Skip to main content
CVE-2026-8035 MEDIUM This Month

Local denial of service in NI's NI-PAL kernel driver (versions 26.3.0 and prior on Windows and Linux) allows an authenticated local user to crash the host system by sending malformed input that triggers a NULL pointer dereference in kernel space. No public exploit identified at time of analysis, but the kernel-level impact means a successful trigger takes down the entire host, not just the driver process. The issue is vendor-disclosed by NI with an advisory published on ni.com.

Microsoft Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-41577 MEDIUM PATCH This Month

SAML assertion validation in authentik's ResponseProcessor.parse() completely omits verification of the Conditions element, allowing unauthenticated remote attackers (PR:N per CVSS 4.0 vector) to replay expired SAML assertions or submit assertions originally issued for a different service provider. All authentik deployments prior to versions 2025.12.5 and 2026.2.3 that use SAML sources are affected. This is not listed in CISA KEV and no public exploit has been identified at time of analysis, but the low-complexity, network-accessible attack path against a core authentication primitive makes this a meaningful integrity risk in any SAML-federated deployment.

Denial Of Service Authentik
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-40314 MEDIUM This Month

Missing authorization controls in NamelessMC 2.2.4 expose private profile post reaction data to unauthenticated visitors and allow low-privileged authenticated users to interact with posts from profiles they are blocked by or that are set to private. Two distinct code paths are vulnerable: the reaction query endpoint in `modules/Core/queries/reactions.php` accepts unauthenticated GET requests without enforcing privacy settings, while `core/classes/Misc/ProfilePostReactionContext.php` only validates post existence rather than caller access rights. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog, but the unauthenticated read path requires no prerequisites against internet-facing installations.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45080 MEDIUM PATCH This Month

Improper access control in Klaw, the Aiven-Open self-service Apache Kafka governance portal, exposes user password hashes to unauthenticated remote attackers in all versions prior to 2.10.4. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network without any authentication or user interaction, making it trivially reachable in internet-exposed deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the unauthenticated network vector lowers the bar significantly for opportunistic attackers seeking credential material.

Information Disclosure Apache Klaw
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-47265 MEDIUM PATCH GHSA This Month

Cross-origin cookie leakage in aiohttp prior to 3.14.0 allows sensitive per-request cookies to be forwarded to attacker-controlled domains when a redirect is followed. When application code passes cookies via the `cookies` parameter of an aiohttp request, those cookies are not dropped upon following a cross-origin redirect - violating the origin isolation guarantee users expect. An attacker who can influence redirect responses (e.g., via a compromised or malicious upstream server) can harvest cookie values intended only for the original origin. No public exploit identified at time of analysis; EPSS data not provided in source intelligence.

Information Disclosure Python
NVD GitHub VulDB
CVSS 4.0
6.6
EPSS
0.0%
CVE-2026-35049 MEDIUM PATCH This Month

Persistent denial-of-service in wire-ios prior to version 4.16.0 allows any authenticated Wire user to permanently crash the victim's iOS client by sending a single crafted Proteus external message with an encrypted payload shorter than 16 bytes. The crash triggers automatically upon message receipt with no user interaction required, and because the malicious message persists in local storage, the app enters an unrecoverable crash loop on every subsequent relaunch - effectively locking the victim out of the application entirely until local state is wiped. No public exploit code is identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Apple Denial Of Service
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-8993 MEDIUM PATCH This Month

D.Launcher 2, a component of the Slovak eID client ecosystem by Ditec a.s., exposes Windows users to NTLM credential theft and SSRF attacks via improperly handled custom URL protocol registrations. An unauthenticated remote attacker who convinces a victim to open a specially crafted URL can trigger outbound NTLM authentication or SMB connections to attacker-controlled infrastructure, leaking Net-NTLMv2 hashes suitable for offline cracking or relay attacks. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

SSRF D Launcher 2
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44653 MEDIUM This Month

LibreChat's MCP server configuration API leaks decrypted admin-managed credentials - including plaintext API keys and OAuth client secrets - to any authenticated user holding only VIEW-level access to a shared MCP server. All deployments running versions up to and including 0.8.3 are affected, with the flaw accessible via standard GET requests to `/api/mcp/servers` and `/api/mcp/servers/:serverName`. No public exploit or active exploitation has been identified at time of analysis, but the low-complexity, low-privilege network vector makes credential exfiltration straightforward in any multi-user LibreChat environment.

Information Disclosure Librechat
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3198 MEDIUM PATCH This Month

Missing authorization enforcement in MLflow 3.9.0 allows any low-privileged authenticated user to enumerate all gateway secrets, endpoints, and model definitions via three unprotected Gateway API list endpoints. The root cause is an omission in the `BEFORE_REQUEST_HANDLERS` dictionary within `mlflow/server/auth/__init__.py`, which gates authorization for request handlers - three Gateway API list operations (`ListGatewaySecretInfos`, `ListGatewayEndpoints`, `ListGatewayModelDefinitions`) are absent from this registry, bypassing access control entirely when basic-auth is active. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the low attack complexity and high confidentiality impact warrant prompt remediation in any deployment with multi-tenant or least-privilege access expectations.

Authentication Bypass Mlflow Mlflow Red Hat
NVD
CVSS 3.0
6.5
EPSS
0.0%
CVE-2026-46718 MEDIUM PATCH This Month

Unsafe reflection in Apache Calcite 1.5.0 through 1.41 allows unauthenticated remote attackers to supply externally-controlled input that influences class or code selection at runtime, resulting in partial confidentiality and integrity impact (CVSS C:L/I:L). The vulnerability stems from CWE-470, where user-supplied input is used unsanitized to drive Java reflection operations. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (7th percentile) indicates low community-assessed exploitation probability at time of analysis.

Information Disclosure Apache Red Hat
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-35718 MEDIUM This Month

Path traversal in VIVOTEK FD8136-VVTK firmware 0300a exposes the full device filesystem to authenticated low-privilege attackers via the /admin/downloadMedias.cgi endpoint. An attacker holding any valid credential can craft a request with directory traversal sequences to read arbitrary files - including configuration data, credentials, or private keys stored on the device. No confirmed active exploitation (not in CISA KEV), but a vulnerability research repository on GitHub exists for this CVE, and EPSS is very low at 0.02%, suggesting limited widespread attacker awareness at time of analysis.

Path Traversal N A
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3871 MEDIUM This Month

Buffer overflow in the UPnP DeletePortMapping() command of Zyxel VMG4005-B50B DSL/Ethernet CPE firmware (through 5.13(ABRL.5.4)C0) enables an unauthenticated adjacent-network attacker to crash the device's UPnP service. The impact is a temporary, recoverable denial-of-service confined to the UPnP function - availability is fully affected (A:H) while confidentiality and integrity remain unimpacted (C:N/I:N). No public exploit code or CISA KEV listing exists at time of analysis; the vulnerability was disclosed by Zyxel itself on 2026-06-02.

Zyxel Buffer Overflow
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3870 MEDIUM This Month

Buffer overflow in the UPnP AddPortMapping() command handler on Zyxel VMG4005-B50B DSL/Ethernet CPE devices allows adjacent unauthenticated attackers to crash the UPnP service, causing a temporary denial-of-service condition. Affected firmware versions run through 5.13(ABRL.5.4)C0, and the vulnerability was self-disclosed by Zyxel in a June 2026 advisory covering multiple CPE product lines. No public exploit code exists and this vulnerability has not been confirmed as actively exploited (not in CISA KEV).

Zyxel Buffer Overflow
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27145 MEDIUM PATCH This Month

Quadratic-complexity denial-of-service in Go's crypto/x509 package allows a network-positioned attacker presenting a certificate with a large DNS Subject Alternative Name list to exhaust CPU on the verifying party. The root cause is that VerifyHostname called strings.Split(host, ".") inside a loop over every DNS SAN entry rather than computing it once, scaling work as O(SANs × hostname_labels). Critically, x509.Verify performs hostname validation before chain building, meaning even untrusted, self-signed certificates trigger the expensive computation - no valid CA-issued certificate is required. No public exploit is identified at time of analysis, and EPSS is 0.00%, consistent with a newly-disclosed algorithmic complexity issue without weaponized tooling.

Information Disclosure Crypto X509
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5074 MEDIUM This Month

SQL Injection in ARMember Premium WordPress membership plugin (versions up to and including 7.3.1) enables authenticated attackers with Subscriber-level access to extract sensitive database contents via the `get_private_content_data` AJAX action. The flaw resides in the `sSortDir_0` parameter, which is concatenated unsanitized into an ORDER BY clause - a notoriously difficult injection point to parameterize, requiring explicit allowlist validation that is absent here. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the low authentication bar (subscriber accounts) and network-accessible attack vector make it a meaningful risk where the addon is active.

SQLi WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-52766 MEDIUM This Month

Missing Authorization in the Printeers Print & Ship WordPress plugin (versions through 1.17.0) allows authenticated low-privileged users to perform actions that should be restricted to higher-privileged roles, resulting in high-integrity impact against affected WordPress sites. The flaw is classified under CWE-862 and reported by Patchstack as an incorrectly configured access control security level, meaning the plugin fails to enforce proper capability checks before executing sensitive operations. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in the moderate-priority tier for WordPress site operators running the affected plugin.

Authentication Bypass Printeers Print Ship
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8885 MEDIUM This Month

Stored Cross-Site Scripting in the DeMomentSomTres Shortcodes WordPress plugin (all versions through 1.1.1) allows authenticated attackers with contributor-level access to persistently inject arbitrary JavaScript into page content via the 'callout' shortcode's 'width' and 'align' attributes. The injected payload executes in the browsers of any subsequent visitor to the affected page, enabling session hijacking, credential theft, or malicious redirects scoped to the WordPress front-end. No public exploit has been identified at time of analysis, and the CVSS Scope:Changed rating reflects that the impact extends beyond the attacker's own session to affect other users.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4080 MEDIUM This Month

Stored Cross-Site Scripting in the Easy Cart WordPress plugin (all versions up to and including 1.8) permits authenticated Contributor-level users to inject persistent JavaScript payloads via the 'add_to_cart' shortcode. The vulnerability originates in the ectp_add_to_cart() function at plugin.php lines 280-287, where shortcode attributes such as 'product_name', 'product_desc', 'itemid', 'product_qty', and 'price' are processed with sanitize_text_field()-a function that strips HTML tags but does not escape double-quote characters-before being embedded in double-quoted HTML attributes. This allows attribute context breakout and arbitrary event handler injection that executes against any visitor loading the affected page. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2382 MEDIUM This Month

Stored Cross-Site Scripting in the FPW Category Thumbnails WordPress plugin (all versions ≤1.9.5) allows authenticated attackers with Subscriber-level access to plant persistent JavaScript payloads via the unsanitized 'id' parameter of the 'fpw_fs_get_file' AJAX action. The injected script executes in an administrator's browser upon visiting the plugin's settings page, creating a privilege-escalation pathway from low-privileged subscriber to effective site administrator. No public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the low attack complexity and Changed Scope signal meaningful risk in open-registration WordPress environments.

XSS WordPress
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4081 MEDIUM This Month

Stored Cross-Site Scripting in the ZeM STL WordPress plugin (all versions through 1.0) allows authenticated contributors to plant persistent malicious scripts in page content via unsanitized [zemstl] shortcode attributes. Wordfence confirmed that the 'url', 'color', and 'bgcolor' shortcode parameters are directly interpolated into HTML attribute context within zemstl.php without passing through WordPress's esc_attr() or any equivalent escaping function, as evidenced by references to the vulnerable source lines (L74, L103, L104, L107). Any site visitor who loads a page containing the injected shortcode will silently execute the attacker's script, enabling session hijacking, credential theft, or privilege escalation against higher-privileged users including administrators. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-3722 MEDIUM This Month

Stored Cross-Site Scripting in the Auto Image Attributes From Filename With Bulk Updater WordPress plugin (all versions through 4.9) allows authenticated attackers holding Author-level access or higher to persist arbitrary JavaScript payloads via unsanitized attachment metadata fields. The injected scripts execute in the browser of any user who subsequently accesses the affected page, with Changed scope (S:C) indicating the payload crosses the plugin's trust boundary into the broader WordPress session context. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-35717 MEDIUM This Month

Stack-based buffer overflow in VIVOTEK FD8136 network camera firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root by sending a crafted POST request to the export_language.cgi administrative endpoint. The CGI handler passes an attacker-controlled Content-Length HTTP header value directly to fread() with no bounds validation, overflowing a 0x60-byte stack buffer and overwriting the saved link register; the binary's lack of stack canaries eliminates the primary runtime defense against this class of attack. A researcher-published proof-of-concept exists on GitHub, though EPSS stands at 0.05% (17th percentile) and the vulnerability is not currently listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation at time of analysis.

Buffer Overflow RCE Stack Overflow Fd8136 Firmware
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-35716 MEDIUM This Month

Stack-based buffer overflow in VIVOTEK FD8136 firmware FD8136-VVTK-0300a grants authenticated remote attackers root-level code execution by supplying an oversized POST parameter to any of three symlinked CGI admin endpoints. The vulnerable `motion_privacy.cgi` binary copies the `n1` parameter into a fixed 164-byte (0xa4) stack buffer with no bounds check and no stack canary protection, overwriting the saved link register and diverting execution to attacker-controlled code. A public proof-of-concept is available on GitHub; no active exploitation has been confirmed in CISA KEV at time of analysis.

Buffer Overflow RCE Stack Overflow N A
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2021-4479 MEDIUM PATCH This Month

Dräger Atlan A350 software versions 1.00 through 1.01 contains an improper input handling vulnerability that allows attackers to cause a denial of service by sending specifically crafted. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required.

Denial Of Service Atlan A350
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2019-25723 MEDIUM This Month

Dräger Perseus A500 software versions 2.00 through 2.02 contains an improper input handling vulnerability that allows external attackers to cause a denial of service by sending specifically crafted. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service Perseus A500
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-49120 MEDIUM PATCH This Month

Server-side request forgery in Medplum versions prior to 5.1.14 lets authenticated users abuse the FHIR Subscription worker to make the server issue HTTP POST requests to arbitrary internal endpoints. Because the worker delivers full FHIR resource payloads to attacker-chosen URLs, attackers can target cloud instance metadata services (e.g., AWS IMDS), internal databases, and orchestrator APIs to steal IAM credentials and exfiltrate patient health records. No public exploit identified at time of analysis, but a vendor patch and a VulnCheck advisory are available.

SSRF Medplum
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-49943 MEDIUM This Month

Stack-based buffer overflow in CZ.NIC BIRD Internet Routing Daemon through 2.19.0 allows an established BGP peer to crash the daemon by sending a crafted AS_PATH exceeding 2048 expanded ASNs when RFC 8654 Extended Messages are enabled and an AS path mask filter is active. The as_path_match() function in nest/a-path.c uses a fixed 2049-entry stack array while parse_path() expands AS_PATH segments without enforcing a corresponding capacity limit, causing a write beyond the stack buffer boundary and a daemon crash. No public exploit identified at time of analysis; notably, the vendor has explicitly declined to prioritize a fix, instead citing operator best-practice filtering as the expected mitigation.

Buffer Overflow Stack Overflow Suse Red Hat
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-49753 MEDIUM POC PATCH GHSA This Month

HTTP response smuggling in the Elixir Mint HTTP client library (versions 0.1.0 through before 1.9.0) allows attacker-controlled upstream servers to desynchronize response framing on shared connections by exploiting a non-RFC-compliant Content-Length parser. Mint's parser accepts sign-prefixed integers such as '+0' or '+123' that RFC 7230 forbids, creating a disagreement with RFC-strict fronting proxies about where one HTTP response body ends and the next begins. When Mint reuses connections via keep-alive, pipelining, or pooling across trust boundaries, this parser mismatch can be weaponized to leak bytes from one requester's response into another's stream. No public exploit code has been identified at time of analysis, and no KEV listing exists; a vendor patch (v1.9.0) is available.

Information Disclosure Request Smuggling Mint
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-10510 MEDIUM This Month

Cross-site scripting in the GeniexWebView component of Transsion's AI Assistant Lifestyle Android application (com.transsion.aiassistantlifestyle) enables unauthenticated remote attackers to execute arbitrary JavaScript within the app's WebView context by delivering a crafted web_action_data URL parameter to a victim. The Changed scope (S:C) in the CVSS vector indicates impact crosses the originating component boundary - a meaningful risk in Android WebViews where JavaScript-to-native bridges may be exposed. No public exploit identified at time of analysis, and the EPSS score of 0.12% at the 31st percentile signals low current exploitation interest.

XSS Google
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30586 MEDIUM This Month

Cross-site scripting in usememos Memos v.0.26.0 allows remote unauthenticated attackers to inject malicious scripts that execute in victims' browsers by exploiting insufficient sanitization in the SANITIZE_SCHEMA configuration within the MemoContent rendering component. Publicly available exploit code exists (PoC gist by gabdevele). Both Public and Private Memo View pages are affected, enabling sensitive information disclosure and limited content manipulation across the changed scope boundary. EPSS stands at 0.05% (17th percentile), indicating low widespread exploitation probability despite the PoC's existence.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-10662 LOW POC PATCH Monitor

Server-side request forgery in blender-mcp's ZIP File Handler allows authenticated remote attackers to manipulate the zip_file_url parameter in import_generated_asset_hunyuan, causing the MCP server to issue arbitrary outbound HTTP requests on behalf of the attacker - including to internal network resources such as cloud metadata endpoints. All rolling-release commits up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b are affected, per CPE cpe:2.3:a:ahujasid:blender-mcp:*:*:*:*:*:*:*:*. A publicly available exploit exists via GitHub issue #203 (E:P confirmed in CVSS temporal vector), though no CISA KEV listing exists at time of analysis.

SSRF Blender Mcp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10624 LOW POC Monitor

Insecure Direct Object Reference (IDOR) in SourceCodester Human Resource Management 1.0 allows authenticated remote attackers to read other employees' records by manipulating the `employeeid` parameter in `/detailview.php`. The vulnerability results in unauthorized disclosure of employee data across account boundaries, with no integrity or availability impact. A publicly available proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at time of analysis.

Information Disclosure PHP
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10661 LOW POC PATCH Monitor

Server-Side Request Forgery and arbitrary file read in ahujasid/blender-mcp allows authenticated remote attackers to exfiltrate local filesystem content or pivot to internal network services via unsanitized manipulation of the input_image_url parameter in the generate_hunyuan3d_model function (src/blender_mcp/server.py). The parameter is passed without validation directly to both open() for local file reads and requests.get() for remote fetches, enabling path traversal and SSRF primitives simultaneously. A publicly available exploit exists (GitHub issue #202); no CISA KEV listing at time of analysis. The fix has been merged upstream (PR #205, commit 5b37be25).

Information Disclosure Blender Mcp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10616 LOW POC Monitor

Missing authorization in nextlevelbuilder GoClaw up to version 3.11.3 allows low-privileged remote attackers to trigger unauthorized team task completions via the TeamTasksTool.executeComplete function. The flaw, classified as CWE-862, permits any authenticated user to bypass permission checks in the Team Task Completion Handler, falsely marking tasks as complete regardless of their authorization level. A publicly available exploit exists (referenced in GitHub issue #1133), though no public exploit confirmed in active exploitation - the vulnerability is not listed in CISA KEV, and its CVSS 4.0 score of 2.1 reflects the limited integrity-only impact.

Authentication Bypass Goclaw
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-40713 MEDIUM PATCH This Month

Physical access to Dell ThinOS 10 endpoints running versions prior to ThinOS10 2602_10.0765 allows an unauthenticated attacker to bypass access controls, exposing sensitive information with high confidentiality and integrity impact. The flaw, rooted in CWE-284 (Improper Access Control), enables circumvention of authentication or authorization mechanisms at the device level without requiring prior credentials. No active exploitation has been confirmed (not in CISA KEV) and no public exploit has been identified; Dell has released a patched build addressing this issue.

Dell Information Disclosure Authentication Bypass
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33553 MEDIUM This Month

Cross-site scripting in Northern.tech CFEngine Enterprise Mission Portal (the web-based management UI) affects versions 3.24.3 and 3.27.0, patched in 3.24.4 and 3.27.1 respectively. An unauthenticated remote attacker can craft a malicious URL or inject content that, when rendered in a victim's browser within the Mission Portal, executes arbitrary JavaScript in the context of the victim's session. No public exploit identified at time of analysis, and EPSS places this in the 5th percentile, indicating low observed exploitation interest.

XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1451 MEDIUM This Month

Reflected Cross-Site Scripting in the rognone plugin for WordPress (versions up to and including 0.6.2) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted link containing a malicious 'a' parameter. The vulnerability originates in header.php at line 74, where user-supplied input is reflected into page output without sanitization or escaping. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided in source intelligence.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2425 MEDIUM This Month

Reflected Cross-Site Scripting in the hiWeb Migration Simple WordPress plugin (all versions up to and including 2.0.0.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'new_domain' parameter rendered in template/force-re-migrate-confirm.php. Exploitation requires tricking a logged-in WordPress administrator into clicking a crafted URL, at which point the injected script executes in the administrator's browser session under the site's origin - a Changed scope per CVSS - enabling potential account takeover or unauthorized admin-level actions. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in source intelligence.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1450 MEDIUM This Month

Reflected Cross-Site Scripting in the rognone WordPress plugin (versions ≤ 0.6.2) exposes visitors of affected sites to arbitrary JavaScript injection via the unsanitized 'mode' URL parameter in header.php. Unauthenticated remote attackers (PR:N per CVSS) can deliver a malicious link that, when clicked by a victim, executes attacker-controlled scripts in the victim's browser within the changed scope (S:C) of the WordPress application context. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack complexity (AC:L) and zero authentication requirement lower the bar for opportunistic abuse.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-10568 LOW POC Monitor

SQL injection in itsourcecode Fees Management System 1.0 exposes database contents and integrity to authenticated low-privilege remote attackers via the unsanitized `ID` parameter in `/manage_payment.php`. The CVSS vector (PR:L) confirms exploitation requires a valid user account, but no elevated privileges are needed beyond basic authentication. A publicly available proof-of-concept exploit exists (GitHub), raising the practical exploitation risk; no vendor-released patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10559 LOW POC Monitor

Local File Inclusion via null byte injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers with low-privilege accounts to read arbitrary files from the server by manipulating the `page` parameter in `/index.php`. Publicly available exploit code exists, published as a GitHub writeup demonstrating the null byte (%00) bypass technique. No CISA KEV listing at time of analysis, but the public POC lowers the bar for targeted exploitation against low-security PHP deployments.

Information Disclosure PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10558 LOW POC Monitor

File inclusion in SourceCodester Pizzafy Ecommerce System 1.0 exposes the admin panel to path traversal attacks via the `page` parameter in `/admin/index.php`, enabling an authenticated remote attacker to include arbitrary server-side files. Successful exploitation yields low-impact confidentiality, integrity, and availability compromise consistent with the CVSS C:L/I:L/A:L rating. A public exploit writeup (POC) exists on GitHub, significantly lowering the skill threshold for exploitation; however, no active exploitation has been confirmed via CISA KEV at time of analysis.

Information Disclosure PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10550 LOW POC Monitor

Command injection in elunez eladmin's Application Deployment Module (App.java) allows authenticated remote attackers with low privileges to execute arbitrary operating system commands by manipulating the `uploadPath` argument. All versions up to and including 2.7 are affected per the CPE record. A public proof-of-concept exploit exists (referenced via GitHub issue #899), though no public exploit identified at time of analysis as confirmed active exploitation (CISA KEV). The vendor has not responded to the coordinated disclosure, leaving no official patch available.

Java Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.7%
CVE-2026-10583 LOW POC Monitor

Server-side request forgery in nextlevelbuilder GoClaw through version 3.11.3 allows remote attackers with high-privilege credentials to manipulate the TTS Configuration Import function into issuing arbitrary server-side HTTP requests to unintended destinations. The vulnerable code path is the Import function within internal/http/tts_config.go, reachable over the network without user interaction once an administrative session is established. A publicly available proof-of-concept exploit exists (confirmed by CVSS temporal metric E:P and GitHub issue #1132); no active exploitation has been confirmed by CISA KEV, and the project has characterized the report as a bug rather than a security issue, which may signal a slower remediation response.

SSRF Goclaw
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-10567 LOW POC PATCH Monitor

Stored cross-site scripting in CordysCRM (1Panel-dev, versions up to 1.4.1) allows an authenticated remote attacker to inject malicious scripts via the unvalidated Description parameter in the ModuleFormController's Save function. The payload persists to the database and executes in any victim's browser upon viewing the affected module form, enabling session hijacking, credential theft, or UI-based phishing. A publicly available proof-of-concept exists (GitHub issue #2233); no public exploitation at scale has been confirmed, and an official vendor patch is available as of v1.7.0.

XSS Java
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-10548 LOW POC Monitor

Improper authentication in NousResearch hermes-agent through version 2026.4.23 allows a local low-privileged attacker to manipulate the Credential Pool Synchronization component, specifically the `_sync_anthropic_entry_from_credentials_file` function in `agent/credential_pool.py`, bypassing authentication controls over Anthropic API credentials. A proof-of-concept exploit is publicly available on GitHub and the vendor did not respond to coordinated disclosure, leaving no patch available at time of analysis. No public exploit identified at time of analysis for active KEV-confirmed campaigns, but publicly available exploit code exists and lowers the bar for any attacker already holding local system access.

Authentication Bypass Hermes Agent
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-48682 MEDIUM This Month

Out-of-bounds read in FastNetMon Community Edition through 1.2.9 allows unauthenticated remote attackers to disclose memory contents by sending crafted IPv4 packets with a manipulated IHL field to any monitored network interface. The parser in `src/simple_packet_parser_ng.cpp` validates only a 20-byte minimum buffer before blindly advancing a pointer by `4 * IHL` bytes, enabling a 40-byte over-read (IHL=15) or type confusion where TCP/UDP structures are parsed from raw IP header bytes (IHL 0-4). No public exploit identified at time of analysis; EPSS (0.02%, 4th percentile) and SSVC (exploitation: none, automatable: no) both signal low near-term exploitation probability.

Memory Corruption Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-41918 MEDIUM CISA This Month

Sensitive configuration data exposure in Siemens RUGGEDCOM RST2428P industrial network switch (all firmware versions before V4.0) allows authenticated attackers to retrieve confidential information from the browser cache. The web management interface fails to enforce proper cache-control directives when an authenticated user performs specific configuration modification workflows, persisting sensitive data in the local browser cache. No public exploit code exists and the vulnerability is not listed in CISA KEV, though the High confidentiality impact (VC:H) on the vulnerable component elevates concern for OT/industrial network environments where configuration data can expose network topology or credentials.

Information Disclosure
NVD
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-28116 MEDIUM This Month

Stored XSS in the Progress Planner WordPress plugin (versions through 1.9.0) enables a high-privileged attacker to inject persistent malicious scripts into web pages served to other users. Because the scope is marked Changed (S:C), the injected payload executes in the context of lower-privileged site visitors, not just the attacker's session, crossing the admin-to-user security boundary. No public exploit code or active exploitation has been identified at time of analysis.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-10566 LOW POC Monitor

Unsafe deserialization in FoundationAgents MetaGPT versions up to and including 0.8.2 allows a local low-privileged attacker to achieve confidentiality, integrity, and availability impact by manipulating the `mapping` argument passed to `Message.check_instruct_content` in `metagpt/schema.py`. Publicly available exploit code (POC) exists via a GitHub issue report, elevating practical risk despite the local-only attack vector. No vendor patch has been released - the project was notified via issue report but has not responded, leaving installations without a remediation path.

Deserialization Metagpt
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy