Skip to main content
CVE-2026-28496 CRITICAL POC PATCH Act Now

Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arbitrary code and disclose sensitive information by injecting Twig expressions into template-rendering features. The unsandboxed Twig environment exposes the application's dependency injection container, turning any admin-accessible template surface into a full RCE primitive. No public exploit identified at time of analysis, but a related auth-bypass chain (GHSA-78x5-c8gw-8279) is documented by VulnCheck and could lower the practical privilege bar.

Ssti RCE Information Disclosure Fossbilling
NVD GitHub
CVSS 4.0
9.4
EPSS
1.9%
CVE-2026-52813 CRITICAL POC PATCH GHSA Act Now

Remote code execution in Gogs self-hosted Git service before 0.14.3 allows unauthenticated attackers (where self-registration is enabled) to abuse unsanitized organization names containing '../' sequences to write Git repository files outside the intended storage root, then overwrite a repository's hooks/update script and trigger arbitrary command execution as the git user. The flaw carries a CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) rating, and a fully working public proof-of-concept is published alongside the GHSA advisory, though no CISA KEV listing or EPSS data is provided in the input.

Docker RCE PostgreSQL Path Traversal
NVD GitHub
CVSS 3.1
10.0
EPSS
1.1%
CVE-2026-50160 CRITICAL Act Now

Unauthenticated mass assignment in Hoppscotch self-hosted exposes the JWT_SECRET and SESSION_SECRET to full attacker control via a single HTTP POST request to the onboarding endpoint, enabling forged authentication tokens for any user including administrators. All self-hosted deployments running version 2026.4.1 and earlier are affected during the initial onboarding window or when re-onboarding is enabled. A working proof of concept is publicly available and the attack is fully automatable with no credentials, no user interaction, and no special tooling required.

Information Disclosure Hoppscotch
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.6%
CVE-2026-52806 CRITICAL PATCH GHSA Act Now

Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation.

Command Injection Docker Apple Privilege Escalation Ubuntu +3
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
1.0%
CVE-2026-27604 CRITICAL PATCH Act Now

Authorization bypass in FOSSBilling versions 0.5.4 through 0.7.x allows unauthenticated remote attackers to invoke privileged `/api/system/*` admin API methods because the `system` role resolves to the cron admin identity without requiring credentials, session, or CSRF token. The flaw, rated CVSS 4.0 10.0 with full vulnerable- and subsequent-system impact, is patched in 0.8.0; publicly available exploit code exists per VulnCheck's writeup chaining this bypass to SSTI for remote code execution.

CSRF Information Disclosure Fossbilling
NVD GitHub
CVSS 4.0
10.0
EPSS
0.4%
CVE-2026-54350 CRITICAL PATCH GHSA Act Now

{$exists:true}`) that override the builder's intended filter, returning or altering every document in a MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or JSON-body REST collection. A detailed working POC is published in the advisory; the issue is not in CISA KEV and EPSS is low (0.43%, 34th percentile), so this is publicly demonstrated but not yet confirmed as actively exploited.

SQLi Canonical Docker PostgreSQL Elastic +2
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-11807 CRITICAL PATCH Act Now

Credential disclosure in Red Hat Ansible Automation Platform 2.5 and 2.6 allows any authenticated user to retrieve plaintext OAuth tokens, vault passwords, and SSH keys by sending forged Worker messages to the Event-Driven Ansible websocket endpoint. The /api/eda/ws/ansible-rulebook endpoint fails to verify permissions on activation_id values, enabling lateral credential theft across tenants. No public exploit identified at time of analysis, but the low attack complexity and scope-changed CVSS of 9.6 make this a high-priority patch.

Hashicorp Authentication Bypass Red Hat Ansible Automation Platform 2 5 Red Hat Ansible Automation Platform 2 6 Red Hat Ansible Automation Platform 2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-54588 CRITICAL Act Now

Account takeover in Poweradmin versions prior to 4.2.4 and 4.3.3 allows remote unauthenticated attackers to hijack OIDC and SAML authentication flows by poisoning the HTTP Host header used to construct the redirect_uri sent to the Identity Provider. By tricking a victim into clicking a crafted login link, the attacker causes the IdP to deliver the authorization code to an attacker-controlled host, yielding full account access with no credentials required. No public exploit identified at time of analysis, though the upstream advisory and patched releases describe the issue in detail.

Information Disclosure Poweradmin
NVD GitHub
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-53662 CRITICAL Act Now

Reflected cross-site scripting in Immich (commits 4ffa26c9 through pre-4eb1003) allows a single-click account takeover of any authenticated user by abusing the unvalidated continue query parameter on /auth/login, which is passed directly to SvelteKit's redirect() without scheme or origin checks. The payload executes attacker-controlled JavaScript inside Immich's origin and uses the victim's session to mint an all-permission API key, yielding persistent compromise. No public exploit identified at time of analysis, but the upstream fix commit and a detailed GHSA advisory describe the flaw clearly enough to derive a working PoC.

XSS Immich
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-44089 CRITICAL Act Now

Stack-based buffer overflow in the Totolink EX1200L router's login handler (cgi-bin/cstecgi.cgi) allows remote attackers on the adjacent network to crash the device or execute arbitrary code as root. Confirmed on firmware 9.3.5u.6146_B20201023 with no public exploit identified at time of analysis, but vendor contact attempts by CERT-PL were unsuccessful so no patch is available. CVSS 4.0 of 9.4 reflects unauthenticated exploitation with full impact on both the device and downstream systems.

Buffer Overflow Stack Overflow Ex1200L
NVD VulDB
CVSS 4.0
9.4
EPSS
0.2%
CVE-2026-56258 CRITICAL PATCH Act Now

Arbitrary file write in Crawl4AI Docker API server before 0.8.8 lets unauthenticated remote attackers escape the ALLOWED_OUTPUT_DIR via symlinks and a TOCTOU race on the output_path parameter of the /screenshot and /pdf endpoints, potentially escalating to code execution where the runtime user can write to executable or cron paths. No public exploit identified at time of analysis, but the API is unauthenticated by default and the GHSA confirms the issue was found in an internal security audit.

RCE Path Traversal Crawl4ai
NVD GitHub
CVSS 4.0
9.2
EPSS
0.7%
CVE-2026-56315 CRITICAL PATCH Act Now

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation by crafting malicious pickle files that import unblocked Python standard library modules. The tool's blocklist (scanner.py _unsafe_globals) omits at least seven stdlib modules - including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib - exposing eight functions that execute arbitrary commands via subprocess or os.system. Publicly available exploit code exists in the GHSA advisory, demonstrating CLEAN scan results for files that achieve full RCE on load; this is especially concerning because picklescan is relied on by HuggingFace Hub and similar ML pipelines.

RCE Python Picklescan
NVD GitHub
CVSS 4.0
9.3
EPSS
0.8%
CVE-2026-12866 CRITICAL Act Now

Arbitrary JavaScript code execution in the expr-eval npm package affects all released versions when applications pass user-controlled expressions to the toJSFunction() API, which compiles them via new Function() and executes them in the host process context. Snyk discloses no public exploit identified at time of analysis, but the trivial attack pattern (sandbox escape via crafted math expressions) and CVSS 4.0 score of 9.2 make this a high-priority issue for any Node.js or browser application that exposes expr-eval to untrusted input.

RCE Code Injection Expr Eval
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.5%
CVE-2026-11374 CRITICAL PATCH Act Now

Account takeover in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus is possible because SSO session-authentication tickets are generated with insufficient randomness and can be predicted by an unauthenticated remote attacker. Successful prediction lets the attacker impersonate arbitrary users and gain full session-level confidentiality, integrity, and availability impact (CVSS 9.0). No public exploit identified at time of analysis, but the issue is acknowledged in the vendor advisory.

Zoho Information Disclosure Manageengine Adselfservice Plus Manageengine Recovery Manager Plus Manageengine M365 Manager Plus +1
NVD VulDB
CVSS 3.1
9.0
EPSS
1.2%
CVE-2026-35019 CRITICAL PATCH Act Now

Authentication bypass in NetComm NF20MESH routers (firmware R6B031 and earlier) allows unauthenticated remote attackers to forge valid encrypted session cookies using a hardcoded AES-256 key embedded in the firmware, granting full administrative control of the web management interface. The root cause is CWE-321 (Use of Hard-coded Cryptographic Key): because the same static AES-256 key is shared across all devices, any attacker who extracts it from firmware can impersonate any session. Exploitation requires an active administrator session and network reachability to the management interface; no KEV listing or confirmed public exploit exists at time of analysis, though the hardcoded-key nature makes the attack highly automatable once the key is disclosed.

Authentication Bypass Nf20Mesh
NVD
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-9733 CRITICAL PATCH Act Now

CSRF session hijacking in Mojolicious::Plugin::Web::Auth::OAuth2 through version 0.17 for Perl stems from a predictable default state parameter built from a SHA-1 hash of leaked epoch time and Perl's weak rand(). Remote attackers can guess or precompute valid state values to forge OAuth2 authorization responses and bind a victim's session to an attacker-controlled identity. No public exploit identified at time of analysis, EPSS is low (0.19%, 8th percentile), and a vendor patch is available.

CSRF Mojolicious
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-52811 CRITICAL PATCH GHSA Act Now

Authenticated arbitrary file write in Gogs (self-hosted Git service) versions below 0.14.3 on Linux/macOS lets a user with repository write access escape the working tree and overwrite any file the gogs UID can touch, escalating to remote code execution. The flaw stems from `UploadRepoFiles` validating symlinks only on the leaf path while sibling functions correctly walk every component; combined with a crafted multipart filename containing a literal backslash, the write is redirected through a previously committed directory symlink to targets like `~git/.ssh/authorized_keys` or `<repo>.git/hooks/post-receive`. No CISA KEV listing and no EPSS provided, but a detailed, tested proof-of-concept is published in the vendor advisory, so publicly available exploit code exists.

Apple Linux CSRF Ubuntu Microsoft +3
NVD GitHub VulDB
CVSS 4.0
9.0
EPSS
0.5%
CVE-2026-56379 CRITICAL PATCH Act Now

Command injection in ImageMagick's SVG decoder (coders/svg.c) lets attackers smuggle arbitrary MVG (Magick Vector Graphics) drawing commands inside an SVG file that execute when the image is rendered, affecting versions before 7.1.2-15 and 6.9.13-40 (and the Magick.NET bindings before 14.10.3). Because ImageMagick frequently processes untrusted, user-uploaded images on servers, a crafted SVG can achieve high-impact abuse of the internal MVG rendering pipeline. There is no public exploit identified at time of analysis and it is not on CISA KEV; EPSS is low at 0.91% (55th percentile), but SSVC flags exploitation as automatable.

Command Injection Imagemagick
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.9%
CVE-2026-54503 CRITICAL Act Now

Stored cross-site scripting in Plone CMS enables persistent script injection by spoofing file MIME types within the plone.app.textfield and plone.restapi packages, announced June 5, 2026. An attacker with content-upload access can craft a file whose declared MIME type bypasses Plone's content-type enforcement, causing browsers to render the payload as HTML or JavaScript when other users access the stored content. No public exploit code or CISA KEV listing has been identified at time of analysis; the moderate severity rating (4.3) reflects the stored persistence risk offset by the upload-privilege requirement.

XSS Denial Of Service RCE
NVD
CVE-2026-55248 CRITICAL Act Now

Denial of service in Plone's RSS feed portlet component (plone.app.portlets) allows an attacker to exhaust server resources by supplying or triggering the parsing of a maliciously crafted RSS/Atom feed, rendering the Plone application unavailable. Disclosed June 23, 2026 as part of a coordinated Plone security release, the issue carries a critical severity rating of 9.1. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Denial Of Service RCE
NVD
CVE-2026-55247 CRITICAL Act Now

Denial-of-service via malformed iCalendar import in Plone's plone.app.event package, rated 9.1 critical, enables remote disruption of affected Plone installations by submitting a crafted ICS file to the event import endpoint. Disclosed June 23, 2026 as part of a coordinated Plone security release addressing six distinct vulnerabilities across multiple packages. No public exploit code or CISA KEV listing has been identified at time of analysis, though the critical severity rating and co-disclosure of a related icalendar library CVE (CVE-2026-55099) the same week warrant prompt patching.

XSS Denial Of Service RCE
NVD
CVE-2026-55099 CRITICAL Act Now

Denial of Service in the collective/icalendar Python library allows attackers to crash or hang applications that process externally supplied iCalendar data. The vulnerability carries a CVSS score of 7.5 High and affects Plone CMS deployments as well as any Python application using the library to parse .ics input. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Denial Of Service RCE
NVD
CVE-2026-55556 CRITICAL PATCH Act Now

Heap overflow in rsyslog's contributed imhttp module allows remote unauthenticated clients to corrupt the rsyslog process heap by sending an oversized HTTP Basic Authentication header. The root cause is a one-character typo - `calloc(0, len)` instead of `calloc(1, len)` - which allocates zero or minimal bytes before the Base64 decoder writes up to `len` bytes into the buffer. The practical expected impact is denial of service (rsyslog process crash); remote code execution is theoretically possible but depends on heap allocator behavior, compiler hardening, and platform. No public exploit identified at time of analysis, and the vulnerability is not in CISA KEV.

Buffer Overflow Denial Of Service Suse
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy