Skip to main content
CVE-2026-58446 MEDIUM POC PATCH This Month

Authentication bypass in Presenton's bundled MCP server exposes server and Docker deployments to unauthenticated remote exploitation via the unprotected /mcp endpoint. When operators configure session authentication using AUTH_USERNAME/AUTH_PASSWORD, nginx enforces access control on all paths except /mcp, which is absent from the auth_request gate - and the MCP server compounds this by auto-minting valid internal session tokens for the configured user on any incoming request. An unauthenticated remote attacker can therefore invoke MCP tools such as generate_presentation as if fully authenticated, consuming the operator's LLM API keys and writing arbitrary presentations to the instance. A publicly available proof-of-concept exists; no active exploitation confirmed in CISA KEV.

Authentication Bypass Nginx Docker Presenton
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-11581 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject arbitrary JavaScript into form field captions, which execute in an administrator's browser session when the admin views the form-entries screen. A compounding missing capability check in the plugin's post-duplication action enables the same low-privilege attacker to publish the malicious form without administrator approval, removing the dependency on an admin independently discovering the unpublished form. A publicly available exploit (via WPScan) exists, and the plugin vendor has released a patch in version 2.4.13. No CISA KEV listing is present, indicating no confirmed mass exploitation at time of analysis.

WordPress Information Disclosure Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-58450 MEDIUM POC This Month

Open redirect in Invoice Ninja's client portal login (through version 5.13.26) enables unauthenticated attackers to craft login URLs that transparently redirect authenticated victims to attacker-controlled external sites after they complete a legitimate login. The vulnerability stems from the `intended` query parameter being stored in the session without host validation, then emitted verbatim by the `ContactLoginController::authenticated()` handler post-login, making it a reliable phishing vector against Invoice Ninja clients. A publicly available proof-of-concept exists; no CISA KEV listing is present at time of analysis.

Open Redirect Invoiceninja
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-9576 MEDIUM POC PATCH This Month

Broken object-level authorization in the Fluent Booking WordPress plugin (all versions before 2.1.2) allows any user holding the Calendar Manager role to export attendee PII - including names, email addresses, phone numbers, physical addresses, and payment information - from calendar groups they do not own. The flaw resides in the plugin's attendee export endpoint, which accepts a caller-supplied group_id without verifying the requesting user's ownership of that group. A publicly available proof-of-concept exploit exists per WPScan reporting; however, this vulnerability is not listed in the CISA KEV catalog, indicating no confirmed broad exploitation. The CVSS score of 4.9 (Medium) reflects the high-privilege prerequisite, though the sensitivity of the exposed data - including payment details - elevates real-world business impact beyond what the numeric score alone suggests.

WordPress Information Disclosure Fluent Booking
NVD WPScan VulDB
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-10817 MEDIUM PATCH NEWS This Month

Memory overread in Citrix NetScaler ADC and NetScaler Gateway exposes low-confidence partial memory contents to unauthenticated remote attackers when TCP TimeStamp processing is triggered against a misconfigured or specifically configured TCP Profile. The vulnerability is rooted in insufficient input validation (CWE-125) within the TCP TimeStamp handling code path, affecting virtual servers of type Load Balancer, Content Switching, and VPN, as well as configured services. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the network-accessible, zero-privilege attack vector warrants prompt patching given NetScaler's broad enterprise deployment.

Citrix Buffer Overflow Information Disclosure Netscaler Application Delivery Controller Netscaler Gateway
NVD VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-50040 MEDIUM PATCH CISA This Month

Reflected XSS in Stonefly Storage Concentrator (SC) and Storage Concentrator Virtual Machine (SCVM) allows an unauthenticated attacker to craft a malicious URL that, when opened by an authenticated storage administrator, causes arbitrary JavaScript to execute within the victim's browser session under the application's origin. The vulnerability stems from unsanitized user-supplied content being echoed directly into 404 error page responses, enabling session cookie theft, unauthorized administrative actions, or user redirection against storage management infrastructure. Reported via ICS-CERT (CISA advisory ICSA-26-181-06), no public exploit code or CISA KEV listing has been identified at time of analysis, though the ICS/OT context amplifies the downstream impact of successful exploitation.

XSS Storage Concentrator Storage Concentrator Virtual Machine
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-58369 MEDIUM PATCH This Month

Unauthenticated NULL pointer dereference in Woodpecker CI before 3.15.0 allows any network attacker to flood server logs by repeatedly probing the unprotected /api/orgs/lookup/ endpoint. The LookupOrg handler unconditionally dereferences the session user object, which is nil for unauthenticated callers, triggering a Go panic on every such request; gin's recovery middleware catches each panic and returns HTTP 500, keeping the server alive but writing approximately 37 lines of stack trace per request to the error log. No active exploitation is confirmed in CISA KEV, but the zero-prerequisite attack surface - no credentials, no special configuration, no user interaction - makes low-bandwidth log-flooding trivially achievable by any unauthenticated network attacker.

Denial Of Service Null Pointer Dereference Woodpecker
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2025-71381 MEDIUM PATCH This Month

Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. When the CORS `origin` option is configured to anything other than wildcard `*`, the middleware incorrectly promotes client-supplied `Vary` header values from the incoming request directly into the HTTP response - a behavior violating the HTTP specification, which reserves `Vary` as a server-managed response header. In environments using shared caches, CDNs, or reverse proxies, an attacker can craft requests with arbitrary `Vary` values to poison cache entries, potentially causing incorrect CORS policies to be enforced for legitimate downstream users. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Hono
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-57204 MEDIUM PATCH This Month

Memory exhaustion in pypdf prior to 6.13.3 allows unauthenticated remote attackers to cause denial of service by supplying a maliciously crafted PDF. The MAX_DECLARED_STREAM_LENGTH safety cap - designed to bound memory allocation during stream parsing - is bypassed when a PDF content stream omits the /Length value, enabling unbounded memory growth. No active exploitation is confirmed (not in CISA KEV), but the attack surface encompasses any Python application that parses attacker-supplied PDFs, a common pattern in document pipelines and web upload handlers.

Python Denial Of Service Pypdf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56327 MEDIUM PATCH This Month

Unauthenticated organization enumeration in Capgo before 12.128.2 exposes tenant existence through differential error responses in the public.invite_user_to_org SECURITY DEFINER RPC function. Any caller holding a publishable API key - a client-side credential intentionally distributed in mobile apps - can probe arbitrary organization IDs and distinguish NO_ORG from NO_RIGHTS responses, confirming or denying tenant existence at scale. No active exploitation is confirmed (not in CISA KEV) and no public POC has been identified, but the attack barrier is exceptionally low given the freely obtainable key material and the network-accessible default posture.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56318 MEDIUM PATCH This Month

Organization UUID enumeration in Capgo before 12.128.2 allows unauthenticated remote attackers to confirm the existence of valid organization identifiers by exploiting differential error responses from the /private/validate_password_compliance endpoint. The endpoint returns distinct HTTP status codes and error message bodies depending on whether a submitted organization ID is malformed, non-existent, or valid - functioning as an unauthenticated oracle. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, though automated scripted enumeration is trivially feasible given the low attack complexity (CVSS 4.0 base score 6.9, AV:N/AC:L/PR:N).

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56331 MEDIUM PATCH This Month

Improper error handling in Capgo's /private/accept_invitation endpoint before version 12.128.2 allows unauthenticated network attackers to trigger HTTP 500 Internal Server Error responses by submitting malformed magic_invite_string values, leaking internal processing details in violation of CWE-209. Exploitation requires no privileges or user interaction - only the publicly accessible endpoint and knowledge of its path - making any internet-exposed Capgo instance susceptible to targeted reconnaissance. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the risk is constrained to information disclosure that could support a broader attack chain.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-44947 MEDIUM PATCH This Month

Privilege persistence in SUSE Rancher allows project users to retain Pod Security Admission (PSA) permissions even after an administrator revokes those permissions from a RoleTemplate, due to a missing cleanup step in the legacy Project Role Template Binding (PRTB) reconciler. Affected versions are Rancher 2.13.0 through 2.13.7 and 2.14.0 through 2.14.3. An attacker with a pre-existing role assignment can continue to bypass PSA policies enforced at the project level, defeating administrative intent and potentially deploying workloads that violate the cluster's security posture. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.

Authentication Bypass Rancher
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56277 MEDIUM PATCH This Month

Cross-origin request forgery via a hardcoded CORS wildcard in Flowise's text-to-speech endpoint (versions before 3.1.2) allows any malicious webpage to trigger TTS generation using a victim's stored credentials. The controller file `packages/server/src/controllers/text-to-speech/index.ts` unconditionally sets `Access-Control-Allow-Origin: *`, directly overriding the server's restrictive `getCorsOptions()` CORS policy for that route. No public exploit is identified at time of analysis, but the attack requires only basic web scripting skill given the straightforward CORS bypass mechanism.

Authentication Bypass Flowise
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-35098 MEDIUM PATCH This Month

Unlimited brute-force attacks against KTM System e-BOK user accounts are enabled by the complete absence of login rate limiting, account lockout, or authentication throttling on the portal's login endpoint. All versions prior to the June 2026 patch are affected, with the risk materially amplified by companion vulnerability CVE-2026-35097, which constrains passwords to a six-digit numeric format - reducing the effective keyspace to 1,000,000 combinations and making full exhaustion feasible with standard tooling in minutes to hours. No public exploit code or CISA KEV listing has been identified at time of analysis, but the combination of these two flaws represents a near-trivially exploitable account takeover path against any e-BOK deployment where both vulnerabilities are present.

Information Disclosure E Bok
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-35097 MEDIUM PATCH This Month

KTM System e-BOK enforces a system-wide password policy that restricts all user credentials to exactly six numeric digits, prohibiting alphabetic, special, or extended characters and producing a maximum keyspace of only 1,000,000 possible values (10^6). This CWE-521 (Weak Password Requirements) flaw enables remote unauthenticated brute-force attacks against any customer account, as confirmed by the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). No public exploit code or CISA KEV listing exists, but the trivial keyspace means no specialized tooling is required - standard credential automation suffices. CERT-PL reported the issue; a vendor patch was published in June 2026.

Brute Force Information Disclosure E Bok
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-48192 MEDIUM CISA This Month

Code injection via malicious project files in Mendix Studio Pro 10.11 through 11.11 allows arbitrary code execution on a developer's workstation when a victim opens and runs a specially crafted project through the build pipeline. Siemens' own ProductCERT (SSA-779310) reported this flaw, classifying it under CWE-94, with patches available only for the 10.24 and 11.6 long-term support lines. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the breadth of affected versions - spanning the entire 10.x and 11.x release trees - means most active Mendix developer environments are exposed.

Code Injection RCE Mendix Studio Pro 10 11 Mendix Studio Pro 10 12 Mendix Studio Pro 10 13 +23
NVD VulDB
CVSS 4.0
6.8
EPSS
0.2%
CVE-2026-45822 MEDIUM PATCH This Month

Super-linear algorithmic complexity in the decode-uri-component npm package (versions through 0.4.1) allows unauthenticated network attackers to cause severe CPU exhaustion and block the Node.js event loop by submitting crafted strings with large numbers of percent-encoded tokens. The decode() function splits input on '%' and iteratively invokes decodeComponents() in a pattern producing quadratic or worse time growth - 1,400 '%ab' tokens consume approximately 33 seconds of CPU, rendering single-threaded JavaScript runtimes effectively unresponsive. No public exploit is confirmed at time of analysis (CVSS E:U), but the deterministic algorithmic nature makes payload construction trivial for any attacker with a reachable input channel.

Denial Of Service Decode Uri Component
NVD GitHub
CVSS 4.0
6.6
EPSS
0.3%
CVE-2026-11367 MEDIUM This Month

Arbitrary file write via directory traversal in the PixMagix WordPress Image Editor plugin (all versions through 1.7.2) allows any authenticated Author-level WordPress user to write attacker-controlled content to arbitrary filesystem paths accessible by the web server process. The vulnerability stems from unsanitized use of the `layers[].id` parameter inside the `move_image_on_server` function, which concatenates user input directly into a PHP `copy()` call without path validation. Because the `save_template` REST endpoint requires only the `create_projects` permission - automatically granted to Author-level users on plugin activation - any contributor-tier account can exploit this to plant PHP webshells and escalate to remote code execution. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

WordPress Path Traversal Pixmagix Wordpress Image Editor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-27955 MEDIUM PATCH This Month

{$command}'` invocation without sanitizing single quotes, and the user-controlled `docker_compose_custom_build_command` and `docker_compose_custom_start_command` fields are interpolated directly into that shell string. No public exploit has been identified at time of analysis, but the CVSS scope-change flag (S:C) confirms the critical container-to-host escape dimension, and the injection technique is well-understood - making the practical impact substantially higher than the reported 6.6 base score implies.

Command Injection Docker Coolify
NVD GitHub
CVSS 3.1
6.6
EPSS
0.2%
CVE-2026-11906 MEDIUM This Month

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows an authenticated low-privileged user to crash or hang the database server by submitting a crafted SQL query exploiting improper neutralization of special elements in XMLTable-derived column processing logic. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms this is remotely triggerable with minimal privileges, posing a realistic insider-threat or compromised-credential availability risk. No public exploit code or active exploitation has been identified at time of analysis.

IBM Denial Of Service Microsoft Db2
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-36327 MEDIUM PATCH This Month

Client-side enforcement of server-side security in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 allows an authenticated low-privileged user to bypass access controls and perform actions beyond their authorized role. The root cause (CWE-602) means security decisions are made in client-side logic rather than enforced on the server, enabling bypass via crafted API requests. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the high integrity impact (CVSS I:H) with low attack complexity poses meaningful risk in multi-tenant or role-segregated deployments.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-14010 MEDIUM PATCH This Month

Uninitialized memory use in Chrome's codec subsystem on Windows leaks process memory contents to remote attackers who can direct a user to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 on Windows are affected; exploitation requires no authentication but does require the victim to visit attacker-controlled content, placing this in the drive-by browsing threat category. No public exploit code has been identified at time of analysis, and Google has released a confirmed fix in stable channel 150.0.7871.47.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13958 MEDIUM PATCH This Month

Uninitialized memory use in the codec subsystem of Google Chrome on Windows exposes potentially sensitive process memory contents to remote attackers via a crafted HTML page. All Chrome for Windows releases prior to 150.0.7871.47 are affected; the flaw is platform-specific and does not affect Chrome on Linux, macOS, or mobile. No public exploit code has been identified and this vulnerability is absent from the CISA KEV catalog, though the CVSS C:H rating reflects meaningful confidentiality risk, and the uninitialized read could serve as a precursor step toward ASLR bypass in a chained attack.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13943 MEDIUM PATCH This Month

Uninitialized memory use in Chrome's CSS engine on Android exposes potentially sensitive process memory contents to remote attackers via a crafted HTML page. Unauthenticated remote attackers can trigger this information leak against any Android Chrome user who visits attacker-controlled content (CVSS PR:N, UI:R), with high confidentiality impact per the CVSS vector. Notably, Chromium's internal severity rating is Medium despite the C:H CVSS impact, suggesting reliable extraction of useful sensitive data may be inconsistent in practice; no public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13923 MEDIUM PATCH This Month

Uninitialized GPU memory use in Google Chrome on Android prior to 150.0.7871.47 allows a remote attacker to read potentially sensitive data from process memory by luring a user to a crafted HTML page. The flaw (CWE-457) is confined to the Android GPU code path and requires only user interaction to trigger, with CVSS confirming unauthenticated network delivery and High confidentiality impact. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis; Google has released a fix in stable channel version 150.0.7871.47.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13906 MEDIUM PATCH This Month

Out-of-bounds read in Google Chrome's Codecs component (prior to 150.0.7871.47) enables remote attackers to leak sensitive data from renderer process memory by delivering a crafted HTML page. The CVSS C:H rating reflects meaningful exposure of in-process data such as session tokens or credentials, though Chromium's own team assessed this as Medium severity, and the sandbox boundary (S:U) limits blast radius to the renderer. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Google Buffer Overflow Information Disclosure Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13873 MEDIUM PATCH This Month

Out-of-bounds read in Chrome's Layout engine prior to 150.0.7871.47 allows remote attackers to leak potentially sensitive data from the renderer process memory by serving a crafted HTML page. User interaction is required - the victim must visit the malicious page - limiting automated mass exploitation. No public exploit code has been identified at time of analysis, and CISA SSVC rates exploitation status as none with partial technical impact, placing real-world urgency below what the CVSS 6.5 score alone might suggest.

Memory Corruption Buffer Overflow Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-9002 MEDIUM PATCH This Month

Denial of service in IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 allows adjacent unauthenticated attackers to crash the WebSphere Application Server JVM by sending malformed XDF-encoded Protocol Buffers messages to the data grid. The XDF decoder fails to enforce bounds on recursive protobuf message nesting depth and attacker-supplied length prefixes, triggering either a StackOverflowError or OutOfMemoryError that takes down the JVM process. No public exploit has been identified at time of analysis, and IBM has released a patch via their support advisory.

IBM Denial Of Service Websphere Extreme Scale
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13810 MEDIUM PATCH This Month

Memory disclosure in Google Chrome for Linux (prior to 150.0.7871.47) allows a remote attacker to read sensitive contents from the browser's process memory by directing a user to a crafted HTML page. The flaw stems from an inappropriate implementation in Chrome's input handling subsystem, and is platform-specific - only Linux builds are affected. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the network-reachable, zero-authentication attack path and high confidentiality impact make patching a near-term priority for Linux desktop environments.

Google Information Disclosure Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13954 MEDIUM PATCH This Month

Insufficient XML policy enforcement in Google Chrome on Android (prior to 150.0.7871.47) exposes process memory contents to remote attackers who can deliver a crafted HTML page. The flaw is classified under CWE-284 (Improper Access Control), allowing the browser's XML handling to bypass intended isolation boundaries and leak potentially sensitive in-process data - such as cookies, credentials, or other runtime state - to an attacker-controlled origin. No active exploitation is confirmed in CISA KEV and no public proof-of-concept has been identified at time of analysis, though the CVSS score of 6.5 (Medium) reflects meaningful real-world risk given the zero-authentication, high-confidentiality-impact profile.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13936 MEDIUM PATCH This Month

Memory disclosure in Google Chrome's Passwords component on Android prior to 150.0.7871.47 allows a remote attacker to extract potentially sensitive information from process memory. Exploitation requires luring a target user to visit a specially crafted HTML page, placing this squarely in the social-engineering-assisted drive-by category. No public exploit code has been identified at time of analysis, but the high confidentiality impact (C:H in CVSS) indicates meaningful credential exposure risk given Chrome's role as a primary password manager on Android devices.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13828 MEDIUM PATCH This Month

Memory disclosure in Google Chrome's Enterprise policy implementation exposes sensitive process memory contents to remote attackers who can direct victims to a crafted HTML page. All Chrome desktop releases prior to 150.0.7871.47 are affected. No public exploit code exists and CISA SSVC classifies exploitation status as none, but the high confidentiality impact and zero-privilege-required attack path make prompt patching advisable for enterprise-managed Chrome deployments.

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-14125 MEDIUM PATCH This Month

Uninitialized memory use in Chrome's ANGLE graphics layer exposes potentially sensitive process memory contents to remote attackers who can entice a user to visit a crafted HTML page. The flaw affects all Chrome versions prior to 150.0.7871.47, with High confidentiality impact per CVSS despite Google's own Chromium severity rating of Low - a discrepancy suggesting practical extraction of meaningful data is constrained in real-world conditions. No public exploit identified at time of analysis, and no CISA KEV listing; a vendor patch has been released.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13889 MEDIUM PATCH This Month

Side-channel information leakage in WebAuthentication within Google Chrome on iOS (versions prior to 150.0.7871.47) enables a remote attacker to infer cross-origin data by directing a victim to a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms network-exploitable impact with high confidentiality loss, constrained by mandatory user interaction and scoped exclusively to the iOS platform. No public exploit identified at time of analysis; EPSS at 0.25% (16th percentile) signals low near-term exploitation probability, and no CISA KEV listing is present.

Information Disclosure Apple Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-12388 MEDIUM This Month

Privilege escalation in Red Hat Build of Keycloak's Identity Provider mapper component allows a restricted administrator with IdP management permissions to silently assign the built-in realm-admin role to themselves or other accounts by creating a Hardcoded Role mapper. This bypasses the authorization boundary intended to confine limited administrators within their delegated scope, resulting in full realm takeover. No public exploit code or CISA KEV listing exists at time of analysis; however, the impact is severe in multi-tenant or delegated-administration deployments where IdP management is granted to semi-trusted parties.

Authentication Bypass Red Hat Build Of Keycloak Red Hat
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-4629 MEDIUM This Month

Privilege escalation in Red Hat Build of Keycloak allows an operator holding the manage-clients permission to inject a hardcoded role mapper into any client configuration, causing the realm-admin role to appear in subsequently issued tokens. This effectively grants the attacker full administrative control over the entire Keycloak realm, overriding scope restrictions that are intended to prevent exactly this delegation boundary crossing. No active exploitation has been confirmed (not listed in CISA KEV), no public proof-of-concept has been identified at time of analysis, and no EPSS data was available; however, the high-impact nature of achieving realm-admin privileges makes this a meaningful insider or delegated-admin threat.

Privilege Escalation Red Hat Build Of Keycloak
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13858 MEDIUM PATCH This Month

Out-of-bounds read in Chrome's bundled FFmpeg video decoding component (all versions prior to 150.0.7871.47) allows a remote attacker to leak renderer process memory contents via a crafted video file. The CVSS vector confirms network reachability with no required privileges (PR:N) but mandates user interaction (UI:R), meaning the victim must process the malicious video. SSVC assessment rates exploitation as none and the attack non-automatable, and no public exploit has been identified at time of analysis; Google has released a patched build at 150.0.7871.47.

Google Buffer Overflow Information Disclosure Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14088 MEDIUM PATCH This Month

Uninitialized memory read in the Canvas API of Google Chrome on Android (prior to 150.0.7871.47) exposes potentially sensitive process memory contents to remote attackers. Exploitation requires luring a target to a crafted HTML page, after which the uninitialized Canvas buffer may leak memory from the renderer process. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; Chromium's own security team rates severity as Low despite the NVD CVSS score of 6.5.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14070 MEDIUM PATCH This Month

Integer overflow in Chrome's WebNN (Web Neural Network API) component prior to version 150.0.7871.47 enables remote attackers to read potentially sensitive data from browser process memory by luring a user to a crafted HTML page. The attack requires no privileges and no special configuration, but mandates user interaction - the victim must navigate to a malicious page. No public exploit identified at time of analysis; CISA SSVC rates exploitation as none with partial technical impact, and Google itself assigned a Low Chromium severity, suggesting real-world impact is constrained by browser sandboxing despite the CVSS C:H rating.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14051 MEDIUM PATCH This Month

Uninitialized memory exposure in Google Chrome's GamepadAPI allows an attacker who has already achieved renderer process compromise to read potentially sensitive contents from process memory by serving a crafted HTML page that triggers the flaw. Affected versions are all Chrome releases prior to 150.0.7871.47. While the CVSS base score is 6.5 with high confidentiality impact, Chromium's own severity rating is Low, reflecting the significant prerequisite of prior renderer compromise that dramatically constrains real-world exploitability. No public exploit code or CISA KEV listing has been identified at time of analysis, and a vendor patch is available.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14008 MEDIUM PATCH This Month

Uninitialized memory read in Google Chrome's WebXR subsystem on Android (versions prior to 150.0.7871.47) enables remote attackers to leak sensitive contents from process memory by inducing a victim to visit a crafted HTML page. The root cause is CWE-457 (use of an uninitialized variable) within the WebXR implementation, meaning memory buffers are consumed before being properly zeroed or assigned, exposing whatever residual data the process held. No public exploit or CISA KEV listing is identified at time of analysis, but the CVSS C:H rating reflects the potential for meaningful data exposure including in-memory credentials, tokens, or browsing context.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13904 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Safe Browsing implementation on iOS allows a remote, unauthenticated attacker to circumvent phishing and malicious-site protections via a specially crafted HTML page, affecting all Chrome for iOS versions prior to 150.0.7871.47. The flaw is classified as CWE-693 (Protection Mechanism Failure), meaning the Safe Browsing guard can be rendered ineffective rather than defeated through cryptographic or authentication means. No public exploit or CISA KEV listing has been identified, and the EPSS score of 0.23% (14th percentile) signals low current exploitation probability - but the zero-prerequisite network delivery and high integrity impact make this a meaningful risk for iOS users who have not updated.

Authentication Bypass Apple Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13900 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Chromecast implementation (versions prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to circumvent navigation restrictions via a specially crafted HTML page. This is a post-compromise escalation primitive rather than a standalone entry point - the renderer must already be under attacker control, making this a link in an exploit chain rather than an initial access vector. No public exploit has been identified at time of analysis; EPSS at 0.23% (14th percentile) reflects very low observed exploitation probability, consistent with the chained-exploit requirement.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13881 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's WebAppInstalls component allows remote attackers to compromise cross-origin integrity via a crafted HTML page, affecting all Chrome versions prior to 150.0.7871.47. The flaw stems from an inappropriate implementation (CWE-346, Origin Validation Error) in the PWA installation subsystem, enabling an attacker to perform unauthorized cross-origin writes or manipulations when a user visits attacker-controlled content. No public exploit identified at time of analysis, and the EPSS score of 0.23% (14th percentile) indicates low near-term exploitation probability, though the ubiquitous deployment of Chrome elevates aggregate exposure.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-12085 MEDIUM This Month

Sensitive configuration and secret disclosure in IBM UrbanCode Deploy (7.3-7.3.2.18) and IBM DevOps Deploy (8.0-8.2.1.0) exposes credentials and configuration data to any authenticated low-privilege user via API responses. The exposed secrets can serve as a direct launchpad for privilege escalation or lateral movement within the CI/CD pipeline and connected deployment targets. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS-assigned high confidentiality impact reflects real post-authentication risk.

IBM Information Disclosure Devops Deploy Urbancode Deploy
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13833 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics library on macOS allows a remote attacker to exfiltrate sensitive cross-origin data by luring a victim to a crafted HTML page. Affected are all Chrome versions on Mac prior to 150.0.7871.47. The flaw stems from uninitialized memory use within ANGLE, Chrome's graphics abstraction layer, enabling residual memory contents from other security origins to be read and potentially returned to an attacker-controlled page. No public exploit code or active exploitation has been identified at time of analysis; EPSS is low at 0.23% (13th percentile), consistent with a high-CVSS flaw constrained by both user-interaction and platform requirements.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14065 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables attackers who have already achieved renderer process compromise to escape certain navigation-level security controls via a crafted HTML page. The flaw resides in the PageInfo component, which handles page metadata, security indicators, and related navigation policy enforcement, and fails to adequately validate attacker-controlled input passed from a compromised renderer. With an EPSS of 0.22% (13th percentile), no CISA KEV listing, and a Chromium-internal severity of Low, real-world exploitation risk is currently low despite the CVSS 6.5 medium rating.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14023 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's SanitizerAPI before version 150.0.7871.47 allows a remote attacker to violate cross-origin integrity boundaries through a crafted HTML page that exploits insufficient input validation. The flaw targets a security-critical browser API whose purpose is precisely to prevent unsafe HTML injection, making the bypass particularly notable. EPSS at 0.22% (13th percentile) indicates low near-term exploitation probability, and no active exploitation or public exploit code has been identified at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13964 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's WebView component on Android (all versions prior to 150.0.7871.47) allows remote unauthenticated attackers to circumvent enforcement of navigation policies via a specially crafted HTML page, producing high integrity impact with no confidentiality or availability consequence. The CVSS vector (PR:N, UI:R) confirms unauthenticated network exploitation gated on victim interaction, consistent with a social-engineering or malicious-redirect delivery. No public exploit exists and CISA has not added this to KEV; EPSS of 0.22% (13th percentile) and SSVC Exploitation:none collectively indicate low active exploitation probability at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
Page 1 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy