Skip to main content
CVE-2026-53740 MEDIUM This Month

Stored cross-site scripting in Yoast Duplicate Post (WordPress plugin, through version 4.6) allows an authenticated low-privilege user to plant a malicious payload in the Classic Editor's scheduled republish notice by crafting the cloned post's title or permalink. When an administrator subsequently views the notice in the Classic Editor, the injected script executes in their browser session, enabling session hijacking or unauthorized admin-level actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping this at medium priority despite the admin-targeting impact.

XSS Yoast Duplicate Post
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53739 MEDIUM This Month

Cross-site request forgery in the Yoast Duplicate Post WordPress plugin through version 4.6 allows any attacker to silently suppress admin notices across a WordPress installation. The `duplicate_post_dismiss_notice` handler performs no nonce validation and no capability check, meaning any authenticated WordPress user - regardless of role - can be tricked into triggering the vulnerable endpoint. A successful attack sets the `duplicate_post_show_notice` site option network-wide, potentially hiding important administrative alerts from site operators. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.

CSRF Yoast Duplicate Post
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53736 MEDIUM PATCH This Month

Cross-site request forgery in the Easy Twitter Feeds WordPress plugin (versions before 1.2.13) allows unauthenticated remote attackers to trigger unauthorized post duplication by tricking an authenticated site user into visiting a crafted URL. The duplicate_post action handler fails to verify WordPress nonces, meaning any authenticated user's browser session can be silently weaponized to clone posts of any post type without their knowledge. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor-released fix is version 1.2.13.

CSRF Easy Twitter Feeds
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-7516 MEDIUM PATCH This Month

Clipboard hijacking in Lenovo's built-in Android browser application allows a malicious website to silently overwrite system clipboard contents on affected devices. The vulnerability impacts Lenovo Android tablets distributed exclusively in the Chinese market, enabling a network-based attacker to manipulate clipboard data when a user visits a crafted website. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; EPSS data was not provided in available intelligence.

Information Disclosure Google Lenovo
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-50565 MEDIUM PATCH GHSA This Month

Kubernetes service account token exposure in Fission serverless framework prior to v1.24.0 allows authenticated high-privilege users to escalate cluster privileges via a malicious builder image. Builder pods were created with ServiceAccountName set to fission-builder but without AutomountServiceAccountToken: false, causing the Kubernetes kubelet to automatically inject the fission-builder service account credential into every container in the pod - including untrusted, user-supplied builder images. An attacker with sufficient Fission privileges to register or modify builder environments can exploit this to read the mounted token and authenticate directly to the Kubernetes API using the fission-builder service account's RBAC permissions. No public exploit identified at time of analysis; vendor-released patch is available in v1.24.0.

Privilege Escalation Kubernetes
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-45559 MEDIUM This Month

LDAP injection in Roxy-WI 8.2.6.4 and prior exposes LDAP directory attributes to authenticated administrators who can manipulate search filter logic via the username URL path parameter. The vulnerable function get_ldap_email (app/modules/roxywi/user.py:120-157) constructs LDAP queries through unsanitized f-string concatenation, enabling injection of additional filter clauses such as *)(mail=*)(cn=* to enumerate or harvest attributes beyond the intended user record. No patch is available at time of publication, and no public exploit identified at time of analysis.

Code Injection Nginx Apache LDAP
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-41697 MEDIUM PATCH This Month

Boolean-based blind query injection in Spring Data Relational (JDBC and R2DBC) allows remote unauthenticated attackers to infer database contents by supplying wildcard characters to Query By Example (QBE) endpoints using StringMatcher modes STARTING, ENDING, or CONTAINING. The root cause is insufficient escaping of externally-controlled binding values before they reach the underlying query logic. No public exploit or CISA KEV listing has been identified at time of analysis, but the network-accessible, no-authentication-required attack surface makes this a meaningful exposure for any Spring Data application that exposes QBE search functionality.

Nosql Injection Information Disclosure Java
NVD VulDB HeroDevs
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-0270 MEDIUM PATCH This Month

Path traversal in Palo Alto Networks Cortex XSOAR engine on Linux enables arbitrary file write to the host system by an unauthenticated adjacent-network attacker who can intercept and manipulate outbound network response traffic via MITM. The referenced NVD entry for CVE-2007-4559 - the canonical Python tarfile path traversal - strongly suggests XSOAR's content pack or update download pipeline uses Python's tarfile module without path sanitization, allowing a poisoned archive to escape the extraction directory. No public exploit code has been identified at time of analysis, and the CVSS 4.0 supplemental metrics classify exploitation as unreported (E:U), though the attack is rated automatable (AU:Y) once MITM positioning is achieved.

Path Traversal Paloalto Cortex Xsoar
NVD VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-11596 MEDIUM This Month

ScreenConnect versions prior to 26.2 permit an authenticated user holding Host Pass creation privileges to bypass the intended maximum token expiration duration when generating delegated access tokens. The root cause is improper input validation (CWE-1284) on the duration field in the Host Pass workflow, allowing the value to exceed its designed upper bound. While no public exploit or CISA KEV listing exists at time of analysis, successful abuse results in the creation of anomalously long-lived access tokens, extending delegated access well beyond the security policy limit - a persistence and access-control integrity risk.

Information Disclosure Screenconnect
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-46532 MEDIUM This Month

Out-of-bounds read in ESP-IDF's BlueDroid AVRCP vendor-command parser allows adjacent Bluetooth attackers with low privileges to leak device memory and degrade availability across multiple ESP-IDF stable branches. Versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0 are confirmed affected via the Espressif GitHub security advisory. The parser's failure to validate payload length before dereferencing the buffer pointer enables a malformed AVRCP vendor command to read beyond allocated memory, yielding partial confidentiality loss and potential stack instability. No public exploit code exists and this CVE is not in CISA KEV at time of analysis.

Information Disclosure Buffer Overflow Esp Idf
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-0269 MEDIUM PATCH This Month

Memory corruption in PAN-OS tunnel traffic processing allows an authenticated, adjacent-network attacker to force the firewall into unplanned reboots or maintenance mode via a crafted packet, constituting a denial-of-service against the firewall itself. The CVSS 4.0 vector (AV:A/PR:L/VA:H) confirms the impact is purely availability - no confidentiality or integrity loss - and exploitation requires both authenticated access and adjacency to the tunnel interface. No public exploit code exists and no active exploitation has been reported; the vendor-assigned threat metric (E:U) reinforces that real-world risk is presently low.

Buffer Overflow Paloalto Cloud Ngfw Pan Os Panorama +1
NVD VulDB
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-52757 MEDIUM PATCH This Month

Heap-use-after-free corruption in Ghidra's decompiler before version 12.1 allows a local attacker - or any actor who can deliver a crafted binary to a target analyst - to corrupt freed heap memory when the victim opens the file in the decompiler view. The vulnerability resides in HighVariable::merge() during the variable merging pass, where stale pointers in the HighIntersectTest::highedgemap cache are dereferenced against freed memory, producing low-impact integrity and availability effects on the Ghidra process. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the tool's user base of security researchers who routinely open untrusted binaries elevates the practical threat profile.

Use After Free Information Disclosure Memory Corruption Ghidra
NVD GitHub
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-49497 MEDIUM PATCH This Month

Path traversal in Ghidra's SameDirDebugInfoProvider (versions before 12.1) enables filesystem probing and CRC32 hash leakage of arbitrary files when a user opens a crafted ELF binary during automatic DWARF analysis. The vulnerability stems from missing validation of filenames embedded in ELF .gnu_debuglink sections before those filenames are used to construct filesystem paths. No public exploit code is currently identified and it is not listed in CISA KEV, but the risk is notable for security researchers and reverse engineers who routinely analyze untrusted binaries.

Path Traversal Ghidra
NVD GitHub
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-8853 MEDIUM This Month

Stored Cross-Site Scripting in the MW WP Form WordPress plugin (all versions through 5.1.3) allows authenticated editor-level attackers to inject persistent malicious scripts via the 'memo' parameter that execute in the browsers of any user who views the affected contact data page. The vulnerability is made possible by a specific bypass of WordPress Core sanitization: because memo values are stored via update_post_meta() rather than wp_insert_post(), the native wp_kses_post() and unfiltered_html capability checks are never invoked, permitting editors - who are normally prevented from injecting raw HTML - to break out of the textarea element using injected closing tags. No public exploit has been identified at time of analysis, and the CVSS 4.4 Medium score reflects the high privilege and high complexity prerequisites.

XSS WordPress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-41701 MEDIUM PATCH This Month

Predictable correlation IDs in Spring AMQP's RabbitTemplate.sendAndReceive() expose request-reply messaging to correlation hijacking when a fixed reply queue is configured. Affected are all widely used Spring AMQP branches from 2.4.x through 4.0.x - a broad install base across Java enterprise applications. A network-positioned attacker with high privileges can exploit the sequential counter to predict future correlation IDs, enabling interception or injection of reply messages into the shared fixed reply queue. No public exploit code exists and this vulnerability is not listed in CISA KEV; CVSS 4.4 Medium reflects real-world limitations from high privilege and complexity requirements despite the changed scope indicator.

Information Disclosure Java
NVD HeroDevs VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0268 MEDIUM PATCH This Month

Security control bypass in Palo Alto Networks Prisma Access Agent for Linux enables a local, low-privileged attacker to route network traffic outside the VPN tunnel, undermining the core data-in-transit protection the agent is designed to enforce. Only Linux deployments are affected - Windows, macOS, iOS, Android, and ChromeOS are explicitly not impacted. No public exploit code exists at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 confidentiality impact is rated High due to the exposure of unencrypted traffic to untrusted network paths.

Authentication Bypass Microsoft Google Apple Prisma Access Agent
NVD VulDB
CVSS 4.0
4.4
EPSS
0.0%
CVE-2026-0267 MEDIUM PATCH This Month

GlobalProtect app on macOS exposes administrator-configured passcodes - used to restrict disabling, disconnecting, or uninstalling the endpoint agent - to unprivileged local users. A local user who reads the exposed passcode can then bypass endpoint protection controls that are specifically designed to prevent such actions, effectively disabling Palo Alto's endpoint security enforcement on the affected machine. No public exploit exists at time of analysis, and CVSS 4.0 supplemental metrics classify exploitation likelihood as 'Unreported' (E:U), though the impact on security posture is significant given that the passcode mechanism is the primary access control preventing users from circumventing GlobalProtect.

Information Disclosure Apple Paloalto Globalprotect App Globalprotect Uwp App
NVD VulDB
CVSS 4.0
4.4
EPSS
0.0%
CVE-2026-53463 MEDIUM PATCH GHSA This Month

Null pointer dereference in ImageMagick's distort operation crashes the processing process when an attacker supplies malformed distort arguments via a crafted image. Affected are all ImageMagick 6.x versions prior to 6.9.13-50 and all 7.x versions prior to 7.1.2-25. An unauthenticated remote attacker who can cause a target application to process a specially crafted image can trigger a DoS; no public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Denial Of Service Null Pointer Dereference Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-53440 MEDIUM This Month

Open redirect in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) enables unauthenticated remote attackers to craft login URLs with a malicious external domain in the 'from' parameter under the 'Delegate to servlet container' security realm, silently redirecting authenticated users to attacker-controlled sites post-login for phishing purposes. The CVSS vector (PR:N, UI:R) confirms no attacker authentication is needed, but victim interaction is mandatory - the user must click a crafted link and complete a login. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; vendor-released patches are available as of 2026-06-10.

Jenkins Open Redirect Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-53437 MEDIUM This Month

Open redirect in Jenkins login flow enables phishing attacks by exploiting improper redirect URL validation. Tab or newline characters injected between `//` in a post-login redirect URL bypass Jenkins' legitimacy check, redirecting authenticated victims to attacker-controlled sites. Affects Jenkins weekly 2.567 and earlier and LTS 2.555.2 and earlier; vendor-released patches are available. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the bypass technique is trivially derivable from the public advisory.

Jenkins Open Redirect
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-53634 MEDIUM POC PATCH GHSA This Month

Authorization bypass in Sharp (code16/sharp Laravel CMS package) versions 9.0.0 through 9.22.3 permits authenticated users lacking create permissions to invoke Quick Creation Command endpoints directly, circumventing the authorization layer to either retrieve entity creation forms or submit new records. The root cause is a missing `authorizationManager->check('create', $entityKey)` call in both the constructor and the `create` method of `ApiEntityListQuickCreationCommandController`, meaning the restriction enforced at the entity list level was not replicated at the command controller level. No public exploit exists and no CISA KEV listing is present; vendor-released patch v9.22.3 closes both vulnerable endpoints.

Authentication Bypass Sharp
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-50569 MEDIUM PATCH This Month

Input validation bypass in Fission (Kubernetes-native serverless framework) prior to version 1.25.0 allows authenticated users with Kubernetes API access to create HTTPTrigger resources with malformed or unsafe URL paths, achieving low-integrity routing manipulation. The RelativeURL and Prefix fields in HTTPTriggerSpec were validated only at the Fission CLI layer; when the post-CRD-modernization admission webhook was retired in favor of API-server CEL, no CEL rules were authored for those two fields - leaving a complete gap exploitable via kubectl apply or direct Kubernetes REST API calls. No public exploit code exists and this CVE is not listed in CISA KEV, but the bypass is straightforward for any cluster user with HTTPTrigger create rights.

Authentication Bypass Kubernetes
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-20260 MEDIUM PATCH This Month

ANSI escape code injection in Splunk SOAR versions below 8.5.0 allows an unauthenticated remote attacker to embed terminal control sequences into application log files via crafted HTTP request paths. When an administrator subsequently views those logs in a terminal emulator, the escape codes may be interpreted, enabling visual output manipulation such as overwriting displayed text, hiding log entries, or altering terminal state. No public exploit code has been identified at time of analysis, and exploitation requires administrator interaction with affected log output, keeping real-world risk moderate despite the low authentication barrier.

Code Injection Splunk Splunk Soar
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-45563 MEDIUM This Month

Roxy-WI 8.2.6.4 and prior exposes a broken object-level authorization flaw in its audit history endpoint, allowing any authenticated user to read any other user's full action audit trail. The GET /history/user/<server_ip> endpoint conflates the server_ip path parameter with a user identifier and performs no authorization check, meaning a guest account in an unrelated group can enumerate administrators' operational history including server IPs touched, configs deployed, and services restarted. No patch is available at time of publication; no public exploit code or active exploitation has been identified.

Authentication Bypass Nginx Apache
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-53439 MEDIUM This Month

Missing authorization checks in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) expose user-specific configuration data to any authenticated user holding the Overall/Read permission. Authenticated low-privilege users can query the timezone setting of any Jenkins user account and enumerate the names of views configured within other users' 'My Views' personal dashboards, constituting an information disclosure weakness. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis, placing real-world risk in the low-moderate tier primarily relevant to multi-tenant or shared Jenkins deployments.

Authentication Bypass Jenkins Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-53438 MEDIUM This Month

Missing authorization enforcement in Jenkins allows low-privileged authenticated users to cancel build queue items they lack permission to view. Affecting Jenkins 2.567 and earlier (LTS 2.555.2 and earlier), this CWE-862 flaw breaks the expected access control invariant that Item/Cancel should be constrained by Item/Read visibility. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis, but the low attack complexity and network accessibility make it a realistic threat in multi-tenant Jenkins deployments where fine-grained RBAC is in use.

Authentication Bypass Jenkins Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-53436 MEDIUM This Month

Open redirect exploitation in Jenkins allows unauthenticated network attackers to craft login URLs that bypass the post-authentication redirect validation and forward users to attacker-controlled external sites. Affected are Jenkins weekly releases through 2.567 and LTS releases through 2.555.2, where the redirect URL legitimacy check fails when the URL contains relative path segments such as `./` or `../`. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, placing this in a moderate-risk, phishing-enablement category rather than a direct system compromise class.

Jenkins Open Redirect Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-41714 MEDIUM PATCH This Month

Improper certificate validation in Spring AMQP allows a network-positioned attacker to perform a man-in-the-middle attack against applications that configure broker connections via RabbitConnectionFactoryBean.setUri("amqps://...") without explicitly calling setUseSSL(true). Affected are Spring AMQP versions 2.4.0 through 4.0.3 across four release lines. Although TLS encryption is established, the absence of certificate chain validation and hostname verification means a rogue broker can impersonate the legitimate RabbitMQ instance, exposing message content in transit. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.

Information Disclosure Java
NVD HeroDevs VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-53464 MEDIUM PATCH GHSA This Month

Memory leak in ImageMagick's wand option parser degrades availability when invalid options are supplied, affecting all versions prior to 7.1.2-25. The leak is described as small, meaning impact is limited to gradual memory exhaustion rather than immediate resource collapse. No active exploitation has been identified (not in CISA KEV), no public exploit code is known, and an EPSS score was not provided - consistent with a low-severity, locally-triggered defect. The 'Information Disclosure' tag in the source data is inconsistent with the CVSS C:N metric and the description; this discrepancy should be treated as a possible tagging error unless the vendor advisory clarifies memory-content exposure.

Information Disclosure Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-45380 LOW PATCH Monitor

Path traversal via crafted .7z archive in bit7z before v4.0.12 on POSIX platforms allows an attacker-controlled symlink to escape the extraction directory by exactly one level - up to the parent directory. Any archive entries extracted after the malicious symlink is placed will write attacker-controlled files to the parent of the intended output path, carrying the permissions of the extracting process. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV; the vendor-confirmed fix ships in version 4.0.12.

Microsoft Path Traversal
NVD GitHub
CVSS 3.1
3.6
EPSS
0.0%
CVE-2026-50568 LOW PATCH Monitor

Path traversal in Fission's SanitizeFilePath function (pkg/utils/utils.go) allows a low-privileged tenant to read or write files outside an intended safe directory on a shared Kubernetes volume. Versions prior to 1.25.0 validated directory confinement using strings.HasPrefix, which performs a purely lexical string comparison: a sibling path such as /packages-extra/evil incorrectly passes a check for the safe directory /packages because it satisfies the string prefix condition without a directory-separator boundary. The builder's Clean handler and the fetcher's Fetch and Upload handlers were all affected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Kubernetes
NVD GitHub VulDB
CVSS 3.1
3.6
EPSS
0.0%
CVE-2022-48575 LOW PATCH Monitor

A person with access to a Mac may be able to bypass Login Window. Rated low severity (CVSS 3.5), this vulnerability is no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apple Authentication Bypass
NVD VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-48051 LOW PATCH GHSA Monitor

Papra's webhook delivery system allows any authenticated organisation member to bypass SSRF protections and cause the server to issue HTTP requests to loopback, link-local, and RFC-1918 addresses by exploiting automatic redirect-following in the ofetch HTTP client. The SSRF blocklist is enforced on registered webhook URLs but never applied to 3xx redirect destinations, meaning an attacker-controlled server can return a 302/307 response pointing to any internal address and Papra's server will follow it. A public proof-of-concept is available and exploitation was confirmed against the official Docker image; no CISA KEV listing is present at time of analysis.

Python Docker Microsoft SSRF
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-48855 LOW PATCH Monitor

Path disclosure in Erlang OTP's ssh_sftpd module exposes the absolute backend filesystem path of the SFTP chroot root to authenticated clients. By creating a symlink inside the chroot pointing to '/' and issuing SSH_FXP_READLINK, an authenticated SFTP client receives the raw absolute path (e.g., '/data/sftp') that the server uses as the chroot backend, rather than the sanitized chroot-relative value '/'. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.3 reflects the narrowly scoped, low-severity nature of the disclosure.

Information Disclosure Otp
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-29114 LOW Monitor

CA root certificate exposure in Dahua IPC devices allows unauthenticated network-based attackers, under specific prerequisite conditions, to retrieve the device's internal CA root certificate. If the obtained certificate is installed and trusted on client systems, the attacker could leverage it to issue fraudulent certificates recognized as valid by those clients, collapsing the integrity of affected certificate trust chains. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the CVSS 4.0 score of 2.3 reflects the multi-step, user-dependent nature of the full attack chain.

Information Disclosure Dahua
NVD
CVSS 4.0
2.3
EPSS
0.0%
CVE-2024-58350 LOW PATCH Monitor

Ghidra before 11.2 contains a use after free vulnerability in the Sleigh backend caused by undefined static initialization order of the SleighArchitecture::translators and XmlArchitectureCapability. Rated low severity (CVSS 2.1), this vulnerability is no authentication required, low attack complexity.

Denial Of Service Ghidra
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11859 LOW PATCH Monitor

HTML injection in the 'fetch links' alert email feature of Thinkst Canarytokens allows unauthenticated remote attackers to embed malicious HTML and JavaScript into notification emails delivered to token owners (defenders). The vulnerability is notable because it weaponizes the deception platform's own alert mechanism against the security operators relying on it - turning a defensive tool into a phishing vector. Proof-of-concept exploit code exists (CVSS 4.0 E:P), though the vulnerability is not listed in CISA KEV and the CVSS 4.0 base score of 2.0 reflects the limited, interaction-dependent impact.

Docker XSS
NVD GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-24717 LOW PATCH Monitor

Path traversal in QNAP QTS and QuTS hero NAS operating systems exposes arbitrary file contents to attackers who have already obtained administrator-level access. The root cause (CWE-22) indicates insufficient sanitization of file path inputs, allowing directory escape to reach files outside intended scope. No public exploit code has been identified at time of analysis, and CISA KEV lists no active exploitation - making this a targeted post-compromise risk rather than an opportunistic mass-exploitation scenario. Vendor-released patches address all affected branches as of May 2026.

Path Traversal Qnap Qts Quts Hero
NVD VulDB
CVSS 4.0
1.2
EPSS
0.2%
CVE-2026-24716 LOW PATCH Monitor

NULL pointer dereference in QNAP QTS and QuTS hero NAS operating systems enables a remote, administrator-authenticated attacker to trigger a denial-of-service condition. Exploitation requires the attacker to first hold or acquire an administrator account on the target device, after which a crafted request can crash system services. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Denial Of Service Null Pointer Dereference Qnap Qts Quts Hero
NVD VulDB
CVSS 4.0
1.2
EPSS
0.1%
CVE-2025-59382 LOW Monitor

External control of assumed-immutable web parameters in QNAP NAS software enables remote unauthenticated attackers to achieve low-integrity impact by manipulating parameters the application treats as unmodifiable. The vulnerability requires active user interaction to trigger, limiting opportunistic exploitation. QNAP has released a fix per advisory QSA-26-10; no public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Qts Quts Hero Qutscloud
NVD VulDB
CVSS 4.0
1.2
EPSS
0.0%
CVE-2026-0266 LOW PATCH Monitor

Stored cross-site scripting in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to persist a JavaScript payload via the web management interface, enabling potential execution of that script in the browsers of other administrative users who view the affected interface element. Affected platforms include PA-Series and VM-Series physical and virtual firewalls as well as Panorama (both virtual appliances and M-Series hardware). The CVSS 4.0 base score of 1.1 reflects the extremely constrained exploitability: high-privilege access is a prerequisite and passive user interaction by a second victim is required. No public exploit identified at time of analysis.

XSS Paloalto Cloud Ngfw Pan Os Prisma Access
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-47764 HIGH PATCH GHSA This Week

Arbitrary file write via path traversal in PDM (Python Development Master) package manager allows malicious wheels to write files outside the intended installation directory during package installation. The flaw exists in InstallDestination.write_to_fs() which overrode the safe base class path validation with an unvalidated os.path.join() call, affecting PDM versions up to and including 2.22.4. No public exploit identified at time of analysis, though the issue mirrors the previously disclosed Poetry CVE-2026-34591 of the same class.

Path Traversal Suse
NVD GitHub
EPSS
0.0%
CVE-2026-47763 MEDIUM PATCH GHSA This Month

Arbitrary file clobber in PDM (Python Development Master) below version 2.27.0 allows an attacker who controls a cloned project repository to overwrite files outside the repository root by planting symlinks at project-local config paths (pdm.toml, .pdm-python, .python-version) that PDM writes to without symlink protection. When a developer runs any PDM command triggering a project-local config write against the malicious checkout, the tool follows the symlink and overwrites the target with attacker-influenced content - up to arbitrary file corruption relative to the invoking user's privileges. A working proof-of-concept is included in the GitHub security advisory GHSA-ghq2-5c67-fprm; no active exploitation is confirmed in CISA KEV at time of analysis.

RCE Python Suse
NVD GitHub VulDB
EPSS
0.0%
CVE-2026-47753 MEDIUM PATCH GHSA This Month

Nil-pointer dereference in Incus daemon (incusd) versions before 7.1.0 allows any authenticated API user holding the standard can_create permission on any project to crash the entire incusd process by uploading a crafted backup tarball, causing denial of service across all projects on the affected cluster member. The vulnerable path in internal/server/storage/backend.go:795 dereferences Config.Volume without a nil guard while adjacent fields received nil-checks in sibling patches (GHSA-fwj8-62r8-8p8m, GHSA-r7w7-mmxr-47r9, GHSA-x5r6-jr56-89pv) released 2026-05-04. Publicly available exploit code exists in the form of a self-contained Go unit test and 2560-byte tarball builder included with the disclosure; no CISA KEV listing at time of analysis.

Null Pointer Dereference Denial Of Service Suse
NVD GitHub
EPSS
0.0%
CVE-2026-48063 CRITICAL POC PATCH GHSA Act Now

Message spoofing and app state corruption in Baileys WhatsApp library (versions < 6.7.22 and < 7.0.0-rc12) allow remote attackers to forge messages.upsert events, inject history sync data, and jam the app state sync system by sending crafted protocolMessage payloads via placeholderResendMessage. The flaw stems from missing self-origin checks on protocol message types that should only originate from the user's own device. No public exploit identified at time of analysis, but the upstream patch and detailed advisory provide enough information for exploit reconstruction.

Authentication Bypass
NVD GitHub
EPSS
0.0%
CVE-2026-48058 MEDIUM PATCH GHSA This Month

Session and OIDC state cookies in nebula-mesh up to v0.3.1 are transmitted without the Secure attribute, allowing a network-adjacent attacker who can observe a single plaintext HTTP request to recover the session cookie and fully impersonate the operator for up to 24 hours. The OIDC state cookie carries an additional CSRF risk during its 10-minute validity window, enabling an attacker to hijack the OIDC callback flow. A working reproducer is included in the GHSA advisory; no public exploit framework distribution is known and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

CSRF
NVD GitHub
EPSS
0.0%
CVE-2026-48025 MEDIUM PATCH GHSA This Month

Decrypted CA private keys in nebula-mesh linger in Go's process heap after signing operations complete, violating the keystore package's explicit zeroise contract. All versions through v0.3.6 are affected across three call sites - enroll.go:116, updates.go:297, and mobile_bundle.go:40 - each of which constructs a CAManager with a plaintext ed25519.PrivateKey and drops the reference without wiping the underlying slice. An attacker with local memory-read access can extract the plaintext CA private key from process heap, defeating the master-key envelope-encryption design's core security guarantee. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure
NVD GitHub
EPSS
0.0%
CVE-2026-48037 MEDIUM PATCH GHSA This Month

Silent security posture degradation in `@hulumi/baseline` (npm, versions < 1.4.0) allows AWS detective service configurations to appear active while being suspended, misconfigured, or inadvertently destroyed through normal Pulumi stack teardown operations. The `AccountFoundation` component's opt-in reuse mode for existing GuardDuty detectors and Security Hub configurations never validates imported resource state, meaning a suspended or slow-cadence GuardDuty detector silently passes deployment as healthy, and a routine `pulumi destroy` will call `BatchDisableStandards` to strip CIS/NIST compliance subscriptions from accounts that had those subscriptions before Hulumi was ever introduced. No public exploit identified at time of analysis; both failure modes are triggered by legitimate operator actions, not adversarial input.

Information Disclosure
NVD GitHub
EPSS
0.1%
CVE-2026-48036 HIGH PATCH GHSA This Week

Drift-detection logic flaw in the @hulumi/drift npm package (versions < 1.4.0) causes the verdict classifier to conflate adapter failure with a clean result, producing cached false-negative 'None / none' verdicts for up to six hours and false-positive incident-severity 'Mixed / high' or 'ConsoleBreakGlass / high' verdicts based on probe liveness rather than CloudTrail evidence. Consumers running drift detection in CI or cron pipelines could silently miss real console-break-glass mutations or be paged on routine provider-version churn. No public exploit identified at time of analysis; the issue is a CWE-755 improper-exception-handling defect rather than a remote attack primitive.

Privilege Escalation
NVD GitHub
EPSS
0.0%
CVE-2026-48035 HIGH PATCH GHSA This Week

Audit log tamper-resistance failure in @hulumi/baseline versions prior to 1.4.0 allows any S3-delete-capable principal in the AWS account to silently erase CloudTrail and AWS Config forensic records that the AccountFoundation construct was advertised to protect. Three compounding defects - hard-coded objectLock:false on the startup-hardened tier, unrestricted propagation of forceDestroy/logBucketForceDestroy to the audit bucket, and a sandbox tier that omitted Object Lock, server access logging, and the CloudTrail-Lake EventDataStore entirely - left consumers believing they had immutable audit capture when they did not. No public exploit identified at time of analysis, no CVSS or EPSS published, and the issue is a defense-in-depth/forensic-integrity weakness rather than a remote code execution path.

Information Disclosure
NVD GitHub
EPSS
0.0%
Prev Page 5 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy