Skip to main content
CVE-2026-47935 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged remote attacker to execute arbitrary JavaScript in a victim's browser by manipulating the DOM environment through a crafted webpage. The changed scope (S:C in CVSS) means successful exploitation can affect resources beyond the vulnerable component itself, enabling session hijacking or credential theft against AEM users. Exploitation requires user interaction - the victim must be social-engineered into visiting an attacker-controlled or injected URL - and no public exploit or CISA KEV listing exists at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34692 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to inject malicious JavaScript that executes entirely within the victim's browser by manipulating client-side DOM sinks. The CVSS scope change (S:C) signal indicates successful exploitation can affect browser components beyond the AEM instance itself - enabling session hijacking or unauthorized actions on behalf of the victim. Adobe PSIRT has issued Security Bulletin APSB26-56 covering this issue; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34033 MEDIUM This Month

HTML content injection in Apache Answer's email notification system allows authenticated users to embed arbitrary HTML markup into notification emails delivered to other platform users. All versions through 2.0.0 are affected. Because no CVSS vector was published at time of analysis, authentication requirements are confirmed from the description rather than from a CVSS PR component - an attacker must have a valid platform account to submit the content that triggers the malicious notification. No public exploit code and no CISA KEV listing have been identified.

XSS Apache
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-36728 MEDIUM This Month

Markdown-based XSS in FastapiAdmin v2.2.0's AI assistant chat function allows unauthenticated remote attackers to inject crafted markdown payloads that execute arbitrary JavaScript in a victim's browser. The Changed scope (S:C) in the CVSS vector confirms the vulnerability crosses the application trust boundary into the browser security context. A public proof-of-concept exists via the researcher disclosure repository, and no vendor-released patch has been identified at time of analysis.

XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-36722 MEDIUM This Month

Arbitrary file upload via the /api/create-car-image endpoint in bookcars v8.3 enables server-side code execution by uploading a crafted file (e.g., a web shell). The vulnerability targets an image upload API that fails to restrict file types per CWE-434. No public exploit identified at time of analysis, and EPSS sits at 0.02% (6th percentile), indicating negligible observed exploitation pressure - however, two data conflicts significantly affect confidence: the description asserts an authenticated attacker is required while the CVSS vector records PR:N (no privileges required), and the CVSS impact scores of C:L/I:L are inconsistent with the claimed remote code execution outcome.

RCE File Upload N A
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47989 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) allows an authenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by manipulating the client-side DOM environment. The CVSS scope change (S:C) confirms the injected script executes in the victim's browser context - separate from the vulnerable AEM application - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. Exploitation requires low privileges (authenticated attacker) and user interaction (victim must visit a crafted webpage); no public exploit identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47987 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables an authenticated remote attacker to inject and execute arbitrary JavaScript within a victim's browser session by manipulating the client-side DOM environment. The CVSS Scope:Changed rating confirms the vulnerability crosses the security boundary from the AEM application into the victim's browser context, enabling theft of session tokens, credential harvesting, or malicious redirects. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47985 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows an authenticated attacker to deliver a crafted webpage that, when visited by a victim, executes arbitrary JavaScript within the victim's browser context. The CVSS scope change (S:C) indicates impact crosses the security boundary of the vulnerable AEM component into the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis; SSVC assessment marks exploitation as none and the attack as not automatable.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47983 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager allows an authenticated, low-privileged attacker to execute arbitrary JavaScript in a victim's browser by enticing them to visit a crafted webpage. Affected versions span the 6.5.x line through 6.5.24, the LTS SP1 branch, and all cloud releases through 2026.04. The Scope:Changed CVSS attribute indicates the injected script can affect resources beyond the originating AEM context - elevating the practical impact above what the 5.4 Medium score alone suggests. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47982 MEDIUM This Month

DOM-based Cross-Site Scripting in Adobe Experience Manager (versions up to and including 6.5.24, LTS SP1, and 2026.04) allows an authenticated low-privilege attacker to execute arbitrary JavaScript in a victim's browser by directing them to a crafted webpage. The scope-changed rating (S:C) indicates the injected script's impact escapes the vulnerable AEM component boundary, potentially compromising session data or other browser-accessible resources belonging to the victim. No public exploit code has been identified and no active exploitation is confirmed by CISA KEV at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47981 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to permanently inject malicious JavaScript into vulnerable form fields within the CMS. When any user - including administrators - browses the page hosting the tampered field, the injected script executes in their browser under the application's security context, with scope change (S:C) enabling impact beyond the originating component. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and broad AEM deployment surface make patching a priority for enterprise environments.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47980 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) 6.5.24, LTS SP1, and 2026.04 and earlier allows a low-privileged authenticated attacker to inject persistent malicious scripts into vulnerable form fields within the CMS authoring interface. When a higher-privileged user such as an administrator subsequently browses to the page hosting the injected content, the JavaScript executes in their browser session under a changed security scope, enabling potential session hijacking or privilege escalation. No public exploit code or active exploitation confirmed by CISA KEV has been identified at time of analysis; Adobe has issued security advisory APSB26-56 addressing this issue.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47977 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user - including higher-privileged administrators - browses to the affected page, the injected script executes in their browser, potentially enabling session hijacking, credential theft, or unauthorized actions on their behalf. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and scope-changed rating elevate real-world concern for multi-tenant AEM deployments.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47975 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables a low-privileged authenticated attacker to persistently inject malicious JavaScript into vulnerable form fields within the CMS. When any victim - potentially a higher-privileged editor or administrator - browses to the page containing the injected content, the script executes in their browser context, with scope change (S:C) indicating the impact crosses AEM's security boundary into the victim's browser. No public exploit identified at time of analysis, and this vulnerability is not currently listed in CISA KEV.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47973 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) 2026.04 and earlier enables a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user - including administrators - browses to a page containing the injected content, the script executes in their browser under a changed security scope (S:C), potentially compromising confidentiality and integrity of the victim's session. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, AEM's widespread enterprise deployment and the low barrier of entry (low-privilege account only) make this a meaningful risk in environments where untrusted or lightly vetted users have authoring or form-editing access.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47970 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables low-privileged authenticated attackers to inject persistent malicious JavaScript into vulnerable form fields, which then executes in the browsers of users who visit the affected pages. The CVSS Scope:Changed designation means injected scripts can breach the security context of the AEM application itself, potentially affecting other browser-accessible resources. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47966 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields, which executes in other users' browsers upon page load. Affected versions span the 6.5.x branch through 6.5.24, the LTS SP1 track, and cloud-native releases through 2026.04. No public exploit code or active exploitation has been identified at time of analysis; however, the changed scope (S:C) elevates real-world impact by enabling session hijacking or credential theft against higher-privileged users such as authors or administrators.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47962 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, 2026.04 and earlier allows a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any user browses a page containing the poisoned field, the script executes in their browser - with scope change (S:C) meaning the injected payload can affect resources and sessions beyond the origin of the vulnerable component itself. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47958 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (versions up to and including 6.5.24, LTS SP1, and 2026.04) allows a low-privileged authenticated attacker to persist malicious JavaScript in vulnerable form fields. When a victim - such as an administrator - browses a page containing the injected payload, the script executes in their browser session, enabling session hijacking, credential theft, or privilege escalation within the AEM instance. The CVSS Scope:Changed designation elevates practical risk above the medium base score of 5.4, as impact extends beyond the attacker's own session to the victim's browser context. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47957 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions up to and including 6.5.24, LTS SP1, and 2026.04 enables a low-privileged authenticated attacker to inject persistent malicious JavaScript into vulnerable form fields. When any victim user subsequently browses to the page hosting the injected content, the script executes in their browser - outside AEM's security boundary (CVSS S:C, scope changed) - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47954 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (versions 6.5.24, LTS SP1, and 2026.04 and earlier) enables a low-privileged authenticated attacker to persist malicious JavaScript payloads inside vulnerable form fields. When a higher-privileged user - such as an administrator or editor - later browses the affected page, the injected script executes in their browser context, potentially enabling session hijacking, credential theft, or unauthorized actions on the victim's behalf. The CVSS Scope:Changed designation confirms the exploit transcends the attacker's own privilege boundary; no public exploit has been identified and CISA SSVC assessment rates exploitation as none at time of analysis.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47953 MEDIUM This Month

Stored Cross-Site Scripting in Adobe Experience Manager (AEM) versions 6.5.24, LTS SP1, and 2026.04 and earlier enables a low-privileged authenticated attacker to persist malicious JavaScript inside vulnerable form fields, which subsequently executes in any victim's browser upon visiting the affected page. The CVSS scope-change flag (S:C) reflects that the injected code breaks out of AEM's server-side security boundary and runs in the victim's browser context, enabling session hijacking or credential theft against higher-privileged users such as administrators. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and broad AEM enterprise deployment surface make this a credible lateral-escalation vector inside organizations.

XSS Adobe
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41972 MEDIUM This Month

Path traversal in the HarmonyOS SMS application allows unauthenticated remote attackers to impact integrity and availability on affected Huawei devices. Exploitation requires user interaction - a victim must engage with a crafted message - but no privileges or special authentication are needed from the attacker's side, lowering the barrier to reach a target. No public exploit or CISA KEV listing exists at time of analysis; this appears to be a vendor-disclosed issue patched in the June 2026 Huawei security bulletin.

Path Traversal
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-36726 MEDIUM This Month

{file} endpoint, which fails to restrict path traversal sequences in the file parameter. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no privileges, and no user interaction from a network position. No public exploit identified at time of analysis, and the EPSS score of 0.12% (30th percentile) reflects low observed exploitation probability, though the no-auth attack surface warrants attention for publicly exposed deployments.

Path Traversal N A
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-42914 MEDIUM PATCH Exploit Unlikely This Month

Windows Kerberos out-of-bounds read (CWE-125) allows a low-privilege network attacker to crash the Kerberos authentication service across all actively supported Windows client and server platforms, from Windows Server 2012 through Windows Server 2025 and Windows 11 26H1. The attack requires prior domain authentication and high-complexity triggering conditions (CVSS AC:H), limiting opportunistic mass exploitation, though a successful attack against a domain controller can deny authentication domain-wide by crashing the KDC. Vendor patches are available via the Microsoft MSRC advisory; no public exploit code exists and SSVC confirms no observed exploitation at time of analysis.

Denial Of Service Information Disclosure Microsoft Buffer Overflow Windows 10 1607 +12
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-49843 MEDIUM PATCH This Month

Session eviction via unauthenticated sessid collision in FreeSWITCH mod_verto (all versions prior to 1.11.1) allows a remote unauthenticated attacker who knows a target client's session UUID to forcibly disconnect that client - terminating active calls and closing their WebSocket connection - by racing a crafted JSON-RPC first-frame before the authentication gate. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms full network reachability with no credentials required; the sole prerequisite is knowledge of the victim's session UUID. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.

Authentication Bypass Freeswitch
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-49472 MEDIUM PATCH This Month

Denial-of-service exposure in FreeSWITCH versions prior to 1.11.0 stems from a vendored, unpatched copy of libexpat XML tokenization code embedded in the bundled xmlrpc-c library. The function PREFIX(prologTok)() in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c was cloned from an outdated upstream libexpat release and never received the corresponding security fix, leaving FreeSWITCH's XML parsing surface vulnerable. An authenticated low-privilege attacker over the network can exploit this to achieve high availability impact against the telecom stack; no public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Freeswitch
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41852 MEDIUM PATCH This Month

Spring Expression Language (SpEL) evaluation logic in Spring Framework 5.3.x through 7.0.x fails to enforce method invocation restrictions in read-only or restricted contexts, allowing remote unauthenticated attackers (CVSS PR:N, AV:N) to invoke arbitrary zero-argument methods and trigger unintended application logic. Scored LOW (3.7) with only availability impact per CVSS (A:L), though the 'Authentication Bypass' tag and CWE-863 (Incorrect Authorization) suggest the authorization bypass itself may have broader implications not fully reflected in the score. No public exploit identified at time of analysis and no CISA KEV listing, but the wide version range across four active Spring Framework release trains represents significant ecosystem exposure.

Authentication Bypass Java Spring Framework
NVD HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-46747 MEDIUM CISA This Month

Path traversal in Siemens SINEC INS versions prior to V1.0 SP2 Update 6 exposes arbitrary file system locations via the SFTP directory listing endpoint. An authenticated low-privileged network attacker can send a crafted path to GET /api/sftp/uploadFiles to read files outside the intended directory scope, resulting in unauthorized disclosure of file system contents. No active exploitation or public proof-of-concept has been identified at time of analysis; the impact is limited to confidentiality with no integrity or availability consequence.

Path Traversal Sinec Ins
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-47352 MEDIUM PATCH GHSA This Month

Improper authorization in TYPO3 CMS Backend API routes allows authenticated backend users to retrieve file metadata for files and folders outside their permitted file mounts or storages. Specifically, the ImageProcessController and LinkController endpoints failed to call checkActionPermission('read') before returning resource data, letting any backend-authenticated user enumerate file system structure beyond their assigned access scope. No active exploitation has been reported and no public exploit code has been identified at time of analysis, but the low-complexity network-accessible nature of the flaw makes it straightforward for any backend user to abuse.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-47350 MEDIUM PATCH GHSA This Month

Missing authorization in TYPO3 CMS's DataHandler allows authenticated backend users with low privileges to move content records across pages without holding edit permissions on the source page. The `moveRecord()` method in `DataHandler.php` validated destination-page access but omitted the symmetrical check on the source page, enabling unauthorized restructuring of the content hierarchy. Affected versions are 13.0.0-13.4.31 and 14.0.0-14.3.3; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-41853 MEDIUM PATCH This Month

Multipart request smuggling in Spring Framework's MVC and WebFlux components exposes applications to HTTP request manipulation via CWE-444. Unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N per CVSS) can exploit inconsistent multipart boundary parsing to smuggle malformed HTTP requests, achieving low-integrity impact against affected deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the zero-prerequisite attack profile and broad version coverage across four major Spring branches (5.3.x, 6.1.x, 6.2.x, 7.0.x) make this relevant to any Java shop running Spring MVC or WebFlux with multipart upload handling enabled.

Information Disclosure Java Request Smuggling Spring Framework
NVD HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-11696 MEDIUM PATCH This Month

Uninitialized memory use in the Video component of Google Chrome on Windows (prior to 149.0.7827.103) allows an attacker who has already compromised the renderer process to read potentially sensitive data from process memory by directing the victim to a crafted HTML page. The vulnerability is Windows-specific, rated High severity by Chromium's internal scale, and carries a CVSS 5.3 due to the high attack complexity and required user interaction stacking atop the renderer-compromise prerequisite. No public exploit identified at time of analysis; Google has released a fix in version 149.0.7827.103.

Information Disclosure Google Microsoft Red Hat Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-11678 MEDIUM PATCH This Month

Integer overflow in libyuv allows a renderer-compromised attacker to read sensitive process memory in Google Chrome prior to 149.0.7827.103. This is a chained, post-exploitation vulnerability: the attacker must first control the Chrome renderer process (via a separate exploit), then serve a crafted HTML page that triggers the libyuv integer overflow to extract memory contents - making this a privilege escalation and data exfiltration primitive within a broader attack chain. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Google Red Hat Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-11669 MEDIUM PATCH This Month

Out-of-bounds read in Chrome's Media component on ChromeOS allows an attacker who has already compromised the renderer process to exfiltrate potentially sensitive data from process memory via a crafted HTML page. Affected are all Chrome for ChromeOS releases prior to 149.0.7827.103. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is constrained by both the ChromeOS-only scope and the mandatory prerequisite of a pre-compromised renderer, making this a chained attack scenario rather than a standalone critical threat.

Google Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41847 MEDIUM PATCH This Month

Security bypass in Spring WebFlux's Kotlin Router DSL (CWE-284: Improper Access Control) allows remote unauthenticated attackers to circumvent access control rules in Spring Framework 5.3.0 through 5.3.48. The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable exploitation without authentication, though high attack complexity constrains opportunistic exploitation. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Java
NVD HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4986 MEDIUM PATCH This Month

WPForms WordPress plugin versions prior to 1.10.0.5 allow unauthenticated remote attackers to forge PayPal webhook payloads and manipulate the payment state of arbitrary transactions due to absent webhook authenticity verification. The endpoint blindly processes incoming PayPal webhook events without validating their origin or integrity, enabling attackers to mark pending or failed payments as completed. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects low current exploitation activity, though the business impact of fraudulent payment confirmation can materially exceed what the CVSS integrity score suggests.

Authentication Bypass WordPress
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42769 MEDIUM PATCH This Month

Trust anchor substitution in OpenSSL's CMP rootCaKeyUpdate handler allows a network-positioned attacker with low privileges to bypass certificate validation via a cert/issuer field confusion bug (CWE-295), affecting four actively maintained OpenSSL branches. The high confidentiality impact (C:H) reflects the potential for a substituted malicious trust anchor to undermine TLS certificate chains, enabling downstream interception of protected communications. No public exploit identified at time of analysis; vendor patch released 2026-06-09 across all affected branches.

OpenSSL Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42489 MEDIUM PATCH This Month

Denial of service against Xen host management is possible through deliberate abuse of the unfair domctl system-wide lock, affecting all Xen versions from 3.3 onwards. A less-privileged domain can monopolize the lock used to serialize guest creation and management operations, starving the control domain or equally/more-privileged entities of lock access and potentially rendering the entire host unmanageable. No public exploit identified at time of analysis, and no CVSS score was published with XSA-492.

Python Information Disclosure
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-47351 MEDIUM PATCH GHSA This Month

TYPO3 CMS clipboard functionality exposes unauthorized records and files to authenticated backend users due to missing read permission enforcement. Affected versions span 10.4.0 through 13.4.30 and 14.0.0 through 14.3.2. A low-privileged backend user can insert arbitrary database records or file system objects into their clipboard, causing the application to resolve and expose metadata about resources they are not authorized to view - effectively bypassing access controls on content visibility. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-47347 MEDIUM POC PATCH GHSA This Month

Open redirect exploitation in TYPO3 CMS allows unauthenticated remote attackers to bypass the `GeneralUtility::sanitizeLocalUrl` locality check by crafting URLs containing backslash sequences, control characters, or slash-pattern variations that the prior implementation failed to reject, redirecting victims to arbitrary external sites for phishing. All major active TYPO3 branches are affected: versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the bypass patterns are explicitly documented in the upstream fix's own test suite, substantially lowering the bar to reproduction.

Open Redirect
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-41981 MEDIUM This Month

Heap-based buffer overflow in the HarmonyOS IPC (Inter-Process Communication) module allows a local low-privileged attacker to impact confidentiality, integrity, and availability of the affected system. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) confirms exploitation requires local authenticated access with low complexity, limiting but not eliminating real-world risk on consumer and wearable Huawei devices. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Heap Overflow Buffer Overflow
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-8499 MEDIUM This Month

Unauthenticated settings manipulation in Helpfulcrowd Product Reviews plugin for WordPress (versions up to and including 1.2.9) allows any remote attacker to overwrite arbitrary plugin configuration values in the WordPress database. The vulnerability stems from a PHP type juggling flaw in the token validation function combined with an openly accessible REST endpoint registered with `__return_true` as its permission callback. By submitting a JSON boolean `true` as the token value, an attacker bypasses the loose-comparison check (`!=`) in `helpfulcrowd_validate_token()` and gains full write access to the `helpfulcrowd_options` database option with no sanitization or allowlist enforcement. No public exploit or CISA KEV listing is identified at time of analysis.

PHP Memory Corruption WordPress RCE
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-9211 MEDIUM PATCH This Month

Unauthenticated local-network control of NETGEAR CAX30, RAX30, RAX5, and RAXE300 routers is possible through an authentication bypass rooted in improper input validation (CWE-20). An attacker already present on the local network segment - such as a guest Wi-Fi user, a compromised IoT device, or a rogue actor on the same LAN - can circumvent authentication and gain full administrative control, enabling arbitrary configuration changes, traffic interception, or persistent backdoor installation. No public exploit code has been identified at time of analysis, and NETGEAR has released firmware patches for all four affected product lines.

Authentication Bypass Cax30 Rax30 Rax5 Raxe300
NVD
CVSS 4.0
5.2
EPSS
0.0%
CVE-2026-41984 MEDIUM This Month

Use-after-free in the HarmonyOS package management module allows a locally authenticated, highly privileged attacker to corrupt memory and primarily impact service availability. The CVSS vector (AV:L/AC:H/PR:H) constrains the attack to local, high-complexity scenarios requiring administrative privileges, yielding a medium-severity score of 5.2. No public exploit code or CISA KEV listing has been identified at time of analysis, though the Authentication Bypass tag in the intelligence data warrants scrutiny given the high-privilege prerequisite implied by CVSS.

Authentication Bypass
NVD
CVSS 3.1
5.2
EPSS
0.0%
CVE-2025-62858 MEDIUM PATCH This Month

Stack-based buffer overflow in QNAP QTS and QuTS hero NAS operating systems enables an authenticated administrator to corrupt stack memory or crash processes via a network-accessible attack path. Affected versions span QTS 5.2.x and multiple QuTS hero release trains (h5.2.x, h5.3.x, h6.0.x), with vendor-released patches dated February-May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory high-privilege prerequisite substantially limits realistic attack surface.

Stack Overflow Qnap Buffer Overflow Qts Quts Hero
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-34416 MEDIUM This Month

Reflected cross-site scripting in OSCAL-GUI allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a malicious payload in the `project` request parameter. The injected input breaks out of both JavaScript string and HTML attribute context within the body onload event handler, granting attacker-controlled script execution in the victim's session. No active exploitation is confirmed (not in CISA KEV), but a public GitHub gist documenting the issue exists, suggesting POC-level detail is openly accessible.

XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-32856 MEDIUM This Month

Reflected XSS in Ellucian Banner Self-Service allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized content via the `toDateFormat` parameter of the publicly accessible `dateConverter` endpoint. The CVSS vector (PR:N, S:C) confirms no credentials are needed to craft the attack and that the impact crosses security boundaries into the victim's browser session, enabling session hijacking or credential theft against higher-education users. No public exploit has been identified and this is not listed in CISA KEV, but the unauthenticated endpoint and simple social-engineering delivery path make this practically exploitable with low attacker skill.

XSS Banner Self Service
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-47106 MEDIUM This Month

Stored cross-site scripting in Ellucian Banner Self-Service before the April T2 2025 release (2025-04-23) allows low-privileged authenticated Banner ERP users to persist malicious JavaScript in faculty and course data fields via missing HTML encoding at the DOM insertion point. Payloads planted in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle are subsequently served through the unauthenticated getFacultyMeetingTimes API and execute in any victim's browser that renders course search results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Banner Self Service
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-25557 MEDIUM This Month

Reflected XSS in Evoluted PHP Directory Listing Script through version 4.0.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL. The `dir` parameter in `index.php` is rendered unsanitized in two distinct HTML contexts: the page `<title>` element and breadcrumb `<a href>` attributes, each enabling distinct injection techniques — title context breakout and event handler injection respectively. No public exploit has been confirmed via CISA KEV, though a proof-of-concept gist is referenced in the NVD advisory data, indicating exploit code may be publicly accessible.

PHP XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
Prev Page 5 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy