Skip to main content
CVE-2026-56694 MEDIUM PATCH This Month

Privilege escalation in NanoClaw before 2.1.0 lets scoped admins cross agent-group authorization boundaries by submitting forged or stale connect callback values during the channel-registration approval flow. The `handleChannelApprovalResponse` function accepted any `connect:ag-X` callback value without verifying that the approver held admin privileges over the target agent group, allowing a scoped admin to wire messaging channels into groups they do not govern. No active exploitation has been confirmed (not listed in CISA KEV), and an upstream fix is available in commit 0eef8fafdd7c475ab5fd8d37ea566a81e74cd834 (PR #2566).

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-64105 MEDIUM PATCH This Month

Insecure Direct Object Reference in FOSSBilling's support ticket creation workflow allows authenticated clients on versions 0.6.21 through 0.7.2 to link tickets to orders owned by other clients by manipulating the rel_id parameter. The ticketCreateForClient() method omits ownership verification for non-upgrade ticket relations, enabling cross-client order association. While no automated harm occurs, staff can be deceived into acting on the wrong client's order - such as processing unauthorised cancellation or upgrade requests - with minimal order ID disclosure as a secondary confidentiality concern. No public exploit is identified at time of analysis; the issue is patched in version 0.8.0.

Authentication Bypass Information Disclosure Fossbilling
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-6458 MEDIUM This Month

Broken GCM integrity in Caliptra Core Runtime Firmware 2.0.0-2.1.0 allows an adjacent, low-privileged attacker to silently tamper with ciphertext produced by the streaming AES-256-GCM API when called with empty AAD. The root defect - a missing save of the hardware GHASH accumulator state after the first streaming update call - causes the final authentication tag to exclude the first batch of processed ciphertext, nullifying the integrity guarantee of authenticated encryption for that block. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Core Runtime Firmware
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-11772 MEDIUM Monitor

Reflected XSS in DRIMO CMS search functionality allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL containing a malicious payload in the `q` parameter. All versions are affected via the CPE wildcard (cpe:2.3:a:drimo:drimo_cms:*), and the product has been declared End of Life - no security patch will be issued. The sole vendor-acknowledged mitigation, confirmed by CERT-PL, is deletion of the `info.php` file; no public exploit code or KEV listing has been identified at time of analysis.

XSS PHP Drimo Cms
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-48492 MEDIUM PATCH GHSA This Month

{object}/selectlist API endpoints allows any authenticated user-regardless of permissions-to enumerate the full user directory, assets, accessories, consumables, and licenses using only a valid session cookie. Affected versions prior to 8.5.1 expose usernames, display names, employee numbers, and user IDs for all active accounts, providing an ideal launchpad for credential stuffing, password spraying, and social engineering. No public exploit identified at time of analysis; vendor-released patch is available in version 8.5.1.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
4.9
EPSS
0.4%
CVE-2026-52807 MEDIUM PATCH GHSA This Month

Stored DOM-based XSS in Gogs versions prior to 0.14.3 allows any repository user with write access to inject JavaScript via a crafted milestone name, which executes in another user's browser when they open the New Issue page and interact with the milestone dropdown. The flaw is an incomplete fix for the earlier GHSA-vgjm-2cpf-4g7c, which patched view_content.tmpl but missed the identical sink in new_form.tmpl. A working PoC is published in the GitHub advisory, but no public exploit identified at time of analysis in CISA KEV or EPSS-tracked sources.

XSS Docker
NVD GitHub
CVSS 4.0
4.8
EPSS
0.5%
CVE-2026-12163 MEDIUM PATCH This Month

Stored cross-site scripting in Fortra File Integrity Monitoring (FIM) versions prior to 9.4.0.1 allows a highly privileged authenticated user to inject persistent script content into node or database configuration fields within the Asset View UI component. When another user subsequently views the affected Asset View page, the stored payload executes in their browser context rather than being safely escaped, enabling session hijacking, credential theft, or unauthorized UI manipulation against that victim. No public exploit code has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at time of analysis.

XSS Fortra File Integrity Monitoring Fim
NVD VulDB
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-12892 MEDIUM This Month

Heap out-of-bounds read in GStreamer's gst-plugins-bad H.264 parser allows an attacker to crash a media application or leak a single byte of heap memory by tricking a victim into opening a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units. Affected systems span Red Hat Enterprise Linux versions 6 through 10 where gst-plugins-bad is installed. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV; the narrow 1-byte read, required user interaction, and local attack vector substantially limit real-world exploitation impact.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-12164 MEDIUM PATCH This Month

Incorrect privilege assignment in Fortra File Integrity Monitoring (FIM) versions prior to 9.4.0 causes the `tetool import` command to assign elevated or incorrect effective permissions to newly created users when FIM is actively running during import. The flaw is compounded when the import operation also creates or modifies roles or role-permission relationships, meaning users may silently receive access levels beyond what was configured. No public exploit has been identified at time of analysis, and the CVSS score of 4.9 (Medium) reflects the high-privilege prerequisite that limits realistic exposure to administrative misuse or insider threat scenarios.

Information Disclosure File Integrity Monitoring Fim
NVD VulDB
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-34917 MEDIUM This Month

Session context confusion in Revive Adserver allows a low-privileged web admin console user to reuse their session ID against the XML-RPC API, which is normally restricted to admin-level users. This authentication bypass (CWE-287) grants unauthorized API access, enabling the attacker to chain this foothold with additional API-level vulnerabilities to escalate impact beyond the base CVSS score suggests. No public exploit code and no CISA KEV listing have been identified at time of analysis; the issue was disclosed via HackerOne and a fix was implemented by recording session context alongside session data.

Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.3%
CVE-2026-12891 MEDIUM This Month

Out-of-bounds read in the GStreamer gst-plugins-bad H.266/VVC parser allows a remote attacker to leak up to 8 bytes of application memory by delivering a crafted video file with a manipulated aspect ratio indicator value. Affected platforms include Red Hat Enterprise Linux 8, 9, and 10 wherever gst-plugins-bad processes H.266/VVC content. No public exploit code or active exploitation has been identified at time of analysis; the limited read window and user-interaction requirement constrain practical impact, but the network-reachable vector and zero-authentication requirement lower the delivery barrier.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-34913 MEDIUM This Month

Improper access control in Revive Adserver 6.0.6 and earlier allows an authenticated low-privileged user to link their own trackers to advertising campaigns owned by other managers on the same instance via campaign-trackers.php. The flaw enables unauthorized manipulation of campaign-tracker ownership relationships, corrupting attribution data and potentially introducing unauthorized tracking into other managers' campaigns. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

PHP Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-44957 MEDIUM This Month

Missing access control on XML-RPC API modify methods in Revive Adserver 6.0.6 and earlier permits authenticated low-privileged users to reassign entities to arbitrary parent entities, corrupting ownership relationships across campaigns, zones, or banners. This flaw is not independently exploitable - it requires chaining with CVE-2026-34917 or the presence of third-party API extensions that expose modify methods to low-privileged users, materially narrowing real-world risk. A vendor fix adding parent-entity access validation has been issued; no public exploit has been identified at time of analysis.

Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-34912 MEDIUM This Month

Revive Adserver 6.0.6 and earlier fails to enforce ownership validation when linking banners or campaigns to ad zones via the zone-include.php script or the platform API, allowing any authenticated low-privileged user to associate their zones with advertising assets owned by other managers on the same installation. This breaks the intended multi-tenant ownership isolation, producing inconsistent cross-account zone-to-banner and zone-to-campaign relationships that disrupt legitimate advertiser operations. No public exploit has been identified and there is no CISA KEV listing; however, the low attack complexity and network accessibility via both the web interface and API make exploitation straightforward for any authenticated platform user.

PHP Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-0864 MEDIUM PATCH This Month

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via configparser.write() to smuggle arbitrary keys and values into the resulting INI-style configuration file by embedding carriage return (\r) characters. All CPython versions are listed as affected per the NVD CPE wildcard, and any Python application that writes attacker-influenced data to config files via configparser is a candidate target. No public exploit has been identified at time of analysis; CVSS 4.0 scores this at 4.1 (Medium) with high privilege requirements and specific attack conditions.

Code Injection Cpython Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
4.1
EPSS
0.1%
CVE-2025-13162 MEDIUM CISA This Month

Uncontrolled Search Path Element (DLL hijacking) in ABB Control Builder A and 800xA for Advant Master enables a local low-privileged attacker to achieve high-integrity code execution on industrial engineering workstations. Affected versions span Control Builder A through 1.4/4 and 800xA for Advant Master through 6.2.0-1, covering multiple release branches of ABB's flagship OT automation suite. No public exploit or CISA KEV listing is identified at time of analysis, limiting immediate mass-exploitation risk, though OT environments running these ICS platforms warrant targeted patching prioritization given integrity-impact severity.

Abb Information Disclosure Control Builder A 800Xa For Advant Master
NVD
CVSS 4.0
4.1
EPSS
0.1%
CVE-2026-55654 LOW PATCH Monitor

OpenSSH's GSSAPI authentication cleanup routine contains a heap out-of-bounds read (CWE-125) triggered when the auth-indicators array lacks a trailing NULL terminator, allowing a remote unauthenticated attacker to crash the SSH authentication path and deny SSH service availability. Exploitation is constrained by high attack complexity (AC:H) due to the non-default Kerberos/GSSAPI configuration requirement, limiting real-world exposure to a minority of deployments. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the impact is restricted to partial availability loss with no confidentiality or integrity consequence.

Buffer Overflow Denial Of Service SSH Information Disclosure Red Hat Enterprise Linux 10 +6
NVD VulDB
CVSS 3.1
3.7
EPSS
0.3%
CVE-2025-15619 LOW Monitor

HCL Connections exposes a broken access control flaw that permits a low-privileged, authenticated user to view data they should not be authorized to access, but only under one specific scenario. Classified under CWE-284 (Improper Access Control), the vulnerability requires network access, low privileges, and user interaction, limiting its real-world exploitation surface considerably. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 3.5 reflects a genuinely low-severity finding.

Authentication Bypass Connections
NVD
CVSS 3.1
3.5
EPSS
0.1%
CVE-2026-57062 LOW Monitor

GnuPG's gpgsm component through version 2.5.20 improperly validates AES-GCM authentication tag length during CMS parsing, accepting a 4-byte ICV where the cryptographic standard mandates 12 bytes. This validation failure means gpgsm will process CMS-formatted messages with a truncated integrity check value, undermining the authentication guarantee that AES-GCM is specifically designed to provide. No public exploit has been identified at time of analysis; the low CVSS score of 2.9 reflects constrained attack conditions, though the related CVE-2026-34182 warrants cross-referencing as it may share the same code path.

Information Disclosure Gnupg
NVD
CVSS 3.1
2.9
EPSS
0.1%
CVE-2026-57053 LOW PATCH Monitor

Out-of-bounds reads of uninitialized memory in GNU libidn before version 1.44 are triggerable through the ToUnicode IDNA APIs when malformed internationalized domain name input is processed by the vulnerable function `idna_to_unicode_internal`. Applications statically or dynamically linked against affected libidn versions that pass attacker-influenced hostname strings to these APIs are exposed to integrity and availability disruption. No public exploit has been identified at time of analysis, and the successor library libidn2 is explicitly confirmed unaffected, providing a viable migration path for defenders.

Buffer Overflow Libidn
NVD VulDB
CVSS 3.1
2.5
EPSS
0.1%
CVE-2026-55542 LOW PATCH GHSA Monitor

Signature image retrieval in Snipe-IT's S3-backed deployments bypasses authorization, allowing any authenticated user to obtain a 5-minute pre-signed S3 URL for acceptance signature images they are not permitted to view. The flaw exists in ActionlogController.php where the S3 code path returns a signed URL before the authorize() call is reached - a call that is correctly enforced only in the local-file code path. Affected are all Snipe-IT deployments on versions <= 8.5.0 configured to use S3 storage; no public exploit code exists and this CVE is not listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.4%
CVE-2026-56379 CRITICAL PATCH Act Now

Command injection in ImageMagick's SVG decoder (coders/svg.c) lets attackers smuggle arbitrary MVG (Magick Vector Graphics) drawing commands inside an SVG file that execute when the image is rendered, affecting versions before 7.1.2-15 and 6.9.13-40 (and the Magick.NET bindings before 14.10.3). Because ImageMagick frequently processes untrusted, user-uploaded images on servers, a crafted SVG can achieve high-impact abuse of the internal MVG rendering pipeline. There is no public exploit identified at time of analysis and it is not on CISA KEV; EPSS is low at 0.91% (55th percentile), but SSVC flags exploitation as automatable.

Command Injection Imagemagick
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.9%
CVE-2026-56371 MEDIUM PATCH This Month

Memory exhaustion in ImageMagick's TXT file coder (coders/txt.c) leaks heap allocations each time a crafted TXT file carrying a texture attribute is processed and GetTypeMetrics subsequently fails. Affected are ImageMagick before 7.1.2-15 and 6.9.13-40, and transitively Magick.NET NuGet packages before 14.10.3. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the deterministic failure path makes repeated triggering straightforward in any service that accepts and processes user-supplied TXT files through ImageMagick.

Information Disclosure Imagemagick
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-55519 LOW PATCH GHSA Monitor

Improper authorization in Snipe-IT v8.4.0 permits any authenticated user holding generic asset edit permissions to delete files attached to any asset across the entire system, bypassing both ownership and company assignment boundaries. The flaw exists in both the web and API file deletion controllers, where a class-level policy check is applied instead of the required instance-level check, constituting a classic IDOR (CWE-285). No public exploit or active exploitation has been identified at time of analysis; a vendor-released patch exists in version 8.4.1.

Authentication Bypass
NVD GitHub
CVE-2026-55483 MEDIUM PATCH GHSA This Month

Privilege escalation in Snipe-IT's user creation endpoint allows any authenticated holder of the `users.create` permission to provision new accounts with full admin privileges. The `store()` method in both the web UI and API `UsersController` correctly strips the superuser flag from user-creation payloads submitted by non-superusers, but applies no equivalent check to the admin permission, creating a direct path from delegated HR or department-lead roles to full administrative control over the Snipe-IT instance. A vendor-released patch is available in version 8.6.0; no public exploit has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVE-2026-54503 CRITICAL Act Now

Stored cross-site scripting in Plone CMS enables persistent script injection by spoofing file MIME types within the plone.app.textfield and plone.restapi packages, announced June 5, 2026. An attacker with content-upload access can craft a file whose declared MIME type bypasses Plone's content-type enforcement, causing browsers to render the payload as HTML or JavaScript when other users access the stored content. No public exploit code or CISA KEV listing has been identified at time of analysis; the moderate severity rating (4.3) reflects the stored persistence risk offset by the upload-privilege requirement.

XSS Denial Of Service RCE
NVD
CVE-2026-55248 CRITICAL Act Now

Denial of service in Plone's RSS feed portlet component (plone.app.portlets) allows an attacker to exhaust server resources by supplying or triggering the parsing of a maliciously crafted RSS/Atom feed, rendering the Plone application unavailable. Disclosed June 23, 2026 as part of a coordinated Plone security release, the issue carries a critical severity rating of 9.1. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Denial Of Service RCE
NVD
CVE-2026-55099 CRITICAL Act Now

Denial of Service in the collective/icalendar Python library allows attackers to crash or hang applications that process externally supplied iCalendar data. The vulnerability carries a CVSS score of 7.5 High and affects Plone CMS deployments as well as any Python application using the library to parse .ics input. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Denial Of Service RCE
NVD
CVE-2026-55247 CRITICAL Act Now

Denial-of-service via malformed iCalendar import in Plone's plone.app.event package, rated 9.1 critical, enables remote disruption of affected Plone installations by submitting a crafted ICS file to the event import endpoint. Disclosed June 23, 2026 as part of a coordinated Plone security release addressing six distinct vulnerabilities across multiple packages. No public exploit code or CISA KEV listing has been identified at time of analysis, though the critical severity rating and co-disclosure of a related icalendar library CVE (CVE-2026-55099) the same week warrant prompt patching.

XSS Denial Of Service RCE
NVD
CVE-2026-54134 HIGH PATCH GHSA This Week

Arbitrary file exfiltration in OctoPrint versions through 1.11.7 and 2.0.0rc1-rc2 allows authenticated users with the FILE_UPLOAD permission to move any host file readable by the OctoPrint process into the upload folder, where it can then be downloaded. This is an incomplete-fix recurrence of CVE-2025-48067; reserved internal form fields can still be smuggled to Flask via query parameters or Tornado/Werkzeug parser differentials. No public exploit identified at time of analysis, and patches are available in 1.11.8 and 2.0.0rc3.

File Upload Python
NVD GitHub
CVE-2026-35163 MEDIUM PATCH GHSA This Month

Stored XSS in OctoPrint's Suppressed Command Notifications feature enables injection of arbitrary HTML and JavaScript into browser popups triggered by specially crafted G-code print files. Versions up to and including 1.11.7 and pre-release builds 2.0.0rc1 and 2.0.0rc2 are affected. An attacker who successfully delivers a malicious G-code file to a victim can execute scripts in the victim's authenticated browser session, enabling exfiltration of sensitive OctoPrint configuration (including API keys and credentials for privileged users), unauthorized actions within the instance, or disruption of active print jobs. No public exploit has been identified at time of analysis, and the vulnerability was responsibly disclosed.

XSS
NVD GitHub
CVE-2026-44956 NONE Awaiting Data

Stored XSS in Revive Adserver allows a low-privileged user to inject malicious JavaScript through their Full Name field, which propagates via system-generated emails into the userlog table and executes in an administrator's browser when viewing userlog-details.php. The attack crosses privilege boundaries - a standard user account becomes a vector for admin-context script execution, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis; a fix adding proper output escaping has been confirmed via HackerOne report #3669623.

XSS PHP Adserver
NVD VulDB
EPSS
0.3%
CVE-2026-44961 NONE Awaiting Data

Revive Adserver's XML-RPC API addUser method contains a validation bypass regression introduced by the patch for CVE-2025-55129, allowing authenticated API users to register usernames containing malicious payloads that enable impersonation of other accounts or deliver stored cross-site scripting attacks against administrative users. Reported via HackerOne (report #3680090), this vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis. The provided CVSS vector is a null placeholder with all impact metrics rated N, which directly contradicts the described integrity and confidentiality impacts of stored XSS and account impersonation, and must not be used for risk prioritization.

XSS Authentication Bypass Adserver
NVD VulDB
EPSS
0.3%
CVE-2026-44960 NONE Awaiting Data

Stored XSS in Revive Adserver allows arbitrary JavaScript execution in an administrator's browser by embedding payloads in usernames that are later rendered unsanitized in the audit log details view. The attack persists in the platform's audit trail and fires when any admin reviews the affected log entries - a routine administrative activity, not a rare or unusual trigger. No public exploit has been identified at time of analysis, but the vendor has confirmed a fix by adding proper HTML output escaping to the audit log details rendering path.

XSS Adserver
NVD VulDB
EPSS
0.3%
CVE-2026-55556 CRITICAL PATCH Act Now

Heap overflow in rsyslog's contributed imhttp module allows remote unauthenticated clients to corrupt the rsyslog process heap by sending an oversized HTTP Basic Authentication header. The root cause is a one-character typo - `calloc(0, len)` instead of `calloc(1, len)` - which allocates zero or minimal bytes before the Base64 decoder writes up to `len` bytes into the buffer. The practical expected impact is denial of service (rsyslog process crash); remote code execution is theoretically possible but depends on heap allocator behavior, compiler hardening, and platform. No public exploit identified at time of analysis, and the vulnerability is not in CISA KEV.

Buffer Overflow Denial Of Service Suse
NVD GitHub
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy