Skip to main content
CVE-2026-11880 LOW POC PATCH Monitor

Subscription cancellation authorization bypass in the Fluent Forms WordPress plugin (all versions before 6.2.1) permits any authenticated low-privilege user to cancel subscriptions belonging to other site members by submitting a crafted request referencing a victim's subscription identifier. The plugin fails to verify that the requesting user owns the referenced subscription before processing the cancellation, a classic Insecure Direct Object Reference (IDOR) pattern. A public proof-of-concept is available via WPScan; no confirmed active exploitation campaign (CISA KEV) has been identified at time of analysis, and the CVSS base score of 3.1 reflects the limited, integrity-only impact.

WordPress Information Disclosure Fluent Forms
NVD WPScan VulDB
CVSS 3.1
3.1
EPSS
0.1%
CVE-2025-15666 LOW POC Monitor

Heap-based buffer overflow in Open Asset Import Library (Assimp) versions up to 5.4.3 allows a local attacker with low privileges to corrupt heap memory by supplying a crafted 3D model file with manipulated width or height values to the SceneCombiner::Copy function in code/Common/SceneCombiner.cpp. A public proof-of-concept exploit has been disclosed via GitHub issue #6079, elevating real-world risk despite the local-only attack vector. No confirmed patched release has been independently verified at time of analysis, and exploitation conditions require only low-privilege local access with no user interaction beyond loading the malicious file.

Heap Overflow Buffer Overflow Assimp
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-44042 LOW Monitor

UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authentication Base64 decoder, where a strict greater-than comparison at `repeater/webgui/webutils.c:817` fails to block an input whose length exactly equals the 1024-byte output buffer. Under current code, the outer HTTP request parser incidentally caps Authorization header length before the defect can produce an out-of-bounds write, making this vulnerability practically unexploitable in its present form - but the flaw is real and would become a one-byte stack write if upstream buffering constraints change. No public exploit code exists and the vulnerability is not listed in CISA KEV; this is a latent memory-safety defect requiring patch application as hygiene rather than urgent incident response.

Buffer Overflow Ultravnc
NVD GitHub
CVSS 3.1
3.7
EPSS
0.3%
CVE-2026-54260 LOW PATCH Monitor

Wagtail CMS versions prior to 7.0.8, 7.3.3, and 7.4.2 expose a resource exhaustion vector where authenticated admin users can submit purposefully crafted image filter specification strings that trigger disproportionately expensive rendition processing on the server, resulting in service degradation for all site users. The vulnerability is constrained to admin-level authenticated users and cannot be triggered by ordinary unauthenticated site visitors, materially limiting real-world attack surface. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the low-priority tier for most deployments.

Python Denial Of Service Wagtail
NVD GitHub
CVSS 3.1
2.7
EPSS
0.2%
CVE-2026-8387 LOW PATCH Monitor

Zip slip (relative path traversal) in ClearML's StorageManager._extract_to_cache() allows a network-positioned attacker to write arbitrary files to the host filesystem, with confirmed RCE potential via cron job injection, SSH authorized_keys overwrite, or web shell deployment. Affected are all versions up to and including 1.16.5; the official CVSS score of 2.4 with I:L severely understates the real-world impact given the documented RCE paths. No KEV listing and no EPSS data were provided, but the presence of a public bounty report and a confirmed fix commit indicates the issue is verified. The fix is available in version 2.1.6.

Path Traversal RCE Allegroai Clearml
NVD GitHub
CVSS 3.0
2.4
EPSS
0.4%
CVE-2026-54786 LOW PATCH Monitor

Resource exhaustion in Wasmtime's native WASIp1 implementation allows low-privileged WebAssembly guests to exhaust host-level file descriptors and OS resources by repeatedly invoking fd_renumber in a loop. The affected versions span four distinct release branches - all pre-24.0.10, 25.x-35.x, 37.x-44.x, and 45.0.0-45.0.1 - but only runtimes that both expose fd_renumber and grant guests the ability to open files are vulnerable. No public exploit code exists and the issue is not listed in CISA KEV; however, the attack is mechanically straightforward once the conditions are met, making patching the primary defense.

Information Disclosure Wasmtime
NVD GitHub
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-58036 LOW PATCH Monitor

Insufficient permission enforcement in MediaWiki's user query API endpoints allows low-privileged authenticated users to access sensitive user information - such as group memberships or account details - that permission controls should restrict. The vulnerability spans four source files: ApiQueryAllUsers.php, ApiQueryUsers.php, PermissionManager.php, and UserGroupManager.php, indicating that the flaw lies in how permission checks are applied (or bypassed) when the API serializes user data. No public exploit code exists and the CVSS 4.0 score of 2.1 reflects the constrained real-world exploitability. No confirmed active exploitation (CISA KEV) has been reported.

PHP Information Disclosure Mediawiki
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-48978 LOW PATCH GHSA Monitor

Unvalidated bearer realm URL handling in oras-go v2 ≤ 2.6.0 enables two distinct attack primitives against users who run oras operations against a malicious, compromised, or man-in-the-middle'd registry: server-side request forgery (SSRF) to internal network endpoints including cloud instance metadata services, and TLS downgrade that exposes user credentials in plaintext. The OCI distribution spec legitimately allows cross-host realm references for split-auth deployments (e.g., Docker Hub's auth.docker.io pattern), but oras-go failed to block private IP literals, loopback addresses, and scheme downgrades from https to http - patterns that are never legitimate under any valid registry trust model. No active exploitation has been confirmed (not in CISA KEV), and a patch is available in v2.6.1.

SSRF Microsoft Docker
NVD GitHub
CVE-2026-49989 LOW POC PATCH GHSA Monitor

{table}/{digest}`) allows any authenticated user to read, write, or delete blobs across all blob tables, entirely circumventing the GRANT-based access control that the SQL path correctly enforces. Verified against CrateDB 6.2.7 and present since the blob HTTP handler was introduced, `io.crate.protocols.http.HttpBlobHandler` authenticates the connecting user but never invokes `AccessControl`, making blob operations permissible to any valid credential holder regardless of table-level privileges. A complete end-to-end Docker PoC is included in the report demonstrating both unauthorized read (HTTP 200) and unauthorized delete (HTTP 204) while the SQL path correctly returns a permission error for the same user; no KEV listing and no EPSS data are available at time of analysis.

Authentication Bypass Oracle Java Docker
NVD GitHub
CVE-2026-49826 LOW PATCH GHSA Monitor

Open redirect in Concourse's web login flow allows a remote unauthenticated attacker to craft a URL that silently redirects an authenticated user to an arbitrary external site upon completing the login process. Concourse versions prior to 8.2.3 are affected via the `/sky/login` endpoint's `redirect_uri` parameter. While no credentials are leaked server-side, the post-login redirect to an attacker-controlled site creates a high-fidelity phishing vector targeting CI/CD operators and developers - users who typically hold sensitive pipeline secrets and source-code access. No public exploit identified at time of analysis, though the advisory provides a fully working proof-of-concept URL.

Open Redirect
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy