Skip to main content
CVE-2025-66281 MEDIUM PATCH This Month

NULL pointer dereference in QNAP QTS and QuTS hero NAS operating systems allows remote unauthenticated attackers to crash a network-facing service and cause a denial-of-service condition without any authentication or user interaction. Multiple active OS branches are affected - QTS 5.2.x and QuTS hero h5.2.x through h6.0.x - across a device population that is historically internet-exposed and frequently targeted. No public exploit has been identified and this vulnerability is not listed in CISA KEV, but the zero-authentication, network-accessible attack surface makes DoS attempts trivially repeatable against unpatched devices.

Denial Of Service Null Pointer Dereference Qnap Qts Quts Hero
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-29115 MEDIUM This Month

Denial of service in Dahua IPC and SD (Speed Dome) camera devices allows an authenticated remote attacker to trigger an unexpected system reboot by sending a specially crafted network packet. The vulnerability is vendor-reported under advisory DHCC-SA-202606-001 and affects specific IPC and SD models with firmware built before March 26, 2026. No public exploit code has been identified at time of analysis, and the attack requires high-privilege authentication (PR:H), materially limiting the realistic attacker population.

Denial Of Service Dahua
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-62851 MEDIUM PATCH This Month

Path traversal in QNAP License Center (versions 1.9.0 through 1.9.55) permits a high-privileged attacker with an administrator account to read arbitrary files or system data outside the intended directory scope. The CVSS 4.0 vector (AV:N/PR:H) indicates network-reachable exploitation contingent on first obtaining administrative credentials. No public exploit code or active exploitation has been identified at time of analysis; a vendor-released patch is available in version 1.9.56.

Path Traversal License Center
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-10740 MEDIUM PATCH This Month

Unbounded memory allocation in the CRYPTO frame reassembler of AWS s2n-quic (all versions before v1.82.0) enables unauthenticated remote actors to degrade service availability by sending crafted QUIC Initial packets. Because QUIC Initial packets are processed prior to handshake completion, no session establishment or authentication is required to trigger the condition. No public exploit code or active exploitation has been identified at time of analysis, but the low-complexity, zero-authentication attack path makes this straightforwardly reachable on any exposed s2n-quic endpoint.

Denial Of Service S2N Quic
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-49760 MEDIUM PATCH This Month

Stack-based buffer overflow in Erlang OTP's erl_interface C library (`ei_s_print_term`) crashes processes when decoding Erlang terms containing very large integers, causing Denial of Service. Affected OTP releases span from 17.0 through unfixed branches of 27.x, 28.x, and 29.x, making this a wide-ranging availability risk for C-language nodes that interface with the Erlang runtime. Because overflow bytes are constrained exclusively to ASCII hex digits (0-9, A-F), arbitrary code execution is not feasible - confirmed impact is process crash only. No public exploit has been identified and this CVE is not listed in the CISA KEV catalog.

Denial Of Service Buffer Overflow Stack Overflow Otp Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-49496 MEDIUM PATCH This Month

Heap-use-after-free in Ghidra's SLEIGH disassembler engine allows an attacker to cause memory corruption or application crash by supplying a crafted binary for decompilation. All Ghidra releases prior to 12.1 are affected, as is any downstream application consuming the SLEIGH library via the public Sleigh::oneInstruction C++ API. The CVSS v4.0 score of 6.9 reflects a high availability impact (VA:H) with low integrity impact (VI:L) and no confidentiality impact; no public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Use After Free Buffer Overflow Memory Corruption Ghidra
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-53693 MEDIUM PATCH This Month

Stored cross-site scripting in MISP BSimVis through v0.2.0 allows network-accessible attackers who can create or influence tag names, collection names, entity identifiers, cluster names, or tag metadata to inject malicious payloads that execute in victims' browsers. The vulnerability spans multiple client-side rendering paths in tags.js, where user-controlled values were interpolated raw into innerHTML, HTML attributes, inline JavaScript event handlers, and CSS style values - covering tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards. No public exploit has been identified at time of analysis; the issue was reported and patched by CIRCL, the primary MISP development organization.

XSS Bsimvis
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-52753 MEDIUM PATCH This Month

Uncontrolled memory allocation in Ghidra's rust_demangle function (versions before 12.0.3) allows a denial-of-service condition when a user analyzes a specially crafted binary containing malicious Rust symbol names. The affected function allocates output buffers without enforcing size limits, enabling exponential memory growth that crashes the Ghidra process. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the practical attack surface is real for teams that routinely analyze untrusted Rust binaries.

Denial Of Service Ghidra
NVD GitHub
CVSS 4.0
6.7
EPSS
0.0%
CVE-2026-49495 MEDIUM PATCH This Month

Uncontrolled resource consumption in Ghidra's Mach-O binary parser (versions 10.2 through pre-12.1) allows a crafted binary to crash the entire JVM and destroy all unsaved analyst work. The ExportTrie.parseTrie() method lacks cycle detection when walking export trie structures, so a malicious Mach-O binary embedding circular trie references triggers unbounded queue growth and exponential string concatenation until an OutOfMemoryError terminates the JVM process. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the risk is materially elevated in adversarial research contexts where analysts routinely open untrusted binaries - exactly the workflow Ghidra is designed for.

Denial Of Service Ghidra
NVD GitHub
CVSS 4.0
6.7
EPSS
0.0%
CVE-2026-52759 MEDIUM PATCH This Month

Uncontrolled heap memory allocation in Ghidra's Mach-O binary parser (versions before 12.1.1) allows denial of service by crashing the Ghidra JVM. The parser reads the `ncmds` load command count field directly from a Mach-O file header and uses it to drive heap allocation without cross-validating it against the actual file size, enabling a crafted binary to exhaust JVM memory. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, though the attack primitive is straightforward to reproduce from the description.

Denial Of Service Ghidra
NVD GitHub
CVSS 4.0
6.7
EPSS
0.0%
CVE-2026-48107 MEDIUM PATCH GHSA This Month

Denial of service in Russh (versions 0.37.0-0.60.x), a Rust SSH client and server library, allows a malicious SSH server to crash connecting clients by exploiting improper input validation in the keyboard-interactive authentication path. The server supplies an attacker-controlled prompt count in a USERAUTH_INFO_REQUEST message, which the client passes directly to Vec::with_capacity() before verifying the packet contains the claimed number of prompts - resulting in a panic or out-of-memory condition that terminates the client process. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Russh
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-41727 MEDIUM PATCH This Month

Improper input validation in Spring for Apache Kafka's non-blocking retry topic infrastructure allows an authenticated network producer to disrupt message processing availability across multiple major version lines. By injecting a crafted `retry_topic-attempts` header with an out-of-range integer value, an attacker causes the retry topic router to misidentify the message's position in the retry sequence, producing high availability impact (A:H per CVSS). Affected deployments span Spring for Apache Kafka 2.8.x through 4.0.x. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Information Disclosure Apache Java Spring For Apache Kafka
NVD HeroDevs VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-41726 MEDIUM PATCH This Month

Unbounded heap growth in Spring for Apache Kafka's DelegatingDeserializer allows an authenticated network producer to trigger a Denial of Service against any consumer application that opts into this deserializer. By flooding the consumer with Kafka records carrying unique, randomized spring.kafka.serialization.selector header values, an attacker forces unbounded cache growth on the consumer's JVM heap, ultimately inducing GC thrash and OutOfMemoryError. No public exploit identified at time of analysis, and this is not listed in the CISA KEV catalog, but the low-complexity, network-accessible attack surface warrants prompt remediation for affected deployments.

Denial Of Service Apache Java
NVD HeroDevs VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-50639 MEDIUM PATCH This Month

Metric injection via unsanitized newline characters affects Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl, allowing unauthenticated remote attackers to forge or corrupt statsd telemetry streams. The root cause is the _labels function's failure to strip or reject newlines and statsd control characters from tag label values before they are encoded into statsd UDP packets. Because statsd and dogstatsd protocols use newlines as metric delimiters, an attacker who can influence any label value flowing into the adapter can cause the server to parse additional attacker-controlled metrics. No public exploit has been identified at time of analysis, but SSVC rates the flaw as automatable with partial technical impact.

Code Injection Metrics
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11884 MEDIUM This Month

Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replication supplier to crash the server or corrupt heap memory by creating objectclass definitions with excessively long SUP (oc_superior) values. The flaw exists in schema serialization functions where the SUP field length is excluded from buffer size calculations yet still written via strcat(), producing an off-by-N heap overwrite. This is explicitly an incomplete fix variant of CVE-2025-14905, meaning organizations that patched that prior CVE may remain exposed if the SUP field code path was not remediated; no public exploit has been identified at time of analysis.

Heap Overflow Buffer Overflow Red Hat Directory Server 11 Red Hat Directory Server 12 Red Hat Directory Server 13 +5
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-46540 MEDIUM This Month

Incomplete macro-block state synchronization in Nimiq core-rs-albatross LightBlockchain allows a network-accessible attacker to permanently stall a light client's chain progression by triggering a rebranch to a fork whose tip is a macro (checkpoint or election) block. Affected are all deployments of the Rust Albatross light client prior to v1.4.0. When exploitation targets an election block specifically, the stale current_validators pointer causes every subsequent push() call to fail verify_validators(), rendering the light client unable to advance its chain. No public exploit identified at time of analysis, though the exact fix is visible in merged PR #3706 and the triggering conditions are fully described in the advisory.

Information Disclosure Checkpoint
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-53474 MEDIUM This Month

SQL injection in Red Hat's kubev2v migration-planner allows a remote authenticated attacker to upload a crafted RVTools .xlsx file whose cluster-name cells are interpolated unsanitized into DuckDB queries, enabling arbitrary file reads on the host. Because the tool runs as a SaaS migration assessment service, leaked Kubernetes service account tokens or other credentials can pivot to full environment compromise. No public exploit identified at time of analysis, but an upstream fix is available via PR #1231.

SQLi Kubernetes Migration Assessment
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45329 MEDIUM This Month

Information disclosure in Espressif ESP-IDF 5.5.4 and 6.0 allows local code in the Rich Execution Environment (REE) to leak TEE-protected memory by passing crafted pointer arguments to ESP-TEE secure-service wrappers. Because TEE hardware peripherals (ECC, SHA, SPI) run in RISC-V M-mode with full address-space access, attackers can coerce them to read from TEE-exclusive memory and return raw bytes, computed functions, or single-bit oracles enabling incremental disclosure of sensitive material. No public exploit identified at time of analysis; vendor-released patches exist in 5.5.5 and 6.0.1.

Information Disclosure Oracle
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11853 MEDIUM PATCH This Month

Arbitrary symlink creation in Debusine's mergeuploads task allows remote unauthenticated attackers to overwrite files accessible to the worker process. Affected versions 0.12.0 through 0.14.8 fail to sanitize fully user-controlled paths embedded in Debian manifest files (.dsc and .changes), enabling path traversal via CWE-59 link-following. Despite a CVSS network-accessible, no-auth vector, real-world risk is bounded by deployment context - exploitation requires the ability to submit packages to a Debusine instance. No public exploit identified at time of analysis and EPSS sits at 0.02% (4th percentile).

Information Disclosure Debian
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45160 MEDIUM This Month

Out-of-bounds read in ESP-IDF's embedded DHCP server crashes or exposes heap memory on ESP32 devices operating in SoftAP or DHCP server mode. The `parse_options()` function in the bundled lwIP DHCP server component walks BOOTP/DHCP option TLV fields without validating that each option's declared length stays within the received packet buffer, allowing an adjacent-network unauthenticated attacker to trigger a device crash by sending a single crafted DHCP request. Five active release branches are affected (5.2.x through 6.0.x); vendor-released patches are available across all branches. No public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Buffer Overflow Esp Idf
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47155 MEDIUM PATCH GHSA This Month

Artifact pin decay in vLLM (< 0.22.0) allows pinned model deployments to silently load secondary artifacts - dynamic code modules, GGUF files, image processors, retrieval side weights, and same-repository subfolder configs - from unpinned or default HuggingFace Hub revisions, undermining supply-chain integrity guarantees. Operators who supply `--revision` or `--code-revision` to audit and lock a specific model version can unknowingly serve behavior-affecting components that fall outside the reviewed artifact set. No public exploit code has been identified at time of analysis, but seven discrete affected code paths across vllm's model loader and registry subsystems have been confirmed at commit 3795d7acf431980e62e738493f437ae2a51549da, with a fix released in vLLM 0.22.0 via PR #42616.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11852 MEDIUM PATCH This Month

Missing authorization controls on Debusine's artifact relationship endpoints allow remote actors to create and delete artifact relationships without holding the necessary write permissions, affecting all versions from 0.2.0 through 0.14.5. The only implicit gatekeeping was visibility of the referenced artifacts - not modification rights - a CWE-862 (Missing Authorization) flaw that exposes both data integrity and limited confidentiality of build artifact metadata. No public exploit code exists and EPSS places exploitation probability at 0.01% (3rd percentile), reflecting the tool's niche deployment scope within Debian build infrastructure; the vulnerability is not confirmed actively exploited (CISA KEV).

Authentication Bypass Debian
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45561 MEDIUM This Month

{version,uptime,status,checks}/<server_ip>` route family passes the Flask URL path parameter directly into a Python `requests.get()` call without any allowlist or blocklist validation, making IPv4 literals such as 169.254.169.254, RFC1918 ranges, and 127.0.0.1 all valid targets. No publicly available patches exist at time of analysis, and no public exploit code or CISA KEV listing has been identified.

Python Nginx SSRF Apache
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-53698 MEDIUM This Month

Absolute path traversal (CWE-36) in Silverpeas through 6.4.6 allows authenticated remote users to read arbitrary files from the server filesystem by exploiting the 'Personal space' fallback path in the FileServer servlet, activated when no componentId parameter is supplied. The CVSS vector confirms network-reachable, low-complexity exploitation requiring only low-privilege credentials, with high confidentiality impact and no integrity or availability loss. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Silverpeas
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-41719 MEDIUM PATCH This Month

SpEL (Spring Expression Language) injection in Spring Data KeyValue and Spring Data Redis allows a network-accessible, low-privileged attacker to execute arbitrary SpEL expressions when applications pass unsanitized user-controlled Sort parameters directly to repository query methods delegating to SpelPropertyComparator. Affected versions span eight major release lines from 2.7.x through 4.0.x, making the exposure surface broad across Spring-based Java ecosystems. No public exploit identified at time of analysis and no CISA KEV listing, but the high confidentiality impact rating and network attack vector warrant prompt patching for any application that surfaces Sort query parameters to end users.

Code Injection Java Redis
NVD HeroDevs
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8613 MEDIUM This Month

Stored Cross-Site Scripting in the aThemes Addons for Elementor WordPress plugin (versions up to and including 1.1.8) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'title_tag' widget setting in the Posts Timeline and Posts Carousel widgets. The injected payload executes in the browsers of any user who subsequently visits the compromised page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing has been identified at time of analysis, though the contributor-level authentication barrier is low in multi-author WordPress deployments.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9019 MEDIUM This Month

Stored Cross-Site Scripting in the Easy Image Collage WordPress plugin (all versions through 1.13.6) allows authenticated attackers with author-level access to permanently inject arbitrary JavaScript into pages via the `grid[properties][borderColor]` and `grid[images][N][attachment_url]` parameters, which executes in victims' browsers upon page load. The critical aggravating factor is that payloads are persisted via WordPress's `update_post_meta()` API rather than through post content, which deliberately sidesteps the `unfiltered_html` capability check that normally prevents lower-privilege users from injecting raw HTML - meaning site administrators cannot block this attack path through standard WordPress role controls alone. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low privilege requirement and well-documented bypass of WordPress hardening make this a credible threat on multi-author sites.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-8444 MEDIUM This Month

DOM-Based Stored Cross-Site Scripting in the Animation Addons for Elementor WordPress plugin (all versions up to and including 2.6.7) allows authenticated attackers holding Contributor-level access or higher to inject persistent malicious scripts through multiple unsanitized plugin parameters. The injected payload executes in the browsers of any user who subsequently loads an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and the plugin is not listed in the CISA KEV catalog, but the Changed scope (S:C) in the CVSS vector elevates real-world impact beyond the 6.4 score suggests for multi-author WordPress deployments.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-48859 MEDIUM PATCH This Month

Username enumeration via timing side-channel in Erlang/OTP SSH daemon (OTP 29.0-29.0.1) allows unauthenticated remote attackers to distinguish valid from invalid usernames in a single probe. When the daemon is configured with the `user_passwords` or `password` options, valid usernames trigger a 600,000-iteration PBKDF2-SHA256 computation (~300ms) while invalid usernames return near-instantly (~0ms) through an early-exit path - a gap detectable without repeated attempts. No public exploit has been identified at time of analysis, and exploitation is constrained to non-default, test-oriented configurations.

Information Disclosure Otp
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-52756 MEDIUM PATCH This Month

Path traversal in Ghidra's IsfServer component (all versions before 12.2) allows remote unauthenticated attackers to enumerate filesystem paths and probe arbitrary files by connecting to TCP port 54321 and sending crafted protobuf messages. The root cause is unsanitized client-supplied namespace strings passed directly to filesystem operations, a CWE-22 defect. Given Ghidra's deployment context - security research, malware analysis, and reverse engineering of sensitive artifacts, often in high-value government and defense environments - successful exploitation could expose directory structures and sensitive file metadata on the analyst's workstation. No public exploit code has been identified and this vulnerability is not in CISA KEV at time of analysis.

Path Traversal Ghidra
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-48858 MEDIUM PATCH This Month

SSRF and FTP bounce attacks are enabled in Erlang/OTP's ftp_internal module because the PASV handler blindly trusts the IP address returned in a server's 227 response, connecting the data channel to an attacker-controlled internal target without validating it against the control connection's actual peer address. All Erlang applications using the ftp client in its default passive IPv4 mode (ipfamily=inet, ftp_extension=false) across OTP 17.4 through pre-29.0.2 are affected, spanning both the legacy inets-bundled module and the standalone ftp application. No active exploitation has been confirmed (not in CISA KEV), but a functional proof-of-concept demonstrating the redirect attack is publicly embedded in the upstream fix commit, significantly lowering the exploitation barrier.

SSRF Otp Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-24719 MEDIUM PATCH This Month

Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows an attacker who already holds an administrator account to execute arbitrary OS commands on the appliance. The flaw carries a CVSS 4.0 score of 8.6, but the PR:H requirement substantially narrows the attacker population; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. QNAP has shipped fixed builds (QTS 5.2.9.3492 build 20260507 and QuTS hero h5.2.9.3499 build 20260514).

Qnap Command Injection Qts Quts Hero
NVD VulDB
CVSS 4.0
6.1
EPSS
0.5%
CVE-2026-53465 MEDIUM PATCH GHSA This Month

Heap-based buffer over-write in ImageMagick's SF3 encoder prior to version 7.1.2-25 allows an attacker who can supply a crafted multi-frame image to corrupt heap memory, yielding high availability impact and potential integrity exposure. All ImageMagick installations before 7.1.2-25 are affected regardless of platform. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV; however, CWE-122 write primitives carry inherent escalation risk beyond the scored DoS impact depending on heap layout at time of trigger.

Heap Overflow Buffer Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-0273 MEDIUM PATCH This Month

Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrictions and execute arbitrary OS commands as root via the CLI or Web UI. Affected deployments include PA-Series and VM-Series firewalls and Panorama (virtual and M-Series); Cloud NGFW and Prisma Access are explicitly excluded per the vendor advisory. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.1 accurately reflects the significant mitigating factor of requiring high-privilege administrative access before exploitation is possible.

Command Injection Paloalto Cloud Ngfw Pan Os Prisma Access
NVD VulDB
CVSS 4.0
6.1
EPSS
0.3%
CVE-2026-46642 MEDIUM PATCH This Month

Stored cross-site scripting in draw.io prior to version 29.7.12 allows arbitrary JavaScript execution in the editor's origin when a victim opens a crafted .drawio file. The flaw bypasses the existing label sanitizer entirely because it resides in a separate, unsanitized code path - the Text Format panel's feature-detection routine - which assigns raw cell label content directly to a detached DOM element's innerHTML. Exploitation is automatic upon file import since draw.io selects cells programmatically during that process, requiring no additional user interaction beyond opening the file. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS Drawio
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41706 MEDIUM PATCH This Month

Open redirect in Spring Security's cookie-based saved-request components allows remote unauthenticated attackers to redirect authenticated users to arbitrary external URLs immediately after a successful login. The CookieRequestCache (servlet stack) and CookieServerRequestCache (reactive/WebFlux stack) store the full pre-authentication URL in a browser cookie and use it without origin validation as the post-login Location target, making this exploitable via a socially engineered link. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the S:C scope change and PR:N attack profile make this a meaningful phishing enabler in any Spring Security deployment using cookie-backed saved requests.

Open Redirect Java Spring Security
NVD HeroDevs VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41008 MEDIUM PATCH This Month

Spring Authorization Server's authorization endpoint fails to adequately validate the OAuth2/OIDC `request_uri` parameter, enabling unauthenticated remote attackers to craft authorization requests that bypass redirect URI validation entirely. Affected deployments running Spring Authorization Server 1.5.0-1.5.7 or Spring Security 7.0.0-7.0.5 can be exploited to redirect authenticated users to attacker-controlled destinations, a particularly elevated risk given that victims inherently trust the authorization server's domain during OAuth login flows. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Open Redirect Java Spring Authorization Server Spring Security
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45384 MEDIUM PATCH This Month

Arbitrary file overwrite in bit7z prior to version 4.0.12 is possible through a symlink attack targeting the predictable temporary file (`<archive_path>.tmp`) created during archive update operations. An attacker with write access to the archive directory can pre-place a symlink at that path pointing to a sensitive target file; when a process subsequently calls bit7z to update an archive, the library follows the symlink and overwrites the target with archive data. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though its low-complexity prerequisites on POSIX systems make it a meaningful risk in shared-directory or multi-tenant environments.

Information Disclosure Bit7z
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45566 MEDIUM This Month

Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authenticated users to attacker-controlled domains by exploiting a bypass in the login flow's URL filter. The filter blocks `next` parameter values containing `http://` or `https://` substrings but does not account for RFC-3986 userinfo@host syntax; submitting `next=@evil.example/path` causes the server to construct `https://victim.example@evil.example/path`, which modern browsers route to `evil.example`. No public exploit code has been identified at time of analysis, no patch is available, and this vulnerability is not listed in CISA KEV.

Nginx Open Redirect Apache
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45560 MEDIUM This Month

Stored cross-site scripting in Roxy-WI 8.2.6.4 and prior allows any unauthenticated remote attacker who can send HTTP requests to a managed HAProxy or Nginx load balancer to inject malicious payloads into server access logs, which then execute in the browser of any Roxy-WI administrator who opens the log viewer. The vulnerability stems from unsanitized HTML concatenation in the Python backend combined with unsafe jQuery .html()/.append() rendering on the frontend - a classic stored XSS with a changed scope (S:C) because the attacker's input, written via the load balancer, achieves code execution in the privileged admin web UI context. No publicly available patches exist at time of analysis; no public exploit code or CISA KEV listing has been identified.

XSS Nginx Apache
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0272 MEDIUM PATCH This Month

Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an authenticated CLI administrator to perform operations at the root OS level, bypassing intended privilege boundaries through a missing authorization control (CWE-862). The risk is substantially gated by the requirement for existing administrative CLI access (CVSS PR:H), making insider threats and compromised admin credentials the primary real-world attack paths. No public exploits or confirmed active exploitation have been identified at time of analysis, and the vendor's own E:U supplemental metric reinforces the low exploitation urgency - though root-level OS access to a firewall represents a severe impact if the prerequisite is met.

Privilege Escalation Authentication Bypass Paloalto Cloud Ngfw Pan Os +1
NVD VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-41721 MEDIUM PATCH This Month

Uncontrolled resource consumption in Spring Data Commons exposes applications to a remote Denial of Service condition when two specific features are active simultaneously. An unauthenticated remote attacker can send a specially crafted HTTP request to any endpoint backed by a @ProjectedPayload-annotated controller method, triggering unbounded memory allocation that exhausts the JVM heap and crashes the application. The vulnerability spans eight major release lines (2.7.x through 4.0.x), making the potential blast radius broad across Spring-based Java backends. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS attack complexity rating of High reflects non-trivial preconditions that meaningfully limit opportunistic exploitation.

Denial Of Service Java Spring Data Commons
NVD HeroDevs
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-41711 MEDIUM PATCH This Month

Denial of Service in Spring Data Commons affects applications that parse Sort parameters, triggering a StackOverflowException via crafted input. All major supported and legacy branches from 2.7.x through 4.0.x are affected, making the blast radius exceptionally broad across the Spring ecosystem. CVSS rates this Medium (5.9) with a high attack complexity qualifier (AC:H), unauthenticated network access (PR:N), and full availability impact (A:H); no active exploitation is confirmed and no public exploit code has been identified at time of analysis.

Denial Of Service Java Spring Data Commons
NVD HeroDevs VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-53462 MEDIUM POC PATCH GHSA This Month

Heap-use-after-free in ImageMagick's CheckPrimitiveExtent function allows remote attackers to crash the image processing service by supplying crafted input that triggers a memory allocation failure, resulting in a denial-of-service condition. Affected are all releases of the 6.x branch prior to 6.9.13-50 and all 7.x releases prior to 7.1.2-25. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the network-accessible attack vector is relevant wherever ImageMagick processes untrusted images (e.g., web upload pipelines, CI/CD asset processors).

Use After Free Memory Corruption Denial Of Service Imagemagick Red Hat +1
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-40991 MEDIUM PATCH This Month

XXE injection in Spring REST Docs exposes developer machines and CI runners to file disclosure when documentation-generating tests process responses from a remote API. Versions 4.0.0, 3.0.0-3.0.5, and 2.0.0.RELEASE-2.0.8.RELEASE of the spring-restdocs-webtestclient and spring-restdocs-restassured modules fail to disable XML external entity processing, allowing an attacker who controls the documented API endpoint to serve a malicious XML response. No confirmed active exploitation exists (not in CISA KEV), and no public exploit has been identified at time of analysis; however, the High confidentiality impact against developer and CI environments warrants prompt patching.

XXE Java
NVD HeroDevs VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-41696 MEDIUM PATCH This Month

Regex parameter binding in Spring Data MongoDB's @Query annotation fails to sufficiently quote user-supplied strings, enabling NoSQL injection that can manipulate query semantics. Unauthenticated remote attackers (PR:N, AV:N) who can influence the bound parameter in applications using this pattern may break out of the intended regular expression context to retrieve unintended documents, resulting in high-impact confidentiality compromise. No confirmed active exploitation or public exploit code has been identified at time of analysis; the CVSS Attack Complexity of High reflects a dependency on a specific application-level coding pattern.

Nosql Injection Information Disclosure Java Spring Data Mongodb
NVD VulDB HeroDevs
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-50127 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in Weblate's VCS_RESTRICT_PRIVATE control (versions 5.15 through pre-2026.6) allows bypassing of outbound request restrictions via IPv6 transition address encoding techniques. By supplying a hostname whose DNS AAAA record resolves to a NAT64-wrapped, 6to4-wrapped, or IPv4-compatible IPv6 address that encodes a private IPv4 endpoint, an attacker causes Weblate's validator to pass the address as globally routable while the host kernel routes the packet to the embedded private IPv4 target. The vulnerability carries High confidentiality impact (CVSS 5.9, AV:N/AC:H) because SSRF can expose internal services such as cloud IMDS credential endpoints; no public exploit or CISA KEV listing has been identified at time of analysis.

SSRF Weblate Suse
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-0271 MEDIUM PATCH This Month

Privilege escalation in Palo Alto Networks Prisma Access Agent on Linux allows a locally authenticated low-privileged user to execute arbitrary code with elevated privileges, achieving full confidentiality, integrity, and availability compromise of the affected system. The vulnerability is rooted in CWE-732 (Incorrect Permission Assignment for Critical Resource) and is strictly scoped to Linux deployments - the Windows, macOS, iOS, Android, and ChromeOS agent variants are confirmed unaffected by the vendor. No public exploit code has been identified at time of analysis, and the CVSS 4.0 supplemental metric E:U (Exploitation Unlikely) further tempers immediate mass-exploitation risk, though the complete local system impact warrants timely patching for multi-user Linux environments.

Microsoft Apple Paloalto Privilege Escalation Google +1
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-48061 MEDIUM PATCH GHSA This Month

Host validation bypass in Litestar's AllowedHostsMiddleware allows unauthenticated remote attackers to circumvent the allowed-hosts allowlist by omitting the HTTP Host header and substituting a client-controlled X-Forwarded-Host header set to any whitelisted domain. Affected are all Litestar deployments (pip/litestar < 2.22.0) using AllowedHostsConfig that are reachable without a trusted reverse proxy stripping X-Forwarded-Host - a condition reflected in the CVSS AC:H rating. Publicly available exploit code exists demonstrating the bypass; no CISA KEV listing at time of analysis.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-20257 MEDIUM PATCH This Month

Classic dashboard style attribute injection in Splunk Enterprise and Splunk Cloud Platform enables a low-privileged authenticated user to craft panels that bypass the Trusted Domains List and exfiltrate sensitive data from a higher-privileged user's browser session. Affected branches span Splunk Enterprise below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and multiple Splunk Cloud Platform release trains. No public exploit has been identified at time of analysis, and SSVC rates current exploitation as none with partial technical impact, though the high confidentiality impact potential warrants prompt patching in environments where low-privileged users can share dashboards with administrators.

Information Disclosure Splunk Splunk Enterprise Splunk Cloud Platform
NVD
CVSS 3.1
5.7
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy