_ENTERPRISE_TOKEN values leak to external hosts tuf-repo-cdn.sigstore.dev and tmaproduction.blob.core.windows.net. No public exploit identified at time of analysis, and the vendor (GitHub) reports no evidence that tokens were captured or misused.

Microsoft Authentication Bypass Red Hat
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-39292 HIGH This Week

Remote code execution in Falco Solutions PHPageBuilder v0.31.0 is possible through an unrestricted file upload flaw in the pagemanager/pagebuilder module, enabling unauthenticated remote attackers to upload arbitrary executable files (typically PHP webshells) and run code on the underlying web server. Publicly available exploit code exists in a dedicated GitHub repository, though EPSS scoring (0.06%, 18th percentile) and SSVC indicate no observed in-the-wild exploitation despite the attack being fully automatable.

File Upload RCE N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-7480 HIGH This Week

Local privilege escalation in ASUS System Control Interface allows an authenticated low-privileged user to gain SYSTEM-level code execution by issuing a crafted RPC call that bypasses the component's validation logic. The flaw stems from incorrect permission assignment (CWE-732) on a critical resource exposed over RPC, and no public exploit identified at time of analysis. CVSS 4.0 scores it 7.3 with high attack complexity, indicating exploitation is non-trivial but yields full host compromise.

RCE Asus System Control Interface
NVD
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-8070 HIGH This Week

Local privilege escalation in ASUS Armoury Crate allows an authenticated low-privileged user to bypass driver validation and gain unauthorized read/write access to physical memory. The flaw stems from incorrect permission assignment (CWE-732) on a critical resource exposed by the application's kernel driver, enabling memory tampering that can be leveraged for full system compromise. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Authentication Bypass Armoury Crate
NVD
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-39276 HIGH This Week

Authenticated remote code execution in Emlog Pro v2.6.9 stems from a path traversal flaw in the template upload feature that lets administrators write arbitrary PHP files outside the intended template directory. Attackers leverage crafted ZIP archives containing '../' sequences in member filenames to overwrite default template files or drop new PHP payloads inside the active template, yielding code execution under the web server account. No public exploit identified at time of analysis, but a vulnerability report repository on GitHub demonstrates the issue.

PHP Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-11262 HIGH This Week

Stored cross-site scripting in the Link Whisper Free WordPress plugin (versions through 0.9.0) allows unauthenticated remote attackers to inject persistent JavaScript via the user_id parameter, which executes in the browser of any user who visits an affected page. The flaw stems from insufficient input sanitization and output escaping in the plugin's settings handler, and no public exploit identified at time of analysis. With a CVSS 7.2 score reflecting Scope:Changed impact, the bug is notable because exploitation requires no authentication despite affecting an administrative-adjacent plugin component.

XSS WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-9493 HIGH This Week

Authorization bypass in BankPro E-Service Technology's Service Center application allows authenticated remote attackers to read other users' electronic commerce order details by tampering with an object identifier parameter in a query function. The CVSS 4.0 vector (AV:N/PR:L/VC:H) reflects a high-confidentiality impact over the network with low privileges and no user interaction, and there is no public exploit identified at time of analysis. The flaw is an Insecure Direct Object Reference (IDOR) reported by TWCERT, affecting financial/EC order data that is typically subject to privacy and PCI-DSS scrutiny.

Authentication Bypass Service Center
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-4776 HIGH PATCH NEWS GHSA This Week

Authenticated SQL injection in Mautic's API contact filtering allows API users to execute arbitrary SQL by abusing insufficient recursive sanitization of nested query parameters. The flaw (CWE-89) yields full read access to database contents and partial availability impact, but requires valid API credentials (PR:L). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-9808 HIGH PATCH GHSA This Week

Authorization bypass in Mautic 7 API v2 endpoints allows authenticated low-privilege users to read or modify records owned by other users, undermining role-based ownership scopes such as viewown and editown. The flaw was reported by Mautic and disclosed via GHSA-2jrw-c95w-h43g; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-47696 HIGH POC PATCH GHSA This Week

Wallet balance forgery in WWBN AVideo 29.0 and earlier allows any authenticated user to credit their own wallet with arbitrary funds by abusing an unfinished AuthorizeNet payment handler. The plugin/AuthorizeNet/processPayment.json.php endpoint hardcodes payment success and calls YPTWallet::addBalance() using an attacker-supplied amount with no validation of the underlying Authorize.Net transaction. No public exploit has been identified at time of analysis, but the flaw is trivially reproducible from a logged-in account.

RCE PHP
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-49371 HIGH PATCH This Week

Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted URL targeting the keyword filter parameter. The flaw was reported by JetBrains and carries a CVSS 7.1 due to the high confidentiality impact possible against authenticated CI/CD users; no public exploit identified at time of analysis.

XSS Teamcity
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-49373 HIGH PATCH This Week

Remote code execution in JetBrains TeamCity versions prior to 2026.1 is achievable by authenticated users who can configure Perforce connection settings on a build project. The flaw, classified as CWE-88 (argument injection), allows attackers with project configuration privileges to inject arguments through Perforce VCS root parameters, leading to command execution on the TeamCity server. No public exploit identified at time of analysis, and the EPSS/KEV signals were not provided in the source intelligence.

RCE Teamcity
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-38739 HIGH GHSA This Week

Union-based SQL injection in eZ Publish Legacy's dfscleanup.php script allows a local authenticated attacker with sufficient privileges to extract sensitive data, including user credentials, from the underlying MySQL database. The flaw resides in the `_getFileList` function of the `eZDFSFileHandlerMySQLiBackend` class and is permanently unpatched because all branches of the project have reached end of life. No public exploit identified at time of analysis, though a detailed researcher write-up exists on GitHub.

PHP Information Disclosure SQLi
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-44495 HIGH PATCH GHSA This Week

Prototype-pollution gadget in Axios (npm) before 1.15.2 and 0.31.1 allows an attacker who has already polluted Object.prototype.transformResponse in the same JavaScript process to hijack response handling, exfiltrate request config (URL, headers, auth credentials), and tamper with returned data. The flaw lives in mergeConfig() and transformData(), which read config via prototype-chain lookups, so any helper library prototype pollution becomes a credential-theft and DoS primitive for every Axios request. No public exploit identified at time of analysis beyond the advisory's PoC, and the issue is not in CISA KEV.

Denial Of Service RCE Code Injection
NVD GitHub
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-10107 HIGH PATCH This Week

Server-side request forgery in MoviePilot v2's image proxy endpoint (/api/v1/system/img-proxy) allows authenticated attackers holding a valid resource_token cookie to coerce the server into fetching arbitrary internal URLs. The flaw stems from SecurityUtils.is_safe_url performing domain-membership checks without blocking private, loopback, or link-local IPs, letting attackers enumerate co-hosted media services such as Jellyfin, Emby, and Plex and exfiltrate internal data. No public exploit identified at time of analysis, though the upstream patch and vendor-published advisory clearly document the attack path.

SSRF Moviepilot
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-47248 MEDIUM PATCH GHSA This Month

Schema metadata disclosure in Parse Server's GraphQL endpoint allows unauthenticated callers to iteratively reconstruct the full application schema - including class names, field names, argument names, mutation names, and input-object fields - by exploiting 'Did you mean ...?' suggestions embedded in GraphQL validation-error messages. This affects all deployments with the GraphQL API mounted, bypasses the existing IntrospectionControlPlugin (the default schema-hiding control), and directly defeats the security goals of prior advisories GHSA-48q3-prgv-gm4w and GHSA-q5q9-2rhp-33qw. No public exploit or CISA KEV listing has been identified at time of analysis; however, the unauthenticated, low-effort nature of the enumeration technique and the reconnaissance value of schema intelligence make this a meaningful risk for deployments that rely on schema opacity as a defense layer.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-47141 MEDIUM PATCH GHSA This Month

Host process data leakage in vm2 (npm/vm2 <= 3.11.3) allows untrusted JavaScript executing inside a NodeVM sandbox to read sensitive host-process state - including HTTP Authorization headers, session tokens, and AsyncLocalStorage request context - by requiring process-wide observability builtins that were incorrectly absent from the DANGEROUS_BUILTINS denylist. The affected modules (diagnostics_channel, async_hooks, perf_hooks) are Node.js process-wide singletons, not sandbox-local constructs, so granting sandbox access to them exposes all host process data flowing through those channels. A publicly available exploit code exists confirming extraction of Bearer tokens and x-session-token headers from live host HTTP requests; this is not confirmed actively exploited (not in CISA KEV).

Information Disclosure Node.js Red Hat
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-47212 MEDIUM PATCH GHSA This Month

Webhook signature verification is silently skipped in Symfony's Twilio Notifier bridge across symfony/symfony 6.4.x through 8.0.x and symfony/twilio-notifier, even when a signing secret is explicitly configured. TwilioRequestParser::doParse() accepts a secret parameter but contains no code that reads or uses it, meaning every inbound POST to the webhook endpoint is accepted unconditionally regardless of whether the X-Twilio-Signature HMAC header is present or valid. An attacker who can reach the endpoint URL can inject arbitrary forged Twilio status callbacks - fake delivered, failed, or undelivered events - to corrupt delivery metrics or trigger downstream automation. No public exploit code identified at time of analysis; vendor-released patches are available in 6.4.40, 7.4.12, and 8.0.12.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-10068 MEDIUM This Month

Server-side request forgery in Shibby Tomato 1.28 allows unauthenticated remote attackers to force the router to issue arbitrary HTTP requests via a crafted UPnP SUBSCRIBE callback URL processed by the miniupnpd daemon's send() function. The affected firmware is end-of-life with no vendor patch forthcoming; the project has been superseded by FreshTomato. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms the attack is remotely exploitable without authentication or special conditions on reachable devices.

SSRF
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-10075 MEDIUM This Month

Absolute Path Traversal in DreamMaker (developed by Interinfo) allows unauthenticated remote attackers to enumerate file names under arbitrary filesystem paths on the host. The vulnerability stems from CWE-36 (Absolute Path Traversal) and is exploitable over the network without any credentials or user interaction, as confirmed by the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). Confidentiality impact is limited to file name disclosure rather than full file content retrieval, per the VC:L scoring. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal Dreammaker
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-10074 MEDIUM This Month

Arbitrary file read in Interinfo's DreamMaker application allows privileged attackers to traverse relative path boundaries and download arbitrary system files. The vulnerability stems from insufficient path normalization in a file download or retrieval function, enabling exfiltration of sensitive system content without modifying or disrupting the target. No public exploit code has been identified at time of analysis, and the requirement for high privileges (PR:H per CVSS 4.0) materially limits the attacker pool.

Path Traversal Dreammaker
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-47213 MEDIUM GHSA This Month

Timeout enforcement in BoxLite sandbox service fails to kill processes because the implementation sends the catchable SIGALRM signal (signal 14) instead of the uncatchable SIGKILL signal (signal 9) in guest/src/service/exec/timeout.rs. All BoxLite versions up to and including 0.8.2 (pip/boxlite) are affected. A low-privileged attacker who can submit workloads to the BoxLite API can register a SIGALRM handler or set it to SIG_IGN with a single call, surviving past any configured execution timeout and exhausting VM resources to degrade availability for all BoxLite users. Publicly available exploit code exists in GitHub advisory GHSA-xjhv-pp2r-6f82; no patch has been released as of time of analysis.

Denial Of Service Python
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42965 MEDIUM This Month

Server-side request forgery in Red Hat OpenShift Container Platform 4's Router component allows authenticated users with EndpointSlice write permissions to coerce the router into proxying requests to cloud provider instance metadata endpoints (e.g., 169.254.169.254), exposing instance credentials and sensitive metadata. The flaw bypasses prior IP-address-based validation by abusing FQDN-backed EndpointSlices that resolve to metadata services. No public exploit identified at time of analysis, and the issue is not present on CISA KEV.

SSRF Red Hat Openshift Container Platform 4
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49386 MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before 2026.1.13570 permits any authenticated low-privileged user to enumerate restricted issues and articles through the Planning Canvas feature, exposing confidential project data they are not authorized to view. Rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), the flaw allows user-controlled identifiers to bypass access restrictions without proper authorization checks. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49379 MEDIUM PATCH This Month

Credential exposure in JetBrains TeamCity before version 2026.1 allows authenticated remote attackers to retrieve sensitive secrets via JVM thread name inspection. The root cause (CWE-522 - Insufficiently Protected Credentials) is TeamCity embedding credential values directly into thread names, which surfaces in thread dumps, monitoring interfaces, and diagnostic tooling accessible to low-privileged users. No public exploit code has been identified and this vulnerability is absent from the CISA KEV catalog, but the high confidentiality impact (CVSS C:H) makes it a significant credential theft vector in enterprise CI/CD environments where TeamCity routinely holds access tokens to source repositories, cloud infrastructure, and deployment targets.

Information Disclosure Teamcity
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49376 MEDIUM PATCH This Month

Insufficient username validation in the SAML plugin of JetBrains TeamCity before 2026.1 allows unauthenticated remote attackers to bypass authentication controls and gain unauthorized access to CI/CD resources. The flaw (CWE-863, Incorrect Authorization) permits manipulation of the username field within SAML assertions, potentially enabling impersonation of legitimate users and unauthorized read/write access to build configurations and pipeline data. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Teamcity
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49385 MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before version 2026.1.13570 permits any low-privileged authenticated user to modify service accounts, an administrative operation that should be restricted to privileged roles. Rooted in CWE-862 (Missing Authorization), the flaw is exploitable over the network with low complexity, requiring no user interaction - meaning any valid account holder on an exposed instance can tamper with service account configurations. No public exploit or CISA KEV listing has been identified at time of analysis, but the integrity impact is rated high given the sensitivity of service account access in YouTrack deployments.

Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47408 MEDIUM PATCH GHSA This Month

{workspace_id}/issues/{issue_id}/activity endpoint validates workspace membership but passes issue_id directly to an unscoped database query, returning actor identities, action types, and before/after field values from the details JSON blob for any issue UUID reachable by the attacker. No public exploit has been identified at time of analysis, but the vulnerability is source-inspection-verified via the GHSA-27p4-pjqv-whgj advisory.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47233 MEDIUM PATCH GHSA This Month

Permanent inventory field deletion in Admidio (composer/admidio/admidio <= 5.0.9) is reachable by any authenticated low-privilege user due to a missing authorization gate in the `field_delete` mode of `modules/inventory.php`. Deleting a field cascades to all stored item data (`adm_inventory_item_data`) and field options (`adm_inventory_field_options`) for that field with no in-product undo path - recovery requires a database restore. This is an incomplete fix: commit d37ca6b (2026-04-12) added `isAdministratorInventory()` to the sibling `item_delete` handler but left `field_delete` and at least five other state-changing handlers ungated. A working proof-of-concept is published in the GitHub advisory; no public exploit frameworks or CISA KEV listing have been identified at time of analysis.

PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47230 MEDIUM PATCH GHSA This Month

Cross-folder file rename and description tampering in Admidio's document management module allows any authenticated uploader to modify files in folders they cannot write to. The vulnerability affects Admidio <= 5.0.9 (composer package admidio/admidio): a low-privilege user holding upload rights on a single folder can rename files and overwrite descriptions in any other folder they can view, breaking integrity for all readers of those folders. Publicly available exploit code exists per the GitHub Security Advisory; no KEV listing at time of analysis.

XSS PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47227 MEDIUM PATCH GHSA This Month

Broken access control in Admidio's `modules/categories.php` allows any authenticated module-administrator to permanently delete, reorder, or rename category records belonging to modules they do not administer. An Announcements administrator, for example, can destroy Role categories, Event calendars, or Profile-field categories by supplying a foreign category UUID while passing their own authorized module type as the `type` GET parameter, bypassing a per-record authorization check that is permanently dead code. A detailed working proof-of-concept is publicly available, demonstrated on a fresh Admidio install; no public exploit identified at time of analysis as CISA KEV-confirmed active exploitation, but the CVSS 6.5 (PR:L, I:H) reflects real data-destruction risk in any Admidio deployment that delegates module-admin rights to non-superadmin users.

PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47226 MEDIUM PATCH GHSA This Month

Cross-folder unauthorized file deletion in Admidio v5.0.9 allows any authenticated member with upload rights on a single folder to permanently destroy files stored in folders where they hold only view access. The vulnerability stems from a broken authorization boundary in modules/documents-files.php: the top-level upload-right check trusts an attacker-supplied folder_uuid URL parameter rather than the target file's actual parent folder, while the file_delete handler performs only a view-right check. This is confirmed as an incomplete fix of GHSA-rmpj-3x5m-9m5f (previously addressed in v5.0.7 but reintroduced by v5.0.9). A fully functional public proof-of-concept with step-by-step curl commands has been confirmed against a Docker deployment of v5.0.9; no public exploit identified at time of analysis as a weaponized tool, but the PoC lowers exploitation barrier significantly.

Docker PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47184 MEDIUM PATCH GHSA This Month

Memory exhaustion in python-zeroconf's DNSCache component allows any unauthenticated host on the same Layer-2 segment to OOM-kill or severely degrade processes that consume mDNS/DNS-SD services (CVSS 6.5, AV:A/PR:N). The DNSCache._async_add method imposed no upper bound on cache entries, permitting a local-link attacker to multicast valid mDNS responses with unique names that accumulate across all four internal data structures faster than the 10-second cleanup interval can purge them. A second distinct variant exploits TTL re-advertisement to bloat the internal _expire_heap independently of the cache entry counter, providing a second unbounded growth path that bypasses any entry-count monitoring. No public exploit is identified at time of analysis; a vendor-released patch is available as of zeroconf 0.149.6 or 0.149.7 (minor version discrepancy between sources - see confidence notes).

Canonical Python Denial Of Service Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47183 MEDIUM PATCH GHSA This Month

Memory exhaustion in python-zeroconf's exception deduplication logic allows any unauthenticated LAN-adjacent host to permanently pin approximately 9 KB of heap memory per unique malformed mDNS packet, enabling denial of service against zeroconf-dependent applications. The flaw affects all versions of the pip package `zeroconf` prior to 0.149.6; the unbounded `_seen_logs` dict in `QuietLogger` and `DNSIncoming._log_exception_debug` retained full Python traceback objects - and thus raw inbound packet buffers - keyed by attacker-influenced exception strings derived from ephemeral source ports, byte offsets, and pointer links. No public exploit or CISA KEV listing exists at time of analysis, but the attack is mechanistically straightforward and particularly severe on memory-constrained deployments such as Home Assistant on Raspberry Pi-class hardware, where sustained flood traffic can OOM-kill the process and disable HomeKit, Chromecast/Matter, and AirPlay discovery.

Canonical Python Denial Of Service Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47180 MEDIUM PATCH GHSA This Month

Uncontrolled recursion in python-zeroconf's mDNS DNS name decoder (versions < 0.149.5) allows any unauthenticated host on the local link to crash or degrade the mDNS listener with a single ~3 kB packet. The `_decode_labels_at_offset` method recurses once per DNS compression pointer (RFC 1035 §4.1.4) with no cap on unique forward-pointer chain depth; a packet carrying ~1500 chained pointers overflows CPython's default call stack, and because `RecursionError` was omitted from `DECODE_EXCEPTIONS`, the exception escaped `DNSIncoming.__init__` rather than being handled gracefully. Replaying at a few hertz produces sustained CPU burn, log flooding, and degradation of all mDNS-dependent services (HomeKit, Chromecast/Matter, AirPlay, network printers); no public exploit identified at time of analysis, but the attack is trivially constructible from the published advisory and test fixture in PR #1719.

Information Disclosure Python Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47742 MEDIUM PATCH GHSA This Month

Privilege escalation in shopperlabs/shopper prior to 2.8.0 allows any authenticated admin panel user - regardless of assigned role - to mutate pricing, inventory, SEO metadata, shipping dimensions, and attached media for any product by exploiting missing authorization on Livewire sub-form component store() methods. Because the product ID was accepted as an unlocked public Livewire property, attackers could additionally target arbitrary products by tampering with the wire payload from the client side, not just products they otherwise interact with. No active exploitation confirmed (not in CISA KEV), and no standalone POC code has been published, though the remediation PR diff is publicly available.

Authentication Bypass Shopper
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47745 MEDIUM PATCH GHSA This Month

Missing authorization enforcement in the Shopper headless e-commerce admin panel (all versions prior to 2.8.0) allows any authenticated low-privilege panel user to disable payment methods, alter the default currency, or disable carriers - actions that should be restricted by per-action permissions. The business impact is severe: a malicious or compromised low-privilege account can cause a complete denial of checkout and undermine pricing integrity across the store. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Shopper
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39229 MEDIUM This Month

SQL Injection in Bolt CMS through version 3.7.0 exposes sensitive database contents to any authenticated low-privilege user via the unsanitized 'order' parameter on content listing pages. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms network-exploitable, low-complexity access requiring only a low-privileged account, with full confidentiality impact but no integrity or availability impact - placing this squarely in the data-exfiltration threat category. No public exploit confirmed at time of analysis, and no vendor-released patch has been identified from available data.

SQLi
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47268 MEDIUM PATCH GHSA This Month

Blind SSRF in Nezha Dashboard (v0.20.0-v2.0.9) allows any low-privileged authenticated user to force the dashboard process to issue arbitrary HTTP requests to loopback and internal network addresses by configuring a malicious DDNS webhook profile. The attacker fully controls the request method, URL, headers, and body, enabling probing or manipulation of internal services that trust the dashboard host's network position. A publicly available proof-of-concept confirms full pipeline exploitation against a loopback listener; no public exploit identified at time of analysis in CISA KEV.

SSRF
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9557 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in Mautic's Focus component enables authenticated low-privileged users to coerce the hosting server into issuing arbitrary outbound HTTP requests to internal or external destinations. The CVSS scope change (S:C) confirms the vulnerability crosses the application boundary, making internal network reconnaissance viable from a standard marketing platform user account. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis, but the authenticated-yet-low-privilege requirement and changed scope make this a meaningful lateral movement enabler in enterprise Mautic deployments.

SSRF
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9243 MEDIUM This Month

Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions up to and including 6.4.15) allows authenticated contributor-level attackers to persistently inject malicious scripts via the carousel_direction parameter of the Carousel Anything widget. The root cause is an unquoted HTML attribute context in the render() function where esc_attr() is applied but insufficient - attribute injection is still possible by appending space-separated event handlers to the bare dir= attribute. Injected payloads persist in the database and execute in any visiting user's browser, including administrators, enabling session hijacking or privilege escalation; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS WordPress Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9714 MEDIUM This Month

Stored Cross-Site Scripting in the Simple Divi Shortcode WordPress plugin (versions up to and including 1.2) allows authenticated attackers with contributor-level access to permanently embed arbitrary JavaScript into WordPress pages via the unsanitized 'id' parameter of the [showmodule] shortcode. The injected payload executes in the browser of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or malicious redirects within the victim's authenticated session context. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
Prev Page 4 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy