Skip to main content
CVE-2026-14362 MEDIUM PATCH This Month

Memory exhaustion in HashiCorp memberlist before 0.6.0 allows network-accessible attackers to crash individual cluster nodes by sending crafted push/pull state synchronization messages to the gossip port, triggering unbounded memory allocation until the process terminates. The vulnerability is rooted in missing resource limits on incoming gossip state payloads (CWE-770). No public exploit code exists and CISA KEV listing is not confirmed; however, because memberlist underpins HashiCorp Consul, Nomad, and Vault cluster communication, a single exploitable node crash can disrupt distributed coordination in dependent systems.

Hashicorp Denial Of Service Shared Library
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-59806 MEDIUM PATCH This Month

Open redirect and client-side SSRF in Gradio before 6.20.0 expose cloud infrastructure credentials to network attackers via the /gradio_api/file= endpoint. The file_fetch() function accepts unvalidated HTTP/HTTPS URLs from attacker-controlled FileData responses, enabling redirection of victim browsers to arbitrary destinations including cloud metadata services such as the EC2 instance metadata endpoint (169.254.169.254). Successful exploitation in cloud-hosted Gradio deployments allows retrieval of IAM role credentials, achieving high subsequent-system confidentiality impact. No public exploit or CISA KEV listing is identified at time of analysis; a fix is available in version 6.20.0.

SSRF Open Redirect
NVD GitHub VulDB
CVSS 4.0
4.9
EPSS
0.2%
CVE-2026-12936 MEDIUM This Month

SQL Injection in the Recurio - Ultimate Subscription for WooCommerce WordPress plugin (versions up to and including 1.1.3) exposes the full WordPress database to authenticated shop managers via an unsanitized 'data' parameter in the subscription engine. Attackers with shop manager-level credentials or higher can append arbitrary SQL clauses to existing queries, enabling extraction of sensitive records including customer PII, order history, and WordPress user data. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the high privilege requirement substantially limits the real-world attack surface.

WordPress SQLi Recurio Ultimate Subscription For Woocommerce
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-59876 MEDIUM PATCH This Month

Prototype pollution in protobuf.js versions 8.2.0 through 8.6.4 allows network-reachable attackers to corrupt JavaScript object prototype chains via the Text Format extension, by supplying a map entry whose key is the reserved JavaScript token `__proto__`, causing the parser to overwrite the prototype of the returned map object instead of creating a literal own-property entry. Exploitation is constrained by high attack complexity - only applications explicitly using the optional `/ext/textformat` module and parsing attacker-controlled input are affected - and real-world impact is limited to partial confidentiality and integrity effects in downstream code that inherits or enumerates poisoned prototype properties. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Information Disclosure Prototype Pollution Protobuf Js
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-56374 MEDIUM PATCH This Month

Heap buffer overflow in ImageMagick's FTXT encoder exposes systems to denial of service and potential information disclosure when processing attacker-crafted image files. All ImageMagick versions before 7.1.2-19 are affected due to missing boundary checks when parsing the ftxt:format parameter, allowing an out-of-bounds read (CWE-125) in the FTXT encoder component. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though a vendor patch is available at 7.1.2-19.

Denial Of Service Buffer Overflow Information Disclosure Imagemagick
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-56359 MEDIUM PATCH This Month

Stored cross-site scripting in n8n before 2.8.0 allows authenticated low-privilege users to inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields within the credential management flow. When a victim - potentially a higher-privileged user - clicks the OAuth authorization button on the crafted credential, arbitrary scripts execute in their browser session carrying the victim's privileges. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the stored nature of the payload means a single malicious credential can be surfaced to multiple targets in collaborative n8n environments.

XSS N8n
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-58657 MEDIUM PATCH This Month

Stored CSS injection in Grav CMS (all 2.0 branch releases through 2.0.0-rc.9) lets a lower-privileged content editor manipulate the visual interface seen by higher-privileged administrators and reviewers. The resize() Markdown media action in Excerpts::processMediaActions() writes caller-controlled values directly into rendered img style attributes without sanitization, despite prior hardening that blocked the ?style= and attribute() vectors. An attacker with editorial access can store a crafted image URL with semicolon-delimited CSS declarations that render a full-viewport overlay when a privileged user views the page, enabling UI redress and content-manipulation attacks. No public exploit has been identified at time of analysis; the vendor-confirmed fix is Grav 2.0.0.

XSS
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-56283 MEDIUM PATCH This Month

HTML injection in Capgo's organization settings endpoint allows an authenticated attacker to embed malicious HTML into the organization name field, redirecting other users to attacker-controlled phishing sites. Affected versions are all Capgo releases prior to 12.128.2. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the attack path is low-complexity for any user with organization settings write access.

XSS
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-6371 MEDIUM This Month

Stored cross-site scripting in Limatek System Inc.'s LimRAD NAC through version 08072026 allows an adjacent-network, low-privileged attacker to inject persistent malicious scripts that execute in victims' browsers when affected pages are loaded. The CVSS scope change (S:C) confirms that injected script execution crosses into the victim's browser security context, enabling potential session hijacking or credential theft targeting higher-privileged users such as administrators. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor did not respond to TR-CERT's disclosure, leaving no patch available and remediation options limited to compensating controls.

XSS Limrad Nac
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-54344 MEDIUM PATCH This Month

Command injection in ToolJet's GitHub Actions render preview deployment workflow allows any GitHub user capable of commenting on an open pull request to execute arbitrary shell commands on the CI runner and exfiltrate deployment secrets. The root cause is unsanitized interpolation of `github.event.comment.body` directly into a bash conditional within a `run` step, meaning a single malicious PR comment can pivot to full CI runner compromise. No CISA KEV listing exists at time of analysis, but the attack technique - GitHub Actions expression injection - is extremely well-documented publicly, making practical exploitation trivial for any GitHub user with PR commenting rights.

Command Injection Tooljet
NVD GitHub
CVSS 3.1
4.7
EPSS
0.2%
CVE-2026-59947 MEDIUM PATCH This Month

Credential leakage in Composer PHP dependency manager exposes sensitive tokens - such as GitHub Personal Access Tokens embedded in repository URLs - to debug output when the tool is invoked with the -vvv verbosity flag. Affected versions prior to 2.2.29 (LTS branch) and 2.10.2 fail to sanitize username-slot URL credentials (e.g., https://TOKEN@host/) across three components: AuthHelper, Url::sanitize, and ProcessExecutor. An attacker or co-located user with access to terminal output or CI/CD log artifacts could extract valid authentication tokens from this debug output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure PHP Composer
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-14361 MEDIUM PATCH This Month

Path redirection via the writeToFile template helper in consul-template before 0.42.1 allows a local low-privileged attacker to redirect template output outside the intended destination directory or overwrite existing files on the filesystem. Because consul-template routinely renders sensitive secrets from HashiCorp Vault, Consul, and AWS Secrets Manager into local files, successful exploitation can expose those secrets by redirecting writes to attacker-readable locations. No public exploit code or CISA KEV listing is associated with this vulnerability at time of analysis.

Information Disclosure
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-12002 MEDIUM This Month

Cross-Site Request Forgery in Smash Balloon Social Photo Feed - Easy Social Feeds Plugin for WordPress (all versions through 6.11.1) enables unauthenticated remote attackers to overwrite the site's Instagram and Facebook oEmbed access tokens by forging a request that a logged-in administrator unwittingly executes. The root cause is missing or incorrect nonce validation on the `maybe_connection_data` function, WordPress's primary CSRF defense mechanism. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, a patch changeset is confirmed in the WordPress plugin repository.

WordPress CSRF Smash Balloon Social Photo Feed Easy Social Feeds Plugin
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-12041 MEDIUM This Month

Stored cross-site scripting in the Chatra Live Chat + ChatBot + Cart Saver WordPress plugin (all versions ≤ 1.0.12) enables authenticated attackers holding administrator-level credentials to persist arbitrary JavaScript payloads through admin settings fields that lack input sanitization and output escaping. Injected scripts execute silently in the browsers of any user who visits an affected page, enabling session hijacking, credential harvesting, or malicious redirection. Exploitation is gated behind two environmental preconditions - WordPress multisite mode or explicitly disabled unfiltered_html - and no public exploit code or active exploitation has been identified at time of analysis.

WordPress XSS Chatra Live Chat Chatbot Cart Saver
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-49830 MEDIUM PATCH GHSA This Month

Local file inclusion in DSpace's OAI-ORE Ingestion Crosswalk allows a collection administrator to expose arbitrary server-side files as ingested bitstreams by supplying or triggering a malicious ORE XML document referencing file:/// URIs. Versions 7.x through 7.6.6, 8.0-8.3, and 9.0-9.2 are confirmed affected; fixed releases (7.6.7, 8.4, 9.3, 10.0) are available per the GitHub security advisory. No public exploit and no CISA KEV listing exist at time of analysis; the CVSS score of 4.4 reflects meaningful constraints on exploitation (high privileges, high complexity).

Privilege Escalation Tomcat
NVD GitHub
CVSS 3.1
4.4
CVE-2026-8472 MEDIUM PATCH This Month

Work item metadata in GitLab EE is exposed to authenticated users holding only minimal project permissions due to missing authorization checks on affected API or web endpoints, enabling unauthorized reads of private project data. Affected deployments span GitLab EE 18.9 through pre-18.11.7, 19.0 through pre-19.0.4, and 19.1 through pre-19.1.2, with patched releases now available from the vendor. No public exploit has been identified at time of analysis, the vulnerability is not listed in CISA KEV, and the CVSS 4.3 Medium score reflects narrow impact - confidentiality-only, metadata-scoped, with no integrity or availability consequence.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15131 MEDIUM PATCH This Month

Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15130 MEDIUM PATCH This Month

Insufficient navigation policy enforcement in Google Chrome prior to 150.0.7871.115 enables site isolation bypass when a user visits a crafted HTML page. A remote, unauthenticated attacker (per CVSS PR:N) can exploit this to read limited cross-origin data, undermining Chrome's core renderer process separation architecture. No public exploit code or active exploitation has been identified; SSVC rates exploitation as none and technical impact as partial, consistent with the moderate CVSS 4.3 score.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-12506 MEDIUM PATCH This Month

Content spoofing in GitLab CE/EE versions 16.5 through 18.x, 19.0, and 19.1 allows authenticated users to construct repositories where the web interface renders content that diverges from the actual downloadable source, exploiting improper Git reference name resolution (CWE-706). The CVSS score of 3.5 (Low) reflects the authentication requirement (PR:L), mandatory viewer interaction (UI:R), and limited integrity-only impact with no confidentiality or availability consequences. No public exploit code or CISA KEV listing has been identified at time of analysis, placing real-world risk firmly in the low tier despite the broad version range affected.

Gitlab Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13151 MEDIUM PATCH This Month

Improper authorization in GitLab Enterprise Edition allows an already-authenticated high-privilege user to modify group-level settings beyond the scope their role should permit. Affecting all EE versions from 16.10 through the patched releases of 18.11.7, 19.0.4, and 19.1.2, the flaw enables unauthorized integrity changes to group-wide policies without any user interaction. No public exploit or active exploitation has been identified at time of analysis, and the PR:H CVSS requirement substantially constrains real-world risk to a narrow set of already-privileged insiders.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15124 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Passwords component (versions prior to 150.0.7871.115) enables a remote attacker to read limited cross-origin data by directing a victim to a crafted HTML page. Chromium's own security team rates this High despite a CVSS base score of 4.3 (Medium), a discrepancy that likely reflects the sensitivity of credential-adjacent subsystem involvement rather than raw exploitability metrics alone. No public exploit identified at time of analysis; vendor patch is available as of the July 2026 stable channel release.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9731 MEDIUM This Month

Cross-Site Request Forgery in the Wp Js Detect WordPress plugin (all versions ≤ 1.0.9) permits unauthenticated attackers to overwrite the plugin's frontend notification text and CSS settings by exploiting absent nonce validation in the plugin_settings function. Because the stored values are echoed unescaped to the WordPress frontend, a successful forged request can inject arbitrary HTML or script content visible to site visitors who have JavaScript disabled. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; EPSS data was not supplied.

WordPress CSRF Wp Js Detect
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-59930 MEDIUM PATCH This Month

Predictable heading anchor ID generation in Mistune's toc plugin (all versions prior to 3.3.0) enables same-page navigation hijacking when untrusted Markdown content is rendered. The library assigns sequential numeric identifiers (toc_0, toc_1, etc.) to headings without incorporating heading text, so any party able to inject raw HTML containing a matching id attribute can pre-empt the generated anchor and redirect table-of-contents link targets, CSS selectors, or JavaScript DOM event handlers. No public exploit identified at time of analysis, though the deterministic ID scheme makes collision trivial to engineer once content injection is possible.

Python Information Disclosure Mistune
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-15108 MEDIUM PATCH This Month

Integer overflow in Extensions API in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension. (Chromium security severity: High)

Integer Overflow Buffer Overflow Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-55873 MEDIUM PATCH This Month

Authorization collapse in SeaweedFS 4.08-4.33 allows any authenticated low-privileged S3 user to enumerate administrator-owned S3 table bucket names and ARNs via a SigV4 routing flaw. Requests signed with service identifier 'S3Tables' are misrouted to the S3Tables management API, where the authorization logic fails open by collapsing account-less S3 identities into the shared admin account, effectively granting read access to admin-scoped metadata. No public exploit code exists and this CVE is not listed in CISA KEV, but the CVSS vector (PR:L) confirms exploitation requires only a valid low-privilege S3 credential.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-59882 MEDIUM PATCH This Month

Host validation bypass in guzzlehttp/psr7 before 2.12.3 enables URI authority confusion attacks against PHP applications that rely on Uri::getHost() for security-critical decisions. The Uri::assertValidHost() method accepts host strings containing authority delimiters, embedded ports, or malformed IPv6 brackets, causing a semantic split where getHost() returns a sanitized value that disagrees with the actual URI authority used for routing - a classic CWE-436 interpretation conflict exploitable for SSRF allowlist bypass or host-based access control evasion. No public exploit has been identified at time of analysis; vendor-released patch version 2.12.3 resolves the issue.

Information Disclosure Psr7
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-14896 MEDIUM PATCH This Month

Cross-namespace authorization bypass in HashiCorp Nomad's dynamic host volumes feature permits an authenticated operator holding host volume delete permissions in one namespace to delete sticky volume claims belonging to jobs in a different namespace. Both Nomad Community Edition and Nomad Enterprise are affected from version 0.4.1 up to 2.0.4, with Enterprise additionally receiving backport fixes in 1.11.8 and 1.10.14. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, limiting immediate risk to multi-tenant deployments where namespace isolation is an enforced security boundary.

Authentication Bypass Hashicorp
NVD VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-53600 MEDIUM POC PATCH GHSA This Month

Differential extraction in async-tar 0.6.0 enables content-smuggling attacks against scan-then-extract pipelines: an attacker who controls the bytes of a tar stream can construct an archive that GNU-tar-based AV scanners see as a single benign blob while async-tar writes a distinct executable payload to disk that the scanner never inspected. The root cause is in poll_next_raw (src/archive.rs), which mis-applies a buffered PAX local-extension size record to an intermediary GNU longname (L) header rather than restricting the override to the following file entry, desyncing the stream cursor from any POSIX-correct parser. No public exploitation in the wild or CISA KEV listing has been identified, but a fully functional proof-of-concept with verbatim captured output is included in the advisory, demonstrating the complete x → L → file smuggling sequence.

Information Disclosure
NVD GitHub
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy