Skip to main content
CVE-2026-49337 MEDIUM PATCH This Month

Unbounded heap growth in libde265 prior to version 1.0.20 allows remote attackers to exhaust process memory by delivering a crafted H.265 bitstream, resulting in denial of service. The flaw in `decoder_context::read_slice_NAL()` (decctx.cc:481) unconditionally attaches slice segment headers to finished picture objects regardless of whether an active image unit exists; in continuous streaming contexts these headers are never freed, enabling attacker-controlled memory accumulation without bound. No active exploitation is confirmed (not listed in CISA KEV) and no public POC has been identified at time of analysis, but the network-accessible, no-privileges-required vector makes any application consuming untrusted H.265 content an exposure surface.

Denial Of Service Libde265
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-49288 MEDIUM PATCH GHSA This Month

Unauthorized resource disclosure in Statamic CMS allows any authenticated Control Panel user to read metadata and content for entries, assets, users, roles, and groups beyond their assigned permissions. All v5 releases prior to 5.73.23 and all v6 releases prior to 6.20.0 are affected. Exploitation is read-only - no data can be modified - and no public exploit has been identified at time of analysis, but the flaw is significant for multi-tenant deployments relying on Statamic's role-based access controls to segregate content.

Information Disclosure Cms
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9013 MEDIUM This Month

Sensitive information exposure in the Bogo WordPress plugin through version 3.9.1 allows authenticated users with subscriber-level access to extract the raw title, body content, excerpt, and password of any private, draft, or password-protected post by abusing the translation duplication endpoint. The REST API handler bogo_rest_create_post_translation enforced only a locale-access capability check, which all authenticated users can satisfy, and returned raw post field values in the API response without verifying whether the requestor had read or edit rights over the source content. No public exploit code or active exploitation (CISA KEV) is confirmed at time of analysis, though the attack path is straightforward for any authenticated WordPress user.

Authentication Bypass WordPress Information Disclosure Bogo
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-10779 MEDIUM This Month

Missing authorization in the Classified Listing WordPress plugin (versions through 5.4.2) allows authenticated attackers with Subscriber-level accounts to overwrite the featured image of any listing on the site, regardless of ownership. The vulnerability originates in the rtcl_fb_gallery_image_update_as_feature AJAX handler, which accepts arbitrary user-supplied listing IDs and attachment IDs while relying solely on a nonce that is freely accessible to all logged-in frontend users - providing no meaningful access barrier for low-privilege accounts. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in CISA KEV.

Authentication Bypass WordPress Classified Listing Ai Powered Classified Ads Business Directory
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11775 MEDIUM This Month

Cross-Site Request Forgery in the User Admin Simplifier WordPress plugin (all versions up to and including 3.0.0) enables unauthenticated remote attackers to permanently delete any user's stored admin menu and admin-bar configuration by tricking a logged-in site administrator into submitting a forged request. The flaw exists because the `useradminsimplifier_options_page` function performs no valid nonce check before invoking `uas_save_admin_options()`, which unconditionally overwrites the `useradminsimplifier_options` database entry. No public exploit code has been identified at time of analysis, and this CVE does not appear in CISA's Known Exploited Vulnerabilities catalog.

CSRF WordPress User Admin Simplifier
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-54780 LOW PATCH GHSA Monitor

WS-Security DigestMethod validation in CoreWCF's receive pipeline can be bypassed, allowing a remote sender to present XML Digital Signatures that use cryptographically weak per-reference hash algorithms (e.g., SHA-1) even when the configured SecurityAlgorithmSuite explicitly prohibits them. Affected are all CoreWCF.Primitives releases below v1.8.1 and the 1.9.0 release (pre-1.9.1). The service silently accepts these weakened signatures as policy-compliant, undermining the integrity guarantees that the algorithm suite is designed to enforce. No public exploit or CISA KEV listing exists; the vendor has released patches in v1.8.1 and v1.9.1 with no available workaround.

Information Disclosure
NVD GitHub
CVSS 3.1
3.7
EPSS
0.2%
CVE-2026-55866 LOW PATCH GHSA Monitor

Authorization bypass in SpiceDB (versions 1.34.0-1.53.x) causes the permission check engine to return unconditional HAS_PERMISSION when the correct response should be CONDITIONAL_PERMISSION, due to a race condition in the dispatch result cache under concurrent API load. Deployments whose schemas combine intersection or exclusion of caveated and non-caveated relation branches are affected when LookupResources (with a context parameter) and CheckPermission or CheckBulkPermissions are issued concurrently for the same subject and resource while the dispatch cache is active. No public exploit has been identified at time of analysis, and all four triggering conditions must simultaneously hold, making this a low-probability but high-consequence authorization integrity issue for systems relying on SpiceDB as an enforcement boundary.

Authentication Bypass
NVD GitHub
CVSS 3.1
3.7
CVE-2026-49358 LOW POC PATCH GHSA Monitor

Arbitrary file deletion in PhpWeasyPrint prior to version 2.6.0 allows any code holding a reference to a generator instance to inject arbitrary filesystem paths into the public `AbstractGenerator::$temporaryFiles` array, which are then passed to `unlink()` without path-containment validation during script shutdown or object destruction. The vulnerability mirrors a previously disclosed pattern in the related KnpLabs/snappy library (GHSA-87qc-37cw-84h4), and is exploitable by malicious dependencies, plugin code, or any PHP code co-located in the same process with access to the generator object. No public exploit has been identified at time of analysis, and exploitation is substantially constrained by the requirement for high privileges and local code access.

PHP RCE Php Weasyprint
NVD GitHub VulDB
CVSS 3.1
3.0
EPSS
0.1%
CVE-2026-49231 LOW Monitor

Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to relay forged identity headers to upstream services, potentially assuming elevated privileges on those services. Versions 3.5.0 through 3.16.0 are affected, but only when the OPA plugin is deployed in a non-default configuration that fails to sanitize inbound identity headers before forwarding them. No public exploit or active exploitation has been identified; the CVSS 4.0 score of 2.3 reflects the constrained real-world impact driven by the specific configuration prerequisite and the limitation that only downstream upstream services are affected rather than APISIX itself.

Authentication Bypass Apache Apache Apisix
NVD VulDB
CVSS 4.0
2.3
EPSS
0.4%
CVE-2026-44046 LOW Monitor

The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its default configuration, allowing a low-privileged network attacker to inject spoofed identity information into application logs and manipulate IP-based access control rule evaluation. Rooted in CWE-348 (Use of Less-Trusted Source), the plugin accepts identity claims from a less-trusted input channel rather than authoritative internal state. No public exploit has been identified and the vulnerability is absent from the CISA KEV catalog; the vendor has released a fix in version 3.17.0.

Apache Information Disclosure Apache Apisix
NVD VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-55778 LOW PATCH Monitor

Stored XSS in Parse Server's file upload handler enables authenticated users to bypass the `fileUpload.fileExtensions` blocklist by pairing a non-standard or compound filename extension (e.g., `malicious.svg~`, `malicious.html.bak`) with a dangerous Content-Type header such as `image/svg+xml` or `text/html`. On S3 and GCS storage adapters, which persist and serve the client-supplied Content-Type, the uploaded file is subsequently delivered to browsers with attacker-controlled content, executing arbitrary JavaScript against any victim who opens the file URL. This is the third incomplete-fix iteration of the same vulnerability class (following GHSA-vr5f-2r24-w5hc and GHSA-7wqv-xjf3-x35v), with patches confirmed in versions 8.6.81 and 9.9.1-alpha.11 and no public exploit or CISA KEV listing identified at time of analysis.

File Upload XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-48895 LOW Monitor

Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP client headers, causing victim users to be redirected to attacker-controlled sites with potential session token leakage. Exploitation requires active user interaction and specific attack conditions (CVSS 4.0 AT:P, UI:A), yielding a vendor-assigned score of 2.1 (Low) - limiting realistic exposure to targeted phishing scenarios rather than opportunistic mass exploitation. No public exploit code or CISA KEV listing exists at time of analysis; the Apache Software Foundation has released a vendor-confirmed fix in version 3.17.0.

Apache Open Redirect Apache Apisix
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-44915 LOW Monitor

Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used in its default configuration. Affected are all APISIX deployments running versions 3.0.0 through 3.16.0 with cas-auth enabled. An unauthenticated remote attacker can craft a malicious CAS authentication URL that redirects victims to an attacker-controlled site, enabling session hijacking or credential harvesting. No public exploit or KEV listing is recorded at time of analysis, and the CVSS 4.0 base score of 2.1 reflects the attacker's dependence on user interaction and the absence of direct system-level impact.

Apache Open Redirect Apache Apisix
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-49871 LOW Monitor

The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration. An attacker who lures a victim to an attacker-controlled webpage can cause the victim's browser to complete a CAS authentication handshake as the attacker's identity within the APISIX gateway. Subsequent API gateway actions performed by the victim are then recorded and authorized under the attacker's account, creating audit trail corruption and potential authorization abuse. No public exploit code exists and this CVE is not listed in CISA KEV at time of analysis.

CSRF Apache Apache Apisix
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-54896 LOW PATCH GHSA Monitor

Heap buffer overflow in the Ruby Oj gem (versions before 3.17.3) occurs when Oj.dump serializes Exception objects in :object mode with an extreme :indent value. The pre-allocated output buffer does not account for indent padding bytes, allowing writes past the heap region and corrupting adjacent memory. No public exploit identified at time of analysis; the issue is triggered by developer-chosen serialization options rather than typical attacker-supplied input.

Heap Overflow Buffer Overflow
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-54898 LOW PATCH GHSA Monitor

Heap use-after-free in the Oj Ruby JSON parser allows malicious SAJ/SAJ2 callback handlers to dereference freed memory by mutating the input JSON string mid-parse, potentially leading to memory disclosure or arbitrary code execution within the Ruby process. The flaw affects the oj gem at versions below 3.17.2 and is triggered when a callback such as hash_start invokes String#replace with a larger payload, causing Ruby to reallocate the backing buffer that the C parser still references. No public exploit identified at time of analysis, but a fully working reproducer is published in the upstream GHSA advisory.

Use After Free Memory Corruption Information Disclosure
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-54897 LOW PATCH GHSA Monitor

Heap use-after-free in the Oj Ruby gem's `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) allows a Ruby block executed during iteration to free the underlying document buffer via `doc.close`, after which the native C iterator in `ext/oj/fast.c` dereferences the freed region. The flaw is reachable from pure Ruby and confirmed by an AddressSanitizer report against version 3.17.1, with no public exploit identified at time of analysis but a clear reproducer published in the GHSA advisory. Applications that parse attacker-influenced JSON with Oj::Doc and pass user-supplied callbacks into these iterators are most at risk.

Use After Free Memory Corruption RCE
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-54906 LOW PATCH GHSA Monitor

Write-lock mutual exclusion in concurrent-ruby's ReadWriteLock is broken in versions prior to 1.3.7, allowing any thread with a reference to the lock object to prematurely release another thread's active write lock, enabling concurrent writers and data races on protected shared state. Additionally, calling release_read_lock without holding a read lock corrupts the internal atomic counter from 0 to -1, causing all subsequent read acquisitions to fail with Concurrent::ResourceLimitError. Both defects are confirmed reproducible via publicly available proof-of-concept code in the GitHub Security Advisory GHSA-6wx8-w4f5-wwcr; no CISA KEV listing exists, and exploitation is constrained to in-process thread scenarios.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-54905 LOW PATCH GHSA Monitor

Write lock exclusivity is silently violated in concurrent-ruby's `ReentrantReadWriteLock`, confirmed on version 1.3.6 and fixed in 1.3.7. After a single thread acquires the read lock exactly 32,768 times reentrantl, its per-thread `@HeldCount` counter overflows into bit 15, which the implementation also uses as the `WRITE_LOCK_HELD` flag - causing `try_write_lock` to return `true` via the fast-path 'already hold write lock' branch without ever setting the global `RUNNING_WRITER` bit. Other threads receive no signal of an active writer and continue acquiring read locks concurrently, breaking mutual exclusion with no exception raised. A publicly available proof-of-concept reproduces the condition; no public exploit identified as actively exploited (not in CISA KEV).

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-48794 LOW PATCH GHSA Monitor

Authorization bypass in Authelia 4.36.0-4.39.19 allows an attacker to circumvent access control rules under an extremely narrow set of eight simultaneous conditions involving mixed-case domain requests, wildcard rule ordering, and a non-canonicalizing proxy. The flaw occurs because Go's case-sensitive `strings.HasSuffix` was used for wildcard domain matching: a crafted URL such as `https://a.B.example.com` causes the suffix check against `*.b.example.com` to fail silently, causing the authorization engine to fall through to a more permissive rule (e.g., `*.example.com → bypass`). No confirmed active exploitation has been identified and no CISA KEV listing exists; the CVSS 4.0 score of 1.3 with E:P reflects that proof-of-concept exploitation is plausible in theory but real-world exposure is extremely limited by the configuration prerequisites.

Authentication Bypass Authelia
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.3%
CVE-2026-55775 LOW PATCH GHSA Monitor

Namespace path canonicalization in OpenBao (versions 0.1.0 through 2.5.4) allows an authenticated token-holder with delegated namespace management capabilities inside a non-root namespace to operate on the containing (parent) namespace itself, rather than only its children. By passing the reserved literal string 'root' as the target namespace path to any `/sys/namespaces/*` endpoint, the path resolves to the containing namespace after canonicalization - because ACL evaluation occurs before that resolution, the access check passes on the child-scoped policy while the actual operation targets the parent. An attacker exploiting this can look up, delete, lock, or patch custom metadata on the containing namespace, with namespace deletion representing the most severe outcome: destroying all secrets, leases, and policies within it. A working public PoC is published in the GitHub Security Advisory (GHSA-mwr2-wmgp-crj6); no confirmed active exploitation in CISA KEV at time of analysis.

Authentication Bypass Hashicorp
NVD GitHub
CVE-2026-55774 LOW PATCH GHSA Monitor

Cross-namespace lease revocation in OpenBao allows authenticated tenants in one namespace to revoke leases belonging to any other namespace, bypassing multi-tenant ACL boundaries. Affected are all OpenBao versions from 0.1.0 through 2.5.4 (Go module pkg:go/github.com/openbao/openbao). An attacker who knows a lease identifier from a foreign namespace - for example through an intentional or accidental leak - can call sys/leases/revoke/:lease_id and force revocation of that namespace's credentials without any authorization to do so in that namespace. No public exploit has been identified at time of analysis, and this is noted as an incomplete fix of the related CVE-2026-45808.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-55185 MEDIUM PATCH GHSA This Month

Open redirect bypass in Miniflux v2 (versions <= 2.3.0) enables unauthenticated remote attackers to redirect victims to arbitrary external URLs by exploiting a backslash normalization discrepancy between server-side URL validation and browser behavior. The self-hosted RSS reader's login handler accepts a redirect_url parameter validated by an IsRelativePath function that blocks // prefixes but permits /\attacker.com - a string that all major browsers (Chrome, Firefox, Safari, Edge, as indicated by advisory tags) silently normalize to //attacker.com during HTTP Location header processing. A publicly documented proof-of-concept is available via GHSA-m999-j542-5w3r; no active exploitation has been confirmed in CISA KEV at time of analysis.

Microsoft Apple CSRF Open Redirect Mozilla +1
NVD GitHub
CVE-2026-55828 MEDIUM PATCH GHSA This Month

Symlink-chain path traversal in the go.qbee.io/transport library's extractTar routine allows a crafted tar archive to write or overwrite files one directory level above the intended extraction path. Applications using this library with elevated privileges - specifically qbee-agent, which runs as root - face the most severe impact, as exploitation enables root-privileged arbitrary file writes outside the extraction sandbox. No public exploit is identified at time of analysis; vendor-released patch v1.26.25 resolves the issue.

Path Traversal
NVD GitHub
CVE-2026-55795 MEDIUM PATCH GHSA This Month

Craft Commerce's CartController exposes a coupon code brute-force vector by conditionally applying rate limiting only when the 'number' parameter is present in a request. Unauthenticated attackers targeting the session-based cart endpoint can omit the 'number' parameter entirely, bypassing IP-based rate limiting and submitting unlimited coupon code guesses via automated requests. Affected versions span the entire 4.x line through 4.11.1 and the 5.x line through 5.6.4; a proof-of-concept is referenced in the advisory, and no public exploit identified at time of analysis beyond the disclosed PoC reproduction steps.

Information Disclosure
NVD GitHub
CVE-2026-49216 MEDIUM PATCH This Month

Stored cross-site scripting in symfony/ux-autocomplete allows an attacker who can write user-controlled data to an AJAX autocomplete endpoint to execute arbitrary JavaScript in the browser of any user who subsequently loads a page containing an affected autocomplete widget. The Stimulus controller's `_createAutocompleteWithRemoteData()` function interpolates the `text` field from AJAX responses directly into HTML template literals without sanitization, causing the browser to parse and execute embedded markup. The vulnerability affects composer package versions 2.2.0-2.36.0 and 3.0.0-3.1.0; a vendor-released patch is available, and no active exploitation has been confirmed (not in CISA KEV).

XSS
NVD GitHub
CVE-2026-49215 LOW PATCH Monitor

CSRF protection bypass in symfony/ux-live-component allowed cross-origin invocation of any server-side #[LiveAction] method against an authenticated victim's session. The library incorrectly relied on the Accept: application/vnd.live-component+html header as a CSRF guard, but per the Fetch specification §3.2.2 this is a CORS-safelisted header, meaning cross-origin fetch() calls can include it without triggering a preflight OPTIONS request. Applications using SameSite=None cookies or those reachable via a same-origin pivot (e.g., XSS on the same domain) are genuinely exposed; Symfony's default SameSite=Lax policy substantially mitigates the risk for standard deployments. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.

CSRF
NVD GitHub
CVE-2026-49212 LOW PATCH Monitor

Symfony/ux-live-component's LiveComponentHydrator computes HMAC checksums over prop key/value pairs alone, omitting the component name and slot identifier, enabling cross-component and cross-slot HMAC replay attacks. Any user able to interact with a LiveComponent-enabled page can capture a valid signed props blob minted for component A and submit it as component B's props (when key names overlap), or substitute a `props` blob into the `propsFromParent` slot, bypassing read-only prop integrity protection and forcing server-side component state to attacker-chosen values. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Information Disclosure
NVD GitHub
CVE-2026-49211 MEDIUM PATCH This Month

Unescaped SQL LIKE wildcards in symfony/ux-autocomplete allow unauthenticated network attackers to turn the autocomplete endpoint into a broad data matcher or blind boolean oracle against all entity columns. Because BaseEntityAutocompleteType defaults to security => false and searchable_fields defaults to all entity properties, versions >= 2.2.0 < 2.36.0 and >= 3.0.0 < 3.1.0 expose potentially sensitive entity data to any caller who sends % or _ as the query parameter. No public exploit has been identified at time of analysis, but the attack requires only standard HTTP tooling; patches are available in 2.36.0 and 3.1.0.

SQLi Information Disclosure Oracle
NVD GitHub
CVE-2026-49210 MEDIUM PATCH This Month

Cross-site scripting in symfony/ux-live-component allows network-accessible attackers to inject arbitrary HTML - including script tags - into re-rendered Live Component responses by supplying a malicious tag name via client-controlled JSON. Affected versions span composer/symfony/ux-live-component >= 2.8.0 < 2.36.0 and >= 3.0.0 < 3.1.0. Direct exploitation is constrained to applications with permissive CORS or same-origin pivot contexts; under default configuration the required Accept header provides partial protection that makes this a defense-in-depth gap rather than an immediately weaponizable internet-wide threat. No public exploit and no CISA KEV listing are confirmed at time of analysis.

XSS
NVD GitHub
CVE-2026-49209 LOW PATCH Monitor

Denial of service in symfony/ux-live-component's BatchActionController allows authenticated users to exhaust server CPU, memory, and database connections by submitting a single _batch HTTP request containing an unbounded number of actions. Each action in the client-supplied array triggers a full HttpKernel sub-request - including event subscribers, validators, Doctrine queries, and rendering - with no upper limit on array size. Fixed in versions 2.36.0 and 3.1.0; no public exploit or KEV listing identified at time of analysis.

Denial Of Service
NVD GitHub
CVE-2026-49208 MEDIUM PATCH This Month

Business logic bypass in Symfony UX LiveComponent (symfony/ux-live-component) allows any client to manipulate writable `#[LiveProp]` date fields to arbitrary points in time by submitting relative PHP date strings such as '+10 years' or 'tomorrow' - inputs the application would never generate legitimately. Applications that gate time-sensitive features (trial periods, discount windows, scheduling logic, subscription expiry) on these date props are exposed to unauthorized temporal state manipulation. No public exploit has been identified and no CVSS has been assigned by the vendor, but the attack surface exists wherever writable format-less DateTimeInterface props are present in security-relevant components.

Information Disclosure
NVD GitHub
Prev Page 6 of 6

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy