Skip to main content
CVE-2026-45614 MEDIUM PATCH This Month

Private ECDH key recovery in OP-TEE prior to version 4.11.0 is achievable by a local attacker who can invoke TEE_DeriveKey with approximately 30-40 crafted public key values lying off the target elliptic curve. Because the implementation omits point validation - failing to verify that (X, Y) satisfies Y^2 ≡ X^3 + aX + b mod P for the specified curve - each malformed call leaks a residue d mod r, where d is the private key and r is the order of the attacker-chosen invalid curve. Accumulated residues allow full private key reconstruction via the Chinese Remainder Theorem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the underlying invalid curve attack technique is well-documented in cryptographic literature and reproducible by any skilled attacker with local access.

Information Disclosure Jwt Attack Linux
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-7421 MEDIUM This Month

Stored Cross-Site Scripting in the Passeum Ticketing WordPress plugin (all versions ≤ 1.0) allows authenticated administrators on multisite installations to load attacker-controlled JavaScript and CSS on every frontend page that renders a plugin shortcode. The attack path runs through the plugin's `shop_name` setting: the `validate_shop_name()` function accepts any non-empty string, and `get_shop_url()` passes URLs beginning with 'http' directly to `wp_register_script()` and `wp_register_style()` without sanitization, causing the site to enqueue external resources from an attacker-controlled domain for all site visitors. No public exploit identified at time of analysis, and the vulnerability is explicitly scoped to WordPress multisite environments - single-site administrators are unaffected because they already hold the `unfiltered_html` capability.

XSS WordPress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-45702 MEDIUM PATCH This Month

Type confusion in OP-TEE OS versions 4.3.0 through 4.10.x allows a highly privileged local attacker operating in the normal world to crash the Trusted Execution Environment by submitting a malformed FFA_MEM_SHARE request, resulting in denial of service of all secure services hosted in the TEE. Exploitation is gated behind a non-default build configuration requiring both CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y, substantially narrowing the affected population to deployments using OP-TEE as an S-EL1 Secure Partition Manager Core. No public exploit code has been identified and the vulnerability is absent from the CISA KEV catalog; the CVSS score of 4.4 (Medium) reflects these real-world constraints accurately.

Information Disclosure Memory Corruption Linux
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2024-47273 MEDIUM PATCH This Month

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup Task functionality in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Path Traversal Synology
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-36602 MEDIUM This Month

Kernel pointer disclosure in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 allows unauthenticated adjacent-network attackers to obtain raw MIPS KSEG0 kernel addresses through the UPnP GetStatusInfo action, effectively defeating kernel address-space layout randomization on the device. The leaked pointer reveals the kernel memory map and is most useful as a precursor to a more severe exploit chain rather than as a standalone attack - its primary value is enabling reliable offset calculation for subsequent memory corruption attacks. No public exploit identified at time of analysis, EPSS is 0.02% (7th percentile), and the vulnerability is not listed in CISA KEV.

Information Disclosure N A
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-36615 MEDIUM This Month

Unauthenticated information disclosure in the Mercusys AC12G (EU) V1 router allows any attacker on the adjacent network to retrieve internal buffer contents by querying an undocumented `/agileconfigreset` HTTP endpoint, confirmed for firmware version AC12G(EU)_V1_200909. The CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, though exploitation is bounded to the local network segment rather than the internet. No public exploit has been identified at time of analysis, and no vendor patch has been confirmed.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9732 MEDIUM This Month

Cross-Site Request Forgery in the EmergencyWP WordPress plugin (all versions ≤1.4.2) permits unauthenticated attackers to overwrite critical plugin settings by tricking an authenticated site administrator into triggering a forged request. The missing nonce validation in the form_settings_ui settings save handler exposes controls that include WordPress role capability manipulation (add_cap/remove_cap), a data-erasure-on-uninstall flag, life-check timing, and the mandator notification email - settings whose combined impact exceeds the CVSS 4.3 baseline. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the role-capability attack surface warrants prioritized patching for sites relying on this plugin.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-36618 MEDIUM This Month

DNS version disclosure on Mercusys AC12G (EU) V1 router exposes the internal unbound 1.22.0 resolver version to unauthenticated adjacent-network attackers via CHAOS TXT queries. Any host on the same network segment can query 'version.bind' and receive a precise software version string, enabling targeted reconnaissance against known unbound vulnerabilities. No active exploitation or public exploit code has been identified at time of analysis, but the disclosure materially reduces attacker effort in follow-on attacks.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-36613 MEDIUM This Month

Uninitialized memory disclosure in the Mercusys AC12G (EU) V1 router exposes 128 bytes of internal server buffer contents to unauthenticated adjacent-network attackers. The device's HTTP server fails to sanitize responses for POST requests sent to undefined paths, returning raw internal buffer data instead of a clean error. No active exploitation is confirmed (not in CISA KEV), but a public researcher advisory exists on GitHub; the CVSS score of 4.3 (Medium) reflects the adjacent-network-only attack vector and limited confidentiality impact.

Information Disclosure Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-37700 MEDIUM This Month

Stored or reflected Cross-Site Scripting in MaxSite CMS v.109.2 allows a remote attacker with low-privilege authenticated access to inject malicious scripts via the Backend page file upload endpoint (admin_page), which execute in the browsers of other users - including administrators - to exfiltrate sensitive information such as session tokens. The CVSS vector (S:C) confirms the attack crosses a security scope boundary, amplifying impact beyond the attacker's own session. A researcher-published proof-of-concept is publicly available on GitHub, though EPSS remains very low at 0.05% (17th percentile) and no active exploitation has been confirmed by CISA KEV.

XSS File Upload
NVD GitHub VulDB
CVSS 3.1
4.1
EPSS
0.1%
CVE-2024-47263 MEDIUM PATCH This Month

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity.

Path Traversal Synology
NVD
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-50052 LOW PATCH Monitor

HTTP/2 request parsing in Vinyl Cache and Varnish Cache enables backend request desync (HTTP request smuggling), exploitable for cache poisoning, authentication bypass, and information disclosure against affected deployments. Vinyl Cache prior to 9.0.1 and Varnish Cache prior to 9.0.3, plus legacy pre-split Varnish Cache branches spanning versions 6.0.14 through 8.0.1, are confirmed affected across three distinct CPE lineages. Exploitation is gated behind an explicitly non-default configuration - HTTP/2 must be enabled via the +http2 feature parameter - which substantially limits exposure; no public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Request Smuggling Authentication Bypass Vinyl Cache Varnish Cache Pre Split +1
NVD VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-10705 LOW PATCH Monitor

Resource exhaustion in Dask up to version 3.0 allows authenticated remote attackers to trigger excessive resource consumption via the `nunique_approx` function in the HyperLogLog (HLL) handler component. The root cause is a HashDoS vulnerability - adversarially crafted string or object-type input values can be engineered to collide within the 32-bit hash space used for approximate distinct counting and shuffle partitioning, causing partition hotspotting and disproportionate CPU/memory load on worker nodes. No public exploit code exists at time of analysis, and the CVSS score of 3.1 (Low) with AC:H and A:L confirms limited real-world availability impact absent a targeted, high-complexity effort.

Denial Of Service Dask
NVD VulDB GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-8404 LOW PATCH Monitor

Incorrect cache storage in Django's UpdateCacheMiddleware exposes responses that should have been excluded from caching due to uppercase or mixed-case Cache-Control directives (e.g., 'Private', 'NO-STORE'). Affected versions 5.2.x before 5.2.15 and 6.0.x before 6.0.6 fail to perform case-insensitive comparison of Cache-Control directive strings, causing the middleware to cache responses it should skip, which remote attackers can then retrieve. No public exploit has been identified at time of analysis, and active exploitation is not confirmed; the low CVSS 4.0 score of 2.3 accurately reflects limited scope, though real-world impact scales with how sensitive the incorrectly cached data is.

Information Disclosure Python
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-48587 LOW PATCH Monitor

Cache-bypass information disclosure in Django's `has_vary_header()` utility allows remote attackers to read cached HTTP responses intended for other users by exploiting improper whitespace handling in `Vary` header comparisons. Affected versions are Django 5.2.x before 5.2.15 and 6.0.x before 6.0.6; earlier unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated and may also be affected per the vendor. The CVSS 4.0 score of 2.3 reflects constrained real-world impact requiring both a non-default prerequisite condition and user interaction, with no public exploit or confirmed active exploitation identified at time of analysis.

Information Disclosure Python
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-35193 LOW PATCH Monitor

Cache information disclosure in Django 5.2.x and 6.0.x allows remote unauthenticated attackers to read private authenticated responses served from shared caching layers. The `UpdateCacheMiddleware` component omits `Authorization` from the `Vary` response header when authenticated requests lack an explicit `Cache-Control: public` directive, causing caches to serve authenticated users' responses to subsequent unauthenticated requestors at the same URL. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects meaningful - but constrained - real-world impact gated behind specific deployment prerequisites.

Information Disclosure Python
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-7666 LOW PATCH Monitor

Django's SMTP email backend silently downgrades to cleartext transmission when a STARTTLS handshake fails under the `fail_silently=True` configuration, exposing email content to on-path network interception. Affected are Django 6.0.x before 6.0.6 and 5.2.x before 5.2.15; older unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated but may also be vulnerable. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects the high attack complexity and mandatory on-path network positioning required for exploitation.

Information Disclosure Python
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-6873 LOW PATCH Monitor

Cookie context confusion in Django's signed cookie implementation allows a remote low-privileged attacker to substitute a cookie signed in one application context into a different context where a distinct (name, salt) pair produces the same concatenated string. Affected are Django 6.0 before 6.0.6 and Django 5.2 before 5.2.15; older unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated but may also be affected. The real-world impact is limited to low-confidence data exposure (VC:L), with no public exploit identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects a low-severity, contextually constrained flaw.

Jwt Attack Code Injection Python
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-10691 LOW PATCH Monitor

ReDoS (Regular Expression Denial of Service) in wonderwhy-er DesktopCommanderMCP versions up to 0.2.38 allows authenticated remote attackers to exhaust server CPU by supplying crafted regex patterns with nested quantifiers to the start_search function in src/search-manager.ts. The unpatched code compiled user-controlled regex patterns directly into JavaScript RegExp objects without validating for catastrophic backtracking constructs, enabling partial availability degradation. A public proof-of-concept exploit exists (CVSS E:P), though the vulnerability is not listed in CISA KEV, and the CVSS 4.0 base score of 2.1 reflects its limited, low-availability impact.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-10692 LOW PATCH Monitor

Uncontrolled resource consumption in johnhuang316 code-index-mcp versions up to 2.14.0 allows an authenticated remote attacker with low privileges to trigger a denial of service by supplying a catastrophically backtracking regex pattern to the `search_code_advanced` tool's `regex` argument. The `is_safe_regex_pattern` validation function fails to reject pathological patterns, causing the MCP server process to exhaust CPU resources and become unresponsive. A public proof-of-concept exploit exists (CVSS 4.0 E:P); no active exploitation via CISA KEV has been reported, and impact is limited to availability of the vulnerable component only.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10690 LOW Monitor

Server-Side Request Forgery in wonderwhy-er DesktopCommanderMCP 0.2.37 allows low-privileged remote MCP clients to coerce the server into fetching arbitrary internal URLs via the `url` argument of the `readFileFromUrl` function in `src/tools/filesystem.ts`. The unpatched server performs no origin validation and follows HTTP redirects automatically, enabling attackers to reach RFC 1918 private networks and cloud instance metadata services (AWS/GCP/Azure at 169.254.169.254) from the server's network context. Publicly available exploit code exists (CVSS 4.0 E:P), though no CISA KEV listing is present at time of analysis.

SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10729 LOW Monitor

HTML injection in Thinkst Applied Research Canarytokens notification emails for 'Slow Redirect' and 'Cloned Website' token types allows an attacker who triggers those tokens to embed arbitrary HTML and JavaScript into the alert email sent to the operator. If the recipient opens the notification in an HTML-rendering email client, the injected content executes within that client's context, enabling interface manipulation and XSS. This affects self-hosted Docker deployments between tag sha-c42435e and sha-bfda4df; a proof of concept exists (CVSS E:P), though no public exploit confirmed active exploitation and CISA KEV listing is absent.

Docker XSS
NVD GitHub VulDB
CVSS 4.0
1.2
EPSS
0.0%
CVE-2026-10766 LOW Monitor

SHA-1 hash collisions in mlrun's DataFrame Hash Handler allow a local authenticated user to corrupt dataset artifact integrity in ML pipelines up to version 1.12.0-rc3. The `calculate_dataframe_hash` function in `mlrun/utils/helpers.py` uses SHA-1 over raw pandas hash bytes without encoding type or schema information, meaning structurally distinct DataFrames - differing only in column dtype (e.g., bool vs int, int8 vs int64, datetime64[ns] vs int64) - produce identical hashes. Publicly available exploit code exists (disclosed via GitHub issue #9691 and PR #9692 with concrete collision test cases); no active exploitation is confirmed in CISA KEV.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy