Skip to main content
CVE-2026-9308 MEDIUM This Month

Reader View in Firefox for iOS executes arbitrary JavaScript due to an incorrect template substitution order, enabling cross-site scripting via JSON-LD data injection. The flaw affects all Firefox for iOS versions prior to 151.2 running on Apple iOS devices; unauthenticated remote attackers can exploit this by luring users to a malicious page and having them activate Reader View, after which attacker-controlled placeholder strings embedded in the page's structured data are processed as executable script. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and no-auth-required access vector (per CVSS PR:N) make it feasible for opportunistic campaigns targeting iOS Firefox users.

XSS Mozilla Apple
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24754 MEDIUM This Month

Stored cross-site scripting in Kiteworks Secure Data Forms allows authenticated low-privileged attackers to inject persistent malicious JavaScript that executes in other users' browser sessions. All Kiteworks releases prior to version 9.3.0 are affected, and the changed-scope CVSS modifier (S:C) confirms that injected scripts execute beyond the attacker's own session boundary, enabling session hijacking, credential theft, or unauthorized actions on behalf of victim users. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

XSS Security Advisories
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24755 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any authenticated user against resources owned by other users. All Kiteworks deployments running versions prior to 9.3.0 are affected, with the flaw rooted in missing ownership verification on resource authorization checks within the Secure Data Forms module. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the low attack complexity and network accessibility make it a credible insider or credential-compromise risk in multi-tenant environments where data isolation is a compliance requirement.

Authentication Bypass Secure Data Forms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-10291 MEDIUM PATCH This Month

Regular expression denial of service in Enderfga claw-orchestrator 3.7.0 and earlier allows authenticated remote attackers to degrade service availability by submitting crafted patterns to the Session Grep Endpoint. The validateRegex function in claw-orchestrator/src/embedded-server.ts passes user-supplied body.pattern directly to the V8 JavaScript regex engine, which uses backtracking and can be forced into exponential-time evaluation via patterns like (a+)+$. No public exploit is identified at time of analysis, and the CVSS score of 4.3 (A:L) reflects limited - but real - availability impact via Node.js event loop exhaustion.

Denial Of Service Claw Orchestrator
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-49140 MEDIUM PATCH This Month

Nanobot's Matrix channel media download handler exhausts process memory and bandwidth when authenticated room members submit media events carrying missing or invalid declared size metadata. All versions of Nanobot prior to 0.2.1 are affected (CPE: cpe:2.3:a:hkuds:nanobot:*:*:*:*:*:*:*:*). An authenticated Matrix room member can send multiple concurrent malformed media events, causing the handler to fully materialize response bodies before performing post-download size validation, consuming process resources until service availability degrades. No public exploit code or CISA KEV listing exists at time of analysis; a vendor-released patch is available in v0.2.1.

Denial Of Service Nanobot
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-49138 MEDIUM PATCH This Month

Server-side request forgery in Nanobot's web_fetch tool prior to v0.2.1 allows authenticated remote attackers to probe and reach internal or private network hosts by exploiting the httpx library's automatic HTTP redirect-following behavior. The attack bypasses initial URL validation by supplying a legitimate-looking external URL that responds with a 3xx redirect to a loopback or RFC-1918 address - the outbound request to the internal host is dispatched before any post-redirect validation is applied. No public exploit code exists and no CISA KEV listing is present, but the Changed Scope (S:C) in the CVSS vector indicates that successful exploitation can affect network components beyond Nanobot itself, such as internal APIs or metadata services.

SSRF Nanobot
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-8474 MEDIUM This Month

Reflected cross-site scripting in the Stormshield Network Security (SNS) appliance login API allows network-accessible attackers to inject and execute arbitrary scripts in a victim's browser session. Affected versions span three distinct release branches: 4.3.0-4.3.41, 4.8.0-4.8.15, and 5.0.0-5.0.5. Successful exploitation can result in session cookie theft, sensitive data exfiltration, or redirection to attacker-controlled sites. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45543 MEDIUM PATCH This Month

Broken share revocation in Nextcloud Forms versions 4.3.0 through 5.2.7 leaves former collaborators with persistent read access to uploaded respondent files after removal. The vulnerability stems from a two-layer share architecture where removing a collaborator deleted the Forms-layer share record but silently preserved the underlying Nextcloud Files-layer share on the uploaded files folder - meaning removed users retained filesystem-level access to sensitive form submission files. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but the low-complexity network vector (CVSS AV:N/AC:L/PR:N/UI:N) means a removed collaborator can exploit this passively without any additional action.

Information Disclosure Path Traversal Nextcloud
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-49328 MEDIUM PATCH This Month

Server-Side Request Forgery in Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows unauthenticated remote attackers to trigger outbound HTTP requests from the server to internal or restricted network resources by supplying a crafted image URL to the UrlImageConverter component. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, making this trivially reachable against any exposed instance. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Apache SSRF
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-10285 MEDIUM This Month

Improper authorization in DevaslanPHP project-management (all versions through 2.0.0-beta1) allows any low-privileged authenticated attacker to remotely invoke the KanbanScrumHelper::recordUpdated function in the Ticket Handler component without adequate permission checks, resulting in unauthorized modification of ticket and kanban board records (integrity impact) and limited disruption of availability. The vendor was notified via GitHub issue #141 but had not responded at time of disclosure, meaning no patch is available. No public exploit code has been identified and the CVE does not appear in CISA KEV.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-10284 MEDIUM This Month

Improper authorization in DevaslanPHP project-management up to 2.0.0-beta1 allows authenticated remote attackers to edit or delete ticket comments they do not own by exploiting missing ownership validation in the Livewire Handler component. The CVSS vector (PR:L, AV:N, AC:L) confirms the attack is network-accessible and requires only a low-privilege account with no user interaction. No vendor patch exists - the maintainer has not responded to the responsible disclosure submitted via GitHub issue - and no public exploit or CISA KEV listing has been identified at time of analysis.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-10283 MEDIUM PATCH This Month

Missing admin-only middleware on DaybydayCRM's SettingsController (`updateOverall` and `updateFirstStep` methods) allows any authenticated low-privilege user to modify critical company-wide configurations - including currency, VAT rates, invoice numbering, and business hours - in versions up to 2.2.1. The PR diff confirms the vulnerability is part of a systemic authorization failure across multiple controllers: authenticated users could also delete any resource (clients, tasks, leads, projects) and exploit mass assignment flaws in status update endpoints. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though an upstream patch PR has been submitted.

Authentication Bypass Daybydaycrm
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-10282 MEDIUM PATCH This Month

Insecure Direct Object Reference in Bottelet DaybydayCRM up to version 2.2.1 allows any authenticated user to view or download arbitrary documents belonging to other users by enumerating the external_id URL parameter in DocumentsController. The missing authorization check in both the view() and download() methods means a low-privilege employee or contractor can exfiltrate documents linked to any Task, Project, Lead, or Client within the CRM. No public exploit identified at time of analysis and no CISA KEV listing, but the attack is trivially executable by any authenticated user given low complexity (AC:L, AT:N) and no user interaction required (UI:N).

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-10269 MEDIUM PATCH This Month

Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JWT authentication by manipulating the HTTP Host header, gaining unauthorized access to protected dashboard and API endpoints. The vulnerable isLocalRequest() function in dashboardGuard.js blindly trusted the client-supplied Host header to determine whether a request originated from localhost, enabling any network-reachable attacker to spoof local origin by sending Host: localhost. No public exploit code or CISA KEV listing exists at time of analysis; vendor-released patch v0.4.1 is available and confirmed.

Authentication Bypass 9Router
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-40545 MEDIUM This Month

Reflected XSS in SOPlanning 1.55 and below allows unauthenticated attackers to execute arbitrary JavaScript in the browsers of authenticated SOPlanning users by delivering a crafted malicious URL containing a payload in the `taches` parameter. The vulnerability stems from insufficient output sanitization of user-supplied input before it is reflected in the HTTP response. No public exploit code or CISA KEV listing exists at time of analysis; this was reported by CERT Poland (CERT.PL) and carries a CVSS 4.0 score of 5.1 (Medium).

XSS
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-40544 MEDIUM This Month

Stored XSS in SOPlanning 1.55 and earlier allows an authenticated low-privileged attacker to persist malicious JavaScript inside the application by uploading a crafted backup archive through the /process/upload_backup endpoint. The payload, embedded in a user.csv file within a ZIP, executes in a victim's browser when they click the Edit button on the affected backup entry - enabling session hijacking or UI manipulation against any user who interacts with the backup management interface. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.1 correctly reflects the constrained impact ceiling imposed by required authentication and passive user interaction.

XSS
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48559 MEDIUM This Month

Stored cross-site scripting in Lightweight Music Server (LMS) through version 3.76.0 allows low-privileged authenticated attackers to plant persistent JavaScript payloads via crafted media file metadata fields (GENRE, ARTIST, ALBUM) that execute automatically in any victim's browser upon browsing the web interface. The root cause is unsanitized rendering of library metadata using Wt::TextFormat::UnsafeXHTML in src/lms/ui/Utils.cpp, meaning payloads survive library scanning and are stored permanently. No public exploit code or CISA KEV listing has been identified at time of analysis; VulnCheck and ZeroScience (ZSL-2026-5987) have published coordinated advisories disclosing the vulnerability.

XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-40549 MEDIUM This Month

Cross-Site Request Forgery in SOPlanning 1.55 and below allows unauthenticated remote attackers to perform unauthorized group management operations - create, modify, or delete groups - by tricking an authenticated user into visiting a malicious webpage. The vulnerability affects the groupe_save endpoints, which accept forged GET or POST requests without validating request origin. No public exploit has been identified at time of analysis, and no KEV listing exists, but the low attack complexity and lack of privilege requirements for the attacker make social engineering viable against any authenticated user session.

CSRF
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-10533 MEDIUM This Month

OpenShift Container Platform exposes a resource exhaustion path where low-privileged authenticated users with pod creation rights can trigger cluster-wide API server degradation by exploiting two quota enforcement gaps: completed pods with restartPolicy:Never are excluded from ResourceQuota pod limits, and Kubernetes events are not quota-scoped. By repeatedly creating such short-lived pods, an attacker causes Kubernetes events to accumulate unboundedly in etcd, degrading API server performance across the entire cluster - a scope change (CVSS S:C) that extends impact well beyond the attacker's own namespace. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Kubernetes
NVD VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-45284 MEDIUM PATCH This Month

Authentication bypass in Nextcloud's user_oidc app (versions 1.3.6 through 8.3.x) allows users deleted from LDAP to continue authenticating via OpenID Connect. The root cause is a boolean logic inversion in LdapService.php - the condition `isLDAPEnabled()` was used instead of `!isLDAPEnabled()`, causing the LDAP deletion check to execute only when LDAP was inactive, effectively skipping it in every real-world deployment. No public exploit code has been identified at time of analysis; the issue was responsibly disclosed via HackerOne report #3554696.

Authentication Bypass Nextcloud
NVD GitHub VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-45153 MEDIUM PATCH This Month

PIN authentication bypass in the Nextcloud Files Android app (versions 33.0.0 through 33.0.x) allows a physically present attacker to circumvent the app's passcode lock screen by pressing the Android back button immediately after the host device is unlocked. The PassCodeActivity failed to intercept back-navigation events during PIN verification, granting direct file access without completing authentication. No public exploit identified at time of analysis and no CISA KEV listing; risk is tightly constrained by the physical access vector. Patched in version 33.1.0 via upstream PR #16896.

Google Authentication Bypass Nextcloud
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-45279 MEDIUM PATCH This Month

Path traversal in Nextcloud Server 31.x and 32.x allows authenticated non-admin users to copy arbitrary server-side files into their own Nextcloud storage directory when an administrator has configured the `{lang}` placeholder in the template directory config value. The root cause is insufficient sanitization of the `forceLanguage` HTTP request parameter and the `ACCEPT_LANGUAGE` header in `lib/private/L10N/Factory.php`, which were used unsanitized in filesystem path construction. No public exploit identified at time of analysis, though a HackerOne report (3468140) exists; CVSS scores this as Medium (4.4) due to high complexity and privilege preconditions, and impact is limited to confidentiality with no code execution possible.

Path Traversal Nextcloud
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-45729 MEDIUM PATCH This Month

Null pointer dereference in ThorVG's SVG loader crashes any process that passes untrusted SVG content through Picture::load(), enabling remote denial-of-service with a trivial 6-byte payload. All ThorVG releases prior to 1.0.5 are affected (CPE: cpe:2.3:a:thorvg:thorvg:*:*:*:*:*:*:*:*). No public exploit identified at time of analysis and no CISA KEV listing, but the fix-confirming PR diff (PR #4387) exposes the exact null-check omissions, substantially lowering the bar for independent exploit development.

Null Pointer Dereference Denial Of Service Thorvg
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45286 MEDIUM PATCH This Month

User enumeration via Nextcloud Calendar's attendee suggestion endpoint affects authenticated users on versions 5.5.13-5.5.16 and 6.2.0-6.2.2. The `searchAttendee` controller method in `ContactController.php` called the contacts manager search API without passing the instance's configured sharing restriction parameters - meaning enumeration-limiting settings (`shareapi_allow_share_dialog_user_enumeration`, `shareapi_only_share_with_group_members`, group-scoped restrictions) enforced on all other sharing endpoints were silently bypassed here. An authenticated low-privilege attacker can probe the endpoint with partial name or email strings to reconstruct the full user directory, disclosing usernames and email addresses that administrators had intentionally restricted. No public exploit identified at time of analysis and no confirmed active exploitation (CISA KEV not listed).

Information Disclosure Nextcloud
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28511 MEDIUM This Month

Information disclosure in eLabFTW prior to version 5.4.2 allows authenticated users to enumerate resource titles outside their authorization scope via numeric reference/search queries. Affected deployments in regulated environments - such as clinical labs or research institutions embedding patient identifiers, project names, or regulated data in resource titles - face elevated sensitivity risk despite the limited scope of exposure. Content-level access controls remain intact; only titles leak. No public exploit identified at time of analysis, and CVSS rates this Medium (4.3), consistent with authenticated, low-impact disclosure.

Information Disclosure Elabftw
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24756 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated low-privileged user to modify form resources owned by other users by substituting controlled resource identifiers in API requests, bypassing ownership authorization checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the vulnerability is remotely exploitable with no complexity barrier beyond holding a valid account. No public exploit code and no CISA KEV listing identified at time of analysis; real-world risk is concentrated in multi-tenant Kiteworks deployments where data isolation between users is a security expectation.

Authentication Bypass Secure Data Forms
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45544 MEDIUM PATCH This Month

Nextcloud Tables versions 0.8.0 through 1.0.3 improperly disclose view filter criteria to authenticated users holding only read-only permissions on a shared view. The flaw in ViewService.php attempted to sanitize filter arrays for low-privileged users but instead exposed the full filter rules - potentially revealing sensitive column names, threshold values, or data organization logic the view owner intended to keep confidential. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA KEV, indicating no confirmed active exploitation.

Information Disclosure Nextcloud
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-46605 MEDIUM PATCH This Month

Incomplete authorization in Apache ActiveMQ Broker allows authenticated low-privilege users to remove messaging destinations (queues and topics) beyond their granted permissions, causing targeted availability disruption to broker-connected producers and consumers. Affected versions span the 5.x line before 5.19.7 and the 6.x line from 6.0.0 before 6.2.6, covering ActiveMQ Broker and ActiveMQ All distributions. With an EPSS of 0.01% (3rd percentile), no CISA KEV listing, and no public exploit code identified, this is a low-urgency but genuine authorization control gap that is most relevant to environments with multiple untrusted authenticated broker accounts.

Apache Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45264 MEDIUM PATCH This Month

Rename permission bypass in Nextcloud's team folder (groupfolders) feature allows authenticated low-privileged users holding READ and CREATE permissions to rename files in team folders even when UPDATE permission is explicitly denied. Affecting Nextcloud versions 17.0.0 through 21.0.3, the flaw originates from a single-character bitwise operator error in ACLStorageWrapper.php - a `&` used instead of `|` when evaluating combined permission flags effectively nullifies the UPDATE permission check. No public exploit identified at time of analysis; vendor-released patches are available across all affected version branches.

Authentication Bypass Nextcloud
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-34193 MEDIUM PATCH This Month

Arbitrary firmware memory writes in Imagination Technologies Graphics DDK affect multiple DDK versions across Guest/Host VM deployments. A logic error in GPU driver address translation permits kernel-level software within a VM to issue malformed commands to GPU firmware, causing writes to memory regions outside the intended GPU memory boundary. The Chrome OS stable channel advisory reference confirms real-world platform-level impact, and a vendor patch is available. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Memory Corruption Information Disclosure Graphics Ddk
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8643 MEDIUM PATCH This Month

Path traversal during wheel installation in pip allows a malicious package's console_scripts or gui_scripts entry point names to be written outside the intended scripts directory. All pip versions are listed as affected (CPE covers wildcard versions), and exploitation requires a victim to run pip install on a specially crafted package - making this a supply chain attack vector. No public exploit code is identified at time of analysis, no KEV listing exists, and a vendor fix is available upstream via PR #14000, though no specific patched release version is independently confirmed from available intelligence.

Path Traversal Pip
NVD GitHub VulDB
CVSS 4.0
4.1
EPSS
0.0%
CVE-2026-28581 MEDIUM This Month

Unauthorized emergency call placement is possible on Google Android 14, 15, 16, and 16-QPR2 due to a logic error in the fixInitiatingUserIfNecessary method of CallIntentProcessor.java. An unauthenticated local actor - requiring no privileges on the device - can exploit this flaw to initiate an emergency call outside of intended user controls. No public exploit has been identified at time of analysis, and SSVC assessment indicates no current exploitation activity.

Null Pointer Dereference Denial Of Service
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-47425 MEDIUM PATCH GHSA This Month

Arbitrary file write via path traversal in rattler's noarch:python entry-point installer allows a malicious conda package to write executable files outside the install prefix on both Unix and Windows. Any user of rattler < 0.43.2, pixi < 0.69.0, or rattler-build < 0.65.0 who installs a crafted noarch:python package is affected - no special configuration or flag opt-in is required. The attacker-controlled file is written with mode 0o775 on Unix or as a copied launcher .exe on Windows, enabling code execution when the entry-point is subsequently invoked. No public exploit code is identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Microsoft Path Traversal Python
NVD GitHub
EPSS
0.1%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy