Skip to main content
CVE-2026-8071 HIGH POC PATCH This Week

Stored cross-site scripting in the Anti-Spam by CleanTalk Spam Protection WordPress plugin before 6.79 allows unauthenticated remote attackers to inject arbitrary JavaScript into approved comments via a custom shortcode in the email-encoding feature, with execution occurring when any visitor or administrator views the affected post. Publicly available exploit code exists per WPScan, increasing exposure for the plugin's large WordPress installation base, though it requires user interaction (UI:R) to trigger the payload. The high CVSS score of 8.8 reflects the potential for administrator account compromise leading to full site takeover.

XSS WordPress
NVD WPScan
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-71329 HIGH POC PATCH Monitor

Denial of service in the image-size Node.js library through version 2.0.2 allows remote unauthenticated attackers to permanently hang the Node.js event loop by supplying a crafted JXL or HEIF image containing a box with a zero-valued size field. Publicly available exploit code exists and an upstream fix has been merged, making this a credible availability threat for any service that accepts user-supplied images and runs them through image-size. No active exploitation has been reported in CISA KEV at time of analysis.

Denial Of Service Node.js Image Size Red Hat Suse
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-71330 HIGH POC PATCH This Week

Denial of service in the image-size Node.js library (versions up to and including 2.0.2) allows remote unauthenticated attackers to permanently stall the Node.js event loop by submitting a malformed ICNS image. The flaw stems from an infinite loop in the ICNS parser when an entry length field is zero, and publicly available exploit code exists per VulnCheck and an independent write-up; no public exploit identified at time of analysis indicates active exploitation, but the POC makes weaponization trivial.

Denial Of Service Node.js Image Size Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-3326 HIGH POC PATCH This Week

Unauthenticated SQL injection in the XStore WordPress theme before 9.7.3 allows remote attackers to inject arbitrary SQL queries through an AJAX action that fails to sanitise and escape a user-supplied parameter. Publicly available exploit code exists per WPScan, and the changed scope (S:C) with high confidentiality impact indicates an attacker can extract sensitive data across security boundaries - including WordPress user records, password hashes, and configuration secrets - without any credentials or user interaction.

SQLi WordPress
NVD WPScan
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-3018 HIGH POC This Week

Unauthenticated time-based SQL injection in the Newsletters plugin for WordPress (versions up to and including 4.13) allows remote attackers to extract sensitive database contents via the 'wpmlsubscriber_id' parameter. The flaw stems from insufficient input escaping and lack of prepared statements, and no public exploit identified at time of analysis. The CVSS 7.5 score reflects confidentiality-only impact with no required authentication or user interaction.

SQLi WordPress
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-11417 HIGH POC PATCH GHSA This Week

OS command injection in the NodejsFunction local bundling pipeline of aws-cdk-lib prior to 2.245.0 (2.246.0 on Windows) allows an actor controlling bundling property values (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via shell metacharacter injection. The flaw, reported by Amazon and tracked under GHSA-999r-qq7v-r334, affects developer and CI/CD machines synthesizing CDK applications. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Command Injection Microsoft Aws Cloud Development Kit Library
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-20251 HIGH PATCH This Week

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privileged authenticated user (without 'admin' or 'power' roles) to execute arbitrary Python on the server by abusing unsafe jsonpickle deserialization of App Key Value Store (KV Store) data. CVSS is 8.8 (network, low complexity, low privileges) and the issue is currently rated as no public exploit identified at time of analysis. The flaw is reported by Cisco and disclosed via Splunk advisory SVD-2026-0601.

Python Deserialization Splunk RCE Splunk Enterprise +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-49759 HIGH PATCH This Week

Denial of service in Erlang/OTP erts (inet_drv SCTP handler) lets unauthenticated remote attackers crash the BEAM VM by sending a single crafted SCTP ERROR chunk to a listening SCTP port. The flaw is a stack-based buffer overflow (CWE-121) in sctp_parse_error_chunk, with the publicly disclosed advisory from the Erlang Ecosystem Foundation (EEF) and an upstream commit confirming the fix; no public exploit identified at time of analysis, and the overflow only permits writing 16-bit values interleaved with a fixed tag, limiting impact to DoS plus minor memory disclosure.

Denial Of Service Buffer Overflow Stack Overflow Otp
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-50223 HIGH PATCH This Week

Server-side template injection in Apache OFBiz before 24.09.07 allows authenticated users holding Content or DataResource editing privileges to inject template code that is rendered by the framework, resulting in remote code execution on the application server. The flaw is rated CVSS 8.8 with publicly available exploit code exists via the oss-security disclosure thread, though EPSS sits at 0.09% (26th percentile), indicating broad opportunistic exploitation has not yet been observed. Apache has shipped a fix in 24.09.07 and recommends immediate upgrade.

RCE Apache Code Injection Ofbiz
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-53435 HIGH This Week

Authenticated remote code execution in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) allows attackers with permission to submit config.xml to trigger deserialization of arbitrary core or plugin types that subsequently handle HTTP requests, enabling user impersonation, Script Console abuse, and arbitrary file reads from the controller. The flaw is tracked as a CWE-502 unsafe deserialization issue with a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). No public exploit identified at time of analysis, but the vendor (Jenkins project) has issued a coordinated advisory and patched releases.

RCE Deserialization Jenkins
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-44693 HIGH This Week

Session hijacking in Pi-hole FTL versions prior to 6.6.1 stems from a race condition in the CivetWeb-based HTTP session management subsystem introduced during the v6.0 rewrite. Remote attackers can leverage concurrent requests to compromise web admin session state, potentially gaining high-impact access (C:H/I:H/A:H per CVSS 8.8) to the DNS sinkhole and network filtering controls. No public exploit identified at time of analysis, but vendor has published an upstream fix in v6.6.1.

Race Condition Information Disclosure Ftl
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-45328 HIGH This Week

Privilege escalation from REE to TEE in Espressif ESP-IDF 5.5.4 and 6.0 lets a low-privileged user-application caller abuse esp_tee secure-service wrappers (AES, SHA, ECC, HMAC, SPI, MMU, WDT, attestation, OTA, secure storage) due to insufficient buffer-range validation in esp_secure_services.c and esp_secure_services_iram.c. EPSS is 0.02% and there is no public exploit identified at time of analysis, but technical impact is total because the flaw lets REE code reach TEE-protected hardware peripherals and security services.

Information Disclosure Esp Idf
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-47342 HIGH PATCH This Week

Privilege escalation in Apache OFBiz versions prior to 24.09.07 allows a low-privileged authenticated user to elevate their permissions to a higher-privileged role, leading to full compromise of confidentiality, integrity, and availability of the ERP system. The flaw is rooted in improper authorization (CWE-285) and is exploitable remotely over the network with low complexity once valid low-tier credentials are held. No public exploit identified at time of analysis, and EPSS scoring (0.02%) plus CISA SSVC (Exploitation: none) suggest no observed exploitation activity yet.

Privilege Escalation Apache Authentication Bypass Ofbiz
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-45564 HIGH This Week

Authenticated command injection in Roxy-WI versions 8.2.6.4 and prior allows low-privileged users (role <= 3, 'user') to execute arbitrary OS commands by abusing the configver URL-path parameter on POST /config/versions/<service>/<server_ip>/<configver>/save, which flows unsanitized into an os.system() call wrapping dos2unix. No public exploit identified at time of analysis, but the GHSA advisory is published and no vendor patch exists, leaving exposed instances at immediate risk of full compromise of the management interface host.

Command Injection Nginx Apache
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-26237 HIGH PATCH This Week

Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass authorization checks and interact with resources they should not be permitted to reach. The flaw is classified as a missing authorization issue (CWE-862) and carries a CVSS 4.0 score of 8.7 due to its network-reachable, low-complexity nature with no privileges or user interaction required. No public exploit identified at time of analysis, but QNAP NAS appliances are historically high-value targets for opportunistic attackers.

Authentication Bypass Qumagie
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-26239 HIGH PATCH This Week

Stack-based buffer overflow in QNAP File Station 5 versions 5.5.0 through 5.5.6.5208 allows authenticated remote attackers to corrupt memory and crash processes on affected NAS deployments. CVSS 4.0 score of 8.7 reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid user credentials (PR:L). No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Stack Overflow Buffer Overflow File Station 5
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-46669 HIGH PATCH This Week

Pairing soundness flaw in OpenVM's openvm-pairing guest library prior to version 1.6.0 allows attackers to produce zero-knowledge proofs that pass a pairing check despite being mathematically invalid, because the try_honest_pairing_check function fails to verify that the scaling factor s lies in a proper subfield of Fp12 as required by Theorem 3 of eprint 2024/640. The vulnerability carries an 8.7 CVSS 4.0 score with high integrity impact and no confidentiality or availability impact, and no public exploit identified at time of analysis. The vendor patched it in OpenVM v1.6.0 as part of a coordinated security release addressing four advisories.

Information Disclosure Openvm
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-52758 HIGH PATCH This Week

SQL injection in Ghidra's BSim binary-similarity component (versions before 12.1) allows authenticated remote attackers to inject arbitrary SQL via filter types that concatenate user-supplied values directly into PostgreSQL queries. Successful exploitation lets an attacker read, modify, or delete contents of the backing BSim PostgreSQL database used to store function signatures. No public exploit identified at time of analysis, though a vendor security advisory has been published by NSA on GitHub.

PostgreSQL SQLi Ghidra
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-10143 HIGH PATCH This Week

Denial of service in kafka-python versions prior to 2.3.2 allows a malicious or man-in-the-middle Kafka broker to freeze the client's event loop during SCRAM authentication by returning an excessive PBKDF2 iteration count. Because ScramClient.process_server_first_message() forwards the broker-supplied value directly to hashlib.pbkdf2_hmac() without bounds checking, producers, consumers, admin clients, and group heartbeats all stall, leading to consumer-group eviction and reconnect loops. No public exploit identified at time of analysis, though VulnCheck has published a vendor-style advisory and an upstream patch has been merged.

Python Denial Of Service Kafka Python
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-29116 HIGH This Week

Remote denial-of-service in multiple Dahua video surveillance product lines (IPC, SD, NVR, XVR, EVS, VTO, VTH, ASI, TPC) allows unauthenticated network attackers to send a specially crafted packet that triggers an unhandled exception (CWE-617), forcing the device into an unexpected reboot. The CVSS 4.0 score of 8.7 reflects high availability impact with no required privileges or user interaction, and no public exploit identified at time of analysis.

Denial Of Service Dahua
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-52754 HIGH PATCH This Week

Authentication bypass in NSA Ghidra versions prior to 12.1 allows any holder of a valid CA-signed certificate to impersonate arbitrary users by submitting their public certificate alongside a null signature to PKIAuthenticationModule.authenticate(). Successful exploitation yields privilege escalation, tampering of repository access controls, exfiltration of shared reverse-engineering databases, and persistent compromise of the Ghidra server. No public exploit identified at time of analysis, but a vendor patch and detailed advisory from VulnCheck are available.

Authentication Bypass Jwt Attack Ghidra
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-46689 HIGH PATCH GHSA This Week

Unauthenticated remote denial-of-service in Kanidm identity management server versions prior to 1.9.3 allows any network attacker to crash the entire kanidmd daemon by sending a single GET request to any /scim/v1/* endpoint with a deeply nested parenthesised ?filter= query string. The recursive-descent PEG parser exhausts the worker thread's 2 MiB stack, triggering Rust's std::process::abort(). No public exploit identified at time of analysis, but technical details and root cause are fully disclosed in the upstream advisory.

Buffer Overflow Kanidm
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-10142 HIGH PATCH This Week

Denial of service in the kafka-python client library (versions prior to 2.3.2) allows a malicious Kafka broker or man-in-the-middle attacker to exhaust client memory or wedge connections by sending a crafted 4-byte frame length header. The protocol parser's receive_bytes() function performs no bounds check on the declared frame size, leading to multi-gigabyte allocations or uncaught ValueError exceptions that stop consumer heartbeats. No public exploit identified at time of analysis; reported by VulnCheck with an upstream patch already merged.

Python Information Disclosure Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-49498 HIGH PATCH This Week

SQL injection in Ghidra's PostgreSQL collaboration backend (versions 11.0 through pre-12.1) allows authenticated users to escalate to PostgreSQL superuser by injecting crafted username strings into ALTER ROLE statements issued by the changePassword() method. Exploitation requires only low-privileged authenticated access to the Ghidra server, and no public exploit has been identified at time of analysis despite a working proof-of-concept being implied by the detailed vendor advisory from VulnCheck and NSA.

PostgreSQL SQLi Ghidra
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-22893 HIGH PATCH This Week

Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows attackers with administrator credentials to execute arbitrary OS commands on the appliance. The flaw spans multiple QTS and QuTS hero release trains (5.2.x, 5.3.x, and 6.0.x) and has been patched by QNAP across all affected branches. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV, but the post-authentication code execution primitive is highly valuable for attackers who have already harvested admin credentials.

Qnap Command Injection Qts Quts Hero
NVD VulDB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2025-66279 HIGH PATCH This Week

Authenticated command injection in QNAP QTS and QuTS hero allows a remote attacker holding administrator credentials to execute arbitrary OS commands on the NAS appliance. The CVSS 4.0 base score of 8.6 reflects high impact across confidentiality, integrity, and availability, though exploitation requires high privileges (PR:H). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; QNAP has released fixed builds across affected QTS and QuTS hero branches.

Qnap Command Injection Qts Quts Hero
NVD VulDB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2025-66273 HIGH PATCH This Week

Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained administrator credentials to execute arbitrary OS commands on the appliance. Reported by QNAP itself and tracked as EUVD-2025-210099, the issue affects multiple branches across QTS 5.2.x and QuTS hero 5.2.x, 5.3.x, and 6.0.x and is fixed in builds dated 2026-02-06 through 2026-05-20. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Qnap Command Injection Qts Quts Hero
NVD VulDB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-52751 HIGH PATCH This Week

Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens a malicious shared-project file containing a ghidra:// URL, triggering unsafe Java deserialization in the client-side Shared-Project RMI connection code. Exploitation leverages a Jython 2.7.4 gadget chain and requires only user interaction (opening the crafted project), with no authentication needed. No public exploit identified at time of analysis, though VulnCheck has published an advisory describing the flaw.

RCE Deserialization Ghidra
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-50131 HIGH PATCH NEWS GHSA This Week

Server-Side Request Forgery in the Fedify ActivityPub library (versions 0.11.2 through 2.2.3, with branch-specific cutoffs) allows remote attackers to coerce outbound fetches to non-public IPv4 destinations because the `isValidPublicIPv4Address()` allow-list misses several reserved, multicast, benchmarking, and CGNAT ranges. This is an incomplete-fix bypass of the SSRF mitigation originally tracked as GHSA-p9cg-vqcc-grcx, and at time of analysis there is no public exploit identified, though the underlying logic and patch diff are publicly disclosed in the GHSA-xw9q-2mv6-9fr8 advisory. Federated servers built on Fedify are exposed whenever they fetch attacker-controlled ActivityPub documents or media.

SSRF Fedify Vocab Runtime
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-24724 HIGH PATCH This Week

Authorization bypass in QNAP File Station 5 (versions 5.5.0 through 5.5.6.5243) allows a remote attacker with a valid low-privileged user account to circumvent intended access restrictions and reach files or operations they should not be able to access. The flaw was reported by QNAP itself with a CVSS 4.0 score of 8.6 reflecting high confidentiality and integrity impact, and there is no public exploit identified at time of analysis. Note that the vendor description text references 'File Station 6,' but the CPE, affected version list, and fix data all point to File Station 5, which appears to be a typo in the advisory.

Authentication Bypass File Station 5
NVD VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-53673 HIGH This Week

Insecure direct object reference in BuddyPress 14.4.0's messages REST API lets any authenticated WordPress user read, reply to, or delete another user's private message threads by supplying a target user_id parameter. The flaw originates in get_item_permissions_check, which trusts the attacker-supplied identifier instead of the authenticated session, and the same broken check is reused by update and delete handlers. No public exploit identified at time of analysis, but the simplicity of the request manipulation and CVSS 4.0 base of 8.6 mark this as a high-priority issue for any community site running BuddyPress.

Authentication Bypass
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-50570 HIGH PATCH This Week

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.25.0 allows a tenant with permission to create Function or Environment CRDs to obtain CAP_SYS_TIME inside function/runtime containers by bypassing an incomplete capability denylist in the ValidatePodSpecSafety admission webhook. The denylist only blocked six Linux capabilities (SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCH, DAC_OVERRIDE) and omitted CAP_SYS_TIME and others, letting tenant-controlled code modify the container's system clock. No public exploit identified at time of analysis, but the upstream patch and CRD diff are publicly visible in fission/fission PR #3465.

Privilege Escalation Kubernetes
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-49824 HIGH PATCH GHSA This Week

Cross-namespace access control bypass in Fission (Kubernetes-native serverless framework) prior to 1.24.0 allows an authenticated tenant with permission to create Function objects in their own namespace to reference an Environment in a different namespace, because the admission webhook in pkg/webhook/function.go validated namespace equality only for secrets and configmaps, not for spec.environment.namespace. An attacker can pivot across Kubernetes namespace boundaries and pull in environment configuration belonging to other tenants (CVSS 8.5, scope-changed, high confidentiality impact). No public exploit identified at time of analysis, though the upstream fix and full patch diff are publicly available on GitHub.

Authentication Bypass Kubernetes
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-9151 HIGH PATCH This Week

OS command injection in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers allows an authenticated attacker on an adjacent network to execute arbitrary commands by uploading a malicious VPN client configuration file. The flaw stems from improper sanitization of special characters during configuration import (CWE-78) and carries a CVSS 4.0 base score of 8.5. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but TP-Link has released firmware fixes for all affected models.

Command Injection TP-Link
NVD
CVSS 4.0
8.5
EPSS
0.4%
CVE-2026-8637 HIGH PATCH This Week

Local privilege escalation in Lenovo's LanSchool Classic client application allows authenticated users on affected endpoints to execute arbitrary code with elevated privileges via an uncontrolled search path (CWE-427). The flaw carries a CVSS 4.0 score of 8.5 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because LanSchool Classic is widely deployed in K-12 and education environments, exploitation could let a student or low-privileged user gain SYSTEM-level control of managed classroom devices.

RCE Lanschool Classic
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-9045 HIGH PATCH This Week

Local privilege escalation in Lenovo Accessories and Display Manager for Enterprise on Windows allows an authenticated low-privileged user to execute arbitrary code with elevated privileges, per a Lenovo-disclosed internal finding (LEN-213623). The CVSS 4.0 base score of 8.5 reflects high impact to confidentiality, integrity, and availability of the vulnerable system, though no public exploit identified at time of analysis. The CWE-306 (Missing Authentication for Critical Function) classification combined with the 'Authentication Bypass' tag suggests a privileged operation in the product is reachable without proper access checks.

RCE Microsoft Authentication Bypass Lenovo
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-45549 HIGH This Week

Privilege escalation in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user - including the lowest-privilege 'guest' role 4 - to start, stop, or restart the roxy-wi-smon-agent systemd unit on arbitrary managed servers, with the action executing as root via Roxy-WI's passwordless sudo SSH credentials. The flaw stems from missing role and group-ownership checks on the agent_action endpoint, and no public exploit has been identified at time of analysis though the vulnerability is trivially reachable once an account exists.

Authentication Bypass Nginx Apache
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-52750 HIGH PATCH This Week

Command injection in Ghidra versions before 12.1 on Windows allows attackers to execute arbitrary OS commands under the Ghidra user's privileges when a victim clicks a maliciously crafted URL embedded in a program comment annotation. The flaw stems from improper escaping of cmd.exe metacharacters in URL annotation handling, and exploitation requires user interaction (UI:A). No public exploit identified at time of analysis, though VulnCheck published a dedicated advisory alongside the NSA's GitHub security advisory.

Command Injection Microsoft Ghidra
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-10721 HIGH This Week

PHP Object Injection in Concrete CMS versions below 9.5.2 allows arbitrary PHP object instantiation through unsafe unserialize() calls in the Permission, Cache, and Search components. The flaw is triggered when a malicious serialized payload has already been written to the database, meaning the unauthenticated trigger depends on a prior write primitive existing in the deployment. No public exploit identified at time of analysis, and CVSS 4.0 base scores it 8.4 with high confidentiality, integrity, and availability impact.

PHP Deserialization
NVD VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-24067 HIGH This Week

Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users on the host to gain root-level capabilities by abusing a TOCTOU race in the privileged helper's XPC client validation. The com.slatedigital.connect.privileged.helper.tool2 service identifies callers by PID and then queries code-signing information, but PID reuse lets an attacker substitute a trusted process between check and use. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the technical pattern is well-known on macOS and a SEC Consult advisory describes the flaw in detail.

Apple Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-52755 HIGH PATCH This Week

Arbitrary file write in NSA's Ghidra reverse-engineering framework before version 12.0.4 allows attackers to escape the theme directory via Zip Slip path traversal sequences in malicious theme ZIP archives, leading to code execution or credential compromise. The flaw requires user interaction (importing the booby-trapped theme) and is exploited locally against the user running Ghidra. No public exploit identified at time of analysis, though the technique (Zip Slip) is well-documented and trivially reproducible.

RCE Path Traversal Ghidra
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-52752 HIGH PATCH This Week

Arbitrary file write in NSA Ghidra versions prior to 12.0.2 allows local attackers to achieve code execution by tricking a user into installing a malicious extension archive. The extension installer fails to sanitize ZIP entry names, enabling classic Zip Slip path traversal that writes files outside the intended extension directory. No public exploit identified at time of analysis, though the technique is well-documented and trivially reproducible.

RCE Path Traversal Ghidra
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-24066 HIGH This Week

Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users to execute commands as root by connecting to the privileged XPC helper service with a self-signed certificate whose subject OU matches the expected value. The flaw stems from improper certificate validation (CWE-296) in the helper's client authorization logic, which fails to verify the certificate chains to a trusted code-signing authority. No public exploit is identified in CISA KEV at time of analysis, and EPSS reflects very low (0.01%) near-term exploitation probability, but a detailed vendor-lab advisory is publicly available.

Apple Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-10238 HIGH PATCH This Week

Local privilege escalation to System Management Mode (SMM) in Lenovo ThinkPad BIOS firmware allows a high-privileged local user to execute arbitrary code at one of the most privileged execution rings on x86 hardware. The flaw, an out-of-bounds write (CWE-787) discovered by Lenovo during an internal security assessment, affects a wide range of current-generation ThinkPad models including X1 Carbon 13th Gen, X13 Gen 6, T14s Gen 6, P14s/P16v Gen 3, L13/L14/L16 Gen 6, and E16 Gen 3. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow Memory Corruption X13 Gen 6 Type 21Rk 21Rl Laptops Thinkpad Bios X1 Carbon 13Th Gen Type 21Nx 21Ny Laptops Thinkpad Bios P16V Gen 3 Type 21Rs 21Rt Laptop Thinkpad Bios +105
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-10237 HIGH PATCH This Week

Arbitrary privileged memory read/write in Lenovo ThinkPad embedded controller (EC) firmware allows a local administrator on affected ThinkPad models (X13 Gen 6, X1 Carbon 13th Gen, P16v Gen 3, L16 Gen 1/2, T14s Gen 6, P14s Gen 6, L13 Gen 6, L14 Gen 6) to access or modify protected memory regions. Discovered during Lenovo's internal security assessment, the issue is rated CVSS 4.0 8.4 (High) and there is no public exploit identified at time of analysis, with no CISA KEV listing. Despite the high score, exploitation requires high privileges and local access, narrowing realistic abuse to attackers who already have admin on the host or to supply-chain/insider scenarios.

Information Disclosure X13 Gen 6 Type 21Rk 21Rl Laptops Thinkpad Bios X1 Carbon 13Th Gen Type 21Nx 21Ny Laptops Thinkpad Bios P16V Gen 3 Type 21Rs 21Rt Laptop Thinkpad Bios L16 Gen 1 Type 21L7 21L8 Laptops Thinkpad Bios +91
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-46558 HIGH PATCH This Week

Cross-workspace authorization bypass in Plane (makeplane) prior to version 1.3.1 allows any authenticated user of one workspace to read, copy, delete, and overwrite file assets belonging to other workspaces on the same instance. The flaw stems from missing membership checks on V2 asset endpoints and is fixed in v1.3.1; no public exploit identified at time of analysis.

Authentication Bypass Plane
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-45567 HIGH This Week

Authentication bypass in Roxy-WI versions 8.2.6.4 and prior allows remote unauthenticated attackers to reach protected API functionality by including the 'api' substring in the URL, with the /api/gpt endpoint specifically exposed without authentication. The flaw carries a CVSS 8.3 with scope change and affects a web management interface for HAProxy, Nginx, Apache, and Keepalived, and no public exploit has been identified at time of analysis. No vendor-released patch exists at time of publication, making this a high-priority issue for any internet-exposed installation.

Authentication Bypass Nginx Apache
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-50637 HIGH PATCH This Week

Metric injection in the Perl module Metrics::Any::Adapter::Statsd before version 0.04 allows remote attackers to inject arbitrary StatsD metrics by supplying metric names or values containing newlines, colons, or pipes that the send method passes unvalidated into UDP packets. Because the StatsD protocol multiplexes multiple metrics per packet using newline delimiters, an attacker who controls any string flowing into a recorded metric can forge additional metrics, poisoning monitoring data and downstream alerting. EPSS is very low (0.03%), no public exploit is identified at time of analysis, and there is no CISA KEV listing.

Code Injection Metrics
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-10846 HIGH PATCH This Week

Off-path DNS response spoofing in NLnet Labs ldns 1.2.0 through 1.9.0 allows remote attackers to inject forged answers into applications that use the library as a UDP stub resolver, including the bundled drill tool. The library fails to validate the response source address/port, the query transaction ID, and the question section against the original query, making cache and answer poisoning feasible without on-path positioning. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.2 reflects high integrity impact on any downstream application that trusted ldns to validate DNS answers.

Information Disclosure Ldns Suse
NVD VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-41717 HIGH PATCH This Week

Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered during parameter binding for repository methods annotated with @Query that use a capture-all placeholder. With CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) and no public exploit identified at time of analysis, unauthenticated attackers who can influence query parameters reaching such a method could execute arbitrary SpEL expressions on the server.

Code Injection Java Spring Data Mongodb
NVD HeroDevs
CVSS 3.1
8.1
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy