Skip to main content
CVE-2026-54780 LOW PATCH GHSA Monitor

WS-Security DigestMethod validation in CoreWCF's receive pipeline can be bypassed, allowing a remote sender to present XML Digital Signatures that use cryptographically weak per-reference hash algorithms (e.g., SHA-1) even when the configured SecurityAlgorithmSuite explicitly prohibits them. Affected are all CoreWCF.Primitives releases below v1.8.1 and the 1.9.0 release (pre-1.9.1). The service silently accepts these weakened signatures as policy-compliant, undermining the integrity guarantees that the algorithm suite is designed to enforce. No public exploit or CISA KEV listing exists; the vendor has released patches in v1.8.1 and v1.9.1 with no available workaround.

Information Disclosure
NVD GitHub
CVSS 3.1
3.7
EPSS
0.2%
CVE-2026-55866 LOW PATCH GHSA Monitor

Authorization bypass in SpiceDB (versions 1.34.0-1.53.x) causes the permission check engine to return unconditional HAS_PERMISSION when the correct response should be CONDITIONAL_PERMISSION, due to a race condition in the dispatch result cache under concurrent API load. Deployments whose schemas combine intersection or exclusion of caveated and non-caveated relation branches are affected when LookupResources (with a context parameter) and CheckPermission or CheckBulkPermissions are issued concurrently for the same subject and resource while the dispatch cache is active. No public exploit has been identified at time of analysis, and all four triggering conditions must simultaneously hold, making this a low-probability but high-consequence authorization integrity issue for systems relying on SpiceDB as an enforcement boundary.

Authentication Bypass
NVD GitHub
CVSS 3.1
3.7
CVE-2026-49358 LOW POC PATCH GHSA Monitor

Arbitrary file deletion in PhpWeasyPrint prior to version 2.6.0 allows any code holding a reference to a generator instance to inject arbitrary filesystem paths into the public `AbstractGenerator::$temporaryFiles` array, which are then passed to `unlink()` without path-containment validation during script shutdown or object destruction. The vulnerability mirrors a previously disclosed pattern in the related KnpLabs/snappy library (GHSA-87qc-37cw-84h4), and is exploitable by malicious dependencies, plugin code, or any PHP code co-located in the same process with access to the generator object. No public exploit has been identified at time of analysis, and exploitation is substantially constrained by the requirement for high privileges and local code access.

PHP RCE Php Weasyprint
NVD GitHub VulDB
CVSS 3.1
3.0
EPSS
0.1%
CVE-2026-49231 LOW Monitor

Identity header spoofing in the Apache APISIX OPA (Open Policy Agent) plugin allows low-privileged network attackers to relay forged identity headers to upstream services, potentially assuming elevated privileges on those services. Versions 3.5.0 through 3.16.0 are affected, but only when the OPA plugin is deployed in a non-default configuration that fails to sanitize inbound identity headers before forwarding them. No public exploit or active exploitation has been identified; the CVSS 4.0 score of 2.3 reflects the constrained real-world impact driven by the specific configuration prerequisite and the limitation that only downstream upstream services are affected rather than APISIX itself.

Authentication Bypass Apache Apache Apisix
NVD VulDB
CVSS 4.0
2.3
EPSS
0.4%
CVE-2026-44046 LOW Monitor

The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its default configuration, allowing a low-privileged network attacker to inject spoofed identity information into application logs and manipulate IP-based access control rule evaluation. Rooted in CWE-348 (Use of Less-Trusted Source), the plugin accepts identity claims from a less-trusted input channel rather than authoritative internal state. No public exploit has been identified and the vulnerability is absent from the CISA KEV catalog; the vendor has released a fix in version 3.17.0.

Apache Information Disclosure Apache Apisix
NVD VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-55778 LOW PATCH Monitor

Stored XSS in Parse Server's file upload handler enables authenticated users to bypass the `fileUpload.fileExtensions` blocklist by pairing a non-standard or compound filename extension (e.g., `malicious.svg~`, `malicious.html.bak`) with a dangerous Content-Type header such as `image/svg+xml` or `text/html`. On S3 and GCS storage adapters, which persist and serve the client-supplied Content-Type, the uploaded file is subsequently delivered to browsers with attacker-controlled content, executing arbitrary JavaScript against any victim who opens the file URL. This is the third incomplete-fix iteration of the same vulnerability class (following GHSA-vr5f-2r24-w5hc and GHSA-7wqv-xjf3-x35v), with patches confirmed in versions 8.6.81 and 9.9.1-alpha.11 and no public exploit or CISA KEV listing identified at time of analysis.

File Upload XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-48895 LOW Monitor

Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP client headers, causing victim users to be redirected to attacker-controlled sites with potential session token leakage. Exploitation requires active user interaction and specific attack conditions (CVSS 4.0 AT:P, UI:A), yielding a vendor-assigned score of 2.1 (Low) - limiting realistic exposure to targeted phishing scenarios rather than opportunistic mass exploitation. No public exploit code or CISA KEV listing exists at time of analysis; the Apache Software Foundation has released a vendor-confirmed fix in version 3.17.0.

Apache Open Redirect Apache Apisix
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-44915 LOW Monitor

Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used in its default configuration. Affected are all APISIX deployments running versions 3.0.0 through 3.16.0 with cas-auth enabled. An unauthenticated remote attacker can craft a malicious CAS authentication URL that redirects victims to an attacker-controlled site, enabling session hijacking or credential harvesting. No public exploit or KEV listing is recorded at time of analysis, and the CVSS 4.0 base score of 2.1 reflects the attacker's dependence on user interaction and the absence of direct system-level impact.

Apache Open Redirect Apache Apisix
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-49871 LOW Monitor

The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration. An attacker who lures a victim to an attacker-controlled webpage can cause the victim's browser to complete a CAS authentication handshake as the attacker's identity within the APISIX gateway. Subsequent API gateway actions performed by the victim are then recorded and authorized under the attacker's account, creating audit trail corruption and potential authorization abuse. No public exploit code exists and this CVE is not listed in CISA KEV at time of analysis.

CSRF Apache Apache Apisix
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-54896 LOW PATCH GHSA Monitor

Heap buffer overflow in the Ruby Oj gem (versions before 3.17.3) occurs when Oj.dump serializes Exception objects in :object mode with an extreme :indent value. The pre-allocated output buffer does not account for indent padding bytes, allowing writes past the heap region and corrupting adjacent memory. No public exploit identified at time of analysis; the issue is triggered by developer-chosen serialization options rather than typical attacker-supplied input.

Heap Overflow Buffer Overflow
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-54898 LOW PATCH GHSA Monitor

Heap use-after-free in the Oj Ruby JSON parser allows malicious SAJ/SAJ2 callback handlers to dereference freed memory by mutating the input JSON string mid-parse, potentially leading to memory disclosure or arbitrary code execution within the Ruby process. The flaw affects the oj gem at versions below 3.17.2 and is triggered when a callback such as hash_start invokes String#replace with a larger payload, causing Ruby to reallocate the backing buffer that the C parser still references. No public exploit identified at time of analysis, but a fully working reproducer is published in the upstream GHSA advisory.

Use After Free Memory Corruption Information Disclosure
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-54897 LOW PATCH GHSA Monitor

Heap use-after-free in the Oj Ruby gem's `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) allows a Ruby block executed during iteration to free the underlying document buffer via `doc.close`, after which the native C iterator in `ext/oj/fast.c` dereferences the freed region. The flaw is reachable from pure Ruby and confirmed by an AddressSanitizer report against version 3.17.1, with no public exploit identified at time of analysis but a clear reproducer published in the GHSA advisory. Applications that parse attacker-influenced JSON with Oj::Doc and pass user-supplied callbacks into these iterators are most at risk.

Use After Free Memory Corruption RCE
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-54906 LOW PATCH GHSA Monitor

Write-lock mutual exclusion in concurrent-ruby's ReadWriteLock is broken in versions prior to 1.3.7, allowing any thread with a reference to the lock object to prematurely release another thread's active write lock, enabling concurrent writers and data races on protected shared state. Additionally, calling release_read_lock without holding a read lock corrupts the internal atomic counter from 0 to -1, causing all subsequent read acquisitions to fail with Concurrent::ResourceLimitError. Both defects are confirmed reproducible via publicly available proof-of-concept code in the GitHub Security Advisory GHSA-6wx8-w4f5-wwcr; no CISA KEV listing exists, and exploitation is constrained to in-process thread scenarios.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-54905 LOW PATCH GHSA Monitor

Write lock exclusivity is silently violated in concurrent-ruby's `ReentrantReadWriteLock`, confirmed on version 1.3.6 and fixed in 1.3.7. After a single thread acquires the read lock exactly 32,768 times reentrantl, its per-thread `@HeldCount` counter overflows into bit 15, which the implementation also uses as the `WRITE_LOCK_HELD` flag - causing `try_write_lock` to return `true` via the fast-path 'already hold write lock' branch without ever setting the global `RUNNING_WRITER` bit. Other threads receive no signal of an active writer and continue acquiring read locks concurrently, breaking mutual exclusion with no exception raised. A publicly available proof-of-concept reproduces the condition; no public exploit identified as actively exploited (not in CISA KEV).

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-48794 LOW PATCH GHSA Monitor

Authorization bypass in Authelia 4.36.0-4.39.19 allows an attacker to circumvent access control rules under an extremely narrow set of eight simultaneous conditions involving mixed-case domain requests, wildcard rule ordering, and a non-canonicalizing proxy. The flaw occurs because Go's case-sensitive `strings.HasSuffix` was used for wildcard domain matching: a crafted URL such as `https://a.B.example.com` causes the suffix check against `*.b.example.com` to fail silently, causing the authorization engine to fall through to a more permissive rule (e.g., `*.example.com → bypass`). No confirmed active exploitation has been identified and no CISA KEV listing exists; the CVSS 4.0 score of 1.3 with E:P reflects that proof-of-concept exploitation is plausible in theory but real-world exposure is extremely limited by the configuration prerequisites.

Authentication Bypass Authelia
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.3%
CVE-2026-55775 LOW PATCH GHSA Monitor

Namespace path canonicalization in OpenBao (versions 0.1.0 through 2.5.4) allows an authenticated token-holder with delegated namespace management capabilities inside a non-root namespace to operate on the containing (parent) namespace itself, rather than only its children. By passing the reserved literal string 'root' as the target namespace path to any `/sys/namespaces/*` endpoint, the path resolves to the containing namespace after canonicalization - because ACL evaluation occurs before that resolution, the access check passes on the child-scoped policy while the actual operation targets the parent. An attacker exploiting this can look up, delete, lock, or patch custom metadata on the containing namespace, with namespace deletion representing the most severe outcome: destroying all secrets, leases, and policies within it. A working public PoC is published in the GitHub Security Advisory (GHSA-mwr2-wmgp-crj6); no confirmed active exploitation in CISA KEV at time of analysis.

Authentication Bypass Hashicorp
NVD GitHub
CVE-2026-55774 LOW PATCH GHSA Monitor

Cross-namespace lease revocation in OpenBao allows authenticated tenants in one namespace to revoke leases belonging to any other namespace, bypassing multi-tenant ACL boundaries. Affected are all OpenBao versions from 0.1.0 through 2.5.4 (Go module pkg:go/github.com/openbao/openbao). An attacker who knows a lease identifier from a foreign namespace - for example through an intentional or accidental leak - can call sys/leases/revoke/:lease_id and force revocation of that namespace's credentials without any authorization to do so in that namespace. No public exploit has been identified at time of analysis, and this is noted as an incomplete fix of the related CVE-2026-45808.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-49215 LOW PATCH Monitor

CSRF protection bypass in symfony/ux-live-component allowed cross-origin invocation of any server-side #[LiveAction] method against an authenticated victim's session. The library incorrectly relied on the Accept: application/vnd.live-component+html header as a CSRF guard, but per the Fetch specification §3.2.2 this is a CORS-safelisted header, meaning cross-origin fetch() calls can include it without triggering a preflight OPTIONS request. Applications using SameSite=None cookies or those reachable via a same-origin pivot (e.g., XSS on the same domain) are genuinely exposed; Symfony's default SameSite=Lax policy substantially mitigates the risk for standard deployments. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.

CSRF
NVD GitHub
CVE-2026-49212 LOW PATCH Monitor

Symfony/ux-live-component's LiveComponentHydrator computes HMAC checksums over prop key/value pairs alone, omitting the component name and slot identifier, enabling cross-component and cross-slot HMAC replay attacks. Any user able to interact with a LiveComponent-enabled page can capture a valid signed props blob minted for component A and submit it as component B's props (when key names overlap), or substitute a `props` blob into the `propsFromParent` slot, bypassing read-only prop integrity protection and forcing server-side component state to attacker-chosen values. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Information Disclosure
NVD GitHub
CVE-2026-49209 LOW PATCH Monitor

Denial of service in symfony/ux-live-component's BatchActionController allows authenticated users to exhaust server CPU, memory, and database connections by submitting a single _batch HTTP request containing an unbounded number of actions. Each action in the client-supplied array triggers a full HttpKernel sub-request - including event subscribers, validators, Doctrine queries, and rendering - with no upper limit on array size. Fixed in versions 2.36.0 and 3.1.0; no public exploit or KEV listing identified at time of analysis.

Denial Of Service
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy