Skip to main content
CVE-2026-5923 MEDIUM PATCH This Month

Cross-Site Request Forgery in HP IP phones' web management interface allows an attacker who has obtained a stolen session cookie to submit unauthorized state-changing requests that modify the phone's webpage contents, with integrity and availability rated high (VI:H/VA:H) in the vendor-supplied CVSS 4.0 vector. The CVSS 4.0 score of 6.0 reflects the attack conditions prerequisite (AT:P) of prior cookie theft, low-level privilege requirement (PR:L), and passive user interaction (UI:P), meaningfully limiting opportunistic exploitation. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.

CSRF
NVD
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-59924 MEDIUM PATCH This Month

Path traversal in Mistune's Include plugin allows reading arbitrary files from the server filesystem when processing attacker-controlled markdown. Applications using md.read() with the Include plugin on markdown content supplied by external users are exposed: a crafted include directive can escape the intended markdown base directory to access any file readable by the running process. No public exploit has been identified at time of analysis, but a vendor-released patch is available in version 3.3.0.

Python Path Traversal Mistune
NVD GitHub
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-54590 MEDIUM PATCH This Month

{ENV}) unblocked, enabling escape via Python's Path.expanduser() and _expand_val() expansion. No public exploit has been identified at time of analysis, and CVSS AC:H reflects the prerequisite server-side configuration; however, successful exploitation achieves high integrity impact by enabling authentication with key material from arbitrary filesystem locations.

Python Path Traversal
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-58501 MEDIUM PATCH This Month

Server-Side Request Forgery in Python Zeep 4.0.0 through 4.3.2 allows an attacker who can influence WSDL or XSD content parsed by the library to bypass the explicit `Settings.forbid_external` security control, causing the server to issue HTTP or HTTPS requests to attacker-chosen URLs via transitive xsd:import, xsd:include, wsdl:import, or lxml entity and DTD references. The vulnerability is particularly significant because it defeats a documented security setting that developers actively configure to prevent external fetching - applications relying on this control are silently unprotected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

SSRF Python Python Zeep
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-5922 MEDIUM PATCH This Month

Stored cross-site scripting in HP IP phone WebUI allows a low-privileged authenticated attacker to inject malicious script content into configuration parameters, which the phone's web management interface later renders unsanitized to visiting users. When an administrator browses the affected WebUI page, the injected payload executes in their browser session, producing a High integrity impact within the WebUI context. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; HP has published advisory HPSBPY04108 addressing the issue.

XSS
NVD
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-44918 MEDIUM PATCH This Month

Insufficient access controls in OpenStack Ironic's parent/child node hierarchy allow authenticated users to access or manipulate resources belonging to nodes outside their authorization scope. Affected objects include Volume Targets and Volume Connectors - which carry iSCSI storage credentials in boot-from-volume deployments - as well as Port and Portgroup objects (hardened as defense-in-depth in the same patch set). No public exploit identified at time of analysis and the CVE carries no CVSS score in the input data, but the exposure of iSCSI credentials in affected environments represents a meaningful lateral-movement risk within bare-metal cloud infrastructure.

Authentication Bypass
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2026-15167 MEDIUM PATCH This Month

Denial of service in Wireshark's DBS Etherwatch dissector affects release branches 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a malformed capture file or crafted packet can crash the application. The flaw is a stack-based buffer overflow (CWE-121) that manifests only as an availability impact - no confidentiality or integrity loss and no confirmed code execution - carrying a 7.5 (High) CVSS. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Buffer Overflow Denial Of Service Stack Overflow Wireshark
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2026-15170 MEDIUM PATCH This Month

Heap-based buffer overflow in Wireshark's Z39.50 protocol dissector crashes the application when processing malformed Z39.50 PDUs, resulting in denial of service. Affected versions span the 4.4.x branch (4.4.0-4.4.16) and 4.6.x branch (4.6.0-4.6.6). An attacker can trigger the crash by persuading an analyst to open a crafted packet capture file or by injecting malicious Z39.50 traffic onto a monitored network segment; no active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.

Heap Overflow Denial Of Service Buffer Overflow Wireshark
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15166 MEDIUM PATCH This Month

Stack-based buffer overflow in Wireshark's IEEE 802.11 (Wi-Fi) protocol dissector crashes the application, resulting in denial of service across versions 4.6.0-4.6.6 and 4.4.0-4.4.16. An attacker with the ability to deliver a malicious packet capture file, or inject crafted 802.11 frames into a live capture session, can crash the Wireshark process on a victim analyst's machine. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; vendor-released patches (4.6.7 and 4.4.17) are available.

Buffer Overflow Denial Of Service Stack Overflow Wireshark
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15165 MEDIUM PATCH This Month

Denial of service in Wireshark 4.6.0 through 4.6.6 lets a remote attacker crash the application by feeding it a malformed TLS packet using the Encrypted Client Hello (ECH) extension, triggering a heap buffer overflow in the ECH decryptor. No authentication or user interaction beyond processing the traffic is required, though impact is limited to availability (analyzer crash) with no code execution or data disclosure claimed. Publicly available exploit code exists per SSVC (POC), EPSS is low at 0.14% (4th percentile), and it is not listed in CISA KEV.

Heap Overflow Denial Of Service Buffer Overflow Wireshark
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-50812 MEDIUM This Month

NULL pointer dereference in SQLite's Session Extension crashes any application that passes attacker-controlled changeset blobs to sqlite3changeset_apply_v3(). Affected releases include SQLite 3.53.1 and all trunk builds prior to check-in e807d4e3798efd53. Impact is limited to availability - the process crashes - but because SQLite is embedded ubiquitously, the blast radius depends entirely on how widely consuming applications expose this code path to untrusted input. A public proof-of-concept gist is referenced in the CVE record; no public exploit identified at time of analysis beyond that demonstrator, and the vulnerability is not listed in CISA KEV.

Denial Of Service Null Pointer Dereference N A
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15172 MEDIUM PATCH This Month

The FMP/NOTIFY protocol dissector in Wireshark 4.6.0-4.6.6 and 4.4.0-4.4.16 crashes when processing malformed packet data, resulting in a denial of service against the application. Exploitation requires a victim to open a crafted packet capture file or analyze injected traffic, making this a social-engineering-dependent vector rather than a remotely triggerable flaw. A vendor-released patch is available in versions 4.6.7 and 4.4.17; no public exploit or CISA KEV listing has been identified at time of analysis.

Denial Of Service Wireshark
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15174 MEDIUM PATCH This Month

Denial of service in Wireshark 4.6.0-4.6.6 and 4.4.0-4.4.16 is caused by a heap-based buffer overflow in the Catapult DCT2000 protocol dissector, crashing the application when a crafted capture file is opened. The CVSS local attack vector (AV:L) and required user interaction (UI:R) constrain exploitation to scenarios where an analyst is socially engineered into opening a malicious capture file - no remote or unauthenticated network exploitation path exists. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; vendor-released fixes are available in 4.6.7 and 4.4.17.

Heap Overflow Denial Of Service Buffer Overflow Wireshark
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15171 MEDIUM PATCH This Month

Wireshark's SSH protocol dissector crashes via a null pointer dereference (CWE-476) in versions 4.4.0-4.4.16 and 4.6.0-4.6.6, enabling denial of service against any analyst or engineer running an affected build. The flaw is triggered locally when Wireshark processes malformed SSH protocol data, whether from a live capture or a crafted packet capture file, causing the application to crash and disrupting network analysis workflows. No active exploitation has been confirmed in CISA KEV, and no public exploit code is known at time of analysis.

Denial Of Service Null Pointer Dereference Wireshark
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15164 MEDIUM PATCH This Month

Denial of service in Wireshark's ciscodump remote capture utility (extcap) affects versions 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a heap-based buffer overflow (CWE-122) can crash the capture tool. An attacker able to feed crafted data to a running ciscodump session can terminate the process, disrupting live packet capture. A POC is referenced by CISA's SSVC assessment (no public exploit code independently identified), it is not in CISA KEV, and EPSS is very low at 0.10% (1st percentile), indicating minimal likelihood of widespread exploitation.

Heap Overflow Denial Of Service Buffer Overflow Wireshark
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15173 MEDIUM PATCH This Month

The pcapng file parser in Wireshark 4.6.0 through 4.6.6 contains a heap-based buffer overflow (CWE-122) that crashes the application, resulting in denial of service. An attacker must convince a user to open a specially crafted pcapng capture file, making this a social-engineering-dependent attack with no network-facing exploitation path. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a vendor patch is available in Wireshark 4.6.7.

Heap Overflow Denial Of Service Buffer Overflow Wireshark
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-49833 MEDIUM PATCH GHSA This Month

Path traversal via the COAR Notify / Linked Data Notifications (LDN) service in DSpace 8.0-8.3 and 9.0-9.2 allows an authenticated DSpace administrator to reference arbitrary filesystem paths as LDN inbound-pattern templates, causing those files to be read and interpreted as Apache Velocity templates. While no public exploit or active exploitation has been identified, the vulnerability was demonstrated as part of a proven attack chain in which an administrator stages a malicious Velocity payload in a predictable file location and triggers its execution, enabling either sensitive file disclosure or arbitrary Java code execution via Velocity template injection. No special conditions (KEV, public PoC) are confirmed at time of analysis.

Java Path Traversal Tomcat Apache
NVD GitHub
CVSS 3.1
5.5
CVE-2026-49831 MEDIUM PATCH GHSA This Month

Path traversal in DSpace's Curation Task reporter parameter exposes authenticated Collection, Community, and Site Administrators to file write operations at arbitrary server-side paths writable by the DSpace/Tomcat OS user. Affected are DSpace versions through 7.6.6, 8.0-8.3, and 9.0-9.2, where the attack surface widened when web UI access was granted to admin roles beyond CLI-only system administrators. No public exploit or CISA KEV listing exists; the vendor-assigned CVSS 3.1 score of 5.5 (PR:H, A:H) correctly reflects that high-privilege credentials are required but the availability impact from overwriting configuration or binary files can be severe.

Java Path Traversal Denial Of Service Tomcat
NVD GitHub
CVSS 3.1
5.5
CVE-2026-6896 MEDIUM PATCH This Month

Stored/reflected cross-site scripting in GitLab Enterprise Edition lets an authenticated user holding Developer-role permissions inject arbitrary scripts that execute in a victim user's browser session, enabling session hijacking or actions performed as the victim. It affects a broad version range (13.11 through 18.11.6, 19.0.x before 19.0.4, and 19.1.x before 19.1.2) and stems from improper sanitization of user-supplied input. There is no public exploit identified at time of analysis, though the flaw was disclosed through a HackerOne bug-bounty report.

XSS Gitlab
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-13320 MEDIUM PATCH This Month

Stored/reflected cross-site scripting in GitLab CE/EE (all versions from 15.7 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2) lets an authenticated user inject unsanitized input that executes arbitrary JavaScript in a victim's browser session, enabling session hijacking or actions on the victim's behalf. The scope-changed CVSS 7.3 reflects that the payload crosses a security boundary into another user's context. There is no public exploit identified at time of analysis, though the flaw originated from a HackerOne bug bounty submission and vendor patches are already available.

XSS Gitlab
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-11903 MEDIUM PATCH This Month

Stored/reflected cross-site scripting in the Ad Hoc Transfer module of Progress MOVEit Transfer lets an authenticated low-privilege user inject script that executes in another user's browser session, per the CVSS PR:L/UI:R vector. Affected builds are 2026.0.0 before 2026.0.1, 2025.1.0 before 2025.1.4, and 2025.0.0 before 2025.0.8. No public exploit identified at time of analysis, though MOVEit Transfer's history as a mass-exploitation target (prior GoAnywhere/MOVEit campaigns) makes prompt patching prudent.

XSS Moveit Transfer
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-59996 MEDIUM PATCH This Month

Path traversal in the scp utility of OpenSSH before 10.4 causes files to be written into the parent directory of the intended destination during remote-to-remote copy operations. The root cause is CWE-23 (Relative Path Traversal): scp fails to canonicalize or sanitize paths when relaying data between two remote hosts, allowing an attacker controlling a malicious endpoint to influence where transferred files land. No public exploit identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; the CVSS AC:H and UI:R metrics significantly constrain real-world exploitability.

SSH Information Disclosure Openssh
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-59995 MEDIUM PATCH This Month

Path traversal in the OpenSSH sftp client before version 10.4p1 allows an attacker-controlled server to write downloaded files outside the user's intended target directory when the 'sftp server:/path .' bulk-download syntax is used. Affected are all OpenSSH deployments where users sftp from untrusted or attacker-controlled hosts, which in practice spans virtually every Linux and Unix environment. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the ubiquity of OpenSSH elevates aggregate exposure despite the moderate per-instance severity.

SSH Information Disclosure Openssh
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-59997 MEDIUM PATCH This Month

OpenSSH's internal-sftp subsystem silently discards all command-line arguments beyond position 9, allowing authenticated SFTP users to bypass security restrictions that administrators intended to enforce via those later-positioned arguments. All OpenSSH releases before 10.4 are affected when sshd_config supplies more than nine arguments to the internal-sftp subsystem, which is a non-default but legitimate administrative pattern used for directory restriction, read-only enforcement, and umask control. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog; however, sites relying on complex internal-sftp argument chains for access policy enforcement face a direct, silent policy bypass.

SSH Information Disclosure Openssh
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-8315 MEDIUM This Month

Stored cross-site scripting in Mediküm Web (by Webbeyaz Web Design) enables authenticated low-privilege attackers to persist malicious scripts that execute in the browsers of other users who view the affected pages. All versions through 08072026 are affected per the CVE scope, with the CVSS scope-change metric (S:C) confirming cross-boundary execution into victim browser sessions. Critically, the vendor has confirmed the product is no longer supported, meaning no patch will be issued - organizations still running this software have no vendor remediation path. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Medik M Web
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-42505 MEDIUM PATCH This Month

Passive network de-anonymization of Encrypted Client Hello (ECH) connections is possible in Go's crypto/tls library because pre-shared key (PSK) identities are exposed in cleartext outer ClientHello messages, allowing any on-path observer to correlate resumption sessions and identify servers despite ECH's intended privacy protections. Affected versions span crypto/tls prior to 1.25.12, 1.26.5, and 1.27.0-rc.2 across the Go standard library. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; however, exploitation requires no authentication or user interaction and is accessible to any network-level adversary with passive traffic visibility.

Information Disclosure Crypto Tls
NVD VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-59926 MEDIUM PATCH This Month

Cross-site scripting in Mistune (Python Markdown parser) prior to version 3.2.1 allows injection of arbitrary HTML attributes via the Admonition directive's `:class:` option, critically bypassing HTMLRenderer escape mode even when it is explicitly enabled. Applications that render user-controlled Markdown with admonition directives and serve the resulting HTML to web browsers are exposed to stored or reflected XSS, enabling session hijacking, credential theft, or malicious DOM manipulation. No public exploit has been identified at time of analysis, and a vendor-released patch is available in v3.2.1.

XSS Python Mistune
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-14500 MEDIUM This Month

Unauthenticated arbitrary file read in Bulk Order Update for WooCommerce (versions up to and including 1.6) exposes the first line of any server-side file to remote attackers without credentials. The plugin's AJAX handler bouw_fetch_csv_data() is registered on the wp_ajax_nopriv_ hook - meaning WordPress serves it to unauthenticated users - and passes attacker-controlled filesystem paths directly to fopen()/fgetcsv(), reflecting parsed output in the JSON response. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the attack requires no authentication and no interaction, making it straightforward to exploit against any site with the plugin active.

WordPress Oracle Path Traversal Bulk Order Update For Woocommerce
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-59257 MEDIUM PATCH This Month

SQL injection in n8n's legacy MySQL v1 node (executeQuery operation) exposes the connected MySQL database to arbitrary query execution when workflow expressions interpolate attacker-controlled input without parameterization. Versions before 1.123.61 (1.x branch), 2.27.4 (2.x branch), and 2.28.1 (2.28.x branch) are affected when workflows combine the MySQL v1 node with externally-reachable triggers such as a Webhook node. No public exploit or CISA KEV listing is identified at time of analysis; however, deployments exposing such workflows to untrusted networks face high-severity database confidentiality and integrity risk.

SQLi N8n
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-59927 MEDIUM PATCH This Month

Unbounded recursion in Mistune's Include directive (all versions prior to 3.3.0) can be triggered by a pair of mutually-referencing markdown files, bypassing the cycle detector that only checks for direct self-inclusion. An attacker who can supply markdown content processed by an application using the Include directive may crash the rendering request with a Python RecursionError, resulting in a denial of service. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a confirmed fix is available in version 3.3.0.

Python Denial Of Service Mistune
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-59875 MEDIUM PATCH This Month

Process termination via crafted tar archive affects node-tar prior to 7.5.17, where NUL bytes in PAX path and linkpath header records are not sanitized before being passed to Node.js filesystem calls. Any application using node-tar to extract untrusted archives is susceptible to denial of service through an uncaught exception that crashes the Node.js process. No confirmed active exploitation or public exploit code has been identified at time of analysis; however, the low attack complexity (CVSS AC:L, PR:N) makes this trivial to trigger wherever attacker-controlled archive input reaches a vulnerable node-tar instance.

Node.js Information Disclosure Node Tar
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12097 MEDIUM This Month

Authorization bypass in the User Management WordPress plugin (versions ≤ 1.2) permits unauthenticated network attackers to overwrite the plugin's export field configuration stored in the uiewp_export_field WordPress option, determining which user fields - including password hashes - are bundled into CSV exports and how columns are interpreted during user imports. Reported by Wordfence, the flaw stems from CWE-862 (Missing Authorization), meaning the plugin performs no privilege check before accepting these writes. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the ability to preconfigure exports to surface password hashes represents a meaningful secondary confidentiality risk beyond the raw CVSS 5.3 Medium score.

Authentication Bypass WordPress User Management
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-7492 MEDIUM PATCH This Month

Private project existence disclosure in GitLab CE/EE (versions 9.1 through 18.11.x, 19.0.x, and 19.1.x) enables low-privilege GitLab account holders to confirm whether a private project exists via improperly authorized cross-project reference pages. The flaw stems from missing authorization controls (CWE-862) on reference resolution endpoints, leaking project existence metadata to users who have no authorized access to the targeted private project. No public exploit exists and this vulnerability is not listed in CISA KEV; GitLab has released patches across all three affected version branches.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-60124 MEDIUM This Month

Authorization bypass in MISP's EventsController::importModule() allows authenticated users or read-only API key holders with event view access to persist unauthorized data modifications to events. When an import module returns results in the misp_standard format, the write path skips the modification-rights check applied by all other module result handling paths, allowing a view-only principal to inject or overwrite event content they have no permission to edit. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, but the integrity impact on shared threat intelligence events is operationally significant for MISP deployments where data provenance and access segregation are critical.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-60125 MEDIUM This Month

Incorrect authorization in MISP versions through 2.5.42 allows authenticated users from restricted organizations to invoke import modules that their organization has been explicitly blocked from using via the Plugin.Import_<module>_restrict configuration. The importModule() function relied on getEnabledModule() - a single-module lookup that lacks per-organisation restriction awareness - rather than the restriction-enforcing getEnabledModules(), creating a logical bypass exploitable by any authenticated user who knows a restricted module's name. Depending on the targeted module and the attacker's event permissions, this can result in unauthorized import or modification of MISP event data; no public exploit exists and this vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56776 MEDIUM PATCH This Month

{workflowId}/test-runs/new endpoint incorrectly validates the workflow:read scope instead of the required workflow:execute scope, enabling any project-level viewer to invoke the internal workflow runner without execute privileges. This results in unintended outbound API calls and data mutations to downstream connected systems - a meaningful integrity risk in multi-tenant RBAC deployments. No public exploit or CISA KEV listing exists at time of analysis.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-59897 MEDIUM PATCH This Month

Header de-duplication logic in Hono's AWS API Gateway v1 adapter silently drops distinct repeated header values because it uses substring comparison rather than exact string equality, meaning a value like '10.0.0.1' would incorrectly suppress '10.0.0.10'. Middleware or application logic relying on a complete X-Forwarded-For chain, rate limiting counters, audit trail integrity, or proxy-chain trust validation receives a truncated view of the request. Affected versions span 4.3.3 through 4.12.26; no public exploit identified at time of analysis, though the GitHub advisory confirms the issue and a fix is released in v4.12.27.

Information Disclosure Hono
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-59253 MEDIUM PATCH This Month

Improper authorization in n8n before 2.28.0 enables authenticated users to assign workflows to folders belonging to foreign projects by supplying crafted payloads during workflow creation. The flaw (CWE-639) bypasses project and folder ownership checks entirely, allowing logical integrity violations across organizational boundaries in multi-project deployments. No active exploitation is confirmed (not in CISA KEV) and no public proof-of-concept code has been identified at time of analysis, though the vendor has released a fix in version 2.28.0.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-58654 MEDIUM PATCH This Month

Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal XSS PHP RCE File Upload
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-56778 MEDIUM PATCH This Month

Authorization bypass in n8n's Public API execution retry endpoint allows authenticated read-only users to trigger workflow executions they should not be permitted to run. The endpoint incorrectly authorizes requests against the workflow:read scope rather than the required workflow:execute scope, collapsing the intended permission boundary between read and execute access. This affects n8n instances before 2.25.7 and 2.26.x before 2.26.2 where workflows are shared across users or projects; no public exploit has been identified at time of analysis, and a vendor patch is available.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56775 MEDIUM PATCH This Month

Incorrect authorization in n8n's evaluation test-run API endpoints allows authenticated project viewers to perform state-changing operations reserved for users with execute permissions. On Enterprise and Cloud deployments running Advanced Permissions with projects and viewer roles configured, an authenticated project:viewer can start new evaluation test runs, cancel in-flight runs, and delete run records for workflows they have only read access to - bypassing the intended workflow:execute scope gate. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS 4.0 score of 5.3 (PR:L) reflects the authenticated, low-complexity nature of the flaw.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56298 MEDIUM PATCH This Month

Capgo's app information endpoint retains EXIF metadata in uploaded images, leaking sensitive geolocation coordinates and device information to any party with image access. Versions prior to 12.128.2 are affected. An authenticated attacker or any user who can view uploaded app-information images can retrieve full EXIF payloads - including GPS coordinates, timestamps, and device identifiers - from files that the platform should have sanitized. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; however, the attack requires only low-privilege network access and trivial tooling such as exiftool.

Information Disclosure
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56293 MEDIUM PATCH This Month

Incomplete state management in Capgo's transfer_app() function allows low-privileged authenticated users to retain or cause loss of access to deployment history records across organizations. Specifically, the function fails to update the deploy_history.owner_org field during inter-organization application transfers in all versions before 12.128.2, creating a persistent stale authorization grant. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-56217 MEDIUM PATCH This Month

Policy bypass in Capgo's OTA update enforcement allows holders of app-scoped API keys to downgrade encrypted app bundles to an unencrypted state by directly manipulating the app_versions table through PostgREST. Affected versions are all Capgo releases prior to 12.128.2. An attacker in possession of an app-scoped 'all' API key can nullify organization-level encrypted-bundle policies, silently stripping the cryptographic protections applied to over-the-air mobile updates and enabling distribution of unencrypted bundles to end-user devices. No public exploit code exists and this vulnerability has not been listed in the CISA KEV catalog at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-15033 MEDIUM This Month

OS command injection in christopherthielen/check-peer-dependencies up to version 4.3.4 allows remote low-privileged attackers to execute arbitrary operating system commands via the shelljs.exec() call in dist/packageUtils.js when processing peerDependency data. The vulnerable code path passes unsanitized dependency-related input directly to a shell execution function, a classic CWE-78 pattern. No vendor patch is available at time of analysis - the project maintainer has not responded to the issue report filed on GitHub (issue #74), and no KEV listing exists. EPSS data was not provided, so broad exploitation probability cannot be quantified.

Command Injection Check Peer Dependencies
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
1.1%
CVE-2026-5459 MEDIUM This Month

Insecure Direct Object Reference in weDevs WP User Frontend plugin (all versions ≤4.3.1) allows unauthenticated network attackers to activate a free subscription tier on behalf of any registered WordPress user by supplying an arbitrary user_id to the payment_page() function, silently overwriting existing paid subscriptions and revoking premium access. The root cause is a missing authorization check on a user-controlled key (CWE-639), and because WordPress user IDs are sequential integers trivially enumerable via the REST API, this is exploitable at scale with no authentication or user interaction. No public exploit has been identified at time of analysis, but the zero-privilege, low-complexity attack path makes this straightforward to weaponize against any site monetizing through this plugin's membership features.

Authentication Bypass WordPress User Frontend
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-60092 MEDIUM This Month

Stored XSS in AVideo's Meet plugin allows an anonymous, unauthenticated attacker to inject arbitrary JavaScript into privileged administrator and host browser sessions by supplying a malicious HTTP User-Agent header when joining any public meeting. The getMeetInfo.json.php endpoint persists the raw User-Agent value in meet_join_log.user_agent, bypassing AVideo's xss_esc() setter and omitting htmlspecialchars() at the output layer in the Participants management panel, where it renders in authenticated host and admin sessions. No vendor patch was available at the time of disclosure; no public exploit code or CISA KEV listing has been identified.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-57439 MEDIUM PATCH This Month

Prototype pollution in CyberChef prior to 11.2.0 enables cross-site scripting via a chained operation attack. The Series Chart operation accepts `__proto__` as a valid CSV key without sanitization, corrupting the JavaScript Object prototype; when downstream operations such as Parse UDP generate HTML output, the polluted prototype injects attacker-controlled JavaScript that executes in the victim's browser. The vendor has released a fix in version 11.2.0; no public exploit and no CISA KEV listing have been identified at time of analysis.

XSS Cyberchef
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.1%
CVE-2026-56273 MEDIUM PATCH This Month

Path traversal in Flowise's Faiss and SimpleStore vector store implementations allows any holder of a valid API token to write vector store data to arbitrary filesystem locations, creating a practical path to remote code execution or data exfiltration on the hosting server. All Flowise deployments prior to version 3.1.0 are affected when either of these two vector store backends is configured. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the post-authentication exploitation path is low-complexity, making timely patching critical especially in multi-tenant or shared deployments where API tokens are broadly distributed.

Path Traversal RCE
NVD GitHub
CVSS 4.0
4.9
EPSS
0.3%
CVE-2026-11827 MEDIUM PATCH This Month

Credential disclosure in GitLab Enterprise Edition allows an authenticated maintainer-role user to retrieve another user's stored credentials through insufficient authorization controls. All GitLab EE versions from 9.5 through the patched releases (18.11.7, 19.0.4, and 19.1.2) are affected, representing a broad historical exposure window spanning multiple major releases. No public exploit identified at time of analysis; the vulnerability was disclosed via HackerOne responsible disclosure (report 3720483), and GitLab has issued patched versions.

Gitlab Information Disclosure Red Hat
NVD VulDB
CVSS 3.1
4.9
EPSS
0.3%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy