Skip to main content
CVE-2026-44512 MEDIUM POC PATCH GHSA This Month

Null pointer dereference in the ONNX Python library's version converter crashes any application that calls `onnx.version_converter.convert_version()` on a crafted model containing an Upsample node with zero inputs, producing an unrecoverable SIGSEGV. Affected versions include at minimum onnx 1.21.0 and 1.22.0, confirmed by a 107-byte public proof-of-concept; the vulnerability is part of a systemic pattern spanning eight adapters. No public active exploitation is confirmed in CISA KEV, but the trivially small PoC eliminates any meaningful exploitation barrier for threat actors targeting ML model conversion pipelines.

Python Denial Of Service Null Pointer Dereference
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-58468 MEDIUM POC This Month

Server-side request forgery in NocoBase through v2.1.20 allows authenticated administrators to issue arbitrary outbound HTTP requests via the serverRequest wrapper, enabling internal network enumeration and cloud instance metadata exfiltration. The attack surface spans workflow request nodes, custom request action buttons, and the AI plugin - all of which accept administrator-supplied URLs without adequate server-side validation. A publicly available proof-of-concept exists per VulnCheck reporting; no CISA KEV listing is present, indicating no confirmed widespread active exploitation at time of analysis, though the IAM credential theft potential elevates real-world impact significantly for cloud-hosted deployments.

SSRF Nocobase
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-12352 MEDIUM CISA This Month

Authentication bypass in Digi International PortServer TS 1/2/4 and Digi One SP/SP IA/IA serial device servers permits remote unauthenticated attackers to circumvent authorization controls and access restricted device resources. The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms remote, credential-free exploitation but places High Attack Complexity on the flaw, indicating specific preconditions must be met - limiting opportunistic or automated mass exploitation. Impact is strictly confidentiality (C:H/I:N/A:N), meaning successful exploitation exposes restricted data or configuration without enabling modification or service disruption; no public exploit and no CISA KEV listing have been identified at time of analysis.

Authentication Bypass Portserver Ts 1 2 4 Digi One Sp Sp Ia Ia
NVD VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-53647 MEDIUM This Month

Unauthenticated information disclosure in FOSSBilling 0.5.3-0.7.2 exposes administrator-defined custom API key configuration fields (`custom_*`) to any caller possessing a valid API key via the guest-tier `serviceapikey/get_info` endpoint. The affected fields may contain business-sensitive operational data including pricing tiers, feature flags, rate limits, expiry overrides, and access scope data as populated by billing administrators. No public exploit has been identified and no CISA KEV listing exists, but the network-accessible, low-complexity nature of the flaw makes it trivially exploitable by any party holding or able to obtain a valid API key. Vendor patch is confirmed available in version 0.8.0.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-55417 MEDIUM PATCH This Month

Chevereto's `/json` AJAX listing endpoint fails to enforce the private profile access control that the HTML profile route correctly applies, exposing user images and usernames to unauthenticated callers. Versions 3.7.5 through 4.5.3 are affected across both the commercial Chevereto product and the Chevereto Free (rodber/chevereto-free) variant. An unauthenticated attacker who knows a target's numeric user ID can bypass the privacy setting to retrieve all publicly-scoped media and recover the username the victim explicitly chose to hide. No public exploit is identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Authentication Bypass Chevereto Chevereto Chevereto Rodber Chevereto Free
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-58470 MEDIUM PATCH This Month

Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sessions by supplying crafted Content-Range response headers. The parse_content_range() function in src/http.c performs signed integer arithmetic on server-supplied values without overflow guards, triggering undefined behavior under C's signed overflow rules and causing download desynchronization on the affected client. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is known at time of analysis; real-world impact is bounded to availability disruption rather than host compromise based on current data.

Integer Overflow Buffer Overflow Wget
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-12948 MEDIUM CISA This Month

Stored cross-site scripting in the web management interfaces of Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA serial device servers allows a remote, authenticated administrator to persist malicious script payloads in system configuration fields. The injected script executes in the browser of any user who subsequently views the affected configuration pages, enabling session hijacking, credential theft, or UI redress attacks against those users. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 4.8 reflects the high-privilege prerequisite that meaningfully constrains real-world risk.

XSS Digi Portserver Ts Digi One Sp Digi One Sp Ia Digi One Ia
NVD VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-14867 MEDIUM PATCH This Month

Insecure credential storage in PcVue exposes built-in user account passwords to any local attacker with low-privileged filesystem access, across all versions prior to 17.0.0. The credentials are stored unprotected in the project's User directory, recoverable without elevated OS privileges. No public exploit code has been identified at time of analysis, but in OT/SCADA environments where PcVue is deployed, recovered credentials could enable unauthorized control of industrial processes.

Information Disclosure Pcvue
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-55490 MEDIUM PATCH This Month

Integer underflow in the OpenWrt Emergency Access Daemon crashes the daemon when any unauthenticated attacker on the local network sends a single crafted UDP packet to it. Affected are all OpenWrt versions prior to v25.12.5. The CVSS adjacent-network vector (AV:A) constrains the attack surface to local or adjacent network segments, but within that context exploitation requires no credentials and no user interaction - a single malformed packet suffices. No public exploit code or CISA KEV listing has been identified at time of analysis; the patch is confirmed available in v25.12.5.

Integer Overflow Denial Of Service Openwrt
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-44877 MEDIUM This Month

Sensitive cryptographic material on HPE Networking Instant On 1830, 1930, and 1960 switches is exposed to remote network actors through an information disclosure vulnerability. Exploitation allows retrieval of cryptographic secrets such as private keys, certificates, or pre-shared credentials, which could subsequently enable man-in-the-middle attacks, traffic decryption, or device impersonation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Information Disclosure Hpe Networking Instant On
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-12799 MEDIUM PATCH This Month

Cross-site scripting in Jastow - the JSP implementation layer embedded within Red Hat JBoss Enterprise Application Platform alongside Undertow - allows unauthenticated remote attackers to inject and execute malicious scripts when a specific combination of configurations permits unescaped characters to pass through URL processing. Affected deployments span JBoss EAP 7, EAP 8, the Expansion Pack, and linked products such as Red Hat Single Sign-On 7 that share this component. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Red Hat Jboss Enterprise Application Platform 7 Red Hat Jboss Enterprise Application Platform 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7 +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49296 MEDIUM PATCH This Month

{dag_id}` endpoint and its UI equivalent perform authorization only on the requested DAG identifier, not on the full file contents returned. No public exploit has been identified and the issue is not listed in CISA KEV, but it directly undermines per-DAG access control in multi-tenant or team-partitioned Airflow deployments.

Authentication Bypass Apache Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49487 MEDIUM PATCH This Month

Apache Airflow REST API exposes provider secrets in plaintext through the task-instance detail and list endpoints when tasks are in a deferred state. Any authenticated user holding DAG-scoped task-instance read access - a permission commonly granted to non-admin roles - can retrieve API keys, passwords, or other secrets passed by deferred operators into trigger kwargs. Fixed in Apache Airflow 3.3.0; no public exploit code identified at time of analysis, though exploitation is trivially achievable by any authenticated user with the requisite read permission.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48828 MEDIUM PATCH This Month

Sensitive credential exposure in Apache Airflow's Bulk Variables API allows authenticated users with bulk Variable read permission to retrieve plaintext values from JSON-typed variables whose key names use secret-suffixed conventions such as `*_password`, `*_token`, or `*_secret`. The redactor function was invoked without passing the variable key, so the `should_hide_value_for_key` check - which is responsible for masking secrets based on key-name patterns - could never fire for JSON-decodable variable values. This affects all deployments prior to 3.3.0 that store sensitive credentials in JSON-typed Airflow Variables under secret-suffixed key names; no public exploit has been identified at time of analysis, and exploitation is bounded by the requirement for authenticated access with a specific permission grant.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48892 MEDIUM PATCH This Month

Apache Airflow's Config API leaks plaintext secrets-backend credentials to authenticated users with Config read permission, because per-key environment variable overrides (e.g., AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID) generate synthetic config entries whose names are absent from the sensitive_config_values masking list. Affected deployments are those that configure secrets backends such as HashiCorp Vault via these per-key environment variable patterns, exposing credentials like Vault role_id and secret_id through normal API responses. No public exploit has been identified at the time of analysis; the vendor-released fix is apache-airflow 3.3.0.

Hashicorp Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-50811 MEDIUM This Month

Out-of-bounds read in FreeType 2.14.3 exposes partial heap memory and risks process crashes when processing crafted variable fonts via the TT_Get_Var_Design code path. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects server-side or automated font processing pipelines where untrusted font data reaches FT_Get_Var_Design_Coordinates without authentication barriers. No active exploitation is confirmed in CISA KEV; however, a researcher-published gist suggests working proof-of-concept material exists, and EPSS at 0.17% (7th percentile) indicates minimal observed exploitation activity to date.

Buffer Overflow Information Disclosure N A
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-58266 MEDIUM PATCH This Month

Arbitrary file read and exfiltration in Anki prior to 25.09.4 allows a remote attacker to access sensitive files on a victim's system by distributing a maliciously crafted card package (.apkg). The root cause is an origin validation failure (CWE-346) in Anki's internal localhost API, which fails to block iframe-embedded scripts from accessing privileged backend methods such as getImageForOcclusion. Exploitation requires the victim to import the malicious deck; no public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Anki
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-45016 MEDIUM POC PATCH GHSA This Month

Arbitrary file read in EGroupware's mail composition module allows any authenticated user with mail access to exfiltrate files readable by the web server process. The vulnerability stems from a defective URI scheme check in `api/src/Mail.php` that correctly rejects `data:` URIs but inadvertently permits `file://` URIs, which PHP's `file_get_contents()` resolves natively against the local filesystem. A publicly available proof-of-concept exists demonstrating `/etc/passwd` extraction via a crafted HTML email body; no active exploitation (CISA KEV) has been confirmed at time of analysis.

RCE PHP
NVD GitHub
CVSS 3.1
6.5
CVE-2026-48958 MEDIUM This Month

Incorrect access control in Joomla! CMS exposes com_fields REST API webservices endpoints to users who lack the required permissions, allowing them to create custom field definitions that should be restricted to higher-privileged roles such as Manager or Administrator. The flaw originates from a missing or incorrectly evaluated ACL check in the webservices layer and is confirmed by Joomla's own Security Centre in advisory 20260712. No public exploit has been identified at time of analysis, though the CVSS scope-change metrics indicate potential for significant downstream impact to site content and dependent integrations if unauthorized field definitions are used to inject malicious markup.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.3%
CVE-2026-48947 MEDIUM This Month

Improper access control in Joomla! CMS's com_media webservice endpoints allows privileged users to overwrite media files even when they lack explicit editing permissions. The flaw affects two active release lines - 4.1.0 through 5.4.6 and 6.0.0 through 6.1.1 - and is confirmed by the Joomla Security Centre. The CVSS 4.0 vector (SC:H/SI:H/SA:H) indicates that while the direct impact on the vulnerable system is limited (VI:L), successful exploitation can cascade into high-impact consequences on the broader site or dependent systems. No public exploit or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-48955 MEDIUM This Month

Unauthorized access to workflow stage and transition data in Joomla! CMS is possible due to an improper access check in the com_workflow component (CWE-284), allowing authenticated users who lack the necessary workflow management permissions to read internal content publication configuration. The CVSS 4.0 vector assigns high subsequent-system impacts (SC:H/SI:H/SA:H), suggesting the vendor assessed this metadata exposure as a meaningful enabler of broader content pipeline compromise. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-48956 MEDIUM This Month

Incorrect access control in Joomla! CMS's com_modules component exposes the module listing interface to frontend users who should not have visibility into installed modules. The flaw stems from CWE-284 (Improper Access Control), where the frontend fails to enforce sufficient privilege checks before returning module enumeration data. No public exploit or CISA KEV listing has been identified at time of analysis, and the EPSS score is not provided in source data, but the CVSS 4.0 score of 6.4 reflects meaningful subsequent-system impact potential stemming from reconnaissance value of the disclosed module inventory.

Authentication Bypass Joomla Cms
NVD
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-48957 MEDIUM This Month

Improper access control in Joomla! CMS exposes com_privacy component webservice endpoints to users lacking the required authorization, allowing unauthorized reads of GDPR/privacy datasets. The flaw is classified as CWE-284 and impacts downstream systems at high severity per the vendor-supplied CVSS 4.0 vector, despite requiring high privileges on the vulnerable system itself - a tension that suggests role-boundary bypass rather than fully unauthenticated access. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-48948 MEDIUM This Month

Improper access control in Joomla! CMS com_contact component exposes restricted contact records via vcard (VCF) export to authenticated users who should not have access. Affecting versions 3.0.0 through 5.4.6 and 6.0.0 through 6.1.1, the flaw allows an authenticated user to bypass access restrictions and download vcard exports of contacts that have been explicitly restricted from their view. No public exploit code or active exploitation has been identified at time of analysis, but the wide deployment footprint of Joomla and the breadth of affected versions (spanning both the 3.x/5.x and 6.x branches) make patching a priority for sites using the com_contact component.

Authentication Bypass Joomla Cms
NVD
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-11328 MEDIUM This Month

Stored XSS in the Exclusive Addons for Elementor WordPress plugin (all versions up to and including 2.7.9.8) allows authenticated Contributor-level users to permanently inject arbitrary JavaScript via the post title parameter in the post-duplicator extension. The CVSS Scope:Changed metric reflects that injected payloads execute in the browser contexts of other users - including administrators - who visit affected pages, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

WordPress XSS Exclusive Addons For Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-56812 MEDIUM PATCH This Month

Phoenix Framework's Presence JavaScript client allows any user with ordinary channel access to permanently break presence synchronization for all other viewers of an affected channel topic. By joining a channel using a key name that collides with an Object.prototype property (such as '__proto__', 'constructor', or 'toString'), an attacker causes an uncaught TypeError inside Presence.syncState and Presence.syncDiff that halts all further presence updates for every connected viewer until the attacker disconnects. This is not in CISA KEV, no public exploit has been identified, and the CVSS 4.0 score of 6.3 reflects the limited but persistent client-side availability impact with no server-side exposure.

Denial Of Service Phoenix
NVD GitHub
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-53877 MEDIUM PATCH This Month

Memory over-read in Django's GIS module allows unauthenticated remote attackers to potentially disclose adjacent heap memory or degrade service availability via a segmentation fault. The `django.contrib.gis.gdal.GDALRaster` class fails to correctly bound its read when constructed from a bytes object, exposing raw memory when the `vsi_buffer` property is subsequently accessed. Affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16; no public exploit identified at time of analysis and not listed in CISA KEV.

Python Information Disclosure Django
NVD VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-54601 MEDIUM PATCH This Month

Cross-tenant authorization bypass in FastGPT (versions 4.14.17 through pre-4.15.0-beta4) permits an authenticated tenant user to inject a foreign tenant's datasetId via the POST /api/core/dataset/collection/create/reTrainingCollection endpoint, corrupting ownership anchors in persisted dataset objects. Downstream dataset, collection, and training endpoints then derive authorization decisions from these poisoned records, granting the attacker cross-tenant read, update, and delete access to another tenant's data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the vendor released version 4.15.0-beta4 as the confirmed fix.

Information Disclosure Fastgpt
NVD GitHub
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-13356 MEDIUM This Month

Address bar spoofing in Firefox for iOS allows a remote unauthenticated attacker to display a trusted origin in the browser's address bar while the victim views and interacts with fully attacker-controlled content - a classic and effective phishing enabler. The attack exploits a race condition in navigation handling: a malicious page enqueues a synchronous JavaScript dialog at the moment a user navigates away, freezing the address bar on the destination's legitimate origin while the malicious page's content continues to render. No public exploit code has been identified and EPSS is 0.15% (4th percentile), indicating no observed widespread exploitation; however, the technique is conceptually simple and phishing value is high.

Apple Mozilla Information Disclosure
NVD VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-8306 MEDIUM This Month

Stored cross-site scripting in Armiya Information Technologies' Access Control System (GKS) versions before 2 allows an unauthenticated network attacker to persist malicious scripts in the application, which execute in the browser of any user who views the affected page. The scope change (S:C) in the CVSS vector indicates the injected payload breaks out of the application's security context and operates within the victim's browser environment, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Access Control System Gks
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-7380 MEDIUM This Month

Reflected XSS in Armiya Information Technologies' Access Control System (GKS) allows unauthenticated remote attackers to inject script-bearing HTML attributes into web pages served by the application, executing arbitrary JavaScript in the context of a victim's browser. All versions prior to Version 2 are affected, as reported by TR-CERT via Turkey's national cybersecurity authority. No public exploit code or confirmed active exploitation has been identified at time of analysis, but the low-complexity, no-privilege attack vector makes this straightforward to weaponize against authenticated users of the access control panel.

XSS Access Control System Gks
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58472 MEDIUM PATCH This Month

Heap buffer overflow in GNU Wget through 1.25.0 allows a remote server to corrupt client-side memory by serving a crafted HTML page containing attributes with a large number of characters requiring entity encoding. The flaw originates in the `html_quote_string()` function in `src/convert.c`, where a signed integer counter overflows during output size accumulation, causing an undersized heap allocation; the subsequent copy phase then writes beyond that buffer's bounds. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the memory corruption class warrants patching, particularly in environments where wget is used to fetch content from untrusted servers.

Integer Overflow Buffer Overflow Wget
NVD VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-58471 MEDIUM PATCH This Month

Heap buffer overflow in GNU Wget through 1.25.0 allows network-positioned attackers to corrupt heap memory by serving a maliciously crafted filename that triggers a flawed iconv E2BIG reallocation path in convert_fname() within src/url.c. The miscalculated remaining-space offset during reallocation writes beyond the allocated heap region, producing a high-availability impact (process crash) and limited integrity exposure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the fix is confirmed via upstream commit c2640fe on the official GNU Wget GitLab repository.

Heap Overflow Buffer Overflow Wget
NVD VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-54698 MEDIUM PATCH This Month

Row-level authorization bypass in Hasura GraphQL Engine prior to versions 2.49.2 and 2.45.5 permits low-privileged authenticated users to infer the contents of rows their role's permissions should suppress. By submitting crafted where-clause predicates against table computed fields returning SETOF results, an attacker exploits the query response as a boolean oracle - iteratively reconstructing protected column values through binary-search-style probing without ever directly retrieving the restricted rows. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 6.0 with VC:H reflects meaningful confidentiality exposure specifically in deployments relying on row-level security as a data boundary.

Authentication Bypass Oracle Graphql Engine
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-48952 MEDIUM This Month

Cross-site scripting in Joomla! CMS's com_installer component exposes the administrator backend to script injection via the update list view, stemming from missing output escaping (CWE-79). The CVSS 4.0 vector (PR:H/UI:P/E:U) confirms exploitation is constrained to sessions where a high-privilege administrator views the maliciously influenced update list, substantially limiting the attack surface. No public exploit code or active exploitation has been identified at time of analysis.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48950 MEDIUM This Month

Cross-site scripting in Joomla! CMS com_templates file management view allows a high-privileged attacker to inject unescaped malicious script that executes in the browser of any administrator who subsequently views the affected template file listing. Affected versions span Joomla! 4.0.0 through 5.4.6 and 6.0.0 through 6.1.1. No public exploit identified at time of analysis and the CVSS 4.0 supplemental metric E:U confirms no known active exploitation, but the wide install base and admin-targeting nature of the payload make this relevant to Joomla site operators.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48951 MEDIUM This Month

Cross-site scripting in Joomla! CMS modalreturn layout components enables a high-privileged attacker to inject and execute arbitrary JavaScript in a victim administrator's browser session. The root cause is insufficient output escaping in multiple component layouts that handle modal return values. No public exploit code has been identified and CISA KEV does not list this vulnerability; the CVSS 4.0 exploitation likelihood metric (E:U) further indicates no observed active exploitation at time of analysis.

XSS Joomla Cms
NVD
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48953 MEDIUM This Month

Cross-site scripting in Joomla! CMS's generic image output layout enables a high-privileged attacker to inject malicious script payloads that execute in the browsers of other authenticated users who view the affected content. The root cause is absent HTML output escaping in the image rendering component (CWE-79), allowing injected JavaScript to break out of the intended data context. No public exploit has been identified at time of analysis, and exploitation requires a pre-existing high-privileged Joomla account plus passive victim interaction, substantially limiting real-world exposure despite high impact scores on confidentiality and integrity.

XSS Joomla Cms
NVD
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48949 MEDIUM This Month

Cross-site scripting in Joomla! CMS multi-factor authentication management views allows a high-privileged attacker to inject persistent malicious scripts that execute in the browser of any administrator who subsequently views the MFA management interface. Affected versions span two major release lines: 4.2.0-5.4.6 and 6.0.0-6.1.1, representing a broad surface across both legacy and current deployments. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, successful exploitation yields high confidentiality and integrity impact against the victim administrator's browser session.

XSS Joomla Cms
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48954 MEDIUM This Month

Stored XSS in Joomla CMS's language override administrative feature allows a high-privileged attacker to inject malicious scripts that execute in the browser of any user who subsequently renders the affected language string. Rooted in CWE-79 (improper output neutralization), the vulnerability requires an administrative account to place the payload but can then target other admins or front-end users. No public exploit code has been identified at time of analysis (CVSS E:U), and the vulnerability is not listed in the CISA KEV catalog.

XSS Joomla Cms
NVD
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-53572 MEDIUM POC PATCH GHSA This Month

Connection string injection in KEDA's PostgreSQL scaler allows low-privileged tenants to inject arbitrary libpq connection parameters by embedding tab, newline, or other non-space whitespace characters into ScaledObject or TriggerAuthentication configuration fields. The `escapePostgreConnectionParameter` function in `pkg/scalers/postgresql_scaler.go` only detects literal spaces before quoting values, leaving all other libpq token delimiters unescaped; successful exploitation forces TLS downgrade (sslmode=disable) or redirects database connections to attacker-controlled hosts to steal operator-supplied credentials. A working proof-of-concept YAML payload is included in GitHub advisory GHSA-6w3m-4hhp-775q; no CISA KEV listing was present at time of analysis.

PostgreSQL RCE
NVD GitHub
CVSS 3.1
5.9
CVE-2026-53509 MEDIUM PATCH GHSA This Month

SSRF filter bypass in CKAN MCP Server (@aborruso/ckan-mcp-server) allows a low-privileged remote MCP caller to reach loopback and private network addresses by supplying hostname aliases such as 'ip6-localhost' as the server_url parameter to CKAN tools like ckan_package_search and sparql_query. The prior remediation for CVE-2026-33060 hardened only against dotted IPv4 literals, bracketed IPv6 literals, and the exact string 'localhost', leaving non-canonical loopback aliases unblocked in src/utils/http.ts. No public exploit code has been identified at time of analysis, and no active exploitation has been confirmed by CISA KEV; however, the bypass technique is straightforward given knowledge of the prior fix.

SSRF
NVD GitHub
CVSS 3.1
5.7
CVE-2026-50810 MEDIUM This Month

NULL pointer dereference in GPAC's smooth_parse_stream_index() function crashes the application when processing a maliciously crafted MPEG-DASH or Smooth Streaming media file, resulting in denial of service. Affected versions are all GPAC master HEAD builds prior to commit b35c61f104b85fbb16520ac2838d5d2ef70845b5. Exploitation requires local access and user interaction to open a crafted file; a proof-of-concept is publicly available via GitHub Gist, though EPSS sits at 0.17% (7th percentile) and no active exploitation has been confirmed by CISA KEV.

Denial Of Service Null Pointer Dereference N A
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-36163 MEDIUM This Month

An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser via the uploading of and user interaction with a crafted HTML file.

N A XSS
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-36162 MEDIUM This Month

Stored cross-site scripting in LiquidFiles v4.2.7 allows authenticated attackers to inject persistent malicious JavaScript or HTML via the Name parameter of the Upload File Shares API, executing in victims' browsers when they interact with the affected share. The scope-changed CVSS vector (S:C) confirms the payload executes outside the attacker's privilege context, enabling session hijacking, credential theft, or UI redress against other users. A security researcher published a write-up specifically documenting CSP bypass techniques to exploit this flaw, indicating the attack is non-trivial but achievable. No public exploit identified at time of analysis, and EPSS sits at 0.16% (5th percentile), suggesting low automated exploitation pressure.

XSS N A
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-8309 MEDIUM This Month

Reflected cross-site scripting in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows authenticated remote attackers to inject malicious scripts into web responses. The vulnerability (CWE-79) results from improper neutralization of user-supplied input during web page generation, with scope change (S:C) indicating execution context escapes to the victim's browser. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Access Control System Gks
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-14940 MEDIUM This Month

Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to corrupt heap memory and likely crash the LDAP service. The flaw triggers when the server processes an LDAP operation - such as a search request - whose base DN contains a legacy-quoted value encoding a multivalued nested Relative Distinguished Name (RDN), causing an out-of-bounds write during RDN attribute-value pair sorting. Per the confirmed CVSS vector (PR:N), no authentication is required; no public exploit code or CISA KEV listing has been identified at time of analysis.

Heap Overflow Denial Of Service Buffer Overflow Red Hat Directory Server 11 Red Hat Directory Server 12 +8
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-53878 MEDIUM PATCH This Month

Header injection in Django's DomainNameValidator allows network attackers to inject arbitrary HTTP response headers when applications pass validator-accepted domain values directly into HTTP responses, affecting Django 6.0 before 6.0.7 and 5.2 before 5.2.16. The validator silently accepts embedded newline characters in domain name strings, enabling HTTP response splitting that can facilitate session hijacking, open redirects, or cross-site scripting against end users. No public exploit code or CISA KEV listing exists at time of analysis; practical risk is narrowed significantly by Django's HttpResponse class independently rejecting newlines, meaning only non-standard code paths are exploitable.

Code Injection Python Django
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-57870 MEDIUM This Month

Broken object-level access control (BOLA) in MicroRealEstate's Template API through version 1.0.0-alpha3 permits authenticated users to retrieve document templates owned by other organizations on the same platform. Any low-privilege account holder can query template objects belonging to unrelated tenants by supplying arbitrary template identifiers, crossing multi-tenant isolation boundaries. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-59709 MEDIUM PATCH This Month

Ghostfolio's portfolio sharing impersonation feature exposes a missing authorization check on the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, allowing holders of read-only share tokens to modify portfolio holding tags they should only be able to view. Any user granted read-only access to another user's portfolio can exploit this flaw to assign or remove tags on holdings, silently corrupting the victim's portfolio categorization, reporting, and analytics. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Authentication Bypass Ghostfolio
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy