Skip to main content
CVE-2026-12958 HIGH PATCH This Week

Arbitrary file write in AWS Language Servers (versions prior to 1.69.0) allows a local attacker to escape the workspace trust boundary by tricking a user into opening a workspace containing a maliciously crafted symbolic link. Because the language server fails to validate symlink targets, files written through normal language-server operations can land at arbitrary paths on disk, enabling tampering with sensitive files outside the workspace. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Language Servers For Aws
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-12957 HIGH PATCH NEWS This Week

Arbitrary code execution in AWS Language Servers prior to version 1.65.0 allows attackers to run commands on a developer's machine when a victim opens and trusts a maliciously crafted workspace. The flaw stems from improper trust boundary enforcement (CWE-732) that causes commands embedded in project configuration files to execute automatically. No public exploit identified at time of analysis, but the requirement for only passive user interaction (workspace trust prompt) makes this a credible developer-targeting threat.

RCE Language Servers For Aws
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-45048 HIGH PATCH GHSA This Week

Authenticated privilege escalation in OpenAM Community Edition through 16.0.6 allows a low-privileged user to retrieve raw session tokens belonging to arbitrary other users via the session management RPC endpoint, which fails to enforce ownership or privilege checks. Capturing an administrator's session token enables full account takeover of higher-privileged accounts. No public exploit identified at time of analysis, but a GitHub Security Advisory (GHSA-vvhj-w2jq-263q) has been published by the Open Identity Platform maintainers.

Information Disclosure
NVD GitHub
CVSS 3.1
8.5
CVE-2026-56785 HIGH PATCH This Week

Stored cross-site scripting in FlatPress (commits prior to 10be83c) allows unauthenticated remote attackers to inject persistent HTML and JavaScript via the name, URL, and email fields of comment and contact forms. The payloads execute in any viewer's browser - including administrators reviewing comments in the admin panel - and weak URL scheme validation additionally permits javascript: and data: URI injection. No public exploit identified at time of analysis, but the patch and a third-party advisory disclose the affected sinks in detail.

XSS Flatpress
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.2%
CVE-2026-54320 HIGH PATCH This Week

Authentication bypass in Daytona prior to 0.184.0 allows attackers to join organizations via pending invitations using unverified email addresses. The invitation accept and decline paths failed to enforce email verification (unlike organization creation), so on OIDC identity providers permitting self-service signup with pre-verification sessions, an attacker registering an email matching a pending invite can claim it and inherit the assigned role - up to Owner. No public exploit identified at time of analysis, but the path to full Owner-level organization takeover makes this a high-priority fix.

Elastic RCE Authentication Bypass Daytona
NVD GitHub
CVSS 3.1
8.4
EPSS
0.2%
CVE-2026-55830 HIGH PATCH This Week

Sandbox escape in RestrictedPython (zopefoundation/RestrictedPython, GHSA-ffg3-p8fm-mjx2) allows an authenticated attacker who can execute code within the restricted Python environment to break out of that sandbox and execute arbitrary Python on the underlying host. This affects Plone deployments that rely on RestrictedPython to safely run through-the-web (TTW) Python Scripts and TALES expressions. Disclosed June 2026 as part of a coordinated Plone security release; no public exploit code or CISA KEV listing identified at time of analysis, but the 8.3 high severity and scope-changing nature make it a meaningful risk for any Zope/Plone installation where untrusted or semi-trusted users can author Python scripts.

Authentication Bypass Python
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-45049 HIGH PATCH GHSA This Week

Session token disclosure in OpenAM Community Edition through 16.0.6 allows a remote attacker to harvest an authenticated victim's raw OpenAM session credential by tricking them into visiting a crafted URL that abuses the Cross-Domain Single Sign-On (CDSSO) servlet to POST the token to an attacker-controlled endpoint. Successful exploitation enables full session hijacking against deployments where CDSSO is enabled and a specific non-default hardening configuration is absent. No public exploit identified at time of analysis, but the upstream advisory (GHSA-r9pv-5rpp-vm8g) confirms the flaw and ships a fix in 16.1.1.

Information Disclosure
NVD GitHub
CVSS 3.1
8.3
CVE-2026-34914 HIGH This Week

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary SQL through the clientid parameter of zone-include.php due to missing input sanitisation. The flaw, rated CVSS 8.3 with PR:L, enables attackers with any valid account to exfiltrate or tamper with ad-server data; no public exploit identified at time of analysis, though a HackerOne report describing the issue is publicly referenced.

SQLi PHP Adserver
NVD
CVSS 3.0
8.3
EPSS
0.3%
CVE-2026-11972 HIGH PATCH This Week

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted tar archive opened in streaming mode (mode='r|'). The seek() routine fails to detect EOF and keeps requesting bufsize reads of empty data when a TarInfo header declares a size far larger than the actual stream, exhausting CPU on any Python service that parses untrusted tar streams. No public exploit identified at time of analysis, but the upstream fix and a reproducer test case are both published on GitHub.

Denial Of Service Cpython Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-39253 HIGH This Week

Remote code execution in Pivotal CRM 6.6.04.08 Smart Client arises from insecure deserialization in the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components, allowing remote attackers to execute arbitrary code on affected installations. The vendor (Aurea/Pivotal) has published a remediation advisory and a researcher has released a public technical advisory, but the issue is not currently listed in CISA KEV and SSVC indicates no observed exploitation. CVSS 8.1 reflects high impact tempered by high attack complexity, while no public exploit identified at time of analysis is corroborated by SSVC's 'Exploitation: none'.

Deserialization RCE N A
NVD VulDB
CVSS 3.1
8.1
EPSS
0.8%
CVE-2026-11833 HIGH CISA This Week

Information disclosure in Yokogawa FAST/TOOLS (R9.01-R10.04) and CI Server (R1.01-R1.04) allows unmodified network attackers to retrieve CI Server configuration data via the embedded web server. The leaked settings can be leveraged as reconnaissance fuel for follow-on attacks against the SCADA/automation environment. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Information Disclosure Fast Tools Ci Server
NVD VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-54512 HIGH POC PATCH GHSA This Week

PolymorphicTypeValidator bypass in jackson-databind versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 allows attackers controlling JSON type identifiers to smuggle denied gadget classes through allow-listed generic containers, leading to arbitrary class instantiation and potential remote code execution. The flaw stems from DatabindContext._resolveAndValidateGeneric() validating only the raw container class name while skipping all nested generic type arguments. No public exploit identified at time of analysis, but the GHSA advisory includes a proof-of-concept configuration and payload structure.

Canonical Deserialization Jackson Databind Suse
NVD GitHub HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-54513 HIGH PATCH GHSA This Week

Allowlist bypass in jackson-databind's BasicPolymorphicTypeValidator (PTV) allows attackers to instantiate non-allowlisted classes by wrapping them in arrays (e.g., EvilType[]), defeating a control intended to block deserialization gadget chains. Affects versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 when applications use allowIfSubTypeIsArray() alongside an explicit concrete-type allowlist. No public exploit identified at time of analysis, but the upstream fix and full root-cause writeup are public on GitHub.

Authentication Bypass Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-52801 HIGH PATCH GHSA This Week

Local repository import and blind SSRF in Gogs versions prior to 0.14.3 allows authenticated users to bypass clone-address validation via the Mirror Settings feature. The SaveAddress path in repository Mirror Settings omitted the validation applied to New Migration, letting any authenticated user point a mirror at a local filesystem path or internal address. No public exploit identified at time of analysis beyond the reporter's PoC; not listed in CISA KEV.

SSRF
NVD GitHub
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-55173 HIGH PATCH GHSA This Week

{, } and stripped doubled && but left the single & background operator intact at the same execAsync() sh -c sink. Publicly available exploit code exists (a PHP PoC harness is included in the advisory), but the vulnerability is not in CISA KEV at time of analysis.

Command Injection PHP
NVD GitHub
CVSS 3.1
8.1
CVE-2026-11940 HIGH PATCH This Week

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filters and create a symlink pointing outside the destination directory, enabling out-of-destination file reads or writes when extractall() is later used or the resulting symlink is followed. The flaw is an incomplete fix of CVE-2025-4330: a hardlink referencing a symlink stored at a deeper path than the hardlink itself causes the fallback to validate the symlink at its archived (deep) location but recreate it at the hardlink's shallower path, making a previously 'contained' relative target escape the extraction root. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Path Traversal Cpython
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.6%
CVE-2020-9695 HIGH This Week

Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Adobe Buffer Overflow Memory Corruption Acrobat Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-12112 HIGH PATCH This Week

Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take over active administrative sessions by reusing leaked session IDs that the server caches without re-validating authentication tokens. Because session IDs are written to standard logs, any user with log read access can replay them to gain administrative control and pivot to infrastructure-wide code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Authentication Bypass Privilege Escalation Red Hat Satellite 6
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-54555 HIGH PATCH This Week

Authorization bypass in rtk (rtk-ai) prior to 0.42.2 allows hidden command execution to slip past the permission splitter that gates the Claude Code permission hook. Because the splitter fails to handle Bash command-execution boundary constructs (such as command substitution and chained operators) inside an allowlisted prefix like git, rtk rewrite returns exit code 0 and the hook emits permissionDecision: "allow", causing the secondary command to execute without the user confirmation the policy was supposed to require. No public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass Rtk
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-55488 HIGH PATCH GHSA This Week

Arbitrary file read in motionEye versions before 0.44.0 lets remote attackers retrieve any file readable by the motionEye process by supplying an absolute path to the media playback, download, and preview handlers. The flaw stems from os.path.join() discarding the configured media directory when given an absolute path, compounded by MoviePlaybackHandler deliberately overriding Tornado's StaticFileHandler path-safety checks. A proof-of-concept exists and the CVSS 4.0 exploit-maturity is rated Proof-of-Concept, but there is no public evidence of active exploitation.

Canonical Python Path Traversal
NVD GitHub
CVSS 4.0
7.7
EPSS
0.6%
CVE-2026-53925 HIGH PATCH GHSA This Week

Arbitrary file write and command execution in Glances (Python system monitoring tool) versions 4.0.8 through 4.5.4 allows attackers with the ability to modify glances.conf to abuse shell-like operators (`>`, `|`, `&&`) interpreted by the `secure_popen()` function inside AMP module command configuration. The flaw bypasses the `--disable-config-exec` mitigation introduced for CVE-2026-33641, since that flag only blocks backtick execution in `config.get_value()` and not operator parsing in `secure_popen()`. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-3vwc-qwhc-3mj7), but no public exploit identified in active campaigns at time of analysis.

Python Path Traversal Suse
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-54329 HIGH PATCH GHSA This Week

Cross-tenant data injection in the Snipe-IT Accessories API (versions <= 8.6.1) lets a low-privileged authenticated user in one company write persistent accessory records into another company's inventory by supplying a foreign company_id in the API request body. The flaw only manifests when Full Multiple Companies Support (FMCS) is enabled, and it breaks tenant isolation because the API store/update path mass-assigns company_id without the enforcement the web UI applies. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the fix and a regression test are publicly visible in the vendor commit, making the mechanism easy to reproduce.

Code Injection
NVD GitHub
CVSS 3.1
7.7
EPSS
0.4%
CVE-2025-71376 HIGH PATCH This Week

Detection bypass in picklescan versions prior to 0.0.29 allows attackers to smuggle arbitrary code execution payloads through malicious pickle files by leveraging idlelib.autocomplete.AutoComplete.fetch_completions inside the __reduce__ method. Because the scanner does not flag this built-in Python function as dangerous, victims who rely on picklescan to vet PyTorch models or other pickle artifacts will load attacker-controlled code under pickle.load(). Publicly available exploit code exists (in the GHSA advisory), though no active in-the-wild exploitation has been reported.

Deserialization Picklescan
NVD GitHub
CVSS 4.0
7.6
EPSS
0.3%
CVE-2025-71370 HIGH PATCH This Week

Detection bypass in picklescan before 0.0.28 allows attackers to embed malicious torch.jit.unsupported_tensor_ops.execWrapper calls in pickle files that evade the scanner and execute arbitrary code when later loaded via pickle.load(). Publicly available exploit code exists in the GHSA advisory, and the flaw directly undermines the security guarantee picklescan is meant to provide for PyTorch model files. No CISA KEV listing and no EPSS data are provided, but the scanner bypass nature makes this a meaningful supply-chain risk for ML pipelines.

RCE Deserialization Picklescan
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.4%
CVE-2025-71365 HIGH PATCH This Week

Detection bypass in picklescan before 0.0.33 allows attackers to smuggle arbitrary code through malicious pickle files by abusing numpy.f2py.crackfortran.myeval in a __reduce__ method, which the scanner fails to flag as dangerous. Any ML pipeline or model-hosting workflow that trusts picklescan's verdict before calling pickle.load() will execute attacker-controlled commands; publicly available exploit code exists in the GHSA advisory, and the CVSS 4.0 score of 7.6 reflects high confidentiality and integrity impact contingent on user interaction.

RCE Deserialization Picklescan
NVD GitHub
CVSS 4.0
7.6
EPSS
0.3%
CVE-2025-71341 HIGH PATCH This Week

Detection bypass in picklescan prior to 0.0.29 allows attackers to smuggle remote code execution payloads through pickle files that the scanner incorrectly classifies as safe. The library fails to flag the built-in profile.Profile.runctx function when used in a __reduce__ method, so a downstream pickle.load() of the scanned file executes arbitrary Python. Publicly available exploit code exists in the GHSA-6vqj-c2q5-j97w advisory, though no active exploitation has been reported.

RCE Deserialization Picklescan
NVD GitHub
CVSS 4.0
7.6
EPSS
0.5%
CVE-2025-61018 HIGH This Week

An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Denial Of Service N A SQLi
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-61020 HIGH This Week

Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote unauthenticated attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_strip_in_join query-optimization component. The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects network-reachable, no-auth exploitation with high availability impact and no confidentiality or integrity loss. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-61023 HIGH This Week

Denial of service in OpenLink Virtuoso (open-source edition) v7.2.11 allows attackers to crash the database server by submitting crafted SQL statements that mishandle the internal st_compare comparison routine. The flaw affects availability only (CVSS A:H, no confidentiality or integrity impact) and carries a 7.5 base score; EPSS is low (0.15%, 5th percentile) with no public exploit identified at time of analysis and no CISA KEV listing. Despite the CWE-89 (SQL Injection) classification, the reported effect is a service crash rather than data manipulation or extraction.

SQLi Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61019 HIGH This Week

Denial of service in OpenLink Virtuoso Open-Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that mishandle the sqlo_key_part_best query-optimizer routine. The flaw carries no confidentiality or integrity impact (availability-only, CVSS 7.5) and there is no public exploit identified at time of analysis; EPSS is low at 0.15% (4th percentile), and it is not listed in CISA KEV. The only public reference is the upstream GitHub issue (#1222) tracking the crash.

SQLi Denial Of Service N A Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61027 HIGH This Week

Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database engine by submitting crafted SQL statements that mishandle the internal t_set_push routine. The flaw carries availability-only impact (CVSS 7.5, A:H) with no confidentiality or integrity loss. EPSS is low (0.15%, 4th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV - so risk is theoretical rather than actively exploited.

SQLi Denial Of Service N A Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61028 HIGH This Week

Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that reach the time_t_to_dt date/time conversion routine. The defect is availability-only (no data exposure or integrity loss) and is tracked publicly via GitHub issue #1233; it carries a CVSS 3.1 base score of 7.5 but a low EPSS of 0.15% (4th percentile), and there is no public exploit identified at time of analysis and no evidence of active exploitation.

SQLi Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61021 HIGH This Week

Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_natural_join_cond query-optimizer component. The flaw carries no confidentiality or integrity impact but fully degrades availability (CVSS 7.5, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.15%), indicating limited near-term exploitation likelihood; only a GitHub issue documenting the defect is published.

SQLi Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61025 HIGH This Week

Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sslr_qst_get component. The flaw is classified under CWE-89 (SQL injection class) but the documented impact is availability-only with no confidentiality or integrity loss per the CVSS vector. No public exploit identified at time of analysis, and the issue is tracked only via an upstream GitHub issue (#1229) rather than a tagged fixed release.

SQLi Denial Of Service N A Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-61029 HIGH This Week

Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting specially crafted SQL statements that trigger a flaw in the sqlo_untry query-optimization component. The CVSS 7.5 score reflects unauthenticated network exploitability with high availability impact, but no public exploit identified at time of analysis and the issue is currently tracked only as an upstream GitHub issue without a released fix.

SQLi Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-61022 HIGH This Week

Denial of service in OpenLink Virtuoso Open Source Edition v7.2.11 allows remote attackers to crash the database engine by submitting crafted SQL statements that mishandle column predicate processing inside the sqlo_tb_col_preds query optimizer component. CVSS 7.5 reflects high availability impact with no authentication required, though no public exploit identified at time of analysis and the issue is tracked only as an upstream GitHub bug report.

SQLi Denial Of Service N A Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-61024 HIGH This Week

Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_try_in_loop SQL optimizer component. No public exploit identified at time of analysis, though SSVC indicates a proof-of-concept exists in the referenced GitHub issue. The flaw is tagged as SQLi-class (CWE-89) but the demonstrated impact is availability-only, with no confidentiality or integrity loss per the CVSS vector.

SQLi Denial Of Service N A Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-56815 HIGH This Week

Symlink following in pwnlift's Blazor upload handler permits arbitrary file write with elevated system privileges when the application is deployed in a privileged (root or high-privilege) context. All pwnlift releases before commit d7a95449d9ee1ea09ec1529286685f6187afbbed are affected through the upload component in Components/Pages/Home.razor. No public exploit has been identified at time of analysis; an upstream fix is available via the referenced GitHub commit.

Information Disclosure Pwnlift
NVD GitHub
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-5818 HIGH This Week

Firmware verification bypass in Caliptra Core Runtime Firmware versions 2.0.0 through 2.0.1 and 2.1.0 allows an attacker with high privileges to load unverified MCU firmware during a hitless update. The flaw resides in the ActivateFirmwareCmd::activate_fw module, where an incorrect check of a function return value causes the Root-of-Trust to skip authentication of the Microcontroller Unit firmware image. No public exploit identified at time of analysis, and the issue was responsibly disclosed by the Caliptra project itself.

Authentication Bypass Core Runtime Firmware
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-52808 HIGH PATCH GHSA This Week

Privilege escalation in Gogs self-hosted Git service (versions < 0.14.3) allows write-level repository collaborators to perform admin-only operations via three API endpoints (PATCH /issue-tracker, PATCH /wiki, POST /mirror-sync) that are incorrectly gated by reqRepoWriter() instead of reqRepoAdmin(). Authenticated collaborators can inject attacker-controlled external tracker/wiki URLs to redirect repository visitors to phishing sites, disable native features, or trigger mirror syncs. No public exploit identified at time of analysis, though a detailed proof-of-concept appears in the GitHub Security Advisory.

Privilege Escalation
NVD GitHub
CVSS 3.1
7.1
EPSS
0.5%
CVE-2026-52810 HIGH PATCH GHSA This Week

Improper authorization in Gogs (self-hosted Git service) versions before 0.14.3 lets a read-only user write to repositories they should only be able to fetch from. The Git Smart HTTP handler derives the access policy from the client-supplied ?service= query parameter rather than the actual RPC path, so a POST to /repo.git/git-receive-pack carrying ?service=git-upload-pack is authorized as a read while the receive-pack (push) code path still executes. A working PoC is published in the GHSA advisory, so publicly available exploit code exists; it is not listed in CISA KEV and no active exploitation has been reported.

Authentication Bypass Python
NVD GitHub
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-23513 HIGH PATCH This Week

Cross-tenant data exposure in FOSSBilling 0.7.2 and earlier lets authenticated client users retrieve transaction and order records belonging to other clients by abusing SQL operator precedence in list-endpoint search queries. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low complexity and low-privilege requirement make it a meaningful confidentiality risk for multi-tenant deployments. The flaw was remediated in version 0.8.0 released 2026-05-28.

Authentication Bypass Fossbilling
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-52812 HIGH PATCH GHSA This Week

Cross-tenant information disclosure in Gogs (self-hosted Git service) before 0.14.3 lets any user with write access to a single repository read the byte-for-byte contents of Git LFS objects belonging to private repositories they cannot otherwise access. Because LFS storage is content-addressed by OID alone while authorization is tracked per-repo, an attacker who learns a victim object's OID can bind it to their own repo via the upload endpoint - which skips hash verification on the dedupe path - and then download the original private bytes. The GHSA advisory publishes a complete working proof-of-concept; there is no evidence of active in-the-wild exploitation.

Information Disclosure
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56695 HIGH PATCH This Week

Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume and /summary slash commands, which were incorrectly registered with remote_invocable=True by default, to enumerate and load arbitrary saved session snapshots by ID. Successful exploitation exposes another user's private prompts, credentials, tool outputs, and file paths exchanged through shared gateway channels (e.g. Slack threads). No public exploit identified at time of analysis, but a vendor patch and detailed test cases (PR #276) make the issue easy to weaponize.

Authentication Bypass Openharness
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56116 HIGH PATCH This Week

Denial of service in dhcpcd through version 10.3.2 allows an adjacent-network attacker to exhaust memory in the daemon by repeatedly sending crafted IPv6 Router Advertisements with zero-lifetime Route Information options. The unfreed allocations in routeinfo_findalloc() accumulate linearly until the daemon crashes, disrupting DHCP client functionality on the affected host. No public exploit identified at time of analysis, but the upstream fix (commit 708b4a5) is available.

Denial Of Service Dhcpcd
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-54318 HIGH PATCH This Week

Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. No public exploit identified at time of analysis, and the issue is patched in 2026.5.3 by unexporting LocationSensorManager and introducing a thin RequestAccurateLocationReceiver proxy that drops attacker-supplied extras.

Google Authentication Bypass Core
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-56402 HIGH PATCH This Week

Privilege escalation in NanoClaw before 2.1.17 lets remote attackers with a valid questionId approve or reject privileged actions (such as package installation) by submitting crafted approval response payloads. The handleApprovalsResponse function dispatches sensitive handlers without verifying the responder holds an owner/admin role, turning approval callbacks into an authorization bypass. Publicly available exploit code exists via the upstream patch diff, but no active exploitation is currently confirmed.

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2025-62180 HIGH This Week

Authorization bypass in Pega Platform versions 8.3.0 through Infinity 25.1.2 allows authenticated users to access additional data they should not be permitted to view by submitting crafted URLs. The flaw is a CWE-639 authorization key manipulation issue affecting Pega Infinity deployments, with no public exploit identified at time of analysis and high confidentiality impact per the vendor-provided CVSS 4.0 vector.

Authentication Bypass Pega Infinity
NVD
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56701 HIGH PATCH This Week

Arbitrary file disclosure in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated admin-panel users to read sensitive server files via XML External Entity (XXE) injection in SVG upload processing. The flaw stems from simplexml_load_string() being called without entity-loader protections, enabling exfiltration of credentials, configuration, and environment secrets. No public exploit identified at time of analysis, though the GHSA advisory includes a working proof-of-concept payload.

XXE File Upload Information Disclosure Grav
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56762 MEDIUM PATCH This Month

Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions allows user-controlled input containing CRLF control characters to produce malformed Set-Cookie headers. Affected are all Hono npm releases before 4.12.12. In practice, modern runtimes including Node.js and Cloudflare Workers reject the malformed headers before they are transmitted, meaning confirmed impact is availability loss (runtime errors crashing the response) rather than header injection or response splitting - though theoretical risk exists on less-strict runtimes. No active exploitation is confirmed, and no public exploit code has been identified.

Code Injection Node.js Hono
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy