Skip to main content
CVE-2026-53861 MEDIUM PATCH GHSA This Month

OpenClaw's macOS Swift exec feature fails to correctly evaluate combined POSIX inline-command flags against its configured command allowlist, enabling a local low-privileged attacker to execute shell content that should be blocked. Affected versions are all OpenClaw releases before 2026.5.6 on macOS. Exploitation depends on an operator-configured allowlist being in place - when that allowlist is configured, a local user can bypass it entirely by using combined flag forms (e.g., `-abc` instead of `-a -b -c`), achieving high confidentiality and integrity impact. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Apple Openclaw
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-54287 MEDIUM PATCH GHSA This Month

Cookie integrity failure in the Hono AWS Lambda adapter (npm/hono < 4.12.25) causes multiple Set-Cookie response headers to be merged into a single comma-separated value, violating RFC 6265 and producing unparseable cookie strings on ALB single-header mode (the default deployment) and VPC Lattice v2. Applications setting more than one cookie per response - including session tokens and CSRF cookies - will find those cookies silently dropped or misparsed by clients, potentially breaking authentication flows or defeating CSRF protections without any visible server-side error. No public exploit is identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the defect is deterministic and triggers automatically on any multi-cookie response in affected deployments.

CSRF
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-49860 MEDIUM PATCH GHSA This Month

WebSocket connections in Deno 2.8.0 and earlier silently bypass `--deny-net` network sandbox rules by exploiting a missing post-DNS-resolution IP check - the runtime validates the destination hostname but never validates the IP address that hostname resolves to, enabling a classic DNS-rebinding-style SSRF (CWE-918) within the permission system. Any script running under `deno run` with `--deny-net` restrictions can weaponize an attacker-controlled domain to reach blocked hosts such as localhost or cloud metadata endpoints (e.g., 169.254.169.254). No public exploit has been identified at time of analysis, and the issue is specific to the WebSocket API; `Deno.connect` and `fetch()` are addressed in a companion advisory.

SSRF
NVD GitHub
CVSS 3.1
5.2
EPSS
0.1%
CVE-2026-49859 MEDIUM PATCH GHSA This Month

Deno's fetch() API in versions through 2.8.0 fails to validate resolved IP addresses against --deny-net policy rules, enabling sandbox escape to network destinations explicitly blocked by operators. Scripts executing under a --deny-net restriction can craft or leverage attacker-controlled DNS entries that pass hostname-level checks but resolve to denied IPs such as localhost or internal RFC-1918 addresses, silently bypassing the network isolation boundary. No active exploitation is confirmed (not in CISA KEV), no public proof-of-concept code has been identified, and the vendor has released a confirmed patch in version 2.8.1.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.2
EPSS
0.1%
CVE-2026-49983 MEDIUM PATCH GHSA This Month

Deno's `process.loadEnvFile()` Node.js compatibility API silently bypasses the runtime's capability-based `env` permission system, allowing environment variable injection into `process.env` without holding any `env` permission. Deno versions v2.3.0 through v2.8.0 are affected: a program (or any imported dependency) that calls `process.loadEnvFile()` while operating under `--deny-env` or a restricted `--allow-env=ALLOWLIST` can have its environment mutated by any party able to write or control a `.env` file covered by the program's `--allow-read` grant. No public exploit has been identified at time of analysis, and no CISA KEV listing was found in the provided data, but the advisory is fully public and the bypass mechanism is well-described.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.2
EPSS
0.1%
CVE-2026-50133 MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Hugo's content pipeline affects all versions prior to v0.162.0 when the site ingests HTML content from untrusted sources. Hugo emitted the body of any content file mapped to the text/html media type verbatim into the rendered output, making sites backed by CMS editors, external content adapters, or automated import pipelines potential XSS delivery vehicles to end users. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the risk is material for any Hugo deployment that does not fully trust every source populating the /content directory or content adapter pipeline.

XSS
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-49460 MEDIUM PATCH GHSA This Month

Denial-of-service in the pypdf Python library allows an attacker to cause excessive CPU consumption by supplying a crafted PDF containing a FlateDecode stream with a PNG predictor filter. Any application using pypdf to parse untrusted PDFs is affected on versions prior to 6.12.2. No public exploit is identified at time of analysis, but the attack surface is broad given pypdf's use in document processing pipelines; no special authentication is required to exploit applications that accept user-supplied PDFs.

Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-9507 MEDIUM PATCH This Month

Session fixation in osTicket v1.18.2 enables remote attackers to hijack authenticated user accounts by pre-seeding a known OSTSESSID cookie before the victim logs in. The application fails to invalidate or regenerate the session identifier upon successful authentication, so an attacker who plants a known token in the victim's browser retains access to that session once the victim authenticates. No public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.1 (Medium) reflects limited per-account impact and a mandatory victim-interaction prerequisite.

Information Disclosure Osticket
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-10639 MEDIUM PATCH This Month

Use-after-free in Zephyr RTOS's ICMPv4 echo handler allows any unauthenticated remote host to trigger memory corruption or a crash by sending a standard ICMP ping to an affected device. The defect exists in all versions from v1.14 (2019) through v4.4.0, where `icmpv4_handle_echo_request()` reads from a freed `net_pkt` struct after transferring packet ownership to the TX path - violating a contract explicitly documented in `net_core.c`. No public exploit code exists and this CVE does not appear in CISA KEV, but the zero-privilege, network-reachable attack surface makes it a meaningful risk for internet-exposed embedded and IoT deployments running Zephyr with ICMP statistics enabled.

Use After Free Memory Corruption Denial Of Service Zephyr
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-48783 MEDIUM PATCH This Month

Unauthenticated exploitation of Postiz's `/public/modify-subscription` endpoint allowed any caller in possession of a validly signed NowPayments callback token to trigger subscription enforcement side effects against their own organization - disabling team members, dropping integrations, and resetting the scheduled-post cron - without Postiz authentication. The flaw (CWE-345) stems from the NowPayments crypto payment integration: the endpoint verified the token's cryptographic signature but never validated its intended purpose or bound it to a specific subscription-modification context. Impact is strictly self-contained; the endpoint cannot be redirected at other tenants. No public exploit code and no CISA KEV listing have been identified at time of analysis. The issue is fixed in Postiz 2.21.8.

Information Disclosure Postiz App
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-54289 MEDIUM PATCH GHSA This Month

Header chain truncation in Hono's Lambda@Edge adapter silently discards all but the last value of repeated request headers, undermining IP-based access control and audit integrity for applications deployed on AWS Lambda@Edge. The adapter incorrectly uses `Headers.set` instead of `Headers.append` when converting CloudFront's multi-value header format, meaning headers such as `X-Forwarded-For`, `Forwarded`, and `Via` are reduced to a single entry before reaching application middleware. Affected deployments using Hono versions prior to 4.12.25 on Lambda@Edge may experience weakened IP restriction logic or loss of hop-chain audit data; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-8484 MEDIUM Monitor

Heap corruption in fusesource Jansi's JNI native layer exposes Java applications to denial-of-service through application crashes. The JNI wrapper around the ioctl() system call omits array-size bounds checking before passing the argument array into native heap memory, enabling a heap buffer overflow condition reachable by any local actor who can influence that code path. No fix will be released - the project is confirmed unmaintained at the time CVE-2026-8484 was assigned, and all known versions carry this defect. No public exploit code or active KEV-confirmed exploitation has been identified at time of analysis.

Heap Overflow Buffer Overflow Jansi
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-46772 MEDIUM This Month

Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnerability in the ADF Faces component that allows a high-privileged attacker with infrastructure-level logon to bypass access controls and exfiltrate all ADF-accessible data. The CVSS vector (AV:L/AC:H/PR:H) confines exploitation to actors who already possess elevated local system access, making this a post-compromise lateral escalation risk rather than an initial entry point. No public exploit exists and this CVE is not listed in the CISA KEV catalog; however, the 'Authentication Bypass' tag suggests the flaw undermines role-based or session-level access separation within ADF Faces despite the attacker already holding high privileges.

Authentication Bypass Oracle Oracle Application Development Framework Adf
NVD VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-12313 MEDIUM PATCH This Month

Sandbox escape with information disclosure in Mozilla Firefox's Process Sandboxing component allows a remote attacker to break out of the browser sandbox and read sensitive data from the host environment when a user visits attacker-controlled content. Affected versions span all Firefox releases prior to 152 and all Firefox ESR releases prior to 140.12, patched by Mozilla in mfsa2026-57 and mfsa2026-58. No public exploit identified at time of analysis and SSVC signals no current exploitation activity, keeping real-world urgency at moderate priority despite the scope-changing nature of the flaw.

Privilege Escalation Mozilla Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.2%
CVE-2026-12311 MEDIUM PATCH This Month

Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.

Mozilla Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.2%
CVE-2026-27783 MEDIUM PATCH GHSA This Month

Missing repository-unit authorization on three Gitea API endpoints allows authenticated users with only non-Code unit access (e.g., an Issues-only organization team member) to read `.gitea/ISSUE_TEMPLATE/*` and `issue_config.yaml` files from the Code default branch of a private repository. The CVSS score of 4.3 (PR:L, C:L) accurately reflects the narrow scope: exploitation is limited to those specific configuration files, not arbitrary source code. A proof of concept is publicly documented in the vendor advisory (GHSA-3fwp-p5rj-2pxf); no active exploitation is confirmed in the CISA KEV catalog at time of analysis.

Gitea Authentication Bypass RCE
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-25714 MEDIUM PATCH GHSA This Month

Public-only scoped API tokens in Gitea bypass their declared scope constraints and expose private organization membership data through two distinct code defects in `routers/api/v1/api.go`: the `/user/orgs` route omits the `checkTokenPublicOnly()` middleware entirely, and the `checkTokenPublicOnly` function contains a Go switch-case logic flaw that skips the user-visibility check on multi-category routes. This is an incomplete remediation of CVE-2025-68941 introduced by PR #32204, affecting all Gitea instances running version 1.26.1 and earlier. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the attack is trivially reproducible from the published advisory steps.

Gitea Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-10780 MEDIUM This Month

Insecure Direct Object Reference in the Static Block WordPress plugin (versions ≤2.2) allows contributor-level authenticated users to read the full post_content of any post - including private, draft, and pending posts created by administrators - by embedding the [static_block_content id="X"] shortcode and triggering a preview. The shortcode handler in static-block.php calls get_post() with an attacker-supplied numeric ID and outputs the result without any post-status or capability verification. No public exploit code has been identified at time of analysis and this is not listed in CISA KEV, but the attack is low-complexity and requires only a standard contributor WordPress account.

Authentication Bypass WordPress Static Block
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12117 MEDIUM PATCH This Month

Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request.

Information Disclosure Hashicorp Devolutions Server
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-11890 MEDIUM PATCH This Month

Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results.

Information Disclosure Devolutions Server
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-53900 MEDIUM This Month

Cookie injection in Firefox for iOS (all versions prior to 152.0) arises from the browser's TemporaryDocument PDF handling mechanism incorrectly preserving cookies from an initial PDF request across cross-origin HTTP redirects. This violates same-origin cookie isolation, enabling a malicious site to inject arbitrary cookies into requests directed at an unrelated target domain and potentially manipulate session or authentication state on that domain. No public exploit code has been identified and no CISA KEV listing exists; the CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates low-complexity remote exploitability contingent on user interaction, and Mozilla has shipped a vendor-released patch in Firefox for iOS 152.0.

Mozilla Apple Code Injection Firefox For Ios
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-12320 MEDIUM PATCH This Month

Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152.

Mozilla Information Disclosure Suse Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12303 MEDIUM PATCH This Month

Out-of-bounds read in Firefox's WebGPU graphics component exposes browser memory contents to remote attackers who can lure a user to a malicious webpage. All Firefox versions prior to 152 are affected, with the vulnerability stemming from incorrect boundary conditions during GPU-accelerated rendering operations. No public exploit or active exploitation has been identified at time of analysis; exploitation requires user interaction, limiting opportunistic mass exploitation despite the zero-authentication requirement on the attacker side.

Mozilla Information Disclosure Buffer Overflow Suse Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-52846 MEDIUM PATCH GHSA This Month

The `stripHTML` template function in Caddy web server can be bypassed with malformed HTML input such as `<<>img src=x onerror=alert()>`, allowing injected HTML tags to survive sanitization and reach the browser as executable markup, resulting in client-side XSS. Affected versions are Caddy v2 <= 2.11.3 and Caddy v1 <= 1.0.5; exploitation requires the templates middleware to be active and untrusted input to be processed via `stripHTML` and rendered without further escaping. A publicly available proof-of-concept exists per the GitHub security advisory GHSA-vcc4-2c75-vc9v; no active exploitation is confirmed in CISA KEV at time of analysis.

XSS
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-46771 MEDIUM This Month

Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 exposes all ADF-accessible data to a high-privileged local attacker who can exploit the Java Business Objects component. The vulnerability requires physical or logical access to the infrastructure host and a high-complexity attack path, substantially limiting realistic threat surface. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; Oracle addressed this issue in the June 2026 Critical Security Patch Update.

Authentication Bypass Java Oracle Oracle Application Development Framework Adf
NVD VulDB
CVSS 3.1
4.1
EPSS
0.1%
CVE-2026-0157 MEDIUM Awaiting Data

In RtcpHeader::decodeRtcpHeader, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-0155 MEDIUM Awaiting Data

In ImsMediaBitReader::ReadByteBuffer, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.2%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy