Skip to main content
CVE-2026-0273 MEDIUM PATCH This Month

Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrictions and execute arbitrary OS commands as root via the CLI or Web UI. Affected deployments include PA-Series and VM-Series firewalls and Panorama (virtual and M-Series); Cloud NGFW and Prisma Access are explicitly excluded per the vendor advisory. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.1 accurately reflects the significant mitigating factor of requiring high-privilege administrative access before exploitation is possible.

Command Injection Paloalto Cloud Ngfw Pan Os Prisma Access
NVD VulDB
CVSS 4.0
6.1
EPSS
0.3%
CVE-2026-46642 MEDIUM PATCH This Month

Stored cross-site scripting in draw.io prior to version 29.7.12 allows arbitrary JavaScript execution in the editor's origin when a victim opens a crafted .drawio file. The flaw bypasses the existing label sanitizer entirely because it resides in a separate, unsanitized code path - the Text Format panel's feature-detection routine - which assigns raw cell label content directly to a detached DOM element's innerHTML. Exploitation is automatic upon file import since draw.io selects cells programmatically during that process, requiring no additional user interaction beyond opening the file. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS Drawio
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41706 MEDIUM PATCH This Month

Open redirect in Spring Security's cookie-based saved-request components allows remote unauthenticated attackers to redirect authenticated users to arbitrary external URLs immediately after a successful login. The CookieRequestCache (servlet stack) and CookieServerRequestCache (reactive/WebFlux stack) store the full pre-authentication URL in a browser cookie and use it without origin validation as the post-login Location target, making this exploitable via a socially engineered link. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the S:C scope change and PR:N attack profile make this a meaningful phishing enabler in any Spring Security deployment using cookie-backed saved requests.

Open Redirect Java Spring Security
NVD HeroDevs VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41008 MEDIUM PATCH This Month

Spring Authorization Server's authorization endpoint fails to adequately validate the OAuth2/OIDC `request_uri` parameter, enabling unauthenticated remote attackers to craft authorization requests that bypass redirect URI validation entirely. Affected deployments running Spring Authorization Server 1.5.0-1.5.7 or Spring Security 7.0.0-7.0.5 can be exploited to redirect authenticated users to attacker-controlled destinations, a particularly elevated risk given that victims inherently trust the authorization server's domain during OAuth login flows. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Open Redirect Java Spring Authorization Server Spring Security
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45384 MEDIUM PATCH This Month

Arbitrary file overwrite in bit7z prior to version 4.0.12 is possible through a symlink attack targeting the predictable temporary file (`<archive_path>.tmp`) created during archive update operations. An attacker with write access to the archive directory can pre-place a symlink at that path pointing to a sensitive target file; when a process subsequently calls bit7z to update an archive, the library follows the symlink and overwrites the target with archive data. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though its low-complexity prerequisites on POSIX systems make it a meaningful risk in shared-directory or multi-tenant environments.

Information Disclosure Bit7z
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45566 MEDIUM This Month

Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authenticated users to attacker-controlled domains by exploiting a bypass in the login flow's URL filter. The filter blocks `next` parameter values containing `http://` or `https://` substrings but does not account for RFC-3986 userinfo@host syntax; submitting `next=@evil.example/path` causes the server to construct `https://victim.example@evil.example/path`, which modern browsers route to `evil.example`. No public exploit code has been identified at time of analysis, no patch is available, and this vulnerability is not listed in CISA KEV.

Nginx Open Redirect Apache
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45560 MEDIUM This Month

Stored cross-site scripting in Roxy-WI 8.2.6.4 and prior allows any unauthenticated remote attacker who can send HTTP requests to a managed HAProxy or Nginx load balancer to inject malicious payloads into server access logs, which then execute in the browser of any Roxy-WI administrator who opens the log viewer. The vulnerability stems from unsanitized HTML concatenation in the Python backend combined with unsafe jQuery .html()/.append() rendering on the frontend - a classic stored XSS with a changed scope (S:C) because the attacker's input, written via the load balancer, achieves code execution in the privileged admin web UI context. No publicly available patches exist at time of analysis; no public exploit code or CISA KEV listing has been identified.

XSS Nginx Apache
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0272 MEDIUM PATCH This Month

Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an authenticated CLI administrator to perform operations at the root OS level, bypassing intended privilege boundaries through a missing authorization control (CWE-862). The risk is substantially gated by the requirement for existing administrative CLI access (CVSS PR:H), making insider threats and compromised admin credentials the primary real-world attack paths. No public exploits or confirmed active exploitation have been identified at time of analysis, and the vendor's own E:U supplemental metric reinforces the low exploitation urgency - though root-level OS access to a firewall represents a severe impact if the prerequisite is met.

Privilege Escalation Authentication Bypass Paloalto Cloud Ngfw Pan Os +1
NVD VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-41721 MEDIUM PATCH This Month

Uncontrolled resource consumption in Spring Data Commons exposes applications to a remote Denial of Service condition when two specific features are active simultaneously. An unauthenticated remote attacker can send a specially crafted HTTP request to any endpoint backed by a @ProjectedPayload-annotated controller method, triggering unbounded memory allocation that exhausts the JVM heap and crashes the application. The vulnerability spans eight major release lines (2.7.x through 4.0.x), making the potential blast radius broad across Spring-based Java backends. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS attack complexity rating of High reflects non-trivial preconditions that meaningfully limit opportunistic exploitation.

Denial Of Service Java Spring Data Commons
NVD HeroDevs
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-41711 MEDIUM PATCH This Month

Denial of Service in Spring Data Commons affects applications that parse Sort parameters, triggering a StackOverflowException via crafted input. All major supported and legacy branches from 2.7.x through 4.0.x are affected, making the blast radius exceptionally broad across the Spring ecosystem. CVSS rates this Medium (5.9) with a high attack complexity qualifier (AC:H), unauthenticated network access (PR:N), and full availability impact (A:H); no active exploitation is confirmed and no public exploit code has been identified at time of analysis.

Denial Of Service Java Spring Data Commons
NVD HeroDevs VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-53462 MEDIUM POC PATCH GHSA This Month

Heap-use-after-free in ImageMagick's CheckPrimitiveExtent function allows remote attackers to crash the image processing service by supplying crafted input that triggers a memory allocation failure, resulting in a denial-of-service condition. Affected are all releases of the 6.x branch prior to 6.9.13-50 and all 7.x releases prior to 7.1.2-25. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the network-accessible attack vector is relevant wherever ImageMagick processes untrusted images (e.g., web upload pipelines, CI/CD asset processors).

Use After Free Memory Corruption Denial Of Service Imagemagick Red Hat +1
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-40991 MEDIUM PATCH This Month

XXE injection in Spring REST Docs exposes developer machines and CI runners to file disclosure when documentation-generating tests process responses from a remote API. Versions 4.0.0, 3.0.0-3.0.5, and 2.0.0.RELEASE-2.0.8.RELEASE of the spring-restdocs-webtestclient and spring-restdocs-restassured modules fail to disable XML external entity processing, allowing an attacker who controls the documented API endpoint to serve a malicious XML response. No confirmed active exploitation exists (not in CISA KEV), and no public exploit has been identified at time of analysis; however, the High confidentiality impact against developer and CI environments warrants prompt patching.

XXE Java
NVD HeroDevs VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-41696 MEDIUM PATCH This Month

Regex parameter binding in Spring Data MongoDB's @Query annotation fails to sufficiently quote user-supplied strings, enabling NoSQL injection that can manipulate query semantics. Unauthenticated remote attackers (PR:N, AV:N) who can influence the bound parameter in applications using this pattern may break out of the intended regular expression context to retrieve unintended documents, resulting in high-impact confidentiality compromise. No confirmed active exploitation or public exploit code has been identified at time of analysis; the CVSS Attack Complexity of High reflects a dependency on a specific application-level coding pattern.

Nosql Injection Information Disclosure Java Spring Data Mongodb
NVD VulDB HeroDevs
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-50127 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in Weblate's VCS_RESTRICT_PRIVATE control (versions 5.15 through pre-2026.6) allows bypassing of outbound request restrictions via IPv6 transition address encoding techniques. By supplying a hostname whose DNS AAAA record resolves to a NAT64-wrapped, 6to4-wrapped, or IPv4-compatible IPv6 address that encodes a private IPv4 endpoint, an attacker causes Weblate's validator to pass the address as globally routable while the host kernel routes the packet to the embedded private IPv4 target. The vulnerability carries High confidentiality impact (CVSS 5.9, AV:N/AC:H) because SSRF can expose internal services such as cloud IMDS credential endpoints; no public exploit or CISA KEV listing has been identified at time of analysis.

SSRF Weblate Suse
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-0271 MEDIUM PATCH This Month

Privilege escalation in Palo Alto Networks Prisma Access Agent on Linux allows a locally authenticated low-privileged user to execute arbitrary code with elevated privileges, achieving full confidentiality, integrity, and availability compromise of the affected system. The vulnerability is rooted in CWE-732 (Incorrect Permission Assignment for Critical Resource) and is strictly scoped to Linux deployments - the Windows, macOS, iOS, Android, and ChromeOS agent variants are confirmed unaffected by the vendor. No public exploit code has been identified at time of analysis, and the CVSS 4.0 supplemental metric E:U (Exploitation Unlikely) further tempers immediate mass-exploitation risk, though the complete local system impact warrants timely patching for multi-user Linux environments.

Microsoft Apple Paloalto Privilege Escalation Google +1
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-48061 MEDIUM PATCH GHSA This Month

Host validation bypass in Litestar's AllowedHostsMiddleware allows unauthenticated remote attackers to circumvent the allowed-hosts allowlist by omitting the HTTP Host header and substituting a client-controlled X-Forwarded-Host header set to any whitelisted domain. Affected are all Litestar deployments (pip/litestar < 2.22.0) using AllowedHostsConfig that are reachable without a trusted reverse proxy stripping X-Forwarded-Host - a condition reflected in the CVSS AC:H rating. Publicly available exploit code exists demonstrating the bypass; no CISA KEV listing at time of analysis.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-20257 MEDIUM PATCH This Month

Classic dashboard style attribute injection in Splunk Enterprise and Splunk Cloud Platform enables a low-privileged authenticated user to craft panels that bypass the Trusted Domains List and exfiltrate sensitive data from a higher-privileged user's browser session. Affected branches span Splunk Enterprise below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and multiple Splunk Cloud Platform release trains. No public exploit has been identified at time of analysis, and SSVC rates current exploitation as none with partial technical impact, though the high confidentiality impact potential warrants prompt patching in environments where low-privileged users can share dashboards with administrators.

Information Disclosure Splunk Splunk Enterprise Splunk Cloud Platform
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-20255 MEDIUM PATCH This Month

Classic dashboard URL validation bypass in Splunk Enterprise and Splunk Cloud Platform enables low-privileged authenticated users to craft dashboards that silently exfiltrate sensitive data to attacker-controlled external servers. The flaw (CWE-20) resides in the external content dialog, which fails to enforce complete domain restrictions, allowing outbound requests to untrusted hosts when a victim interacts with the malicious dashboard. No public exploit exists and this vulnerability is not listed in CISA KEV, but the High confidentiality impact (C:H) in the CVSS vector reflects meaningful data exposure risk in environments where Splunk indexes security events, credentials, or sensitive operational logs.

Information Disclosure Splunk Splunk Enterprise Splunk Cloud Platform
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-20254 MEDIUM PATCH This Month

CSS injection in Splunk Enterprise and Splunk Cloud Platform classic dashboards enables credential and sensitive data exfiltration by low-privileged users targeting higher-privileged accounts. A low-privileged user (without 'admin' or 'power' roles) can craft a malicious classic dashboard containing injected CSS via inline style attributes; when a higher-privileged user views the dashboard, outbound HTTP requests are triggered to attacker-controlled external servers, bypassing the Trusted Domains restriction. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, but the C:H confidentiality impact and cross-privilege exploitation path make this a meaningful insider or compromised-account threat in environments with mixed privilege levels.

Information Disclosure Splunk Splunk Enterprise Splunk Cloud Platform
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-20256 MEDIUM PATCH This Month

Classic dashboard drill-down links in Splunk Enterprise and Splunk Cloud Platform can be weaponized by low-privileged authenticated users to silently redirect victims to attacker-controlled external sites, enabling data exfiltration. The flaw stems from an incomplete URL scheme validator that recognizes only 'http://' and 'https://' prefixes, allowing protocol-relative URLs like '//attacker.com' to bypass the external-navigation warning dialog entirely. No public exploit code exists and no active exploitation is confirmed (not in CISA KEV), but the attack requires only a low-privileged account and a single victim click, making it a realistic phishing vector in multi-tenant or large enterprise Splunk deployments.

Authentication Bypass Splunk Splunk Enterprise Splunk Cloud Platform
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-11604 MEDIUM This Month

Heap-based buffer overflow in OpenVPN's ovpn-dco-win Windows kernel driver (versions 2.0.0-2.8.3) allows a remote authenticated VPN peer to crash the host system by sending a crafted data packet that exploits an incorrect buffer size calculation in the epoch key generator. Because the vulnerable code executes in kernel mode, the resulting memory corruption causes a full system crash (BSOD), not a user-space fault. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis, though the kernel-level availability impact is severe when conditions are met.

Denial Of Service Buffer Overflow Ovpn Dco Win
NVD GitHub VulDB
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-20259 MEDIUM PATCH This Month

Improper access control on the saved search ownership reassignment endpoint in Splunk Enterprise and Splunk Cloud Platform allows a highly privileged authenticated user - one whose role contains the `edit_saved_search_owner` capability - to reassign saved search ownership to users outside their authorized scope. Affected versions span Splunk Enterprise below 10.2.4 and 10.0.7, and multiple Splunk Cloud Platform branches below their respective fixed builds. No public exploit has been identified at time of analysis, and the PR:H CVSS requirement confines risk primarily to insider threats or scenarios involving compromised privileged Splunk accounts.

Splunk Authentication Bypass Splunk Enterprise Splunk Cloud Platform
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47768 MEDIUM PATCH GHSA This Month

Sensitive information disclosure in nebula-mesh (all versions ≤ v0.3.1) leaks newly-minted 32-byte operator API bearer tokens into browser URL history, cross-origin Referer headers, and reverse-proxy access logs by embedding the raw token in a 303 redirect query string. Any actor with read access to nginx combined-format logs, CDN logs, or browser history backup storage can harvest the token and impersonate the operator via the API. A secondary CWE-116 flaw in the same handler omits url.QueryEscape on the user-supplied key name, enabling query-string corruption and potential header injection in older proxies. No public exploit identified at time of analysis; a detailed step-by-step reproducer is included in the GitHub Security Advisory GHSA-9pg3-25fq-p6cc. Fix is available in v0.3.2.

Nginx Information Disclosure
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20258 MEDIUM PATCH This Month

Stored cross-site scripting in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform (below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, 9.3.2411.132) allows a low-privileged authenticated user - without 'admin' or 'power' roles - to embed malicious JavaScript inside a classic dashboard HTML panel that executes in another user's browser session. Exploitation requires phishing the victim into initiating a specific browser request, and no public exploit was identified at time of analysis.

XSS Splunk Splunk Enterprise Splunk Cloud Platform
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41003 MEDIUM PATCH This Month

Cross-site scripting in Spring Security's SAML 2.0 relying party support allows an attacker who can influence RelyingPartyRegistration values to inject malicious content into HTML forms generated by Spring Security filters, potentially leading to script execution in a victim's browser. The advisory and tagging characterize this as an XSS issue with possible code-execution implications in the browser context, affecting Spring Security 5.7.x through 7.0.x prior to the fixed maintenance releases. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Java RCE Spring Security
NVD VulDB HeroDevs
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-53473 MEDIUM This Month

Stored cross-site scripting in Red Hat's migration-planner-ui-app (kubev2v project) allows an authenticated attacker who can register a discovery agent to inject a javascript: URI into the agent's credentialUrl field, which executes in another organizational user's browser when they click the resulting link in the UI. No public exploit identified at time of analysis, but the upstream fix (PR #750) and Red Hat Bugzilla entry confirm the issue is real and patched via a safeExternalUrl protocol allowlist. Successful exploitation hijacks the victim's Red Hat SSO session and enables cross-tenant data access and API actions.

XSS Red Hat Migration Planner Ui
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-53441 MEDIUM PATCH GHSA This Month

Stored XSS in Jenkins 2.483-2.567 and LTS 2.492.1-2.555.2 allows attackers holding Agent/Configure permission to inject persistent malicious scripts via the `POST config.xml` API by supplying an unescaped generic offline cause description. When any Jenkins user views the affected agent page, the payload executes in their browser, enabling session hijacking or unauthorized actions within the Jenkins instance. No public exploit or CISA KEV listing has been identified, and EPSS probability is low at 0.02%, reflecting the constrained attack surface from the required permission prerequisite.

Jenkins XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-11626 MEDIUM This Month

Local privilege escalation in Broadcom's Symantec Endpoint Protection CleanWipe Removal Tool for macOS, versions prior to 16.0.0.65, allows a local attacker to gain administrative control of the affected system. The vulnerability is rooted in CWE-250 (Execution with Unnecessary Privileges), a class where a process operates with more permissions than its function requires, creating an elevation pathway. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog; however, the full confidentiality, integrity, and availability impact on the vulnerable component (VC:H/VI:H/VA:H) underscores the severity of a successful exploitation.

Apple Privilege Escalation
NVD VulDB
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-11815 MEDIUM This Month

Insecure deserialization in Broadcom Layer 7 API Gateway 11.2.1 exposes organizations to remote code execution or broken security control enforcement when an adversary can intercept and tamper with traffic between a client application and the gateway. The CVSS 4.0 vector assigns High subsequent-system confidentiality impact (SC:H), reflecting the gateway's privileged position as a broker to downstream backend services - meaning a successful exploit can cascade beyond the gateway itself. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the RCE potential and architectural sensitivity of an API gateway make this a meaningful priority for affected deployments.

Deserialization RCE Layer 7 Api Gateway
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-22899 MEDIUM PATCH This Month

NULL pointer dereference in QNAP File Station 5 enables authenticated remote attackers to crash the service and cause a denial-of-service condition. Exploitation requires prior acquisition of a valid user account on the target QNAP NAS device, after which the attacker can trigger the dereference remotely over the network. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Null Pointer Dereference File Station 5
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-24720 MEDIUM PATCH This Month

Resource exhaustion in QNAP File Station 5 (versions 5.5.0 through 5.5.6.5242) allows a remote attacker holding a low-privilege user account to exhaust shared resources, denying availability to other users, processes, or applications on the same system. The vulnerability is classified as a Denial-of-Service risk with no impact on confidentiality or data integrity. No public exploit code or CISA KEV listing has been identified at time of analysis; QNAP has released a patched version and published a security advisory.

Denial Of Service File Station 5
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2024-21944 MEDIUM This Month

Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of. Rated medium severity (CVSS 5.3). No vendor patch available.

Information Disclosure Amd Epyc 7003 Series Processors Amd Epyc 9004 Series Processor Suse
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-26241 MEDIUM PATCH This Month

Stack-based buffer overflow in QNAP File Station 5 enables remote unauthenticated attackers to corrupt memory or destabilize processes through a network-accessible attack path requiring only passive user interaction. Affected versions are all releases prior to 5.5.6.5243; QNAP's own security team (security@qnapsecurity.com.tw) discovered and disclosed the issue via advisory QSA-26-27. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, the unauthenticated network attack vector lowers the bar for opportunistic targeting of QNAP NAS deployments.

Stack Overflow Buffer Overflow File Station
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-26240 MEDIUM PATCH This Month

Stack-based buffer overflow in QNAP File Station 5 allows unauthenticated remote attackers to corrupt process memory or crash the file management service when a victim user passively interacts with a crafted input. Affected versions are all File Station 5 releases prior to 5.5.6.5243, running on QNAP NAS devices accessible over the network. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; QNAP has confirmed and released a fix in version 5.5.6.5243 via advisory QSA-26-32.

Stack Overflow Buffer Overflow File Station
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-48108 MEDIUM PATCH GHSA This Month

Resource exhaustion in Russh's SSH server identification-string reader allows unauthenticated remote attackers to hold connection setup resources indefinitely during the cleartext pre-authentication phase. Russh versions 0.34.0-beta.1 through 0.60.x used the same permissive identification reader for both client and server roles, failing to cap the number of pre-banner lines a connecting client could send before the SSH identification string - a constraint OpenSSH enforces strictly per RFC 4253. Any application serving SSH via russh is exposed to this pre-auth resource-holding condition. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SSH Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-47751 MEDIUM PATCH GHSA This Month

Malicious MCP server configuration injection via pull requests enables remote code execution on GitHub Actions runners running anthropics/claude-code-action versions prior to 1.0.74. The action's combination of checking out attacker-controlled PR head branches, reading `.mcp.json` from the working directory by default, and unconditionally enabling all discovered project MCP servers creates a poisoned pipeline execution path - an attacker who can open a PR can plant a malicious `.mcp.json` that executes arbitrary commands once a privileged user or automated trigger invokes the Claude action against that PR. Successful exploitation results in full secret exfiltration from the workflow environment, including API keys and tokens accessible to the runner. No public exploit identified at time of analysis; the fix was disclosed via GitHub Security Advisory GHSA-8q5r-mmjf-575q and patched in version 1.0.74.

Command Injection RCE
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-44505 MEDIUM This Month

Indefinite future hang (denial of service) in Nimiq core-rs-albatross's network-libp2p component allows any remote peer to cause DHT get-record callers to block forever by returning a record that fails signature or structural verification. The root cause is improper error handling in handle_dht_get (swarm.rs): on verifier failure or subsequent inconsistent-state transitions, the oneshot channel used by Network::dht_get is never completed and per-query bookkeeping is never cleaned up, leaving the awaiting caller suspended without a timeout. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV. The issue is patched in version 1.4.0.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-53737 MEDIUM This Month

Stored cross-site scripting in the Juicer WordPress plugin (versions through 1.12.18) allows an attacker who controls a connected social media feed source to inject arbitrary JavaScript that executes in a WordPress administrator's browser when the Juicer settings page loads. The plugin fetches remote feed API responses and renders them on the admin settings page without HTML output escaping, enabling script injection via externally controlled data. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the passive user interaction requirement limiting broad exploitation.

XSS Juicer
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-49397 MEDIUM PATCH GHSA This Month

Information disclosure in nezha 2.x server monitoring dashboard exposes private services marked with `EnableShowInService: false` to unauthenticated network visitors through two API endpoints that bypass the intended visibility filter. Attackers who can reach the API can enumerate hidden service names, IDs, and per-server timing data by iterating over public server IDs or guessing numeric service IDs - both low-cardinality spaces in typical deployments. No public exploit is required to leverage this; a fully functional proof-of-concept using only standard `curl` commands is documented in the GitHub security advisory GHSA-vrmh-5mmx-hjwx, and the fix is available in version 2.0.14.

Information Disclosure Oracle Microsoft Hashicorp
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41837 MEDIUM PATCH This Month

Spring Data REST's Querydsl integration exposes arbitrary persistent entity property paths as request-parameter filter keys without first applying Jackson serialization customizations such as @JsonIgnore or @JsonView, allowing unauthenticated remote attackers to probe and extract values of fields that developers intentionally suppressed from the API surface. All major release trains from 3.7.x through 5.0.x are affected across a broad Spring Boot installation base. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, though the no-auth, low-complexity network vector makes this straightforward to abuse against misconfigured deployments.

Authentication Bypass Java Spring Data Rest
NVD HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41730 MEDIUM PATCH This Month

Spring Data REST leaks persistence-layer internals - including database schema details, Hibernate/JPA exception messages, and query structures - by serializing the full exception cause chain directly into HTTP error response bodies. All five active release lines are affected (3.7.x, 4.3.x, 4.4.x, 4.5.x, and 5.0.x), and the CVSS vector confirms unauthenticated remote exploitation against default configurations with no user interaction required. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the zero-friction access conditions make any network-exposed Spring Data REST deployment a realistic target for automated reconnaissance that could enable follow-on, more damaging attacks.

Information Disclosure Java Spring Data Rest
NVD HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-53675 MEDIUM This Month

Insecure direct object reference in BuddyPress 14.4.0's friends REST API exposes any authenticated attacker's ability to enumerate the complete friend list of any arbitrary user on the platform. The root cause is a missing ownership check in the `get_items_permissions_check` method, which validates only that the requester is logged in - not that they have authorization to view the target `user_id`'s social connections. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the low attack complexity and broad applicability to any authenticated user on affected WordPress installations make it a genuine privacy risk for communities using BuddyPress's social networking features.

Authentication Bypass
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-53442 MEDIUM This Month

Unencrypted secret storage in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) exposes credentials submitted via POST config.xml to any user holding Item/Extended Read permission or with read access to the Jenkins controller filesystem. Secrets that should be encrypted at rest are written as plaintext into job config.xml files, making them directly readable through Jenkins' built-in permission model or OS-level file access. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, but the privileged insider and lateral-movement risk is significant for organizations embedding CI/CD credentials in job configurations.

Information Disclosure Jenkins Red Hat
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41694 MEDIUM PATCH This Month

Decryption oracle exposure in Spring Security's SAML module allows unauthenticated remote attackers (PR:N, AV:N per CVSS) to submit crafted SAML Responses, LogoutRequests, and LogoutResponses to a Service Provider endpoint and leverage the SP's private key for decryption without presenting a valid XML signature. Affected deployments span Spring Security 5.7.x through 7.0.x that use SAML-based SSO or Single Logout. No public exploit has been identified at time of analysis and EPSS data was not provided, but the attack class (XML encryption oracle) is well-documented in SAML security research and carries meaningful risk in identity-sensitive environments.

Information Disclosure Oracle Jwt Attack Java Spring Security
NVD VulDB HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-48096 MEDIUM PATCH GHSA This Month

Cache key collision in OpenFGA's iterator caching mechanism allows two distinct authorization check requests to resolve to the same cache key, causing the engine to return a stale, incorrect authorization result to a subsequent requester. All OpenFGA deployments prior to version 1.16.0 with iterator caching enabled are affected, specifically when using the experimental weighted_graph_check union resolution path. An authenticated attacker who can trigger authorization checks under conditions that produce a colliding cache key may receive an incorrect allow or deny decision, undermining the integrity and confidentiality of access control enforced by the engine. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Openfga Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62850 MEDIUM This Month

NULL pointer dereference in QNAP QuTS hero NAS operating system allows a remote attacker who has already obtained or possesses an administrator account to trigger a denial-of-service condition, crashing affected services. Affected branches span QuTS hero h5.2.x, h5.3.x, and h6.0.x series, with vendor-released patches available as of early-to-mid 2026. No public exploit code or CISA KEV listing has been identified at time of analysis, and the mandatory prerequisite of high-privilege authentication substantially constrains real-world impact.

Denial Of Service Null Pointer Dereference Qnap Quts Hero
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-66280 MEDIUM PATCH This Month

Integer overflow (CWE-190) in QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained an administrator account to further compromise system integrity and availability. Affected versions span QTS 5.2.x and QuTS hero h5.2.x through h6.0.x; QNAP released patched builds in February and May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory prerequisite of administrator-level access materially constrains real-world exploitability.

Qnap Integer Overflow Buffer Overflow Qts Quts Hero
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-58468 MEDIUM PATCH This Month

Cross-site request forgery in QNAP Notification Center allows remote unauthenticated attackers to forge state-changing requests on behalf of authenticated NAS users, potentially resulting in privilege escalation or session hijacking within the Notification Center context. Affected versions are all Notification Center 1.10.0 builds prior to 1.10.0.3291, confirmed by QNAP advisory QSA-26-13 and EUVD-2025-210096. Exploitation requires active victim interaction (CVSS 4.0 UI:A), integrity impact is rated low (VI:L), and no public exploit code or active exploitation has been identified at time of analysis.

CSRF Notification Center
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53742 MEDIUM This Month

Stored cross-site scripting in the QuantumCloud Simple Link Directory WordPress plugin (versions through 9.0.4) allows low-privileged contributors to inject arbitrary JavaScript via unsanitized embed shortcode attributes that are reflected into HTML data attributes. When an authenticated user with contributor-level access publishes or embeds content containing a maliciously crafted shortcode, any viewer who loads the affected page executes attacker-controlled JavaScript in their browser context. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low privilege requirement broadens the realistic attacker pool on multi-author WordPress installations.

XSS Simple Link Directory
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53741 MEDIUM This Month

Stored cross-site scripting in Simple Link Directory (WordPress plugin by QuantumCloud) through version 9.0.4 allows a low-privileged attacker to permanently inject arbitrary JavaScript into the plugin's 'no results found' output. The root cause is that the sld_no_results_found option value is interpolated directly into a JavaScript string literal without HTML or JavaScript encoding - WordPress's sanitize_text_field function is misapplied here because it strips tags but preserves quote characters, enabling quote-breakout from the JS string context. Every visitor to any page rendering the link directory widget executes the payload, making this a persistent, wide-blast stored XSS with no public exploit identified at time of analysis.

XSS Simple Link Directory
NVD
CVSS 4.0
5.1
EPSS
0.0%
Prev Page 4 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy