Skip to main content
CVE-2026-56787 MEDIUM POC This Month

Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attackers to trigger a global buffer overflow by sending crafted RTCM3 SSR correction messages with attacker-controlled signal mode fields over NTRIP or serial connections. All RTKLIB versions through 2.4.3 are affected, with the primary impact being denial of service or crash of GNSS rovers and CORS server deployments. A publicly available exploit exists per VulnCheck intelligence, though this vulnerability is not confirmed in CISA KEV at time of analysis.

Denial Of Service Buffer Overflow Rtklib
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-55699 MEDIUM POC PATCH GHSA This Month

Path traversal in pnpm's global package management flows allows deletion of the global bin directory or its parent when a malicious package with specially crafted bin keys is installed. Packages carrying ".", "..", or "" as bin object keys in their manifest bypass pnpm's bin-name guard; subsequent global remove, update, or add-replacement operations re-derive those names and pass them through path.join(globalBinDir, binName) into removeBin, resolving to the bin directory itself or its parent. No public exploit has been identified at time of analysis, but fixed versions 10.34.2 and 11.5.3 are available and should be applied immediately given the supply-chain delivery mechanism.

Path Traversal Pnpm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-55180 MEDIUM POC PATCH GHSA This Month

{ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml files into registry request URLs and credentials. When a developer clones and runs pnpm install in a crafted repository, the package manager resolves dependency requests against attacker-controlled registry endpoints, transmitting whatever environment variables (tokens, API keys, credentials) the victim has set in their shell. Critically, this exfiltration occurs during dependency resolution - before lifecycle scripts execute - meaning mitigations like --ignore-scripts do not prevent the data leak. No public exploit or CISA KEV listing is identified at time of analysis.

Information Disclosure Pnpm
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-10824 MEDIUM POC PATCH This Month

Unauthenticated access to Masteriyo LMS WordPress plugin's course-progress REST API controller exposes all users' learning records to read and permanent deletion. All plugin versions before 2.2.1 are affected due to a missing authorization check on the REST endpoint, meaning any unauthenticated HTTP client can target arbitrary user IDs. A publicly available proof-of-concept exists per WPScan; however, EPSS sits at just 0.14% (3rd percentile), suggesting opportunistic exploitation has not yet materialized at scale despite the low barrier to entry.

WordPress Information Disclosure Masteriyo Lms
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-56769 MEDIUM POC PATCH This Month

Server-side request forgery in Huly Platform's /import endpoint allows authenticated workspace users to coerce the front pod into making arbitrary HTTP requests to internal infrastructure. Any valid workspace account can supply attacker-controlled URLs; the server fetches them, leaking internal service responses - including cloud metadata credentials - back to the attacker. A publicly available exploit exists per the GitHub issue tracker, though active exploitation has not been confirmed by CISA KEV. The CVSS 4.0 vector assigns SC:H, flagging high confidentiality impact on subsequent (internal) systems as the primary risk.

SSRF Platform
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2025-60465 MEDIUM POC This Month

Use-after-free in MP4Box's filter pipeline core (gf_filter_pid_inst_swap in filter_pid.c) allows local attackers to crash the application - and potentially achieve memory corruption beyond DoS - by supplying a crafted media file. Publicly available exploit code exists for this vulnerability, hosted on GitHub in a dedicated proof-of-concept repository. The EPSS score is low (0.17%, 6th percentile) with no CISA KEV listing, suggesting the public POC is research-grade rather than part of active exploitation campaigns, but the barrier to triggering a crash is low for any attacker with file delivery capability.

Memory Corruption Denial Of Service Use After Free N A
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-48529 MEDIUM POC PATCH GHSA This Month

Lockdown mode in GitHub MCP Server HTTP deployments (versions 0.22.0-1.1.1) fails to isolate per-user GraphQL credentials due to a process-global singleton that retains the first authenticated user's client for the lifetime of the process. All subsequent users' IsSafeContent checks-the security gate that decides whether content from external contributors is sanitized before reaching the AI model-are evaluated under the first user's GitHub token and identity, producing wrong access control decisions for every user except the first. A publicly available proof-of-concept confirms the singleton pointer collision; no active exploitation (CISA KEV) has been confirmed at time of analysis.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.0
EPSS
0.2%
CVE-2025-60473 MEDIUM POC This Month

NULL pointer dereference in GPAC MP4Box's filter pipeline traversal function crashes the application when processing a specially crafted media file. Affected versions prior to 26.02.0 fail to validate the `pidi->pid` pointer before dereferencing it inside `gf_filter_in_parent_chain` (filter_pid.c:2176), enabling a local attacker to cause a Denial of Service by supplying a malicious input file. No public exploit identification as KEV, but a publicly available proof-of-concept exists on GitHub; EPSS of 0.17% (6th percentile) reflects low observed exploitation probability consistent with the local-only, user-interaction-required attack vector.

Denial Of Service Null Pointer Dereference Gpac
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-56774 MEDIUM POC PATCH This Month

Authenticated session hijacking via IDOR in Kanboard through 1.2.52 allows any low-privilege user to mass-invalidate the persistent 'Remember Me' sessions of arbitrary users, including administrators, by enumerating sequential integer session IDs against the unguarded `removeSession` endpoint. The root-cause fix - scoping `RememberMeSessionModel::remove()` to the requesting user's own `user_id` - is confirmed in commit 928c68a via PR #5831. A publicly available proof-of-concept exists on GitHub (issue #5829); this vulnerability is not currently listed in the CISA KEV catalog, though the trivially low exploitation barrier warrants prompt patching.

Authentication Bypass Denial Of Service Kanboard
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-57521 MEDIUM POC PATCH This Month

Broken access control in Bitwarden Server before 2026.5.0 exposes organization billing data to any authenticated user via an IDOR vulnerability in the PreviewInvoiceController endpoints. The missing ManageOrganizationBillingRequirement authorization check permits a valid session holder to supply an arbitrary organizationId and retrieve Stripe-derived billing details - including tax totals, subscription status, and customer data - for organizations they do not belong to. A public proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at the time of analysis.

Authentication Bypass Server
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56779 MEDIUM POC PATCH This Month

Server-side request forgery in MaxKB before 2.10.0 allows any authenticated user holding the default workspace USER role to coerce the application server into making arbitrary HTTP requests to attacker-controlled destinations via the `downloadCallbackUrl` and `download_url` parameters on ToolSerializer endpoints. An attacker can pivot through the MaxKB host to probe and extract data from internal network services - cloud metadata APIs, internal databases, adjacent microservices - that would otherwise be inaccessible from outside the network perimeter. A public proof-of-concept exists at GitHub issue #6272; this is not confirmed actively exploited (not in CISA KEV).

SSRF Maxkb
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-60466 MEDIUM POC This Month

Use-after-free in MP4Box's filter pipeline (gf_filter_pid_get_packet, filter_core/filter_pid.c) crashes the application when processing a crafted media file, resulting in Denial of Service. Affected versions are all GPAC/MP4Box releases prior to 26.02.0. A publicly available proof-of-concept exploit exists, though exploitation requires local access and user interaction - the CVSS vector (AV:L/UI:R) and low EPSS score of 0.17% indicate limited real-world automated exploitation risk. No confirmed active exploitation (CISA KEV not listed).

Memory Corruption Denial Of Service Use After Free Gpac
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-44622 MEDIUM CISA This Month

Evoke CSMS exposes charging station authentication identifiers through public web-based mapping platforms, allowing unauthenticated network actors to harvest credentials with no special access or interaction. Classified under CWE-522 (Insufficiently Protected Credentials) and reported by ICS-CERT via advisory ICSA-26-176-02, this flaw affects all tracked versions of the Evoke Charging Station Management System across its entire version history per the wildcard CPE. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the zero-prerequisite exposure in an OT/energy infrastructure context represents a meaningful credential leakage risk for affected operators.

Information Disclosure Evoke Csms
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-54479 MEDIUM CISA This Month

Authentication bypass and denial-of-service in Evoke Systems' Evoke CSMS electric-vehicle charging station management system stems from predictable WebSocket session identifiers derived from charging station IDs, with no enforcement against duplicate session reuse. Remote unauthenticated attackers can guess or reuse a session identifier to impersonate another charging station/user, or flood the backend with valid session requests to exhaust resources. Reported to CISA by ICS-CERT (advisory ICSA-26-176-02); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Evoke Csms
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-9718 MEDIUM CISA This Month

Denial-of-service in Schneider Electric PowerLogic P7 power monitoring devices allows an authenticated attacker to crash a network-exposed service by sending a specially crafted request that triggers a reachable assertion (CWE-617), fully disrupting availability. The CVSS 4.0 score of 6.9 reflects the high-privilege prerequisite (PR:H) that constrains exploitation to actors with administrative credentials, while the availability impact is rated high (VA:H) with no confidentiality or integrity consequences. No public exploit code and no active exploitation via CISA KEV have been identified at time of analysis.

Denial Of Service Powerlogic P7
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-48995 MEDIUM POC PATCH GHSA This Month

Missing integrity verification in pnpm's GitHub codeload dependency resolution (versions prior to 10.33.4 and 11.0.7) enables a compromised or man-in-the-middle `codeload.github.com` server to deliver arbitrary malicious tarballs that pnpm installs without hash validation. Any developer project that sources dependencies from GitHub via pnpm is exposed when running `pnpm install` on affected versions, with potential for arbitrary code execution during the install lifecycle. No public exploit code exists and there is no CISA KEV listing, but the theoretical impact includes full developer workstation compromise and downstream supply chain contamination.

Information Disclosure Pnpm
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-56788 MEDIUM POC This Month

Out-of-bounds read in RTKLIB through 2.4.3 exposes users to denial of service and potential memory disclosure when processing maliciously crafted RINEX observation files. The getcodepri function fails to validate unrecognized observation codes, performing negative array indexing into the codepris table - producing reliable crashes and leaking adjacent global data segments. A publicly available proof-of-concept exists via the upstream GitHub issue tracker; this CVE is not listed in the CISA KEV catalog, and no EPSS data was provided in available intelligence.

Denial Of Service Buffer Overflow Information Disclosure Rtklib
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-9651 MEDIUM CISA This Month

Incorrect file permission assignment on Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP Remote Terminal Units exposes password hashes stored in system files to unauthorized reading by privileged local users. An attacker who has already obtained privileged local access to the RTU can read these improperly protected files, extract credential hashes, and perform offline cracking to achieve account compromise. No public exploit code exists at time of analysis, and the vulnerability has not been listed in CISA KEV, but the high confidentiality impact on credential material in OT/ICS environments warrants attention.

Authentication Bypass Easylogic T150 Formerly Saitel Dr Remote Terminal Unit Controller Saitel Dp Remote Terminal Unit Controller
NVD
CVSS 4.0
6.7
EPSS
0.1%
CVE-2026-50017 MEDIUM PATCH GHSA This Month

Credential leakage in pnpm package manager versions prior to 10.34.0 and 11.4.0 exposes a developer's unscoped npm authentication token to attacker-controlled registries. When a project-level .npmrc overrides the registry URL without supplying its own auth token, pnpm incorrectly inherits and forwards the user's globally-configured unscoped _authToken to that foreign registry as an Authorization header. No public exploit has been identified at time of analysis, though the real-world impact is severe - a captured npm token can enable supply chain attacks via malicious package publishing.

Node.js Information Disclosure Pnpm
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-54448 MEDIUM POC PATCH GHSA This Month

Decompression bomb (zip bomb) in Trivy's Helm chart scanner causes denial of service via OOM kill when processing a crafted .tgz archive. Affected versions prior to 0.71.0 use io.ReadAll without any size cap on tar entries inside Helm chart archives, allowing a small compressed file to expand to gigabytes in memory. An attacker who can place a malicious archive in any path that Trivy is directed to scan can reliably crash the Trivy process. No public exploit or CISA KEV listing at time of analysis.

Denial Of Service Trivy Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-49319 MEDIUM This Month

Rolling-code authentication in the Alps Alpine RKES (FCC ID CWTR53R0, 433 MHz) can be bypassed by an attacker within RF range who captures two consecutive key fob transmissions and replays them in sequence to lock or unlock the target vehicle. Replaying the first captured signal causes the receiver to enter a vulnerable state, after which replaying the second signal completes a successful unauthorized lock or unlock operation. No active exploitation confirmed per CISA KEV and no public exploit code identified, though the attack is technically accessible to anyone with commodity software-defined radio hardware given CVSS AV:A/AC:L/PR:N.

Information Disclosure Remote Keyless Entry System Rkes R53R0
NVD
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-53196 MEDIUM PATCH This Month

Heap buffer overflow in the Linux kernel's io_ti USB serial driver (get_manuf_info()) lets a malicious USB device overflow a 10-byte kmalloc buffer by up to ~16 KB when attached to a host using this driver. The driver trusts the EEPROM-supplied descriptor Size field (validated only against TI_MAX_I2C_SIZE, not the destination buffer), enabling kernel memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS is low (0.20%, 10th percentile) and the issue is not in CISA KEV.

Memory Corruption Linux Buffer Overflow
NVD VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-57454 MEDIUM PATCH This Month

Out-of-bounds heap read in Vim 9.2.0320-9.2.0678 allows a crafted undo or swap file to disclose adjacent heap memory or crash the editor when a victim opens it. The flaw resides in the text property (textprop) subsystem: a maliciously encoded virtual-text property with an oversized tp_text_offset is converted directly to a heap pointer without bounds validation in both the undo-restoration path (um_goto_line) and the display path (get_text_props). The CVSS 4.0 score of 6.8 (Medium) reflects local-only exploitation requiring active user interaction; no public exploit is confirmed at time of analysis, though the fix commit includes detailed test scaffolding constituting a near-complete attack blueprint.

Buffer Overflow Information Disclosure Vim Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-13282 MEDIUM PATCH This Month

Use-after-free memory corruption in Google Chrome's Payments component on Android (prior to 149.0.7827.201) enables a local attacker with physical access to the device to trigger heap corruption, yielding high impact across confidentiality, integrity, and availability. The physical-access requirement (CVSS AV:P) substantially constrains the exploitable population to scenarios such as unattended or stolen devices. No public exploit identified at time of analysis, and no CISA KEV listing exists, indicating this has not been observed in active exploitation campaigns.

Memory Corruption Denial Of Service Use After Free Google Suse +1
NVD VulDB
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-55411 MEDIUM PATCH This Month

Cross-tenant credential decryption in ToolJet prior to 3.20.1780-lts allows any authenticated user to retrieve plaintext data-source secrets belonging to any other organization on the same instance. The POST /api/data-sources/decrypt endpoint omits the ValidateDataSourceGuard present on all neighboring routes and performs no organization-scoped lookup, meaning a valid session from any tenant is sufficient to exfiltrate database passwords, API keys, and other stored secrets across tenant boundaries. No public exploit has been identified at time of analysis, but the attack is mechanically trivial for any user with a valid account and knowledge of a target credential_id.

Authentication Bypass Tooljet
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-56129 MEDIUM This Month

Physical memory exposure in the Generic IO & Memory Access Driver for Toshiba and Dynabook PCs allows any locally logged-in user - without administrative privileges - to access physical memory by invoking an insufficiently access-controlled IOCTL interface. Physical memory access of this kind typically enables both reading sensitive in-memory data (credentials, encryption keys, kernel structures) and writing to arbitrary memory addresses, making the effective impact broader than the vendor CVSS C:N rating suggests. No public exploit or CISA KEV listing has been identified at time of analysis; this was disclosed via JPCERT/JVN and a Sharp/Dynabook security advisory.

Information Disclosure Generic Io Memory Access Driver
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-4522 MEDIUM PATCH This Month

Credential interception in HYPR Passwordless on Windows (all versions before 11.1.1) is possible due to a missing authentication check on a critical internal function (CWE-306), allowing a low-privileged local attacker to capture authentication material during an active user session. The CVSS 4.0 vector's SC:H metric confirms the intercepted credentials are usable against downstream systems that HYPR protects, elevating the downstream blast radius beyond the compromised endpoint. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Microsoft Passwordless
NVD
CVSS 4.0
6.7
EPSS
0.1%
CVE-2026-9153 MEDIUM PATCH This Month

Arbitrary file read in Rapid7's InsightConnect Sed Plugin on Linux exposes sensitive host filesystem contents to authenticated attackers through an unsanitized expression parameter. All versions are affected per the CPE wildcard, and exploitation requires only a low-privilege authenticated InsightConnect session over the network with no user interaction. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CWE-22 path traversal class is well-understood and mechanically straightforward to exploit once authentication is obtained.

Path Traversal Insightconnect Sed Plugin
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-48944 MEDIUM This Month

Path traversal in the K2 extension for Joomla (versions 1.0-2.26) allows authenticated Authors to copy arbitrary web-readable files - including Joomla's database credential file `configuration.php` and OS files such as `/etc/passwd` - into a publicly accessible directory for retrieval. The article-save handler's `attachment[N][existing]` POST parameter is concatenated with `JPATH_SITE/` and passed directly to `JFile::copy()` without stripping `../` sequences or enforcing a source-path allow-list, making traversal trivial. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the confidentiality impact is severe on multi-author Joomla sites where Author accounts may be widely distributed.

Path Traversal PHP K2 Extension For Joomla
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-9154 MEDIUM PATCH This Month

Arbitrary file write in the Rapid7 InsightConnect Sed Plugin on Linux lets an authenticated attacker supply a crafted expression parameter to write attacker-controlled content to any filesystem path the plugin process can reach. The flaw (CWE-22 path traversal) carries a CVSS 7.1 with high integrity impact and there is no public exploit identified at time of analysis, but it is dangerous because arbitrary writes can be leveraged toward code execution or configuration tampering within the SOAR plugin runtime.

Path Traversal Insightconnect Sed Plugin
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-9705 MEDIUM PATCH This Month

Keycloak's client registration service fails to invalidate Registration Access Tokens (RATs) when an administrator explicitly disables a client, allowing any holder of a previously issued RAT to re-enable that client and reset its secret. Affected product is Red Hat Build of Keycloak (all versions per available CPE data). An attacker who retains or obtains a valid RAT for a disabled client can restore its operational status, reset OAuth2/OIDC credentials, and resume unauthorized API access - directly undermining an administrator's intentional revocation action. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Red Hat Build Of Keycloak
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-54037 MEDIUM PATCH This Month

Rate limiter bypass in LibreChat prior to 0.8.4-rc1 allows any authenticated user to exhaust server resources via the POST /api/convos/duplicate endpoint, which performs identical expensive database operations as /api/convos/fork but was inadvertently omitted from the CVE-2025-7105 remediation scope. Operators who applied the prior fix may believe resource exhaustion was fully mitigated - they remain exposed through this overlooked parallel endpoint. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low exploitation complexity and bypass nature make this operationally significant for multi-tenant or publicly accessible LibreChat deployments.

Denial Of Service Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-54024 MEDIUM PATCH This Month

Unrestricted file upload to the POST /api/convos/import endpoint in LibreChat prior to 0.8.4-rc1 allows any authenticated user to exhaust server disk space and memory, causing a denial of service. The root cause is an incomplete remediation of CVE-2024-11171: while file size limits were added to the shared multer factory, the import endpoint's independent multer instance was never updated, and the application-level fallback guard (CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES) is commented out in .env.example by default. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation complexity for any authenticated user makes this a meaningful operational risk for public-facing or open-registration deployments.

Denial Of Service File Upload Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-56013 MEDIUM This Month

Unauthenticated IDOR in License Manager for WooCommerce (versions <= 3.0.15) allows remote, unauthenticated attackers to reference and manipulate arbitrary license records by supplying or iterating object identifiers in plugin requests, yielding integrity and availability impacts on license data. The CVSS vector (PR:N, AV:N, AC:L) confirms no authentication or special conditions are needed, making the attack trivially repeatable against any reachable WooCommerce store running the affected plugin. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress License Manager For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-12079 MEDIUM This Month

Time-based blind SQL injection in the Dokan Pro WordPress plugin allows network-accessible authenticated attackers with Subscriber-level privileges to extract sensitive data from the underlying WordPress database. The flaw resides in the 'orderby' parameter, which is insufficiently escaped and passed into unparameterized SQL queries across all plugin versions through 5.0.4. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar - any registered subscriber - substantially widens the realistic attacker pool on marketplace and multi-vendor WordPress sites.

WordPress SQLi Dokan Pro
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54033 MEDIUM PATCH This Month

Server-side request forgery in LibreChat before 0.8.4-rc1 lets any authenticated user point a custom OpenAI-compatible endpoint baseURL at internal network addresses, because the URL is used to build HTTP requests with no SSRF validation whatsoever - no private-IP blocking, no scheme restriction, and no DNS pinning. By abusing the legitimate custom-endpoint feature, a logged-in user can coerce the server into reaching internal-only services and returning their responses, with a CVSS 3.1 score of 7.7 driven by a changed scope and high confidentiality impact. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the trivial low-complexity nature makes it readily exploitable once an account exists.

SSRF Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54027 MEDIUM PATCH This Month

LibreChat's POST /api/files/images endpoint lacks the authorization check that was correctly applied to the POST /api/files route in a prior patch, allowing any authenticated user to upload files into arbitrary agents' tool_resources (including context and execute_code environments) without ownership or EDIT permission verification. All LibreChat deployments prior to 0.8.4-rc1 are affected across any multi-user configuration. No active exploitation has been confirmed (not in CISA KEV), but the bypass is trivially exercisable by any valid session holder who knows a target agent ID.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48943 MEDIUM This Month

Mass-assignment in the K2 Extension for Joomla (versions up to 2.24 per CVE description, up to 2.26 per EUVD-2026-39438) allows any registered Joomla user to overwrite hidden database columns - notes, image, and plugins - in their own #__k2_users row by injecting the K2UserForm=1 parameter into a standard com_users profile.save POST request. The attack is automatable per SSVC assessment, but impact is constrained to the attacker's own user record, with no current active exploitation identified. The plugins column exposure warrants particular scrutiny, as it may influence per-user K2 component behavior in ways beyond simple data tampering.

Information Disclosure K2 Extension For Joomla
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48941 MEDIUM This Month

Unauthorized folder deletion in the K2 Extension for Joomla (versions 1.0 through 2.26) exposes a public-facing `item.checkin` task that accepts an unauthenticated `sigProFolder` query parameter and passes it directly to `JFolder::delete()` under `/media/k2/galleries/`, with no authorization check whatsoever (CWE-862). Any unauthenticated remote attacker can trigger deletion of gallery directories simply by crafting an HTTP request - no session, token, or credentials required. No public exploit code has been identified at time of analysis, though SSVC rates this as automatable with partial technical impact, meaning scripted bulk targeting of affected Joomla installations is straightforward.

Authentication Bypass K2 Extension For Joomla
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54029 MEDIUM PATCH This Month

Broken object-level authorization in LibreChat's message deletion endpoint allows any authenticated user to permanently delete messages belonging to other users. Affected are all LibreChat deployments prior to 0.8.4-rc1. By supplying their own valid conversationId for middleware validation while targeting a victim's messageId in the underlying MongoDB query, an attacker bypasses the per-user authorization check and irreversibly removes arbitrary messages. No public exploit or CISA KEV listing exists at time of analysis, but the flaw is straightforward to exploit once a valid messageId is obtained.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-56050 MEDIUM This Month

Improper access control in PPOM for WooCommerce (all versions through 33.0.18) enables unauthenticated remote attackers to bypass access controls and perform unauthorized operations affecting the integrity and availability of affected WooCommerce stores. Classified under CWE-284 and confirmed as an authentication bypass by Patchstack, the flaw exposes plugin-managed product option data to manipulation or disruption without requiring any credentials. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV.

Authentication Bypass WordPress Ppom For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57429 MEDIUM This Month

Broken access control in the Slim SEO WordPress plugin through version 4.6.2 allows authenticated users holding the Contributor role to bypass authorization checks and access restricted data, yielding a high confidentiality impact per CVSS C:H. The flaw is rooted in CWE-862 (Missing Authorization), meaning the plugin fails to verify whether the requesting user holds sufficient privileges before executing certain privileged actions. No public exploit code and no CISA KEV listing exist at time of analysis; however, low attack complexity and no required user interaction make this straightforward to exploit by any valid contributor-level account holder.

Authentication Bypass Slim Seo
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57619 MEDIUM This Month

Sensitive data exposure in Elementor Website Builder for WordPress (versions <= 4.1.3) allows contributor-level authenticated users to access protected information due to missing authorization checks (CWE-862). The vulnerability stems from insufficient capability verification before exposing sensitive data to lower-privileged roles, enabling a contributor to retrieve data they should not have access to. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and high confidentiality impact make this a meaningful risk on any site with untrusted contributor accounts.

Authentication Bypass Information Disclosure Elementor Website Builder
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-2508 MEDIUM This Month

Time-based blind SQL injection in the Gravity Forms Booking plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to exfiltrate sensitive data from the underlying WordPress database via the 'staff_id' parameter. All plugin versions through 2.7.1 are affected due to insufficient input escaping and inadequate SQL query preparation on a user-controlled parameter. No public exploit code or active exploitation has been identified at time of analysis, though the low authentication barrier (subscriber-level) meaningfully broadens attacker opportunity on sites with open registration.

WordPress SQLi Gravity Bookings
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54226 MEDIUM This Month

Remote denial-of-service in Apache Kvrocks via an integer overflow in the RESTORE command's IntSet deserialization path. An attacker who can send commands to a Kvrocks instance can supply a crafted RDB-serialized IntSet payload to the RESTORE command, triggering an integer overflow that crashes the server process. This vulnerability was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two other Kvrocks CVEs (CVE-2026-46751, CVE-2026-46752), suggesting a coordinated security audit of the project; no public exploit code or CISA KEV listing has been identified at time of analysis.

Buffer Overflow Apache Integer Overflow
NVD VulDB
CVSS 4.0
6.4
EPSS
0.3%
CVE-2026-10833 MEDIUM This Month

Stored Cross-Site Scripting in Essential Blocks for WordPress (all versions through 6.1.4) allows authenticated Contributor-level users to permanently embed malicious JavaScript into pages via the `configurablePrefix` attribute of the Table of Contents block. The payload persists in the database and executes in every subsequent visitor's browser, enabling session hijacking, credential theft, or forced redirects at scale across the site's audience. No public exploit code or CISA KEV listing is present in the available intelligence, but Wordfence's disclosure paired with publicly accessible source-level Trac links substantially lowers the effort required to develop a working exploit.

WordPress XSS Gutenberg Essential Blocks Page Builder For Gutenberg Blocks Patterns
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-57235 MEDIUM PATCH This Month

Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a large negative integer index to bypass a 32-bit-truncated bounds check and trigger a read outside the node set's allocated memory. On CRuby (MRI Ruby), this typically crashes the process - denial of service - with ancillary potential for heap memory disclosure; on JRuby, the runtime's managed memory prevents memory corruption, but an incorrect node is silently returned. No public exploit or active exploitation has been identified; exploitation requires the target application to forward attacker-controlled integers directly to the `NodeSet#[]` or `#slice` API.

Buffer Overflow Information Disclosure Nokogiri Suse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-6094 MEDIUM PATCH This Month

Heap buffer overread in wolfSSL's PKCS7 EnvelopedData parser allows network-reachable attackers to trigger a low-impact availability disruption or potential memory disclosure by supplying a crafted S/MIME or CMS message. The root cause is a missing integer-overflow-safe bounds check before XMEMCPY calls in wc_PKCS7_DecodeEnvelopedData, wc_PKCS7_DecodeAuthEnvelopedData, and wc_PKCS7_DecodeEncryptedData - all three paths lacked validation that idx + encryptedContentSz does not exceed the input buffer. No public exploit code has been identified at time of analysis, and wolfSSL's own CVSS 4.0 vector classifies attack requirements as present (AT:P), meaning exploitation is not straightforwardly reliable.

Buffer Overflow Information Disclosure Wolfssl
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-12340 MEDIUM PATCH This Month

Out-of-bounds heap read in wolfSSL's SM2/SM3 certificate parser exposes applications to remote denial of service when processing malformed certificates. During Subject Key Identifier computation in SM3wSM2 certificate verification, the library unconditionally reads 65 bytes from the public key field without first validating that the key is at least that long - a crafted certificate with a sub-65-byte public key triggers a heap over-read, crashing the process. This vulnerability is scoped exclusively to wolfSSL builds compiled with SM2 support (--enable-sm2 or --enable-all), and no public exploit or CISA KEV listing exists at time of analysis.

Denial Of Service Buffer Overflow Information Disclosure Wolfssl
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56771 MEDIUM PATCH This Month

Server-side request forgery in NewsBlur's add_url endpoint allows any authenticated user to direct the server to issue arbitrary HTTP requests to private, loopback, or link-local addresses, including cloud instance metadata services. All NewsBlur deployments prior to version 14.5.0 (CPE: cpe:2.3:a:samuelclay:newsblur) are affected. An attacker with a valid account can supply a URL resolving to 169.254.169.254 or other internal addresses, enabling exfiltration of cloud provider IAM credentials and internal network reconnaissance. No public exploit identified at time of analysis, though patch commits are publicly available on GitHub and document the exact missing validation check.

SSRF Information Disclosure Newsblur
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy