Skip to main content
CVE-2026-57895 HIGH This Week

Local privilege escalation to SYSTEM in Fuji Electric Pupsman before version 3.9.0 allows a low-privileged local user to drop a malicious executable into the weakly-permissioned installation directory, which is then run with SYSTEM privileges for full arbitrary code execution. Reported through JPCERT/CC (JVN JVN62347140); no public exploit identified and no active exploitation is confirmed at time of analysis. The CVSS 4.0 base score is 8.5 (High), reflecting complete confidentiality, integrity, and availability impact despite the local attack vector.

Privilege Escalation RCE Pupsman
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-56437 HIGH This Week

Local privilege escalation to arbitrary code execution affects Fuji Electric's Pupsman UPS management software in all versions prior to 3.9.0, where the installer insecurely loads a DLL from its own directory. A local attacker who can drop a malicious DLL into the folder containing the installer can have it executed with SYSTEM privilege the next time the installer is run. No public exploit identified at time of analysis and the flaw is not in CISA KEV; exploitation requires local file placement plus a victim executing the installer (UI:A).

RCE Pupsman
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-59261 HIGH PATCH This Week

Credential exposure in OpenClaw before 2026.5.28 lets a lower-trust actor who can write to a workspace's configured input paths plant a dotenv file that overrides trusted provider credentials, causing sensitive secrets to leak across intended trust boundaries. VulnCheck reported the issue and it is fixed in 2026.5.28; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The vendor CVSS 4.0 base score is 8.4 (High), reflecting high confidentiality and integrity impact but requiring local path access and user interaction.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-56297 HIGH PATCH This Week

Remote code execution and denial of service in FreeRDP before 3.22.0 stem from a use-after-free in the dynamic virtual channel manager (drdynvc), where `dvcman_channel_close` and `dvcman_call_on_receive` access `channel_callback` without proper synchronization (CWE-362). A malicious or compromised RDP server can race DYNVC_DATA and DYNVC_CLOSE messages to free a channel callback while another thread still uses it, corrupting the client heap. This is a client-side flaw affecting anyone connecting to an attacker-controlled server; no public exploit identified at time of analysis, and it is not listed in CISA KEV. FreeRDP is a widely used open-source implementation of the Microsoft Remote Desktop Protocol, embedded in clients such as Remmina, GNOME Connections, Weston, and numerous commercial and VDI products. The bug lives in the drdynvc (Dynamic Virtual Channel) subsystem, which multiplexes optional channels (clipboard, audio, device redirection, etc.) over the RDP connection and processes them on a dedicated client thread. Per CWE-362 (concurrent execution using shared resource with improper synchronization / race condition), `dvcman_channel_close` (handling DYNVC_CLOSE) can free the `channel_callback` structure while `dvcman_call_on_receive` (handling DYNVC_DATA) is concurrently dereferencing it, producing a heap use-after-free. Because the RDP server dictates the timing and ordering of DYNVC_DATA and DYNVC_CLOSE PDUs, a hostile server controls the race window. The published CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H) yields 8.3 (High), driven mainly by high availability impact with lower confidentiality/integrity impact — consistent with a heap corruption that reliably crashes the client (DoS) but only potentially yields RCE. AC:H correctly reflects that success depends on winning a non-deterministic thread race, which is unreliable and may require many attempts. There is no EPSS score, no KEV listing, and no confirmed public POC in the provided data, so exploitation pressure is currently low-to-unknown; the RCE and Denial Of Service tags reflect potential impact, not observed attacks. One nuance to verify: the vector uses UI:N/PR:N, but this is a client-side vulnerability requiring the victim to connect to a malicious server — a real-world limiting factor that raw CVSS understates. Net: a legitimate patch priority for fleets whose users connect to untrusted or reachable RDP endpoints, but not an emergency mass-exploitation scenario given AC:H and no evidence of exploitation. FreeRDP (the open-source RDP client/library and its FreeRDP-based clients) at all versions prior to 3.22.0 are affected; the flaw is fixed in FreeRDP 3.22.0. No CPE strings were provided in the input, so exact downstream package ranges (e.g., distribution builds of Remmina or the freerdp2/freerdp3 packages) should be confirmed against vendor trackers. Authoritative details are in the FreeRDP GitHub Security Advisory GHSA-3mv2-5q57-2v8h (https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3mv2-5q57-2v8h) and the VulnCheck advisory (https://www.vulncheck.com/advisories/freerdp-use-after-free-via-race-condition-in-drdynvc-channel-callback). Vendor-released patch: FreeRDP 3.22.0 — upgrade all FreeRDP libraries and any FreeRDP-based clients (Remmina, GNOME Connections, xrdp clients, etc.) to 3.22.0 or later, rebuilding or updating downstream distribution packages that bundle the library. Until patched, reduce exposure by only connecting to trusted, known-good RDP servers and avoiding connections to untrusted or attacker-influenced hosts, since the malicious behavior originates server-side; where feasible, restrict outbound RDP (TCP 3389) from client machines to an allowlist of approved servers via egress firewall rules (trade-off: breaks ad-hoc connections to new servers). If specific dynamic virtual channels are not required, disabling optional channel redirections (clipboard, drive, audio) narrows the attack surface of drdynvc but does not fully eliminate the race and reduces functionality. Follow guidance in GHSA-3mv2-5q57-2v8h (https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3mv2-5q57-2v8h) and the VulnCheck advisory (https://www.vulncheck.com/advisories/freerdp-use-after-free-via-race-condition-in-drdynvc-channel-callback). An attacker stands up or compromises an RDP server and lures a victim into connecting with a vulnerable FreeRDP client (e.g., via a malicious .rdp file, phishing link, or a man-in-the-middle position). Once connected, the server rapidly interleaves DYNVC_DATA and DYNVC_CLOSE messages on a dynamic virtual channel to win the race and trigger the heap use-after-free in the client's drdynvc thread, crashing the client or, with careful heap grooming, potentially executing code in the client process. No public POC is identified at this time, and the AC:H race condition makes reliable code execution difficult. Exploitation requires the victim to establish an RDP session to an attacker-controlled or compromised server running against a FreeRDP client before 3.22.0, and the connection must use the drdynvc dynamic virtual channel path. The attacker must then concurrently send DYNVC_DATA and DYNVC_CLOSE messages on a dynamic virtual channel to win a timing race in `channel_callback` access. Limiting factors: the attacker must control the RDP server side (this is a client-side vulnerability, so it cannot be triggered against an unwilling client that never connects), the exploit depends on winning a non-deterministic thread race (CVSS AC:H) so it is unreliable and may require repeated attempts, and reliable code execution beyond a crash requires heap-layout control. No authentication to the malicious server is needed, but the user must initiate the outbound connection. Lure victim to malicious RDP server → Client opens dynamic virtual channel (drdynvc) → Server races DYNVC_DATA and DYNVC_CLOSE → Trigger heap use-after-free on channel_callback → Crash client or execute code in client process Affected/fixed version (before 3.22.0; fixed in 3.22.0), root cause, and functions are confirmed by the FreeRDP GitHub Security Advisory GHSA-3mv2-5q57-2v8h and the VulnCheck advisory. CVSS 4.0 vector, 8.3 score, and CWE-362 are provided in the input; RCE is described as potential, not demonstrated. Not listed in CISA KEV and no EPSS score or public POC was provided, so real-world exploitation status is unknown; downstream package version ranges are not confirmed due to absent CPE data. high core open-source RDP library embedded in many Linux remote-desktop clients CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H Client-side flaw needing the victim to connect to a malicious server (UI:R) and to win a thread race (AC:H); heap corruption gives high availability impact with limited C/I. CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Denial Of Service Race Condition RCE Freerdp
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.3%
CVE-2026-15122 HIGH PATCH This Week

Sandbox escape in Google Chrome on Windows prior to 150.0.7871.115 allows an attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page, chaining a codec input-validation flaw into higher-privileged host-process compromise. The bug is rated High by Chromium and carries a CVSS 8.3 with a scope-changing vector reflecting the sandbox-boundary crossing. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Microsoft Google
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-15120 HIGH PATCH This Week

Sandbox escape in Google Chrome's Core component on Windows (versions prior to 150.0.7871.115) lets an attacker who has already compromised the renderer process break out of the sandbox and reach the higher-privileged browser process via a crafted HTML page. The flaw is a CWE-416 use-after-free rated High by Chromium and CVSS 8.3, with a scope change reflecting the renderer-to-browser boundary crossing. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but as the second stage of a browser exploit chain it is a meaningful patch priority.

Memory Corruption Google Microsoft Denial Of Service Use After Free
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-15119 HIGH PATCH This Week

Sandbox escape in Google Chrome's GetUserMedia (WebRTC media capture) implementation allows an attacker who has already compromised the renderer process to break out of the browser sandbox by exploiting a race condition via a crafted HTML page, affecting all desktop Chrome builds prior to 150.0.7871.115. Rated High by Chromium and scored CVSS 8.3, this is a second-stage exploitation primitive typically chained after an initial renderer RCE; no public exploit identified at time of analysis and it is not listed in CISA KEV. A vendor patch is available in the 150.0.7871.115 Stable channel release.

Information Disclosure Race Condition Google
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-54423 HIGH PATCH This Week

Access-control bypass in OpenStack Ironic before 37.0.1 lets an Ironic user who is authorized to deploy nodes via the IPMI management interface invoke the send_raw deploy step to issue arbitrary IPMI commands directly to a node's BMC, sidestepping the permission model Ironic normally enforces on management actions. This is an authenticated privilege-boundary flaw (CVSS 8.2, PR:H) affecting bare-metal provisioning environments; no public exploit code has been identified and it is not listed in CISA KEV at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
8.2
EPSS
0.5%
CVE-2026-55575 HIGH PATCH This Week

{{ huge_array | pop }}` trigger an O(N) full clone of an attacker-influenced array that bypasses the engine's configured memoryLimit budget, enabling denial of service through memory exhaustion. The `pop` array filter in src/filters/array.ts clones its input via `[...toArray(v)]` without routing the allocation through `this.context.memoryLimit.use(...)`, so the safety guard applications rely on is silently defeated. There is no public exploit identified at time of analysis, EPSS/KEV data was not supplied, and the impact is limited to availability (no confidentiality or integrity loss).

Denial Of Service Liquidjs
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-58525 HIGH PATCH This Week

Security feature bypass in Microsoft Edge (Chromium-based) allows a remote, unauthenticated attacker to circumvent a browser security control over the network when a user is lured into interacting with attacker-controlled content. The scope-changing CVSS 8.2 vector and high confidentiality impact suggest the bypass can expose sensitive information beyond the browser's normal security boundary. Reported by Microsoft's own security team; no public exploit identified at time of analysis.

Authentication Bypass Microsoft Google Edge Chromium
NVD VulDB
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-59731 HIGH PATCH This Week

Authorization bypass in the Astro web framework version 6.4.7 lets remote unauthenticated attackers reach protected routes by exploiting an inconsistency between how the framework decodes URL paths for auth decisions versus route matching. Because authorization runs against a path that hit the iterative URL-decoder limit while later rewrite matching applies an extra decodeURI(), a request that appears benign at the auth gate resolves to a guarded route afterward, exposing protected content. No public exploit has been identified at time of analysis, but the fix in 6.4.8 and a published GitHub Security Advisory confirm the flaw.

Information Disclosure Astro
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-49825 HIGH PATCH GHSA This Week

Stored cross-site scripting in the lxml_html_clean Cleaner (≤ 0.4.4) and the bundled lxml legacy html.clean module (≤ 6.1.0) lets attackers smuggle javascript: URLs through HTML sanitization on the namespaced xlink:href attribute. When callers configure Cleaner with safe_attrs_only=False, the URL-scheme scrubber never inspects <a xlink:href="javascript:..."> inside SVG or MathML, so the payload survives and executes when a victim clicks the rendered anchor. Publicly available exploit code exists (a working reproducer ships with the advisory), but there is no public exploit identified as being used in active attacks and the issue is not in CISA KEV.

XSS Python Canonical Mozilla
NVD GitHub
CVSS 3.1
8.2
CVE-2026-59818 HIGH PATCH This Week

Certificate revocation bypass in etcd affects clusters running versions before 3.5.32 and before 3.6.13 that are configured with --listen-client-http-urls to serve HTTP and gRPC client traffic on separate listeners. In that split-listener mode the --client-crl-file Certificate Revocation List is silently ignored on the gRPC listener, so a client presenting a certificate the operator has explicitly revoked can still complete mutual-TLS authentication and gain full read/write access to the key-value store. There is no public exploit identified at time of analysis and EPSS is low (0.36%), but the technical impact is total for anyone relying on CRL-based deauthorization.

Information Disclosure Etcd
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-54591 HIGH PATCH This Week

Arbitrary file write in the AsyncSSH Python library (versions prior to 2.23.1) allows a malicious or compromised SSH server to plant files anywhere on an SCP client's filesystem when a user initiates a file-copy operation against it. Because the SCP client trusts server-supplied filenames verbatim, a hostile server can return names containing ../ sequences to escape the intended download directory, enabling code execution or system tampering. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.

Python Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-35552 HIGH This Week

Privilege-boundary bypass in CAXperts UPVWebServices (2.4.2212.603-2.7.6) and the companion UDiTH Portal (2026.0.0-2026.2.0) lets any authenticated low-privilege user reach an administrative API endpoint that lacks an authorization check, enabling them to deactivate the application's license and disable the service. Rated CVSS 8.1 by the reporter, this is a broken-access-control (CWE-862) issue affecting engineering-portal deployments. There is no public exploit identified at time of analysis, EPSS is low (0.20%, 10th percentile), and it is not listed in CISA KEV, though SSVC rates the technical impact as total.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-49464 HIGH PATCH GHSA This Week

Insecure Direct Object Reference in NL Portal's Taak V2 module (nl.nl-portal:taak) versions 1.5.0 through 3.0.0 lets any authenticated portal user holding a valid 'burger' OAuth token complete and tamper with another user's task by supplying its task ID. Because the submitTaakV2 GraphQL mutation never verified task ownership, an attacker can overwrite another user's submitted form data (verzondenData) and read that user's previously entered personal data returned in the GraphQL response, breaking both integrity and confidentiality. No public exploit is identified at time of analysis, but the flaw is trivially exploitable by any logged-in user against a horizontally-adjacent task object.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
CVE-2026-54652 HIGH This Week

{service} endpoint to download raw Frigate and nginx logs. Those logs record request query strings containing auto-generated admin passwords and camera credentials, so a viewer can harvest them and re-authenticate as administrator. No public exploit identified at time of analysis, but the flaw is mechanically trivial to abuse once any viewer session exists, and no fixed release has been identified.

Privilege Escalation Nginx
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-3688 HIGH This Week

Privilege escalation via Insecure Direct Object Reference in the WCFM Membership (WooCommerce Memberships for Multivendor Marketplace) WordPress plugin versions up to and including 2.11.10 lets authenticated users holding at least vendor-level access manipulate the 'wcfmvm_membership_change' AJAX action to reassign any user's account to the 'wcfm_vendor' role by altering their membership plan. Because the action never checks whether the caller is authorized to modify the targeted user, a low-privileged marketplace vendor can tamper with arbitrary accounts. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS of 8.1 and network-reachable authenticated vector make it a meaningful multivendor-store risk.

Authentication Bypass WordPress Wcfm Membership Woocommerce Memberships For Multivendor Marketplace
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-60102 HIGH PATCH This Week

OS command injection in the Horde_Vfs_Smb driver of the Horde Virtual File System (VFS) API before 3.0.1 lets authenticated users execute arbitrary shell commands on the server. The flawed _escapeShellCommand() method fails to neutralize shell command-substitution sequences, so attacker-controlled filenames passed through routine file operations are interpolated into a double-quoted /bin/sh -c context and executed via proc_open() before smbclient runs. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch (v3.0.1) exists and the CVSS 4.0 base score is 7.7 (High).

Command Injection File Upload Vfs
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
1.8%
CVE-2026-49832 HIGH PATCH GHSA This Week

Remote code execution in DSpace 8.0-8.3 and 9.0-9.2 allows an authenticated administrator to execute arbitrary Java via Velocity templates used to render COAR Notify/LDN messages, using reflection to escape the templating sandbox. Exploitation requires valid DSpace administrator credentials and is most impactful when chained with the related LDN path-traversal flaw (GHSA-9qm4-rh6w-pq5x). No public exploit identified at time of analysis, and CVSS is 8.0 (High).

Path Traversal Code Injection Tomcat RCE Java
NVD GitHub
CVSS 3.1
8.0
CVE-2026-55999 HIGH PATCH This Week

Local privilege escalation via heap buffer overflow in the X.Org Server (versions before 21.1.24) and Xwayland (before 24.1.13) allows a local user holding an X connection to corrupt heap memory by supplying a malicious PCX font. The flaw lives in the SetFont code path, where missing glyph boundary checks let an oversized or malformed glyph write past its heap allocation, yielding full confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis; EPSS is low at 0.28% and CISA SSVC rates exploitation as none.

Buffer Overflow Heap Overflow X Server Xwayland
NVD VulDB
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-39822 HIGH PATCH This Week

Sandbox escape in the Go standard library's os.Root API (os package) on Unix systems allows filesystem operations meant to be confined to a directory to reach files outside it. When a path's final component is a symbolic link and the path ends in a trailing slash (e.g. root.Open("symlink/")), os.Root improperly dereferences that symlink to a location outside the root, defeating the traversal protection the API is designed to enforce. Affects Go before 1.25.12, 1.26.5, and 1.27.0-rc.2; no public exploit is identified at time of analysis and it is not in CISA KEV.

Information Disclosure Os
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-22927 HIGH This Week

Local privilege escalation in Omnissa Workspace ONE Tunnel for Windows lets an authenticated low-privileged local user abuse a path-traversal weakness (CWE-22) to gain higher (likely SYSTEM) privileges on the endpoint. The flaw affects the Windows Tunnel client used for per-app VPN in Workspace ONE managed fleets; no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high across confidentiality, integrity, and availability, but exploitation is confined to attackers who already have a local foothold on the machine.

Privilege Escalation Path Traversal Microsoft Workspace One Tunnel
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-57240 HIGH This Week

Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor lets a crafted PDF containing JavaScript trigger stale field-pointer dereferences after the script deletes form fields, corrupting memory and crashing the application. The flaw affects Foxit PDF Editor 14.0.4 and earlier and Foxit PDF Reader 2026.1.1 and earlier and requires the victim to open a malicious file. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Foxit's own CVSS of 7.8 (C:H/I:H/A:H) implies potential code execution beyond the crash described.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13126 HIGH This Week

Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1/14.0.4 and earlier) allows a crafted PDF containing embedded JavaScript to free page objects and trigger a dangling write to pop-up annotation objects. An attacker who convinces a user to open a malicious document can crash the application and potentially achieve arbitrary code execution in the user's context. No public exploit identified at time of analysis; the flaw was reported privately by Foxit.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13127 HIGH This Week

Denial-of-service (and potential memory-corruption) in Foxit PDF Editor (≤14.0.4 / ≤13.2.4 / ≤2026.1.1) and Foxit PDF Reader (≤2026.1.1) arises when a crafted PDF's embedded JavaScript rewrites the document to alter the page structure, freeing the underlying page objects while the thumbnail renderer continues to reference them - a classic use-after-free (CWE-416). A victim who merely opens the file triggers the dangling reference, causing an application crash and, given the CVSS confidentiality/integrity impact, a plausible path to code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13128 HIGH This Week

Denial-of-service in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1 and earlier) occurs when a victim opens a crafted PDF whose embedded JavaScript deletes the current page, after which subsequent scripts dereference now-freed document-view properties and crash the application. This is a CWE-416 use-after-free reported by Foxit; no public exploit identified at time of analysis, and it is not listed in CISA KEV. The documented impact is an application crash, though the underlying memory-corruption class warrants caution about potential escalation.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13129 HIGH This Week

Memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1, 13.2.4, 14.0.4 and earlier) allows attackers to crash the application and potentially corrupt memory when a victim opens a malicious PDF whose embedded JavaScript walks a deliberately damaged form-field tree. The bug is a use-after-free (CWE-416): field traversal leaves the program holding a freed/invalid form object, and dereferencing that invalid pointer causes the crash. No public exploit identified at time of analysis; disclosure originates from Foxit's own security bulletin.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57238 HIGH This Week

Memory corruption in Foxit PDF Reader and Foxit PDF Editor allows a crafted PDF to trigger a use-after-free through the embedded JavaScript engine, where a form field object is deleted and then re-accessed, crashing the application. The flaw affects PDF Editor through 13.2.4, 14.0.4, and 2026.1.1, and PDF Reader through 2026.1.1, and was reported by Foxit. No public exploit has been identified at time of analysis, though CVSS scores the impact as high across confidentiality, integrity, and availability, implying potential exploitation beyond a simple crash.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57242 HIGH This Week

Use-after-free memory corruption in Foxit PDF Reader (2026.1.1 and earlier) and Foxit PDF Editor (through 14.0.4, 13.2.4, and 2026.1.1) allows a remote attacker to execute arbitrary code or crash the application when a victim opens a maliciously crafted PDF. The flaw stems from JavaScript-driven form modifications that leave page-related objects with incomplete lifecycle management, so the application dereferences freed/invalid objects on page-state changes. No public exploit identified at time of analysis, and it is not listed in CISA KEV; while the description emphasizes a crash, the CVSS vector rates full confidentiality, integrity, and availability impact, consistent with exploitable memory corruption.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57245 HIGH This Week

Memory corruption in Foxit PDF Reader (≤2026.1.1) and Foxit PDF Editor (≤14.0.4, ≤13.2.4, and ≤2026.1.1) allows an attacker to trigger a use-after-free when a victim opens a maliciously crafted PDF whose hyperlink annotation objects use abnormal relationships and field combinations. The flaw manifests as an invalid pointer write during object destruction; while the vendor description only confirms an application crash, the vendor-assigned CVSS (C:H/I:H/A:H) and CWE-416 classification indicate potential for arbitrary code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57246 HIGH This Week

Memory-corruption (buffer overflow) in Foxit PDF Reader and Foxit PDF Editor arises when the digital-signature plugin processes abnormally constructed signature objects: JavaScript triggers signature verification, but the plugin copies an anomalous string without validating its arguments, corrupting memory. A local victim who opens a crafted PDF is affected, and while the vendor describes the outcome as an application crash, the CVSS High confidentiality/integrity/availability impacts indicate potential for code execution. No public exploit identified at time of analysis.

Buffer Overflow Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57248 HIGH This Week

Memory-corruption crash (and potential code execution) in Foxit PDF Reader and Foxit PDF Editor occurs when a PDF's embedded JavaScript writes annotation attributes without sufficient object-type and argument validation, corrupting the internal annotation structure so the application faults during subsequent object release (CWE-763). Local exploitation requires a user to open a crafted PDF; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV. The vendor rates full confidentiality, integrity, and availability impact (CVSS 7.8), though Foxit tags it as Denial of Service.

Denial Of Service Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57249 HIGH This Week

Use-after-free memory corruption in Foxit PDF Editor and Foxit PDF Reader allows a crafted PDF to crash the application when its embedded JavaScript resets annotation status and then triggers a reset-form additional action, causing the parser to re-enter and dereference freed objects. Local victims who open a malicious document are affected; the CVSS 3.1 base score is 7.8. No public exploit was identified at time of analysis, and the issue is not listed in CISA KEV.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57251 HIGH This Week

Denial of service in Foxit PDF Editor and Foxit PDF Reader arises when the application renders a PDF containing cloud-style annotation/border appearances, because the code that builds that geometry omits an upper-bound limit and consistency checks. A local attacker who convinces a user to open a malicious PDF can trigger an out-of-bounds array access that crashes the application; no public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV. Although the NVD vector claims high confidentiality and integrity impact, the vendor description and tags describe only a crash.

Denial Of Service Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57252 HIGH This Week

Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor allows a crafted PDF to crash the application when its embedded JavaScript deletes pages and removes attachment annotations while the attachment panel still references freed pointers. A victim must open the malicious document (UI:R), and no public exploit has been identified at time of analysis. Although the reported behavior is an application crash, Foxit's own CVSS scoring rates confidentiality, integrity, and availability all High, implying potential for code execution beyond denial of service.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57254 HIGH This Week

Type-confusion memory corruption in Foxit PDF Reader and Foxit PDF Editor allows a crafted PDF containing an abnormal annotation object - one referenced by other objects - to bypass proper type checking during parsing, corrupting memory and crashing the application. Exploitation requires a user to open the malicious file locally (UI:R); there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, so the current confirmed impact is denial of service, though the CWE-843 class leaves open potential for code execution.

Memory Corruption Denial Of Service Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57237 HIGH This Week

Use-after-free memory corruption in Foxit PDF Editor (≤14.0.4, ≤13.2.4, ≤2026.1.1) and Foxit PDF Reader (≤2026.1.1) allows an attacker to corrupt object state and read an illegal memory address when a victim opens a crafted PDF that manipulates form-field properties via embedded JavaScript. The immediate observed impact is an application crash (denial of service), but the CWE-416 root cause and the vendor's CVSS confidentiality/integrity ratings indicate potential for arbitrary code execution in the context of the user. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57244 HIGH This Week

Use-after-free memory corruption in Foxit PDF Editor (≤14.0.4) and Foxit PDF Reader (≤2026.1.1) allows a crafted PDF containing malicious form-reset JavaScript to trigger a stale control-pointer dereference, crashing the application and potentially enabling arbitrary code execution in the victim's context. Exploitation requires the user to open a booby-trapped document; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Foxit, the reporting vendor, has issued a security bulletin covering the affected versions.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57247 HIGH This Week

Use-after-free during PDF field processing in Foxit PDF Editor and Foxit PDF Reader allows a crafted document to delete the current page and then reuse now-dangling field objects, causing an illegal memory read and application crash. Affects Foxit PDF Editor through 14.0.4 / 2026.1.1 and Foxit PDF Reader through 2026.1.1; exploitation requires a user to open a malicious PDF. No public exploit identified at time of analysis and the flaw is not in CISA KEV; vendor (Foxit) reported it and tags it primarily as denial of service / memory corruption.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57250 HIGH This Week

Use-after-free memory corruption in Foxit PDF Editor and Foxit PDF Reader is triggered when JavaScript embedded in a malicious PDF resets form fields and re-enters the interface, causing the application to invoke a method on a freed native object. An attacker who convinces a user to open a crafted PDF can crash the application, and because the flaw is a use-after-free (CWE-416), it carries potential for memory-corruption abuse beyond denial of service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57256 HIGH This Week

Memory corruption in Foxit PDF Reader and Foxit PDF Editor allows a crafted PDF containing embedded JavaScript to trigger a use-after-free (CWE-416) when the script manipulates a list box field and the form is subsequently reset. A victim who merely opens the malicious document can have the application dereference a dangling pointer to freed form-field memory; Foxit itself reported the flaw and CVSS rates it 7.8. No public exploit or CISA KEV listing exists, so this is no public exploit identified at time of analysis, though use-after-free in a scriptable PDF engine is a classic path toward code execution.

Memory Corruption Denial Of Service Use After Free Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57260 HIGH This Week

Out-of-bounds memory access in Foxit PDF Editor and Foxit PDF Reader occurs when the application parses a malformed Unity 3D object embedded in a PDF, resolving attacker-influenced data as a pointer and dereferencing it as a valid address. A victim who opens a crafted PDF triggers the flaw (CVSS 7.8, UI:R), which manifests as a crash but, given the CWE-787 out-of-bounds write classification and High confidentiality/integrity/availability impact, carries potential for memory corruption and code execution in the context of the current user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Memory Corruption Buffer Overflow Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57239 HIGH This Week

Local privilege escalation in Foxit PDF Editor and Foxit PDF Reader (Windows) lets a low-privileged user place executable files that a high-privilege process later runs directly, yielding code execution as NT AUTHORITY\SYSTEM. The flaw stems from an untrusted search path (CWE-427) where the application loads and executes attacker-writable binaries without validating their origin. There is no public exploit identified at time of analysis, EPSS is low (0.11%, 2nd percentile), and SSVC reports no observed exploitation, so this is a locally-exploitable escalation rather than a remotely wormable threat.

Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-60105 HIGH PATCH This Week

Server-side request forgery in Monsta FTP before 2.14.5 lets an unauthenticated remote attacker coerce the server into making HTTP requests to internal-only services and exfiltrate the responses. The flaw lives in the fetchRemoteFile action, where the isBlockedIP() SSRF filter fails to recognize IPv4-mapped IPv6 addresses, so blocklisted internal ranges can be reached anyway; a CSRF token is trivially obtainable from the public getSystemVars endpoint. Impact is notable because the primary abuse case is stealing cloud instance metadata credentials, though no public exploit is identified at time of analysis.

CSRF SSRF
NVD VulDB
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-14373 HIGH PATCH This Week

Host namespace escape in HashiCorp Nomad and Nomad Enterprise lets an authenticated job submitter bypass the allow_privileged control for the Docker task driver, launching containers in host PID/network/IPC namespaces to read data from the host or co-located workloads on the same client node. The flaw stems from missing authorization enforcement (CWE-862) and carries a CVSS 7.7 with a changed scope, reflecting cross-tenant impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Hashicorp Docker Nomad Nomad Enterprise
NVD VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-55874 HIGH PATCH This Week

Cross-bucket object disclosure in SeaweedFS S3 API gateway (versions prior to 4.34) allows an authenticated identity scoped to a single bucket to read objects from other buckets by injecting dot-dot (../) path segments into the X-Amz-Copy-Source header of CopyObject and UploadPartCopy requests. Because the gateway performs a server-side copy without normalizing or rejecting traversal segments, the bucket-level access boundary is bypassed. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the fix in 4.34 is confirmed via the vendor security advisory and source commit.

Path Traversal
NVD GitHub
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-14244 HIGH This Week

Arbitrary file disclosure in the Jssor Slider by jssor.com WordPress plugin (all versions through 3.1.24) lets unauthenticated remote attackers traverse the filesystem via the 'url' parameter and read the contents of any file the web server can access, such as wp-config.php. Wordfence disclosed the flaw and points to the plugin's admin controller code; no public exploit is identified at time of analysis and it is not listed in CISA KEV. EPSS was not provided, but the network-reachable, unauthenticated nature of the bug makes it an attractive scanning target.

WordPress Path Traversal Jssor Slider By Jssor Com
NVD VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-59892 HIGH PATCH This Week

Denial of service in OpenTelemetry JavaScript (@opentelemetry/propagator-jaeger) before 2.9.0 allows an unauthenticated remote attacker to crash a Node.js service by sending a malformed percent-encoded uber-trace-id or uberctx-* HTTP header. The JaegerPropagator passes header values to decodeURIComponent() without catching the resulting URIError, so the uncaught exception terminates the process. No public exploit identified at time of analysis, and this is not listed in CISA KEV; the fix is version 2.9.0.

Node.js Information Disclosure Opentelemetry Js
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-56669 HIGH PATCH This Week

Denial of service in the Elysia TypeScript web framework (versions prior to 1.4.29) lets remote unauthenticated attackers exhaust server CPU by submitting multipart/form-data requests containing many unique key-value pairs. Elysia's form-data normalization uses getAll in a way that scales quadratically with the number of fields, so a single crafted request can consume disproportionate processing time and stall the event loop. A public technical write-up demonstrating the quadratic behavior exists, but there is no evidence of active exploitation; EPSS was not provided.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy