Skip to main content
CVE-2026-53518 HIGH PATCH GHSA This Week

Single-use authorization-code enforcement can be bypassed under concurrency in the better-auth OAuth provider (@better-auth/oauth-provider 1.6.0 through 1.6.10, the embedded plugin in better-auth 1.4.8-beta.7 through 1.6.10, and the legacy oidc-provider and mcp plugins). Because the POST /oauth2/token authorization_code grant redeems the code via a non-atomic find-then-delete, two concurrent requests carrying the same code both pass the read step and each mint a fresh access, refresh, and id token for the original user's scope. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor rates it CVSS 4.0 7.6 (High) with high confidentiality and integrity impact.

Authentication Bypass Nginx Redis Microsoft
NVD GitHub
CVSS 4.0
7.6
EPSS
0.5%
CVE-2026-51937 HIGH This Week

Sensitive information disclosure in OneBlog V2.3.9 lets remote unauthenticated attackers retrieve WeChat Official Account secrets - the access_token and jsapi_ticket - through unprotected REST endpoints backed by RestApiController.java, JsApiTicketComponent.java, and GetAccessTokenComponent.java. Because these credentials grant control over the linked WeChat public account, disclosure enables account takeover of the integration rather than just data leakage. Classified CWE-306 (Missing Authentication); a referenced public gist appears to contain proof-of-concept details, though EPSS is low (0.26%, 18th percentile) and it is not listed in CISA KEV.

Authentication Bypass Java N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-5799 HIGH This Week

Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote attackers read data belonging to other users or tenants by substituting trusted identifiers in requests, without authentication per the published CVSS vector (PR:N). The flaw exposes confidential data only (C:H/I:N/A:N) and was reported by Turkey's TR-CERT under advisory TR-26-0503. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided.

Authentication Bypass Ontime
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-5730 HIGH This Week

Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote unauthenticated attackers read confidential records belonging to other users by tampering with user-controlled resource identifiers. Because the application trusts client-supplied keys without verifying ownership, an attacker can enumerate or substitute IDs to exfiltrate data they should not access. There is no public exploit identified at time of analysis, but the flaw is trivial to exercise (AV:N/AC:L/PR:N) and was flagged by Turkey's national CERT (TR-CERT).

Authentication Bypass Ontime
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-14895 HIGH PATCH This Week

Regular-expression denial of service in the String::Util Perl module (versions before 1.36) lets remote unauthenticated attackers exhaust CPU by supplying a string with a long run of whitespace to the trim or rtrim functions. The vulnerable `s/\s*$//u` pattern backtracks quadratically over whitespace runs, so any application feeding untrusted input through these helpers is exposed. No public exploit code has been identified; EPSS is low (0.19%, 9th percentile) and the flaw is not on CISA KEV, indicating no observed active exploitation.

Denial Of Service String
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-6101 HIGH This Week

Arbitrary file write in the AMP for WP - Accelerated Mobile Pages WordPress plugin (versions up to and including 1.1.12) lets authenticated Author-level users, granted permission by an Administrator, upload and unsafely extract a crafted ZIP through the ampforwp_save_local_font() function, planting attacker-controlled files in a web-accessible uploads path. On hosts configured to execute PHP from the uploads directory, this escalates to remote code execution. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; an upstream fix is present in the plugin repository (changeset 3512870).

WordPress RCE PHP Amp For Wp Accelerated Mobile Pages
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-53479 HIGH PATCH This Week

OS command injection in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and LTS2024 branches) lets an already-authenticated, high-privileged remote user break out of the appliance's restricted management context and run arbitrary commands as root. Dell rates it Critical because the flaw defeats the platform's protection mechanism and yields full root-level code execution on the backup appliance. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Dell explicitly urges customers to upgrade at the earliest opportunity.

Command Injection Dell Powerprotect Data Domain
NVD
CVSS 3.1
7.2
EPSS
1.3%
CVE-2026-55631 HIGH PATCH This Week

Arbitrary file deletion in DataEase (open-source data visualization and analytics platform) before 2.10.24 lets authenticated users delete arbitrary writable files inside the application container via a path traversal in the font management module. The stored fileTransName value is concatenated with the font storage directory and passed unsanitized to FileUtils.deleteFile() when a font record is deleted. No public exploit identified at time of analysis; the CVSS 4.0 base score is 7.2 (VI:H/VA:H), reflecting integrity and availability impact without confidentiality loss.

Path Traversal Dataease
NVD GitHub
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-50007 HIGH PATCH This Week

Privilege escalation via broken authorization in Actual (self-hosted open-source budgeting app) before 26.7.0 lets any shared user holding only user_access on a budget file invoke owner-only file-management endpoints. Because requireFileAccess treats ordinary shared access as sufficient, a low-privileged collaborator can call /delete-user-file, /reset-user-file, and /user-create-key to destroy or reset another user's budget data or rotate its encryption key. No public exploit is identified at time of analysis, and it is not in CISA KEV.

Authentication Bypass Actual
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-14904 HIGH This Week

Arbitrary file disclosure in AWS Research and Engineering Studio (RES) prior to version 2026.06 allows an authenticated remote user to read any file readable by root on the cluster-manager EC2 instance. The Auth.GetUserPrivateKey API follows a user-controlled symbolic link at ~/.ssh/id_rsa, and because the cluster-manager process runs as root, an attacker can exfiltrate other users' SSH private keys and application secrets. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Res
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-57871 HIGH This Week

Relative path traversal in the MicroRealEstate file upload functionality lets an authenticated low-privilege user supply crafted filenames containing directory-traversal sequences to write outside the intended upload directory and potentially overwrite system files. All releases through 1.0.0-alpha3 are affected. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 7.1, driven primarily by high availability impact.

Path Traversal File Upload
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-7017 HIGH PATCH This Week

Credential leakage in the Perl HTTP::Tiny client (all versions before 0.095) lets an attacker who controls a redirect destination harvest sensitive headers. When a server answers with a 3xx redirect, HTTP::Tiny re-sends caller-supplied Authorization, Cookie and Proxy-Authorization headers to the new host without verifying it shares the original origin, including across scheme, host or port boundaries and over https-to-http downgrades that expose them in cleartext on the wire. No public exploit is identified at time of analysis and CISA SSVC rates exploitation as none, but the flaw is well-documented and a vendor patch is available in 0.095.

Information Disclosure Http
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-50530 HIGH PATCH This Week

Insecure Direct Object Reference in DataEase before 2.10.24 lets a holder of any valid share-link token retrieve arbitrary datasets by tampering with the request body. The share-mode chart endpoint POST /de2api/chartData/getData validates only that sceneId matches the resourceId bound to the link token, but never checks that the supplied tableId and field IDs belong to the shared resource, so an attacker can swap in identifiers for datasets they were never granted. No public exploit is identified at time of analysis, but the flaw is trivially exploitable by anyone already given a legitimate share link.

Authentication Bypass Dataease
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-54602 HIGH PATCH This Week

Broken object-level authorization in FastGPT before 4.15.0 lets any authenticated user retrieve another team's LLM interaction traces via GET /api/core/ai/record/getRecord. The endpoint verifies the caller is logged in but fetches records solely by requestId without checking team ownership, exposing cross-tenant prompts, retrieved RAG chunks, and model completions to any user who can guess or obtain a valid requestId. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but exploitation requires only a low-privilege account and knowledge of a target requestId.

Authentication Bypass Fastgpt
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-59704 HIGH PATCH This Week

Broken object-level authorization in Cap's GET /api/video/ai endpoint lets any authenticated user supply arbitrary video IDs to read private AI-generated metadata - titles, summaries, and chapters - belonging to other users, and to trigger unauthorized AI generation that burns the victim's credits. Reported by VulnCheck with a vendor patch (commit 8d48642) available; no public exploit identified at time of analysis, and EPSS/KEV data were not supplied. The flaw combines confidentiality loss over private content with an abusable, cost-incurring side effect.

Authentication Bypass Cap
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-57869 HIGH This Week

Unauthorized document disclosure in MicroRealEstate through version 1.0.0-alpha3 lets an authenticated low-privilege user retrieve documents uploaded by other landlords or tenants. The flaw combines a broken object-level authorization check (CWE-639) with document IDs that are generated using a predictable, deterministic pattern, so an attacker can guess or enumerate identifiers and pull files they should not see. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 7.1 reflects high confidentiality impact with no effect on integrity or availability.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-57868 HIGH This Week

Sensitive document disclosure in MicroRealEstate through 1.0.0-alpha3 lets an authenticated low-privilege user retrieve PDF documents belonging to other tenants or organizations by manipulating object identifiers passed to the PDF generator. Classified under CWE-639 (IDOR) and CVSS 4.0 7.1, the flaw exposes confidential data (VC:H) without requiring integrity or availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-53530 HIGH POC PATCH GHSA This Week

Denial of service in RaTeX, a Rust LaTeX-rendering library (crate ratex-parser), lets remote attackers crash any service that parses untrusted LaTeX by submitting a 9-byte `\verb` command whose delimiter is a multibyte UTF-8 character (e.g. `\verbéxé`). The parser slices the verbatim argument using byte indices rather than character boundaries, so index 1 lands inside the `é` character and Rust panics; because the release profile sets `panic = "abort"`, the panic terminates the entire process, not just one request. Publicly available exploit code exists (a one-line PoC in the GHSA advisory); no active exploitation is reported.

Denial Of Service
NVD GitHub
CVE-2026-40187 HIGH POC PATCH GHSA This Week

Authenticated OS command execution in EGroupware allows an administrator to escalate from web-application access to arbitrary shell commands as the web server user (typically www-data). The flaw lives in the eTemplate engine's Widget::expand_name(), where widget attribute values are passed into a PHP eval() with only double-quotes escaped, leaving backtick shell-execution operators intact; an admin uploads a malicious .xet template to the /etemplates VFS mount to trigger it. A detailed proof-of-concept is published in the vendor's GitHub Security Advisory (publicly available exploit code exists), though there is no evidence of active exploitation.

Command Injection PHP RCE Docker
NVD GitHub
CVE-2026-34151 HIGH PATCH GHSA This Week

Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). Depending on how deep the webapp sits below root, this exposes both in-webapp secrets such as WEB-INF/xwiki.cfg and Hibernate configuration, and out-of-webapp OS files like /etc/passwd. No public exploit or active exploitation is tracked, but the vendor advisory (GHSA-qj4x-9g63-25g6) itself publishes working request URLs, so weaponization is trivial.

Atlassian Information Disclosure Tomcat Docker
NVD GitHub
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy