Skip to main content
CVE-2026-12174 HIGH POC This Week

Format string vulnerability in the D-Link DCS-935L 1.10.01 IP camera allows authenticated remote attackers to corrupt memory and likely achieve information disclosure or code execution by manipulating the data argument passed to snprintf within the /web/cgi-bin/greece/rhea HTTP handler. Publicly available exploit code exists per VulDB submission, though this CVE is not on the CISA KEV list. The CVSS 4.0 score of 7.4 reflects high impact on confidentiality, integrity, and availability with low-privilege authentication required.

D-Link Information Disclosure Dcs 935L
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-11624 CRITICAL PATCH Act Now

Missing Origin/Host header validation in Google's MCP Toolbox for Databases (Model Context Protocol server) prior to v0.25.0 allows remote attackers to reach the locally-bound HTTP server via DNS rebinding from a victim's browser, abusing the bridge to issue arbitrary tool/database commands. The fix introduces a new --allowed-hosts startup flag (companion to the existing --allowed-origins) that validates inbound Host headers, though both flags retain an insecure-by-default '*' value with only a startup warning. No public exploit identified at time of analysis; the issue was reported internally by Google.

Information Disclosure Mcp Toolbox For Databases
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-12183 CRITICAL Act Now

Remote unauthenticated authentication bypass in Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux allows any HTTP client to obtain administrator-level access by POSTing arbitrary credentials to /php/ajax-login.php, which unconditionally returns userid=1. Downstream privileged endpoints under /php/ajax-main.php and /modules/* fail to validate a server-side session, exposing full control over fuel dispensers, tank gauges, pricing, POS, bank terminals, and relays. No public exploit identified at time of analysis, but a public reference to a proof-of-concept repository (ciprobe/bukts_auth_bypass) suggests trivially reproducible exploitation against ICS/OT infrastructure.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-54230 HIGH This Week

Local privilege escalation via arbitrary root-owned file overwrite affects libreport's ABRT post-create event handler scripts on Red Hat Enterprise Linux 6, 7, and 8. The event scripts write output using shell redirections that lack the O_NOFOLLOW flag, so a local low-privileged user who plants a symlink in a writable crash-dump path can cause the root shell to follow it and clobber any file on the system, which can be leveraged for full system compromise. SSVC rates technical impact as total, but there is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile).

Information Disclosure Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-54228 HIGH This Week

Local privilege escalation in the abrt-dbus D-Bus service on Red Hat Enterprise Linux 6, 7, and 8 allows any unprivileged local user to win a TOCTOU race against the SetElement method, writing arbitrary text files into root-owned dump directories. By exploiting the gap between dump directory creation and post-create event execution, an attacker bypasses package validation and persists crash data for unpackaged binaries inside privileged paths, with no public exploit identified at time of analysis.

Denial Of Service Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-9848 HIGH This Week

SQL injection in the WP Ticket WordPress plugin (versions up to and including 6.0.4) allows unauthenticated remote attackers to inject arbitrary SQL via the WordPress front-end search query parameter `s`, enabling extraction of sensitive database contents. The flaw stems from concatenating the unslashed search term into a UNION sub-SELECT without using `$wpdb->prepare()`. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network attack vector keeps risk meaningful on exposed sites.

WordPress SQLi Customer Support Ticket System Helpdesk
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-9061 LOW POC PATCH Monitor

The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).

XSS WordPress Store Locator Wordpress
NVD WPScan VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-9062 LOW POC PATCH Monitor

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.

PHP WordPress Store Locator Wordpress Path Traversal
NVD WPScan VulDB
CVSS 3.1
3.4
EPSS
0.0%
CVE-2026-9109 HIGH This Week

Stored cross-site scripting in the GPTranslate - Multilingual AI Translation WordPress plugin (versions ≤ 2.31) allows unauthenticated attackers to inject arbitrary JavaScript into translated pages via the /wp-json/gptranslate/v1/request REST endpoint. Because the API key is deterministically derived as sha256(site_url) and exposed in every page's HTML as the gptApiKey JavaScript variable, any visitor can recover it and submit malicious translation payloads that execute in the browsers of subsequent visitors. No public exploit identified at time of analysis, but the exposed key makes exploitation trivial once the technique is known.

WordPress XSS Gptranslate Multilingual Ai Translation For Wordpress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-5513 HIGH This Week

Stored cross-site scripting in the Bookly Online Scheduling and Appointment Booking System plugin for WordPress (versions through 27.2) allows remote unauthenticated attackers to inject arbitrary JavaScript via the 'bookly-customer-full-name' cookie, which is rendered without proper sanitization or output escaping. Exploitation is gated by the non-default 'Remember personal information in cookies' setting being enabled, and no public exploit identified at time of analysis. The flaw was reported by Wordfence and the upstream fix landed in changeset 3504922 in the WordPress plugin repository.

WordPress XSS Online Scheduling And Appointment Booking System Bookly
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-54229 HIGH This Week

Local privilege escalation in the abrt-dbus D-Bus service on Red Hat Enterprise Linux 6, 7, and 8 allows a low-privileged local user to race the ChownProblemDir method against still-running post-create event handlers. By invoking ChownProblemDir while privileged event scripts hold a write lock on the dump directory, the attacker gains filesystem ownership of files being written by root-context handlers, enabling tampering with privileged output and potential privilege escalation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Race Condition Information Disclosure Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-55642 MEDIUM This Month

Divide-by-zero in GPAC's MP4Box AVI demuxer crashes the process when handling crafted media files with zero-declared frame counts. Specifically, avidmx_process() in filters/dmx_avi.c:639 fails to validate the frame count before using it as a divisor during Dasher bitrate computation, triggering an uncaught floating-point exception (FPE) when DASH segmentation is invoked. A public proof-of-concept file exists; exploitation requires no authentication or special privileges beyond delivering a malformed AVI-like input to an affected MP4Box instance. EPSS data is not yet available, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Information Disclosure Gpac
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-11769 MEDIUM PATCH GHSA This Month

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to create GrafanaDashboard or GrafanaLibraryPanel resources to steal the Kubernetes service account token of the operator manager pod. The jsonnet templating language, supported via spec.jsonnetLib, is evaluated unsandboxed inside the operator manager pod, enabling a path traversal payload to read sensitive files - including the mounted service account token - and exfiltrate it through the resulting dashboard output. No public exploit is identified at time of analysis, but successful exploitation yields cluster-level privilege escalation, reflected in the vendor-assigned CVSS 4.0 subsequent-system impact of SC:H/SI:H.

Grafana Path Traversal Kubernetes Privilege Escalation Grafana Operator
NVD VulDB GitHub
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-9629 MEDIUM This Month

Stored Cross-Site Scripting in the Canvas plugin for WordPress (versions ≤ 2.5.2) allows an authenticated attacker holding contributor-level access or above to inject persistent JavaScript via the unsanitized 'tag' parameter in the block-section-heading Gutenberg block. The payload is stored in the database and executes in the browser of any user who subsequently loads the compromised page, enabling session hijacking, credential theft, or malicious redirects at scale. No active exploitation is confirmed (not listed in CISA KEV), but the low privilege bar makes this a realistic threat on multi-author WordPress installations; a fix is available in version 2.5.3.

WordPress XSS Canvas
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9134 MEDIUM This Month

Stored Cross-Site Scripting in FooGallery WordPress plugin versions through 3.1.31 allows authenticated contributors to inject persistent JavaScript via the 'custom_attribute_key' shortcode parameter, executing against any visitor who views an affected page. The flaw combines a bypass-prone event-handler blacklist in foogallery_sanitize_javascript() - which omits handlers like 'onmouseenter' - with unescaped attribute key output in foogallery_build_container_attributes_safe(), together enabling DOM-level script injection. A patched version 3.1.32 is confirmed released; no public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS Photo Gallery By Foogallery
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3297 MEDIUM This Month

Stored cross-site scripting in the Pagelayer Drag and Drop website builder plugin for WordPress (versions up to and including 2.0.9) allows authenticated contributors to inject persistent malicious scripts via the Anchor block component. Any site visitor - including privileged administrators - who loads an injected page will execute the attacker-supplied script in their browser, enabling session token theft, credential harvesting, or privilege escalation. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA's KEV catalog; however, the low authentication barrier (contributor-level) makes it realistically accessible on multi-author WordPress sites.

WordPress XSS Page Builder
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-12175 LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 enables authenticated administrators to manipulate the `admissionNumber` parameter in `/attendance-php/Admin/createStudents.php`, allowing arbitrary SQL commands to be passed to the underlying database. Exploitation is constrained to actors who already hold high-privilege admin credentials (PR:H per the CVSS 4.0 vector), but impact spans database confidentiality, integrity, and availability. A public proof-of-concept exploit is available on GitHub; the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

PHP SQLi Student Attendance Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6428 MEDIUM PATCH This Month

SQL injection in Koha's reports/catalogue_out.pl grants authenticated staff with the Reports module flag full read access to the Koha MariaDB database, including borrower password hashes, 2FA secrets, API keys, session tokens, and patron PII. The vulnerability traces to a 2008 commit and was overlooked when CVE-2015-4633 patched the same injection class in sibling files. A working single-request proof-of-concept using EXTRACTVALUE error-based extraction has been publicly disclosed; no CISA KEV listing has been confirmed at time of analysis, but the low exploitation barrier for credentialed staff makes this a high-priority remediation.

SQLi Koha
NVD VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2025-55648 MEDIUM This Month

Heap-based buffer overflow in GPAC MP4Box (all versions prior to fix commit 61bbfd2e89553373ba3449b8ec05b5f098d732a5) allows out-of-bounds heap READ when processing a crafted MP4 file containing corrupted stsz (sample-size box) data for an Opus audio track. When a user runs MP4Box with the -dxml flag against a malicious file, gf_opus_parse_packet_header() in av_parsers.c:11297 reads 1 byte beyond a 32-byte heap allocation, 1242 bytes past the base region allocated by Media_GetSample(), potentially leaking adjacent heap memory contents and crashing the process. A public proof-of-concept MP4 file is available; no active exploitation has been recorded in CISA KEV at time of analysis.

Buffer Overflow Denial Of Service Heap Overflow Gpac
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55649 MEDIUM This Month

NULL pointer dereference in GPAC's MP4Box fragmentation pipeline allows unauthenticated remote attackers to crash the application by supplying a crafted MP4 file with corrupted Elementary Stream Descriptor (ESD) data. The function `gf_media_map_esd()` in `media_tools/isom_tools.c` at line 1359 calls `strlen()` on `esd->URLString` without verifying the pointer is non-NULL, triggering a SEGV when the ESD contains a missing or corrupted URLString field. A public proof-of-concept MP4 file exists; no active exploitation has been confirmed (not in CISA KEV). EPSS data is not available in the provided intelligence.

Denial Of Service Null Pointer Dereference Gpac
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55641 MEDIUM This Month

NULL pointer dereference in GPAC's MP4Box crashes the application when importing a crafted MP4 file containing corrupted Sample Auxiliary Information (SAI) metadata with an invalid sai_samples count. The function gf_isom_copy_sample_info() in isomedia/isom_write.c:8164 fails to validate pointers after SAI merge handling fails, resulting in a SEGV read at address 0x0 and an application crash. A publicly available proof-of-concept MP4 file exists on GitHub; however, this CVE is not in CISA KEV, and exploitation is constrained to a denial-of-service (process crash) with no code execution or data exposure demonstrated.

Denial Of Service Null Pointer Dereference Gpac
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55660 MEDIUM This Month

Stack-based buffer overflow in GPAC's MP4Box tool crashes the process when parsing a crafted MP4 file containing a malformed non-self-delimited Opus packet. The function gf_opus_read_length() in media_tools/av_parsers.c performs a 2-byte out-of-bounds write into a stack-allocated pckh structure at offset 568, confirmed by AddressSanitizer at line 11140. No active exploitation is confirmed in CISA KEV, but a public proof-of-concept MP4 file is available from the reporter, and the CVSS vector (PR:N, UI:R) indicates any user or automated pipeline invoking MP4Box on untrusted Opus-bearing MP4 files is at risk of a process crash.

Denial Of Service Stack Overflow Buffer Overflow
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55661 MEDIUM This Month

Heap-based buffer overflow in GPAC's MP4Box Opus packet parser exposes file-processing pipelines to heap memory disclosure and application crash when handling a crafted MP4 containing a malformed Opus audio track. Processing a specially constructed file via MP4Box's XML dump mode (-dxml) triggers an out-of-bounds READ of 1 byte beyond a 3-byte heap allocation inside gf_opus_parse_packet_header() at av_parsers.c:11326, with adjacent heap memory potentially leaked as a secondary consequence. No public exploitation has been confirmed (not in CISA KEV), but a functional PoC MP4 file is publicly available on GitHub, lowering the barrier for targeted abuse in automated media-ingestion workflows.

Buffer Overflow Denial Of Service Heap Overflow
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55663 MEDIUM This Month

NULL pointer dereference in GPAC's MP4Box media tool crashes the process when importing a crafted MP4 file containing an unknown svcC box nested inside an av01 parent box. The unsupported-box handling path in the ISOBMFF parser leaves the sample entry pointer uninitialized; Track_SetStreamDescriptor() at isomedia/track.c:1677 subsequently dereferences this invalid pointer during bitrate update processing without validation, producing a SEGV. No active exploitation has been confirmed (not in CISA KEV), but a public proof-of-concept MP4 file is available at the reporter's GitHub repository, and the CVSS-assigned severity is 4.3 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55650 MEDIUM This Month

Heap use-after-free in GPAC MP4Box's MPEG-4 LASeR/SVG processing path crashes the tool when parsing a crafted MP4 file with the -svg conversion flag. The flaw occurs in gf_svg_node_del() at svg_types.c:107, where an SVG node is freed and then read again during scene graph teardown via gf_sg_reset()/gf_node_unregister(), confirmed by AddressSanitizer. Impact is limited to availability (process crash/DoS); no confidentiality or integrity impact is demonstrated. A public proof-of-concept MP4 file exists on GitHub; no active exploitation has been confirmed by CISA KEV.

Denial Of Service Memory Corruption Use After Free Gpac
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55647 MEDIUM This Month

Integer overflow in GPAC's MP4Box causes an out-of-memory crash when processing crafted MP4 files with malformed Protection System Specific Header (PSSH) metadata during DASH segmentation. The function mp4_mux_cenc_insert_pssh() in filters/mux_isom.c fails to validate attacker-controlled kid_count and dataSize fields before using them in a buffer size calculation, causing realloc() to request approximately 61 GB (0xe40000100 bytes), which crashes the process. A public proof-of-concept MP4 file is available on GitHub; no active exploitation has been confirmed and no CISA KEV listing exists. The CVSS 3.1 score of 4.3 MEDIUM reflects the user-interaction requirement and limited availability impact.

Denial Of Service Integer Overflow Gpac
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55644 MEDIUM This Month

Use-after-free memory corruption in GPAC's MP4Box triggers via gf_node_get_tag when parsing a crafted MP4 file containing an invalid BIFS GlobalQuantizer command. Any user or automated pipeline processing an attacker-supplied MP4 file with an affected GPAC build is exposed. Exploitation could yield arbitrary code execution or a reliable crash, depending on heap layout at the time of the free. No public exploit code or CISA KEV listing has been identified at time of analysis.

Denial Of Service Memory Corruption Use After Free Gpac
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-54231 MEDIUM This Month

Content injection in libreport's ABRT post-create event handler grants a low-privileged local user the ability to control file content that the root process writes into crash dump directories. When a monitored process crashes, the event handler script queries the systemd journal for matching log entries and writes the results directly to dump directory files without stripping embedded control characters - allowing an attacker who can write syslog messages to pre-position newline-delimited payloads that corrupt or inject arbitrary lines into those root-owned files. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is constrained to local access with low privileges.

Denial Of Service Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-12089 MEDIUM This Month

Arbitrary file read in the LWS Optimize WordPress plugin (versions up to and including 3.3.19) permits authenticated users with Editor-level access or above to retrieve any file readable by the web-server process, including sensitive files such as wp-config.php. The vulnerable `combine_current_css()` function blindly trusts stylesheet href values harvested from page HTML, resolves them to absolute filesystem paths, and passes them to `file_get_contents()` without enforcing a safe-directory boundary or a `.css` extension check - a classic CWE-22 path traversal pattern. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the attack path is straightforward given the source code is publicly accessible in the WordPress plugin repository.

Path Traversal WordPress Lws Optimize All In One Speed Booster Cache Tools
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-1291 MEDIUM This Month

Meow Gallery plugin for WordPress (all versions through 5.4.4) exposes an unprotected REST API endpoint that permits any authenticated user with Author-level access or above to overwrite or create arbitrary gallery shortcode records by supplying a user-controlled `id` parameter. The endpoint `/wp-json/meow-gallery/v1/save_shortcode` performs direct database write operations without verifying ownership of the referenced record, making this a classic CWE-639 (IDOR) pattern. No public exploit or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and wide availability of Author-level accounts in multi-contributor WordPress environments elevate real-world risk above what the CVSS 4.3 score alone suggests.

Authentication Bypass WordPress Meow Gallery
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2470 MEDIUM This Month

Incorrect authorization in the Pagelayer WordPress plugin (versions up to and including 2.0.9) allows authenticated attackers with Contributor-level access to inject arbitrary contact-form mail templates into post metadata via the pagelayer_save_content AJAX handler, which are subsequently consumed without privilege enforcement by the unauthenticated pagelayer_contact_submit endpoint through user-controlled post and form identifiers. The practical impact is attacker-defined control over outbound email templates dispatched from the affected site, exploitable by any registered Contributor without admin interaction. No public exploit has been identified at time of analysis, but the Wordfence advisory notes this vulnerability may be chained with CVE-2026-2442 to further amplify attacker control over outbound email behavior.

Authentication Bypass WordPress Page Builder
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-41579 LOW PATCH GHSA Monitor

Host filesystem integrity violations in runc are triggered when the container runtime processes a malicious OCI image where /dev is configured as a symbolic link rather than a directory. An attacker who can deliver such a crafted image - via a public registry, a supply-chain-compromised base image, or a shared CI/CD pipeline - can cause runc to follow the symlink during container device-node initialization, resulting in limited, unintended write operations on the host filesystem outside the container boundary. The vendor-credited reporter (Aleksa Sarai, a known runc maintainer) describes the impact as 'limited host filesystem integrity violations,' falling short of a full container escape. No public exploit has been identified at time of analysis.

Information Disclosure Runc
NVD GitHub VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-12176 LOW Monitor

Cross-site scripting in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via the unsanitized `action` parameter in `/index.php`. Publicly available exploit code exists (CVSS 4.0 E:P), and the attack requires no authentication, only that a victim interact with a crafted URL or request. No vendor-released patch has been identified at time of analysis.

PHP XSS Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-55662 CRITICAL Act Now

Divide-by-zero crash in GPAC's MP4Box tool allows denial of service when processing a crafted MP4 file containing a malformed Opus audio track header. The function gf_opus_parse_packet_header() in media_tools/av_parsers.c:11479 fails to validate that nb_frames is non-zero before performing arithmetic (max = header->nb_frames - 1), triggering a SIGFPE along the Opus dump path. A public proof-of-concept file is available, and no authentication or special privileges are required - only the ability to supply a crafted file to the tool. No confirmed active exploitation (not in CISA KEV); impact is limited to process crash with no code execution potential identified.

Microsoft Denial Of Service
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy