Skip to main content
CVE-2026-53916 HIGH PATCH This Week

Unbounded heap consumption in Apache ActiveMQ's STOMP NIO codec allows an unauthenticated remote client to crash the broker by streaming non-terminating header bytes that the JVM buffers without limit until memory is exhausted. All three affected Maven artifacts (apache-activemq, activemq-all, activemq-stomp) are impacted in versions before 5.19.8 and in the 6.0.0-6.2.6 range. No public exploit code or active exploitation has been identified at time of analysis, but the unauthenticated, low-complexity network attack surface against a widely-deployed enterprise broker makes this a credible denial-of-service risk for any deployment with an exposed STOMP port.

Information Disclosure Apache Activemq
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-56017 HIGH PATCH This Week

JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer. The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.

Denial Of Service Null Pointer Dereference JavaScript
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-54475 HIGH PATCH This Week

Unauthorized message consumption in Apache ActiveMQ Classic lets a connected client read from temporary destinations belonging to a different connection, breaking the per-connection isolation that applications rely on. The root cause is that the isolation check is enforced only client-side, so a malicious or rogue client can subscribe to and drain another connection's temporary queue/topic. It affects ActiveMQ (Broker/All/Classic) before 5.19.8 and 6.0.0 before 6.2.7; there is no public exploit identified at time of analysis, and it is not in CISA KEV.

Apache Authentication Bypass Activemq Activemq Broker
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-13676 HIGH PATCH This Week

Host-based security policy bypass in the fast-uri Node.js URI parser (versions 2.3.1 through 3.1.2 and 4.0.0) lets remote attackers defeat denylists, loopback filters, redirect validation, and SSRF/proxy-routing controls by supplying Unicode (IDN) hostnames. Because fast-uri's IDN path invokes a non-existent helper on the global URL constructor, it leaves the host in raw Unicode form while normalize() and equal() report a host that differs from what Node's WHATWG URL or fetch ultimately resolve, producing a parser-differential bypass. No public exploit is identified at time of analysis, but the bypass is trivially reproducible and primarily enables SSRF-style integrity attacks.

Authentication Bypass Fast Uri
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-41896 HIGH PATCH This Week

Webhook signature forgery in Coolify (self-hosted PaaS) before 4.0.0-beta.474 lets unauthenticated remote attackers trigger arbitrary application deployments. Because the per-application manual_webhook_secret_github field is nullable with no default, newly created applications carry a null HMAC key; PHP's hash_hmac() silently coerces null to an empty string, so the expected X-Hub-Signature-256 becomes a deterministic value any attacker can compute offline. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but exploitation is trivial against affected default configurations.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-49049 HIGH POC This Week

Improper access control in the Helix3 template framework extension for Joomla (versions 1.0 through 3.1.1) exposes an AJAX handler task that lets remote unauthenticated attackers delete arbitrary files, write arbitrary JSON files, and modify template parameters. Because the handler performs no authentication or authorization check, an attacker can corrupt site configuration or destroy files without credentials. There is no public exploit identified at time of analysis, but the issue is automatable per CISA SSVC and carries a CVSS 7.5 (High) due to its network-reachable, unauthenticated integrity impact.

Authentication Bypass Helix3 Extension For Joomla
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-51221 HIGH This Week

Denial of service in EIPStackGroup OpENer (commit 76b95c), an open-source EtherNet/IP stack, allows remote attackers to crash the device by sending a crafted Common Packet Format (CPF) packet that triggers a buffer overflow in the Get_Attribute_List handler. The flaw is network-reachable without authentication or user interaction (CVSS 7.5, availability-only impact), and SSVC indicates proof-of-concept exploit code exists and that exploitation is automatable. EPSS is low (0.17%, 7th percentile) and the CVE is not on CISA KEV, so there is no public evidence of active exploitation yet.

Authentication Bypass Denial Of Service Buffer Overflow N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-55844 HIGH PATCH This Week

Sensitive token disclosure affects the Home Assistant iOS companion app prior to 2025.5.0, where the app ignores the configured SSID allowlist meant to gate internal-network access. Because the app falls back to the internal URL whenever no other URL is available, it can transmit the user's authentication token to the internal endpoint while the device is connected to an untrusted or insecure Wi-Fi network, enabling interception. No public exploit has been identified at time of analysis, and the issue is not in CISA KEV; vendor advisory GHSA-cm5v-547m-qh5h confirms the fix in 2025.5.0.

Apple Information Disclosure Core
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13515 HIGH This Week

Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets remote attackers corrupt memory by sending an oversized startIp argument to the formSetPPTPServer handler at /goform/SetPptpServerCfg, potentially achieving denial of service or arbitrary code execution on the device. The flaw is reachable over the network and publicly available exploit code exists, though it is not listed in CISA KEV and the CVSS 4.0 vector indicates low-privilege (authenticated) access is required. EPSS data was not provided, so widespread automated exploitation cannot be confirmed.

Tenda Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-13516 HIGH This Week

Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets remote, low-privileged attackers corrupt memory by supplying an oversized shareSpeed value to the fromSetWifiGusetBasic handler at /goform/WifiGuestSet, enabling denial of service and potential remote code execution on the device. Publicly available exploit code exists, though there is no public exploit identified as actively used in the wild. The EPSS-style risk is moderate per the CVSS 4.0 base score of 7.4 (HIGH), and CISA KEV does not list it.

Tenda Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-13562 HIGH This Week

Memory corruption in the Edimax EW-7478APC wireless access point (firmware 1.04) lets a remote, low-privileged user overflow a buffer by submitting an oversized selSSID value to the /goform/formiNICSiteSurvey POST handler. Publicly available exploit code exists, and the vendor did not respond to disclosure, leaving deployed devices without an official fix. Successful exploitation can crash the device or potentially run attacker-controlled code on the embedded firmware; there is no public exploit identified as actively exploited (not in CISA KEV) and no EPSS score was provided.

Buffer Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-13564 HIGH This Week

Stack-based buffer overflow in the Edimax EW-7478APC wireless access point (firmware 1.04) lets remote attackers corrupt memory via an oversized pppUserName parameter sent to the formPPPoESetup handler at /goform/formPPPoESetup, potentially leading to crash or arbitrary code execution on the device. Publicly available exploit code exists, but there is no public exploit identified as actively used in the wild. The CVSS 4.0 vector indicates network reach with low privileges required (PR:L), and the vendor did not respond to disclosure, so no fix is available.

Buffer Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.8%
CVE-2026-13563 HIGH This Week

Stack-based buffer overflow in the Edimax EW-7478APC (firmware 1.04) wireless access point lets an authenticated remote attacker corrupt memory by sending an oversized L2TPUserName argument to the formL2TPSetup handler at /goform/formL2TPSetup. Publicly available exploit code exists, though it is not listed in CISA KEV and carries a CVSS 4.0 base score of 7.4. The vendor was notified but did not respond, leaving the flaw unpatched.

Buffer Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-12912 HIGH PATCH This Week

Heap-based buffer overflow in libtiff's PixarLog codec decoder lets attackers crash or potentially execute code in any application that decodes a maliciously crafted PixarLog-compressed TIFF using the PIXARLOGDATAFMT_8BITABGR output format with a specific stride value. Any software linking libtiff for TIFF decoding is exposed, with impact ranging from denial of service to potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, so exploitation is theoretical rather than observed.

Heap Overflow Denial Of Service Buffer Overflow RCE
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-55957 HIGH This Week

Authentication bypass in Apache Tomcat (7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.100, 10.1.0-M1-10.1.36, 11.0.0-M1-11.0.4) lets remote attackers authenticate without supplying the correct password when the JNDIRealm is configured to validate credentials via GSSAPI bind. The flaw (CWE-304, Missing Critical Step in Authentication) means the realm accepts a bind as successful even when the password verification step is effectively skipped. There is no public exploit identified at time of analysis, EPSS risk is low (0.21%, 12th percentile), and it is not listed in CISA KEV.

Information Disclosure Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-22078 HIGH This Week

Local privilege escalation in OPPO's O+ Connect arises because its inter-process communication (IPC) service accepts client connections without authenticating them, letting any external application on the same device invoke privileged operations through the IPC channel. With CVSS 7.3 (scope-changed, high availability impact) and CWE-266 incorrect privilege assignment, a low-privileged local process can perform sensitive actions it should not be authorized for. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure O Connect
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-54370 HIGH PATCH This Week

Local privilege escalation in the Linux acl package (libacl/getfacl/setfacl/chacl) before version 2.4.0 lets an unprivileged local user who controls a component of a pathname win a TOCTOU race, redirecting privileged file-ACL operations to arbitrary files. By swapping a path component for a symlink between the lstat() validation and the follow-on stat()/chown()/chmod()/acl_get_file()/acl_set_file() calls, an attacker can manipulate ownership and ACLs on targets they should not control, yielding root-equivalent escalation. No public exploit identified at time of analysis; the issue was reported by VulnCheck and is fixed upstream.

Privilege Escalation Acl
NVD VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-43725 HIGH PATCH This Week

Sandbox escape in Apple's WebKit browser engine (Safari, iOS/iPadOS, and macOS Tahoe before 26.5.2) lets a malicious website process restricted web content outside the browser sandbox, undermining the isolation that confines untrusted web pages. The flaw stems from improper input validation (CWE-20), was reported by Apple itself, and requires a victim to visit attacker-controlled content (UI:R); CVSS 7.1 reflects limited confidentiality, integrity, and availability impact across a changed scope. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Apple Information Disclosure Ios And Ipados
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-56783 HIGH PATCH This Week

Cleartext credential exposure in Parseable before 2.9.2 lets any authenticated user holding the GetAlert action - including low-privilege reader roles - retrieve webhook tokens, basic-auth credentials, and internal endpoint URLs for every configured notification target by calling GET /api/v1/targets. The exposure stems from secret-masking logic that was commented out, so the API serializes stored secrets verbatim. No public exploit has been identified at time of analysis, but the issue is trivially reproducible against any instance with notification targets configured and is fixed in release v2.9.2.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57951 HIGH PATCH This Week

Cross-operation information disclosure in Mythic C2 framework versions before 3.4.0.60 allows any authenticated operator or spectator to read payload build artifacts belonging to operations they are not assigned to. A broken Hasura GraphQL permission filter on the payload_build_step table contains an always-true _or clause, neutralizing the operation-scoped row-level access control and exposing step_stdout, step_stderr, step_name, and step_description across every operation on the server. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix is publicly committed and the conditions are trivial for any logged-in low-privilege user.

Authentication Bypass Mythic
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-57949 HIGH This Week

Broken object-level authorization (IDOR) in the ruoyi-vue-pro CRM module lets any authenticated user read arbitrary follow-up records via the GET /admin-api/crm/follow-up-record/get endpoint, which fails to verify record ownership. Because record IDs are sequential integers, a low-privileged user can enumerate IDs to harvest other users' follow-up notes, file attachments, scheduling data, and linked business-entity references. No public exploit or active exploitation has been reported; the issue is fixed upstream in commit c779a47.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-43701 HIGH PATCH This Week

Sandbox escape in Apple's WebKit/Safari web content engine allows a malicious website to process restricted web content outside the sandbox on Safari, iOS/iPadOS, and macOS prior to 26.5.2. Reported by Apple and classed as an improper access-control flaw (CWE-284), it requires a victim to load attacker-controlled content (UI:R) and carries CVSS 7.1 with a scope change, reflecting that breaking out of the sandbox crosses a security boundary. There is no public exploit identified at time of analysis and EPSS is low (0.16%), though CISA's SSVC framework rates the technique as automatable with partial technical impact.

Authentication Bypass Apple Ios And Ipados
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57338 HIGH This Week

Reflected cross-site scripting in the ARForms WordPress plugin (versions 7.1.2 and earlier) lets an unauthenticated remote attacker inject script into a victim's browser when the victim clicks a crafted link. Because the CVSS scope is changed (S:C), successful injection can affect the broader WordPress session/DOM context rather than only the form. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Arforms
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57337 HIGH This Week

Cross-site scripting in the PluginOps Landing Page Builder WordPress plugin (versions <= 1.5.3.5) lets unauthenticated remote attackers inject script that executes in a victim's browser, with a scope change (S:C) indicating the payload can affect resources beyond the vulnerable component. The flaw requires victim interaction (UI:R) such as visiting a crafted link or page, and yields low-level confidentiality, integrity, and availability impact (CVSS 7.1). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Landing Page Builder
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57336 HIGH This Week

Cross-site scripting in the Jobify WordPress job-board theme (Astoundify) through version 4.3.2 lets unauthenticated remote attackers inject script that executes in a victim's browser when the victim is lured into triggering a crafted request or link. The scope-changed CVSS 3.1 score of 7.1 reflects that injected script runs outside the vulnerable component's own boundary, enabling session theft or actions in the WordPress context. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

XSS Jobify
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57333 HIGH This Week

Reflected cross-site scripting in the Link Whisper Free WordPress plugin (versions 0.9.4 and earlier) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The scope-change CVSS vector (S:C) indicates the injected script can affect resources beyond the vulnerable plugin context, such as the broader WordPress admin or site session. No public exploit identified at time of analysis, and it is not listed in CISA KEV; reported by Patchstack.

XSS Link Whisper Free
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57332 HIGH This Week

Improper authorization in the Wallet System for WooCommerce WordPress plugin (versions 2.7.6 and earlier) lets low-privileged authenticated users — subscriber-level accounts — perform wallet actions reserved for higher roles, enabling manipulation of stored wallet balances and transactions. The flaw, reported by Patchstack and tracked as CWE-862 (Missing Authorization), carries a 7.1 (High) CVSS score driven by high integrity impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Wallet System For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57320 HIGH This Week

Reflected/stored cross-site scripting in the WordPress plugin BEAR (realmag777's WooCommerce Bulk Editor and Products Manager, woo-bulk-editor) version 1.1.8 and earlier allows an unauthenticated remote attacker to inject malicious script that executes in a victim's browser when the victim is lured to interact with a crafted request. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation that requires user interaction and crosses a security scope boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Patchstack.

XSS Bear
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57346 HIGH This Week

Authenticated path traversal in the Epiphyt Embed Privacy WordPress plugin (versions up to and including 1.12.3) lets a low-privileged user supply a crafted pathname that escapes the plugin's intended directory, enabling arbitrary file deletion on the host as reflected by the Patchstack advisory title. The CVSS 7.1 vector (C:N/I:L/A:H) shows the primary danger is availability — deleting files such as wp-config.php or core assets can break or take down the site. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-53404 HIGH PATCH This Week

Access-control bypass in Apache Tomcat's RewriteValve (versions 8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, and 11.0.0-M1-11.0.22) arises because once the first condition in an OR (`[OR]`) chain matched, subsequent non-OR conditions were never evaluated. Where operators rely on chained rewrite conditions to gate or restrict requests, an attacker can satisfy only the first condition and have later guard conditions silently skipped, leading to information disclosure or unintended request routing. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Apache has released fixes in 11.0.23, 10.1.56, and 9.0.119.

Information Disclosure Tomcat Apache Apache Tomcat
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-47426 HIGH PATCH GHSA This Week

Cross-client token impersonation in OpenAM Community Edition (Open Identity Platform fork) through 16.0.6 allows any registered OAuth2 client to forge private_key_jwt client assertions and mint access tokens in the name of any other client that publishes its keys via a jwks_uri, with no knowledge of the victim's signing key. The flaw, rooted in improper authentication (CWE-287) in the OAuth2 token endpoint, lets an attacker holding any client registration impersonate other clients across every realm hosted by the OpenAM process. There is no public exploit identified at time of analysis, no CVSS or EPSS data was supplied, and the issue is not listed in CISA KEV; it was fixed in version 16.1.1.

Authentication Bypass
NVD GitHub
CVE-2026-47424 HIGH PATCH GHSA This Week

Authenticated remote code execution in Open Identity Platform OpenAM Community Edition through 16.0.6 lets any user able to author or edit server-side scripts escape the scripting sandbox and run OS commands as the OpenAM application-server account. Because the sandbox's default class allow/deny lists fail to contain script execution, a sub-realm RealmAdmin can pivot from realm-scoped administration to full JVM/host compromise, affecting every realm the process serves. No public exploit has been identified at time of analysis, and the issue is fixed in 16.1.1.

RCE
NVD GitHub
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy