Skip to main content
CVE-2025-71355 HIGH PATCH This Week

Static-analysis bypass in Picklescan before 0.0.25 lets attackers smuggle malicious pickle files past its malware scanner, leading to arbitrary OS command execution when a victim deserializes the file. Picklescan's denylist fails to flag unsafe Numpy globals, so a reduce method invoking numpy.testing._private.utils.runstring can import os and run commands while being reported as safe. No public exploit has been identified at time of analysis, though VulnCheck's advisory documents the exact gadget; the issue is not in CISA KEV. CVSS 4.0 base score is 7.6.

Deserialization RCE Picklescan
NVD GitHub
CVSS 4.0
7.6
EPSS
0.6%
CVE-2025-71371 HIGH PATCH This Week

Malicious-pickle detection bypass in picklescan before 0.0.29 lets attackers smuggle weaponized pickle files past the scanner by abusing `code.InteractiveInterpreter.runcode` inside a `__reduce__` method, leading to arbitrary code execution when the file is later deserialized with `pickle.load()`. picklescan is a security scanner specifically meant to flag dangerous pickles (e.g. in ML model files), so a gap in its blocklist directly defeats the control users rely on. Reported by VulnCheck with an assigned CVSS 4.0 score of 7.6; no public exploit and no CISA KEV listing identified at time of analysis.

Deserialization RCE Picklescan
NVD GitHub
CVSS 4.0
7.6
EPSS
0.5%
CVE-2025-71350 HIGH PATCH This Week

Malicious-pickle detection bypass in picklescan before 0.0.28 lets attackers smuggle remote-code-execution payloads past the scanner by hiding them in a pickle reduce method that invokes torch.utils.collect_env.run, which picklescan's blocklist failed to flag. Because picklescan is the gatekeeper many ML pipelines rely on to vet untrusted models (notably scanning Hugging Face artifacts), a 'clean' verdict on a weaponized file directly leads to command execution when the victim deserializes it. Reported by VulnCheck with a fix in 0.0.28; no public exploit identified at time of analysis and not listed in CISA KEV.

Deserialization Picklescan
NVD GitHub
CVSS 4.0
7.6
EPSS
0.4%
CVE-2026-49451 HIGH PATCH GHSA This Week

Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.

Authentication Bypass Microsoft RCE Privilege Escalation Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-49432 HIGH PATCH This Week

Denial-of-service in Apache ActiveMQ STOMP connectors lets a remote peer that can reach an exposed STOMP port crash or exhaust the broker by sending a negative content-length value. On the NIO STOMP transport the attacker streams body bytes to grow the per-connection command buffer past configured limits and force an out-of-memory condition, while the blocking STOMP transport instead throws an abnormal transport exception that closes the affected connection. The flaw affects ActiveMQ, ActiveMQ All, and ActiveMQ Stomp before 5.19.8 and the 6.0.0-6.2.6 line; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Apache Apache Activemq Apache Activemq All Apache Activemq Stomp
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-50734 HIGH PATCH This Week

Denial of service in Apache ActiveMQ (Client, broker, and All distributions) before 5.19.8 and 6.x before 6.2.7 lets a remote unauthenticated attacker crash the broker by sending a crafted WireFormatInfo frame containing an oversized size value during the pre-authentication protocol negotiation. Because the size is consumed before any authentication occurs, the broker attempts a massive memory allocation, triggering an out-of-memory condition and process crash. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; the fix is shipped in 6.2.7 and 5.19.8.

Denial Of Service Apache Apache Activemq Client Apache Activemq Apache Activemq All
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-11806 HIGH This Week

Arbitrary file read in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers retrieve files from the server host when the restConnector-2.0 administrative REST feature is enabled. The flaw is classed as HTTP request smuggling (CWE-444), meaning inconsistent request parsing lets an attacker coax the server into exposing file contents it should not serve. No public exploit identified at time of analysis, and CISA SSVC records exploitation status as none; EPSS is low at 0.50% (39th percentile).

Request Smuggling IBM Information Disclosure Websphere Application Server
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-50750 HIGH PATCH This Week

Remote denial of service in Apache ActiveMQ (versions 5.19.7 and 6.2.6) allows an unauthenticated attacker to exhaust broker heap memory and crash the service with an OutOfMemory error. The flaw is a regression introduced by the fix for CVE-2026-49270: an attacker repeatedly sends OpenWire BrokerInfo commands while never sending the expected ConnectionInfo, causing unbounded state accumulation until the broker dies. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated network reachability makes it a credible availability threat to exposed brokers.

Denial Of Service Apache Apache Activemq Broker Apache Activemq Apache Activemq All
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-12243 HIGH This Week

Arbitrary file disclosure in NLTK 3.9.4 lets remote attackers read any file accessible to the Python process by passing percent-encoded path-traversal sequences (e.g. ..%2f) into nltk.data.load() or nltk.data.find(). The flaw is an incomplete fix for GitHub Issue #3504: the _UNSAFE_NO_PROTOCOL_RE guard only matches literal ../ while url2pathname() decodes the encoded form after the check runs, so the validation is bypassed. No public exploit identified at time of analysis, though it was reported through a huntr.com bounty; it is not listed in CISA KEV and no EPSS score was supplied.

Python Path Traversal Nltk Nltk Red Hat
NVD
CVSS 3.0
7.5
EPSS
0.5%
CVE-2026-49434 HIGH PATCH This Week

Improper input validation in Apache ActiveMQ lets an attacker who can write or modify LDAP entries matching the broker's configured searchBase and searchFilter instantiate transports that are otherwise denied inside the broker JVM. By doing so the attacker can force the broker to fetch an attacker-controlled URL and spawn a second BrokerService within the same JVM, an integrity-impacting condition affecting Apache ActiveMQ, ActiveMQ Broker, and ActiveMQ All before 5.19.8 and 6.x before 6.2.7. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Apache Apache Activemq Broker Apache Activemq Apache Activemq All
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-14164 HIGH PATCH This Week

Denial of service in libarchive's RAR5 reader allows remote attackers to crash applications that decompress untrusted RAR5 archives via a double-free (CWE-415) of the stale filtered_buf pointer. Reported by Red Hat and affecting libarchive as shipped across Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images, the flaw is triggered purely by parsing a malicious archive entry. No public exploit has been identified and the issue is not in CISA KEV; impact is limited to availability (CVSS 7.5, A:H only) with no code execution or data exposure claimed.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +5
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-58015 HIGH PATCH This Week

Arbitrary file disclosure in GLib's GDBus client affects the DBUS_COOKIE_SHA1 SASL authentication mechanism, where the client fails to validate the server-supplied cookie_context parameter. A malicious or compromised D-Bus server can send a cookie_context containing path traversal sequences, forcing the client to read attacker-chosen files and leak their contents by confirming guessed values against the returned authentication hash. No public exploit has been identified and it is not in CISA KEV; EPSS is low at 0.30% (22th percentile), consistent with the SSVC assessment of no known exploitation.

Path Traversal Information Disclosure Glib Enterprise Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-57585 HIGH PATCH This Week

Denial of service in the msgpack-python serialization library (versions prior to 1.2.1) lets remote attackers crash a process via an out-of-bounds read when an application reuses an Unpacker instance after a previously raised error was caught. Sending malformed MessagePack data that triggers an error, then feeding further data to the same Unpacker, can drive the process to a SEGV. No public exploit has been identified at time of analysis, and EPSS data was not provided, but the CVSS 3.1 score of 7.5 (availability-only) reflects a straightforward, unauthenticated crash condition.

Memory Corruption Python Use After Free Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58011 HIGH PATCH This Week

Out-of-bounds read of two bytes in GLib's g_date_time_get_ymd() (glib/gdatetime.c) lets attackers corrupt date output and trigger logic errors that may cause denial of service when an application processes an invalid GDateTime produced by g_date_time_add_full(). It affects the GNOME GLib core utility library shipped across Red Hat Enterprise Linux 6 through 10, with fixes in GLib 2.88.1 and 2.86.5. There is publicly available exploit code exists per SSVC (proof-of-concept), no confirmed active exploitation, and EPSS is low at 0.27% (19th percentile).

Denial Of Service Buffer Overflow Information Disclosure Glib Enterprise Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-11595 HIGH This Week

Directory traversal (CWE-22) in the administrative console's integrated help system of IBM WebSphere Application Server (traditional) 8.5 and 9.0 lets remote attackers read sensitive files outside the intended help-content directory, disclosing confidential information. CVSS 7.5 reflects unauthenticated network reach with high confidentiality impact but no integrity or availability effect. There is no public exploit identified at time of analysis, and the low EPSS score (0.27%, 19th percentile) plus SSVC 'Exploitation: none' indicate no observed exploitation to date.

IBM Path Traversal Websphere Application Server
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13925 HIGH PATCH This Week

Inappropriate implementation in Downloads in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)

RCE Microsoft Google Suse
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13855 HIGH PATCH This Week

Remote code execution in Google Chrome on Linux (versions prior to 150.0.7871.47) stems from a use-after-free in the Ozone platform layer, allowing a remote attacker who lures a victim into performing specific UI gestures on a crafted HTML page to execute arbitrary code in the browser context. Rated High by Chromium and CVSS 7.5, exploitation is gated by required user interaction and high attack complexity. There is no public exploit identified at time of analysis, and the EPSS probability is low at 0.26% (17th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13831 HIGH PATCH This Week

Out-of-bounds read/write (use-after-free) in Google Chrome's GPU component lets a remote attacker who has already compromised the renderer process run arbitrary code - though still confined inside the sandbox - by serving a crafted HTML page to a Chrome build prior to 150.0.7871.47. Google rates the Chromium severity High and has shipped a fixed Stable-channel build; there is no public exploit identified at time of analysis and EPSS puts near-term exploitation probability at just 0.26%.

Memory Corruption Google Buffer Overflow Use After Free RCE +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13802 HIGH PATCH This Week

Remote code execution in Google Chrome (Views UI component) prior to 150.0.7871.47 allows a remote attacker to execute arbitrary code by luring a victim to a crafted HTML page and inducing specific UI gestures that trigger a use-after-free. Rated High by Chromium and CVSS 7.5, the flaw is elevated in complexity by its requirement for user interaction, and no public exploit has been identified at time of analysis; EPSS probability is low at 0.26%.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13794 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows before version 150.0.7871.47 allows an attacker to run arbitrary code by luring a victim to a crafted HTML page and getting them to perform specific UI gestures against the WebAppInstalls component. Chromium rates the flaw High severity; no public exploit identified at time of analysis, and the EPSS probability is low (0.26%, 17th percentile), indicating the attack is not yet broadly commoditized despite the serious impact.

RCE Microsoft Google Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13968 HIGH PATCH This Week

Arbitrary code execution in Google Chrome's DevTools component (versions prior to 150.0.7871.47) lets a remote attacker run code inside the renderer sandbox after luring a victim into performing specific UI gestures with a malicious file. Rated Medium by Chromium but scored CVSS 7.5, the flaw stems from insufficient validation of untrusted input (CWE-20); no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.24% (15th percentile).

RCE Google Suse
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13807 HIGH PATCH This Week

Remote code execution in Google Chrome on iOS prior to 150.0.7871.47 stems from a use-after-free in the browser's Import component, allowing a remote attacker who lures a victim into opening a malicious file and performing specific UI gestures to execute arbitrary code. Rated High by Chromium and CVSS 7.5, the flaw has no public exploit identified at time of analysis and a low EPSS of 0.24% (15th percentile), consistent with its high attack complexity and required user interaction. A vendor patch is available in the June 2026 Stable channel update.

Memory Corruption Google Apple Denial Of Service Use After Free +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52198 HIGH This Week

Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_425994 component

Denial Of Service Buffer Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52193 HIGH This Week

Denial of service in the UTT nv518G gateway/router (firmware nv518GV3v3.2.7-210919-161313) allows a remote attacker to crash the device by triggering a buffer overflow in the gohead/sub_447CAC web-server routine. Publicly available exploit code exists (referenced GitHub CVEreport analysis) but it is not listed in CISA KEV; EPSS is low at 0.22% (13th percentile), indicating no observed widespread exploitation. Note a data conflict: the description and tags describe a DoS, yet the supplied CVSS vector encodes a confidentiality impact (C:H/A:N) rather than availability.

Denial Of Service Buffer Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52196 HIGH This Week

Denial of service in the UTT nv518G gateway/router (firmware nv518GV3v3.2.7-210919-161313) lets a remote, unauthenticated attacker crash the device by triggering a buffer overflow in the gohead web-service function sub_416f28 (FUN_00416f28). Publicly available exploit code exists (referenced PoC on GitHub), though the flaw is not listed in CISA KEV and EPSS scores it at just 0.22% (13th percentile), indicating low observed exploitation activity. Impact is limited to availability - no code execution or data exposure is claimed in the source data.

Denial Of Service Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52195 HIGH This Week

Denial of service in the UTT nv518G gateway/router (firmware nv518GV3 v3.2.7-210919-161313) allows a remote, unauthenticated attacker to crash the device by triggering a buffer overflow in the gohead web-service handler at function sub_472f08 (FUN_00472f08). The CVSS 3.1 score of 7.5 reflects availability-only impact (A:H, C:N/I:N) over the network with no privileges or user interaction. EPSS is low (0.22%, 13th percentile) and the CVE is not in CISA KEV; a third-party technical write-up exists on GitHub, but no active exploitation is confirmed.

Denial Of Service Buffer Overflow N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13891 HIGH PATCH This Week

Privilege escalation in Google Chrome's Extensions component (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out via a crafted HTML page. Rated Medium by Chromium and CVSS 7.5, it stems from insufficient validation of untrusted input (CWE-20) and requires user interaction plus a pre-existing renderer foothold. There is no public exploit identified at time of analysis, EPSS is low (0.22%, 12th percentile), and it is not on CISA KEV.

Privilege Escalation Google Suse
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-14064 HIGH PATCH This Week

Use after free in PageInfo in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13856 HIGH PATCH This Week

Privilege escalation in Google Chrome for Android before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out further by feeding a crafted HTML page into the Speech component, which fails to validate untrusted input (CWE-20). Google rated it Medium severity; a fix has shipped in the Stable channel, EPSS is low (0.21%, 11th percentile), and there is no public exploit identified at time of analysis. This is a sandbox-escape-class chaining bug rather than a standalone remote drive-by, since it presupposes a prior renderer compromise.

Privilege Escalation Google Suse
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13824 HIGH PATCH This Week

Privilege escalation in Google Chrome's Extensions subsystem before version 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of that context and gain elevated privileges by delivering a crafted HTML page. Google rates the Chromium severity as High, and the assigned CVSS is 7.5 (AV:N/AC:H). There is no public exploit identified at time of analysis, EPSS is low (0.21%, 11th percentile), and CISA's SSVC framework records exploitation status as none, indicating this is currently a patch-and-move-on issue rather than an active threat.

Privilege Escalation Google Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13814 HIGH PATCH This Week

Heap corruption via a use-after-free in the Views UI component of Google Chrome allows a remote attacker who serves a crafted HTML page and lures a user into performing specific UI gestures to potentially execute code in the browser process. All desktop Chrome builds prior to 150.0.7871.47 are affected; Google rates the Chromium severity as High and has shipped a fix. No public exploit identified at time of analysis, and EPSS is low (0.21%, 11th percentile).

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52197 HIGH This Week

Denial of service in the UTT nv518G router (firmware nv518GV3v3.2.7-210919-161313) allows a remote attacker to crash or hang the device by sending crafted input to the gohead/sub_44af70 (FUN_0044af70) component of its embedded web/management service. Rated CVSS 7.5 (availability-only impact), the flaw is network-reachable without authentication or user interaction but does not expose or alter data. A public technical writeup analyzing the vulnerable function exists on GitHub; there is no public evidence of active exploitation and EPSS scores it low (0.20%, 11th percentile).

Denial Of Service N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-14115 HIGH PATCH This Week

Privilege escalation in Google Chrome's Cast component before 150.0.7871.47 allows a remote attacker who has already compromised the renderer process to escape renderer-level restrictions and gain higher privileges via a crafted HTML page. Rated Low severity by Chromium despite a 7.5 CVSS, it functions as a second-stage sandbox-escape primitive rather than a standalone initial-access bug. There is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile), indicating minimal near-term mass-exploitation risk.

Privilege Escalation Google Suse
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-12084 HIGH This Week

Sensitive information disclosure and unauthorized privileged actions in IBM DevOps Deploy (formerly UrbanCode Deploy/UCD) versions 8.1.0 through 8.1.2.6 and 8.2.0 through 8.2.1.0 stem from an overly permissive Cross-Origin Resource Sharing (CORS) policy that fails to restrict requests to trusted domains. An attacker who lures an authenticated user to a malicious web page can leverage the victim's session across origins to read confidential data and invoke privileged operations. No public exploit identified at time of analysis, and EPSS is low (0.15%, 5th percentile), consistent with CISA SSVC scoring exploitation as 'none'.

IBM Cors Misconfiguration Information Disclosure Devops Deploy
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-14114 HIGH PATCH This Week

Inappropriate implementation in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to perform UI spoofing via a malicious file. (Chromium security severity: Low)

Information Disclosure Google Suse
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-57081 HIGH This Week

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses. A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.

Information Disclosure Net
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-57080 HIGH This Week

Remote memory exhaustion in the Net::BitTorrent Perl module (all versions through 2.0.1) lets any unauthenticated peer in a torrent swarm crash the downloading process by abusing the peer-wire protocol's length-prefix framing. Because the decoder buffers an entire announced message before processing and trusts an attacker-supplied length prefix of up to ~4 GiB, a single malicious peer can drive the victim's memory toward exhaustion. There is no public exploit identified at time of analysis and no CISA KEV listing, but the attack is trivial and requires no authentication; EPSS data was not provided.

Denial Of Service Net
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-10652 HIGH PATCH This Week

Out-of-bounds read in the Zephyr RTOS DNS resolver (subsys/net/lib/dns) lets a malicious, spoofed, or on-path DNS server - or any LAN node when mDNS/LLMNR is enabled - return crafted truncated TXT or SRV records that leak residual receive-pool memory to the application, and in some configurations crash the device. It affects Zephyr v4.3.0 and v4.4.0; the SSVC framework records a proof-of-concept, so publicly available exploit code exists, though EPSS is low (0.20%, 10th percentile) and there is no public evidence of active exploitation. The disclosed data is bounded (~64 bytes for TXT, ~6 for SRV) and read-only, but can expose stale contents of prior DNS packets.

Denial Of Service Buffer Overflow Information Disclosure Zephyr
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-8864 HIGH PATCH This Week

Local privilege escalation in the HP Fan Control App lets a low-privileged local user gain SYSTEM/administrator-level execution on affected HP endpoints. The flaw stems from CWE-428 (Unquoted Search Path or Element), a classic Windows weakness where a privileged service or process resolves an executable or library from an attacker-controllable path. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; EPSS data was not provided.

HP Privilege Escalation Hp Fan Control App
NVD
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-58170 HIGH PATCH This Week

Trading mandate forgery in HKUDS Vibe-Trading before 0.1.10 lets an admitted (low-privileged) caller supply a proposal identifier containing path traversal sequences so the application loads an attacker-controlled JSON file as an authoritative live trading mandate. Because ceiling/limit validation is skipped when ceilings are absent, the attacker fully controls the committed mandate, enabling unauthorized live trades. A vendor patch exists and the issue was reported by VulnCheck, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal File Upload Vibe Trading
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.4%
CVE-2026-8141 HIGH This Week

Stored cross-site scripting in the Ajax Load More - Filters WordPress plugin (all versions through 3.4.1) lets unauthenticated attackers persist arbitrary JavaScript via the 'taxonomy_include_children' parameter, which then executes in the browser of any user who loads an affected page. Wordfence rates it CVSS 7.2 with a changed scope, reflecting that injected script runs in the context of other site visitors and administrators. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

WordPress XSS Ajax Load More Filters
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-56249 HIGH PATCH This Week

Privilege-bound authorization bypass in Capgo before 12.128.2 lets any authenticated user holding the app.create_channel permission overwrite existing channels by reusing their names, hijacking ownership and rewriting production channel configurations. The flaw stems from a logic mismatch between the existence-validation check and the upsert operation in the channel-creation endpoint, enabling tampering with live release channels. No public exploit identified at time of analysis; reported by VulnCheck with a vendor security advisory available.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-10513 HIGH This Week

Stored cross-site scripting in the Webmention WordPress plugin (versions up to and including 5.8.0) lets unauthenticated attackers persist malicious script through the public webmention REST endpoint, which a moderator or administrator then triggers simply by opening the affected comment's edit screen. Attacker-controlled MF2 'avatar' and 'url' author properties are stored and later echoed unescaped into HTML 'value' attributes, yielding script execution in a privileged admin session. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the provided data.

WordPress XSS Webmention
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-58374 HIGH PATCH This Week

Denial of service in hostapd 2.11 through pre-2.12 development snapshots (built with CONFIG_IEEE80211BE) lets an unauthenticated attacker within wireless range crash the access-point daemon by sending a crafted Wi-Fi 7 (802.11be) Multi-Link association request. A malformed Multi-Link Element or Per-STA Profile subelement supplies a link_id of 15 that overruns the 15-entry (0-14) links[] array, causing an out-of-bounds write before the 4-way handshake. No public exploit identified at time of analysis; EPSS is low (0.29%, 20th percentile) and CISA SSVC rates exploitation as none.

Denial Of Service Buffer Overflow Hostapd
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-56328 HIGH PATCH This Week

Release-routing integrity failure in Capgo before 12.128.2 lets an authorized app or channel manager covertly steer which update bundle unnamed clients receive. Because the platform permits multiple public channels per app/platform to coexist and silently resolves channel-less /updates requests to a single hidden 'winner' channel, a low-privileged insider can manipulate default update state and serve a chosen bundle to clients that did not specify a channel. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-48806 HIGH PATCH GHSA This Week

Sandbox __toString() policy enforcement in Twig is bypassed via dynamic array mapping keys, allowing sandboxed template authors to invoke __toString() on arbitrary context objects without sandbox policy checks. This is a residual bypass of the previously patched CVE-2026-47732, rooted in ArrayExpression failing to declare dynamic mapping keys as string-coercion sites through CoercesChildrenToStringInterface. The reliable demonstrated impact is unauthorized disclosure of sensitive data returned by __toString() on objects that the sandbox was explicitly configured to protect - no public KEV listing exists, but a clear proof-of-concept is embedded in the advisory.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-58167 HIGH PATCH This Week

Credential disclosure in Nightingale (n9e) before 9.0.0-beta.2 lets any authenticated Standard-role (low-privilege) user retrieve full datasource configurations via POST /api/n9e/datasource/list, exposing plaintext database passwords, HTTP bearer tokens, basic-auth passwords, and mTLS client keys. Reported by VulnCheck and fixed in v9.0.0-beta.2, this missing-authorization flaw effectively turns a read-only monitoring account into a pivot point against every connected downstream system. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Nightingale
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-48807 HIGH PATCH GHSA This Week

Sandbox policy bypass in Twig PHP template engine allows sandboxed template authors to trigger `__toString()` calls on objects explicitly blocked by `SecurityPolicy::$allowedMethods`, through two distinct coercion paths: `Traversable` inputs to the `join` and `replace` filters, and PHP's implicit spaceship-operator coercion inside the `in`/`not in` operator implementation. Beyond unauthorized method invocation, the `in` operator can be chained into a character-by-character equality oracle, enabling reconstruction of the full string value of sensitive objects - such as tokens or credentials passed into the render context - without any direct method invocation being permitted. This is a residual bypass of CVE-2026-47732; no public exploit code has been identified at time of analysis, and the issue is patched in Twig v3.27.0.

Oracle Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56320 HIGH PATCH This Week

Broken authorization in Capgo before 12.128.2 lets an authenticated attacker forge device records against any application by supplying an arbitrary org_id to POST /private/create_device, which the backend trusts without checking it matches the target app's owning organization. The CVSS 4.0 score of 7.1 reflects high integrity impact with low privileges required and no user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56286 HIGH PATCH This Week

Account takeover-style destruction in Capgo before 12.128.2 lets remote attackers delete arbitrary user accounts because the deletion endpoint enforces no password re-authentication or secondary verification (CWE-306, Missing Authentication for a Critical Function). Reported by VulnCheck, the flaw is exploitable through CSRF, session hijacking, or parameter tampering, causing irreversible account removal, data loss, and denial-of-service. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass CSRF Capgo
NVD GitHub
CVSS 4.0
7.0
EPSS
0.4%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy