Skip to main content
CVE-2026-56099 MEDIUM POC PATCH This Month

Kernel stack memory disclosure in OpenBSD's MPLS input processing exposes arbitrary kernel stack contents to unauthenticated remote attackers via crafted MPLS frames. The flaw exists in `mpls_do_error` within `sys/netmpls/mpls_input.c` (revision 1.81), where a label-stack iterator lacked an upper-bounds guard, allowing a 16-label frame with no Bottom-of-Stack bit to drive an out-of-bounds read. A publicly available exploit exists per the Argus Systems advisory; this vulnerability is not confirmed as actively exploited in the CISA KEV catalog, and the CVSS 4.0 score is 6.9.

Information Disclosure Buffer Overflow Src
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-9815 MEDIUM POC This Month

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote code execution on any WordPress server running an affected installation whose form fields have an empty extension allowlist. The vulnerability is reachable via an unauthenticated AJAX endpoint, requires no privileges or user interaction, and a publicly available proof-of-concept exploit exists per WPScan. Despite the plugin's limited adoption, the combination of a public exploit, zero authentication requirement, and full server-side code execution makes this a materially higher-risk issue than the vendor-assigned CVSS score of 6.5 suggests.

PHP WordPress RCE Magicform
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-55602 MEDIUM PATCH GHSA This Month

Backend routing bypass in http-proxy-middleware allows unauthenticated external attackers to redirect HTTP requests to unintended backends by sending a crafted Host header that acts as a superstring of a configured host+path router key. The vulnerable substring matching logic (`hostAndPath.indexOf(key) > -1` in `src/router.ts`) affects npm package versions 0.16.0 through 3.0.5 and 4.0.0 through v4.0.0-beta.5, enabling bypass of tenant isolation, backend segmentation, or access-control boundaries enforced through proxy routing rules. Publicly available exploit code exists in the GitHub Security Advisory GHSA-64mm-vxmg-q3vj, with vendor-confirmed fixes released as versions 3.0.6 and 4.1.0.

Information Disclosure Docker Red Hat
NVD GitHub VulDB HeroDevs
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-56022 MEDIUM PATCH This Month

MFA bypass in Webmin prior to 2.641 enables remote attackers holding valid credentials to circumvent multi-factor authentication entirely by supplying the literal string 'webmin' as the HTTP User-Agent header, causing the server to accept basic authentication without requiring a session cookie or a second factor. The affected CPE covers all Webmin releases before 2.641, and the impact extends well beyond the low integrity score assigned by the official CVSS - Webmin is a full server administration panel, meaning successful authentication grants control over the underlying host. No public exploit code or CISA KEV listing has been identified at time of analysis; the issue was reported by CISA-CG and patched in the 2.641 release.

Authentication Bypass Webmin
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-54105 MEDIUM PATCH HOSTED Monitor

Insecure Direct Object Reference (IDOR) in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) permits remote unauthenticated attackers to harvest account-specific information from any registered user. By supplying an arbitrary 'user_id' value to the publicly exposed 'update-profile/' API endpoint, an attacker receives a JSON payload disclosing the target account's email address and associated metadata without any credential requirement. No public exploit code or CISA KEV listing exists at time of analysis, but the trivially low attack complexity - no authentication, no interaction, no special configuration - makes automated mass enumeration of the user base a realistic and immediate concern for agencies relying on these procurement dispute systems.

Authentication Bypass Microsoft Electronic Protest Docketing System Epds Electronic Docketing System Eds
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-50188 MEDIUM PATCH GHSA This Month

HTTP header injection (CRLF injection) in Kirby CMS's `Kirby\Http\Remote` class allows attackers who can influence outgoing request header values to inject or override arbitrary HTTP headers sent to upstream services. Affected are sites running Kirby versions up to 4.9.3 or 5.0.0-alpha.1 through 5.4.3 where custom code, plugins, or integrations pass user-controlled data into the `headers` option of `Remote` requests - the default Kirby installation is not affected. The attack targets the remote service receiving the manipulated request, enabling overrides of security-critical headers such as `Authorization`, `Host`, or `Cookie`, with downstream effects including unauthorized API access or upstream cache poisoning. No public exploit code and no CISA KEV listing have been identified at time of analysis; the 'RCE' tag in the source data appears to be a misclassification of this CWE-93 flaw.

RCE
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56021 MEDIUM This Month

Unauthenticated remote file disclosure in Webmin (all versions prior to 2.641) exposes the contents of any .conf file residing within module directories. The root cause is a flawed regular expression (CWE-185) that was intended to restrict accessible file paths but can be bypassed with a crafted request, allowing unauthenticated network attackers to read configuration files that may contain credentials, API keys, or other sensitive deployment data. No public exploit or CISA KEV listing has been identified at time of analysis, though the zero-authentication, network-accessible attack surface makes this straightforward to probe at scale.

Authentication Bypass Webmin
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-47833 MEDIUM PATCH This Month

Symlink-following in Cloud Foundry bpm-release's setupBpmLogs function enables a container-to-host confidentiality breach, allowing a compromised low-privileged process inside a bpm container to manipulate root into chowning an arbitrary host file - including /etc/shadow - to the vcap user. All bpm-release versions prior to v1.4.30 are affected. Once ownership of /etc/shadow is taken, the attacker reads every host password hash via bpm's existing read-only /etc bind mount, effectively breaking the container boundary without requiring any user interaction. No public exploit or CISA KEV listing has been identified at time of analysis, though the low attack complexity and clear exploitation path make this a credible near-term risk.

Privilege Escalation Bpm Release
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-55205 MEDIUM PATCH This Month

Resource exhaustion in Hermes WebUI before 0.51.468 exposes an unauthenticated POST /api/onboarding/oauth/start endpoint that accumulates unbounded in-memory OAuth flow state and daemon polling threads with each incoming request, enabling remote denial of service without authentication. The root cause - confirmed by vendor release notes and fix commit ce272d9 - is the absence of any deduplication or serialization check before allocating a new flow entry and spawning a worker thread per request. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Denial Of Service Hermes Webui
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-55885 MEDIUM PATCH GHSA This Month

Grav CMS (getgrav/grav < 1.7.53) exposes admin bcrypt password hashes, SMTP credentials, and full site configuration to any actor who can obtain a session-static admin-nonce value - via XSS, Referrer header leakage, browser history, or proxy logs - because the backup download endpoint enforces only a single URL-embedded nonce with no form-level CSRF token and no session binding. The default backup profile archives the entire GRAV_ROOT directory including user/accounts/ and user/config/ without exclusions, and the download handler Base64-encodes the absolute filesystem path in the response URL, leaking server internals. A fully functional public PoC is available; no CISA KEV listing exists at time of analysis, but downstream risk includes offline hashcat cracking followed by unauthenticated admin login with no server-side rate limiting.

CSRF Information Disclosure RCE XSS Path Traversal +1
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-56074 MEDIUM PATCH This Month

Tool approval cache bypass in PraisonAI Agents (praisonaiagents < 4.5.128) allows an LLM agent to execute arbitrary subsequent shell commands without user consent after a single initial approval. The approval system caches decisions keyed only on tool name - once a user approves `execute_command` for any command (e.g., `ls -la`), all further `execute_command` invocations in that agent session bypass the approval prompt entirely. Combined with `os.environ.copy()` passing the full process environment to every subprocess, this enables silent exfiltration of API keys and credentials; a publicly available proof-of-concept is included in the GHSA advisory. No confirmed active exploitation in CISA KEV at time of analysis.

Authentication Bypass Praisonai
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-55392 MEDIUM PATCH This Month

NILFS utilities (nilfs-utils) through version 2.3.0 crash when processing crafted NILFS2 filesystem images due to missing bounds validation on the s_log_block_size superblock field before performing bit-shift operations. Tools including nilfs-tune and dumpseg are affected: an attacker who can persuade a user to process a malicious image can trigger undefined behavior - either oversized shift operations or out-of-memory conditions - resulting in a denial of service via tool crash. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Denial Of Service Nilfs Utils
NVD GitHub VulDB
CVSS 4.0
6.7
EPSS
0.1%
CVE-2026-48981 MEDIUM PATCH This Month

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to trigger unauthorized outbound network connections or local file reads during XML parsing, executing within privileged setuid contexts (sudo, su). The vulnerability stems from libxml2's xmlReadFile() being called with flags=0, leaving external entity processing enabled by default - a configuration-time oversight rather than a runtime input flaw. No public exploit identified at time of analysis, but the scope change (S:C in CVSS) reflects that exploitation occurs inside processes running with elevated privileges, amplifying the potential impact of any upstream compromise that enables config tampering.

XXE Pam Usb
NVD GitHub
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-22551 MEDIUM PATCH This Month

Unconstrained Markdown image rendering in Eclipse Theia's AI chat component, in all versions prior to 1.71.0, enables silent data exfiltration when combined with prompt injection via a malicious workspace. An attacker who delivers a crafted workspace can inject instructions into the AI agent's context, causing it to construct Markdown image tags whose URLs encode sensitive workspace or conversation data; when the IDE renders these images, it issues HTTP GET requests transmitting that data to an attacker-controlled server. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the local-access, active-user-interaction model (CVSS 4.0: 6.7, AV:L/UI:A) correctly reflects that this is a targeted, workspace-delivery attack rather than a remote, unauthenticated threat.

Information Disclosure Eclipse Theia
NVD VulDB
CVSS 4.0
6.7
EPSS
0.2%
CVE-2026-48618 MEDIUM PATCH This Month

Improper hostname normalization in Node.js TLS server-identity verification (fixed in v26.3.1) lets a TLS peer's hostname be evaluated without proper Unicode/case normalization, so identity checks may match a host they should reject. Rated High by the Node.js team (CVSS 7.7, scope-changed, confidentiality-only), it can cause a client to trust the wrong server and expose data carried over the connection. No public exploit identified at time of analysis; this was disclosed pre-NVD via the nodejs/node June 2026 security release and is not listed in CISA KEV.

Information Disclosure Node Js
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-44942 MEDIUM PATCH This Month

Path traversal in libzypp's .repo file processing enables low-privileged network-accessible attackers to write content into arbitrary directories on the host filesystem beyond the intended zypp cache boundary. Affected versions span the 17.x series before 17.38.13 and the 16.x series before 16.22.19, covering systems running SUSE Linux Enterprise and openSUSE derivatives that use zypper as their package manager. The primary real-world impact is disk exhaustion across unexpected filesystem paths, causing a denial of service; no confidentiality impact is attributed in the CVSS assessment. No public exploit or CISA KEV listing has been identified at time of analysis.

Path Traversal Libzypp Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-54695 MEDIUM PATCH GHSA This Month

Unauthenticated call-control abuse in pipecat-ai development runner (>=0.0.77, <1.4.0) allows remote attackers reaching an exposed `/ws` telephony WebSocket to inject an attacker-controlled `callSid` that the server then submits to Twilio, Telnyx, or Plivo REST APIs using the operator's own credentials, forcibly terminating victim calls. Publicly available exploit code exists (a full Dockerized PoC is published in the GHSA advisory) and the maintainers shipped a fix in v1.4.0; no CISA KEV listing at time of analysis.

Python Docker Denial Of Service Authentication Bypass OpenSSL +1
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-49205 MEDIUM POC PATCH GHSA This Month

Missing authorization in four write API endpoints of phpMyFAQ prior to version 4.1.4 allows any holder of the shared API key to create categories, create or update FAQs, and post questions regardless of their assigned role permissions. The vulnerability is a partial remediation gap: CVE-2026-24421 previously added `userHasPermission` checks to BackupController, but that fix was not consistently applied to CategoryController::create, FaqController::create, FaqController::update, and QuestionController::create. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.

Authentication Bypass Phpmyfaq
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-56024 MEDIUM This Month

Cross-site request forgery in the WP EasyPay WordPress plugin (versions through 4.4.0) enables remote attackers to perform unauthorized administrative actions by tricking an authenticated WordPress administrator into visiting a maliciously crafted page. Missing or insufficient nonce verification on one or more plugin endpoints allows the attacker's forged request to be processed as a legitimate action using the victim's active session. No public exploit code and no CISA KEV listing are present at time of analysis.

CSRF Wp Easypay
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-54683 MEDIUM PATCH GHSA This Month

Improper authorization in nl.nl-portal:documenten-api (NL Portal Backend Libraries) exposes document contents to any authenticated portal user, regardless of document ownership. The flaw persisted across versions 3.0.1 and 3.0.2 despite a prior fix attempt for CVE-2026-49463: the GraphQL fix added an authentication parameter that was never passed to the service layer, and a parallel REST endpoint was left entirely unaddressed and protected only by a misconfigured security rule pointing at the wrong URL. No public exploit in CISA KEV, but a functional proof-of-concept is documented in the vendor advisory, and the CVSS 6.5 (PR:L/C:H) score reflects meaningful real-world impact for citizen and business portal deployments handling sensitive personal documents.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
CVE-2026-2021 MEDIUM This Month

Stored Cross-Site Scripting in the Slideshow Gallery LITE WordPress plugin (all versions through 1.8.5) allows authenticated attackers with Contributor-level access to persistently inject arbitrary JavaScript via the 'alwaysauto' shortcode attribute, which then executes in the browser of any user who visits the affected page. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, a classic CWE-79 pattern. The scope change in the CVSS vector (S:C) reflects that the injected script runs outside the plugin's security context - in victim users' browsers - enabling session hijacking, credential theft, or admin account takeover. No public exploit or CISA KEV listing has been identified at time of analysis.

WordPress XSS Slideshow Gallery Lite
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-8039 MEDIUM This Month

Stored Cross-Site Scripting in the Fancy Testimonials WordPress plugin (all versions ≤ 1.0, by dijitul) permits any authenticated Contributor-level user to persist arbitrary JavaScript via the 'author' attribute of the [testimonial] shortcode, which executes in every subsequent visitor's browser context. The CVSS scope change (S:C) reflects that injected scripts operate within the victim's browser session — enabling session hijacking, credential theft, or malicious redirects targeting site visitors and administrators alike. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the attack technique is trivially reproducible given knowledge of the shortcode parameter.

WordPress XSS Fancy Testimonials
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-11402 MEDIUM This Month

Stored Cross-Site Scripting in the bplugins Services Section Block WordPress plugin (all versions through 1.4.4) enables authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'link' block attribute. The payload evades wp_kses_post sanitization by embedding inside HTML comments at save time, then executes from two rendering paths - the primary service link anchor and a secondary title-wrapped anchor - when the linkIn option is set to 'title'. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the scope-changed (S:C) nature means injected content executes in any site visitor's browser session, enabling session hijacking or credential theft at scale.

WordPress XSS Services Section Block Showcase Service Details In Grid Or Columns
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12098 MEDIUM This Month

Stored Cross-Site Scripting in PowerPress Podcasting plugin by Blubrry (WordPress, versions ≤ 11.16.8) allows authenticated attackers with Author-level access to plant persistent JavaScript payloads via the 'embed' Episode Meta Field, executing in every visitor's browser on affected episode pages. The vulnerability is architecturally significant because the embed value is written through `update_post_meta()` rather than WordPress's post content pipeline, causing kses sanitization to be skipped entirely - bypassing the role-based XSS mitigations that WordPress normally enforces even for Author-role users who lack the `unfiltered_html` capability. No public exploit or CISA KEV listing has been identified at time of analysis, though the low authentication barrier (Author level) makes multi-author WordPress sites an elevated-risk target.

WordPress XSS Powerpress Podcasting Plugin By Blubrry
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12136 MEDIUM This Month

Stored Cross-Site Scripting in the Customize My Account For WooCommerce WordPress plugin (versions up to and including 4.3.6) allows authenticated attackers with Contributor-level access to inject persistent JavaScript payloads via the 'sysbasics_user_avatar' shortcode. The flaw originates in the wcmamtx_get_avatar_default() function, which concatenates unescaped user-supplied shortcode attributes (min_height, min_width, max_height, max_width) directly into the get_avatar() extra_attr style attribute, bypassing sanitization entirely. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though Wordfence has published full technical details including the vulnerable source lines.

WordPress XSS Sysbasics Customize My Account For Woocommerce Dashboard Endpoints Avatar Menu Manager
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-55886 MEDIUM PATCH GHSA This Month

Prototype pollution in the Jodit WYSIWYG editor npm package (versions < 4.12.26) allows mutation of Object.prototype via the public helper API Jodit.modules.Helpers.set(). When an application passes user-controlled or partially user-controlled key paths to this function, an attacker can inject arbitrary properties into the global Object.prototype, enabling logic bypass, denial of service, or secondary security issues throughout the entire JavaScript runtime. A proof-of-concept is publicly available in the GitHub advisory (GHSA-vpmm-x3fm-qr5c); no public exploit identified at time of analysis beyond this PoC, and no CISA KEV listing exists.

Prototype Pollution Node.js Denial Of Service
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-54004 MEDIUM PATCH GHSA This Month

Unauthorized file disclosure in Kirby CMS allows unauthenticated remote visitors to access files stored in top-level draft pages by requesting their clean file URL (e.g., /about-us/team.jpg) without authentication, draft-page authorization, or a valid preview token. The clean file redirect mechanism failed to enforce draft access controls before issuing the HTTP redirect to the physical media URL, affecting all Kirby 4 installations where content.fileRedirects has not been explicitly disabled and Kirby 5 installations where the option has been manually enabled. No public exploit or CISA KEV listing has been identified at time of analysis; patches are available in Kirby 4.9.4 and Kirby 5.4.4.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-48980 MEDIUM PATCH This Month

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware USB token authentication by manipulating the XRDP_SESSION, DISPLAY, or TMUX environment variables before invoking setuid binaries such as sudo or su. Because the PAM module calls standard getenv() - which does not sanitize values in privileged contexts - attacker-controlled environment data is used to determine whether the current session is local or remote, potentially defeating the core purpose of hardware-enforced authentication. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the authentication bypass impact makes this a high-priority upgrade for any deployment relying on pam_usb for privileged command gating.

Code Injection Pam Usb
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-12137 MEDIUM This Month

Reflected Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (versions ≤ 4.3.6) enables unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'tab' parameter in the admin settings page. Exploitation is constrained by a critical precondition: the vulnerable `plugin_options_page()` function is rendered exclusively in the WordPress admin dashboard, meaning the targeted victim must hold Shop Manager-level access or higher and be socially engineered into clicking a crafted link while authenticated. No public exploit code or CISA KEV listing has been identified at time of analysis; this is a no public exploit identified at time of analysis scenario reported by Wordfence.

WordPress XSS Sysbasics Customize My Account For Woocommerce Dashboard Endpoints Avatar Menu Manager
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-55093 MEDIUM PATCH GHSA This Month

Integer overflow in tract-nnef's NNEF .dat tensor parser allows loading a crafted model archive to produce a Tensor whose reported element count (e.g. 2^61+7) vastly exceeds its 56-byte heap allocation, causing a bounded heap out-of-bounds read during model build and a reliable SIGSEGV (DoS) on any access past the mapped region. Affected are all applications using tract-nnef < 0.21.16, 0.22.0-0.22.2, or 0.23.0-0.23.1 that load attacker-controlled NNEF model archives via the public `model_for_path` / `model_for_read` API. No public exploit is available at time of analysis, though the reporter demonstrated the issue against affected crate versions; no CISA KEV entry exists.

Information Disclosure Buffer Overflow
NVD GitHub
CVSS 3.1
6.1
CVE-2026-12527 MEDIUM This Month

Unauthenticated live video stream access on the V380 IP Camera (firmware AppFHE1_V1.0.6.020230803, Shenzhen Liandian Communication Technology LTD) is achievable by any adjacent-network attacker who directly queries the RTSP media delivery endpoint, entirely bypassing the credential-enforced live-view authentication workflow. The root cause, CWE-306 (Missing Authentication for Critical Function), confirms that the RTSP pipeline lacks the authentication gate applied to the device's primary viewing interface - a structural authorization boundary failure rather than a logic bypass. The CVSS 4.0 supplemental metrics flag this as automatable (AU:Y), urgency Red (U:Red), and safety-impacting (S:P), elevating real-world priority for deployments in sensitive physical security environments despite the adjacent-only attack vector; no public exploit identified at time of analysis, though a researcher's GitHub documentation provides significant technical detail.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-11752 MEDIUM PATCH GHSA This Month

Arbitrary file and environment variable reads on xDS client hosts are possible in Armeria versions 1.38.0 and 1.39.0 via the armeria-xds module's SDS (Secret Discovery Service) implementation. The DataSourceStream class resolves control-plane-supplied filename and environment_variable fields from SDS Secret resources without any path confinement or allow-listing, enabling a compromised or semi-trusted xDS control plane - or an attacker who can MITM unprotected SDS gRPC streams - to extract TLS private keys, Kubernetes service-account tokens, cloud credential files, and environment variables such as AWS_SECRET_ACCESS_KEY. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the confused-deputy pattern and Kubernetes deployment context make it a high-priority upgrade for affected users.

Kubernetes Java Code Injection
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-56009 MEDIUM This Month

Stored Cross-Site Scripting in the Bricksable for Bricks Builder WordPress plugin (versions through 1.6.83) allows a high-privileged attacker to inject persistent malicious scripts into page builder elements, which then execute in victims' browsers when affected pages are loaded. The CVSS scope change (S:C) confirms the injected payload crosses into the victim's browser security context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the viewing user. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the stored nature of this XSS increases persistence risk relative to reflected variants.

XSS Bricksable For Bricks Builder
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-56007 MEDIUM This Month

Stored XSS in OceanWP's Ocean Product Sharing WordPress plugin (all versions through 2.2.2) allows administrator-level attackers to persist malicious JavaScript into plugin configuration or product sharing fields. When other authenticated users or site visitors load affected product pages, the injected scripts execute in their browsers, enabling session cookie theft, credential harvesting, or unauthorized UI manipulation. No public exploit code has been identified and no active exploitation is confirmed (not in CISA KEV) at time of analysis; real-world risk is constrained by the PR:H requirement.

XSS Ocean Product Sharing
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-55591 MEDIUM PATCH GHSA This Month

Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.

Microsoft Docker Kubernetes Node.js SSRF +2
NVD GitHub
CVSS 3.1
5.8
CVE-2026-48983 MEDIUM PATCH This Month

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-controlled directory, potentially exposing future OTP values before use and undermining hardware-based PAM authentication on Linux. The flaw is a classic TOCTOU pattern in per-device and per-user pad directory creation, fixed as part of a 12-issue security hardening release (0.9.2) triggered by an ongoing audit. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, successful exploitation could permit authentication bypass by a local low-privilege user.

Information Disclosure Pam Usb
NVD GitHub
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-48982 MEDIUM PATCH This Month

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local race condition (CWE-362), allowing a precisely timed concurrent write to corrupt or reuse the stored OTP pad state. Systems running pam_usb as a PAM module for SSH, sudo, or login are affected on all versions before 0.9.2; successful exploitation could silently degrade hardware authentication integrity, creating a window for USB token replay attacks. No public exploit or CISA KEV listing has been identified at time of analysis; vendor-released patch 0.9.2 resolves this and 11 additional security findings.

Race Condition Information Disclosure Pam Usb
NVD GitHub
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-12039 MEDIUM PATCH This Month

DNS covert-channel exfiltration in Docker Sandboxes (sbx) prior to v0.33.0 allows untrusted workloads executing inside internet-connected sandboxes to bypass the configured HTTP/S-only egress allowlist by encoding data into DNS subdomain labels. The per-network embedded DNS resolver forwards all queried names to the host resolver without consulting egress policy, undermining the core isolation guarantee that sbx provides for AI agent workloads. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector assigns high confidentiality impact (VC:H), consistent with the ability to exfiltrate arbitrary in-sandbox data - including API keys, environment variables, and workspace secrets - to an attacker-controlled authoritative DNS server.

Authentication Bypass Docker
NVD GitHub
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-12539 MEDIUM PATCH This Month

ICMP egress policy bypass in Docker Sandboxes (sbx) allows untrusted workloads - explicitly including AI agents - to defeat the documented ICMP block and reach arbitrary external hosts after a Docker daemon restart. The authorizer enforcing the ICMP egress restriction is applied only at network-creation time and is never re-applied when the daemon reconstructs network state from disk on restart, leaving the policy unenforced for the lifetime of the rebuilt network. No public exploit has been identified at time of analysis, but the bypass enables network reconnaissance and covert-channel data exfiltration directly contradicting the sbx threat model, which treats sandbox workloads as adversarial.

Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-48985 MEDIUM PATCH This Month

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when loginctl returns an empty Remote field during session locality checks. The crash terminates the PAM module with SIGSEGV, and depending on PAM stack control flags (required vs. optional), can deny authentication to all users of the affected service - a local denial of service with potentially severe impact on system accessibility. No active exploitation confirmed (not in CISA KEV); vendor-released patch available in version 0.9.2, which also addresses 11 additional security findings discovered during an ongoing audit.

Denial Of Service Null Pointer Dereference Pam Usb
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-48928 MEDIUM PATCH This Month

TLS SNI context matching in Node.js performs case-sensitive hostname comparison, enabling network-accessible low-privileged attackers to bypass intended server-side TLS context selection by varying the casing of the SNI hostname in a ClientHello message. Affected versions prior to 26.3.1 may serve an incorrect TLS certificate or context when a client sends an SNI value with unexpected casing (e.g., 'EXAMPLE.COM' versus 'example.com'), yielding limited confidentiality and integrity impacts in multi-hostname deployments. No public exploit code or active exploitation has been identified; the fix shipped as part of the Node.js June 2026 coordinated security release alongside ten other CVEs.

Authentication Bypass Node Js Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-43915 MEDIUM PATCH This Month

Stored XSS in Coturn's web-admin HTTPS interface (all versions prior to 4.11.0) allows a TURN-level attacker to inject persistent JavaScript that executes in an authenticated administrator's browser when they view the session list. The attack is staged via a crafted USERNAME value in a TURN Allocate request, bridging the TURN protocol surface into the web-admin UI context. In anonymous deployments (--no-auth), no TURN credentials are required for the injection phase, broadening the exposure; in authenticated deployments the attacker must hold valid TURN credentials. No public exploit has been identified and this vulnerability is not listed in CISA KEV.

XSS Coturn Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-55226 MEDIUM PATCH GHSA This Month

Strimzi Kafka Operator versions 1.0.0 and earlier provision the Entity Operator ServiceAccount with combined RBAC rights for both the Topic Operator and User Operator regardless of which sub-operators are actually enabled in the Kafka custom resource, violating the principle of least privilege. When only one of the two sub-operators is deployed, the overly permissive ServiceAccount can access KafkaUser custom resources and namespace Secrets (when the User Operator is absent) or KafkaTopic custom resources (when the Topic Operator is absent). No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the High confidentiality impact (C:H) due to potential Secret access elevates the urgency of patching.

Privilege Escalation Red Hat
NVD GitHub
CVSS 3.1
5.4
CVE-2026-12093 MEDIUM This Month

Authorization bypass in the Simple Membership WordPress plugin (≤4.7.5) enables unauthenticated remote attackers to forcibly deactivate any member account by submitting a forged Stripe charge.refunded webhook payload carrying a known victim subscription ID. The plugin's webhook handler skips HMAC signature verification when the stripe-webhook-signing-secret option is absent - the default installation state - accepting the forged event as legitimate and setting the target account_state to 'inactive', firing cancellation hooks, recording a transaction status change, and dispatching a cancellation notification email. No public exploit has been identified at time of analysis, and no KEV listing exists, but the zero-prerequisite network attack path against default-configured sites elevates practical risk above the 5.3 CVSS score suggests.

Authentication Bypass WordPress Simple Membership
NVD VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-12120 MEDIUM This Month

Unauthenticated CSV export of form submission data in the FireBox Popups WordPress plugin (versions up to and including 3.1.7) exposes full personally identifiable information collected by any form on the site. The flaw lies in an unprotected endpoint that accepts a `form_id` parameter without authentication or authorization checks, allowing any remote attacker to enumerate form IDs and download complete submission records. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the trivial exploitation conditions and PII exposure make this a meaningful privacy and compliance risk for affected WordPress deployments.

WordPress Information Disclosure Firebox Popups Increase Sales And Grow Your Email List
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-10029 MEDIUM This Month

Unauthenticated sensitive information exposure in the Event Koi Lite WordPress plugin (all versions through 1.3.13.1) allows any remote visitor to retrieve private, draft, and pending event data via the unprotected get_events API endpoint. Exposed data includes virtual meeting URLs, physical venue addresses, GPS coordinates (latitude/longitude), Google Maps links, and RSVP configuration - all belonging to events deliberately kept out of public view. The root cause is CWE-862 (Missing Authorization): the get_events handler performs no publication-status or capability check before returning event records. No public exploit identified at time of analysis, but the endpoint is trivially callable by any unauthenticated HTTP client.

Authentication Bypass Google WordPress Information Disclosure Event Koi Lite Events Calendar Event Management Rsvp And Tickets
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-49274 MEDIUM PATCH GHSA This Month

Missing authorization in Kirby CMS's page picker backend exposes restricted page metadata to authenticated users whose roles have `pages.access` disabled. Affected sites running Kirby up to 4.9.3 or between 5.0.0-alpha.1 and 5.4.3 allow such users to confirm the existence of arbitrary pages and read their title fields by supplying a known page path directly to the picker endpoint - bypassing role-based access controls. No public exploit or active exploitation has been identified; impact is strictly information disclosure with no write capability.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-12049 MEDIUM PATCH This Month

Open redirect in pgAdmin 4's MFA validate and register endpoints allows network-accessible attackers to abuse the authentication flow as a phishing launchpad. Affected versions 6.0 through 9.15 pass the user-supplied 'next' query and form parameter directly to Flask's redirect response without verifying the target is same-origin, meaning a crafted URL such as /mfa/validate?next=https://attacker.example/fake-login silently forwards the victim from a trusted pgAdmin URL to an attacker-controlled site. No public exploit is identified at time of analysis and this CVE is not listed in CISA KEV; however, a reporter-supplied PoC was confirmed by the vendor and is documented in the upstream regression test suite.

Open Redirect Pgadmin 4
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-12050 MEDIUM PATCH This Month

{gid}/{sid}) permits a low-privilege authenticated user with an active PostgreSQL session to inject additional SQL statements by exploiting unsafe str.format() interpolation of the user-supplied 'value' field. Affected versions span pgAdmin 4 from 1.0 through 9.15; a patch was released in version 9.16. The injected SQL executes only under the authenticated user's existing database role, so no privilege boundary is crossed - the principal risk is bypass of application-layer controls that restrict the Query Tool while leaving the restore-point endpoint accessible. No public exploit or active exploitation confirmed at time of analysis.

PostgreSQL SQLi Pgadmin 4
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-55745 MEDIUM This Month

Cross-site request forgery in Cotonti 1.0.0's Personal File Storage module allows remote attackers to hijack authenticated user sessions to silently modify folder metadata. The folder update action ('a=update') in modules/pfs/inc/pfs.editfolder.php processes state-changing requests without invoking Cotonti's built-in anti-CSRF token validation function cot_check_xg(), enabling an attacker to force a logged-in user to unknowingly expose private folders or alter their descriptions. No public exploit code has been confirmed and the vulnerability is not listed in CISA KEV, but the specific vulnerable code commit is publicly identified by the reporter TuranSec.

CSRF PHP Cotonti
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy