Skip to main content
CVE-2026-35273 CRITICAL POC KEV THREAT NEWS Emergency

Remote takeover of Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 is possible through the Updates Environment Management component via unauthenticated HTTP requests. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network-based exploitation against any internet- or intranet-exposed instance, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but Oracle's 'easily exploitable' language and the unauthenticated nature make this a high-priority patching target.

Oracle Authentication Bypass Peoplesoft Enterprise Peopletools
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.0%
Threat
5.0
CVE-2026-42647 CRITICAL POC Act Now

Blind SQL injection in Beardev JoomSport (WordPress plugin) through version 5.7.7 allows remote unauthenticated attackers to inject crafted SQL into backend database queries. The CVSS 9.3 score reflects a scope-changed impact with high confidentiality exposure and partial availability impact, and no public exploit has been identified at time of analysis though Patchstack has catalogued the issue.

SQLi Joomsport
NVD GitHub
CVSS 3.1
9.3
EPSS
5.2%
CVE-2026-48039 CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API access token from pipeboard-co/meta-ads-mcp through version 1.0.108 when the server is run with the streamable-HTTP transport on a network-reachable port. The AuthInjectionMiddleware silently forwards requests lacking an Authorization or X-PIPEBOARD-API-TOKEN header, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and Graph API error responses echo the request URL - including the token query parameter - back to the caller. A working proof-of-concept is published in GHSA-9gw6-46qc-99vr; no public exploit identified at time of analysis as a separate weaponized tool, but the PoC is sufficient to reproduce end-to-end.

Python Authentication Bypass Information Disclosure Docker
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-8589 HIGH POC PATCH NEWS This Week

Stored cross-site scripting and account integrity abuse in GitLab Enterprise Edition versions 13.1.4 through 18.10.7, 18.11 prior to 18.11.5, and 19.0 prior to 19.0.2 allows an authenticated low-privileged user to inject unsanitized input into certain group setting fields and add unauthorized email addresses to a targeted user's account. Publicly available exploit code exists via a HackerOne report, though EPSS exploitation probability remains very low at 0.02% and the SSVC framework rates current exploitation as 'none' with total technical impact when successful.

Gitlab XSS
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-10087 HIGH POC PATCH NEWS This Week

Stored cross-site scripting in GitLab Enterprise Edition's Analytics Dashboard allows an authenticated developer-role user to execute arbitrary client-side JavaScript in the browser of a targeted user, leveraging improper input sanitization. The flaw affects all 17.1 through 18.10.x, 18.11.x, and 19.0.x branches before fixed releases, and publicly available exploit code exists via a HackerOne report, raising the realistic risk of opportunistic abuse against multi-tenant GitLab instances.

Gitlab XSS
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-6552 HIGH POC PATCH NEWS This Week

Account takeover in GitLab Enterprise Edition versions 15.5 through 19.0.2 allows an authenticated group Owner to hijack other group members' accounts through improper authorization in the Group SAML identity management functionality. Publicly available exploit code exists via a HackerOne report, and GitLab released patched versions 18.10.8, 18.11.5, and 19.0.2 on 2026-06-10. The flaw stems from CWE-639 (Authorization Bypass Through User-Controlled Key) and yields a scope-changing high-impact compromise per CVSS 3.1.

Gitlab Authentication Bypass
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-10795 HIGH POC This Week

Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticated attackers to forge RPC commands as the connected administrator by bypassing signature verification in the UpdraftPlus_Remote_Communications_V2::wp_loaded handler. A flaw in how unchecked decryption return values are handled collapses the encryption key to an all-zero value, enabling arbitrary plugin upload and activation. No public exploit identified at time of analysis, but the plugin's massive WordPress install base and trivial post-bypass impact make this a high-priority patch.

Jwt Attack Authentication Bypass WordPress RCE
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-48020 HIGH POC PATCH GHSA This Week

Route-level authentication bypass in Traefik's StripPrefix middleware allows unauthenticated remote attackers to reach protected backend endpoints (e.g., /admin, /internal/config) by crafting request paths such as /api../admin or /api%2e%2e/admin. The public router matches before path normalization, but StripPrefix subsequently normalizes the path via JoinPath() so the backend receives the protected path without the authentication middleware ever running. Publicly available exploit code exists (full PoC in the advisory), patches are released, and EPSS sits at 0.22% (45th percentile) with no CISA KEV listing.

Python Authentication Bypass Docker
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.2%
CVE-2026-7250 HIGH POC PATCH NEWS This Week

Denial of service in GitLab CE/EE versions 12.10 through 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 allows unauthenticated remote attackers to crash or degrade the API request parsing middleware via malformed input. Publicly available exploit code exists (HackerOne report 3671995), and the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/A:H) reflects trivially-reachable, no-auth exploitation against any internet-exposed GitLab instance. No CISA KEV listing at time of analysis.

Gitlab Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1500 MEDIUM POC PATCH This Month

Uncontrolled resource consumption in GitLab CE/EE's file upload processing pipeline enables any authenticated user to trigger denial of service by submitting a specially crafted file. All self-managed GitLab instances running versions from 17.10 up through the patched releases (18.10.8, 18.11.5, 19.0.2) are affected across both Community and Enterprise Editions. A publicly available exploit exists on HackerOne (report #3517331), though no active exploitation has been confirmed by CISA KEV.

Gitlab File Upload Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-50245 HIGH CISA Act Now

Unauthenticated snapshot disclosure in Brickcom Cube, Dome, Bullet, and Box IP cameras lets anyone reachable on the camera's /ONVIF endpoint retrieve still images from the live video feed without credentials. The flaw, reported through CISA ICS-CERT (ICSA-26-162-03) and tagged as an authentication bypass, is a classic CWE-306 missing-authentication issue affecting devices typically deployed in physical-security and OT environments. No public exploit identified at time of analysis, but exploitation is trivial once the endpoint is reachable.

Authentication Bypass Cube Dome Bullet Box
NVD GitHub
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-50005 HIGH CISA Act Now

Unauthorized camera feed access affects Brickcom Cube, Dome, Bullet, and Box IP camera product lines due to factory-shipped default credentials (CWE-1392). Any attacker reaching the camera's management interface can authenticate using the known default account and silently view live video, with no public exploit identified at time of analysis though the trivial nature of the issue means weaponization requires no specialized tooling. CISA ICS-CERT issued advisory ICSA-26-162-03 covering the issue.

Information Disclosure Cube Dome Bullet Box
NVD GitHub
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-11839 CRITICAL Act Now

Remote code execution in Başarsoft Rotaban versions V2026.06.002 through V2026.06.003 (exclusive) allows authenticated attackers to upload arbitrary files including web shells, leading to full server compromise. The flaw stems from missing validation of uploaded file types (CWE-434) and was reported by TR-CERT; no public exploit identified at time of analysis, but the CVSS 9.9 score and scope-change indicator make this a high-priority patch target for any Rotaban deployment.

File Upload Rotaban
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-41699 CRITICAL PATCH Act Now

Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated attackers to trigger unsafe deserialization by sending crafted paginated GraphQL queries against Connection-type fields. Exploitation requires that the application expose a paginated (Connection) field and that the classpath contains gadget classes leveraged during deserialization. No public exploit identified at time of analysis; EPSS sits at 0.34% (57th percentile) and the issue is not in CISA KEV, but a vendor patch is available.

Deserialization Java RCE Spring For Graphql
NVD VulDB HeroDevs
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-42846 CRITICAL Act Now

Remote command injection in ClipBucket v5 prior to version 5.5.3 - #140 allows authenticated users to execute arbitrary OS commands by submitting a crafted URL through the Remote Play video import feature. The URL is concatenated unescaped into shell commands, so any metacharacter is interpreted by the shell, yielding code execution as the web server user. No public exploit identified at time of analysis, but the vendor-confirmed advisory and trivial exploitation pattern make this a high-priority issue for any internet-exposed deployment.

Command Injection Clipbucket V5
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-45060 CRITICAL Act Now

Unauthenticated blind SQL injection in ClipBucket v5 prior to version 5.5.3 - #129 allows remote attackers to exfiltrate arbitrary database contents via the ids parameter of the actions/progress_video.php endpoint. The flaw carries a critical CVSS 9.8 score and no public exploit identified at time of analysis, but the trivial network-reachable attack surface on a public-facing video sharing platform makes opportunistic scanning likely. Vendor patch is available in 5.5.3 - #129 per the GHSA advisory.

PHP SQLi Information Disclosure Clipbucket V5
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-49261 CRITICAL PATCH NEWS Act Now

OS command injection in MariaDB Server (CWE-78) lets an attacker achieve remote code execution on Galera cluster nodes by embedding shell metacharacters in a joiner node's name, which the server passes unsanitized to the script defined in wsrep_notify_cmd. Affected branches are 10.6.1–10.6.26, 10.11.1–10.11.17, 11.4.1–11.4.11, 11.8.1–11.8.7, and 12.3.1, but only when wsrep_notify_cmd is configured. It carries a vendor CVSS of 9.8; however EPSS is very low (0.05%, 15th percentile) and SSVC marks exploitation as 'none', so there is no public exploit identified at time of analysis and it is not on CISA KEV.

Command Injection Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-49060 CRITICAL Act Now

Privilege escalation in the Hippoo Mobile App for WooCommerce WordPress plugin (versions up to and including 1.9.4) allows remote unauthenticated attackers to elevate privileges on affected sites due to incorrect privilege assignment (CWE-266). With a CVSS 3.1 score of 9.8 and Patchstack-reported network-exploitable characteristics, this issue can lead to full compromise of WooCommerce-backed WordPress stores; no public exploit identified at time of analysis.

Privilege Escalation WordPress Hippoo Mobile App For Woocommerce
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-50628 CRITICAL PATCH Act Now

Authentication bypass in Apache CXF's OAuthRequestFilter affects versions prior to 4.1.7 and 4.2.0-4.2.1, where an inverted IP-binding check rejects requests from the configured bound IP and permits requests from every other source address. The flaw turns an intended IP allowlist into an implicit deny-list of one, enabling remote unauthenticated attackers to reach protected OAuth endpoints from arbitrary networks. EPSS is low (0.04%) and no public exploit identified at time of analysis, but the trivial nature of the logic inversion makes exploitation straightforward once the misbehaving filter is enabled.

Information Disclosure Cxf
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-49875 CRITICAL PATCH Act Now

XML External Entity (XXE) processing in Apache CXF versions prior to 4.1.7 and 4.2.0-4.2.1 allows remote attackers to trigger out-of-band external entity resolution via the EndpointReferenceUtils and W3CMultiSchemaFactory classes, which instantiate SAXParserFactory without JAXP hardening. While CVSS scores this 9.8 critical, EPSS reports only 0.02% exploitation probability, and there is no public exploit identified at time of analysis. Successful exploitation could enable data exfiltration, SSRF, or denial-of-service against applications that process attacker-controlled XML through CXF web services.

Apache XXE Cxf
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-48062 CRITICAL PATCH GHSA Act Now

Arbitrary file upload leading to remote code execution in CodeIgniter4 framework versions prior to 4.7.3 occurs because the `ext_in` validation rule inspects the MIME-derived guessed extension rather than the client-supplied filename extension. Applications that accept user uploads, rely on `ext_in` for extension allow-listing, persist files under their original client filename inside a web-accessible directory, and permit PHP execution in that directory can be coerced into writing and executing attacker-controlled PHP. No public exploit identified at time of analysis, though the patch commit and tests publicly demonstrate the bypass technique (a polyglot file named `shell.php` carrying GIF magic bytes).

File Upload PHP RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-38581 CRITICAL Act Now

SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-7852 CRITICAL PATCH Act Now

Remote code execution in Limatek System Inc. LimRAD NAC versions prior to 5.5.7.3.9 allows unauthenticated remote attackers to upload dangerous file types and achieve Remote Code Inclusion. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects an internet-reachable, no-interaction exploitation path against a network access control appliance, though no public exploit identified at time of analysis. The vulnerability was disclosed by TR-CERT and tracked in Turkish national vulnerability advisory TR-26-0366.

File Upload Limrad Nac
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-12027 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the Headless component sandbox via a crafted HTML page. The flaw is rated High severity by Chromium and carries CVSS 9.6 due to scope change and user interaction, though EPSS remains very low (0.03%) and there is no public exploit identified at time of analysis. A vendor patch is available in the stable channel update published June 2026.

Privilege Escalation Google Red Hat
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-47174 CRITICAL PATCH Act Now

Production deployment compromise in Duck Site before 1.0.1 allows remote attackers to push attacker-controlled code as the live production Docker image without code review or merge approval. The flaw stems from a GitHub Actions deploy workflow that can be tricked into treating an unmerged pull request build as a main-branch deployment, then checking out the PR commit, building it, pushing it as the `latest` Docker tag, and triggering a Dokploy deployment. No public exploit identified at time of analysis, and CVE is not listed in CISA KEV.

Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
9.5
EPSS
0.0%
CVE-2026-47172 CRITICAL PATCH Act Now

Privileged GitHub Actions workflow injection in Quest Bot (Discord moderation bot) prior to version 1.0.3 allows remote attackers to deploy malicious container images to production by opening a pull request from a branch named 'main'. The unprivileged build workflow's head_sha is consumed by a downstream privileged deploy workflow, which then builds and publishes attacker-controlled code as the 'latest' Docker image and triggers production rollout. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-9qf3-c86c-j346) documents the chain end-to-end.

Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
9.5
EPSS
0.0%
CVE-2026-4764 CRITICAL PATCH Act Now

Privilege escalation in Google Cloud Dialogflow CX allows authenticated users holding specific IAM roles to abuse the playbook import functionality and potentially take over the entire GCP project. Google has confirmed the issue was patched server-side on 15 March 2026 with no customer action required, and no public exploit has been identified at time of analysis.

Authentication Bypass Google
NVD
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-6269 MEDIUM POC PATCH This Month

Incorrect authorization enforcement in GitLab CE/EE exposes hidden merge requests to unauthorized modification by authenticated users holding developer-role permissions. The flaw spans a wide version range - from 15.10 through the patched releases 18.10.8, 18.11.5, and 19.0.2 - meaning a large proportion of self-managed GitLab deployments are potentially affected. A publicly available proof-of-concept exists via a disclosed HackerOne report, raising the practical exploitation risk beyond what the medium CVSS score alone suggests; no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

Gitlab Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39494 CRITICAL Act Now

Blind SQL injection in the WordPress plugin Product Filter by WBW (versions up to and including 3.1.2) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries via crafted filter parameters. The CVSS 9.3 score reflects a scope-changed impact (S:C) where the WordPress database can be queried beyond the plugin's own context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Product Filter By Wbw
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-49973 CRITICAL PATCH Act Now

Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settings API endpoint during the first-run window to POST the _set_password parameter, persist an arbitrary password hash, and obtain a valid administrative session cookie. The flaw, reported by VulnCheck and tracked as an improper access control (CWE-306) issue, locks the legitimate operator out of their own instance and grants full administrative control. No public exploit identified at time of analysis, but an upstream fix landed in release v0.51.358.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-45177 CRITICAL PATCH Act Now

Authentication bypass in Idira Secrets Manager SaaS Edge prior to version 1.8 allows remote unauthenticated attackers to obtain valid access tokens by submitting specially crafted requests that subvert internal validation logic. Reported by Palo Alto Networks researchers and tracked under CyberArk Security Bulletin CA26-20, the flaw carries a CVSS 4.0 score of 9.1 (Critical) due to high confidentiality and integrity impact on a product whose entire purpose is custody of enterprise secrets. There is no public exploit identified at time of analysis, but the secrets-management use case makes any token theft a high-leverage compromise.

Authentication Bypass Conjur Cloud Edge Finding Only
NVD VulDB
CVSS 4.0
9.1
EPSS
0.1%
CVE-2026-9648 CRITICAL PATCH Act Now

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.

Information Disclosure Crypton Certificate Suse
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-50627 CRITICAL PATCH Act Now

Token confusion in Apache CXF's JwtAccessTokenValidator allows an attacker holding a valid JWT issued for one Resource Server to replay it against an unrelated Resource Server because the 'aud' (Audience) claim is not validated. Affects Apache CXF 4.2.0 through 4.2.1 and all versions prior to 4.1.7, enabling cross-service authentication bypass with full confidentiality, integrity, and availability impact on the unintended target. No public exploit identified at time of analysis and EPSS is very low (0.02%, 4th percentile), but the fix is straightforward and the issue is structurally severe for federated OAuth2/JWT deployments.

Apache Information Disclosure Cxf
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-41005 CRITICAL PATCH Act Now

Authentication bypass in Cloud Foundry UAA (User Account and Authentication) versions 2.0.0 through 78.13.0 allows remote attackers to forge SAML assertions and impersonate users by exploiting a logic flaw where XML encryption was accepted as a substitute for XML signature verification. Because the Service Provider's public encryption key is published in SAML metadata, any party - not just a trusted Identity Provider - can craft encrypted-but-unsigned assertions that UAA will decrypt and trust, breaking the identity-assurance guarantee of SAML. No public exploit identified at time of analysis, but the cryptographic confusion (CWE-347) is well-understood and the impact (full identity spoofing into the platform IAM) is severe.

Jwt Attack Denial Of Service Uaa Cf Deployment
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-45176 HIGH PATCH This Week

Local privilege escalation in CyberArk (Idira) Endpoint Privilege Manager Agent versions prior to 26.5 allows low-privileged users on Windows, macOS, and Linux endpoints to abuse improper access controls in high-privileged agent components and execute actions with elevated privileges. The flaw was reported by Palo Alto Networks (CyberArk's parent) and addressed in agent version 26.5.0, with no public exploit identified at time of analysis. Because EPM is itself a privilege-management control, a bypass directly undermines the security posture of every endpoint where it is deployed.

Privilege Escalation Idira Endpoint Privilege Manager
NVD VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-12007 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 149.0.7827.115 allows remote attackers to trigger a use-after-free condition in the Core component via a crafted HTML page, leading to arbitrary code execution within the renderer process. Chromium rates the severity as Critical, and no public exploit has been identified at time of analysis, but the bug class (UAF in Core) is historically a frequent target for in-the-wild exploitation against Chrome. The vulnerability requires the victim to visit attacker-controlled content (UI:R).

Microsoft Use After Free Memory Corruption RCE Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-12020 HIGH PATCH This Week

Use after free in Autofill in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Google Use After Free Memory Corruption Denial Of Service Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-12013 HIGH PATCH This Week

Use after free in Media in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Microsoft Use After Free Memory Corruption Denial Of Service Google +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7870 HIGH PATCH This Week

Privilege escalation in IBM i versions 7.3, 7.4, 7.5, and 7.6 allows an authenticated user to execute attacker-controlled code with administrator privileges due to an unqualified library call (CWE-427, uncontrolled search path). No public exploit identified at time of analysis, but IBM has released a patch and rated the issue as high severity (CVSS 8.8) given the low complexity and high impact across confidentiality, integrity, and availability.

Information Disclosure IBM
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-12035 HIGH PATCH This Week

Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Microsoft Use After Free Memory Corruption Denial Of Service Google +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-45418 HIGH This Week

Authenticated SQL injection in ClipBucket v5 prior to release 5.5.3 - #132 allows any user with video-upload privileges to exfiltrate database contents via the POST /actions/subtitle_edit.php endpoint. The vulnerable 'number' parameter handling enables boolean-based blind SQLi, and no public exploit is identified at time of analysis though the GitHub Security Advisory (GHSA-q233-m544-6jqr) documents the issue in detail.

PHP SQLi Information Disclosure Clipbucket V5
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-12018 HIGH PATCH This Week

Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.115 stems from an inappropriate implementation in the Mojo IPC layer, allowing a local attacker who can place a malicious file on the system to elevate to OS-level privileges. The flaw is rated High severity by Chromium and carries CVSS 8.8, with a vendor patch available and no public exploit identified at time of analysis.

Privilege Escalation Microsoft Google
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-24284 HIGH PATCH This Week

Sandbox escape in Apple macOS prior to Sequoia 15.4 allows a locally installed application to break out of the App Sandbox and perform unauthorized actions outside its confinement boundary. Apple addressed the issue with improved checks; no public exploit identified at time of analysis, though SSVC rates technical impact as total.

Authentication Bypass Apple
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-47171 HIGH PATCH This Week

Mass mention abuse in Quest Bot (open-source Discord moderation/utility bot) before version 1.0.3 allows any normal Discord user to schedule reminders containing @everyone or @here payloads that the bot later re-sends without mention suppression. Because the bot typically holds the Mention Everyone permission, the stored reminder text effectively grants unprivileged users the ability to ping an entire server or channel on demand. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the trivial reproduction path makes the abuse pattern likely once known.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-53661 HIGH PATCH This Week

Session cookie hijacking in Boruta authorization server prior to 0.9.1 allows network-positioned attackers to capture authentication and remember-me cookies because they lack the Secure attribute and may be transmitted over plaintext HTTP. The flaw affects boruta_web, boruta_identity, and boruta_admin components and enables full user impersonation, including potentially administrative sessions on an OAuth 2.0/OpenID Connect identity provider. No public exploit identified at time of analysis and the issue is not in CISA KEV.

Information Disclosure
NVD GitHub
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-48054 HIGH PATCH GHSA This Week

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied strings passed through `opts.name` or `opts.uri` into the `zipHardhat`/`zipFoundry` helpers to break out of string literals inside generated Hardhat and Foundry test scaffolding, leading to arbitrary code execution on the developer's machine when `npm test` or `forge test` is run. No public exploit is identified at time of analysis, but a vendor advisory and patched commit are public via GitHub Security Advisory GHSA-4x76-22x2-rx8v.

Node.js Code Injection RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-45172 HIGH PATCH This Week

Authenticated command injection in CyberArk Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6 allows low-privileged users to execute arbitrary OS commands on the PSMP host. Because PSMP brokers privileged SSH sessions to downstream targets, code execution on this host can pivot an attacker from a constrained PAM user into the operator of the privileged-access tier. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 4.0 base score of 8.7 reflects high confidentiality and integrity impact on the vulnerable system.

Command Injection Pam Self Hosted Privilege Cloud
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-53901 HIGH PATCH This Week

Mass-assignment in Cerebrate before v1.37 lets remote attackers reaching a generic CRUD add endpoint supply a client-controlled id when creating objects, because the add() handler stripped id from the raw $params but not from the normalized $input passed to entity patching. No public exploit identified at time of analysis, but the upstream commit aff1ca7 makes the root cause and exploit path trivially recoverable. CVSS 4.0 of 8.7 (VI:H) reflects integrity-only impact on the vulnerable system.

Authentication Bypass Cerebrate
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-47181 HIGH PATCH This Week

Account takeover in PenguinMod-BackendApi versions prior to 1.0.0 allows any authenticated user holding a valid password reset token for their own account to change the password of any other account via a NoSQL injection flaw in the password reset endpoint. The issue is tracked as CWE-20 (improper input validation) and tagged as Code Injection; no public exploit identified at time of analysis, but a vendor security advisory (GHSA-wwwc-jwrc-3pj8) has been published.

Code Injection Penguinmod Backendapi
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-45171 HIGH PATCH This Week

Authenticated arbitrary code execution in CyberArk Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5 allows low-privileged users to escape intended boundaries through incomplete input validation combined with misconfigured folder permissions. Because PSM brokers privileged sessions to critical infrastructure, code execution here directly threatens vaulted credentials and downstream targets, making this a high-impact issue despite requiring authentication. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects the severity of compromising a PAM component.

Path Traversal RCE Privileged Session Manager Vault
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy