Skip to main content
CVE-2026-56786 CRITICAL POC Act Now

Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length counters allow up to a 191-byte overflow into fixed 64-byte descriptor fields when parsing an RTCM3 type-1033 message. An attacker who controls an NTRIP or serial RTCM3 correction stream can deliver a CRC-valid crafted message to corrupt adjacent rtcm_t members, potentially achieving arbitrary code execution or denial of service. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified as actively exploited in CISA KEV.

Memory Corruption Denial Of Service Buffer Overflow RCE Rtklib
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-50016 HIGH POC PATCH GHSA This Week

Path traversal in pnpm before 10.34.0 and 11.4.0 lets a malicious registry package smuggle '../' segments inside a transitive dependency alias, which pnpm then trusts as a filesystem path while linking dependency nodes. During a normal install - even with `pnpm install --ignore-scripts` - this allows a published package to replace paths inside the victim's project with symlinks pointing at attacker-controlled dependency directories, corrupting project integrity and enabling downstream code execution. No public exploit is identified at time of analysis; risk is amplified because the bug fires without lifecycle scripts, defeating the `--ignore-scripts` safety habit.

Path Traversal Pnpm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-55698 HIGH POC PATCH GHSA This Week

Arbitrary code execution in the pnpm package manager (versions prior to 10.34.2 and 11.5.3) lets a malicious repository hijack pnpm's automatic version-switching mechanism. By committing crafted package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml - including matching pnpm and @pnpm/exe versions plus package records and snapshots - an attacker bypasses fresh package-manager resolution and causes pnpm to install and execute attacker-selected bytes when a developer runs pnpm in the cloned repo. No public exploit identified at time of analysis; the high CVSS of 8.8 reflects full confidentiality, integrity, and availability impact, gated only by the user running pnpm against the poisoned repository.

Authentication Bypass Pnpm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-55697 HIGH POC PATCH GHSA This Week

Arbitrary command execution in pnpm before 10.34.2 and 11.5.3 allows a malicious repository to run attacker-chosen native binaries as the developer or CI user during a routine install. The flaw stems from pnpm processing configDependencies in pnpm-workspace.yaml before command dispatch: a repo could declare pacquet/@pnpm/pacquet as a config dependency, causing pnpm to resolve a platform-specific @pacquet/<platform>-<arch>/pacquet binary from node_modules/.pnpm-config and spawn it. Publicly available exploit code exists, though EPSS is low (0.12%, 2nd percentile) and it is not in CISA KEV.

Command Injection Pnpm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-5305 HIGH POC PATCH This Week

Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. Successful exploitation executes attacker script in the browser of any user who later renders the affected page, typically an authenticated administrator.

WordPress XSS Email Address Encoder Email Encoder Premium
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-56770 HIGH POC This Week

Denial of service in libais through version 0.15 lets remote unauthenticated attackers crash AIS-processing services and vessel systems by sending malformed AIVDM sentences. The VdmStream::AddLine routine treats an unchecked sentinel value as a vector index when a sentence carries an empty or out-of-range sequential message ID, producing an out-of-bounds vector access (CWE-129) and potential memory corruption. Publicly available exploit code exists and the issue was reported by VulnCheck, though it is not listed in CISA KEV.

Denial Of Service Libais
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56122 HIGH POC This Week

Arbitrary file read in Winstone Servlet Engine (versions through 0.9.10) lets unauthenticated remote attackers retrieve any file readable by the servlet process by embedding dot-dot-slash sequences in HTTP GET request paths to the static-file handler. The flaw stems from missing path sanitization when resolving requests against the configured webroot, and publicly available exploit code exists (reported by VulnCheck), though it is not listed in CISA KEV. Impact is confidentiality-only but high, escalating to disclosure of OS-level secrets when the engine runs with elevated privileges.

Path Traversal Winstone Servlet Container
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56766 HIGH POC PATCH This Week

Remote code execution in THC Hydra through 9.7 allows a malicious or attacker-controlled server to compromise the machine running the Hydra brute-force client during NTLM authentication. When Hydra connects to such a server across its SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, or HTTP-Proxy-Urlenum modules, a crafted NTLM Type-2 challenge with an overlong domain string causes the base64-encoded response to overflow a 500-byte stack buffer by 18 to 330 bytes, enabling code execution on hosts lacking stack protection. No public exploit identified at time of analysis, but a vendor patch (commit 9cc84c2) is available, and the issue inverts the usual threat model - the operator of the offensive tool becomes the victim.

Buffer Overflow Stack Overflow RCE Thc Hydra
NVD GitHub VulDB Exploit-DB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-50021 HIGH POC PATCH GHSA This Week

Integrity-check bypass in the pnpm package manager (versions before 10.34.0/10.34.1 and 11.0.0-11.3.x) lets tampered packages install silently because the tarball extraction worker skips hash verification whenever the lockfile resolution has no `integrity` field. An attacker who can both edit `pnpm-lock.yaml` to drop the `integrity:` line and cause the referenced registry URL to serve altered content can push a malicious package through `pnpm install --frozen-lockfile` without any integrity error - a fail-open gap that npm's `npm ci` does not share. Publicly available exploit code exists; EPSS is low (0.12%, 2nd percentile) and the issue is not in CISA KEV.

Node.js Information Disclosure Pnpm
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-60464 HIGH POC This Week

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_load_from_state_internal function of the SEI loader filter (src/filters/sei_load.c). Processing a maliciously crafted MPEG-2 Transport Stream file causes the parser to dereference a dangling pointer, crashing the application. Publicly available exploit code (a PoC test case and write-up) exists, though the issue is not listed in CISA KEV and carries a low EPSS exploitation probability (0.17%, 6th percentile).

Memory Corruption Denial Of Service Use After Free N A
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-38637 HIGH POC This Week

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input.

Denial Of Service N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-38640 HIGH POC This Week

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a process by supplying a crafted string that reaches a panicking `unwrap()` inside the `__assert_fail` function in /assert/mod.rs. Any program linked against the affected relibc that routes attacker-influenced data through an assertion failure path can be forced to abort. Publicly available exploit code exists, but the issue is not listed in CISA KEV and EPSS is low (0.17%, 6th percentile), indicating no observed widespread exploitation.

Denial Of Service N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-9702 HIGH POC PATCH This Week

Order shipping-destination tampering in the InPost PL WooCommerce plugin (versions before 1.9.1) lets unauthenticated remote attackers silently change the parcel-locker delivery point of any order still in 'pending' or 'processing' status, because the plugin never verifies the request comes from the legitimate buyer. Publicly available exploit code exists and a vendor patch has been released, though this is not listed in CISA KEV (no public exploit identified as actively exploited at time of analysis beyond the published POC). With CVSS 7.5 and an integrity-only impact, the practical risk is shipment redirection / parcel theft rather than data disclosure.

WordPress Information Disclosure Inpost Pl
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40702 CRITICAL CISA Emergency

Authentication bypass in Evoke Systems' Evoke CSMS (EV Charging Station Management System) lets remote unauthenticated attackers connect to its WebSocket endpoints and impersonate legitimate charging stations. Because the OCPP-style WebSocket channel performs no authentication, an attacker can read sensitive station/session data and issue unauthorized commands, leading to privilege escalation and potential compromise of the broader charging backend. CVSS 4.0 rates this 9.3 (Critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though it is the subject of a CISA ICS advisory (ICSA-26-176-02).

Authentication Bypass Privilege Escalation Information Disclosure Evoke Csms
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-50015 HIGH POC PATCH GHSA This Week

Arbitrary file write and deletion in pnpm package manager (versions prior to 10.34.0 and 11.4.0) lets a malicious contributor abuse the @pnpm/patch-package pipeline, which applies `.patch` files without validating the file paths in their `diff --git` headers. Because patch diff headers are opaque to most code reviewers, an attacker can slip `../../` traversal sequences into a pull request and, when a maintainer runs `pnpm install`, write attacker-controlled content to or delete arbitrary files with the privileges of the installing user. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the moderate-to-high CVSS of 7.3 reflects high integrity and availability impact gated by required user interaction.

Path Traversal Pnpm
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-50014 HIGH POC PATCH GHSA This Week

Arbitrary command execution in pnpm before 10.34.0 and 11.4.0 allows a malicious lockfile to run code on a developer's machine during `pnpm install`. Because pnpm passes the lockfile-controlled `resolution.commit` to `git fetch`/`git checkout` without a `--` separator or 40-hex-character validation, an attacker can substitute the expected commit hash with a Git option such as `--upload-pack=<command>`, which Git executes for SSH and local (file://) transports. Publicly available exploit code exists (POC), but there is no public exploit identified as actively exploited; EPSS is low (0.17%, 7th percentile), consistent with a developer-targeted supply-chain vector rather than mass internet scanning.

Information Disclosure Pnpm
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-45233 HIGH POC This Week

Arbitrary file relocation in HTMLy CMS through version 3.1.1 allows low-privileged authenticated users to move any web-server-writable file by injecting directory traversal sequences into the oldfile parameter of the admin autosave endpoint. Reported by VulnCheck with publicly available exploit code, the flaw stems from passing unsanitized input directly to file_exists() and rename() in admin.php. It is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis despite the available POC.

Path Traversal PHP Htmly
NVD GitHub
CVSS 4.0
7.2
EPSS
0.6%
CVE-2026-57520 HIGH POC PATCH This Week

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a Custom role with the ManageUsers permission delete Admin accounts from the organization, undermining administrative control. The flaw stems from the bulk user-remove (DELETE) endpoint omitting the role-hierarchy guard that the single-user removal path enforces, so a lower-privileged user can strip Admins by submitting their organization-user IDs in a batch request. Publicly available exploit code exists (VulnCheck/researcher write-up), it is not listed in CISA KEV, and no EPSS score was provided in the input.

Authentication Bypass Privilege Escalation Server
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-55700 HIGH POC PATCH GHSA This Week

Path traversal in pnpm's `pnpm stage download` command (versions 11.3.0 through 11.5.2) lets a malicious or compromised registry overwrite arbitrary files reachable by the user running the command. The tool built a local tarball filename directly from registry-controlled package name and version fields, so a crafted manifest (e.g. a version like `1.0.0/../../evil`) escaped the intended download directory. This is fixed in 11.5.3; no public exploit identified at time of analysis, though the fixing PR (#12303) includes proof-of-traversal test cases.

Path Traversal Pnpm
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-56789 HIGH POC This Week

Denial-of-service memory corruption in RTKLIB through version 2.4.3 lets an attacker crash GNSS post-processing applications such as rnx2rtkp and RTKPOST by supplying a malicious RINEX observation file. The readrnxobsb function in src/rinex.c fails to clamp the satellite-count value read from RINEX epoch headers, so a file declaring more than 64 satellites per epoch triggers a heap buffer overflow write and out-of-bounds stack reads. Publicly available exploit code exists (VulnCheck/GitHub issue #796); there is no public exploit identified as actively exploited, and the CVSS 4.0 impact is limited to availability (VA:H).

Heap Overflow Buffer Overflow Rtklib
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56790 HIGH POC PATCH This Week

Denial of service in CANBoat (the open-source NMEA 2000/CAN bus analyzer) through version 6.22 allows attackers to crash the analyzer by delivering a crafted NMEA-2000 message containing an out-of-range PGN value. The flaw is an off-by-one global buffer overflow in the searchForPgn() binary-search routine in analyzer/pgn.c, where an out-of-range PGN causes a one-element read past the end of the pgnList[] table. Publicly available exploit code exists (FuzzingLabs PoC value 393216 via issue #644), and a vendor patch is available; there is no public exploit identified as actively exploited.

Denial Of Service Buffer Overflow Canboat
NVD GitHub
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-56787 MEDIUM POC This Month

Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attackers to trigger a global buffer overflow by sending crafted RTCM3 SSR correction messages with attacker-controlled signal mode fields over NTRIP or serial connections. All RTKLIB versions through 2.4.3 are affected, with the primary impact being denial of service or crash of GNSS rovers and CORS server deployments. A publicly available exploit exists per VulnCheck intelligence, though this vulnerability is not confirmed in CISA KEV at time of analysis.

Denial Of Service Buffer Overflow Rtklib
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56445 HIGH CISA Act Now

Arbitrary file write in the pynetdicom library's qrscp storage SCP application allows a remote, unauthenticated attacker to plant files at attacker-chosen paths on the receiving host. The qrscp C-STORE handler trusts a value taken from an incoming DICOM dataset and passes it into os.path.join() without sanitization, so a crafted instance identifier containing path-traversal sequences escapes the intended storage directory. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 8.8 and unauthenticated network reachability make this a high-priority issue for any exposed DICOM endpoint.

Path Traversal Pynetdicom Library
NVD GitHub
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-9717 HIGH CISA Act Now

Authenticated command injection in Schneider Electric PowerLogic P7 power metering devices allows a privileged user to execute arbitrary OS commands with elevated privileges over a network-exposed service, fully compromising device integrity, confidentiality, and availability. The flaw (CWE-78) stems from improper neutralization of special elements passed to an underlying OS command. No public exploit identified at time of analysis, and the device is not listed in CISA KEV; EPSS data was not provided.

Command Injection Powerlogic P7
NVD VulDB
CVSS 4.0
8.6
EPSS
1.0%
CVE-2026-50176 HIGH CISA Act Now

Denial-of-service and credential brute-force exposure in Evoke Systems' Evoke CSMS (an EV charging station management system) stems from its WebSocket API enforcing no rate limit on authentication requests, letting a remote, network-positioned attacker flood the authentication endpoint to exhaust resources or rapidly guess credentials for unauthorized access. CISA's ICS-CERT (advisory ICSA-26-176-02) coordinated this issue, which carries a CVSS 4.0 base of 8.7 driven by high availability impact. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Evoke Csms
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-9716 HIGH CISA Act Now

Denial-of-service in Schneider Electric PowerLogic P7 power metering devices allows remote, unauthenticated attackers to crash the device's HMI and configuration functionality by sending malformed requests to exposed network interfaces. The flaw stems from a NULL pointer dereference (CWE-476) that renders local management and configuration unavailable until recovery. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 4.0 base score of 8.7 reflects a high availability impact with no confidentiality or integrity exposure.

Denial Of Service Null Pointer Dereference Powerlogic P7
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-9650 HIGH CISA Act Now

Credential exposure in Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP Remote Terminal Units & Controllers allows an unauthenticated attacker to recover credentials that are insufficiently protected within device firmware or system files (CWE-522). The recovered credentials can then be used to fully compromise the device when the attacker also has physical access. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; vendor advisory SEVD-2026-160-02 covers the affected OT products.

Authentication Bypass Easylogic T150 Formerly Saitel Dr Remote Terminal Unit Controller Saitel Dp Remote Terminal Unit Controller
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-55699 MEDIUM POC PATCH GHSA This Month

Path traversal in pnpm's global package management flows allows deletion of the global bin directory or its parent when a malicious package with specially crafted bin keys is installed. Packages carrying ".", "..", or "" as bin object keys in their manifest bypass pnpm's bin-name guard; subsequent global remove, update, or add-replacement operations re-derive those names and pass them through path.join(globalBinDir, binName) into removeBin, resolving to the bin directory itself or its parent. No public exploit has been identified at time of analysis, but fixed versions 10.34.2 and 11.5.3 are available and should be applied immediately given the supply-chain delivery mechanism.

Path Traversal Pnpm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-55180 MEDIUM POC PATCH GHSA This Month

{ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml files into registry request URLs and credentials. When a developer clones and runs pnpm install in a crafted repository, the package manager resolves dependency requests against attacker-controlled registry endpoints, transmitting whatever environment variables (tokens, API keys, credentials) the victim has set in their shell. Critically, this exfiltration occurs during dependency resolution - before lifecycle scripts execute - meaning mitigations like --ignore-scripts do not prevent the data leak. No public exploit or CISA KEV listing is identified at time of analysis.

Information Disclosure Pnpm
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-10824 MEDIUM POC PATCH This Month

Unauthenticated access to Masteriyo LMS WordPress plugin's course-progress REST API controller exposes all users' learning records to read and permanent deletion. All plugin versions before 2.2.1 are affected due to a missing authorization check on the REST endpoint, meaning any unauthenticated HTTP client can target arbitrary user IDs. A publicly available proof-of-concept exists per WPScan; however, EPSS sits at just 0.14% (3rd percentile), suggesting opportunistic exploitation has not yet materialized at scale despite the low barrier to entry.

WordPress Information Disclosure Masteriyo Lms
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-12921 HIGH CISA Act Now

Arbitrary code execution in AzeoTech DAQFactory (versions 21.1 and prior) arises from a use-after-free flaw triggered when the application parses a maliciously crafted .ctl project/control file. An attacker who can convince an operator to open a booby-trapped .ctl file can corrupt memory and run code in the context of the DAQFactory process on the engineering or HMI workstation. No public exploit is identified at time of analysis and the CVE is not in CISA KEV, but it carries a high CVSS 4.0 base score of 8.4 driven by full confidentiality, integrity, and availability impact.

Memory Corruption Denial Of Service Use After Free RCE Daqfactory
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-12473 HIGH CISA Act Now

Server-side request forgery in the Open Health Imaging Foundation (OHIF) DICOM Web Viewer Framework lets an attacker exfiltrate an authenticated user's OIDC Bearer token by abusing the default-enabled DICOMWebProxy and DICOMJSON data sources, which fetch an attacker-supplied URL without validation while OHIF's global auth service silently attaches the victim's token to the outbound request. Any authenticated user lured into loading a malicious viewer link sends their live credential to an attacker-controlled host, enabling identity takeover against the PACS or backend. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the high-impact token leakage and default-configuration exposure make it a meaningful credential-theft risk.

SSRF Dicom Web Viewer Framework
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-56769 MEDIUM POC PATCH This Month

Server-side request forgery in Huly Platform's /import endpoint allows authenticated workspace users to coerce the front pod into making arbitrary HTTP requests to internal infrastructure. Any valid workspace account can supply attacker-controlled URLs; the server fetches them, leaking internal service responses - including cloud metadata credentials - back to the attacker. A publicly available exploit exists per the GitHub issue tracker, though active exploitation has not been confirmed by CISA KEV. The CVSS 4.0 vector assigns SC:H, flagging high confidentiality impact on subsequent (internal) systems as the primary risk.

SSRF Platform
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2025-60465 MEDIUM POC This Month

Use-after-free in MP4Box's filter pipeline core (gf_filter_pid_inst_swap in filter_pid.c) allows local attackers to crash the application - and potentially achieve memory corruption beyond DoS - by supplying a crafted media file. Publicly available exploit code exists for this vulnerability, hosted on GitHub in a dedicated proof-of-concept repository. The EPSS score is low (0.17%, 6th percentile) with no CISA KEV listing, suggesting the public POC is research-grade rather than part of active exploitation campaigns, but the barrier to triggering a crash is low for any attacker with file delivery capability.

Memory Corruption Denial Of Service Use After Free N A
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-71338 CRITICAL Act Now

Arbitrary file write leading to remote code execution in FlowiseAI Flowise (versions <= 2.2.7) lets unauthenticated remote attackers overwrite any file on the host via the /api/v1/document-store/loader/process endpoint. The fileName parameter is passed unsanitized into path.join() inside storageUtils.ts, so ../ sequences escape the storage directory; overwriting package.json injects a malicious start script that executes on the next application restart. Publicly available exploit code exists (vendor GHSA PoC overwriting package.json), and the issue carries a CVSS 4.0 base score of 10.0; no public active-exploitation listing was identified at time of analysis.

Path Traversal RCE Flowise
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.6%
CVE-2026-57700 CRITICAL Act Now

Arbitrary file upload in Daan.Dev's OMGF Pro WordPress plugin (versions through 5.2.6) lets remote attackers upload files of dangerous types, enabling webshell deployment and full site/server takeover. The CVSS 3.1 base score is 10.0 with a scope-changed vector, and the vector's PR:N indicates the flaw is reachable without authentication. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

File Upload Omgf Pro
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-48529 MEDIUM POC PATCH GHSA This Month

Lockdown mode in GitHub MCP Server HTTP deployments (versions 0.22.0-1.1.1) fails to isolate per-user GraphQL credentials due to a process-global singleton that retains the first authenticated user's client for the lifetime of the process. All subsequent users' IsSafeContent checks-the security gate that decides whether content from external contributors is sanitized before reaching the AI model-are evaluated under the first user's GitHub token and identity, producing wrong access control decisions for every user except the first. A publicly available proof-of-concept confirms the singleton pointer collision; no active exploitation (CISA KEV) has been confirmed at time of analysis.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.0
EPSS
0.2%
CVE-2026-46752 CRITICAL Act Now

Memory corruption in Apache Kvrocks' embedded Lua scripting engine allows a client able to run EVAL/EVALSHA commands to trigger a stack buffer overflow in the bit.tohex() function, potentially crashing the server or corrupting process memory toward code execution. Kvrocks is a Redis-protocol-compatible distributed key-value store, and this flaw was disclosed via the oss-security mailing list on 2026-06-25 alongside three other Kvrocks issues. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Path Traversal Buffer Overflow Apache Heap Overflow
NVD VulDB
CVSS 4.0
10.0
EPSS
0.3%
CVE-2026-8666 CRITICAL PATCH Act Now

OS command injection in Rapid7's InsightConnect Traceroute Plugin (Linux, versions below 1.0.3) lets attackers inject arbitrary shell commands through the traceroute action's host, port, max_ttl, count, or time_out parameters, which are concatenated into a shell command without sufficient validation. Successful exploitation grants full command execution in the plugin container with the same impact on confidentiality, integrity, and availability. This was reported by the vendor (Rapid7) with a fix in 1.0.3; there is no public exploit identified at time of analysis, and EPSS sits at a modest 0.55% (42nd percentile).

Command Injection Insightconnect Traceroute Plugin
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-8592 CRITICAL PATCH Act Now

Remote OS command injection in Rapid7's InsightConnect AWK Plugin (versions below 1.2.2 on Linux) lets attackers run arbitrary operating-system commands through the process_string action's text or expression parameters, which are unsafely concatenated into a shell command. The CVSS 9.8 rating reflects full confidentiality, integrity, and availability loss with no privileges or user interaction required by the vector. There is no public exploit identified at time of analysis, EPSS is low (0.55%), and CISA SSVC marks exploitation as none, so risk today is potential rather than observed.

Command Injection Insightconnect Awk Plugin
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-8665 CRITICAL PATCH Act Now

OS command injection in Rapid7's InsightConnect Translate (TR) Plugin on Linux lets remote attackers run arbitrary shell commands by injecting into the 'text' or 'expression' parameters of the TR action, which are concatenated into a shell command without sanitization (CWE-78). All plugin versions before 2.0.3 are affected. There is no public exploit identified at time of analysis and EPSS is low (0.55%), but the flaw yields full system compromise per the vendor's own SSVC 'total' technical-impact rating.

Command Injection Insightconnect Tr Plugin
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-8660 CRITICAL PATCH Act Now

OS command injection in Rapid7's InsightConnect Ping Plugin (versions before 1.0.4) on Linux lets attackers run arbitrary operating-system commands by injecting shell metacharacters into the host parameter of the plugin's ping action, which is concatenated into a shell command without proper sanitization. Any actor able to influence the host input flowing into this SOAR plugin gains full code execution on the plugin's runtime host. There is no public exploit identified at time of analysis, EPSS is low (0.55%), and CISA's SSVC marks exploitation as 'none' and the flaw as not automatable, so risk is real but not yet observed in the wild.

Command Injection Insightconnect Ping Plugin
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-55166 CRITICAL POC PATCH GHSA Act Now

Privilege escalation to AWS IAM and PKI compromise in Netflix Lemur 1.9.0 (and earlier) lets any SSO-authenticated, low-privilege user chain an ACME acme_url SSRF with a creator-equality IDOR to steal the worker's AWS STS credentials and retain permanent access to issued TLS private keys. Because Lemur auto-provisions new SSO identities as active=True, any holder of a trusted federated identity can reach the vulnerable authority-creation and key-fetch endpoints. A detailed, fully reproduced proof-of-concept (Docker lab plus asciinema recording) exists publicly, though there is no public exploit identified as being used in active attacks and the issue is fixed in 1.9.2.

Python Authentication Bypass SSRF OpenSSL Docker
NVD GitHub
CVSS 3.1
9.9
CVE-2026-54823 CRITICAL Act Now

Code injection in the Widget Options WordPress plugin (versions <= 4.2.3, by marketingfire) allows authenticated users holding the low-privileged Contributor role to achieve remote code execution on the host. Because exploitation only requires a Contributor account - a role frequently granted on multi-author and membership sites - an attacker who can register or compromise such an account can run arbitrary PHP and fully take over the site. There is no public exploit identified at time of analysis, but the 9.9 CVSS and CWE-94 classification place this at the most severe end of WordPress plugin flaws.

Code Injection RCE Widget Options
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-41120 CRITICAL Act Now

Remote code execution affects Dell Wyse Management Suite in all versions prior to WMS 5.5 HF1, stemming from the application's acceptance of extraneous untrusted data alongside trusted data (CWE-349). Per the provided CVSS vector (PR:N), a remote unauthenticated attacker could potentially achieve full code execution against the management server, though the Dell description text characterizes the actor as 'low privileged' - a discrepancy worth verifying. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Dell RCE Wyse Management Suite
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-53176 CRITICAL PATCH Act Now

Remote denial of service in the Linux kernel's iSER (iSCSI Extensions for RDMA) target driver (IB/isert) allows an unauthenticated attacker on the RDMA fabric to crash a storage target node by sending an undersized iSCSI login PDU. The isert_login_recv_done() handler subtracts the 76-byte ISER_HEADERS_LEN from the received byte count without a lower bound, producing a negative signed login_req_len that is later sign-extended into a multi-gigabyte memcpy() length, causing a faulting out-of-bounds copy. Because the login phase precedes iSCSI authentication, no credentials are required; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%).

Linux Denial Of Service
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53247 CRITICAL PATCH Act Now

Memory corruption (use-after-free) in the Linux kernel's MediaTek mtk_eth_soc Ethernet driver allows the metadata destination object to be freed via kfree() during driver teardown while the RX path may still hold a non-refcounted (noref) pointer to it from a live skb. Affects systems running the mtk_eth_soc driver (MediaTek SoC networking, common in routers/embedded devices) across multiple kernel branches; the fix routes the free through dst_release() so the RCU grace period is honored. No public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and it is not in CISA KEV - despite the input's nominal CVSS of 9.8.

Authentication Bypass Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53228 CRITICAL PATCH Act Now

Use-after-free read in the Linux kernel's IPv6 SIT (IPv6-in-IPv4) tunnel transmit path lets a stale inner-IPv6-header pointer be dereferenced after GSO offload processing relocates the skb head, exposing freed kernel memory or crashing the host. The flaw affects systems running SIT tunnels in ipip6_tunnel_xmit(), where iptunnel_handle_offloads() may call pskb_expand_head() and move the buffer while the code keeps reading the old iph6 pointer. There is no public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile) and the issue is not in CISA KEV. The vendor-tagged impact is Information Disclosure, which is materially narrower than the assigned CVSS 9.8.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53221 CRITICAL PATCH Act Now

Incorrect tunnel matching in the Linux kernel's IPv6 Virtual Tunnel Interface (vti6) lets the vti6_tnl_lookup() fallback path select the wrong tunnel when an exact match fails, because the wildcard-search loops omitted checks that a candidate tunnel actually holds a wildcard local or remote address. On hosts configured with multiple vti6 tunnels sharing the ip6n->tnls_r_l hash table, hash collisions can cause inbound IPv6/IPsec packets to be associated with an unintended tunnel, enabling traffic misdirection and information disclosure. There is no public exploit identified at time of analysis, EPSS probability is low (0.18%), and the issue is not in CISA KEV; the upstream fix is available across multiple stable kernel branches.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53216 CRITICAL PATCH Act Now

Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver allows the XDP fast-path to write past the real packet buffer on hardware using short BM pools. The driver hard-codes PAGE_SIZE as the XDP frame size even when short-pool buffers are smaller, so bpf_xdp_adjust_tail() can legitimately grow a frame beyond its actual allocation, corrupting adjacent memory or later tripping skb tailroom checks. EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis; despite the auto-assigned 9.8 CVSS, realistic exploitation is constrained to systems running an XDP program on affected Marvell hardware.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
Page 1 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy