Skip to main content
CVE-2026-53811 HIGH PATCH GHSA This Week

Privilege escalation in OpenClaw before 2026.5.7 allows authenticated Matrix users to impersonate other identities by manipulating their mutable display name to match policy entries in the allowFrom feature. The flaw stems from authentication relying on a user-controlled attribute (CWE-290), letting attackers receive agent access intended for another Matrix identity. No public exploit identified at time of analysis, but a vendor patch and VulnCheck advisory are available.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-47170 HIGH PATCH This Week

Server-side request forgery in Garlic-Hub digital signage manager prior to version 1.1 allows authenticated users to coerce the server into issuing arbitrary HTTP requests to internal services via the uploadFromUrl endpoint. Responses are stored in the publicly accessible media pool, enabling internal port scanning, service fingerprinting, and exfiltration of internal HTTP responses. No public exploit identified at time of analysis, but the upstream commit (076b6d7) and GHSA-x24v-76hr-989r advisory disclose the patched validator logic.

SSRF Garlic Hub
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-6976 LOW POC PATCH Monitor

Merge request diff manipulation in GitLab CE/EE allows authenticated users with developer-role permissions to hide file changes from code reviewers by exploiting improper input handling of file names, undermining the integrity of the code review process. Publicly available exploit code exists via HackerOne report #3638136 (tagged 'exploit' in vendor references), though no confirmed active exploitation has been recorded in CISA KEV. The vulnerability spans a broad version range from 15.9 through the patched releases, meaning self-managed GitLab deployments without current patch levels are at risk from malicious insiders or compromised developer accounts bypassing review gates.

Gitlab Authentication Bypass
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-11774 HIGH This Week

Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash the LDAP service or achieve remote code execution after a successful SASL bind with integrity protection (SSF > 0). The flaw stems from an integer overflow in sasl_io_start_packet() that bypasses the nsslapd-maxsasliosize ceiling, enabling roughly 2 MB of attacker-controlled heap corruption. No public exploit identified at time of analysis, and the impact is amplified in FreeIPA and Red Hat Identity Management deployments where any enrolled user, host, or service principal qualifies as an authenticated attacker.

Integer Overflow RCE Denial Of Service Red Hat Buffer Overflow +8
NVD VulDB
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-5497 HIGH PATCH This Week

Denial of service in vLLM 0.8.0 and later allows remote unauthenticated attackers to crash the inference server by sending a single OpenAI-compatible chat completion request containing a video/jpeg data URL with thousands of comma-separated base64-encoded JPEG frames. The VideoMediaIO.load_base64() method decodes every frame without enforcing a count limit, exhausting server memory. No public exploit identified at time of analysis, but an upstream fix commit is available on GitHub.

Denial Of Service Vllm Project Vllm
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-48068 HIGH PATCH GHSA This Week

Remote denial of service in @grpc/grpc-js (the official gRPC library for Node.js) allows unauthenticated network attackers to crash any server process by sending a malformed HTTP/2 stream initiation frame. The flaw stems from an uncaught exception (CWE-248) triggered during stream setup, affecting all server applications built on this widely-used npm package across multiple release branches (1.9.x through 1.14.x). No public exploit identified at time of analysis, but the trivial attack complexity and absence of any workaround make patching the only mitigation.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-48069 HIGH PATCH GHSA This Week

Denial of service in the @grpc/grpc-js Node.js library allows remote attackers to crash any client or server process by sending an invalid compressed gRPC message. The flaw affects all versions prior to the fixed releases (1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4) and is exploitable over the network without authentication. No public exploit identified at time of analysis, and the vendor states there is no workaround other than upgrading.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-52860 HIGH PATCH This Week

Arbitrary Python code execution in Vim prior to 9.2.0597 occurs when a user triggers Python omni-completion (`<C-x><C-o>`) on a buffer containing crafted `def` or `class` headers, because the pythoncomplete autoload reconstructs definitions and runs them through `exec()`, which evaluates default values, annotations, and base-class expressions at definition time. The earlier g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this sink. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Python Code Injection RCE Vim
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-48043 HIGH PATCH GHSA This Week

Remote memory exhaustion in Netty's netty-codec-http2 component allows unauthenticated remote peers to crash the JVM by triggering a ByteBuf reference-count leak in DelegatingDecompressorFrameListener. When crafted HTTP/2 frames cause the flow-controller to throw, pooled ByteBuf decompression chunks are not released, accumulating heap pressure until an OutOfMemoryError terminates the JVM. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV, but the no-authentication, no-interaction attack path makes any internet-exposed HTTP/2 service using affected Netty versions susceptible to sustained DoS.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-11945 HIGH PATCH This Week

Privilege escalation in PostgreSQL Anonymizer versions prior to 3.1.1 allows a low-privileged database user to achieve superuser execution by embedding malicious code in a crafted JSON key-value pair that is later processed by the import_database_rules() or import_roles_rules() functions when invoked by a superuser. The attack is a stored payload that requires a superuser to trigger import of attacker-controlled rules, and no public exploit identified at time of analysis. SSVC marks exploitation as none and not automatable, but technical impact is total once the trigger condition is met.

PostgreSQL SQLi Postgresql Anonymizer
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41856 HIGH PATCH This Week

Authorization bypass in Spring for GraphQL (versions 1.0.0-1.0.6, 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3) allows remote attackers to invoke @Controller data fetcher methods whose security annotations are declared on parent classes or interfaces, because the framework's annotation detection does not consistently resolve annotations across type hierarchies. The flaw is rated CVSS 7.5 (confidentiality-only impact) and no public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS vector makes any affected GraphQL endpoint a meaningful exposure.

Authentication Bypass Java Spring For Graphql
NVD VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-46315 HIGH PATCH This Week

Unauthorized access to protected user data is possible in Apple macOS prior to Tahoe 26.1, where a locally installed application can bypass system permission boundaries (CWE-284) to read data normally gated by TCC/entitlement controls. Apple has shipped a fix that adds additional restrictions, and no public exploit has been identified at time of analysis. The NVD CVSS vector advertises network exploitability, but the description clearly describes a local application abuse path, which materially changes the realistic risk picture.

Authentication Bypass Apple
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-47169 HIGH PATCH This Week

Privilege escalation in Quest Bot (open-source Discord moderation bot) prior to version 1.0.3 allows a user holding only the Manage Server (ManageGuild) permission to abuse the AutoRole configuration to auto-assign an Administrator-level role to newly joining members. No public exploit identified at time of analysis, but the attack path is fully documented in the GitHub Security Advisory GHSA-8vgg-4hpx-7qfg, making the technique trivially reproducible by anyone with the required guild permission.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-46697 HIGH PATCH This Week

Server-side request forgery in the Fediverse Embeds WordPress plugin before 1.5.8 lets any unauthenticated visitor coerce the WordPress host into issuing arbitrary outbound HTTP requests and returns the full response body to the caller, turning the site into a full-read open proxy. The flaw stems from the ftf/media-proxy REST route being registered with permission_callback => __return_true and a dead allowlist check whose result was never honored before wp_remote_get was invoked on a base64-decoded attacker-supplied URL. No public exploit identified at time of analysis, but the bug is trivial to weaponize against internal cloud metadata endpoints and intranet services from any reachable WordPress install.

PHP WordPress SSRF
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-52858 HIGH PATCH This Week

Arbitrary code execution in Vim prior to 9.2.0561 occurs when a user opens a malicious Python file and triggers Python omni-completion (python3complete.vim or pythoncomplete.vim), causing Vim's completion script to execute import/from statements from the buffer through Python's import machinery and run attacker-controlled package code as the editing user. Affects any Vim build with +python3 or +python interpreter support; no public exploit identified at time of analysis, but the upstream patch and detailed advisory (GHSA-52mc-rq6p-rc7c) make the issue well-documented. The CVSS 4.0 score of 7.3 reflects required user interaction (opening the file and invoking completion) but high impact on confidentiality, integrity, and availability of the user's account.

Python Code Injection RCE Vim Suse
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-47162 HIGH PATCH This Week

Vimscript code injection in the netrw plugin shipped with Vim before 9.2.0495 allows attackers who can plant or have a victim browse a maliciously named directory to execute arbitrary Vimscript and shell commands in the user's Vim session. The flaw resides in s:NetrwBookHistSave(), which serializes directory paths into ~/.vim/.netrwhist using unescaped single-quoted string literals, so a directory name containing a single quote breaks out of the literal and is executed the next time Vim sources the history. No public exploit identified at time of analysis, but a proof-of-concept payload is embedded in the upstream regression test (Test_netrw_injection).

RCE Vim
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-53813 HIGH PATCH GHSA This Week

Path traversal in OpenClaw before version 2026.4.25 allows attackers with workspace access to manipulate local package root resolution and load memory-core artifacts from attacker-controlled locations, leading to arbitrary code execution or sensitive data disclosure. The flaw stems from workspace state influencing artifact resolution paths (CWE-427, Uncontrolled Search Path Element). No public exploit identified at time of analysis, though VulnCheck has published a dedicated advisory describing the fake package root resolution technique.

Path Traversal Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-27511 HIGH PATCH GHSA This Week

Remote code execution in GeoServer (versions prior to 2.27.0) with the DB2 extension installed allows authenticated administrators to perform a JNDI injection attack via a crafted DB2 JDBC connection URL submitted through the Vector Data Sources page, ultimately triggering Java deserialization of untrusted data and arbitrary code execution. No public exploit identified at time of analysis, and the vulnerability is not on CISA KEV, but the attack pattern follows well-known JNDI/Log4Shell-style RCE techniques. Risk is meaningful only where the DB2 extension is deployed and an administrative account is reachable.

Atlassian Deserialization RCE
NVD GitHub
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-47163 HIGH PATCH This Week

Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access to invoke moderator-only /automod add, /automod remove, and /automod list commands due to missing Discord default permission requirements and absent runtime permission checks. Exploitation enables a low-privileged member to register automod rules matching common text patterns, causing the bot to delete other users' legitimate messages. No public exploit identified at time of analysis, but the trivial nature of the abuse and public advisory increase likelihood of weaponization in active Discord servers.

Authentication Bypass Quest Bot
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2023-33999 HIGH This Week

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS.0.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wp Mail Log
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48089 HIGH PATCH GHSA This Week

Improper authorization in DevGuard versions prior to v1.4.2 allows any authenticated user on the instance - including users with no membership in the target organization, project, or asset - to perform write operations on vulnerability-triage endpoints of any public asset. The flaw lets attackers create, modify, or delete VEX rules, dependency-vulnerability events, license risks, external references, and artifacts, corrupting the integrity of published vex.json/sbom.json output consumed by downstream supply-chain users. No public exploit identified at time of analysis, and EPSS probability is very low (0.04%, 11th percentile), reflecting the niche audience but not the integrity blast radius.

Gitlab Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-40987 HIGH PATCH This Week

Path traversal in Spring Integration's FTP/SFTP/SMB inbound adapters allows a malicious or compromised remote file server to write attacker-controlled files outside the configured local directory on any client polling it, affecting versions 5.5.0-5.5.20, 6.3.0-6.3.14, 6.4.0-6.4.11, 6.5.0-6.5.8, and 7.0.0-7.0.4. The flaw inverts the usual trust model - the file-transfer client trusts the server's filename, enabling overwrite of arbitrary host files such as configuration, cron, or application JARs, which can escalate to code execution. No public exploit identified at time of analysis, but the issue is straightforward to weaponize once a hostile server endpoint is reachable.

Path Traversal Java Spring Integration
NVD VulDB HeroDevs
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-42653 HIGH This Week

Stored cross-site scripting in the SliceWP WordPress affiliate-marketing plugin (all versions up to and including 1.2.6) lets remote attackers persist malicious JavaScript that executes in the browsers of users who later view the affected page. Patchstack-reported issue with no public exploit identified at time of analysis; CVSS 7.1 reflects the scope-changing impact when an admin or another user is lured into rendering the injected payload. Affects WordPress sites running the iova.Mihai SliceWP plugin in default configurations exposed to attacker-supplied input.

XSS Slicewp
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-53815 HIGH PATCH GHSA This Week

Authorization bypass in OpenClaw before 2026.5.19 allows authenticated lower-trust users to read messages from channels outside their allowlist by abusing missing validation in message read actions. The flaw maps to CWE-862 (Missing Authorization) and carries a CVSS 4.0 score of 7.1 with high confidentiality impact; no public exploit identified at time of analysis, but a vendor patch is available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-3553 LOW POC PATCH Monitor

Incorrect authorization checks in GitLab CE/EE expose confidential issue details to authenticated low-privileged users under specific conditions. The flaw spans an enormous version range starting from 12.0, meaning a large population of self-hosted GitLab instances running unpatched versions is potentially affected. A publicly available exploit was disclosed via HackerOne (report #3578216), which elevates practical risk above what the low CVSS score of 3.1 alone suggests, even though active exploitation has not been confirmed by CISA KEV.

Gitlab Authentication Bypass
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-48099 HIGH PATCH GHSA This Week

Path traversal in WsgiDAV 4.3.3 allows WebDAV clients to read, write, or delete files outside the configured filesystem share root when a sibling directory's name shares a prefix with the share root. The flaw lives in FilesystemProvider._loc_to_file_path(), which performs a string-prefix containment check instead of a path-boundary-aware one, and is reachable via URL-encoded dot segments such as /%2e%2e/. No public exploit is identified at time of analysis, but a proof-of-concept is described in the vendor advisory and a vendor-released patch exists (4.3.4).

Path Traversal Authentication Bypass
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-8406 HIGH This Week

Authenticated information disclosure in openSIS Classic 9.3 lets any logged-in user with messaging-module access read other users' sent messages by tampering with the mail_id parameter sent to modules/messaging/SentMail.php. The flaw is a textbook insecure direct object reference (CWE-639) with no public exploit identified at time of analysis, though the upstream commit fixing it is published on GitHub, effectively documenting the vulnerable code path.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-6250 HIGH PATCH This Week

Authenticated format string vulnerability in the ONVIF service of TP-Link Tapo C110 v2 cameras allows adjacent-network attackers with valid credentials to manipulate stack memory and redirect execution to internal functions, triggering an unauthorized factory reset. Successful exploitation wipes configuration, deletes stored credentials, and disrupts video surveillance service. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Authentication Bypass Tapo C110 V2
NVD VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-52859 MEDIUM PATCH This Month

Out-of-bounds read in Vim's built-in terminal emulator (`:terminal` feature) prior to version 9.2.0565 allows a program running inside a `:terminal` window to crash Vim by outputting crafted Unicode combining characters that exhaust all six libvterm cell slots, causing the unguarded loop in `update_snapshot()` to walk past the fixed-size array and append out-of-bounds memory into the scrollback buffer. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog and no public exploit code has been identified, placing this in the lower-urgency tier despite the CVSS 4.0 score of 6.9. Real-world exploitation is constrained by the requirement that a victim be actively using Vim's `:terminal` feature to render attacker-influenced program output.

Information Disclosure Buffer Overflow Vim Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-53818 MEDIUM PATCH GHSA This Month

Authorization bypass in OpenClaw before 2026.4.24 allows local, low-privileged callers to circumvent owner-only tool policies and before-tool-call hooks via the MCP loopback feature. By routing requests through the affected loopback path, a non-owner principal can invoke tools that should be restricted to the owner role, effectively escalating effective privileges within the application. No public exploit code has been identified at time of analysis, but a vendor patch has been released and the vulnerability was reported by VulnCheck.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-11561 CRITICAL PATCH Act Now

Expression language injection in Soagen Informatics' Apinizer API management platform versions 2026.04.0 through 2026.04.5 allows remote unauthenticated attackers to inject malicious EL expressions that the server evaluates, resulting in arbitrary code execution. The flaw was reported by Turkey's national CERT (TR-CERT) and carries a CVSS 9.8 critical rating, though SSVC currently indicates no observed exploitation and no public exploit identified at time of analysis. A vendor patch is available in version 2026.04.6.

Code Injection Apinizer
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-47238 MEDIUM This Month

ClipBucket v5's subtitle management feature lacks ownership verification, enabling any authenticated user to upload, rename, or delete subtitle tracks on videos belonging to other users. All releases prior to version 5.5.3 - #133 (CPE: cpe:2.3:a:macwarrior:clipbucket-v5) are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and network accessibility present credible risk in any multi-user ClipBucket deployment.

Authentication Bypass Clipbucket V5
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-12026 MEDIUM PATCH This Month

Out-of-bounds read in Google Chrome's Video component on ChromeOS exposes process memory to attackers who have already established renderer process compromise. Specifically, an attacker with an existing foothold in the renderer can serve a crafted HTML page to a ChromeOS user and extract potentially sensitive data from memory. No public exploit or CISA KEV listing exists at time of analysis, and EPSS places exploitation probability at 0.03% (11th percentile), indicating low real-world exploitation activity despite the High CVSS confidentiality impact.

Google Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-50630 MEDIUM PATCH This Month

HTTP Response Splitting via CRLF injection in Apache CXF's OAuth2 module allows an attacker who controls the WWW-Authenticate realm parameter to inject arbitrary HTTP headers or split HTTP responses entirely. Affected deployments include cxf-rt-rs-security-oauth2 versions 4.2.0 before 4.2.2 and all versions before 4.1.7. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, but successful exploitation could enable cache poisoning, header injection, or redirection of downstream HTTP clients processing the malformed response.

Code Injection Cxf
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-48067 MEDIUM PATCH GHSA This Month

Inconsistent server-side scope enforcement in Filament's AttachAction and AssociateAction Select fields allows an authenticated low-privilege user to associate out-of-scope records by tampering with Livewire component state. Developers can scope which records appear in these Select dropdowns via `recordSelectOptionsQuery()`, but the built-in validation rule did not enforce the same scope - meaning the UI restriction was purely cosmetic and bypassable. Patches are available across all three affected major version lines; no public exploit or CISA KEV listing identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-12024 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's DevTools component exposes all Chrome versions prior to 149.0.7827.115 to cross-origin integrity violations when a victim visits a crafted HTML page. The root cause (CWE-346) is insufficient origin validation within DevTools policy enforcement, allowing a remote unauthenticated attacker to circumvent the browser's fundamental isolation boundary and tamper with cross-origin content. No public exploit identified at time of analysis; EPSS of 0.02% (4th percentile) and absence of a CISA KEV listing indicate currently low real-world exploitation pressure despite the High Chromium severity rating.

Authentication Bypass Google Red Hat
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-50634 MEDIUM PATCH This Month

Signature metadata trust bypass in Apache CXF's JwsJsonContainerRequestFilter allows an attacker who can send JWS JSON-signed requests to inject unvalidated metadata - such as Content-Type or protected HTTP headers - by placing it in the first signature entry of a multi-signature JWS JSON token, even when that entry's signature was never verified. Affected deployments using the cxf-rt-rs-security-jose-jaxrs module may incorrectly trust attacker-controlled content type or header values, steering JAX-RS entity parsing or signed-header consistency checks in unintended ways. No public exploit code or CISA KEV listing has been identified at time of analysis; vendor-released patches 4.2.2 and 4.1.7 were published June 10, 2026.

Apache Authentication Bypass Jwt Attack Cxf
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9204 MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in GitLab CE/EE's repository import feature allows an authenticated low-privileged user to read arbitrary files from the backend Gitaly server and probe internal network resources by supplying maliciously crafted secondary URLs that bypass input validation. Affected versions span the 18.10, 18.11, and 19.0 release lines, all patched by GitLab on 2026-06-10. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the combination of authentication-only gating and network-accessible entry point makes this a meaningful lateral-movement risk in self-managed GitLab deployments.

Gitlab SSRF
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-53702 MEDIUM This Month

Stack buffer overflow in GStreamer's H.265/HEVC codec parser (gst-plugins-bad) allows remote unauthenticated attackers to crash GStreamer-based applications by delivering a crafted H.265 video file or stream that a user opens. The root cause is an incorrect loop bound in the buffering period SEI message parser: the parser mistakenly uses cpb_cnt_minus1[i] (the current loop index variable) rather than cpb_cnt_minus1[0] from the referenced Sequence Parameter Set, causing the loop to iterate beyond the bounds of stack-allocated CPB delay arrays and corrupt stack memory. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the deterministic parser logic makes crash reproduction straightforward.

Memory Corruption Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +3
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-53701 MEDIUM This Month

Out-of-bounds write in GStreamer's H.266/VVC PPS picture partition parser (`gst-plugins-bad`) allows an attacker to crash media-processing applications - and potentially achieve code execution - by delivering a crafted H.266/VVC media file. The flaw in `gst_h266_parser_parse_picture_partition()` (gsth266parser.c) permits unbounded slice index increments across three fixed-size arrays in `GstH266PPS` during multi-slice-in-tile processing. A proof-of-concept demonstrating at least a 4-byte write exists; no public exploit beyond that initial POC or CISA KEV listing has been identified at time of analysis, though the code structure permits larger writes across multiple iterations which elevates downstream risk above a pure DoS assessment.

Memory Corruption Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +3
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-48045 MEDIUM PATCH GHSA This Month

Memory exhaustion and CPU starvation in python-zeroconf before 0.149.12 allows any unauthenticated LAN-adjacent host to OOM-kill or stall the zeroconf process by flooding TC-flagged mDNS queries over UDP/5353. The `AsyncListener.handle_query_or_defer` method retained all TC-bit packets in an unbounded `_deferred[addr]` dictionary - each entry up to 8,966 bytes of raw buffer plus parsed DNS state - with no cap on per-address queue depth or total distinct source addresses, and the per-arrival dedup scan ran O(N) causing quadratic CPU growth as queues expanded. Trivially spoofed source IPs multiply the memory footprint across `_deferred`/`_timers`; on Raspberry Pi-class hardware running Home Assistant, sustained flood traffic causes OOM termination; no public exploit identified at time of analysis.

Python Canonical Denial Of Service Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-48022 MEDIUM PATCH GHSA This Month

Credential header leakage in @hapi/wreck (npm) versions before 18.1.2 allows an attacker controlling an adjacent port on the same hostname, or capable of forging a redirect response, to capture Authorization, Cookie, and Proxy-Authorization headers from Node.js HTTP client applications. The library's redirect-following logic stripped credential headers only on hostname changes, leaving scheme and port components unchecked - so same-host redirects across ports (e.g., :443 → :8080) and HTTPS-to-HTTP downgrades forwarded credentials intact to the redirect target. No public exploit identified at time of analysis and not listed in CISA KEV, but the patch commit and test cases are publicly available in the GHSA advisory.

Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-40985 MEDIUM PATCH This Month

Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Java Information Disclosure Spring Web Flow
NVD VulDB HeroDevs
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-47173 MEDIUM PATCH This Month

Unsanitized output in Quest Bot's ticket creation workflow allows any unprivileged Discord server member to inject @everyone, @here, role mentions, or user mentions into ticket channel messages, causing the bot to trigger mass notifications. All Quest Bot versions prior to 1.0.3 are affected; the bot must hold Discord's 'Mention Everyone' permission for the attack to achieve its full impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-53911 MEDIUM PATCH This Month

Unauthorized record modification in Cerebrate before 1.37 allows any authenticated user to overwrite arbitrary records of the same entity type by injecting a foreign primary key into CRUD edit requests. The flaw stems from permissive mass-assignment defaults across several entity types - User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection - where the ORM's patchEntity() accepted attacker-controlled id values from request bodies, redirecting the SQL UPDATE to an unrelated row. Because the UserSettings edit endpoint was reachable by all authenticated users, the most accessible exploitation path required only valid session credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, though the integrity impact on Role and User entities carries privilege-escalation potential that elevates real-world severity above the base CVSS score alone.

Authentication Bypass Cerebrate
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-53782 MEDIUM PATCH This Month

Server-side request forgery in steipete/Summarize before v0.17.0 enables an attacker who controls a podcast RSS feed to coerce the application into fetching transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, and other reserved destinations. The vulnerability is compounded by two bypass mechanisms: DNS rebinding (allowing an attacker to pass an initial hostname check then resolve to an internal target) and unvalidated redirect-following (where intermediate redirect targets are never re-screened). Exploitation exposes internal service responses through the summarization pipeline to the attacker. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified; a vendor patch is available as v0.17.0.

SSRF Summarize
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-11956 MEDIUM This Month

OIDC session cookie exposure in TwiN gatus 5.36.0 allows network-positioned attackers to intercept authentication tokens because the `setSessionCookie` function in `security/oidc.go` sets session cookies without the Secure attribute, permitting transmission over unencrypted HTTP connections. Only deployments with OIDC authentication enabled are affected, and exploitation requires high attack complexity due to mandatory network interception positioning. No public exploit code has been identified; the upstream maintainer has closed the associated GitHub issue (#1689) as 'not planned', meaning no vendor patch will be released.

Information Disclosure Gatus
NVD VulDB GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-4096 MEDIUM PATCH This Month

HTTP header injection in IBM DevOps Plan 3.0.0 through 3.0.6 allows unauthenticated remote attackers to inject arbitrary HTTP headers by supplying a malicious HOST header value that the application fails to sanitize. The vulnerability (CWE-644) can be leveraged to mount cross-site scripting attacks against users, poison intermediate caches with attacker-controlled content, or hijack authenticated sessions. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, though the low-complexity, no-authentication-required attack surface makes this a meaningful risk for any internet-facing deployment.

XSS IBM Devops Plan
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-49949 MEDIUM PATCH This Month

Credential interception in CodexBar before 0.33.0 exposes API keys, bearer tokens, and browser cookies to network-adjacent attackers through the shared ProviderHTTPClient transport's failure to validate redirect destinations. When a user initiates a credentialed request to an AI provider backend, an attacker positioned to inject redirect responses can steer the transport to a cross-origin host or a plaintext HTTP endpoint, causing CodexBar to forward the original credentials to the attacker-controlled destination. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, but the high confidentiality impact warrants prompt patching - especially for users on shared or untrusted networks.

Information Disclosure Codexbar
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53808 MEDIUM PATCH This Month

Approval policy bypass in OpenClaw's Skill Workshop apply flow allows remote attackers to apply workshop configuration changes without completing the required authorization step. Versions prior to 2026.5.6 fail to enforce the `approvalPolicy: pending` gate when agent tool calls include `apply: true`, effectively granting unauthorized write access to skill configurations. No public exploit code has been identified at time of analysis; a vendor-released patch is available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy