Skip to main content
CVE-2026-10733 MEDIUM PATCH This Month

Denial of service on the GitLab CI/CD Catalog page is achievable by any authenticated user across a broad version range (17.0 through pre-patch releases of 18.10, 18.11, and 19.0) due to improper sanitization of user-supplied content. The low-privilege, network-accessible attack vector means any GitLab account holder can trigger the condition without elevated permissions or complex setup. No public exploit code or CISA KEV listing has been identified at time of analysis, and the limited availability impact (A:L) constrains real-world severity, though the wide version exposure across three concurrent release branches broadens organizational risk.

Gitlab XSS Denial Of Service
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2022-47150 MEDIUM This Month

Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery.0.10. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-47781 HIGH POC PATCH GHSA This Week

Local arbitrary code execution in PDM (Python Development Master) versions <= 2.26.9 allows attacker-controlled repositories to execute Python code under the invoking user's privileges when any pdm command (even `pdm --version`) is run inside a malicious checkout. The root cause is implicit loading of project-local `.pdm-plugins` via `site.addsitedir()`, which processes `.pth` files containing executable `import` statements before CLI parsing. Publicly available exploit code exists in the advisory PoC, and CWE-94 code injection is confirmed; no public exploit identified at time of analysis as actively used in the wild.

Python Privilege Escalation Code Injection RCE Suse
NVD GitHub VulDB
EPSS
0.0%
CVE-2026-50645 HIGH PATCH This Week

Denial of service in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 allows remote unauthenticated attackers to exhaust server resources by sending messages containing an unbounded number of attachment headers during deserialization. The flaw stems from missing input limits in the message deserialization path and can be triggered without authentication or user interaction. EPSS rates real-world exploitation probability as low (0.02%) and no public exploit identified at time of analysis, but SSVC flags the attack as automatable.

Apache Denial Of Service Cxf
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-50631 HIGH PATCH This Week

Refresh token replay in Apache CXF's OAuth2 provider lets remote attackers concurrently exchange a single leaked refresh token for multiple valid access tokens, breaking the single-use property defenders rely on. The flaw lives in AbstractOAuthDataProvider and only manifests when deployments set 'recycleRefreshTokens' to false. No public exploit identified at time of analysis, and EPSS sits at 0.02% (4th percentile), but SSVC scores technical impact as 'total' due to the OAuth trust implications.

Information Disclosure Cxf
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-41000 LOW PATCH Monitor

Replay attack protections in Spring Web Services are silently ineffective across multiple major branches due to Wss4jSecurityInterceptor failing to wire configured Apache WSS4J ReplayCache instances into the RequestData object at validation time. Operators who believe UsernameToken nonce replay, Timestamp replay, and SAML one-time-use checks are enforced are unknowingly running without those controls. A network-positioned attacker can intercept and replay valid WS-Security tokens - including credentials and SAML assertions - to re-execute previously-authorized SOAP operations, with no public exploit identified at time of analysis and no CISA KEV listing.

Apache Java Information Disclosure Spring Web Services
NVD VulDB HeroDevs
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-12017 LOW PATCH Monitor

Site isolation bypass in Google Chrome's Extensions implementation (prior to 149.0.7827.115) enables an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. This is a chained exploit primitive - it cannot be weaponized standalone and requires a preceding renderer compromise, limiting its practical severity despite the network delivery vector. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis. The low CVSS score of 3.1 reflects the high attack complexity and constrained confidentiality impact.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-12032 LOW PATCH Monitor

Site isolation bypass in Google Chrome for Android (versions prior to 149.0.7827.115) enables an attacker who has already achieved renderer process compromise to cross origin boundaries via a crafted HTML page, potentially exposing password data managed by the browser's Passwords component. The vulnerability is rooted in CWE-346 (Origin Validation Error) - Chrome's Passwords implementation on Android fails to properly enforce origin checks in the context of a compromised renderer. No public exploit identified at time of analysis; the low CVSS base score of 3.1 reflects that exploitation is dependent on a prior renderer compromise, making this a chained-exploitation concern rather than a standalone critical risk.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-47175 LOW PATCH Monitor

Quest Bot (Discord moderation bot) prior to v1.0.4 allows low-privileged moderators to leverage the bot's elevated Discord mention permissions to send @everyone or @here notifications they are not themselves permitted to send. Moderation commands that echo user-supplied reason text in public channel replies do not suppress Discord's mention parser, creating a permission boundary bypass within the Discord API privilege model. No public exploit code exists and no active exploitation has been confirmed, though the conditions for abuse are operationally common in Discord servers where bots hold mention permissions above their moderating users.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-47188 LOW PATCH Monitor

Unsanitized reason text in Quest Bot's /unban and /unwarn Discord commands enables authenticated moderators to trigger mass pings against all server members. Versions prior to 1.0.5 of this open-source Discord moderation bot pass user-controlled reason strings directly into public bot messages without setting Discord's allowedMentions restriction, unlike other moderation commands that already suppress mention parsing. An attacker with moderator-level Discord permissions can embed @everyone or @here in any ban or warn reason to force mass notification delivery to all guild members. No active exploitation has been confirmed and no public exploit code has been identified at the time of analysis.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-48050 HIGH PATCH GHSA This Week

Unauthenticated information disclosure and CPU-exhaustion DoS in Basekick Labs Arc (versions prior to v26.06.1) expose Go's net/http/pprof debug handlers on the public API port without any token check. Remote attackers can fetch heap and goroutine profiles to leak in-memory secrets (live SQL strings, decoded msgpack records, cached *TokenInfo entries) and invoke /debug/pprof/profile?seconds=N to pin a CPU core for arbitrary durations. No public exploit identified at time of analysis, though the vulnerability is trivial to exercise with curl.

Information Disclosure
NVD GitHub
EPSS
0.1%
CVE-2026-48007 HIGH PATCH GHSA This Week

Information disclosure in Element Call 0.5.17 through 0.19.3 causes the application to send full visited URLs (including URL fragments) to a configured PostHog analytics server via the `$initial_person_info`, `$session_entry_url`, and `$current_url` fields. On standalone SPA deployments such as call.element.io that encode call encryption passwords in the URL fragment, this can leak those passwords to anyone with access to the PostHog data, enabling decryption of the associated E2EE media streams. No public exploit identified at time of analysis; the issue was disclosed and patched by the vendor in 0.19.4.

Google Information Disclosure
NVD GitHub
EPSS
0.0%
CVE-2026-47780 MEDIUM GHSA This Month

Improper input validation in free5GC UDR (versions <= 1.4.3) allows any actor with network access to the UDR Service Based Interface to inject arbitrary non-3GPP-compliant identifiers into the EE subscription data path, causing persistent database pollution of the UDR subscriber data store. The flaw originates from a catch-all regex branch (`|.+`) in `HandleCreateEeSubscriptions` and `HandleQueryeesubscriptions` within `api_datarepository.go` that nullifies all preceding format-specific checks for IMSI, NAI, MSISDN, EXTID, GCI, and GLI identifiers. A publicly available proof-of-concept - published in the GHSA advisory - confirms that attacker-controlled `ueId` strings are accepted with HTTP 201, persisted, and retrievable via HTTP 200, demonstrating a fully exploitable integrity violation with no patch available at time of analysis.

RCE
NVD GitHub
EPSS
0.1%
Prev Page 5 of 5

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy