Skip to main content
CVE-2026-9271 MEDIUM POC PATCH This Month

Vulnerability Title

Information Disclosure Keepinmind Dashboard Notes
NVD WPScan VulDB Exploit-DB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-12066 MEDIUM POC This Month

Weak password recovery in PbootCMS up to 3.2.12 allows remote unauthenticated attackers to take over user accounts by manipulating the `checkcode`, `username`, `password`, and `email` parameters in the `retrieve` function of `apps/home/controller/MemberController.php`. The recovery mechanism fails to adequately validate or protect the verification token, enabling bypass of the intended authentication challenge during the password reset flow. A public proof-of-concept exploit explicitly titled 'Account-Takeover' is available on GitHub, elevating the realistic risk beyond the conservative base score of 6.9.

PHP Information Disclosure Pbootcms
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-50244 MEDIUM CISA This Month

Fleet enumeration in the Naxclow smart home platform (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows unauthenticated remote callers to precisely map active device populations by exploiting a registration endpoint that allocates sequential device identifiers without validating caller ownership of the supplied account identifier. Each API call returns a high-water batch counter that directly reveals fleet size, making reconnaissance deterministic and low-noise rather than a side-channel inference. No public exploit code has been identified at time of analysis, but the zero-privilege, network-accessible attack surface and ICS-CERT reporting context (ICSA-26-162-02) indicate meaningful real-world exposure for residential and small-business physical security deployments.

Authentication Bypass Smart Doorbell X3 X Smart Home V720 Ix Cam
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-42932 MEDIUM CISA This Month

Device identifier enumeration across Naxclow's IoT product line - including the Smart Doorbell X3, X Smart Home platform, V720, and IX Cam - allows unauthenticated remote attackers to build a complete inventory of active devices deployed in the field. The identifier scheme combines fixed manufacturing prefixes with sequential counters (CWE-340), and the platform compounds this by exposing an endpoint that reveals the current identifier high-water mark, effectively handing attackers a starting point for a full sweep. Reported by ICS-CERT under ICSA-26-162-02, this is a platform-wide architectural flaw; no public exploit or KEV listing is confirmed at time of analysis, but the low complexity and zero-authentication barrier make opportunistic enumeration trivially achievable.

Information Disclosure Smart Doorbell X3 X Smart Home V720 Ix Cam
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-50099 MEDIUM CISA This Month

WiFi credential exposure in Naxclow IoT device firmware (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows any attacker with brief physical access to recover host network SSID, PSK, and negotiated WPA keys printed in cleartext to a labeled, production-accessible UART debug console. The UART interface drops to an unauthenticated interactive RT-Thread shell, enabling arbitrary memory reads and full firmware extraction - escalating a credential-theft opportunity into a platform for deeper firmware-level compromise. Reported via CISA ICS-CERT advisory ICSA-26-162-02; no public exploit code identified, though the attack requires only commodity serial hardware and minimal technical knowledge.

Information Disclosure Smart Doorbell X3 X Smart Home V720 Ix Cam
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-50008 MEDIUM PATCH GHSA This Month

Parse Server's operator-configured route firewall (`routeAllowList`) is bypassed in versions 9.8.0 through 9.9.1-alpha.3 when external clients POST to the `/batch` endpoint with sub-requests targeting routes the operator intended to block. The Express middleware enforcing the allow-list runs only against the outer HTTP request URL; the `/batch` handler dispatches each embedded sub-request to the internal router without re-running that check. Inner authorization controls - Parse authentication, ACL, and CLP - remain in effect, bounding actual data exposure to whatever those controls permit, but the route-level security boundary is defeated entirely. No public exploit has been identified and EPSS is 0.08%, though operators relying on `routeAllowList` as a primary access-control layer are directly and materially affected.

Authentication Bypass Node.js Parse Server
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-53726 MEDIUM PATCH GHSA This Month

Unauthenticated relation membership disclosure in Parse Server allows any client holding only standard public API credentials to read objects linked through a Relation field that is explicitly hidden by protectedFields, or linked to a parent object that is inaccessible under its ACL or class-level permissions. By supplying only a known or guessed owning object's objectId, a remote unauthenticated caller can enumerate all objects in a protected relation or use the $relatedTo operator as a membership oracle - confirming whether a specific child object is privately linked to a given parent. This directly undermines applications that use Parse Server's access control primitives to protect sensitive relationships such as private group memberships, block lists, or account-to-resource associations. No public exploit identified at time of analysis; vendor-released patches exist at versions 8.6.80 and 9.9.1-alpha.6.

Authentication Bypass Node.js Oracle Parse Server
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-11844 MEDIUM PATCH This Month

Arbitrary file read via path traversal in IEI Integration Corp's iVEC TANK-XM811 edge computing platform exposes sensitive system files to privileged remote attackers. The CVSS 4.0 vector (AV:N/PR:H/VC:H) confirms network-accessible exploitation requiring high-privilege credentials, with full confidentiality impact on the vulnerable system and no integrity or availability impact. No public exploit code or CISA KEV listing is identified at time of analysis; the vulnerability was reported by Taiwan CERT (TWCERT) and affects all known firmware versions per CPE wildcard.

Path Traversal Ivec Tank Xm811
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-42604 MEDIUM PATCH This Month

Unauthenticated access to the `POST /openid/config` endpoint in Actual Budget sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration-including the OAuth2 `client_secret`-to any caller who can supply the bootstrap password. Because the endpoint enforces no rate limiting, the bootstrap password itself is brute-forceable, compounding the exposure. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (11th percentile) reflects low current exploitation probability; however, internet-exposed instances with OIDC configured are at meaningful risk of credential harvesting.

Authentication Bypass Actual
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-12060 MEDIUM PATCH This Month

Unauthorized camera and microphone access in Heptabase by Hepta Platforms is achievable by unauthenticated remote attackers who social-engineer a victim into opening a malicious webpage inside the application, exploiting an exposed dangerous method (CWE-749) that bypasses normal permission gating. The attack yields high confidentiality impact - real-time audio and video capture - with no privileges required on the attacker's side, constrained only by the need for active victim interaction. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, though the surveillance-class outcome makes it attractive for targeted campaigns.

Authentication Bypass Heptabase
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-50026 MEDIUM PATCH This Month

Missing authorization checks on multiple Frappe framework endpoints allow remote unauthenticated attackers to access and modify resources without permission. All Frappe installations on the 15.x branch prior to 15.107.0 and the 16.x branch prior to 16.17.0 are affected. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% reflects minimal current exploitation activity, though the attack requires no credentials or special preconditions.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-44208 MEDIUM PATCH This Month

Unauthorized resource access in the Frappe web application framework exposes the submit_discussion() endpoint to unauthenticated network callers who can bypass access controls and write discussion data to resources they do not own. All Frappe deployments running versions prior to 15.107.0 (v15 branch) or 16.17.0 (v16 branch) are affected, with impact limited to low-severity integrity writes and no confidentiality or availability consequence. No public exploit code exists and EPSS probability is 0.03% (9th percentile), indicating low opportunistic exploitation pressure despite the unauthenticated network attack vector.

Authentication Bypass Frappe
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-53568 MEDIUM PATCH This Month

Stored XSS in Frappe's Report and List View components allows injection of persistent JavaScript payloads that execute in the browsers of any user who subsequently accesses the affected views. All Frappe deployments on the v15 branch prior to 15.107.2 and v16 branch prior to 16.17.4 are affected per the GitHub security advisory GHSA-rx63-c3fh-8926. No public exploit has been identified at time of analysis and the EPSS score of 0.02% (7th percentile) reflects low current exploitation probability, though the network-accessible nature of Frappe instances keeps this relevant for organizations running unpatched versions.

XSS Frappe
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-44206 MEDIUM PATCH This Month

DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthenticated remote attackers via a vulnerable endpoint. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, making this accessible to any internet-facing instance. While limited to low confidentiality impact (VC:L) with no integrity or availability consequences, schema information can inform targeted follow-on attacks against the application's data layer. No public exploit has been identified at time of analysis, and EPSS of 0.02% (7th percentile) indicates low current exploitation probability.

Information Disclosure Frappe
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-44207 MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in the Frappe full-stack web application framework exposes email configuration details of arbitrary users to any authenticated account. The flaw exists in versions prior to 15.107.0 (v15 branch) and 16.17.0 (v16 branch), allowing a low-privilege authenticated attacker to enumerate and read email settings belonging to other users by manipulating object references in requests. No public exploit has been identified and the issue is not listed in CISA KEV, though the low EPSS score (0.02%) and network-accessible vector warrant patching, particularly for multi-tenant Frappe deployments.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-44205 MEDIUM PATCH This Month

Stored cross-site scripting in Frappe's user profile image section enables script injection that executes in the browsers of any user who views the compromised profile. Affected versions are all Frappe releases prior to 15.106.0. No public exploit code or CISA KEV listing exists at time of analysis; EPSS of 0.02% (7th percentile) reflects low observed exploitation activity, though stored XSS in a shared framework carries inherent persistence risk across all applications built on Frappe.

XSS Frappe
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-47739 MEDIUM PATCH This Month

Stored cross-site scripting in the Frappe framework's Note feature allows a low-privileged attacker to persist malicious JavaScript that executes in the browsers of users who subsequently view the poisoned note. All Frappe deployments on the v15 branch prior to 15.106.0 and the v16 branch prior to 16.16.0 are affected. No public exploit or CISA KEV listing exists at time of analysis; vendor-confirmed patches are available and should be applied promptly given the ease of exploitation once an attacker holds any valid user account.

XSS Frappe
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-50560 MEDIUM POC PATCH GHSA This Month

Netty's HTTP/2 codec mishandles the SETTINGS_MAX_HEADER_LIST_SIZE client setting, enabling a denial-of-service attack functionally equivalent to HTTP/2 Rapid Reset (CVE-2023-44487) but with a distinct on-wire signature. Affected Netty versions prior to 4.1.135.Final and 4.2.15.Final fully process and proxy incoming requests to the origin before encountering an exception during response header serialization, consuming server resources without completing responses. No public exploit has been identified at time of analysis, and EPSS stands at 0.02% (5th percentile), though the attack technique parallels a well-documented catastrophic DDoS class.

Denial Of Service Netty Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-41581 MEDIUM PATCH This Month

SQL Injection in the Frappe full-stack web framework's get_blog_list function allows unauthenticated remote attackers to manipulate database queries, leading to limited data read and write access. Frappe versions prior to 15.106.0 (v15 branch) and 16.16.0 (v16 branch) are affected across all deployments that expose the blog module. No public exploit code has been identified and exploitation probability is very low per EPSS (0.02%), though the network-accessible, unauthenticated attack surface warrants prompt patching for internet-facing instances.

SQLi Frappe
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-53820 MEDIUM PATCH This Month

OpenClaw's bundled MCP loopback session-spawn path fails to enforce its exec denylist, allowing authenticated low-privilege callers to execute commands that should be restricted. Affected versions are all OpenClaw releases prior to 2026.5.12. An attacker with local, authenticated access can spawn MCP sessions through the loopback path to gain command reach exceeding their authorized scope, resulting in high integrity impact on the vulnerable system. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45775 MEDIUM PATCH This Month

Path traversal in Discourse's backup download handler allows an authenticated administrator on one site within a multisite deployment to retrieve backup archives belonging to a co-hosted site on the same server. Backup files typically contain full database dumps, private messages, user credentials, and email addresses, making cross-site access a serious trust-boundary violation. No public exploit has been identified and EPSS sits at 0.04% (12th percentile), reflecting the narrow exploitation conditions; vendor-released patches are available across all affected release trains.

Path Traversal Discourse
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-53523 MEDIUM POC PATCH GHSA This Month

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redirect OAuth2 callback URLs to attacker-controlled domains, enabling OAuth token theft and account takeover. The flaw resides in the getRedirectURL function (oauth2.go:22-29), which blindly concatenates the HTTP request's Host header with a fixed path when constructing the OAuth2 redirect URL, with no allowlisting or validation performed. A vendor-released patch exists in version 2.2.0; no public exploit has been identified at time of analysis and the vulnerability is not in the CISA KEV catalog.

Open Redirect Nezha
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-54093 MEDIUM PATCH GHSA This Month

Zip-slip path traversal in filebrowser v2.63.5 and earlier (Linux-hosted) allows any authenticated user with Create permission to plant a file whose name contains URL-encoded Windows-style backslash traversal sequences (`%5C`). The Linux server stores the file with a literal backslash in its name, which `filepath.ToSlash()` silently ignores, and the archive download handler emits that name verbatim into zip/tar central directories. When a Windows victim downloads and extracts the archive using Explorer, 7-Zip, WinRAR, or .NET `ZipFile.ExtractToDirectory`, the extractor interprets `\` as a path separator and writes files to arbitrary locations outside the extraction directory - enabling arbitrary file write on the victim's Windows machine. No public exploit identified at time of analysis beyond the full PoC published in the GHSA advisory; EPSS is 0.03% (8th percentile), consistent with the two-party, victim-interaction requirement.

Path Traversal Canonical Microsoft Docker
NVD GitHub
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-11442 MEDIUM This Month

Directory traversal in Allegra's exportReport method exposes arbitrary server-side files to authenticated remote attackers, operating in the context of the underlying service account. The flaw affects all tracked versions per the CPE wildcard (cpe:2.3:a:allegra:allegra:*), with Alltena's 9.0.0 release notes referencing the fix. No public exploit code or CISA KEV listing has been identified at time of analysis, and no EPSS data was provided, but the CVSS 6.5 rating reflects a meaningful confidentiality risk for any internet-facing Allegra deployment where user accounts may be broadly provisioned.

Path Traversal Information Disclosure Allegra
NVD VulDB
CVSS 3.0
6.5
EPSS
1.5%
CVE-2026-48121 MEDIUM PATCH GHSA This Month

{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.

Checkpoint Nosql Injection Authentication Bypass
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-48914 MEDIUM This Month

Out-of-bounds heap write in QEMU's virtio-blk device allows a high-privileged guest to crash the host QEMU process. The flaw exists because the virtio-blk device omits validation of input descriptor sizes prior to writing data, enabling a malicious guest operator to submit a crafted virtio-blk SCSI request that writes beyond the allocated host heap buffer. The primary confirmed impact is a denial of service (DoS) of the QEMU process on the host; no public exploit code has been identified at time of analysis and it is not listed in the CISA KEV catalog.

Denial Of Service Heap Overflow Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-54092 MEDIUM PATCH GHSA This Month

Unauthenticated denial-of-service in File Browser (filebrowser/filebrowser) versions <= 2.63.5 allows remote attackers to exhaust CPU and memory by submitting arbitrarily large passwords to the public /api/login endpoint, which are then passed unchecked into the bcrypt-style CheckPwd hashing routine. Publicly available exploit code exists in the GitHub advisory PoC, and concurrent abuse can crash the container and even destabilize the host Docker daemon. EPSS is low (0.04%) and the issue is not in CISA KEV, but the trivial AV:N/AC:L/PR:N exploitation profile makes it a real availability risk for any internet-exposed instance.

Docker Denial Of Service Python
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-53522 MEDIUM POC PATCH GHSA This Month

Unbounded WebSocket stream allocation in Nezha Monitoring versions 1.0.0 through 2.1.x allows any authenticated dashboard user to exhaust server memory and crash the monitoring service. The two affected endpoints - POST /api/v1/terminal and POST /api/v1/file - each insert a long-lived ioStreamContext into a global Go map with no per-user rate limit, no global semaphore, and no per-server connection cap, making repeated calls a trivial denial-of-service vector. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV; the vendor released a patch in version 2.2.0.

Denial Of Service Nezha
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7184 MEDIUM This Month

Remote cluster authentication token disclosure in Mattermost's Secure Connections feature allows authenticated users holding the manage_secure_connections permission to retrieve plaintext inter-cluster credentials via a crafted PATCH request. Affected deployments span versions 10.11.x through 10.11.15, 11.5.x through 11.5.4, and 11.6.x through 11.6.1, with a CVSS-rated High confidentiality impact (6.5). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but successful exploitation could undermine the trust model of federated multi-cluster deployments.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-53520 MEDIUM POC PATCH GHSA This Month

Nezha Monitoring versions 2.0.14 through 2.1.0 (exclusive) allows any authenticated user to exploit the NAT-based Host claiming mechanism to preempt all dashboard routing, resulting in complete availability loss for the monitoring platform. The vulnerability stems from CWE-284 (Improper Access Control) - the application fails to properly restrict which authenticated principals may register or override a dashboard Host identity via NAT traversal. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Nezha
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44784 MEDIUM PATCH This Month

Discourse group owners can retrieve plaintext SMTP credentials - including passwords, usernames, server, port, and SSL mode - from the group history log endpoint (/groups/:name/logs.json), affecting versions 2026.1.0-latest through pre-2026.1.4, 2026.3.0-latest through pre-2026.3.1, and 2026.4.0-latest through pre-2026.4.1. An authenticated group owner who holds no admin or moderator privileges can harvest the exposed SMTP password and use it to send mail impersonating the group's email identity from any external mail client, entirely bypassing Discourse's own sending controls. No public exploit code exists and this vulnerability is not listed in CISA KEV; the EPSS score of 0.03% at the 11th percentile reflects the narrow, configuration-dependent attack surface.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-50084 MEDIUM PATCH This Month

Broken authorization in the Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) allows any valid developer token to operate against arbitrary user accounts, breaking tenant isolation across the platform. Discovered and disclosed by runZero, the issue stems from missing authorization checks (CWE-862) and, when chained with CVE-2026-50082/50083/50085, enables fully unauthenticated remote takeover of affected smart-home devices. No public exploit identified at time of analysis, though a related researcher repository is referenced in the advisory.

Authentication Bypass Cloud Production Api
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-46371 MEDIUM PATCH GHSA This Month

Blind SQL injection in Fleet MDM's Apple MDM commands endpoint allows authenticated Observer-role users to exfiltrate sensitive database column values - including host enrollment secrets, node_key, orbit_node_key, and APNS tokens - via a cursor-based binary search oracle. The `GET /api/v1/fleet/mdm/apple/commands` endpoint accepted an unsanitized `order_key` parameter injected directly into an SQL ORDER BY clause without column validation, exposing all columns on the joined `hosts` and `nano_enrollments` tables. Extracted node_key values enable full host impersonation against Fleet's osquery and Orbit endpoints, making the effective impact materially higher than the 6.5 CVSS base score implies. No public exploit has been identified at time of analysis; vendor-released patch is available in Fleet 4.84.2.

Apple SQLi Oracle
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-46370 MEDIUM PATCH GHSA This Month

{id}/hosts accepts the attacker-controlled order_key parameter without column allowlist validation, enabling character-by-character secret reconstruction without secrets ever appearing in response bodies. No public exploit has been identified at time of analysis and no CISA KEV listing was provided, but the attack is deterministic and scriptable against any Fleet deployment where Observer role is broadly granted.

SQLi Oracle
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5792 MEDIUM This Month

Authentication bypass in Related Marketing Cloud (RMC) by Hedef Media Promotion Interactive Media Marketing Inc. exposes unauthenticated remote attackers to credential brute-forcing via a spoofing weakness (CWE-290), allowing them to circumvent authentication controls without prior access. All RMC versions through 12052026 are affected, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no privileges, no user interaction, and no special network positioning. No public exploit code or CISA KEV listing has been identified at time of analysis; the advisory originates from TR-CERT via the Turkish national cybersecurity authority.

Authentication Bypass Related Marketing Cloud Rmc
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9125 MEDIUM This Month

Stored XSS in the Presto Player WordPress plugin (versions ≤ 4.2.0) lets authenticated contributors persist arbitrary JavaScript payloads by supplying a javascript: URI as the link_url parameter of the [presto_player_overlay] shortcode. The getOverlays() function in Shortcodes.php copies the attribute into overlay configuration without scheme validation, causing the URI to survive into the href attribute rendered by the presto-dynamic-overlay-ui Stencil.js web component; any visitor who loads the injected page triggers execution. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity within the contributor-access constraint makes this a realistic risk on multi-author or membership-based WordPress installations.

WordPress XSS Presto Player
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-53521 MEDIUM PATCH GHSA This Month

Incorrect authorization in Nezha Monitoring's DDNS profile subsystem allows an authenticated low-privilege member to pre-populate their server record with nonexistent DDNS profile IDs, then hijack any future victim-owned DDNS profile whose auto-assigned ID collides with a pre-stored value. Affected versions span 2.0.14 through pre-2.1.0 of the self-hosted nezhahq/nezha platform. When the collision occurs, the DDNS worker dispatches DNS updates on behalf of the attacker's server using the victim's DDNS provider credentials and configuration, achieving cross-tenant DNS manipulation and disrupting the victim's legitimate DDNS service. No public exploit identified at time of analysis; vendor-released patch available in version 2.1.0.

Authentication Bypass Nezha
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-50552 MEDIUM POC PATCH GHSA This Month

SSRF in Koel's radio station creation endpoint (POST /api/radio/stations) allows any authenticated non-admin user to coerce the server into issuing HEAD/GET requests to arbitrary internal hosts. The root cause is a missing Laravel `bail` keyword in the URL field validation chain: the SafeUrl rule correctly rejects private/reserved addresses, but without bail, the subsequent HasAudioContentType rule still executes and makes an outbound HTTP request to the attacker-supplied URL. Vendor-released patch version 9.7.1 resolves the issue; no public exploit or CISA KEV listing exists at time of analysis.

SSRF Koel
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-20746 MEDIUM PATCH This Month

PingDirectory's virtual attribute processing exposes an authenticated denial-of-service path capable of exhausting the Java heap, with cascading availability, confidentiality, and integrity impacts on all downstream identity-dependent systems. Authorized users with elevated directory privileges can trigger progressive, unreclaimed heap allocation by copying virtual attributes referencing `ds-privilege-name` values while recent login history is active. The vendor-assigned CVSS 4.0 score of 6.3 (Amber urgency) masks notably high subsequent-system impact ratings (SC:H/SI:H/SA:H), reflecting that the real organizational risk lies not in PingDirectory itself but in the authentication and authorization disruption cascading to every application integrated with the directory; no public exploit code or CISA KEV listing has been identified at time of analysis.

Java Information Disclosure Pingdirectory
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-53837 MEDIUM PATCH This Month

Improper access control in OpenClaw's Mattermost event handler integration allows remote unauthenticated attackers to bypass direct message (DM) policy enforcement by submitting crafted Mattermost events that deliberately omit channel type metadata. All OpenClaw versions prior to 2026.5.6 are affected. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible and unauthenticated nature of the flaw (PR:N per CVSS 4.0) makes it actionable for deployments that rely on DM policies as a meaningful access control boundary.

Authentication Bypass Mattermost Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-50090 MEDIUM PATCH This Month

Open redirect / OAuth redirect_uri validation bypass in the Aqara Cloud OAuth authorization endpoint (open-cn.aqara.com/oauth/authorize) allows remote attackers to coerce the IdP into redirecting authorization responses to attacker-controlled hosts due to lax domain-matching logic. With user interaction the flaw can be abused to steal OAuth authorization codes or tokens issued to legitimate Aqara client applications, enabling account takeover of Aqara smart-home accounts. No public exploit identified at time of analysis, though a referenced GitHub repository (xn0tsa/theres-no-place-like-home) and the runZero advisory describe the issue publicly.

Authentication Bypass Cloud Oauth Authorization Endpoint
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44311 MEDIUM PATCH GHSA This Month

Cross-site scripting in Fabric.js (npm: fabric) versions prior to 7.4.0 is triggered when applications export canvas content via `canvas.toSVG()` and render the result into the DOM using `innerHTML`. The `color` field within `colorStops` of a `fabric.Gradient` object is inserted into SVG `<stop>` elements without escaping `"`, `<`, or `>`, allowing crafted input to break attribute context and inject arbitrary HTML. A working proof-of-concept is publicly confirmed against v7.2.0; no active exploitation appears in CISA KEV, and the EPSS score of 0.04% reflects low observed exploitation breadth consistent with the chained conditions required.

XSS Information Disclosure Node.js
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-54397 MEDIUM PATCH This Month

Unauthorized sharing group assignment in MISP's non-REST event edit path allows any authenticated event editor to assign an event to a restricted sharing group they are not a member of by tampering with submitted form data. The REST API path enforced sharing group authorization via Event::_edit(), but the web form save path wrote sharing_group_id directly from POST data without equivalent validation - a classic split-path authorization gap (CWE-863). Successful exploitation leaks the restricted sharing group's name in event listings and corrupts the event's distribution metadata. No public exploit has been identified at time of analysis, and the fix is available as commit 609ff6c from the MISP maintainers (CIRCL).

Authentication Bypass Misp
NVD GitHub
CVSS 4.0
6.1
EPSS
0.0%
CVE-2026-50087 MEDIUM PATCH This Month

Cross-origin information disclosure in the Aqara IAM/SSO gateway (gw-builder.aqara.com) allows attacker-controlled web origins to read authenticated user data by exploiting a permissive CORS policy that trusts arbitrary domains. The flaw, scored CVSS 8.2 with scope change due to credential exposure crossing the browser/identity-provider trust boundary, affects all users of Aqara's centralized smart-home identity service and can be triggered when a logged-in victim visits an attacker-hosted page. A public GitHub repository (xn0tsa/theres-no-place-like-home) is linked from the advisory, so publicly available exploit code exists, though no CISA KEV listing or EPSS signal is provided.

Cors Misconfiguration Information Disclosure Aqara Iam Sso Gateway
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-50089 MEDIUM PATCH This Month

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara-domain URLs that silently forward victims to attacker-controlled sites, enabling highly credible phishing campaigns targeting Aqara users and connected IoT ecosystem accounts. The vulnerability is particularly impactful in an SSO context because users are trained to trust authentication-domain URLs, dramatically lowering phishing detection rates. A public proof-of-concept repository exists on GitHub; no confirmed active exploitation per CISA KEV at time of analysis.

Open Redirect Aqara Iam Sso Gateway
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-53839 MEDIUM PATCH This Month

OpenClaw's retry endpoint authentication check performs hostname prefix matching instead of exact hostname comparison, enabling an authenticated attacker to redirect sensitive authentication material to an attacker-controlled endpoint. All versions before 2026.5.7 are affected per CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*. The CVSS 4.0 vector scores this at 6.0 with high confidentiality impact (VC:H) and a specific attack prerequisite (AT:P); no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-47225 MEDIUM PATCH This Month

Cache isolation failure in Typesense's search engine exposes restricted search results across Scoped Search API Key authorization boundaries. When server-side caching and Scoped API Keys are both active, a specific sequence of requests can cause the cache to serve results to a scoped requester that were originally populated by a less-restricted context, effectively bypassing the embedded filter constraints of that key. Versions prior to 29.1 and 30.2 are affected; vendor-released patches exist in both release lines, with no public exploit identified and an EPSS of 0.05% (15th percentile) confirming low current exploitation probability.

Information Disclosure Typesense
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53827 MEDIUM PATCH This Month

Credential exposure via SSRF in OpenClaw's message.action forwarding allows authenticated remote attackers to redirect Gateway token-bearing action payloads to attacker-supplied loopback URLs, resulting in full confidentiality compromise of Gateway credentials. Affected versions are all OpenClaw releases prior to 2026.5.2; the flaw is rooted in insufficient validation of model-controlled metadata that governs action routing. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the Gateway credential theft impact warrants prompt patching in any deployment where OpenClaw interacts with privileged backend services.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53838 MEDIUM PATCH This Month

State mutation in OpenClaw's node pairing reconnection logic allows a low-privilege paired node to escalate its effective authority by confusing the approval scope engine, potentially bypassing access restrictions within the system. Affected versions are all OpenClaw releases before 2026.5.27, as identified by CPE cpe:2.3:a:openclaw:openclaw. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the integrity impact is rated High given an attacker can restore or inflate node authority beyond what was originally sanctioned.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53830 MEDIUM PATCH This Month

Webhook secret revocation bypass in OpenClaw before 2026.4.22 allows callers possessing previously-issued Slack and Zalo webhook secrets to continue submitting accepted events after an operator invokes the secrets.reload function. The stale-secret acceptance window undermines the integrity guarantees of secret rotation, enabling unauthorized webhook payload injection into what operators believe is a secured endpoint. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; however, the integrity impact is rated high per the CVSS 4.0 vector.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy