Skip to main content
CVE-2026-7842 MEDIUM POC PATCH This Month

Time-based blind SQL injection in the Infility Global WordPress plugin (versions before 2.15.20) enables authenticated attackers holding Editor-level access or higher to extract arbitrary data from the WordPress database. The unsanitized `orderby` and `order` parameters in three admin callbacks - `import_list()`, `url_detail()`, and `file_detail()` - are passed directly into SQL queries without validation or parameterization. A publicly available proof-of-concept exploit exists per WPScan (EUVD-2026-38416), and the CVSS S:C designation confirms that impact extends beyond the plugin itself to the full underlying database; no confirmed active exploitation (CISA KEV) has been documented at time of analysis.

SQLi WordPress Information Disclosure Infility Global
NVD WPScan VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2025-55639 MEDIUM POC This Month

GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Denial Of Service N A Null Pointer Dereference
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-52815 MEDIUM POC PATCH GHSA This Month

Unauthenticated organization team enumeration in Gogs exposes team IDs, names, descriptions, and permission levels (read/write/admin/owner) to any network-accessible caller without credentials. All versions prior to 0.14.3 are affected - the `GET /api/v1/orgs/:orgname/teams` endpoint was placed in a route group missing the `reqToken()` middleware, meaning the `orgAssignment(true)` middleware loads the org object but enforces no authentication. A publicly available proof-of-concept demonstrates exploitation via a single unauthenticated `curl` command. No KEV listing is present, but the low attack complexity and zero authentication requirement make this a meaningful reconnaissance aid for follow-on attacks against Gogs installations.

Privilege Escalation Information Disclosure
NVD GitHub
CVSS 4.0
5.5
EPSS
1.6%
CVE-2026-48493 MEDIUM POC PATCH NEWS GHSA This Month

{their_own_id}`. The `PreserveUnauthorizedPrivilegedPermissionsAction` class failed to distinguish self-modification from modification of other users, allowing the permission set of the authenticated caller's own account to be silently expanded. No public exploit code or CISA KEV listing exists at time of analysis, but the flaw is practically exploitable by any delegated operator who holds the two prerequisite permissions.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-8378 MEDIUM POC This Month

Stored Cross-Site Scripting in the Frontend File Manager Plugin for WordPress (versions through 23.6) allows any authenticated subscriber-level user to compromise administrator sessions by injecting malicious script payloads via the frontend file-rename endpoint. The unsanitized filename is persisted as post meta and subsequently rendered unescaped within the WordPress admin File Manager listing, triggering execution whenever an administrator views that interface. A publicly available proof-of-concept exists per WPScan, and no confirmed patched version is identified in available data, making this an unresolved risk for all sites running this plugin at or below version 23.6.

XSS WordPress Frontend File Manager Plugin
NVD WPScan VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-56762 MEDIUM PATCH This Month

Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions allows user-controlled input containing CRLF control characters to produce malformed Set-Cookie headers. Affected are all Hono npm releases before 4.12.12. In practice, modern runtimes including Node.js and Cloudflare Workers reject the malformed headers before they are transmitted, meaning confirmed impact is availability loss (runtime errors crashing the response) rather than header injection or response splitting - though theoretical risk exists on less-strict runtimes. No active exploitation is confirmed, and no public exploit code has been identified.

Code Injection Node.js Hono
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56234 MEDIUM PATCH This Month

Unauthenticated access to Capgo's credential validation endpoint before version 12.128.2 enables large-scale password spraying and credential stuffing attacks against user accounts. The `POST /functions/v1/private/validate_password_compliance` Supabase Edge Function accepts requests using only the publicly distributed anon key - a client-side secret embedded in shipped app binaries - with no rate limiting or lockout enforcement. Combined with wildcard CORS headers, any browser-side or scripted attacker can systematically validate username/password pairs at scale, ultimately compromising Capgo accounts and potentially tampering with mobile app live update pipelines. No public exploit code has been identified at time of analysis, but the attack is trivially automatable given the absence of access controls.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-10609 MEDIUM This Month

Privilege escalation via ServiceAccount token exfiltration affects the OpenShift Cluster Logging Operator, allowing a user with delegated editor-level access to the ClusterLogForwarder resource to harvest SA tokens they were never authorized to use. The operator creates ServiceAccount tokens and forwards them to configured log output destinations without verifying whether the ClusterLogForwarder creator holds permission to consume those credentials. An attacker who has obtained an editor role within the logging namespace can weaponize this design gap to exfiltrate high-privilege SA tokens and escalate to broader cluster access. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Authentication Bypass Logging Subsystem For Red Hat Openshift
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-52809 MEDIUM PATCH GHSA This Month

Password-reset tokens in Gogs self-hosted Git service (versions before 0.14.3) remain valid for the full account-activation lifetime - up to 3 hours by default - regardless of the administrator-configured `RESET_PASSWORD_CODE_LIVES` setting, because `GenerateActivateCode()` hardcodes `conf.Auth.ActivateCodeLives` into the token at generation time. An attacker who obtains an intercepted reset token can exploit it far beyond the intended expiry window to perform full account takeover, exposing all private repositories and source code. No KEV listing at time of analysis, but publicly available exploit code exists within the GitHub Security Advisory GHSA-5c3f-6486-3g7g.

Information Disclosure
NVD GitHub
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-56692 MEDIUM PATCH This Month

Symlink following in NanoClaw's agent-to-agent file forwarding exposes arbitrary host-readable files to container-controlled agents. All releases before 2.1.17 are affected; the `forwardAttachedFiles` function validated attachment filenames with `isSafeAttachmentName` but called `fs.copyFileSync` without first resolving symlinks or confirming the resolved path remained inside the agent's outbox directory. A low-privileged agent can craft a symlink with a safe-looking filename, point it at any host file readable by the NanoClaw process, and receive its contents forwarded as a message attachment. No public exploit is identified at time of analysis, though the VulnCheck advisory and GitHub PR diff provide sufficient detail for a technically capable attacker to reproduce exploitation.

Information Disclosure Nanoclaw
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-56301 MEDIUM PATCH This Month

Nuxt's development server on Linux exposes an unprotected vite-node IPC server via a Linux abstract-namespace Unix socket, enabling unprivileged co-resident users to read arbitrary files - including .env secrets and SSH private keys - through the SSR module pipeline. Affected are Nuxt 4.0.0 through 4.4.6 and Nuxt 3.18.0 through 3.21.6 when running `nuxt dev` on Linux with Node.js 20+, outside Docker or StackBlitz. No public exploit has been identified at time of analysis, but exploitation demands only a local shell account and basic Unix socket programming knowledge; production builds are entirely unaffected.

Privilege Escalation Nuxt
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-56693 MEDIUM PATCH This Month

Privilege escalation in NanoClaw before 2.1.17 allows confined agent containers to bypass their architectural confinement boundary by invoking the `create_agent` delivery-action handler without host-side authorization. The handler performed privileged central-database writes - creating agent groups, container configurations, and destinations - gated only by a container-side MCP tool check that, being inside the untrusted container, is trivially bypassed by writing outbound system rows directly. No public exploit identified at time of analysis; a vendor patch is available and the fix is documented in a public GitHub commit.

Privilege Escalation Nanoclaw
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-52673 MEDIUM This Month

SQL Injection vulnerability in Cboard v.0.4.2 and before allows a remote attacker to execute arbitrary code via the getDimensionsValues component

SQLi RCE N A
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-11820 MEDIUM This Month

Credential exposure in the Ansible nexmo module (plugins/modules/nexmo.py) causes Vonage/Nexmo API keys and secrets to appear in plaintext within HTTP GET request URLs, bypassing the no_log=True protection entirely. The module affects Red Hat Enterprise Linux 8, 9, and 10 deployments, and credentials are captured passively in Ansible verbose output, network proxy logs, SIEM traffic inspection, AWX/Automation Controller debug logs, and Vonage server-side access logs. No public exploit identified at time of analysis, though exploitation requires only read access to any of these log sources.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-54518 MEDIUM PATCH GHSA This Month

Jackson-databind's `@JsonView` authorization boundary is bypassed for constructor parameters that combine `@JsonUnwrapped` and `@JsonView` annotations, affecting versions 2.21.0-2.21.3 and 3.0.0-3.1.3. The deserialization code path in `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters without calling `prop.visibleInView(activeView)`, while the standard property path correctly enforces this check. Applications that rely on `@JsonView` as a write-side access control boundary are exposed: an attacker supplying crafted JSON can populate admin-restricted constructor fields even when the application activates a less-privileged view. No public exploit identified at time of analysis; upstream patches are confirmed in 2.21.4 and 3.1.4.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-55653 MEDIUM PATCH This Month

Client-side Denial of Service in OpenSSH's Diffie-Hellman Group Exchange implementation allows a malicious SSH server to crash connecting clients running in FIPS mode. When a victim initiates an SSH connection to an attacker-controlled server, the server sends crafted DH-GEX group parameters that trigger a double free (CWE-415) during FIPS known-group validation, terminating the client process. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the constraint that only FIPS-mode clients are affected limits real-world impact to regulated or government environments.

SSH Denial Of Service Microsoft Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49976 MEDIUM PATCH GHSA This Month

Account takeover in Snipe-IT (versions prior to 8.6.0) is achievable by any user holding the `import` permission via a logic flaw in the CSV user-import update path. The `UserImporter.php` code correctly unsets auth fields from the Eloquent model object, but `sanitizeItemForUpdating()` rebuilds its update payload from the raw CSV row (`$this->item`) - not from the model - rendering the unset calls entirely ineffective. An authenticated user with only `import` rights can overwrite any non-admin, non-superuser account's email address and then trigger a password reset to complete a full account takeover. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, though the vendor-published advisory includes precise source code and a working reproduction path.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
CVE-2026-4610 MEDIUM This Month

Stored Cross-Site Scripting in the ProfileGrid WordPress plugin (all versions through 5.9.9.2) allows authenticated users with Subscriber-level access to inject persistent malicious scripts via the `pm_author_message` parameter in the private messaging function `pm_send_message_to_author`. The injected payload executes in any user's browser upon visiting the affected page, with a changed scope (S:C) meaning impact can extend to the broader WordPress session context - including potential admin account compromise. No public exploit has been identified at time of analysis, and a partial patch in version 5.9.8.5 does not fully remediate the issue, leaving sites running through 5.9.9.2 exposed.

XSS WordPress Profilegrid User Profiles Groups And Communities
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-50193 MEDIUM PATCH GHSA This Month

Uncontrolled resource consumption in jackson-databind 2.10.0 through 2.13.5 allows unauthenticated remote attackers to cause a Denial-of-Service by submitting small (~2kB), deeply nested JSON payloads that trigger a StackOverflowError when a service reads the input via ObjectMapper.readTree() and serializes the resulting JsonNode using JsonNode.toString(). The root cause is recursive serialization in the toString() call path, which was replaced with an iterative IteratorStack-based implementation in version 2.14.0. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Denial Of Service Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 4.0
6.3
EPSS
0.5%
CVE-2026-53926 MEDIUM PATCH This Month

OAuth token persistence in NocoDB allows an attacker who previously obtained a user's OAuth credentials to maintain unauthorized account access even after the victim performs a password change, reset, or recovery - the exact security actions taken to revoke attacker access. All NocoDB versions up to 2026.05.0 (npm package: nocodb) are affected due to `revokeAllOAuthTokensByUser` being implemented as an empty stub in the users service, meaning no OAuth or refresh tokens were ever actually invalidated by any of the three password security flows. No public exploit has been identified at time of analysis, and a vendor-released patch is available in 2026.05.1.

Information Disclosure Nocodb
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-56376 MEDIUM PATCH This Month

Heap use-after-free in ImageMagick's meta coder allows remote attackers to crash the process by submitting a specially crafted image file that triggers a memory allocation failure, causing a single byte write to a stale (freed) pointer. Affected versions are ImageMagick before 7.1.2-15 and 6.9.13-40, as well as Magick.NET NuGet wrapper packages before 14.10.3. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that reliable exploitation requires specific memory allocation failure conditions rather than straightforward request-and-crash triggering.

Use After Free Denial Of Service Memory Corruption Imagemagick Red Hat +1
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-55482 MEDIUM PATCH GHSA This Month

Multi-tenancy isolation is broken in Snipe-IT versions through 8.4.1, allowing authenticated non-superadmin users to reassign assets across company boundaries via the bulk asset update endpoint. The root cause is that `BulkAssetsController::update()` accepts `company_id` directly from HTTP request input without applying the `Company::getIdForCurrentUser()` scoping guard used by every other controller in the codebase. A fix is confirmed in version 8.4.2 via commit d58fda626e8febfeff4cabbc20ba03edfc411e18; no public exploit or CISA KEV listing exists at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.3
CVE-2026-55448 MEDIUM PATCH GHSA This Month

Command injection in mise's GitHub credential resolver executes attacker-controlled shell commands on the victim developer's machine when a malicious `.mise.toml` is placed in a repository and no higher-priority GitHub token environment variable is set. Versions v2026.3.15 through v2026.3.17 (and all releases up to < 2026.6.4) pass `github.credential_command` from untrusted local project config directly to `sh -c` without any trust verification. A working proof-of-concept is confirmed per GHSA-29hf-rm4x-xxph on Docker linux-arm64; no CISA KEV listing at time of analysis, but POC availability elevates practical risk above the moderate CVSS base score.

Command Injection Docker
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-9073 MEDIUM PATCH This Month

Cleartext credential persistence in foreman-mcp-server, a component of Red Hat Satellite 6, exposes session identifiers and authentication tokens through two independent logging paths. The INFO-level logger unconditionally records session identifiers (which function as authentication credentials) in plaintext, while a separate debug-mode logger incompletely sanitizes HTTP request headers, allowing Authorization tokens and API keys to persist in container logs. Any environment forwarding container logs to a centralized SIEM or log aggregation platform materially expands the attack surface beyond local disk access. No public exploit identified at time of analysis, and the CVE does not appear in CISA KEV.

Information Disclosure Red Hat Satellite 6
NVD VulDB
CVSS 3.1
6.2
EPSS
0.2%
CVE-2026-48496 MEDIUM PATCH GHSA This Month

Permanent denial of service in opentelemetry-ebpf-profiler versions 0.0.202527 through 0.0.202621 allows any unprivileged co-located process to halt the agent's ELF analysis goroutine by placing a FIFO or special file at a path the profiler will attempt to open via openat2. Once blocked, the processPIDEvents goroutine never recovers, rendering the profiling agent inoperable for the lifetime of the process. No public exploit has been identified at time of analysis; impact is strictly confined to availability of the profiling agent with no data exposure or privilege escalation possible.

Denial Of Service Suse
NVD GitHub
CVSS 3.1
6.2
CVE-2026-55655 MEDIUM PATCH This Month

X11 forwarding session hijacking in OpenSSH enables a local unprivileged attacker sharing a Linux client host to intercept and partially manipulate the victim's forwarded X11 display traffic by squatting on the predictable abstract UNIX domain socket name before the SSH client creates it. Affected deployments span OpenSSH packages across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4. No public exploit code has been identified at time of analysis, but successful exploitation yields high-confidence access to sensitive X11 session data including keystrokes, window contents, and clipboard material.

SSH Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +4
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-34915 MEDIUM This Month

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate database contents via the unsanitized clientid parameter in zone-include.php. The vulnerability is compounded by a concurrent input validation failure that also enables cross-site scripting, reflected in the CWE-79 assignment and CVSS scope-change vector - suggesting the zone-include.php endpoint contains at least two distinct injection classes. No public exploit has been identified at time of analysis, and a fix is available in versions beyond 6.0.6 per the vendor advisory on HackerOne.

SQLi XSS PHP Adserver
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2026-10857 MEDIUM PATCH This Month

Reflected XSS in AKIN Software E-Commerce (all versions before 1.25.01.06) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into following a crafted URL. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-reachable exploitation requiring no authentication, with a scope change indicating script execution in the browser context outside the originating document. Reported by TR-CERT; no public exploit code or CISA KEV listing identified at time of analysis.

XSS E Commerce
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-56275 MEDIUM PATCH This Month

Server-side request forgery in Flowise's Execute Flow node allows authenticated low-privilege users to coerce the server into issuing HTTP requests to arbitrary internal network addresses by supplying intranet URLs through the base URL configuration field. All flowise and flowise-components npm versions through 3.0.13 are affected due to the Execute Flow code path never invoking the secureFetch wrapper present in httpSecurity.ts. Publicly available exploit code exists in GHSA-9hrv-gvrv-6gf2, including a concrete POST request demonstrating server-side retrieval and echo of internal service responses; no CISA KEV listing indicates active mass exploitation at time of analysis.

SSRF Flowise
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-56114 MEDIUM PATCH This Month

Stack memory corruption in dhcpcd through 10.3.2 exposes systems running the DHCPv6 client to availability disruption from unauthenticated attackers on the same network link. The one-byte off-by-one overflow in `dhcp6_makemessage()` is triggered by a crafted DHCPv6 ADVERTISE containing an RFC6603 OPTION_PD_EXCLUDE sub-option with an exclude prefix length of /121 through /128, overflowing a 16-byte stack buffer by exactly one byte. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the upstream fix commit precisely identifies the trigger, making independent exploit development straightforward.

Buffer Overflow Memory Corruption Dhcpcd
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-56113 MEDIUM PATCH This Month

Heap use-after-free in dhcpcd through 10.3.2 enables unauthenticated same-link attackers - acting as or impersonating a DHCPv6 server - to crash the daemon by sending a crafted DHCPv6 RENEW reply exploiting a pointer lifecycle flaw in delegated prefix deprecation. The flaw triggers dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still retains the freed pointer, causing a use-after-free when TAILQ_REMOVE is subsequently reached. Impact is limited to availability (daemon crash); no public exploit or CISA KEV listing exists at time of analysis, but the adjacent-network attack vector and zero-privilege requirement lower the bar for local segment adversaries.

Use After Free Denial Of Service Memory Corruption Dhcpcd
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-55736 MEDIUM PATCH This Month

Private argument injection in the Ash Elixir framework (versions 3.0.0 through 3.29.2) allows end users to set action arguments explicitly marked public?: false, which are designed to be controlled exclusively by trusted server-side code. The filtering logic in both the regular changeset path and the atomic changeset path fails to enforce the public? flag when input parameters arrive as string (binary) keys - the default format for user-supplied JSON or form data. An attacker who submits a string-keyed parameter matching a private argument name can inject an arbitrary value, potentially enabling privilege escalation or integrity violations if that argument drives authorization decisions such as acting_user_id or record ownership. No public exploit code has been identified and this vulnerability is not listed in CISA KEV.

Privilege Escalation Ash
NVD GitHub
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-54323 MEDIUM PATCH This Month

Git credential exposure in Daytona's daemon (all versions prior to 0.185.0) allows a network-positioned attacker to silently harvest HTTP Basic Authorization headers by exploiting a complete absence of TLS certificate validation on both the go-git and native git CLI clone code paths. An attacker with man-in-the-middle capability on clone traffic can present any fraudulent TLS certificate, capture the Git credentials supplied for the clone, and simultaneously inject tampered repository content into the execution sandbox - threatening both credential confidentiality and supply-chain integrity of AI-generated code workflows. No public exploit or active exploitation has been identified at time of analysis; a vendor-released fix is available in version 0.185.0.

RCE Elastic Daytona
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-49870 MEDIUM PATCH GHSA This Month

Unrestricted TOTP brute-forcing on Snipe-IT versions prior to 8.6.0 allows an attacker holding valid password credentials to bypass two-factor authentication by submitting unlimited guesses against the `POST /two-factor` endpoint, which enforces no rate limit, lockout, or attempt counter. With the `google2fa` window configured at 1, three of one million possible codes are valid at any instant, making statistical exhaustion feasible via scripted requests. Successful exploitation yields full session-level account takeover; in optional-2FA deployments the attacker can additionally call `POST /account/profile` to permanently disable 2FA with no re-verification, and admin-privileged attackers can clear other users' 2FA secrets via `POST /api/v1/users/two_factor_reset`. No public exploit has been identified at time of analysis.

PHP Denial Of Service
NVD GitHub
CVSS 3.1
5.9
CVE-2026-50550 MEDIUM PATCH GHSA This Month

Privilege escalation in Snipe-IT allows a low-privileged authenticated user with 'edit users' permission to reset a superadmin's two-factor authentication (2FA), stripping the highest-privilege account of its MFA protection. This CWE-862 (Missing Authorization) flaw affects all Snipe-IT composer releases prior to 8.5.0. No active exploitation (CISA KEV) or public proof-of-concept has been identified at time of analysis; however, the high integrity impact and direct erosion of the superadmin's secondary authentication factor make this a meaningful risk wherever the superadmin account is the critical security boundary.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.8
CVE-2026-56117 MEDIUM PATCH This Month

Heap use-after-free in dhcpcd through version 10.3.2 allows local unprivileged attackers to crash the DHCP client daemon by exploiting a double-free race between READ and HANGUP events on the control socket. When an attacker sends a privileged command such as -x, control_recvdata() frees the client fd_list object while the subsequent HANGUP event delivers the same stale pointer to control_hangup(), triggering memory corruption that results in denial of network service on the affected host. No public exploit code or CISA KEV listing exists at time of analysis; the upstream fix is available as commit 78ea09e.

Use After Free Memory Corruption Buffer Overflow Dhcpcd
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-52814 MEDIUM PATCH GHSA This Month

File descriptor exhaustion in the Gogs built-in Go SSH server allows unauthenticated remote attackers to render the SSH service completely unavailable. By opening a large number of TCP connections to the SSH port and withholding the SSH-2.0 protocol banner, an attacker forces Gogs to spawn unbounded goroutines that block indefinitely in `golang.org/x/crypto/ssh.NewServerConn`, consuming one file descriptor per connection. Once the OS `ulimit -n` ceiling is breached, the server can accept no new connections and the entire Gogs process begins failing with cascading I/O errors. No public exploitation (KEV) confirmed, but a fully functional Python PoC is publicly disclosed alongside the advisory and the fix is available in v0.14.3.

Google Denial Of Service Python
NVD GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-52804 MEDIUM PATCH GHSA This Month

Privilege escalation in Gogs versions prior to 0.14.3 allows repository admin collaborators to elevate their own access to owner-level by exploiting an off-by-one boundary check in the `ChangeCollaborationAccessMode` function. The web route accepts a raw integer `mode` query parameter, and the faulty guard `mode > AccessModeOwner` evaluates to false when mode equals 4, letting an admin (mode=3) POST `mode=4` to silently receive full owner privileges - including the ability to delete the repository, transfer ownership, and erase wiki data. No public exploit identified at time of analysis, though the advisory includes complete reproduction steps that function as a de facto proof of concept.

Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2020-9711 MEDIUM This Month

Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe Buffer Overflow Information Disclosure Acrobat Reader
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2020-9713 MEDIUM This Month

Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe Buffer Overflow Information Disclosure Acrobat Reader
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52816 MEDIUM PATCH GHSA This Month

Stored XSS in Gogs's Jupyter notebook (.ipynb) preview allows any registered user to inject arbitrary JavaScript via `data:text/html` URIs that survive the bluemonday sanitization pipeline, affecting all versions prior to 0.14.3. The `POST /-/api/sanitize_ipynb` endpoint uses `p.AllowURLSchemes("data")` without MIME-type gating, unlike the safer `IsSafeDataURI` validator used elsewhere in the codebase, and carries no authentication middleware - making it reachable by any account holder. A proof-of-concept is publicly documented in GHSA-3w28-36p9-w929; no CISA KEV listing or EPSS data is available at time of analysis.

XSS
NVD GitHub
CVSS 4.0
5.4
EPSS
0.7%
CVE-2026-11819 MEDIUM This Month

Credential exposure in the Ansible keyring_info module (plugins/modules/keyring_info.py) causes master passwords, SSH key passphrases, and service credentials retrieved from OS-native keystores to be emitted as plaintext in task output, registered variables, and persistent log backends. Any local user with access to Ansible playbook output - including AWX/Tower job logs, Redis or JSON fact caches, and debug task output - can read credentials in full. A proof-of-concept demonstrating plaintext passphrase capture from Ansible output exists, though no confirmed active exploitation (CISA KEV) has been observed. Affected deployments span RHEL 8, 9, and 10 per Red Hat CPE data.

Redis Microsoft Information Disclosure Apple Red Hat Enterprise Linux 10 +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-52802 MEDIUM PATCH GHSA This Month

Open redirect in Gogs versions up to and including 0.14.2 allows unauthenticated remote attackers to craft login URLs that redirect authenticated users to arbitrary external sites after successful login. The root cause is a two-character-only URL validation in the `IsSameSite()` function: the path `/a/../\example.com` passes server-side inspection but resolves to `//example.com` after browsers normalize backslashes to forward slashes. A publicly available proof-of-concept with screenshots exists; this vulnerability is not in CISA KEV and active exploitation has not been confirmed at time of analysis.

Open Redirect Path Traversal
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2026-54557 MEDIUM PATCH GHSA This Month

Path traversal in the mise HTTP backend allows a repository-controlled `.tool-versions` file to direct `mise install` to create symlinks at arbitrary filesystem locations outside the designated mise installs root on Unix-like systems. Affecting mise up to version 2026.5.16, a developer or CI system that runs `mise install` against a malicious project can have executable symlinks silently placed under attacker-chosen `PATH` directories, enabling replacement of trusted commands with attacker-controlled HTTP content. No public exploit identified at time of analysis beyond the detailed proof-of-concept published in GitHub Security Advisory GHSA-f94h-j2qg-fxw3, and no CISA KEV listing confirms active in-the-wild exploitation.

Microsoft Path Traversal
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-4983 MEDIUM PATCH This Month

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a malicious SVG icon and achieve stored cross-site scripting (XSS) when a user navigates directly to the icon URL. On deployments using local storage, script execution occurs within the Open VSX application origin, enabling session hijacking, authentication token theft, and unauthorized extension publishing. On deployments backed by external storage (such as open-vsx.org with an S3-backed CDN), execution is confined to the storage origin, reducing impact but still permitting phishing attacks and credential harvesting through attacker-crafted pages.

XSS Eclipse Open Vsx
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-44958 MEDIUM This Month

Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or deactivate banner ads regardless of whether those permissions were explicitly granted. The banner-edit.php script evaluated banner status changes based solely on banner edit permissions, treating status modification as implicitly authorized whenever edit access existed. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it straightforward for any credentialed advertiser to abuse.

PHP Authentication Bypass Adserver
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2026-54515 MEDIUM PATCH GHSA This Month

Per-property @JsonIgnoreProperties filtering in jackson-databind is silently bypassed when the same property also carries @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES), enabling unauthenticated network attackers (per CVSS AV:N/PR:N) to write to fields the application explicitly excluded from deserialization. The flaw spans versions from 2.8.0 through the 2.18.x, 2.19-2.21.x, and 3.1.x release lines and constitutes a mass-assignment integrity risk wherever ignored fields guard sensitive state such as privilege or role attributes. No public exploit tool or CISA KEV listing has been identified at time of analysis; vendor-released patches (2.18.9, 2.21.5, 3.1.4) were published 2026-06-04.

Information Disclosure Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-54516 MEDIUM PATCH GHSA This Month

Integrity bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows unauthenticated network attackers to write to private backing fields that application developers intended as read-only. The flaw occurs when a POJO uses @JsonProperty on a getter with @JsonIgnore on the setter - a common read-only-over-the-wire pattern - and MapperFeature.INFER_PROPERTY_MUTATORS is enabled (the default). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The GHSA advisory characterizes the impact as property tampering and mass assignment; maintainers rate it minor despite a reporter-assessed HIGH severity.

Deserialization Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12969 MEDIUM PATCH This Month

Heap out-of-bounds read in dnsmasq's find_soa() function allows a remote attacker controlling a DNS zone to leak up to 10 bytes of stale heap memory by serving a crafted NXDOMAIN response. The flaw exists because extract_name() is invoked with extrabytes=0 when parsing NS section records, skipping the mandatory boundary check for the 10-byte fixed-length DNS record trailer fields. Confirmed affected platforms include Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4; no public exploit or CISA KEV listing has been identified at time of analysis.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +3
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-54517 MEDIUM PATCH GHSA This Month

@JsonView access-control bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows remote attackers to write values into setterless Collection/Map properties that are restricted by a @JsonView annotation, defeating view-based mass-assignment protection during deserialization. The regression was introduced when SetterlessProperty.isMerging() was changed to return true, routing these properties through an unguarded buffering branch in BeanDeserializer._deserializeUsingPropertyBased that lacked the prop.visibleInView(activeView) check applied to creator properties. No public exploit code has been identified and this is not listed in CISA KEV; however, applications relying on @JsonView for security-critical field-level access control - such as role or permission gating - are directly and completely bypassed.

Authentication Bypass Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.2%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy