Skip to main content
CVE-2026-11190 MEDIUM PATCH This Month

Discretionary access control bypass in Google Chrome's Extensions subsystem affects all versions prior to 149.0.7827.53, enabling integrity compromise without exposing confidential data. Exploitation requires convincing a target user to install a crafted malicious Chrome Extension, placing social engineering at the center of any attack path. No public exploit code exists and no active exploitation has been confirmed; EPSS sits at 0.01% (1st percentile), indicating very low observed exploitation probability at time of analysis.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11183 MEDIUM PATCH This Month

Out-of-bounds read in Chrome's GWP-ASan memory safety subsystem (versions prior to 149.0.7827.53) enables a local attacker to disclose potentially sensitive contents from process memory by delivering a malicious file to the target. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact but no integrity or availability impact, consistent with a pure information-disclosure class. No public exploit code has been identified at time of analysis, EPSS exploitation probability is extremely low at 0.01% (1st percentile), and SSVC assessment confirms no known active exploitation, collectively indicating a low near-term threat priority despite the notable confidentiality impact rating.

Information Disclosure Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11148 MEDIUM PATCH This Month

Cross-origin data leakage via an inappropriate CSRF-class implementation in Google Chrome's Payments component on Android prior to 149.0.7827.53 allows network-delivered exploitation when a victim visits a crafted HTML page. The confidentiality impact is rated High by CVSS (C:H), as sensitive payment-related data from one origin can be exposed to an attacker-controlled page. No public exploit has been identified at time of analysis and the EPSS score of 0.01% (1st percentile) indicates a low probability of in-the-wild exploitation, making this a medium-priority patch rather than an emergency response item.

CSRF Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11143 MEDIUM PATCH This Month

Out-of-bounds heap read in Google Chrome's Extensions component on Linux exposes sensitive process memory to a malicious extension author. Affected versions are Chrome on Linux prior to 149.0.7827.53; Windows and macOS are not listed as affected. Exploitation requires convincing a target user to install a crafted malicious extension, limiting exposure compared to the CVSS 6.5 score implies - no public exploit identified at time of analysis, and EPSS of 0.01% (1st percentile) reflects low current exploitation probability.

Heap Overflow Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11048 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Extensions subsystem (versions prior to 149.0.7827.53) allows an attacker who socially engineers a user into installing a crafted malicious extension to violate cross-origin boundaries, enabling unauthorized integrity impact against content from other origins. The CVSS vector (I:H, C:N) confirms the impact is write/modify-only - sensitive data exfiltration is not a direct consequence. No public exploit code or active exploitation has been identified at time of analysis; EPSS is negligible at 0.01% (1st percentile), consistent with the social-engineering prerequisite limiting mass exploitation.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11026 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Extensions subsystem (all versions prior to 149.0.7827.53) enables circumvention of browser-enforced navigation controls when a user installs a crafted malicious extension. Rooted in CWE-284 (Improper Access Control), the flaw allows the extension to override navigation guards - potentially enabling unauthorized redirects or bypass of URL-based security policies - with a high integrity impact per CVSS (I:H). No public exploit has been identified at time of analysis, EPSS is 0.01% (1st percentile), and the vulnerability is not listed in CISA's KEV catalog, indicating low current exploitation momentum despite a medium CVSS score of 6.5.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11014 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome prior to version 149.0.7827.53 enables an attacker to circumvent Chrome's site isolation security boundary through a crafted malicious extension, resulting in high integrity impact (I:H per CVSS). The attack is gated by user interaction - specifically, the victim must be convinced to install the malicious extension - after which the extension exploits insufficient policy enforcement in Chrome's Extensions subsystem to cross site isolation boundaries without authorization. No public exploit has been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) indicates negligible current exploitation interest.

Authentication Bypass Google Chrome Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-10997 MEDIUM PATCH This Month

Insufficient policy enforcement in Google Chrome's Extensions subsystem prior to version 149.0.7827.53 allows a crafted extension to bypass discretionary access controls (DAC), producing high-integrity impact with no confidentiality or availability consequence. Exploitation requires an attacker to socially engineer a user into installing a malicious extension, after which the extension subverts Chrome's permission boundary enforcement. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; EPSS is extremely low at 0.01% (1st percentile), consistent with no observed mass exploitation.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-10863 MEDIUM PATCH This Month

Improper input validation in MISP's over-correlations endpoint allows an authenticated high-privileged attacker to inject arbitrary ordering clauses into database queries via the user-controlled `order` request parameter. All MISP instances running version 2.5.38 and earlier are affected. While direct impact is bounded by query-ordering manipulation, the vulnerability carries SQLi tags and high subsequent system impact scores (SC:H/SI:H/SA:H in CVSS 4.0), suggesting that a successfully crafted ordering expression could escalate to unsafe query construction or unintended data exposure. No public exploit has been identified at time of analysis.

PHP Information Disclosure SQLi Misp
NVD GitHub VulDB
CVSS 4.0
6.4
EPSS
0.1%
CVE-2026-47703 MEDIUM PATCH GHSA This Month

DNS transaction ID entropy collapse in AdGuard Home (≤v0.107.74) and its underlying dnsproxy library (≤v0.81.2) reduces the backend UDP forwarding tuple from two random variables to one: the DNS ID is deterministically 0 on every client-triggered DoQ-to-UDP hop, leaving only the UDP source port as the sole remaining entropy variable. An off-path attacker who can inject spoofed ICMP error messages toward the resolver's egress address can exploit a reliable source-port oracle - confirmed across four consecutive runs for both products - to identify the correct backend socket state before injecting a forged DNS response, placing this attack in the same threat-model class as SAD DNS and TUdoor. No public exploit confirmed at time of analysis beyond the working oracle reproducer included in the advisory disclosure; the advisory is not listed in CISA KEV.

OpenSSL Race Condition Oracle Information Disclosure Docker
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2025-65640 MEDIUM This Month

Stored cross-site scripting in Arket Globe Document Intelligence 5.0.0.559 enables authenticated low-privilege attackers to inject persistent JavaScript payloads into document text fields, which execute in the browsers of other users viewing the 'Task in Progress / Recent' page. The CVSS High confidentiality impact (C:H) reflects the realistic risk of session token theft or account takeover against higher-privileged users such as administrators. Publicly available exploit code exists on GitHub (vincenzo-emanuele/CVE-2025-65640), and while no CISA KEV listing is present, the SSVC framework confirms exploitation-class proof-of-concept activity.

XSS
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-5589 MEDIUM This Month

Integer underflow in Zephyr RTOS Bluetooth Mesh solicitation handling (versions ≤ 4.3.0) allows any physically proximate, unauthenticated BLE device to corrupt memory via a crafted advertising PDU, potentially causing denial of service or arbitrary code execution on the target device. The flaw resides in bt_mesh_sol_recv() within the OD Private Proxy Server feature and requires no prior pairing or device association to trigger. No public exploit has been identified at time of analysis and EPSS probability is low at 0.02%, but the combination of zero-interaction exploitation and RCE impact on embedded IoT devices warrants prioritization where this configuration is deployed.

Denial Of Service Memory Corruption Buffer Overflow RCE Zephyr
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-11187 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Glic component (versions prior to 149.0.7827.53) enables remote attackers to circumvent browser navigation controls by delivering a crafted HTML page that the victim must open. The vulnerability is rooted in an inappropriate implementation (CWE-284, Improper Access Control) within the Glic subsystem and yields limited but multi-dimensional impact across confidentiality, integrity, and availability (C:L/I:L/A:L). No public exploit identified at time of analysis and this CVE does not appear in CISA KEV; Google has assigned a 'Medium' severity rating consistent with the CVSS 6.3 score.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-11184 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 149.0.7827.53 allows a remote, unauthenticated attacker to circumvent policy enforcement in the browser's Actor component by delivering a crafted HTML page to a target user. The flaw (CWE-602) enables unauthorized navigation actions that could expose users to cross-origin manipulation or redirects with low but non-trivial confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, and EPSS of 0.02% combined with SSVC exploitation status of none indicates limited active threat, though the broad attack surface of any Chrome desktop user visiting a malicious page warrants timely patching.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-11181 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Media Session component (prior to 149.0.7827.53) enables remote attackers to violate cross-origin isolation via a crafted HTML page. The vulnerability stems from an inappropriate implementation (CWE-346: Origin Validation Error) in the Media Session API, which fails to properly enforce origin boundaries. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; EPSS sits at 0.02% (4th percentile), consistent with low observed exploitation activity.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-43926 MEDIUM PATCH This Month

Password reset token enumeration in FOSSBilling prior to 0.8.0 exposes three authentication endpoints - including the elevated-privilege admin reset at `/staff/email/:hash` - to unlimited brute-force guessing due to a rate limiter architecturally scoped exclusively to `/api/*` routes. The confirmation endpoint acts as a CWE-204 oracle, returning distinguishable HTTP responses (200 for valid tokens, 302 redirect for invalid), allowing an unauthenticated remote attacker to probe token validity without throttling, lockout, or attempt counting. Practical exploitation risk is substantially reduced by 256-bit token entropy (`hash('sha256', random_bytes(32))`) combined with a 15-minute expiry window, which is accurately reflected in the CVSS 4.0 AC:H/AT:P scoring; no public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Oracle Apache Nginx Fossbilling
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-50182 MEDIUM PATCH GHSA This Month

Reflected XSS in WWBN AVideo's YouTubeAPI plugin allows any unauthenticated remote attacker to execute arbitrary JavaScript in a victim's browser by inducing the victim to open a single crafted URL. The unsanitized `$_GET['search']` parameter is interpolated raw into pagination link href attributes in `plugin/YouTubeAPI/gallerySection.php`, and the AVideo Layout plugin then automatically hoists the injected script tag into a clean executable inline script block at page bottom - bypassing naive attribute-context filters. A detailed proof-of-concept is publicly documented in GitHub Security Advisory GHSA-hgjh-6wj8-gcgf; no active exploitation confirmed in CISA KEV at time of analysis.

PHP XSS CSRF
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-11205 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome for iOS prior to 149.0.7827.53 allows a remote, unauthenticated attacker to inject arbitrary scripts or HTML across origin boundaries by delivering a crafted QR code and convincing the target to perform specific UI gestures within the browser. The CVSS Scope:Changed rating confirms this bypasses the same-origin policy, meaning injected scripts can access sessions and data from other open origins. No public exploit code has been identified at time of analysis, and the EPSS score of 0.07% (22nd percentile) indicates low observed exploitation probability, though the attack is fully network-accessible once social engineering is achieved. Note: the 'RCE' tag attached to this CVE is inconsistent with the description, which describes UXSS - not OS-level code execution - and should be treated as a tagging error.

Apple Google RCE Suse Chrome +1
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-11034 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome for Android's Tab Group Sync feature allows remote unauthenticated attackers to inject arbitrary scripts or HTML via malicious network traffic against Chrome versions prior to 149.0.7827.53. The CVSS Changed Scope (S:C) confirms that injected content escapes the vulnerable component's origin boundary, affecting other origins - the defining characteristic of UXSS, which is more severe than conventional XSS because it bypasses the browser-level same-origin policy rather than just application-level controls. No public exploit has been identified at time of analysis, and EPSS at 0.07% (22nd percentile) reflects low current exploitation probability; the vulnerability is not listed in CISA KEV.

Google Code Injection Chrome
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-10916 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's DevTools component allows an attacker who has already compromised the renderer process to inject arbitrary scripts or HTML across security origins via a crafted HTML page, bypassing the same-origin policy. Affected versions are all Chrome releases prior to 149.0.7827.53. No public exploit code exists and no active exploitation has been observed; this vulnerability functions as a second-stage capability within a broader attack chain requiring prior renderer compromise.

Google Code Injection Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-11186 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's CSS implementation prior to version 149.0.7827.53 allows remote unauthenticated attackers to inject arbitrary scripts or HTML across origin boundaries via a crafted HTML page, requiring only user interaction. The Scope:Changed CVSS component (S:C) confirms this bypasses Chrome's Same-Origin Policy, enabling access to content from other origins in the victim's browser session. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV; however, UXSS classes in major browsers are historically targeted by threat actors for session hijacking and credential theft.

XSS Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-11150 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's XML processing component allows remote unauthenticated attackers to inject arbitrary scripts or HTML across origin boundaries by luring a victim to a crafted HTML page. All Chrome versions prior to 149.0.7827.53 are affected, with the Scope:Changed (S:C) CVSS vector confirming this vulnerability can bypass the Same-Origin Policy - the defining characteristic of UXSS. No public exploit code has been identified at time of analysis, and the EPSS score of 0.06% (18th percentile) reflects low observed exploitation probability, though UXSS primitives are historically attractive to threat actors targeting session data and credential theft at scale.

XSS Google Chrome
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-11122 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's Keyboard implementation prior to version 149.0.7827.53 enables remote unauthenticated attackers to inject arbitrary scripts or HTML across origin boundaries via a crafted HTML page. The Scope:Changed CVSS vector reflects the fundamental nature of this class: successful exploitation bypasses the Same-Origin Policy, potentially granting script access to sessions, cookies, and DOM content across all origins open in the browser. No public exploit has been identified at time of analysis, and the EPSS score of 0.06% (18th percentile) indicates low current exploitation probability, though UXSS primitives are historically high-value for targeted attacks.

Google Code Injection Chrome Red Hat Suse
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-44889 MEDIUM PATCH GHSA This Month

Open redirect in WebOb (pip/webob <= 1.8.9) enables unauthenticated network attackers to redirect victims to arbitrary attacker-controlled domains by bypassing the prior CVE-2024-42353 patch. The bypass exploits Python 3.10+'s silent stripping of ASCII control characters (tab, CR, LF) from URLs before parsing, so a crafted path like /\t/attacker.com passes the previous // guard, then gets normalized by urlsplit into a protocol-relative URL pointing to attacker.com. No public exploit has been identified at time of analysis beyond the advisory's own proof-of-concept code, but the bypass technique is trivial and the full exploit path is published in the GitHub advisory GHSA-fh3h-vg37-cc95.

Python Open Redirect Google Red Hat
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-8916 MEDIUM This Month

Out-of-bounds write in Samsung's rlottie animation rendering library allows a crafted Lottie animation file to trigger integer truncation in the embedded FreeType rasterizer, causing memory corruption. All rlottie versions before commit dcfde72eae1b0464dc0dd760aec00ada6a148635 are affected, spanning any downstream product or platform embedding this library (including Samsung TV and appliance firmware). Exploitation requires local access and user interaction to render a malicious animation, with primary impact being high availability loss (crash/DoS) and limited integrity impact; no public exploit identified at time of analysis and no active exploitation confirmed.

Memory Corruption Samsung Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-47318 MEDIUM This Month

Stack-based buffer overflow in Samsung Open Source rlottie's FreeType-derived cubic Bezier rasterizer allows a local attacker, via a crafted Lottie animation file, to crash the embedding application or potentially corrupt stack memory. The vulnerable code in `gray_render_cubic` (`src/vector/freetype/v_ft_raster.cpp`) subdivides Bezier curves onto a fixed-size `bez_stack` (capacity 32×3+1 vectors) without a depth guard, so a pathologically complex curve exhausts the buffer. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Stack Overflow Samsung Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-47306 MEDIUM This Month

Uncontrolled recursion in Samsung's rlottie library, affecting all versions before commit e2d19e3b, allows a locally-delivered malicious Lottie animation file to crash the host application by triggering infinite recursive resolution of circular precomposition asset references during parsing. The CVSS vector (AV:L/UI:R/A:H) confirms the primary impact is high availability loss - a stack overflow - with no confidentiality exposure despite the 'Information Disclosure' tag in source metadata. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Samsung
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-49510 MEDIUM This Month

Integer overflow in Samsung's rlottie animation library allows a crafted Lottie animation file to trigger memory corruption, resulting in high availability impact and low integrity impact on the rendering application. Specifically affecting the gradient color-stop parsing logic in lottiemodel.cpp, the flaw arises when a malformed colorPoints value causes a signed integer multiplication to overflow before being assigned to a size_t, producing an undersized buffer computation. No active exploitation has been identified at time of analysis, and a fix is available upstream via GitHub PR #592, though a formally tagged release version has not been independently confirmed.

Samsung Integer Overflow Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-10305 MEDIUM This Month

Out-of-bounds read in Samsung's rlottie rendering library prior to commit 223a2a41ba4f462e4abe767bebba49a366c9b9fd allows a local attacker to crash the rendering process (high availability impact) or cause low-level integrity corruption by supplying a crafted Lottie animation file. Two distinct code paths are affected: signed integer overflow in FreeType raster bit-shift macros and a missing zero-stopCount guard in gradient color table generation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the wide embedding of rlottie in Samsung consumer devices (TVs, appliances) represents a meaningful aggregate exposure.

Information Disclosure Samsung Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-47319 MEDIUM This Month

Uncontrolled memory allocation in Samsung Open Source rlottie allows a local attacker to trigger excessive heap allocation by supplying a crafted Lottie animation file containing polygon or polystar shape elements with arbitrarily large point counts. Affected are all rlottie versions prior to commit 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd. An attacker who can cause a user to open a malicious .lottie or .json animation - in any application embedding the rlottie library - can achieve a high-severity denial-of-service and a minor integrity impact, consistent with the CVSS A:H/I:L scoring. No public exploit code exists and no CISA KEV listing is present at time of analysis.

Information Disclosure Samsung
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-47320 MEDIUM This Month

Uncontrolled recursion and uninitialized pointer access in Samsung's rlottie animation library allow a locally-delivered malicious Lottie file to crash any host application via stack exhaustion. All rlottie versions prior to commit eae37633fda13ac05b25c6c95aacea4bc33c80a3 are affected; the PR #593 fix confirms cyclic layer parent references in crafted JSON animation payloads as the definitive trigger. No public exploit code has been identified at time of analysis and rlottie is not listed in CISA KEV, though the high availability impact (A:H) makes denial-of-service reliable for applications that accept user-supplied animation content.

Information Disclosure Memory Corruption Samsung
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-11229 MEDIUM PATCH This Month

Privilege escalation in Google Chrome's Enterprise feature (versions prior to 149.0.7827.53) allows a local attacker with physical device access to elevate privileges and access confidential information. The CVSS vector (AV:P/C:H) confirms the attack requires hands-on physical access to the target device, limiting the realistic threat surface to scenarios such as unattended or shared managed endpoints. No public exploit exists and no active exploitation has been identified at time of analysis; EPSS at 0.01% (1st percentile) and SSVC exploitation status of 'none' align with the low overall risk posture.

Google Privilege Escalation
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-10815 LOW POC Monitor

Missing authorization on the Admin Dashboard endpoint of LakshayD02's Hostel-Management-System-PHP allows low-privileged authenticated users to manipulate the ID parameter in hostel/index.php to access or modify records beyond their permitted scope. All commits up to f87e67c283bab6f718faf2fec6ae39a13bd7036b are affected; the project uses no formal versioning, so no unaffected release exists. Publicly available exploit code exists, and the project maintainer had not responded to coordinated disclosure at time of reporting.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10811 LOW POC Monitor

SQL injection in itsourcecode Fees Management System 1.0 exposes the `/receipt.php` endpoint to database manipulation by authenticated remote attackers via the `ef_id` parameter. The CVSS temporal metric E:P confirms a publicly available exploit, disclosed via a GitHub issue, meaning exploitation is accessible to low-skilled attackers. No CISA KEV listing is present, but the combination of public POC, network-reachable attack vector, and low attack complexity makes this a credible threat for any internet-facing deployment of this PHP application.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10810 LOW POC Monitor

Reflected cross-site scripting in itsourcecode Fees Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser session by manipulating the 'page' parameter in /navbar.php. The attack requires user interaction - a victim must follow a crafted URL - limiting mass exploitation, but publicly available exploit code (referenced via a GitHub issue) lowers the barrier for targeted phishing campaigns. No CISA KEV listing; EPSS data was not provided, though the combination of no authentication requirement and public POC warrants prompt attention for exposed deployments.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10809 LOW POC Monitor

SQL injection in itsourcecode Fees Management System 1.0 allows authenticated remote attackers with low privileges to manipulate database queries via the `ID` parameter in `/manage_user.php`. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-accessible exploitation requiring only a low-privilege account, with confidentiality, integrity, and availability all partially impacted. A public proof-of-concept exploit is available (E:P in CVSS temporal metrics, corroborated by a GitHub issue), though no active exploitation has been confirmed via CISA KEV. No vendor-released patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10808 LOW POC Monitor

SQL injection in itsourcecode Fees Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the `ID` parameter in `/manage_student.php`, resulting in partial compromise of confidentiality, integrity, and availability. The affected product is a PHP-based academic fee tracking application; exploitation requires a valid low-privilege account but no additional user interaction. A publicly available proof-of-concept exploit (referenced via GitHub) lowers the bar for opportunistic exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10807 LOW POC Monitor

Unrestricted file upload in Stumasy (mjperpinosa) allows a low-privileged authenticated attacker to upload arbitrary files through the profile image change endpoint, potentially enabling server-side code execution. The vulnerable parameter `pr_profile_image` in `application/PHP/objects/profiles/change_profile_image.php` performs no meaningful file type validation, making it trivial to submit non-image payloads including PHP webshells. A publicly available exploit exists via the project GitHub issue tracker; the vendor has not responded to the disclosure, and no patch has been released. No CISA KEV listing at time of analysis.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10806 LOW POC Monitor

Unrestricted file upload in mjperpinosa's stumasy PHP application allows authenticated remote attackers to upload arbitrary and potentially dangerous file types via the up_file_to_post parameter in add_post.php, enabling likely remote code execution through web shell deployment. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation requiring only low-privilege authentication with no user interaction. A publicly available proof-of-concept exploit exists (disclosed via GitHub issue), and the vendor has not responded to the responsible disclosure - no patch is available at time of analysis.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4881 MEDIUM POC PATCH This Month

Server-level configuration changes can be made by any authenticated low-privilege user in Octopus Server through a specific API endpoint that fails to enforce authorization correctly, despite returning an error response to the caller. The flaw affects multiple active release lines - 2026.1.x, 2025.4.x, and 2023.x - and carries a CVSS 4.0 score of 6.0 with high availability impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Octopus Server
NVD VulDB GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-11199 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's WebRTC implementation allows a network-positioned attacker to extract sensitive cross-origin information via crafted malicious network traffic. Affected versions are all Chrome releases prior to 149.0.7827.53; the fix is available in the stable channel update. No public exploit exists and no active exploitation has been identified - EPSS sits at 0.02% (4th percentile) and CISA SSVC assesses exploitation as none and automation as not feasible, placing real-world urgency well below the raw CVSS confidentiality impact suggests.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-40605 MEDIUM PATCH This Month

Path traversal in Tautulli's cache deletion API endpoint allows authenticated low-privilege users to delete arbitrary directories outside the configured cache root, resulting in arbitrary data loss and service disruption. All Tautulli versions prior to 2.17.1 are affected; the vendor-confirmed fix is v2.17.1 (released 2026-05-04). The CVSS 4.0 E:P modifier confirms proof-of-concept exploit code exists, and no public exploit identified at time of analysis rises to CISA KEV-confirmed active exploitation.

Python Path Traversal Tautulli
NVD GitHub
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-11232 MEDIUM PATCH This Month

UI spoofing via malicious network traffic in Google Chrome's TabGroups feature (all versions prior to 149.0.7827.53) enables remote unauthenticated attackers to misrepresent browser interface elements to victims, exploiting CWE-451 (UI Misrepresentation of Critical Information). The CVSS 5.4 score reflects limited but real confidentiality and availability impact (C:L/A:L), with Chromium's own severity team rating it Low. No public exploit identified at time of analysis, and Google has released a remediation in the 149.0.7827.53 stable channel update.

Information Disclosure Google
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-10984 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Accessibility component on Android prior to 149.0.7827.53 enables remote attackers to misrepresent interface elements via a crafted HTML page. Per the CVSS vector (PR:N/UI:R), unauthenticated remote attackers can achieve this through user-visited pages, with limited integrity and availability impact (I:L/A:L) and no confidentiality breach. EPSS at 0.03% (11th percentile) indicates very low exploitation probability, no public exploit exists, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-11157 MEDIUM PATCH This Month

Script injection via Chrome's Accessibility component allows a remote attacker who convinces a victim to install a malicious extension to perform Universal Cross-Site Scripting (UXSS), injecting arbitrary scripts or HTML into web page contexts the user visits. Affected are all Chrome desktop versions prior to 149.0.7827.53. EPSS is 0.01% (2nd percentile) and this vulnerability is not in CISA KEV, indicating very low real-world exploitation probability at time of analysis; however, the social-engineering prerequisite (malicious extension installation) remains a credible threat vector in targeted campaigns.

Code Injection Google RCE Chrome
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47671 MEDIUM PATCH GHSA This Month

Unauthenticated cross-origin read and write access to local development secrets in the Nhost CLI configserver affects all developers running `nhost dev` with CLI versions prior to 1.46.0. The hidden `configserver` subcommand exposes a Mimir GraphQL API with no-op authorization middleware and wildcard CORS (`Access-Control-Allow-Origin: *`), allowing any web page from an arbitrary origin to exfiltrate Hasura admin secrets, JWT signing keys, webhook secrets, and Grafana credentials, or inject attacker-controlled values into the local `.secrets` file. Publicly available exploit code exists within the security advisory itself; this CVE is not listed in CISA KEV, so no confirmed active exploitation in the wild is established at time of analysis.

Authentication Bypass Grafana
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-11098 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's GPU component (prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to exfiltrate sensitive cross-origin information by delivering a specially crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) assigns a score of 6.5 Medium, reflecting high confidentiality impact tempered by required user interaction and the critical prerequisite of a pre-compromised renderer. No public exploit has been identified at time of analysis, and EPSS registers at 0.05% (15th percentile), consistent with a multi-stage exploitation barrier.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-10864 MEDIUM PATCH This Month

Authenticated low-privileged users in MISP versions up to and including 2.5.38 can manipulate the fields parameter of the New Users and New Organisations dashboard widgets to bypass server-side field redaction and retrieve restricted metadata - including user email addresses even when email disclosure is explicitly disabled via Security.disclose_user_emails configuration. The root cause is an order-of-operations flaw: in the original code, the email redaction check was applied after the fallback logic that repopulated the field list, meaning a crafted empty field selection after validation could trigger a return of unredacted model fields. No public exploit has been identified at time of analysis, and SSVC rates exploitation status as none; however, the low attack complexity and absence of user interaction requirements mean any authenticated user can reliably reproduce the condition.

Information Disclosure Misp
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-10854 MEDIUM PATCH This Month

Private galaxy metadata in MISP versions up to and including 2.5.38 was exposed to authenticated non-site-admin users through the event template builder workflow due to missing organisation and distribution-based access controls. The EventTemplatesController.php __setBuilderConfig() method queried all enabled galaxies without filtering by ownership or distribution level, allowing users from one organisation to read galaxy names, types, and descriptions that belong to other organisations and are marked private. No public exploit has been identified and SSVC rates exploitation as none; however, in multi-tenant intelligence-sharing environments this information disclosure carries meaningful operational security risk, as galaxy metadata can reveal the intelligence focus areas or classification schemes of peer organisations.

Information Disclosure Misp
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-46739 MEDIUM PATCH This Month

Metric injection in Net::Statsd for Perl (all versions before 0.13) allows network-reachable, unauthenticated attackers to forge additional StatsD metric lines by embedding newlines, colons, or pipes in metric names or values passed through the library. Any application that feeds untrusted external input into Net::Statsd method calls without prior sanitization is directly exposed, because the wire format uses those characters as delimiters between metrics in a single UDP datagram. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the CVSS AV:N/AC:L/PR:N/UI:N surface warrants prompt patching wherever user-controlled strings reach metric instrumentation calls.

Code Injection Net
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
Prev Page 10 of 12 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy