Skip to main content
CVE-2026-36027 MEDIUM POC This Month

Arbitrary code execution on Code27 Companion Hub (firmware SQ3A.220705.003.A1) is achievable by a physically proximate attacker through improper access controls on the device's USB debugging (ADB) interface. The Android Debug Bridge component fails to enforce adequate restrictions, allowing an unauthenticated attacker with physical USB access to execute arbitrary commands at elevated privilege. A publicly available proof-of-concept exploit exists on GitHub, and SSVC assessment rates the technical impact as total despite no confirmed active exploitation in the wild.

RCE Google N A
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.3%
CVE-2026-36028 MEDIUM POC This Month

Kiosk restriction bypass in the Code 27 Companion Hub allows an attacker with physical device access to perform a factory reset that completely circumvents the kiosk protection mechanism, granting full control over the device. The flaw (CWE-288) represents a protection mechanism failure where an alternate path - the factory reset function - is not gated by the same access controls as the restricted kiosk environment. A publicly available proof-of-concept exploit exists on GitHub, and while SSVC rates exploitation status as none and EPSS sits at 0.21% (11th percentile), the availability of working exploit code lowers the barrier for opportunistic physical-access attacks.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-29007 MEDIUM This Month

Out-of-bounds read in U-Boot's TCP stack (net/tcp.c, tcp_rx_state_machine()) allows remote unauthenticated attackers to corrupt bootloader TCP connection state by sending a crafted packet with deliberately mismatched IP total length and TCP data offset fields. Affected builds span U-Boot through 2026.04-rc3, but only when compiled with CONFIG_PROT_TCP - a non-default option. Impact is disruption of TCP window calculations via corruption of rmt_win_scale and rmt_timestamp variables, potentially breaking network-based boot sequences. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in CISA KEV.

Buffer Overflow Information Disclosure U Boot
NVD VulDB
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-59938 MEDIUM PATCH This Month

Uncontrolled memory allocation in pypdf prior to 6.14.0 allows remote, unauthenticated attackers to exhaust host memory by submitting a crafted PDF containing image metadata with inflated declared sizes that vastly exceed the actual embedded image data. Any application that uses pypdf to parse untrusted PDFs is exposed; the library allocates memory proportional to the declared (attacker-controlled) size rather than the actual data length. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Python Information Disclosure Pypdf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2025-3110 MEDIUM This Month

HTTP request smuggling in OpenVPN Access Server 2.7.2 through 3.1.0 enables remote unauthenticated attackers to inject or manipulate backend requests when the Access Server is deployed behind a reverse proxy. The server incorrectly accepts bare line-feed (LF-only, without carriage return) characters inside HTTP header values, creating a parsing discrepancy between the front-end proxy and the Access Server backend - the hallmark of CWE-444. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 score of 6.9 with integrity impact on both the vulnerable and subsequent systems indicates meaningful risk in typical enterprise VPN gateway deployments fronted by load balancers or reverse proxies.

Request Smuggling Information Disclosure Access Server Red Hat
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-59937 MEDIUM PATCH This Month

Uncontrolled resource consumption in pypdf prior to 6.14.0 allows unauthenticated remote attackers to cause denial of service by submitting a crafted PDF containing repeated malformed cross-reference streams. The library's XRef table recovery routine performs unbounded work on such inputs, leading to excessive CPU time consumption and effectively hanging or severely degrading any application that processes attacker-supplied PDFs. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Python Denial Of Service Pypdf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56284 MEDIUM PATCH This Month

Unauthenticated information disclosure in Capgo (Cap-go/capgo) before 12.128.2 exposes sensitive organization metrics through a misconfigured Supabase PostgREST RPC endpoint. The Supabase function public.get_total_metrics(org_id) is accessible to the anon role using only the publicly distributed sb_publishable_* key, meaning any external party can query it without credentials. By iterating valid organization UUIDs against POST /rest/v1/rpc/get_total_metrics, attackers can confirm organization existence and harvest usage data including monthly active users, bandwidth consumption, and install counts. No public exploit or CISA KEV listing exists at time of analysis; the EPSS signal is absent from provided data but the low exploitation complexity suggests elevated opportunistic risk.

Information Disclosure
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-35211 MEDIUM PATCH This Month

Elasticsearch Painless script injection via OpenCTI's GraphQL API allows any authenticated user holding the KNOWLEDGE capability to submit computationally expensive, unvalidated scripts that saturate Elasticsearch cluster CPU, degrading or denying service for the entire platform. All OpenCTI deployments prior to version 7.260401.0 are affected, with the vulnerability residing in the exposed 'script' FilterOperator of the GraphQL API. No public exploit code or CISA KEV listing is confirmed at time of analysis; a vendor-released patch is available in version 7.260401.0.

Code Injection Elastic RCE Opencti
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-60001 MEDIUM PATCH This Month

OpenSSH sshd before version 10.4 fails to consistently enforce its built-in minimum authentication delay, undermining the rate-limiting defense designed to slow credential-guessing attacks against SSH services. All OpenSSH releases prior to 10.4 are affected across all platforms, enabling unauthenticated remote attackers to submit authentication attempts at a rate higher than the daemon intends to permit. No public exploit code has been identified and the vulnerability is absent from CISA KEV; however, the trivial attack complexity combined with OpenSSH's near-universal deployment footprint makes prompt patching appropriate.

SSH Denial Of Service Openssh
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-6280 MEDIUM This Month

Nomysem, an education and consulting management platform by Turkish vendor NOMYSOFT Informatics, exposes sensitive information to authenticated low-privilege users due to incompatible ACL policies that fail to properly constrain access to restricted functionality. Network-accessible endpoints can be reached by any valid account holder, yielding high-confidentiality-impact data exposure without requiring elevated rights or user interaction. No public exploit code has been identified at time of analysis; however, the vendor failed to respond to coordinated disclosure, leaving the vulnerability unpatched.

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-15154 MEDIUM This Month

ReDoS vulnerability in the guardrails-detectors component of Red Hat OpenShift AI enables adjacent-network attackers to submit specially crafted regular expressions to the public detection API, triggering catastrophic backtracking that pins a worker process at 100% CPU indefinitely. The availability impact extends beyond the component itself - the entire guardrails-mediated LLM pipeline is rendered non-functional. No public exploit identified at time of analysis, but exploitation requires no authentication and trivial effort from an adjacent network position.

Red Hat Denial Of Service Openshift Ai
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57259 MEDIUM This Month

XXE injection in Foxit PDF Editor and Foxit PDF Reader exposes any local file readable by the victim user when they open a maliciously crafted document disguised as a PDF. The parser processes documents that are not structurally valid PDFs, resolving attacker-controlled external XML entities that reference local filesystem paths via file:// or similar protocols, enabling out-of-band exfiltration of sensitive local files. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is gated by user interaction (UI:R), limiting opportunistic mass exploitation.

XXE Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-59896 MEDIUM PATCH This Month

Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per request, enabling cross-request data leakage under concurrent load. When async components yield at an await boundary, the shared context store can be overwritten by a concurrent in-flight request, causing createContext, useContext, jsxRenderer, or useRequestContext data from one user's session to bleed into another user's response. No public exploit has been identified at time of analysis, but the C:H CVSS impact rating reflects that leaked context values frequently carry sensitive per-user material such as authentication state, session tokens, or profile data.

Race Condition Information Disclosure Hono
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-59998 MEDIUM PATCH This Month

OpenSSH sshd before version 10.4 silently ignores the GSSAPIStrictAcceptorCheck configuration directive when the server is integrated with Windows Active Directory, defeating a security control that administrators rely on to enforce GSSAPI acceptor name validation during Kerberos-based SSH authentication. This undocumented behavior means AD-joined SSH servers may accept GSSAPI authentications against unintended Kerberos service principals regardless of how the option is configured, yielding limited confidentiality and integrity impact. No public exploits or active exploitation have been identified; the CVSS AC:H rating reflects the specific environmental prerequisites required for exploitation.

SSH Microsoft Information Disclosure Openssh
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-15109 MEDIUM PATCH This Month

Uninitialized memory use in Chrome's ANGLE graphics layer exposes potentially sensitive process memory contents to remote attackers across all desktop Chrome versions prior to 150.0.7871.115. The flaw is triggered by a crafted HTML page requiring user interaction, limiting automated mass exploitation - consistent with SSVC classifying it as non-automatable with partial technical impact. No public exploit code exists and EPSS sits at 0.18% (7th percentile), but Chrome's ubiquitous deployment footprint and the high confidentiality impact still justify prompt patching.

Information Disclosure Google
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-58494 MEDIUM PATCH This Month

Wasmtime's WASI filesystem implementation allows a sandboxed WebAssembly guest to overwrite host files that were intentionally exposed as read-only preopens. The wasmtime-wasi component checks directory-level permissions during hard-link creation (path_link) and rename (path_rename) operations but fails to verify that the source and destination preopens carry matching FilePerms flags - meaning FilePerms::READ enforcement is bypassed at the operation level. Affected versions span multiple major release trains (prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1); no public exploit code or CISA KEV listing is present at time of analysis, but the scope change from guest sandbox to host filesystem makes this a meaningful sandbox-escape class defect.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-49463 MEDIUM PATCH GHSA This Month

Broken object-level authorization in the nl-portal-backend-libraries GraphQL API exposes sensitive personal data belonging to arbitrary users to any authenticated caller. Two resolvers - document content retrieval (all published versions of nl.nl-portal:documenten-api since 0.2.2.RELEASE, 2023) and the besluiten (decisions) module (nl.nl-portal:besluiten 1.5.0-3.0.0) - were declared without a CommonGroundAuthentication parameter, causing the Spring framework to never bind the authenticated principal into the call path and leaving ownership checks impossible at the resolver level. The two endpoints chain naturally: an attacker enumerates decision records and their attached document IDs via the besluit queries, then exfiltrates raw document content through the document endpoint; decisions frequently contain government benefit, permit, and objection rulings, giving the exposure high real-world sensitivity. No public exploit has been identified at time of analysis, and this was discovered during a structured penetration testing engagement in May 2026.

Java Information Disclosure
NVD GitHub
CVSS 3.1
6.5
CVE-2026-49455 MEDIUM POC PATCH GHSA This Month

Cross-Site Request Forgery in Waku's RSC request dispatcher allows a remote attacker to invoke any state-mutating 'use server' server action with a victim's session cookies by exploiting the complete absence of Origin header validation in the core request handler at packages/waku/src/lib/utils/request.ts. Both the RSC path prefix branch (exploitable via Content-Type: text/plain, no preflight) and the progressive-enhancement HTML form branch (exploitable via multipart/form-data) are unguarded, with opaque-origin contexts such as sandboxed iframes and browser extension pages additionally exploitable via Origin: null. The reporter confirmed a working proof-of-concept against waku 1.0.0-beta.0 with dynamic verification on 2026-05-17; all HTTP adapters share the same vulnerable dispatcher and no patched version has been identified at time of analysis.

CSRF
NVD GitHub
CVSS 3.1
6.5
CVE-2026-10570 MEDIUM This Month

Stored cross-site scripting in the Sympl Repeater for ACF and Elementor WordPress plugin (all versions up to and including 2.3) allows authenticated attackers with Author-level access to inject persistent malicious scripts into pages via unsanitized ACF repeater field values. The root cause is the symp_arfe_replace_content() function using PHP str_replace() to insert raw get_field() output directly into Elementor-rendered HTML without any output encoding, causing the stored payload to execute in any subsequent visitor's browser. No public exploit code or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector (6.4 Medium) reflects real cross-user impact on WordPress sites where multiple Authors are active.

WordPress XSS Sympl Repeater For Acf And Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6740 MEDIUM This Month

Stored cross-site scripting in the Nexter Blocks - Gutenberg Blocks, Page Builder & AI Website Builder WordPress plugin (versions through 4.7.4) enables authenticated contributors to persistently inject malicious JavaScript via the unsanitized 'commentIcon' parameter, executing in any visitor's browser on affected pages. The CVSS Scope:Changed metric reflects that attacker-controlled code crosses trust boundaries into the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions on behalf of privileged users such as site administrators. No public exploit code or CISA KEV listing was identified at time of analysis.

WordPress XSS Nexter Blocks Gutenberg Blocks Page Builder Ai Website Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6459 MEDIUM This Month

Stored Cross-Site Scripting in Essential Addons for Elementor (versions up to and including 6.6.2) allows authenticated WordPress users with Author-level access or higher to inject persistent malicious JavaScript via event titles rendered through the Event Calendar widget. The injected payload executes in the browsers of any user who visits the affected page, with scope change confirmed by the CVSS:3.1 S:C designation. No public exploit code or CISA KEV listing has been identified at time of analysis, but the authentication barrier is low on sites that permit contributor or author registration.

WordPress XSS Essential Addons For Elementor Popular Elementor Templates Widgets
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6742 MEDIUM This Month

Stored Cross-Site Scripting in the Advanced iFrame WordPress plugin (versions through 2026.1) allows authenticated contributors to permanently inject malicious scripts into WordPress pages via the unsanitized 'additional' parameter. Any site visitor loading an affected page will execute the attacker's payload in their browser, enabling session hijacking, credential theft, or defacement. No public exploit has been identified at time of analysis, and a fix has been committed to the WordPress plugin repository per Wordfence reporting.

WordPress XSS Advanced Iframe
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-14785 MEDIUM This Month

Stored Cross-Site Scripting in the SeedProd Website Builder WordPress plugin (all versions through 6.20.2) allows authenticated contributors to inject persistent malicious JavaScript via unsanitized attributes of the `seedprodnestedmenuwidget` shortcode. Any user-including administrators-who subsequently visits an affected page will execute the attacker's script in their browser, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but the contributor-level access bar lowers the threshold for abuse on multi-author WordPress sites.

WordPress XSS Website Builder By Seedprod Theme Builder Landing Page Builder Coming Soon Page Maintenance Mode
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-59802 MEDIUM PATCH This Month

Cross-site scripting via data URI injection in PasswordPusher before 2.8.1 allows unauthenticated attackers to create URL pushes containing data:text/html payloads that execute arbitrary JavaScript in victims' browsers under the trusted PasswordPusher origin. The root cause is the valid_url function accepting data: URI schemes as valid URLs, meaning any attacker with push creation access can craft a link that, when clicked by a recipient, renders attacker-controlled HTML and JavaScript within the trusted application domain - enabling convincing phishing pages or session cookie harvesting. No public exploit has been identified at time of analysis, but a vendor-released patch (2.8.1) is available per the GitHub security advisory.

Information Disclosure Passwordpusher
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-15063 MEDIUM This Month

Unproxied metrics port exposure in the gorch service template of trustyai-service-operator (part of Red Hat OpenShift AI) allows any pod on the cluster network to access orchestrator and detector metrics endpoints while bypassing kube-rbac-proxy authentication. The flaw manifests specifically when authentication is enabled - the configuration that should be protective is the same one under which the bypass exists. CVSS PR:L confirms exploitation requires a pod already running on the cluster network, limiting blast radius to actors with at least minimal cluster access. No public exploit code identified and no CISA KEV listing at time of analysis.

Authentication Bypass Red Hat Openshift Ai Rhoai
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-15044 MEDIUM This Month

Unauthenticated cluster-internal access to TrustyAI Service Operator's gorch and NemoGuardrails deployments is possible when a specific security setting is not explicitly enabled at deployment time. Any workload running within the same Kubernetes or OpenShift cluster can reach these AI guardrail and orchestration service endpoints without presenting credentials, exposing sensitive inference data and enabling limited unauthorized model interactions. No public exploit has been identified at time of analysis, but the low-complexity adjacent attack vector and low-privilege prerequisite make this a realistic lateral movement risk in shared or multi-tenant cluster environments.

Authentication Bypass Information Disclosure
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-39179 MEDIUM This Month

A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the newPassword parameter in the password change functionality.

SQLi
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-39178 MEDIUM This Month

SQL injection in SOGo's allContactSearch endpoint permits authenticated users to inject arbitrary SQL via the unsanitized search parameter, affecting all SOGo releases before 5.12.7. An attacker with a valid SOGo account can manipulate backend SQL queries to read, alter, or partially disrupt contact database contents - confirmed by both the upstream fix commit and the vendor's 5.12.7 release announcement. EPSS sits at the 5th percentile (0.15%) and no CISA KEV listing exists, indicating no public exploit identified at time of analysis despite the straightforward CWE-89 root cause.

SQLi
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-55668 MEDIUM PATCH This Month

Symlink-based path traversal in File Browser prior to 2.63.16 allows an authenticated low-privilege user with Create and Modify permissions to write attacker-controlled files outside their designated scope. The flaw resides in ScopedFs, which validates only the nearest existing ancestor of a dangling symlink - leaving it in-scope - and then follows the symlink during file creation, landing the resulting file in an arbitrary location on the underlying filesystem. No public exploit has been identified at time of analysis, but the scope-change characteristic (S:C in the CVSS vector) means successful exploitation extends impact beyond the web application's permission boundary.

Path Traversal
NVD GitHub
CVSS 3.1
6.3
EPSS
0.3%
CVE-2026-56360 MEDIUM PATCH This Month

Webhook signature bypass in n8n's ZendeskTrigger node allows network-adjacent attackers who possess the webhook URL to inject arbitrary data into n8n workflows by sending unsigned POST requests. The ZendeskTrigger node omits the mandatory HMAC-SHA256 verification step that Zendesk's webhook security model requires, treating any inbound POST as a legitimate Zendesk event. This affects n8n v1.x before 1.123.18 and v2.x before 2.6.2; no public exploit or CISA KEV designation has been identified at time of analysis.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-14250 MEDIUM This Month

Privilege escalation in the Themehunk Login Registration WordPress plugin (versions up to and including 1.0.2) allows unauthenticated attackers to self-register accounts with elevated roles - including editor - by supplying an arbitrary 'role' parameter to the publicly exposed /thlogin/v1/register REST endpoint. The handle_frontend_register() function validates the supplied role only against get_editable_roles(), which returns every administratively configurable role on the site, then passes it directly to wp_insert_user() without restricting it to the subscriber level expected for public self-registration. Exploitation is conditioned on public user registration being enabled on the target site; no public exploit code or CISA KEV listing has been identified at time of analysis.

Privilege Escalation WordPress Th Login Registration
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-59820 MEDIUM PATCH This Month

Path traversal in LiteLLM's Skills archive extraction enables authenticated users with access to specific LLM API routes to write arbitrary files outside the intended server extraction directory by uploading a crafted ZIP archive containing path traversal entries. Affected versions are all LiteLLM releases prior to 1.83.7-stable; the CPE confirms the entire berriai/litellm product line is in scope. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the integrity and availability impact is rated High in the vendor-provided CVSS 4.0 vector, making this a meaningful risk for any LiteLLM deployment that exposes the Skills upload feature to untrusted authenticated users.

Path Traversal Litellm
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.3%
CVE-2026-58191 MEDIUM PATCH This Month

Reflected cross-site scripting in Appium's base-driver allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser on the Appium server origin. All Appium installations prior to 10.7.0 unconditionally expose three test routes whose `compileLodashTemplate` handler reflects unsanitized user-controlled inputs - the `throwError` query parameter, the `comments` POST field, and the `User-Agent` request header - directly into rendered HTML without output encoding. No public exploit has been identified at time of analysis, but the zero-authentication requirement and permanently-mounted test routes make any network-reachable Appium server an attack surface with no opt-out mechanism below the fix version.

XSS Appium Base Driver
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-59890 MEDIUM PATCH This Month

Setuptools prior to 83.0.0 fails to normalize Unicode filenames before matching them against MANIFEST.in exclusion patterns on macOS APFS and HFS+ filesystems, allowing files with NFD-normalized on-disk names to silently bypass NFC-encoded exclude, global-exclude, recursive-exclude, and prune directives and be packed into Python source distributions. Python package maintainers developing on macOS face a supply chain risk: sensitive files such as credentials, private keys, or environment configs that are correctly listed in MANIFEST.in for exclusion may still appear in tarballs published to PyPI or private registries. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Python Apple Setuptools
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-11798 MEDIUM This Month

Reflected Cross-Site Scripting in the Super Socializer WordPress plugin (versions up to and including 7.14.5) enables unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'heateor_mastodon_share' parameter, discovered and reported by Wordfence with source-level confirmation at helper.php lines 1243-1246. Successful exploitation requires social engineering a victim into clicking a crafted URL, after which the payload executes within the victim's browser session in the context of the target WordPress site. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 6.1 (Medium) rating reflects the mandatory user-interaction requirement that constrains opportunistic mass exploitation.

WordPress XSS Social Share Social Login And Social Comments Plugin Super Socializer
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-59923 MEDIUM PATCH This Month

Cross-site scripting in Mistune Python Markdown parser (all versions before 3.3.0) allows attacker-controlled Markdown content containing percent-encoded javascript: URIs to bypass the HTMLRenderer.safe_url() URL sanitization filter and execute arbitrary script in victim browsers. The bypass works because safe_url() checks the raw string without first decoding percent-encoded characters, so schemes like %6Aavascript: or %6aVaScRiPt: evade detection while remaining valid to browsers. Any web application that renders user-supplied or attacker-influenced Markdown through Mistune and serves the output to other users is exposed. No public exploit or CISA KEV listing has been identified at time of analysis.

XSS Python Mistune
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-59929 MEDIUM PATCH This Month

Cross-site scripting in Mistune prior to 3.3.0 stems from an incomplete URI scheme blocklist in the `safe_url` filter, permitting legacy and chained schemes (`feed:`, `jar:`, `livescript:`, `mocha:`, `ms-its:`, `mk:`, `res:`, `view-source:`) to pass unchecked into rendered `href` and `src` attributes. Any web application that accepts user-supplied Markdown, renders it via Mistune's HTML renderer, and serves the output to other users' browsers is exposed to stored or reflected XSS. No public exploit or CISA KEV listing has been identified at time of analysis; however, the CVSS 6.1 score with scope change (S:C) reflects genuine cross-session impact when the victim interacts with attacker-controlled content.

XSS Python Mistune
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-59895 MEDIUM PATCH This Month

Server-side rendering XSS in Hono's hono/css module (versions 4.0.0 through 4.12.26) allows injection of arbitrary HTML markup by exploiting the cx() function's failure to HTML-escape input before marking it as safe. When untrusted data flows into a cx() call used in a JSX class attribute during SSR, attackers can break out of the attribute context and inject arbitrary markup or script into the rendered page delivered to victims. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 6.1 Medium score with Scope:Changed reflects the cross-context server-to-browser impact.

XSS Hono
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-15128 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's Forms implementation prior to version 150.0.7871.115 permits remote, unauthenticated attackers to inject arbitrary scripts or HTML across any browser origin by luring a victim to a crafted HTML page. The Scope:Changed metric in the CVSS vector reflects the defining characteristic of UXSS: unlike conventional XSS, the injected script executes outside the attacker-controlled page's origin, effectively bypassing the Same-Origin Policy and threatening any concurrent browser session. No public exploit code or confirmed active exploitation has been identified at time of analysis; SSVC rates exploitation as none and the attack as non-automatable due to the required user interaction.

XSS Google
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-15127 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's WebGL implementation prior to version 150.0.7871.115 allows remote attackers to bypass the Same-Origin Policy and inject arbitrary scripts or HTML into cross-origin contexts via a crafted HTML page. The vulnerability carries a scope change (S:C) in its CVSS vector, reflecting the cross-origin boundary violation inherent to UXSS. No public exploit has been identified at time of analysis, and CISA's SSVC assessment marks exploitation status as none with no automatable exploitation path, reducing immediate real-world urgency despite the sensitivity of cross-origin script execution.

XSS Google
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-59946 MEDIUM PATCH This Month

Path traversal in Composer's binary installation flow allows a malicious PHP package to cause arbitrary host files to be chmod'd world-readable and world-executable. Any user running `composer install`, `composer update`, or `composer require` against a package whose `bin` entry contains `..` path segments is vulnerable - Composer follows the traversal and applies chmod outside the intended package install directory. This is a supply chain attack vector affecting Composer prior to 2.2.29 and 2.10.2; no public exploit or CISA KEV listing is identified at time of analysis, but the impact to developer and CI/CD environments is significant given the confidentiality risk of exposing sensitive host files.

Path Traversal PHP Composer
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-59883 MEDIUM PATCH This Month

Cookie domain suffix-matching bypass in Guzzle PHP HTTP client (prior to 7.12.3) allows cross-host cookie disclosure, cookie injection, and session fixation when an application makes requests to multiple IP-address-based or bare-numeric-domain hosts within a shared CookieJar session. The SetCookie::matchesDomain() method incorrectly applied suffix-matching logic - valid for FQDN hierarchies - to numeric domain identifiers such as 192.168.0.1, [::1], and bare labels like 1, meaning a cookie set by one numeric host could be forwarded to a structurally related but distinct host. No public exploit has been identified at time of analysis; a vendor-released patch is available in version 7.12.3.

Code Injection PHP Guzzle
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57258 MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader's PRC 3D file header parser crashes the application and may leak process memory when a victim opens a specially crafted PDF. Affected version ranges span Foxit PDF Reader through 2026.1.1 and multiple Foxit PDF Editor release branches through 13.2.4, 14.0.4, and 2026.1.1. No public exploit code or confirmed active exploitation has been identified at time of analysis; the CVSS availability impact is rated High due to a reliable application crash on trigger, with a minor confidentiality component from out-of-bounds memory exposure.

Buffer Overflow Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-50813 MEDIUM This Month

Session Extension information disclosure in SQLite before Fossil check-in 869a51ae84df exposes sensitive process memory when adversarially crafted changesets are processed through the changeset concat or changegroup merge code paths. A local attacker who can deliver a malicious changeset to an application using the Session Extension API can leak heap memory contents and likely crash the process, yielding both low confidentiality and high availability impact consistent with an out-of-bounds read pattern. No active exploitation has been confirmed by CISA KEV, though a researcher gist is referenced that may represent proof-of-concept material; no public exploit is independently confirmed at time of analysis.

N A Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57241 MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader allows a local attacker to crash the application and potentially expose adjacent memory contents by delivering a specially crafted PDF containing malicious JavaScript. The JavaScript manipulates page and document objects to desynchronize internal page-related state from the renderer's trusted page count; when the renderer subsequently accesses page objects using the stale index, it reads beyond valid memory bounds. No public exploit identified at time of analysis and no CISA KEV listing, but the broad affected version ranges across multiple major release branches (13.x, 14.x, and 2026.x) means a large proportion of unpatched Foxit deployments are exposed.

Buffer Overflow Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57243 MEDIUM This Month

Foxit PDF Reader and PDF Editor crash with potential memory disclosure when processing maliciously crafted PDF documents containing JavaScript that causes reentrancy during page opening or form formatting. The reentrancy leaves the document object in an inconsistent state; when the application subsequently attempts to dereference stale page metadata, it reads from an invalid memory address (CWE-125 out-of-bounds read), resulting in application termination and limited memory content exposure. No public exploit code or active exploitation has been identified at time of analysis; exploitation requires a local user interaction to open a crafted PDF file.

Buffer Overflow Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57253 MEDIUM This Month

Out-of-bounds read in Foxit PDF Reader and PDF Editor allows a local attacker to crash the application and potentially disclose limited memory contents by delivering a specially crafted PDF containing a malformed image object. The vulnerability triggers when the renderer encounters an abnormal image object, causes it to enter an incorrect processing branch, and subsequently dereferences an invalid buffer pointer during scan line conversion. No public exploit code has been identified and no CISA KEV listing exists, but the CVSS availability impact is rated High, meaning successful exploitation reliably causes application termination.

Buffer Overflow Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57255 MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader crashes the application and exposes limited memory contents when a victim opens a specially crafted PDF embedding a semantically malformed color space function. Affected versions span multiple branches across both Editor and Reader products, confirmed through EUVD-2026-42198. No public exploit code or active exploitation has been identified at time of analysis; however, the low attack complexity and file-based delivery mechanism make this a plausible phishing lure in targeted campaigns against organizations relying on Foxit products.

Buffer Overflow Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57257 MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and PDF Reader during PRC (Product Representation Compact) 3D content parsing crashes the application and leaks limited memory content. Affects multiple concurrent release trains including versions 2026.1.1, 14.0.4, and 13.2.4 and earlier. Exploitation requires a victim to open a specially crafted PDF containing a malicious PRC entity - no public exploit has been identified at time of analysis.

Buffer Overflow Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-8310 MEDIUM This Month

Reflected XSS in Mediküm Web, a Turkish healthcare web application by Webbeyaz Web Design, enables unauthenticated remote attackers to inject and execute malicious scripts in victims' browsers by tricking them into visiting a crafted URL. All versions through 08072026 are affected with no patch available or forthcoming, as the vendor has confirmed the product is end-of-life and unsupported. No public exploit code or active exploitation has been identified at time of analysis, but the permanent unpatched status makes decommissioning the only definitive remediation.

XSS Medik M Web
NVD
CVSS 3.1
6.1
EPSS
0.1%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy