Skip to main content
CVE-2026-56290 CRITICAL POC KEV THREAT NEWS Emergency

Unauthenticated arbitrary file upload in the Joomlack Page Builder CK extension for Joomla allows remote attackers to upload executable (PHP) files and achieve full remote code execution on the host. Any Joomla site running this extension is exposed to complete compromise without credentials. No public exploit identified at time of analysis, though the CVSS 4.0 threat metric (E:A) supplied by the scoring source signals observed exploitation activity, and the maximum 10.0 score plus AU:Y (automatable) indicate this is highly attractive for mass scanning.

Authentication Bypass File Upload Joomlack Fr Page Builder Ck Extension For Joomla
NVD VulDB GitHub Exploit-DB
CVSS 4.0
10.0
EPSS
0.2%
Threat
5.0
CVE-2026-57498 CRITICAL POC PATCH Act Now

Cross-team authorization bypass in Coolify (open-source self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated, low-privileged member of one team to deploy and manipulate resources belonging to other teams. While the REST API controllers correctly enforce ownership via Server::whereTeamId($teamId), several Livewire web UI components trust attacker-supplied server_id and destination_uuid URL query parameters with no team-ownership check (CWE-639). No public exploit identified at time of analysis, but the CVSS 9.6 rating and trivially manipulable parameters make this a high-priority fix for any multi-tenant Coolify deployment.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-56782 CRITICAL POC PATCH Act Now

Unauthenticated database exfiltration and overwrite in Gorse (the open-source Go recommendation engine) before 0.5.10 lets remote attackers hit the /api/dump and /api/restore endpoints whenever admin_api_key is unset - the out-of-the-box default - bypassing authentication entirely. Attackers can dump the full backing dataset (user records, items, and feedback containing PII) or restore/overwrite it with arbitrary data. No public exploit is identified at time of analysis, but the flaw is trivially reachable on any default deployment, and the vendor (VulnCheck) rates it CVSS 4.0 9.3 (critical).

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.9%
CVE-2026-34594 HIGH POC PATCH This Week

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permissions execute arbitrary commands as root on managed servers. The 'network' parameter in the Destination Network Management feature is passed unsanitized into shell commands, yielding full root-level remote code execution on the host. No public exploit identified at time of analysis; the issue is fixed in 4.0.0-beta.471.

Command Injection RCE Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2026-34597 HIGH POC PATCH This Week

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authenticated user run arbitrary commands on the deployment host. The flaw is an OS command injection in the Nixpacks build pack: the user-supplied install_command build parameter is concatenated unsanitized into a shell command executed during the build phase, allowing escape from the build context to host-level command execution. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but the path to abuse is straightforward for any user who can configure a deployment.

Command Injection RCE Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-40521 HIGH POC PATCH This Week

Remote code execution in FrontAccounting before 2.4.20 lets an authenticated user abuse the attachment upload handler to plant a PHP web shell. The handler fails to validate the unique_name parameter, so traversal sequences write attacker-controlled files outside the attachments directory and into the web root, and because file extensions are not validated, an uploaded PHP file executes as the web server user. Publicly available exploit code exists and a vendor patch is available, though the issue is not listed in CISA KEV.

Path Traversal RCE PHP Frontaccounting
NVD GitHub
CVSS 4.0
8.7
EPSS
0.6%
CVE-2026-13763 HIGH POC HOSTED Monitor

WAF managed-rule body inspection on AWS Application Load Balancer (ALB) can be bypassed by remote actors who fragment an HTTP/2 request body across multiple frames so that only a partial body is inspected before reaching the backend. The flaw (CWE-444, HTTP request smuggling) affects only ALB target groups serving HTTP/2 traffic with AWS WAF enabled, and lets attackers slip malicious payloads past WAF managed rules. No public exploit identified at time of analysis and it is not on CISA KEV; AWS scores it 7.9 (CVSS 4.0) with impact falling on the protected backend rather than the ALB itself.

Request Smuggling Authentication Bypass Aws Application Load Balancer
NVD GitHub
CVSS 4.0
7.9
EPSS
0.5%
CVE-2026-13762 HIGH POC HOSTED Monitor

WAF inspection bypass in Amazon CloudFront (with AWS WAF enabled) lets remote actors smuggle malicious request bodies past managed rule inspection by fragmenting the HTTP/2 request body across frames so only a partial body is examined. The flaw (CWE-444, request smuggling) defeats the protective security control rather than CloudFront itself, allowing attacks the WAF would normally block to reach the protected origin. AWS remediated it server-side with no customer action required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Request Smuggling Authentication Bypass Amazon Cloudfront
NVD GitHub
CVSS 4.0
7.9
EPSS
0.5%
CVE-2026-13545 HIGH POC This Week

OS command injection in the D-Link DCS-935L Wi-Fi network camera (firmware 1.10.01) lets a remote attacker inject arbitrary operating-system commands through the UID POST parameter handled by the sub_400E40 function in setconf.cgi. The CVSS 4.0 vector requires low privileges (PR:L), so an attacker needs some level of authenticated/session access, after which they gain full confidentiality, integrity, and availability impact on the device. Publicly available exploit code exists (disclosed via VulDB), though there is no public exploit identified as actively exploited in the wild.

Command Injection D-Link Dcs 935L
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
1.6%
CVE-2026-44840 HIGH POC PATCH GHSA This Week

DQL (Dgraph Query Language) injection in Dgraph's GraphQL-to-DQL query rewriter (versions <= v25.3.3) lets remote unauthenticated attackers inject arbitrary query blocks through the unauthenticated checkUserPassword GraphQL query. User-supplied password values are interpolated into a checkpwd() DQL call via fmt.Sprintf without escaping, so a double-quote breaks out of the string literal and appends attacker-controlled DQL. A working PoC exists (publicly available exploit code exists); the issue is not in CISA KEV and no active exploitation is reported, but server-side execution of injected blocks is confirmed, enabling schema/data enumeration and resource exhaustion.

Denial Of Service Nosql Injection
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-10083 HIGH POC PATCH NEWS This Week

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.

WordPress XSS Apcu Manager
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13539 HIGH POC PATCH This Week

Stack-based buffer overflow in the Wavlink WL-NU516U1-A wireless range extender (firmware M16U1_V240425) lets a remote, low-privileged attacker corrupt memory by sending an oversized Guest_ssid POST parameter to the sub_407504 function in /cgi-bin/wireless.cgi. The flaw was reported by VulDB, publicly available exploit code exists, and it carries a CVSS 4.0 base score of 7.4; there is no evidence of active exploitation in CISA KEV at this time.

Buffer Overflow Stack Overflow Wl Nu516U1 A
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-13519 HIGH POC This Week

Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets remote attackers corrupt memory via the 'page' parameter handled by the fromNatStaticSetting function at the /goform/NatStaticSetting endpoint. Publicly available exploit code exists, and the CVSS 4.0 vector (PR:L) indicates an authenticated user on the device's web interface can trigger high confidentiality, integrity and availability impact. There is no public exploit identified as actively used in the wild - exploitation is proof-of-concept only at this time.

Buffer Overflow Tenda Stack Overflow Jd12L
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-13518 HIGH POC This Week

Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets a remote attacker corrupt memory by manipulating the 'page' parameter handled by the fromAddressNat function at the /goform/addressNat endpoint, potentially achieving code execution or device crash. Publicly available exploit code exists and the issue was disclosed by VulDB, though there is no public exploit identified as actively exploited in the wild. With a CVSS 4.0 base score of 7.4 and PR:L, exploitation requires some level of authenticated access to the web management interface.

Buffer Overflow Tenda Stack Overflow Jd12L
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-13517 HIGH POC This Week

Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) allows remote attackers to corrupt memory by manipulating the security_5g argument sent to the formWifiBasicSet handler at /goform/WifiBasicSet, potentially achieving denial of service or arbitrary code execution on the device. The flaw is network-reachable but, per the CVSS 4.0 vector, requires low-level authentication (PR:L), and publicly available exploit code exists. There is no public exploit identified as actively exploited in CISA KEV, and the EPSS score was not provided.

Buffer Overflow Tenda Stack Overflow Jd12L
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-13583 HIGH POC This Week

Buffer overflow in the Edimax EW-7478APC wireless access point (firmware 1.04) lets remote attackers corrupt memory by sending an oversized ShareName or SelectName argument to the formUSBFolder handler at /goform/formUSBFolder. The flaw is reachable over the network and publicly available exploit code exists, though no active exploitation has been reported. Per the CVSS 4.0 vector it requires low-level authentication (PR:L) but yields full confidentiality, integrity, and availability impact on the device.

Buffer Overflow Ew 7478Apc
NVD VulDB
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-13582 HIGH POC This Week

Remote buffer overflow in the Edimax EW-7478APC wireless access point (firmware 1.04) lets an authenticated attacker corrupt memory through the formUSBAccount handler at /goform/formUSBAccount by supplying oversized UserName or Password values in a POST request, enabling likely code execution or device crash. The flaw is remotely reachable and publicly available exploit code exists (proof-of-concept, CVSS 4.0 base 7.4), though there is no public exploit identified as actively used in the wild. The vendor was notified but did not respond, so no fix is expected.

Buffer Overflow Ew 7478Apc
NVD VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-13580 HIGH POC This Week

Buffer overflow in the Edimax EW-7478APC wireless access point (firmware 1.04) lets remote attackers overflow a buffer by manipulating the selSSID parameter in a POST request to the /goform/formQoS endpoint, potentially crashing the device or executing code on it. The flaw is network-reachable and publicly available exploit code exists (disclosed via VulDB and a Notion writeup), but it is not listed in CISA KEV and no active exploitation has been confirmed. The vendor was notified but did not respond, and no patched firmware has been published.

Buffer Overflow Ew 7478Apc
NVD VulDB
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-40524 HIGH POC PATCH This Week

SQL injection in FrontAccounting's get_gl_transactions() function lets authenticated users holding the SA_GLANALYTIC permission read arbitrary database contents by injecting into the unparameterized filter_type parameter of a SQL IN() clause. The flaw enables boolean-based blind extraction of sensitive journal-entry and general-ledger data using reliable response-size differentials. Publicly available exploit code exists and a vendor patch shipped in 2.4.20, though there is no public exploit identified as actively exploited.

SQLi Frontaccounting
NVD GitHub
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-40523 HIGH POC PATCH This Week

SQL injection in FrontAccounting's Audit Trail report handler (reporting/rep710.php) lets authenticated users holding the SA_GLANALYTIC permission run arbitrary SQL through the PARAM_2 and PARAM_3 POST parameters in all releases prior to 2.4.20. Attackers can extract arbitrary database contents via UNION-based injection or knock the application offline by amplifying SLEEP() across JOINed result sets to exhaust database connections. Publicly available exploit code exists (VulnCheck/Jiva Security writeup), but the issue is not in CISA KEV, so it is no public exploit identified as actively exploited.

SQLi Denial Of Service Frontaccounting
NVD GitHub
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-40522 HIGH POC PATCH This Week

SQL injection in FrontAccounting before 2.4.20 allows authenticated attackers to extract arbitrary database contents by injecting UNION SELECT payloads into the PARAM_0 POST parameter of the Bank Statement report handler (rep601.php). Attackers with valid low-privilege accounts can dump usernames, password hashes, and email addresses from the users table, with results rendered into the generated PDF report. Publicly available exploit code exists and a vendor patch was released in 2.4.20; the flaw is not listed in CISA KEV and no active exploitation is confirmed.

SQLi Frontaccounting
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-7656 MEDIUM POC PATCH This Month

Forged IPv6 Neighbor Discovery acceptance in the Zephyr RTOS network stack (all releases through v4.4.0) lets an adjacent on-link attacker inject spoofed Router Advertisement, Neighbor Solicitation, and Neighbor Advertisement messages because an operator-precedence bug in subsys/net/ip/ipv6_nbr.c silently skips every RFC 4861 sanity check whenever the (always-present) ICMPv6 code is 0. Because the bypassed checks include the Hop-Limit==255 on-link proof, even off-link/remote attackers may have forged ND packets accepted, enabling default-router/DNS/SLAAC hijacking and neighbor-cache poisoning for man-in-the-middle, redirection, and denial of service. A vendor patch exists (commit 095f064c) but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Denial Of Service Zephyr
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-50229 MEDIUM POC PATCH This Month

Reflected XSS in Apache Tomcat's bundled 'number guess' example application exposes users of that demo page to script injection across all major Tomcat release lines from 7.0 through 11.0. The flaw resides in a sample JSP/servlet, not the core Tomcat runtime, meaning exploitation depends entirely on the example application being deployed and accessible - a configuration that violates standard production hardening guidance. No public exploit code or active exploitation has been identified at time of analysis; no CVSS vector was assigned by the reporter.

XSS Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-57331 CRITICAL Act Now

Arbitrary file deletion in the VideoWhisper Paid Videochat Turnkey Site WordPress plugin (versions <= 7.4.8) lets an authenticated low-privilege 'Performer' account delete files outside the intended directory via path traversal. Because deleting critical WordPress files such as wp-config.php can force the site into setup mode and enable full takeover, the impact crosses a security boundary (scope change) and is rated CVSS 9.9. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Paid Videochat Turnkey Site
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-13528 MEDIUM POC PATCH This Month

Path traversal in the ruoyi-vue-pro file upload endpoint exposes unauthenticated remote attackers to arbitrary file read and write operations via the `generateUploadPath` function in `FileServiceImpl.java`. All versions up to 2026.04-jdk8-SNAPSHOT are confirmed affected across both the YunaiV (GitHub) and zhijiantianya (Gitee) vendor distributions. Publicly available exploit code exists via GitHub issue #1146; no CISA KEV listing is present, but the unauthenticated network vector combined with a public proof-of-concept materially elevates operational risk above the CVSS 4.0 base score of 6.9 alone.

Java Path Traversal File Upload Ruoyi Vue Pro
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13546 MEDIUM POC This Month

Unauthenticated access to the /api/articles REST API endpoint in Feehi CMS up to version 2.1.1 exposes article management functions without any credential verification, allowing remote attackers to interact with CMS content at low complexity and zero privilege. A publicly available proof-of-concept exploit exists via a GitHub issue report. The vendor has not responded to the disclosure, leaving installations without an official patch; no KEV listing indicates no confirmed mass exploitation at time of analysis, but the no-authentication network vector makes this trivially accessible to any internet-facing attacker.

Authentication Bypass Cms
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13592 MEDIUM POC This Month

Out-of-bounds write in CIPster's EtherNet/IP Message Handler exposes industrial automation devices to remote memory corruption through the BufWriter::append function. Unauthenticated remote attackers reachable on the EtherNet/IP network can send crafted protocol messages to corrupt adjacent memory, with potential for service disruption or, with further research, arbitrary code execution on embedded OT devices. A public proof-of-concept exploit (poc.zip) has been released, materially increasing risk for OT/ICS operators running this open-source CIP stack despite the moderate CVSS 4.0 score of 5.5.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13533 MEDIUM POC This Month

Unauthenticated remote file and directory exposure in agentejo Cockpit CMS 0.12.2 and earlier allows attackers to access files outside the web root via path traversal through the htaccess Handler's YAML configuration loader. The root cause is CWE-552 (Files or Directories Accessible to External Parties), triggered by unsafe processing of /config/config.yaml via the Spyc::YAMLLoad function, which can expose sensitive configuration data including credentials or internal path structures. A public exploit proof-of-concept exists on GitHub; no vendor patch has been issued, as the vendor did not respond to coordinated disclosure.

Path Traversal Information Disclosure Cockpit Cms
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13547 MEDIUM POC This Month

Unrestricted file upload in Hanwang e-Face General Management Platform 6.3.5.4 exposes unauthenticated remote attackers to arbitrary file upload via the /manage/resourceUpload/upload.do endpoint, with no input validation on file type or content per CWE-434. The CVSS 4.0 vector (PR:N, AC:L, AT:N) confirms the endpoint requires no authentication and is reachable over the network without special conditions. A publicly available proof-of-concept exploit has been disclosed via a Feishu wiki document, meaning exploitation tooling is accessible to low-skilled actors; this CVE is not yet listed in the CISA KEV catalog at time of analysis.

File Upload E Face General Management Platform
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13521 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `course_year_section` parameter in /preview5.php. The input is passed directly into SQL queries without sanitization (CWE-89), enabling data extraction, modification, or availability disruption. A public proof-of-concept exploit is available on GitHub, and no patch has been identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13566 MEDIUM POC This Month

Unauthenticated SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes backend database contents via the `course_year_section` parameter in `/preview3.php`. The CVSS 4.0 vector confirms network-accessible, no-authentication, no-interaction exploitation (AV:N/AC:L/PR:N/UI:N), and exploit code is publicly available (E:P on GitHub). No active exploitation is confirmed in CISA KEV, but the public POC lowers the bar for opportunistic attacks against any publicly exposed instance.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13551 MEDIUM POC This Month

SQL injection in itsourcecode Baptism Information Management System 1.0 exposes database contents to remote unauthenticated attackers via the ID parameter in /editBaptism.php. A publicly available proof-of-concept exploit exists on GitHub, enabling data exfiltration or modification without any credentials or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/E:P) confirms low-complexity remote exploitation with no special conditions required, and no vendor-released patch has been identified.

SQLi PHP Baptism Information Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13550 MEDIUM POC This Month

SQL injection in itsourcecode Baptism Information Management System 1.0 exposes the `/delbaptism.php` endpoint to remote database manipulation via an unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this requires no authentication or user interaction against any network-accessible instance. A public proof-of-concept exploit exists on GitHub, making this immediately weaponizable against any exposed deployment, though the application is not listed in CISA KEV and its niche footprint substantially limits aggregate exposure.

SQLi PHP Baptism Information Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13527 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview4.php` endpoint to unauthenticated remote attackers via the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-prerequisite network exploitation against default deployments, with low-level impact across confidentiality, integrity, and availability of the backend database. No public exploit identified at time of analysis is incorrect here - a public proof-of-concept has been disclosed on GitHub (E:P maturity confirmed), meaningfully lowering the barrier for opportunistic and automated attacks against academic institutions running this software.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13526 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_class.php` endpoint to unauthenticated remote database manipulation via the unsanitized `ID` parameter. Per the CVSS 4.0 vector (PR:N, UI:N, AC:L), no authentication or user interaction is required to initiate the attack, and a public proof-of-concept exploit is available on GitHub. No vendor patch has been identified at time of analysis, leaving deployments with no vendor-sanctioned remediation path.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13571 MEDIUM POC This Month

Price parameter manipulation in SourceCodester Simple Food Ordering System 1.0 allows unauthenticated remote attackers to submit orders at arbitrary prices by modifying the item_price argument in POST requests to /cart.php. The server trusts client-supplied price data without server-side validation, enabling business logic bypass (CWE-840) that could result in financial loss for system operators. A public proof-of-concept exploit is available on GitHub; however, this vulnerability is not currently listed in the CISA KEV catalog.

Information Disclosure PHP Simple Food Ordering System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13565 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes database contents through the unsanitized ID parameter in /edit_class1.php, exploitable by unauthenticated remote attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required and the attack is fully remote with no user interaction. A public proof-of-concept has been disclosed on GitHub, lowering the exploitation barrier; the product is not currently listed in the CISA KEV catalog.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-41052 CRITICAL PATCH GHSA Act Now

Privilege escalation in SUSE Rancher (Kubernetes management platform) allows a user holding the Project Owner role to improperly escalate their privileges beyond their assigned project scope, per advisory GHSA-vx8h-4prv-g744. Affected releases are 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10. There is no public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.4 and scope-changing impact mean a successful escalation can compromise cluster-wide confidentiality, integrity, and availability.

Privilege Escalation Rancher
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-11720 CRITICAL PATCH Act Now

{{.id}} to sensitive endpoints such as /admin/secrets. Carries a CVSS 4.0 base score of 9.3 (critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Mcp Toolbox For Databases
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-37637 CRITICAL Act Now

Remote code execution in Alexantr filemanager v1.0 lets remote attackers run arbitrary code through the filemanager.php component, mapped to CWE-94 (code injection). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw requiring no authentication or user interaction, and publicly available exploit code exists (GitHub POC by SLO-CYBER-SEC). SSVC rates exploitation as proof-of-concept with total technical impact and automatable=yes, but it is not on CISA KEV and no EPSS score was provided.

Code Injection PHP RCE N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-39868 CRITICAL PATCH Act Now

Kernel memory corruption in Apple iOS/iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compromised app to corrupt kernel memory or trigger unexpected system termination via malformed input that bypasses validation. Reported by Apple internally and fixed with improved input validation; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Despite a high CVSS of 9.1, the practical attack surface is bound to code already executing on the device as an app.

Apple Information Disclosure Ios And Ipados
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-58000 HIGH PATCH This Week

Root command injection in OpenWrt's LuCI web interface (luci-proto-openvpn through 0.11.1) lets an authenticated user with OpenVPN protocol configuration access run arbitrary commands as root. The flaw lives in the generateKey ubus method, where the cl_meta parameter is passed unescaped into a popen() shell call. No public exploit has been identified at time of analysis, but a vendor advisory (GHSA-pm9w-522m-8rrh) and fix commit exist, and the CVSS 4.0 score of 8.7 reflects full confidentiality, integrity, and availability impact on the affected device.

Command Injection Luci
NVD GitHub
CVSS 4.0
8.7
EPSS
1.4%
CVE-2026-25707 HIGH PATCH This Week

Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant crafted repository metadata (repomd/SUSE content files) with '../' location paths that escape the repo root, allowing files anywhere on the system to be overwritten when a victim adds and refreshes that repository. Because zypper-based refresh operations typically run as root, this can escalate to privilege escalation or denial of service. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation Path Traversal Denial Of Service Libzypp
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-13749 HIGH PATCH This Week

Arbitrary code execution in Snowflake CLI versions prior to 3.19 lets an attacker run code in the context of any developer who bundles or deploys an attacker-supplied Snowpark project. The flaw lives in the Snowpark annotation processor callback template, where untrusted project content is interpolated directly into generated Python code (CWE-94). No public exploit has been identified at time of analysis, but the attack is straightforward and high-impact (CVSS 8.8) given that it executes with the victim's local privileges; exploitation hinges on the victim running the bundling/deployment workflow against malicious content.

Code Injection Python RCE Snowflake Cli
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-43715 HIGH PATCH This Week

Memory corruption in Apple's WebKit browser engine (Safari and the system WebView on iOS, iPadOS, and macOS before 26.5.2) allows a remote attacker to corrupt process memory when a victim loads maliciously crafted web content. The flaw is a use-after-free (CWE-416) and carries a CVSS 8.8 with required user interaction; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though Apple reported and patched it in coordinated releases on 2026 advisories.

Memory Corruption Buffer Overflow Apple Use After Free Ios And Ipados
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-13744 HIGH PATCH This Week

SQL injection in Snowflake CLI versions 1.2.2 through 3.18.x allows an attacker to execute unintended SQL statements within a victim's authenticated Snowflake session by planting crafted repository content, project configuration, manifest, or specification input. When a developer processes that attacker-controlled content through a vulnerable command path, the injected SQL runs with the victim's session privileges, enabling data theft, modification, or destruction up to that user's authorization level. There is no public exploit identified at time of analysis, exploitation is not confirmed in CISA KEV, and EPSS is low at 0.31% (23rd percentile), reflecting the user-interaction requirement.

SQLi Snowflake Cli
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-12856 HIGH PATCH This Week

Arbitrary VS Code command execution in the Red Hat vscode-java extension allows a malicious Java source file to embed hidden commands inside JavaDoc hover Markdown, so that a developer who simply clicks a crafted link in a hover popup triggers attacker-chosen commands that can escalate to full system compromise in trusted workspaces. The flaw stems from the extension rendering JavaDoc hovers as fully-trusted Markdown, and it also affects Red Hat OpenShift Dev Spaces, which bundles the extension. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network reach combined with only a single click of user interaction makes it high-impact.

Java RCE Red Hat Openshift Dev Spaces
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-43705 HIGH PATCH This Week

Memory corruption via type confusion in Apple's WebKit browser engine allows attackers to corrupt memory by luring a victim to maliciously crafted web content, affecting Safari, iOS/iPadOS, and macOS before version 26.5.2. The flaw (CWE-843) is network-reachable but requires user interaction (visiting a page), and no public exploit has been identified at time of analysis. Apple has shipped patches across Safari 26.5.2, iOS/iPadOS 26.5.2, and macOS Tahoe 26.5.2.

Memory Corruption Apple Buffer Overflow Ios And Ipados
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-43731 HIGH PATCH This Week

Memory corruption via use-after-free in Apple's WebKit browser engine allows remote attackers to corrupt memory when a victim processes maliciously crafted web content on Safari, iOS/iPadOS, or macOS prior to 26.5.2. The CVSS 3.1 score of 8.8 reflects network-reachable exploitation requiring only that a user open a malicious page; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV. Successful exploitation typically serves as the initial stage of a browser-based attack chain (often paired with a sandbox escape) to achieve code execution in the renderer.

Memory Corruption Buffer Overflow Apple Use After Free Ios And Ipados
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-56124 HIGH PATCH This Week

Unauthenticated information disclosure in phpUploader before 2.0.2 lets remote attackers harvest the entire uploaded-files database table simply by loading any page of the application. The index model runs an unbounded SELECT and serializes the full result set into an inline JSON script block, leaking uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints. No public exploit identified at time of analysis, but the data is exposed in plain HTML source on every page, making extraction trivial; CVSS 4.0 base is 8.7 (High).

Information Disclosure Phpuploader
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy