Skip to main content
CVE-2026-59800 CRITICAL POC PATCH GHSA Act Now

Remote unauthenticated OS command injection in 9Router before 0.4.44 lets attackers run arbitrary commands as root via the POST /api/tunnel/tailscale-install endpoint, which is excluded from the dashboard authorization middleware. The attacker-supplied sudoPassword field is piped to the stdin of a 'sudo -S sh' child process; when sudo does not prompt for a password, sh interprets that value as a shell command. Active exploitation evidence was reported by the Shadowserver Foundation on 2026-07-04; this is not (yet) listed in CISA KEV, and no public exploit code is referenced in the supplied data.

Command Injection
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
1.4%
CVE-2026-58473 CRITICAL POC PATCH Act Now

Instance-wide LLM configuration hijacking in Cognee before 1.2.0 lets any remote attacker self-register a normal account and overwrite the global LLM provider settings through the /api/v1/settings endpoint, which performs no admin or superuser authorization check. Because the configuration is held in a process-wide singleton cache, a single call redirects every user's LLM operations to an attacker-controlled endpoint, exfiltrating prompts, uploaded documents, extracted entities, and knowledge-graph content. This is confirmed publicly available exploit code exists (reported by VulnCheck, with a released vendor patch in v1.2.0), and the CVSS 4.0 score is 9.3 (Critical).

Authentication Bypass Cognee
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-23697 HIGH POC This Week

Remote code execution in Vtiger CRM before 8.4.0 lets an authenticated low-privileged user upload a malicious .phar file through the Documents module and execute arbitrary PHP. The extension denylist in config.inc.php omits .phar, and a stale Apache 2.2-syntax .htaccess is silently ignored on Apache 2.4, so the payload lands in a web-accessible directory reachable by unauthenticated HTTP - the attack begins authenticated but the final execution step is unauthenticated. Publicly available exploit code exists (published by VulnCheck/Jiva Security); no CISA KEV listing and no EPSS score were provided.

PHP Apache RCE File Upload Vtiger Crm
NVD VulDB
CVSS 4.0
8.7
EPSS
0.8%
CVE-2026-23698 HIGH POC This Week

Authenticated remote code execution in Vtiger CRM through version 8.4.0 lets an administrator upload a crafted ZIP archive through the ModuleManager import feature and drop executable PHP files directly into the web-root modules/ directory, yielding a persistent web shell. Because Apache resolves and executes those PHP files before Vtiger's routing layer runs, the resulting shell bypasses the application's authentication entirely and survives independently of the attacker's login session. Publicly available exploit code exists (VulnCheck / Jiva Security), though there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

PHP Apache RCE File Upload Vtiger Crm
NVD VulDB
CVSS 4.0
8.6
EPSS
0.9%
CVE-2026-57851 HIGH POC This Week

Local privilege escalation in MSI Feature Manager (GameGaraj) stems from its bundled KernCoreLib64.sys kernel driver exposing IOCTL handlers that any logged-on user can reach without administrator rights, granting arbitrary physical memory read/write and unrestricted I/O port access. Any low-privileged user on an affected Windows host can leverage this to manipulate kernel objects, tamper with kernel callbacks, bypass Protected Process Light (PPL), and disable endpoint security. Publicly available exploit code exists (published by VulnCheck), though there is no public exploit identified as being used in active attacks at time of analysis.

Privilege Escalation Kerncorelib64 Sys
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.2%
CVE-2026-58583 HIGH POC PATCH This Week

Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys version 1.0.7.2 lets a standard user map arbitrary physical memory via the \Device\PhysicalMemory object and gain kernel-level control. The flaw affects Lenovo systems shipping this signed color-management driver and is fixed in version 1.0.7.6. Publicly available exploit code exists; there is no public exploit identified as actively exploited (not in CISA KEV), though the vulnerability was reported by CISA (cisa-cg).

Privilege Escalation Lenovo Microsoft Color Management Driver
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-49471 HIGH POC PATCH GHSA This Week

Remote code execution in the Oraios Serena MCP coding toolkit (prior to v1.5.2) lets a malicious webpage hijack a developer's local coding agent via DNS rebinding. Serena's built-in web dashboard runs an unauthenticated Flask API on a fixed, predictable port with no auth, no CSRF protection, and no Host-header validation, so any site the victim visits while Serena is running can write attacker-controlled content into the agent's persistent memory store; because the agent autonomously reads that memory and can invoke execute_shell_command with shell=True, this chains to code execution on the developer's machine. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.

Authentication Bypass CSRF Python RCE Serena
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-42953 HIGH CISA Act Now

Arbitrary code execution via an out-of-bounds write (CWE-787) affects an industrial control system product covered by CISA ICS advisory ICSA-26-188-06, where an attacker can corrupt memory past an allocated buffer to run code in the context of the affected application. The CVSS 4.0 vector (AV:L/UI:A) indicates the flaw is triggered locally and requires a victim to actively interact - consistent with opening a malicious file or project in engineering/HMI software. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high-impact memory corruption and DHS ICS-CERT reporting warrant prompt patching in OT environments.

Memory Corruption Buffer Overflow RCE
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-49033 HIGH CISA Act Now

Local arbitrary code execution affects an unspecified industrial control system (ICS) product reported through CISA ICS-CERT (advisory ICSA-26-188-06). A stack-based buffer overflow (CWE-121) lets an attacker who can supply crafted input trigger memory corruption and run arbitrary code once a local user interacts with the malicious data, fully compromising confidentiality, integrity, and availability. No public exploit identified at time of analysis and the affected vendor/product is not disclosed in the available data.

Buffer Overflow Stack Overflow RCE
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-42958 HIGH CISA Act Now

Arbitrary code execution in an unnamed ICS/OT application arises from a use-after-free (CWE-416) triggered when the software parses a specially crafted file, letting an attacker run code in the context of the current process. The flaw was reported through CISA's ICS-CERT (advisory ICSA-26-188-06) and carries a CVSS 4.0 base score of 8.4; exploitation is local and requires a user to open the malicious file. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV.

Memory Corruption Buffer Overflow Use After Free RCE
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-34048 CRITICAL PATCH Act Now

Improper authorization in Coolify's terminal websocket bootstrap routes lets any low-privileged team member execute arbitrary commands on team-managed servers, because the routes verify only that a request is authenticated but never check whether the caller is authorized to use the terminal. Affecting all Coolify versions prior to 4.0.0-beta.471, this CWE-285 flaw carries a critical 9.9 CVSS score with a scope change, effectively granting shell access to underlying infrastructure from a minimal application role. No public exploit identified at time of analysis, but the low complexity and low privilege bar make it a high-priority patch.

Authentication Bypass Coolify
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-34047 CRITICAL PATCH Act Now

Privilege escalation via broken authorization in Coolify's self-hosted server/application management platform lets any authenticated low-privilege user reach terminal WebSocket functionality for resources outside their authorized scope, prior to version 4.0.0-beta.471. Because the terminal bootstrap routes skipped the expected authorization middleware, an attacker with a valid account can potentially execute commands on servers and containers they should not control. No public exploit identified at time of analysis, and there is no CISA KEV listing, but the fix is confirmed in release v4.0.0-beta.471.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-34037 CRITICAL PATCH Act Now

Cross-tenant resource access in Coolify (self-hosted PaaS) before 4.0.0-beta.464 lets an authenticated user of one team clone resources into, and access resources owned by, other teams. The cloneTo() Livewire action in ResourceOperations.php checks authorization on the source resource but resolves destination resources with unscoped Eloquent lookups, breaking multi-tenant isolation. Rated CVSS 9.9 with scope change; no public exploit identified at time of analysis, but a fixing commit and vendor advisory are published.

Authentication Bypass PHP Coolify
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-14345 CRITICAL Act Now

Remote code execution in the WPFunnels (Funnel Builder for WooCommerce) WordPress plugin versions up to and including 3.12.7 lets attackers write attacker-controlled 'postData' into a PHP-includeable .log file that wpfnl_show_log later renders with include_once, yielding server-side code execution. The initial injection is fully unauthenticated because the nonce guarding the optin endpoint is publicly emitted on every funnel step page, though execution only fires once an administrator opens the poisoned log via the Log Settings View while the 'Enable Logs' toggle is active. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the pre-auth injection combined with a maximal 9.8 CVSS score makes it a high-priority patch for any exposed WooCommerce funnel deployment.

WordPress RCE File Upload
NVD VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-33264 CRITICAL PATCH Act Now

Remote code execution in Apache Airflow before 3.3.0 lets a DAG author embed a malicious trigger whose attacker-controlled class path is loaded via an unrestricted import_string() when the Scheduler or API Server deserializes the serialized DAG, executing arbitrary code in those privileged processes and breaking the core Airflow boundary that DAG-author code must never run in the Scheduler/API Server. Reported by Apache with a fix in 3.3.0, it currently has no public exploit identified and a low EPSS of 0.69% (48th percentile), and it is not listed in CISA KEV. The practical severity depends heavily on how much a deployment trusts its DAG authors, since exploitation requires the ability to submit a DAG.

Deserialization RCE Apache Apache Airflow
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-53481 CRITICAL PATCH Act Now

Path traversal leading to full system compromise affects Dell PowerProtect Data Domain (DD OS) versions 7.7.1.0 through 8.7, plus the LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches. Per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N), an unauthenticated remote attacker can traverse outside the intended directory to gain unauthorized access and, according to Dell, take complete control of the system. Dell rates this critical (9.8) and its tags note an authentication-bypass characteristic; no public exploit identified at time of analysis and it is not currently in CISA KEV.

Authentication Bypass Dell Path Traversal Powerprotect Data Domain
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-53483 CRITICAL PATCH Act Now

Improper authentication in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and LTS2024 branches) lets an unauthenticated, remote attacker bypass authentication and gain unauthorized access that Dell says can escalate to complete system control. Dell rates it critical (CVSS 9.8, CWE-287). No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network-facing, no-privilege attack profile makes it a high-priority patch for backup/data-protection infrastructure.

Authentication Bypass Dell Powerprotect Data Domain
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-13019 CRITICAL PATCH Act Now

Missing authentication in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes deployments) exposes a critical API endpoint that a remote, unauthenticated attacker can reach directly, bypassing access controls to interact with functionality that should require an authenticated session. Esri rates this critical (CVSS 9.8) and disclosed it in its June 2026 ArcGIS security bulletin; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the exposed function is an administrative/portal API reachable over the network with no credentials, successful access could lead to disclosure or manipulation of portal content and configuration.

Authentication Bypass Kubernetes Microsoft Portal For Arcgis
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-13020 CRITICAL PATCH Act Now

Account takeover in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes) stems from a weak forgotten-password recovery mechanism (CWE-640) that a remote, unauthenticated attacker can manipulate to assume ownership of another user's account. The flaw carries a CVSS 9.8 rating because it is network-reachable with no authentication or user interaction, yielding full compromise of confidentiality, integrity, and availability of the targeted account. There is no public exploit identified at time of analysis and EPSS is low (0.22%, 13th percentile), and CISA's SSVC framework records exploitation as none, indicating no observed in-the-wild activity despite the critical score.

Authentication Bypass Kubernetes Microsoft Portal For Arcgis
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-37270 CRITICAL Act Now

Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.

Authentication Bypass N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-37271 CRITICAL Act Now

Improper authentication in Fire-Boltt FB BGS001 smartwatch firmware MOY-JS14-2.0.4 lets a nearby attacker replay previously captured Bluetooth Low Energy (BLE) GATT Write Request packets to trigger device functionality without valid session validation. The device accepts write commands over BLE without sufficient authentication, so an attacker within radio range who has observed legitimate traffic can reissue those commands. A public technical writeup/PoC exists on GitHub (EmbdCDACHyd), but there is no evidence of active exploitation (SSVC Exploitation: none) and EPSS is low at 0.21% (11th percentile).

Authentication Bypass N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14739 CRITICAL PATCH Act Now

Heap out-of-bounds write in the Perl DBI database-interface module before version 1.650 occurs when DBI preparses a SQL statement containing an extreme number of placeholders. This is a regression: the fix for CVE-2026-10879 under-allocated the placeholder buffer and could not accommodate roughly 1.2 million placeholders, so DBI 1.650 now enforces a hard cap of 99,999 placeholders. Reported by CPANSec with a vendor patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.19%, 8th percentile).

Memory Corruption Buffer Overflow Dbi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-12375 CRITICAL PATCH Act Now

Full site takeover of WordPress installations running Uncanny Automator Pro before 7.3.0.6, caused by a supply-chain compromise of the vendor's build/distribution infrastructure that shipped a backdoored plugin build to customers. The injected backdoor hands unauthenticated attackers a working administrator session and beacons the site's secret keys and administrator details to attacker-controlled servers. This is a trojanized-update incident rather than a coding flaw; no public exploit is identified at time of analysis and EPSS probability is low (0.15%, 4th percentile), consistent with the threat being embedded in the code itself rather than requiring an external exploit.

WordPress Code Injection
NVD WPScan VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-53552 CRITICAL POC GHSA Act Now

Cross-namespace privilege escalation in goploy (zhenorzz/goploy through 1.17.5 and develop HEAD) lets any authenticated user holding the low-privilege `manager` role in their own namespace read, overwrite, plant, or delete project files in ANY other tenant's project, and rewrite any project's git remote URL, because the `/project/addFile`, `/project/editFile`, `/project/removeFile`, and `/project/edit` handlers act on body-supplied project/file row ids without verifying the target belongs to the caller's namespace. The rewritten git remote escalates to remote code execution on the next deploy, when goploy runs `git remote set-url origin <attacker-url>` and pulls attacker-controlled code under the goploy service account. A detailed proof-of-concept exists demonstrating all four primitives against the published Docker image, though no active exploitation has been reported.

Authentication Bypass Docker
NVD GitHub
CVSS 3.1
9.6
CVE-2026-53513 CRITICAL PATCH GHSA Act Now

Server-side request forgery in the @better-auth/sso plugin (versions >= 0.1.0 through < 1.6.11, and 1.7.0-beta.x) lets any authenticated Better Auth session register an OIDC provider with attacker-controlled endpoint URLs, which the auth server then fetches during callback and reflects into the user profile - a non-blind SSRF exposing cloud metadata (IMDS 169.254.169.254), internal APIs, and localhost-bound services like Redis. When trustEmailVerified is enabled it escalates to full account takeover via forged emailVerified claims. Carrying a CVSS 9.6 (scope-changed) rating with no public exploit identified at time of analysis, the flaw was reported by Vaadata and fixed in 1.6.11.

SSRF Redis
NVD GitHub
CVSS 3.1
9.6
CVE-2026-44512 MEDIUM POC PATCH GHSA This Month

Null pointer dereference in the ONNX Python library's version converter crashes any application that calls `onnx.version_converter.convert_version()` on a crafted model containing an Upsample node with zero inputs, producing an unrecoverable SIGSEGV. Affected versions include at minimum onnx 1.21.0 and 1.22.0, confirmed by a 107-byte public proof-of-concept; the vulnerability is part of a systemic pattern spanning eight adapters. No public active exploitation is confirmed in CISA KEV, but the trivially small PoC eliminates any meaningful exploitation barrier for threat actors targeting ML model conversion pipelines.

Python Denial Of Service Null Pointer Dereference
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-59705 CRITICAL PATCH Act Now

Unauthenticated data theft, tampering, and denial-of-service affects mem0's OpenMemory API server (openmemory/api component), where several API routers are mounted without any authentication middleware. Because CVSS 4.0 vector shows PR:N and CWE-306 (Missing Authentication for a Critical Function), remote attackers can pass arbitrary user_id values to read, overwrite, or delete any user's stored memories, and can trigger a global pause to break the service for everyone. Reported by VulnCheck with a vendor patch commit available; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Mem0
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-59707 CRITICAL PATCH Act Now

Server-side request forgery in LocalAI's POST /models/apply endpoint lets unauthenticated remote attackers coerce the server into issuing HTTP GET requests to arbitrary internal, private, and loopback addresses, with partial response bodies disclosed back through error messages. The flaw stems from passing attacker-controlled gallery URL fields into gallery.GetGalleryConfigFromURLWithContext without validation, giving attackers a network pivot from the internet into otherwise unreachable back-end services. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and the CVSS 4.0 base score is 9.2 (Critical).

SSRF Localai
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-59706 CRITICAL PATCH Act Now

Sensitive information disclosure and server-side request forgery in mem0's self-hosted server let unauthenticated remote attackers steal stored LLM provider credentials and pivot into internal infrastructure. Because the /api/v1/config/ endpoints require no authentication (CWE-306), an attacker can GET plaintext secrets such as OpenAI API keys and PUT a malicious ollama_base_url to coerce the server into requesting internal-only addresses like cloud instance metadata (IMDS). CVSS 4.0 rates this 9.2 (Critical); there is no public exploit identified at time of analysis, but the attack is trivial and reported by VulnCheck.

Authentication Bypass SSRF Mem0
NVD GitHub
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-58468 MEDIUM POC This Month

Server-side request forgery in NocoBase through v2.1.20 allows authenticated administrators to issue arbitrary outbound HTTP requests via the serverRequest wrapper, enabling internal network enumeration and cloud instance metadata exfiltration. The attack surface spans workflow request nodes, custom request action buttons, and the AI plugin - all of which accept administrator-supplied URLs without adequate server-side validation. A publicly available proof-of-concept exists per VulnCheck reporting; no CISA KEV listing is present, indicating no confirmed widespread active exploitation at time of analysis, though the IAM credential theft potential elevates real-world impact significantly for cloud-hosted deployments.

SSRF Nocobase
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-14740 CRITICAL PATCH Act Now

Out-of-bounds read in the Perl DBI module's preparse() SQL-normalisation routine allows an attacker who controls SQL passed to the method (where the statement begins with a comment line) to trigger a one-byte read past a buffer, in all DBI releases before 1.650. On memory-hardened builds this faults and crashes the process (availability impact); on normal builds it produces nondeterministic newline retention. This is a CWE-125 flaw reported by CPANSec with no public exploit identified at time of analysis; EPSS is low at 0.19% (8th percentile) and it is not in CISA KEV.

Buffer Overflow Information Disclosure Dbi
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53512 CRITICAL PATCH GHSA Act Now

Confidential-client impersonation in better-auth below 1.6.11 lets an attacker who holds any leaked refresh_token and the public client_id mint fresh access tokens and rotated refresh tokens indefinitely. The deprecated oidcProvider() and mcp() plugins expose an OAuth 2.0 token endpoint whose refresh_token grant authenticates solely on the bound refresh-token row plus a matching client_id, never verifying the registered client_secret - a regression, since the same plugins' authorization_code grant does enforce the secret. No public exploit identified at time of analysis; the flaw was reported by @subhanUmer and fixed by the maintainers, with no CISA KEV listing or EPSS score supplied in the input.

Authentication Bypass XSS Canonical
NVD GitHub
CVSS 4.0
9.1
CVE-2026-4375 CRITICAL Act Now

Remote code execution affects the DoLeads Integrator and wp2epub WordPress plugins (both versions through 0.65), which WPScan reports have been observed being leveraged to run arbitrary code on a blog once installed. The plugins are reachable via a broader flaw that lets unauthorized users install 'unclosed'/withdrawn extensions from the wordpress.org repository, turning plugin installation into a code-execution primitive. No public exploit has been identified at time of analysis, and EPSS remains very low (0.15%, 5th percentile), indicating no observed widespread exploitation despite the high CVSS.

WordPress Authentication Bypass
NVD WPScan VulDB
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-11610 HIGH PATCH This Week

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LDAP client to crash the server by sending an oversized UNBIND packet over a SASL integrity-protected connection. The oversized data overflows a fixed 512-byte heap receive buffer in sasl_io_recv() (sasl_io.c), and in FreeIPA / Red Hat IdM any domain user, enrolled host, or service account with a valid Kerberos ticket can trigger it after GSSAPI authentication. There is no public exploit identified at time of analysis, and this flaw is distinct from the earlier CVE-2025-14905 schema.c overflow, which did not fix this code path.

Heap Overflow Denial Of Service Buffer Overflow Red Hat Red Hat Directory Server 11 +8
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-42200 HIGH PATCH This Week

Path traversal leading to remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated user to abuse insufficient filename sanitization in the PostgreSQL initialization-script generator (generate_init_scripts() in app/Actions/Database/StartPostgresql.php) to write files outside the intended directory and execute commands during database init. Any user with sufficient privileges to provision a PostgreSQL resource can escalate to code execution on the Coolify host. No public exploit identified at time of analysis, though the fix commit and security advisory publicly disclose the vulnerable code path.

PostgreSQL Path Traversal PHP Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-14474 HIGH This Week

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user with write access to any subtree to inject a malicious sudoRole object and gain root-level sudo on every SSSD-enrolled host. The flaw exists because, when ldap_sudo_search_base is left unset, SSSD searches the entire directory tree for sudoRole objects, trusting rules planted anywhere in the DIT. Rated CVSS 8.8 by Red Hat and reported against RHEL 6 through 10 and OpenShift Container Platform 4; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-42143 HIGH PATCH This Week

OS command injection in Coolify (self-hosted server/application/database management platform) versions prior to 4.0.0-beta.471 allows an authenticated low-privileged member to run arbitrary commands as root on managed servers by embedding shell metacharacters in persistent volume names, which are interpolated unescaped into shell commands during volume operations. The CVSS 3.1 score is 8.8 (High) with a network vector requiring only low privileges. No public exploit identified at time of analysis; an upstream fix commit and a tagged patched release exist.

Command Injection Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-34034 HIGH PATCH This Week

Authenticated command injection in Coolify (self-hosted server/application/database management platform) before 4.0.0-beta.466 lets a user with access to a server's Sentinel settings embed shell metacharacters in the sentinel_token value, which is passed unsanitized into a shell command and executed on the host the next time Sentinel is restarted (CWE-78). The flaw yields full host command execution with confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor has released a fixed build (v4.0.0-beta.466) with an available upstream commit.

Command Injection Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-34168 HIGH PATCH This Week

OS command injection in Coolify (self-hosted server/app management platform) before 4.0.0-beta.471 lets an authenticated user embed shell metacharacters in a LocalPersistentVolume storage name, which is interpolated unescaped into docker volume shell commands and executed on managed servers when the associated resource is deleted. Rated CVSS 8.8 (CWE-78), it yields arbitrary command execution on downstream hosts controlled by the Coolify instance. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is confirmed in release 4.0.0-beta.471.

Command Injection Docker Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-34152 HIGH PATCH This Week

Command injection in Coolify before 4.0.0-beta.471 lets an authenticated user break out of the pre-deployment and post-deployment command fields and run arbitrary shell statements on the target deployment server. The supplied commands are single-quote escaped but then piped through an SSH heredoc transport that preserves newlines, so newline-delimited injected statements survive escaping and execute during deployment. No public exploit is identified at time of analysis, though the fixing pull request and commit are public and make the root cause easy to reconstruct; CVSS is 8.8 (High).

Command Injection Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-34158 HIGH PATCH This Week

OS command injection in Coolify, the open-source self-hostable server/application/database management PaaS, allows an authenticated user with permission to edit application settings (versions prior to 4.0.0-beta.469) to run arbitrary commands on the managed host. The flaw lives in the executeInDocker() helper, which wraps user-controlled values in single quotes without escaping embedded quotes, letting an attacker break out of the quoted shell context during deployments and escape the intended Docker container confinement. No public exploit identified at time of analysis; this is not listed in CISA KEV.

Command Injection Docker Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-34058 HIGH PATCH This Week

OS command injection in Coolify's self-hosted server-management platform (all versions prior to 4.0.0-beta.471) lets any authenticated team member execute arbitrary shell commands on any managed remote server. The flaw lives in the Livewire Server\Resources component, whose public startUnmanaged/stopUnmanaged/restartUnmanaged methods take a browser-supplied container ID and interpolate it unescaped into SSH-executed shell commands. No public exploit identified at time of analysis and it is not in CISA KEV, but the trivially low complexity (CVSS 8.8) makes exploitation straightforward for anyone with a team account.

Command Injection Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-34057 HIGH PATCH This Week

OS command injection in Coolify's self-hosted server/app management platform lets an authenticated user achieve remote code execution on the underlying host via a malicious database import container name. The database import Livewire component passes client-controlled container and server properties into shell commands without locking or validation, so any low-privileged authenticated user can inject arbitrary commands. Rated CVSS 8.8 and fixed in 4.0.0-beta.471; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Command Injection PHP Coolify
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-57867 HIGH This Week

Authentication bypass in MicroRealEstate (open-source property/real-estate management platform) through version 1.0.0-alpha3 lets remote unauthenticated attackers brute-force the One-Time Password (OTP) login flow to authenticate as any user. Because the OTP tokens are not tracked in server-side state, codes are not invalidated or rate-limited across attempts, collapsing the effective keyspace and enabling account takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-34035 HIGH PATCH This Week

OS command injection in Coolify (self-hosted server/application/database management platform) before 4.0.0-beta.466 lets an authenticated user execute arbitrary commands on the host by supplying log drain secret or environment values that are interpolated into shell commands without proper encoding. Because Coolify orchestrates the underlying host, the injected commands run with the platform's host-level context, effectively yielding host takeover. No public exploit identified at time of analysis; this is not in CISA KEV and no POC is referenced, so risk is driven by the ease of authenticated exploitation rather than confirmed in-the-wild activity.

Command Injection Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-14380 HIGH PATCH This Week

DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name. Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands. The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db. An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.

Code Injection RCE Dbi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-55633 HIGH PATCH This Week

Remote code execution in DataEase before 2.10.24 allows an authenticated attacker to bypass the prior H2 zip-protocol and file-dropper hardening by uploading a ZIP archive masquerading as a font file (.ttf) via the FontManage.saveFile endpoint, then invoking the H2 database zip protocol against it to execute arbitrary code on the server. The flaw is a regression that defeats an earlier fix, and carries a CVSS 4.0 score of 8.7 (High). No public exploit has been identified at time of analysis, but the vendor GitHub Security Advisory (GHSA-8x36-774q-pwqg) and two remediation commits are published.

RCE File Upload Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-13696 HIGH This Week

Privilege-escalation-capable LDAP injection in HAVELSAN Liman MYS (all releases before Master.1107) lets an authenticated attacker inject unsanitized special characters into LDAP queries, subverting directory-backed authentication and authorization logic. Because Liman is typically wired into corporate LDAP/Active Directory for login, a successful injection can expose directory data, bypass access controls, and manipulate query results. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; risk is driven by the high CVSS 8.8 rating rather than confirmed in-the-wild activity.

Code Injection LDAP
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-53729 HIGH PATCH This Week

{id} route is explicitly whitelisted from authentication, exported data files can be pulled by fully unauthenticated remote attackers, matching the vendor's CVSS 4.0 PR:N rating (8.7, High). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial ID-enumeration attack pattern makes exploitation straightforward once the endpoint is reachable.

Authentication Bypass Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56811 HIGH PATCH This Week

Denial of service in the Phoenix Framework (Elixir) affects any endpoint mounting a Phoenix.Socket with a reachable WebSocket or LongPoll channel transport, in versions from 0.11.0 up to the fixed 1.5.15, 1.6.17, 1.7.24, and 1.8.9. Because transports place no cap on channels joined per connection, one unauthenticated client can stream unlimited phx_join messages down a single connection to spawn hundreds of thousands of channel processes and exhaust the BEAM process table, taking the whole node offline. Rated CVSS 4.0 8.7 (availability-only impact); no public exploit identified at time of analysis, though the mechanics are described in detail in the vendor advisory.

Denial Of Service Phoenix
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy