Skip to main content
CVE-2026-11268 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics layer on Windows allows a remote unauthenticated attacker to read sensitive cross-origin memory contents by delivering a crafted HTML page to a victim. Affected are all Chrome versions on Windows prior to 149.0.7827.53. The root cause is an uninitialized memory use (CWE-457) within ANGLE, Chrome's graphics abstraction library. No public exploit has been identified at time of analysis, EPSS is very low at 0.03% (11th percentile), and the vulnerability is not listed in the CISA KEV catalog, consistent with the vendor's own 'Low' severity rating.

Information Disclosure Google Microsoft
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-48112 MEDIUM PATCH This Month

Heap out-of-bounds read in 7-Zip's Unix ar archive parser (versions 9.18 through 26.00) allows a remote unauthenticated attacker to leak uninitialized heap memory contents by convincing a user to open a specially crafted archive. The ParseLibSymbols function mishandles the BSD-style __.SYMDEF symbol table by reading 4 bytes past the end of a heap allocation when the namesSize field position equals the buffer boundary, exposing heap data with high confidentiality impact. No public exploit has been identified at time of analysis, and no KEV listing exists; version 26.01 patches the issue.

Integer Overflow Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-48101 MEDIUM PATCH This Month

Uninitialized heap memory disclosure in 7-Zip's UEFI capsule (.scap) parser exposes potentially sensitive heap contents when an unauthenticated remote attacker delivers a crafted capsule file that a user opens. The OpenCapsule function allocates a heap buffer sized by the attacker-controlled CapsuleImageSize field without zero-initialization, then silently ignores read failures on truncated files, causing the unread tail - containing raw heap data - to be surfaced as extracted file content. Affecting versions 9.21 through 26.00, a fix is available in 26.0.1; no public exploit code has been identified at time of analysis.

Information Disclosure 7 Zip
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11287 MEDIUM PATCH This Month

Navigation policy bypass in Google Chrome on Android (prior to 149.0.7827.53) enables a remote attacker who has already achieved renderer process compromise to circumvent navigation restrictions through a specially crafted HTML page. The vulnerability carries a CVSS integrity impact of High (I:H) with no confidentiality or availability impact, indicating the primary risk is unauthorized navigation to restricted targets - a technique commonly used to chain into further exploitation. No public exploit identified at time of analysis, and EPSS of 0.02% (6th percentile) reflects negligible current exploitation probability; however, its value as a chaining primitive in multi-stage browser attacks warrants attention.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11283 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Shortcuts feature on macOS allows remote attackers to circumvent Chrome's internal URL filtering or navigation controls via a crafted malicious file. Affected versions are all Chrome releases on Mac prior to 149.0.7827.53. The CVSS vector (PR:N, UI:R, I:H) indicates no attacker authentication is required but user interaction with the malicious file is mandatory; EPSS at 0.02% (4th percentile) and no public exploit identified at time of analysis confirm low exploitation probability, consistent with Chromium's own 'Low' severity rating.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11275 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for Android's Page Info component (prior to 149.0.7827.53) enables an attacker who has already compromised the renderer process to circumvent Chrome's navigation controls via a specially crafted HTML page. This is a chained exploitation scenario: the vulnerability cannot be triggered standalone but requires a prior renderer compromise as a prerequisite, limiting its practical threat surface. No public exploit has been identified at time of analysis, EPSS is negligible at 0.02%, and the vulnerability is not listed in CISA KEV. Google rates its internal severity as Low.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11258 MEDIUM PATCH This Month

File System Access API in Google Chrome prior to 149.0.7827.53 allows a remote attacker to bypass discretionary access control (DAC) by convincing a user to perform specific UI gestures on a crafted HTML page. The CVSS vector (I:H, C:N, A:N) confirms the impact is limited to unauthorized file integrity compromise - an attacker could write or modify local files beyond what the user explicitly permitted. No public exploit code exists and EPSS is 0.02% (4th percentile), aligning with Chromium's own internal 'Low' severity rating, indicating limited real-world exploitation likelihood at time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11278 MEDIUM PATCH This Month

Cross-origin data leakage via Chrome's CustomTabs component on Android exposes confidential web content to attackers who can deliver a crafted HTML page to a victim. Affected versions are all Chrome for Android releases prior to 149.0.7827.53. Despite Chromium's internal 'Low' severity rating, the CVSS confidentiality impact is scored High (C:H), and user interaction is required (UI:R) - meaning exploitation depends on a victim opening attacker-controlled content. No public exploit code exists and no active exploitation has been identified; EPSS at 0.01% (1st percentile) corroborates low near-term exploitation likelihood.

Information Disclosure Google
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-37737 MEDIUM This Month

CORS origin allowlist bypass in sanic-cors 2.2.0 and prior enables cross-origin access to authenticated resources by exploiting an unanchored regular expression in the origin-matching logic. The library's try_match() function in sanic_cors/core.py uses Python's re.match() - which matches only from the start of a string, not the full string - allowing an attacker who controls a domain prefixed with a trusted origin (e.g., trusted.example.com.attacker.com) to satisfy the allowlist check. Exploitation requires a victim user to visit an attacker-controlled page, placing this in a network-accessible, user-interaction-required threat model. No public exploit code has been identified at time of analysis, and no KEV listing exists.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-50592 MEDIUM PATCH This Month

Reflected cross-site scripting in Znuny's AdminCommunicationLog (communication log administration view) allows a low-privileged authenticated attacker to inject arbitrary JavaScript that executes in the context of other users' browsers, with changed scope indicating impact beyond the vulnerable component itself. Affected releases are Znuny LTS before 6.5.21 and Znuny before 7.3.3. No public exploit identified at time of analysis and this CVE does not appear in CISA KEV, though the low-complexity, network-accessible attack vector and changed scope elevate practical concern for deployments with untrusted low-privilege users.

XSS Znuny
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-21030 MEDIUM This Month

Improper access control in the MediaTek Audio HAL on Samsung Mobile Devices running Android 14, 15, and 16 permits local unprivileged attackers to invoke restricted privileged functions within the audio subsystem. The CVSS 4.0 subsequent system impact is rated High across confidentiality, integrity, and availability (SC:H/SI:H/SA:H), indicating that successful exploitation can cascade well beyond the Audio HAL itself to compromise broader device system components. No public exploit identified at time of analysis; Samsung has released a fix in SMR Jun-2026 Release 1.

Information Disclosure Mediatek
NVD VulDB
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-21026 MEDIUM This Month

Improper export of Android application components in Samsung's SpriteWallpaper app enables local attackers without privileges to access sensitive information and achieve disproportionately high impact on subsequent system components. Devices running Android 16 prior to the SMR Jun-2026 Release 1 security update are affected. No public exploit has been identified at time of analysis, but the zero-privilege local requirement and high subsequent system impact (SC:H/SI:H/SA:H) elevate practical risk on shared or managed Android devices.

Information Disclosure Google
NVD
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-47386 MEDIUM PATCH GHSA This Month

OAuth authorization code exchange in NocoDB versions up to 2026.05.0 is vulnerable to a race condition that breaks the single-use guarantee enforced by PKCE. By submitting two or more concurrent token-exchange requests before the server atomically marks the authorization code as consumed, an attacker who controls a malicious OAuth client can obtain multiple valid (access_token, refresh_token) pairs from a single authorization code, resulting in unauthorized long-lived session access alongside the legitimate token. Fixed in 2026.05.1 via an atomic compare-and-swap database operation; no public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Microsoft Race Condition
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-47380 MEDIUM PATCH GHSA This Month

User enumeration via observable timing discrepancy in NocoDB's sign-in endpoint allows network-positioned attackers to determine whether an email address is registered. The authentication service (`auth.service.ts`) returned immediately for unknown users without executing a bcrypt password hash comparison, producing measurably shorter response times than for known users - a classic timing side-channel. No public exploit has been identified at time of analysis, but the technique requires no privileges and is straightforward to execute against any network-accessible NocoDB instance running versions prior to 2026.04.1.

Information Disclosure
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-21036 MEDIUM This Month

Improper authorization in Samsung Internet (Android browser) prior to version 30.0.0.39 allows a local attacker with low-level privileges to access sensitive information stored or processed by the browser, with downstream high-severity impact on subsequent systems as reflected in the CVSS 4.0 SC:H/SI:H/SA:H scores. The vulnerability requires only local access and no user interaction, making it exploitable by any co-resident low-privileged app or user account on the device. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and Samsung Mobile has released a patched version.

Samsung Authentication Bypass Samsung Internet
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-11308 MEDIUM PATCH This Month

Privilege escalation in Google Chrome's Extensions subsystem, affecting all versions prior to 149.0.7827.53, allows a remote attacker who socially engineers a user into installing a crafted malicious extension to gain elevated privileges within the browser context, impacting confidentiality, integrity, and availability at a low-to-moderate level. The CVSS score of 6.3 (Medium) reflects the network-reachable attack vector offset by mandatory user interaction (UI:R), and Chromium's own security team rated this as Low severity - a notable downgrade from the NVD-calculated score. No public exploit code and no KEV listing have been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) corroborates minimal observed exploitation activity.

Google Privilege Escalation Chrome
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-11339 LOW POC Monitor

Command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows remote authenticated attackers to execute arbitrary OS commands via the `ussdValue` parameter of the `/boafrm/formUSSDSetup` endpoint, processed by the vulnerable `sub_41CF20` function without input sanitization. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms remote, low-complexity exploitation requiring only low-privilege credentials - a realistic threshold on consumer routers commonly deployed with default or weak passwords. A public proof-of-concept exploit is available on GitHub, materially elevating practical risk above what the moderate CVSS score of 6.3 suggests; no public exploit identified at time of analysis maps to confirmed active exploitation (not in CISA KEV).

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-10878 LOW POC Monitor

Command injection in D-Link DWR-M920 router firmware versions 1.1.50 and 1.1.70 allows a low-privileged, remote-authenticated attacker to inject OS commands via the action_value parameter in the SMS management endpoint /boafrm/formSmsManage. The vulnerability resides in the C function sub_41C8E8 and stems from unsanitized user input being passed directly to a command interpreter (CWE-77). A public proof-of-concept exploit is available on GitHub, lowering the bar for exploitation despite the absence of CISA KEV listing.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-38579 MEDIUM This Month

Multiple reflected Cross-Site Scripting vulnerabilities in damasac's thaipalliative_lte PHP application (through version 3.0) allow unauthenticated remote attackers to inject arbitrary JavaScript into victim browsers by crafting malicious URLs. The vulnerable file /substudy/ezform.php unsafely echoes four distinct user-controlled parameters - idFormMain, id (in two locations), and ptid_key - directly into HTML attributes and JavaScript contexts without output encoding. A proof-of-concept exists per SSVC data; however, EPSS is very low at 0.08% (23rd percentile) and exploitation is not confirmed by CISA KEV, suggesting limited widespread attacker interest at time of analysis.

PHP XSS N A
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-11273 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in the Omnibox component of Google Chrome prior to 149.0.7827.53 enables a remote unauthenticated attacker to inject arbitrary scripts or HTML across origin boundaries by exploiting insufficient input validation. Successful exploitation requires convincing a victim to visit a crafted HTML page and perform specific UI gestures, as confirmed by the UI:R CVSS component and the CVE description. No public exploit has been identified at time of analysis, and the EPSS score of 0.07% (22nd percentile) combined with Google's own 'Low' severity classification indicates limited near-term exploitation likelihood.

Google Code Injection Chrome
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-11336 LOW POC Monitor

Improper authorization in tittuvarghese CollegeManagementSystem exposes the Admin Interface to privilege escalation by low-privileged authenticated users who can manipulate the UserAuthData parameter in dashboard_page/admin_page.php. A publicly available exploit exists (referenced in GitHub issue #5), raising practical risk above what the mid-range CVSS score of 6.3 alone would suggest. The vendor has not responded to the responsible disclosure, and no patch has been released; all deployed instances across the rolling release track remain exposed.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-21825 MEDIUM This Month

Reflected cross-site scripting in HCL Digital Experience Compose's search center allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session. The CVSS Scope:Changed rating reflects that the injected script executes outside the originating application's security domain, enabling session hijacking, credential harvesting, or malicious UI redirection against authenticated portal users. No public exploit code and no active exploitation have been identified at time of analysis, though the low attack complexity and absence of privilege requirements make it trivially deliverable via phishing.

XSS Dx Compose
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21826 MEDIUM This Month

Host header injection in HCL Digital Experience and HCL Digital Experience Compose enables unauthenticated remote attackers to manipulate HTTP Host headers, causing the application to generate attacker-controlled redirect URLs targeting victims - a classic open redirect primitive (CWE-601) confirmed by the Open Redirect tag. The CVSS 6.1 score reflects Changed scope (S:C), meaning impact crosses beyond the vulnerable component, with low confidentiality and integrity impact consistent with phishing and session-hijacking abuse. No public exploit code or CISA KEV listing has been identified at time of analysis.

Open Redirect
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-11341 LOW POC Monitor

OS command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows authenticated remote attackers to execute arbitrary shell commands on the device via the IMEI_value parameter of the /boafrm/formIMEISetup endpoint. The vulnerable function sub_412DA0 fails to sanitize attacker-controlled input before passing it to an OS-level command, granting low-privilege network access sufficient to achieve code execution with the confidence of a partial proof-of-concept. A publicly available exploit has been disclosed on GitHub, elevating practical risk beyond the CVSS 6.3 score alone.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-11337 LOW POC Monitor

Cross-site scripting in tittuvarghese's PHP-based CollegeManagementSystem exposes users to script injection via the unvalidated `department_name` parameter in `/dashboard_page/forms/fetch.php`, exploitable remotely without authentication but requiring victim interaction. Publicly available exploit code (GitHub issue #6) lowers the technical barrier for opportunistic attacks, though CVSS scope remains unchanged with only low integrity impact. No patch has been released and the project maintainer has not responded to the coordinated disclosure, leaving all deployed instances permanently exposed under the rolling release model.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-47250 MEDIUM PATCH GHSA This Month

Argument injection in the kubectl_generic tool of mcp-server-kubernetes (npm, ≤ 3.6.2) enables Kubernetes bearer token exfiltration through indirect prompt injection, allowing privilege escalation to the operator's full RBAC permissions. An attacker with limited cluster access plants a crafted JSON payload in pod log output; when an AI agent using the MCP server reads those logs and follows the injected instruction, kubectl_generic calls kubectl with attacker-controlled --server and --insecure-skip-tls-verify flags, forwarding the operator's kubeconfig bearer token to an attacker-controlled HTTPS endpoint. A fully working public PoC exists confirmed end-to-end on a live kind cluster using Claude Haiku; the fix is available in version 3.7.0. No active exploitation per CISA KEV is confirmed at time of analysis.

OpenSSL Python Privilege Escalation Kubernetes Node.js
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-11335 LOW POC Monitor

Session fixation in tittuvarghese CollegeManagementSystem enables remote attackers to hijack authenticated user sessions by pre-setting a session identifier via the UserAuthData argument passed to session_start() in /login-form.php. Successful exploitation requires a victim to complete login through an attacker-crafted URL, granting the attacker access to the victim's authenticated session with partial confidentiality, integrity, and availability impact (C:L/I:L/A:L). A publicly available exploit exists via a published GitHub issue, but no patch has been released and the maintainer has not responded to responsible disclosure.

PHP Information Disclosure Session Fixation
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11333 LOW POC Monitor

Unrestricted file upload in tittuvarghese CollegeManagementSystem exposes the Student Data Upload endpoint (`dashboard_page/forms/upload_student_data.php`) to remote exploitation by authenticated low-privilege users, allowing arbitrary file types - including PHP web shells - to be uploaded to the server by manipulating the Student-Data-CSV argument. All deployed instances across all commits are affected given the project's rolling release model, and no vendor-released patch exists as the maintainer has not responded to responsible disclosure. Publicly available exploit code exists, raising real-world risk above what the CVSS 6.3 score alone implies.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-47375 MEDIUM PATCH GHSA This Month

SQL injection in NocoDB's Postgres formula engine exposes authenticated creators to arbitrary SQL execution via the unvalidated `direction` argument of the `ARRAYSORT(...)` formula function. All NocoDB instances on npm/nocodb versions prior to 2026.04.1 using Postgres-backed bases are affected; MySQL and SQLite backends are not. An attacker holding creator/owner-level `columnAdd` permission can inject persistent SQL that executes during column creation and re-executes on every subsequent read of the formula column, enabling confirmed denial-of-service and potentially broader data access depending on database-level permissions. No public exploit identified at time of analysis; this vulnerability is not listed in CISA KEV.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-11326 MEDIUM PATCH This Month

OpenAI Atlas before 1.2025.288.15 improperly exposed privileged browser APIs - including browser history access and tab open/close controls - to any web content loaded from *.openai.com origins, including the publicly accessible forum.openai.com. Because forum.openai.com harbored an independent cross-site scripting vulnerability, an attacker could chain the two weaknesses: inject a script via the forum XSS, which then silently invokes Atlas's privileged APIs against a visiting victim. No public exploit or CISA KEV listing has been confirmed at time of analysis, though a public security research blog (hacktron.ai) describes the attack surface; the EPSS score of 0.02% (4th percentile) reflects low observed exploitation probability.

Authentication Bypass XSS Openai Atlas
NVD
CVSS 4.0
6.0
EPSS
0.0%
CVE-2024-27928 MEDIUM PATCH GHSA This Month

### Impact If an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure
NVD GitHub
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-11338 LOW POC Monitor

Stored cross-site scripting in SourceCodester Ship Ferry Ticket Reservation System 1.0 allows a remote attacker with high-privilege (admin-level) access to inject persistent malicious JavaScript into the Username field of the user management panel at /admin/?page=user/manage_user, which then executes in the browser of any other privileged user who visits that page. The vulnerability carries a CVSS base score of only 2.4 due to the combination of required high privileges, mandatory user interaction, and limited integrity-only impact with no confidentiality or availability consequence. No public exploit identified at time of analysis as a KEV-confirmed threat, but publicly available exploit code exists via a published Medium article and VulDB report.

XSS Ship Ferry Ticket Reservation System
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-21038 MEDIUM This Month

Out-of-bounds memory access in Samsung Android USB Driver for Windows (all versions prior to 1.9.5.0) allows a local attacker without elevated privileges to corrupt or read memory beyond allocated bounds, resulting in high availability impact and low integrity impact on the affected Windows host. Samsung has released version 1.9.5.0 as the corrective patch, documented under EUVD-2026-34810. No public exploit code exists and the vulnerability is not listed in CISA KEV at time of analysis, though the CVSS 4.0 AT:P modifier signals a required target-specific condition that narrows exploitability.

Google Microsoft Samsung Buffer Overflow Information Disclosure +1
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-11312 LOW POC Monitor

Inefficient algorithmic complexity in bytedance InfiniStore up to version 0.2.33 allows a local, low-privileged attacker to partially degrade availability by triggering worst-case execution in the purge_kv_map function. The CVSS vector (AV:L/AC:L/PR:L/UI:N/A:L) confirms limited blast radius - local-only access with no confidentiality or integrity impact - but a public proof-of-concept exists per the GitHub issue tracker and is reflected in the E:P temporal modifier. No patch has been issued; the vendor has not responded to the coordinated disclosure.

Information Disclosure Infinistore
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-11238 MEDIUM PATCH This Month

Inappropriate implementation in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a crafted Chrome Extension to access and read sensitive data from process memory. Exploitation requires social engineering a target user into installing a malicious extension, after which the extension can invoke under-guarded DevTools APIs to extract potentially sensitive in-memory content such as credentials, tokens, or session data. No public exploit has been identified at time of analysis, and the EPSS score of 0.01% indicates very low observed exploitation probability; however, the confidentiality impact is rated High by CVSS.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-49343 MEDIUM PATCH GHSA This Month

Throttler slot exhaustion in klever-go's account-data trie syncer enables unauthenticated remote attackers to permanently consume all `NumGoRoutinesThrottler` slots by causing repeated trie-node sync failures or timeouts during epoch bootstrap, halting node participation in consensus. Both `userAccountsSyncer.syncDataTrie()` and `kappAccountsSyncer.syncDataTrie()` call `StartProcessing()` but omit `EndProcessing()` on three distinct error paths, meaning each failed sync permanently leaks one slot for the lifetime of that throttler instance. A runtime proof-of-concept is publicly confirmed in GHSA-fw38-pc54-jvx9 showing that exactly N timeout failures exhaust a capacity-N throttler; no CISA KEV listing exists at time of analysis, but the operational impact on bootstrapping validators is severe.

Denial Of Service
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-25624 MEDIUM This Month

Cross-site scripting in the Arista Edge Threat Management Next Generation Firewall web UI dashboard allows a high-privileged attacker to inject unvalidated input that is reflected back into administrative profiles, enabling script execution in the context of other administrative sessions. The vulnerability carries a CVSS 4.0 score of 5.8 (Medium), with confidentiality impact rated High on the vulnerable system - consistent with session token or credential harvesting from targeted admin accounts. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.

XSS Ng Firewall
NVD VulDB
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-10732 MEDIUM This Month

Arbitrary file write in the npm decompress package (all versions) exploits a second-generation Zip Slip bypass that circumvents protections introduced in the CVE-2020-12265 fix. By crafting a ZIP archive where a symlink entry and a same-named regular file share an identical path, an attacker leverages microtask scheduling order to write file contents through the unresolved symlink to arbitrary locations outside the extraction output directory, creating a realistic path to remote code execution. Publicly available exploit code exists per the E:P temporal modifier and a published PoC Gist, elevating real-world concern especially for applications processing untrusted archives in automated pipelines.

Path Traversal RCE Decompress
NVD GitHub VulDB
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-50263 MEDIUM This Month

Use-after-free read in X.Org X server and Xwayland's CreateSaverWindow() function exposes heap memory to local authenticated users, resulting in information disclosure. A low-privileged local X client can manipulate window attributes and force screen saver activation to trigger a read from freed memory, leaking potentially sensitive heap contents (C:H/I:N/A:N). No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, an upstream fix commit has been published and a Red Hat advisory is available.

Information Disclosure Use After Free Memory Corruption Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-50262 MEDIUM This Month

Out-of-bounds read in X.Org X server and Xwayland's GLX extension handler `__glXDisp_ChangeDrawableAttributes()` allows a local low-privileged user to disclose sensitive memory contents from the X server process. Faulty size validation permits reading a client-controlled number of bytes beyond the request buffer boundary, resulting in high confidentiality impact per CVSS. A secondary write path exists in the same function but is gated behind byte-swapped client support, which is disabled by default, substantially limiting its practical exposure. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-50591 MEDIUM PATCH This Month

Stored cross-site scripting in Znuny's user preferences mechanism allows an authenticated low-privileged attacker to inject persistent malicious scripts that execute in other users' browsers, crossing security boundaries (S:C) to potentially compromise administrator sessions or perform unauthorized actions on their behalf. Both the LTS branch (before 6.5.21) and the main release branch (before 7.3.3) are affected. Vendor-released patches exist for both branches; no public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

XSS Znuny
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-11243 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Downloads subsystem prior to version 149.0.7827.53 enables a remote unauthenticated attacker to circumvent browser navigation controls by luring a user to a crafted HTML page. The flaw is rooted in an inappropriate implementation classified as CWE-346 (Origin Validation Error), meaning Chrome fails to properly validate the origin of requests or data within the Downloads flow. Rated Medium by CVSS (5.4) and Low by Chromium's own severity scale, no public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-46401 MEDIUM PATCH This Month

Persistent session token access in HAX CMS (haxtheweb) prior to version 26.0.0 allows attackers who possess a valid authentication token to retain access to CMS administrative functions and metadata even after the legitimate user has logged out. The root cause is CWE-613 (Insufficient Session Expiration): authentication tokens are not invalidated server-side upon logout, meaning the session termination mechanism is cosmetic rather than functional. Both PHP and NodeJS backend deployments are affected. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, but the fix is available in version 26.0.0.

PHP Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-47385 MEDIUM PATCH GHSA This Month

Path traversal in NocoDB allows authenticated users with base-create permission to point a SQLite data source at any file readable or writable by the NocoDB server process, including its own internal state databases. The flaw exists in the SQLite client and base/integration create services, which accept a caller-supplied filename and pass it directly to filesystem calls without any path restriction or canonicalization. An attacker exploiting this can read or overwrite `noco.db`, tenant databases under `nc_minimal_dbs/`, or any other file accessible to the NocoDB process - enabling full internal state disclosure, cross-tenant data access, and destructive modification. No public exploit has been identified at time of analysis, and a vendor-released patch exists in version 2026.05.1.

Path Traversal
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-45776 MEDIUM PATCH This Month

Session variable manipulation in Open XDMoD prior to version 11.0.3 enables low-privileged authenticated remote attackers to bypass access control logic by submitting a crafted HTTPS POST request that overrides a session variable governing authorization decisions. Exploitation is contingent on the optional Job Performance (SUPReMM) module being installed; without it, the vulnerable code path is not reachable. No public exploit code exists and no active exploitation has been identified at time of analysis; the vendor released a fix in v11.0.3 on 2026-05-12 following private disclosure on 2026-04-06.

Authentication Bypass Xdmod
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-47382 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in NocoDB (npm/nocodb, versions up to and including 2026.05.0) allows authenticated users with connection-test permission to direct the NocoDB server process to open raw TCP sockets to attacker-specified internal destinations, including Redis instances, cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), and internal databases. The vulnerable connection-test endpoint accepted user-supplied database hostnames without DNS resolution or address-range validation, effectively making NocoDB an unauthenticated SSRF proxy to the internal network from the server's vantage point. No public exploit has been identified at time of analysis; a vendor-released patch exists in version 2026.05.1.

SSRF Redis
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11346 MEDIUM PATCH This Month

Server-side request forgery in linqi's custom process creation feature allows authenticated attackers to conduct internal network reconnaissance by forcing the server to issue arbitrary outbound HTTP requests. Affected product is linqi by linqi GmbH (all versions per CPE cpe:2.3:a:linqi_gmbh:linqi:*). By embedding a crafted HTTP Request component inside a custom workflow process, the attacker can enumerate internal hosts and open ports through differential response analysis (Success, Failed, or 504 Gateway Time-out). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

SSRF Linqi
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-47384 MEDIUM PATCH GHSA This Month

SQL injection in NocoDB's bulk groupBy endpoint allows authenticated users holding column-create or column-rename permissions to read arbitrary data from the connected database by crafting a malicious column title. Affected versions are all NocoDB npm releases up to and including 2026.05.0; a vendor-released patch is available in 2026.05.1. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low complexity of exploitation once authenticated and the direct database read impact make prompt patching a priority for any internet-exposed NocoDB deployment.

SQLi
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2020-25900 MEDIUM This Month

HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hellotalk
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-11246 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's IndexedDB implementation affects all versions prior to 149.0.7827.53, enabling an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. The integrity-only impact (C:N/I:H/A:N) means a successful exploitation could allow unauthorized writes or data manipulation across origins, but does not directly expose confidential data. No public exploit code has been identified at time of analysis, and Google's own Chromium security team rated this Low severity; a vendor-released patch is available at version 149.0.7827.53.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
5.3
EPSS
0.0%
Prev Page 4 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy