Skip to main content
CVE-2026-48282 CRITICAL POC KEV THREAT Emergency

Path traversal in Adobe ColdFusion 2025.9, 2023.20 and earlier enables remote, unauthenticated attackers to write or access files outside intended directories and achieve arbitrary code execution in the context of the current user. Rated CVSS 10.0 with a changed scope and no user interaction required, this is among the most severe ColdFusion flaws possible. No public exploit identified at time of analysis, but the impact and trivial attack complexity make it a top patching priority.

Path Traversal RCE Coldfusion
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
1.0%
Threat
5.0
CVE-2026-8451 HIGH POC PATCH NEWS This Week

Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the appliance is configured as a SAML identity provider (IDP), enabling disclosure of sensitive in-memory data such as tokens, session material, or other process memory. The CVSS 4.0 score of 8.8 reflects network-reachable, unauthenticated exploitation (PR:N) with high confidentiality and availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The flaw belongs to the same class of NetScaler appliance vulnerabilities (e.g., Citrix Bleed-style memory disclosure) that have historically drawn aggressive exploitation, making prompt patching advisable.

Citrix Information Disclosure Buffer Overflow Netscaler Application Delivery Controller Netscaler Gateway
NVD VulDB GitHub
CVSS 4.0
8.8
EPSS
0.5%
CVE-2026-48313 CRITICAL POC Act Now

Path traversal in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets remote attackers (PR:N) read arbitrary files outside the intended web scope and perform limited writes, with no user interaction required. The scope-change (S:C) and high confidentiality impact drive a 9.3 critical rating, meaning a successful read can expose secrets - configuration, credentials, and source - that compromise components beyond ColdFusion itself. No public exploit is identified at time of analysis and the issue is not in CISA KEV, but ColdFusion's history of weaponized path-traversal and file-disclosure bugs makes prompt patching prudent.

Path Traversal Coldfusion
NVD VulDB
CVSS 3.1
9.3
EPSS
0.5%
CVE-2026-58172 CRITICAL POC PATCH Act Now

IP-based access control bypass in ThreeMammals Ocelot (a .NET API Gateway) through 24.1.0 lets denied or non-allowlisted clients reach protected downstream services by sending a WebSocket upgrade request instead of a plain HTTP request. The WebSocket pipeline branch, split off via MapWhen in OcelotPipelineExtensions.cs, never invokes SecurityMiddleware, so the configured IPAllowedList/IPBlockedList is silently skipped for upgrade traffic. Publicly available exploit code exists (VulnCheck advisory plus a reproducer in PR #2406), though there is no public exploit identified as actively exploited at time of analysis.

Authentication Bypass Ocelot
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-58166 HIGH POC PATCH This Week

Arbitrary file write and delete in OpenBMB ChatDev through 2.2.0 lets unauthenticated remote attackers control destination paths on the server by abusing the multipart filename in the upload session endpoint. Because save_upload_file joins the attacker-supplied filename onto the temp directory without sanitization, a traversal or absolute-path filename redirects both the write and the subsequent cleanup unlink to arbitrary host locations. Publicly available exploit code exists and a vendor fix is available (commit 4fd4da6); there is no public exploit identified as actively exploited in CISA KEV at time of analysis.

Path Traversal File Upload Chatdev
NVD GitHub
CVSS 4.0
8.8
EPSS
0.6%
CVE-2026-11589 HIGH POC This Week

Stored cross-site scripting in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets unauthenticated attackers upload files containing malicious JavaScript - such as HTML or SVG payloads - to a publicly accessible location, where the script executes in the browsers of site users and administrators who view it. The flaw stems from missing validation of uploaded file types/content. Publicly available exploit code exists (reported by WPScan), though it is not listed in CISA KEV and no EPSS score was provided.

WordPress XSS Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-58375 HIGH POC This Week

Unauthenticated report data exfiltration in JimuReport (JeecgBoot) through version 2.5.0 lets remote attackers export the full contents of any report via the POST /jmreport/auto/export endpoint. Because the handler carries the @JimuNoLoginRequired annotation, JimuReportTokenInterceptor skips all authentication and the export service never checks the auto-export configuration flag, so any guessed report id is rendered and streamed back. Publicly available exploit code exists; the disclosure comes from VulnCheck and the CVSS 4.0 base score is 8.7 (High), driven by high confidentiality impact with no privileges or user interaction required.

Authentication Bypass Jimureport
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-58165 HIGH POC PATCH This Week

Privilege escalation in OpenZiti through 2.0.0 lets an authenticated non-admin identity that holds fine-grained enrollment-management permissions mint an enrollment for any identity - including the built-in default administrator - and then redeem the resulting one-time token via the unauthenticated client enrollment API to receive a client certificate that authenticates as that admin, granting full control of the controller and the entire zero-trust overlay. The root cause is a missing authorization check (CWE-862) in the enrollment creation path. Publicly available exploit details exist (reported by VulnCheck, GitHub issue #4010) and a vendor fix is available; no public exploit identified as actively used at time of analysis.

Authentication Bypass Privilege Escalation Ziti
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-58377 HIGH POC This Week

Broken access control in JeecgBoot through 3.9.2 lets authenticated low-privilege users reach the OpenApiAuthController and OpenApiPermissionController endpoints, which are missing Shiro authorization annotations, to fully manage OpenAPI AK/SK credentials. Because the list endpoint returns secret keys in plaintext, any logged-in user can harvest every Access Key/Secret Key pair and then create, modify, or delete them, enabling credential theft and unauthorized invocation of the OpenAPI surface. Publicly available exploit code exists and the issue was reported by VulnCheck, though it is not listed in CISA KEV.

Authentication Bypass Jeecgboot
NVD GitHub
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-11590 HIGH POC This Week

Unauthenticated SQL injection in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets remote attackers inject arbitrary SQL by abusing user-supplied array keys that are passed into a query without sanitization. Any unauthenticated visitor can extract sensitive database contents such as WordPress user records and password hashes. Publicly available exploit code exists, though EPSS rates exploitation probability low (0.18%, 7th percentile) and it is not on CISA KEV.

WordPress SQLi Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-56413 CRITICAL PATCH CISA Act Now

Unauthenticated remote code execution in StoneFly Storage Concentrator (SC) and its virtual appliance variant (SCVM) lets attackers run arbitrary commands as root by sending a crafted packet to the ms_service.pl listener on TCP port 9000. The flaw was reported through CISA ICS-CERT (advisory ICSA-26-181-06) and carries the maximum CVSS 4.0 base score of 10.0; no public exploit has been identified at time of analysis, but the combination of network reachability, zero authentication, and root-level impact makes this a top-priority issue for any exposed device.

Command Injection
NVD GitHub
CVSS 4.0
10.0
EPSS
3.1%
Threat
4.1
CVE-2026-56415 CRITICAL PATCH CISA Act Now

Unauthenticated remote command injection in StoneFly Storage Concentrator (SC) and its virtual appliance variant (SCVM) lets remote attackers run arbitrary OS commands as root by sending a crafted HTTP request to the debug.pl script, which processes attacker input without sanitization. Rated CVSS 4.0 10.0 and reported through CISA ICS-CERT (advisory ICSA-26-181-06); no public exploit identified at time of analysis. This is a complete-compromise primitive requiring no credentials or user interaction.

Command Injection
NVD GitHub
CVSS 4.0
10.0
EPSS
3.1%
Threat
4.1
CVE-2026-50003 CRITICAL CISA Emergency

Path traversal in OFFIS DCMTK (DICOM Toolkit) lets a malicious or compromised DICOM server write attacker-controlled files to arbitrary locations on a DCMTK client host whenever that client retrieves objects using bit-preserving C-GET storage mode. Because the client trusts server-supplied storage paths, both relative (../) and absolute paths escape the chosen output directory, enabling overwrite of client-side files and potential code execution. Reported via CISA ICS-CERT (medical advisory ICSMA-26-181-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Dcmtk Toolkit
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-58372 HIGH POC PATCH This Week

Cross-tenant object deletion in SeaweedFS before 4.34 lets an authenticated S3 principal holding write access to just one bucket destroy arbitrary objects in other tenants' buckets through the S3 gateway's DeleteMultipleObjectsHandler. By embedding ../ sequences in object keys inside the DeleteObjects XML request body, an attacker exploits a confused-deputy gap where path validation never inspected body keys. Publicly available exploit code exists (reported by VulnCheck) and a vendor patch shipped in release 4.34; the flaw is not listed in CISA KEV.

Path Traversal Seaweedfs
NVD GitHub
CVSS 4.0
7.2
EPSS
0.8%
CVE-2026-50110 CRITICAL PATCH CISA Act Now

Credential exposure in StoneFly Storage Concentrator (SC) and its virtual machine variant (SCVM) lets an attacker recover plaintext credentials for numerous internal services from a configuration file where they are stored using reversible encoding rather than encryption. The hardcoded accounts cover databases, licensing, replication, and third-party integrations, so recovering them grants pivoting access across multiple interconnected systems. Reported to NVD via CISA ICS-CERT (advisory ICSA-26-181-06); no public exploit identified at time of analysis and the vector is local (AV:L).

Authentication Bypass
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-55721 CRITICAL PATCH CISA Act Now

SQL injection in StoneFly Storage Concentrator (SC and SCVM) lets an unauthenticated remote attacker read sensitive database contents by injecting through the cookie value handled by the login.pl and debug.pl CGI scripts. Successful exploitation discloses session tokens, password hashes, and stored secret keys, enabling authentication bypass and broader compromise of the storage appliance. There is no public exploit identified at time of analysis, and the issue is tracked under CISA ICS advisory ICSA-26-181-06.

SQLi
NVD GitHub
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-58376 HIGH POC PATCH This Week

SQL injection in Dolibarr ERP/CRM through version 23.0.3 lets authenticated REST API users exfiltrate arbitrary database contents - including password hashes and API keys - by abusing the sqlfilters parameter on the setup dictionary and multicurrencies list endpoints. The flawed filter only checked for balanced parentheses and rewrote matched triplets, so an appended UNION SELECT placed outside the expected pattern was concatenated into the WHERE clause unmodified. Publicly available exploit code exists and a vendor fix has been committed; the issue is not listed in CISA KEV.

SQLi Information Disclosure PHP Dolibarr
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-58176 HIGH POC PATCH This Week

Broken function-level authorization in RuoYi-Vue-Plus through 5.6.2 allows any authenticated low-privileged user to manipulate workflow approval tasks - including reassigning pending approvals to arbitrary users, urging tasks, and enumerating all pending and completed tasks - by exploiting the absence of permission annotations on FlwTaskController endpoints under /workflow/task. This directly defeats segregation of duties in organizational approval chains, enabling a standard user to redirect approvals meant for specific roles and potentially approve transactions or actions they should never have authority over. A publicly available exploit is referenced in the project's GitHub issue tracker; no CISA KEV listing has been confirmed at time of analysis, suggesting targeted rather than widespread exploitation.

Authentication Bypass Ruoyi Vue Plus
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-58448 HIGH POC PATCH This Week

Information disclosure in the yudao-cloud BPM (business process management) module before 2026.06 lets any authenticated user read arbitrary workflow process-instance records by passing a caller-controlled process-instance ID to a GET endpoint that lacks the @PreAuthorize authorization check. Exposed data includes submitted form variables, approver identities, approval/rejection comments, and raw BPMN XML, with no ownership or tenant validation enforced. Publicly available exploit code exists and a vendor patch is available; the issue is not listed in CISA KEV.

Authentication Bypass Yudao Cloud
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-58447 HIGH POC PATCH This Week

Cross-user data tampering in Invidious through 2.20260626.0 lets any authenticated user permanently delete videos from playlists they do not own by submitting an arbitrary global video index to the playlist endpoint's remove_video action. The flaw is a broken object level authorization (BOLA) issue where per-video index values are harvested from the public playlist JSON API and replayed without an ownership check. Publicly available exploit code exists and a vendor fix has been released (commit 77ad416); there is no public exploit identified as being used in active attacks.

Authentication Bypass Invidious
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-58446 MEDIUM POC PATCH This Month

Authentication bypass in Presenton's bundled MCP server exposes server and Docker deployments to unauthenticated remote exploitation via the unprotected /mcp endpoint. When operators configure session authentication using AUTH_USERNAME/AUTH_PASSWORD, nginx enforces access control on all paths except /mcp, which is absent from the auth_request gate - and the MCP server compounds this by auto-minting valid internal session tokens for the configured user on any incoming request. An unauthenticated remote attacker can therefore invoke MCP tools such as generate_presentation as if fully authenticated, consuming the operator's LLM API keys and writing arbitrary presentations to the instance. A publicly available proof-of-concept exists; no active exploitation confirmed in CISA KEV.

Authentication Bypass Nginx Docker Presenton
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-52868 HIGH CISA Act Now

Path traversal in OFFIS DCMTK DICOM toolkit lets an unauthenticated network attacker read DICOM Modality Worklist records stored outside the intended per-Application-Entity (AE) directory. In multi-area or multi-tenant deployments this breaks departmental and clinic-level data separation, exposing patient scheduling and demographic data across boundaries; the issue was disclosed through CISA's ICS Medical advisory ICSMA-26-181-01 with no public exploit identified at time of analysis.

Path Traversal Dcmtk Toolkit
NVD GitHub
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-44628 HIGH CISA Act Now

Denial of service in OFFIS DCMTK's DICOM worklist server (wlmscpfs) allows a remote, unauthenticated attacker to crash the service with a single crafted DICOM query when the server is provisioned with a valid Called AE Title, a storage directory, the expected lockfile, and at least one matching worklist record. The flaw stems from a type-confusion condition (CWE-843) and carries a CVSS 4.0 base score of 8.7 driven entirely by high availability impact (VA:H). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, though it was reported through the ICS-CERT/ICSMA medical-advisory channel.

Memory Corruption Denial Of Service Dcmtk Toolkit
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-50254 HIGH CISA Act Now

Denial of service in OFFIS DCMTK's storescp DICOM receiver allows an unauthenticated remote attacker to exhaust process memory by repeatedly sending a single crafted connection request (CWE-401 memory leak), eventually crashing the service so it stops accepting connections until an operator manually restarts it. In the default single-process deployment mode the leak accumulates per connection and brings the listener down quickly. CVSS 4.0 scores this 8.7 (High), driven entirely by availability impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Dcmtk Toolkit
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-35505 HIGH CISA Act Now

Denial of service in OFFIS DCMTK DICOM toolkit allows an unauthenticated remote attacker to exhaust memory by repeatedly sending crafted connection requests, each of which leaks unfreed memory. In single-process deployments the leaked memory accumulates until the service process is killed by the OS and the listening port stops responding until a manual restart. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.7 (availability-only impact), reported through CISA ICS-CERT medical advisory ICSMA-26-181-01.

Information Disclosure Dcmtk Toolkit
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-13207 HIGH CISA Act Now

Authentication bypass in FUXA SCADA/HMI versions 1.3.1 and prior lets remote unauthenticated attackers reach protected REST API endpoints by inserting dot-segment sequences (e.g. /api/./users, /api/project/../users) that the router fails to normalize before applying its authentication middleware. Successful exploitation returns sensitive user and role data without any credentials. No public exploit identified at time of analysis, though the technique is trivially reproducible and the issue is documented in a CISA ICS advisory (ICSA-26-181-02).

Authentication Bypass Fuxa Scada Hmi
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-12578 HIGH CISA Act Now

Arbitrary code execution in Delta Electronics DTMSoft arises from unsafe deserialization of untrusted data during project file parsing (CWE-502), allowing an attacker who supplies a malicious DTMSoft project file to run code in the context of the user who opens it. The flaw is local and requires victim interaction (opening the crafted file) rather than remote network exploitation, and impacts confidentiality, integrity, and availability fully. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; no EPSS score was supplied.

Deserialization RCE Dtmsoft
NVD
CVSS 4.0
8.4
EPSS
0.4%
CVE-2026-48276 CRITICAL POC Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets a remote attacker upload a file of a dangerous type (e.g., a CFML/JSP payload) and execute it in the context of the current user, with no user interaction required. The CVSS 3.1 base score is the maximum 10.0 with a changed scope, reflecting that successful exploitation breaches the ColdFusion process boundary. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but ColdFusion's history of weaponized file-upload/RCE bugs makes this a high-priority patch.

RCE File Upload Coldfusion
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.9%
CVE-2026-48277 CRITICAL Act Now

Remote code execution in Adobe ColdFusion (versions 2025.9, 2023.20 and earlier) lets a remote attacker run arbitrary code in the context of the current user with no authentication and no user interaction, per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) scored 10.0 with a changed scope. The root cause is improper input validation (CWE-20). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE Coldfusion
NVD VulDB
CVSS 3.1
10.0
EPSS
0.9%
CVE-2026-48286 CRITICAL Act Now

Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9396 and earlier allows unauthenticated attackers to bypass authorization controls and run arbitrary code in the context of the current user. The flaw stems from an incorrect authorization check (CWE-863) reachable over the network with no user interaction, and the changed scope means impact can extend beyond the vulnerable component. It carries a maximum CVSS 10.0 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Adobe RCE Adobe Campaign Classic Acc
NVD
CVSS 3.1
10.0
EPSS
0.7%
CVE-2026-10134 CRITICAL Act Now

Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary Python via the flow `tool_code` mechanism, gaining full control of the Langflow process. Because the scope changes (S:C), the attacker can read every process secret, read and tamper with all flows, conversations, messages, uploads and saved components in the database, reach internal services and cloud metadata endpoints, and pivot across tenants on the same instance. This is a maximum-severity (CVSS 10.0) flaw, though no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Code Injection IBM File Upload RCE Langflow
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-13782 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop versions prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox and gain broader code execution on the host via a crafted HTML page. Chromium rates the underlying use-after-free as Critical, though there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%). A vendor patch is available and the flaw is a classic second-stage chain component rather than a standalone entry point.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-48281 CRITICAL Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and earlier lets a remote attacker run code in the context of the current user with no authentication and no user interaction. The flaw stems from improper input validation (CWE-20) and carries a maximum CVSS of 10.0 with a changed scope, meaning impact can extend beyond the vulnerable component. No public exploit identified at time of analysis, but ColdFusion's history of weaponized RCE bugs makes this a high-priority patch.

RCE Coldfusion
NVD VulDB
CVSS 3.1
10.0
EPSS
0.9%
CVE-2026-48283 CRITICAL Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases stems from an unrestricted dangerous-file-type upload (CWE-434) that lets a remote attacker drop and execute a malicious payload, such as a CFM/CFML webshell, in the context of the running ColdFusion user. Rated CVSS 10.0 with a changed scope, it requires no user interaction and, per the provided vector, no authentication. No public exploit identified at time of analysis, though ColdFusion's history of weaponized upload bugs makes this a high-priority patch.

RCE File Upload Coldfusion
NVD VulDB
CVSS 3.1
10.0
EPSS
0.6%
CVE-2026-10109 CRITICAL NEWS Act Now

Remote code execution in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 lets unauthenticated network attackers run arbitrary code by abusing improper handling of the pre-authentication DRDA handshake. Because the flaw is reachable before any login, any client able to reach the database listener can trigger it, and the CVSS 3.1 base score of 9.8 reflects full compromise of confidentiality, integrity, and availability. No public exploit is identified at time of analysis and the CVE is not listed in CISA KEV.

Code Injection IBM RCE Db2
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2026-7873 CRITICAL PATCH Act Now

Code injection in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets an authenticated user execute arbitrary operating-system commands and read sensitive files such as stored credentials, escalating from low-privileged application access to full host compromise. Rated CVSS 9.9 with a scope-changing vector, the flaw enables lateral movement once an attacker holds any valid Langflow account. No public exploit identified at time of analysis, but a vendor patch is available.

Code Injection IBM RCE Langflow Oss
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-13772 CRITICAL PATCH Act Now

Arbitrary constructor invocation (leading to code execution) in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 lets an authenticated remote attacker who can influence an application-built Object Query Language (OQL) query force the engine to resolve attacker-named classes via Class.forName() and instantiate them without any allow-list. Three distinct sinks are affected (SELECT NEW, enum literals, and reflection-based comparators), and a SELECT DISTINCT variant using planted grid values triggers the gadget post-readObject in a way that bypasses JEP-290 serialization filters across grid nodes. There is no public exploit identified at time of analysis and EPSS is low (0.27%), but the CVSS 9.9 scope-changing impact makes this a high-priority patch for exposed grid deployments.

IBM Information Disclosure Websphere Extreme Scale
NVD VulDB
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-11581 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject arbitrary JavaScript into form field captions, which execute in an administrator's browser session when the admin views the form-entries screen. A compounding missing capability check in the plugin's post-duplication action enables the same low-privilege attacker to publish the malicious form without administrator approval, removing the dependency on an admin independently discovering the unpublished form. A publicly available exploit (via WPScan) exists, and the plugin vendor has released a patch in version 2.4.13. No CISA KEV listing is present, indicating no confirmed mass exploitation at time of analysis.

WordPress Information Disclosure Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-9711 CRITICAL Act Now

Unauthenticated SQL injection in the EventON WordPress Virtual Event Calendar plugin (versions through 5.0.11) lets remote attackers inject arbitrary SQL through the 'search' parameter, enabling extraction of database contents such as user credentials and secrets. Exploitation is gated by the non-default 'Enable additional search queries' setting being enabled and the presence of at least one published event. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis.

WordPress SQLi Eventon Pro Wordpress Virtual Event Calendar Plugin
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-8452 HIGH PATCH NEWS This Week

Denial of service and memory corruption in Citrix NetScaler ADC and NetScaler Gateway allows remote unauthenticated attackers to trigger unpredictable or erroneous appliance behavior when the device is deployed as a Gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity exploitation with no authentication, and the high confidentiality impact suggests memory contents may be exposed alongside the DoS condition. There is no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Citrix Denial Of Service Buffer Overflow Netscaler Application Delivery Controller Netscaler Gateway
NVD VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-7871 CRITICAL PATCH Act Now

Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the backing Redis store inject a malicious serialized object that Langflow deserializes, yielding arbitrary code execution with full application privileges. Successful exploitation exposes all stored secrets, flow data, and the underlying host, effectively a complete compromise of the Langflow instance. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available per IBM advisory node 7278443.

Deserialization IBM Redis RCE Langflow Oss
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-8655 HIGH PATCH NEWS This Week

Denial of service in Citrix NetScaler ADC and NetScaler Gateway stems from multiple memory overflow conditions that produce unpredictable or erroneous behavior when the appliance is configured for specific DNS or load-balancing roles. Remote unauthenticated attackers can send crafted traffic to a vulnerable appliance to crash or destabilize it, with the CVSS 4.0 score of 8.8 driven primarily by high availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Citrix Oracle Denial Of Service Buffer Overflow Netscaler Application Delivery Controller +1
NVD VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-7803 CRITICAL PATCH Act Now

Arbitrary code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 allows remote attackers to run code on the host by submitting flow definitions containing nodes with missing or empty component type fields. The improper input validation (CWE-20) lets malformed node specifications bypass type checks and reach unsafe execution paths in the low-code AI workflow engine. The CVSS vector (AV:N/PR:N) indicates network-reachable, pre-authentication exploitation; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

IBM RCE Langflow Oss
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-11541 CRITICAL PATCH Act Now

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing.

Request Smuggling IBM Information Disclosure Websphere Application Server Websphere Application Server Liberty
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-12073 CRITICAL Act Now

Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a `user_login` value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. Reported by Wordfence with a 9.8 CVSS; no public exploit identified at time of analysis.

Authentication Bypass WordPress Privilege Escalation Profilegrid User Profiles Groups And Communities
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-37106 CRITICAL Act Now

Remote code execution is claimed in DokuWiki 2025-05-14b "Librarian" (build 56.2) via the register function in inc/auth.php, which security intelligence maps to CWE-640 (weak password-recovery mechanism) - a mismatch that suggests account-takeover-to-code-execution rather than a direct memory-corruption RCE. The CVSS 3.1 score of 9.8 (network, no authentication, no user interaction) implies any internet-facing DokuWiki instance is at risk, and publicly available exploit code exists (a public gist proof-of-concept plus SSVC 'poc' exploitation status), though EPSS remains low at 0.26% (17th percentile), indicating no observed mass exploitation yet. Reported by MITRE and tracked as ENISA EUVD-2026-40863, it is tagged PHP/RCE but is not listed in CISA KEV.

RCE PHP
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-13776 CRITICAL PATCH Act Now

Sandbox escape via type confusion in Google Chrome's Dawn WebGPU implementation allows an attacker who already controls a compromised renderer process to break out of the browser sandbox using a crafted HTML page, affecting all Chrome desktop builds prior to 150.0.7871.47. Rated Critical by Chromium and CVSS 9.8, though the score assumes no prior privilege; realistically it is the second stage of an exploit chain. A vendor patch is available and no public exploit has been identified at time of analysis (EPSS 0.24%, 15th percentile).

Memory Corruption Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-7663 CRITICAL PATCH Act Now

Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach protected MCP (Model Context Protocol) project resources and invoke MCP operations through the Streamable MCP transport endpoint. Because the flaw bypasses authentication entirely on a network-facing endpoint and is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, any exposed Langflow instance is at risk. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.24%, 15th percentile), indicating exploitation has not yet become widespread.

Authentication Bypass IBM Langflow Oss
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-13775 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop prior to 150.0.7871.47 stems from a use-after-free in the GPU process, letting a remote attacker who has already compromised the renderer break out of the browser sandbox via a crafted HTML page. Google rates the Chromium severity as Critical, and a fix is available in the Stable channel update. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.22% (13th percentile).

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14104 CRITICAL PATCH Act Now

Sandboxed remote code execution in Google Chrome desktop before 150.0.7871.47 lets a remote attacker run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page, exploiting insufficient input validation in the WebAppInstalls component. Google rates the Chromium severity as Low because execution is contained within the sandbox and no escape is included, and there is no public exploit identified at time of analysis. EPSS is low (0.21%, 12th percentile) and CISA SSVC records exploitation status as none.

RCE Google Suse
NVD
CVSS 3.1
9.8
EPSS
0.2%
Page 1 of 13 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy