Skip to main content
CVE-2026-43713 MEDIUM PATCH This Month

Sensitive data leakage in Apple Safari, iOS/iPadOS, and macOS Tahoe before version 26.5.2 exposes users to cross-site data disclosure when visiting a malicious or compromised website. The root cause is a permissions enforcement deficiency (CWE-1264) that allows a web context to access data beyond its intended permission boundary. No active exploitation has been confirmed by CISA KEV, and the EPSS score of 0.17% (6th percentile) indicates low observed exploitation probability at time of analysis; however, the unauthenticated, low-complexity network vector makes this a realistic target for drive-by attacks once details become public.

Apple Information Disclosure Ios And Ipados
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-55956 MEDIUM This Month

Improper Authorization (CWE-285) in Apache Tomcat's default servlet allows HTTP method-based and method-omission security constraints to be silently bypassed across all major supported Tomcat branches from 7.0.x through 11.0.x. An attacker can perform HTTP operations - such as PUT or DELETE - that the web.xml security constraint configuration was intended to restrict, potentially enabling unauthorized file upload, modification, or deletion on the default servlet's served content. No active exploitation has been confirmed (not in CISA KEV) and no CVSS score has been published at time of analysis, but the broad version range and ubiquitous deployment footprint of Tomcat make prompt patching a priority.

Authentication Bypass Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-43707 MEDIUM PATCH This Month

Denial-of-service memory corruption in Apple's WebKit engine affects Safari, iOS/iPadOS, and macOS Tahoe before version 26.5.2, where processing maliciously crafted web content triggers an unexpected process crash. The CVSS vector scores only availability impact (A:H) with no confidentiality or integrity loss, indicating a crash rather than code execution. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.16%), consistent with a browser-rendering DoS reported internally by Apple rather than an actively exploited threat.

Apple Buffer Overflow Ios And Ipados
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-43721 MEDIUM PATCH This Month

Clipboard data disclosure in Apple Safari (and the shared WebKit engine on iOS, iPadOS, and macOS) before version 26.5.2 lets a malicious website silently read or hijack clipboard contents without user interaction or permission, rated CVSS 7.5 (confidentiality-only). Apple has shipped fixes in Safari 26.5.2, iOS/iPadOS 26.5.2, and macOS Tahoe 26.5.2, and the issue was reported internally by Apple. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Apple Information Disclosure Ios And Ipados
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-43700 MEDIUM PATCH This Month

Cross-origin information disclosure in Apple Safari, iOS, iPadOS, and macOS Tahoe (all versions before 26.5.2) allows an attacker who can direct a user to maliciously crafted web content to read sensitive data from other origins, violating the Same-Origin Policy. The flaw stems from inadequate tracking of security origins in the WebKit engine (CWE-346), and is notable because on iOS and iPadOS all browsers are mandated to use WebKit, meaning every browser on those platforms is affected. No public exploit or CISA KEV listing is identified at time of analysis; Apple has released patches across all affected platforms.

Apple Information Disclosure Ios And Ipados
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-55955 MEDIUM This Month

Replay attack vulnerability in Apache Tomcat's cluster EncryptionInterceptor allows a network-adjacent attacker to retransmit previously captured encrypted inter-node cluster messages, causing receiving nodes to accept and process them as legitimate - potentially corrupting distributed session state or triggering unintended cluster actions. All major supported branches are affected: 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, plus end-of-life branches 8.5.38-8.5.100 and 7.0.100-7.0.109. No public exploit or CISA KEV listing has been identified at time of analysis; however, the breadth of affected versions across all active and legacy branches elevates organizational exposure, particularly for environments running EOL 8.5.x or 7.x with no available patch.

Authentication Bypass Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-13601 MEDIUM This Month

Sandbox-escaping information disclosure in Yelp (the GNOME help viewer) lets a malicious Flatpak application read arbitrary user-readable files on the host. By using the OpenURI portal to open crafted help content that embeds an untrusted CSS stylesheet inside a structured SVG document, an attacker abuses an overly permissive Content Security Policy supplied by yelp-xsl to force Yelp to evaluate local XML inclusions and exfiltrate file contents via remote CSS resource requests, defeating Flatpak's intended isolation. The flaw was disclosed publicly (GNOME developer blog by Michael Catanzaro, May 2026) and tracked by Red Hat; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Enterprise Linux Yelp
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57340 MEDIUM This Month

Unauthenticated broken access control in the Japanized For WooCommerce WordPress plugin (versions <= 2.9.12) allows remote unauthenticated attackers to bypass authorization checks and perform restricted operations, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, lowering the exploitation barrier significantly for any exposed WordPress site running this plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low complexity and zero-privilege requirement make this accessible to unsophisticated attackers.

Authentication Bypass WordPress Japanized For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57339 MEDIUM This Month

Broken Access Control in the Business Directory WordPress plugin (versions 6.4.23 and below) permits unauthenticated remote attackers to perform unauthorized operations against directory data, yielding limited integrity and availability impacts. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms exploitation requires no authentication, no special configuration, and no user interaction, making the attack trivially accessible to any network-reachable actor. No public exploit code and no CISA KEV listing are confirmed at time of analysis, placing current real-world exploitation risk in the moderate range.

Authentication Bypass Business Directory
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57334 MEDIUM This Month

Broken access control in WP User Frontend plugin for WordPress (versions <= 4.3.7) allows unauthenticated remote attackers to perform restricted actions without authorization. The flaw stems from missing authorization checks (CWE-862) on one or more plugin endpoints, enabling limited integrity and availability impact against affected WordPress installations. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis, though the unauthenticated, low-complexity nature of the vulnerability lowers the bar for casual abuse.

Authentication Bypass Wp User Frontend
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57330 MEDIUM This Month

Stored Cross-Site Scripting in the MasterStudy LMS WordPress plugin (versions <= 3.7.27) allows authenticated subscriber-level users to inject malicious scripts that execute in the browsers of higher-privileged users such as administrators. The vulnerability carries a Scope:Changed CVSS vector, meaning successful exploitation breaks the browser security boundary and can impact resources beyond the plugin itself - enabling session hijacking, credential theft, or privilege escalation within the WordPress admin context. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (subscriber role) widens the attacker pool considerably on sites with open or paid user registration.

XSS Masterstudy Lms
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57328 MEDIUM This Month

Cross-site scripting in the Business Directory WordPress plugin (versions 6.4.22 and earlier) allows authenticated subscriber-level users to inject arbitrary JavaScript that executes in other users' browsers. The scope-change indicator in the CVSS vector (S:C) confirms the payload can cross trust boundaries - most critically, scripts injected by a low-privilege subscriber can execute in the context of a higher-privilege user such as an administrator. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XSS Business Directory
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13538 LOW POC PATCH Monitor

Command injection in Wavlink WL-NU516U1-A router firmware (M16U1_V240425) allows authenticated remote attackers to execute arbitrary OS commands by submitting crafted POST parameters to the wireless CGI configuration handler. The affected function sub_401D68 within /cgi-bin/wireless.cgi fails to sanitize the SSID2G2, SSID5G2, AuthMethod2, and WPAPSK12 parameters before passing them to OS-level commands. A public proof-of-concept exploit is confirmed available on GitHub; this CVE is not currently listed in CISA's KEV catalog, but the vendor has already released a patched firmware.

Command Injection Wl Nu516U1 A
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
1.3%
CVE-2026-57946 MEDIUM PATCH This Month

Unauthenticated access to private playlist data in Invidious before v2.20260626.0 is possible via a broken authorization check on the RSS feed playlist endpoint. By supplying a known playlist ID to this endpoint, a remote attacker with no credentials can retrieve the full contents of a private playlist, the owner's email address, and all associated video entries. No public exploit has been identified at time of analysis, and a vendor-released patch is available in v2.20260626.0.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-57947 MEDIUM This Month

Server-side request forgery in Pinpoint APM through version 3.1.0 allows authenticated users with low privileges to register internal or cloud-metadata URLs as alarm webhook targets due to missing URL validation on the webhook registration endpoint. By deliberately triggering alarm threshold breaches, an attacker can coerce the Pinpoint server to issue outbound POST requests to internal hosts, cloud metadata services (such as AWS IMDS at 169.254.169.254), or other non-routable internal infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 subsequent-system confidentiality impact is rated High, reflecting the potential to enumerate internal services or harvest cloud credentials.

Authentication Bypass SSRF
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-57997 MEDIUM PATCH This Month

JWT algorithm confusion in Strapi's users-permissions plugin enables authentication control weakening when the plugin::users-permissions.jwt.algorithm setting is absent from configuration. The plugin silently accepts HS384 and HS512 tokens alongside the intended HS256, allowing an attacker who has already obtained the jwtSecret to mint tokens using non-standard HMAC variants and bypass any algorithm-enforcement logic. No public exploit code is identified at time of analysis and this vulnerability is not listed in CISA KEV; real-world risk is substantially bounded by the prerequisite of jwtSecret compromise, reflected in the CVSS 4.0 score of 6.3 with High Complexity and Presence-of-attack-requirement modifiers.

Authentication Bypass Strapi
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-13581 LOW POC Monitor

OS command injection in the Edimax EW-7478APC wireless access point firmware 1.04 allows a network-reachable authenticated attacker to execute arbitrary OS commands on the device by manipulating the `rootAPmac` parameter in POST requests to `/goform/formStaDrvSetup`. A public proof-of-concept exploit is available, indexed by VulDB and documented externally, and the vendor did not respond to responsible disclosure - making a vendor-released patch unlikely in the near term. The provided CVSS 4.0 score of 2.1 appears to significantly understate actual impact, as OS command injection on embedded Linux network devices typically yields full device compromise rather than the 'Low' impact across all three dimensions assigned in the vector.

Command Injection Ew 7478Apc
NVD VulDB
CVSS 4.0
2.1
EPSS
1.2%
CVE-2026-13748 MEDIUM PATCH This Month

Path traversal in Snowflake CLI versions prior to 3.19 enables arbitrary local file exfiltration to Snowflake cloud services when a victim processes attacker-controlled project or repository content. The CLI fails to restrict file path resolution during deployment or SQL template processing, allowing crafted project files to reference and transmit content from outside the intended project directory boundary to Snowflake-hosted artifacts. No public exploit has been identified and this CVE is not listed in the CISA KEV catalog; upgrade to version 3.19 is required as the vendor documents no supported workarounds.

Path Traversal Snowflake Cli
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-57327 MEDIUM This Month

Broken access control in MainWP WordPress plugin versions 6.1.1 and below allows authenticated subscribers to bypass authorization checks and perform actions restricted to higher-privileged roles. The CVSS vector (PR:L, AC:L, AV:N) confirms any low-privileged WordPress account - the subscriber role being the lowest default - is sufficient for network-based exploitation with no special complexity. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the minimal barrier to obtaining a subscriber account on sites with open registration makes this a meaningful risk for multi-user or membership-based installations.

Authentication Bypass Mainwp
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-13757 MEDIUM This Month

Stack exhaustion in p11-kit's RPC server crashes the daemon and any dependent cryptographic services on affected Red Hat systems. The vulnerability exists in the PKCS#11 RPC message parsing layer, where two attribute-handling functions form a mutually-recursive call chain with no depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes - allowing any local user or process with socket access to crash the server by sending a single crafted request. No public exploit or active exploitation has been identified at time of analysis, and impact is limited to availability (denial of service) with no confidentiality or integrity consequence.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +3
NVD VulDB GitHub
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-13549 LOW POC Monitor

Authorization bypass in CodeAstro Complaint Management System 1.0 exposes the deletereport endpoint to unauthenticated arbitrary deletion of complaint reports and associated files. The deletereport function in application/controllers/Report.php accepts a caller-supplied report identifier without verifying ownership or authorization, enabling any remote user to delete any report by manipulating that identifier. A public proof-of-concept exploit is available on GitHub; no CISA KEV listing exists at time of analysis, indicating no confirmed widespread active exploitation.

Authentication Bypass PHP Complaint Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-13536 LOW POC Monitor

Reflected cross-site scripting in GotoHTTP up to version 10.2 allows remote attackers to inject arbitrary JavaScript via the `sn` parameter in the `/reg.12x` endpoint. A publicly available proof-of-concept exploit exists (GitHub issue linked in references). The vendor has acknowledged the flaw and removed the parameter echo from source code, but explicitly declined to release a patched build immediately, stating the affected URL is not normally surfaced in a browser or exposed to end users - a claim that partially limits real-world risk but does not eliminate it. No active exploitation confirmed (not in CISA KEV); however, the public POC lowers the bar for abuse.

XSS Gotohttp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-52760 MEDIUM PATCH This Month

Stored cross-site scripting in Apache ActiveMQ Web Console allows an authenticated message producer to inject malicious JavaScript via a crafted JMS message ID, which executes in the browser of any administrator who browses the affected queue. The browse page renders message IDs without HTML sanitization, enabling privilege escalation from producer to administrator via session hijacking or credential theft. No public exploit identified at time of analysis and not listed in CISA KEV; rated moderate severity by Apache, consistent with the authentication prerequisite and required user interaction.

XSS Apache Activemq Activemq Web
NVD VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-13540 LOW POC PATCH Monitor

Server-side request forgery in GitBucket up to version 4.46.1 allows authenticated users to coerce the application server into issuing HTTP requests to arbitrary internal or private network hosts by supplying a crafted URL to the repository creation "clone from existing repository" feature. The flaw resides in `Git.cloneRepository.setURI()` within `RepositoryCreationService.scala`, where user-supplied URL input reaches JGit without validation against private address ranges. A public exploit exists (GitHub issue #4044), though no CISA KEV listing is present - no confirmed active exploitation at time of analysis. An upstream patch is available as commit 487a9b980f56aa73b6a044b1e86a92eed5043215 via PR #4056.

SSRF Gitbucket
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13544 LOW POC Monitor

Improper access control in Feehi CMS up to version 2.1.1 allows low-privileged remote attackers to perform unauthorized operations against the /api/users API endpoint. Exploitation of CWE-284 at this endpoint enables access to or manipulation of user data beyond what the authenticated role should permit, representing an authentication bypass at the authorization layer. A public exploit exists per GitHub issue #89; no vendor patch or response has been issued as of analysis time, leaving the exposure unmitigated.

Authentication Bypass Cms
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13535 LOW POC Monitor

SQL injection in CodeAstro Human Resource Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the ID argument passed to the GetFileInfo function within the View Endpoint. The vulnerability resides in hrsystem/application/models/Employee_model.php and can result in unauthorized read and write access to the underlying database. A public exploit has been published on GitHub, elevating practical risk despite the authentication requirement and moderate CVSS 4.0 score of 5.3.

SQLi PHP Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13532 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/departmentDoctor.php` endpoint to database manipulation via the unsanitized `deptid` parameter, allowing a remote low-privileged attacker to read, modify, or corrupt backend database records. The CVSS 4.0 vector (PR:L) confirms that a valid application account is required, limiting opportunistic exploitation. A public proof-of-concept exploit is available on GitHub (linked from VulDB), and no vendor patch has been identified at time of analysis, making compensating controls the only available remediation path.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13572 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the billing endpoint /insertbillingrecord.php to database manipulation by low-privileged remote attackers via the unsanitized patientid parameter. A public exploit has been disclosed on GitHub, lowering the barrier to exploitation significantly despite a low CVSS 4.0 base score of 2.1. No CISA KEV listing exists, but the combination of a publicly available proof-of-concept and access to potentially sensitive patient health and billing records elevates real-world concern beyond what the numeric score alone conveys.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13548 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctortimings.php` endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privilege authenticated attacker to read, modify, or partially disrupt backend database contents. The CVSS 4.0 vector (PR:L) confirms that some form of application authentication is required, limiting opportunistic mass exploitation, but a publicly available proof-of-concept exploit on GitHub materially lowers the barrier for targeted attacks. No patch has been released; the vulnerability is not listed in the CISA KEV catalog, but the sensitivity of healthcare data in scope makes it a meaningful risk for any production deployment.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13542 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctorprofile.php` endpoint to remote exploitation via the `doctorname` parameter, allowing an authenticated attacker to execute arbitrary SQL commands against the backend database. Affected systems risk unauthorized access to, modification of, or partial disruption of sensitive medical and staff records stored within the application. A public proof-of-concept exploit has been disclosed on GitHub (CVSS 4.0 E:P), significantly lowering the technical barrier for exploitation despite the moderate base score; no CISA KEV listing is present at time of analysis.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13541 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the backend database to authenticated remote attackers through the `newpassword` parameter of `/doctorchangepassword.php`. An attacker holding low-privilege credentials - such as a doctor account - can craft malicious SQL payloads to read, modify, or potentially delete database records. A public exploit exists per the CVSS 4.0 E:P modifier and a referenced GitHub issue; no active exploitation has been confirmed by CISA KEV.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13531 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the /department.php endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privileged authenticated attacker to read, modify, or delete hospital database contents. The CVSS 4.0 vector (PR:L) confirms a valid user account is required, constraining but not eliminating risk for internet-exposed instances. A public exploit has been released on GitHub, materially increasing the likelihood of opportunistic abuse against deployed instances.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13530 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the Appointment Handler endpoint `/appointmentdetail.php` to remote database manipulation via the unsanitized `editid` parameter. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and a public proof-of-concept exploit is available on GitHub, materially lowering the bar for exploitation. While not listed in CISA KEV, the combination of network reachability, trivial exploitation complexity, and live PoC code makes this a concrete risk for any organization running this codebase in production.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13525 LOW POC Monitor

SQL injection in CodeAstro Human Resource Management System 1.0 allows a low-privileged authenticated remote attacker to manipulate the `emid` parameter in the Update_Earn_Leave endpoint, triggering time-based blind SQL injection against the underlying database. The vulnerability resides in the `emselectByCode` function within `application/models/Employee_model.php`, where unsanitized input is passed directly into SQL query construction. A public proof-of-concept exploit is available on GitHub; no active exploitation has been confirmed by CISA KEV at time of analysis.

SQLi PHP Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13520 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/appointmentapproval.php` Appointment Handler endpoint to database manipulation via the `editid` parameter, allowing low-privileged remote attackers to read, modify, or delete backend data. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-exploitability with minimal attack complexity once credentials are obtained, and a public proof-of-concept has been disclosed on GitHub, substantially lowering the attacker skill threshold. No active exploitation is confirmed by CISA KEV, but the medical context of the affected system - which likely stores sensitive patient and appointment records - amplifies the potential impact of even a limited SQL injection.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-57956 MEDIUM This Month

Broken tenant isolation in SigNoz through 0.130.1 allows authenticated users from one organization to read, modify, and delete alert rules belonging to entirely separate organizations by directly supplying a target rule UUID via API. The alert rule store predicates omit organization ID filtering - a textbook Insecure Direct Object Reference (CWE-639) - collapsing the multi-tenant access boundary. No active exploitation is confirmed (not in CISA KEV) and no public POC has been independently confirmed, though the referenced GitHub issue may expose sufficient technical detail for manual exploitation by any credentialed user on a shared SigNoz instance.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.2%
CVE-2026-13537 LOW POC Monitor

Cross-site request forgery in CodeAstro Human Resource Management System 1.0 enables remote attackers to perform unauthorized state-changing actions - specifically department deletion - by tricking an authenticated user into visiting a crafted malicious page. The exploit targets the department deletion endpoint and publicly available proof-of-concept code has been published on GitHub, lowering the bar for exploitation. No active exploitation has been confirmed by CISA KEV, but the combination of a public PoC, network-accessible attack vector, and no required attacker privileges makes this an accessible target for opportunistic attackers against organizations running this software.

CSRF Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13579 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated patient users to database-level attacks via the `/patientchangepassword.php` endpoint. The `newpassword` parameter is passed unsanitized into SQL queries, allowing an authenticated attacker to manipulate backend database operations - potentially reading, modifying, or deleting patient records. A public proof-of-concept exploit exists (GitHub issue linked from VulDB report), though no active exploitation has been confirmed by CISA KEV. The CVSS 4.0 score of 2.1 reflects the limited real-world severity due to the authentication prerequisite and constrained impact scope.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13578 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientdetail.php` endpoint to database manipulation via the unsanitized `editid` parameter, reachable by any low-privileged authenticated user over the network. A public proof-of-concept exploit is available (referenced via GitHub issue), lowering the skill barrier for exploitation against any deployed instance. The CVSS 4.0 score of 2.1 reflects low per-impact ratings across confidentiality, integrity, and availability, but SQL injection vulnerabilities routinely exceed their scored impact bounds when database accounts carry excess privileges - no public exploitation has been confirmed in CISA KEV.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-57326 MEDIUM This Month

Unauthenticated cross-site scripting in the Business Directory WordPress plugin (versions <= 6.4.22) allows remote attackers without any authentication to inject and store arbitrary JavaScript that executes in the context of a victim's browser when they visit an affected page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-accessible exploitation requiring no privileges, with a scope change indicating the payload crosses from the plugin's execution context into the victim's browser session. No public exploit code or active exploitation has been identified at time of analysis, but the unauthenticated nature and low complexity lower the barrier to abuse significantly.

XSS Business Directory
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-13567 LOW POC Monitor

Cross-site scripting in code-projects Online Music Site 1.0 allows unauthenticated remote attackers to inject malicious scripts via the feedback form's fname, femail, faddress, or fmessage parameters handled by /Frontend/Feedback.php. The CVSS 4.0 score of 2.1 (Low) reflects the UI:P requirement - a victim must interact with the crafted content for the payload to execute, limiting autonomous exploitation. A public proof-of-concept is available via GitHub, though no confirmed active exploitation (CISA KEV) has been recorded.

XSS PHP Online Music Site
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-57943 MEDIUM PATCH This Month

Broken object-level authorization (BOLA/IDOR) in LibrePhotos prior to version 1.0.0 allows any authenticated user to read private photos belonging to other users by manipulating shared_to relationship parameters in the SetPhotosShared endpoint without server-side ownership validation. The attack vector is network-accessible and requires only a low-privilege account, delivering high confidentiality impact against victim photo libraries. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available as version 1.0.0.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-57952 MEDIUM PATCH This Month

Cross-operation authorization bypass in Mythic C2 framework before 3.4.0.60 exposes encryption keys and C2 profile configurations to authenticated operators from separate operations. Four webhook REST endpoints - c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, and c2profile_sample_message_webhook - fail to verify that a submitted payload UUID belongs to the caller's operation, allowing an operator in Operation A to retrieve the full C2 profile configuration of Operation B by supplying a known UUID. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 6.0 reflects high complexity due to the prerequisite of obtaining a cross-operation UUID.

Authentication Bypass Mythic
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-13569 LOW POC Monitor

SQL injection in EyouCMS up to version 1.7.1 allows remote authenticated attackers with high privileges to manipulate database queries via the click_like argument in the /index.php API component. The CVSS 4.0 score is 2.0, heavily discounted by the PR:H requirement, yet confidentiality, integrity, and availability impacts are all rated Low. A public proof-of-concept exists via a GitHub issue report; the vendor has not acknowledged or patched the vulnerability. No active exploitation has been confirmed (not listed in CISA KEV).

SQLi PHP Eyoucms
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-13574 LOW POC Monitor

Heap-based buffer overflow in LLVM llvm-project through version 22.1.6 allows a local low-privilege attacker to crash affected LLVM tooling by supplying a crafted bitcode file that triggers an out-of-bounds heap write in the GCRelocateInst::getBasePtr function within the Bitcode File Handler component. The LLVM project was notified via a GitHub issue report but has not yet responded or released a patch. A proof-of-concept exploit has been publicly disclosed, and no active exploitation is confirmed in CISA KEV.

Heap Overflow Buffer Overflow Llvm Project
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-13573 LOW POC Monitor

Stack-based buffer overflow in LLVM's ValueSymbolTable module (llvm-project versions up to 22.1.6) allows a local, low-privileged attacker to crash the LLVM process by triggering a malformed invocation of llvm::StringMap::insert in /lib/IR/ValueSymbolTable.cpp, resulting in limited availability impact only - no confidentiality or integrity compromise is indicated by the CVSS 4.0 vector. A proof-of-concept exploit has been publicly released, lowering the barrier to triggering the crash in affected developer or CI/CD environments. No active exploitation has been confirmed by CISA KEV, and the LLVM project had not issued a patch or public response as of disclosure.

Buffer Overflow Stack Overflow Llvm Project
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-13523 LOW POC PATCH Monitor

Unbounded zlib decompression in GPAC up to version 26.02.0 allows a local low-privileged attacker to cause resource exhaustion via a crafted highly-compressed (zip-bomb) payload processed by the ISOBMFF parser and associated filter modules. The affected function `gf_gz_decompress_payload_ex()` in `src/utils/base_encoding.c` applies no ceiling on inflated output size, enabling disproportionate memory or CPU consumption. A public proof-of-concept exists (GitHub issue #3588), but no active exploitation is confirmed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the local-only attack surface and limited availability-only impact.

Information Disclosure Gpac
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-13742 MEDIUM This Month

Honeywell IQ MultiAccess physical access control software, all versions through V28, improperly verifies digital signatures on downloaded files due to a time-of-check/time-of-use (TOCTOU) race condition, allowing a local low-privileged attacker to replace a legitimately verified file with a malicious one in the window between signature check and file consumption. Successful exploitation yields high integrity and availability impact on the vulnerable system, as the replaced file may execute attacker-controlled code or corrupt system components. No public exploit identified at time of analysis; Honeywell has released patches V27 SP1 and V28 SP1.

Honeywell Information Disclosure Iq Multiaccess
NVD
CVSS 4.0
5.9
EPSS
0.1%
CVE-2026-13568 MEDIUM This Month

Privilege escalation via role parameter manipulation in SourceCodester Inventory Management System 1.0 allows unauthenticated remote attackers to self-assign elevated roles during user registration. The vulnerability resides in /api/users_handler.php, where the application fails to enforce server-side restrictions on the role argument at the User Registration Endpoint, enabling account creation with admin-level privileges. A public proof-of-concept exploit is available, lowering the skill bar for abuse against any exposed instance; no CISA KEV listing exists, so confirmed active exploitation in the wild has not been established.

Authentication Bypass PHP Inventory Management System
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-43722 MEDIUM PATCH This Month

Kernel state disclosure in Apple iOS, iPadOS, and macOS Tahoe allows a locally installed app to leak sensitive kernel memory through insufficiently sanitized input. All versions prior to iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2 are affected. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.19% (9th percentile), indicating minimal current threat actor interest despite the kernel-level information exposure.

Apple Information Disclosure Ios And Ipados
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy