Skip to main content
CVE-2026-14324 MEDIUM PATCH This Month

Denial-of-service via NULL pointer dereference in PipeWire's RAOP (Remote Audio Output Protocol) module affects Red Hat Enterprise Linux 8, 9, and 10. The RAOP module fails to enforce an upper bound on Content-Length values in incoming requests and does not validate the return value of pw_array_add(); when a sufficiently large Content-Length triggers an allocation failure, the unchecked NULL return causes a crash of the PipeWire daemon, resulting in complete loss of audio services. No special authentication is required from the adjacent network, and no public exploit or CISA KEV listing has been identified at time of analysis.

Denial Of Service Null Pointer Dereference Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 +2
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-9107 MEDIUM This Month

Stored Cross-Site Scripting in the Kali Forms WordPress plugin (versions up to and including 2.4.13) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'meta[kaliforms_field_components]' parameter. Any WordPress user who subsequently visits a page containing the injected form will execute the attacker's script in their browser, making session hijacking, credential theft, and admin account takeover realistic outcomes. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege bar (contributor) makes this a realistic risk on multi-author WordPress sites.

WordPress XSS Kali Forms Contact Form Drag And Drop Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13246 MEDIUM This Month

Stored Cross-Site Scripting in GiveWP versions up to and including 4.16.0 allows authenticated attackers with author-level WordPress access to inject persistent JavaScript payloads via the 'block_id' attribute of the 'givewp_campaign_comments' shortcode. The flaw originates in two code paths - CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render() - where the blockId value is interpolated directly into a single-quoted HTML attribute without WordPress's esc_attr() sanitization function. Any visitor loading an injected page will have the malicious script execute in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13733 MEDIUM This Month

Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.60) allows authenticated contributors to persistently inject arbitrary JavaScript via the `no_data_msg` shortcode attribute, executing in any subsequent visitor's browser context. The vulnerability exploits a bypass in WordPress's `wp_kses_post` sanitization: the filter strips disallowed HTML tokens at save time but does not neutralize C-style escape sequences embedded in shortcode attribute values, which are silently reconstructed into raw `<script>` tags at render time. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the deliberate evasion technique elevates risk on multi-contributor WordPress deployments.

WordPress XSS Download Manager
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13443 MEDIUM This Month

Stored Cross-Site Scripting in Tutor LMS (WordPress plugin by Themeum) versions through 3.9.13 allows authenticated attackers holding author-level or higher WordPress roles to inject persistent malicious scripts via the Lesson Attachment Title field. The injected payload is stored in the WordPress database and executes in the browser of any user who subsequently accesses a course page rendering the attachment - achieving a scope change from the plugin's context into the victim's browsing session. No public exploit code or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references to the vulnerable rendering path, lowering the barrier to exploitation.

WordPress XSS Tutor Lms Elearning And Online Course Solution
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12135 MEDIUM This Month

Stored Cross-Site Scripting in FV Flowplayer Video Player (all WordPress plugin versions up to and including 7.5.51.7212) allows authenticated contributors to permanently inject arbitrary JavaScript via the unsanitized `align` attribute of the `[video_player]` shortcode. The payload persists in the WordPress database and executes in the browser of every user who subsequently visits any page containing the injected shortcode, enabling session hijacking, credential harvesting, or further site compromise. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis, though the stored nature of this XSS amplifies real-world risk relative to reflected variants.

WordPress XSS Fv Flowplayer Video Player
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12732 MEDIUM This Month

Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the unescaped 'class_wrapper_form' shortcode attribute. The payload persists in the database and executes in the browser of any visitor - including administrators - who loads the affected page, enabling session hijacking, credential harvesting, or privilege escalation through forged admin actions. No CISA KEV listing or public exploit code has been identified at time of analysis, but the Wordfence advisory includes precise code-level references that substantially lower the bar for independent reproduction.

WordPress XSS Learnpress Wordpress Lms Plugin For Create And Sell Online Courses
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-11380 MEDIUM This Month

Stored cross-site scripting in JetWidgets For Elementor (versions up to and including 1.0.21) allows authenticated WordPress users holding author-level access or higher to plant persistent JavaScript payloads by supplying unsanitized input to the Animated Box widget's animation_effect parameter, which is written directly into an HTML class attribute without output escaping or server-side validation. Any site visitor who loads an injected page triggers the payload, enabling session hijacking, credential theft, or administrative account takeover through privilege escalation within the victim's browser context. No public exploit has been identified at time of analysis and the CVE does not appear in CISA KEV; however, a fix has been committed to the WordPress plugin repository.

WordPress XSS Jetwidgets For Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-2387 MEDIUM This Month

Stored Cross-Site Scripting in the Event Organiser WordPress plugin (all versions through 3.12.9) allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript via the unescaped 'no_events' parameter of the 'eo_events' shortcode. The payload persists server-side and executes in any visitor's browser when they load a page containing the injected shortcode with no matching events. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the low authentication bar (Contributor) makes this a meaningful risk on multi-author WordPress sites.

WordPress XSS Event Organiser
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12374 MEDIUM PATCH This Month

Local privilege escalation in Cato Client on macOS allows an authenticated low-privileged user to gain root by chaining two flaws in the PrivilegedHelperTool XPC service: improper certificate validation (CWE-295) that accepts self-signed certificates to bypass XPC caller verification, and a TOCTOU race condition exploitable via symlink swap during package installation. All Cato Client (SDP Client) versions prior to 5.13.1 on macOS are affected. A proof-of-concept exists per the CVSS 4.0 supplemental metric E:P, and the AU:Y (Automatable) tag indicates the exploit chain can be scripted - elevating practical urgency despite the absence of a CISA KEV listing.

Authentication Bypass Apple Sdp Client
NVD
CVSS 4.0
6.4
EPSS
0.1%
CVE-2026-5220 MEDIUM This Month

Stored cross-site scripting in DivvyDrive (versions 4.8.2.23 through before 4.8.3.1) allows authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users who view affected pages. The CVSS scope change (S:C) reflects that injected scripts operate outside the application's security boundary, enabling session hijacking or credential theft against higher-privileged victims such as administrators. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and cross-scope impact make this a meaningful lateral escalation risk within DivvyDrive deployments.

XSS Divvydrive
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-10095 MEDIUM This Month

Stored Cross-Site Scripting in WP Photo Album Plus (WordPress plugin, all versions through 9.1.13.005) allows contributor-level authenticated attackers to inject persistent JavaScript payloads via the unsanitized 'subtext' parameter of the [photo] shortcode. The CVSS scope change (S:C) is the critical amplifier: a low-privileged contributor can embed malicious shortcodes in posts submitted for editorial review, causing the stored payload to execute in administrator browser sessions when the content is previewed - enabling session hijacking and potential full site takeover. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and common WordPress contributor registration practices make this a realistic threat on affected installations.

WordPress XSS Wp Photo Album Plus
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-54908 MEDIUM PATCH This Month

Remote denial of service in pion/dtls (Go's DTLS implementation) versions prior to 3.1.4 allows an unauthenticated network attacker to crash any application built on this library by sending a crafted ECDHE_PSK ServerKeyExchange message during the DTLS handshake. The CWE-125 out-of-bounds read triggers a Go runtime panic, immediately terminating the host process. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; a vendor-released patch exists in version 3.1.4.

Denial Of Service Buffer Overflow Information Disclosure Dtls
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-54756 MEDIUM PATCH This Month

Prototype Pollution in Jodit Editor (versions prior to 4.12.18) allows network-reachable attackers to mutate Object.prototype by supplying crafted configuration payloads to Jodit.configure(), exploiting unfiltered merging in the internal ConfigMerge and ConfigProto helpers. Specifically, keys such as __proto__ or constructor nested inside legitimate option namespaces like controls can propagate to the global JavaScript prototype chain, corrupting runtime behavior for all JavaScript executing in the same environment. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; however, exploitation is contingent on the host application forwarding user-controlled input into Jodit.configure(), a pattern common in configurable WYSIWYG deployments.

Information Disclosure Prototype Pollution Jodit
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-53904 MEDIUM This Month

Account denial-of-service in MyComplianceOffice MCO 25.3.3.1 enables a remote attacker to permanently lock a targeted user out of their account by repeatedly triggering password resets. MCO's reset mechanism invalidates all previously set passwords and temporary credentials on every reset cycle, and imposes no rate limit on how frequently resets can be initiated - so once an attacker supplies the victim's email and a valid security question answer, they can sustain the lockout indefinitely. No public exploit has been identified at time of analysis, and active exploitation is not confirmed, but the attack is conceptually simple and requires no authentication beyond the security question hurdle.

Denial Of Service Mco
NVD
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-36909 MEDIUM This Month

A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Denial Of Service N A Null Pointer Dereference
NVD GitHub
CVSS 3.1
6.2
EPSS
0.2%
CVE-2026-12754 MEDIUM This Month

Reflected Cross-Site Scripting in VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.12) allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers by tricking them into clicking a crafted URL. The vulnerable `layoutstyle` parameter is insufficiently sanitized before being rendered in the roomslist view template, enabling session hijacking, credential theft, or malicious redirects against authenticated site users such as hotel administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and a patched version (1.8.13) is available per plugin Trac references.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-13015 MEDIUM This Month

Reflected Cross-Site Scripting in Wp Google Places Review Slider (WordPress plugin, versions ≤ 18.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `place` GET parameter in `admin/partials/googlecrawl_dfs.php`. The raw user input is URL-decoded and passed through `stripslashes()` before being echoed directly into an HTML value attribute — bypassing WordPress's standard `esc_attr()` — but only when the supplied place value is not already present as a key in the `wprev_google_crawls` stored option. No public exploit identified at time of analysis; successful exploitation requires tricking an authenticated WordPress administrator into clicking a specially crafted link.

WordPress XSS PHP Google Wp Google Review Slider
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-6685 MEDIUM This Month

Integer underflow in FatFs R0.16 and earlier corrupts filesystem integrity via a stale dirty-cache skip during interleaved read/write operations on fragmented volumes. The condition `fp->sect - sect < cc` in f_read() and f_write() uses unsigned arithmetic - when `sect` exceeds `fp->sect`, the subtraction wraps to a large unsigned value, bypassing the required cache flush and leaving stale or inconsistent data on disk. A proof-of-concept exists per SSVC assessment, and technical impact is rated Total, though physical access is required per the CVSS vector. No confirmed active exploitation (not in CISA KEV).

Integer Overflow Information Disclosure Fatfs
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-49981 MEDIUM PATCH GHSA This Month

Sandbox allow-list bypass in the Twig PHP templating engine lets attacker-supplied filters, tags, and functions run unchecked when a shared Environment mixes sandboxed and non-sandboxed renders. The filter/tag/function SecurityPolicy check was computed once in the Template constructor and cached in $loadedTemplates, so any later sandbox state change or a pre-warmed template left a stale (typically empty) verdict, defeating the sandbox. Fixed in Twig 3.27.0; no public exploit identified at time of analysis and it is not in CISA KEV.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
6.0
EPSS
0.4%
CVE-2026-55793 MEDIUM POC PATCH GHSA This Month

Stored XSS in Craft CMS 5.0.0-RC1 through 5.9.22 allows an author-level control panel user to execute arbitrary JavaScript in the session of an admin or any privileged user with saveEntries permission on the same Structure section. The vulnerability arises from an HTML encode/decode mismatch: the server safely escapes an entry title into a data-title attribute, but jQuery's .data() method re-decodes the value before it is concatenated back into HTML without re-escaping, bypassing the initial sanitization. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; the vendor shipped a fix in version 5.9.23.

XSS
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.4%
CVE-2026-58025 MEDIUM PATCH This Month

Deserialization of untrusted data in MediaWiki's wiki import subsystem and logging infrastructure exposes installations to PHP object injection, with high integrity impact on affected systems. Specifically, the WikiImporter, WikiRevision, and LogEntryBase components process attacker-controlled serialized data without sufficient validation, allowing a high-privileged authenticated user to trigger unintended object instantiation or code execution paths. No active exploitation (CISA KEV) or public proof-of-concept has been identified at time of analysis; however, vendor-confirmed patches are available in releases 1.43.9, 1.44.6, 1.45.4, and 1.46.0.

Deserialization PHP Mediawiki
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-55577 MEDIUM PATCH This Month

Heap buffer overflow in ImageMagick's MVG decoder allows remote unauthenticated attackers to trigger an out-of-bounds write by supplying a specially crafted image file, resulting in denial of service. Affected are all ImageMagick deployments prior to versions 6.9.13-51 (legacy v6 branch) and 7.1.2-26 (current v7 branch). No public exploit code or active exploitation has been identified at time of analysis; however, the network-accessible vector and zero-privilege requirement make this relevant for any service that accepts and processes user-supplied images.

Buffer Overflow Imagemagick
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-49858 MEDIUM POC PATCH GHSA This Month

Cross-user attribute structure leakage in API Platform Core's JSON:API and HAL serializers exposes the schema layout of security-gated properties to lower-privileged users through improper cache reuse. Versions from 2.6.0 up to 4.1.29, 4.2.26, and 4.3.12 are affected across the core, hal, and json-api packages. The component structure computed for a higher-privileged user's request can be served from cache to a subsequent lower-privileged user's request, bypassing the per-request evaluation of #[ApiProperty(security: ...)] predicates. No public exploit identified at time of analysis; vendor-released patches are available.

Information Disclosure Core Api Platform Hal Api Platform Json Api
NVD GitHub
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-56016 MEDIUM PATCH This Month

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.

Authentication Bypass Cgi
NVD VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-14406 MEDIUM PATCH This Month

Out of bounds read in V8 in Google Chrome prior to 150.0.7871.46 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Medium)

Google Buffer Overflow Information Disclosure Suse
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-57722 MEDIUM This Month

Stored cross-site scripting in the ShortPixel Enable Media Replace WordPress plugin (all versions through 4.2.1) allows an authenticated attacker with high-level privileges to inject persistent malicious scripts via the media replacement workflow, which then execute in the browser context of any WordPress user who subsequently views the affected content. The scope change confirmed by the CVSS vector (S:C) means a compromised editor-level account could be leveraged to target administrator sessions, enabling privilege escalation within the WordPress admin interface. No public exploit code or CISA KEV listing has been identified at time of analysis; the Patchstack advisory is the primary confirmed intelligence source.

XSS Enable Media Replace
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-50139 MEDIUM PATCH GHSA This Month

Download-limit enforcement in goshs (Go Simple HTTP Server) v2.0.9 and earlier can be bypassed by racing concurrent HTTP requests against a limited-use share token, allowing a single token to be redeemed more times than the operator configured. The TOCTOU flaw in `ShareHandler` means every concurrent goroutine observes the same pre-increment `Downloaded` counter, each passes the limit check, and each is served the file - completely defeating one-shot or low-count share-link controls. A working proof-of-concept is publicly documented in the GitHub security advisory (GHSA-j48m-h7xq-2xpj) with 5/5 consistent reproductions; no active exploitation is confirmed in CISA KEV.

Race Condition Information Disclosure
NVD GitHub
CVSS 3.1
5.9
CVE-2026-10540 MEDIUM PATCH This Month

Weak password hash storage in BMC Control-M/Enterprise Manager exposes account credentials to offline recovery attacks if an attacker gains access to the credential database. Affected are unsupported versions 9.0.20.x and potentially earlier legacy releases, meaning no vendor patch will be issued for these branches - upgrade to a supported release is the only vendor-endorsed remediation. The CVSS 4.0 vector (AV:L/PR:H/AT:P) confirms exploitation requires local, high-privilege access and specific attack conditions, significantly constraining real-world risk; no public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Control M Enterprise Manager
NVD VulDB
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-36910 MEDIUM This Month

An access violation in the BaseSplitterFile::Read function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Denial Of Service N A Buffer Overflow
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-36911 MEDIUM This Month

A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Denial Of Service N A
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-12480 MEDIUM PATCH This Month

Arbitrary HDF5 file read in Keras up to 3.13.2 enables information disclosure when a victim loads a crafted model file, representing an incomplete patch for the prior CVE-2026-1669. The flaw lies in two specific code paths - `H5IOStore._verify_dataset()` and `file_editor.py` - which omit the `dataset.is_virtual` check, allowing a malicious HDF5 Virtual Dataset (VDS) to silently redirect reads to attacker-specified paths on the local filesystem. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, but the attack surface is realistic in ML supply chain and model-sharing contexts.

Information Disclosure Red Hat
NVD GitHub
CVSS 3.0
5.5
EPSS
0.1%
CVE-2026-55597 MEDIUM PATCH This Month

Heap buffer over-write in ImageMagick's JP2 (JPEG 2000) encoder - present in all versions prior to 7.1.2-26 - allows an attacker to crash the process by supplying a maliciously crafted JP2 image file, resulting in a denial-of-service condition. The root cause is CWE-682 (Incorrect Calculation): argument handling logic in the JP2 encoder computes incorrect bounds, leading to an out-of-bounds heap write. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Imagemagick
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-55510 MEDIUM PATCH This Month

Use-after-free in ImageMagick's 8BIM profile parser crashes the process when a specially crafted image is identified, affecting all releases prior to 6.9.13-51 (legacy branch) and 7.1.2-26 (current branch). The vulnerability is triggered by a specific format string embedded in the 8BIM metadata profile, causing memory corruption that results in a denial-of-service condition. No public exploit or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in the intelligence feed.

Memory Corruption Use After Free Information Disclosure Imagemagick
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-55628 MEDIUM PATCH This Month

Policy bypass in ImageMagick's `-concatenate` operation allows local users to read from and write to filesystem paths that the configured security policy explicitly prohibits. All versions prior to 7.1.2-26 are affected. An attacker or unprivileged local user can invoke ImageMagick with `-concatenate` to circumvent path-based access controls defined in ImageMagick's policy.xml, effectively nullifying a primary hardening control relied upon in restricted or multi-tenant deployments. No public exploit code or CISA KEV listing is identified at time of analysis.

Information Disclosure Imagemagick
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-14330 MEDIUM PATCH This Month

Stack exhaustion via multiple unbounded alloca() calls in the PulseAudio protocol server on Red Hat Enterprise Linux 8, 9, and 10 allows a local low-privileged attacker to crash the audio daemon, resulting in denial of service. The root cause (CWE-770) is the absence of size validation on attacker-controlled protocol parameters before passing them to alloca(), a stack-based allocator with no OS-enforced ceiling. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-7828 MEDIUM This Month

Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging function win_log(), where a malloc size calculation wraps around on 32-bit builds when processing oversized URIs, producing an undersized heap allocation followed by an unchecked strcpy. Remote unauthenticated attackers can trigger this path by sending a maximally-sized URI to the repeater HTTP port, with practical impact bounded by the 153,600-byte HTTP receive buffer and currently assessed at availability disruption rather than reliable code execution. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA KEV.

Integer Overflow Buffer Overflow Ultravnc
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2026-54720 MEDIUM PATCH This Month

Cross-site scripting in Silverstripe Framework's 'Insert media from web' CMS feature allows a remote unauthenticated attacker to inject malicious JavaScript by supplying a specially crafted embed URL that a CMS editor then inserts into content. All Silverstripe Framework installations prior to version 6.2.2 are affected. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it a credible risk for any deployment where CMS editors process externally sourced media.

XSS PHP Silverstripe Framework
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-58029 MEDIUM PATCH This Month

Authentication API endpoints and Special pages in MediaWiki expose low-severity confidentiality and integrity weaknesses exploitable by unauthenticated remote attackers who can induce victim user interaction. Five files spanning account-linking and credential management operations - ApiChangeAuthenticationData, ApiLinkAccount, ApiRemoveAuthenticationData, SpecialLinkAccounts, and SpecialUnlinkAccounts - are affected across all MediaWiki releases prior to the fixed branches 1.43.9, 1.44.6, 1.45.4, and the forthcoming 1.46.0. No public exploit code and no active exploitation have been identified at time of analysis; real-world risk is constrained by the user-interaction prerequisite and the limited impact scope.

PHP Mediawiki Authentication Bypass
NVD VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2026-49997 MEDIUM PATCH GHSA This Month

SurrealDB's automatic graph edge cleanup mechanism bypasses edge-table permission clauses, allowing authenticated low-privilege users to delete edge records and observe hidden edge contents they are not authorized to access. When a node is deleted, the `Document::purge_edges` routine fires with permissions explicitly disabled (`opt.clone().with_perms(false)`), meaning the edge table's `PERMISSIONS FOR delete` and `PERMISSIONS FOR select` clauses are never consulted. This is a confirmed authorization bypass (CWE-285) fixed in version 3.1.0; no public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-6283 MEDIUM This Month

Stored XSS in DivvyDrive versions v.4.8.2.23 through before v.4.8.3.1 enables an authenticated low-privilege user to inject persistent malicious scripts into application content that execute in the browsers of other users who subsequently view the affected page. The CVSS scope change indicator (S:C) reflects that the injected payload breaks out of the application's security boundary into the victim's browser context, enabling session hijacking or unauthorized actions. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the vulnerability was disclosed by TR-CERT with a corresponding patch available.

XSS Divvydrive
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-58032 MEDIUM PATCH This Month

Cross-site scripting in MediaWiki's JavaScript API client layer (resources/src/mediawiki.Api/index.js) allows network-accessible, unauthenticated attackers to inject malicious scripts that execute in a victim's browser upon user interaction. All MediaWiki deployments prior to versions 1.43.9, 1.44.6, 1.45.4, and 1.46.0 are affected, covering a broad range of wiki installations worldwide. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity and lack of authentication requirement elevate concern for public-facing deployments.

XSS Mediawiki
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-58033 MEDIUM PATCH This Month

Sensitive information exposure in MediaWiki's InfoAction.php allows unauthenticated remote actors to obtain restricted page metadata through the 'Info' action endpoint. All MediaWiki versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9 are affected across all deployment configurations. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the low attack complexity and lack of authentication requirements make opportunistic discovery straightforward for any actor who can reach the wiki.

PHP Information Disclosure Mediawiki
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-58030 MEDIUM PATCH This Month

Cross-site scripting in the Wikimedia Foundation SyntaxHighlight_GeSHi MediaWiki extension allows authenticated users to inject unsanitized input via the syntax highlighting interface, with malicious script executing in victims' browsers upon page view. The flaw originates in includes/SyntaxHighlight.php and affects all versions prior to branch-specific fixes at 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS 4.0 score of 5.3 (Medium) reflects limited confidentiality impact scoped to the vulnerable system.

XSS PHP Syntaxhighlight Geshi
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-58027 MEDIUM PATCH This Month

Sensitive abuse filter configuration data in Wikimedia Foundation's AbuseFilter MediaWiki extension is exposed to authenticated low-privilege users via the QueryAbuseFilters API endpoint (includes/Api/QueryAbuseFilters.php). Authenticated wiki users on affected installations (all versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9) can retrieve private or restricted filter rule details they should not be authorized to access. No active exploitation has been confirmed (not listed in CISA KEV) and no public proof-of-concept exploit is known at time of analysis, but the moderate CVSS 4.0 score of 5.3 reflects real risk to wikis relying on confidential filter logic for abuse prevention.

PHP Information Disclosure Abusefilter
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-12127 MEDIUM This Month

CRLF injection in WPForms plugin for WordPress (all versions up to and including 1.10.2) enables unauthenticated attackers to silently blind-copy all site notification emails to an attacker-controlled address. The flaw originates from `get_reply_to_address()` applying the wrong smart-tag expansion context, allowing CR/LF characters preserved by `wpforms_sanitize_textarea_field()` to pass unstripped into raw mail header concatenation. Exploitation requires a specific non-default site configuration but demands no authentication or elevated interaction beyond a standard form submission; no public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress Authentication Bypass Wpforms Ai Form Builder For Wordpress Contact Forms Payment Forms Survey Form Quiz More
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-14340 MEDIUM This Month

Incorrect authorization in GitHub Enterprise Server allows an attacker who has obtained a victim's user-to-server token - issued by a GitHub App installation - to perform write operations on any public repository, regardless of whether that installation was explicitly granted access to the target repository. Affected installations span all GHES versions prior to 3.22, with fixes backported to six supported release trains. The CVSS 4.0 score is 5.3 (medium); no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Enterprise Server
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-50283 MEDIUM PATCH GHSA This Month

Unauthorized cross-volume asset deletion in Craft CMS versions 4.0.0-RC1 through 4.17.13 and 5.0.0-RC1 through 5.9.20 allows any authenticated user with file-replace permission in one volume to permanently delete assets from other volumes where they hold no delete permission. The flaw stems from a PHP ternary operator short-circuit in AssetsController::actionReplaceFile() that bypasses source-volume authorization when both assetId and sourceAssetId parameters are supplied together. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the low complexity of the attack logic and the CMS's sequential asset IDs make exploitation straightforward for any low-privilege authenticated insider or compromised account.

Authentication Bypass Cms
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-53909 MEDIUM This Month

Unrestricted file upload in MyComplianceOffice MCO version 25.3.3.1 allows an authenticated low-privileged attacker to upload files of arbitrary types by bypassing client-side-only validation controls. The CVSS 4.0 vector confirms network-accessible exploitation with low complexity, requiring only a valid low-privileged account and a web proxy to intercept and modify upload requests. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

File Upload Mco
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-53903 MEDIUM This Month

Insecure Direct Object Reference in MyComplianceOffice MCO version 25.3.3.1 allows authenticated users to retrieve trading document PDFs belonging to other customers by manipulating a user-supplied document identifier at the fetchPdfStatement API endpoint. The application performs no ownership or authorization check beyond confirming the user is logged in, enabling horizontal privilege escalation across customer accounts. No public exploit code or active exploitation has been identified at time of analysis, but predictable document ID patterns make automated enumeration feasible, raising real-world risk in financial compliance environments where trading statements contain sensitive regulatory and transactional data.

Authentication Bypass Mco
NVD
CVSS 4.0
5.3
EPSS
0.2%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy