Skip to main content
CVE-2026-38976 HIGH This Week

Denial of service in the mruby/c lightweight Ruby VM (all releases through 3.4.1) arises from a NULL pointer dereference in op_super()/OP_SUPER within src/vm.c, where a runtime guard for a top-level 'super' call is missing. When the interpreter executes a script that invokes 'super' outside of any method context, the VM dereferences a NULL pointer and crashes. There is no public exploit identified at time of analysis, and the low EPSS score (0.15%, 5th percentile) reflects limited exploitation interest; impact is confined to availability (CWE-476).

Denial Of Service Null Pointer Dereference N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-46592 HIGH PATCH This Week

Confused-deputy operation redirection in the Apache Camel camel-cxf SOAP component (versions 4.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0) lets an attacker steer which backend SOAP operation gets invoked. Because the operationName / operationNamespace selection headers lacked the Camel/camel prefix, HttpHeaderFilterStrategy failed to strip them at the HTTP boundary, so in any route bridging an HTTP consumer (e.g. platform-http) into a cxf: producer, an HTTP client could inject these headers and force CxfProducer to call a different WSDL operation than intended - for example swapping a read for a destructive write. No public exploit is identified at time of analysis, EPSS is low (0.15%), and it is not in CISA KEV.

Information Disclosure Microsoft Apache Apache Camel
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13708 HIGH PATCH This Week

Uncontrolled memory consumption in the Perl module Imager::File::JPEG (before 1.003, and bundled in Imager before 1.032) lets remote attackers exhaust process memory by submitting a JPEG containing many repeated APP13 (Photoshop/IPTC) markers. The i_readjpeg_wiol handler leaks the heap payload of every APP13 marker except the last on each read, so long-lived services that decode attacker-supplied images accumulate leaks until the process is killed, causing denial of service. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the fix (Imager::File::JPEG 1.003 / Imager 1.032) is available and the trigger is trivial to craft.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55075 HIGH PATCH GHSA This Week

Account takeover in Coder's OIDC login (versions before v2.34.2, v2.33.8, v2.32.7, and ESR v2.29.17) lets an attacker who controls a matching email address at the configured identity provider log in as a victim and seize their workspaces, templates and resources. Two chained flaws are responsible: email-based user matching silently linked accounts by email without verifying an existing IdP-subject link, and the email_verified claim was only honored when explicitly boolean false, so absent or malformed claims were treated as verified. CVSS is 7.4 (High) with no public exploit identified at time of analysis; the issue was privately reported by Anthropic's Security Team.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.5%
CVE-2026-55076 HIGH PATCH GHSA This Week

Account takeover in Coder's OIDC login flow allows an unauthenticated remote attacker to hijack an existing user account by registering the victim's email at a compatible identity provider. A Go `bool` type assertion on the `email_verified` claim failed open when an IdP returned the claim as a non-boolean (e.g. the string "false") or omitted it entirely, and an unconditional email-based account fallback then matched the attacker's session to the victim's account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was privately disclosed by Anthropic's Security Team and fixed across all supported release lines.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.5%
CVE-2026-55436 HIGH PATCH GHSA This Week

Man-in-the-middle interception affects the Coder AI Bridge Proxy (aibridgeproxyd), introduced in Coder v2.30.0, where the goproxy default transport set InsecureSkipVerify:true and only used a secure transport when an upstream proxy was configured. In the default no-upstream-proxy configuration, outbound HTTPS to the Coder access URL accepted any TLS certificate, letting an on-path attacker decrypt traffic and steal Coder session tokens, BYOK provider API keys, and full prompt/completion bodies. CVSS 7.4 (High); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, so risk hinges on an attacker already holding a network-adjacent position.

Code Injection
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.3%
CVE-2026-46588 HIGH This Week

Improper input validation in Apache Camel (versions through 4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.0) allows remote attackers to trigger information disclosure and limited integrity/availability effects against exposed Camel integration endpoints. The CVSS 3.1 base score is 7.3 (High) with a fully remote, unauthenticated vector, and the Apache-issued advisory tags the flaw as Information Disclosure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privilege vector warrants prompt patching.

Information Disclosure Apache Apache Camel
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-46587 HIGH This Week

Improper input validation in Apache Camel - the open-source Java integration framework - affects versions through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.0, and per the Apache-published advisory carries partial (Low) impact to confidentiality, integrity, and availability. Tagged as an Information Disclosure issue, it is remotely reachable per the CVSS network vector and appears to let a remote attacker submit malformed input that the framework fails to properly validate, potentially exposing limited data or perturbing message processing. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Apache Apache Camel
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-49042 HIGH This Week

Improper input validation in Apache Camel versions 4.8.0 through 4.18.2 and 4.19.0 through 4.20.0 allows remote unauthenticated attackers to send crafted input that the framework fails to validate, yielding limited information disclosure and partial integrity/availability impact per the CVSS vector. The flaw is reported directly by the Apache Software Foundation and is fixed in 4.18.3 and 4.21.0; there is no public exploit identified at time of analysis and it is not on the CISA KEV list. The moderate 7.3 (High) score reflects easy network reachability but limited per-impact severity (C:L/I:L/A:L).

Information Disclosure Apache Apache Camel
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-43866 HIGH PATCH This Week

Untrusted JMS deserialization in Apache Camel's JMS-family components (camel-jms, camel-sjms, camel-sjms2, camel-amqp, camel-activemq, camel-activemq6) lets an attacker who can publish an ObjectMessage to a consumed queue or topic inject arbitrary Exchange state - body, IN/OUT headers, properties, variables, exchange id and exception - into a Camel route. It affects 3.0.0 through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.x when mapJmsMessage (the default) is enabled and Camel acts as a JMS consumer. This is a bypass of the earlier CVE-2026-40860 hardening, requires no gadget chain (only java.lang/java.util types), carries CVSS 7.3, and has no public exploit identified at time of analysis (EPSS 0.18%).

Deserialization Microsoft Apache Apache Camel
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-55077 HIGH PATCH GHSA This Week

{user}/password, because the endpoint only checked ActionUpdatePersonal and never required the current password when an admin reset another user. A user-admin can therefore hijack an owner account and gain full deployment control, including self-assigning the owner role. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the practical blast radius is bounded by the need to already hold the privileged user-admin role.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.6%
CVE-2025-59617 HIGH This Week

Local privilege escalation and memory corruption in Qualcomm Snapdragon chipset drivers allows a malicious application to trigger a use-after-free by issuing multiple IOCTL calls that reference the same buffer file descriptor. The flaw affects a broad range of Snapdragon mobile, compute, connectivity (FastConnect/WCN/WCD/WSA) and XR platforms, and successful exploitation can corrupt kernel memory to gain high impact on confidentiality, integrity and availability. There is no public exploit identified at time of analysis, EPSS risk is very low (0.09%), and CISA SSVC rates exploitation as none.

Memory Corruption Buffer Overflow Use After Free Snapdragon
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-55501 HIGH PATCH GHSA This Week

Brute-force protection bypass in the 9router dashboard (npm package 9router) lets remote attackers defeat the login lockout by rotating the attacker-controlled X-Forwarded-For header on each request, giving every attempt a fresh rate-limit bucket. Because the CVSS vector is PR:N/UI:N, unauthenticated remote attackers can target any instance directly exposed or sitting behind a proxy that does not overwrite forwarding headers, enabling unlimited password guessing and, against default or weak credentials, full administrative takeover. A working exploit is published in the GitHub Security Advisory (GHSA-7cfm-pqrj-xgq7); the issue is not listed in CISA KEV and no EPSS score was provided.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.3
EPSS
0.5%
CVE-2026-54433 HIGH PATCH This Week

Cross-site scripting in Roundcube Webmail allows remote attackers to inject arbitrary script into a victim's authenticated mail session, with the CVSS scope-change flag indicating the payload can affect resources beyond the vulnerable component (e.g. the surrounding webmail DOM/session). The flaw was fixed in releases 1.6.17 and 1.7.2 announced on 2026-07-05 and was reported through Ubuntu's security tracker; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is rated CVSS 7.2 driven largely by the scope change, though confidentiality and integrity impact are each only Low and availability is unaffected.

XSS Webmail
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-58213 HIGH PATCH This Week

Protocol injection in NATS Server MQTT support allows an authenticated MQTT client to smuggle control characters (tab, newline, carriage return, form feed) inside publish and Will topics, which corrupt the NATS wire protocol when the topic is converted to a NATS subject and forwarded across leaf node connections. Fixed in nats-server v2.12.9 and v2.14.1, the flaw (GHSA-qrcv-3558-gj4f, CWE-74) is tagged Information Disclosure and lets a low-privileged publisher influence how messages are framed and routed to other connections. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Nats Server
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.4%
CVE-2026-55514 HIGH PATCH This Week

Denial of service in vLLM 0.12.0 through 0.23.x lets any authorized API caller crash the entire inference server by submitting a pure prompt-embeddings payload to the /v1/completions endpoint when a model using M-RoPE (multimodal rotary position embedding) is loaded. The malformed request trips a reachable assertion in the EngineCore process, which terminates the whole server rather than rejecting the single request. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is fixed in vLLM 0.24.0.

Denial Of Service Vllm
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-59196 HIGH PATCH This Week

Arbitrary file write via path traversal in pnpm prior to 10.34.4 and 11.7.0 lets a crafted lockfile place or overwrite files outside the intended hoisted node_modules directory when a victim installs dependencies. A malicious pnpm-lock.yaml can supply an alias containing traversal sequences (e.g. ../) to escape the module directory, or use reserved aliases like .bin or .pnpm to clobber pnpm-owned layout, enabling integrity compromise of the install tree. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is remotely deliverable through shared repositories or packages and requires only that a user run an install.

Path Traversal Pnpm
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-59194 HIGH PATCH This Week

Arbitrary file deletion in pnpm before 10.34.4 and 11.7.0 allows a malicious project to delete any file reachable by the user when they run 'pnpm patch-remove'. A crafted patch entry escapes the configured patches directory via path traversal (CWE-22), so cloning or installing an attacker-controlled repository and running the patch-remove command destroys files outside the project. No public exploit identified at time of analysis and it is not on CISA KEV; exploitation requires the victim to run the specific command against poisoned configuration.

Path Traversal Pnpm
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-21383 HIGH This Week

Sensitive key material can be exposed in Qualcomm Snapdragon platforms because AES-GCM key wrapping is performed with a hardcoded/static initialization vector instead of a unique per-call nonce. A local, low-privileged attacker who can collect multiple wrapped outputs can exploit the resulting IV/nonce reuse to recover confidentiality and forge integrity of wrapped keys. There is no public exploit identified at time of analysis, and the issue is disclosed via Qualcomm's July 2026 security bulletin.

Information Disclosure Snapdragon
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-55787 HIGH POC PATCH GHSA This Week

Server-side request forgery in flyto-core (Python pip package) lets an authenticated workflow author bypass the built-in SSRF guard by encoding internal targets as IPv6 transition-form literals (IPv4-mapped `::ffff:127.0.0.1`, 6to4 `2002::/16`, or NAT64 `64:ff9b::/96`), causing the `http.get` atomic module and ~10 sibling fetch modules to perform outbound reads against loopback, RFC 1918, and cloud instance-metadata endpoints and return the response body. The reporter provides a full working end-to-end reproduction against a clean install of default-branch HEAD, so publicly available exploit code exists, though there is no evidence of active exploitation and no CISA KEV listing. CVSS 3.1 base is 7.1 (High); no EPSS score was supplied.

SSRF Python Google
NVD GitHub
CVSS 3.1
7.1
CVE-2026-13705 HIGH PATCH This Week

Heap out-of-bounds read in the Perl Imager module (versions before 1.032) lets a crafted SGI image over-read past a decode buffer and crash the process. The flaw lives in the bundled Imager::File::SGI reader's read_rgb_16_rle routine, where a 16-bit RLE literal run is length-checked in pixels but consumed as two bytes per pixel, defeating the bounds guard. No public exploit is identified at time of analysis and it is not listed in CISA KEV; a vendor patch shipped in 1.032.

Buffer Overflow Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-40047 CRITICAL PATCH Act Now

Argument injection and directory traversal in Apache Camel's camel-docling component (4.15.0 before 4.18.3) let attackers who can influence the CamelDoclingCustomArguments or path-bearing exchange headers inject unintended docling CLI flags and traversal-laden path values into the externally executed docling tool. Because the original DoclingProducer validation relied on a flag denylist and only rejected literal '../' sequences, crafted arguments could reach the subprocess and resolve files outside the intended directory, yielding high confidentiality and integrity impact but no OS command injection (ProcessBuilder uses the list form, so no shell interprets the values). There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; EPSS is low (0.79%, 52nd percentile).

Command Injection Path Traversal Microsoft Apache Apache Camel
NVD VulDB
CVSS 3.1
9.1
EPSS
0.8%
CVE-2026-44934 HIGH PATCH This Week

Information disclosure in SUSE Rancher AI Agent 1.0 before 1.0.2 writes API keys and raw LLM response text (which may contain sensitive data) into logfiles when the DEBUG loglevel is enabled, letting a local attacker with access to those logs harvest credentials and confidential model output. Rated CVSS 4.0 base 7.0, the flaw requires local access and high privileges plus a non-default debug configuration. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Rancher
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-25271 HIGH This Week

Local privilege escalation via memory corruption in Qualcomm Snapdragon platforms occurs when asynchronous input parameters are validated and then re-read after modification, a time-of-check/time-of-use race that yields total compromise of confidentiality, integrity, and availability. Affecting a broad range of Snapdragon connectivity, WCD codec, WSA, and compute SoCs, a local low-privileged attacker who can win the race can corrupt memory and gain elevated code execution. No public exploit has been identified at time of analysis and EPSS is negligible (0.09%), but the CVSS 7.0 and 'total' SSVC technical impact make it a meaningful firmware/driver patch target.

Buffer Overflow Snapdragon
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-54764 MEDIUM PATCH This Month

Header injection in Traefik's ForwardAuth middleware allows unauthenticated remote attackers to manipulate the X-Forwarded-Port value sent to authentication backends, enabling bypass of port-based authorization checks. Affected are all Traefik v2.x prior to v2.11.51, v3.6.x from 3.0.0 prior to v3.6.22, and v3.7.x from 3.7.0 prior to v3.7.6. The flaw persists even when the trustForwardHeader: false safeguard is active, because the port derivation logic reads the original incoming request rather than the sanitized forwarded context. No public exploit code has been identified at time of analysis, and vendor-released patches are available.

Authentication Bypass Traefik
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-14792 MEDIUM PATCH This Month

Improper access control in Formbricks 5.0.0 allows remote unauthenticated attackers to bypass authorization checks in the link survey handler, enabling unauthorized manipulation of survey data with limited integrity and availability impact. The flaw resides in the Survey Handler component (apps/web/modules/survey/link/actions.ts) and is tagged as an authentication bypass, confirmed by the CVSS 4.0 PR:N metric indicating no credentials are required. No active exploitation has been confirmed and no public exploit code has been identified; a patch is available as release candidate 5.1.0-rc.1.

Authentication Bypass Formbricks
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-53935 MEDIUM PATCH GHSA This Month

Traffic hijacking in Cilium's CiliumLocalRedirectPolicy (CLRP) mechanism allows a cluster user with RBAC permission to create CLRPs to specify arbitrary ClusterIPs via the addressMatcher field, redirecting service traffic across namespace boundaries and circumventing the namespace-scoping guarantees that serviceMatcher is designed to enforce. Affected versions span Cilium v1.17 (all prior to v1.17.16), v1.18.2-v1.18.9, and v1.19.0-v1.19.3. A compounding secondary behavior causes complete service translation failure when a maliciously crafted CLRP is deleted, enabling a denial-of-service condition against any targeted Service. No public exploit has been identified at time of analysis, and exploitation is constrained to users holding elevated cluster RBAC privileges; this is not confirmed actively exploited (CISA KEV).

Open Redirect
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.3%
CVE-2026-43925 MEDIUM PATCH This Month

Unauthenticated mass assignment in FOSSBilling's client self-registration endpoint (all versions prior to 0.8.0) allows any visitor to inject an arbitrary client group identifier during signup, bypassing group-based access controls on promotional codes. Attackers who successfully place themselves into a privileged group can redeem group-restricted discount codes and receive unauthorized price reductions. No public exploit or active exploitation has been identified; the CVSS 4.0 score of 6.9 reflects a limited, integrity-only impact with no confidentiality or availability consequence, and the erroneous 'RCE' source tag should be disregarded as inconsistent with the description and impact metrics.

RCE
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-9182 CRITICAL Act Now

Unrestricted file upload in Esri ArcGIS Server (all versions through 12.0) lets a remote, unauthenticated attacker push arbitrary files to an exposed administrative/upload endpoint, per CVSS PR:N. Esri self-reported the flaw (CWE-434) and rates it critical (CVSS 9.8), and successful upload of an executable payload can lead to full server compromise. There is no public exploit identified at time of analysis, and EPSS is low (0.22%, 13th percentile), indicating it is not yet a mass-exploitation target.

File Upload Arcgis Server
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-43927 MEDIUM PATCH This Month

Race condition in FOSSBilling's cart checkout flow allows authenticated clients to exploit promo codes beyond their configured usage limits by submitting concurrent checkout requests. Affected versions prior to 0.8.0 fail to atomically check and increment promo code usage counts (CWE-367), enabling a single limited-use or one-time-use code to be redeemed unlimited times. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the attack is straightforward to automate for any authenticated user with knowledge of a valid promo code.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-33734 MEDIUM PATCH This Month

SQL injection in FOSSBilling's Massmailer module exposes the application database to read access by authenticated administrators who can supply crafted filter values during mass email message updates. Affected versions span 0.6.0 through 0.7.2, with the fix shipped in version 0.8.0. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the high confidentiality impact (VC:H per CVSS 4.0) means a malicious or compromised administrator account could extract sensitive billing and client data from the underlying database.

SQLi Fossbilling
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-24013 CRITICAL PATCH Act Now

Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauthenticated attacker forge the sessionId parameter on certain Thrift RPC query handlers and retrieve valid query results without ever calling openSession. This exposes stored time-series data to arbitrary readers. No public exploit identified at time of analysis, and EPSS is low (0.20%, 10th percentile) despite the 9.1 CVSS, so exploitation is not confirmed in the wild.

Authentication Bypass Apache Apache Iotdb
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-46454 CRITICAL PATCH Act Now

Unauthenticated Camel control-header injection in Apache Camel's camel-cometd component (4.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0) lets any client that completes a Bayeux/CometD handshake inject internal headers such as CamelHttpUri, CamelFileName or CamelJmsDestinationName into the Camel Exchange, hijacking the behaviour of downstream producers. Because a CometdComponent installs no Bayeux SecurityPolicy by default, no authentication is required (PR:N), and the injected headers survive internal direct/seda/vm hops. Reported by Apache with a fix in 4.21.0; there is no public exploit identified at time of analysis and EPSS is low at 0.19% (9th percentile).

RCE Microsoft Apache Apache Camel
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-43867 CRITICAL PATCH Act Now

Java object deserialization in the Apache Camel camel-pqc component allows code execution in the key-management application when an attacker who can write to the backing AWS Secrets Manager secret stores a malicious serialized payload. The flaw affects Apache Camel 4.18.0-4.18.2 and 4.19.0-4.20.x, where AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() calls a raw ObjectInputStream.readObject() with no class filter, so gadget side effects fire before the KeyMetadata cast. Rated CVSS 9.8 by Apache, but exploitation genuinely requires IAM write access to the specific secret; there is no public exploit identified at time of analysis and EPSS is low at 0.19% (8th percentile).

Deserialization Hashicorp RCE Apache Apache Camel
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-46455 CRITICAL PATCH Act Now

Authentication token-lifetime bypass in the Apache Camel Keycloak component (camel-keycloak) affects versions 4.18.0-4.18.2 and 4.19.0-4.20.x, allowing expired or not-yet-valid Keycloak access tokens to be accepted as valid. The KeycloakSecurityHelper builds its TokenVerifier via withChecks() with only subject and issuer checks, so Keycloak's IS_ACTIVE exp/nbf validation is never installed, and any route relying on this helper will trust tokens outside their intended lifetime. NVD scores it CVSS 9.8, though EPSS is low (0.15%, 5th percentile) and there is no public exploit identified at time of analysis.

Information Disclosure Apache Apache Camel
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-55438 MEDIUM PATCH GHSA This Month

Cross-origin request forgery via CORS same-owner bypass in Coder's subdomain workspace app proxy allows an authenticated attacker to exfiltrate data from a victim's workspace apps. The flaw exists across Coder release lines 2.29 through 2.34, and was disclosed by Anthropic's Security Team. No public exploit exists and no CISA KEV listing is present, but the vulnerability is directly exploitable against any deployment with wildcard subdomain routing enabled, making prompt patching critical for affected configurations.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-55430 MEDIUM PATCH GHSA This Month

Cross-boundary information disclosure in Coder's workspace app proxy allows an attacker who controls a shared workspace app to read a victim user's private app responses by forging the X-Forwarded-Host header. The proxy trusts this client-supplied header for routing decisions while simultaneously authorizing the request with the victim's own session cookie - which the browser attaches to any subdomain because cookies are scoped to the wildcard parent domain - enabling the attacker to steer responses from private apps back through their own JavaScript. Exploitation requires subdomain app routing (wildcard hostname) to be enabled and the victim to visit the attacker's shared app; no public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure
NVD GitHub
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-55079 MEDIUM PATCH GHSA This Month

Uncontrolled memory allocation in Coder's provisioner daemon allows an authenticated user to crash the entire coderd deployment with a single ~50-byte network message. The vulnerability exists in the NewDataBuilder function within provisionersdk/proto/dataupload.go, which blindly allocates a byte slice using a client-supplied FileSize field from a DataUpload DRPC message, with no upper-bound validation. By declaring a massive FileSize value such as 1 TiB, an attacker with provisioner daemon credentials can trigger a Go runtime out-of-memory abort, terminating coderd and denying service to all users of the deployment. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.

Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-55078 MEDIUM PATCH GHSA This Month

Denial of service in Coder's coderd server allows any authenticated user with file-upload access to exhaust server memory by uploading a crafted zip bomb via POST /api/v2/files, crashing the service before RBAC checks execute. Affected versions span all supported release lines prior to v2.34.2, v2.33.8, v2.32.7, and v2.29.17 (ESR). No public exploit has been identified at time of analysis; the impact is strictly an availability loss - the advisory explicitly confirms no data disclosure or code execution is possible, contradicting the 'RCE' tag present in the intelligence feed.

Denial Of Service RCE
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-55434 MEDIUM PATCH GHSA This Month

Memory exhaustion in Coder's AI Bridge feature allows an authenticated member-level user to crash the entire control plane by sending arbitrarily large HTTP request bodies to provider endpoints such as `/api/v2/aibridge/anthropic/v1/messages`. Because AI Bridge runs in-process with `coderd`, a single crafted request can grow heap memory until the OS terminates the process, taking down the API server, workspace coordinator, and DERP relay simultaneously. No public exploit has been identified at time of analysis, but the vendor credits Anthropic's Security Team (ANT-2026-22443) with independent discovery, indicating external security research attention. Patched versions are available for the affected v2.33 and v2.34 release lines.

Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-58207 MEDIUM PATCH This Month

Denial of service in NATS Server (nats-io/nats-server) affects the HTTP monitoring endpoints /connz and /subsz, where attacker-controlled offset and limit pagination parameters trigger a signed integer overflow (Offset+Limit wrapping from math.MaxInt64 to math.MinInt64), producing invalid slice bounds and a server panic. Any client able to reach the monitoring interface can crash the broker, disrupting all connected messaging clients. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; the upstream fix clamps offsets using min/max bounds.

Information Disclosure Integer Overflow Nats Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-58251 MEDIUM PATCH This Month

CVE-2026-58251 has been reported by Ubuntu with no description, CVSS score, CWE classification, or technical details available at time of analysis. The affected component, attack vector, and impact are entirely unknown. No exploitation status, patch availability, or severity rating can be determined from the provided intelligence.

Authentication Bypass Nats Server
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-58252 MEDIUM PATCH This Month

CVE-2026-58252 is attributed to Ubuntu per vendor reporting, but no description, CVSS score, CWE classification, or technical details are available in the provided intelligence data. The vulnerability cannot be characterized beyond its association with the Ubuntu platform. Security teams should consult Ubuntu Security Notices (USN) directly for authoritative details as this record is effectively unpopulated.

Authentication Bypass Nats Server
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-41899 MEDIUM PATCH This Month

Unauthenticated access to Coolify's POST /api/feedback endpoint allows any remote attacker to forward arbitrary content directly to the operator's configured Discord webhook, enabling spam flooding, content injection, and webhook rate-limit abuse. All self-hosted Coolify instances prior to 4.0.0-beta.474 are affected, with CVSS AV:N/AC:L/PR:N/UI:N confirming zero-barrier network exploitation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the trivial exploit conditions (plain unauthenticated HTTP POST) make automated abuse straightforward.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-55646 MEDIUM POC PATCH This Month

Memory exhaustion in vLLM 0.22.0-0.23.0 allows authenticated API callers to crash or destabilize the inference server by uploading arbitrarily large audio files. The `/v1/audio/transcriptions` and `/v1/audio/translations` endpoints invoke `request.file.read()` to fully buffer multipart uploads into process memory before the `VLLM_MAX_AUDIO_CLIP_FILESIZE_MB` size guard is evaluated, meaning the size limit is checked only after the damage is done. No public exploit is identified at time of analysis; vendor-confirmed fix is available in version 0.24.0.

Denial Of Service Vllm
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-34050 MEDIUM PATCH This Month

Missing authorization in Coolify's Settings/Updates Livewire component allows any authenticated non-admin user to access the Updates settings page and modify auto-update behavior or trigger update checks. Affected versions span all releases prior to 4.0.0-beta.471 of the self-hosted server management platform. No public exploit code or CISA KEV listing exists at time of analysis, but the network-accessible nature and low authentication bar (any valid account) make this a meaningful integrity risk in multi-tenant or shared Coolify deployments.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-32718 MEDIUM PATCH This Month

Incorrect authorization in Coolify's API layer allows any holder of a read-scoped API token to invoke mutating validation endpoints - including cloud token validation and server validation - that should require write-level privileges. All Coolify deployments prior to version 4.0.0-beta.466 are affected. No public exploit or active exploitation has been identified at time of analysis, but the low attack complexity and network accessibility via API make this straightforward to abuse for any user who has been issued even a minimal API token.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14803 MEDIUM PATCH This Month

Memory exhaustion via uncontrolled recursion in Mojo::JSON's pure-Perl decoder allows network-accessible callers to cause denial of service in Mojolicious applications. All versions before 9.47 are affected when the pure-Perl decode path is active - specifically when Cpanel::JSON::XS is absent or MOJO_NO_JSON_XS=1 is set. No public exploit has been identified and EPSS sits at 0.19% (8th percentile), but the attack is conceptually trivial given the published patch diff and OSS-Security advisory.

Denial Of Service Mojo
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14898 MEDIUM PATCH This Month

Remote image auto-fetch in the OpenAI Codex desktop app for macOS (versions prior to 26.527.31326) enables silent exfiltration of session secrets via indirect prompt injection. An attacker who can place malicious instructions into content processed by Codex - such as a tool result, API response, or file read during a session - can manipulate the model into generating a Markdown image tag whose URL encodes sensitive data; the app then automatically fetches that URL, transmitting API keys, source code, or tool-returned data to an attacker-controlled server with no additional user action. No active exploitation is confirmed (not listed in CISA KEV), no public proof-of-concept is identified, and EPSS sits at 0.16% (6th percentile), indicating low current exploitation probability despite the high-value target profile of affected users.

Apple Information Disclosure Codex Desktop App For Macos
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-12154 MEDIUM This Month

Stored Cross-Site Scripting in the Reviews Widgets for Google, Yelp & TripAdvisor WordPress plugin (versions up to and including 2.7.3) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages by abusing the 'page_id' attribute of the [fbrev] shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or further exploitation within the victim's browser context. No public exploit code has been identified at time of analysis, and no KEV listing is present, but the contributor-level access bar is low in multi-author WordPress deployments.

WordPress XSS Google Reviews Widgets For Google Tripadvisor Yelp Recommendations
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy