Skip to main content
CVE-2026-53255 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel Bluetooth management (MGMT) interface lets a local user with Bluetooth privileges trigger a one-byte read past the advertising-data buffer by submitting a malformed MGMT_OP_ADD_ADVERTISING request. The flaw lives in tlv_data_is_valid(), which inspects the type octet at data[i+1] before confirming the current TLV element fits in the buffer; KASAN flags it as a vmalloc-out-of-bounds read. No public exploit identified at time of analysis and EPSS risk is low (0.17%), consistent with a local-only kernel memory-safety bug rather than a remotely weaponizable one.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53138 HIGH PATCH This Week

Out-of-bounds read and unbounded-iteration denial of service in the Linux kernel's AMD Display (amdgpu DC) driver arises when the bios_parser/bios_parser2 code walks VBIOS record chains that lack a proper 0xFF terminator record. A local attacker able to supply a malformed VBIOS image can force hundreds of thousands of probe-time iterations (with record_size=1) and, near the image boundary, trigger struct casts that read past the 2-byte header validated by GET_IMAGE. There is no public exploit identified at time of analysis, and the EPSS score is low (0.17%, 6th percentile), consistent with a local, firmware-dependent memory-safety bug rather than a broadly exploited remote flaw.

Linux Amd Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53132 HIGH PATCH This Week

Denial of service in the Linux kernel's virtio vsock transport allows a local actor to exhaust kernel memory by flooding the socket with zero-length packets flagged VIRTIO_VSOCK_SEQ_EOM, which bypass receive-buffer accounting and grow the skb receive queue without bound. The flaw affects the vsock/virtio guest-host communication path and carries CVSS 7.1 (A:H, scope-changed); EPSS is low (0.17%, 6th percentile) and there is no public exploit identified at time of analysis. Note a data conflict: the input tags it 'Information Disclosure', but the CVSS vector (C:N/I:N/A:H) and the description describe a memory-exhaustion availability issue, not disclosure.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-54040 HIGH PATCH This Week

Authentication-bypass weakness in LibreChat before 0.8.4-rc1 lets an attacker who already holds a valid session silently regenerate all of a victim's two-factor backup codes via POST /api/auth/2fa/backup/regenerate, which never asks for a current TOTP token or an existing backup code. With fresh codes in hand, the attacker can bypass 2FA at login or turn 2FA off entirely, neutralizing the account's second factor. EPSS is low (0.15%, 5th percentile) and no active exploitation is recorded, but proof-of-concept exploitation is acknowledged in the SSVC framework.

Authentication Bypass Librechat
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-4930 HIGH This Week

Reduced cryptographic key protection in Silicon Labs' SiXG301 SYMCRYPTO hardware engine (exposed via the Simplicity SDK PSA crypto library) allows an attacker who already has on-device code execution to weaken the engine's Differential Power Analysis (DPA) countermeasures by forcing low-entropy seed values, making AES/hashing keys far easier to recover through subsequent power-analysis side-channel attacks. The flaw affects embedded systems built on the SiXG301 SoC and was reported by Silicon Labs. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation also requires physical access to the device for the power measurements.

RCE Simplicity Sdk
NVD
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-47154 HIGH PATCH This Week

Remote denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash the target by sending a malformed Simple Metering GetProfileResponse message that triggers an out-of-bounds read while iterating interval entries, terminating the process. Exploitation requires the attacker to be an authenticated member of the Zigbee network and only affects devices implementing the Simple Metering cluster. No public exploit identified at time of analysis, and no information leakage back to the sender was observed.

Buffer Overflow Information Disclosure Emberznet
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-47153 HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows a device already joined to the Zigbee network to crash a target node by sending a malformed Level Control 'Step' command that triggers a divide-by-zero (CWE-369) fault and terminates the process. Only nodes implementing the Level Control cluster are affected, and exploitation requires the attacker to already be an authenticated member of the network (CVSS 4.0 PR:L, VA:H). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Emberznet
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-47152 HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined network device to crash the host process via a malformed Level Control 'Move' command that triggers a divide-by-zero fault. Only deployments where the target device supports the Level Control cluster are affected, and exploitation requires the attacker to be an authenticated member of the Zigbee network (PR:L). No public exploit identified at time of analysis; this is not on CISA KEV.

Information Disclosure Emberznet
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-47151 HIGH PATCH This Week

Out-of-bounds memory writes in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allow an already-joined network device to corrupt Door Lock schedule state by sending malformed ClearWeekdaySchedule messages. Only devices implementing the Door Lock cluster are affected, and the corruption is bounded in size and location, primarily threatening availability/integrity rather than data disclosure. No public exploit identified at time of analysis; a vendor patch is available.

Memory Corruption Buffer Overflow Emberznet
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-47150 HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet (Zigbee stack) versions 9.0.2 and earlier allows an already-joined network device to crash the host process by sending malformed IAS Zone enrollment messages, which trigger an out-of-bounds write to the state table. Only nodes that support the IAS Zone (security sensor) cluster are affected, and the attacker must already hold a valid place on the Zigbee network (PR:L). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Memory Corruption Buffer Overflow Emberznet
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-47149 HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash the target by sending Door Lock cluster messages containing malformed or out-of-range user identifiers, which trigger an out-of-bounds table read (CWE-125) that terminates the process. Only devices that implement the Door Lock cluster are affected, and no data is leaked back to the sender. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV.

Buffer Overflow Information Disclosure Emberznet
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-47148 HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to crash a target by sending malformed GetGroupMembership commands, which cause repeated out-of-bounds reads past the message payload and terminate the process. Only devices implementing the Groups cluster are affected, and no information leakage to the sender was observed despite the read primitive. There is no public exploit identified at time of analysis, no CISA KEV listing, and the impact is availability-only (process termination), not code execution or data disclosure.

Buffer Overflow Information Disclosure Emberznet
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-47147 HIGH PATCH This Week

Out-of-bounds read in the Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device send malformed Over-The-Air (OTA) update requests that drive the OTA Server cluster parser past buffer boundaries, leaking a small, size- and location-limited amount of RAM back to the requester and potentially disrupting the OTA service. Only nodes that implement the OTA Server cluster are affected, and exploitation requires prior network membership (PR:L authenticated). No public exploit is identified and the CVE is not in CISA KEV; the CVSS 4.0 base score of 7.1 is driven mainly by high availability impact (VA:H) rather than data theft.

Buffer Overflow Information Disclosure Emberznet
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-47146 HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash a target by sending malformed Color Control cluster messages that trip a reachable assertion and terminate the process. Only devices implementing the Color Control cluster (typically color-capable lighting) are affected, and the attacker must already be a member of the Zigbee network. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Emberznet
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-47145 HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to crash the target by sending malformed Color Control cluster messages, which trigger a reachable assertion that terminates the process. Only devices implementing the Color Control cluster (typically Zigbee lighting/color-capable nodes and coordinators) are affected. Vendor-rated CVSS 4.0 7.1 with availability-only impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Emberznet
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-4526 HIGH PATCH This Week

Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined Zigbee device to crash the process by sending malformed global ZCL (Zigbee Cluster Library) messages that trigger out-of-bounds reads in the framework parsing logic. The flaw affects availability only - no information leakage back to the sender was observed despite the dataset's 'Information Disclosure' tag. A vendor patch is available, and there is no public exploit identified at time of analysis.

Buffer Overflow Information Disclosure Emberznet
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56071 HIGH This Week

Cross-site scripting in the Forminator WordPress plugin (versions 1.53.1 and earlier, by WPMU DEV) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they interact with crafted content. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C, score 7.1) confirms no authentication is required but that user interaction triggers the payload, and the changed scope means the injected script runs in a security context beyond the vulnerable component. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Forminator
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56042 HIGH This Week

Stored/reflected Cross-Site Scripting in the Advanced Order Export For WooCommerce WordPress plugin (by AlgolPlus) affects all versions up to and including 4.0.9, letting a remote attacker inject script that executes in the browser of a victim who views attacker-controlled order/export data. The flaw carries a CVSS 7.1 rating driven by a scope change (attacker script runs outside the vulnerable component's security context) and requires victim interaction; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.

WordPress XSS Advanced Order Export For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56014 HIGH This Week

Stored or reflected cross-site scripting in the Averta Master Slider WordPress plugin (versions 3.11.2 and earlier) lets unauthenticated remote attackers inject script that executes in a victim's browser, but only after the victim interacts with attacker-supplied content (UI:R). The CVSS:3.1 vector's scope change (S:C) reflects that injected code runs in the browser's trust context rather than the plugin's, enabling session theft or actions on behalf of the victim. There is no public exploit identified at time of analysis and the issue is not on CISA KEV.

XSS Master Slider
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56006 HIGH This Week

Reflected cross-site scripting in the H5P WordPress plugin (versions 1.17.6 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link, per the CVSS PR:N/UI:R vector. Because the scope is changed (S:C), successful execution can reach beyond the vulnerable component into the authenticated WordPress session context, enabling session/cookie theft or admin-context actions. There is no public exploit identified and the issue is not listed in CISA KEV, so risk is moderate (CVSS 7.1) and contingent on social-engineering a logged-in user.

XSS H5P
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56005 HIGH This Week

Stored/reflected Cross-Site Scripting in Melapress's WP Activity Log WordPress plugin (versions <= 5.6.3.1, reported by Patchstack) lets a low-privileged Subscriber-level user inject script that executes in another user's browser, with a CVSS-rated scope change (S:C) meaning the payload can affect resources beyond the plugin's own security context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; direct impact is limited (C:L/I:L/A:L) but the cross-context scope and low attack complexity make it relevant for sites that allow open registration.

XSS Wp Activity Log
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-55092 HIGH PATCH This Week

Arbitrary file write in Aqua Security's Trivy scanner (prior to 0.71.1) allows an attacker who can make Trivy fetch an attacker-controlled OCI artifact to write layer content anywhere on the host filesystem. Trivy trusts the org.opencontainers.image.title manifest annotation as the output filename without sanitization, so a crafted value containing path-traversal sequences escapes the intended download directory (CWE-22). No public exploit has been identified at time of analysis; the CVSS 4.0 score is 7.0 (high), driven by high integrity and availability impact requiring user interaction.

Path Traversal Trivy Suse
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-46732 HIGH This Week

Local privilege escalation in Dell Display and Peripheral Manager (DDPM) for Mac, versions prior to 2.3, lets a low-privileged local user win a race condition (CWE-362) to gain elevated privileges. The flaw stems from improper synchronization around a shared resource, and successful exploitation yields full compromise of confidentiality, integrity, and availability on the host. No public exploit identified at time of analysis, and EPSS is negligible (0.07%); CISA SSVC marks exploitation as none but technical impact as total.

Dell Race Condition Information Disclosure Display And Peripheral Manager
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-50017 MEDIUM PATCH GHSA This Month

Credential leakage in pnpm package manager versions prior to 10.34.0 and 11.4.0 exposes a developer's unscoped npm authentication token to attacker-controlled registries. When a project-level .npmrc overrides the registry URL without supplying its own auth token, pnpm incorrectly inherits and forwards the user's globally-configured unscoped _authToken to that foreign registry as an Authorization header. No public exploit has been identified at time of analysis, though the real-world impact is severe - a captured npm token can enable supply chain attacks via malicious package publishing.

Node.js Information Disclosure Pnpm
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-54448 MEDIUM POC PATCH GHSA This Month

Decompression bomb (zip bomb) in Trivy's Helm chart scanner causes denial of service via OOM kill when processing a crafted .tgz archive. Affected versions prior to 0.71.0 use io.ReadAll without any size cap on tar entries inside Helm chart archives, allowing a small compressed file to expand to gigabytes in memory. An attacker who can place a malicious archive in any path that Trivy is directed to scan can reliably crash the Trivy process. No public exploit or CISA KEV listing at time of analysis.

Denial Of Service Trivy Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-49319 MEDIUM This Month

Rolling-code authentication in the Alps Alpine RKES (FCC ID CWTR53R0, 433 MHz) can be bypassed by an attacker within RF range who captures two consecutive key fob transmissions and replays them in sequence to lock or unlock the target vehicle. Replaying the first captured signal causes the receiver to enter a vulnerable state, after which replaying the second signal completes a successful unauthorized lock or unlock operation. No active exploitation confirmed per CISA KEV and no public exploit code identified, though the attack is technically accessible to anyone with commodity software-defined radio hardware given CVSS AV:A/AC:L/PR:N.

Information Disclosure Remote Keyless Entry System Rkes R53R0
NVD
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-53196 MEDIUM PATCH This Month

Heap buffer overflow in the Linux kernel's io_ti USB serial driver (get_manuf_info()) lets a malicious USB device overflow a 10-byte kmalloc buffer by up to ~16 KB when attached to a host using this driver. The driver trusts the EEPROM-supplied descriptor Size field (validated only against TI_MAX_I2C_SIZE, not the destination buffer), enabling kernel memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS is low (0.20%, 10th percentile) and the issue is not in CISA KEV.

Memory Corruption Linux Buffer Overflow
NVD VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-57454 MEDIUM PATCH This Month

Out-of-bounds heap read in Vim 9.2.0320-9.2.0678 allows a crafted undo or swap file to disclose adjacent heap memory or crash the editor when a victim opens it. The flaw resides in the text property (textprop) subsystem: a maliciously encoded virtual-text property with an oversized tp_text_offset is converted directly to a heap pointer without bounds validation in both the undo-restoration path (um_goto_line) and the display path (get_text_props). The CVSS 4.0 score of 6.8 (Medium) reflects local-only exploitation requiring active user interaction; no public exploit is confirmed at time of analysis, though the fix commit includes detailed test scaffolding constituting a near-complete attack blueprint.

Buffer Overflow Information Disclosure Vim Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-13282 MEDIUM PATCH This Month

Use-after-free memory corruption in Google Chrome's Payments component on Android (prior to 149.0.7827.201) enables a local attacker with physical access to the device to trigger heap corruption, yielding high impact across confidentiality, integrity, and availability. The physical-access requirement (CVSS AV:P) substantially constrains the exploitable population to scenarios such as unattended or stolen devices. No public exploit identified at time of analysis, and no CISA KEV listing exists, indicating this has not been observed in active exploitation campaigns.

Memory Corruption Denial Of Service Use After Free Google Suse +1
NVD VulDB
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-55411 MEDIUM PATCH This Month

Cross-tenant credential decryption in ToolJet prior to 3.20.1780-lts allows any authenticated user to retrieve plaintext data-source secrets belonging to any other organization on the same instance. The POST /api/data-sources/decrypt endpoint omits the ValidateDataSourceGuard present on all neighboring routes and performs no organization-scoped lookup, meaning a valid session from any tenant is sufficient to exfiltrate database passwords, API keys, and other stored secrets across tenant boundaries. No public exploit has been identified at time of analysis, but the attack is mechanically trivial for any user with a valid account and knowledge of a target credential_id.

Authentication Bypass Tooljet
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-56129 MEDIUM This Month

Physical memory exposure in the Generic IO & Memory Access Driver for Toshiba and Dynabook PCs allows any locally logged-in user - without administrative privileges - to access physical memory by invoking an insufficiently access-controlled IOCTL interface. Physical memory access of this kind typically enables both reading sensitive in-memory data (credentials, encryption keys, kernel structures) and writing to arbitrary memory addresses, making the effective impact broader than the vendor CVSS C:N rating suggests. No public exploit or CISA KEV listing has been identified at time of analysis; this was disclosed via JPCERT/JVN and a Sharp/Dynabook security advisory.

Information Disclosure Generic Io Memory Access Driver
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-4522 MEDIUM PATCH This Month

Credential interception in HYPR Passwordless on Windows (all versions before 11.1.1) is possible due to a missing authentication check on a critical internal function (CWE-306), allowing a low-privileged local attacker to capture authentication material during an active user session. The CVSS 4.0 vector's SC:H metric confirms the intercepted credentials are usable against downstream systems that HYPR protects, elevating the downstream blast radius beyond the compromised endpoint. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Microsoft Passwordless
NVD
CVSS 4.0
6.7
EPSS
0.1%
CVE-2026-9153 MEDIUM PATCH This Month

Arbitrary file read in Rapid7's InsightConnect Sed Plugin on Linux exposes sensitive host filesystem contents to authenticated attackers through an unsanitized expression parameter. All versions are affected per the CPE wildcard, and exploitation requires only a low-privilege authenticated InsightConnect session over the network with no user interaction. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CWE-22 path traversal class is well-understood and mechanically straightforward to exploit once authentication is obtained.

Path Traversal Insightconnect Sed Plugin
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-48944 MEDIUM This Month

Path traversal in the K2 extension for Joomla (versions 1.0-2.26) allows authenticated Authors to copy arbitrary web-readable files - including Joomla's database credential file `configuration.php` and OS files such as `/etc/passwd` - into a publicly accessible directory for retrieval. The article-save handler's `attachment[N][existing]` POST parameter is concatenated with `JPATH_SITE/` and passed directly to `JFile::copy()` without stripping `../` sequences or enforcing a source-path allow-list, making traversal trivial. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the confidentiality impact is severe on multi-author Joomla sites where Author accounts may be widely distributed.

Path Traversal PHP K2 Extension For Joomla
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-9154 MEDIUM PATCH This Month

Arbitrary file write in the Rapid7 InsightConnect Sed Plugin on Linux lets an authenticated attacker supply a crafted expression parameter to write attacker-controlled content to any filesystem path the plugin process can reach. The flaw (CWE-22 path traversal) carries a CVSS 7.1 with high integrity impact and there is no public exploit identified at time of analysis, but it is dangerous because arbitrary writes can be leveraged toward code execution or configuration tampering within the SOAR plugin runtime.

Path Traversal Insightconnect Sed Plugin
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-9705 MEDIUM PATCH This Month

Keycloak's client registration service fails to invalidate Registration Access Tokens (RATs) when an administrator explicitly disables a client, allowing any holder of a previously issued RAT to re-enable that client and reset its secret. Affected product is Red Hat Build of Keycloak (all versions per available CPE data). An attacker who retains or obtains a valid RAT for a disabled client can restore its operational status, reset OAuth2/OIDC credentials, and resume unauthorized API access - directly undermining an administrator's intentional revocation action. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Red Hat Build Of Keycloak
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-54037 MEDIUM PATCH This Month

Rate limiter bypass in LibreChat prior to 0.8.4-rc1 allows any authenticated user to exhaust server resources via the POST /api/convos/duplicate endpoint, which performs identical expensive database operations as /api/convos/fork but was inadvertently omitted from the CVE-2025-7105 remediation scope. Operators who applied the prior fix may believe resource exhaustion was fully mitigated - they remain exposed through this overlooked parallel endpoint. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low exploitation complexity and bypass nature make this operationally significant for multi-tenant or publicly accessible LibreChat deployments.

Denial Of Service Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-54024 MEDIUM PATCH This Month

Unrestricted file upload to the POST /api/convos/import endpoint in LibreChat prior to 0.8.4-rc1 allows any authenticated user to exhaust server disk space and memory, causing a denial of service. The root cause is an incomplete remediation of CVE-2024-11171: while file size limits were added to the shared multer factory, the import endpoint's independent multer instance was never updated, and the application-level fallback guard (CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES) is commented out in .env.example by default. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation complexity for any authenticated user makes this a meaningful operational risk for public-facing or open-registration deployments.

Denial Of Service File Upload Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-56013 MEDIUM This Month

Unauthenticated IDOR in License Manager for WooCommerce (versions <= 3.0.15) allows remote, unauthenticated attackers to reference and manipulate arbitrary license records by supplying or iterating object identifiers in plugin requests, yielding integrity and availability impacts on license data. The CVSS vector (PR:N, AV:N, AC:L) confirms no authentication or special conditions are needed, making the attack trivially repeatable against any reachable WooCommerce store running the affected plugin. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress License Manager For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-12079 MEDIUM This Month

Time-based blind SQL injection in the Dokan Pro WordPress plugin allows network-accessible authenticated attackers with Subscriber-level privileges to extract sensitive data from the underlying WordPress database. The flaw resides in the 'orderby' parameter, which is insufficiently escaped and passed into unparameterized SQL queries across all plugin versions through 5.0.4. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar - any registered subscriber - substantially widens the realistic attacker pool on marketplace and multi-vendor WordPress sites.

WordPress SQLi Dokan Pro
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54033 MEDIUM PATCH This Month

Server-side request forgery in LibreChat before 0.8.4-rc1 lets any authenticated user point a custom OpenAI-compatible endpoint baseURL at internal network addresses, because the URL is used to build HTTP requests with no SSRF validation whatsoever - no private-IP blocking, no scheme restriction, and no DNS pinning. By abusing the legitimate custom-endpoint feature, a logged-in user can coerce the server into reaching internal-only services and returning their responses, with a CVSS 3.1 score of 7.7 driven by a changed scope and high confidentiality impact. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the trivial low-complexity nature makes it readily exploitable once an account exists.

SSRF Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54027 MEDIUM PATCH This Month

LibreChat's POST /api/files/images endpoint lacks the authorization check that was correctly applied to the POST /api/files route in a prior patch, allowing any authenticated user to upload files into arbitrary agents' tool_resources (including context and execute_code environments) without ownership or EDIT permission verification. All LibreChat deployments prior to 0.8.4-rc1 are affected across any multi-user configuration. No active exploitation has been confirmed (not in CISA KEV), but the bypass is trivially exercisable by any valid session holder who knows a target agent ID.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48943 MEDIUM This Month

Mass-assignment in the K2 Extension for Joomla (versions up to 2.24 per CVE description, up to 2.26 per EUVD-2026-39438) allows any registered Joomla user to overwrite hidden database columns - notes, image, and plugins - in their own #__k2_users row by injecting the K2UserForm=1 parameter into a standard com_users profile.save POST request. The attack is automatable per SSVC assessment, but impact is constrained to the attacker's own user record, with no current active exploitation identified. The plugins column exposure warrants particular scrutiny, as it may influence per-user K2 component behavior in ways beyond simple data tampering.

Information Disclosure K2 Extension For Joomla
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48941 MEDIUM This Month

Unauthorized folder deletion in the K2 Extension for Joomla (versions 1.0 through 2.26) exposes a public-facing `item.checkin` task that accepts an unauthenticated `sigProFolder` query parameter and passes it directly to `JFolder::delete()` under `/media/k2/galleries/`, with no authorization check whatsoever (CWE-862). Any unauthenticated remote attacker can trigger deletion of gallery directories simply by crafting an HTTP request - no session, token, or credentials required. No public exploit code has been identified at time of analysis, though SSVC rates this as automatable with partial technical impact, meaning scripted bulk targeting of affected Joomla installations is straightforward.

Authentication Bypass K2 Extension For Joomla
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54029 MEDIUM PATCH This Month

Broken object-level authorization in LibreChat's message deletion endpoint allows any authenticated user to permanently delete messages belonging to other users. Affected are all LibreChat deployments prior to 0.8.4-rc1. By supplying their own valid conversationId for middleware validation while targeting a victim's messageId in the underlying MongoDB query, an attacker bypasses the per-user authorization check and irreversibly removes arbitrary messages. No public exploit or CISA KEV listing exists at time of analysis, but the flaw is straightforward to exploit once a valid messageId is obtained.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-56050 MEDIUM This Month

Improper access control in PPOM for WooCommerce (all versions through 33.0.18) enables unauthenticated remote attackers to bypass access controls and perform unauthorized operations affecting the integrity and availability of affected WooCommerce stores. Classified under CWE-284 and confirmed as an authentication bypass by Patchstack, the flaw exposes plugin-managed product option data to manipulation or disruption without requiring any credentials. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV.

Authentication Bypass WordPress Ppom For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57429 MEDIUM This Month

Broken access control in the Slim SEO WordPress plugin through version 4.6.2 allows authenticated users holding the Contributor role to bypass authorization checks and access restricted data, yielding a high confidentiality impact per CVSS C:H. The flaw is rooted in CWE-862 (Missing Authorization), meaning the plugin fails to verify whether the requesting user holds sufficient privileges before executing certain privileged actions. No public exploit code and no CISA KEV listing exist at time of analysis; however, low attack complexity and no required user interaction make this straightforward to exploit by any valid contributor-level account holder.

Authentication Bypass Slim Seo
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57619 MEDIUM This Month

Sensitive data exposure in Elementor Website Builder for WordPress (versions <= 4.1.3) allows contributor-level authenticated users to access protected information due to missing authorization checks (CWE-862). The vulnerability stems from insufficient capability verification before exposing sensitive data to lower-privileged roles, enabling a contributor to retrieve data they should not have access to. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and high confidentiality impact make this a meaningful risk on any site with untrusted contributor accounts.

Authentication Bypass Information Disclosure Elementor Website Builder
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-2508 MEDIUM This Month

Time-based blind SQL injection in the Gravity Forms Booking plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to exfiltrate sensitive data from the underlying WordPress database via the 'staff_id' parameter. All plugin versions through 2.7.1 are affected due to insufficient input escaping and inadequate SQL query preparation on a user-controlled parameter. No public exploit code or active exploitation has been identified at time of analysis, though the low authentication barrier (subscriber-level) meaningfully broadens attacker opportunity on sites with open registration.

WordPress SQLi Gravity Bookings
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54226 MEDIUM This Month

Remote denial-of-service in Apache Kvrocks via an integer overflow in the RESTORE command's IntSet deserialization path. An attacker who can send commands to a Kvrocks instance can supply a crafted RDB-serialized IntSet payload to the RESTORE command, triggering an integer overflow that crashes the server process. This vulnerability was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two other Kvrocks CVEs (CVE-2026-46751, CVE-2026-46752), suggesting a coordinated security audit of the project; no public exploit code or CISA KEV listing has been identified at time of analysis.

Buffer Overflow Apache Integer Overflow
NVD VulDB
CVSS 4.0
6.4
EPSS
0.3%
Prev Page 6 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy