Skip to main content
CVE-2026-7473 MEDIUM POC KEV THREAT This Month

Tunnel decapsulation logic in Arista EOS fails to verify the encapsulation protocol type, allowing any tunneled packet destined for a configured decapsulation IP to be silently unwrapped and forwarded into the network. Unauthenticated remote attackers (PR:N, AV:N per CVSS 4.0) can inject traffic into network segments by exploiting this check bypass on switches with VXLAN, decap-groups, or GRE configurations. The CVE description explicitly states this issue has been reported as exploited in the wild; however, a CISA KEV entry was not confirmed in the provided data. The integrity impact is assessed as low on both the vulnerable and subsequent systems per CVSS 4.0 (VI:L/SI:L), but the network trust boundary violation in a core switching context warrants elevated operational priority.

Information Disclosure Eos
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
Threat
4.4
CVE-2026-48907 CRITICAL POC KEV EUVD KEV THREAT Act Now

Unauthenticated remote code execution in the JCE (Joomla Content Editor) extension for Joomla allows attackers to create editor profiles without authentication, then leverage that capability to upload and execute arbitrary PHP code on the server. With a CVSS 4.0 score of 10.0 and the CVSS:4.0 'U:Red' urgency flag set by the vendor, this represents a critical broken-access-control flaw, though no public exploit has been identified at time of analysis.

PHP Authentication Bypass Joomla Content Editor Jce Extension For Joomla
NVD VulDB GitHub
CVSS 4.0
10.0
EPSS
0.1%
CVE-2026-49777 CRITICAL POC PATCH Act Now

Backdoor/malicious code implant in the ShapedPlugin Product Slider Pro for WooCommerce WordPress plugin (versions before 3.5.3) allows remote unauthenticated attackers full compromise of the hosting site with CVSS 10.0 and a scope-changing vector. The Patchstack reference characterizes this as a backdoor vulnerability, and no public exploit has been identified at the time of analysis, though the trivial nature of supply-chain implants means abuse is plausible. Notably, the vendor patched the existing release without bumping the version number, so administrators cannot reliably tell whether their installation is fixed.

Information Disclosure WordPress
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-47668 CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote code execution in DbGate (npm package dbgate-serve, versions <= 7.1.8) lets remote attackers execute arbitrary Node.js code by injecting JavaScript through the functionName parameter of the POST /runners/start JSON script runner. Default Docker deployments ship with Anonymous authentication enabled, making this exploitable without credentials (CVSS 10.0), and a public Nuclei template plus detailed PoC mean publicly available exploit code exists even though no CISA KEV listing was identified at time of analysis.

Docker Node.js RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-10580 CRITICAL POC Act Now

Unauthenticated administrator account takeover in the Hippoo Mobile App for WooCommerce WordPress plugin (versions ≤ 1.9.4) allows remote attackers to reset any user's password - including the site administrator's - by sending a single crafted POST request to a cloned REST route. The root cause is a logic conflation in HippooPermissions::get_user_permissions() that returns the same null sentinel for both administrators and anonymous visitors, which is then interpreted as full admin access. No public exploit identified at time of analysis, but the trivial exploitation path and 9.8 CVSS score make this an urgent patch priority for any WordPress site running the plugin.

Authentication Bypass WordPress Hippoo Mobile App For Woocommerce
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-71318 CRITICAL POC Act Now

Unauthenticated administrative access in Riello UPS NetMan 204 network management cards allows remote attackers to read sensitive configuration and invoke privileged power-control commands by requesting administrative pages directly. With CVSS 4.0 score 9.3, publicly available exploit code exists (Exploit-DB 52183), enabling attackers to trigger UPS shutdown, reboot, bypass-switching, and battery tests against the protected infrastructure without any credentials.

Authentication Bypass Netman 204
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-71317 CRITICAL POC Act Now

Remote unauthenticated administrative access to Riello UPS NetMan 204 devices is possible via a hard-coded backdoor account ('eurek'/'eurek') exposed through the cgi-bin/login.cgi endpoint. The flaw (CWE-798) carries a CVSS 4.0 base of 9.3 and publicly available exploit code exists (Exploit-DB 52183, VulnCheck advisory), enabling full takeover of UPS management functions including configuration changes and enabling telnet/SSH. No public exploit identified at time of analysis as actively exploited in CISA KEV, but the trivially abusable static credential makes opportunistic exploitation highly likely.

Authentication Bypass Netman 204
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-11420 CRITICAL PATCH Act Now

Unauthenticated arbitrary file write and read in the Network Installation Service (NIS) component of Altium Enterprise Server enables remote attackers to overwrite binaries or configuration, drop content into web-accessible directories, and exfiltrate package archives - escalating to remote code execution as the service account. The CVSS 4.0 score of 10.0 (AV:N/AC:L/PR:N/UI:N with high impact across confidentiality, integrity, availability and scope) reflects a worst-case unauthenticated network primitive. No public exploit identified at time of analysis, and Altium 365 cloud deployments are explicitly out of scope.

Path Traversal RCE On Prem Enterprise Server
NVD VulDB
CVSS 4.0
10.0
EPSS
0.7%
CVE-2026-11429 CRITICAL PATCH Act Now

Remote code execution in Altium Enterprise Server (versions prior to 8.1.1) and Altium 365 arises from a path traversal flaw in the shared Git Service component, which processes post-clone file-manipulation operations using user-supplied paths without validation. An authenticated user with basic git permissions can move arbitrary files outside the repository area, drop attacker-controlled scripts into directories the service later executes, and on multi-tenant Altium 365 infrastructure could have reached data belonging to other tenants on the same node. No public exploit identified at time of analysis, and EPSS sits at 0.44% (63rd percentile).

Path Traversal RCE Altium Enterprise Server Altium 365
NVD VulDB
CVSS 4.0
10.0
EPSS
0.4%
CVE-2026-11414 CRITICAL PATCH Act Now

Unauthenticated file disclosure and arbitrary file read in Altium Enterprise Server prior to 8.1.1 allows any network-reachable attacker to forge signed Vault download URLs using a hard-coded key shipped identically across all installations. Chained with a co-located path traversal in the same download endpoint (and optionally CVE-2026-9152 for enumeration), an attacker can read arbitrary server-side files including configuration and key material, leading to full server compromise. No public exploit identified at time of analysis; CVSS 4.0 score is 10.0 and Altium 365 SaaS is not affected because cloud deployments use object storage rather than the local filesystem.

Authentication Bypass Path Traversal Hashicorp Altium Enterprise Server
NVD VulDB
CVSS 4.0
10.0
EPSS
0.1%
CVE-2026-45744 CRITICAL PATCH Act Now

Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticated user with an active File Manager SSH session to execute arbitrary OS commands on the connected remote host via the GET /ssh/file_manager/ssh/resolvePath endpoint. The vulnerability stems from improper shell escaping that fails to neutralize $(...) and backtick command substitution, yielding a CVSS 9.9 critical rating with scope change. No public exploit identified at time of analysis, but the vendor advisory (GHSA-37f4-wq95-pg33) provides sufficient technical detail to develop one trivially.

Command Injection Termix
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-45748 CRITICAL PATCH Act Now

OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated attackers to execute arbitrary commands on the source SSH host via the POST /ssh/tunnel/connect endpoint. The flaw stems from user-controlled host record fields being interpolated directly into shell commands without escaping, yielding persistent code execution. No public exploit identified at time of analysis, but a vendor-released patch is available in version 2.3.2.

Command Injection Termix
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-7763 CRITICAL PATCH Act Now

Remote unauthenticated code execution and denial-of-service in Morse Micro HaLowLink 2 (versions prior to 2.11.13) allows attackers within radio range to corrupt kernel memory via a malformed 802.11ah beacon frame. The flaw resides in the morse.ko HaLow Wi-Fi kernel driver, which processes broadcast beacons during passive scanning, requiring no authentication or user interaction. No public exploit identified at time of analysis, but SSVC rates the technical impact as total and the issue as automatable, and a vendor patch is available.

Denial Of Service Buffer Overflow RCE Halowlink 2
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-7762 CRITICAL PATCH Act Now

Remote code execution and kernel-level denial of service in Morse Micro HaLowLink 2 devices running software prior to 2.11.13 allows any attacker within 802.11ah radio range to corrupt kernel heap memory by broadcasting a malformed S1G Capabilities IE in a beacon or probe response frame. The flaw sits in the dot11ah.ko HaLow Wi-Fi driver and triggers during normal passive scanning, requiring no authentication, association, or user interaction. A vendor patch exists, but no public exploit identified at time of analysis and EPSS sits at 0.05% despite the CVSS 9.8 rating.

Denial Of Service Buffer Overflow RCE Halowlink 2
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-6274 CRITICAL PATCH Act Now

Authentication bypass in DTS Electronics Redline WR3200 firmware versions 7.1.3 through 7.1.7 allows remote unauthenticated attackers to access functionality not properly constrained by ACLs, leading to full compromise of the device. The CVSS 9.8 rating reflects network-reachable exploitation with no privileges or user interaction required, though no public exploit identified at time of analysis. The flaw maps to CWE-287 (Improper Authentication) and was reported through Turkey's national CERT (USOM).

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-46389 CRITICAL PATCH Act Now

Authentication bypass in Defense Unicorns UDS Identity Config versions 0.11.0 through 0.26.0 allows remote unauthenticated attackers to obtain OAuth2 tokens for any Keycloak client using the client-kubernetes-secret authenticator by submitting an arbitrary client_secret value. A logic flaw in the custom authenticator overwrites the submitted secret with the mounted Kubernetes secret prior to comparison, rendering the comparison meaningless. With EPSS at 0.04% there is no public exploit identified at time of analysis, but the SSVC technical impact is rated total and exploitation is automatable, making this a high-priority patch for UDS Core operators.

Authentication Bypass Kubernetes Uds Identity Config
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-11362 CRITICAL Act Now

Metric and tag injection in the Perl DataDog::DogStatsd client (versions through 0.07) allows attackers who control event tag content to inject arbitrary metrics, tags, and event data into the DogStatsd telemetry stream. The CVSS 9.8 score reflects an unauthenticated network-vector CWE-93 (CRLF/separator injection) flaw where the format_event method fails to sanitize commas, newlines, pipes, and colons - including an ineffective s/|//g regex that misinterprets the pipe as a regex metacharacter. No public exploit identified at time of analysis and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation interest despite the high CVSS rating.

Code Injection Datadog
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-10879 CRITICAL PATCH Act Now

Heap buffer overflow in the Perl DBI module versions before 1.648 occurs when the preparse() function processes SQL statements containing 10 or more placeholder binders. The fixed-size buffer allocation (three characters per binder) is insufficient for multi-digit binder names like :p10 through :p99 (four chars) or :p100+ (five chars), enabling memory corruption. EPSS rates exploitation probability at only 0.02% (5th percentile) and no public exploit identified at time of analysis, but the upstream maintainer has shipped a fix expanding the allocation.

Memory Corruption Buffer Overflow Dbi Suse
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-11293 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to break out of the renderer sandbox via a use-after-free flaw in the Input component when a victim visits a crafted HTML page. The CVSS score of 9.6 reflects the scope change inherent to sandbox escapes, though Chromium rated the underlying severity as Low and EPSS estimates exploitation probability at only 0.03%. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Denial Of Service Use After Free Memory Corruption Google
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-11282 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Linux prior to version 149.0.7827.53 allows remote attackers to potentially break out of the renderer sandbox via a crafted HTML page when a user visits an attacker-controlled site. The flaw stems from insufficient policy enforcement in the Linux sandbox implementation and carries a high CVSS of 9.6 due to scope change, though Chromium itself rates the security severity as Low. No public exploit identified at time of analysis, and EPSS is very low at 0.03%.

Information Disclosure Google
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-11250 CRITICAL PATCH Act Now

Information disclosure in Google Chrome DevTools prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to read potentially sensitive data from process memory by serving a crafted HTML page. The flaw stems from a use-after-free condition (CWE-416) in DevTools, and while Google rates the underlying Chromium severity as Low, the NVD CVSS of 9.6 reflects the cross-origin scope change possible when chained with a prior renderer compromise. No public exploit identified at time of analysis.

Information Disclosure Use After Free Memory Corruption Google Red Hat +2
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-11344 MEDIUM POC This Month

Unrestricted file upload in code-projects Vehicle Management System 1.0 allows remote unauthenticated attackers to upload arbitrary files via the photo parameter of the New Driver Registration Form (newdriver.php), enabling remote code execution. Publicly available exploit code exists on GitHub, increasing the likelihood of opportunistic abuse against exposed instances despite no CISA KEV listing.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11342 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the 'room' parameter of /details.php to inject arbitrary SQL queries. Publicly available exploit code exists (published via GitHub by researcher and indexed by VulDB), increasing the likelihood of opportunistic exploitation against exposed instances. The flaw is reachable over the network with no privileges or user interaction, making any internet-facing deployment of this PHP application a viable target.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11334 MEDIUM POC This Month

SQL injection in tittuvarghese CollegeManagementSystem (rolling-release PHP project) allows remote unauthenticated attackers to manipulate the department_code parameter in dashboard_page/forms/fetch.php to inject arbitrary SQL. Publicly available exploit code exists (disclosed via VulDB and a GitHub issue), and because the project uses continuous delivery with no tagged versions, defenders cannot pin a fixed release. The maintainer has been notified but has not responded, increasing operational risk for any deployment.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11419 CRITICAL PATCH Act Now

Arbitrary file write in the Altium Enterprise Server Vault Service allows authenticated users to escape the configured storage root via the UploadController image upload endpoint and place content-controlled files anywhere the service account can write. The flaw (CVSS 4.0 base 9.4, CWE-22) escalates to remote code execution, service takeover, or denial of service by overwriting application binaries, configuration files, or dropping payloads in web-accessible directories. No public exploit identified at time of analysis, and Altium 365 cloud deployments are explicitly out of scope.

Denial Of Service Path Traversal Hashicorp RCE On Prem Enterprise Server
NVD VulDB
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-45779 CRITICAL PATCH Act Now

SQL injection in Open XDMoD versions prior to 10.0.3 allows remote unauthenticated attackers to execute arbitrary SQL statements against the underlying database of this HPC metrics framework. The flaw requires no authentication or user interaction (CVSS 4.0 score 9.3) and can result in full database compromise. No public exploit identified at time of analysis and no evidence of in-the-wild exploitation per the vendor advisory.

SQLi Open Xdmod
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.9%
CVE-2026-46399 CRITICAL PATCH Act Now

Authenticated remote code execution affects HAX CMS PHP backend versions prior to 26.0.0, where attackers with valid credentials can configure malicious Git filter commands to overwrite files and execute arbitrary code on the server. The flaw carries a CVSS 4.0 score of 9.4 due to full compromise of confidentiality, integrity, and availability with cascading subsequent system impact. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

PHP RCE
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-11423 CRITICAL PATCH Act Now

Arbitrary file read in Altium Enterprise Server Collaboration Service (versions prior to 8.1.1) allows an authenticated low-privileged user to traverse the server filesystem via crafted filenames in MCAD and Simulation download flows. Because retrievable files include the master configuration holding privileged credentials, the bug escalates to full administrative takeover of the on-premises server. No public exploit identified at time of analysis, and Altium 365 cloud tenants are explicitly out of scope.

Path Traversal Altium Enterprise Server
NVD
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-45777 CRITICAL PATCH Act Now

Remote unauthenticated command injection in Open XDMoD versions 9.5.0 through 11.0.2 allows attackers to execute arbitrary system commands on the web server with the privileges of the web server process. The flaw carries a CVSS 4.0 score of 9.3 and was privately reported on 2026-04-06; no public exploit identified at time of analysis, and there is no evidence of in-the-wild exploitation per the vendor advisory. A fix is available in Open XDMoD 11.0.3, released 2026-05-12.

Command Injection Open Xdmod
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-36500 CRITICAL Act Now

Directory traversal in the OpenDaylight Controller v12.0.5 cluster-admin:backup-datastore component allows unauthenticated remote attackers to read arbitrary files outside the intended backup directory via a crafted request. A public proof-of-concept exists on GitHub (majdlatah/ODL-Path-Traversal), though no active exploitation has been reported and EPSS scoring places real-world exploitation probability at the 16th percentile.

Path Traversal N A
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-50230 MEDIUM POC This Month

Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the server.log endpoint's search parameter. The vulnerability carries a changed scope (S:C in CVSS), meaning malicious script executes in the context of the affected application's origin, enabling session theft, credential harvesting, or UI redressing against users of the media server interface. No public exploit is confirmed at time of analysis, and no KEV listing exists, but the advisory was published to zeroscience.mk - a research outlet that routinely accompanies disclosures with proof-of-concept code.

XSS Lyrion Music Server
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-9270 CRITICAL Act Now

Metric injection in the Perl DataDog::DogStatsd client (versions through 0.07) allows remote attackers to forge or manipulate StatsD metrics by supplying unsanitised input containing newlines, pipes, or colons in stat names, values, or tags. With a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) rating and CWE-93 (CRLF Injection) classification, attackers can corrupt monitoring data, change metric name prefixes, or inject arbitrary metrics - the SYNOPSIS example of passing a web form 'loginName' parameter as a tag is explicitly called out as unsafe. EPSS is very low (0.03%) and no public exploit identified at time of analysis, but the trivial network attack profile means risk depends entirely on whether untrusted input reaches the library.

Code Injection Datadog
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-47731 CRITICAL PATCH GHSA Act Now

Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to direct the ait-bsc process to append attacker-controlled binary data to arbitrary files on the host filesystem, limited only by the OS permissions of the running process. Affected are AIT-Core 3.1.0 and all 2.x versions before 2.6.1, exploitable via a direct HTTP request if the BSC port is network-accessible or via a browser-based CSRF attack that works even against localhost-bound deployments. Publicly available exploit code exists (python_poc.py, attacker_tcp.py, and test1.html), though no CISA KEV listing was identified at time of analysis.

Python Path Traversal RCE Canonical Denial Of Service
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-6209 CRITICAL Act Now

Authorization bypass in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access restricted functionality and sensitive geospatial tracking data due to missing ACL enforcement. The CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) vector and CWE-284 classification indicate trivially exploitable broken access control affecting confidentiality and integrity of tracked entities. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Geographic Tracking System
NVD VulDB
CVSS 3.1
9.1
CVE-2026-6208 CRITICAL Act Now

Authorization bypass in HAVELSAN Inc. Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access or modify other users' data by manipulating user-controlled identifiers. The CVSS 9.1 score reflects high confidentiality and integrity impact achievable over the network without authentication, though no public exploit identified at time of analysis. The flaw was reported by TR-CERT (Turkey's national CERT), suggesting coordinated disclosure for a regionally deployed product.

Authentication Bypass Geographic Tracking System
NVD VulDB
CVSS 3.1
9.1
CVE-2026-6207 CRITICAL Act Now

Information disclosure in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to perform system footprinting by analyzing observable discrepancies in server responses. The CVSS 9.1 score reflects high confidentiality and integrity impact over the network with no authentication required, though no public exploit identified at time of analysis. The vulnerability was reported by Turkey's national CERT (TR-CERT), suggesting it primarily affects deployments within Turkey's defense and government sectors where HAVELSAN products are commonly used.

Information Disclosure Geographic Tracking System
NVD VulDB
CVSS 3.1
9.1
CVE-2026-45746 CRITICAL PATCH Act Now

Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an authenticated low-privileged user to hijack another user's active File Manager session by tampering with a client-supplied sessionId, gaining full read/write/execute access to that victim's remote VPS over their established SSH connection. The CVSS 9.0 score reflects scope change (the compromised session crosses the trust boundary into the victim's separate VPS) and high impact across CIA. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the trivial nature of incrementing/guessing an unvalidated identifier makes exploitation straightforward once a foothold account exists.

Authentication Bypass Termix
NVD GitHub
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-45750 CRITICAL PATCH Act Now

Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitrary shell commands on remote SSH-managed hosts via the File Manager's resolvePath endpoint. The flaw stems from incomplete shell escaping that only handles double quotes while leaving command substitution syntax interpretable. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-v26q-rpv5-9m72) and CVSS 9.0 rating signal high impact across confidentiality, integrity, and availability of downstream SSH targets.

Command Injection Termix
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-7654 HIGH This Week

Authenticated remote code execution in the Admin Columns WordPress plugin (versions through 7.0.18) allows Contributor-level users to inject serialized PHP objects via post meta and trigger a bundled POP gadget chain through the Laravel SerializableClosure component. Reported by Wordfence with CVSS 8.8, no public exploit identified at time of analysis, though the low privilege barrier and bundled gadget chain make weaponization straightforward for any researcher with plugin access.

PHP Deserialization WordPress RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-48017 HIGH PATCH GHSA This Week

Remote code execution in DbGate (npm package dbgate-api) versions 7.1.8 and earlier allows any authenticated user with basic access to execute arbitrary OS commands by injecting JavaScript into the `functionName` parameter of the `POST /runners/load-reader` endpoint. The flaw stems from unsanitized string interpolation into a server-side script template, and the `require=null` sandbox is bypassed via `process.binding("spawn_sync")`. Publicly available exploit code exists (vendor-published PoC in the GHSA advisory), and the issue carries a CVSS 8.8 rating with low-complexity, low-privilege exploitation.

Privilege Escalation Code Injection RCE Docker Node.js
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11307 HIGH PATCH This Week

Remote code execution in Google Chrome's PDFium component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to open a crafted PDF file. The flaw is a use-after-free memory corruption issue (CWE-416) carrying a CVSS 8.8 rating, though Chromium rated its security severity as Low and no public exploit has been identified at time of analysis. User interaction is required, and code execution is constrained to the Chrome sandbox absent a chained sandbox escape.

Google Memory Corruption RCE Use After Free Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11306 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the PDFium component, allowing a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted PDF file. While exploitation is constrained to the sandbox and requires user interaction (visiting a page or opening a PDF), the CVSS score of 8.8 reflects the high impact on confidentiality, integrity, and availability if combined with a sandbox escape. No public exploit identified at time of analysis, and CISA SSVC indicates exploitation status of 'none'.

Google Memory Corruption RCE Use After Free Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11305 HIGH PATCH This Week

Remote code execution in Google Chrome's PDFium component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted PDF file. The flaw is a use-after-free memory corruption issue (CWE-416) requiring user interaction to open or render the malicious PDF, and no public exploit identified at time of analysis. Chromium rates the security severity as Low despite the CVSS 8.8 score, reflecting the sandbox containment of the resulting code execution.

Google Memory Corruption RCE Use After Free Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11303 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the PDFium component that parses PDF documents. A remote attacker who lures a user into opening a crafted PDF can execute arbitrary code, though execution is contained within Chrome's renderer sandbox. No public exploit is identified at time of analysis, and SSVC indicates no observed exploitation.

Google Memory Corruption RCE Use After Free Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11279 HIGH PATCH This Week

Remote code execution in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the browser sandbox by luring a user to a crafted HTML page. The flaw stems from an out-of-bounds read (CWE-125) and carries a CVSS 8.8 rating, though no public exploit has been identified at time of analysis and CISA SSVC marks exploitation status as 'none'. Code execution is confined to the renderer sandbox, requiring chaining with a sandbox escape for full system compromise.

Information Disclosure Google Buffer Overflow RCE
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11262 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the TabStrip component, enabling a remote attacker who lures a victim to a crafted HTML page to corrupt memory and execute arbitrary code within the renderer context. Google rates the underlying Chromium severity as Low, but the CVSS base score of 8.8 reflects the potential impact when chained with a sandbox escape. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11272 HIGH PATCH This Week

Privilege escalation in Google Chrome for iOS prior to 149.0.7827.53 allows remote attackers to elevate privileges when a victim is lured into performing specific UI gestures on a crafted HTML page. The flaw stems from insufficient input validation in the Reading List feature and carries a CVSS 3.1 score of 8.8, though EPSS is low at 0.05% and no public exploit identified at time of analysis. Google rates the underlying Chromium severity as Low despite the high CVSS, suggesting realistic exploitability is constrained by the required user interaction.

Apple Google Privilege Escalation Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-48095 HIGH PATCH This Week

Remote code execution in 7-Zip versions 26.00 and earlier is achievable via a crafted NTFS image that triggers a heap buffer overflow in the archive handler, overwriting an adjacent C++ object's vtable pointer to hijack control flow. The flaw stems from an undefined-behavior shift in CInStream::GetCuSize() that under-allocates a buffer to just one byte, which is then written up to 256 MB of attacker-controlled data. Exploitation requires the victim to open or extract a malicious archive (UI:R), but the NTFS handler is enabled by default and is selected via signature matching regardless of file extension; no public exploit identified at time of analysis.

Denial Of Service Memory Corruption Buffer Overflow RCE Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11295 HIGH PATCH This Week

Privilege escalation in Google Chrome's WebView component on Android prior to version 149.0.7827.53 allows a remote attacker to elevate privileges by serving a crafted HTML page to a victim. The flaw requires user interaction (visiting or rendering the malicious page) and carries a CVSS 8.8 due to the high confidentiality, integrity, and availability impact across the browser sandbox. No public exploit identified at time of analysis, and EPSS is very low at 0.04%, but Google has shipped a fix.

Google Privilege Escalation Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-11304 HIGH PATCH This Week

Heap corruption in Google Chrome's PDFium component before version 149.0.7827.53 allows remote attackers to potentially execute arbitrary code by tricking a user into opening a crafted PDF file. The flaw is a use-after-free (CWE-416) carrying a CVSS 8.8 rating, though no public exploit identified at time of analysis and EPSS exploitation probability is negligible at 0.03% (11th percentile). Google rates the Chromium severity as Low despite the high CVSS, reflecting the requirement for user interaction and absence of observed exploitation.

Denial Of Service Use After Free Memory Corruption Google Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
Page 1 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy