Skip to main content
CVE-2026-49814 HIGH PATCH This Week

Arbitrary OS command execution in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025 and LTS2024 branches) lets a high-privileged, remotely-authenticated attacker run operating-system commands on the backup appliance by injecting special characters into an OS command context. The flaw was reported by Dell and is addressed in advisory DSA-2026-278; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because it grants full command execution on a data-protection appliance, successful exploitation can compromise the confidentiality, integrity and availability of backup data.

Command Injection Dell Powerprotect Data Domain
NVD VulDB
CVSS 3.1
7.2
EPSS
1.2%
CVE-2026-53478 HIGH This Week

Authenticated OS command injection in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, and LTS2024 7.13.1.0-7.13.1.70) lets a high-privileged remote attacker inject arbitrary operating-system commands and execute them on the appliance. Successful exploitation yields full confidentiality, integrity, and availability impact (CVSS 7.2), effectively giving an authenticated administrator command execution on the underlying OS of a backup/data-protection system. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Command Injection Dell Powerprotect Data Domain
NVD VulDB
CVSS 3.1
7.2
EPSS
1.2%
CVE-2026-49815 HIGH PATCH This Week

OS command injection in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and LTS2024 maintenance branches) lets an authenticated high-privileged remote attacker execute arbitrary operating-system commands on the appliance via improperly neutralized special characters (CWE-78). Because the attacker already holds elevated privileges, the flaw functions as a privilege-boundary and integrity break - turning administrative access into full underlying-OS command execution with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Dell and fixed in advisory DSA-2026-278.

Command Injection Dell Powerprotect Data Domain
NVD VulDB
CVSS 3.1
7.2
EPSS
1.1%
CVE-2026-58379 HIGH This Week

Heap-based buffer overflow in GIMP's Paint Shop Pro (PSP) image format parser lets an attacker achieve arbitrary code execution or crash the application when a victim opens a maliciously crafted PSP file. The flaw stems from incorrect buffer-size arithmetic on low bit-depth images, and affects GIMP as shipped across Red Hat Enterprise Linux 6 through 9. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; exploitation requires local file-open interaction (CVSS 7.3).

Heap Overflow Denial Of Service Buffer Overflow RCE Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2022-4990 HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** Improper Validation of Specified Quantity in Input in the ASUS AI Suite 3 driver allows a local user to bypass security validation and access restricted memory blocks. Rated high severity (CVSS 7.3). No vendor patch available.

Privilege Escalation Ai Suite 3
NVD
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-9148 HIGH This Week

Stored cross-site scripting in the Comments - wpDiscuz WordPress plugin (versions up to and including 7.6.56) allows unauthenticated guest commenters to persist malicious script by injecting into the 'Website' field, which is later rendered unescaped by getCommentAuthor(). The stored comment_author_url is interpolated directly into single-quoted HTML attributes without esc_url() or esc_attr(), so any visitor viewing an affected comment thread executes the attacker's payload in their browser session. No public exploit identified at time of analysis, but exploitation requires no authentication and the source-level root cause is documented in the WordPress plugin trac.

WordPress XSS Comments Wpdiscuz
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-13040 HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the 'real_val__' form-submission parameter, which later executes in the browser of any user who views the affected page. The flaw is amplified by a design weakness: the submission handler is registered through wp_ajax_nopriv_submit_nex_form with no nonce/CSRF verification, so no authentication or valid session is required to reach the vulnerable sink. There is no public exploit identified at time of analysis and no CISA KEV listing, but the unauthenticated, network-reachable nature makes it a practical mass-exploitation candidate against exposed WordPress sites.

WordPress XSS CSRF Nex Forms Ultimate Forms Plugin For Wordpress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-57988 HIGH PATCH This Week

Code execution via relative path traversal in Microsoft Edge (Chromium-based) allows a remote unauthenticated attacker to run arbitrary code when a user is lured into interacting with attacker-controlled content, consistent with the CVSS PR:N/UI:R vector. Rated CVSS 7.1 with high integrity impact (I:H), low availability impact (A:L), and no confidentiality impact (C:N). No public exploit identified at time of analysis (exploit maturity Unproven, E:U) and the CVE is not in CISA KEV, but an official vendor fix is available (RL:O).

Path Traversal Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.5%
CVE-2026-20779 HIGH PATCH This Week

TOTP two-factor authentication replay in Gitea 1.5.0 through 1.26.2 lets a captured valid one-time code be accepted multiple times instead of being invalidated after first use, weakening 2FA on both the web login flow and the Basic Auth X-Gitea-OTP header path. An attacker who observes a legitimate TOTP code (via interception, shoulder-surfing, or logging) can replay it within its validity window to authenticate as the victim. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is fixed in Gitea 1.26.3.

Gitea Information Disclosure Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
7.1
EPSS
0.5%
CVE-2026-57977 HIGH PATCH This Week

Spoofing in Microsoft Edge (Chromium-based) arises from a cross-site scripting (CWE-79) flaw that lets a network-based, unauthenticated attacker inject script into a generated web page, producing a convincing spoofed browser context after the victim interacts with malicious content. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R, C:L/I:H) reflects a high-integrity spoofing impact gated only by user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a patch through the MSRC update guide.

XSS Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.4%
CVE-2026-28740 HIGH PATCH This Week

Broken authorization in Gitea (self-hosted Git service) versions up to and including 1.26.2 lets a user who holds general repository access but has NOT been granted the Code unit permission read private source content by reusing Git LFS objects to authorize otherwise-restricted source objects. The flaw (CWE-639, tracked as GHSA-2m9v-5q2g-58vq) enables horizontal privilege escalation to confidential code within a repository. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch shipped in 1.26.3.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-58297 HIGH PATCH This Week

Information disclosure in Microsoft Edge for Android (Chromium-based) allows a network-based attacker to expose a victim's private personal information, but only after luring the user into interacting with attacker-controlled content (UI:R). The flaw carries a CVSS 7.1 rating driven by high confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A vendor patch is available via Microsoft's MSRC update guide.

Information Disclosure Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-58296 HIGH PATCH This Week

Information disclosure in Microsoft Edge for Android allows a remote unauthenticated attacker to exfiltrate private personal information over the network when a victim interacts with attacker-controlled content. The flaw carries a CVSS 7.1 with high confidentiality impact and stems from private data being exposed to an unauthorized actor (CWE-359); Microsoft has released a fix. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy