Skip to main content
CVE-2026-59800 CRITICAL POC PATCH GHSA Act Now

Remote unauthenticated OS command injection in 9Router before 0.4.44 lets attackers run arbitrary commands as root via the POST /api/tunnel/tailscale-install endpoint, which is excluded from the dashboard authorization middleware. The attacker-supplied sudoPassword field is piped to the stdin of a 'sudo -S sh' child process; when sudo does not prompt for a password, sh interprets that value as a shell command. Active exploitation evidence was reported by the Shadowserver Foundation on 2026-07-04; this is not (yet) listed in CISA KEV, and no public exploit code is referenced in the supplied data.

Command Injection
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
1.4%
CVE-2026-58473 CRITICAL POC PATCH Act Now

Instance-wide LLM configuration hijacking in Cognee before 1.2.0 lets any remote attacker self-register a normal account and overwrite the global LLM provider settings through the /api/v1/settings endpoint, which performs no admin or superuser authorization check. Because the configuration is held in a process-wide singleton cache, a single call redirects every user's LLM operations to an attacker-controlled endpoint, exfiltrating prompts, uploaded documents, extracted entities, and knowledge-graph content. This is confirmed publicly available exploit code exists (reported by VulnCheck, with a released vendor patch in v1.2.0), and the CVSS 4.0 score is 9.3 (Critical).

Authentication Bypass Cognee
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34048 CRITICAL PATCH Act Now

Improper authorization in Coolify's terminal websocket bootstrap routes lets any low-privileged team member execute arbitrary commands on team-managed servers, because the routes verify only that a request is authenticated but never check whether the caller is authorized to use the terminal. Affecting all Coolify versions prior to 4.0.0-beta.471, this CWE-285 flaw carries a critical 9.9 CVSS score with a scope change, effectively granting shell access to underlying infrastructure from a minimal application role. No public exploit identified at time of analysis, but the low complexity and low privilege bar make it a high-priority patch.

Authentication Bypass Coolify
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-34047 CRITICAL PATCH Act Now

Privilege escalation via broken authorization in Coolify's self-hosted server/application management platform lets any authenticated low-privilege user reach terminal WebSocket functionality for resources outside their authorized scope, prior to version 4.0.0-beta.471. Because the terminal bootstrap routes skipped the expected authorization middleware, an attacker with a valid account can potentially execute commands on servers and containers they should not control. No public exploit identified at time of analysis, and there is no CISA KEV listing, but the fix is confirmed in release v4.0.0-beta.471.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-34037 CRITICAL PATCH Act Now

Cross-tenant resource access in Coolify (self-hosted PaaS) before 4.0.0-beta.464 lets an authenticated user of one team clone resources into, and access resources owned by, other teams. The cloneTo() Livewire action in ResourceOperations.php checks authorization on the source resource but resolves destination resources with unscoped Eloquent lookups, breaking multi-tenant isolation. Rated CVSS 9.9 with scope change; no public exploit identified at time of analysis, but a fixing commit and vendor advisory are published.

Authentication Bypass PHP Coolify
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-14345 CRITICAL Act Now

Remote code execution in the WPFunnels (Funnel Builder for WooCommerce) WordPress plugin versions up to and including 3.12.7 lets attackers write attacker-controlled 'postData' into a PHP-includeable .log file that wpfnl_show_log later renders with include_once, yielding server-side code execution. The initial injection is fully unauthenticated because the nonce guarding the optin endpoint is publicly emitted on every funnel step page, though execution only fires once an administrator opens the poisoned log via the Log Settings View while the 'Enable Logs' toggle is active. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the pre-auth injection combined with a maximal 9.8 CVSS score makes it a high-priority patch for any exposed WooCommerce funnel deployment.

WordPress RCE File Upload
NVD VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-33264 CRITICAL PATCH Act Now

Remote code execution in Apache Airflow before 3.3.0 lets a DAG author embed a malicious trigger whose attacker-controlled class path is loaded via an unrestricted import_string() when the Scheduler or API Server deserializes the serialized DAG, executing arbitrary code in those privileged processes and breaking the core Airflow boundary that DAG-author code must never run in the Scheduler/API Server. Reported by Apache with a fix in 3.3.0, it currently has no public exploit identified and a low EPSS of 0.69% (48th percentile), and it is not listed in CISA KEV. The practical severity depends heavily on how much a deployment trusts its DAG authors, since exploitation requires the ability to submit a DAG.

Deserialization RCE Apache Apache Airflow
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-53481 CRITICAL PATCH Act Now

Path traversal leading to full system compromise affects Dell PowerProtect Data Domain (DD OS) versions 7.7.1.0 through 8.7, plus the LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches. Per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N), an unauthenticated remote attacker can traverse outside the intended directory to gain unauthorized access and, according to Dell, take complete control of the system. Dell rates this critical (9.8) and its tags note an authentication-bypass characteristic; no public exploit identified at time of analysis and it is not currently in CISA KEV.

Authentication Bypass Dell Path Traversal Powerprotect Data Domain
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-53483 CRITICAL PATCH Act Now

Improper authentication in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and LTS2024 branches) lets an unauthenticated, remote attacker bypass authentication and gain unauthorized access that Dell says can escalate to complete system control. Dell rates it critical (CVSS 9.8, CWE-287). No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network-facing, no-privilege attack profile makes it a high-priority patch for backup/data-protection infrastructure.

Authentication Bypass Dell Powerprotect Data Domain
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-13019 CRITICAL PATCH Act Now

Missing authentication in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes deployments) exposes a critical API endpoint that a remote, unauthenticated attacker can reach directly, bypassing access controls to interact with functionality that should require an authenticated session. Esri rates this critical (CVSS 9.8) and disclosed it in its June 2026 ArcGIS security bulletin; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the exposed function is an administrative/portal API reachable over the network with no credentials, successful access could lead to disclosure or manipulation of portal content and configuration.

Authentication Bypass Kubernetes Microsoft Portal For Arcgis
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-13020 CRITICAL PATCH Act Now

Account takeover in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes) stems from a weak forgotten-password recovery mechanism (CWE-640) that a remote, unauthenticated attacker can manipulate to assume ownership of another user's account. The flaw carries a CVSS 9.8 rating because it is network-reachable with no authentication or user interaction, yielding full compromise of confidentiality, integrity, and availability of the targeted account. There is no public exploit identified at time of analysis and EPSS is low (0.22%, 13th percentile), and CISA's SSVC framework records exploitation as none, indicating no observed in-the-wild activity despite the critical score.

Authentication Bypass Kubernetes Microsoft Portal For Arcgis
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-37270 CRITICAL Act Now

Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.

Authentication Bypass N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-37271 CRITICAL Act Now

Improper authentication in Fire-Boltt FB BGS001 smartwatch firmware MOY-JS14-2.0.4 lets a nearby attacker replay previously captured Bluetooth Low Energy (BLE) GATT Write Request packets to trigger device functionality without valid session validation. The device accepts write commands over BLE without sufficient authentication, so an attacker within radio range who has observed legitimate traffic can reissue those commands. A public technical writeup/PoC exists on GitHub (EmbdCDACHyd), but there is no evidence of active exploitation (SSVC Exploitation: none) and EPSS is low at 0.21% (11th percentile).

Authentication Bypass N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14739 CRITICAL PATCH Act Now

Heap out-of-bounds write in the Perl DBI database-interface module before version 1.650 occurs when DBI preparses a SQL statement containing an extreme number of placeholders. This is a regression: the fix for CVE-2026-10879 under-allocated the placeholder buffer and could not accommodate roughly 1.2 million placeholders, so DBI 1.650 now enforces a hard cap of 99,999 placeholders. Reported by CPANSec with a vendor patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.19%, 8th percentile).

Memory Corruption Buffer Overflow Dbi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-12375 CRITICAL PATCH Act Now

Full site takeover of WordPress installations running Uncanny Automator Pro before 7.3.0.6, caused by a supply-chain compromise of the vendor's build/distribution infrastructure that shipped a backdoored plugin build to customers. The injected backdoor hands unauthenticated attackers a working administrator session and beacons the site's secret keys and administrator details to attacker-controlled servers. This is a trojanized-update incident rather than a coding flaw; no public exploit is identified at time of analysis and EPSS probability is low (0.15%, 4th percentile), consistent with the threat being embedded in the code itself rather than requiring an external exploit.

WordPress Code Injection
NVD WPScan VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-53552 CRITICAL POC GHSA Act Now

Cross-namespace privilege escalation in goploy (zhenorzz/goploy through 1.17.5 and develop HEAD) lets any authenticated user holding the low-privilege `manager` role in their own namespace read, overwrite, plant, or delete project files in ANY other tenant's project, and rewrite any project's git remote URL, because the `/project/addFile`, `/project/editFile`, `/project/removeFile`, and `/project/edit` handlers act on body-supplied project/file row ids without verifying the target belongs to the caller's namespace. The rewritten git remote escalates to remote code execution on the next deploy, when goploy runs `git remote set-url origin <attacker-url>` and pulls attacker-controlled code under the goploy service account. A detailed proof-of-concept exists demonstrating all four primitives against the published Docker image, though no active exploitation has been reported.

Authentication Bypass Docker
NVD GitHub
CVSS 3.1
9.6
CVE-2026-53513 CRITICAL PATCH GHSA Act Now

Server-side request forgery in the @better-auth/sso plugin (versions >= 0.1.0 through < 1.6.11, and 1.7.0-beta.x) lets any authenticated Better Auth session register an OIDC provider with attacker-controlled endpoint URLs, which the auth server then fetches during callback and reflects into the user profile - a non-blind SSRF exposing cloud metadata (IMDS 169.254.169.254), internal APIs, and localhost-bound services like Redis. When trustEmailVerified is enabled it escalates to full account takeover via forged emailVerified claims. Carrying a CVSS 9.6 (scope-changed) rating with no public exploit identified at time of analysis, the flaw was reported by Vaadata and fixed in 1.6.11.

SSRF Redis
NVD GitHub
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-59705 CRITICAL PATCH Act Now

Unauthenticated data theft, tampering, and denial-of-service affects mem0's OpenMemory API server (openmemory/api component), where several API routers are mounted without any authentication middleware. Because CVSS 4.0 vector shows PR:N and CWE-306 (Missing Authentication for a Critical Function), remote attackers can pass arbitrary user_id values to read, overwrite, or delete any user's stored memories, and can trigger a global pause to break the service for everyone. Reported by VulnCheck with a vendor patch commit available; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Mem0
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-59707 CRITICAL PATCH Act Now

Server-side request forgery in LocalAI's POST /models/apply endpoint lets unauthenticated remote attackers coerce the server into issuing HTTP GET requests to arbitrary internal, private, and loopback addresses, with partial response bodies disclosed back through error messages. The flaw stems from passing attacker-controlled gallery URL fields into gallery.GetGalleryConfigFromURLWithContext without validation, giving attackers a network pivot from the internet into otherwise unreachable back-end services. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and the CVSS 4.0 base score is 9.2 (Critical).

SSRF Localai
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-59706 CRITICAL PATCH Act Now

Sensitive information disclosure and server-side request forgery in mem0's self-hosted server let unauthenticated remote attackers steal stored LLM provider credentials and pivot into internal infrastructure. Because the /api/v1/config/ endpoints require no authentication (CWE-306), an attacker can GET plaintext secrets such as OpenAI API keys and PUT a malicious ollama_base_url to coerce the server into requesting internal-only addresses like cloud instance metadata (IMDS). CVSS 4.0 rates this 9.2 (Critical); there is no public exploit identified at time of analysis, but the attack is trivial and reported by VulnCheck.

Authentication Bypass SSRF Mem0
NVD GitHub
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-14740 CRITICAL PATCH Act Now

Out-of-bounds read in the Perl DBI module's preparse() SQL-normalisation routine allows an attacker who controls SQL passed to the method (where the statement begins with a comment line) to trigger a one-byte read past a buffer, in all DBI releases before 1.650. On memory-hardened builds this faults and crashes the process (availability impact); on normal builds it produces nondeterministic newline retention. This is a CWE-125 flaw reported by CPANSec with no public exploit identified at time of analysis; EPSS is low at 0.19% (8th percentile) and it is not in CISA KEV.

Buffer Overflow Information Disclosure Dbi
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53512 CRITICAL PATCH GHSA Act Now

Confidential-client impersonation in better-auth below 1.6.11 lets an attacker who holds any leaked refresh_token and the public client_id mint fresh access tokens and rotated refresh tokens indefinitely. The deprecated oidcProvider() and mcp() plugins expose an OAuth 2.0 token endpoint whose refresh_token grant authenticates solely on the bound refresh-token row plus a matching client_id, never verifying the registered client_secret - a regression, since the same plugins' authorization_code grant does enforce the secret. No public exploit identified at time of analysis; the flaw was reported by @subhanUmer and fixed by the maintainers, with no CISA KEV listing or EPSS score supplied in the input.

Authentication Bypass XSS Canonical
NVD GitHub
CVSS 4.0
9.1
EPSS
0.3%
CVE-2026-4375 CRITICAL Act Now

Remote code execution affects the DoLeads Integrator and wp2epub WordPress plugins (both versions through 0.65), which WPScan reports have been observed being leveraged to run arbitrary code on a blog once installed. The plugins are reachable via a broader flaw that lets unauthorized users install 'unclosed'/withdrawn extensions from the wordpress.org repository, turning plugin installation into a code-execution primitive. No public exploit has been identified at time of analysis, and EPSS remains very low (0.15%, 5th percentile), indicating no observed widespread exploitation despite the high CVSS.

WordPress Authentication Bypass
NVD WPScan VulDB
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-27823 CRITICAL PATCH GHSA Act Now

Remote code execution in EGroupware lets an attacker chain a broken authorization check with an arbitrary file write and an arbitrary file read to fully compromise the server. An authenticated user can forge the participant_role field in a SmallPartMediaRecorder::ajax_upload() request to impersonate a course teacher, then use path traversal to read and overwrite header.inc.php with valid but attacker-controlled PHP, yielding code execution after OPcache refresh or a setup-password change. Where self-registration is enabled the entire chain becomes reachable pre-authentication. No public exploit has been identified, but the advisory documents a complete, reproducible technique.

File Upload Path Traversal RCE PHP
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy