Skip to main content
CVE-2026-53830 MEDIUM PATCH This Month

Webhook secret revocation bypass in OpenClaw before 2026.4.22 allows callers possessing previously-issued Slack and Zalo webhook secrets to continue submitting accepted events after an operator invokes the secrets.reload function. The stale-secret acceptance window undermines the integrity guarantees of secret rotation, enabling unauthorized webhook payload injection into what operators believe is a secured endpoint. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; however, the integrity impact is rated high per the CVSS 4.0 vector.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53824 MEDIUM PATCH This Month

OpenClaw before version 2026.4.24 permits users whose slash command tokens have been explicitly revoked to continue issuing slash commands during the active monitor refresh window, violating the expected access boundary. The flaw stems from a revocation propagation lag: the token invalidation state is not synchronously enforced but instead depends on a periodic monitor cycle, allowing a briefly stale authorization check to pass. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact depends heavily on the duration of the monitor refresh interval and the sensitivity of slash commands exposed by the operator.

Microsoft Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53725 MEDIUM PATCH GHSA This Month

Parse Server 9.8.0-9.9.0 exposes raw MFA TOTP secrets and recovery codes through the /verifyPassword and /login endpoints when the _User class-level permission (CLP) is configured to deny get operations. An attacker with knowledge of a victim's username and password can call /verifyPassword without a session token or MFA token and receive the victim's plaintext TOTP secret and recovery codes in the response, completely defeating the second authentication factor. No public exploit has been identified at time of analysis; a patch exists in version 9.9.1-alpha.5, and the EPSS score of 0.04% (13th percentile) reflects limited opportunistic exploitation so far.

Information Disclosure Node.js Parse Server
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-48613 MEDIUM This Month

SQL injection in phpBB forum software allows authenticated users to execute arbitrary SQL queries through a flawed profile field migration routine. Only forums that were upgraded from a pre-3.3.8 release and have not yet reached 3.3.11 are affected, narrowing the exposed population to a specific upgrade window. No public exploit identified at time of analysis, and EPSS data was not provided.

SQLi Phpbb
NVD VulDB
CVSS 3.0
5.9
EPSS
0.0%
CVE-2017-20240 MEDIUM PATCH This Month

Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Crypt Suse
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-49993 MEDIUM POC PATCH GHSA This Month

Source code exfiltration in Nuxt's @nuxt/webpack-builder and @nuxt/rspack-builder (versions 3.15.4-3.21.6 and 4.0.0-alpha.1-4.4.6) enables a LAN-adjacent attacker to read a developer's full application source from the webpack dev server when it is bound to a non-loopback address via `nuxt dev --host`. This is a second incomplete fix in a chain stemming from GHSA-4gf7-ff8x-hq99: the previous patch (GHSA-6m52-m754-pw2g) relied on Sec-Fetch-* metadata headers that browsers silently omit for non-trustworthy (plain HTTP) origins, leaving a bypass when an attacker page strips all three identifying headers (Sec-Fetch-Site, Origin, Referer) simultaneously. A proof-of-concept JavaScript payload is documented in the GHSA advisory; EPSS is very low at 0.02% (7th percentile) and no CISA KEV entry exists, reflecting the narrow exploitation conditions required.

Information Disclosure Nuxt
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-48154 MEDIUM PATCH GHSA This Month

Concurrent map access without synchronization in pilinux/gorest's InMemorySecret2FA store causes an unrecoverable process crash across all versions through 1.12.1. Nine handler sites in login.go and twoFA.go share a bare Go map with no sync.RWMutex, meaning any two concurrent HTTP requests involving 2FA operations can trigger Go's built-in race detector to throw a fatal, non-catchable error that terminates the entire server process. No public exploit identified at time of analysis, though a proof-of-concept bash script is included in the GHSA advisory; vendor-released patch version 1.12.2 is confirmed.

Race Condition Denial Of Service
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-41155 MEDIUM This Month

Insufficient compartmentalization in the Imagination Technologies Graphics DDK kernel module enables a local, low-privileged attacker to abuse shared secure GPU memory allocations to either covertly pass data between otherwise isolated secure GPU processes or disrupt a peer process, causing image corruption and GPU hardware recovery events. Multiple DDK release trains spanning versions 1.18 RTM through 26.1 RTM are confirmed affected per EUVD-2026-36606. No public exploit exists and SSVC confirms no observed exploitation, but the 'Information Disclosure' tag in the advisory signals a confidentiality dimension that the official CVSS C:N metric does not fully capture.

Information Disclosure Graphics Ddk
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7019 MEDIUM PATCH This Month

Stack overflow in Gen Digital's shared antivirus scanning engine crashes the AV process when it parses a malformed Office Open XML (OOXML) file, causing a Denial-of-Service condition. The flaw affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - all products that consume the same Gen Digital VPS (virus definition) update stream. No active exploitation or public exploit code has been identified at time of analysis; the impact is limited to availability (AV process crash) with no confidentiality or integrity consequences.

Microsoft Stack Overflow Buffer Overflow Apple Avast Antivirus +4
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7018 MEDIUM PATCH This Month

Null pointer dereference in the Avira Antivirus scanning engine crashes the antivirus process when it parses a specially crafted malformed Windows PE file. All platform deployments - Windows, macOS, and Linux - running engine builds prior to 8.3.70.64 are affected, making this a cross-platform availability risk. No public exploit identified at time of analysis and no CISA KEV listing; however, the ease of crafting a malformed PE file as a trigger lowers the practical barrier for targeted disruption of endpoint protection.

Denial Of Service Microsoft Apple Null Pointer Dereference Avira Antivirus
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7010 MEDIUM PATCH This Month

Stack overflow via uncontrolled recursion crashes the antivirus scanning process across all Gen Digital consumer and business products when a crafted malformed PDF is scanned. Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux are all affected through a shared Gen Digital virus definition engine (VPS builds before 25021208). An attacker who can place a specially crafted PDF on a target system - or deliver it via email or download - can force a denial-of-service of the antivirus process; no public exploit has been identified at time of analysis.

Microsoft Apple Buffer Overflow Avast Antivirus Avg Antivirus +3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7006 MEDIUM PATCH This Month

Stack use-after-free in the Gen Digital shared antivirus scanning engine crashes the antivirus process when it parses a malformed Windows PE file. Five Gen Digital products share a common virus definition update stream - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - making all simultaneously vulnerable until the shared definition stream reaches build VPS 25022500. No public exploit has been identified at time of analysis; the impact is limited to a Denial-of-Service of the antivirus process with no confidentiality or integrity loss, and the CVSS score of 5.5 reflects the local, user-interaction-dependent nature of the attack.

Microsoft Apple Information Disclosure Avast Antivirus Avg Antivirus +3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7005 MEDIUM PATCH This Month

Uncontrolled recursion in the Gen Digital shared scanning engine crashes the antivirus process when it encounters a specially crafted malformed Windows PE file, causing a Denial-of-Service across five Gen Digital products - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus - on Windows, macOS, and Linux. The vulnerability resides in the virus definition update stream rather than the product binary itself, meaning all five products sharing the same Gen Digital VPS stream are simultaneously exposed until updated to definition build VPS 25031700 or later. No public exploit code has been identified at time of analysis, and CVSS scores this at medium severity (5.5) reflecting local access and required user interaction as meaningful limiting factors.

Microsoft Apple Information Disclosure Avast Antivirus Avg Antivirus +3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-50012 MEDIUM PATCH This Month

Squid caching proxy is affected by CVE-2026-50012, disclosed via the oss-security mailing list on 2026-06-12 as a pre-NVD advisory. No technical details - description, affected versions, vulnerability class, or impact - have been made available in the current intelligence snapshot. The advisory was bundled with a sibling disclosure (CVE-2026-47729) from the same Squid maintainer post, suggesting a coordinated release, but no further differentiation between the two CVEs is derivable from available data. No exploitation, no KEV listing, and no EPSS score are present at time of analysis.

Information Disclosure
NVD VulDB GitHub
CVSS 3.1
5.5
CVE-2026-47223 MEDIUM PATCH This Month

Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser allows unauthenticated remote attackers to read up to approximately 4 GiB of heap memory or crash the application by delivering a crafted archive to a Windows user who opens it. Affected versions span 3.0.1000.0 through all releases before 6.0.1698.0, with the vulnerability rooted in an inherited integer overflow flaw in 7-Zip's upstream AvbHandler. No public exploit code or active exploitation has been identified; an EPSS score of 0.05% (15th percentile) confirms negligible current threat activity, and this CVE does not appear in the CISA KEV catalog.

Microsoft Google Information Disclosure Buffer Overflow Nanazip
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47222 MEDIUM PATCH This Month

Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser crashes the application and may leak heap memory contents when a victim opens a crafted .avb or .img file. Affected versions span 3.0.1000.0 through any release before 6.0.1698.0, covering a wide install base of Windows users. No public exploit code exists and EPSS sits at 0.05% (15th percentile), indicating low current exploitation interest, though the deterministic crash behavior lowers the bar for denial-of-service abuse.

Microsoft Information Disclosure Denial Of Service Google Buffer Overflow +1
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44783 MEDIUM PATCH This Month

Whisper channel access control in Discourse can be bypassed by any authenticated forum user, allowing injection of content into staff-only whisper threads visible to moderators and staff. Affected release trains span 2026.1.0-latest through pre-2026.1.4, 2026.3.0-latest through pre-2026.3.1, and 2026.4.0-latest through pre-2026.4.1, with all fixes confirmed by the vendor in the GitHub Security Advisory. An attacker holding only a standard forum account can exploit the reply mechanism to post messages that surface inside privileged staff whisper channels, potentially poisoning internal moderation communications or probing staff responses for sensitive operational detail. No public exploit is identified at time of analysis, and EPSS places exploitation probability at the 9th percentile.

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-53606 MEDIUM PATCH This Month

Cross-site scripting in sanitize-html prior to 2.17.5 allows low-privileged attackers to inject executable `javascript:` URIs through HTML attributes that the library's scheme-blocking logic never inspects. The `naughtyHref()` function gates dangerous URI schemes only for attributes listed in `allowedSchemesAppliedToAttributes` (defaulting to `href`, `src`, and `cite`), leaving attributes such as `action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, and `lowsrc` entirely unchecked. Applications that explicitly permit any of these attributes in their sanitize-html configuration are vulnerable; no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

XSS Node.js Sanitize Html
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-50082 MEDIUM PATCH This Month

Unauthenticated developer token issuance in the Aqara Cloud Developer Portal (developer.aqara.com) allows any remote attacker to obtain a valid API token by supplying an arbitrary email address, with no ownership verification performed. This is the entry point of a documented four-CVE attack chain (CVE-2026-50082 through CVE-2026-50085) that, when exploited in sequence, enables full takeover of Aqara smart home devices belonging to the victim account. A public proof-of-concept exists on GitHub; no public exploit identified at time of analysis for active exploitation, but the zero-prerequisite nature of this flaw makes it trivially automatable.

Authentication Bypass Cloud Developer Portal
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-54395 MEDIUM PATCH This Month

Reflected XSS in MISP's UiBeta event index view allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL with a specially encoded searcheventinfo parameter. The vulnerability exploits a double-encoding flaw: the PHP template applies only HTML escaping (h()) to the urlparams value placed inside a single-quoted JavaScript string in an onclick attribute, but browsers HTML-decode attribute values before JavaScript parsing - restoring encoded quote characters (' → ') and enabling string breakout. No public exploit code has been identified at time of analysis, and the fix has been committed upstream by the MISP maintainers at CIRCL.

XSS Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-28898 MEDIUM PATCH GHSA This Month

HTTP/2-to-HTTP/1.1 request smuggling in swift-nio-http2 (versions prior to 1.44.1) allows unauthenticated remote attackers to inject arbitrary HTTP headers or smuggle entire requests to backend systems in reverse-proxy configurations. The codecs HTTP2FramePayloadToHTTP1ServerCodec and HTTP2ToHTTP1ServerCodec fail to strip CR, LF, or NUL control characters from HTTP/2 pseudo-header values such as :path and :authority before writing them into the HTTP/1.1 output, enabling the binary-safe HTTP/2 layer to act as a covert channel for control characters that become structural delimiters in HTTP/1.1. No public exploit has been identified at time of analysis, but this vulnerability is a direct extension of two prior confirmed CRLF injection flaws in the same library family (GHSA-7fj7-39wj-c64f and GHSA-cq87-8r7h-962v), indicating a recurring pattern that lowers the technical barrier for exploitation.

Code Injection Request Smuggling
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-45014 MEDIUM This Month

Stored cross-site scripting in ApostropheCMS up to and including version 4.29.0 allows an attacker who controls a user account to inject malicious script into the draft version tooltip via an unsanitized display name field. Any editor or administrator who subsequently views that tooltip in the CMS backend will execute the attacker's payload in their browser, enabling session hijacking or unauthorized action execution. No public exploit has been identified at time of analysis and no patched version is available per the vendor advisory.

XSS Node.js Apostrophe
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-54394 MEDIUM PATCH This Month

Path traversal in MISP's OrganisationsController::getOrgLogo allows a low-privileged authenticated user to read arbitrary .png or .svg files from outside the intended organisation logo directory by injecting traversal sequences into organisation-controlled fields such as the organisation name, id, or uuid. All MISP versions prior to the patch commit b865deb are affected across any deployment where untrusted accounts hold write access to organisation fields. No public exploit code or CISA KEV listing exists at time of analysis; however, the attack requires only low-privilege access and no user interaction, making it practically exploitable in typical multi-tenant MISP deployments.

Path Traversal Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-54396 MEDIUM PATCH This Month

User email enumeration in MISP's AuthKey edit endpoint allows any authenticated user holding AuthKey-edit permission to discover the email addresses of arbitrary platform users by manipulating a single POST parameter. The flaw exists in the validation-error rendering path of AuthKeysController.php, where the user dropdown was populated from attacker-controlled request body data rather than the persisted AuthKey owner, enabling systematic iteration over numeric user IDs. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack is trivially reproducible from the description and patch diff alone.

Information Disclosure Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11847 MEDIUM PATCH This Month

Path traversal in IEI Integration Corp's iVEC TANK-XM811 Virtualization Edge Computer enables authenticated remote attackers to create directories at arbitrary system paths outside the application's intended scope. The flaw (CWE-22) resides in the network-accessible management interface, where user-supplied path input is not sufficiently sanitized before use in filesystem operations. No public exploit code or active exploitation has been identified at time of analysis, and the impact is constrained to unauthorized directory creation rather than file read, write, or code execution.

Path Traversal Ivec Tank Xm811
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-54362 MEDIUM PATCH This Month

Incorrect authorization in MISP's event template builder exposes organisation-private galaxy definitions to any authenticated user due to a PHP operator-precedence bug that silently voids the intended access-control filter. In multi-tenant MISP deployments, authenticated non-site-admin users can enumerate all enabled galaxies - including organisation-only custom galaxies belonging to other organisations - through the template builder galaxy list. No active exploitation is confirmed (not listed in CISA KEV), but the low exploitation barrier (any valid account, no special privileges) makes this a meaningful metadata-disclosure risk wherever multiple organisations share a MISP instance.

Authentication Bypass PHP Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-50020 MEDIUM POC PATCH GHSA This Month

HTTP request smuggling in Netty's HttpObjectDecoder (netty-codec-http) allows unauthenticated remote attackers to manipulate request-boundary parsing in pipelined or multiplexed deployments by injecting non-CRLF ISO control characters (NUL, SOH, STX, etc.) before the HTTP request-line. Affected are all Netty releases prior to 4.1.135.Final and 4.2.15.Final; both branches have vendor-confirmed patches. No public exploit code has been identified and EPSS is 0.04% (12th percentile), indicating low current exploitation likelihood, though the attack surface expands significantly in architectures fronted by proxies or load balancers that strip or interpret those control bytes differently than Netty does.

Request Smuggling Information Disclosure Netty Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-47264 MEDIUM PATCH This Month

Tag group name disclosure in Discourse exposes restricted organizational metadata to anonymous and unprivileged users via a serializer that omits visibility filtering. Affected release lines are 2026.1.x (before 2026.1.4), 2026.3.x (before 2026.3.1), and 2026.4.x (before 2026.4.1), with the root cause being that DetailedTagSerializer#tag_group_names returned all group memberships without consulting the requesting user's permissions. An unauthenticated attacker can enumerate the names of tag groups restricted to specific user groups or non-visible categories, potentially leaking the internal structure of private forum spaces; no public exploit code has been identified at time of analysis and EPSS is 0.04% (11th percentile), indicating negligible observed exploitation activity.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45085 MEDIUM PATCH This Month

Discourse chat plugin across versions 2026.1.0-2026.4.x contains four authorization deficiencies (CWE-862) enabling both information disclosure and unauthorized write actions: calendar event API payloads expose the associated chat channel's last message - potentially a private DM - to unauthenticated users, while separate flaws allow read-only users to create chat threads, authors to restore their own deleted messages after losing channel access, and moderators reviewing flagged messages to inadvertently view unrelated DM content. Vendor-released patches exist for all supported branches; no public exploit identified at time of analysis and EPSS is 0.04% (11th percentile), but the unauthenticated DM disclosure warrants prompt patching on public-facing instances.

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-49854 MEDIUM PATCH GHSA This Month

Out-of-bounds memory read in Tornado's optional C extension `tornado.speedups` exposes up to 3 bytes of uninitialized memory via a missing length validation in the `websocket_mask` function. Applications running Tornado versions prior to 6.5.6 with the native extension active and `xsrf_cookies=True` are reachable from the network without authentication (CVSS AV:N/PR:N), though high attack complexity (AC:H) is indicated by the dual configuration prerequisite. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS stands at 0.04% (11th percentile), consistent with the low exploitation probability for a constrained information-disclosure primitive. Vendor-released patch is Tornado 6.5.6.

Python Buffer Overflow
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-54398 MEDIUM PATCH This Month

Sharing group authorization bypass in MISP's object add/edit workflow allows an authenticated user with object-editing permissions to assign objects and their contained attributes to sharing groups they are not authorized to access or view. The flaw stems from a structural data merging step in ObjectsController.php that silently relocates field keys, causing the sharing group validation check to evaluate a stale, already-removed data path and thus never fire. An attacker exploiting this can probe the existence and names of non-visible sharing groups and improperly alter the distribution metadata of objects and embedded attributes. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-6046 MEDIUM This Month

Private message interception in Mattermost affects versions 11.6.x through 11.6.1, 11.5.x through 11.5.4, and 10.11.x through 10.11.16, allowing a low-privileged attacker to receive plugin-generated direct messages intended for bot accounts. The flaw stems from the bot registration flow failing to verify that a claimed username actually belongs to a bot account, enabling an attacker who pre-registers a human account using a predictable plugin bot username to silently hijack those message channels. No public exploit code exists at time of analysis, and exploitation requires both an existing user account and advance knowledge of the target bot's username.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-8694 MEDIUM This Month

Unauthenticated remote access to user-defined REST endpoint OpenAPI specifications is possible in Devolutions PowerShell Universal 2026.1.7 and earlier due to improper access control (CWE-306). Any network-reachable attacker without credentials can retrieve the full OpenAPI specification of internally defined REST APIs, exposing endpoint paths, parameters, and operational structure that administrators intended to be non-public. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, but the low-complexity, zero-authentication network vector makes enumeration trivially automatable.

Authentication Bypass Powershell Universal
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-53867 MEDIUM PATCH This Month

Orphaned profile image retention in Capgo before 12.128.2 exposes previously uploaded user images indefinitely after replacement or deletion, because the backend storage object is never purged when the application record is updated. Attackers who possess a prior image URL - obtained via browser history, referrer logs, network interception, or prior caching - can retrieve user-uploaded content even after the user intended to remove it, violating data erasure expectations. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector (PR:L) indicates prior authenticated access or URL knowledge is a prerequisite, limiting opportunistic mass exploitation.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-43872 MEDIUM PATCH This Month

Path traversal across multiple endpoints in Actual, the open-source self-hosted personal finance application, allows authenticated low-privilege users to write files outside intended server directories in all versions prior to 26.5.0. The CVSS 4.0 vector confirms network-accessible exploitation with low-privilege authentication required and impact limited to write operations on the vulnerable system only - no confidentiality or availability impact is indicated. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.03% (8th percentile) reflects minimal observed exploitation interest at time of analysis.

Path Traversal Actual
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-47182 MEDIUM PATCH This Month

Improper access control in Frappe Framework (all versions prior to 16.17.4) allows any authenticated user to retrieve private files by guessing their server-side file path, bypassing intended authorization restrictions. The flaw is classified under CWE-284 (Improper Access Control) and affects the file-serving layer of the framework, which underlies widely deployed applications such as ERPNext. No public exploit code has been identified at time of analysis, and exploitation probability is very low per EPSS (0.02%, 7th percentile), though the low attack complexity makes it straightforward for any credentialed user to attempt.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-12058 MEDIUM This Month

Vivo PcSuite's connection confirmation pop-up - a security gate that prompts users to authorize PC-to-device connections - can be bypassed by an adjacent unauthenticated attacker, rooted in CWE-807 (Reliance on Untrusted Inputs in a Security Decision). All versions of PcSuite are listed as affected per the wildcard CPE (cpe:2.3:a:vivo:pcsuite:*:*:*:*:*:*:*:*), and the attack requires only adjacent network positioning with no privileges or user interaction. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, keeping real-world urgency moderate.

Authentication Bypass Pcsuite
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-9641 MEDIUM PATCH This Month

Crypt::PBKDF2 for Perl prior to version 0.261630 ships with critically weak password-hashing defaults - HMAC-SHA1 as the pseudorandom function and only 1,000 iterations - leaving derived keys and stored passwords highly vulnerable to offline brute-force attacks. Applications that do not explicitly override these defaults expose any compromised credential store to cracking at rates orders of magnitude faster than OWASP-recommended configurations (220,000-1,400,000 iterations depending on algorithm). No public exploit is identified at time of analysis and the CVE is not listed in CISA KEV, but the structural nature of CWE-916 means all previously generated hashes using the weak defaults remain exploitable even after upgrading the library unless proactively rehashed.

Information Disclosure Crypt Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44967 MEDIUM PATCH This Month

Memory exhaustion in opentelemetry-cpp OTLP HTTP exporters (traces, metrics, logs) prior to 1.27.0 allows an attacker who controls the configured collector endpoint - or occupies a MITM position on the network path - to crash the instrumented process by returning an arbitrarily large HTTP response body. The curl-based HTTP client read response data into an unbounded in-memory buffer via io-equivalent copy with no size limit, making peak heap allocation entirely attacker-controlled. No public exploit has been identified at time of analysis, and EPSS at 0.02% (6th percentile) indicates low opportunistic exploitation probability, though the targeted threat model (supply-chain-adjacent collector compromise) is realistic in telemetry-heavy environments.

Information Disclosure Opentelemetry Cpp
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44976 MEDIUM PATCH This Month

Improper access control in Frappe prior to 16.17.4 permits any authenticated user to modify any field in any Onboarding Step record, bypassing expected privilege restrictions. Affected deployments running versions below 16.17.4 expose their onboarding configuration data to unauthorized tampering by low-privileged users. EPSS is extremely low (0.02%, 5th percentile), no public exploit code has been identified, and the vulnerability is not listed in CISA KEV, suggesting no observed active exploitation at time of analysis.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-44975 MEDIUM PATCH This Month

Missing authorization in Frappe allows any authenticated low-privileged user to invoke the onboarding reset function and wipe onboarding state for all users system-wide, affecting all releases before 15.107.2 and 16.17.4. The CWE-862 root cause indicates the reset endpoint performs no role or privilege check before executing a privileged, system-wide operation. No public exploit code exists and EPSS sits at 0.02% (5th percentile), placing real-world exploitation risk at the lower end despite the disruptive potential of forcing every user through onboarding flows on next login.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-1836 MEDIUM PATCH This Month

Credential exposure in Redmine allows any local attacker with access to a previously-used browser session to recover plaintext login credentials stored by the application after form submission. The flaw (CWE-257) affects all tracked Redmine versions per NVD CPE data and represents a classic insecure credential storage issue. No public exploit has been identified at time of analysis, and exploitation is constrained to local attack vectors requiring prior user interaction.

Information Disclosure Redmine
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-49347 MEDIUM PATCH This Month

Ticket panel resource exhaustion in Quest Bot (open-source Discord bot, all versions prior to 1.1.8) allows any Discord user with panel access to flood a server with unlimited ticket channels and database records. Each modal submission unconditionally spawns a new Discord channel and database entry with no duplicate-ticket check and no rate limiting, enabling trivial availability denial of the ticketing system. No active exploitation (KEV) or public exploit code has been identified; vendor-released patch version 1.1.8 is confirmed available.

Denial Of Service Questbot
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-54393 MEDIUM PATCH This Month

Stored cross-site scripting in MISP's setHomePage endpoint allows an authenticated user to persist an arbitrary JavaScript payload as their homepage setting when the Overmind theme is active, which later executes in any victim's browser upon viewing the News page and clicking the "Continue to homepage" link. The root cause is a theme-conditional code path in UserSettingsController that called setSettingInternal() directly, bypassing the validate_homepage validator that enforces a leading slash on path values, combined with an unescaped output sink in app/View/News/index.ctp. No public exploit has been identified at time of analysis; exploitation is bounded by the Overmind-theme-only precondition and mandatory victim interaction.

XSS Misp
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-53722 MEDIUM POC PATCH GHSA This Month

Reflected DOM-based XSS in Nuxt's built-in <NuxtLink> component allows an unauthenticated attacker to inject script-capable URLs (javascript:, vbscript:) that execute in the application's origin when a victim clicks a crafted link, affecting all Nuxt v3 versions prior to 3.21.7 and v4 versions prior to 4.4.7. Exploitation is contingent on application code that binds attacker-controlled input - such as query parameters, CMS link fields, or user-supplied profile URLs - directly to the component's to or href props without prior sanitization. No public exploit code has been identified and the EPSS score of 0.06% (20th percentile) indicates low observed exploitation probability; vendor-released patches are available in versions 3.21.7 and 4.4.7.

XSS Nuxt
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-10715 MEDIUM This Month

Improper authorization in Camaleon CMS 2.9.2 allows any low-privileged authenticated user to overwrite draft content belonging to other users by supplying an arbitrary post_id to the administrator draft autosave endpoint. The application authenticates the requesting user but performs no ownership check, meaning a contributor or editor can silently corrupt unpublished drafts they do not own. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Authentication Bypass Camaleon Cms
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-54357 MEDIUM PATCH This Month

Improper authorization in MISP permits an authenticated organization administrator to read or overwrite user settings and login profile data belonging to site administrator accounts that share the same organization. The ACL checks in UserLoginProfilesController, UserSettingsController, and the UserSetting model correctly scoped operations by org_id membership but failed to exclude users holding site-admin roles, allowing a lower-privileged admin to cross the intended privilege boundary. No public exploit has been identified at time of analysis; a patch is available via a CIRCL-reported upstream commit.

Authentication Bypass Misp
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-54055 MEDIUM PATCH This Month

Arbitrary file write in kitty terminal versions prior to 0.47.2 allows a child process running inside a kitty session to redirect writes to attacker-controlled filesystem paths. The root cause is a missing O_NOFOLLOW flag in the os.open() call within kitty's file transmission protocol: between the initial symlink validation stat-check and the actual file open, an attacker can insert a symlink, causing the write to follow it to an arbitrary destination - a classic TOCTOU race. No public exploit code exists and EPSS sits at 0.01% (1st percentile), indicating no observed exploitation; however, successful exploitation enables high-integrity-impact file overwrites that can facilitate local privilege escalation. Version 0.47.2 resolves the issue.

Privilege Escalation Kitty Suse
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-50009 MEDIUM PATCH GHSA This Month

Stateless reset token leakage in Netty's QUIC codec (io.netty:netty-codec-classes-quic prior to 4.2.15.Final) enables an on-path attacker to derive the reset token for active connections and terminate them via spoofed Stateless Reset packets. The default HMAC-based generators expose a deterministic relationship between the source connection ID visible in QUIC headers and the server's stateless reset token - after a source-CID rotation, an observer can compute the token from the new connection-ID bytes. No public exploit identified at time of analysis; the CVSS 4.8 Medium rating reflects the on-path attacker prerequisite (AC:H), which meaningfully limits opportunistic exploitation.

Information Disclosure Denial Of Service Netty
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-50088 MEDIUM PATCH This Month

Cross-origin information disclosure in the Aqara Developer Portal (developer.aqara.com) and its shared test environments (developer-test.aqara.com, aiot-test.aqara.com) allows a malicious website to read authenticated responses from any victim developer who visits it, exposing portal data tied to IoT/smart-home developer accounts. The flaw is a permissive CORS policy (CWE-942) that trusts untrusted origins; runZero disclosed it and no public exploit identified at time of analysis, though the technique is well-known and trivially scriptable.

Cors Misconfiguration Information Disclosure Aqara Developer Portal Aqara Developer Test Portal
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy