Skip to main content
CVE-2026-53325 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's AMD64 AGP driver crashes systems running in virtualized environments without physical AMD northbridge hardware. Broken error propagation in `agp_amd64_probe()` - comparing `cache_nbs()` return value against exactly `-1` rather than `< 0` - masks the `-ENODEV` error code, allowing the driver to proceed with initialization, ultimately causing a General Protection Fault in `amd64_fetch_size()` when `node_to_amd_nb(0)` returns NULL. No public exploit has been identified at time of analysis, EPSS is 0.18% (7th percentile), and impact is confined to local denial of service via kernel crash; patches are confirmed available across multiple stable branches.

Linux Amd Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-10648 MEDIUM PATCH This Month

Denial of service in Zephyr RTOS v4.4.0 allows an attacker with access to a serial, UART, or shell-console interface to crash an affected embedded device by exhausting the MCUmgr shared buffer pool and triggering a NULL pointer dereference. The defect in mcumgr_serial_process_frag() (CWE-476) was introduced during the MCUmgr rework and manifests in default builds where assertion checks are compiled out, making the write-through-NULL a hard fault rather than a caught assertion. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but exploitation is straightforward for any attacker with interface access.

Denial Of Service Null Pointer Dereference Zephyr
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-13750 MEDIUM PATCH This Month

Snowflake CLI versions prior to 3.19 write plaintext credentials - including passwords, authentication tokens, and private key material - to persistent local debug log files due to CWE-532 (Insertion of Sensitive Information into Log File). Any local user account with read access to the affected user's log directory can harvest these credentials without needing application-level privileges. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the confidentiality impact is rated high given that full credential material may be exposed.

Information Disclosure Snowflake Cli
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-13559 MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the `ID` parameter of `/single-list_sale.php?action=add` to remote, unauthenticated query manipulation, enabling attackers to read or modify database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or special conditions are required to reach the endpoint, and the E:P modifier confirms publicly available exploit code referenced via a GitHub CVE disclosure. No patch has been issued; this is not currently listed in CISA KEV, indicating no confirmed mass exploitation at time of analysis.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13555 MEDIUM This Month

SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin user-management endpoint to remote database manipulation via the unsanitized Name parameter in /admin/mod_users/controller.php?action=add. The CVSS 4.0 vector assigns no privilege requirement (PR:N) and low complexity (AC:L), though the admin-panel path raises a discrepancy worth verifying - the endpoint may be accessible without authentication if the application does not enforce session controls on admin routes. A public proof-of-concept exploit exists (E:P in the CVSS 4.0 supplemental data), elevating immediate risk despite the absence of a CISA KEV listing.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13553 MEDIUM This Month

Unrestricted file upload in itsourcecode Online Hotel Management System 1.0 allows remote attackers to upload arbitrary files - including PHP webshells - via the `image` parameter of `/admin/mod_amenities/controller.php?action=add`. The CVSS 4.0 vector assigns PR:N (no privileges required), corroborated by the 'Authentication Bypass' tag, indicating the admin-facing endpoint is reachable without credentials. A published proof-of-concept exploit exists; no patch has been identified at time of analysis.

Authentication Bypass File Upload PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-13552 MEDIUM This Month

SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin amenities controller to remote database manipulation via the unsanitized amen_id parameter at /admin/mod_amenities/controller.php?action=edit. A publicly available proof-of-concept exploit has been confirmed (CVSS 4.0 E:P modifier; VulDB submission 843569; GitHub issue Hh-176/CVE#3), enabling unauthenticated or low-privileged remote attackers to read, modify, or corrupt hotel management database records. No vendor patch has been identified at time of analysis.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13746 MEDIUM PATCH This Month

Snowflake CLI versions prior to 3.19 permit self-injection SQL execution through improper neutralization of local CLI parameters in Cortex SQL and object listing command paths, where crafted argument values cause the tool to construct and execute unintended SQL within the authenticated user's existing Snowflake session. Exploitation is structurally constrained to self-injection - the attacker must themselves supply the malicious values via local CLI arguments, and impact cannot exceed the privileges already held by the current session context. No public exploit code has been identified and no active exploitation is confirmed; the vendor-assigned CVSS score of 3.6 (Low) accurately reflects the narrow attack surface and bounded impact.

SQLi Snowflake Cli
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-57953 MEDIUM PATCH This Month

Authorization bypass in Mythic C2 framework before 3.4.0.60 allows authenticated spectator-role users to perform write operations against the eventing_import_automatic_webhook endpoint, which is incorrectly registered under spectator-permitted middleware. Spectator accounts - intended to be read-only observers of red team operations - can exploit this misconfiguration to create and delete automation workflows and EventGroups, effectively escalating their privilege within an active operation. No public exploit code has been identified and no CISA KEV listing exists; a vendor-released patch is available in v3.4.0.60.

Authentication Bypass Mythic
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-43704 MEDIUM PATCH This Month

Use-after-free memory corruption in Apple Safari (and the broader iOS/iPadOS/macOS Tahoe platform) allows a malicious web extension to trigger an unexpected process crash, resulting in a denial-of-service condition. Affected versions span all Safari, iOS/iPadOS, and macOS Tahoe releases prior to 26.5.2, with Apple-confirmed fixes available across all three platforms. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; the high attack complexity and requirement for a pre-installed malicious extension meaningfully constrain real-world risk.

Memory Corruption Apple Denial Of Service Use After Free Ios And Ipados
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-13534 LOW POC PATCH Monitor

Authorization bypass in CherryHQ Cherry Studio up to version 1.9.7 allows authenticated remote attackers to cross user/agent memory isolation boundaries by manipulating memory content to produce SHA-256 hash collisions in the MemoryService deduplication logic. The vulnerable CherryIN Preload API component computed memory hashes solely from content, without scoping them to userId or agentId, enabling crafted inputs to match records belonging to other users. A public exploit exists per GitHub issue #15411, and a vendor patch is available via PR #15413; the vendor notes the memory feature is slated for removal in v2.

Authentication Bypass Cherry Studio
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-57945 MEDIUM PATCH This Month

{uid} API endpoint allows any authenticated non-admin user to overwrite another user's profile information by substituting an arbitrary user identifier in the request path. Affected are all PhotoPrism deployments running versions prior to 260601-a7d098548 that host multiple user accounts. No active exploitation has been confirmed by CISA KEV and no public exploit code is known at time of analysis, though the attack requires only a valid low-privileged session and knowledge of a target user's UID.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-57954 MEDIUM This Month

Sort-expression permission bypass in Yahoo Elide through 7.1.17 allows authenticated network attackers to leak relative values of @ReadPermission-protected fields by sorting API collections on forbidden field names. The flaw exists in SortingImpl.getValidSortingRules, which accepts client-controlled sort keys without verifying the caller's read authorization, exposing a classic side-channel across both JSON:API and GraphQL read endpoints. No public exploit code has been identified and no CISA KEV listing exists, but the attack is low-complexity for any authenticated user on an affected deployment.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-13595 MEDIUM PATCH This Month

Heap use-after-free read in libblkid (util-linux) enables unauthenticated local attackers to crash udisks or leak root-process heap data by presenting a crafted block device image during nested partition probing. BSD, Minix, Solaris x86, and UnixWare partition table parsers cache raw pointers into a dynamically allocated partition array; when subsequent partition additions trigger array reallocation, those pointers become stale and dereference freed memory. Because udev and udisks invoke libblkid automatically as root on block-device hot-plug events, USB insertion alone is sufficient to trigger the flaw without any user interaction or authentication. No public exploit identified at time of analysis.

Memory Corruption Denial Of Service Use After Free Information Disclosure Red Hat Enterprise Linux 10 +7
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-10647 MEDIUM PATCH This Month

USB CDC-NCM network driver in Zephyr RTOS through v4.4.0 permanently deadlocks the shared network egress thread when a USB bus suspend coincides with outbound device traffic, requiring a reboot to recover. The defect in `cdc_ncm_send()` ignores the return value of `usbd_ep_enqueue()` and unconditionally blocks on a completion semaphore that only the (never-fired) bulk-IN ISR can signal - halting not just CDC-NCM traffic but all egress on other interfaces sharing the TX thread. No public exploit code or active exploitation has been identified; the trigger is routine USB host power management, making this an availability risk for any embedded Zephyr device using USB virtual Ethernet.

Buffer Overflow Information Disclosure Zephyr
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-54889 MEDIUM PATCH This Month

Cross-site scripting in MDEx (Elixir Markdown library by leandrocp), versions 0.8.3 through 0.13.1, allows any attacker who can supply Markdown content to inject javascript: URLs that execute in the browser of any user who views the downstream-rendered output. The MDEx to_delta/2 function copies link, wikilink, and image URLs verbatim into Quill Delta attributes without a scheme allowlist, meaning a crafted payload like [click](javascript:alert(document.cookie)) survives intact; when a downstream renderer such as quill-delta-to-html converts that Delta to HTML, the javascript: scheme becomes an executable href. No public exploit has been identified at time of analysis, though the attack requires only standard Markdown syntax, and a vendor-released patch is available in version 0.13.2.

XSS Mdex
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-57965 MEDIUM This Month

Integer overflow in spice-vdagent's message parsing allows a malicious or compromised SPICE host to crash the guest VM's vdagent daemon by delivering a specially crafted message that triggers a downstream heap buffer overflow. Affected deployments span spice-vdagent as packaged in Red Hat Enterprise Linux 6 through 10, where the daemon runs inside guests handling host-to-guest SPICE protocol communications. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is structurally constrained by the requirement that the attacking SPICE host itself be untrusted or already compromised prior to the attack.

Integer Overflow Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
5.1
EPSS
0.1%
CVE-2026-57958 MEDIUM This Month

Reflected XSS in Mixpost through version 2.6.0 enables unauthenticated remote attackers to execute arbitrary JavaScript in authenticated users' browsers by delivering crafted OAuth callback URLs containing malicious error query parameters. The OAuth callback controller fails to sanitize error parameters before routing them through Laravel flash messages, which are then rendered by Vue's v-html directive without HTML escaping - creating a direct injection path into the DOM. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and zero-privilege requirement make delivery straightforward once a victim is identified.

XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-43743 MEDIUM PATCH This Month

Race condition in Apple iOS, iPadOS, and macOS Tahoe allows a locally-running app with standard privileges to trigger unexpected system termination. Rooted in improper state handling during concurrent operations (CWE-362), exploitation is constrained by high attack complexity due to the timing-dependent nature of race conditions. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Apple Race Condition Information Disclosure Ios And Ipados
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-57966 MEDIUM This Month

Path traversal in spice-vdagent enables a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system during file transfer operations. Affecting Red Hat Enterprise Linux versions 6 through 10, the flaw stems from unsanitized filenames supplied by the SPICE host before use by the vdagent process, allowing writes at the privilege level of the logged-in guest user. No public exploit is identified at time of analysis, and exploitation requires prior control of the SPICE host - a high-privilege precondition that substantially constrains realistic risk despite the high integrity impact.

Path Traversal Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-43708 MEDIUM PATCH This Month

Cross-origin data exfiltration in Apple Safari, iOS/iPadOS, and macOS Tahoe (all versions prior to 26.5.2) allows a malicious website to read data belonging to a different origin due to insufficient input validation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-delivered without authentication, requiring only that the victim visits an attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis, and vendor-released patches are available for all affected platforms.

Apple Information Disclosure Ios And Ipados
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57676 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in the Simple User Avatar WordPress plugin through version 4.9 allows authenticated low-privileged users to bypass authorization controls and access avatar-related resources belonging to other users by manipulating user-controlled object keys. The root cause (CWE-639) is the plugin's failure to verify that the requesting user owns or is authorized to access the referenced object. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV, though the low complexity and low privilege requirement (PR:L, AC:L per CVSS) mean any registered WordPress user on an affected site could trivially exploit it.

Authentication Bypass Simple User Avatar
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-56457 MEDIUM This Month

HCL DevOps Deploy and HCL Launch expose sensitive information in pipeline step output logs, enabling any low-privileged authenticated user with log access to read plaintext sensitive values - such as credentials, API tokens, or configuration secrets - that should be masked or redacted. All versions are potentially affected per the CPE wildcard, and the network-accessible nature (AV:N/PR:L) makes this a meaningful insider threat and lateral movement risk in enterprise CI/CD environments. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

Information Disclosure Hcl Devops Deploy Hcl Launch
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-55276 CRITICAL PATCH Act Now

Incomplete security-constraint logging in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, 11.0.0-M1-11.0.22) omits special roles and empty authorization constraints when the effective web.xml is written to the log, giving administrators an inaccurate view of the deployed access-control configuration. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and CISA SSVC marks exploitation status as none, despite the inflated 9.1 CVSS published by Apache. The practical effect is misleading audit/diagnostic output rather than direct attacker compromise.

Information Disclosure Tomcat Apache Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53434 CRITICAL Act Now

Improper handling of a Certificate Revocation List (CRL) error condition in Apache Tomcat's FFM-based (Foreign Function & Memory / OpenSSL) connector allows revoked client certificates to be accepted during mutual TLS authentication, defeating revocation checking. The flaw affects Tomcat 9.0.83-9.0.118, 10.1.0-M7-10.1.55, and 11.0.0-M1-11.0.22 when a CRL is configured on the FFM connector, letting an attacker holding a revoked-but-otherwise-valid client certificate reach protected resources. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, though the CVSS base score is 9.1 (CWE-390).

Information Disclosure Tomcat Apache Apache Tomcat
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53404 HIGH PATCH This Week

Access-control bypass in Apache Tomcat's RewriteValve (versions 8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, and 11.0.0-M1-11.0.22) arises because once the first condition in an OR (`[OR]`) chain matched, subsequent non-OR conditions were never evaluated. Where operators rely on chained rewrite conditions to gate or restrict requests, an attacker can satisfy only the first condition and have later guard conditions silently skipped, leading to information disclosure or unintended request routing. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Apache has released fixes in 11.0.23, 10.1.56, and 9.0.119.

Information Disclosure Tomcat Apache Apache Tomcat
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-13758 LOW PATCH Monitor

Non-constant-time AEAD authentication tag comparison in CryptX before 0.088_001 for Perl exposes a timing oracle in the streaming decrypt_done path, enabling authentication tag forgery across five AEAD cipher modes: GCM, CCM, ChaCha20Poly1305, EAX, and OCB. An attacker who can submit many candidate tags for a fixed nonce and ciphertext while precisely measuring response timing can recover the expected tag byte-by-byte and forge authenticated messages. No public exploit code exists and CISA has not listed this in KEV; EPSS is 0.23% (13th percentile), consistent with SSVC's 'Exploitation: none' rating at time of disclosure.

Oracle Information Disclosure Cryptx
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.2%
CVE-2025-0824 LOW Monitor

Firmware update signature bypass in Hitachi Virtual Storage Platform One Block models 23, 24, 26, and 28 allows an authenticated remote attacker to supply unvalidated firmware packages, potentially compromising storage array integrity and availability. The root cause is CWE-347 (Improper Verification of Cryptographic Signature), and the 'Jwt Attack' tag suggests the firmware validation chain relies on a JWT-based signing mechanism that can be circumvented under specific conditions. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the self-disclosure by Hitachi with a coordinated patch release indicates vendor-confirmed severity.

Jwt Attack Information Disclosure Hitachi Virtual Storage Platform One Block 23 24 26 28
NVD VulDB
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-57957 LOW Monitor

CORS misconfiguration in Papermark through version 0.22.0 enables unauthenticated remote attackers to silently perform credentialed cross-origin file uploads into authenticated victims' datarooms and read credentialed server responses. The TUS-based viewer upload endpoint reflects arbitrary caller Origins while returning Access-Control-Allow-Credentials: true, violating the fundamental CORS security contract and allowing any attacker-controlled webpage to abuse a victim's active session. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; exploitation is constrained by the requirement for victim user interaction.

Cors Misconfiguration Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-13560 LOW Monitor

OS command injection in Edimax EW-7478APC 1.04 allows a remote low-privileged attacker to execute arbitrary operating system commands by manipulating the submit-url parameter in POST requests to the /goform/formAccept endpoint. The vendor was notified prior to public disclosure but did not respond, leaving the vulnerability unpatched. A public proof-of-concept exploit has been disclosed, and the CVSS 4.0 impact metrics (VC:L/VI:L/VA:L) appear to significantly understate the realistic impact of OS command injection on an embedded network device, which typically yields full system control.

Command Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
1.2%
CVE-2026-53427 LOW PATCH Monitor

Stored and reflected cross-site scripting in MDEx's Lumis syntax highlighting adapter allows attackers who can submit Markdown content to inject arbitrary HTML and JavaScript into rendered output viewed by other users, enabling session theft and account takeover. The flaw exists in the native Rust code shared between the mdex (0.11.3-0.12.2) and mdex_native (0.1.0-0.2.2) packages, where the highlight_lines_class code-fence attribute is interpolated into per-line HTML div class attributes without escaping. Exploitation requires a non-default rendering configuration (full_info_string: true with syntax highlighting enabled); no public exploit identified at time of analysis, and vendor-released patches are available.

XSS Mdex Mdex Native
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.4%
CVE-2026-13556 LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 allows remote attackers to inject malicious JavaScript via the Name argument in a POST request to /admin/mod_users/controller.php?action=edit. The vulnerability requires a victim to interact with the crafted content (CVSS 4.0 UI:P), limiting its reach but not eliminating risk against administrative users. A publicly disclosed proof-of-concept exploit exists per VulDB submission 843586, though no public exploit identified at time of analysis in CISA KEV.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-13554 LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 enables remote attackers to inject arbitrary JavaScript via the Name parameter in the amenities management POST handler at /admin/mod_amenities/controller.php?action=add. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P) confirms no authentication or special attack conditions are required to submit the payload, but passive user interaction - an admin browsing the amenities panel - is needed to trigger execution. A proof-of-concept exploit has been publicly disclosed via GitHub (VulDB submission 843584), though no active exploitation has been confirmed by CISA KEV.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-13522 LOW Monitor

Out-of-bounds read in Investintech SlimPDFReader through version 2.0.14 exposes users to application crashes when processing maliciously crafted PDF files, exploitable remotely with passive user interaction. The vulnerable function `SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0` within `SlimPDFReader.exe` fails to validate buffer boundaries during PDF parsing, resulting in a low-severity availability impact (application crash/DoS) with no confirmed confidentiality or integrity effect despite the 'Information Disclosure' tag in source metadata. No public exploit identified at time of analysis beyond the CVSS 4.0 E:P maturity indicator, and no patch will ever be released as the product is confirmed end-of-life.

Buffer Overflow Information Disclosure Slimpdfreader
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-13561 LOW Monitor

OS command injection in the Edimax EW-7478APC wireless access point (firmware 1.04) allows remote attackers with low-privilege credentials to execute arbitrary operating system commands by manipulating the rootAPmac parameter in a POST request to /goform/formiNICbasic. A public proof-of-concept exploit is available, materially lowering the barrier to exploitation. The vendor did not respond to coordinated disclosure, leaving no official patch path for affected devices.

Command Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
1.2%
CVE-2026-13557 LOW Monitor

Cross-site scripting in itsourcecode Online Hotel Management System 1.0 allows remote attackers to inject arbitrary JavaScript via the unsanitized `Name` parameter in POST requests to `/admin/mod_room/controller.php?action=add`. The CVSS 4.0 base score of 2.1 reflects constrained real-world impact: only vulnerable-system integrity is affected (VI:L), user interaction is required (UI:P), and no confidentiality or availability impact is assessed. A publicly available exploit exists (E:P per CVSS 4.0 supplemental vector), but no active exploitation has been confirmed via CISA KEV, consistent with the niche deployment footprint of this free PHP educational project.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-41991 LOW PATCH Monitor

Arbitrary file overwrite in GNU gzip's gzexe utility allows a local attacker to corrupt victim-accessible files via a symlink attack exploiting predictable temporary filename construction. When mktemp is absent from the user's PATH, gzexe falls back to PID-based temp file naming without exclusive creation or existence checks, enabling a TOCTOU race where a pre-planted symlink redirects the write to an attacker-chosen target. No public exploit or CISA KEV listing exists at time of analysis; impact is limited to low-integrity file overwrite with a CVSS 4.0 score of 2.0.

Information Disclosure Gzip
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-13570 LOW Monitor

Stored cross-site scripting in SourceCodester Inventory Management System 1.0 allows a low-privileged remote attacker to inject arbitrary JavaScript via the `full_name` parameter of the User Registration Endpoint at `/api/users_handler.php`. When a privileged user such as an administrator subsequently views the stored user data, the malicious script executes in their browser context, enabling session hijacking, credential theft, or UI redress. Public exploit code exists per VulDB (E:P in CVSS 4.0 vector); however, this vulnerability is not listed in CISA KEV and carries a low CVSS 4.0 base score of 2.0, indicating limited real-world severity.

XSS PHP Inventory Management System
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-13558 LOW Monitor

Stored cross-site scripting in CodeAstro Complaint Management System 1.0 allows a low-privileged authenticated user to inject persistent malicious scripts via the Report Title field at the /report/addreport endpoint, which then execute in the context of any administrator who views the submitted report. The GitHub-published proof-of-concept confirms the payload is stored and surfaces in the admin panel, enabling session hijacking or admin-context actions without further attacker interaction after initial submission. A public exploit has been released; however, no active exploitation has been confirmed by CISA KEV.

XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.3%
CVE-2026-11979 LOW PATCH Monitor

Stack-based buffer overflows in libxml2's xmlcatalog utility enable memory corruption and potential arbitrary code execution when the tool is invoked in its interactive --shell mode. The usershell() function writes user-supplied input into fixed-size stack buffers (command, arg, argv) without any length validation, allowing overflow of adjacent stack memory including return addresses. Real-world risk is very low: exploitation requires local access, deliberate user invocation of a non-default shell mode, and an attack precondition - reflected in the CVSS 4.0 score of 1.8 - with no public exploit or active exploitation identified. Notably, libxml2 maintainers disputed the security classification, treating this as a bug rather than a vulnerability.

Buffer Overflow Stack Overflow RCE Libxml2
NVD VulDB
CVSS 4.0
1.8
EPSS
0.2%
CVE-2026-13513 LOW Monitor

Insufficient data authenticity verification in MyScaleDB's vector index cache key function allows authenticated remote users to obtain stale or inconsistent vector search results following mutation operations on indexed columns. Versions through 1.8.0 are affected. A proof-of-concept exploit is publicly available (CVSS 4.0 E:P), though the very low base score of 1.3, high attack complexity, and required authenticated access substantially constrain real-world exploitation impact. No confirmed active exploitation exists - this is not on the CISA KEV list.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.1%
CVE-2026-13591 LOW Monitor

Improper authorization in DeepMyst Mysti 0.4.0 permits authenticated remote attackers to bypass access controls in the Contact Tracking component by supplying a manipulated `_channelType` argument to the `_isTrackedConversation` function in `src/managers/ChannelBridge.ts`. The CVSS 4.0 score of 1.3 reflects genuine low severity - all CIA impacts are rated Low and no subsequent system scope is affected. Publicly available exploit code exists (CVSS E:P confirmed), but no active exploitation has been confirmed by CISA KEV, and high attack complexity (AC:H) with required authenticated access (PR:L) substantially limits opportunistic abuse.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-13514 LOW Monitor

Chess Play and Learn (chess.com) Android app versions up to 4.9.42 expose application backup files to unauthorized parties through a misconfiguration in AndroidManifest.xml that enables Android's backup mechanism without adequate authorization controls. Physical access to the target device is required to exploit this issue. A public proof-of-concept is available, exploitation probability is very low given the physical access requirement, and the vendor has acknowledged the issue while noting it falls outside their bug bounty scope.

Authentication Bypass Google
NVD GitHub VulDB
CVSS 4.0
0.9
EPSS
0.1%
CVE-2026-48717 MEDIUM PATCH GHSA This Month

PKCE bypass in OpenAM Community Edition through 16.0.6 allows an attacker who intercepts an OAuth2 authorization code to exchange it for tokens without supplying the required code_verifier. The token endpoint only enforces PKCE verification when the realm-wide codeVerifierEnforced setting is explicitly enabled - a setting that ships disabled by default - meaning omitting the code_verifier parameter silently skips the challenge check entirely. No public exploit has been identified at time of analysis, and a patch is available in version 16.1.1.

Authentication Bypass Microsoft
NVD GitHub
CVE-2026-47426 HIGH PATCH GHSA This Week

Cross-client token impersonation in OpenAM Community Edition (Open Identity Platform fork) through 16.0.6 allows any registered OAuth2 client to forge private_key_jwt client assertions and mint access tokens in the name of any other client that publishes its keys via a jwks_uri, with no knowledge of the victim's signing key. The flaw, rooted in improper authentication (CWE-287) in the OAuth2 token endpoint, lets an attacker holding any client registration impersonate other clients across every realm hosted by the OpenAM process. There is no public exploit identified at time of analysis, no CVSS or EPSS data was supplied, and the issue is not listed in CISA KEV; it was fixed in version 16.1.1.

Authentication Bypass
NVD GitHub
CVE-2026-47424 HIGH PATCH GHSA This Week

Authenticated remote code execution in Open Identity Platform OpenAM Community Edition through 16.0.6 lets any user able to author or edit server-side scripts escape the scripting sandbox and run OS commands as the OpenAM application-server account. Because the sandbox's default class allow/deny lists fail to contain script execution, a sub-realm RealmAdmin can pivot from realm-scoped administration to full JVM/host compromise, affecting every realm the process serves. No public exploit has been identified at time of analysis, and the issue is fixed in 16.1.1.

RCE
NVD GitHub
Prev Page 5 of 5

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy