Skip to main content
CVE-2026-35273 CRITICAL POC KEV THREAT NEWS Emergency

Remote takeover of Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 is possible through the Updates Environment Management component via unauthenticated HTTP requests. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network-based exploitation against any internet- or intranet-exposed instance, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but Oracle's 'easily exploitable' language and the unauthenticated nature make this a high-priority patching target.

Oracle Authentication Bypass Peoplesoft Enterprise Peopletools
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.0%
Threat
5.0
CVE-2026-42647 CRITICAL POC Act Now

Blind SQL injection in Beardev JoomSport (WordPress plugin) through version 5.7.7 allows remote unauthenticated attackers to inject crafted SQL into backend database queries. The CVSS 9.3 score reflects a scope-changed impact with high confidentiality exposure and partial availability impact, and no public exploit has been identified at time of analysis though Patchstack has catalogued the issue.

SQLi Joomsport
NVD GitHub
CVSS 3.1
9.3
EPSS
5.2%
CVE-2026-48039 CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API access token from pipeboard-co/meta-ads-mcp through version 1.0.108 when the server is run with the streamable-HTTP transport on a network-reachable port. The AuthInjectionMiddleware silently forwards requests lacking an Authorization or X-PIPEBOARD-API-TOKEN header, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and Graph API error responses echo the request URL - including the token query parameter - back to the caller. A working proof-of-concept is published in GHSA-9gw6-46qc-99vr; no public exploit identified at time of analysis as a separate weaponized tool, but the PoC is sufficient to reproduce end-to-end.

Python Authentication Bypass Information Disclosure Docker
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-11839 CRITICAL Act Now

Remote code execution in Başarsoft Rotaban versions V2026.06.002 through V2026.06.003 (exclusive) allows authenticated attackers to upload arbitrary files including web shells, leading to full server compromise. The flaw stems from missing validation of uploaded file types (CWE-434) and was reported by TR-CERT; no public exploit identified at time of analysis, but the CVSS 9.9 score and scope-change indicator make this a high-priority patch target for any Rotaban deployment.

File Upload Rotaban
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-41699 CRITICAL PATCH Act Now

Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated attackers to trigger unsafe deserialization by sending crafted paginated GraphQL queries against Connection-type fields. Exploitation requires that the application expose a paginated (Connection) field and that the classpath contains gadget classes leveraged during deserialization. No public exploit identified at time of analysis; EPSS sits at 0.34% (57th percentile) and the issue is not in CISA KEV, but a vendor patch is available.

Deserialization Java RCE Spring For Graphql
NVD VulDB HeroDevs
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-42846 CRITICAL Act Now

Remote command injection in ClipBucket v5 prior to version 5.5.3 - #140 allows authenticated users to execute arbitrary OS commands by submitting a crafted URL through the Remote Play video import feature. The URL is concatenated unescaped into shell commands, so any metacharacter is interpreted by the shell, yielding code execution as the web server user. No public exploit identified at time of analysis, but the vendor-confirmed advisory and trivial exploitation pattern make this a high-priority issue for any internet-exposed deployment.

Command Injection Clipbucket V5
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-45060 CRITICAL Act Now

Unauthenticated blind SQL injection in ClipBucket v5 prior to version 5.5.3 - #129 allows remote attackers to exfiltrate arbitrary database contents via the ids parameter of the actions/progress_video.php endpoint. The flaw carries a critical CVSS 9.8 score and no public exploit identified at time of analysis, but the trivial network-reachable attack surface on a public-facing video sharing platform makes opportunistic scanning likely. Vendor patch is available in 5.5.3 - #129 per the GHSA advisory.

PHP SQLi Information Disclosure Clipbucket V5
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-49261 CRITICAL PATCH NEWS Act Now

OS command injection in MariaDB Server (CWE-78) lets an attacker achieve remote code execution on Galera cluster nodes by embedding shell metacharacters in a joiner node's name, which the server passes unsanitized to the script defined in wsrep_notify_cmd. Affected branches are 10.6.1–10.6.26, 10.11.1–10.11.17, 11.4.1–11.4.11, 11.8.1–11.8.7, and 12.3.1, but only when wsrep_notify_cmd is configured. It carries a vendor CVSS of 9.8; however EPSS is very low (0.05%, 15th percentile) and SSVC marks exploitation as 'none', so there is no public exploit identified at time of analysis and it is not on CISA KEV.

Command Injection Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-49060 CRITICAL Act Now

Privilege escalation in the Hippoo Mobile App for WooCommerce WordPress plugin (versions up to and including 1.9.4) allows remote unauthenticated attackers to elevate privileges on affected sites due to incorrect privilege assignment (CWE-266). With a CVSS 3.1 score of 9.8 and Patchstack-reported network-exploitable characteristics, this issue can lead to full compromise of WooCommerce-backed WordPress stores; no public exploit identified at time of analysis.

Privilege Escalation WordPress Hippoo Mobile App For Woocommerce
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-50628 CRITICAL PATCH Act Now

Authentication bypass in Apache CXF's OAuthRequestFilter affects versions prior to 4.1.7 and 4.2.0-4.2.1, where an inverted IP-binding check rejects requests from the configured bound IP and permits requests from every other source address. The flaw turns an intended IP allowlist into an implicit deny-list of one, enabling remote unauthenticated attackers to reach protected OAuth endpoints from arbitrary networks. EPSS is low (0.04%) and no public exploit identified at time of analysis, but the trivial nature of the logic inversion makes exploitation straightforward once the misbehaving filter is enabled.

Information Disclosure Cxf
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-49875 CRITICAL PATCH Act Now

XML External Entity (XXE) processing in Apache CXF versions prior to 4.1.7 and 4.2.0-4.2.1 allows remote attackers to trigger out-of-band external entity resolution via the EndpointReferenceUtils and W3CMultiSchemaFactory classes, which instantiate SAXParserFactory without JAXP hardening. While CVSS scores this 9.8 critical, EPSS reports only 0.02% exploitation probability, and there is no public exploit identified at time of analysis. Successful exploitation could enable data exfiltration, SSRF, or denial-of-service against applications that process attacker-controlled XML through CXF web services.

Apache XXE Cxf
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-48062 CRITICAL PATCH GHSA Act Now

Arbitrary file upload leading to remote code execution in CodeIgniter4 framework versions prior to 4.7.3 occurs because the `ext_in` validation rule inspects the MIME-derived guessed extension rather than the client-supplied filename extension. Applications that accept user uploads, rely on `ext_in` for extension allow-listing, persist files under their original client filename inside a web-accessible directory, and permit PHP execution in that directory can be coerced into writing and executing attacker-controlled PHP. No public exploit identified at time of analysis, though the patch commit and tests publicly demonstrate the bypass technique (a polyglot file named `shell.php` carrying GIF magic bytes).

File Upload PHP RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-38581 CRITICAL Act Now

SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-7852 CRITICAL PATCH Act Now

Remote code execution in Limatek System Inc. LimRAD NAC versions prior to 5.5.7.3.9 allows unauthenticated remote attackers to upload dangerous file types and achieve Remote Code Inclusion. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects an internet-reachable, no-interaction exploitation path against a network access control appliance, though no public exploit identified at time of analysis. The vulnerability was disclosed by TR-CERT and tracked in Turkish national vulnerability advisory TR-26-0366.

File Upload Limrad Nac
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-12027 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the Headless component sandbox via a crafted HTML page. The flaw is rated High severity by Chromium and carries CVSS 9.6 due to scope change and user interaction, though EPSS remains very low (0.03%) and there is no public exploit identified at time of analysis. A vendor patch is available in the stable channel update published June 2026.

Privilege Escalation Google Red Hat
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-47174 CRITICAL PATCH Act Now

Production deployment compromise in Duck Site before 1.0.1 allows remote attackers to push attacker-controlled code as the live production Docker image without code review or merge approval. The flaw stems from a GitHub Actions deploy workflow that can be tricked into treating an unmerged pull request build as a main-branch deployment, then checking out the PR commit, building it, pushing it as the `latest` Docker tag, and triggering a Dokploy deployment. No public exploit identified at time of analysis, and CVE is not listed in CISA KEV.

Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
9.5
EPSS
0.0%
CVE-2026-47172 CRITICAL PATCH Act Now

Privileged GitHub Actions workflow injection in Quest Bot (Discord moderation bot) prior to version 1.0.3 allows remote attackers to deploy malicious container images to production by opening a pull request from a branch named 'main'. The unprivileged build workflow's head_sha is consumed by a downstream privileged deploy workflow, which then builds and publishes attacker-controlled code as the 'latest' Docker image and triggers production rollout. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-9qf3-c86c-j346) documents the chain end-to-end.

Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
9.5
EPSS
0.0%
CVE-2026-4764 CRITICAL PATCH Act Now

Privilege escalation in Google Cloud Dialogflow CX allows authenticated users holding specific IAM roles to abuse the playbook import functionality and potentially take over the entire GCP project. Google has confirmed the issue was patched server-side on 15 March 2026 with no customer action required, and no public exploit has been identified at time of analysis.

Authentication Bypass Google
NVD
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-39494 CRITICAL Act Now

Blind SQL injection in the WordPress plugin Product Filter by WBW (versions up to and including 3.1.2) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries via crafted filter parameters. The CVSS 9.3 score reflects a scope-changed impact (S:C) where the WordPress database can be queried beyond the plugin's own context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Product Filter By Wbw
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-49973 CRITICAL PATCH Act Now

Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settings API endpoint during the first-run window to POST the _set_password parameter, persist an arbitrary password hash, and obtain a valid administrative session cookie. The flaw, reported by VulnCheck and tracked as an improper access control (CWE-306) issue, locks the legitimate operator out of their own instance and grants full administrative control. No public exploit identified at time of analysis, but an upstream fix landed in release v0.51.358.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-45177 CRITICAL PATCH Act Now

Authentication bypass in Idira Secrets Manager SaaS Edge prior to version 1.8 allows remote unauthenticated attackers to obtain valid access tokens by submitting specially crafted requests that subvert internal validation logic. Reported by Palo Alto Networks researchers and tracked under CyberArk Security Bulletin CA26-20, the flaw carries a CVSS 4.0 score of 9.1 (Critical) due to high confidentiality and integrity impact on a product whose entire purpose is custody of enterprise secrets. There is no public exploit identified at time of analysis, but the secrets-management use case makes any token theft a high-leverage compromise.

Authentication Bypass Conjur Cloud Edge Finding Only
NVD VulDB
CVSS 4.0
9.1
EPSS
0.1%
CVE-2026-9648 CRITICAL PATCH Act Now

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.

Information Disclosure Crypton Certificate Suse
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-50627 CRITICAL PATCH Act Now

Token confusion in Apache CXF's JwtAccessTokenValidator allows an attacker holding a valid JWT issued for one Resource Server to replay it against an unrelated Resource Server because the 'aud' (Audience) claim is not validated. Affects Apache CXF 4.2.0 through 4.2.1 and all versions prior to 4.1.7, enabling cross-service authentication bypass with full confidentiality, integrity, and availability impact on the unintended target. No public exploit identified at time of analysis and EPSS is very low (0.02%, 4th percentile), but the fix is straightforward and the issue is structurally severe for federated OAuth2/JWT deployments.

Apache Information Disclosure Cxf
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-41005 CRITICAL PATCH Act Now

Authentication bypass in Cloud Foundry UAA (User Account and Authentication) versions 2.0.0 through 78.13.0 allows remote attackers to forge SAML assertions and impersonate users by exploiting a logic flaw where XML encryption was accepted as a substitute for XML signature verification. Because the Service Provider's public encryption key is published in SAML metadata, any party - not just a trusted Identity Provider - can craft encrypted-but-unsigned assertions that UAA will decrypt and trust, breaking the identity-assurance guarantee of SAML. No public exploit identified at time of analysis, but the cryptographic confusion (CWE-347) is well-understood and the impact (full identity spoofing into the platform IAM) is severe.

Jwt Attack Denial Of Service Uaa Cf Deployment
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-11561 CRITICAL PATCH Act Now

Expression language injection in Soagen Informatics' Apinizer API management platform versions 2026.04.0 through 2026.04.5 allows remote unauthenticated attackers to inject malicious EL expressions that the server evaluates, resulting in arbitrary code execution. The flaw was reported by Turkey's national CERT (TR-CERT) and carries a CVSS 9.8 critical rating, though SSVC currently indicates no observed exploitation and no public exploit identified at time of analysis. A vendor patch is available in version 2026.04.6.

Code Injection Apinizer
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy