Skip to main content
CVE-2026-48166 MEDIUM POC PATCH GHSA This Month

Filament's login page leaks account existence through a measurable timing side-channel, allowing unauthenticated remote attackers to enumerate registered email addresses. Versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 of this widely-used Laravel full-stack component library are affected. The impact is confined to account enumeration - no credentials, session tokens, or other data are exposed - but the disclosed information can seed targeted phishing or credential-stuffing campaigns. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Filament
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2023-33854 MEDIUM PATCH This Month

IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3 could allow an authenticated user to bypass client-side validation and manipulate input data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable.

IBM Authentication Bypass Db2 On Cloud Pak For Data And Db2 Warehouse On Cloud Pak For Data
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56326 MEDIUM PATCH This Month

Server-side open redirect in Nuxt's `navigateTo` composable allows unauthenticated network attackers to bypass external-host checks by submitting path-normalized payloads such as `/..//evil.com` or `/.//evil.com`, which WHATWG URL parsing resolves to the protocol-relative URL `//evil.com`. Affected versions are Nuxt 4.0.0-4.4.6 and all 3.x releases before 3.21.7. Because Nuxt documentation presents `navigateTo` as the safe, built-in mechanism for post-login redirects, applications commonly pass unvalidated user-supplied redirect parameters directly to it - making OAuth authorization-code theft and phishing the principal real-world risks. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV.

Open Redirect Nuxt
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56697 MEDIUM PATCH This Month

Open redirect in Nuxt 3.x before 3.21.7 and 4.x before 4.4.7 allows remote unauthenticated attackers to redirect victims to arbitrary external hosts by supplying protocol-relative paths such as `//evil.com` to the `reloadNuxtApp` composable. The function's only security gate checks whether the resolved URL's scheme is a script protocol; protocol-relative paths inherit the page's own scheme (`https:`), pass that check, and are then written directly to `window.location.href`. The practical consequence is phishing and OAuth authorization-code theft on any application that forwards user-controlled input into `reloadNuxtApp`. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the GHSA advisory notes this is part of a broader cluster of three URL-handling weaknesses in Nuxt's navigation APIs.

Open Redirect Nuxt
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-9610 MEDIUM PATCH This Month

Forced browsing exposure in IBM Datacap and IBM Datacap Navigator 9.1.7 through 9.1.9 allows a highly privileged local user to access application resources and functionality not surfaced in the UI by constructing direct URL requests, bypassing the intended UI-driven access control model. The impact is limited to partial confidentiality disclosure (C:L) with no integrity or availability consequence, and no exploitation has been confirmed - no public exploit code exists and this CVE is absent from the CISA KEV catalog. IBM has released a patch addressing all affected versions.

IBM Authentication Bypass Datacap Datacap Navigator
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-46611 MEDIUM PATCH GHSA This Month

DNS rebinding against the Glances XML-RPC server (`glances -s`) allows a network-adjacent or remote attacker to exfiltrate the full system monitoring dataset - including process command lines that routinely contain secrets - from a victim's browser without any authentication. The `GlancesXMLRPCHandler` in `glances/server.py` accepts arbitrary HTTP `Host` headers without validation, an omission that persists while the REST/WebUI server received an equivalent fix (TrustedHostMiddleware, v4.5.2) and the MCP server was protected since v4.5.1. No active exploitation is confirmed (not in CISA KEV), but a detailed proof-of-concept is published in the vendor's GitHub security advisory GHSA-w856-8p3r-p338 and the attack is materially amplified by the companion CORS wildcard issue CVE-2026-46608.

Kubernetes Docker RCE Python Red Hat +1
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-44583 MEDIUM PATCH GHSA This Month

Blind Server-Side Request Forgery in Paymenter's PayPal gateway module (versions < 1.5.0) allows remote unauthenticated attackers to coerce the application server into issuing arbitrary HTTP GET requests by supplying a malicious URL in the PAYPAL-CERT-URL HTTP header. The webhook endpoint at /extensions/paypal/webhook passes this header directly to PHP's file_get_contents() with no allowlist, domain validation, or signature pre-check, violating the security intent of PayPal's certificate verification flow. No public exploit has been identified at time of analysis, but the zero-prerequisite attack surface and public advisory disclosure make this an accessible target for any unauthenticated actor who can reach the endpoint.

SSRF
NVD GitHub
CVSS 3.1
5.3
CVE-2026-12863 MEDIUM This Month

Unvalidated redirect in Venueless social login allows phishing attacks by abusing the trusted domain reputation of legitimate event platform instances. Any Venueless deployment with social login enabled is affected across all tracked versions (CPE wildcard), and an attacker can craft a social login URL embedding an arbitrary external redirect destination that executes silently after a victim completes OAuth authentication. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and authentication-flow context make this a credible phishing vector against event attendees and organizers.

Open Redirect Venueless
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-12862 MEDIUM PATCH This Month

Formula injection in Venueless Excel exports allows an attacker with a low-privilege account to embed malicious spreadsheet formulas into user-supplied data fields, which execute when an administrator opens the generated export file. Affected deployments include all versions of Venueless (pretix) as indicated by the wildcard CPE entry. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low attack complexity and the availability of a GitHub security advisory signal a credible, reproducible attack path against administrative workflows.

Code Injection Venueless
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-56450 MEDIUM PATCH This Month

Unlimited OTP brute-force against AIL Framework's two-factor authentication endpoint allows an attacker who already possesses a valid account password to bypass the second authentication factor entirely and gain unauthorized account access. The verify_2fa() route accepted an unbounded number of OTP submissions without incrementing a failure counter or enforcing a lockout, and the implementation uses counter-based HOTP rather than time-limited TOTP, removing the time-window throttle that would otherwise constrain brute-force speed. No public exploit code or CISA KEV listing exists at time of analysis, but the prerequisite of a valid password - obtainable via phishing or credential dumps - makes this a realistic threat against any AIL deployment where 2FA is meant to serve as a meaningful access boundary.

Authentication Bypass Ail Framework
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-12580 MEDIUM This Month

Stored Cross-Site Scripting in Digiwin's EasyFlow .NET workflow platform enables authenticated low-privilege attackers to inject persistent JavaScript that executes in other users' browsers on page load. The CVSS 4.0 vector (PR:L/UI:P/SC:L/SI:L) confirms the attacker requires a valid low-privilege account to plant the payload, while victims trigger execution passively by navigating to affected pages - including administrators who may have elevated session privileges worth hijacking. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing real-world risk in the medium tier, concentrated in multi-tenant or shared-user deployments.

XSS Easyflow Net
NVD
CVSS 4.0
5.1
EPSS
0.2%
CVE-2025-64719 MEDIUM PATCH GHSA This Month

Denial of service in Gogs repository and wiki web interfaces allows any authenticated user with write access to permanently break file listing pages by committing a file whose name contains incomplete git pathspec metacharacters. Affected versions are Gogs <= 0.14.2; the web UI for the targeted repository or wiki returns HTTP 500 on every subsequent page load until an administrator removes the malicious file via CLI. Publicly available exploit code exists as documented in the GHSA-3qq3-668m-v9mj advisory with a specific PoC payload; no active exploitation confirmed (not in CISA KEV).

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-12549 MEDIUM This Month

Malformed HTTP Range request handling in libsoup (GNOME's HTTP client/server library, packaged across Red Hat Enterprise Linux 6-10) re-introduces a signed integer underflow originally patched in CVE-2026-2443. A rework commit replaced specific overflow guards with a general signed comparison, meaning a suffix-byte Range request whose length exceeds the resource content size now produces a negative start offset that is passed unclamped to buffer operations, generating malformed HTTP 206 responses and log flooding. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network vector makes any exposed libsoup HTTP server reachable without credentials.

Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
4.8
EPSS
0.3%
CVE-2026-11994 MEDIUM This Month

Stored Cross-Site Scripting in Akaunting 3.1.21 allows a high-privileged authenticated user with report creation or update permissions to persist arbitrary HTML/JavaScript in the description field of the report management workflow. Any user - including administrators - who subsequently views the poisoned report will have the malicious script execute in their browser session, enabling session token theft, credential harvesting, or unauthorized UI actions on behalf of the victim. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the stored nature of the payload amplifies impact over reflected XSS variants in shared-user deployments.

XSS Akaunting
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-11943 MEDIUM This Month

Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated high-privileged user to inject arbitrary HTML and JavaScript into their profile name, which is subsequently rendered unsanitized in the document timeline displayed on invoice and bill detail pages. Any other authenticated user - including administrators - who views those pages will have the malicious script execute in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Akaunting
NVD GitHub
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-11942 MEDIUM This Month

Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated user with record creation or modification privileges to embed malicious HTML/JavaScript into record name fields (such as Items), which subsequently executes in any other user's browser session when the reusable delete confirmation dialog renders that name unsanitized. The vulnerability is confirmed by Fluid Attacks security research and affects the shared delete confirmation component across multiple record types. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS 4.0 score of 4.8 reflects the authentication barrier and required victim interaction as meaningful limiting factors.

XSS Akaunting
NVD GitHub
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-46672 MEDIUM PATCH GHSA This Month

CSV formula injection in @actual-app/cli versions prior to 26.6.0 allows an attacker who can write user-controlled strings into an Actual Budget database to execute arbitrary spreadsheet formulas when the victim exports data using the --format csv flag and opens the resulting file in Excel, LibreOffice Calc, or Google Sheets. The vulnerable `escapeCsv` helper in `packages/cli/src/output.ts` neutralizes only RFC 4180 delimiters and quotes but does not strip formula-trigger prefixes (=, +, -, @, tab, CR), meaning payloads in payee names, account names, categories, notes, or tags survive into the CSV output unchanged. A publicly available proof-of-concept is included in the GHSA-7gh7-258j-4mpq advisory; no CISA KEV listing exists at time of analysis.

Google RCE Microsoft Node.js
NVD GitHub
CVSS 3.1
4.6
EPSS
0.2%
CVE-2026-44273 MEDIUM PATCH This Month

Dell Wyse Management Suite (WMS) versions prior to 2605 ships with default credentials, enabling a high-privileged local attacker to authenticate using those credentials and access sensitive information. Reported by Dell under DSA-2026-247, the flaw is classified under CWE-1392 (Use of Default Credentials) and carries a CVSS 3.1 base score of 6.0, reflecting local-only attack surface constrained by the requirement for high privilege. No public exploit code or CISA KEV listing has been identified at time of analysis.

Dell Information Disclosure Wyse Management Suite Wms
NVD VulDB
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-46700 MEDIUM PATCH GHSA This Month

Missing authorization on the GET /secret/:name endpoint in @actual-app/sync-server allows any authenticated non-admin BASIC user in OpenID multi-user deployments to enumerate which admin-managed bank-sync integrations are configured - specifically GoCardless, SimpleFIN, and Pluggy AI credential names. The disclosure is existence-only (HTTP 204 vs 404); actual secret values are not returned. No active exploitation is confirmed (not in CISA KEV), but a working PoC is included in the GHSA advisory, and the attack is trivially scriptable for any valid session holder.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-9162 MEDIUM This Month

WebSocket session persistence in Mattermost allows authenticated users whose sessions have been globally revoked to bypass that revocation and continue receiving real-time platform events. Affected across four actively maintained release branches (11.7.x, 11.6.x, 11.5.x, 10.11.x), the flaw directly undermines the effectiveness of administrative session revocation - a control relied upon in account-compromise response and offboarding workflows. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS signal is absent from available data, and the vendor-assigned CVSS of 4.3 reflects correctly scoped, medium-severity risk.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44584 MEDIUM PATCH GHSA This Month

Email verification bypass in Paymenter allows authenticated users to retain verified account status after changing their email to an address they do not own or control. The email update function fails to reset the verification column, meaning a user who initially verifies with a legitimate address can subsequently substitute any arbitrary email and keep the verified flag intact. No public exploit has been identified at time of analysis; the vendor-confirmed fix is available in version 1.5.0.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
CVE-2026-50179 MEDIUM PATCH GHSA This Month

CSV formula injection in Actual Budget's transaction export functions allows an attacker who controls imported transaction data to embed spreadsheet formulas in Payee, Notes, Account, and Category fields, which survive verbatim into exported CSV files. Affected versions of @actual-app/web prior to 26.6.0 pass these fields to csv-stringify at export-to-csv.ts:56 and :131 without any formula-prefix neutralization, meaning strings beginning with =, +, -, @, tab, or carriage return are written raw to disk. When victims or downstream recipients (accountants, tax preparers) open the exported file in Excel, LibreOffice Calc, or Google Sheets, the =HYPERLINK variant silently exfiltrates adjacent transaction data on click with no security prompt, while =WEBSERVICE and =IMPORTXML auto-fire in some configurations; a fully working PoC is documented in GHSA-xqjm-27pc-rvwm and no KEV listing exists at time of analysis.

Google Information Disclosure
NVD GitHub
CVSS 3.1
4.2
EPSS
0.3%
CVE-2026-44202 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in OpenAM's /sessionservice endpoint allows authenticated attackers to register arbitrary URLs for session event notifications, causing the IAM server to make outbound HTTP requests to attacker-controlled destinations. Affected versions are org.openidentityplatform.openam:openam-core up to and including 16.0.6; the flaw was patched in release 16.1.1. No public exploit code or CISA KEV listing has been identified at time of analysis, but the authentication barrier is low (any valid session), and deployment context - a central enterprise authentication gateway - elevates the downstream risk of internal network reconnaissance or session data exfiltration.

SSRF
NVD GitHub
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy