Skip to main content
CVE-2026-42890 MEDIUM PATCH GHSA This Month

Arbitrary Node.js code execution via signed Actual Budget macOS binary (versions prior to 26.5.0) is enabled by the ELECTRON_RUN_AS_NODE fuse being left active in the Electron 39.2.7 runtime. An attacker who can place a script on disk or influence the process environment can invoke Actual.app with ELECTRON_RUN_AS_NODE=1, causing the signed binary to act as a Node.js interpreter executing attacker-controlled code under Actual's macOS code signature and entitlements. No public exploit identified at time of analysis; a vendor-released patch exists in version 26.5.0 per GHSA-7rvm-xjpp-63r9.

Apple Code Injection Node.js RCE
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-9549 MEDIUM PATCH This Month

Stored cross-site scripting in Checkmk's service discovery active check output allows a high-privileged administrator to inject persistent malicious HTML or JavaScript that executes in the browsers of other administrators or users with host read permissions when they run checks on the service discovery page. Affected versions span all currently maintained branches: Checkmk below 2.5.0p5, below 2.4.0p31, below 2.3.0p48, and all 2.2.0 releases with no patch for that branch. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the stored nature of the XSS and its targeting of privileged user sessions make it a meaningful lateral-privilege and session-compromise vector within Checkmk deployments.

XSS Checkmk
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-8078 MEDIUM PATCH This Month

Stored cross-site scripting in Checkmk's global settings change log enables a high-privileged administrator to persist malicious HTML or JavaScript within changelog messages, which then executes silently in the browsers of other authenticated users who view the Activate Changes page or Audit log. Affected versions span all 2.2.0 releases and builds prior to 2.5.0p5, 2.4.0p31, and 2.3.0p48. No active exploitation is confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the insider-threat angle - an already-privileged admin targeting peer users - is the realistic concern here.

XSS Checkmk
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-46298 MEDIUM PATCH This Month

Deadlock vulnerability in the Linux kernel's pseries/papr-hvpipe subsystem allows a local low-privileged attacker on IBM pSeries Power Architecture systems to cause a kernel deadlock by triggering a race between the ioctl or release handler and a hardware interrupt firing on the same CPU. Exploitation is architecture-specific, requiring IBM PAPR hardware with the hvpipe driver loaded, and results in an availability-only denial-of-service. No public exploit exists and EPSS probability stands at 0.02%, consistent with a narrow attack surface; vendor-released patches are confirmed available for Linux 7.0.7, 7.1-rc3, and the 6.18 stable branch.

Linux Race Condition Information Disclosure
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-10787 MEDIUM This Month

Missing authorization on the deleted user groups API in Devolutions Server enables authenticated low-privileged users to enumerate metadata of deleted user groups via crafted API requests, bypassing intended access controls. Affected deployments include versions 2026.2.4.0 and 2026.1.20.0 and earlier, as confirmed by the vendor advisory DEVO-2026-0015. No public exploit exists and CISA SSVC confirms no active exploitation, placing this at low operational priority despite its network-accessible attack vector.

Authentication Bypass Server
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45536 MEDIUM PATCH GHSA This Month

File descriptor exhaustion in Netty's Unix domain socket native transport allows a local peer to leak two file descriptors per crafted SCM_RIGHTS message into the receiving process, with neither FD ever closed. Affected are applications explicitly configured with DomainSocketReadMode.FILE_DESCRIPTORS on Epoll or KQueue DomainSocketChannel - a non-default opt-in setting. Sustained message flooding by a local socket peer can exhaust the Netty process's file descriptor table, ultimately causing denial of service. No public exploit identified at time of analysis and not listed in CISA KEV; CVSS scores this at 4.0 (Low) reflecting the local-only attack surface and low availability impact.

Information Disclosure Java Linux Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-44631 CRITICAL PATCH Act Now

Apache HTTP Server 2.4.0-2.4.67 has a buffer underwrite (CWE-124) in ap_regname, triggered by a crafted regular expression in the server configuration. The vendor (Apache) rates this Low severity. A separate CISA-ADP assessment assigned CVSS 9.8 using a network, unauthenticated vector that is inconsistent with the vendor description, because exploitation requires control over the httpd configuration. No public exploit and not in CISA KEV. Fixed in 2.4.68.

Information Disclosure Apache Red Hat Apache HTTP Server
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-47712 LOW PATCH GHSA Monitor

Path traversal in Dulwich's porcelain.format_patch function allows patch files to be written outside the intended output directory by processing commits with malicious subject lines. Any service passing untrusted commits to dulwich.porcelain.format_patch(outdir=...) - such as CI pipelines, PR review platforms, or developer tooling processing third-party repositories - is affected in versions 0.24.0 through 1.2.4. No public exploit identified at time of analysis and no CISA KEV listing, but the attack pattern is trivially reproducible from the advisory description alone; exploitation requires no special tooling beyond crafting a commit with a subject like 'x/../../target'.

Microsoft Path Traversal
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-48488 LOW POC PATCH GHSA Monitor

Weak cryptographic hashing of attachment passwords in phpMyFAQ prior to 4.1.4 exposes protected attachment credentials to offline cracking or collision-based forgery. The application stored SHA-1 hashes of per-attachment passwords in the database column `password_hash`, computed via `sha1((string) $key)` in `AbstractAttachment::setKey()`. Because SHA-1 has been cryptographically broken since the 2017 SHAttered collision attack, an attacker who obtains these database-stored hashes faces significantly weakened resistance compared to a modern algorithm. No active exploitation is confirmed (CISA KEV: no; exploit status E:U per CVSS 4.0), and the CVSS 4.0 base score of 2.7 reflects limited real-world impact.

Information Disclosure Phpmyfaq
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-11505 LOW PATCH Monitor

Hard-coded cryptographic key exposure in the glnassys (GL.iNet NAS system) component across eight GL.iNet router models running firmware 4.8.x enables a low-privileged remote attacker to exploit a static authentication token and potentially execute unauthorized commands against the NAS subsystem. The vulnerability is rooted in CWE-321 (Use of Hard-coded Cryptographic Key), where the firmware embeds a fixed authentication secret that cannot be rotated by users or administrators. No public exploit identified at time of analysis, and the vendor has released firmware 4.9.0 as a fix.

Information Disclosure A1300 Ax1800 Axt1800 Mt2500 +4
NVD VulDB GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-11480 LOW Monitor

Second-order SQL injection in BeikeShop's Admin Design Builder endpoint (versions up to 1.6.0.22) allows authenticated admin-panel users to manipulate the `settings.value` argument in `beike/Admin/Routes/admin.php` to inject arbitrary SQL. The root cause spans multiple PHP repository classes - `DesignService.php`, `BrandRepo.php`, and `ProductRepo.php` - where brand and product ID arrays were passed to database queries without integer casting or sanitization. A public proof-of-concept exploit exists; the CVSS 4.0 score of 2.1 reflects the administrative authentication prerequisite that meaningfully constrains real-world exposure.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-49756 LOW PATCH Monitor

CRLF injection in Req, the Elixir HTTP client library (versions 0.5.3 through before 0.6.0), allows an attacker who can influence multipart form field metadata - specifically name, filename, or content_type values - to inject arbitrary headers into outgoing multipart requests or smuggle additional form parts. The flaw exists because Req.Utils.encode_form_part/2 interpolates caller-supplied metadata directly into Content-Disposition and Content-Type header lines without escaping double-quotes, carriage returns, or newlines. The attack surface is particularly accessible when using File.Stream inputs, since POSIX filenames may legitimately contain CR/LF characters. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog; however, any application forwarding user-controlled filenames through Req.post/2 with form_multipart is affected.

RCE Req
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-47344 LOW PATCH GHSA Monitor

XSS sanitizer bypass in typo3/html-sanitizer before 2.3.2 allows authenticated low-privileged users to inject unsanitized HTML by exploiting a parser divergence between the Masterminds HTML5 tokenizer and browser behavior for whitespace-variant closing tags such as </style\t>. The vulnerability is gated behind the non-default ALLOW_INSECURE_RAW_TEXT configuration flag, substantially limiting exposure. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

XSS Html Sanitizer
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11519 LOW Monitor

Improper authorization in SourceCodester Inventory System 1.0 allows authenticated remote attackers to manipulate the ROLE parameter in the account creation API endpoint, bypassing role-based access controls to create or modify accounts with elevated privileges beyond what is authorized. The affected component is /Product_Inventory/api/users_handler.php, a PHP endpoint that fails to enforce server-side authorization on the ROLE argument during account creation. A publicly available proof-of-concept exploit exists (CVSS temporal E:P), lowering the barrier for opportunistic abuse. No patch has been identified at time of analysis.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11469 LOW Monitor

Server-side request forgery in jishenghua jshERP up to version 3.6 allows a remote, highly-privileged attacker to manipulate the 'platformValue' argument of the platformConfig Add Endpoint, causing the server to issue forged HTTP requests to internal or external targets. The CVSS 4.0 base score of 2.0 reflects the high privilege requirement (PR:H), but exploitation is simplified by low complexity and no user interaction. A publicly available exploit exists (E:P confirmed in CVSS vector), and the project maintainer has not responded to the responsible disclosure issue filed on GitHub.

Java SSRF
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-11520 LOW Monitor

Reflected cross-site scripting in SourceCodester Inventory System 1.0 allows remote authenticated attackers to inject arbitrary JavaScript into victim browsers via unsanitized parameters in header.php. The attack requires low-level authentication and victim interaction with a crafted URL, limiting scope to integrity impact only (no confidentiality or availability impact per CVSS). Publicly available exploit code exists (CVSS E:P), though no active exploitation has been confirmed via CISA KEV, and the overall CVSS score of 3.5 (Low) reflects the constrained attack conditions.

PHP XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-11511 LOW Monitor

HTML injection in Bolt CMS 3.7.5 and earlier allows authenticated remote attackers to inject arbitrary HTML by manipulating the `style` argument within the HTML Attribute Handler component (`src/Storage/Field/Type/TextType.php`). The vulnerability requires low-privilege credentials and passive victim interaction for injected content to render, producing low-severity but persistent integrity exposure. Publicly available exploit code exists (CVSS E:P confirmed), and because the project repository has been archived as read-only by the maintainer, no vendor patch will ever be released - any remaining deployment faces permanent unpatched exposure.

PHP XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-11479 LOW Monitor

Weak SHA1-based chunk ID generation in yoanbernabeu grepai 0.35.0 enables insufficient namespace isolation within the Qdrant vector database backend, allowing an authenticated remote attacker to potentially access or corrupt indexed data belonging to other projects sharing the same Qdrant collection. The vulnerability stems from the absence of project namespace scoping in chunk UUID derivation, meaning chunk IDs could collide or be predicted across project boundaries. Publicly available exploit code exists per the CVSS E:P modifier and vendor disclosure, though no confirmed active exploitation (CISA KEV) has been recorded; the extremely low CVSS 4.0 score of 1.3 reflects high attack complexity and limited impact scope.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-11481 LOW Monitor

Cross-project embedding cache leakage in grepai (versions up to 0.35.0) allows a local low-privileged authenticated user to retrieve cached PostgreSQL embedding vectors belonging to other projects by supplying a known or predicted content_hash value to the LookupByContentHash function. The underlying flaw is a missing project_id scope in the SQL query, meaning any project's embedding vectors can be retrieved by any other authenticated caller who can supply a matching hash. No public exploitation has been confirmed via CISA KEV, but proof-of-concept exploit code has been publicly disclosed per VulDB and GitHub issue #249, and a fix PR (#250) is pending acceptance.

Information Disclosure PostgreSQL
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-47735 HIGH PATCH GHSA This Week

Authenticated arbitrary local file read in Basekick Labs Arc analytics platform allows any token holder - even one with an empty permissions array - to exfiltrate sensitive host files (auth.db bcrypt hashes, arc.toml S3/TLS secrets, /proc/self/environ) and pivot to SSRF against cloud metadata endpoints by abusing unblocked DuckDB I/O functions in the SELECT clause. The flaw stems from an incomplete regex denylist in internal/api/query.go that filtered only read_parquet and arc_partition_agg while leaving the wider DuckDB I/O family (read_csv_auto, read_json, read_text, read_blob, glob, parquet_metadata, read_xlsx, etc.) and SELECT-list scalar table functions unguarded. No public exploit identified at time of analysis, but the GHSA advisory ships a working single-request proof-of-concept and the fix is shipped in Arc 2026.06.1.

Path Traversal SSRF
NVD GitHub
EPSS
0.0%
CVE-2026-47726 HIGH PATCH GHSA This Week

Information disclosure in nebula-mesh through v0.3.1 allows any holder of an operator API key to read the server-wide audit log via GET /api/v1/audit-log, exposing cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entries. The handleGetAuditLog endpoint enforces only bearer authentication with no admin-role check, so a low-privilege tenant can enumerate staffing patterns and high-value targets. Publicly available exploit code exists in the form of a one-line curl reproducer published in the GHSA advisory; no public exploit identified at time of analysis as actively weaponized, and the issue is not on CISA KEV.

Authentication Bypass Google
NVD GitHub
EPSS
0.0%
CVE-2026-47725 HIGH PATCH GHSA This Week

Cross-site request forgery in nebula-mesh's admin web UI (versions <= 0.3.2) lets a remote attacker trigger privileged operator actions - CA signing, API key minting, operator disablement, server-setting changes, and forced logout - when a logged-in operator visits an attacker-controlled page. SameSite=Lax on the session cookie does not block top-level cross-site form POSTs, sibling-subdomain attackers, or the GET /ui/logout route, so the impact is privilege escalation rather than nuisance. No public exploit identified at time of analysis beyond the working reproducer in the advisory itself.

CSRF XSS Privilege Escalation
NVD GitHub
EPSS
0.0%
CVE-2026-47723 HIGH PATCH GHSA This Week

Missing browser security headers in nebula-mesh (Go-based mesh admin platform) through v0.3.0 expose the admin UI and API to clickjacking, MIME-sniffing, referrer leakage, and TLS downgrade attacks. The admin surfaces affected handle high-value operations including CA certificate signing, API key minting, TOTP QR display, and operator management, making framing or MIME confusion attacks materially impactful. No public exploit identified at time of analysis, and the issue was reported by the maintainer with a patch released in v0.3.1.

CSRF XSS
NVD GitHub
EPSS
0.0%
CVE-2026-47722 HIGH PATCH GHSA This Week

YAML injection in nebula-mesh (juev/nebula-mesh, forked as forgekeep/nebula-mesh) prior to v0.3.2 allows an authenticated operator to inject arbitrary YAML keys into a managed agent's config.yml via the unvalidated adv_tun_device and ListenHost host-override fields. A successful injection lets the attacker self-promote a target host to a Nebula lighthouse or relay, redirecting and intercepting mesh traffic across the overlay network. No public exploit identified at time of analysis, but a detailed PoC payload is published in the GHSA advisory itself.

Code Injection RCE
NVD GitHub
EPSS
0.0%
Prev Page 5 of 5

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy