Skip to main content
CVE-2025-14042 MEDIUM This Month

Stored Cross-Site Scripting in the Automotive Car Dealership Business WordPress Theme (all versions through 13.4.1) enables authenticated contributors to permanently embed arbitrary JavaScript via the 'project_details' custom field in Portfolio Items. Because the CVSS scope is Changed (S:C), injected scripts execute in the victim's browser context - not just the WordPress admin panel - enabling session hijacking, credential harvesting, or drive-by malware delivery against site visitors. No public exploit code has been identified at time of analysis, though contributor-level access is routinely available in multi-author dealership or agency WordPress deployments, making the authentication barrier practically low.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6275 MEDIUM This Month

Stored cross-site scripting in the StatCounter - Free Real Time Visitor Stats WordPress plugin (versions up to and including 2.1.1) allows authenticated users with Author-level access or higher to inject arbitrary JavaScript into post pages by setting a crafted WordPress profile nickname. The unescaped nickname is embedded directly into a JavaScript string context within a <script> block rendered on every post page via the wp_head hook, causing the payload to execute in the browser of any visitor - including unauthenticated users - who loads a post authored by the attacker. No public exploit has been identified at time of analysis, but the low attack complexity (AC:L) and broad exposure surface (every post page on affected sites) make this a practical risk wherever sites permit untrusted Author-level accounts.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-47200 MEDIUM PATCH GHSA This Month

{ middleware })` auth checks. Affected are Nuxt 3.11.0-3.21.5 and Nuxt 4.0.0-alpha.1-4.4.5 when `experimental.componentIslands` is enabled and pages rely solely on route middleware for authorization - a pattern common in Nuxt 4 where componentIslands is on by default. A working proof-of-concept using a single curl command is published in the vendor advisory; no public exploit identified at time of analysis beyond the POC, and no CISA KEV listing exists. Vendor-released patches are available as nuxt@3.21.6 and nuxt@4.4.6.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-44287 MEDIUM PATCH This Month

Sandbox escape in FastGPT's JavaScript code execution worker allows authenticated remote attackers to execute arbitrary OS commands inside the sandbox container by bypassing a regex-based blocklist. The sandbox at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() using a regex that matches only ASCII whitespace between 'import' and '(', failing to account for JavaScript's syntactically valid block comment syntax - the payload import/**/("child_process") parses correctly by the JS engine but evades the regex entirely. Because the safeRequire Proxy only intercepts require() and not native ES import(), the attacker gains direct access to child_process and execSync as uid=100(sandbox). No public exploit identified at time of analysis, but the bypass technique is fully documented in the vendor advisory and is trivially reproducible by any authenticated user.

RCE Code Injection Fastgpt
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-9831 MEDIUM PATCH This Month

Cross-tenant data exposure in Extreme Platform ONE's IAM Gateway API-key authentication path allows an authenticated API-key holder to intermittently receive response data belonging to a different tenant under high-concurrency conditions. Affected endpoints include both ExtremeCloud IQ (XIQ/XAPI) and Extreme Platform ONE Common Services API paths; XIQ-native tokens and standard OAuth/Bearer JWT authentication are explicitly confirmed unaffected. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the Changed scope (S:C) in the CVSS vector confirms that successful exploitation crosses tenant isolation boundaries, elevating the real-world severity beyond the 6.3 base score for multi-tenant deployments.

Information Disclosure Race Condition Extreme Platform One
NVD VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-10101 MEDIUM This Month

Pull-secret credential exposure in Red Hat Advanced Cluster Management (ACM) and Multicluster Engine (MCE) assisted-service leaks the full contents of a referenced pull-secret - including username, password, email, and base64-encoded auth token - into the publicly-readable `InfraEnv.status.conditions[].message` field when pull-secret validation fails. A low-privileged namespace principal holding the stock Kubernetes `view` ClusterRole, which is explicitly denied direct `get`/`list` on Secret objects, can recover the entire `.dockerconfigjson` credential payload by reading InfraEnv status. This constitutes a confirmed RBAC bypass (CWE-201) demonstrated via a reproduced proof-of-concept; no active exploitation via CISA KEV has been recorded at time of analysis.

Authentication Bypass Kubernetes
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-10061 LOW POC Monitor

Command injection in TRENDnet TEW-432BRP firmware 3.10B20 allows a low-privileged, network-based attacker to execute arbitrary OS commands on the device by manipulating the peerPin argument submitted to the formWPS CGI handler at /goform/formWPS. A public proof-of-concept exploit is available on GitHub, confirmed by the E:P modifier in the CVSS 4.0 vector. No patch has been or will ever be released - the vendor explicitly confirmed this router reached end-of-life in 2009, making permanent device replacement the only viable remediation.

Command Injection Tew 432Brp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-10060 LOW POC Monitor

Command injection in TRENDnet TEW-432BRP firmware 3.10B20 allows network-reachable authenticated attackers to execute arbitrary OS commands by injecting shell metacharacters into the ip, mask, or gateway parameters of the formSetRoute CGI handler at /goform/formSetRoute. A public proof-of-concept exploit has been disclosed on GitHub. No patch will ever be released - TRENDnet has explicitly confirmed the device reached end-of-life in 2009 and is unable to replicate or remediate the vulnerability, making permanent residual risk the defining characteristic of this CVE.

Command Injection Tew 432Brp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-49384 MEDIUM PATCH This Month

Stored XSS in JetBrains PyCharm's Jupyter notebook Markdown cell renderer allows a remote, unauthenticated attacker to execute arbitrary JavaScript in the context of a victim's PyCharm session by delivering a crafted notebook file. All PyCharm versions prior to 2025.3.4 are affected. The vulnerability carries no KEV listing and no public exploit has been identified at time of analysis, though the low attack complexity and lack of required privileges make opportunistic abuse via shared or repository-hosted notebooks plausible.

XSS Pycharm
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-49375 MEDIUM PATCH This Month

Reflected cross-site scripting on the TeamCity repository download page allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL. The Changed scope (S:C) in the CVSS vector indicates the payload can escape the vulnerable component and affect the victim's broader browser session, enabling session token theft, credential harvesting, or malicious redirects against TeamCity users. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XSS Teamcity
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-36324 MEDIUM This Month

Stored or reflected Cross-Site Scripting in SourceCodester Doctor Appointment System 1.0 allows unauthenticated remote attackers to inject malicious JavaScript through the user registration form in register.php. When a privileged user such as an administrator views the submitted registration data, the script executes in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. A public disclosure write-up is available on GitHub; no vendor patch has been identified at this time.

XSS PHP
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-47121 MEDIUM GHSA This Month

Intermediate-symlink traversal in Sparkle's binary delta apply pipeline allows a holder of a compromised EdDSA signing key to achieve arbitrary file write at the privilege level of the AppInstaller process - root for system-domain installs. The flaw exists in SUBinaryDeltaApply.m, which only inspects the immediate parent directory for symlink status rather than all intermediate path components; a .delta archive item can first plant a symlink (e.g., pointing to /Library/LaunchDaemons) and a second item can then write through it via fopen(), which follows kernel-resolved symlinks unconditionally. A fully functional proof-of-concept demonstrating LaunchDaemon persistence installation is detailed in GHSA-hg88-v3cw-3qrh, though it requires a valid EdDSA signature, meaning public exploit utility is gated on signing key possession. No vendor-released patch has been identified at time of analysis.

Path Traversal
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-35673 MEDIUM PATCH This Month

SSRF policy bypass in OpenClaw before 2026.4.29 enables authenticated low-privileged attackers to circumvent private-network SSRF protections via browser debug and export routes. The flaw (CWE-863, Incorrect Authorization) allows an attacker who already holds valid credentials to reuse previously blocked browser tabs, causing the application to export or inspect content from protected internal resources that the SSRF policy was intended to restrict. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the high confidentiality impact on the vulnerable component (VC:H in CVSS 4.0) warrants prompt patching for internet-exposed instances.

SSRF Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-47741 MEDIUM PATCH This Month

Discount over-redemption via race condition in Shopper (shopperlabs/shopper prior to v2.8.0) allows concurrent unauthenticated checkout requests to bypass a coupon's global usage_limit, resulting in committed orders carrying unauthorized discounts the merchant never intended to grant. The CreateOrderFromCartAction::execute method created the Order database row before atomically reserving the discount slot, opening a classic TOCTOU window that becomes reliably exploitable under the high-concurrency traffic of flash sales or Black Friday events. A compounding bug rendered usage_limit_per_user entirely non-functional in all pre-2.8.0 versions - the underlying counter was never incremented anywhere in the codebase - meaning per-user caps provided zero protection regardless of a customer's redemption history. No public exploit identified at time of analysis; this CVE is not listed in CISA KEV.

Information Disclosure Race Condition Shopper
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-46690 MEDIUM GHSA This Month

Memory unsafety in unbounded-spsc 0.2.0 (Rust crate) allows a local attacker with low privileges to cause out-of-bounds reads, allocator corruption, and process crashes by winning a TOCTOU race between Sender::send and Receiver::drop. The root defect is a pointer-as-value transmute in the DISCONNECTED arm of Sender::send (src/lib.rs:384-401): the code transmutes an 8-byte raw pointer (*mut Producer<T>) directly into Consumer<T>, meaning the fake Consumer's internal Arc::ptr points at the Sender struct itself rather than the real ArcInner<Buffer<T>>. No public exploit identified at time of analysis, but a proof-of-concept reproducing SIGSEGV is included in the advisory and reproduces approximately 3 out of 10 trials under heavy contention in release mode.

Information Disclosure Canonical Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-47395 MEDIUM PATCH GHSA This Month

Local SSRF in PraisonAI's direct-prompt CLI allows an attacker who can influence prompt text to cause the operator's machine to fetch loopback and private-network HTTP resources, injecting the response body into the LLM prompt context. Affected packages are pip/praisonai <= 4.6.39 and pip/praisonaiagents <= 1.6.39; patches are available in 4.6.40 and 1.6.40 respectively. Publicly available exploit code exists (confirmed working PoC in the GHSA advisory), no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), and the CVSS 5.5 score reflects a meaningful confidentiality impact (C:H) constrained by a local attack vector.

Information Disclosure Mozilla SSRF Python
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47390 MEDIUM PATCH GHSA This Month

SSRF protection bypass in PraisonAI's spider_tools component (praisonaiagents <= 1.6.39, PraisonAI <= 4.6.39) allows an attacker who can influence URLs submitted to scrape_page(), crawl(), or extract_text() to reach loopback-only HTTP services by supplying alternate loopback address encodings such as octal IPv4, hex, decimal integer, or trailing-dot hostname forms. The _validate_url() function performs only exact-string blocklist checks against 'localhost' and '127.0.0.1', without DNS resolution, IP normalization, or post-connect address validation, causing the bypass. Publicly available exploit code (PoC) has been confirmed functional; no active exploitation via CISA KEV has been identified at time of analysis.

RCE SSRF Python
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47694 MEDIUM GHSA This Month

Stored cross-site scripting in WWBN AVideo 29.0 and earlier allows an authenticated low-privilege user with category creation or editing rights to persist malicious JavaScript in category descriptions, which executes in any victim's browser upon viewing the Gallery or affected category page. The scope-changed CVSS vector (S:C) reflects that the injected payload crosses from the attacker's session into other users' browser contexts, enabling session hijacking or unauthorized actions on victims' behalf. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-complexity, network-accessible attack path warrants prompt access control review on affected deployments.

XSS Avideo
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-9811 MEDIUM PATCH GHSA This Month

Stored XSS in Mautic 7's project selector component allows an authenticated low-privileged user to inject malicious script payloads via unsanitized project names rendered through AJAX into DOM option fields. When an administrative user subsequently opens an entity editor containing the affected project selector, the payload executes in the admin's browser session with a changed scope (S:C per CVSS), enabling session hijacking, unauthorized state manipulation, or organizational data exfiltration within the dashboard. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present, though the stored, persistent nature of the payload and low attack complexity make this a credible privilege-escalation pivot for internal threat actors.

XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47229 MEDIUM PATCH GHSA This Month

Cross-site request forgery in Admidio's SSO module allows a network-adjacent attacker to disable or silently re-enable any configured SAML or OIDC authentication client by tricking an authenticated administrator into loading a malicious page. The `enable` action in `modules/sso/clients.php` accepts its `enabled` parameter via GET and applies the state change with no CSRF token validation, while every other state-changing branch in the same file enforces `SecurityUtils::validateCsrfToken()`. A working proof-of-concept is included in the vendor's GitHub security advisory (GHSA-xg76-5qj2-2hhv); no KEV listing was identified at time of analysis.

PHP CSRF
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-48555 MEDIUM PATCH This Month

Server-side request forgery in Spatie Laravel Medialibrary before 11.23.0 allows authenticated remote attackers to coerce the application server into issuing arbitrary outbound HTTP requests by supplying user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php. The flaw is reachable in any Laravel application that exposes addMediaFromUrl() to end-user input, and no public exploit identified at time of analysis, though the upstream patch and a VulnCheck advisory provide enough detail for trivial reproduction. With a CVSS of 7.4 and Scope:Changed, exploitation can pivot to internal services, cloud metadata endpoints, or other backend systems beyond the immediate Laravel host.

PHP SSRF Laravel Medialibrary
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-45352 MEDIUM PATCH This Month

Unbounded memory allocation in cpp-httplib prior to 0.43.4 allows remote unauthenticated attackers to crash the hosting process via a crafted HTTP request using chunked Transfer-Encoding with a negative chunk-size value. The root cause is a silent unsigned wrap-around in strtoul() that bypasses the library's incomplete size guard, causing chunk_remaining to be set to a near-maximum 64-bit value and forcing the server's read loop to attempt consuming that many bytes from the network. No active exploitation has been confirmed (no CISA KEV listing); no public exploit identified at time of analysis.

Denial Of Service Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-44518 MEDIUM PATCH This Month

Out-of-bounds read in liboqs prior to 0.16.0 allows a remote unauthenticated attacker to crash the verifying process by supplying a truncated signature buffer to the XMSS or XMSS^MT stateful signature verification function. The missing caller-supplied length validation causes the implementation to read past the end of the buffer; the overread bytes feed into an internal hash computation only and are not returned to the caller, eliminating any data-leakage oracle. The primary real-world impact is a denial-of-service crash if the overread crosses an unmapped memory page. No public exploit or CISA KEV listing is identified at time of analysis.

Denial Of Service Oracle Buffer Overflow Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42500 MEDIUM PATCH This Month

Panic-induced denial of service in the golang.org/x/image/bmp decoder allows remote unauthenticated attackers to crash any Go application that processes untrusted BMP files. When a paletted BMP containing an out-of-range palette index is decoded, the image package accesses invalid memory and triggers a Go runtime panic, terminating the affected goroutine or process. No public exploit exists at time of analysis, but the attack is automatable per SSVC and requires no privileges or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making any internet-exposed BMP processing endpoint an accessible target.

Information Disclosure Golang Org X Image Bmp
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-46344 MEDIUM PATCH This Month

Out-of-bounds read in liboqs prior to 0.16.0 affects the XMSS and XMSS^MT stateful signature verification routines, exploitable by any unauthenticated remote attacker who can supply a crafted public key to a verifying process. The flaw arises when a correctly-sized signature buffer is paired with a public key whose OID bytes reference a different XMSS parameter set, causing the library to derive a larger sig_bytes value and index past the end of the caller-supplied buffer, with the primary observable effect being a process crash. No active exploitation is confirmed (not in CISA KEV) and no independently published exploit has been identified at time of analysis, though a proof-of-concept scenario is embedded in the upstream fix commit's test suite.

Denial Of Service Information Disclosure Oracle Buffer Overflow Red Hat +1
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45294 MEDIUM PATCH This Month

FreeScout help desk software prior to version 1.8.219 leaks account existence through its password reset endpoint, enabling unauthenticated remote attackers to enumerate valid helpdesk agent email addresses at scale. The endpoint returns visually distinct responses depending on whether a submitted email is registered, violating CWE-203 (Observable Discrepancy) and creating a reliable reconnaissance channel. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the zero-authentication, low-complexity attack surface makes automated enumeration trivially achievable against any internet-exposed FreeScout instance running a pre-1.8.219 version.

Information Disclosure Freescout
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-46705 MEDIUM PATCH GHSA This Month

Authentication state leakage in the russh Rust SSH server library allows unauthenticated remote attackers to manipulate the authentication flow for one user by exploiting retained internal state from a prior authentication attempt made for a different user on the same connection. Versions >= 0.34.0-beta.1 and < 0.61.0 are affected. A publicly available proof-of-concept (provided in GHSA-hpv4-5h6f-wqr3) demonstrates that russh's connection-scoped AuthRequest state - including remaining methods list, partial_success, and in-progress method state - persists across (user, service) principal changes in violation of RFC 4252 section 5, enabling an attacker to observe or influence state that should be isolated to a different principal.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44489 MEDIUM PATCH GHSA This Month

{} instances that inherit from Object.prototype - and setProxy() in lib/adapters/http.js reads proxy.username and proxy.auth without hasOwnProperty guards, allowing prototype-polluted values to forge a Proxy-Authorization header injected into every proxied request. A working proof of concept has been publicly disclosed by the reporter; no active exploitation has been confirmed (not in CISA KEV).

Apple Node.js Authentication Bypass Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-34127 MEDIUM PATCH This Month

Stored XSS in the TP-Link TL-SG108PE v5 web management interface allows an authenticated administrator on an adjacent network to inject persistent malicious script via the SYSNAM configuration parameter during a config file import operation. The injected payload is stored on the device and executes in any administrator's browser upon viewing the affected management page, enabling session cookie theft, unauthorized configuration changes, or exposure of sensitive management-plane data. No public exploit code has been identified at time of analysis, and CISA SSVC assessment rates exploitation as none and not automatable, consistent with the high privilege and adjacency prerequisites.

XSS TP-Link
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-43917 MEDIUM This Month

Missing organization-level authorization in Dokploy 0.19.0 and earlier allows authenticated users from one organization to access, modify, and delete resources belonging to other organizations on the same instance. The shared `protectedProcedure` middleware confirms session authentication but never validates that the requested resource belongs to the caller's active organization, exposing 22 endpoints spanning deployments, backups, volume operations, cluster management, and mounts to cross-organization abuse. No public exploit code has been identified at time of analysis, and this CVE has not been added to the CISA KEV catalog.

Authentication Bypass Dokploy
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-12714 MEDIUM This Month

Unauthenticated modification of SEO metadata settings is possible in the Rank Math SEO WordPress plugin through version 1.0.271, stemming from a missing authorization check on the REST API function `update_site_editor_homepage`. Remote, unauthenticated attackers can overwrite homepage title, meta descriptions, breadcrumb labels, and social media metadata, enabling SEO poisoning campaigns and injection of malicious content into breadcrumb components rendered sitewide. No public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is low-complexity and requires no authentication.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-9189 MEDIUM This Month

Payment bypass in the Contact Form 7 - PayPal & Stripe Add-on for WordPress (all versions up to and including 2.4.9) permits unauthenticated attackers to complete arbitrary pending orders without tendering the required payment amount. The IPN handler correctly authenticates PayPal callbacks via the `cmd=_notify-validate` round-trip, but then blindly trusts the attacker-controlled `invoice` field and passes it to `cf7pp_complete_payment()` without verifying that `mc_gross`, `mc_currency`, or `receiver_email` in the IPN match the stored order values - resulting in full order completion triggered by a minimal real payment. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the direct financial incentive and low attack complexity elevate real-world priority beyond what the medium CVSS score alone implies.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2128 MEDIUM This Month

Unauthenticated information disclosure in the Cloudways Breeze Cache plugin for WordPress (all versions ≤ 2.5.2) allows remote attackers to retrieve administrator-cached page content by supplying a forged session cookie. When the non-default 'Cache Logged-in Users' feature is active, the plugin resolves cached page files by parsing the username directly from the cookie value without verifying the WordPress HMAC signature, enabling any unauthenticated actor who knows or guesses a valid username to obtain that user's cached HTML output. Exposed data includes full content of private posts, Admin Bar markup, WordPress nonces, and other privileged interface elements. No public exploit has been identified and the vulnerability is not listed in CISA KEV; version 2.5.3 contains the fix.

Information Disclosure PHP WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-47228 MEDIUM PATCH GHSA This Month

Cross-site request forgery in Admidio's registration module (`modules/registration.php`) allows an unauthenticated attacker to force a password reset on any user account by tricking a registration-administrator into visiting a malicious page. The `send_login` mode uniquely omits the `SecurityUtils::validateCsrfToken()` check present in all four sibling branches, and unconditionally accepts GET requests, meaning a single `<img src=...>` tag is sufficient to trigger the attack - no form submission or JavaScript required. Publicly available exploit code confirmed against HEAD commit c5cde53; no active exploitation in CISA KEV at time of analysis.

PHP CSRF
NVD GitHub
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-10099 MEDIUM This Month

WebSocket frame parsing in XX-Net V5.16.6 corrupts application-layer data when the local HTTP server's WebSocket_receive_worker routine unconditionally consumes 4 bytes as a masking key regardless of the RFC 6455 MASK bit, causing payload data to be silently misinterpreted. Attackers with local system access and no privileges can send unmasked WebSocket frames to the embedded simple_http_server.py endpoint, causing the first 4 bytes of any payload to be misread as a mask key and the remainder to be incorrectly XOR-decoded. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; an upstream fix exists as a GitHub commit and open pull request but a formally released patched version has not been independently confirmed.

Information Disclosure
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-6892 MEDIUM This Month

Symlink-following vulnerability in the Canon PIXMA/PIXUS CUPS Printer Driver installer for macOS allows a local authenticated attacker to manipulate directory permissions beyond their authorization. By placing a specially crafted symbolic link in a path the installer traverses, the attacker can redirect installer-time permission changes to arbitrary directories during a privileged installation run. Affected versions are 16.91.0.0 and earlier across Japan (iX6800 Series), the US, and Europe (MG2500 and iX6800 Series); no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Apple Information Disclosure
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-6891 MEDIUM This Month

Symlink following in the Canon My Image Garden macOS installer (version 3.6.8 and earlier) enables a locally authenticated attacker to manipulate file permissions outside their authorization scope. During installation - which typically runs with elevated privileges - an attacker who pre-places a crafted symbolic link at a path the installer accesses can redirect file operations to arbitrary targets, achieving unauthorized integrity impact on the host system. No public exploit code and no CISA KEV listing exist at time of analysis; however, the Canon PSIRT has published formal advisories confirming the issue.

Apple Information Disclosure
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-10070 MEDIUM This Month

Improper authorization (CWE-285) in macrozheng mall up to version 1.0.3 allows a network-reachable, high-privileged authenticated attacker to perform unauthorized operations via the /admin/update/ Super Admin Password Handler endpoint. The intelligence tags this as an authentication bypass, suggesting a higher-privileged admin role boundary can be crossed - potentially allowing one admin to manipulate super admin credentials beyond their authorized scope. No public exploit identified at time of analysis; however, vendor behavior (deleting the GitHub disclosure issue without explanation and ignoring email contact) creates significant uncertainty around patch availability and actual vulnerability scope.

Authentication Bypass Mall
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-45551 MEDIUM PATCH This Month

Stored XSS privilege escalation in Group-Office (enterprise CRM/groupware by Intermesh) allows any low-privileged authenticated user to execute arbitrary JavaScript in an administrator's browser by chaining two distinct flaws. The attack exploits a missing ownership check on the legacy settings API (index.php?r=core/saveSetting) - permitting writes to any user's settings regardless of identity - combined with an unsafe JavaScript sink in the email module that injects the email_font_size setting directly into rendered script without sanitization. No confirmed active exploitation exists (not in CISA KEV), but SSVC confirms a proof-of-concept exists, making this a credible privilege-escalation path for any attacker with a low-privileged account.

XSS Microsoft PHP
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-10039 MEDIUM This Month

SQL Injection in the Frontend Admin by DynamiApps WordPress plugin (all versions through 3.28.28) allows authenticated administrators to extract arbitrary data from the WordPress database via the 'order' parameter in the payments list view. The vulnerability stems from unsanitized concatenation of user-supplied input into a raw SQL query, reachable only when a valid 'orderby' parameter is also present in the same request. No public exploit has been identified at time of analysis, and the high privilege requirement (administrator-level) substantially limits the realistic attacker pool, keeping this a medium-severity, low-urgency finding despite the AV:N classification.

SQLi WordPress
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-6324 MEDIUM PATCH This Month

HTTP request smuggling in libsoup allows remote unauthenticated attackers to exploit an unsigned-to-signed integer conversion error in the `soup_body_input_stream_read_chunked()` function via a crafted HTTP request. The vulnerability is confined to specific proxy topologies where libsoup operates either behind or in front of a non-libsoup HTTP intermediary, and successful exploitation can result in authentication bypass, web cache poisoning, or unauthorized access. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the integrity and confidentiality impacts warrant urgent attention in any affected mixed-proxy deployment.

Request Smuggling Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-10058 MEDIUM This Month

Stored Cross-Site Scripting in ITP Technology's ITS Intelligent SCADA System enables authenticated, high-privileged remote attackers to inject persistent JavaScript payloads that execute in the browsers of other users upon page load. The changed scope (S:C in CVSS) indicates the injected script breaks out of the attacker's session context and affects victim users browsing the same application, potentially enabling session hijacking, credential theft, or lateral movement within the SCADA management interface. No public exploit code has been identified at time of analysis, and no confirmed active exploitation is on record.

XSS Its Intelligent Scada System
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-10057 MEDIUM This Month

Stored Cross-Site Scripting in ITP Technology's ITS Intelligent SCADA System enables privileged remote attackers to inject persistent JavaScript payloads into the application that execute automatically in other users' browsers upon page load. Affected are all versions per CPE data (cpe:2.3:a:itp_technology:its_intelligent_scada_system:*:*:*:*:*:*:*:*), meaning the entire product line carries this exposure. This vulnerability is not confirmed actively exploited (CISA KEV), no public exploit code has been identified, and EPSS data was not provided in available intelligence.

XSS Its Intelligent Scada System
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-33384 MEDIUM This Month

Session fixation in QuickCMS (OpenSolution) allows an attacker to pre-set a victim's session identifier before the victim authenticates, and because the application fails to regenerate the session ID upon login, the attacker can subsequently hijack the fully authenticated session. All QuickCMS 6.8 deployments lacking the patch published on 2026-05-15 are vulnerable. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack requires no attacker privileges and only passive user interaction, making targeted abuse realistic wherever attacker session pre-positioning is feasible.

Information Disclosure Session Fixation
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-49382 MEDIUM PATCH This Month

Template injection (SSTI) in JetBrains IntelliJ IDEA's Copyright plugin before version 2026.1 enables local code execution when a victim interacts with a maliciously crafted copyright template. The flaw, rooted in CWE-1336 (improper neutralization of template engine special elements), requires both local access and user interaction, and carries a CVSS score of 4.5 (Medium) reflecting these significant constraints. No public exploit or CISA KEV listing has been identified at time of analysis.

Ssti RCE
NVD VulDB
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-44640 MEDIUM PATCH This Month

Type confusion in NanoMQ MQTT Broker's QUIC dialer close path allows a local attacker with high complexity to cause the broker process to hang or crash. Versions prior to 0.24.14 store a pointer as `nni_quic_conn*` during dialing but later misread that same memory location as `ex_quic_conn*` during dialer close, producing invalid object interpretation across mismatched struct layouts. No public exploit code or active exploitation has been identified at time of analysis; the vendor-released fix is available in version 0.24.14.

Memory Corruption Denial Of Service Nanomq
NVD GitHub VulDB
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-47190 MEDIUM PATCH GHSA This Month

Excessive RBAC permissions in the Metal3 ip-address-manager (IPAM) controller's ClusterRole expose Kubernetes Secrets to post-compromise abuse. The metal3-ipam-controller-manager-role granted full CRUD on core/v1 Secrets - yet PR diff evidence confirms the controller never accesses Secrets in normal operation, making these permissions entirely unnecessary. If the controller pod is compromised via a supply chain attack or container escape, an attacker inheriting the controller's service account token can read, modify, or delete any Secret in the namespace, turning a narrow container compromise into cluster-wide credential exfiltration. No public exploit exists and no CISA KEV listing, but the confidentiality impact is rated High (C:H) by NVD.

Privilege Escalation Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-47234 MEDIUM PATCH GHSA This Month

Plaintext credential exposure in Admidio v5.0.9 and earlier causes session IDs and persistent auto-login cookie values to be written to application logs whenever debug logging is enabled. Both the ADMIDIO_*_SESSION_ID and the long-lived ADMIDIO_*_AUTO_LOGIN_ID tokens are recorded verbatim by Session::setCookie() and Session::start(), effectively turning the log sink into a recoverable credential store. Any actor with read access to log files, log backups, or external log aggregation pipelines can extract and replay these tokens to hijack active sessions or gain persistent account access. Publicly available exploit code exists as documented in GitHub advisory GHSA-mch8-wf3h-6x88; this CVE is not currently listed in CISA KEV.

Information Disclosure PHP CSRF Python
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-7430 MEDIUM This Month

Stored Cross-Site Scripting in the Post Snippets WordPress plugin (≤4.0.19) allows authenticated administrators on multisite installations to inject persistent JavaScript into the post editor via a crafted import file, exploiting a commented-out quote-escaping routine in WPEditor.php. The injected payload executes silently in the browser of any administrator who subsequently opens any post editor page, enabling session hijacking or further lateral movement within the multisite network. No public exploit identified at time of analysis; real-world impact is bounded by the Administrator-level access prerequisite and the explicit exclusion of single-site WordPress installations.

XSS PHP WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-48810 MEDIUM PATCH This Month

Improper authorization in FreeScout's ThreadPolicy::edit method (prior to 1.8.221) allows an authenticated user with PERM_EDIT_CONVERSATIONS to rewrite thread bodies in a mailbox they have been removed from. The policy validates authorship and a global permission flag but omits a current mailbox membership check, meaning revocation of mailbox access does not prevent thread editing by former members. No public exploit has been identified and this is not in CISA KEV; the flaw was discovered as a sibling issue during review of a previously reported ThreadPolicy::delete authorization gap.

Authentication Bypass Freescout
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 5 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy