Skip to main content
CVE-2026-53521 MEDIUM PATCH GHSA This Month

Incorrect authorization in Nezha Monitoring's DDNS profile subsystem allows an authenticated low-privilege member to pre-populate their server record with nonexistent DDNS profile IDs, then hijack any future victim-owned DDNS profile whose auto-assigned ID collides with a pre-stored value. Affected versions span 2.0.14 through pre-2.1.0 of the self-hosted nezhahq/nezha platform. When the collision occurs, the DDNS worker dispatches DNS updates on behalf of the attacker's server using the victim's DDNS provider credentials and configuration, achieving cross-tenant DNS manipulation and disrupting the victim's legitimate DDNS service. No public exploit identified at time of analysis; vendor-released patch available in version 2.1.0.

Authentication Bypass Nezha
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-50552 MEDIUM POC PATCH GHSA This Month

SSRF in Koel's radio station creation endpoint (POST /api/radio/stations) allows any authenticated non-admin user to coerce the server into issuing HEAD/GET requests to arbitrary internal hosts. The root cause is a missing Laravel `bail` keyword in the URL field validation chain: the SafeUrl rule correctly rejects private/reserved addresses, but without bail, the subsequent HasAudioContentType rule still executes and makes an outbound HTTP request to the attacker-supplied URL. Vendor-released patch version 9.7.1 resolves the issue; no public exploit or CISA KEV listing exists at time of analysis.

SSRF Koel
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-20746 MEDIUM PATCH This Month

PingDirectory's virtual attribute processing exposes an authenticated denial-of-service path capable of exhausting the Java heap, with cascading availability, confidentiality, and integrity impacts on all downstream identity-dependent systems. Authorized users with elevated directory privileges can trigger progressive, unreclaimed heap allocation by copying virtual attributes referencing `ds-privilege-name` values while recent login history is active. The vendor-assigned CVSS 4.0 score of 6.3 (Amber urgency) masks notably high subsequent-system impact ratings (SC:H/SI:H/SA:H), reflecting that the real organizational risk lies not in PingDirectory itself but in the authentication and authorization disruption cascading to every application integrated with the directory; no public exploit code or CISA KEV listing has been identified at time of analysis.

Java Information Disclosure Pingdirectory
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-53837 MEDIUM PATCH This Month

Improper access control in OpenClaw's Mattermost event handler integration allows remote unauthenticated attackers to bypass direct message (DM) policy enforcement by submitting crafted Mattermost events that deliberately omit channel type metadata. All OpenClaw versions prior to 2026.5.6 are affected. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible and unauthenticated nature of the flaw (PR:N per CVSS 4.0) makes it actionable for deployments that rely on DM policies as a meaningful access control boundary.

Authentication Bypass Mattermost Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-50090 MEDIUM PATCH This Month

Open redirect / OAuth redirect_uri validation bypass in the Aqara Cloud OAuth authorization endpoint (open-cn.aqara.com/oauth/authorize) allows remote attackers to coerce the IdP into redirecting authorization responses to attacker-controlled hosts due to lax domain-matching logic. With user interaction the flaw can be abused to steal OAuth authorization codes or tokens issued to legitimate Aqara client applications, enabling account takeover of Aqara smart-home accounts. No public exploit identified at time of analysis, though a referenced GitHub repository (xn0tsa/theres-no-place-like-home) and the runZero advisory describe the issue publicly.

Authentication Bypass Cloud Oauth Authorization Endpoint
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44311 MEDIUM PATCH GHSA This Month

Cross-site scripting in Fabric.js (npm: fabric) versions prior to 7.4.0 is triggered when applications export canvas content via `canvas.toSVG()` and render the result into the DOM using `innerHTML`. The `color` field within `colorStops` of a `fabric.Gradient` object is inserted into SVG `<stop>` elements without escaping `"`, `<`, or `>`, allowing crafted input to break attribute context and inject arbitrary HTML. A working proof-of-concept is publicly confirmed against v7.2.0; no active exploitation appears in CISA KEV, and the EPSS score of 0.04% reflects low observed exploitation breadth consistent with the chained conditions required.

XSS Information Disclosure Node.js
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-12131 LOW POC Monitor

SQL injection in CodeAstro Human Resource Management System 1.0 enables authenticated remote attackers to manipulate the unsanitized `ID` parameter within the `Invoice` function of `application/controllers/Payroll.php`, allowing arbitrary database reads and writes against the underlying HR and payroll data store. A public proof-of-concept exploit is hosted on GitHub, confirming the vulnerability is actively weaponizable by any attacker holding a low-privilege account. No vendor patch has been identified; the CVE is not in CISA KEV, but the CVSS 4.0 vector carries E:P (exploit published), reflecting confirmed public exploit availability.

PHP SQLi Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-54397 MEDIUM PATCH This Month

Unauthorized sharing group assignment in MISP's non-REST event edit path allows any authenticated event editor to assign an event to a restricted sharing group they are not a member of by tampering with submitted form data. The REST API path enforced sharing group authorization via Event::_edit(), but the web form save path wrote sharing_group_id directly from POST data without equivalent validation - a classic split-path authorization gap (CWE-863). Successful exploitation leaks the restricted sharing group's name in event listings and corrupts the event's distribution metadata. No public exploit has been identified at time of analysis, and the fix is available as commit 609ff6c from the MISP maintainers (CIRCL).

Authentication Bypass Misp
NVD GitHub
CVSS 4.0
6.1
EPSS
0.0%
CVE-2026-50087 MEDIUM PATCH This Month

Cross-origin information disclosure in the Aqara IAM/SSO gateway (gw-builder.aqara.com) allows attacker-controlled web origins to read authenticated user data by exploiting a permissive CORS policy that trusts arbitrary domains. The flaw, scored CVSS 8.2 with scope change due to credential exposure crossing the browser/identity-provider trust boundary, affects all users of Aqara's centralized smart-home identity service and can be triggered when a logged-in victim visits an attacker-hosted page. A public GitHub repository (xn0tsa/theres-no-place-like-home) is linked from the advisory, so publicly available exploit code exists, though no CISA KEV listing or EPSS signal is provided.

Cors Misconfiguration Information Disclosure Aqara Iam Sso Gateway
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-50089 MEDIUM PATCH This Month

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara-domain URLs that silently forward victims to attacker-controlled sites, enabling highly credible phishing campaigns targeting Aqara users and connected IoT ecosystem accounts. The vulnerability is particularly impactful in an SSO context because users are trained to trust authentication-domain URLs, dramatically lowering phishing detection rates. A public proof-of-concept repository exists on GitHub; no confirmed active exploitation per CISA KEV at time of analysis.

Open Redirect Aqara Iam Sso Gateway
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-53839 MEDIUM PATCH This Month

OpenClaw's retry endpoint authentication check performs hostname prefix matching instead of exact hostname comparison, enabling an authenticated attacker to redirect sensitive authentication material to an attacker-controlled endpoint. All versions before 2026.5.7 are affected per CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*. The CVSS 4.0 vector scores this at 6.0 with high confidentiality impact (VC:H) and a specific attack prerequisite (AT:P); no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-47225 MEDIUM PATCH This Month

Cache isolation failure in Typesense's search engine exposes restricted search results across Scoped Search API Key authorization boundaries. When server-side caching and Scoped API Keys are both active, a specific sequence of requests can cause the cache to serve results to a scoped requester that were originally populated by a less-restricted context, effectively bypassing the embedded filter constraints of that key. Versions prior to 29.1 and 30.2 are affected; vendor-released patches exist in both release lines, with no public exploit identified and an EPSS of 0.05% (15th percentile) confirming low current exploitation probability.

Information Disclosure Typesense
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53827 MEDIUM PATCH This Month

Credential exposure via SSRF in OpenClaw's message.action forwarding allows authenticated remote attackers to redirect Gateway token-bearing action payloads to attacker-supplied loopback URLs, resulting in full confidentiality compromise of Gateway credentials. Affected versions are all OpenClaw releases prior to 2026.5.2; the flaw is rooted in insufficient validation of model-controlled metadata that governs action routing. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the Gateway credential theft impact warrants prompt patching in any deployment where OpenClaw interacts with privileged backend services.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-12130 LOW POC Monitor

Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 allows an authenticated low-privilege user to inject persistent malicious script via the `protitle` argument on the `/Projects/Add_Projects` endpoint. When any other authenticated user (e.g., an HR administrator) subsequently views the Projects Management Page, the stored payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. A public proof-of-concept exploit is hosted on GitHub, lowering the bar for exploitation, though KEV listing is absent and the CVSS 4.0 score of 2.0 reflects the constrained impact scope.

XSS Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-12129 LOW POC Monitor

Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 allows an authenticated remote attacker to inject persistent malicious scripts via the `todo_data` parameter at the `/dashboard/add_tod` endpoint. When a higher-privileged user subsequently views the to-do list in the dashboard, the stored payload executes silently in their browser context, enabling session hijacking or unauthorized privileged actions. A public proof-of-concept exploit is available on GitHub; no CISA KEV listing exists at time of analysis, but the low barrier to exploitation for any authenticated user elevates practical risk above the CVSS 4.0 score of 2.0 implies.

XSS Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-53838 MEDIUM PATCH This Month

State mutation in OpenClaw's node pairing reconnection logic allows a low-privilege paired node to escalate its effective authority by confusing the approval scope engine, potentially bypassing access restrictions within the system. Affected versions are all OpenClaw releases before 2026.5.27, as identified by CPE cpe:2.3:a:openclaw:openclaw. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the integrity impact is rated High given an attacker can restore or inflate node authority beyond what was originally sanctioned.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53830 MEDIUM PATCH This Month

Webhook secret revocation bypass in OpenClaw before 2026.4.22 allows callers possessing previously-issued Slack and Zalo webhook secrets to continue submitting accepted events after an operator invokes the secrets.reload function. The stale-secret acceptance window undermines the integrity guarantees of secret rotation, enabling unauthorized webhook payload injection into what operators believe is a secured endpoint. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; however, the integrity impact is rated high per the CVSS 4.0 vector.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53824 MEDIUM PATCH This Month

OpenClaw before version 2026.4.24 permits users whose slash command tokens have been explicitly revoked to continue issuing slash commands during the active monitor refresh window, violating the expected access boundary. The flaw stems from a revocation propagation lag: the token invalidation state is not synchronously enforced but instead depends on a periodic monitor cycle, allowing a briefly stale authorization check to pass. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact depends heavily on the duration of the monitor refresh interval and the sensitivity of slash commands exposed by the operator.

Microsoft Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53725 MEDIUM PATCH GHSA This Month

Parse Server 9.8.0-9.9.0 exposes raw MFA TOTP secrets and recovery codes through the /verifyPassword and /login endpoints when the _User class-level permission (CLP) is configured to deny get operations. An attacker with knowledge of a victim's username and password can call /verifyPassword without a session token or MFA token and receive the victim's plaintext TOTP secret and recovery codes in the response, completely defeating the second authentication factor. No public exploit has been identified at time of analysis; a patch exists in version 9.9.1-alpha.5, and the EPSS score of 0.04% (13th percentile) reflects limited opportunistic exploitation so far.

Information Disclosure Node.js Parse Server
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-48613 MEDIUM This Month

SQL injection in phpBB forum software allows authenticated users to execute arbitrary SQL queries through a flawed profile field migration routine. Only forums that were upgraded from a pre-3.3.8 release and have not yet reached 3.3.11 are affected, narrowing the exposed population to a specific upgrade window. No public exploit identified at time of analysis, and EPSS data was not provided.

SQLi Phpbb
NVD VulDB
CVSS 3.0
5.9
EPSS
0.0%
CVE-2017-20240 MEDIUM PATCH This Month

Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Crypt Suse
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-49993 MEDIUM POC PATCH GHSA This Month

Source code exfiltration in Nuxt's @nuxt/webpack-builder and @nuxt/rspack-builder (versions 3.15.4-3.21.6 and 4.0.0-alpha.1-4.4.6) enables a LAN-adjacent attacker to read a developer's full application source from the webpack dev server when it is bound to a non-loopback address via `nuxt dev --host`. This is a second incomplete fix in a chain stemming from GHSA-4gf7-ff8x-hq99: the previous patch (GHSA-6m52-m754-pw2g) relied on Sec-Fetch-* metadata headers that browsers silently omit for non-trustworthy (plain HTTP) origins, leaving a bypass when an attacker page strips all three identifying headers (Sec-Fetch-Site, Origin, Referer) simultaneously. A proof-of-concept JavaScript payload is documented in the GHSA advisory; EPSS is very low at 0.02% (7th percentile) and no CISA KEV entry exists, reflecting the narrow exploitation conditions required.

Information Disclosure Nuxt
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-48154 MEDIUM PATCH GHSA This Month

Concurrent map access without synchronization in pilinux/gorest's InMemorySecret2FA store causes an unrecoverable process crash across all versions through 1.12.1. Nine handler sites in login.go and twoFA.go share a bare Go map with no sync.RWMutex, meaning any two concurrent HTTP requests involving 2FA operations can trigger Go's built-in race detector to throw a fatal, non-catchable error that terminates the entire server process. No public exploit identified at time of analysis, though a proof-of-concept bash script is included in the GHSA advisory; vendor-released patch version 1.12.2 is confirmed.

Race Condition Denial Of Service
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-41155 MEDIUM This Month

Insufficient compartmentalization in the Imagination Technologies Graphics DDK kernel module enables a local, low-privileged attacker to abuse shared secure GPU memory allocations to either covertly pass data between otherwise isolated secure GPU processes or disrupt a peer process, causing image corruption and GPU hardware recovery events. Multiple DDK release trains spanning versions 1.18 RTM through 26.1 RTM are confirmed affected per EUVD-2026-36606. No public exploit exists and SSVC confirms no observed exploitation, but the 'Information Disclosure' tag in the advisory signals a confidentiality dimension that the official CVSS C:N metric does not fully capture.

Information Disclosure Graphics Ddk
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7019 MEDIUM PATCH This Month

Stack overflow in Gen Digital's shared antivirus scanning engine crashes the AV process when it parses a malformed Office Open XML (OOXML) file, causing a Denial-of-Service condition. The flaw affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - all products that consume the same Gen Digital VPS (virus definition) update stream. No active exploitation or public exploit code has been identified at time of analysis; the impact is limited to availability (AV process crash) with no confidentiality or integrity consequences.

Microsoft Stack Overflow Buffer Overflow Apple Avast Antivirus +4
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7018 MEDIUM PATCH This Month

Null pointer dereference in the Avira Antivirus scanning engine crashes the antivirus process when it parses a specially crafted malformed Windows PE file. All platform deployments - Windows, macOS, and Linux - running engine builds prior to 8.3.70.64 are affected, making this a cross-platform availability risk. No public exploit identified at time of analysis and no CISA KEV listing; however, the ease of crafting a malformed PE file as a trigger lowers the practical barrier for targeted disruption of endpoint protection.

Denial Of Service Microsoft Apple Null Pointer Dereference Avira Antivirus
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7010 MEDIUM PATCH This Month

Stack overflow via uncontrolled recursion crashes the antivirus scanning process across all Gen Digital consumer and business products when a crafted malformed PDF is scanned. Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux are all affected through a shared Gen Digital virus definition engine (VPS builds before 25021208). An attacker who can place a specially crafted PDF on a target system - or deliver it via email or download - can force a denial-of-service of the antivirus process; no public exploit has been identified at time of analysis.

Microsoft Apple Buffer Overflow Avast Antivirus Avg Antivirus +3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7006 MEDIUM PATCH This Month

Stack use-after-free in the Gen Digital shared antivirus scanning engine crashes the antivirus process when it parses a malformed Windows PE file. Five Gen Digital products share a common virus definition update stream - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - making all simultaneously vulnerable until the shared definition stream reaches build VPS 25022500. No public exploit has been identified at time of analysis; the impact is limited to a Denial-of-Service of the antivirus process with no confidentiality or integrity loss, and the CVSS score of 5.5 reflects the local, user-interaction-dependent nature of the attack.

Microsoft Apple Information Disclosure Avast Antivirus Avg Antivirus +3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7005 MEDIUM PATCH This Month

Uncontrolled recursion in the Gen Digital shared scanning engine crashes the antivirus process when it encounters a specially crafted malformed Windows PE file, causing a Denial-of-Service across five Gen Digital products - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus - on Windows, macOS, and Linux. The vulnerability resides in the virus definition update stream rather than the product binary itself, meaning all five products sharing the same Gen Digital VPS stream are simultaneously exposed until updated to definition build VPS 25031700 or later. No public exploit code has been identified at time of analysis, and CVSS scores this at medium severity (5.5) reflecting local access and required user interaction as meaningful limiting factors.

Microsoft Apple Information Disclosure Avast Antivirus Avg Antivirus +3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-50012 MEDIUM PATCH This Month

Squid caching proxy is affected by CVE-2026-50012, disclosed via the oss-security mailing list on 2026-06-12 as a pre-NVD advisory. No technical details - description, affected versions, vulnerability class, or impact - have been made available in the current intelligence snapshot. The advisory was bundled with a sibling disclosure (CVE-2026-47729) from the same Squid maintainer post, suggesting a coordinated release, but no further differentiation between the two CVEs is derivable from available data. No exploitation, no KEV listing, and no EPSS score are present at time of analysis.

Information Disclosure
NVD VulDB GitHub
CVSS 3.1
5.5
CVE-2026-47223 MEDIUM PATCH This Month

Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser allows unauthenticated remote attackers to read up to approximately 4 GiB of heap memory or crash the application by delivering a crafted archive to a Windows user who opens it. Affected versions span 3.0.1000.0 through all releases before 6.0.1698.0, with the vulnerability rooted in an inherited integer overflow flaw in 7-Zip's upstream AvbHandler. No public exploit code or active exploitation has been identified; an EPSS score of 0.05% (15th percentile) confirms negligible current threat activity, and this CVE does not appear in the CISA KEV catalog.

Microsoft Google Information Disclosure Buffer Overflow Nanazip
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47222 MEDIUM PATCH This Month

Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser crashes the application and may leak heap memory contents when a victim opens a crafted .avb or .img file. Affected versions span 3.0.1000.0 through any release before 6.0.1698.0, covering a wide install base of Windows users. No public exploit code exists and EPSS sits at 0.05% (15th percentile), indicating low current exploitation interest, though the deterministic crash behavior lowers the bar for denial-of-service abuse.

Microsoft Information Disclosure Denial Of Service Google Buffer Overflow +1
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44783 MEDIUM PATCH This Month

Whisper channel access control in Discourse can be bypassed by any authenticated forum user, allowing injection of content into staff-only whisper threads visible to moderators and staff. Affected release trains span 2026.1.0-latest through pre-2026.1.4, 2026.3.0-latest through pre-2026.3.1, and 2026.4.0-latest through pre-2026.4.1, with all fixes confirmed by the vendor in the GitHub Security Advisory. An attacker holding only a standard forum account can exploit the reply mechanism to post messages that surface inside privileged staff whisper channels, potentially poisoning internal moderation communications or probing staff responses for sensitive operational detail. No public exploit is identified at time of analysis, and EPSS places exploitation probability at the 9th percentile.

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-53606 MEDIUM PATCH This Month

Cross-site scripting in sanitize-html prior to 2.17.5 allows low-privileged attackers to inject executable `javascript:` URIs through HTML attributes that the library's scheme-blocking logic never inspects. The `naughtyHref()` function gates dangerous URI schemes only for attributes listed in `allowedSchemesAppliedToAttributes` (defaulting to `href`, `src`, and `cite`), leaving attributes such as `action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, and `lowsrc` entirely unchecked. Applications that explicitly permit any of these attributes in their sanitize-html configuration are vulnerable; no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

XSS Node.js Sanitize Html
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-50082 MEDIUM PATCH This Month

Unauthenticated developer token issuance in the Aqara Cloud Developer Portal (developer.aqara.com) allows any remote attacker to obtain a valid API token by supplying an arbitrary email address, with no ownership verification performed. This is the entry point of a documented four-CVE attack chain (CVE-2026-50082 through CVE-2026-50085) that, when exploited in sequence, enables full takeover of Aqara smart home devices belonging to the victim account. A public proof-of-concept exists on GitHub; no public exploit identified at time of analysis for active exploitation, but the zero-prerequisite nature of this flaw makes it trivially automatable.

Authentication Bypass Cloud Developer Portal
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-54395 MEDIUM PATCH This Month

Reflected XSS in MISP's UiBeta event index view allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL with a specially encoded searcheventinfo parameter. The vulnerability exploits a double-encoding flaw: the PHP template applies only HTML escaping (h()) to the urlparams value placed inside a single-quoted JavaScript string in an onclick attribute, but browsers HTML-decode attribute values before JavaScript parsing - restoring encoded quote characters (&#039; → ') and enabling string breakout. No public exploit code has been identified at time of analysis, and the fix has been committed upstream by the MISP maintainers at CIRCL.

XSS Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-28898 MEDIUM PATCH GHSA This Month

HTTP/2-to-HTTP/1.1 request smuggling in swift-nio-http2 (versions prior to 1.44.1) allows unauthenticated remote attackers to inject arbitrary HTTP headers or smuggle entire requests to backend systems in reverse-proxy configurations. The codecs HTTP2FramePayloadToHTTP1ServerCodec and HTTP2ToHTTP1ServerCodec fail to strip CR, LF, or NUL control characters from HTTP/2 pseudo-header values such as :path and :authority before writing them into the HTTP/1.1 output, enabling the binary-safe HTTP/2 layer to act as a covert channel for control characters that become structural delimiters in HTTP/1.1. No public exploit has been identified at time of analysis, but this vulnerability is a direct extension of two prior confirmed CRLF injection flaws in the same library family (GHSA-7fj7-39wj-c64f and GHSA-cq87-8r7h-962v), indicating a recurring pattern that lowers the technical barrier for exploitation.

Code Injection Request Smuggling
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-45014 MEDIUM This Month

Stored cross-site scripting in ApostropheCMS up to and including version 4.29.0 allows an attacker who controls a user account to inject malicious script into the draft version tooltip via an unsanitized display name field. Any editor or administrator who subsequently views that tooltip in the CMS backend will execute the attacker's payload in their browser, enabling session hijacking or unauthorized action execution. No public exploit has been identified at time of analysis and no patched version is available per the vendor advisory.

XSS Node.js Apostrophe
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-54394 MEDIUM PATCH This Month

Path traversal in MISP's OrganisationsController::getOrgLogo allows a low-privileged authenticated user to read arbitrary .png or .svg files from outside the intended organisation logo directory by injecting traversal sequences into organisation-controlled fields such as the organisation name, id, or uuid. All MISP versions prior to the patch commit b865deb are affected across any deployment where untrusted accounts hold write access to organisation fields. No public exploit code or CISA KEV listing exists at time of analysis; however, the attack requires only low-privilege access and no user interaction, making it practically exploitable in typical multi-tenant MISP deployments.

Path Traversal Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-54396 MEDIUM PATCH This Month

User email enumeration in MISP's AuthKey edit endpoint allows any authenticated user holding AuthKey-edit permission to discover the email addresses of arbitrary platform users by manipulating a single POST parameter. The flaw exists in the validation-error rendering path of AuthKeysController.php, where the user dropdown was populated from attacker-controlled request body data rather than the persisted AuthKey owner, enabling systematic iteration over numeric user IDs. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack is trivially reproducible from the description and patch diff alone.

Information Disclosure Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11847 MEDIUM PATCH This Month

Path traversal in IEI Integration Corp's iVEC TANK-XM811 Virtualization Edge Computer enables authenticated remote attackers to create directories at arbitrary system paths outside the application's intended scope. The flaw (CWE-22) resides in the network-accessible management interface, where user-supplied path input is not sufficiently sanitized before use in filesystem operations. No public exploit code or active exploitation has been identified at time of analysis, and the impact is constrained to unauthorized directory creation rather than file read, write, or code execution.

Path Traversal Ivec Tank Xm811
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-54362 MEDIUM PATCH This Month

Incorrect authorization in MISP's event template builder exposes organisation-private galaxy definitions to any authenticated user due to a PHP operator-precedence bug that silently voids the intended access-control filter. In multi-tenant MISP deployments, authenticated non-site-admin users can enumerate all enabled galaxies - including organisation-only custom galaxies belonging to other organisations - through the template builder galaxy list. No active exploitation is confirmed (not listed in CISA KEV), but the low exploitation barrier (any valid account, no special privileges) makes this a meaningful metadata-disclosure risk wherever multiple organisations share a MISP instance.

Authentication Bypass PHP Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-50020 MEDIUM POC PATCH GHSA This Month

HTTP request smuggling in Netty's HttpObjectDecoder (netty-codec-http) allows unauthenticated remote attackers to manipulate request-boundary parsing in pipelined or multiplexed deployments by injecting non-CRLF ISO control characters (NUL, SOH, STX, etc.) before the HTTP request-line. Affected are all Netty releases prior to 4.1.135.Final and 4.2.15.Final; both branches have vendor-confirmed patches. No public exploit code has been identified and EPSS is 0.04% (12th percentile), indicating low current exploitation likelihood, though the attack surface expands significantly in architectures fronted by proxies or load balancers that strip or interpret those control bytes differently than Netty does.

Request Smuggling Information Disclosure Netty Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-47264 MEDIUM PATCH This Month

Tag group name disclosure in Discourse exposes restricted organizational metadata to anonymous and unprivileged users via a serializer that omits visibility filtering. Affected release lines are 2026.1.x (before 2026.1.4), 2026.3.x (before 2026.3.1), and 2026.4.x (before 2026.4.1), with the root cause being that DetailedTagSerializer#tag_group_names returned all group memberships without consulting the requesting user's permissions. An unauthenticated attacker can enumerate the names of tag groups restricted to specific user groups or non-visible categories, potentially leaking the internal structure of private forum spaces; no public exploit code has been identified at time of analysis and EPSS is 0.04% (11th percentile), indicating negligible observed exploitation activity.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45085 MEDIUM PATCH This Month

Discourse chat plugin across versions 2026.1.0-2026.4.x contains four authorization deficiencies (CWE-862) enabling both information disclosure and unauthorized write actions: calendar event API payloads expose the associated chat channel's last message - potentially a private DM - to unauthenticated users, while separate flaws allow read-only users to create chat threads, authors to restore their own deleted messages after losing channel access, and moderators reviewing flagged messages to inadvertently view unrelated DM content. Vendor-released patches exist for all supported branches; no public exploit identified at time of analysis and EPSS is 0.04% (11th percentile), but the unauthenticated DM disclosure warrants prompt patching on public-facing instances.

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-49854 MEDIUM PATCH GHSA This Month

Out-of-bounds memory read in Tornado's optional C extension `tornado.speedups` exposes up to 3 bytes of uninitialized memory via a missing length validation in the `websocket_mask` function. Applications running Tornado versions prior to 6.5.6 with the native extension active and `xsrf_cookies=True` are reachable from the network without authentication (CVSS AV:N/PR:N), though high attack complexity (AC:H) is indicated by the dual configuration prerequisite. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS stands at 0.04% (11th percentile), consistent with the low exploitation probability for a constrained information-disclosure primitive. Vendor-released patch is Tornado 6.5.6.

Python Buffer Overflow
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-54398 MEDIUM PATCH This Month

Sharing group authorization bypass in MISP's object add/edit workflow allows an authenticated user with object-editing permissions to assign objects and their contained attributes to sharing groups they are not authorized to access or view. The flaw stems from a structural data merging step in ObjectsController.php that silently relocates field keys, causing the sharing group validation check to evaluate a stale, already-removed data path and thus never fire. An attacker exploiting this can probe the existence and names of non-visible sharing groups and improperly alter the distribution metadata of objects and embedded attributes. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-6046 MEDIUM This Month

Private message interception in Mattermost affects versions 11.6.x through 11.6.1, 11.5.x through 11.5.4, and 10.11.x through 10.11.16, allowing a low-privileged attacker to receive plugin-generated direct messages intended for bot accounts. The flaw stems from the bot registration flow failing to verify that a claimed username actually belongs to a bot account, enabling an attacker who pre-registers a human account using a predictable plugin bot username to silently hijack those message channels. No public exploit code exists at time of analysis, and exploitation requires both an existing user account and advance knowledge of the target bot's username.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-8694 MEDIUM This Month

Unauthenticated remote access to user-defined REST endpoint OpenAPI specifications is possible in Devolutions PowerShell Universal 2026.1.7 and earlier due to improper access control (CWE-306). Any network-reachable attacker without credentials can retrieve the full OpenAPI specification of internally defined REST APIs, exposing endpoint paths, parameters, and operational structure that administrators intended to be non-public. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, but the low-complexity, zero-authentication network vector makes enumeration trivially automatable.

Authentication Bypass Powershell Universal
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-53867 MEDIUM PATCH This Month

Orphaned profile image retention in Capgo before 12.128.2 exposes previously uploaded user images indefinitely after replacement or deletion, because the backend storage object is never purged when the application record is updated. Attackers who possess a prior image URL - obtained via browser history, referrer logs, network interception, or prior caching - can retrieve user-uploaded content even after the user intended to remove it, violating data erasure expectations. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector (PR:L) indicates prior authenticated access or URL knowledge is a prerequisite, limiting opportunistic mass exploitation.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy