Skip to main content
CVE-2026-12795 MEDIUM POC This Month

Missing authentication in LiteLLM's SSO Debug Flow exposes the `json.dumps` output of the `ui_sso.py` management endpoint to unauthenticated remote attackers, enabling authentication bypass against versions up to 1.82.2. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this is network-exploitable with no privileges or user interaction required. A public proof-of-concept has been disclosed on GitHub, elevating practical risk beyond the moderate base score alone; no active exploitation has been confirmed by CISA KEV at the time of analysis.

Authentication Bypass Litellm
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-12773 MEDIUM POC This Month

Authentication bypass in BerriAI LiteLLM versions 1.59.0 through 1.59.8 allows unauthenticated remote attackers to circumvent the UserAPIKeyAuth function within the experimental MCP Proxy server component, gaining unauthorized access to protected LLM proxy functionality without valid credentials. A public proof-of-concept exploit is confirmed available via GitHub gist (YLChen-007), materially lowering the bar for exploitation. No CISA KEV listing is present at time of analysis, but the network-accessible, zero-authentication attack surface combined with an available PoC warrants urgent remediation prioritization for any deployment with the MCP server component exposed.

Authentication Bypass Litellm
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-12775 MEDIUM POC This Month

SQL injection in Montodel House-Rental-Management's /login.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and interact with the underlying database without credentials. A public proof-of-concept exploit is available on GitHub, and the vendor was unresponsive to pre-disclosure contact, leaving no patch path. Any internet-exposed deployment of this PHP application should be treated as immediately at risk given the zero-barrier exploitation prerequisites and available exploit code.

SQLi PHP House Rental Management
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-56299 MEDIUM PATCH This Month

Authentication bypass in Capgo's /build/upload/:jobId/* endpoint exposes all versions before 12.128.2 to unauthenticated denial of service. Remote attackers exploit HTTP OPTIONS request handling to sidestep authentication middleware entirely, forcing tusProxy to execute with invalid credentials and reliably producing HTTP 500 errors at scale. No public exploit code or CISA KEV listing exists at time of analysis, but the trivial attack mechanics - requiring no credentials, tools, or interaction - mean any internet-exposed Capgo instance is at risk of request flooding.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-56316 MEDIUM PATCH This Month

Unauthenticated job ID enumeration in Cap-go (Capgo) before version 12.128.2 exposes internal builder job identifiers via observable response discrepancies on the OPTIONS /build/upload/:jobId/* endpoint. Any network-accessible attacker can probe this endpoint without credentials to distinguish valid job IDs from invalid ones, effectively building a map of active build jobs. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the zero-barrier exploitation (no auth, no interaction) and dual impact of information disclosure and incidental resource consumption make it a meaningful exposure for organizations running self-hosted Capgo instances.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56411 MEDIUM PATCH This Month

Integer overflow in the xmlwf utility bundled with libexpat before 2.8.2 enables heap corruption via XML documents containing an excessive number of NOTATION declarations in a DOCTYPE block. The flaw in endDoctypeDecl allows a crafted XML file to wrap a signed integer counter, producing an undersized heap allocation that can be overflowed with high confidentiality and integrity impact. No confirmed active exploitation (not in CISA KEV) and no public exploit code have been identified at time of analysis; vendor-released patch is available in libexpat 2.8.2.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56410 MEDIUM PATCH This Month

Integer overflow in libexpat's xmlwf tool allows an attacker supplying a crafted XML file with an excessively long DOCTYPE system identifier to trigger a heap buffer overflow via the resolveSystemId function. All libexpat versions before 2.8.2 are affected; the root cause is an unchecked size_t arithmetic operation - both the addition of string lengths and the subsequent multiplication by sizeof(XML_Char) - before a malloc call. No public exploit has been identified at time of analysis, and exploitation requires local access under high-complexity conditions per the CVSS:3.1/AV:L/AC:H vector.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56408 MEDIUM PATCH This Month

Integer overflow in libexpat's copyString function (xmlparse.c) allows heap buffer overflow when processing specially crafted XML input, affecting all libexpat versions before 2.8.2. The missing bounds check on a size multiplication permits an attacker-controlled string length to wrap around SIZE_MAX, producing an undersized heap allocation that is subsequently overwritten - enabling potential memory corruption, arbitrary code execution, or data disclosure in any application consuming the library. No public exploit has been identified at time of analysis; a vendor-released patch is available in libexpat 2.8.2.

Integer Overflow Buffer Overflow Libexpat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56407 MEDIUM PATCH This Month

Integer overflow in libexpat before 2.8.2 allows heap corruption during XML prolog parsing when accumulated entity value pool length exceeds INT_MAX, yielding high confidentiality and integrity impact per CVSS. The flaw resides in doProlog and the related storeSelfEntityValue path, where poolLength() return values are cast to signed integers without bounds validation - a gap closed in the upstream fix via explicit INT_MAX guards. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the widespread use of libexpat as a dependency across system tools, language runtimes, and XML-processing services means the blast radius of a weaponized exploit would be broad.

Integer Overflow Buffer Overflow Libexpat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56406 MEDIUM PATCH This Month

Integer overflow in libexpat's XML_ParseBuffer function allows potential heap corruption leading to high-confidentiality and high-integrity impact in all libexpat versions before 2.8.2. The overflow occurs because XML_ParseBuffer lacked a bounds check on the byte index accumulator that was already present in the sibling XML_Parse function - a defensive guard omitted asymmetrically between two code paths. Any application that routes XML input through XML_ParseBuffer (a common pattern in incremental parsing) is exposed. No public exploit has been identified at time of analysis and no KEV listing exists, but the high C and I CVSS impact ratings reflect the potential for code execution via heap corruption.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56405 MEDIUM PATCH This Month

Integer overflow in libexpat's getAttributeId routine exposes any application embedding libexpat before version 2.8.2 to memory corruption with high confidentiality and integrity impact when parsing specially crafted XML documents. The flaw occurs when an internal counter traversing the attribute ID table reaches INT_MAX and wraps, producing an invalid index that can corrupt adjacent heap memory. No public exploit has been identified at time of analysis, and CISA has not listed this in the KEV catalog, but a vendor-released patch is available in libexpat 2.8.2 and upgrade is the recommended remediation.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56404 MEDIUM PATCH This Month

Integer overflow in libexpat's addBinding function (xmlparse.c) before version 2.8.2 allows memory corruption during XML namespace binding processing, with high confidentiality and integrity impact. All libexpat releases from 0 through 2.8.2-pre are affected (CPE: cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*), encompassing a significant downstream attack surface given the library's widespread use in Python, PHP, and system utilities. No public exploit or active exploitation has been confirmed at time of analysis; the official CVSS 3.1 score of 6.9 reflects meaningful impact tempered by high attack complexity and a local attack vector.

Integer Overflow Buffer Overflow Libexpat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56403 MEDIUM PATCH This Month

Integer overflow in libexpat's storeAtts() function before version 2.8.2 allows heap buffer corruption during XML namespace attribute processing. When an XML document contains namespace-qualified attributes whose prefix name or local-part name approaches or exceeds INT_MAX bytes, the combined expanded-name length calculation wraps to a small integer, causing allocation of an undersized heap buffer followed by an out-of-bounds write during the memcpy phase. The vendor CVSS scores this 6.9 with High confidentiality and integrity impact; no public exploit has been identified at time of analysis and the CVE is not listed in the CISA KEV catalog.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56236 MEDIUM PATCH This Month

Symlink-following vulnerabilities in Capgo CLI before version 12.128.2 (npm @capgo/cli < 7.84.6) allow an attacker who controls a repository to overwrite arbitrary files on a developer's machine and expose sensitive signing credentials when the developer runs CLI login or build credential operations inside that repository. Three distinct issues are present: unsafe writeFileSync on .capgo and .capgo-credentials.json without symlink validation, and global credential files written with world-readable 664 permissions instead of the required 0600. A proof-of-concept demonstrating the .capgo clobber is publicly documented in the GitHub Security Advisory GHSA-8mpm-q7mh-8fvh. No CISA KEV listing exists at time of analysis, but exploitability is straightforward given the PoC and low attack complexity.

Information Disclosure Cli
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-56409 MEDIUM PATCH This Month

Integer overflow in the `xmlwf` command-line utility bundled with libexpat before 2.8.2 allows heap buffer overflow when the `-d outputDir` flag is used with extremely long path values. The overflow occurs during malloc size calculation - `(tcslen(outputDir) + tcslen(file) + 2) * sizeof(XML_Char)` - wrapping the size_t to a near-zero value, causing an undersized allocation followed by out-of-bounds write during filename construction. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the heap overflow primitive is well-understood and could yield code execution in automated XML processing pipelines.

Integer Overflow Buffer Overflow Libexpat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-56378 MEDIUM PATCH This Month

Heap out-of-bounds read in ImageMagick's PCD image decoder (versions prior to 7.1.2-15 and 6.9.13-40) allows unauthenticated network-reachable attackers to cause denial of service and disclose a single adjacent heap byte by supplying a crafted PCD file to an image-processing endpoint. The vulnerability is rooted in the PCD coder's DecodeImage loop and requires high attack complexity (AC:H) with specific attack prerequisites (AT:P), meaning the target application must actively process attacker-supplied PCD files. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis, though .NET bindings via Magick.NET NuGet packages are also affected and carry a separate fix version.

Information Disclosure Denial Of Service Buffer Overflow Imagemagick Red Hat
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56367 MEDIUM PATCH This Month

Integer overflow in ImageMagick's PSB/PSD v2 RLE decoder (ReadPSDChannelRLE in coders/psd.c) causes a heap out-of-bounds read exclusively on 32-bit builds, enabling information disclosure or process crash when processing attacker-controlled PSB files. Affected versions span ImageMagick below 7.1.2-15 and 6.9.x below 6.9.13-40, with corresponding Magick.NET NuGet packages below 14.10.3 also confirmed vulnerable. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that exploitation is constrained to 32-bit deployments processing untrusted PSB input.

Information Disclosure Buffer Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56412 MEDIUM PATCH This Month

Use-after-free in libexpat before 2.8.2 arises from the `doCdataSection` function omitting `beforeHandler`/`afterHandler` depth-tracking calls for `XML_TOK_DATA_CHARS` tokens during CDATA section parsing - an incomplete fix for the related CVE-2026-50219. When a policy violation occurs during handler callback invocation in this code path, the parser's internal call-depth counter becomes inconsistent, enabling a use-after-free condition. An attacker supplying specially crafted XML to any libexpat-consuming application may trigger limited memory corruption, information disclosure, or availability impact under high-complexity conditions; no public exploit is identified at time of analysis and no CISA KEV listing exists.

Information Disclosure Use After Free Memory Corruption Libexpat Red Hat +1
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-56384 MEDIUM PATCH This Month

Missing authorization in the Craft CMS `assets/preview-thumb` Control Panel endpoint allows any authenticated low-privilege CP user to obtain signed transform preview URLs for private assets they are not permitted to view, by supplying an attacker-controlled `assetId`. Affected installations span the 4.x branch (4.0.0-RC1 through 4.17.7) and 5.x branch (5.0.0-RC1 through 5.9.13); patches are available in 4.17.8 and 5.9.14. No public exploit or active exploitation has been identified at time of analysis.

Authentication Bypass Cms
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56385 MEDIUM PATCH This Month

Authorization bypass in Craft CMS's `assets/preview-file` endpoint exposes private asset preview content to authenticated low-privileged users who lack view permission on the targeted asset. Affected installations running Craft CMS 4.0.0-RC1 through 4.17.7 or 5.0.0-RC1 through 5.9.13 with mixed-privilege users and private assets are vulnerable to unauthorized disclosure of preview HTML and private asset image routes. No public exploit or CISA KEV listing has been identified; patches are available in versions 4.17.8 and 5.9.14.

Authentication Bypass Cms
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56383 MEDIUM PATCH This Month

Stored XSS in Craft CMS's Table field component allows an authenticated administrator to persist arbitrary JavaScript via the Row Heading column type's default values, executing in the browser of any subsequent user who views a page rendering the affected table field. Affected deployments span Craft CMS 4.5.0-beta.1 through 4.16.18 and 5.0.0-RC1 through 5.8.22; patches are available in 4.16.19 and 5.8.23. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, though the GHSA advisory published a working proof-of-concept payload, and real-world risk is substantially constrained by the non-default allowAdminChanges production setting.

XSS Cms
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.2%
CVE-2026-56393 MEDIUM PATCH This Month

Stored XSS in Craft CMS 4.x and 5.x allows an authenticated administrator to persist malicious JavaScript payloads in settings fields - section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels - that execute in other users' control-panel browser sessions when those pages are visited. The attack surface spans seven distinct injection points across the admin settings UI, all sharing the same root defect in Twig template rendering. No public exploit identified at time of analysis, though a proof of concept is documented in the upstream security advisory GHSA-4mgv-366x-qxvx, and the upstream CHANGELOG characterizes the severity as low.

XSS Cms
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.2%
CVE-2026-56381 MEDIUM PATCH This Month

Stored XSS in Craft CMS (versions 5.0.0-RC1 through 5.8.21) allows an admin-level attacker to permanently embed malicious JavaScript into the User Permissions page by crafting a user group name with an unsanitized HTML payload. The script executes in the browser of any user who subsequently opens the Permissions tab on a user's edit page, creating a persistent cross-user attack vector within the control panel. Vendor-confirmed proof-of-concept steps are publicly documented in GHSA-g3hp-vvqf-8vw6; no confirmed active exploitation or CISA KEV listing at time of analysis.

XSS Cms
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy