Skip to main content
CVE-2026-50643 MEDIUM Monitor

Out-of-bounds read in 8cc, a small C compiler by rui314, allows a local attacker to crash the compiler and potentially disclose compiler process memory by supplying a crafted source file containing malicious #line directives or GNU linemarkers with oversized line numbers. The vulnerability arises because attacker-controlled filename and line number metadata embedded in source files is accepted and used without bounds validation when 8cc accesses internal source line arrays. No patch is available at time of analysis; the maintainer did not respond to CERT-PL's coordinated disclosure. No public exploit identified at time of analysis, though CERT-PL confirmed the vulnerability at commit b480958.

Information Disclosure Buffer Overflow 8Cc
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-11982 MEDIUM PATCH This Month

Stored XSS in Grav CMS's grav-plugin-api (Admin2) allows a low-privileged editor to persist malicious JavaScript in page content via the PATCH /pages API endpoint, which then executes in any administrator's or visitor's browser when the affected page is loaded. The root cause is that the API's partial-field validation path (validateChangedFields()) ran only type and required-field checks but omitted the XSS safety gate (Validation::checkSafety()), a check the classic Admin interface correctly enforced - creating a trust-boundary bypass exclusive to the REST API path. Publicly available exploit code exists via the Fluid Attacks advisory and the vendor's own regression test suite; no active exploitation (CISA KEV) has been confirmed.

XSS Grav Plugin Api
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-54221 MEDIUM This Month

Reflected XSS in UBB.threads 7.7.5 enables remote attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL containing malicious input. The vulnerability stems from improper handling of user-supplied data in HTTP requests, with impact scoped to the victim's browser session rather than the server itself. No public exploit code or active exploitation has been identified at time of analysis; vendor contact was unsuccessful, leaving patch status unresolved.

XSS Ubb Threads
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-54219 MEDIUM This Month

Stored XSS in UBB.threads 7.7.5 permits low-privileged forum members to permanently inject arbitrary JavaScript into post content and user profile fields, which then executes silently in any visitor's browser upon viewing the affected page. The vulnerability was discovered and disclosed by CERT-PL after unsuccessful vendor contact attempts, leaving remediation status unresolved. No public exploit code has been identified and no active exploitation is confirmed, but the persistent nature of the injection vector makes this a meaningful risk to forum users and administrators alike.

XSS Ubb Threads
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-11791 MEDIUM This Month

Use-after-free in 389 Directory Server's schema reload path crashes the server when administrative schema reloads race against active LDAP query worker threads. The `attr_syntax_swap_ht()` function bypasses the refcount-based deferred deletion mechanism used throughout the attribute syntax subsystem, directly freeing nodes that concurrent worker threads may still hold references to. Affected products span Red Hat Directory Server 11, 12, and 13 across RHEL 6 through 10; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.0 reflects the high-complexity, high-privilege prerequisites that substantially reduce real-world risk.

Use After Free Memory Corruption Denial Of Service Red Hat Directory Server 11 Red Hat Directory Server 12 +6
NVD VulDB
CVSS 3.1
5.0
EPSS
0.3%
CVE-2026-11360 MEDIUM This Month

SQL Injection in the Advanced Order Export For WooCommerce WordPress plugin (versions up to and including 4.0.10) allows authenticated shop managers to append arbitrary SQL to existing queries via the unsanitized 'sort_direction' parameter, enabling full read-access to the WordPress database. Wordfence confirmed the flaw, which is compounded by the plugin's deliberate stripping of WordPress magic quotes protection through stripslashes_deep(), permitting SQL metacharacters to reach the query context intact. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

WordPress SQLi Advanced Order Export For Woocommerce
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-10736 MEDIUM This Month

SQL injection in Tutor LMS (WordPress plugin by Themeum) exposes the underlying database to read-access by any authenticated administrator. The flaw resides in the withdrawal-request management flow - specifically WithdrawModel.php and withdraw_requests.php - where a 'data' parameter is passed to SQL queries without adequate escaping or parameterization. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the data-exposure impact (C:H) is real, and a patched release (3.9.12) is confirmed in the WordPress plugin repository.

WordPress SQLi Tutor Lms Elearning And Online Course Solution
NVD
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-11776 MEDIUM This Month

SQL injection in the Form Maker by 10Web WordPress plugin exposes the WordPress database to authenticated admin-level attackers via the unsanitized 'groupids' parameter. All plugin versions through 1.15.43 are affected across multiple code paths in WDW_FM_Library.php and Generete_csv.php. No active exploitation is confirmed (not in CISA KEV), and exploitation is constrained by the administrator privilege requirement, though the high confidentiality impact from unrestricted database read access remains a meaningful concern for multi-tenant or shared WordPress environments.

WordPress SQLi Form Maker By 10Web Mobile Friendly Drag Drop Contact Form Builder
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-11777 MEDIUM This Month

SQL Injection in the Form Maker by 10Web WordPress plugin (all versions up to and including 1.15.43) enables authenticated administrators to append arbitrary SQL clauses via the unsanitized 'name' parameter in the admin-side data selection interface, permitting full read access to the underlying WordPress database. The CVSS vector confirms a high confidentiality impact (C:H) but no integrity or availability impact, scoped exclusively to the vulnerable system. No active exploitation is confirmed (not listed in CISA KEV), no public POC has been identified at time of analysis, and the mandatory administrator-level authentication prerequisite substantially constrains real-world mass exploitation risk.

WordPress SQLi Form Maker By 10Web Mobile Friendly Drag Drop Contact Form Builder
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-55661 MEDIUM PATCH GHSA This Month

Stored XSS in TinaCMS rich-text rendering allows any content author with editor-level access to inject `javascript:` or `data:text/html` URLs into Slate link/image nodes, which execute in the browsers of editors and site visitors when affected content is viewed. Both `tinacms` (< 3.9.3) and `@tinacms/mdx` (< 2.1.7) are confirmed affected, with the vulnerable path covering case-variant, whitespace-padded, and control-character-obfuscated scheme bypass techniques indicating deliberate evasion of naive sanitization. No public exploit or CISA KEV listing exists; vendor-released patches are available.

XSS
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-22674 MEDIUM PATCH This Month

Stored cross-site scripting in Hashgraph Guardian through 3.5.0 allows an authenticated user holding the STANDARD_REGISTRY role to inject persistent JavaScript payloads into the branding configuration's companyName field via the branding API endpoint. The injected script executes in every authenticated user's browser on every page load due to unsanitized innerHTML assignments in both the BrandingService and BrandingComponent Angular classes. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the fix diff is publicly visible in GitHub PR #6190, lowering the barrier for exploit development.

XSS Guardian
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-12047 MEDIUM PATCH This Month

HTML injection in pgAdmin 4's Cloud Wizard (versions 6.6 through 9.15.x) allows authenticated users to embed arbitrary HTML into the tool's DOM by exploiting unescaped AWS, Azure, and Google Cloud SDK exception text propagated into JSON response fields and parsed by html-react-parser. The primary impact is self-targeted DOM manipulation - the authenticated user who submits the crafted payload is the one who sees it rendered - with escalation to cross-user exploitation requiring an additional CSRF primitive to forge a valid X-pgA-CSRFToken in a victim's browser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, consistent with its CVSS 4.0 Medium rating of 4.8.

Microsoft Google XSS Pgadmin 4
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-55890 MEDIUM PATCH GHSA This Month

Stored CSS injection in Grav CMS's MediaObjectTrait::style() exposes an incomplete fix: the original patch for CVE-2026-42841 (GHSA-r7fx-8g49-7hhr) explicitly denylisted 'style' in the attribute() code path but left the parallel style() method-reachable via the same Markdown ?style= image query parameter pipeline-entirely unsanitized. Any editor holding admin.pages permission can save a single Markdown image reference with an arbitrary CSS payload that persists in the CMS and renders into <img style='...'> for every subsequent viewer, including administrators and super-admins in their authenticated sessions. A deterministic proof-of-concept ships with the advisory; no active exploitation (CISA KEV) has been confirmed at time of analysis.

PHP XSS
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-55254 MEDIUM PATCH GHSA This Month

Denial-of-service via unbounded factorial evaluation affects NCalc (NCalc.Core and NCalcSync NuGet packages) prior to v6.1.1, allowing remote attackers to exhaust CPU resources or trigger non-terminating computation loops by submitting expressions with extremely large factorial operands such as 9223372036854775807! (Int64.MaxValue). The root cause is CWE-190 integer overflow in MathHelper.cs's factorial calculation logic, which previously lacked bounds validation, allowing operands well beyond any representable result to be passed directly to the computation loop. No public exploit or CISA KEV listing has been identified at time of analysis, though the triggering expressions are trivially constructable and documented in the advisory itself.

Integer Overflow Denial Of Service
NVD GitHub
CVSS 3.1
4.8
CVE-2026-48986 MEDIUM PATCH This Month

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo, sshd, or login on Linux systems using USB hardware authentication. The flaw is in usb_get_process_parent_id(), which fails to initialize *ppid on failure; pusb_local_login() reuses the same variable as both input and output in a process-tree traversal loop, so if /proc/<pid>/stat becomes unreadable mid-authentication (e.g., an ancestor process exits during the auth window), the PID is never advanced and the loop never terminates. No public exploit has been identified and KEV listing is absent; the vendor-released patch is version 0.9.2, which is strongly recommended given the criticality of the affected authentication stack components.

Denial Of Service Pam Usb
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-48984 MEDIUM PATCH This Month

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP) bytes read from removable media - resident in freed heap memory because the xfree() helper calls free() without first zeroing the buffer. On any system where a secondary use-after-free condition or heap inspection primitive is present within the same pam_usb process, an attacker could recover pad values or other credential material from those freed regions, potentially undermining the hardware authentication guarantee pam_usb is designed to provide. This is a defense-in-depth hardening gap patched in 0.9.2; no confirmed active exploitation or public exploit code has been identified at time of analysis.

Information Disclosure Pam Usb
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-11358 MEDIUM This Month

Stored Cross-Site Scripting in the Orbit Fox WordPress plugin (ThemeIsle) allows authenticated administrators to inject persistent malicious scripts into pages served to any visiting user. Affected are all versions through 3.0.6, but only under specific deployment conditions: WordPress multisite networks or installations where the unfiltered_html capability has been explicitly disabled. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 4.4 reflects the elevated prerequisites and limited per-incident impact, though scope-changed XSS can still enable session theft and secondary phishing in affected deployments.

WordPress XSS Orbit Fox
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-48934 MEDIUM PATCH This Month

TLS session resumption in Node.js fails to bind reusable sessions to the originally authenticated host, enabling an information disclosure pathway. Affected versions are Node.js 26.x prior to 26.3.1 (Current channel), as disclosed in the June 2026 security release. An attacker with low network-level privilege can cause a cached TLS session-established and authenticated against one hostname-to be reused for a distinct, attacker-influenced host, potentially bypassing host-based authentication. No public exploit code or CISA KEV listing is present at time of analysis.

Information Disclosure Node Js
NVD GitHub VulDB
CVSS 3.0
4.3
EPSS
0.3%
CVE-2026-12111 MEDIUM This Month

Sensitive customer PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.01) allows any authenticated user with Contributor-level access to exfiltrate booking records from calendars they do not own. The root cause is an IDOR (Insecure Direct Object Reference) in the cpabc_appointments_calendar_load2() function: the function enforces only a broad role check (edit_posts capability) without verifying that the requesting user owns the calendar ID supplied via the id parameter. Exposed records include customer names, email addresses, phone numbers, booking times, and freeform comments, making this a meaningful PII breach risk on multi-author WordPress installations. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

WordPress Information Disclosure Appointment Booking Calendar
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-10623 MEDIUM This Month

Unauthorized cross-teacher quiz rule tampering in the PressPrimer Quiz WordPress plugin (all versions ≤ 2.3.0) is possible via an IDOR flaw in the plugin's REST API, where the `rule_id` parameter is accepted without ownership validation. Any authenticated user holding a custom-level role or above - such as a teacher - can supply arbitrary `rule_id` values to modify or delete quiz rules belonging to other teachers. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 3.1 score of 4.3 (PR:L, I:L) reflects the authentication requirement and integrity-only impact.

Authentication Bypass WordPress Pressprimer Quiz Ai Quiz Maker Exam Builder Lms Assessment Plugin
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-10023 MEDIUM This Month

Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allows authenticated vendor-level users to manipulate arbitrary marketplace orders they do not own, in all versions up to and including 5.0.3. Affected operations include changing order status, injecting customer-facing notes that trigger WooCommerce notification emails to buyers, deleting any order note or WordPress comment by raw ID, inserting fraudulent shipping tracking data, and granting or revoking downloadable product access on any order in the installation. The nonce-based CSRF protection provides no ownership barrier because vendors legitimately generate valid nonces from their own dashboard pages and can replay them against any order ID - no public exploit identified at time of analysis, though vulnerable code paths are confirmed in source at version 5.0.1 by Wordfence.

Authentication Bypass WordPress Dokan
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9199 MEDIUM This Month

Authorization bypass in Equalize Digital Accessibility Checker for WordPress (all versions ≤ 1.42.1) allows authenticated author-level users to dismiss, ignore, or restore accessibility audit records belonging to posts they do not own. The flaw lies in the plugin's REST API handler accepting the attacker's own issue ID as a sufficient authorization token, and the `largeBatch=true` parameter then triggers a bulk operation that propagates the action across all site-wide issues sharing the same 'object' value - including those on administrator-owned posts. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; however, the Wordfence advisory includes direct source code references confirming the vulnerable logic.

Authentication Bypass WordPress Equalize Digital Accessibility Checker Wcag Ada Eaa And Section 508 Compliance
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11357 MEDIUM This Month

Sensitive information exposure in Kadence Blocks (WordPress plugin) versions up to and including 3.7.5 allows authenticated contributors to read the site's Kadence license key, license owner email, api_key, api_email, and license domain directly from the browser console via the JavaScript global window.kadence_blocks_params.proData. The credentials are serialized client-side through the editor_assets_variables mechanism and require no server-side manipulation to extract. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure Kadence Blocks Page Builder Toolkit For Gutenberg Editor
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11784 MEDIUM This Month

Cross-Site Request Forgery in the Optimole WordPress plugin (all versions through 4.2.6) allows unauthenticated remote attackers to overwrite existing media attachment files by forging multipart POST requests targeting the replace_file function, provided the attacker can socially engineer a WordPress user with at least Author-level access into clicking a crafted link. The missing nonce validation in the attachment_edit.php handler means the server cannot distinguish legitimate requests from forged ones, enabling arbitrary content injection into any attachment the victim can edit. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence disclosure provides full technical detail including source line references, lowering the bar for weaponization.

CSRF WordPress Optimole Optimize Images Convert Webp Avif Cdn Lazy Load Image Optimization
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-54319 MEDIUM PATCH GHSA This Month

Path traversal in Daytona's sandbox volume mount handling (versions <= 0.185.0) allowed a crafted volume reference containing traversal sequences to theoretically resolve the runner's bind-mount source path outside the intended per-volume base directory, with a worst-case impact of cross-tenant read/write access to other tenants' FUSE-mounted volume data. Critically, the vendor confirmed the vulnerability was NOT exploitable in any released version: volume references pass through UUID-type database validation before reaching the runner, structurally rejecting traversal payloads and producing a server-side validation error instead of an unintended mount. No public exploit has been identified and the CVE carries no CISA KEV listing, consistent with a latent code-path defect rather than an active attack surface.

Canonical Information Disclosure
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-55669 MEDIUM PATCH GHSA This Month

Authentication bypass in ZITADEL's external JWT Identity Provider allows a legitimate user of a co-tenant service sharing the same enterprise IdP to authenticate to ZITADEL using a token issued for a different relying party. Affected versions span ZITADEL 3.0.0-3.4.11 and 4.0.0-4.11.0; the flaw arises because ZITADEL correctly validates the JWT cryptographic signature and `iss` claim but entirely omits validation of the `aud` claim, violating RFC 7519 audience binding semantics. No public exploit has been identified at time of analysis, and exploitation is tightly constrained to specific enterprise topologies where multiple services share a single trusted IdP.

Authentication Bypass Google
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-48936 LOW PATCH Monitor

Node.js Permission Model fails to apply net scope guards to pipe open and chmod operations, enabling a local authenticated user to bypass intended access control boundaries enforced by the experimental Permission Model. Affected is Node.js v26.x prior to v26.3.1 (Current release line), disclosed in the June 2026 security release. Rated Low severity by the Node.js team; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Node Js
NVD GitHub
CVSS 3.0
3.3
EPSS
0.1%
CVE-2026-48935 LOW PATCH Monitor

Node.js permission model bypass via FileHandle.utimes() allows local low-privilege users to modify file timestamps on paths outside their permitted write scope. Affecting Node.js 26.x before v26.3.1, this flaw is only exploitable when the experimental permission model is explicitly enabled via --experimental-permission, substantially limiting exposure. No public exploit code or active exploitation has been identified at time of analysis, and the vendor-released patch (v26.3.1) is confirmed available as of 2026-06-18.

Privilege Escalation Node Js
NVD GitHub VulDB
CVSS 3.0
3.3
EPSS
0.1%
CVE-2026-12102 LOW Monitor

Insecure Direct Object Reference in the UsersWP WordPress plugin (versions through 1.2.63) allows authenticated editor-level users to permanently delete or reset the avatar and banner images of any WordPress user account, including site administrators, by supplying an arbitrary user_id parameter. The vulnerability lies in missing authorization validation on the user_id key within image management handlers across class-forms.php, class-userswp.php, and class-profile.php, directly manipulating the uwp_usermeta table. No public exploit has been identified at time of analysis, and real-world severity is constrained by the high-privilege authentication prerequisite.

Authentication Bypass WordPress Userswp Front End Login Form User Registration User Profile Members Directory Plugin For Wp
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.3%
CVE-2026-55671 LOW PATCH GHSA Monitor

Server-Side Request Forgery in Zitadel's outgoing HTTP subsystems - HTTP Notification Channel webhooks, OIDC BackChannel Logout endpoints, and SAML Metadata URL fetches - enables authenticated users with application configuration privileges to force the Zitadel server to issue HTTP requests to internal network addresses, loopback interfaces, and cloud metadata endpoints such as the link-local IMDSv1 address 169.254.169.254. The pre-existing denylist for the Actions subsystem was additionally bypassable via DNS rebinding (TOCTOU), HTTP redirect following, and HTTPS-to-HTTP protocol downgrade, and all three newly affected components lacked denylist coverage entirely. No public exploit code has been identified at time of analysis; however, the vulnerability was independently reported by 13+ researchers, and a vendor patch is available in v4.15.2 with no backport for the v3.x branch.

Microsoft SSRF
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.3%
CVE-2026-8668 LOW PATCH Monitor

Hardcoded static credentials in Chef 360 prior to v1.7.0 exposed internal message queue infrastructure to unauthorized network access, disclosing tenant-specific identifiers across the multi-tenant platform. The credential was embedded in the product itself, making it accessible to any party with possession of the software. Progress Chef confirmed the issue and eliminated the static credential entirely in v1.7.0 by replacing it with per-tenant access controls. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental vector flags this as automatable (AU:Y) with proof-of-concept exploit maturity (E:P), elevating its realistic urgency beyond the low base score of 2.3.

Information Disclosure Chef360
NVD VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-55670 LOW PATCH GHSA Monitor

Cross-tenant user record leakage in ZITADEL versions 4.0.0-4.15.1 and 3.0.0-3.4.11 allows an organization administrator to inadvertently gain full access to a user record provisioned in a different tenant due to stale aggregate-ID ownership mappings persisting in the event store after user deletion. When a new user is later provisioned in a separate organization using the same ID as a previously deleted user, the event store's owner-resolution logic retrieves the original organization's mapping and incorrectly routes all new provisioning events there. No public exploit has been identified, CISA KEV listing is absent, and the vendor explicitly characterizes this as a non-targetable, low-practical-risk multi-tenancy isolation anomaly that cannot be forced or automated by a malicious actor.

Authentication Bypass
NVD GitHub
CVSS 4.0
2.3
EPSS
0.3%
CVE-2026-55170 LOW PATCH GHSA Monitor

OpenFGA's authorization Check API returns incorrect results when MySQL is configured as the datastore and authorization policies depend on case-sensitive user string differentiation. MySQL's default case-insensitive collations cause two distinct user identifiers - identical except for letter casing - to match the same stored authorization tuple, producing an 'allowed' response for a user identity that should be denied. This constitutes an improper policy enforcement flaw (GHSA-cf98-j28v-49v6) that can silently bypass fine-grained access controls in any deployment meeting the two required preconditions. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-40457 LOW PATCH Monitor

Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitrary JavaScript into the browsers of authenticated LMS users by crafting malicious links targeting the `dbrecover.php` and `netremap.php` modules. The `db`, `id`, and `mapto` GET parameters were directly concatenated into HTML anchor elements without sanitization, as confirmed by the upstream commit diff. No public exploit has been identified at time of analysis, exploitation is not confirmed in CISA KEV, and the CVSS 4.0 score of 2.1 reflects genuinely constrained impact due to the required victim interaction and specific attack preconditions.

PHP XSS Lms
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-48617 LOW PATCH Monitor

Pre-NVD disclosure via GitHub release '2026-06-18, Version 26.3.1 (Current), @aduh95' (nodejs/node). This is a security release. ### Notable Changes * (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High * (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High * (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium * (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium * (CVE-2026-48928) tls: fix case-sensitive SNI context matching

Authentication Bypass
NVD GitHub VulDB
CVSS 3.0
1.8
EPSS
0.2%
CVE-2026-54711 LOW GHSA Monitor

Credential exposure in pghoard (Aiven's PostgreSQL backup tool) causes database usernames and passwords sourced from .pgpass files to be written in plaintext to debug-level logs. Versions up to and including 2.1.0 are affected per CPE data, though the vendor advisory specifies the fix lands in 2.7.1. Any party with read access to debug log output - including operators, centralized log aggregation systems, or co-tenants in shared logging pipelines - can recover full database credentials. No public exploit code or CISA KEV listing exists at time of analysis, but the straightforward nature of the disclosure (passive credential leakage) makes exploitation trivially easy once log access is obtained.

Information Disclosure
NVD GitHub
CVE-2026-55701 MEDIUM PATCH GHSA This Month

Authentication bypass in the githubreceiver component of opentelemetry-collector-contrib (versions ≤ 0.150.0) allows unauthenticated attackers to inject arbitrary webhook payloads into the OpenTelemetry observability pipeline. The `required_headers` configuration field is validated at startup but never enforced by `handleReq()` at request time, meaning any HTTP POST to the webhook endpoint is accepted regardless of header values. The risk is compounded when the `Secret` field is left at its empty default, which causes `github.ValidatePayload` to skip HMAC verification entirely - leaving deployments that rely solely on `required_headers` for auth with zero effective authentication. No public exploit code exists at time of analysis, but the advisory provides sufficient implementation detail to trivially reproduce the bypass.

Authentication Bypass
NVD GitHub
CVE-2026-55617 MEDIUM PATCH GHSA This Month

Session replay attacks against Hydro competitive programming judge instances become viable because logout and session renewal flows create new tokens without invalidating the previous server-side session. An attacker who has captured a victim's stale sid cookie - via network interception, browser theft, or prior session compromise - can replay that cookie over HTTP or HTTPS at any point after logout and retain full authenticated access as the victim. The vulnerability affects hydrooj npm package versions 4.10.4 through 5.0.1; no public exploit or KEV listing is identified, but the attack primitive is straightforward once a stale cookie is obtained.

Authentication Bypass
NVD GitHub
CVE-2026-55887 HIGH PATCH GHSA This Week

Arbitrary code execution as root on the host running Docker MCP Gateway via argument injection in the `docker run` command line. A malicious OCI image author can craft an `io.docker.server.metadata` label that YAML-unmarshals into runtime-shaping fields of the `catalog.Server` struct, causing the gateway to append attacker-chosen flags like `-v /:/host` and `-u root` when launching the MCP server container. No public exploit identified at time of analysis, but the upstream advisory describes a full exploitation path.

Privilege Escalation RCE Docker
NVD GitHub
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy