Skip to main content
CVE-2026-44342 MEDIUM PATCH GHSA This Month

Cross-site request forgery in new-api's OAuth account binding endpoints allows an unauthenticated network attacker to silently rebind a logged-in user's email or WeChat identity to attacker-controlled credentials by luring the victim to a malicious page. Affected are all deployments running versions prior to v0.12.0-alpha.1 where the GET-based bind endpoints are reachable. No public exploit has been identified at time of analysis, and the default SameSite=Strict cookie configuration substantially limits real-world exploitability to environments that have weakened or overridden that default.

CSRF
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-26053 MEDIUM This Month

Incorrect privilege assignment in Gallagher Command Centre Server permits an authenticated low-privilege operator to execute operations restricted to higher-privilege roles, enabling unauthorized integrity impacts on physical security configurations. Affected versions span the 9.10 through 9.50 release lines, with patches available for 9.20-9.50 but no fix for the fully end-of-support 9.10 branch. No public exploit code exists and this vulnerability is not listed in CISA KEV; it was disclosed directly by the vendor Gallagher.

Information Disclosure Command Centre Server
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-34198 MEDIUM PATCH This Month

Password reset poisoning in Coolify prior to 4.0.0-beta.471 enables unauthenticated account takeover by injecting a forged X-Forwarded-Host header during a password reset request. Two compounding middleware failures make this possible: TrustProxies trusts all proxy sources unconditionally, and TrustHosts is rendered inoperable by a circular caching dependency, meaning the Host header is never validated. The reset URL is generated from the spoofed request host, so the victim's reset token is delivered to an attacker-controlled domain. No public exploit is identified at time of analysis, but the attack is low-friction and the fix is confirmed in version 4.0.0-beta.471.

Information Disclosure Coolify
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-55647 MEDIUM PATCH This Month

Stored XSS in DataEase dashboard text components allows any authenticated user with edit access to inject HTML containing executable event handlers that fire silently in the browser of every subsequent dashboard viewer, including unauthenticated shared-link recipients. All versions prior to 2.10.24 are affected due to the use of Vue's v-html directive to render stored component content without server-side sanitization. No public exploit or active exploitation has been confirmed at time of analysis; a vendor-released patch is available in version 2.10.24.

XSS Dataease
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-53648 MEDIUM This Month

File path collision in FOSSBilling's downloadable product service allows an authenticated administrator to silently overwrite another product's stored file by uploading a file with an identical original filename. Because FOSSBilling stores uploaded files at a path derived solely from md5(<original filename>), two uploads sharing the same filename map to the same storage location - the later upload wins, and customers downloading the earlier product receive the substituted file instead. No public exploit exists and this is not in CISA KEV, but the integrity and information-disclosure impact are concrete: customers may receive incorrect - potentially confidential - product files. Version 0.8.1 patches the issue.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-13199 MEDIUM PATCH This Month

Predictable KASLR offsets and RNG seeds in Raspberry Pi 5 and Compute Module 5 EEPROM firmware undermine kernel address space layout randomization across all affected devices and reboots. Because the entropy source is deterministic, any attacker who can identify the firmware version can predict kernel memory addresses, reducing KASLR to a known-offset bypass. This does not itself enable code execution, but it significantly lowers the bar for chaining with any memory-corruption vulnerability targeting these devices. No public exploit code has been identified at time of analysis and this is not listed in the CISA KEV catalog.

Information Disclosure Raspberry Pi 5 And Compute Module 5
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-58315 MEDIUM This Month

Cross-site request forgery in SEIKO EPSON Web Config allows a remote, unauthenticated attacker to trigger unintended configuration changes on Epson network devices by luring an authenticated administrator into visiting a malicious web page. The vulnerability (CWE-352) requires no privileges on the attacker's side but depends on an active, authenticated Web Config session on the victim's browser. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

CSRF
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2024-56141 MEDIUM This Month

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

Java Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.1%
CVE-2026-42147 MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Coolify prior to v4.0.0-beta.474 enables an authenticated user holding storage management permissions to coerce the application server into issuing HTTP requests to arbitrary internal addresses, including cloud instance metadata services. The vulnerable code path is Coolify's S3 storage endpoint testConnection() function, which blindly fetches the caller-supplied URL after only superficial format validation. No public exploit or CISA KEV listing exists at time of analysis, but cloud-hosted deployments face elevated risk because successful exploitation can expose cloud provider credentials via metadata endpoints such as AWS IMDSv1.

SSRF Coolify
NVD GitHub
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-10659 MEDIUM PATCH This Month

Kernel denial-of-service in Zephyr RTOS v4.4.0's Dhara flash translation layer driver crashes the system during FTL disk initialization when a flash error coincides with the journal-resume checkpoint scan. The driver's dhara_nand_read/erase/prog/copy callbacks unconditionally dereference the caller-supplied err pointer, but the upstream Dhara library legitimately passes NULL during its binary search in find_last_checkblock(), triggering a NULL write and kernel fault. No public exploit code has been identified and this CVE is absent from the CISA KEV catalog; exploitation is gated on specific flash media conditions (uncorrectable ECC, bad block, or induced fault) occurring on a checkpoint page at mount time, constraining real-world risk to physical or supply-chain threat models.

Denial Of Service Checkpoint Null Pointer Dereference Zephyr
NVD GitHub
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-10834 MEDIUM PATCH This Month

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This removes the targeted media from its original location and can break content across the site.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
4.6
EPSS
0.1%
CVE-2026-14969 MEDIUM This Month

Attribute encryption in the 389-ds-base LDBM backend exposes a cryptographic design flaw affecting Red Hat Directory Server 11, 12, and 13 across all supported RHEL releases (6 through 10). The LDBM backend applies a static, hardcoded initialization vector (IV) for both AES-CBC and 3DES-CBC encryption of directory attribute values, meaning that two entries storing identical plaintext for an encrypted attribute will always produce identical ciphertext blocks - a classic ciphertext equality oracle. An attacker with privileged filesystem-level read access to the LDBM database files can exploit this to determine whether any two encrypted attribute values are identical, leaking relational information about the directory without recovering plaintext. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Information Disclosure Red Hat Directory Server 11 Red Hat Directory Server 12 Red Hat Directory Server 13 Red Hat Enterprise Linux 10 +6
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-48891 MEDIUM PATCH This Month

Incomplete authorization filtering in Apache Airflow's `/ui/dependencies` scheduling graph endpoint exposes restricted DAG identifiers to authenticated users who lack read permission on those DAGs. The endpoint correctly filters top-level serialized DAG keys against the caller's ACL but leaks referenced DAG IDs through `dep.source` and `dep.target` fields of trigger and sensor dependency entries, enabling cross-team DAG enumeration in multi-tenant deployments. This is a residual gap from an incomplete fix for CVE-2026-28563; no public exploit has been identified at time of analysis, and a vendor patch is available in apache-airflow 3.3.0.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-34170 MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Coolify's GitHub App integration exposes internal network services and cloud metadata endpoints to authenticated low-privilege users. Versions prior to 4.0.0-beta.471 allow any authenticated user to set the GithubApp api_url field to an arbitrary URL - including RFC 1918 private addresses or cloud instance metadata endpoints like 169.254.169.254 - which Coolify then fetches server-side without restriction. No public exploit identified at time of analysis, but the attack pattern is well understood and particularly dangerous in cloud-hosted deployments where metadata endpoints may expose IAM credentials.

SSRF Coolify
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-53487 MEDIUM POC PATCH GHSA This Month

Cluster-level RBAC bypass in Kite (github.com/zxh326/kite) v0.12.2 allows any authenticated user to retrieve aggregate inventory and capacity data from Kubernetes clusters they are not authorized to access. By supplying an arbitrary cluster name in the `x-cluster-name` header, a low-privileged user scoped to one cluster can enumerate node counts, pod counts, namespace counts, service counts, and CPU/memory resource totals from other configured clusters. No public exploit identified at time of analysis, though the reporter provided and validated a working Go proof-of-concept test demonstrating the bypass.

Authentication Bypass Kubernetes
NVD GitHub
CVSS 3.1
4.3
CVE-2026-53508 MEDIUM PATCH GHSA This Month

Security-control bypass in oasdiff v1.13.2-v1.18.0 silently negates the `--allow-external-refs=false` safety flag when loading OpenAPI specifications via the git-revision input form (`rev:path`, e.g. `main:openapi.yaml`), leaving callers exposed to SSRF and local file disclosure despite explicitly intending to sandbox untrusted spec processing. Malicious `$ref` URIs embedded in a spec - pointing to internal HTTP endpoints or local filesystem paths - are resolved on the git-revision load path even when the policy is set, while the file-path and URL load paths correctly enforce the restriction. No public exploit code has been identified at time of analysis and the vulnerability is not in CISA KEV; vendor-released patch v1.18.1 is available.

SSRF
NVD GitHub
CVE-2026-53533 MEDIUM PATCH GHSA This Month

SMTP command injection in aiosmtplib (all versions through 5.1.0) enables any attacker who can influence email addresses passed to SMTP.mail(), SMTP.rcpt(), SMTP.vrfy(), SMTP.expn(), or the higher-level SMTP.sendmail() to inject arbitrary SMTP protocol commands by embedding CR/LF bytes in the address string. Applications that accept sender or recipient addresses from untrusted input - web forms, APIs - and forward them to these methods without CR/LF sanitization are at risk of session desynchronization, client-side denial of service via SMTP client hang, or delivery of attacker-crafted email through the victim application's SMTP connection. No vendor-released patch version is confirmed from available data at time of analysis, and no public exploit has been identified.

Command Injection Denial Of Service
NVD GitHub
CVE-2026-53531 MEDIUM POC PATCH GHSA This Month

Unbounded recursive descent in the RaTeX Rust crate ratex-parser crashes the entire host process when fed deeply nested LaTeX input. The mutual recursion across parse_expression, parse_atom, and parse_group in crates/ratex-parser/src/parser.rs carries no depth guard, so roughly 200,000 nested braces (~400 KB of input, or far less on async worker threads with 512 KB stacks) exhausts the native OS stack and triggers a fatal SIGABRT from which the process cannot recover. In any server-side math rendering deployment that accepts untrusted LaTeX, this constitutes a reliable unauthenticated denial-of-service; publicly available exploit code confirms trivial reproduction with a Python one-liner.

Denial Of Service
NVD GitHub
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy