Skip to main content
CVE-2026-14440 HIGH This Week

TLS certificate misissuance affecting Cloudflare Universal SSL zones lets an attacker who controls an ACME account at a CA in the auto-managed CAA RRset obtain a browser-trusted certificate for a victim domain, because Cloudflare's authoritative DNS serves a permissive auto-managed CAA RRset that supersedes customer-set records and drops RFC 8657 accounturi/validationmethods bindings. The result is a bypass of account-binding and validation-method-binding protections end-to-end, enabling MITM against the affected domain. Reported by Cloudflare (researcher David Osipov) with no public exploit identified at time of analysis; CVSS 4.0 base score is 7.6 with high attack complexity and a present attack requirement.

Information Disclosure Universal Ssl
NVD
CVSS 4.0
7.6
EPSS
0.1%
CVE-2026-24266 HIGH This Week

Denial of service in NVIDIA Triton Inference Server for Linux (versions through 26.03) allows a remote attacker to crash the service by triggering a use-after-free (CWE-416) condition, per the NVIDIA product-security advisory. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/A:H) indicates network-reachable, unauthenticated exploitation with high availability impact but no confidentiality or integrity effect. No public exploit identified at time of analysis, and CISA SSVC rates exploitation status as 'none' with an EPSS of 0.54% (41st percentile), consistent with no observed activity.

Memory Corruption Nvidia Denial Of Service Use After Free Triton Inference Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-20214 HIGH PATCH This Week

Denial of service in ClamAV's FSG file format parser allows an unauthenticated remote attacker to crash the scanning engine, and potentially achieve broader memory-corruption impact, by submitting a crafted FSG-compressed portable executable to be scanned. The flaw stems from an out-of-bounds buffer write during FSG decompression, affecting any deployment that scans attacker-supplied files. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the network-reachable, no-authentication, no-interaction nature (CVSS 7.5) makes it a meaningful availability risk for mail/file-scanning gateways.

Buffer Overflow Secure Endpoint Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-20213 HIGH PATCH This Week

Denial of service in ClamAV's PE (Portable Executable) file format parser lets an unauthenticated, remote attacker crash the scanning engine by submitting a crafted PE file for scanning, triggering an out-of-bounds buffer write (CWE-120). Reported by Cisco PSIRT (ClamAV's maintainer), the flaw carries CVSS 7.5 with an availability-only impact; the advisory notes memory corruption could 'possibly' enable expanded impacts beyond DoS. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Buffer Overflow Secure Endpoint Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-54399 HIGH This Week

Denial of service in Apache HttpComponents Core (HttpCore) 5.0-alpha through 5.4.2 and the 5.5 beta line up to 5.5-beta1 allows a remote unauthenticated attacker to exhaust server memory by sending HTTP/1.1 messages containing an excessive number of headers or excessively long headers. The HTTP/1.1 message parser accumulates this header data without enforcing sane bounds, letting a single crafted request drive availability loss (CVSS 7.5, A:H only). There is no public exploit identified at time of analysis, and CISA's SSVC assessment rates exploitation as 'none' with only partial technical impact.

Denial Of Service Apache Httpcomponents Core
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-54428 HIGH This Week

Memory exhaustion denial-of-service in Apache HttpComponents Core's HTTP/2 HPACK decoder allows remote attackers to crash Java services by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement is processed. The root cause is a timing gap in the connection handshake: the server's configured maximum header list size limit is not enforced until after the SETTINGS ACK exchange completes, leaving a window during which an attacker can flood the decoder with arbitrarily large compressed header data. Affected artifacts are org.apache.httpcomponents.core5:httpcore5-h2 versions 5.4.2 and earlier and 5.5-beta1 and earlier. No public exploit or CISA KEV listing has been identified at time of analysis.

Denial Of Service Apache Httpcomponents Core
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-20244 HIGH PATCH This Week

Denial of service in ClamAV's DMG file format parser allows a remote, unauthenticated attacker to crash the scanning engine by submitting a crafted Apple Disk Image (DMG) for inspection. The flaw stems from an integer overflow triggered during boundary checks on DMG content and manifests only on 32-bit builds of ClamAV; memory corruption raises the theoretical possibility of expanded impact beyond a crash, though only DoS is described. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Buffer Overflow Secure Endpoint Clamav Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-20243 HIGH PATCH This Week

Denial of service in ClamAV's ALZ archive parser allows an unauthenticated, remote attacker to crash the scanning engine by submitting a crafted ALZ file, with the vendor noting possible expanded impact beyond DoS. The flaw is a heap out-of-bounds write triggered during scanning, and because ClamAV is commonly deployed as an automated mail/upload gateway scanner, an attacker only needs to get a malicious file scanned. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Buffer Overflow Secure Endpoint Clamav Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-20217 HIGH PATCH This Week

Availability-impacting out-of-bounds write in ClamAV's PESpin file-format parser lets an unauthenticated remote attacker crash the scanning engine by submitting a crafted PESpin-packed file for scanning. Because ClamAV frequently sits inline on mail gateways, file-upload paths, and proxies, a single malicious sample can terminate the scanning process and produce a denial of service; the memory corruption may permit expanded impact beyond DoS though only crash impact is confirmed. There is no public exploit identified at time of analysis and it is not on CISA KEV, with EPSS not provided.

Buffer Overflow Secure Endpoint Clamav Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-20216 HIGH PATCH This Week

Denial of service in ClamAV's InstallShield file format parser allows a remote, unauthenticated attacker (per CVSS PR:N) to crash the scanning engine and temporarily exhaust system resources by submitting a specially crafted InstallShield file for scanning. The flaw stems from improper handling of temporary resources during file scanning (CWE-770), impacting availability only (C:N/I:N/A:H) with no code execution or data exposure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network attack vector and low complexity make it easy to trigger anywhere ClamAV automatically scans attacker-supplied files.

Denial Of Service Secure Endpoint Clamav Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-20215 HIGH PATCH This Week

Denial of service in ClamAV's 7z archive scanner allows a remote, unauthenticated attacker to crash the scanning process by submitting a crafted 7z file, resulting in an out-of-bounds heap write (CWE-120). Because ClamAV is commonly deployed inline on mail gateways and upload-scanning pipelines, a single malicious attachment can be delivered without any interaction or credentials. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV, though Cisco (ClamAV's maintainer) rates confidentiality/integrity impact as none and availability as high.

Buffer Overflow Secure Endpoint Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-13468 HIGH This Week

{chart}/{type}/ REST route. The plugin route skips the capability checks that WordPress's core REST endpoint for this non-public custom post type enforces (which correctly returns HTTP 401), exposing otherwise-restricted data. Rated CVSS 7.5 (confidentiality-only); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Visualizer Tables Charts Manager With Built In Ai Generator
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-12923 HIGH This Week

Arbitrary zero-argument PHP function invocation in the Youtube Showcase (Video Gallery - YouTube Gallery, Playlist & Video Grid) plugin for WordPress affects all versions up to and including 4.0.3, letting authenticated Subscriber-level users abuse the emd_delete_file() AJAX handler to call any callable PHP function name with no arguments. Because the handler validates only a nonce and omits a current_user_can() capability check, low-privileged accounts can trigger functions such as phpinfo(), get_defined_vars(), or error_get_last() to disclose sensitive server and application data. No public exploit identified at time of analysis and the issue is not in CISA KEV, so risk is currently theoretical but credible given the low privilege bar.

WordPress LFI Information Disclosure PHP Video Gallery Youtube Gallery Playlist Video Grid
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-56150 HIGH This Week

Denial of service in Elastic Fleet Server (versions 8.0.0-8.19.10 and 9.0.0-9.2.4) allows remote attackers to exhaust memory by sending a specially crafted request to an upload endpoint, driving excessive allocation until the server becomes unresponsive. The flaw is a resource-throttling failure (CWE-770) with availability-only impact and no confidentiality or integrity loss. No public exploit identified at time of analysis; EPSS is low (0.30%, 22nd percentile) and CISA SSVC records no observed exploitation.

Denial Of Service Fleet Server
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-11823 HIGH This Week

SQL injection in the BookingPress Appointment Booking Pro WordPress plugin (versions up to and including 5.7.1) allows unauthenticated attackers to inject SQL through the 'store_service_date' POST parameter of the bpa_assign_staffmember_to_slots() function, enabling extraction of sensitive database contents such as user credentials and PII. The flaw stems from stripslashes_deep() being applied to user input before it is concatenated directly into a LIKE clause without $wpdb->prepare(). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; no EPSS score was provided in the input.

WordPress SQLi Bookingpress Appointment Booking Pro
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12575 HIGH This Week

Denial of service in Delta Electronics DVP80ES3 programmable logic controllers arises from an improper resource shutdown or release flaw (CWE-404) that lets remote unauthenticated attackers exhaust or corrupt device resources. Per the CVSS vector the impact is limited to availability (A:H) with no confidentiality or integrity loss, meaning a successful attacker can crash or hang the PLC and disrupt the controlled industrial process. No public exploit identified at time of analysis; the issue is documented in Delta advisory Delta-PCSA-2026-00009, which bundles it with CVE-2026-12576 and CVE-2026-12577.

Information Disclosure Dvp80Es3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-14193 HIGH This Week

Denial-of-service in the Delta Electronics DVP80ES300T programmable logic controller allows remote unauthenticated attackers to crash the device by triggering an improper array-index validation flaw (CWE-129). Per the CVSS vector the impact is limited to availability (A:H) with no confidentiality or integrity loss, so a successful attack halts PLC operation rather than exposing data. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS was not provided.

Information Disclosure Dvp80Es300T
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-1239 HIGH This Week

Broken access control in the Ninja Forms WordPress plugin (all versions through 3.14.1) lets unauthenticated remote attackers read stored form submissions via the 'ninja-forms-views/token/refresh' REST callback, which lacks an authorization check. Because Ninja Forms submissions frequently capture PII, contact details, and other sensitive user-entered data, this exposes potentially confidential information to anyone who can reach the site. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-auth nature makes it straightforward to abuse.

Authentication Bypass WordPress Ninja Forms The Contact Form Builder That Grows With You
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-14409 HIGH PATCH This Week

Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

RCE Google Privilege Escalation Suse
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-54712 HIGH PATCH This Week

Denial of service in OpenTelemetry Java Instrumentation before 2.27.0 lets an attacker who can reach an RMI endpoint on an instrumented JVM send an oversized context-propagation payload that triggers excessive memory allocation. The RMI payload reader caps the number of context entries but never bounds the aggregate size of the strings it reads, so a single crafted request can exhaust heap and crash or stall the JVM. No public exploit is identified at time of analysis, EPSS is low (0.24%), and CISA SSVC records no observed exploitation, but the flaw is network-reachable and unauthenticated wherever RMI instrumentation is enabled and exposed.

Java Denial Of Service Opentelemetry Java Instrumentation
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52190 HIGH This Week

Denial of service in the UTT nv518G gateway/router (firmware nv518GV3v3.2.7-210919-161313) lets a remote attacker crash the device by sending crafted input to the gohead/sub_448384 (FUN_00448384) handler, triggering a stack-based buffer overflow. The CVSS 3.1 vector marks it network-reachable and unauthenticated with high availability impact but no confidentiality or integrity effect. Publicly available exploit code exists via a GitHub CVE report; there is no CISA KEV listing and no EPSS score in the provided data.

Buffer Overflow Denial Of Service Stack Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-14426 HIGH PATCH This Week

Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-20458 HIGH This Week

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a rogue base station to corrupt modem memory via a missing bounds check (out-of-bounds write, CWE-787). Once a target UE camps on the attacker-controlled cell, exploitation requires no user interaction and no pre-existing privileges, potentially yielding privilege escalation within the modem subsystem. Tracked in MediaTek's July 2026 Product Security Bulletin (Patch ID MOLY01402160); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Memory Corruption Privilege Escalation Buffer Overflow Mediatek Chipset
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-38891 HIGH This Week

Denial of service in the gazebo_plugins package (v3.9.0), specifically the differential-drive controller gazebo_ros_diff_drive.cpp, lets attackers crash the affected simulation/robot-control node by publishing a specially crafted geometry_msgs::Twist velocity command. Any actor able to reach the relevant ROS topic can trigger the fault because the plugin fails to validate the incoming message before processing it (CWE-20). Reported via MITRE with a public proof-of-concept (demo video and technical write-up); not listed in CISA KEV, and EPSS exploitation probability is low at 0.15% (5th percentile).

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-36912 HIGH This Week

Denial of service in Aleksoid1978 MPC-BE (Media Player Classic - Black Edition) prior to commit 4341cb3 lets an attacker crash the player by supplying a crafted MP4 file that triggers a NULL pointer dereference in the bundled Bento4 AP4_AtomSampleTable::GetSample() routine. A proof-of-concept is referenced (SSVC exploitation: poc), but there is no public exploit identified as weaponized and it is not in CISA KEV; impact is limited to availability with no code execution, data disclosure, or integrity loss. EPSS is low at 0.15% (5th percentile), consistent with a crash-only bug that requires a victim to open a malicious file.

Denial Of Service Null Pointer Dereference N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-12576 HIGH This Week

Denial of service in Delta Electronics DVP80ES3 programmable logic controllers arises from a failure to enforce message integrity on a communication channel (CWE-924), allowing remote, unauthenticated attackers to inject or tamper with protocol messages and disrupt device availability. Per the vendor CVSS vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H), the confirmed impact is loss of availability of this industrial controller with no privileges or user interaction required. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the network-reachable, no-auth profile of an ICS device makes it operationally significant.

Information Disclosure Dvp80Es3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-50151 HIGH PATCH GHSA This Week

Credential leakage in oras-go v2 (oras.land/oras-go) lets a malicious or compromised OCI registry steal a client's Authorization credentials by returning a cross-host Location header during monolithic blob upload; oras-go follows the redirect and reuses the original bearer/basic credentials on the PUT to the attacker-controlled host, also yielding client-side SSRF to an arbitrary cross-host target. Any Go application that pushes artifacts using oras-go v2.6.0 (and likely earlier v2.x) is affected. Rated CVSS 7.5 (High); no CISA KEV listing and no public exploitation, but the reporter includes a local proof-of-concept reproduction harness (poc.zip), and a fixed release (v2.6.1) is available.

SSRF Canonical
NVD GitHub
CVSS 3.1
7.5
CVE-2026-46487 HIGH PATCH GHSA This Week

Authorization bypass and information disclosure in GeoNetwork 4.x (4.0.0-alpha.1 through 4.4.10) lets an unauthenticated remote user retrieve restricted metadata records through the Elasticsearch-backed search API. Under certain request conditions the proxy layer skips the step that injects GeoNetwork's access-control filters, so requests reach the index without group-visibility, ownership, draft-exclusion, or portal filtering applied. There is no public exploit identified at time of analysis, but the flaw is unauthenticated and network-reachable on any public-facing instance, making disclosure of non-public catalog records trivial once the triggering condition is known.

Authentication Bypass Elastic Information Disclosure
NVD GitHub
CVSS 3.1
7.5
CVE-2026-20191 HIGH This Week

Arbitrary file read in Cisco Catalyst Center lets an unauthenticated, remote attacker retrieve files from a restricted container by sending a crafted HTTP request that abuses insufficient input validation (path traversal, CWE-22). Rated CVSS 7.5 (confidentiality-only impact), it exposes sensitive container-side data without any credentials or user interaction. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal Cisco
NVD VulDB
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-14181 HIGH PATCH This Week

Denial of service in @fastify/middie 9.1.0 through 9.3.2 lets remote unauthenticated attackers crash the Node.js process by sending request paths with malformed percent-encoded sequences. The standalone engine's URL normalization step fails to catch a synchronous decoder exception, terminating the process and taking down all connected clients until manual restart. Only applications that invoke middie.run directly on the standalone engine API are affected; there is no public exploit identified at time of analysis, and no EPSS or KEV data was provided.

Node.js Denial Of Service Fastify Middie
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-55790 HIGH POC PATCH GHSA This Week

Stored cross-site scripting in the Craft CMS control panel lets an attacker holding only a free GitHub account run JavaScript in an administrator's authenticated session. The payload is planted in the title of a craftcms/cms GitHub issue and executes when a Craft admin uses the CraftSupport widget's 'Give feedback' screen and searches a term that surfaces the poisoned issue. Affects Craft CMS 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15; no public exploit identified at time of analysis, and it is not in CISA KEV.

XSS
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-12579 HIGH This Week

Authentication bypass in the Delta Electronics AS228T programmable logic controller allows remote attackers to circumvent authentication controls and gain unauthorized access to controller functions over the network, threatening the integrity and availability of the industrial process it governs. The CVSS 3.1 base score is 7.4 (High), driven by high integrity and availability impact (I:H/A:H) with no confidentiality loss, but tempered by high attack complexity (AC:H). At the time of analysis there is no public exploit identified and the flaw is not listed in CISA KEV; no EPSS value was supplied.

Authentication Bypass As228T
NVD VulDB
CVSS 3.1
7.4
EPSS
0.3%
CVE-2026-7830 HIGH This Week

Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication handshake and recover plaintext usernames and passwords. The rfbUltraVNC_MsLogonIIAuth scheme relies on a Diffie-Hellman exchange whose prime fits in an unsigned 64-bit integer and a private exponent derived from time(NULL)-seeded libc rand(), both of which are trivially solvable, so an attacker who sniffs or man-in-the-middles the exchange derives the shared key in seconds to a minute. There is no public exploit identified at time of analysis and no EPSS/KEV signal supplied; CVSS is 7.4 (AC:H reflecting the need to observe the handshake), and MS-Logon III (X25519 + AES-256-GCM) is not affected.

Microsoft Information Disclosure Ultravnc
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-49857 HIGH POC PATCH GHSA This Week

Server-Side Request Forgery in auth-fetch-mcp v3.0.1 lets an attacker who controls the url argument of the auth_fetch or download_media MCP tools reach loopback and private-range services that the built-in assertSafeUrl() guard is supposed to block. The bypass works by encoding the target as an IPv4-mapped IPv6 literal (e.g. http://[::ffff:127.0.0.1]:PORT/), which Node's WHATWG URL parser normalizes to ::ffff:7f00:1 so the private-IP check falls through. A detailed, reproduced proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no vendor-released patch identified at time of analysis. CVSS 3.1 is 7.4 (High); EPSS was not provided.

Node.js SSRF Docker Google
NVD GitHub
CVSS 3.1
7.4
CVE-2026-57736 HIGH This Week

Sensitive data exposure in the HubSpot (Leadin) WordPress plugin versions up to and including 11.3.51 allows a low-privileged authenticated user to retrieve embedded sensitive information that is inserted into data sent by the plugin. Reported by Patchstack and tracked as CWE-201 with a CVSS 7.4 (scope-changed), there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The realistic impact is limited to information disclosure of secrets or private data the plugin transmits, without evidence of widespread or automated exploitation.

Information Disclosure Hubspot
NVD VulDB
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-57723 HIGH This Week

Arbitrary file deletion in the VikBooking Hotel Booking Engine & PMS WordPress plugin (versions up to and including 1.8.12) is reachable via a cross-site request forgery flaw that lets an attacker abuse a path-traversal-capable file operation. By tricking a logged-in administrator into visiting a malicious page, a remote unauthenticated attacker can forge a request that deletes arbitrary files on the WordPress host, potentially disabling the site. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.

CSRF Path Traversal Vikbooking Hotel Booking Engine Pms
NVD VulDB
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-54263 HIGH PATCH This Week

Reflected cross-site scripting in the Wagtail Django CMS admin interface lets a low-privilege editor craft a malicious URL that executes JavaScript in the browser of a higher-privilege administrator who opens it, enabling actions to be performed with the victim's credentials. All Wagtail installations before 7.0.8, 7.3.3 and 7.4.2 are affected - the flaw lives in the dynamic image URL generator view and exists even on sites that never enabled the dynamic image serve view. No public exploit identified at time of analysis, and the issue is not reachable by anonymous site visitors without a Wagtail admin account.

XSS Python Wagtail
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-7829 HIGH This Week

Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrupt stack memory via the web GUI allow/deny rule parser, ultimately achieving code execution on the repeater host. The flaw (CWE-787, out-of-bounds write) is reachable only after admin login, but that barrier is significantly weakened when chained with CVE-2026-7839 (default password), which can hand an attacker the required credentials. There is no public exploit identified at time of analysis and no EPSS/KEV data supplied, so this is currently a credentialed, chainable RCE rather than a confirmed mass-exploited threat.

Memory Corruption Buffer Overflow RCE Ultravnc
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-7517 HIGH This Week

Stored cross-site scripting in the Custom Payment Gateways for WooCommerce WordPress plugin (all versions through 2.1.0) lets unauthenticated guests plant persistent JavaScript by submitting a crafted checkout POST request via the 'alg_wc_cpg_input_fields' parameter. The injected script executes in the browser of any user - including store administrators - who later views the affected page, enabling session/account compromise in the WordPress admin context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, but the unauthenticated, no-configuration-required attack path makes it materially exploitable against default installs.

WordPress XSS Custom Payment Gateways For Woocommerce
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-58263 HIGH PATCH This Week

Mutation XSS in Jodit Editor (xdan/jodit) before 4.12.28 lets attacker-influenced HTML slip a live, no-interaction event handler past the built-in clean-html sanitizer. A MathML/<style> carrier hides a dangerous element from the sanitizer's element walk, so the sanitized editor value still contains a working handler such as <img onload=...> or onfocus; any consumer that renders editor.value via innerHTML executes attacker JavaScript without user interaction. No public exploit identified at time of analysis, and the flaw is fixed in 4.12.28.

XSS Jodit
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-12142 HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the '_name[]' array parameter, which then runs in the browser of any user who views the injected page. The flaw is notable because the plugin's own wp_kses() allow-list (NEXForms_allowed_tags()) deliberately whitelists <script>, <iframe src/srcdoc>, and JS event handlers, so the normal output-filtering layer provides no protection. No public exploit identified at time of analysis; the issue was reported by Wordfence and carries a CVSS 7.2 with a changed scope.

WordPress XSS Nex Forms Ultimate Forms Plugin For Wordpress
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-58451 HIGH PATCH This Week

Arbitrary file disclosure in Horde IMP webmail before 7.0.1 lets an authenticated user read any file the web server can access by planting directory-traversal sequences after a CKEditor path prefix inside an image src URL when composing mail. A weak stripos() prefix check fails to block traversal appended after the allowed prefix, so file_get_contents() pulls in files like /etc/passwd or configuration secrets and attaches them as MIME parts on the outgoing message. No public exploit identified at time of analysis, but VulnCheck published an advisory and the flaw is CSRF-triggerable against a live session, raising practical exposure for internet-facing Horde deployments.

CSRF Path Traversal PHP Imp
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-55153 HIGH PATCH This Week

Insecure JNDI object instantiation in mchange-commons-java before 0.6.0 lets attackers who can influence deserialized data or JNDI Reference resolution coerce the library's JavaBeanObjectFactory into constructing arbitrary classes and setting their JavaBean properties, enabling JNDI injection and deserialization-gadget attacks. Because this library underpins mchange projects such as the c3p0 connection pool, any Java application that deserializes attacker-controlled objects or dereferences untrusted JNDI References through it is exposed; a demonstrated path abuses a Swing JEditorPane to force outbound HTTP requests from a trusted security domain. No public exploit identified at time of analysis and it is not in CISA KEV, so treat it as a patch-now supply-chain issue rather than an actively exploited one.

Deserialization Java Mchange Commons Java
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-50284 HIGH PATCH GHSA This Week

Broken authorization in Craft CMS lets a low-privilege authenticated user destroy other users' assets on a shared volume. AssetsController::actionDeleteFolder() checks only the deleteAssets:<volume-uid> permission for the target folder but never enforces deletePeerAssets:<volume-uid>, while the underlying Assets::deleteFoldersByIds() cascades deletion to every descendant folder and asset regardless of who uploaded them. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the vendor patched it in 4.17.15 and 5.9.22.

Authentication Bypass Cms
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-53902 HIGH This Week

Privilege escalation in MyComplianceOffice (MCO) compliance platform version 25.3.3.1 lets an authenticated user add themselves to arbitrary groups via the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint, which fails to enforce authorization on group changes. By supplying a valid group ID - obtainable through the application's own group picker API or guessable via brute force - a low-privileged account can inherit the permissions of higher-privileged groups. Reported by CERT-PL; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Privilege Escalation Mco
NVD
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-11880 LOW POC PATCH Monitor

Subscription cancellation authorization bypass in the Fluent Forms WordPress plugin (all versions before 6.2.1) permits any authenticated low-privilege user to cancel subscriptions belonging to other site members by submitting a crafted request referencing a victim's subscription identifier. The plugin fails to verify that the requesting user owns the referenced subscription before processing the cancellation, a classic Insecure Direct Object Reference (IDOR) pattern. A public proof-of-concept is available via WPScan; no confirmed active exploitation campaign (CISA KEV) has been identified at time of analysis, and the CVSS base score of 3.1 reflects the limited, integrity-only impact.

WordPress Information Disclosure Fluent Forms
NVD WPScan VulDB
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-13760 HIGH PATCH This Week

OS command injection in AWS aws-cdk-lib lets an actor who controls a dependency version string in a project's package.json run arbitrary commands on the host executing the CDK toolchain. The flaw lives in the OsCommand helper of the NodejsFunction Docker bundling pipeline, which passes unsanitized version strings into a shell during nodeModules installation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; AWS has released a fixed version (v2.260.0).

Command Injection Docker Aws Cdk
NVD GitHub
CVSS 4.0
7.0
EPSS
0.6%
CVE-2026-50163 HIGH PATCH GHSA This Week

Arbitrary CWD-file read and inode-tampering in the oras-go v2 content/file tar extractor allows an attacker who controls an OCI artifact to hardlink files from the pulling process's working directory into the extract tree. When a victim runs 'oras pull' (or any Go program using oras-go/v2/content/file) against a malicious layer marked with the io.deis.oras.content.unpack annotation, the flawed ensureLinkPath helper validates a resolved hardlink target but passes the original relative Linkname to os.Link, causing link(2) to resolve it against the process CWD instead of the extract base. Publicly available exploit code exists (detailed PoC and regression test in the advisory); this is not listed in CISA KEV and no active exploitation is confirmed.

Linux Ubuntu Path Traversal Kubernetes
NVD GitHub
CVSS 3.1
7.1
CVE-2026-39379 HIGH PATCH GHSA This Week

Reflected cross-site scripting in GeoNetwork lets a remote attacker run arbitrary JavaScript in a victim's authenticated session by luring them to a crafted service URL. Because the not-found/unauthorized error page is an AngularJS application, attacker-controlled request content reflected into that page is evaluated as a client-side template expression (AngularJS sandbox escape) rather than shown as inert text. No public exploit is identified at time of analysis, and the flaw is not on CISA KEV.

XSS
NVD GitHub
CVSS 3.1
7.1
CVE-2026-58517 MEDIUM PATCH This Month

Authentication bypass in the Wikimedia Foundation's WikiLambda extension for MediaWiki allows unauthenticated remote attackers to circumvent access controls via improper neutralization of input terminator characters (CWE-288). Affected are all WikiLambda deployments running versions prior to 1.43.9, 1.44.6, and 1.45.4 across the supported MediaWiki release branches. No public exploit or CISA KEV listing has been identified at time of analysis, though the network-accessible, zero-prerequisite attack vector warrants prompt patching.

Authentication Bypass Mediawiki Wikilambda Extension
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
Prev Page 4 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy