Skip to main content
CVE-2026-10659 MEDIUM PATCH This Month

Kernel denial-of-service in Zephyr RTOS v4.4.0's Dhara flash translation layer driver crashes the system during FTL disk initialization when a flash error coincides with the journal-resume checkpoint scan. The driver's dhara_nand_read/erase/prog/copy callbacks unconditionally dereference the caller-supplied err pointer, but the upstream Dhara library legitimately passes NULL during its binary search in find_last_checkblock(), triggering a NULL write and kernel fault. No public exploit code has been identified and this CVE is absent from the CISA KEV catalog; exploitation is gated on specific flash media conditions (uncorrectable ECC, bad block, or induced fault) occurring on a checkpoint page at mount time, constraining real-world risk to physical or supply-chain threat models.

Denial Of Service Checkpoint Null Pointer Dereference Zephyr
NVD GitHub
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-10834 MEDIUM PATCH This Month

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This removes the targeted media from its original location and can break content across the site.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
4.6
EPSS
0.1%
CVE-2026-14969 MEDIUM This Month

Attribute encryption in the 389-ds-base LDBM backend exposes a cryptographic design flaw affecting Red Hat Directory Server 11, 12, and 13 across all supported RHEL releases (6 through 10). The LDBM backend applies a static, hardcoded initialization vector (IV) for both AES-CBC and 3DES-CBC encryption of directory attribute values, meaning that two entries storing identical plaintext for an encrypted attribute will always produce identical ciphertext blocks - a classic ciphertext equality oracle. An attacker with privileged filesystem-level read access to the LDBM database files can exploit this to determine whether any two encrypted attribute values are identical, leaking relational information about the directory without recovering plaintext. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Information Disclosure Red Hat Directory Server 11 Red Hat Directory Server 12 Red Hat Directory Server 13 Red Hat Enterprise Linux 10 +6
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-48891 MEDIUM PATCH This Month

Incomplete authorization filtering in Apache Airflow's `/ui/dependencies` scheduling graph endpoint exposes restricted DAG identifiers to authenticated users who lack read permission on those DAGs. The endpoint correctly filters top-level serialized DAG keys against the caller's ACL but leaks referenced DAG IDs through `dep.source` and `dep.target` fields of trigger and sensor dependency entries, enabling cross-team DAG enumeration in multi-tenant deployments. This is a residual gap from an incomplete fix for CVE-2026-28563; no public exploit has been identified at time of analysis, and a vendor patch is available in apache-airflow 3.3.0.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-34170 MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Coolify's GitHub App integration exposes internal network services and cloud metadata endpoints to authenticated low-privilege users. Versions prior to 4.0.0-beta.471 allow any authenticated user to set the GithubApp api_url field to an arbitrary URL - including RFC 1918 private addresses or cloud instance metadata endpoints like 169.254.169.254 - which Coolify then fetches server-side without restriction. No public exploit identified at time of analysis, but the attack pattern is well understood and particularly dangerous in cloud-hosted deployments where metadata endpoints may expose IAM credentials.

SSRF Coolify
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-53487 MEDIUM POC PATCH GHSA This Month

Cluster-level RBAC bypass in Kite (github.com/zxh326/kite) v0.12.2 allows any authenticated user to retrieve aggregate inventory and capacity data from Kubernetes clusters they are not authorized to access. By supplying an arbitrary cluster name in the `x-cluster-name` header, a low-privileged user scoped to one cluster can enumerate node counts, pod counts, namespace counts, service counts, and CPU/memory resource totals from other configured clusters. No public exploit identified at time of analysis, though the reporter provided and validated a working Go proof-of-concept test demonstrating the bypass.

Authentication Bypass Kubernetes
NVD GitHub
CVSS 3.1
4.3
CVE-2026-14935 LOW Monitor

GStreamer's webrtcbin component accepts remote SDP offers and answers that are missing the required a=fingerprint attribute due to an inverted boolean logic check in _check_sdp_crypto(), undermining the DTLS certificate fingerprint binding that protects WebRTC media streams from interception. An attacker already positioned as a man-in-the-middle on the WebRTC signaling channel can strip the a=fingerprint attribute from SDP messages, which the vulnerable code then incorrectly accepts, allowing the attacker to substitute their own DTLS certificate and intercept or tamper with encrypted media. No public exploit code exists and no CISA KEV listing has been issued; however, the flaw is architecturally significant because it silently voids a key WebRTC security guarantee rather than causing an obvious crash.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-34149 LOW PATCH Monitor

Command injection in Coolify's DatabaseBackupJob allows authenticated users holding database management permissions to execute arbitrary OS commands on managed servers by embedding shell metacharacters in database credentials or MongoDB collection exclusion names. All Coolify releases prior to 4.0.0-beta.471 are affected. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV; however, the practical impact substantially exceeds the official CVSS 3.3 Low rating because successful exploitation grants attacker-controlled shell execution on production infrastructure managed by the platform.

Command Injection Coolify
NVD GitHub
CVSS 3.1
3.3
EPSS
0.2%
CVE-2026-42201 LOW PATCH Monitor

OS command injection in Coolify's database service configuration API allows authenticated administrators to execute arbitrary shell commands within Docker container contexts by embedding shell metacharacters into database credential fields. All Coolify versions prior to 4.0.0-beta.474 are affected, covering deployments managing Redis, KeyDB, Dragonfly, ClickHouse, PostgreSQL, and MySQL services. No public exploit code has been identified at time of analysis, and the CVSS PR:H requirement confines the attack surface to already-privileged admin accounts, positioning this as a post-compromise escalation risk rather than an initial access vector.

Command Injection Docker Coolify
NVD GitHub VulDB
CVSS 3.1
3.3
EPSS
0.2%
CVE-2026-42145 LOW PATCH Monitor

Coolify's database backup restore file upload endpoint accepts uploads without enforcing any file type or size constraints, enabling an authenticated user to degrade service availability by uploading oversized or unexpected files. All releases prior to 4.0.0-beta.474 are affected per CPE cpe:2.3:a:coollabsio:coolify. No public exploit code exists and the vulnerability is not listed in CISA KEV; with a CVSS score of 3.1 and availability-only impact, this represents a low-priority issue for most operators, especially given the authenticated access requirement.

PHP File Upload Coolify
NVD GitHub
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-42172 LOW PATCH Monitor

Sanctum API tokens in Coolify never expire prior to v4.0.0-beta.474, meaning any token that is leaked or stolen remains permanently valid until an administrator manually revokes it. This affects the self-hosted server, application, and database management platform across all versions below 4.0.0-beta.474. An attacker who obtains a valid API token via secondary means retains indefinite read access to the Coolify API without natural time-bounded expiry as a safeguard. No public exploit has been identified at time of analysis, and the low CVSS score of 3.1 reflects the constrained real-world impact.

Information Disclosure Coolify
NVD GitHub
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-27844 LOW Monitor

Uncaught Exception in the Gallagher Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated and authorized operator to force a controller restart by sending specific crafted requests, causing a temporary denial of service. Affected versions span Gallagher Command Centre 9.20 through 9.50 (pre-patch) and all versions of 9.10 and earlier. No public exploit code exists and no active exploitation has been identified; the high privilege requirement substantially limits real-world attack surface to insider or compromised-operator scenarios.

Denial Of Service Controller 7000 And 6000
NVD VulDB
CVSS 3.1
2.7
EPSS
0.2%
CVE-2026-27790 LOW Monitor

Gallagher Command Centre's T20 Readers component crashes and restarts when an authenticated, high-privilege operator sends specific crafted requests, causing a temporary denial of service. Exploitation requires existing operator-level credentials and authorization - this cannot be triggered by unauthenticated or low-privilege users. The vulnerability carries a CVSS 2.7 (Low) score with no public exploit code and no CISA KEV listing, indicating minimal real-world threat beyond insider misuse or compromised operator accounts.

Denial Of Service T 20 Readers
NVD
CVSS 3.1
2.7
EPSS
0.2%
CVE-2026-28378 LOW Monitor

Cross-organization authorization bypass in Grafana OSS and Enterprise allows an authenticated Org Admin to delete public dashboards owned by a different organization by supplying the target dashboard's identifiers to the deletion endpoint. The missing tenant-isolation check on the delete operation means any Org Admin - regardless of their organizational scope - can reach and destroy dashboards across organizational boundaries. No public exploit has been identified at time of analysis, and the low CVSS score of 3.1 reflects the constrained impact and prerequisite of an existing Org Admin credential.

Grafana Enterprise Grafana Oss Authentication Bypass
NVD VulDB
CVSS 3.1
2.7
EPSS
0.1%
CVE-2026-48588 LOW PATCH Monitor

Cache poisoning in Django's UpdateCacheMiddleware and cache_page() decorator exposes private user data to unauthenticated remote attackers by incorrectly serving cached responses across different cookie contexts. Versions 6.0 before 6.0.7 and 5.2 before 5.2.16 are confirmed affected; older unsupported branches (5.0.x, 4.1.x, 3.2.x) were not evaluated but may share the flaw. No public exploit or CISA KEV listing exists at time of analysis, and the low CVSS 4.0 score of 2.3 reflects meaningful preconditions, though the data-disclosure consequence for applications serving personalized, cookie-gated content through a shared cache is concrete.

Python Information Disclosure Django
NVD VulDB
CVSS 4.0
2.3
EPSS
0.4%
CVE-2026-59153 LOW PATCH GHSA Monitor

Cross-origin request forgery against Anki's local HTTP server allows a malicious website to trigger unauthorized side-effecting requests to the application while it is running on the victim's machine. All Anki versions prior to 25.09.3 are affected (CPE: cpe:2.3:a:ankitects:anki:*:*:*:*:*:*:*:*). The practical severity varies significantly by browser: implementations with Private Network Access (PNA) protections block such requests by default, limiting real-world impact to older or less-restrictive browser configurations. No public exploit identified at time of analysis, though security researcher Tavis Ormandy (Google Project Zero) publicly discussed the issue on X, indicating independent researcher awareness.

Information Disclosure Anki
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-53508 MEDIUM PATCH GHSA This Month

Security-control bypass in oasdiff v1.13.2-v1.18.0 silently negates the `--allow-external-refs=false` safety flag when loading OpenAPI specifications via the git-revision input form (`rev:path`, e.g. `main:openapi.yaml`), leaving callers exposed to SSRF and local file disclosure despite explicitly intending to sandbox untrusted spec processing. Malicious `$ref` URIs embedded in a spec - pointing to internal HTTP endpoints or local filesystem paths - are resolved on the git-revision load path even when the policy is set, while the file-path and URL load paths correctly enforce the restriction. No public exploit code has been identified at time of analysis and the vulnerability is not in CISA KEV; vendor-released patch v1.18.1 is available.

SSRF
NVD GitHub
CVE-2026-53533 MEDIUM PATCH GHSA This Month

SMTP command injection in aiosmtplib (all versions through 5.1.0) enables any attacker who can influence email addresses passed to SMTP.mail(), SMTP.rcpt(), SMTP.vrfy(), SMTP.expn(), or the higher-level SMTP.sendmail() to inject arbitrary SMTP protocol commands by embedding CR/LF bytes in the address string. Applications that accept sender or recipient addresses from untrusted input - web forms, APIs - and forward them to these methods without CR/LF sanitization are at risk of session desynchronization, client-side denial of service via SMTP client hang, or delivery of attacker-crafted email through the victim application's SMTP connection. No vendor-released patch version is confirmed from available data at time of analysis, and no public exploit has been identified.

Command Injection Denial Of Service
NVD GitHub
CVE-2026-53531 MEDIUM POC PATCH GHSA This Month

Unbounded recursive descent in the RaTeX Rust crate ratex-parser crashes the entire host process when fed deeply nested LaTeX input. The mutual recursion across parse_expression, parse_atom, and parse_group in crates/ratex-parser/src/parser.rs carries no depth guard, so roughly 200,000 nested braces (~400 KB of input, or far less on async worker threads with 512 KB stacks) exhausts the native OS stack and triggers a fatal SIGABRT from which the process cannot recover. In any server-side math rendering deployment that accepts untrusted LaTeX, this constitutes a reliable unauthenticated denial-of-service; publicly available exploit code confirms trivial reproduction with a Python one-liner.

Denial Of Service
NVD GitHub
CVE-2026-53530 HIGH POC PATCH GHSA This Week

Denial of service in RaTeX, a Rust LaTeX-rendering library (crate ratex-parser), lets remote attackers crash any service that parses untrusted LaTeX by submitting a 9-byte `\verb` command whose delimiter is a multibyte UTF-8 character (e.g. `\verbéxé`). The parser slices the verbatim argument using byte indices rather than character boundaries, so index 1 lands inside the `é` character and Rust panics; because the release profile sets `panic = "abort"`, the panic terminates the entire process, not just one request. Publicly available exploit code exists (a one-line PoC in the GHSA advisory); no active exploitation is reported.

Denial Of Service
NVD GitHub
CVE-2026-40187 HIGH POC PATCH GHSA This Week

Authenticated OS command execution in EGroupware allows an administrator to escalate from web-application access to arbitrary shell commands as the web server user (typically www-data). The flaw lives in the eTemplate engine's Widget::expand_name(), where widget attribute values are passed into a PHP eval() with only double-quotes escaped, leaving backtick shell-execution operators intact; an admin uploads a malicious .xet template to the /etemplates VFS mount to trigger it. A detailed proof-of-concept is published in the vendor's GitHub Security Advisory (publicly available exploit code exists), though there is no evidence of active exploitation.

Command Injection PHP RCE Docker
NVD GitHub
CVE-2026-34151 HIGH PATCH GHSA This Week

Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). Depending on how deep the webapp sits below root, this exposes both in-webapp secrets such as WEB-INF/xwiki.cfg and Hibernate configuration, and out-of-webapp OS files like /etc/passwd. No public exploit or active exploitation is tracked, but the vendor advisory (GHSA-qj4x-9g63-25g6) itself publishes working request URLs, so weaponization is trivial.

Atlassian Information Disclosure Tomcat Docker
NVD GitHub
CVE-2026-27823 CRITICAL PATCH GHSA Act Now

Remote code execution in EGroupware lets an attacker chain a broken authorization check with an arbitrary file write and an arbitrary file read to fully compromise the server. An authenticated user can forge the participant_role field in a SmallPartMediaRecorder::ajax_upload() request to impersonate a course teacher, then use path traversal to read and overwrite header.inc.php with valid but attacker-controlled PHP, yielding code execution after OPcache refresh or a setup-password change. Where self-registration is enabled the entire chain becomes reachable pre-authentication. No public exploit has been identified, but the advisory documents a complete, reproducible technique.

File Upload Path Traversal RCE PHP
NVD GitHub
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy