Skip to main content
CVE-2026-12010 HIGH PATCH This Week

Sandbox escape in Google Chrome on Android prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a heap buffer overflow in the GPU process. Chromium rates this severity Critical, and while no public exploit identified at time of analysis, the bug is part of a classic two-stage exploitation chain typically used in browser zero-day exploits. Patch is available from vendor in Chrome 149.0.7827.115 and later.

Heap Overflow Google Buffer Overflow Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12022 HIGH PATCH This Week

Sandbox escape in Google Chrome on macOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a race condition in Safe Browsing handling of a malicious file. Chromium rates the issue High severity and a vendor patch is available, though no public exploit has been identified at time of analysis.

Race Condition Google Information Disclosure Suse Red Hat
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8464 HIGH PATCH This Week

Arbitrary file disclosure in Golem OEE MES (Neuron Soft) before 11.6.0 lets an unauthenticated attacker on the same local network read any file readable by the server process by manipulating HTTP request paths. Reported by CERT-PL with no public exploit identified at time of analysis, the issue is fixed in 11.6.0 and carries a CVSS 4.0 base score of 8.3 driven by adjacent-network access and high confidentiality impact extending beyond the application.

Path Traversal Golem Oee Mes
NVD VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-12014 HIGH PATCH This Week

Use after free in Cast in Google Chrome prior to 149.0.7827.115 allowed an attacker on the local network segment to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: High)

Google Use After Free Memory Corruption Denial Of Service
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-47189 HIGH PATCH This Week

Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission in any guild delete AutoMod rules belonging to other guilds. The flaw stems from looking up rules by global database ID without verifying guild ownership, and rule IDs are discoverable via the bot's autocomplete feature. No public exploit identified at time of analysis, but the GitHub Security Advisory and patched release v1.0.5 are public.

Authentication Bypass Quest Bot
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-48109 HIGH PATCH GHSA This Week

Denial-of-service in MessagePack-CSharp's optional LZ4 decompression path (Lz4Block and Lz4BlockArray modes) allows remote unauthenticated attackers to crash .NET applications that deserialize untrusted MessagePack payloads. A crafted payload with manipulated LZ4 token/length fields triggers an out-of-bounds read raising an AccessViolationException, and may also leak limited adjacent memory before the process dies. No public exploit identified at time of analysis, but the vendor has published an advisory (GHSA-hv8m-jj95-wg3x) with patched releases 2.5.301 and 3.1.7.

Deserialization Denial Of Service
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-49982 HIGH POC PATCH GHSA This Week

Path traversal in node-tmp 0.2.6 allows remote attackers to create files or directories outside the temp directory by supplying non-string `prefix`, `postfix`, or `template` values (arrays, Buffers, or objects) whose `includes('..')` check returns falsy but whose string coercion contains `../`. The 0.2.6 `_assertPath` guard checks only strings, so JSON body fields or `qs`-parsed bracket arrays such as `?prefix[]=..` bypass it and write at attacker-controlled paths with host-process privileges. No public exploit identified at time of analysis, but the bypass pattern is trivial and the library is widely used in Node.js applications.

Authentication Bypass Node.js Node Tmp Suse
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-40998 HIGH PATCH This Week

XML External Entity (XXE) exposure in Spring Web Services' Jaxp13XPathTemplate allows remote attackers to abuse XPath evaluation over StreamSource and SAXSource inputs because the underlying parser falls back to the JDK's default DocumentBuilderFactory rather than Spring's hardened configuration. Affected versions span the 3.1.x, 4.0.x, 4.1.x and 5.0.x release lines, and while no public exploit was identified at time of analysis, the CVSS 8.2 vector (AV:N/AC:L/PR:N/UI:N) indicates that any service that feeds untrusted XML through this template can be reached by unauthenticated remote attackers. The flaw was reported by VMware/Spring and is tracked in the official Spring security advisory.

Java XXE Spring Web Services
NVD VulDB HeroDevs
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-40994 HIGH PATCH This Week

Insecure default initialization in Spring Web Services' Wss4jSecurityInterceptor disables WSS4J BSP (WS-I Basic Security Profile) enforcement on inbound RequestData, allowing remote attackers to submit SOAP messages that violate BSP-mandated WS-Security rules. Affected versions span 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1, with no public exploit identified at time of analysis. The CVSS 8.2 score reflects high integrity impact because protocol-level cryptographic checks expected by downstream consumers are silently weakened.

Java Information Disclosure Spring Web Services
NVD HeroDevs VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-50633 HIGH PATCH This Week

Remote code execution in Apache CXF's JCA integration module allows attackers to achieve arbitrary code execution via JNDI injection when they can manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Affected versions span Apache CXF 4.2.0 to before 4.2.2, and all versions prior to 4.1.7. Despite a CVSS of 8.1, there is no public exploit identified at time of analysis and EPSS sits at 0.04%, suggesting limited near-term exploitation likelihood.

Apache RCE Cxf
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-50632 HIGH PATCH This Week

Remote code execution in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 can occur when untrusted users are permitted to configure JMS transport, representing a third attempt to fully address the original advisory CVE-2026-44417. With no public exploit identified at time of analysis and an EPSS score of 0.04%, near-term mass exploitation appears unlikely, but the SSVC technical impact is rated total and the flaw is deemed automatable once weaponized.

Apache RCE Cxf
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-11816 HIGH PATCH This Week

Path traversal in Keras archive extraction utilities prior to version 3.14.0 allows remote attackers to write files outside the intended extraction directory when a victim loads a malicious model archive. The flaw stems from validating archive member paths against the process current working directory rather than the actual extraction destination, which collapses to the filesystem root in common Docker, CI/CD, and Jupyter setups. No public exploit identified at time of analysis, but the upstream fix and a Huntr bounty disclosure make targeted exploitation against ML pipelines plausible.

Path Traversal Python Docker Keras
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-7787 HIGH PATCH This Week

Insecure direct object reference (IDOR) in IBM Langflow OSS 1.0.0 through 1.9.1 allows an authenticated user to read or modify sensitive resources belonging to other users by manipulating object identifiers. The flaw carries a CVSS 8.1 (High) rating due to high confidentiality and integrity impact over the network, though EPSS exploitation probability remains low at 0.04% and there is no public exploit identified at time of analysis. SSVC classifies exploitation as 'none' but flags the issue as automatable with partial technical impact, indicating defenders should still prioritize patching given the trivial attack complexity.

Authentication Bypass IBM Langflow Oss
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-12012 HIGH PATCH This Week

Use after free in Network in Google Chrome prior to 149.0.7827.115 allowed an attacker in a privileged network position to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)

Google Use After Free Memory Corruption Denial Of Service
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-46622 HIGH PATCH This Week

Plaintext credential exposure in SolidInvoice open-source invoicing platform prior to 2.3.17 allows any actor with read access to the application database to harvest every user's REST API token directly from the api_tokens table. Because tokens are stored unhashed, secondary exposures such as SQL injection, stolen backups, replicated databases, or insider access become full account-takeover paths against the API. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the patch in 2.3.17 (commit 8645391) introduces HMAC-SHA256 token hashing keyed by SOLIDINVOICE_APP_SECRET.

SQLi Solidinvoice
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41700 HIGH PATCH This Week

Cross-Site WebSocket Hijacking in Spring for GraphQL allows remote attackers to execute arbitrary GraphQL operations under an authenticated victim's identity when the application has enabled the GraphQL WebSocket transport. The flaw stems from missing origin validation on WebSocket handshakes (CWE-346), affecting Spring for GraphQL 1.0.x, 1.3.x, 1.4.x, and 2.0.x branches up to 2.0.3. No public exploit identified at time of analysis, but the high CVSS (8.1) and reliance only on a single victim click make this a meaningful risk for any deployment exposing the WebSocket endpoint.

Java Information Disclosure Spring For Graphql
NVD VulDB HeroDevs
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-46489 HIGH PATCH This Week

Stored cross-site scripting in SolidInvoice prior to 2.3.17 allows an authenticated administrator to upload a malicious SVG as the company logo, with the file's contents being base64-encoded and injected unescaped into every page of the application. The embedded JavaScript executes in every authenticated user's browser session, enabling session hijacking and privileged action abuse across the tenant. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Solidinvoice
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-31272 HIGH PATCH This Week

Privilege escalation in Apple macOS Sequoia prior to 15.4 allows a locally executing application to bypass launch constraint protections and run malicious code with elevated privileges. The flaw, reported by Apple and tracked as EUVD-2025-210116, carries CVSS 7.8 (local, low complexity, low privileges) and CWE-269 improper privilege management, with no public exploit identified at time of analysis and CISA SSVC marking exploitation status as 'none'.

Privilege Escalation Apple
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-10847 HIGH This Week

Local privilege escalation in Check Point Identity Agent Full for Windows allows an authenticated local user to execute arbitrary code with SYSTEM privileges through improper executable resolution during the log collection process. The flaw is a classic CWE-427 uncontrolled search path issue, and no public exploit has been identified at time of analysis. Exploitation is constrained to attackers who already have a foothold on the endpoint but provides a reliable path to full SYSTEM compromise.

Checkpoint Privilege Escalation Microsoft RCE
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-53806 HIGH PATCH GHSA This Week

Command execution bypass in OpenClaw before 2026.5.12 lets low-privileged remote users smuggle inline shell content past exec allowlist revalidation by combining POSIX shell flags into a single argument. The flaw exists because parsing logic treats grouped option characters differently from discrete flags, enabling unintended command paths when the affected exec feature is enabled. No public exploit identified at time of analysis, but the issue was reported by VulnCheck and a vendor advisory plus patch are available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-53810 HIGH PATCH GHSA This Week

Arbitrary code execution in OpenClaw before 2026.5.18 allows operators with trusted marketplace access to redirect extension loading to unscanned package payloads, bypassing the platform's security scanning controls. The flaw stems from improper validation of runtime extension metadata (CWE-829), and while no public exploit has been identified at time of analysis, a vendor patch is available via GHSA-v6r2-jh58-xx6w and VulnCheck has tagged it as RCE.

RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-53807 HIGH PATCH This Week

Authorization bypass in OpenClaw prior to 2026.5.6 allows authenticated Telegram users to circumvent the commands.allowFrom sender allowlist by invoking interactive callbacks that mark the caller as authorized before validation runs. Reported by VulnCheck with a vendor patch available, this CWE-863 flaw lets attackers execute restricted command behaviors outside configured Telegram sender restrictions, though no public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-53811 HIGH PATCH GHSA This Week

Privilege escalation in OpenClaw before 2026.5.7 allows authenticated Matrix users to impersonate other identities by manipulating their mutable display name to match policy entries in the allowFrom feature. The flaw stems from authentication relying on a user-controlled attribute (CWE-290), letting attackers receive agent access intended for another Matrix identity. No public exploit identified at time of analysis, but a vendor patch and VulnCheck advisory are available.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-47170 HIGH PATCH This Week

Server-side request forgery in Garlic-Hub digital signage manager prior to version 1.1 allows authenticated users to coerce the server into issuing arbitrary HTTP requests to internal services via the uploadFromUrl endpoint. Responses are stored in the publicly accessible media pool, enabling internal port scanning, service fingerprinting, and exfiltration of internal HTTP responses. No public exploit identified at time of analysis, but the upstream commit (076b6d7) and GHSA-x24v-76hr-989r advisory disclose the patched validator logic.

SSRF Garlic Hub
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-11774 HIGH This Week

Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash the LDAP service or achieve remote code execution after a successful SASL bind with integrity protection (SSF > 0). The flaw stems from an integer overflow in sasl_io_start_packet() that bypasses the nsslapd-maxsasliosize ceiling, enabling roughly 2 MB of attacker-controlled heap corruption. No public exploit identified at time of analysis, and the impact is amplified in FreeIPA and Red Hat Identity Management deployments where any enrolled user, host, or service principal qualifies as an authenticated attacker.

Integer Overflow RCE Denial Of Service Red Hat Buffer Overflow +8
NVD VulDB
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-5497 HIGH PATCH This Week

Denial of service in vLLM 0.8.0 and later allows remote unauthenticated attackers to crash the inference server by sending a single OpenAI-compatible chat completion request containing a video/jpeg data URL with thousands of comma-separated base64-encoded JPEG frames. The VideoMediaIO.load_base64() method decodes every frame without enforcing a count limit, exhausting server memory. No public exploit identified at time of analysis, but an upstream fix commit is available on GitHub.

Denial Of Service Vllm Project Vllm
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-48068 HIGH PATCH GHSA This Week

Remote denial of service in @grpc/grpc-js (the official gRPC library for Node.js) allows unauthenticated network attackers to crash any server process by sending a malformed HTTP/2 stream initiation frame. The flaw stems from an uncaught exception (CWE-248) triggered during stream setup, affecting all server applications built on this widely-used npm package across multiple release branches (1.9.x through 1.14.x). No public exploit identified at time of analysis, but the trivial attack complexity and absence of any workaround make patching the only mitigation.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-48069 HIGH PATCH GHSA This Week

Denial of service in the @grpc/grpc-js Node.js library allows remote attackers to crash any client or server process by sending an invalid compressed gRPC message. The flaw affects all versions prior to the fixed releases (1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4) and is exploitable over the network without authentication. No public exploit identified at time of analysis, and the vendor states there is no workaround other than upgrading.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-52860 HIGH PATCH This Week

Arbitrary Python code execution in Vim prior to 9.2.0597 occurs when a user triggers Python omni-completion (`<C-x><C-o>`) on a buffer containing crafted `def` or `class` headers, because the pythoncomplete autoload reconstructs definitions and runs them through `exec()`, which evaluates default values, annotations, and base-class expressions at definition time. The earlier g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this sink. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Python Code Injection RCE Vim
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-48043 HIGH PATCH GHSA This Week

Remote memory exhaustion in Netty's netty-codec-http2 component allows unauthenticated remote peers to crash the JVM by triggering a ByteBuf reference-count leak in DelegatingDecompressorFrameListener. When crafted HTTP/2 frames cause the flow-controller to throw, pooled ByteBuf decompression chunks are not released, accumulating heap pressure until an OutOfMemoryError terminates the JVM. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV, but the no-authentication, no-interaction attack path makes any internet-exposed HTTP/2 service using affected Netty versions susceptible to sustained DoS.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-11945 HIGH PATCH This Week

Privilege escalation in PostgreSQL Anonymizer versions prior to 3.1.1 allows a low-privileged database user to achieve superuser execution by embedding malicious code in a crafted JSON key-value pair that is later processed by the import_database_rules() or import_roles_rules() functions when invoked by a superuser. The attack is a stored payload that requires a superuser to trigger import of attacker-controlled rules, and no public exploit identified at time of analysis. SSVC marks exploitation as none and not automatable, but technical impact is total once the trigger condition is met.

PostgreSQL SQLi Postgresql Anonymizer
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41856 HIGH PATCH This Week

Authorization bypass in Spring for GraphQL (versions 1.0.0-1.0.6, 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3) allows remote attackers to invoke @Controller data fetcher methods whose security annotations are declared on parent classes or interfaces, because the framework's annotation detection does not consistently resolve annotations across type hierarchies. The flaw is rated CVSS 7.5 (confidentiality-only impact) and no public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS vector makes any affected GraphQL endpoint a meaningful exposure.

Authentication Bypass Java Spring For Graphql
NVD VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-46315 HIGH PATCH This Week

Unauthorized access to protected user data is possible in Apple macOS prior to Tahoe 26.1, where a locally installed application can bypass system permission boundaries (CWE-284) to read data normally gated by TCC/entitlement controls. Apple has shipped a fix that adds additional restrictions, and no public exploit has been identified at time of analysis. The NVD CVSS vector advertises network exploitability, but the description clearly describes a local application abuse path, which materially changes the realistic risk picture.

Authentication Bypass Apple
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-47169 HIGH PATCH This Week

Privilege escalation in Quest Bot (open-source Discord moderation bot) prior to version 1.0.3 allows a user holding only the Manage Server (ManageGuild) permission to abuse the AutoRole configuration to auto-assign an Administrator-level role to newly joining members. No public exploit identified at time of analysis, but the attack path is fully documented in the GitHub Security Advisory GHSA-8vgg-4hpx-7qfg, making the technique trivially reproducible by anyone with the required guild permission.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-46697 HIGH PATCH This Week

Server-side request forgery in the Fediverse Embeds WordPress plugin before 1.5.8 lets any unauthenticated visitor coerce the WordPress host into issuing arbitrary outbound HTTP requests and returns the full response body to the caller, turning the site into a full-read open proxy. The flaw stems from the ftf/media-proxy REST route being registered with permission_callback => __return_true and a dead allowlist check whose result was never honored before wp_remote_get was invoked on a base64-decoded attacker-supplied URL. No public exploit identified at time of analysis, but the bug is trivial to weaponize against internal cloud metadata endpoints and intranet services from any reachable WordPress install.

PHP WordPress SSRF
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-52858 HIGH PATCH This Week

Arbitrary code execution in Vim prior to 9.2.0561 occurs when a user opens a malicious Python file and triggers Python omni-completion (python3complete.vim or pythoncomplete.vim), causing Vim's completion script to execute import/from statements from the buffer through Python's import machinery and run attacker-controlled package code as the editing user. Affects any Vim build with +python3 or +python interpreter support; no public exploit identified at time of analysis, but the upstream patch and detailed advisory (GHSA-52mc-rq6p-rc7c) make the issue well-documented. The CVSS 4.0 score of 7.3 reflects required user interaction (opening the file and invoking completion) but high impact on confidentiality, integrity, and availability of the user's account.

Python Code Injection RCE Vim Suse
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-47162 HIGH PATCH This Week

Vimscript code injection in the netrw plugin shipped with Vim before 9.2.0495 allows attackers who can plant or have a victim browse a maliciously named directory to execute arbitrary Vimscript and shell commands in the user's Vim session. The flaw resides in s:NetrwBookHistSave(), which serializes directory paths into ~/.vim/.netrwhist using unescaped single-quoted string literals, so a directory name containing a single quote breaks out of the literal and is executed the next time Vim sources the history. No public exploit identified at time of analysis, but a proof-of-concept payload is embedded in the upstream regression test (Test_netrw_injection).

RCE Vim
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-53813 HIGH PATCH GHSA This Week

Path traversal in OpenClaw before version 2026.4.25 allows attackers with workspace access to manipulate local package root resolution and load memory-core artifacts from attacker-controlled locations, leading to arbitrary code execution or sensitive data disclosure. The flaw stems from workspace state influencing artifact resolution paths (CWE-427, Uncontrolled Search Path Element). No public exploit identified at time of analysis, though VulnCheck has published a dedicated advisory describing the fake package root resolution technique.

Path Traversal Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-27511 HIGH PATCH GHSA This Week

Remote code execution in GeoServer (versions prior to 2.27.0) with the DB2 extension installed allows authenticated administrators to perform a JNDI injection attack via a crafted DB2 JDBC connection URL submitted through the Vector Data Sources page, ultimately triggering Java deserialization of untrusted data and arbitrary code execution. No public exploit identified at time of analysis, and the vulnerability is not on CISA KEV, but the attack pattern follows well-known JNDI/Log4Shell-style RCE techniques. Risk is meaningful only where the DB2 extension is deployed and an administrative account is reachable.

Atlassian Deserialization RCE
NVD GitHub
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-47163 HIGH PATCH This Week

Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access to invoke moderator-only /automod add, /automod remove, and /automod list commands due to missing Discord default permission requirements and absent runtime permission checks. Exploitation enables a low-privileged member to register automod rules matching common text patterns, causing the bot to delete other users' legitimate messages. No public exploit identified at time of analysis, but the trivial nature of the abuse and public advisory increase likelihood of weaponization in active Discord servers.

Authentication Bypass Quest Bot
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2023-33999 HIGH This Week

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS.0.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wp Mail Log
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48089 HIGH PATCH GHSA This Week

Improper authorization in DevGuard versions prior to v1.4.2 allows any authenticated user on the instance - including users with no membership in the target organization, project, or asset - to perform write operations on vulnerability-triage endpoints of any public asset. The flaw lets attackers create, modify, or delete VEX rules, dependency-vulnerability events, license risks, external references, and artifacts, corrupting the integrity of published vex.json/sbom.json output consumed by downstream supply-chain users. No public exploit identified at time of analysis, and EPSS probability is very low (0.04%, 11th percentile), reflecting the niche audience but not the integrity blast radius.

Gitlab Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-40987 HIGH PATCH This Week

Path traversal in Spring Integration's FTP/SFTP/SMB inbound adapters allows a malicious or compromised remote file server to write attacker-controlled files outside the configured local directory on any client polling it, affecting versions 5.5.0-5.5.20, 6.3.0-6.3.14, 6.4.0-6.4.11, 6.5.0-6.5.8, and 7.0.0-7.0.4. The flaw inverts the usual trust model - the file-transfer client trusts the server's filename, enabling overwrite of arbitrary host files such as configuration, cron, or application JARs, which can escalate to code execution. No public exploit identified at time of analysis, but the issue is straightforward to weaponize once a hostile server endpoint is reachable.

Path Traversal Java Spring Integration
NVD VulDB HeroDevs
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-42653 HIGH This Week

Stored cross-site scripting in the SliceWP WordPress affiliate-marketing plugin (all versions up to and including 1.2.6) lets remote attackers persist malicious JavaScript that executes in the browsers of users who later view the affected page. Patchstack-reported issue with no public exploit identified at time of analysis; CVSS 7.1 reflects the scope-changing impact when an admin or another user is lured into rendering the injected payload. Affects WordPress sites running the iova.Mihai SliceWP plugin in default configurations exposed to attacker-supplied input.

XSS Slicewp
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-53815 HIGH PATCH GHSA This Week

Authorization bypass in OpenClaw before 2026.5.19 allows authenticated lower-trust users to read messages from channels outside their allowlist by abusing missing validation in message read actions. The flaw maps to CWE-862 (Missing Authorization) and carries a CVSS 4.0 score of 7.1 with high confidentiality impact; no public exploit identified at time of analysis, but a vendor patch is available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-48099 HIGH PATCH GHSA This Week

Path traversal in WsgiDAV 4.3.3 allows WebDAV clients to read, write, or delete files outside the configured filesystem share root when a sibling directory's name shares a prefix with the share root. The flaw lives in FilesystemProvider._loc_to_file_path(), which performs a string-prefix containment check instead of a path-boundary-aware one, and is reachable via URL-encoded dot segments such as /%2e%2e/. No public exploit is identified at time of analysis, but a proof-of-concept is described in the vendor advisory and a vendor-released patch exists (4.3.4).

Path Traversal Authentication Bypass
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-8406 HIGH This Week

Authenticated information disclosure in openSIS Classic 9.3 lets any logged-in user with messaging-module access read other users' sent messages by tampering with the mail_id parameter sent to modules/messaging/SentMail.php. The flaw is a textbook insecure direct object reference (CWE-639) with no public exploit identified at time of analysis, though the upstream commit fixing it is published on GitHub, effectively documenting the vulnerable code path.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-6250 HIGH PATCH This Week

Authenticated format string vulnerability in the ONVIF service of TP-Link Tapo C110 v2 cameras allows adjacent-network attackers with valid credentials to manipulate stack memory and redirect execution to internal functions, triggering an unauthorized factory reset. Successful exploitation wipes configuration, deletes stored credentials, and disrupts video surveillance service. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Authentication Bypass Tapo C110 V2
NVD VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-47781 HIGH POC PATCH GHSA This Week

Local arbitrary code execution in PDM (Python Development Master) versions <= 2.26.9 allows attacker-controlled repositories to execute Python code under the invoking user's privileges when any pdm command (even `pdm --version`) is run inside a malicious checkout. The root cause is implicit loading of project-local `.pdm-plugins` via `site.addsitedir()`, which processes `.pth` files containing executable `import` statements before CLI parsing. Publicly available exploit code exists in the advisory PoC, and CWE-94 code injection is confirmed; no public exploit identified at time of analysis as actively used in the wild.

Python Privilege Escalation Code Injection RCE Suse
NVD GitHub VulDB
EPSS
0.0%
CVE-2026-50645 HIGH PATCH This Week

Denial of service in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 allows remote unauthenticated attackers to exhaust server resources by sending messages containing an unbounded number of attachment headers during deserialization. The flaw stems from missing input limits in the message deserialization path and can be triggered without authentication or user interaction. EPSS rates real-world exploitation probability as low (0.02%) and no public exploit identified at time of analysis, but SSVC flags the attack as automatable.

Apache Denial Of Service Cxf
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy