Skip to main content
CVE-2019-25760 MEDIUM POC This Month

Joomla!. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP LFI Easy Shop
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-9822 MEDIUM POC PATCH This Month

Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hospitality business data to any authenticated Subscriber-level user. Affected AJAX handlers lack WordPress capability checks, enabling low-privilege users to read other guests' booking line items, enumerate active coupon codes, and access internal pricing data across the entire site. A public proof-of-concept exploit exists per WPScan; while not confirmed actively exploited in CISA KEV, the low authentication barrier and publicly available exploit represent meaningful real-world risk for any hotel or hospitality site with user registration enabled.

Information Disclosure WordPress Wp Hotel Booking
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-11941 MEDIUM POC PATCH GHSA This Month

Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI feature flag to remote denial of service and limited heap disclosure. Two FFI iterator functions - quiche_connection_id_iter_next and quiche_conn_retired_scid_next - return raw pointers to ConnectionId values that are immediately freed when their owning Rust scope exits, leaving callers holding dangling pointers. No public exploit has been identified at time of analysis and there is no CISA KEV listing, but the CVSS 5.6 (AV:N/AC:H) score correctly reflects the constrained preconditions imposed by the opt-in build flag.

Use After Free Memory Corruption Information Disclosure Denial Of Service Quiche
NVD GitHub VulDB
CVSS 3.1
5.6
EPSS
0.2%
CVE-2026-55791 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c55v-343g-5xff) provides detailed exploitation mechanics.

SSRF RCE Apache XSS Nginx
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56080 MEDIUM PATCH This Month

Capgo's Enforce Password Policy feature in versions before 12.128.2 permanently locks Super Admins out of their organization through a backend state management flaw, constituting a targeted denial-of-service against administrative access. When a Super Admin enables the password policy and successfully changes their password to a policy-compliant value, the backend fails to mark the account compliant, trapping the account in an infinite forced-password-reset loop and severing all organization management access. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.9 reflects the high-privilege prerequisite and pure availability impact with no confidentiality or integrity consequence.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56132 MEDIUM PATCH This Month

Heap-based buffer overflow in libexpat before 2.8.2 allows heap memory corruption in applications that process externally-supplied XML with external entity parameter parsing enabled. The flaw resides in the doProlog function of xmlparse.c, where the scaffold backing array (scaffIndex) - used to index DTD content model tree nodes - is reallocated using the child parser's m_groupSize counter, which diverges from the actual allocated capacity of the shared scaffIndex inherited from the parent parser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the upstream fix PR includes a functional reproduction test case confirming exploitability.

Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-55770 MEDIUM PATCH GHSA This Month

LDAP injection in OpenBao versions 0.1.0 through 2.5.4 allows an attacker with a valid low-privileged LDAP account to impersonate arbitrary directory users, including administrators, by supplying filter metacharacters in the username field at login. The root cause is a function selection error in `sdk/helper/ldaputil/client.go`: `EscapeLDAPValue()` (RFC 4514, DN escaping) is used in LDAP filter construction instead of `ldap.EscapeFilter()` (RFC 4515), leaving characters `*`, `(`, `)`, `\`, and NUL unescaped and injectable. Publicly available exploit code exists in the vendor advisory; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

LDAP Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
6.8
CVE-2026-55837 MEDIUM PATCH GHSA This Month

Token exfiltration in dbt-mcp's embedded OAuth helper server (versions before 1.20.0) allows any co-located process or DNS-rebinding attacker to retrieve a victim's full dbt Cloud access and refresh tokens via a single unauthenticated HTTP GET request. Developers running dbt-mcp in OAuth mode on any shared or browser-accessible host are affected for the entire lifetime of the OAuth helper process following a completed login flow. No public exploit identified at time of analysis, though the GitHub security advisory (GHSA-jr33-mw75-7j8f) includes a fully functional Docker-based PoC with step-by-step reproduction artifacts, substantially lowering the exploitation barrier.

Python CSRF Information Disclosure Docker Authentication Bypass
NVD GitHub
CVSS 3.1
6.8
CVE-2026-54775 MEDIUM PATCH GHSA This Month

Persistent denial-of-service in CoreWCF.Kafka allows any attacker with write access to a consumed Kafka topic to permanently halt message processing by publishing a single null-value (tombstone) record. Affected versions span all CoreWCF.Kafka releases below 1.8.1 and the 1.9.0 release prior to 1.9.1. The consume pump exits without recovery on the uncaught exception, meaning the endpoint remains silently dead until the service process is manually restarted - no exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-11989 MEDIUM This Month

Server-Side Request Forgery in the Bit Integrations WordPress plugin (all versions through 2.8.7) allows unauthenticated attackers to force the web server to issue arbitrary HTTP requests to internal or external locations via the upload_attachment function. Exploitation enables querying and modifying data from internal services reachable by the web server, including metadata services in cloud environments, internal APIs, or private network endpoints. No public exploit is identified at time of analysis, but the attack requires only a default integration configuration, substantially lowering the practical barrier to exploitation.

Google WordPress SSRF Bit Integrations Form Integration Webhook Spreadsheets Crm Lms Email Automation
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-48129 MEDIUM PATCH This Month

Path traversal in Kestra's `inputFiles` task mechanism allows remote attackers to write arbitrary files to the worker filesystem when flows forward untrusted webhook or execution data as file names. Affected across four release branches (prior to 1.3.19, 1.2.19, 1.1.19, and 1.0.43), exploitation depends on a specific flow design pattern but requires no authentication if the target webhook is publicly accessible. No public exploit code or active exploitation has been identified at time of analysis, but the CVSS integrity impact is rated High due to the ability to create or overwrite files outside the task working directory.

Path Traversal Kestra
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-54911 MEDIUM PATCH GHSA This Month

Silent UTF-8 rewriting in UltraJSON (ujson) versions up to and including 5.12.1 allows input validation bypass and data integrity corruption when the reject_bytes=False encoding option is used. Malformed or truncated byte sequences - including invalid continuation bytes and over-read sequences - are silently transformed into different, syntactically valid Unicode characters rather than triggering an error, meaning data that exits ujson.dumps() differs from data that entered it. This creates a validation bypass window for any application that validates raw bytes before serialization, and no public exploit has been identified at time of analysis, though the flaw is fully described with reproducible examples in the GHSA advisory.

Python Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-27878 MEDIUM PATCH This Month

Grafana Tempo and Enterprise Traces (GET) are vulnerable to an authenticated denial-of-service condition triggered by submitting a TraceQL query containing an excessively large exemplars hint value, causing the Tempo service to allocate unbounded memory until an out-of-memory crash occurs. Any authenticated user with query access - even low-privileged - can exploit this to take down the Tempo tracing backend, disrupting observability pipelines for the entire platform. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Grafana Denial Of Service Enterprise Traces Get Tempo
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49271 MEDIUM PATCH This Month

Out-of-bounds heap read in libheif's uncompressed HEIF decoder allows a remote attacker to crash any application processing crafted HEIF files. Versions prior to 1.22.1 fail to safely validate icef compressed-unit offsets because the addition of unit_offset + unit_size can integer-wrap, bypassing the range check and permitting a C++ vector to be constructed from iterators pointing outside the compressed item buffer. Exploitation requires a user or automated pipeline to open an attacker-supplied HEIF file; no public exploit or CISA KEV listing exists at time of analysis.

Information Disclosure Buffer Overflow Libheif Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54777 MEDIUM PATCH GHSA This Month

Local named pipe interception in CoreWCF.NetNamedPipe allows an authenticated local attacker to hijack WCF inter-process communication by winning a TOCTOU race condition. Affected versions expose a window between GUID publication to shared memory and named pipe creation, during which an attacker can pre-create the pipe and silently intercept or manipulate all NetNamedPipe transport traffic. No public exploit or active exploitation has been identified; fixed versions 1.8.1 and 1.9.1 are available from the vendor.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-55776 MEDIUM PATCH GHSA This Month

OpenBao's transit secrets engine crashes the entire server process when an authenticated caller submits a key-creation request combining an asymmetric key type (rsa-*, ecdsa-*, ed25519) with the derived: true parameter. Affected versions confirmed as 2.5.2 and 2.5.4, with earlier versions also likely vulnerable per the GHSA advisory. The server returns no HTTP response, terminates with exit code 2, and the crash propagates to the entire cluster - making this a high-impact availability denial-of-service requiring only a single authenticated API request. Publicly available exploit code exists in the form of a detailed PoC curl command included in the security advisory; no CISA KEV listing is present at time of analysis.

Docker Denial Of Service Hashicorp Suse
NVD GitHub
CVSS 3.1
6.5
CVE-2026-49359 MEDIUM POC PATCH GHSA This Month

PhpWeasyPrint (pontedilana/php-weasyprint) prior to version 2.6.0 enables server-side request forgery and local file disclosure through its `attachment` option, which passes any URL-shaped value through PHP's `file_get_contents()` without restricting the URL scheme. Applications that expose the `attachment` option to user-controlled input allow an attacker to probe internal HTTP endpoints (including cloud instance metadata services) and read arbitrary local files by supplying schemes such as `file://` or `php://filter/...`, with exfiltrated content embedded directly into the generated PDF output. This is the same vulnerability class patched in KnpLabs/snappy (GHSA-c5fp-p67m-gq56); no public exploit or CISA KEV listing exists at time of analysis.

PHP SSRF Php Weasyprint
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-12706 MEDIUM This Month

Use-after-free in FFmpeg's RASC video decoder exposes Red Hat Enterprise Linux AI 3 and Red Hat OpenShift AI deployments to denial-of-service attacks via crafted media files. The decode_move() function retains a raw pointer into a heap-allocated decompressed buffer that is subsequently reallocated during move-table processing, leaving the pointer dangling; reading through it crashes the process. No public exploit or KEV listing has been identified at time of analysis, but the network-accessible attack vector (file delivery over the internet) and lack of authentication prerequisites make this a realistic threat to any environment that processes untrusted AVI content using the affected FFmpeg builds.

Use After Free Memory Corruption Denial Of Service Red Hat Enterprise Linux Ai Rhel Ai 3 Red Hat Openshift Ai Rhoai +2
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-8118 MEDIUM This Month

Arbitrary file read in Royal Addons for Elementor versions 1.7.1058-1.7.1059 allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the PHP process - including wp-config.php and its database credentials - via a crafted wpr-data-table widget saved through Elementor's save_builder endpoint. The flaw is a regression: the vulnerable wpr_get_csv_handle() helper was itself introduced in version 1.7.1058 as the remediation for a prior CVE (CVE-2026-6229), meaning the security patch introduced a new, exploitable path. No public exploit has been identified at time of analysis, but the low privilege bar (Contributor) and high-value disclosure target (database credentials) elevate real-world risk on WordPress sites that permit open or low-friction contributor registration.

PHP WordPress Information Disclosure Royal Addons For Elementor Addons And Templates Kit For Elementor
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-4328 MEDIUM This Month

Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. No public exploit code has been identified at time of analysis, but the scope change in the CVSS vector reflects that successful exploitation escapes the WordPress application boundary and can reach internal network services, including cloud instance metadata endpoints such as AWS IMDSv1.

XSS WordPress SSRF Advanced Import
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12157 MEDIUM This Month

Stored Cross-Site Scripting in BetterDocs WordPress plugin (versions ≤4.5.3) allows authenticated contributors to inject persistent malicious scripts via the unescaped blockId attribute of the betterdocs/category-slate-layout Gutenberg block. The injected payload executes in the browser of any visitor who loads the compromised page, enabling session hijacking, credential theft, or admin-level privilege escalation against site operators. No public exploit identified at time of analysis, but the contributor-level authentication threshold makes this accessible on any WordPress site permitting open or shared content authorship.

WordPress XSS Betterdocs Ai Documentation Knowledge Base Docs Wikis Faq With Chatbot
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-1856 MEDIUM This Month

Stored Cross-Site Scripting in the Creavi Appointment Booking Calendar plugin for WordPress (all versions through 1.4.4) allows authenticated attackers holding Author-level access or higher to permanently inject arbitrary JavaScript via unsanitized custom booking field labels. The malicious payload executes in the browser of any user who subsequently visits a page containing the injected booking form, enabling session hijacking, credential harvesting, or malicious redirects against site visitors and administrators alike. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis, though a fix commit is available in the WordPress plugin Trac repository.

WordPress XSS Creavi Appointment Booking Calendar
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-54899 MEDIUM PATCH GHSA This Month

Heap use-after-free in the Oj Ruby JSON parser (versions prior to 3.17.3) is triggered when an application toggles the symbol_keys option from true to false on a reused Oj::Parser instance. The opt_symbol_keys_set function frees the internal key cache via cache_free but fails to NULL the d->key_cache pointer, so the next parse call dereferences freed memory through cache_intern, potentially leading to memory disclosure, crashes, or controlled corruption. No public exploit identified at time of analysis, and the issue is documented in GitHub Security Advisory GHSA-2cw7-v8ff-p88r.

Use After Free Memory Corruption Information Disclosure
NVD GitHub
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-47341 MEDIUM This Month

HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hmac-auth signed token to reuse that token indefinitely, entirely bypassing expiry enforcement under certain plugin configurations. The CVSS 4.0 vector (6.3, AT:P) confirms exploitation depends on a specific hmac-auth configuration condition, limiting blanket exposure but posing significant risk to affected deployments where tokens can be intercepted. No public exploit code or CISA KEV listing has been identified at time of analysis; the fix is available in version 3.17.0 per the Apache security advisory.

Apache Authentication Bypass Apache Apisix
NVD VulDB
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-54502 MEDIUM PATCH GHSA This Month

Stack-based buffer overflow in the Oj Ruby JSON gem (versions prior to 3.17.3) allows a developer-controlled large :indent value passed to Oj.dump to overwrite up to 2 GB of stack memory, crashing the Ruby process. The flaw is reachable only when application code forwards an untrusted or extreme indent value into Oj.dump, and no public exploit identified at time of analysis demonstrates code execution beyond denial of service.

Stack Overflow Buffer Overflow
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-54903 MEDIUM PATCH GHSA This Month

Heap corruption in the Ruby Oj JSON parser (`Oj.load`) is triggered when applications process attacker-controlled JSON strings larger than 2 GB containing an escape sequence, due to an integer overflow in `read_escaped_str` that wraps a 32-bit length to a negative value and is then cast to `size_t`, causing `memcpy` to copy ~2 GB out of bounds. Versions of the `oj` gem prior to 3.17.3 are affected, and no public exploit identified at time of analysis; CVSS and EPSS are not provided.

Integer Overflow Denial Of Service
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-54902 MEDIUM PATCH GHSA This Month

Use-after-free in the Oj Ruby JSON gem's SAJ parser allows an attacker who can influence parsed JSON content and the SAJ callback handler to crash the Ruby process and potentially corrupt memory. Oj::Parser fails to protect heap-allocated cached object keys of 35 bytes or more from garbage collection, so a GC cycle triggered from inside a hash_end callback frees the key while C code still holds a dangling VALUE pointer. No public exploit identified at time of analysis, but a working reproducer is published in the GHSA advisory.

Use After Free Memory Corruption Denial Of Service
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-54901 MEDIUM PATCH GHSA This Month

Use-after-free in the Oj Ruby JSON gem (≤ 3.17.1) crashes the host process when Oj::Parser is configured in :usual mode with a custom array_class or hash_class. Because parser_mark fails to register those VALUEs with the Ruby GC, the class object can be reclaimed and the next parse() dereferences freed memory, producing a segfault. A reproducer is published in the GHSA advisory; there is no public exploit identified for remote use and the issue is not listed in CISA KEV.

Use After Free Memory Corruption Denial Of Service
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-54900 MEDIUM PATCH GHSA This Month

Heap corruption in the Oj Ruby JSON parser allows remote attackers to crash or potentially corrupt memory in applications that parse untrusted JSON with `Oj::Parser` in `:usual` mode when the `create_id` option is enabled. A 65,535-byte object key triggers an integer truncation in `form_attr` (ext/oj/usual.c:63) that turns the buffer length into `(size_t)-1`, causing `memcpy` to write `SIZE_MAX` bytes onto a fixed 65,536-byte cache slab. No public exploit identified at time of analysis beyond the maintainer-supplied reproduction script in GHSA-9cv6-qcjw-4grx.

Python Use After Free Memory Corruption Denial Of Service
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-49230 MEDIUM This Month

Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated network attackers to circumvent JWE token integrity validation and reach services protected by the gateway. The root cause (CWE-354) is improper validation of the JWE authentication tag under the plugin's default configuration, meaning crafted or tampered tokens are accepted as legitimate. No public exploit code and no CISA KEV listing are identified at time of analysis; the vendor-released fix is Apache APISIX 3.17.0.

Apache Authentication Bypass Apache Apisix
NVD VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-9143 MEDIUM This Month

Silent integer truncation in NI grpc-device 2.17.0 and earlier allows unauthenticated network-accessible attackers to corrupt size values processed by the CodeGen component, potentially causing integrity violations in instrument control operations. The root cause is CWE-681 - missing range checks during numeric type conversion in CodeGen - meaning oversized size fields silently lose their high-order bits rather than being rejected or flagged. No CISA KEV listing and no public exploit code have been identified at time of analysis, placing this in a lower operational priority tier despite its medium CVSS 4.0 score of 6.3.

Information Disclosure Grpc Device Instrumentstudio
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-12726 MEDIUM This Month

Server-Side Request Forgery in AWX's GitHub webhook integration (Red Hat Ansible Automation Platform 2) enables a remote attacker possessing a job template's webhook_key to redirect PAT-bearing status callbacks to an attacker-controlled endpoint, exfiltrating the configured GitHub Personal Access Token. The attack exploits AWX's failure to validate that the pull_request.statuses_url field in an incoming webhook payload points to a legitimate GitHub API domain before using it as a POST target. No public exploit is identified at time of analysis, but successful exploitation yields persistent GitHub repository access through the stolen PAT, extending the blast radius well beyond the AWX system itself.

SSRF Red Hat Ansible Automation Platform 2 Red Hat
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-21768 MEDIUM This Month

HTML injection in HCL Verse for Android's rich text email composition component enables malicious content execution on the local device. The compose-rich-editor library (v1.0.0-rc14) bundled with HCL Verse for Android fails to sanitize HTML input, allowing crafted content to execute in the composition context. With High confidentiality and integrity impact signals in the CVSS vector, successful exploitation could expose sensitive email data or allow unauthorized modification of content; no public exploit code has been identified at time of analysis.

Google Information Disclosure Verse For Android
NVD VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-54778 MEDIUM PATCH GHSA This Month

Race condition in CoreWCF.UnixDomainSocket peer identity resolution can cause one connection's POSIX identity to be misattributed to another connection, or crash the host process under contention. The root cause is the library's use of the non-reentrant POSIX functions `getpwuid` and `getgrgid` in concurrent connection handling paths, affecting all CoreWCF.UnixDomainSocket versions below 1.8.1 and 1.9.x versions below 1.9.1. No public exploit or CISA KEV listing has been identified at time of analysis.

Race Condition Denial Of Service
NVD GitHub
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-55846 MEDIUM PATCH GHSA This Month

Path traversal in Allure Report's built-in HTTP server (allure-commandline <= 2.38.1) allows any client that can reach the server port to read arbitrary files accessible to the Allure process. The vulnerability exists in Commands.setUpServer() where request URI paths are resolved against the report directory without normalization or containment checks, and Java's URI.getPath() additionally percent-decodes sequences like %2e%2e to .., bypassing client-side normalization. A proof-of-concept is publicly available via the GitHub Security Advisory GHSA-82cg-3hv7-74gc; no CISA KEV listing has been confirmed at time of analysis, though real-world risk is materially elevated in CI/CD environments where --host 0.0.0.0 is commonly used.

Path Traversal Microsoft Java
NVD GitHub
CVSS 3.1
6.2
CVE-2026-55877 MEDIUM PATCH GHSA This Month

Cross-site scripting in Symfony UX Icons (symfony/ux-icons) allows an attacker who controls SVG icon content - via a malicious third-party icon pack, a downloaded icon set, or a tampered Iconify on-demand endpoint - to inject and execute arbitrary JavaScript in the browsers of users who load any page rendering those icons. Two distinct sanitization failures existed: the local-file path in `Icon::fromFile()` only stripped top-level `<script>` children of `<svg>`, ignoring nested scripts and all `on*` event-handler attributes, while the Iconify on-demand path (enabled by default) applied zero sanitization to the remote JSON `body` field before inlining it as HTML. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-55423 MEDIUM PATCH GHSA This Month

Incomplete session termination in Langflow (pip/langflow < 1.7.0) leaves authentication cookies active after logout on shared machines, allowing any subsequent browser user to resume the previous session without credentials. The `/logout` endpoint issued cookie-deletion calls without matching the `httponly`, `samesite`, `secure`, and `domain` attributes used at cookie creation, causing browsers to silently ignore the deletion; the frontend compounded this by also failing to clear `access_token_lf` and `refresh_token_lf` from storage. No public exploit code has been separately catalogued, though the PoC is trivially reproducible (click Logout, press refresh), and the vulnerability is not listed in CISA KEV.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-55847 MEDIUM PATCH GHSA This Month

Stored XSS in allure-generator (versions <= 2.38.1) allows arbitrary JavaScript execution in the browser of anyone who views a generated Allure report containing crafted test result data. The vulnerable `ansi.js` Handlebars helper passes unsanitized `statusMessage` and `statusTrace` values - sourced from JUnit XML failure messages and equivalent fields in TRX, xUnit XML, xctest, and Allure 1/2 plugins - through `ansi-to-html` without HTML escaping, then wraps the output in `SafeString` to bypass Handlebars' auto-escape protection. A publicly available proof-of-concept demonstrates exploitation via a crafted JUnit XML file; the attack is particularly relevant to CI/CD environments (Jenkins, GitLab, GitHub Actions) where reports are served on shared infrastructure with active authenticated sessions.

Gitlab Java Jenkins XSS
NVD GitHub
CVSS 3.1
6.1
CVE-2026-55832 MEDIUM PATCH GHSA This Month

Arbitrary local file disclosure in the Rust crate tract-onnx (by Sonos) allows an attacker who supplies a malicious ONNX model file to read arbitrary files from the victim's filesystem at model-load time, with file contents surfaced directly in inference tensor output. The root cause is that `get_external_resources()` in `onnx/src/tensor.rs` passes the attacker-controlled `location` field of ONNX external-data tensors directly to `PathBuf::join()` without sanitization, enabling both absolute-path overrides and relative `../` traversal. A secondary denial-of-service (panic) is possible via out-of-bounds `offset`/`length` values. Publicly available exploit code exists (full PoC confirmed on tract-onnx 0.21.16); no active exploitation has been confirmed by CISA KEV at time of analysis.

Path Traversal Denial Of Service Python RCE
NVD GitHub
CVSS 3.1
6.1
CVE-2026-48141 MEDIUM This Month

Memory exhaustion denial of service in NI grpc-device's BeginSidebandStream RPC endpoint allows authenticated network attackers to crash or destabilize the server by triggering a cumulative memory leak with each invocation. All versions of NI grpc-device up to and including 2.17.0 are affected, along with NI InstrumentStudio as a dependent product. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the network-accessible attack vector makes it relevant for any deployment where the grpc-device server is reachable by untrusted authenticated clients.

Denial Of Service Grpc Device Instrumentstudio
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-54779 MEDIUM PATCH GHSA This Month

SAML token replay protection in CoreWCF.Primitives is silently inoperative when DetectReplayedTokens is explicitly enabled, allowing replay attacks to succeed against WCF services using SAML-based federated authentication. Affected versions of the NuGet package CoreWCF.Primitives include all releases before 1.8.1 and the 1.9.0 release prior to 1.9.1. A network-accessible attacker in possession of a valid, unexpired SAML token can replay it to impersonate a legitimate user, defeating the only control operators may have believed was protecting against token theft - no public exploit code has been identified, and this is not listed in CISA KEV.

Information Disclosure
NVD GitHub
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-54773 MEDIUM PATCH GHSA This Month

Signature substitution in CoreWCF's WS-Security message processing allows a remote unauthenticated attacker to replace the server's cryptographic integrity check with a signature of the attacker's choosing, effectively forging authenticated SOAP messages. Affected versions of CoreWCF.Primitives perform a document-wide lookup for ds:Signature elements rather than scoping verification to the wsse:Security header, so an attacker-injected signature in a preceding SOAP header is found and verified first. Exploitation is constrained by two non-default server-side prerequisites, limiting widespread risk on generic deployments, but the integrity bypass is complete where those conditions are met. No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis.

Jwt Attack Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-54762 MEDIUM PATCH GHSA This Month

The Kubernetes Ingress NGINX provider in Traefik v3.7.0-ea.1 through v3.7.4 fails open when BasicAuth or DigestAuth cannot be installed because the referenced auth-secret is unresolvable, silently publishing the intended-to-be-protected backend route without any authentication middleware to unauthenticated network clients. Operators who explicitly configure auth via nginx.ingress.kubernetes.io/auth-type and auth-secret annotations are left with a live, fully accessible backend route while Traefik logs a single controller-level error and routes traffic normally - a direct violation of the declared security intent. A detailed proof-of-concept covering eight distinct secret-failure scenarios was developed by the reporter and confirmed on both current master and v3.7.1; no public release of exploit code is confirmed and no CISA KEV listing exists at time of analysis.

Nginx Kubernetes Denial Of Service Docker Red Hat +1
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-55568 MEDIUM PATCH GHSA This Month

Silent TLS downgrade in Guzzle's built-in cURL handlers exposes proxy credentials and tunneled connection metadata to network interception when the application is configured to use an https:// proxy but runs against libcurl older than 7.50.2. Affected deployments see proxy authentication headers (Proxy-Authorization, CURLOPT_PROXYUSERPWD), CONNECT target host/port for tunneled HTTPS, and full request headers and bodies for plain HTTP requests transmitted without encryption - with no runtime error or warning from Guzzle or libcurl. No public exploit identified at time of analysis and no CISA KEV listing; however, the CVSS confidentiality impact is rated High (C:H) due to full credential exposure on the proxy leg.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-55187 MEDIUM PATCH GHSA This Month

Incomplete SSRF remediation in mailpit v1.29.2 through v1.30.1 leaves the Link Check API bypassable via IPv6 transition mechanism literals (6to4, NAT64, IPv4-compatible IPv6, ISATAP, Teredo) and unclassified IPv6 prefixes (fec0::/10, 2001:db8::/32) that Go's stdlib Is* classification helpers silently pass. An unauthenticated network attacker who can deliver email to mailpit's SMTP listener and invoke the Link Check API can coerce the application into dialing internal IPv4 destinations - including cloud metadata endpoints at 169.254.169.254 - by encoding the target as an IPv6 literal that returns false for all seven predicates in IsInternalIP, bypassing the guard introduced for CVE-2026-27808. Publicly available exploit code exists in the form of a reproducible unit test and end-to-end proof-of-concept published in the advisory; this is the same deny-list bypass class confirmed in CVE-2026-44430 (MCP Registry) and CVE-2026-45741 (Gotenberg).

Gitlab Python Microsoft Canonical SSRF
NVD GitHub
CVSS 3.1
5.8
EPSS
0.3%
CVE-2026-39998 MEDIUM This Month

Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to manipulate header values forwarded by the forward-auth plugin to upstream backend services. The flaw, rooted in improper input validation (CWE-20) of the forward-auth plugin's header handling, enables an attacker to impersonate other identities as seen by backend services that rely on APISIX to assert trustworthy identity context. No active exploitation is confirmed in CISA KEV and no public proof-of-concept has been identified, but the CVSS 4.0 subsequent-system impact metrics (SC:H/SI:H/SA:H) signal that backend services face high-severity consequences if exploited.

Apache Information Disclosure Apache Apisix
NVD VulDB
CVSS 4.0
5.8
EPSS
0.3%
CVE-2026-55767 MEDIUM PATCH GHSA This Month

Cookie domain validation in guzzlehttp/guzzle before 7.12.1 allows cross-origin cookie injection when a shared CookieJar contacts both attacker-controlled and trusted hosts. The flaw stems from SetCookie::matchesDomain() normalizing dot-only Domain values (e.g., 'Domain=.', 'Domain=..') to an empty string, while SetCookie::validate() only rejected strictly empty domains - meaning normalized-empty domains were stored and silently treated as matching every request host. Any application using new Client(['cookies' => true]) or an explicit shared CookieJar that requests data from an attacker-reachable origin is exposed to session fixation or cookie injection against unrelated downstream services. No public exploit or CISA KEV listing has been identified at time of analysis.

Code Injection
NVD GitHub
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-50195 MEDIUM PATCH GHSA This Month

Checkpoint image poisoning in containerd's CRI implementation allows an attacker with pod-creation permissions to corrupt the node-local image cache, causing victim pods to silently execute malicious images in place of legitimate ones. The root cause is missing validation of image references embedded in checkpoint image configurations: containerd trusts attacker-controlled strings in the checkpoint archive to drive image pulls and local tag assignment. Subsequent pods using an IfNotPresent or Never pull policy then inherit the poisoned tag and execute arbitrary code under the victim pod's Kubernetes identity. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis; vendor-released patches are available.

RCE Checkpoint Containerd
NVD VulDB GitHub
CVSS 4.0
5.6
EPSS
0.3%
CVE-2026-49336 MEDIUM POC PATCH GHSA This Month

Credential leakage in @microsoft/kiota-http-fetchlibrary versions 1.0.0-preview.97 through 1.0.0-preview.101 causes Bearer tokens and session cookies to be forwarded to attacker-controlled cross-origin redirect destinations because the default RedirectHandler's header-scrubbing logic silently fails: FetchRequestAdapter lowercases all header keys before the middleware sees them, but scrubSensitiveHeaders performs PascalCase deletes (delete headers.Authorization), targeting keys that no longer exist. This flaw is present in the default middleware chain with no opt-in configuration required, affecting every kiota-generated TypeScript SDK - including Microsoft Graph clients - that uses BaseBearerTokenAuthenticationProvider or any auth provider that sets the Authorization header. Proof-of-concept code exists (CVSS 4.0 E:P), and a vendor patch is available in version 1.0.0-preview.102; no active exploitation has been confirmed in the CISA KEV at time of analysis.

Microsoft Information Disclosure Kiota Typescript
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.7%
CVE-2026-8296 MEDIUM PATCH This Month

Stored Cross-Site Scripting in Octopus Server allows authenticated high-privilege users to embed malicious JavaScript payloads through the artifact upload mechanism, which execute in the browsers of other users who interact with the affected artifact. The CVSS 4.0 vector (PR:H, UI:A, VC:H) confirms exploitation requires elevated access and victim interaction, with the primary impact being confidentiality - likely session token or credential theft. No public exploit code exists and the vulnerability has not been added to the CISA KEV catalog at time of analysis.

XSS Octopus Server
NVD VulDB
CVSS 4.0
5.6
EPSS
0.2%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy