Skip to main content
CVE-2026-44877 MEDIUM This Month

Sensitive cryptographic material on HPE Networking Instant On 1830, 1930, and 1960 switches is exposed to remote network actors through an information disclosure vulnerability. Exploitation allows retrieval of cryptographic secrets such as private keys, certificates, or pre-shared credentials, which could subsequently enable man-in-the-middle attacks, traffic decryption, or device impersonation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Information Disclosure Hpe Networking Instant On
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-12799 MEDIUM PATCH This Month

Cross-site scripting in Jastow - the JSP implementation layer embedded within Red Hat JBoss Enterprise Application Platform alongside Undertow - allows unauthenticated remote attackers to inject and execute malicious scripts when a specific combination of configurations permits unescaped characters to pass through URL processing. Affected deployments span JBoss EAP 7, EAP 8, the Expansion Pack, and linked products such as Red Hat Single Sign-On 7 that share this component. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Red Hat Jboss Enterprise Application Platform 7 Red Hat Jboss Enterprise Application Platform 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7 +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49296 MEDIUM PATCH This Month

{dag_id}` endpoint and its UI equivalent perform authorization only on the requested DAG identifier, not on the full file contents returned. No public exploit has been identified and the issue is not listed in CISA KEV, but it directly undermines per-DAG access control in multi-tenant or team-partitioned Airflow deployments.

Authentication Bypass Apache Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49487 MEDIUM PATCH This Month

Apache Airflow REST API exposes provider secrets in plaintext through the task-instance detail and list endpoints when tasks are in a deferred state. Any authenticated user holding DAG-scoped task-instance read access - a permission commonly granted to non-admin roles - can retrieve API keys, passwords, or other secrets passed by deferred operators into trigger kwargs. Fixed in Apache Airflow 3.3.0; no public exploit code identified at time of analysis, though exploitation is trivially achievable by any authenticated user with the requisite read permission.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48828 MEDIUM PATCH This Month

Sensitive credential exposure in Apache Airflow's Bulk Variables API allows authenticated users with bulk Variable read permission to retrieve plaintext values from JSON-typed variables whose key names use secret-suffixed conventions such as `*_password`, `*_token`, or `*_secret`. The redactor function was invoked without passing the variable key, so the `should_hide_value_for_key` check - which is responsible for masking secrets based on key-name patterns - could never fire for JSON-decodable variable values. This affects all deployments prior to 3.3.0 that store sensitive credentials in JSON-typed Airflow Variables under secret-suffixed key names; no public exploit has been identified at time of analysis, and exploitation is bounded by the requirement for authenticated access with a specific permission grant.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48892 MEDIUM PATCH This Month

Apache Airflow's Config API leaks plaintext secrets-backend credentials to authenticated users with Config read permission, because per-key environment variable overrides (e.g., AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID) generate synthetic config entries whose names are absent from the sensitive_config_values masking list. Affected deployments are those that configure secrets backends such as HashiCorp Vault via these per-key environment variable patterns, exposing credentials like Vault role_id and secret_id through normal API responses. No public exploit has been identified at the time of analysis; the vendor-released fix is apache-airflow 3.3.0.

Hashicorp Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-50811 MEDIUM This Month

Out-of-bounds read in FreeType 2.14.3 exposes partial heap memory and risks process crashes when processing crafted variable fonts via the TT_Get_Var_Design code path. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects server-side or automated font processing pipelines where untrusted font data reaches FT_Get_Var_Design_Coordinates without authentication barriers. No active exploitation is confirmed in CISA KEV; however, a researcher-published gist suggests working proof-of-concept material exists, and EPSS at 0.17% (7th percentile) indicates minimal observed exploitation activity to date.

Buffer Overflow Information Disclosure N A
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-58266 MEDIUM PATCH This Month

Arbitrary file read and exfiltration in Anki prior to 25.09.4 allows a remote attacker to access sensitive files on a victim's system by distributing a maliciously crafted card package (.apkg). The root cause is an origin validation failure (CWE-346) in Anki's internal localhost API, which fails to block iframe-embedded scripts from accessing privileged backend methods such as getImageForOcclusion. Exploitation requires the victim to import the malicious deck; no public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Anki
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-45016 MEDIUM POC PATCH GHSA This Month

Arbitrary file read in EGroupware's mail composition module allows any authenticated user with mail access to exfiltrate files readable by the web server process. The vulnerability stems from a defective URI scheme check in `api/src/Mail.php` that correctly rejects `data:` URIs but inadvertently permits `file://` URIs, which PHP's `file_get_contents()` resolves natively against the local filesystem. A publicly available proof-of-concept exists demonstrating `/etc/passwd` extraction via a crafted HTML email body; no active exploitation (CISA KEV) has been confirmed at time of analysis.

RCE PHP
NVD GitHub
CVSS 3.1
6.5
CVE-2026-48958 MEDIUM This Month

Incorrect access control in Joomla! CMS exposes com_fields REST API webservices endpoints to users who lack the required permissions, allowing them to create custom field definitions that should be restricted to higher-privileged roles such as Manager or Administrator. The flaw originates from a missing or incorrectly evaluated ACL check in the webservices layer and is confirmed by Joomla's own Security Centre in advisory 20260712. No public exploit has been identified at time of analysis, though the CVSS scope-change metrics indicate potential for significant downstream impact to site content and dependent integrations if unauthorized field definitions are used to inject malicious markup.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.3%
CVE-2026-48947 MEDIUM This Month

Improper access control in Joomla! CMS's com_media webservice endpoints allows privileged users to overwrite media files even when they lack explicit editing permissions. The flaw affects two active release lines - 4.1.0 through 5.4.6 and 6.0.0 through 6.1.1 - and is confirmed by the Joomla Security Centre. The CVSS 4.0 vector (SC:H/SI:H/SA:H) indicates that while the direct impact on the vulnerable system is limited (VI:L), successful exploitation can cascade into high-impact consequences on the broader site or dependent systems. No public exploit or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-48955 MEDIUM This Month

Unauthorized access to workflow stage and transition data in Joomla! CMS is possible due to an improper access check in the com_workflow component (CWE-284), allowing authenticated users who lack the necessary workflow management permissions to read internal content publication configuration. The CVSS 4.0 vector assigns high subsequent-system impacts (SC:H/SI:H/SA:H), suggesting the vendor assessed this metadata exposure as a meaningful enabler of broader content pipeline compromise. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-48956 MEDIUM This Month

Incorrect access control in Joomla! CMS's com_modules component exposes the module listing interface to frontend users who should not have visibility into installed modules. The flaw stems from CWE-284 (Improper Access Control), where the frontend fails to enforce sufficient privilege checks before returning module enumeration data. No public exploit or CISA KEV listing has been identified at time of analysis, and the EPSS score is not provided in source data, but the CVSS 4.0 score of 6.4 reflects meaningful subsequent-system impact potential stemming from reconnaissance value of the disclosed module inventory.

Authentication Bypass Joomla Cms
NVD
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-48957 MEDIUM This Month

Improper access control in Joomla! CMS exposes com_privacy component webservice endpoints to users lacking the required authorization, allowing unauthorized reads of GDPR/privacy datasets. The flaw is classified as CWE-284 and impacts downstream systems at high severity per the vendor-supplied CVSS 4.0 vector, despite requiring high privileges on the vulnerable system itself - a tension that suggests role-boundary bypass rather than fully unauthenticated access. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-48948 MEDIUM This Month

Improper access control in Joomla! CMS com_contact component exposes restricted contact records via vcard (VCF) export to authenticated users who should not have access. Affecting versions 3.0.0 through 5.4.6 and 6.0.0 through 6.1.1, the flaw allows an authenticated user to bypass access restrictions and download vcard exports of contacts that have been explicitly restricted from their view. No public exploit code or active exploitation has been identified at time of analysis, but the wide deployment footprint of Joomla and the breadth of affected versions (spanning both the 3.x/5.x and 6.x branches) make patching a priority for sites using the com_contact component.

Authentication Bypass Joomla Cms
NVD
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-11328 MEDIUM This Month

Stored XSS in the Exclusive Addons for Elementor WordPress plugin (all versions up to and including 2.7.9.8) allows authenticated Contributor-level users to permanently inject arbitrary JavaScript via the post title parameter in the post-duplicator extension. The CVSS Scope:Changed metric reflects that injected payloads execute in the browser contexts of other users - including administrators - who visit affected pages, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

WordPress XSS Exclusive Addons For Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-56812 MEDIUM PATCH This Month

Phoenix Framework's Presence JavaScript client allows any user with ordinary channel access to permanently break presence synchronization for all other viewers of an affected channel topic. By joining a channel using a key name that collides with an Object.prototype property (such as '__proto__', 'constructor', or 'toString'), an attacker causes an uncaught TypeError inside Presence.syncState and Presence.syncDiff that halts all further presence updates for every connected viewer until the attacker disconnects. This is not in CISA KEV, no public exploit has been identified, and the CVSS 4.0 score of 6.3 reflects the limited but persistent client-side availability impact with no server-side exposure.

Denial Of Service Phoenix
NVD GitHub
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-53877 MEDIUM PATCH This Month

Memory over-read in Django's GIS module allows unauthenticated remote attackers to potentially disclose adjacent heap memory or degrade service availability via a segmentation fault. The `django.contrib.gis.gdal.GDALRaster` class fails to correctly bound its read when constructed from a bytes object, exposing raw memory when the `vsi_buffer` property is subsequently accessed. Affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16; no public exploit identified at time of analysis and not listed in CISA KEV.

Python Information Disclosure Django
NVD VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-54601 MEDIUM PATCH This Month

Cross-tenant authorization bypass in FastGPT (versions 4.14.17 through pre-4.15.0-beta4) permits an authenticated tenant user to inject a foreign tenant's datasetId via the POST /api/core/dataset/collection/create/reTrainingCollection endpoint, corrupting ownership anchors in persisted dataset objects. Downstream dataset, collection, and training endpoints then derive authorization decisions from these poisoned records, granting the attacker cross-tenant read, update, and delete access to another tenant's data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the vendor released version 4.15.0-beta4 as the confirmed fix.

Information Disclosure Fastgpt
NVD GitHub
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-13356 MEDIUM This Month

Address bar spoofing in Firefox for iOS allows a remote unauthenticated attacker to display a trusted origin in the browser's address bar while the victim views and interacts with fully attacker-controlled content - a classic and effective phishing enabler. The attack exploits a race condition in navigation handling: a malicious page enqueues a synchronous JavaScript dialog at the moment a user navigates away, freezing the address bar on the destination's legitimate origin while the malicious page's content continues to render. No public exploit code has been identified and EPSS is 0.15% (4th percentile), indicating no observed widespread exploitation; however, the technique is conceptually simple and phishing value is high.

Apple Mozilla Information Disclosure
NVD VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-8306 MEDIUM This Month

Stored cross-site scripting in Armiya Information Technologies' Access Control System (GKS) versions before 2 allows an unauthenticated network attacker to persist malicious scripts in the application, which execute in the browser of any user who views the affected page. The scope change (S:C) in the CVSS vector indicates the injected payload breaks out of the application's security context and operates within the victim's browser environment, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Access Control System Gks
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-7380 MEDIUM This Month

Reflected XSS in Armiya Information Technologies' Access Control System (GKS) allows unauthenticated remote attackers to inject script-bearing HTML attributes into web pages served by the application, executing arbitrary JavaScript in the context of a victim's browser. All versions prior to Version 2 are affected, as reported by TR-CERT via Turkey's national cybersecurity authority. No public exploit code or confirmed active exploitation has been identified at time of analysis, but the low-complexity, no-privilege attack vector makes this straightforward to weaponize against authenticated users of the access control panel.

XSS Access Control System Gks
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58472 MEDIUM PATCH This Month

Heap buffer overflow in GNU Wget through 1.25.0 allows a remote server to corrupt client-side memory by serving a crafted HTML page containing attributes with a large number of characters requiring entity encoding. The flaw originates in the `html_quote_string()` function in `src/convert.c`, where a signed integer counter overflows during output size accumulation, causing an undersized heap allocation; the subsequent copy phase then writes beyond that buffer's bounds. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the memory corruption class warrants patching, particularly in environments where wget is used to fetch content from untrusted servers.

Integer Overflow Buffer Overflow Wget
NVD VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-58471 MEDIUM PATCH This Month

Heap buffer overflow in GNU Wget through 1.25.0 allows network-positioned attackers to corrupt heap memory by serving a maliciously crafted filename that triggers a flawed iconv E2BIG reallocation path in convert_fname() within src/url.c. The miscalculated remaining-space offset during reallocation writes beyond the allocated heap region, producing a high-availability impact (process crash) and limited integrity exposure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the fix is confirmed via upstream commit c2640fe on the official GNU Wget GitLab repository.

Heap Overflow Buffer Overflow Wget
NVD VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-54698 MEDIUM PATCH This Month

Row-level authorization bypass in Hasura GraphQL Engine prior to versions 2.49.2 and 2.45.5 permits low-privileged authenticated users to infer the contents of rows their role's permissions should suppress. By submitting crafted where-clause predicates against table computed fields returning SETOF results, an attacker exploits the query response as a boolean oracle - iteratively reconstructing protected column values through binary-search-style probing without ever directly retrieving the restricted rows. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 6.0 with VC:H reflects meaningful confidentiality exposure specifically in deployments relying on row-level security as a data boundary.

Authentication Bypass Oracle Graphql Engine
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-48952 MEDIUM This Month

Cross-site scripting in Joomla! CMS's com_installer component exposes the administrator backend to script injection via the update list view, stemming from missing output escaping (CWE-79). The CVSS 4.0 vector (PR:H/UI:P/E:U) confirms exploitation is constrained to sessions where a high-privilege administrator views the maliciously influenced update list, substantially limiting the attack surface. No public exploit code or active exploitation has been identified at time of analysis.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48950 MEDIUM This Month

Cross-site scripting in Joomla! CMS com_templates file management view allows a high-privileged attacker to inject unescaped malicious script that executes in the browser of any administrator who subsequently views the affected template file listing. Affected versions span Joomla! 4.0.0 through 5.4.6 and 6.0.0 through 6.1.1. No public exploit identified at time of analysis and the CVSS 4.0 supplemental metric E:U confirms no known active exploitation, but the wide install base and admin-targeting nature of the payload make this relevant to Joomla site operators.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48951 MEDIUM This Month

Cross-site scripting in Joomla! CMS modalreturn layout components enables a high-privileged attacker to inject and execute arbitrary JavaScript in a victim administrator's browser session. The root cause is insufficient output escaping in multiple component layouts that handle modal return values. No public exploit code has been identified and CISA KEV does not list this vulnerability; the CVSS 4.0 exploitation likelihood metric (E:U) further indicates no observed active exploitation at time of analysis.

XSS Joomla Cms
NVD
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48953 MEDIUM This Month

Cross-site scripting in Joomla! CMS's generic image output layout enables a high-privileged attacker to inject malicious script payloads that execute in the browsers of other authenticated users who view the affected content. The root cause is absent HTML output escaping in the image rendering component (CWE-79), allowing injected JavaScript to break out of the intended data context. No public exploit has been identified at time of analysis, and exploitation requires a pre-existing high-privileged Joomla account plus passive victim interaction, substantially limiting real-world exposure despite high impact scores on confidentiality and integrity.

XSS Joomla Cms
NVD
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48949 MEDIUM This Month

Cross-site scripting in Joomla! CMS multi-factor authentication management views allows a high-privileged attacker to inject persistent malicious scripts that execute in the browser of any administrator who subsequently views the MFA management interface. Affected versions span two major release lines: 4.2.0-5.4.6 and 6.0.0-6.1.1, representing a broad surface across both legacy and current deployments. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, successful exploitation yields high confidentiality and integrity impact against the victim administrator's browser session.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48954 MEDIUM This Month

Stored XSS in Joomla CMS's language override administrative feature allows a high-privileged attacker to inject malicious scripts that execute in the browser of any user who subsequently renders the affected language string. Rooted in CWE-79 (improper output neutralization), the vulnerability requires an administrative account to place the payload but can then target other admins or front-end users. No public exploit code has been identified at time of analysis (CVSS E:U), and the vulnerability is not listed in the CISA KEV catalog.

XSS Joomla Cms
NVD
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-53572 MEDIUM POC PATCH GHSA This Month

Connection string injection in KEDA's PostgreSQL scaler allows low-privileged tenants to inject arbitrary libpq connection parameters by embedding tab, newline, or other non-space whitespace characters into ScaledObject or TriggerAuthentication configuration fields. The `escapePostgreConnectionParameter` function in `pkg/scalers/postgresql_scaler.go` only detects literal spaces before quoting values, leaving all other libpq token delimiters unescaped; successful exploitation forces TLS downgrade (sslmode=disable) or redirects database connections to attacker-controlled hosts to steal operator-supplied credentials. A working proof-of-concept YAML payload is included in GitHub advisory GHSA-6w3m-4hhp-775q; no CISA KEV listing was present at time of analysis.

PostgreSQL RCE
NVD GitHub
CVSS 3.1
5.9
CVE-2026-53509 MEDIUM PATCH GHSA This Month

SSRF filter bypass in CKAN MCP Server (@aborruso/ckan-mcp-server) allows a low-privileged remote MCP caller to reach loopback and private network addresses by supplying hostname aliases such as 'ip6-localhost' as the server_url parameter to CKAN tools like ckan_package_search and sparql_query. The prior remediation for CVE-2026-33060 hardened only against dotted IPv4 literals, bracketed IPv6 literals, and the exact string 'localhost', leaving non-canonical loopback aliases unblocked in src/utils/http.ts. No public exploit code has been identified at time of analysis, and no active exploitation has been confirmed by CISA KEV; however, the bypass technique is straightforward given knowledge of the prior fix.

SSRF
NVD GitHub
CVSS 3.1
5.7
CVE-2026-50810 MEDIUM This Month

NULL pointer dereference in GPAC's smooth_parse_stream_index() function crashes the application when processing a maliciously crafted MPEG-DASH or Smooth Streaming media file, resulting in denial of service. Affected versions are all GPAC master HEAD builds prior to commit b35c61f104b85fbb16520ac2838d5d2ef70845b5. Exploitation requires local access and user interaction to open a crafted file; a proof-of-concept is publicly available via GitHub Gist, though EPSS sits at 0.17% (7th percentile) and no active exploitation has been confirmed by CISA KEV.

Denial Of Service Null Pointer Dereference N A
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-36163 MEDIUM This Month

An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser via the uploading of and user interaction with a crafted HTML file.

N A XSS
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-36162 MEDIUM This Month

Stored cross-site scripting in LiquidFiles v4.2.7 allows authenticated attackers to inject persistent malicious JavaScript or HTML via the Name parameter of the Upload File Shares API, executing in victims' browsers when they interact with the affected share. The scope-changed CVSS vector (S:C) confirms the payload executes outside the attacker's privilege context, enabling session hijacking, credential theft, or UI redress against other users. A security researcher published a write-up specifically documenting CSP bypass techniques to exploit this flaw, indicating the attack is non-trivial but achievable. No public exploit identified at time of analysis, and EPSS sits at 0.16% (5th percentile), suggesting low automated exploitation pressure.

XSS N A
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-8309 MEDIUM This Month

Reflected cross-site scripting in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows authenticated remote attackers to inject malicious scripts into web responses. The vulnerability (CWE-79) results from improper neutralization of user-supplied input during web page generation, with scope change (S:C) indicating execution context escapes to the victim's browser. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Access Control System Gks
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-14940 MEDIUM This Month

Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to corrupt heap memory and likely crash the LDAP service. The flaw triggers when the server processes an LDAP operation - such as a search request - whose base DN contains a legacy-quoted value encoding a multivalued nested Relative Distinguished Name (RDN), causing an out-of-bounds write during RDN attribute-value pair sorting. Per the confirmed CVSS vector (PR:N), no authentication is required; no public exploit code or CISA KEV listing has been identified at time of analysis.

Heap Overflow Denial Of Service Buffer Overflow Red Hat Directory Server 11 Red Hat Directory Server 12 +8
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-53878 MEDIUM PATCH This Month

Header injection in Django's DomainNameValidator allows network attackers to inject arbitrary HTTP response headers when applications pass validator-accepted domain values directly into HTTP responses, affecting Django 6.0 before 6.0.7 and 5.2 before 5.2.16. The validator silently accepts embedded newline characters in domain name strings, enabling HTTP response splitting that can facilitate session hijacking, open redirects, or cross-site scripting against end users. No public exploit code or CISA KEV listing exists at time of analysis; practical risk is narrowed significantly by Django's HttpResponse class independently rejecting newlines, meaning only non-standard code paths are exploitable.

Code Injection Python Django
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-57870 MEDIUM This Month

Broken object-level access control (BOLA) in MicroRealEstate's Template API through version 1.0.0-alpha3 permits authenticated users to retrieve document templates owned by other organizations on the same platform. Any low-privilege account holder can query template objects belonging to unrelated tenants by supplying arbitrary template identifiers, crossing multi-tenant isolation boundaries. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-59709 MEDIUM PATCH This Month

Ghostfolio's portfolio sharing impersonation feature exposes a missing authorization check on the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, allowing holders of read-only share tokens to modify portfolio holding tags they should only be able to view. Any user granted read-only access to another user's portfolio can exploit this flaw to assign or remove tags on holdings, silently corrupting the victim's portfolio categorization, reporting, and analytics. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Authentication Bypass Ghostfolio
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-44342 MEDIUM PATCH GHSA This Month

Cross-site request forgery in new-api's OAuth account binding endpoints allows an unauthenticated network attacker to silently rebind a logged-in user's email or WeChat identity to attacker-controlled credentials by luring the victim to a malicious page. Affected are all deployments running versions prior to v0.12.0-alpha.1 where the GET-based bind endpoints are reachable. No public exploit has been identified at time of analysis, and the default SameSite=Strict cookie configuration substantially limits real-world exploitability to environments that have weakened or overridden that default.

CSRF
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-26053 MEDIUM This Month

Incorrect privilege assignment in Gallagher Command Centre Server permits an authenticated low-privilege operator to execute operations restricted to higher-privilege roles, enabling unauthorized integrity impacts on physical security configurations. Affected versions span the 9.10 through 9.50 release lines, with patches available for 9.20-9.50 but no fix for the fully end-of-support 9.10 branch. No public exploit code exists and this vulnerability is not listed in CISA KEV; it was disclosed directly by the vendor Gallagher.

Information Disclosure Command Centre Server
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-34198 MEDIUM PATCH This Month

Password reset poisoning in Coolify prior to 4.0.0-beta.471 enables unauthenticated account takeover by injecting a forged X-Forwarded-Host header during a password reset request. Two compounding middleware failures make this possible: TrustProxies trusts all proxy sources unconditionally, and TrustHosts is rendered inoperable by a circular caching dependency, meaning the Host header is never validated. The reset URL is generated from the spoofed request host, so the victim's reset token is delivered to an attacker-controlled domain. No public exploit is identified at time of analysis, but the attack is low-friction and the fix is confirmed in version 4.0.0-beta.471.

Information Disclosure Coolify
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-55647 MEDIUM PATCH This Month

Stored XSS in DataEase dashboard text components allows any authenticated user with edit access to inject HTML containing executable event handlers that fire silently in the browser of every subsequent dashboard viewer, including unauthenticated shared-link recipients. All versions prior to 2.10.24 are affected due to the use of Vue's v-html directive to render stored component content without server-side sanitization. No public exploit or active exploitation has been confirmed at time of analysis; a vendor-released patch is available in version 2.10.24.

XSS Dataease
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-53648 MEDIUM This Month

File path collision in FOSSBilling's downloadable product service allows an authenticated administrator to silently overwrite another product's stored file by uploading a file with an identical original filename. Because FOSSBilling stores uploaded files at a path derived solely from md5(<original filename>), two uploads sharing the same filename map to the same storage location - the later upload wins, and customers downloading the earlier product receive the substituted file instead. No public exploit exists and this is not in CISA KEV, but the integrity and information-disclosure impact are concrete: customers may receive incorrect - potentially confidential - product files. Version 0.8.1 patches the issue.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-13199 MEDIUM PATCH This Month

Predictable KASLR offsets and RNG seeds in Raspberry Pi 5 and Compute Module 5 EEPROM firmware undermine kernel address space layout randomization across all affected devices and reboots. Because the entropy source is deterministic, any attacker who can identify the firmware version can predict kernel memory addresses, reducing KASLR to a known-offset bypass. This does not itself enable code execution, but it significantly lowers the bar for chaining with any memory-corruption vulnerability targeting these devices. No public exploit code has been identified at time of analysis and this is not listed in the CISA KEV catalog.

Information Disclosure Raspberry Pi 5 And Compute Module 5
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-58315 MEDIUM This Month

Cross-site request forgery in SEIKO EPSON Web Config allows a remote, unauthenticated attacker to trigger unintended configuration changes on Epson network devices by luring an authenticated administrator into visiting a malicious web page. The vulnerability (CWE-352) requires no privileges on the attacker's side but depends on an active, authenticated Web Config session on the victim's browser. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

CSRF
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2024-56141 MEDIUM This Month

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

Java Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.1%
CVE-2026-42147 MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Coolify prior to v4.0.0-beta.474 enables an authenticated user holding storage management permissions to coerce the application server into issuing HTTP requests to arbitrary internal addresses, including cloud instance metadata services. The vulnerable code path is Coolify's S3 storage endpoint testConnection() function, which blindly fetches the caller-supplied URL after only superficial format validation. No public exploit or CISA KEV listing exists at time of analysis, but cloud-hosted deployments face elevated risk because successful exploitation can expose cloud provider credentials via metadata endpoints such as AWS IMDSv1.

SSRF Coolify
NVD GitHub
CVSS 3.1
4.9
EPSS
0.3%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy