Skip to main content
CVE-2026-33692 HIGH PATCH GHSA This Week

Unauthenticated information disclosure in WWBN AVideo (versions prior to 29.0) deployed via the official docker-compose.yml exposes the application's .env file at /.env, leaking database credentials, the SYSTEM_ADMIN_PASSWORD, and internal Docker network topology. The default Apache document root mount lacks any rule blocking dotfile access, so a single curl request to /.env returns plaintext secrets. No public exploit identified at time of analysis, though reproduction is trivial against any default Docker deployment.

Apache Docker Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-46608 HIGH PATCH GHSA This Week

Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.

Grafana Docker Python Authentication Bypass Kubernetes +1
NVD GitHub
CVSS 3.1
7.4
EPSS
0.4%
CVE-2026-48505 HIGH PATCH GHSA This Week

Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 allows attackers who already possess a victim's password and recovery codes to obtain multiple authenticated sessions per single recovery code by submitting parallel authentication requests. The flaw stems from a TOCTOU race condition (CWE-362) in app-based MFA recovery code validation, undermining the single-use guarantee. No public exploit identified at time of analysis and the vulnerability is fixed in 4.11.5 and 5.6.5.

Race Condition Information Disclosure Filament
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-10845 HIGH PATCH This Week

Authentication bypass in IBM WebSphere Application Server 8.5 and 9.0 allows remote attackers to gain unauthorized access to JAX-WS web service applications without valid credentials. The CVSS 7.3 score reflects network-reachable, no-authentication exploitation with partial confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but a vendor patch is available via IBM support advisory 7276597.

IBM Authentication Bypass Websphere Application Server
NVD VulDB
CVSS 3.1
7.3
EPSS
0.4%
CVE-2026-50132 HIGH PATCH GHSA This Week

Account impersonation in Budibase 3.37.2 through 3.38.x allows attackers with a Slack, Discord, or MS Teams account in the same workspace to silently bind their external chat identity to any authenticated Budibase user who clicks a crafted link. Because the `/api/chat-links/:instance/:token/handoff` endpoint performs a permanent state-changing write with no consent UI and no CSRF token, a successful link grants the attacker full impersonation through the AI chat agent, reading data and triggering automations as the victim. No public exploit identified at time of analysis beyond the detailed proof-of-concept in the GHSA advisory authored by the reporter.

Open Redirect Redis Authentication Bypass CSRF
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-41046 HIGH PATCH This Week

Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.

Path Traversal Denial Of Service Qsnapper Suse
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-6645 HIGH PATCH This Week

Local privilege escalation to SYSTEM in the PaperCut Print Deploy Client for Windows allows a low-privileged user to hijack execution flow of pc-printer-updater.exe by planting a malicious binary in a directory on the Windows search path. The flaw is a classic uncontrolled search path element (CWE-427) in a SYSTEM-level helper, and no public exploit identified at time of analysis. CVSS 4.0 base score is 7.3 reflecting local vector with attack requirements and user interaction.

Information Disclosure Microsoft
NVD VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-56424 HIGH PATCH This Week

Cross-organization data tampering in MISP (Malware Information Sharing Platform) core allows authenticated low-privileged users to modify or delete intelligence objects belonging to other organizations by exploiting broken access-control checks across Event Reports, Collection Elements, Analyst Data, Template Elements, and Decaying Models. The flaw stems from authorization being performed against the wrong entity ID or being entirely absent on write paths, enabling integrity attacks on shared threat intelligence. Vendor patches are available via multiple MISP GitHub commits; no public exploit identified at time of analysis.

Authentication Bypass Misp
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56314 HIGH PATCH This Week

Logic flaw in Capgo before 12.128.12 lets authenticated attackers continue serving soft-deleted application bundles to end-user devices because the /updates endpoint omits an app_versions.deleted filter when joining channels. Affected operators of the Capgo live-update service (a CodePush-style OTA platform for Capacitor mobile apps) can have purged bundles re-selected and pushed downstream, undermining rollback and removal workflows. No public exploit identified at time of analysis and the issue is not present in CISA KEV.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56221 HIGH PATCH This Week

SQL injection in Capgo (cap-go) before 12.128.2 allows authenticated users with read-level API keys to access analytics data belonging to other tenants by injecting arbitrary SQL through multiple unparameterized parameters in cloudflare.ts. The flaw stems from direct string interpolation of request-body values into Cloudflare Analytics Engine queries, enabling cross-tenant data exposure. No public exploit identified at time of analysis, though a VulnCheck advisory and an upstream GitHub Security Advisory document the issue.

SQLi Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56280 HIGH PATCH This Week

Privilege inversion in Cap-go (Capgo) before 12.128.2 lets holders of read-only API keys cancel running native builds by abusing the GET /build/logs/:jobId SSE endpoint. On client disconnect the server invokes cancelBuildOnDisconnect() using the privileged BUILDER_API_KEY, bypassing the app.build_native permission enforced on POST /build/cancel/:jobId. No public exploit identified at time of analysis, but the issue is trivially reproducible against any deployment exposing the log stream.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-54353 HIGH PATCH GHSA This Week

Server-side request forgery in Budibase (@budibase/backend-core before 3.39.9) lets authenticated users with automation permissions bypass the SSRF blacklist via DNS rebinding, reaching loopback, RFC1918, and cloud metadata endpoints from the Budibase host. The outbound fetch helper validates a hostname's resolved IP against the blacklist but never pins that IP to the subsequent socket, so node-fetch performs a second DNS lookup that can resolve to an internal address. Because several automation steps return upstream response bodies into automation output, the result is a non-blind read primitive; publicly available exploit code (a rebinding PoC) exists, though EPSS is low (0.24%, 15th percentile) and it is not on CISA KEV.

Kubernetes SSRF
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-8918 HIGH This Week

Local privilege abuse in ASUS Armoury Crate (versions up to and including 6.4.12) allows a local administrator to bypass input validation and perform arbitrary kernel memory read/write or trigger a system crash (BSOD). The flaw is reported by ASUS and tracked as EUVD-2026-38205; no public exploit identified at time of analysis. CVSS 4.0 base score is 7.1 with high attack complexity and high privileges required, reflecting that exploitation needs an existing administrative foothold.

Denial Of Service Armoury Crate
NVD VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-10658 HIGH This Week

Denial-of-service and potential out-of-bounds read in the Zephyr RTOS Bluetooth Host ISO receive path allows a malicious or compromised Bluetooth controller to crash devices using CONFIG_BT_ISO_RX by sending malformed HCI ISO packets with undersized SDU headers. The flaw resides in bt_iso_recv() within subsys/bluetooth/host/iso.c, where header bytes are pulled without prior length validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow Denial Of Service Zephyr Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-6653 HIGH PATCH This Week

Use-after-free in libxml2's xmlParseInternalSubset function affects GNOME libxml2 versions 2.9.11 through 2.11.0 and can be triggered remotely by crafted XML containing abusive entity resolution, leading to denial of service of any application that parses untrusted XML with this library. Publicly available exploit code exists (CVSS 4.0 E:P) but the issue is not listed in CISA KEV, indicating proof-of-concept demonstration rather than confirmed active exploitation. The flaw was disclosed by Canonical and tracked in GNOME GitLab work item 1058 and Ubuntu Launchpad bug 2141260.

Use After Free Denial Of Service Memory Corruption Libxml2
NVD VulDB
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-41573 HIGH PATCH GHSA This Week

LDAP injection in OpenAM (Open Identity Platform) versions <= 16.0.6 allows authenticated attackers to inject arbitrary LDAP metacharacters via the `_queryId` parameter on the CREST REST API user/group endpoints, enabling user enumeration and blind LDAP injection. The flaw stems from `IdentityResourceV1.queryCollection()` explicitly setting `escapeQueryId=false`, regressing the escape protection added for CVE-2021-29156. No public exploit identified at time of analysis, but the issue is fixed upstream in release 16.1.1.

Denial Of Service
NVD GitHub
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy