Skip to main content
CVE-2026-57950 HIGH This Week

Broken access control in the ErpSaleOrderController of ruoyi-vue-pro (through version 2026.05) lets authenticated users holding only shipment-level 'erp:sale-out' permissions perform full create, read, update, and delete operations on financially sensitive ERP sale orders. The controller enforces the wrong permission namespace ('erp:sale-out' instead of the intended 'erp:sale-order'), so low-privileged warehouse/shipment operators effectively gain order-management authority. No public exploit identified at time of analysis and the issue is not in CISA KEV; an upstream fix exists as commit 5d1fd70.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-13165 HIGH PATCH This Week

Remote code execution in SzafirHost (KIR's Szafir electronic-signature host application) arises from a ZIP/JAR parser-confusion flaw: signature verification reads the archive's Central Directory while extraction reads local file headers sequentially, letting an attacker who controls the served native-library archive smuggle an unsigned malicious DLL/SO/DYLIB past the signature check. Versions prior to 1.2.2 are affected; the injected library is written to the native temp directory and loaded, yielding code execution on the victim's machine. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

RCE File Upload Szafirhost
NVD
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-54371 HIGH PATCH This Week

Local privilege escalation in the attr package's getfattr and setfattr utilities (versions before 2.6.0) allows an attacker who controls a pathname component to swap it for a symbolic link during directory hierarchy traversal, redirecting attribute operations to arbitrary files. When these utilities are invoked by a privileged process over an attacker-influenced path, the attacker can read or write extended attributes on files outside their authority, leading to escalation to higher privileges. The flaw was reported by VulnCheck; no public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation Acl
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-54369 HIGH PATCH Monitor

Local privilege escalation in the Linux acl utilities (libacl) before version 2.4.0 arises because the pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() follow symbolic links during ACL read/write operations. An attacker who controls any component of a pathname processed by a privileged caller can substitute a symlink to redirect ACL operations to arbitrary files, manipulating access control lists outside their authority. No public exploit identified at time of analysis, and the issue is not in CISA KEV; risk is gated on a privileged process operating on attacker-influenced paths.

Privilege Escalation Acl
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-57960 HIGH This Week

Unauthenticated attendee PII exposure in Hi.Events through 1.9.0 lets remote attackers retrieve full attendee lists — including names, emails, and personal information — by hitting the public check-in list endpoints, which treat the check-in list's short_id as the only access control. Beyond reading data, an attacker who knows or guesses a short_id can also create and delete check-in records without authentication. No public exploit identified at time of analysis; the issue was reported by VulnCheck and is tracked via an upstream GitHub fix.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.3%
CVE-2026-57955 HIGH This Week

SQL injection in SigNoz observability platform (versions through 0.130.1) lets authenticated, low-privileged users inject arbitrary ClickHouse queries through the unsanitized rule ID path parameter of the alert-history endpoints. By URL-encoding quote characters that break out of the interpolated rule ID, an attacker can read every stored trace, log, and metric, and can abuse ClickHouse's url() table function to pivot into server-side request forgery against internal services. This is CWE-89 with a documented SSRF secondary impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.

SSRF SQLi
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.2%
CVE-2025-2902 HIGH This Week

Improper authorization in the Maintenance Utility of Hitachi Virtual Storage Platform (VSP) enterprise storage arrays allows an authenticated low-privileged user to perform actions beyond their authorization, undermining the integrity and availability of the storage controller. The flaw affects the VSP E-series, VSP 5000-series, and VSP G/F-series families running pre-fix DKCMAIN and GUM firmware, and was reported by Hitachi itself; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Hitachi Virtual Storage Platform E390 E590 E790 E990 E1090 E390H E590H E790H E1090H Hitachi Virtual Storage Platform 5100 5500 5100H 5500H 5200 5600 5200H 5600H Hitachi Virtual Storage Platform G130 G150 G350 G370 G700 G900 F350 F370 F700 F900
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-9676 MEDIUM POC PATCH This Month

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

WordPress CSRF F4 Post Tree
NVD WPScan VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57959 HIGH This Week

Promo code usage-limit bypass in Hi.Events through version 1.9.0 lets remote attackers redeem restricted/limited promo codes an unlimited number of times by exploiting a time-of-check/time-of-use gap between synchronous reservation validation and the asynchronous UpdateEventStatisticsJob that increments the usage counter. Because validation reads order_usage_count before the background job updates it, an attacker can sequentially reserve and complete many discounted orders - no concurrent/racing requests are even required. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 base score is 8.2, reflecting high integrity impact on the platform's discount/pricing controls.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-53426 HIGH PATCH This Week

Unauthenticated denial-of-service in MDEx, an Elixir/Erlang CommonMark parsing library, lets an attacker crash the entire BEAM virtual machine by feeding a crafted JSON document to MDEx.parse_document/2's {:json, ...} source. Because each unique node_type value is interned as a permanent BEAM atom that is never garbage collected, a single deeply nested document can mint hundreds of thousands of atoms and exhaust the ~1,048,576-atom table, aborting every process on the node. The flaw affects mdex 0.4.3 through 0.13.1, is fixed in 0.13.2, and has no public exploit identified at time of analysis.

Denial Of Service Mdex
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-43735 HIGH PATCH This Week

The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.

Apple Ios And Ipados CSRF
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-13752 HIGH PATCH This Week

SQL injection in Snowflake CLI versions 1.1.0 through 3.18.x (fixed in 3.19) lets crafted parameter values reach vulnerable command paths and execute unintended SQL within the user's active Snowflake session. An authenticated CLI user who is fed malicious input - via social engineering, a poisoned repository configuration, or compromised automation - can have arbitrary statements run against their session, with impact bounded by that session's privileges. No public exploit identified at time of analysis; EPSS is very low (0.11%, 1st percentile) and the SSVC exploitation status is 'none', so this is a not-yet-exploited but high-technical-impact issue.

SQLi Snowflake Cli
NVD VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-57999 HIGH This Week

Authenticated root command injection in the OpenWrt LuCI community Tailscale app (luci-app-tailscale-community) lets a logged-in web UI user run arbitrary OS commands as root through the tailscale.do_login RPC method. Because the user-supplied loginserver and loginserver_authkey values are placed inside a double-quoted shell string, $() and backtick substitutions are evaluated by the outer shell, turning configuration input into command execution. Reported by VulnCheck with a published GHSA advisory; no public exploit identified at time of analysis and the issue is not in CISA KEV.

Command Injection Luci
NVD GitHub
CVSS 4.0
7.7
EPSS
1.2%
CVE-2026-55607 HIGH PATCH This Week

Sandbox escape and code execution in Anthropic's Claude Code CLI (versions 2.1.38 through 2.1.162) lets a malicious repository break out of the macOS seatbelt sandbox by abusing git worktree handling. By creating a worktree named ".git" and combining symlink manipulation with git fsmonitor execution, an attacker can overwrite files in the user's home directory such as .zshenv to achieve code execution outside the sandbox. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation is realistic since it only requires a user to clone and open a booby-trapped repo; it is fixed in 2.1.163.

Path Traversal RCE Claude Code
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.7%
CVE-2026-43724 HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in Apple iOS, iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compromised app to write kernel memory or force unexpected system termination by supplying improperly validated input to a privileged interface. Apple resolved the flaw through improved input sanitization. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and CISA SSVC records exploitation status as none, though it rates the technical impact as total and considers it automatable.

Apple Information Disclosure Ios And Ipados
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-57919 HIGH This Week

Local privilege escalation in Matrix42 Empirum (versions before 25.5 and 26.x before 26.2) lets any authenticated low-privileged user gain SYSTEM execution by abusing the PBackupVSS.exe service's named pipe. The pipe \\.\pipe\PBackupVSS is created with an overly permissive DACL granting GENERIC_READ/GENERIC_WRITE to all authenticated users, so an attacker can send crafted IPC messages that drive the SYSTEM-level service into running an attacker-supplied shadow.exe from a controlled working directory. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but exploitation is mechanically straightforward once on the host.

Privilege Escalation N A
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-56285 HIGH PATCH This Week

Server-side request forgery in Nitter's /video media proxy endpoint lets unauthenticated remote attackers coerce the server into fetching arbitrary URLs and returning their HTTP responses, including AWS/GCP cloud metadata endpoints and internal-only network resources. The flaw stems from two compounding errors: the proxy never validates that target URLs belong to Twitter/X domains, and it ships with a hardcoded default HMAC signing key, so an attacker can locally compute the valid HMAC signature required for any URL of their choosing. No public exploit has been identified at time of analysis, but the technical details and the fixing commit are public.

SSRF
NVD GitHub
CVSS 4.0
7.7
EPSS
0.4%
CVE-2026-56780 HIGH PATCH This Week

{pk}/password/ endpoint, which fails to enforce object-level authorization (CWE-639 IDOR). By simply supplying another user's primary key, a domain-scoped admin can take over the highest-privileged account and gain full control of the mail platform. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is upstream in PR #4038 (commit a1878c4).

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-34592 HIGH PATCH This Week

Cross-team data exposure in Coolify (self-hostable PaaS) before 4.0.0-beta.471 allows any authenticated user to read servers and projects owned by other teams by supplying their object IDs directly. The flaw is a broken object-level authorization (IDOR) where lookups are never scoped to the requester's team, breaching the multi-tenant boundary. No public exploit identified at time of analysis, and the issue is resolved in 4.0.0-beta.471.

Authentication Bypass Coolify
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-36848 HIGH This Week

Path traversal in the H-VUE web management subsystem of Gigamon GigaVUE-OS (GVOS) versions 5.16.1 and earlier allows remote attackers to read arbitrary files outside the intended web root, exposing sensitive system data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity, unauthenticated exploitation with high confidentiality impact but no integrity or availability effect. A researcher GitHub repository tracking this CVE suggests proof-of-concept material may exist, but there is no public exploit explicitly confirmed and no CISA KEV listing at time of analysis.

Path Traversal Gigavue Os
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-8023 HIGH PATCH This Week

Arbitrary file read in the Zephyr RTOS HTTP server (subsys/net/lib/http) lets an unauthenticated remote client retrieve any readable file on the mounted filesystem volume by abusing path-traversal sequences against a registered static-filesystem resource. Affecting Zephyr v4.0.0 through v4.4.0 with CONFIG_FILE_SYSTEM enabled and a static-FS resource registered, the flaw stems from the raw request path being concatenated to the web root without canonicalization in both the HTTP/1 and HTTP/2 front-ends. No public exploit identified at time of analysis, but the bug is trivial to trigger (CVSS 7.5, AV:N/AC:L/PR:N/UI:N) and a vendor patch is available.

Path Traversal Information Disclosure Zephyr
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-57948 HIGH This Week

Session hijacking in Pinpoint (open-source APM) through version 3.1.0 stems from the pinpointJwt session cookie being issued without the HttpOnly and Secure flags, letting client-side JavaScript read it via document.cookie and allowing it to traverse cleartext HTTP. An attacker who can land a stored or reflected XSS payload, or who can sniff network traffic, can steal the JWT session token and impersonate the victim. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; the CVSS 4.0 base score is 7.6.

XSS
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.1%
CVE-2026-56018 HIGH PATCH This Week

Uncontrolled memory consumption in the Perl module JavaScript::Minifier::XS before version 0.16 lets remote attackers exhaust a long-lived process's memory by repeatedly triggering minify() calls. The XS cleanup code frees only the NodeSet structures while leaking every per-token contents buffer (and the entire NodeSet on the empty-list early-return paths), so each invocation leaks heap memory until the process is OOM-killed. CISA's SSVC marks exploitation as automatable with partial technical impact; no public exploit has been identified and it is not in CISA KEV, though the leak is trivially reachable in any service that minifies attacker-supplied JavaScript.

Denial Of Service JavaScript
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-53917 HIGH PATCH This Week

Denial of service in Apache ActiveMQ (versions before 5.19.8, and 6.0.0 before 6.2.7) lets an authenticated user crash the broker by sending a crafted OpenWire message whose property map declares an excessively large encoded size. Because the map is unmarshaled without validating the declared size against actual payload bounds, the broker pre-allocates massive memory and hits an OutOfMemory condition. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the low attack complexity and availability of a vendor patch make it a practical operational concern for exposed brokers.

Denial Of Service Apache Activemq Activemq Broker
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-53916 HIGH PATCH This Week

Unbounded heap consumption in Apache ActiveMQ's STOMP NIO codec allows an unauthenticated remote client to crash the broker by streaming non-terminating header bytes that the JVM buffers without limit until memory is exhausted. All three affected Maven artifacts (apache-activemq, activemq-all, activemq-stomp) are impacted in versions before 5.19.8 and in the 6.0.0-6.2.6 range. No public exploit code or active exploitation has been identified at time of analysis, but the unauthenticated, low-complexity network attack surface against a widely-deployed enterprise broker makes this a credible denial-of-service risk for any deployment with an exposed STOMP port.

Information Disclosure Apache Activemq
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-56017 HIGH PATCH This Week

JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer. The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.

Denial Of Service Null Pointer Dereference JavaScript
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-54475 HIGH PATCH This Week

Unauthorized message consumption in Apache ActiveMQ Classic lets a connected client read from temporary destinations belonging to a different connection, breaking the per-connection isolation that applications rely on. The root cause is that the isolation check is enforced only client-side, so a malicious or rogue client can subscribe to and drain another connection's temporary queue/topic. It affects ActiveMQ (Broker/All/Classic) before 5.19.8 and 6.0.0 before 6.2.7; there is no public exploit identified at time of analysis, and it is not in CISA KEV.

Apache Authentication Bypass Activemq Activemq Broker
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-13676 HIGH PATCH This Week

Host-based security policy bypass in the fast-uri Node.js URI parser (versions 2.3.1 through 3.1.2 and 4.0.0) lets remote attackers defeat denylists, loopback filters, redirect validation, and SSRF/proxy-routing controls by supplying Unicode (IDN) hostnames. Because fast-uri's IDN path invokes a non-existent helper on the global URL constructor, it leaves the host in raw Unicode form while normalize() and equal() report a host that differs from what Node's WHATWG URL or fetch ultimately resolve, producing a parser-differential bypass. No public exploit is identified at time of analysis, but the bypass is trivially reproducible and primarily enables SSRF-style integrity attacks.

Authentication Bypass Fast Uri
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-41896 HIGH PATCH This Week

Webhook signature forgery in Coolify (self-hosted PaaS) before 4.0.0-beta.474 lets unauthenticated remote attackers trigger arbitrary application deployments. Because the per-application manual_webhook_secret_github field is nullable with no default, newly created applications carry a null HMAC key; PHP's hash_hmac() silently coerces null to an empty string, so the expected X-Hub-Signature-256 becomes a deterministic value any attacker can compute offline. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but exploitation is trivial against affected default configurations.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-49049 HIGH POC This Week

Improper access control in the Helix3 template framework extension for Joomla (versions 1.0 through 3.1.1) exposes an AJAX handler task that lets remote unauthenticated attackers delete arbitrary files, write arbitrary JSON files, and modify template parameters. Because the handler performs no authentication or authorization check, an attacker can corrupt site configuration or destroy files without credentials. There is no public exploit identified at time of analysis, but the issue is automatable per CISA SSVC and carries a CVSS 7.5 (High) due to its network-reachable, unauthenticated integrity impact.

Authentication Bypass Helix3 Extension For Joomla
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-51221 HIGH This Week

Denial of service in EIPStackGroup OpENer (commit 76b95c), an open-source EtherNet/IP stack, allows remote attackers to crash the device by sending a crafted Common Packet Format (CPF) packet that triggers a buffer overflow in the Get_Attribute_List handler. The flaw is network-reachable without authentication or user interaction (CVSS 7.5, availability-only impact), and SSVC indicates proof-of-concept exploit code exists and that exploitation is automatable. EPSS is low (0.17%, 7th percentile) and the CVE is not on CISA KEV, so there is no public evidence of active exploitation yet.

Authentication Bypass Denial Of Service Buffer Overflow N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-55844 HIGH PATCH This Week

Sensitive token disclosure affects the Home Assistant iOS companion app prior to 2025.5.0, where the app ignores the configured SSID allowlist meant to gate internal-network access. Because the app falls back to the internal URL whenever no other URL is available, it can transmit the user's authentication token to the internal endpoint while the device is connected to an untrusted or insecure Wi-Fi network, enabling interception. No public exploit has been identified at time of analysis, and the issue is not in CISA KEV; vendor advisory GHSA-cm5v-547m-qh5h confirms the fix in 2025.5.0.

Apple Information Disclosure Core
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13515 HIGH This Week

Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets remote attackers corrupt memory by sending an oversized startIp argument to the formSetPPTPServer handler at /goform/SetPptpServerCfg, potentially achieving denial of service or arbitrary code execution on the device. The flaw is reachable over the network and publicly available exploit code exists, though it is not listed in CISA KEV and the CVSS 4.0 vector indicates low-privilege (authenticated) access is required. EPSS data was not provided, so widespread automated exploitation cannot be confirmed.

Tenda Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-13516 HIGH This Week

Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets remote, low-privileged attackers corrupt memory by supplying an oversized shareSpeed value to the fromSetWifiGusetBasic handler at /goform/WifiGuestSet, enabling denial of service and potential remote code execution on the device. Publicly available exploit code exists, though there is no public exploit identified as actively used in the wild. The EPSS-style risk is moderate per the CVSS 4.0 base score of 7.4 (HIGH), and CISA KEV does not list it.

Tenda Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-13562 HIGH This Week

Memory corruption in the Edimax EW-7478APC wireless access point (firmware 1.04) lets a remote, low-privileged user overflow a buffer by submitting an oversized selSSID value to the /goform/formiNICSiteSurvey POST handler. Publicly available exploit code exists, and the vendor did not respond to disclosure, leaving deployed devices without an official fix. Successful exploitation can crash the device or potentially run attacker-controlled code on the embedded firmware; there is no public exploit identified as actively exploited (not in CISA KEV) and no EPSS score was provided.

Buffer Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-13564 HIGH This Week

Stack-based buffer overflow in the Edimax EW-7478APC wireless access point (firmware 1.04) lets remote attackers corrupt memory via an oversized pppUserName parameter sent to the formPPPoESetup handler at /goform/formPPPoESetup, potentially leading to crash or arbitrary code execution on the device. Publicly available exploit code exists, but there is no public exploit identified as actively used in the wild. The CVSS 4.0 vector indicates network reach with low privileges required (PR:L), and the vendor did not respond to disclosure, so no fix is available.

Buffer Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.8%
CVE-2026-13563 HIGH This Week

Stack-based buffer overflow in the Edimax EW-7478APC (firmware 1.04) wireless access point lets an authenticated remote attacker corrupt memory by sending an oversized L2TPUserName argument to the formL2TPSetup handler at /goform/formL2TPSetup. Publicly available exploit code exists, though it is not listed in CISA KEV and carries a CVSS 4.0 base score of 7.4. The vendor was notified but did not respond, leaving the flaw unpatched.

Buffer Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-12912 HIGH PATCH This Week

Heap-based buffer overflow in libtiff's PixarLog codec decoder lets attackers crash or potentially execute code in any application that decodes a maliciously crafted PixarLog-compressed TIFF using the PIXARLOGDATAFMT_8BITABGR output format with a specific stride value. Any software linking libtiff for TIFF decoding is exposed, with impact ranging from denial of service to potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, so exploitation is theoretical rather than observed.

Heap Overflow Denial Of Service Buffer Overflow RCE
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-55957 HIGH This Week

Authentication bypass in Apache Tomcat (7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.100, 10.1.0-M1-10.1.36, 11.0.0-M1-11.0.4) lets remote attackers authenticate without supplying the correct password when the JNDIRealm is configured to validate credentials via GSSAPI bind. The flaw (CWE-304, Missing Critical Step in Authentication) means the realm accepts a bind as successful even when the password verification step is effectively skipped. There is no public exploit identified at time of analysis, EPSS risk is low (0.21%, 12th percentile), and it is not listed in CISA KEV.

Information Disclosure Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-22078 HIGH This Week

Local privilege escalation in OPPO's O+ Connect arises because its inter-process communication (IPC) service accepts client connections without authenticating them, letting any external application on the same device invoke privileged operations through the IPC channel. With CVSS 7.3 (scope-changed, high availability impact) and CWE-266 incorrect privilege assignment, a low-privileged local process can perform sensitive actions it should not be authorized for. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure O Connect
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-54370 HIGH PATCH This Week

Local privilege escalation in the Linux acl package (libacl/getfacl/setfacl/chacl) before version 2.4.0 lets an unprivileged local user who controls a component of a pathname win a TOCTOU race, redirecting privileged file-ACL operations to arbitrary files. By swapping a path component for a symlink between the lstat() validation and the follow-on stat()/chown()/chmod()/acl_get_file()/acl_set_file() calls, an attacker can manipulate ownership and ACLs on targets they should not control, yielding root-equivalent escalation. No public exploit identified at time of analysis; the issue was reported by VulnCheck and is fixed upstream.

Privilege Escalation Acl
NVD VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-43725 HIGH PATCH This Week

Sandbox escape in Apple's WebKit browser engine (Safari, iOS/iPadOS, and macOS Tahoe before 26.5.2) lets a malicious website process restricted web content outside the browser sandbox, undermining the isolation that confines untrusted web pages. The flaw stems from improper input validation (CWE-20), was reported by Apple itself, and requires a victim to visit attacker-controlled content (UI:R); CVSS 7.1 reflects limited confidentiality, integrity, and availability impact across a changed scope. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Apple Information Disclosure Ios And Ipados
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-56783 HIGH PATCH This Week

Cleartext credential exposure in Parseable before 2.9.2 lets any authenticated user holding the GetAlert action - including low-privilege reader roles - retrieve webhook tokens, basic-auth credentials, and internal endpoint URLs for every configured notification target by calling GET /api/v1/targets. The exposure stems from secret-masking logic that was commented out, so the API serializes stored secrets verbatim. No public exploit has been identified at time of analysis, but the issue is trivially reproducible against any instance with notification targets configured and is fixed in release v2.9.2.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57951 HIGH PATCH This Week

Cross-operation information disclosure in Mythic C2 framework versions before 3.4.0.60 allows any authenticated operator or spectator to read payload build artifacts belonging to operations they are not assigned to. A broken Hasura GraphQL permission filter on the payload_build_step table contains an always-true _or clause, neutralizing the operation-scoped row-level access control and exposing step_stdout, step_stderr, step_name, and step_description across every operation on the server. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix is publicly committed and the conditions are trivial for any logged-in low-privilege user.

Authentication Bypass Mythic
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-57949 HIGH This Week

Broken object-level authorization (IDOR) in the ruoyi-vue-pro CRM module lets any authenticated user read arbitrary follow-up records via the GET /admin-api/crm/follow-up-record/get endpoint, which fails to verify record ownership. Because record IDs are sequential integers, a low-privileged user can enumerate IDs to harvest other users' follow-up notes, file attachments, scheduling data, and linked business-entity references. No public exploit or active exploitation has been reported; the issue is fixed upstream in commit c779a47.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-43701 HIGH PATCH This Week

Sandbox escape in Apple's WebKit/Safari web content engine allows a malicious website to process restricted web content outside the sandbox on Safari, iOS/iPadOS, and macOS prior to 26.5.2. Reported by Apple and classed as an improper access-control flaw (CWE-284), it requires a victim to load attacker-controlled content (UI:R) and carries CVSS 7.1 with a scope change, reflecting that breaking out of the sandbox crosses a security boundary. There is no public exploit identified at time of analysis and EPSS is low (0.16%), though CISA's SSVC framework rates the technique as automatable with partial technical impact.

Authentication Bypass Apple Ios And Ipados
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57338 HIGH This Week

Reflected cross-site scripting in the ARForms WordPress plugin (versions 7.1.2 and earlier) lets an unauthenticated remote attacker inject script into a victim's browser when the victim clicks a crafted link. Because the CVSS scope is changed (S:C), successful injection can affect the broader WordPress session/DOM context rather than only the form. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Arforms
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57337 HIGH This Week

Cross-site scripting in the PluginOps Landing Page Builder WordPress plugin (versions <= 1.5.3.5) lets unauthenticated remote attackers inject script that executes in a victim's browser, with a scope change (S:C) indicating the payload can affect resources beyond the vulnerable component. The flaw requires victim interaction (UI:R) such as visiting a crafted link or page, and yields low-level confidentiality, integrity, and availability impact (CVSS 7.1). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Landing Page Builder
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57336 HIGH This Week

Cross-site scripting in the Jobify WordPress job-board theme (Astoundify) through version 4.3.2 lets unauthenticated remote attackers inject script that executes in a victim's browser when the victim is lured into triggering a crafted request or link. The scope-changed CVSS 3.1 score of 7.1 reflects that injected script runs outside the vulnerable component's own boundary, enabling session theft or actions in the WordPress context. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

XSS Jobify
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57333 HIGH This Week

Reflected cross-site scripting in the Link Whisper Free WordPress plugin (versions 0.9.4 and earlier) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The scope-change CVSS vector (S:C) indicates the injected script can affect resources beyond the vulnerable plugin context, such as the broader WordPress admin or site session. No public exploit identified at time of analysis, and it is not listed in CISA KEV; reported by Patchstack.

XSS Link Whisper Free
NVD
CVSS 3.1
7.1
EPSS
0.1%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy