Skip to main content
CVE-2026-59257 MEDIUM PATCH This Month

SQL injection in n8n's legacy MySQL v1 node (executeQuery operation) exposes the connected MySQL database to arbitrary query execution when workflow expressions interpolate attacker-controlled input without parameterization. Versions before 1.123.61 (1.x branch), 2.27.4 (2.x branch), and 2.28.1 (2.28.x branch) are affected when workflows combine the MySQL v1 node with externally-reachable triggers such as a Webhook node. No public exploit or CISA KEV listing is identified at time of analysis; however, deployments exposing such workflows to untrusted networks face high-severity database confidentiality and integrity risk.

SQLi N8n
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-59927 MEDIUM PATCH This Month

Unbounded recursion in Mistune's Include directive (all versions prior to 3.3.0) can be triggered by a pair of mutually-referencing markdown files, bypassing the cycle detector that only checks for direct self-inclusion. An attacker who can supply markdown content processed by an application using the Include directive may crash the rendering request with a Python RecursionError, resulting in a denial of service. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a confirmed fix is available in version 3.3.0.

Python Denial Of Service Mistune
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-59875 MEDIUM PATCH This Month

Process termination via crafted tar archive affects node-tar prior to 7.5.17, where NUL bytes in PAX path and linkpath header records are not sanitized before being passed to Node.js filesystem calls. Any application using node-tar to extract untrusted archives is susceptible to denial of service through an uncaught exception that crashes the Node.js process. No confirmed active exploitation or public exploit code has been identified at time of analysis; however, the low attack complexity (CVSS AC:L, PR:N) makes this trivial to trigger wherever attacker-controlled archive input reaches a vulnerable node-tar instance.

Node.js Information Disclosure Node Tar
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12097 MEDIUM This Month

Authorization bypass in the User Management WordPress plugin (versions ≤ 1.2) permits unauthenticated network attackers to overwrite the plugin's export field configuration stored in the uiewp_export_field WordPress option, determining which user fields - including password hashes - are bundled into CSV exports and how columns are interpreted during user imports. Reported by Wordfence, the flaw stems from CWE-862 (Missing Authorization), meaning the plugin performs no privilege check before accepting these writes. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the ability to preconfigure exports to surface password hashes represents a meaningful secondary confidentiality risk beyond the raw CVSS 5.3 Medium score.

Authentication Bypass WordPress User Management
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-7492 MEDIUM PATCH This Month

Private project existence disclosure in GitLab CE/EE (versions 9.1 through 18.11.x, 19.0.x, and 19.1.x) enables low-privilege GitLab account holders to confirm whether a private project exists via improperly authorized cross-project reference pages. The flaw stems from missing authorization controls (CWE-862) on reference resolution endpoints, leaking project existence metadata to users who have no authorized access to the targeted private project. No public exploit exists and this vulnerability is not listed in CISA KEV; GitLab has released patches across all three affected version branches.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-60124 MEDIUM This Month

Authorization bypass in MISP's EventsController::importModule() allows authenticated users or read-only API key holders with event view access to persist unauthorized data modifications to events. When an import module returns results in the misp_standard format, the write path skips the modification-rights check applied by all other module result handling paths, allowing a view-only principal to inject or overwrite event content they have no permission to edit. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, but the integrity impact on shared threat intelligence events is operationally significant for MISP deployments where data provenance and access segregation are critical.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-60125 MEDIUM This Month

Incorrect authorization in MISP versions through 2.5.42 allows authenticated users from restricted organizations to invoke import modules that their organization has been explicitly blocked from using via the Plugin.Import_<module>_restrict configuration. The importModule() function relied on getEnabledModule() - a single-module lookup that lacks per-organisation restriction awareness - rather than the restriction-enforcing getEnabledModules(), creating a logical bypass exploitable by any authenticated user who knows a restricted module's name. Depending on the targeted module and the attacker's event permissions, this can result in unauthorized import or modification of MISP event data; no public exploit exists and this vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56776 MEDIUM PATCH This Month

{workflowId}/test-runs/new endpoint incorrectly validates the workflow:read scope instead of the required workflow:execute scope, enabling any project-level viewer to invoke the internal workflow runner without execute privileges. This results in unintended outbound API calls and data mutations to downstream connected systems - a meaningful integrity risk in multi-tenant RBAC deployments. No public exploit or CISA KEV listing exists at time of analysis.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-59897 MEDIUM PATCH This Month

Header de-duplication logic in Hono's AWS API Gateway v1 adapter silently drops distinct repeated header values because it uses substring comparison rather than exact string equality, meaning a value like '10.0.0.1' would incorrectly suppress '10.0.0.10'. Middleware or application logic relying on a complete X-Forwarded-For chain, rate limiting counters, audit trail integrity, or proxy-chain trust validation receives a truncated view of the request. Affected versions span 4.3.3 through 4.12.26; no public exploit identified at time of analysis, though the GitHub advisory confirms the issue and a fix is released in v4.12.27.

Information Disclosure Hono
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-59253 MEDIUM PATCH This Month

Improper authorization in n8n before 2.28.0 enables authenticated users to assign workflows to folders belonging to foreign projects by supplying crafted payloads during workflow creation. The flaw (CWE-639) bypasses project and folder ownership checks entirely, allowing logical integrity violations across organizational boundaries in multi-project deployments. No active exploitation is confirmed (not in CISA KEV) and no public proof-of-concept code has been identified at time of analysis, though the vendor has released a fix in version 2.28.0.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-58654 MEDIUM PATCH This Month

Unrestricted file upload in Grav API Plugin 1.0.0 allows authenticated users to store arbitrary content - including PHP scripts, SVG with embedded JavaScript, and polyglot payloads - via the avatar upload endpoint by supplying a forged client-declared MIME type beginning with 'image/'. The endpoint performs no server-side content inspection and imposes no extension restriction, so malicious files are written to user/accounts/avatars/ with predictable filenames. Immediate exploitation is partially mitigated by an .htaccess rule that returns HTTP 403 on direct access, but the files persist on disk and represent a latent RCE or stored XSS vector if a co-resident path traversal flaw or server misconfiguration bypasses that control. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal XSS PHP RCE File Upload
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-56778 MEDIUM PATCH This Month

Authorization bypass in n8n's Public API execution retry endpoint allows authenticated read-only users to trigger workflow executions they should not be permitted to run. The endpoint incorrectly authorizes requests against the workflow:read scope rather than the required workflow:execute scope, collapsing the intended permission boundary between read and execute access. This affects n8n instances before 2.25.7 and 2.26.x before 2.26.2 where workflows are shared across users or projects; no public exploit has been identified at time of analysis, and a vendor patch is available.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56775 MEDIUM PATCH This Month

Incorrect authorization in n8n's evaluation test-run API endpoints allows authenticated project viewers to perform state-changing operations reserved for users with execute permissions. On Enterprise and Cloud deployments running Advanced Permissions with projects and viewer roles configured, an authenticated project:viewer can start new evaluation test runs, cancel in-flight runs, and delete run records for workflows they have only read access to - bypassing the intended workflow:execute scope gate. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS 4.0 score of 5.3 (PR:L) reflects the authenticated, low-complexity nature of the flaw.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56298 MEDIUM PATCH This Month

Capgo's app information endpoint retains EXIF metadata in uploaded images, leaking sensitive geolocation coordinates and device information to any party with image access. Versions prior to 12.128.2 are affected. An authenticated attacker or any user who can view uploaded app-information images can retrieve full EXIF payloads - including GPS coordinates, timestamps, and device identifiers - from files that the platform should have sanitized. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; however, the attack requires only low-privilege network access and trivial tooling such as exiftool.

Information Disclosure
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56293 MEDIUM PATCH This Month

Incomplete state management in Capgo's transfer_app() function allows low-privileged authenticated users to retain or cause loss of access to deployment history records across organizations. Specifically, the function fails to update the deploy_history.owner_org field during inter-organization application transfers in all versions before 12.128.2, creating a persistent stale authorization grant. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-56217 MEDIUM PATCH This Month

Policy bypass in Capgo's OTA update enforcement allows holders of app-scoped API keys to downgrade encrypted app bundles to an unencrypted state by directly manipulating the app_versions table through PostgREST. Affected versions are all Capgo releases prior to 12.128.2. An attacker in possession of an app-scoped 'all' API key can nullify organization-level encrypted-bundle policies, silently stripping the cryptographic protections applied to over-the-air mobile updates and enabling distribution of unencrypted bundles to end-user devices. No public exploit code exists and this vulnerability has not been listed in the CISA KEV catalog at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-15033 MEDIUM This Month

OS command injection in christopherthielen/check-peer-dependencies up to version 4.3.4 allows remote low-privileged attackers to execute arbitrary operating system commands via the shelljs.exec() call in dist/packageUtils.js when processing peerDependency data. The vulnerable code path passes unsanitized dependency-related input directly to a shell execution function, a classic CWE-78 pattern. No vendor patch is available at time of analysis - the project maintainer has not responded to the issue report filed on GitHub (issue #74), and no KEV listing exists. EPSS data was not provided, so broad exploitation probability cannot be quantified.

Command Injection Check Peer Dependencies
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
1.1%
CVE-2026-5459 MEDIUM This Month

Insecure Direct Object Reference in weDevs WP User Frontend plugin (all versions ≤4.3.1) allows unauthenticated network attackers to activate a free subscription tier on behalf of any registered WordPress user by supplying an arbitrary user_id to the payment_page() function, silently overwriting existing paid subscriptions and revoking premium access. The root cause is a missing authorization check on a user-controlled key (CWE-639), and because WordPress user IDs are sequential integers trivially enumerable via the REST API, this is exploitable at scale with no authentication or user interaction. No public exploit has been identified at time of analysis, but the zero-privilege, low-complexity attack path makes this straightforward to weaponize against any site monetizing through this plugin's membership features.

Authentication Bypass WordPress User Frontend
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-60092 MEDIUM This Month

Stored XSS in AVideo's Meet plugin allows an anonymous, unauthenticated attacker to inject arbitrary JavaScript into privileged administrator and host browser sessions by supplying a malicious HTTP User-Agent header when joining any public meeting. The getMeetInfo.json.php endpoint persists the raw User-Agent value in meet_join_log.user_agent, bypassing AVideo's xss_esc() setter and omitting htmlspecialchars() at the output layer in the Participants management panel, where it renders in authenticated host and admin sessions. No vendor patch was available at the time of disclosure; no public exploit code or CISA KEV listing has been identified.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-57439 MEDIUM PATCH This Month

Prototype pollution in CyberChef prior to 11.2.0 enables cross-site scripting via a chained operation attack. The Series Chart operation accepts `__proto__` as a valid CSV key without sanitization, corrupting the JavaScript Object prototype; when downstream operations such as Parse UDP generate HTML output, the polluted prototype injects attacker-controlled JavaScript that executes in the victim's browser. The vendor has released a fix in version 11.2.0; no public exploit and no CISA KEV listing have been identified at time of analysis.

XSS Cyberchef
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.1%
CVE-2026-56273 MEDIUM PATCH This Month

Path traversal in Flowise's Faiss and SimpleStore vector store implementations allows any holder of a valid API token to write vector store data to arbitrary filesystem locations, creating a practical path to remote code execution or data exfiltration on the hosting server. All Flowise deployments prior to version 3.1.0 are affected when either of these two vector store backends is configured. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the post-authentication exploitation path is low-complexity, making timely patching critical especially in multi-tenant or shared deployments where API tokens are broadly distributed.

Path Traversal RCE
NVD GitHub
CVSS 4.0
4.9
EPSS
0.3%
CVE-2026-11827 MEDIUM PATCH This Month

Credential disclosure in GitLab Enterprise Edition allows an authenticated maintainer-role user to retrieve another user's stored credentials through insufficient authorization controls. All GitLab EE versions from 9.5 through the patched releases (18.11.7, 19.0.4, and 19.1.2) are affected, representing a broad historical exposure window spanning multiple major releases. No public exploit identified at time of analysis; the vulnerability was disclosed via HackerOne responsible disclosure (report 3720483), and GitLab has issued patched versions.

Gitlab Information Disclosure Red Hat
NVD VulDB
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-14362 MEDIUM PATCH This Month

Memory exhaustion in HashiCorp memberlist before 0.6.0 allows network-accessible attackers to crash individual cluster nodes by sending crafted push/pull state synchronization messages to the gossip port, triggering unbounded memory allocation until the process terminates. The vulnerability is rooted in missing resource limits on incoming gossip state payloads (CWE-770). No public exploit code exists and CISA KEV listing is not confirmed; however, because memberlist underpins HashiCorp Consul, Nomad, and Vault cluster communication, a single exploitable node crash can disrupt distributed coordination in dependent systems.

Hashicorp Denial Of Service Shared Library
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-59806 MEDIUM PATCH This Month

Open redirect and client-side SSRF in Gradio before 6.20.0 expose cloud infrastructure credentials to network attackers via the /gradio_api/file= endpoint. The file_fetch() function accepts unvalidated HTTP/HTTPS URLs from attacker-controlled FileData responses, enabling redirection of victim browsers to arbitrary destinations including cloud metadata services such as the EC2 instance metadata endpoint (169.254.169.254). Successful exploitation in cloud-hosted Gradio deployments allows retrieval of IAM role credentials, achieving high subsequent-system confidentiality impact. No public exploit or CISA KEV listing is identified at time of analysis; a fix is available in version 6.20.0.

SSRF Open Redirect
NVD GitHub VulDB
CVSS 4.0
4.9
EPSS
0.2%
CVE-2026-12936 MEDIUM This Month

SQL Injection in the Recurio - Ultimate Subscription for WooCommerce WordPress plugin (versions up to and including 1.1.3) exposes the full WordPress database to authenticated shop managers via an unsanitized 'data' parameter in the subscription engine. Attackers with shop manager-level credentials or higher can append arbitrary SQL clauses to existing queries, enabling extraction of sensitive records including customer PII, order history, and WordPress user data. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the high privilege requirement substantially limits the real-world attack surface.

WordPress SQLi Recurio Ultimate Subscription For Woocommerce
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-59876 MEDIUM PATCH This Month

Prototype pollution in protobuf.js versions 8.2.0 through 8.6.4 allows network-reachable attackers to corrupt JavaScript object prototype chains via the Text Format extension, by supplying a map entry whose key is the reserved JavaScript token `__proto__`, causing the parser to overwrite the prototype of the returned map object instead of creating a literal own-property entry. Exploitation is constrained by high attack complexity - only applications explicitly using the optional `/ext/textformat` module and parsing attacker-controlled input are affected - and real-world impact is limited to partial confidentiality and integrity effects in downstream code that inherits or enumerates poisoned prototype properties. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Information Disclosure Prototype Pollution Protobuf Js
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-56374 MEDIUM PATCH This Month

Heap buffer overflow in ImageMagick's FTXT encoder exposes systems to denial of service and potential information disclosure when processing attacker-crafted image files. All ImageMagick versions before 7.1.2-19 are affected due to missing boundary checks when parsing the ftxt:format parameter, allowing an out-of-bounds read (CWE-125) in the FTXT encoder component. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though a vendor patch is available at 7.1.2-19.

Denial Of Service Buffer Overflow Information Disclosure Imagemagick
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-56359 MEDIUM PATCH This Month

Stored cross-site scripting in n8n before 2.8.0 allows authenticated low-privilege users to inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields within the credential management flow. When a victim - potentially a higher-privileged user - clicks the OAuth authorization button on the crafted credential, arbitrary scripts execute in their browser session carrying the victim's privileges. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the stored nature of the payload means a single malicious credential can be surfaced to multiple targets in collaborative n8n environments.

XSS N8n
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-58657 MEDIUM PATCH This Month

Stored CSS injection in Grav CMS (all 2.0 branch releases through 2.0.0-rc.9) lets a lower-privileged content editor manipulate the visual interface seen by higher-privileged administrators and reviewers. The resize() Markdown media action in Excerpts::processMediaActions() writes caller-controlled values directly into rendered img style attributes without sanitization, despite prior hardening that blocked the ?style= and attribute() vectors. An attacker with editorial access can store a crafted image URL with semicolon-delimited CSS declarations that render a full-viewport overlay when a privileged user views the page, enabling UI redress and content-manipulation attacks. No public exploit has been identified at time of analysis; the vendor-confirmed fix is Grav 2.0.0.

XSS
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-56283 MEDIUM PATCH This Month

HTML injection in Capgo's organization settings endpoint allows an authenticated attacker to embed malicious HTML into the organization name field, redirecting other users to attacker-controlled phishing sites. Affected versions are all Capgo releases prior to 12.128.2. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the attack path is low-complexity for any user with organization settings write access.

XSS
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-6371 MEDIUM This Month

Stored cross-site scripting in Limatek System Inc.'s LimRAD NAC through version 08072026 allows an adjacent-network, low-privileged attacker to inject persistent malicious scripts that execute in victims' browsers when affected pages are loaded. The CVSS scope change (S:C) confirms that injected script execution crosses into the victim's browser security context, enabling potential session hijacking or credential theft targeting higher-privileged users such as administrators. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor did not respond to TR-CERT's disclosure, leaving no patch available and remediation options limited to compensating controls.

XSS Limrad Nac
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-54344 MEDIUM PATCH This Month

Command injection in ToolJet's GitHub Actions render preview deployment workflow allows any GitHub user capable of commenting on an open pull request to execute arbitrary shell commands on the CI runner and exfiltrate deployment secrets. The root cause is unsanitized interpolation of `github.event.comment.body` directly into a bash conditional within a `run` step, meaning a single malicious PR comment can pivot to full CI runner compromise. No CISA KEV listing exists at time of analysis, but the attack technique - GitHub Actions expression injection - is extremely well-documented publicly, making practical exploitation trivial for any GitHub user with PR commenting rights.

Command Injection Tooljet
NVD GitHub
CVSS 3.1
4.7
EPSS
0.2%
CVE-2026-59947 MEDIUM PATCH This Month

Credential leakage in Composer PHP dependency manager exposes sensitive tokens - such as GitHub Personal Access Tokens embedded in repository URLs - to debug output when the tool is invoked with the -vvv verbosity flag. Affected versions prior to 2.2.29 (LTS branch) and 2.10.2 fail to sanitize username-slot URL credentials (e.g., https://TOKEN@host/) across three components: AuthHelper, Url::sanitize, and ProcessExecutor. An attacker or co-located user with access to terminal output or CI/CD log artifacts could extract valid authentication tokens from this debug output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure PHP Composer
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-14361 MEDIUM PATCH This Month

Path redirection via the writeToFile template helper in consul-template before 0.42.1 allows a local low-privileged attacker to redirect template output outside the intended destination directory or overwrite existing files on the filesystem. Because consul-template routinely renders sensitive secrets from HashiCorp Vault, Consul, and AWS Secrets Manager into local files, successful exploitation can expose those secrets by redirecting writes to attacker-readable locations. No public exploit code or CISA KEV listing is associated with this vulnerability at time of analysis.

Information Disclosure
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-12002 MEDIUM This Month

Cross-Site Request Forgery in Smash Balloon Social Photo Feed - Easy Social Feeds Plugin for WordPress (all versions through 6.11.1) enables unauthenticated remote attackers to overwrite the site's Instagram and Facebook oEmbed access tokens by forging a request that a logged-in administrator unwittingly executes. The root cause is missing or incorrect nonce validation on the `maybe_connection_data` function, WordPress's primary CSRF defense mechanism. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, a patch changeset is confirmed in the WordPress plugin repository.

WordPress CSRF Smash Balloon Social Photo Feed Easy Social Feeds Plugin
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-12041 MEDIUM This Month

Stored cross-site scripting in the Chatra Live Chat + ChatBot + Cart Saver WordPress plugin (all versions ≤ 1.0.12) enables authenticated attackers holding administrator-level credentials to persist arbitrary JavaScript payloads through admin settings fields that lack input sanitization and output escaping. Injected scripts execute silently in the browsers of any user who visits an affected page, enabling session hijacking, credential harvesting, or malicious redirection. Exploitation is gated behind two environmental preconditions - WordPress multisite mode or explicitly disabled unfiltered_html - and no public exploit code or active exploitation has been identified at time of analysis.

WordPress XSS Chatra Live Chat Chatbot Cart Saver
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-49830 MEDIUM PATCH GHSA This Month

Local file inclusion in DSpace's OAI-ORE Ingestion Crosswalk allows a collection administrator to expose arbitrary server-side files as ingested bitstreams by supplying or triggering a malicious ORE XML document referencing file:/// URIs. Versions 7.x through 7.6.6, 8.0-8.3, and 9.0-9.2 are confirmed affected; fixed releases (7.6.7, 8.4, 9.3, 10.0) are available per the GitHub security advisory. No public exploit and no CISA KEV listing exist at time of analysis; the CVSS score of 4.4 reflects meaningful constraints on exploitation (high privileges, high complexity).

Privilege Escalation Tomcat
NVD GitHub
CVSS 3.1
4.4
CVE-2026-8472 MEDIUM PATCH This Month

Work item metadata in GitLab EE is exposed to authenticated users holding only minimal project permissions due to missing authorization checks on affected API or web endpoints, enabling unauthorized reads of private project data. Affected deployments span GitLab EE 18.9 through pre-18.11.7, 19.0 through pre-19.0.4, and 19.1 through pre-19.1.2, with patched releases now available from the vendor. No public exploit has been identified at time of analysis, the vulnerability is not listed in CISA KEV, and the CVSS 4.3 Medium score reflects narrow impact - confidentiality-only, metadata-scoped, with no integrity or availability consequence.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15131 MEDIUM PATCH This Month

Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15130 MEDIUM PATCH This Month

Insufficient navigation policy enforcement in Google Chrome prior to 150.0.7871.115 enables site isolation bypass when a user visits a crafted HTML page. A remote, unauthenticated attacker (per CVSS PR:N) can exploit this to read limited cross-origin data, undermining Chrome's core renderer process separation architecture. No public exploit code or active exploitation has been identified; SSVC rates exploitation as none and technical impact as partial, consistent with the moderate CVSS 4.3 score.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-12506 MEDIUM PATCH This Month

Content spoofing in GitLab CE/EE versions 16.5 through 18.x, 19.0, and 19.1 allows authenticated users to construct repositories where the web interface renders content that diverges from the actual downloadable source, exploiting improper Git reference name resolution (CWE-706). The CVSS score of 3.5 (Low) reflects the authentication requirement (PR:L), mandatory viewer interaction (UI:R), and limited integrity-only impact with no confidentiality or availability consequences. No public exploit code or CISA KEV listing has been identified at time of analysis, placing real-world risk firmly in the low tier despite the broad version range affected.

Gitlab Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13151 MEDIUM PATCH This Month

Improper authorization in GitLab Enterprise Edition allows an already-authenticated high-privilege user to modify group-level settings beyond the scope their role should permit. Affecting all EE versions from 16.10 through the patched releases of 18.11.7, 19.0.4, and 19.1.2, the flaw enables unauthorized integrity changes to group-wide policies without any user interaction. No public exploit or active exploitation has been identified at time of analysis, and the PR:H CVSS requirement substantially constrains real-world risk to a narrow set of already-privileged insiders.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15124 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Passwords component (versions prior to 150.0.7871.115) enables a remote attacker to read limited cross-origin data by directing a victim to a crafted HTML page. Chromium's own security team rates this High despite a CVSS base score of 4.3 (Medium), a discrepancy that likely reflects the sensitivity of credential-adjacent subsystem involvement rather than raw exploitability metrics alone. No public exploit identified at time of analysis; vendor patch is available as of the July 2026 stable channel release.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9731 MEDIUM This Month

Cross-Site Request Forgery in the Wp Js Detect WordPress plugin (all versions ≤ 1.0.9) permits unauthenticated attackers to overwrite the plugin's frontend notification text and CSS settings by exploiting absent nonce validation in the plugin_settings function. Because the stored values are echoed unescaped to the WordPress frontend, a successful forged request can inject arbitrary HTML or script content visible to site visitors who have JavaScript disabled. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; EPSS data was not supplied.

WordPress CSRF Wp Js Detect
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-59930 MEDIUM PATCH This Month

Predictable heading anchor ID generation in Mistune's toc plugin (all versions prior to 3.3.0) enables same-page navigation hijacking when untrusted Markdown content is rendered. The library assigns sequential numeric identifiers (toc_0, toc_1, etc.) to headings without incorporating heading text, so any party able to inject raw HTML containing a matching id attribute can pre-empt the generated anchor and redirect table-of-contents link targets, CSS selectors, or JavaScript DOM event handlers. No public exploit identified at time of analysis, though the deterministic ID scheme makes collision trivial to engineer once content injection is possible.

Python Information Disclosure Mistune
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-15108 MEDIUM PATCH This Month

Integer overflow in Extensions API in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension. (Chromium security severity: High)

Integer Overflow Buffer Overflow Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-55873 MEDIUM PATCH This Month

Authorization collapse in SeaweedFS 4.08-4.33 allows any authenticated low-privileged S3 user to enumerate administrator-owned S3 table bucket names and ARNs via a SigV4 routing flaw. Requests signed with service identifier 'S3Tables' are misrouted to the S3Tables management API, where the authorization logic fails open by collapsing account-less S3 identities into the shared admin account, effectively granting read access to admin-scoped metadata. No public exploit code exists and this CVE is not listed in CISA KEV, but the CVSS vector (PR:L) confirms exploitation requires only a valid low-privilege S3 credential.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14896 MEDIUM PATCH This Month

Cross-namespace authorization bypass in HashiCorp Nomad's dynamic host volumes feature permits an authenticated operator holding host volume delete permissions in one namespace to delete sticky volume claims belonging to jobs in a different namespace. Both Nomad Community Edition and Nomad Enterprise are affected from version 0.4.1 up to 2.0.4, with Enterprise additionally receiving backport fixes in 1.11.8 and 1.10.14. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, limiting immediate risk to multi-tenant deployments where namespace isolation is an enforced security boundary.

Authentication Bypass Hashicorp
NVD VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-60000 HIGH PATCH This Week

Denial of service in OpenSSH sshd before 10.4 lets remote unauthenticated attackers exhaust server resources by driving excessive authentication attempts, because the MaxAuthTries cap was not correctly enforced for the GSSAPIAuthentication path. Only deployments that have enabled GSSAPI-based authentication are exposed, and there is no public exploit identified at time of analysis. EPSS is low (0.34%, 26th percentile) and CISA SSVC records no observed exploitation, so this is a real but non-urgent availability issue rather than a code-execution threat.

SSH Denial Of Service Openssh
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-57111 HIGH This Week

Cross-origin information disclosure in the Apache Helix REST service (helix-rest) through 2.0.0 lets a remote attacker who lures an authenticated operator to a malicious web page read responses from and send requests to administrative REST endpoints. The CORSFilter unconditionally returns Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true and reflects arbitrary preflight method/header values, defeating the browser same-origin policy. There is no public exploit identified at time of analysis and EPSS risk is low (0.17%, 7th percentile), and it is not on the CISA KEV list.

Apache Information Disclosure Helix
NVD
CVSS 3.1
7.5
EPSS
0.2%
Prev Page 6 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy