Skip to main content
CVE-2026-49477 HIGH POC PATCH GHSA This Week

Denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4, lets remote attackers hang a worker thread by submitting a ~300-byte attribute selector with an unterminated quoted value (e.g. '[a="xxxx...'), triggering catastrophic regular-expression backtracking in the VALUE pattern of css_parser.py. Any Python service that passes untrusted selector strings to soupsieve.compile() or Beautiful Soup's .select()/.select_one() is affected, and each added byte roughly doubles CPU time, so a handful of concurrent requests can exhaust all workers. Publicly available exploit code exists (a working PoC is embedded in the advisory), but no exploit is identified as being used in active attacks and it is not listed in CISA KEV.

Python Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-49476 HIGH POC PATCH GHSA This Week

Memory-exhaustion denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4 (beautifulsoup4), lets remote unauthenticated attackers crash Python services by submitting a large comma-separated CSS selector to soupsieve.compile() or Beautiful Soup's .select()/.select_one(). Each comma-delimited item is parsed into a ~976-byte object graph with no cap on list length, so a ~500 KB selector string of 'a,a,a,...' expands to roughly 244 MB of heap (a ~488x amplification), triggering OOM kills or MemoryError. A working proof-of-concept is published in the advisory; no CISA KEV listing or in-the-wild exploitation is reported.

Kubernetes Python Denial Of Service Docker
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-11571 HIGH POC PATCH This Week

Information disclosure in the Everest Forms WordPress plugin before 3.5.0 allows unauthenticated remote attackers to download other users' form submissions. The plugin generates temporary CSV files during email-notification processing but fails to reliably delete them, leaving them publicly accessible in the wp-content uploads directory under predictable, enumerable filenames. Publicly available exploit code exists and the flaw is automatable per CISA SSVC, though EPSS remains low at 0.14%; not listed in CISA KEV.

WordPress Information Disclosure Everest Forms
NVD WPScan
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-47828 HIGH PATCH This Week

Man-in-the-middle credential theft and root code execution affects the BOSH CLI (bosh-cli) prior to v7.10.4, which fails to verify the DAV blobstore server certificate during 'bosh create-env' and 'bosh delete-env' even though a valid CA certificate is present in the installation manifest. An adjacent network attacker who can intercept the operator's HTTPS upload can harvest Basic-auth credentials and the rendered-templates archive holding every bootstrap secret for the new BOSH Director, then replay those credentials against the target VM's agent to gain root code execution. There is no public exploit identified at time of analysis, but the vendor-rated CVSS 4.0 score of 8.9 reflects the high impact of a full Director compromise.

RCE Bosh Cli
NVD VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-13492 HIGH This Week

Arbitrary file deletion in the UsersWP WordPress plugin (versions ≤ 1.2.65) lets authenticated Subscriber-level users delete any file on the server, including wp-config.php, which can escalate into full site takeover. The flaw stems from unsanitized directory-traversal sequences in file-field metadata reaching an unlink() call in the upload_file_remove() AJAX handler. Reported by Wordfence with no public exploit identified at time of analysis and no active-exploitation (KEV) listing; an upstream code fix is available.

WordPress Path Traversal
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-59827 HIGH PATCH This Week

Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run arbitrary Java on the server. When Metabase returns H2 result columns of type OTHER (JDBC JAVA_OBJECT), it deserializes the embedded Java object without validation, so a crafted native H2 query triggers CWE-502 unsafe deserialization and full server compromise. It affects any instance using an H2 connection, including the default bundled sample database. No public exploit is identified at time of analysis (SSVC exploitation: none; EPSS 0.45%), though the upstream fix commit and vendor advisory GHSA-w95f-x9v9-wv36 are public.

Deserialization Java Metabase
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-55207 HIGH PATCH This Week

Full admin account takeover in Pimcore (Studio backend) before 2025.4.6 and 2026.1.6 lets an unauthenticated attacker who knows a valid admin username hijack that account by submitting a password-reset request with an attacker-controlled resetPasswordUrl; the server appends a genuine recovery token to that URL and emails it to the victim, so a single victim click leaks the token to the attacker, who authenticates via POST /pimcore-studio/api/login/token with full admin rights and bypasses 2FA. GitHub advisory GHSA-h854-c3m3-mh5v classifies this as an authentication bypass (CWE-640). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-5523 HIGH This Week

Privilege escalation to full account takeover in the Divi Form Builder WordPress plugin (versions up to and including 5.1.8) lets any authenticated user with subscriber-level access or higher change the email address and password of arbitrary accounts, including administrators. The flaw is an insecure direct object reference where a user ID supplied in a form submission is trusted without an authorization check. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Divi Form Builder
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-59148 HIGH PATCH This Week

Missing authentication on Mockoon's admin API (commons-server admin-api.ts) prior to 9.7.0 lets any unauthenticated party who can reach the mock server port fully control the runtime. Because the admin routes are mounted on the same Express listener as user mock routes, enabled by default, serve Access-Control-Allow-Origin: * with write methods, and require no credentials, an attacker can read MOCKOON_* environment variables, write arbitrary process env vars, rewrite mock route bodies/statuses/headers, read transaction logs and SSE streams, and purge state. No public exploit identified at time of analysis; not listed in CISA KEV.

Authentication Bypass Mockoon
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-15308 HIGH PATCH This Week

CPU-exhaustion denial of service in CPython's standard-library html.parser.HTMLParser lets remote attackers cause quadratic processing time by feeding a long, unterminated markup construct (comment, tag, PI, DOCTYPE, CDATA, or RAWTEXT element) incrementally in many small chunks. Any Python service that streams attacker-controlled HTML through HTMLParser.feed() is affected in all CPython versions before 3.16.0. There is no public exploit identified at time of analysis, but the fix, root cause (repeated buffer rescan and concatenation), and a triggering test case are publicly documented in the upstream pull request, making a working reproducer trivial to reconstruct.

Denial Of Service Python
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-60109 HIGH PATCH This Week

Denial of service in Zeek (formerly Bro) network security monitor before 8.0.9 lets remote unauthenticated attackers crash the sensor by sending a single crafted Kerberos KRB_ERROR packet. The flaw is a null pointer dereference (CWE-476) in the Kerberos analyzer's proc_padata() routine, reachable over UDP or TCP port 88 with no credentials. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial single-packet trigger and passive-monitoring exposure make it operationally significant for security teams running Zeek inline or on tapped traffic.

Denial Of Service Null Pointer Dereference Zeek
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-52775 HIGH POC PATCH GHSA This Week

{idreaction} and {id} URL path parameters, which are concatenated directly into a LIKE clause. Because YesWiki permits open self-registration, the practical barrier is minimal, and the flaw grants full database read/write - including extraction of yeswiki_users password hashes and emails. Publicly available exploit code exists in the advisory (including a time-based blind variant), but there is no public exploit identified as actively used in the wild and no CISA KEV listing.

SQLi PHP
NVD GitHub
CVSS 3.1
8.8
CVE-2026-59734 HIGH PATCH This Week

Authenticated command injection in Coolify (self-hosted PaaS) before 4.0.0-beta.469 allows a logged-in user to run arbitrary shell commands inside deployment containers by supplying malicious health-check parameters. The generate_healthcheck_commands() routine in ApplicationDeploymentJob.php interpolates the health_check_host, health_check_method, and health_check_path values straight into a shell command line, so any user able to configure an application's health check gains OS command execution during deployment. No public exploit identified at time of analysis, but the upstream fix and advisory (GHSA-4fhp-xqqp-w7vv) publicly document the vulnerable code path.

Command Injection PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-4275 HIGH This Week

Cross-Site Request Forgery in the Divi Torque Lite WordPress plugin (versions ≤ 4.2.3) lets remote attackers install and activate arbitrary plugins by tricking a logged-in administrator into loading a malicious page. The plugin registers its /install_plugin and /activate_plugin REST routes with '__return_true' as the permission_callback, which suppresses WordPress's REST nonce check so a forged request rides the admin's session cookies past the internal capability check. No public exploit is identified at time of analysis, but installing an attacker-supplied plugin yields effective remote code execution on the site.

WordPress CSRF Divi Torque Lite Divi Modules For The Divi Builder Theme
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-57026 HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated, network-based attacker to crash the flow processing daemon (flowd) by sending a malformed SIP INVITE packet when the SIP Application Layer Gateway (ALG) is enabled. The crash forces a flowd restart, producing a complete traffic-forwarding outage until the device auto-recovers, and can be repeated to sustain the outage. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided.

Juniper Denial Of Service Junos Os
NVD
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-57023 HIGH PATCH This Week

Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthenticated network attacker crash the flow processing daemon (flowd) by sending a single TCP packet with a malformed TCP header when the TCP proxy is active. Because TCP proxy is engaged whenever ALGs, Advanced Anti-Malware, ICAP, or UTM services inspect a flow, exploitation forces a complete traffic-forwarding outage until the daemon auto-restarts. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability threat to perimeter devices.

Juniper Denial Of Service Junos Os
NVD
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-11404 HIGH PATCH This Week

Denial of service in Cesanta Mongoose before 7.22 lets a remote, unauthenticated attacker crash any TLS service (HTTPS, MQTTS, or WSS) built on the MG_TLS_BUILTIN stack by sending a single crafted TLS ClientHello whose session_id_len byte is used as an unvalidated buffer index, triggering an out-of-bounds read. The flaw sits in the built-in TLS server handshake function mg_tls_server_recv_hello() and requires no authentication or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial and the issue was disclosed by VulnCheck.

Buffer Overflow Information Disclosure Mongoose
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-60108 HIGH PATCH This Week

Denial of service in Zeek network security monitor (versions before 8.0.9) lets unauthenticated remote attackers crash the sensor by driving unbounded memory growth in the FTP protocol analyzer. By opening an FTP control session, negotiating AUTH GSSAPI, and sending an oversized ADAT control line, an attacker forces the NVT_Analyzer to repeatedly double its base64-decode buffer until the process is terminated. VulnCheck reported the issue; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-facing, unauthenticated, low-complexity nature makes it a high-availability risk for exposed monitoring infrastructure.

Denial Of Service Zeek
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-12593 HIGH PATCH This Week

Privilege escalation in the Qt Axivion Dashboard allows an authenticated low-privileged user to mint API tokens for other, higher-privileged accounts via the undocumented POST /api/users/~/{user}/tokens endpoint, which failed to enforce an authorization check on the target user. An attacker who knows a more-privileged user's login name and can log in through the Dashboard's OAuth/OIDC flow can forge and finalize a token for that account, potentially seizing Dashboard Administrator rights and — chained with a separate weakness — achieving code execution on the host. CVSS 4.0 is rated 8.7 (High); there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass RCE Axivion
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-31984 HIGH PATCH This Week

Disk-exhaustion denial of service in Nozomi Networks Guardian and Central Management Console (CMC) lets a remote, unauthenticated attacker fill available storage by sending requests with oversized input that the audit-logging subsystem records without any size limit. Because the affected devices are OT/ICS network-monitoring appliances, exhausting disk can render the sensor or its management console inoperable and blind defenders. No public exploit is identified at time of analysis; EPSS and KEV data were not provided, but the network/unauthenticated CVSS 4.0 profile (VA:H) makes this a low-effort attack.

Denial Of Service Guardian Cmc
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-58143 HIGH This Week

Cross-site request forgery in Cotonti Siena (versions 0.9.26 and earlier) lets remote attackers alter administrator configuration by luring an authenticated admin into loading an attacker-controlled page that auto-submits a forged POST to the admin.php config update handler, which never calls the CMS's own CSRF validation routine. The highest-value abuse sets the PFS module option pfsfilecheck to 0, disabling the file-extension whitelist so any account with PFS (Personal File Storage) access can upload and execute arbitrary PHP, turning a CSRF into server-side code execution. There is no public exploit identified at time of analysis and it is not on CISA KEV, though a referenced public gist may contain proof-of-concept details; EPSS was not provided.

CSRF PHP
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-57156 HIGH PATCH This Week

Heap-based buffer overflow in FreeRDP (the widely used open-source RDP client library) allows a malicious or compromised RDP server to corrupt client memory and potentially achieve remote code execution in the connecting client's context. The flaw lives in the primary drawing-order parser (update_read_delta_points in libfreerdp/core/orders.c), where an inverted integer-overflow guard let an attacker-controlled point count produce an undersized heap allocation followed by an out-of-bounds write. No public exploit identified at time of analysis; the issue is fixed in FreeRDP 3.28.0 (GHSA-v5wf-j8j4-77h7).

Heap Overflow Buffer Overflow Freerdp
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-59833 HIGH This Week

Stored cross-site scripting in SiYuan before 3.7.1 escalates to OS command execution inside the Electron desktop renderer because the bundled Lute Markdown/HTML engine sanitizes content but fails to block dangerous javascript schemes in form action and SVG xlink:href attributes. An attacker who plants crafted content that a victim later opens via document export-preview or a Bazaar package README render can run arbitrary code on the victim's machine. There is no public exploit identified at time of analysis, and it is not on CISA KEV; the CVSS 4.0 base score is 8.6.

XSS Siyuan
NVD GitHub
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-59855 HIGH This Week

Cross-site scripting escalating to remote code execution in SiYuan (open-source personal knowledge management) before 3.7.1 lets an attacker embed a crafted asset link whose path contains a double quote, breaking out of an image src attribute in Asset.render to inject an event handler. Because SiYuan runs in an Electron renderer with OS-level capabilities, the injected JavaScript can execute arbitrary operating-system commands on the victim's machine once the malicious asset is opened. No public exploit identified at time of analysis, and it is not listed in CISA KEV; user interaction is required to trigger the flaw.

XSS Siyuan
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-55604 HIGH PATCH This Week

Session context hijacking in the arikusi DeepSeek MCP Server (versions 1.4.2 through 1.6.x) lets remote attackers read and continue another user's DeepSeek V4 conversations. The process-global SessionStore trusts any caller-supplied session_id without tying it to an authenticated principal or transport session, so an attacker can enumerate live sessions via the deepseek_sessions tool and then replay a victim's session_id through deepseek_chat. No public exploit identified at time of analysis and it is not on CISA KEV, but the mechanics are trivial and fully described in the vendor advisory (GHSA-fh3r-g96v-f578); version 1.7.0 fixes it.

Authentication Bypass Deepseek Mcp Server
NVD GitHub
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-61343 HIGH PATCH This Week

Authenticated remote code execution in LibreBooking (open-source scheduling/reservation platform) versions prior to 5.1.0 allows an administrator to write arbitrary files outside the intended template directory by abusing the email template editor's save action, which trusts the submitted template name as part of the destination file path. Because the resulting file can be dropped into a web-executable location, the write primitive escalates to server-side code execution. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, but a CISA CSAF advisory and upstream fix commit exist.

RCE
NVD GitHub
CVSS 4.0
8.6
EPSS
0.8%
CVE-2026-58378 HIGH This Week

Root-level device takeover affects the Allwinner H616-based TV98 Android TV Box, which ships to production with the Android Debug Bridge (ADB) daemon enabled and reachable over the network (TCP/5555). A network attacker can send an ADB authorization request, and if the victim accepts the RSA key confirmation prompt on the device, the attacker obtains a root shell. Classified under CWE-489 (leftover debug functionality), there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the attack is trivial once a user approves the pairing.

Information Disclosure
NVD
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-54801 HIGH This Week

Privilege escalation in Siemens CPCI85 Central Processing/Communication and SICORE Base System (all versions before V26.20 / V26.20.0) lets an already-authenticated attacker abuse insufficient validation of authentication credentials when modifying administrative accounts through the web API. By exploiting this weak credential re-verification (CWE-620), an attacker with existing access can bypass security controls and obtain unauthorized elevated privileges over the device. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Cpci85 Central Processing Communication Sicore Base System
NVD VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-50644 HIGH PATCH This Week

Authenticated SQL injection in SOPlanning lets a user holding the parameters_all privilege inject SQL through the audit retention configuration form, which is stored and then executed whenever the audit functionality is loaded by that attacker or any other user. Affected installations prior to version 1.56.01 face compromise of the underlying database, including data theft and modification. No public exploit identified at time of analysis; the flaw was reported by CERT-PL and is not listed in CISA KEV.

SQLi Soplanning
NVD VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-47826 HIGH PATCH This Week

Arbitrary file write and information disclosure in the Cloud Foundry BOSH CLI tool (versions prior to v7.10.4) stems from insufficient sanitization of the path key inside blobs.yml, letting a crafted release blob spec escape the intended blobstore directory. When an operator syncs or downloads blobs from a malicious or tampered release, the CLI can write files to attacker-controlled locations on the host and expose sensitive files. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 8.5 (High).

Bosh Cli Tool Path Traversal
NVD VulDB
CVSS 4.0
8.5
EPSS
0.3%
CVE-2026-58459 HIGH PATCH This Week

Arbitrary shell command execution in gpsd's gpsprof profiling tool (through release-3.27.5) allows an attacker who controls a GPS device's subtype value to run commands as the user rendering the plot. The subtype string - taken from a DEVICES JSON log entry or an NMEA PGRMT sentence - is embedded into a generated gnuplot program's `set title` statement with only double quotes escaped, so backtick payloads execute when the victim renders the plot via the gpsprof/gnuplot workflow. This was reported by VulnCheck; a vendor fix is available (fixed at commit 4c06658), and there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Command Injection Gpsd
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.7%
CVE-2026-47830 HIGH PATCH This Week

Local privilege escalation in BOSH-Ecosystem bosh-windows-stemcell-builder (versions prior to v2019.98) lets a low-privilege authenticated Windows user overwrite the BOSH agent executables at C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe, which then run as NT AUTHORITY\SYSTEM on the next service restart or reboot, yielding full host control. The weakness stems from overly permissive filesystem ACLs applied by BOSH.Utils.psm1 when the stemcell is built. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Microsoft Information Disclosure Bosh Windows Stemcell Builder
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-59856 HIGH PATCH This Week

Arbitrary OS command execution in Vim prior to 9.2.0736 arises from the bundled PHP omni-completion script (runtime/autoload/phpcomplete.vim), which interpolates an attacker-controlled class or trait name from the edited buffer into a search() pattern executed via win_execute() without escaping. When a victim opens a crafted PHP file and invokes omni-completion, a name containing a single quote breaks out of the search string and the trailing text is honored as Ex commands, letting an attacker run shell commands through :! . There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is fixed and the mechanism is well documented in the vendor advisory.

Code Injection PHP RCE Vim
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.5%
CVE-2026-59858 HIGH PATCH This Week

Arbitrary Ex command execution in Vim before 9.2.0735 arises from its C omni-completion script (runtime/autoload/ccomplete.vim), which interpolates the unescaped typeref: or typename: field of a tags entry into a :vimgrep pattern passed to :execute. Because :vimgrep treats the bar character as a command separator, a crafted tag field can terminate the search pattern and append an attacker-controlled command that runs with the privileges of the editing user when a victim opens a malicious .c file and triggers C omni-completion. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 4.0 base score of 8.4 reflects high confidentiality, integrity, and availability impact.

Code Injection RCE Vim
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-54799 HIGH This Week

Malicious firmware installation is possible on Siemens CPCI85 Central Processing/Communication firmware (versions before V26.20) and the SICORE Base System (before V26.20.0) because the firmware update mechanism fails to properly validate signatures. An attacker with high privileges and local access can push crafted, tampered firmware to achieve persistent code execution and full device compromise. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

RCE Cpci85 Central Processing Communication Sicore Base System
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-31985 HIGH PATCH This Week

Man-in-the-middle exposure in Nozomi Networks Remote Collector arises because configuring an upstream Guardian or CMC through the n2os-tui interface generates a configuration that disables TLS certificate verification, with no option to re-enable it. Any attacker positioned on the network path between the Remote Collector and its Guardian/CMC can intercept the channel to steal the sync token, impersonate the server, inject spoofed asset or vulnerability data, or disrupt telemetry flow. There is no public exploit identified at time of analysis, and the issue is not on CISA KEV; the vendor (Nozomi) self-reported it.

Code Injection Remote Collector
NVD VulDB
CVSS 4.0
8.3
EPSS
0.1%
CVE-2026-52771 HIGH POC PATCH GHSA This Week

Second-order SQL injection in YesWiki v4.6.5 lets any authenticated low-privilege user execute arbitrary SQL against the wiki database through the DELETE /api/pages/{tag} endpoint. An attacker plants a page whose tag contains a SQL-breakout payload (the INSERT escapes it but stores the literal quote), makes the page non-orphaned via an {{include}} link, then triggers deletePage(), where the stored tag is concatenated unescaped into a DELETE FROM _links WHERE to_tag='$tag' query. A detailed proof-of-concept with confirmed time-based blind extraction exists; the flaw enables reading password hashes, ACLs, and private page bodies, acting as a low-priv-to-admin escalation primitive. No public evidence of active exploitation was identified at time of analysis.

Deserialization SQLi PHP
NVD GitHub
CVSS 3.1
8.3
CVE-2026-52769 HIGH POC PATCH GHSA This Week

Server-side request forgery in YesWiki's Bazar ActivityPub module (through v4.6.5) lets an unauthenticated remote attacker coerce the server into fetching arbitrary attacker-chosen URLs. The public inbox route parses the HTTP Signature header and issues a server-side GET to the attacker-supplied keyId URL before any signature or URL validation, enabling internal port scanning, service enumeration, and cloud IAM metadata theft (169.254.169.254). Publicly available exploit code exists (a detailed PoC with a working request), and verbose 500 exception/stack-trace responses act as a data oracle; there is no CISA KEV listing.

CSRF SSRF PHP
NVD GitHub
CVSS 3.1
8.3
CVE-2026-33794 HIGH PATCH This Week

Denial-of-service in Juniper Junos OS Evolved on PTX Series routers lets an unauthenticated network attacker crash the advanced forwarding toolkit process (evo-aftmand) on the Packet Forwarding Engine by driving continuous routing updates that produce unified-list (unilist) ECMP routes. The resulting internal state corruption generates an evo-aftmand-bx core and halts forwarding, requiring a manual FPC restart or system reboot to recover. No public exploit identified at time of analysis; the vendor (Juniper SIRT) notes successful exploitation depends on a sequence of events outside the attacker's direct control, so this is a high-CVSS availability issue rather than a trivially reproducible one.

Juniper Denial Of Service Junos Os Evolved
NVD VulDB
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-57022 HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls lets an unauthenticated, network-based attacker crash and restart the PFE, dropping all traffic-forwarding services until automatic recovery. Exploitation is indirect: the attacker must lure or wait for the affected device to initiate an outbound TCP connection to an attacker-controlled system, which then replies with a crafted packet that trips an unhandled exceptional condition (CWE-754). Juniper-reported with CVSS 4.0 8.2; no public exploit identified at time of analysis and it is not in CISA KEV.

Juniper Denial Of Service Junos Os
NVD
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-57030 HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exhaust the packet forwarding engine (PFE) by exploiting a race condition in stateful flow teardown. When the race is hit, a flow's timeout is mis-set to a very high value (>10,000s instead of 3s), so sessions are never reaped, invalidated sessions accumulate without bound, and the device eventually stops forwarding or hits a flowd core and reboots. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation is probabilistic because the triggering conditions are outside the attacker's control.

Juniper Race Condition Information Disclosure Junos Os
NVD VulDB
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-52767 HIGH POC PATCH GHSA This Week

Signature-verification bypass in YesWiki (v4.6.5 and earlier, ActivityPub-federated Bazar forms) lets an unauthenticated remote attacker forge a valid ActivityPub actor and have Create/Update/Delete activities processed as if properly signed. The flaw stems from HttpSignatureService::verifySignature() using a loose boolean check (!openssl_verify(...)) that treats openssl_verify()'s -1 internal-error return as success. A detailed proof-of-concept exists (publicly available exploit code exists) demonstrating full CRUD on Bazar entries; the issue is not in CISA KEV and no EPSS score was provided.

CSRF Jwt Attack SSRF OpenSSL Apache +2
NVD GitHub
CVSS 3.1
8.2
CVE-2026-4256 HIGH This Week

Directory data disclosure in PEAKUP Technology's PassGate (all versions through build 30042026) allows remote unauthenticated attackers to manipulate LDAP queries by injecting special characters into user-controlled input. Reported by TR-CERT (Turkey's national CERT), the flaw carries a CVSS 8.2 driven by high confidentiality impact with no authentication or user interaction required. No public exploit code or CISA KEV listing exists at time of analysis, indicating no confirmed active exploitation.

Code Injection LDAP Passgate
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-51925 HIGH This Week

Arbitrary file disclosure in docuForm GmbH Client v11.11c allows a remote, low-privileged attacker to read sensitive server files through the dfm-menu_report.php component by supplying attacker-controlled path input. The NVD description asserts arbitrary code execution and the vendor gist tags it 'RCE'/'Authentication Bypass', but the concrete described capability is reading configuration files, source code, and system files, with code execution unsubstantiated in the available data. No public exploit is confirmed via a flag, though a third-party gist reference (ZeroBreach-GmbH) is published and likely carries proof-of-concept detail; EPSS is low at 0.35% (27th percentile) and the CVE is not on CISA KEV.

Authentication Bypass RCE PHP
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-55420 HIGH PATCH This Week

Remote code execution in Discourse (via the discourse-ai plugin's PDF-to-text feature) allows an attacker who can upload a crafted PDF to run arbitrary commands on the server, but only in non-default configurations where an LLM vision model is configured. The flaw is a CWE-78 OS command injection reached when uploaded PDFs are rasterized through ImageMagick, which in turn invokes an external delegate (Ghostscript) on attacker-controlled input. It is not in CISA KEV and has no public exploit identified at time of analysis; EPSS is low at 0.33% (25th percentile), and vendor patches exist across all supported release lines.

Command Injection Discourse
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-51923 HIGH This Week

Broken object-level authorization in docuForm GmbH Client v11.11c lets an authenticated remote user manipulate the user settings component to read and modify other users' account data, with the reporter additionally claiming this can escalate to arbitrary code execution. The flaw stems from user-controlled object references (CWE-639) that the application fails to authorize against the requesting session. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile).

Authentication Bypass Information Disclosure RCE
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-51924 HIGH This Week

Authenticated remote code execution in docuForm GmbH Client v11.11c lets low-privileged users abuse the report.php file-upload component to run arbitrary code on the server. The flaw combines an authorization-bypass weakness (CWE-639) with unrestricted file upload, so an attacker with any valid account can escalate to full server compromise. No public exploit identified at time of analysis, though a third-party gist referenced in NVD may contain technical write-up material; EPSS is low (0.24%, 15th percentile) and the CVE is not in CISA KEV.

Authentication Bypass File Upload RCE PHP
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-45422 HIGH This Week

Improper access control in the Proximus b-box v8c.725A ISP gateway lets an already-authenticated low-privilege user override authorization checks and freely add, alter, or delete port forwarding (NAT) rules. Publicly available exploit code exists (GitHub PoC by Cedrico03), though it is not listed in CISA KEV and carries a low EPSS score (0.22%, 12th percentile), indicating no evidence of widespread active exploitation. The flaw effectively grants any logged-in account router-administrator control over inbound traffic routing.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-59224 HIGH PATCH This Week

Identity spoofing in Open WebUI before 0.10.0 lets an authenticated low-privileged user impersonate another account by injecting query parameters into the terminal WebSocket URL. Because backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter - while the HTTP proxy path trusted an integrity-unbound X-User-Id header - an attacker can make the terminal backend resolve a different user identity, gaining that victim's terminal session context. No public exploit has been identified at time of analysis, but the fix is confirmed in v0.10.0 and the flaw is scored CVSS 8.0.

Authentication Bypass Open Webui
NVD GitHub
CVSS 3.1
8.0
EPSS
0.3%
CVE-2026-53932 HIGH PATCH GHSA This Week

OS command injection in the wnx/laravel-backup-restore Composer package (fixed in v1.9.4) allows an attacker who can get a malicious backup archive restored to run arbitrary shell commands as the Laravel application user. The restore workflow interpolates an unescaped ZIP entry filename from the db-dumps directory directly into shell command strings (mysql, psql, sqlite3, gunzip) executed via Symfony Process::fromShellCommandline(), so shell metacharacters in the filename are interpreted by /bin/sh. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the flaw is trivially exploitable once a crafted archive reaches the restore path.

Command Injection Microsoft PHP
NVD GitHub
CVSS 3.1
8.0
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy