Skip to main content
CVE-2026-20255 MEDIUM PATCH This Month

Classic dashboard URL validation bypass in Splunk Enterprise and Splunk Cloud Platform enables low-privileged authenticated users to craft dashboards that silently exfiltrate sensitive data to attacker-controlled external servers. The flaw (CWE-20) resides in the external content dialog, which fails to enforce complete domain restrictions, allowing outbound requests to untrusted hosts when a victim interacts with the malicious dashboard. No public exploit exists and this vulnerability is not listed in CISA KEV, but the High confidentiality impact (C:H) in the CVSS vector reflects meaningful data exposure risk in environments where Splunk indexes security events, credentials, or sensitive operational logs.

Information Disclosure Splunk Splunk Enterprise Splunk Cloud Platform
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-20254 MEDIUM PATCH This Month

CSS injection in Splunk Enterprise and Splunk Cloud Platform classic dashboards enables credential and sensitive data exfiltration by low-privileged users targeting higher-privileged accounts. A low-privileged user (without 'admin' or 'power' roles) can craft a malicious classic dashboard containing injected CSS via inline style attributes; when a higher-privileged user views the dashboard, outbound HTTP requests are triggered to attacker-controlled external servers, bypassing the Trusted Domains restriction. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, but the C:H confidentiality impact and cross-privilege exploitation path make this a meaningful insider or compromised-account threat in environments with mixed privilege levels.

Information Disclosure Splunk Splunk Enterprise Splunk Cloud Platform
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-20256 MEDIUM PATCH This Month

Classic dashboard drill-down links in Splunk Enterprise and Splunk Cloud Platform can be weaponized by low-privileged authenticated users to silently redirect victims to attacker-controlled external sites, enabling data exfiltration. The flaw stems from an incomplete URL scheme validator that recognizes only 'http://' and 'https://' prefixes, allowing protocol-relative URLs like '//attacker.com' to bypass the external-navigation warning dialog entirely. No public exploit code exists and no active exploitation is confirmed (not in CISA KEV), but the attack requires only a low-privileged account and a single victim click, making it a realistic phishing vector in multi-tenant or large enterprise Splunk deployments.

Authentication Bypass Splunk Splunk Enterprise Splunk Cloud Platform
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-11604 MEDIUM This Month

Heap-based buffer overflow in OpenVPN's ovpn-dco-win Windows kernel driver (versions 2.0.0-2.8.3) allows a remote authenticated VPN peer to crash the host system by sending a crafted data packet that exploits an incorrect buffer size calculation in the epoch key generator. Because the vulnerable code executes in kernel mode, the resulting memory corruption causes a full system crash (BSOD), not a user-space fault. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis, though the kernel-level availability impact is severe when conditions are met.

Denial Of Service Buffer Overflow Ovpn Dco Win
NVD GitHub VulDB
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-20259 MEDIUM PATCH This Month

Improper access control on the saved search ownership reassignment endpoint in Splunk Enterprise and Splunk Cloud Platform allows a highly privileged authenticated user - one whose role contains the `edit_saved_search_owner` capability - to reassign saved search ownership to users outside their authorized scope. Affected versions span Splunk Enterprise below 10.2.4 and 10.0.7, and multiple Splunk Cloud Platform branches below their respective fixed builds. No public exploit has been identified at time of analysis, and the PR:H CVSS requirement confines risk primarily to insider threats or scenarios involving compromised privileged Splunk accounts.

Splunk Authentication Bypass Splunk Enterprise Splunk Cloud Platform
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47768 MEDIUM PATCH GHSA This Month

Sensitive information disclosure in nebula-mesh (all versions ≤ v0.3.1) leaks newly-minted 32-byte operator API bearer tokens into browser URL history, cross-origin Referer headers, and reverse-proxy access logs by embedding the raw token in a 303 redirect query string. Any actor with read access to nginx combined-format logs, CDN logs, or browser history backup storage can harvest the token and impersonate the operator via the API. A secondary CWE-116 flaw in the same handler omits url.QueryEscape on the user-supplied key name, enabling query-string corruption and potential header injection in older proxies. No public exploit identified at time of analysis; a detailed step-by-step reproducer is included in the GitHub Security Advisory GHSA-9pg3-25fq-p6cc. Fix is available in v0.3.2.

Nginx Information Disclosure
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20258 MEDIUM PATCH This Month

Stored cross-site scripting in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform (below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, 9.3.2411.132) allows a low-privileged authenticated user - without 'admin' or 'power' roles - to embed malicious JavaScript inside a classic dashboard HTML panel that executes in another user's browser session. Exploitation requires phishing the victim into initiating a specific browser request, and no public exploit was identified at time of analysis.

XSS Splunk Splunk Enterprise Splunk Cloud Platform
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41003 MEDIUM PATCH This Month

Cross-site scripting in Spring Security's SAML 2.0 relying party support allows an attacker who can influence RelyingPartyRegistration values to inject malicious content into HTML forms generated by Spring Security filters, potentially leading to script execution in a victim's browser. The advisory and tagging characterize this as an XSS issue with possible code-execution implications in the browser context, affecting Spring Security 5.7.x through 7.0.x prior to the fixed maintenance releases. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Java RCE Spring Security
NVD VulDB HeroDevs
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-53473 MEDIUM This Month

Stored cross-site scripting in Red Hat's migration-planner-ui-app (kubev2v project) allows an authenticated attacker who can register a discovery agent to inject a javascript: URI into the agent's credentialUrl field, which executes in another organizational user's browser when they click the resulting link in the UI. No public exploit identified at time of analysis, but the upstream fix (PR #750) and Red Hat Bugzilla entry confirm the issue is real and patched via a safeExternalUrl protocol allowlist. Successful exploitation hijacks the victim's Red Hat SSO session and enables cross-tenant data access and API actions.

XSS Red Hat Migration Planner Ui
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-53441 MEDIUM PATCH GHSA This Month

Stored XSS in Jenkins 2.483-2.567 and LTS 2.492.1-2.555.2 allows attackers holding Agent/Configure permission to inject persistent malicious scripts via the `POST config.xml` API by supplying an unescaped generic offline cause description. When any Jenkins user views the affected agent page, the payload executes in their browser, enabling session hijacking or unauthorized actions within the Jenkins instance. No public exploit or CISA KEV listing has been identified, and EPSS probability is low at 0.02%, reflecting the constrained attack surface from the required permission prerequisite.

Jenkins XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-11626 MEDIUM This Month

Local privilege escalation in Broadcom's Symantec Endpoint Protection CleanWipe Removal Tool for macOS, versions prior to 16.0.0.65, allows a local attacker to gain administrative control of the affected system. The vulnerability is rooted in CWE-250 (Execution with Unnecessary Privileges), a class where a process operates with more permissions than its function requires, creating an elevation pathway. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog; however, the full confidentiality, integrity, and availability impact on the vulnerable component (VC:H/VI:H/VA:H) underscores the severity of a successful exploitation.

Apple Privilege Escalation
NVD VulDB
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-11815 MEDIUM This Month

Insecure deserialization in Broadcom Layer 7 API Gateway 11.2.1 exposes organizations to remote code execution or broken security control enforcement when an adversary can intercept and tamper with traffic between a client application and the gateway. The CVSS 4.0 vector assigns High subsequent-system confidentiality impact (SC:H), reflecting the gateway's privileged position as a broker to downstream backend services - meaning a successful exploit can cascade beyond the gateway itself. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the RCE potential and architectural sensitivity of an API gateway make this a meaningful priority for affected deployments.

Deserialization RCE Layer 7 Api Gateway
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-22899 MEDIUM PATCH This Month

NULL pointer dereference in QNAP File Station 5 enables authenticated remote attackers to crash the service and cause a denial-of-service condition. Exploitation requires prior acquisition of a valid user account on the target QNAP NAS device, after which the attacker can trigger the dereference remotely over the network. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Null Pointer Dereference File Station 5
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-24720 MEDIUM PATCH This Month

Resource exhaustion in QNAP File Station 5 (versions 5.5.0 through 5.5.6.5242) allows a remote attacker holding a low-privilege user account to exhaust shared resources, denying availability to other users, processes, or applications on the same system. The vulnerability is classified as a Denial-of-Service risk with no impact on confidentiality or data integrity. No public exploit code or CISA KEV listing has been identified at time of analysis; QNAP has released a patched version and published a security advisory.

Denial Of Service File Station 5
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2024-21944 MEDIUM This Month

Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of. Rated medium severity (CVSS 5.3). No vendor patch available.

Information Disclosure Amd Epyc 7003 Series Processors Amd Epyc 9004 Series Processor Suse
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-26241 MEDIUM PATCH This Month

Stack-based buffer overflow in QNAP File Station 5 enables remote unauthenticated attackers to corrupt memory or destabilize processes through a network-accessible attack path requiring only passive user interaction. Affected versions are all releases prior to 5.5.6.5243; QNAP's own security team (security@qnapsecurity.com.tw) discovered and disclosed the issue via advisory QSA-26-27. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, the unauthenticated network attack vector lowers the bar for opportunistic targeting of QNAP NAS deployments.

Stack Overflow Buffer Overflow File Station
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-26240 MEDIUM PATCH This Month

Stack-based buffer overflow in QNAP File Station 5 allows unauthenticated remote attackers to corrupt process memory or crash the file management service when a victim user passively interacts with a crafted input. Affected versions are all File Station 5 releases prior to 5.5.6.5243, running on QNAP NAS devices accessible over the network. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; QNAP has confirmed and released a fix in version 5.5.6.5243 via advisory QSA-26-32.

Stack Overflow Buffer Overflow File Station
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-48108 MEDIUM PATCH GHSA This Month

Resource exhaustion in Russh's SSH server identification-string reader allows unauthenticated remote attackers to hold connection setup resources indefinitely during the cleartext pre-authentication phase. Russh versions 0.34.0-beta.1 through 0.60.x used the same permissive identification reader for both client and server roles, failing to cap the number of pre-banner lines a connecting client could send before the SSH identification string - a constraint OpenSSH enforces strictly per RFC 4253. Any application serving SSH via russh is exposed to this pre-auth resource-holding condition. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SSH Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-47751 MEDIUM PATCH GHSA This Month

Malicious MCP server configuration injection via pull requests enables remote code execution on GitHub Actions runners running anthropics/claude-code-action versions prior to 1.0.74. The action's combination of checking out attacker-controlled PR head branches, reading `.mcp.json` from the working directory by default, and unconditionally enabling all discovered project MCP servers creates a poisoned pipeline execution path - an attacker who can open a PR can plant a malicious `.mcp.json` that executes arbitrary commands once a privileged user or automated trigger invokes the Claude action against that PR. Successful exploitation results in full secret exfiltration from the workflow environment, including API keys and tokens accessible to the runner. No public exploit identified at time of analysis; the fix was disclosed via GitHub Security Advisory GHSA-8q5r-mmjf-575q and patched in version 1.0.74.

Command Injection RCE
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-44505 MEDIUM This Month

Indefinite future hang (denial of service) in Nimiq core-rs-albatross's network-libp2p component allows any remote peer to cause DHT get-record callers to block forever by returning a record that fails signature or structural verification. The root cause is improper error handling in handle_dht_get (swarm.rs): on verifier failure or subsequent inconsistent-state transitions, the oneshot channel used by Network::dht_get is never completed and per-query bookkeeping is never cleaned up, leaving the awaiting caller suspended without a timeout. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV. The issue is patched in version 1.4.0.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-53737 MEDIUM This Month

Stored cross-site scripting in the Juicer WordPress plugin (versions through 1.12.18) allows an attacker who controls a connected social media feed source to inject arbitrary JavaScript that executes in a WordPress administrator's browser when the Juicer settings page loads. The plugin fetches remote feed API responses and renders them on the admin settings page without HTML output escaping, enabling script injection via externally controlled data. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the passive user interaction requirement limiting broad exploitation.

XSS Juicer
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-49397 MEDIUM PATCH GHSA This Month

Information disclosure in nezha 2.x server monitoring dashboard exposes private services marked with `EnableShowInService: false` to unauthenticated network visitors through two API endpoints that bypass the intended visibility filter. Attackers who can reach the API can enumerate hidden service names, IDs, and per-server timing data by iterating over public server IDs or guessing numeric service IDs - both low-cardinality spaces in typical deployments. No public exploit is required to leverage this; a fully functional proof-of-concept using only standard `curl` commands is documented in the GitHub security advisory GHSA-vrmh-5mmx-hjwx, and the fix is available in version 2.0.14.

Information Disclosure Oracle Microsoft Hashicorp
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41837 MEDIUM PATCH This Month

Spring Data REST's Querydsl integration exposes arbitrary persistent entity property paths as request-parameter filter keys without first applying Jackson serialization customizations such as @JsonIgnore or @JsonView, allowing unauthenticated remote attackers to probe and extract values of fields that developers intentionally suppressed from the API surface. All major release trains from 3.7.x through 5.0.x are affected across a broad Spring Boot installation base. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, though the no-auth, low-complexity network vector makes this straightforward to abuse against misconfigured deployments.

Authentication Bypass Java Spring Data Rest
NVD HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41730 MEDIUM PATCH This Month

Spring Data REST leaks persistence-layer internals - including database schema details, Hibernate/JPA exception messages, and query structures - by serializing the full exception cause chain directly into HTTP error response bodies. All five active release lines are affected (3.7.x, 4.3.x, 4.4.x, 4.5.x, and 5.0.x), and the CVSS vector confirms unauthenticated remote exploitation against default configurations with no user interaction required. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the zero-friction access conditions make any network-exposed Spring Data REST deployment a realistic target for automated reconnaissance that could enable follow-on, more damaging attacks.

Information Disclosure Java Spring Data Rest
NVD HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-53675 MEDIUM This Month

Insecure direct object reference in BuddyPress 14.4.0's friends REST API exposes any authenticated attacker's ability to enumerate the complete friend list of any arbitrary user on the platform. The root cause is a missing ownership check in the `get_items_permissions_check` method, which validates only that the requester is logged in - not that they have authorization to view the target `user_id`'s social connections. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the low attack complexity and broad applicability to any authenticated user on affected WordPress installations make it a genuine privacy risk for communities using BuddyPress's social networking features.

Authentication Bypass
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-53442 MEDIUM This Month

Unencrypted secret storage in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) exposes credentials submitted via POST config.xml to any user holding Item/Extended Read permission or with read access to the Jenkins controller filesystem. Secrets that should be encrypted at rest are written as plaintext into job config.xml files, making them directly readable through Jenkins' built-in permission model or OS-level file access. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, but the privileged insider and lateral-movement risk is significant for organizations embedding CI/CD credentials in job configurations.

Information Disclosure Jenkins Red Hat
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41694 MEDIUM PATCH This Month

Decryption oracle exposure in Spring Security's SAML module allows unauthenticated remote attackers (PR:N, AV:N per CVSS) to submit crafted SAML Responses, LogoutRequests, and LogoutResponses to a Service Provider endpoint and leverage the SP's private key for decryption without presenting a valid XML signature. Affected deployments span Spring Security 5.7.x through 7.0.x that use SAML-based SSO or Single Logout. No public exploit has been identified at time of analysis and EPSS data was not provided, but the attack class (XML encryption oracle) is well-documented in SAML security research and carries meaningful risk in identity-sensitive environments.

Information Disclosure Oracle Jwt Attack Java Spring Security
NVD VulDB HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-48096 MEDIUM PATCH GHSA This Month

Cache key collision in OpenFGA's iterator caching mechanism allows two distinct authorization check requests to resolve to the same cache key, causing the engine to return a stale, incorrect authorization result to a subsequent requester. All OpenFGA deployments prior to version 1.16.0 with iterator caching enabled are affected, specifically when using the experimental weighted_graph_check union resolution path. An authenticated attacker who can trigger authorization checks under conditions that produce a colliding cache key may receive an incorrect allow or deny decision, undermining the integrity and confidentiality of access control enforced by the engine. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Openfga Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62850 MEDIUM This Month

NULL pointer dereference in QNAP QuTS hero NAS operating system allows a remote attacker who has already obtained or possesses an administrator account to trigger a denial-of-service condition, crashing affected services. Affected branches span QuTS hero h5.2.x, h5.3.x, and h6.0.x series, with vendor-released patches available as of early-to-mid 2026. No public exploit code or CISA KEV listing has been identified at time of analysis, and the mandatory prerequisite of high-privilege authentication substantially constrains real-world impact.

Denial Of Service Null Pointer Dereference Qnap Quts Hero
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-66280 MEDIUM PATCH This Month

Integer overflow (CWE-190) in QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained an administrator account to further compromise system integrity and availability. Affected versions span QTS 5.2.x and QuTS hero h5.2.x through h6.0.x; QNAP released patched builds in February and May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory prerequisite of administrator-level access materially constrains real-world exploitability.

Qnap Integer Overflow Buffer Overflow Qts Quts Hero
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-58468 MEDIUM PATCH This Month

Cross-site request forgery in QNAP Notification Center allows remote unauthenticated attackers to forge state-changing requests on behalf of authenticated NAS users, potentially resulting in privilege escalation or session hijacking within the Notification Center context. Affected versions are all Notification Center 1.10.0 builds prior to 1.10.0.3291, confirmed by QNAP advisory QSA-26-13 and EUVD-2025-210096. Exploitation requires active victim interaction (CVSS 4.0 UI:A), integrity impact is rated low (VI:L), and no public exploit code or active exploitation has been identified at time of analysis.

CSRF Notification Center
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53742 MEDIUM This Month

Stored cross-site scripting in the QuantumCloud Simple Link Directory WordPress plugin (versions through 9.0.4) allows low-privileged contributors to inject arbitrary JavaScript via unsanitized embed shortcode attributes that are reflected into HTML data attributes. When an authenticated user with contributor-level access publishes or embeds content containing a maliciously crafted shortcode, any viewer who loads the affected page executes attacker-controlled JavaScript in their browser context. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low privilege requirement broadens the realistic attacker pool on multi-author WordPress installations.

XSS Simple Link Directory
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53741 MEDIUM This Month

Stored cross-site scripting in Simple Link Directory (WordPress plugin by QuantumCloud) through version 9.0.4 allows a low-privileged attacker to permanently inject arbitrary JavaScript into the plugin's 'no results found' output. The root cause is that the sld_no_results_found option value is interpolated directly into a JavaScript string literal without HTML or JavaScript encoding - WordPress's sanitize_text_field function is misapplied here because it strips tags but preserves quote characters, enabling quote-breakout from the JS string context. Every visitor to any page rendering the link directory widget executes the payload, making this a persistent, wide-blast stored XSS with no public exploit identified at time of analysis.

XSS Simple Link Directory
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53740 MEDIUM This Month

Stored cross-site scripting in Yoast Duplicate Post (WordPress plugin, through version 4.6) allows an authenticated low-privilege user to plant a malicious payload in the Classic Editor's scheduled republish notice by crafting the cloned post's title or permalink. When an administrator subsequently views the notice in the Classic Editor, the injected script executes in their browser session, enabling session hijacking or unauthorized admin-level actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping this at medium priority despite the admin-targeting impact.

XSS Yoast Duplicate Post
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53739 MEDIUM This Month

Cross-site request forgery in the Yoast Duplicate Post WordPress plugin through version 4.6 allows any attacker to silently suppress admin notices across a WordPress installation. The `duplicate_post_dismiss_notice` handler performs no nonce validation and no capability check, meaning any authenticated WordPress user - regardless of role - can be tricked into triggering the vulnerable endpoint. A successful attack sets the `duplicate_post_show_notice` site option network-wide, potentially hiding important administrative alerts from site operators. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.

CSRF Yoast Duplicate Post
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53736 MEDIUM PATCH This Month

Cross-site request forgery in the Easy Twitter Feeds WordPress plugin (versions before 1.2.13) allows unauthenticated remote attackers to trigger unauthorized post duplication by tricking an authenticated site user into visiting a crafted URL. The duplicate_post action handler fails to verify WordPress nonces, meaning any authenticated user's browser session can be silently weaponized to clone posts of any post type without their knowledge. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor-released fix is version 1.2.13.

CSRF Easy Twitter Feeds
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-7516 MEDIUM PATCH This Month

Clipboard hijacking in Lenovo's built-in Android browser application allows a malicious website to silently overwrite system clipboard contents on affected devices. The vulnerability impacts Lenovo Android tablets distributed exclusively in the Chinese market, enabling a network-based attacker to manipulate clipboard data when a user visits a crafted website. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; EPSS data was not provided in available intelligence.

Information Disclosure Google Lenovo
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-50565 MEDIUM PATCH GHSA This Month

Kubernetes service account token exposure in Fission serverless framework prior to v1.24.0 allows authenticated high-privilege users to escalate cluster privileges via a malicious builder image. Builder pods were created with ServiceAccountName set to fission-builder but without AutomountServiceAccountToken: false, causing the Kubernetes kubelet to automatically inject the fission-builder service account credential into every container in the pod - including untrusted, user-supplied builder images. An attacker with sufficient Fission privileges to register or modify builder environments can exploit this to read the mounted token and authenticate directly to the Kubernetes API using the fission-builder service account's RBAC permissions. No public exploit identified at time of analysis; vendor-released patch is available in v1.24.0.

Privilege Escalation Kubernetes
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-45559 MEDIUM This Month

LDAP injection in Roxy-WI 8.2.6.4 and prior exposes LDAP directory attributes to authenticated administrators who can manipulate search filter logic via the username URL path parameter. The vulnerable function get_ldap_email (app/modules/roxywi/user.py:120-157) constructs LDAP queries through unsanitized f-string concatenation, enabling injection of additional filter clauses such as *)(mail=*)(cn=* to enumerate or harvest attributes beyond the intended user record. No patch is available at time of publication, and no public exploit identified at time of analysis.

Code Injection Nginx Apache LDAP
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-41697 MEDIUM PATCH This Month

Boolean-based blind query injection in Spring Data Relational (JDBC and R2DBC) allows remote unauthenticated attackers to infer database contents by supplying wildcard characters to Query By Example (QBE) endpoints using StringMatcher modes STARTING, ENDING, or CONTAINING. The root cause is insufficient escaping of externally-controlled binding values before they reach the underlying query logic. No public exploit or CISA KEV listing has been identified at time of analysis, but the network-accessible, no-authentication-required attack surface makes this a meaningful exposure for any Spring Data application that exposes QBE search functionality.

Nosql Injection Information Disclosure Java
NVD VulDB HeroDevs
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-0270 MEDIUM PATCH This Month

Path traversal in Palo Alto Networks Cortex XSOAR engine on Linux enables arbitrary file write to the host system by an unauthenticated adjacent-network attacker who can intercept and manipulate outbound network response traffic via MITM. The referenced NVD entry for CVE-2007-4559 - the canonical Python tarfile path traversal - strongly suggests XSOAR's content pack or update download pipeline uses Python's tarfile module without path sanitization, allowing a poisoned archive to escape the extraction directory. No public exploit code has been identified at time of analysis, and the CVSS 4.0 supplemental metrics classify exploitation as unreported (E:U), though the attack is rated automatable (AU:Y) once MITM positioning is achieved.

Path Traversal Paloalto Cortex Xsoar
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-11596 MEDIUM This Month

ScreenConnect versions prior to 26.2 permit an authenticated user holding Host Pass creation privileges to bypass the intended maximum token expiration duration when generating delegated access tokens. The root cause is improper input validation (CWE-1284) on the duration field in the Host Pass workflow, allowing the value to exceed its designed upper bound. While no public exploit or CISA KEV listing exists at time of analysis, successful abuse results in the creation of anomalously long-lived access tokens, extending delegated access well beyond the security policy limit - a persistence and access-control integrity risk.

Information Disclosure Screenconnect
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-46532 MEDIUM This Month

Out-of-bounds read in ESP-IDF's BlueDroid AVRCP vendor-command parser allows adjacent Bluetooth attackers with low privileges to leak device memory and degrade availability across multiple ESP-IDF stable branches. Versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0 are confirmed affected via the Espressif GitHub security advisory. The parser's failure to validate payload length before dereferencing the buffer pointer enables a malformed AVRCP vendor command to read beyond allocated memory, yielding partial confidentiality loss and potential stack instability. No public exploit code exists and this CVE is not in CISA KEV at time of analysis.

Information Disclosure Buffer Overflow Esp Idf
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-0269 MEDIUM PATCH This Month

Memory corruption in PAN-OS tunnel traffic processing allows an authenticated, adjacent-network attacker to force the firewall into unplanned reboots or maintenance mode via a crafted packet, constituting a denial-of-service against the firewall itself. The CVSS 4.0 vector (AV:A/PR:L/VA:H) confirms the impact is purely availability - no confidentiality or integrity loss - and exploitation requires both authenticated access and adjacency to the tunnel interface. No public exploit code exists and no active exploitation has been reported; the vendor-assigned threat metric (E:U) reinforces that real-world risk is presently low.

Buffer Overflow Paloalto Cloud Ngfw Pan Os Panorama +1
NVD VulDB
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-52757 MEDIUM PATCH This Month

Heap-use-after-free corruption in Ghidra's decompiler before version 12.1 allows a local attacker - or any actor who can deliver a crafted binary to a target analyst - to corrupt freed heap memory when the victim opens the file in the decompiler view. The vulnerability resides in HighVariable::merge() during the variable merging pass, where stale pointers in the HighIntersectTest::highedgemap cache are dereferenced against freed memory, producing low-impact integrity and availability effects on the Ghidra process. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the tool's user base of security researchers who routinely open untrusted binaries elevates the practical threat profile.

Use After Free Information Disclosure Memory Corruption Ghidra
NVD GitHub
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-49497 MEDIUM PATCH This Month

Path traversal in Ghidra's SameDirDebugInfoProvider (versions before 12.1) enables filesystem probing and CRC32 hash leakage of arbitrary files when a user opens a crafted ELF binary during automatic DWARF analysis. The vulnerability stems from missing validation of filenames embedded in ELF .gnu_debuglink sections before those filenames are used to construct filesystem paths. No public exploit code is currently identified and it is not listed in CISA KEV, but the risk is notable for security researchers and reverse engineers who routinely analyze untrusted binaries.

Path Traversal Ghidra
NVD GitHub
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-8853 MEDIUM This Month

Stored Cross-Site Scripting in the MW WP Form WordPress plugin (all versions through 5.1.3) allows authenticated editor-level attackers to inject persistent malicious scripts via the 'memo' parameter that execute in the browsers of any user who views the affected contact data page. The vulnerability is made possible by a specific bypass of WordPress Core sanitization: because memo values are stored via update_post_meta() rather than wp_insert_post(), the native wp_kses_post() and unfiltered_html capability checks are never invoked, permitting editors - who are normally prevented from injecting raw HTML - to break out of the textarea element using injected closing tags. No public exploit has been identified at time of analysis, and the CVSS 4.4 Medium score reflects the high privilege and high complexity prerequisites.

XSS WordPress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-41701 MEDIUM PATCH This Month

Predictable correlation IDs in Spring AMQP's RabbitTemplate.sendAndReceive() expose request-reply messaging to correlation hijacking when a fixed reply queue is configured. Affected are all widely used Spring AMQP branches from 2.4.x through 4.0.x - a broad install base across Java enterprise applications. A network-positioned attacker with high privileges can exploit the sequential counter to predict future correlation IDs, enabling interception or injection of reply messages into the shared fixed reply queue. No public exploit code exists and this vulnerability is not listed in CISA KEV; CVSS 4.4 Medium reflects real-world limitations from high privilege and complexity requirements despite the changed scope indicator.

Information Disclosure Java
NVD HeroDevs VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0268 MEDIUM PATCH This Month

Security control bypass in Palo Alto Networks Prisma Access Agent for Linux enables a local, low-privileged attacker to route network traffic outside the VPN tunnel, undermining the core data-in-transit protection the agent is designed to enforce. Only Linux deployments are affected - Windows, macOS, iOS, Android, and ChromeOS are explicitly not impacted. No public exploit code exists at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 confidentiality impact is rated High due to the exposure of unencrypted traffic to untrusted network paths.

Authentication Bypass Microsoft Google Apple Prisma Access Agent
NVD VulDB
CVSS 4.0
4.4
EPSS
0.0%
CVE-2026-0267 MEDIUM PATCH This Month

GlobalProtect app on macOS exposes administrator-configured passcodes - used to restrict disabling, disconnecting, or uninstalling the endpoint agent - to unprivileged local users. A local user who reads the exposed passcode can then bypass endpoint protection controls that are specifically designed to prevent such actions, effectively disabling Palo Alto's endpoint security enforcement on the affected machine. No public exploit exists at time of analysis, and CVSS 4.0 supplemental metrics classify exploitation likelihood as 'Unreported' (E:U), though the impact on security posture is significant given that the passcode mechanism is the primary access control preventing users from circumventing GlobalProtect.

Information Disclosure Apple Paloalto Globalprotect App Globalprotect Uwp App
NVD VulDB
CVSS 4.0
4.4
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy