Skip to main content
CVE-2026-43708 MEDIUM PATCH This Month

Cross-origin data exfiltration in Apple Safari, iOS/iPadOS, and macOS Tahoe (all versions prior to 26.5.2) allows a malicious website to read data belonging to a different origin due to insufficient input validation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-delivered without authentication, requiring only that the victim visits an attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis, and vendor-released patches are available for all affected platforms.

Apple Information Disclosure Ios And Ipados
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57676 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in the Simple User Avatar WordPress plugin through version 4.9 allows authenticated low-privileged users to bypass authorization controls and access avatar-related resources belonging to other users by manipulating user-controlled object keys. The root cause (CWE-639) is the plugin's failure to verify that the requesting user owns or is authorized to access the referenced object. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV, though the low complexity and low privilege requirement (PR:L, AC:L per CVSS) mean any registered WordPress user on an affected site could trivially exploit it.

Authentication Bypass Simple User Avatar
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-56457 MEDIUM This Month

HCL DevOps Deploy and HCL Launch expose sensitive information in pipeline step output logs, enabling any low-privileged authenticated user with log access to read plaintext sensitive values - such as credentials, API tokens, or configuration secrets - that should be masked or redacted. All versions are potentially affected per the CPE wildcard, and the network-accessible nature (AV:N/PR:L) makes this a meaningful insider threat and lateral movement risk in enterprise CI/CD environments. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

Information Disclosure Hcl Devops Deploy Hcl Launch
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-48717 MEDIUM PATCH GHSA This Month

PKCE bypass in OpenAM Community Edition through 16.0.6 allows an attacker who intercepts an OAuth2 authorization code to exchange it for tokens without supplying the required code_verifier. The token endpoint only enforces PKCE verification when the realm-wide codeVerifierEnforced setting is explicitly enabled - a setting that ships disabled by default - meaning omitting the code_verifier parameter silently skips the challenge check entirely. No public exploit has been identified at time of analysis, and a patch is available in version 16.1.1.

Authentication Bypass Microsoft
NVD GitHub
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy