Skip to main content
CVE-2026-53423 MEDIUM PATCH This Month

BEAM atom table exhaustion in Elixir's membrane_mp4_plugin (versions 0.3.0-0.36.6) allows denial-of-service by submitting a crafted MP4 file to any application using the library's container parser. The parser passed attacker-controlled 4-byte MP4 box names to String.to_atom/1 without validation; because BEAM atoms are permanent allocations counted against a hard ceiling (~1,048,576 by default), an ~8 MB file with ~1.1 million distinct non-standard box names exhausts the table and aborts the entire BEAM node, collaterally terminating every application co-hosted on that node. No public exploit has been identified at time of analysis; vendor-released patch 0.36.7 resolves the issue.

Denial Of Service Membrane Mp4 Plugin
NVD GitHub
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-48053 MEDIUM PATCH GHSA This Month

Server-side request forgery in Kolibri (pip/kolibri <= 0.19.3) allows network-reachable attackers to force the Kolibri server to issue outbound HTTP requests to arbitrary internal hosts, cloud metadata endpoints, and internal services, with JSON response bodies reflected directly to the caller. The primary GET endpoint at /api/auth/remotefacilityuser required no authentication whatsoever, making this exploitable by any party with network access to the Kolibri server. A working proof-of-concept was retained internally by the reporting researcher but was not published; no public exploit code exists and CISA KEV listing has not been identified at time of analysis.

Python Microsoft Docker SSRF Oracle +1
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-53723 MEDIUM PATCH GHSA This Month

XML injection in guzzlehttp/guzzle-services allows unauthenticated remote attackers to smuggle arbitrary XML elements into outgoing API requests by embedding the CDATA terminator `]]>` in attacker-controlled input. The PHP XMLWriter::writeCData() call used by the request serializer for values containing `<`, `>`, or `&` terminates the CDATA section prematurely when the payload contains `]]>`, causing the remainder to be interpreted as raw XML markup by the downstream service. Depending on downstream service behavior, this can enable privilege escalation, parameter boundary bypass, or operation semantic manipulation — the advisory's canonical example shows injection of a `<Role>admin</Role>` element that a receiving service may honor. No public exploit has been identified at time of analysis, and this vulnerability is not in the CISA KEV catalog.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-47177 MEDIUM PATCH This Month

Ticket transcript redirection in Quest Bot (prior to v1.0.4) allows a privileged user with bot settings access to configure the closed-ticket transcript destination to any channel they can read, exposing full private ticket histories to unauthorized parties. The bot fails to enforce parity between the access controls of the original ticket channel and the transcript destination, breaking the confidentiality boundary of the ticketing system. No public exploit code exists and no KEV listing applies; the CVSS 4.0 score of 5.7 reflects the high privilege requirement and passive user interaction needed to trigger exposure.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-47176 MEDIUM PATCH This Month

Quest Bot, an open-source Discord moderation/utility bot, exposes private channel message contents to privileged users who should not have access to them. A user holding bot configuration privileges can enable the logging feature and direct logs to a channel they control, causing the bot to forward deleted and edited message content from all channels it can observe - including private channels the configuring user is explicitly excluded from reading. No public exploit has been identified at time of analysis, and a patch was released in version 1.0.4.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.0%
CVE-2025-7064 MEDIUM CISA This Month

Authentication bypass via primary weakness (CWE-305) in ABB Freelance DCS affects every major release line from 2013 through 2024, allowing a locally authenticated low-privilege user to circumvent the product's authentication mechanism and gain elevated control over the system. The CVSS vector (AV:L/PR:L/I:H) confirms the attacker must already hold a foothold on the host but can then achieve high integrity impact - particularly serious in an industrial control system context where manipulating controller configurations can affect physical processes. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the wide version span and OT deployment context elevate remediation urgency.

Authentication Bypass Abb
NVD VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2025-46313 MEDIUM PATCH This Month

macOS logs sensitive user data without adequate redaction, allowing a local application to read that data from system logs without requiring elevated privileges. Affecting all macOS versions prior to Tahoe 26.1, the flaw (CWE-532) stems from insufficient data sanitization in the operating system's logging subsystem. An app running in the user context can exploit this to access confidential information that should be protected, with no public exploit identified at time of analysis and an EPSS probability of 0.02%.

Apple Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43278 MEDIUM PATCH This Month

Symlink-following vulnerability in Apple macOS prior to 15.4 allows a malicious locally-installed application to access protected user data by exploiting improper handling of UNIX symbolic links. Affected systems are all macOS versions below Sequoia 15.4, per CPE cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*. No public exploit or active exploitation has been identified; the EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Apple has issued a fix in macOS Sequoia 15.4.

Apple Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-24165 MEDIUM PATCH This Month

Improper access control in Apple macOS allows a locally-executed app to cause unexpected system termination, effectively producing a denial-of-service condition against the host. All three actively-supported macOS release lines - Sequoia, Sonoma, and Ventura - are confirmed affected, with fixes delivered simultaneously across all three branches. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.01% at the 3rd percentile indicates negligible observed exploitation probability at time of analysis.

Authentication Bypass Apple
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-30431 MEDIUM PATCH This Month

Protection mechanism failure in Apple macOS allows a locally-installed malicious app running with standard user privileges to access private information that should be restricted by OS-level access controls. Affected versions span three active macOS release trains: Sequoia before 15.4, Sonoma before 14.7.5, and Ventura before 13.7.5. No active exploitation has been confirmed (not in CISA KEV), and CISA SSVC rates exploitation likelihood as none with partial technical impact, placing this in a monitored-but-not-urgent priority tier for most organizations.

Apple Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-24268 MEDIUM PATCH This Month

Path traversal in Apple macOS prior to Sequoia 15.4 allows a locally-installed application to bypass directory path restrictions and read sensitive user data outside its permitted file system scope. The flaw (CWE-22) stems from insufficient validation of directory path components in macOS path parsing logic, enabling a rogue or compromised app running with standard user privileges to traverse into restricted locations. No public exploit code has been identified and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog; SSVC assessment confirms no known active exploitation at the time of this analysis.

Path Traversal Apple
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43339 MEDIUM PATCH This Month

Sandbox restriction bypass in macOS prior to Tahoe 26.1 allows a locally-installed malicious app to access sensitive user data outside its permitted sandbox scope. The flaw stems from improper access control (CWE-284) in the macOS application sandbox, a core security boundary meant to isolate app access to system resources. SSVC assessment confirms no known active exploitation and the attack is not automatable, while CVSS signals high confidentiality impact limited to local execution with low privileges.

Authentication Bypass Apple
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46293 MEDIUM PATCH This Month

Improper symlink resolution in Apple macOS prior to Sequoia 15.4 allows a locally-executing app with standard user privileges to access protected user data that would ordinarily be restricted by macOS privacy controls such as TCC (Transparency, Consent, and Control). Rooted in CWE-59, the flaw enables a malicious app to craft or exploit symbolic links to bypass the OS file-access boundary and read sensitive user data without authorization. No public exploit has been identified at time of analysis, and CISA's SSVC framework rates exploitation as none with partial technical impact.

Apple Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-30459 MEDIUM PATCH This Month

Unauthorized sensitive user data access in Apple macOS prior to Sequoia 15.4 allows a locally installed app to read private user information due to the presence of vulnerable code that has since been removed. The flaw is classified under CWE-359 (Exposure of Private Personal Information), indicating an API or code path exposed protected data to apps without proper entitlement or permission checks. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; SSVC assesses exploitation as none and technical impact as partial.

Apple Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2022-42479 MEDIUM This Month

Missing Authorization vulnerability in TemplateHouse Soledad allows Accessing Functionality Not Properly Constrained by ACLs.2.5. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Soledad
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2023-25969 MEDIUM This Month

Missing Authorization vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder allows Exploiting Incorrectly Configured Access Control Security Levels.8.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Contact Form Lead Form Elementor Builder Elementor
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3341 MEDIUM PATCH This Month

Server-side request forgery in IBM Langflow Desktop 1.0.0 through 1.9.2 enables authenticated network-based attackers to coerce the application into issuing arbitrary outbound HTTP requests on their behalf. The vulnerability, classified under CWE-918, can expose internal network topology by proxying requests through the server to otherwise inaccessible hosts, and may serve as a stepping stone for further lateral movement or credential harvesting from cloud metadata services. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via IBM advisory.

SSRF IBM Langflow Desktop
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2022-45813 MEDIUM This Month

Missing Authorization vulnerability in BeRocket Advanced AJAX Product Filters allows Exploiting Incorrectly Configured Access Control Security Levels.6.3.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Advanced Ajax Product Filters
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40995 MEDIUM PATCH This Month

X509AuthenticationProvider in Spring Web Services issues fully authenticated tokens from client certificates without enforcing Spring Security's account lifecycle checks, meaning disabled, locked, expired, or credentials-expired accounts can successfully authenticate. This affects all maintained release branches from 3.1.0 through 5.0.1 and was reported by VMware, the Spring project maintainer. No public exploit or CISA KEV listing has been identified at time of analysis, but the bypass is meaningful in environments that rely on account-disablement as the primary deprovisioning control rather than certificate revocation.

Authentication Bypass Java Spring Web Services
NVD HeroDevs VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-53781 MEDIUM PATCH This Month

Disk exhaustion in Summarize CLI (all versions before 0.17.0) allows remote attackers who control a podcast feed or media URL to cause denial of service by circumventing the tool's enforced media download size limit. The size cap can be bypassed through missing or misreported Content-Length headers, chunked transfer encoding, or deliberately failed HEAD requests, causing the CLI's temp-file download path to stream an unbounded response directly to local storage. No active exploitation has been confirmed (not listed in CISA KEV), no public proof-of-concept has been identified, and EPSS data is unavailable; however, the zero authentication requirement on the attacker side and low attack complexity make this a credible threat for users who process untrusted or third-party feeds.

Denial Of Service Summarize
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-49214 MEDIUM PATCH GHSA This Month

CRLF injection in guzzlehttp/psr7 versions prior to 2.10.2 allows remote unauthenticated attackers to inject arbitrary HTTP headers into outbound requests by embedding carriage-return/line-feed sequences in a user-controlled URI host component. When a PSR-7 request is manually serialized into a raw HTTP/1.x message - for example via Message::toString() - the unvalidated host is copied verbatim into the Host header, enabling an attacker-supplied host like '"\r\nX-Injected: yes"' to append controlled headers to the serialized request. In deployments behind proxies, gateways, or load balancers with HTTP/1.1 connection reuse, this header injection can cascade into HTTP request smuggling or cache poisoning. No public exploit code has been identified at time of analysis, and exploitation through the standard Guzzle HTTP client API is explicitly not affected.

Code Injection Psr7
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-48998 MEDIUM PATCH GHSA This Month

Host confusion in guzzlehttp/psr7 (all versions prior to 2.10.2) allows unauthenticated network attackers to supply a malformed Host header - such as `trusted.example@evil.example` - causing the library's URI construction logic to reinterpret the value as URI userinfo and a different host, silently replacing the parsed URI host with the attacker-controlled domain. Applications that rely on the resulting PSR-7 URI host for routing, allow-list enforcement, or forwarding decisions are at risk of sending requests and credentials to unintended destinations. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the conditional impact on forwarding gateways and API proxies built on psr7's server-request parsing functions is concrete.

Information Disclosure Psr7 Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-40997 MEDIUM PATCH This Month

Information disclosure in Spring Web Services (Spring-WS) exposes account lifecycle state - such as locked, disabled, or expired status - to remote unauthenticated SOAP clients through verbose exception messages or callback outcomes during authentication processing. Affected are four actively maintained branches (3.1.x through 5.0.x) when the SOAP layer is integrated with Spring Security; the root cause is CWE-209, where error handling fails to normalize Spring Security's typed account-state exceptions into generic authentication failures. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the CVSS 5.3 (Medium) rating reflects genuine reconnaissance utility for account enumeration against exposed SOAP endpoints.

Java Information Disclosure Spring Web Services
NVD HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-48038 MEDIUM PATCH GHSA This Month

Denial of service in the joi npm validation library (< 18.2.1) is triggered by submitting deeply nested JSON objects against schemas that use recursive `link()` definitions, causing a JavaScript call stack overflow. The untrapped `RangeError` propagates out of joi's link resolver - crashing the Node.js process entirely when `validate()` is invoked without a surrounding `try/catch`, or silently breaking error-handling logic when a `RangeError` is returned where a structured `ValidationError` was expected. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis, but the attack surface is inherently wide given joi's prevalence in Node.js web services.

Denial Of Service
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-50629 MEDIUM PATCH This Month

Log injection in Apache CXF's OAuth2 module (org.apache.cxf:cxf-rt-rs-security-oauth2) permits remote attackers to forge arbitrary log entries by supplying crafted `clientId` values containing control characters or newline sequences in OAuth2 HTTP requests. Affected are CXF 4.2.0-4.2.1 and all 4.1.x versions before 4.1.7; fixed releases 4.2.2 and 4.1.7 were issued June 10, 2026. No public exploit code or active exploitation has been identified at time of analysis; practical impact is confined to log integrity compromise that could mislead security monitoring and incident response processes.

Code Injection Cxf
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-12033 MEDIUM PATCH This Month

Out of bounds read in VideoCapture in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the GPU process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Google Information Disclosure Buffer Overflow Suse Red Hat
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-12015 MEDIUM PATCH This Month

Use after free in Autofill in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Google Use After Free Memory Corruption Denial Of Service
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2023-40200 MEDIUM This Month

Authorization bypass through User-Controlled key vulnerability in Essential Plugin WP Logo Showcase Responsive Slider and Carousel allows Exploiting Incorrectly Configured Access Control Security. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wp Logo Showcase Responsive Slider And Carousel
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-12025 MEDIUM PATCH This Month

Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Information Disclosure Suse Red Hat
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41001 MEDIUM PATCH This Month

Insecure temporary file handling in Spring Boot's ArtemisEmbeddedConfigurationFactory allows a local, low-privileged attacker on the same host to hijack the embedded Apache ActiveMQ Artemis broker's data directory before the application starts. By pre-creating the predictable static path or placing a symlink at that location, the attacker can redirect broker persistence writes - including application messages, journal files, and bindings - to an attacker-controlled filesystem location, yielding partial confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vulnerability spans five active Spring Boot release trains (2.7.x through 4.0.x), broadening aggregate exposure.

Java Information Disclosure Spring Boot
NVD VulDB HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-46308 MEDIUM PATCH This Month

Improper access control via flawed authorization state management in Apple iOS/iPadOS (before 18.4) and macOS Sequoia (before 15.4) permits a locally installed app to leak sensitive user information without proper authorization. Fixed in iOS 18.4, iPadOS 18.4, and macOS Sequoia 15.4, as confirmed by Apple security advisories. No public exploit code has been identified and no active exploitation is recorded in CISA KEV at time of analysis, though SSVC flags the vulnerability as automatable with partial technical impact.

Authentication Bypass Apple Ios And Ipados
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-46698 MEDIUM PATCH This Month

Server-Side Request Forgery in the Fediverse Embeds WordPress plugin (versions prior to 1.5.9) allows any unauthenticated visitor to cause the WordPress server to fetch an arbitrary URL by abusing a publicly exposed AJAX endpoint. The nonce mechanism guarding the endpoint (`ftf-fediverse-embeds-nonce`) is not an authentication boundary - the same nonce is embedded into every public page containing a fediverse embed, making it trivially obtainable by any site visitor. Once obtained, the nonce can be replayed to invoke `file_get_html($site_url)` with an attacker-controlled URL, potentially exposing internal services such as cloud provider metadata endpoints. No active exploitation has been confirmed (CVE is not in CISA KEV) and no public proof-of-concept has been identified at time of analysis.

PHP WordPress SSRF
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-48049 MEDIUM PATCH GHSA This Month

Static file confinement bypass in @hapi/inert (npm, versions 4.0.0-7.1.0) allows remote unauthenticated attackers to read arbitrary files from sibling directories when those directories share a string prefix with the configured serve path. The flaw is a classic CWE-22 path traversal rooted in a faulty string-prefix comparison that fails to enforce a directory separator boundary, meaning a path like /app/static-secret incorrectly passes the confinement check for a serve root of /app/static. No public exploit code has been identified and this CVE is not in CISA KEV, but the attack itself - a single URL-encoded traversal request - is trivially simple once the precondition of a matching-prefix sibling directory is confirmed.

Path Traversal
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-47167 MEDIUM PATCH This Month

Code injection via unsanitized step-definition patterns in Vim's cucumber filetype plugin allows arbitrary Ruby and shell command execution on any Vim build compiled with +ruby support, prior to version 9.2.0496. An attacker who controls .rb step definition files in a repository can craft a regex-terminating payload that escapes a Kernel.eval() argument, enabling full shell access as the victim's user when the developer invokes the [d or ]d step-jump mapping. No public exploit identified at time of analysis, but the patch commit includes a working proof-of-concept demonstrating the injection technique.

Code Injection RCE Vim Suse
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53912 MEDIUM PATCH This Month

Cerebrate's inbox self-registration workflow exposed bcrypt password hashes of pending registrants to any authenticated user holding inbox or audit log access privileges. The hashed credential appeared unredacted across HTML, JSON, and CSV inbox responses and was also written unredacted into audit log entries, as confirmed by commit 02da6d7 and its accompanying test assertions checking for suppression of the $2y$10$ bcrypt prefix. Exploitation requires PR:H per the CVSS 4.0 vector, no active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Information Disclosure Cerebrate
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-11850 MEDIUM PATCH This Month

Heap out-of-bounds read in MIT krb5's LDAP KDB plugin allows a compromised or malicious LDAP backend to crash the KDC or kadmind process, or leak heap memory. The flaw exists in berval2tl_data() within libkdb_ldap and is triggered when the LDAP server returns a krbExtraData attribute with bv_len less than 2, causing an unsigned integer underflow that drives a memcpy of up to 65,534 bytes from a near-zero-length source buffer. Exploitation requires prior control of the LDAP KDB backend server (PR:H, AC:H), constraining real-world risk to insider or supply-chain threat scenarios; no public exploit or CISA KEV listing exists at time of analysis.

Integer Overflow Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +6
NVD VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-40992 MEDIUM PATCH This Month

Spring Boot's Mail auto-configuration omits hostname verification for SMTP over TLS/SSL, leaving applications exposed to man-in-the-middle interception of outbound email traffic on adjacent network segments. Three active release lines are affected - 3.4.x through 3.4.16, 3.5.x through 3.5.14, and 4.0.x through 4.0.6 - unless the deploying application has explicitly set the JavaMail property spring.mail.properties.mail.smtp.ssl.checkserveridentity=true to override the insecure default. No public exploit has been identified at time of analysis, but the flaw is present by default in any Spring Boot application that uses the built-in Mail auto-configuration with TLS/SSL and has not applied the corrective property.

Java Information Disclosure Spring Boot
NVD VulDB HeroDevs
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-53812 MEDIUM PATCH GHSA This Month

Server-side request forgery in OpenClaw's Playwright-backed browser control allows authenticated low-privilege users to circumvent private-network navigation guards by chaining action-triggered redirects through the Playwright act interaction mechanism. All OpenClaw versions prior to 2026.5.18 are affected, and subsequent browser evaluation APIs can be abused to read the content of private-network pages - including internal services, admin panels, or cloud metadata endpoints reachable from the server. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the subsequent-system confidentiality impact is rated High in the CVSS 4.0 vector, reflecting meaningful data-disclosure potential in cloud-hosted or internally networked deployments.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-11986 MEDIUM This Month

Broken access control in the admin-ui-ext component of Red Hat Build of Keycloak permits an authenticated delegated administrator to exploit missing granular permission checks on bulk role-removal endpoints, stripping highly privileged roles from arbitrary users or groups within the Keycloak realm. Affected deployments are those using Keycloak's delegated administration model with the admin-ui-ext extension active; exploitation is bounded by the PR:H CVSS requirement, meaning an attacker must already hold delegated admin credentials. No public exploit has been identified and the vulnerability is not listed in CISA KEV, placing real-world risk in the moderate range with highest relevance to environments with partially trusted delegated administrators.

Information Disclosure Red Hat Build Of Keycloak Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-6338 MEDIUM PATCH This Month

HTTP request smuggling in Kong Gateway Enterprise (3.4, 3.10-3.14 series) enables unauthenticated remote attackers to desynchronize the HTTP/1.1 processing pipeline between Kong and its backend services, achieving high confidentiality and integrity impact against downstream systems. The parsing flaw (CWE-444) exploits ambiguous header interpretation to poison backend request queues, allowing cross-user request hijacking or malicious content injection. Proof-of-concept exploit code exists (CVSS 4.0 E:P), and no active exploitation is confirmed in CISA KEV at time of analysis.

Request Smuggling Information Disclosure
NVD VulDB
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-50623 MEDIUM PATCH This Month

Authentication bypass in Apache CXF's OAuth2 TokenIntrospectionService allows unauthenticated network access to the token introspection endpoint due to a missing 'throw' keyword in the internal security context check, causing the guard to silently pass rather than reject unauthorized callers. Affected are deployments using cxf-rt-rs-security-oauth2 versions 4.2.0-4.2.1 and all 4.1.x releases before 4.1.7 that relied solely on CXF's built-in check without independent authentication at the container or gateway layer. No public exploit code or active exploitation has been identified; vendor-confirmed patches (4.2.2 and 4.1.7) were released June 10, 2026.

Apache Authentication Bypass Cxf
NVD VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-40986 MEDIUM PATCH This Month

Reflected XSS in Spring Web Flow's JavaScript RemotingHandler allows an authenticated attacker to inject and execute arbitrary scripts in a victim's browser by embedding malicious content in input that the server reflects within error response bodies. The RemotingHandler renders these error bodies as HTML regardless of the declared Content-Type, bypassing MIME-type enforcement. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Java XSS Spring Web Flow
NVD HeroDevs VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-40996 MEDIUM PATCH This Month

Spring Web Services' Wss4jSecurityInterceptor silently defaults allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's own safer default and permitting inbound WS-Security decryption to accept the weak RSA PKCS#1 v1.5 (rsa-1_5) key transport algorithm. This misconfiguration-by-default affects all four supported release trains (3.1.x, 4.0.x, 4.1.x, 5.0.x) and opens deployed SOAP services to Bleichenbacher-style adaptive chosen-ciphertext attacks against server-side RSA key material unless operators explicitly override the flag. No public exploit has been identified at time of analysis, and the CVSS-assigned high attack complexity (AC:H) reflects the significant number of oracle queries required to mount a practical attack.

Apache Java Information Disclosure Spring Web Services
NVD HeroDevs VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-53809 MEDIUM PATCH GHSA This Month

OpenClaw's embedded runner policy incorrectly resolves provider aliases against other aliases rather than their canonical provider identities, enabling an authenticated local user to bypass intended provider policy restrictions. When the affected provider alias feature is active, a low-privileged attacker can select bundled tool access that falls outside the scope their policy should permit, effectively sidestepping the authorization boundary. No public exploit has been identified and no active exploitation is confirmed via CISA KEV; the local attack vector and required feature enablement materially limit real-world exposure.

Canonical Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-2827 MEDIUM This Month

Stored Cross-Site Scripting in the Open User Map PRO WordPress plugin (versions ≤ 1.4.31) via the 'oum_location_notification' parameter enables unauthenticated attackers to persistently inject arbitrary JavaScript into WordPress pages. The injected payload executes in any visitor's browser upon accessing the affected page, with scope extending beyond the originating application context (S:C). No public exploit code or CISA KEV listing has been identified at time of analysis, but the unauthenticated injection surface lowers the barrier for mass exploitation against unpatched sites.

WordPress XSS
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2022-44630 MEDIUM This Month

Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery.16.0. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF WordPress
NVD VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2024-45636 MEDIUM PATCH This Month

IBM Security QRadar EDR 3.12 through 3.12.24 stores user credentials in plain text which can be read by a local privileged user. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

IBM Information Disclosure Security Qradar Edr
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2024-32110 MEDIUM This Month

Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Wpevently
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49482 MEDIUM This Month

SQL wildcard character injection in ClipBucket v5's subtitle editing endpoint allows authenticated users to overwrite all subtitle titles across every video they own in a single HTTP request. Affected versions are all releases prior to 5.5.3 - #141 of the open-source video sharing platform maintained by MacWarrior. No public exploit exists and the vulnerability is not listed in CISA KEV, but the trivial exploitation mechanism (a single % character) means any authenticated account could cause bulk subtitle data corruption against their own content.

Information Disclosure Clipbucket V5
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2023-32959 MEDIUM This Month

Missing Authorization vulnerability in Sparkle WP MetroStore metrostore allows Exploiting Incorrectly Configured Access Control Security Levels.3.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Metrostore
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy