Skip to main content
CVE-2026-58453 CRITICAL POC Act Now

Default-credential authentication bypass in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets attackers log in to the anyka_ipc HTTP service on port 80 using the built-in admin username with an empty password, granting full access to snapshots, live video, network configuration, and factory-level API endpoints. Because the same interface exposes a SetMAC command-injection surface, this trivial access can be pivoted toward device-level code execution. Publicly available exploit code exists (published by VulnCheck), though this CVE is not listed in CISA KEV and no active exploitation is confirmed.

Command Injection Authentication Bypass C492A W6 Wi Fi Ip Camera
NVD GitHub
CVSS 4.0
9.3
EPSS
1.7%
CVE-2026-58457 CRITICAL POC Act Now

Unauthenticated OS command injection in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) lets network-adjacent attackers run arbitrary shell commands as root through the smacfilter_conf handler in the commuos web backend. Publicly available exploit code exists (published by VulnCheck/IEATASICS), and successful exploitation grants full device takeover; the flaw carries a CVSS 4.0 base score of 9.3 but is reachable only by attackers adjacent to the device's network. No public exploit is listed in CISA KEV, so this is proof-of-concept exposure rather than confirmed active exploitation.

Command Injection M300 Wi Fi Repeater
NVD GitHub
CVSS 4.0
9.3
EPSS
1.7%
CVE-2026-58127 CRITICAL POC Act Now

Unauthenticated remote code execution as SYSTEM affects Hyland PACSgear MediaWriter 5.2.1, which exposes an unauthenticated .NET Remoting TCP service (PacsgearMediaServerEngine.dll) on port 9000. Remote attackers abuse the MarshalByRefObject unmarshalling technique against the default ObjectURIs (RemoteObj/UIRemoteObj) to gain an arbitrary file read/write primitive, then chain it with DLL hijacking to execute code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck), making this a high-priority issue despite no CISA KEV listing at time of analysis.

Authentication Bypass RCE Pacsgear Mediawriter
NVD GitHub
CVSS 4.0
9.3
EPSS
0.8%
CVE-2026-58126 CRITICAL POC Act Now

Unauthenticated remote code execution in Hyland PACSgear PACS Scan 5.2.1 lets remote attackers gain SYSTEM-level control of medical imaging servers by abusing an exposed .NET Remoting TCP service (PGImageExchQueue.exe) on port 22222. The exposed service grants arbitrary file read/write with no authentication, which is chained with a DLL hijack in the PGImageExchangeQueueSvc.exe service to run code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck); there is no public exploit identified as actively exploited, as it is not listed in CISA KEV.

Authentication Bypass RCE Pacsgear Pacs Scan
NVD GitHub
CVSS 4.0
9.3
EPSS
0.8%
CVE-2026-34107 CRITICAL POC Act Now

OS command injection in Guardian language-system lets unauthenticated remote attackers run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter of translate.php, which is concatenated directly into a PHP exec() call. Publicly available exploit code exists (published as a gist via VulnCheck), and the CVSS 4.0 base score of 9.3 reflects full compromise of confidentiality, integrity, and availability with no authentication or user interaction. There is no public exploit identified as actively exploited in CISA KEV, so the current risk is driven by ease of exploitation and public PoC rather than confirmed in-the-wild abuse.

Command Injection PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.7%
CVE-2026-34106 CRITICAL POC Act Now

Remote code execution in Guardian language-system allows unauthenticated attackers to run arbitrary OS commands by injecting shell metacharacters into the 'id' GET parameter of subtitles.php, which is concatenated directly into a PHP exec() call invoking jobs/subtitle_rendering.php. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation, and publicly available exploit code exists (published via VulnCheck), though there is no public exploit identified as being actively used in the wild at time of analysis.

Command Injection PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.7%
CVE-2026-57517 CRITICAL POC PATCH Act Now

Unauthenticated blind SQL injection in Control Web Panel (CWP) before 0.9.8.1225 lets remote attackers inject arbitrary SQL through the userRes POST parameter of the user endpoint, and because CWP's MySQL connection runs with root privileges the flaw escalates to full remote code execution via INTO DUMPFILE. Attackers write a PHP webshell into the web-accessible roundcube logs directory and execute commands as the cwpsvc account. Publicly available exploit code exists and a vendor patch has been released; this is a network, no-authentication, low-complexity issue (CVSS 4.0 9.3).

SQLi RCE PHP Control Web Panel
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-34099 CRITICAL POC Act Now

Unauthenticated SQL injection in Guardian Language System lets remote attackers manipulate the backend database by injecting into the `id` GET parameter of job_info.php, which is concatenated directly into a SQL query with no sanitization. Because no authentication is required (CVSS 4.0 PR:N) and publicly available exploit code exists, any attacker who can reach the endpoint can extract database version, current user, schema names, and table contents via error-based injection. Reported by VulnCheck with a CVSS of 9.3; no public exploit identified as actively used in the wild (not in CISA KEV).

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34105 CRITICAL POC Act Now

SQL injection in the Guardian language-system (translate_text.php) lets remote attackers extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter. The CVSS 4.0 vector scores this 9.3 (Critical) with PR:N, and the VulnCheck advisory title labels it unauthenticated, though the CVE description states an authenticated attacker is required - this discrepancy should be verified. Publicly available exploit code exists, but there is no public exploit identified as being actively used in attacks (not in CISA KEV).

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34104 CRITICAL POC Act Now

SQL injection in Guardian Language-System's designer.php exposes the entire backend database to attackers who supply a crafted 'name' GET parameter, which is concatenated directly into a SELECT query without sanitization (CWE-89). VulnCheck reports this as remotely reachable and publicly available exploit code exists, though no public exploit is confirmed as actively used in the wild (not in CISA KEV). Note a source conflict: the CVE description labels the attacker 'authenticated' while the VulnCheck advisory and CVSS 4.0 vector (PR:N) describe it as unauthenticated.

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34103 CRITICAL POC Act Now

SQL injection in Guardian Language-System's subtitles.php lets attackers extract arbitrary database contents by tampering with the id GET parameter, which is concatenated directly into a SELECT query without sanitization. The flaw is error-based and rated critical (CVSS 4.0 base 9.3, VC:H/VI:H/VA:H), publicly available exploit code exists (VulnCheck advisory plus a public gist PoC), and there is no public exploit identified as being used in active attacks. Note a source conflict: the CVE description labels the attacker 'authenticated,' but the CVSS vector (PR:N) and VulnCheck's advisory title both describe it as unauthenticated.

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34102 CRITICAL POC Act Now

SQL injection in Guardian language-system via the 'id' GET parameter in job_info_get.php lets attackers inject arbitrary SQL into a query against the 'jobs' table, enabling error-based extraction of database contents. The CVSS 4.0 vector (AV:N/PR:N) and VulnCheck advisory title indicate unauthenticated network exploitation, though the CVE description text describes an 'authenticated attacker' - a discrepancy defenders should verify. Publicly available exploit code exists (VulnCheck/gist PoC), raising the practical risk despite no confirmed active exploitation.

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34101 CRITICAL POC Act Now

SQL injection in Guardian language-system's text_file.php lets remote attackers extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter. The flaw is a classic error-based SQLi (CWE-89) where user input is concatenated directly into a SELECT statement, and publicly available exploit code exists (reported by VulnCheck). No CISA KEV listing exists, so this represents publicly available exploit code rather than confirmed active exploitation.

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34100 CRITICAL POC Act Now

Error-based SQL injection in Guardian Language System's media.php allows attackers to extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter (CWE-89). Publicly available exploit code exists (published via a GitHub gist by VulnCheck), and the CVSS 4.0 vector (AV:N/AC:L/PR:N) plus the VulnCheck advisory title indicate unauthenticated network exploitation, though the CVE description conversely refers to an 'authenticated attacker' - a discrepancy defenders should verify. No public evidence of active in-the-wild exploitation (not listed in CISA KEV).

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-44935 CRITICAL PATCH GHSA Act Now

Cross-tenant authorization bypass in Rancher Fleet allows a low-privileged tenant in a multi-tenant environment to read any ConfigMap or Secret across all namespaces of a shared downstream cluster and to deploy cluster-wide resources without being bound to a restricted service account. The flaw (CWE-863, CVSS 9.9) is exploitable by authenticated tenants who abuse valuesFrom in fleet.yaml (via GitRepo) or HelmOp/Bundle resources; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.6%
CVE-2025-15646 CRITICAL PATCH Act Now

HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.

Memory Corruption Information Disclosure Html
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-51947 CRITICAL Act Now

Remote code execution in Pivotal CRM 6.6.4.08 (Aurea) arises from insecure deserialization in the Pivotal.Engine.Client.Services.Conversion.dll component, letting remote attackers run arbitrary code on the server. This is a bypass of the incomplete fix for CVE-2026-39253, and it remains exploitable on systems that only applied the earlier patch-ghi-15381-cwe-502-20251225.zip. No public exploit code has been identified, though public advisories exist for both this issue and its predecessor; EPSS is modest at 0.57% (43rd percentile) and it is not in CISA KEV.

Deserialization RCE N A
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-11387 CRITICAL Act Now

Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. No public exploit has been identified at time of analysis, though the issue was disclosed by Wordfence and carries a 9.8 CVSS rating.

Authentication Bypass WordPress Privilege Escalation Sms Alert Sms Otp For Woocommerce Order Notifications Abandoned Cart Recovery
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-52186 CRITICAL Act Now

SQL injection in the UTT nv518G security gateway (firmware nv518GV3v3.2.7-210919-161313) lets remote attackers inject arbitrary SQL through the gohead/sub_463bbc component, which per the advisory escalates to arbitrary code execution on the device. The flaw is unauthenticated (CVSS 9.8, PR:N) and publicly available exploit code exists via a GitHub write-up, though it is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile), indicating no evidence of widespread automated exploitation yet.

SQLi RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-24270 CRITICAL Act Now

Authentication bypass in NVIDIA AIStore, a scalable distributed object-storage framework for AI/ML data pipelines, lets a remote attacker circumvent access controls (CWE-290) and reach protected functionality without valid credentials. Because the flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8), successful exploitation can enable information disclosure of stored datasets, tampering with training data, privilege escalation, and denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Nvidia Denial Of Service Information Disclosure Aistore Framework
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2026-57692 CRITICAL Act Now

Privilege escalation in the LCweb PrivateContent WordPress plugin (all versions up to and including 9.9.2) lets attackers obtain permissions beyond those intended, driven by an incorrect privilege assignment flaw (CWE-266). The Patchstack-assigned CVSS of 9.8 (network, no privileges, no user interaction) implies an attacker could gain administrator-level control over a WordPress site's protected content and settings. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Privatecontent
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-14405 CRITICAL PATCH Act Now

Arbitrary code execution within the renderer sandbox in Google Chrome's V8 JavaScript engine (versions prior to 150.0.7871.46) can be triggered when a victim loads a crafted HTML page. The flaw stems from use of uninitialized memory in V8 and, while carrying a high CVSS base score of 9.6, was rated only Low severity by Chromium because code execution is confined inside the renderer sandbox and still requires a separate sandbox escape for full host compromise. No public exploit identified at time of analysis, and CISA's SSVC framework marks exploitation status as none.

RCE Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-14392 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Tint WebGPU shader compiler affects all Desktop builds prior to 150.0.7871.46, where a crafted HTML page triggers an out-of-bounds write (CWE-787) that a remote attacker can leverage to break out of the renderer sandbox. Reported internally by the Chrome team and rated High by Chromium, the flaw carries a CVSS 9.6 due to its scope-changing memory-corruption impact, but there is no public exploit identified at time of analysis and CISA's SSVC records exploitation status as none. A vendor patch is already available, so the practical priority is rapid browser updating rather than emergency mitigation.

Memory Corruption Buffer Overflow Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14387 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Skia graphics library affects all desktop builds prior to 150.0.7871.46, where an integer overflow triggered by a crafted HTML page can break out of the renderer sandbox into the more-privileged browser process. A remote attacker who lures a victim to a malicious page could potentially compromise the host beyond the rendering sandbox. There is no public exploit identified at time of analysis, and CISA SSVC scores exploitation as 'none'.

Buffer Overflow Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14382 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker break out of the renderer sandbox when a victim visits a crafted HTML page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE and carries a critical 9.6 CVSS score due to the scope-changing sandbox escape. Google has shipped a fix and rates the Chromium severity as High; there is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14397 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for macOS (versions prior to 150.0.7871.46) stems from an out-of-bounds write in ANGLE, the graphics abstraction layer that translates WebGL/OpenGL ES calls to native backends (Metal on Mac). A remote attacker who lures a victim to a crafted HTML page can corrupt memory in the GPU/graphics process to potentially break out of the renderer sandbox. There is no public exploit identified at time of analysis; Google rated the Chromium severity as Medium, and CISA's SSVC framework marks exploitation as none, though the CVSS base score is 9.6 due to the scope-changing sandbox-escape impact.

Memory Corruption Buffer Overflow Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14416 CRITICAL PATCH Act Now

Out-of-bounds read in the Dawn WebGPU implementation of Google Chrome before 150.0.7871.46 lets a remote attacker who lures a victim to a crafted HTML page potentially escape the renderer sandbox and disclose out-of-bounds memory. The upstream Chromium team rated the security severity as Low, yet the associated CVSS 3.1 base score is 9.6 due to a scope change and high triad impact. There is no public exploit identified at time of analysis, and the CISA SSVC decision framework records exploitation as none and automatable as no.

Google Buffer Overflow Information Disclosure Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14420 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Dawn WebGPU implementation prior to 150.0.7871.46 lets a remote attacker use a crafted HTML page to trigger an out-of-bounds read and write, potentially breaking out of the renderer sandbox. Rated Critical by Chromium with a CVSS of 9.6 (scope-changed), it requires the victim to visit a malicious page but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Google Buffer Overflow Information Disclosure Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14411 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics component before 150.0.7871.46 lets a remote attacker break out of the renderer sandbox when a victim loads a malicious web page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE and carries a CVSS 9.6 due to scope change and full CIA impact, though exploitation requires the user to visit attacker-controlled content. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with SSVC exploitation status assessed as none.

Information Disclosure Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14390 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics layer lets a remote attacker who lures a victim to a crafted HTML page break out of the renderer sandbox and gain code execution in a higher-privilege context. All Chrome desktop builds prior to 150.0.7871.46 are affected. Chromium rated the underlying use-after-free High severity; no public exploit has been identified at time of analysis and SSVC records exploitation status as none.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14423 CRITICAL PATCH Act Now

Sandbox escape via type confusion in Tint, the WGSL shader compiler within Chrome's Dawn/WebGPU stack, affects Google Chrome desktop versions prior to 150.0.7871.46. A remote attacker who lures a victim to a crafted HTML page can trigger the flaw (CWE-843) to potentially break out of the renderer/GPU sandbox and gain broader access on the host. Rated High by Chromium with a CVSS 9.6 (scope-changed), though there is no public exploit identified at time of analysis and CISA SSVC currently records exploitation status as 'none'.

Memory Corruption Information Disclosure Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14425 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics component affects all desktop builds prior to 150.0.7871.46, where a use-after-free condition lets a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Chromium rates the severity High and a fixed stable-channel build is available, but SSVC records no observed exploitation and no public exploit identified at time of analysis. The high CVSS (9.6) is driven by the scope change inherent to sandbox escape rather than confirmed real-world abuse.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14419 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Skia graphics library affects all desktop Chrome builds prior to 150.0.7871.46, where a use-after-free (CWE-416) triggered by a crafted HTML page can let a remote attacker break out of the renderer sandbox. Google rates the Chromium severity Critical and CVSS is 9.6, but there is no public exploit identified at time of analysis and CISA's SSVC records exploitation status as none. A vendor patch is available in the June 2026 Stable channel release.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14417 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Dawn (WebGPU) component affects all desktop builds prior to 150.0.7871.46, where a use-after-free lets a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Google rates the Chromium severity Critical, and the CVSS 3.1 score of 9.6 reflects a scope-changing memory-corruption bug. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though a vendor patch is already shipping in the Stable channel.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14424 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on macOS (versions prior to 150.0.7871.46) stems from a use-after-free in Dawn, Chrome's WebGPU/graphics abstraction layer, and allows a remote attacker who lures a victim to a crafted HTML page to potentially break out of the renderer sandbox and gain higher-privileged code execution on the host. The flaw is rated High by Chromium and carries a CVSS 9.6 due to its network attack vector, low complexity, and scope change. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, and CISA's SSVC framework currently marks exploitation as 'none' though technical impact as 'total'.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14398 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 150.0.7871.46 lets a remote attacker break out of the renderer sandbox when a victim opens a crafted HTML page. Rated Critical by Chromium with a 9.6 CVSS score, the flaw is a use-after-free (CWE-416) requiring only that the target visit a malicious site. No public exploit or active exploitation is identified at time of analysis, and CISA's SSVC assessment lists exploitation as none.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-10539 CRITICAL Act Now

Unauthenticated command execution in BMC Control-M/Server (versions 9.0.20.x through 9.0.21.200) arises because a Control-M/Server communication command fails to sufficiently filter or sanitize user-supplied input, allowing an attacker to run unauthorized commands and potentially fully compromise the affected server. The flaw carries a critical CVSS 4.0 base score of 9.5 and is classified as an authentication bypass by Airbus, who reported it. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Control M Server
NVD VulDB
CVSS 4.0
9.5
EPSS
0.2%
CVE-2026-7840 CRITICAL Act Now

Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reach the built-in HTTP administration port (default TCP 80) to overflow a fixed 1000-byte global buffer and corrupt adjacent .bss globals, leading to arbitrary code execution on the host. The flaw lives in wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c, where the request URI is copied via unchecked sprintf before any authentication check runs. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 combined with pre-auth network reachability makes this a high-priority issue.

Memory Corruption Buffer Overflow RCE Ultravnc
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
1.2%
CVE-2026-14439 CRITICAL PATCH Act Now

Privilege-escalating remote code execution in the Git Service shared by Altium Enterprise Server and Altium 365 lets an authenticated user with basic git access abuse post-clone file-manipulation operations to move arbitrary files outside the repository, plant executable script content, and run code as the Git Service account. On multi-tenant Altium 365 cloud nodes this also created a cross-tenant data-exposure path. No public exploit identified at time of analysis; the CVSS 4.0 score of 9.4 (Critical) reflects full confidentiality, integrity and availability impact with only low privileges required.

Path Traversal RCE
NVD
CVSS 4.0
9.4
EPSS
0.6%
CVE-2026-34116 CRITICAL Act Now

OS command injection in Guardian language-system's transcribe.php lets an unauthenticated remote attacker inject arbitrary shell commands through the 'id' GET parameter, which is concatenated directly into a PHP exec() call. Because no authentication or user interaction is required and the flaw yields full command execution, it maps to a CVSS 4.0 score of 9.3 with high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis, though a public gist writeup and a VulnCheck advisory document the issue.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34111 CRITICAL Act Now

OS command injection in the Guardian language-system lets unauthenticated remote attackers run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter, which speechmac_text.php concatenates directly into a PHP exec() call. The CVSS 4.0 base score is 9.3 (critical) with full compromise of confidentiality, integrity, and availability, and no authentication or user interaction is needed. No public exploit identified at time of analysis, though a referenced gist and the VulnCheck advisory may contain technical exploitation detail.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34110 CRITICAL Act Now

OS command injection in Guardian language-system allows an unauthenticated remote attacker to execute arbitrary shell commands by injecting metacharacters into the 'id' GET parameter of complex_start.php, which is passed unsanitized into a PHP exec() call. No authentication or user interaction is required, and the CVSS 4.0 score of 9.3 (Critical) reflects full compromise of confidentiality, integrity, and availability. A public gist demonstrating the flaw means publicly available exploit code exists, though it is not listed in CISA KEV.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34108 CRITICAL Act Now

OS command injection in the Guardian language-system lets an unauthenticated remote attacker execute arbitrary operating-system commands on the hosting server. The flaw arises because text.php passes the user-controlled 'id' GET parameter straight into a PHP exec() call without sanitization, allowing shell metacharacters to break out of the intended command. The CVSS 4.0 base score is 9.3 (network vector, no privileges, no user interaction); no public exploit is identified at time of analysis, though a referenced gist and a VulnCheck advisory document the issue.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34117 CRITICAL Act Now

Unauthenticated OS command injection in the Guardian language-system PHP application lets remote attackers run arbitrary operating-system commands by injecting shell metacharacters into the 'id' GET parameter of text_to_subtitles.php, which is concatenated directly into a PHP exec() call. Any internet-reachable instance can be fully compromised without credentials or user interaction, and the CVSS 4.0 base score of 9.3 reflects full confidentiality, integrity, and availability loss. No public exploit identified at time of analysis, though a VulnCheck advisory and a technical gist describe the exact vulnerable code path.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34115 CRITICAL Act Now

OS command injection in Guardian language-system's transcribe_amazon.php allows an unauthenticated remote attacker to run arbitrary operating-system commands on the host. The id GET parameter is concatenated directly into a PHP exec() call that shells out to a transcription job, so appending shell metacharacters (e.g. ; | `) yields command execution with the privileges of the web server. No authentication or user interaction is required (PR:N/UI:N), and a public gist reference exists that may contain proof-of-concept details, though active exploitation is not confirmed in CISA KEV.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34114 CRITICAL Act Now

OS command injection in Guardian Language System's translate_text.php allows unauthenticated remote attackers to execute arbitrary operating-system commands by injecting shell metacharacters into the 'id' GET parameter, which is concatenated directly into a PHP exec() call. Because no authentication is required and the CVSS 4.0 vector is AV:N/AC:L/PR:N/UI:N, exploitation is trivial and yields full command execution in the web server's context. There is no public exploit identified at time of analysis, though a VulnCheck advisory and a public gist document the flaw.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34113 CRITICAL Act Now

Unauthenticated OS command injection in Guardian language-system's speech_text.php allows remote attackers to execute arbitrary shell commands by injecting metacharacters into the id GET parameter, which is passed unsanitized into a PHP exec() call. No authentication is required (CVSS 4.0 base 9.3), giving full read/write/availability impact on the host. A referenced GitHub gist and a VulnCheck advisory document the flaw, indicating publicly available exploit details, though it is not listed in CISA KEV.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34112 CRITICAL Act Now

OS command injection in the Guardian language-system's speechmac.php enables unauthenticated remote attackers to run arbitrary operating-system commands by injecting shell metacharacters into the 'id' GET parameter, which is concatenated directly into a PHP exec() call. No credentials or user interaction are required, so any network-reachable instance can be fully compromised. This is a CWE-78 flaw carrying a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis, though a referenced gist may contain proof-of-concept material.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34109 CRITICAL Act Now

OS command injection in the Guardian language-system lets an unauthenticated remote attacker run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter, which speech.php passes unsanitized into a PHP exec() call. Rated CVSS 4.0 9.3 (Critical) with a fully remote, no-privilege, no-interaction vector, this is a direct pre-auth RCE. No CISA KEV listing or EPSS score is present in the provided data, and no confirmed public exploit is identified, though a referenced GitHub gist and a VulnCheck advisory document the flaw.

Command Injection PHP
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-23537 CRITICAL PATCH Act Now

Arbitrary file write in the Feast Feature Server's `/save-document` endpoint lets an unauthenticated remote attacker write attacker-controlled JSON to the host filesystem, bypassing the endpoint's path restrictions to overwrite application configuration or startup scripts. Because no credentials are required (CVSS 9.1, PR:N), any network-reachable attacker can corrupt system integrity, cause denial of service through disk exhaustion, or potentially achieve remote code execution. This flaw also ships in Red Hat OpenShift AI (RHOAI), which bundles Feast; there is no public exploit identified at time of analysis and it is not in CISA KEV.

Authentication Bypass Denial Of Service RCE Feast Feature Server Red Hat Openshift Ai Rhoai
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.6%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy