Skip to main content
CVE-2026-15271 HIGH This Week

Least-privilege violation across multiple TOTOLINK SOHO router models (A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10, EX200 through firmware 20260906) stems from the /etc/boa/boa.conf configuration of the Boa web-server interface, allowing a low-privileged remote actor to gain access or information beyond their intended authorization boundary. The flaw carries CVSS 4.0 base score 7.7 with high attack complexity, and VulDB rates real-world exploitation as difficult. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure A3000Ru A3100R A950Rg Ac1200T10 +3
NVD VulDB
CVSS 4.0
7.7
EPSS
0.4%
CVE-2026-59832 HIGH This Week

Authenticated path traversal in SiYuan personal knowledge management system (versions prior to 3.7.1) lets a low-privileged user read arbitrary workspace files by abusing the /snippets/*filepath handler. Because serveSnippets in kernel/server/serve.go single-decodes the request path and joins it to the snippets directory without containment or sensitive-file checks, a request like /snippets/%2e%2e/%2e%2e/conf/conf.json returns workspace secrets and the document database. No public exploit identified at time of analysis, though the fixing commit publicly reveals the vulnerable code path.

Path Traversal Siyuan
NVD GitHub
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-47829 HIGH PATCH This Week

Argument injection in bosh-cli versions before v7.10.4 lets a compromised or malicious BOSH Director inject arbitrary OpenSSH command-line options into the ssh process that the CLI spawns locally, achieving code execution on the operator's own workstation. It triggers during non-interactive SSH paths such as bosh ssh -c, bosh logs -f, and similar flows where the CLI builds an ssh command from Director-supplied data. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 7.7 (High).

SSH Code Injection Bosh Cli
NVD VulDB
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-55208 HIGH PATCH This Week

Time-based blind SQL injection in Pimcore Studio Backend Bundle (before 2025.4.6 and 2026.1.6) lets an authenticated low-privilege user read arbitrary database contents, including the administrator password hash, via the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints interpolate the columnFilters key field directly into SQL with manual backtick wrapping, so a backtick breaks out of quoting to append SLEEP()/IF() subqueries. No public exploit identified at time of analysis; not listed in CISA KEV and no EPSS score supplied.

SQLi
NVD GitHub
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-47831 HIGH PATCH This Week

Predictable SSH credential generation in Cloud Foundry's bosh-windows-stemcell-builder (versions prior to v2019.98) lets attackers brute-force the SSH login on TCP/22 because the GenerateRandomPassword function relies on a cryptographically weak random number generator, drastically shrinking the effective password keyspace. Any Windows stemcell built with an affected release ships with a guessable administrative password, so an attacker who can reach port 22 of a deployed VM can recover interactive access and full control. No public exploit code has been identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Information Disclosure Bosh Windows Stemcell Builder
NVD
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-59221 HIGH PATCH This Week

Path traversal in Open WebUI's terminal proxy (versions 0.9.6 through 0.9.x, fixed in 0.10.0) lets an authenticated attacker reach files and resources outside the intended proxy scope. The _sanitize_proxy_path routine in backend/open_webui/routers/terminals.py decoded incoming proxy paths exactly eight times, so a nine-times percent-encoded ../ sequence survived normalization and was decoded a final time by the upstream terminal server, defeating the traversal check. No public exploit or CISA KEV listing exists at time of analysis, but the scope-changing CVSS 3.1 score of 7.7 (S:C/C:H) signals meaningful confidentiality impact on the backend terminal component.

Path Traversal Open Webui
NVD GitHub
CVSS 3.1
7.7
EPSS
0.4%
CVE-2026-59208 HIGH PATCH This Week

Authentication bypass in n8n's external identity resolution lets an attacker impersonate other users when the instance trusts more than one token-exchange issuer. Affecting n8n before 2.27.4 and version 2.28.0, the flaw stems from resolving federated identities using only the JWT sub claim while ignoring the iss claim, so a valid token from one trusted issuer whose sub matches a victim registered under a different issuer grants full access to that victim's account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the authentication-level impact (VC:H/VI:H) makes it a meaningful account-takeover risk for multi-issuer SSO deployments.

Authentication Bypass Microsoft N8n
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.1%
CVE-2026-51603 HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the RTSP service by sending a crafted second SETUP request after a valid RTSP handshake, knocking the camera offline for every client on the network. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP second-stage URL routing parser; publicly available exploit code exists via a GitHub write-up, though no active exploitation is confirmed and the CVSS availability-only impact means it is a crash, not code execution, at time of analysis.

Buffer Overflow Tenda Denial Of Service Stack Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-51604 HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) allows an unauthenticated remote attacker to crash the RTSP service by sending a crafted PLAY request that overflows a fixed-size stack buffer. The flaw is remotely reachable with no authentication or user interaction, but per the description and CVSS the impact is limited to availability loss (device crash/reboot), with no confirmed code execution. A public technical report with reproduction details exists on GitHub; the issue is not listed in CISA KEV and no EPSS score was provided.

Buffer Overflow Tenda Denial Of Service Stack Overflow N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-51605 HIGH This Week

Remote denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.991) allows an unauthenticated attacker on the network to crash the device by sending a specially crafted RTSP TEARDOWN request that overflows a stack buffer. Publicly available exploit code exists via a third-party GitHub write-up, though the flaw affects only availability (no data disclosure or code execution is claimed). No active exploitation has been reported in CISA KEV, and EPSS data was not provided.

Buffer Overflow Tenda Denial Of Service Stack Overflow N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-1989 HIGH This Week

Broken object-level authorization in PAVO Pay (all builds through 09072026) lets remote attackers access other users' resources by substituting user-controlled identifiers (CWE-639, IDOR-class), exposing sensitive financial data with no integrity or availability impact. Reported by Turkey's national CSIRT (TR-CERT) and tracked in the ENISA EUVD, the flaw scores CVSS 7.5 driven entirely by high confidentiality impact over an unauthenticated network path. No public exploit is identified at time of analysis, but the vendor did not respond to coordinated disclosure and no fix has been released, leaving all deployments exposed.

Authentication Bypass Pavo Pay
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-51600 HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker exhaust TCP connection resources by sending RTSP requests (DESCRIBE, SETUP, PLAY) that advertise a Content-Length header but omit the message body, wedging the RTSP parser into a permanent body-awaiting state and leaking the connection. Repeated requests permanently disable the camera's streaming service. SSVC records a public proof-of-concept and rates the attack automatable; publicly available exploit code exists (POC), though it is not listed in CISA KEV, so there is no confirmation of active exploitation.

Tenda Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-51602 HIGH This Week

Denial of service in the RTSP service of Tenda CP3 V3.0 IP cameras (firmware V31.1.9.91) allows an unauthenticated remote attacker on the local network to crash the streaming service with a single crafted SETUP request. Because the second-stage URL routing parser does not validate the URL field length, a request whose URL is exactly four repetitions of a valid RTSP URL overflows a stack buffer and terminates the RTSP process, cutting off all clients. Publicly available exploit code exists (researcher write-up on GitHub); this is not listed in CISA KEV and no active exploitation is confirmed.

Buffer Overflow Tenda Denial Of Service Stack Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59834 HIGH This Week

SQL injection in SiYuan's block-search endpoint (POST /api/search/fullTextSearchBlock) before version 3.7.1 lets an unauthenticated publish-mode visitor read documents they should not see. The endpoint concatenates attacker-controlled `paths` values directly into SQL predicates used by its non-SQL search modes, enabling a UNION SELECT that projects rows from hidden documents by spoofing an allowed visible box and path. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; CVSS is 7.5 reflecting confidentiality-only impact.

SQLi Siyuan
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59720 HIGH PATCH This Week

Unauthorized information disclosure in Hoppscotch prior to 2026.6.0 exposes mock servers linked to private collections to the public internet without authentication. The mock server creation logic in mock-server.service.ts silently drops the caller-supplied isPublic flag, while the Prisma schema defaults isPublic to true, so servers intended to be private are created as public. An unauthenticated remote attacker who reaches the mock endpoint can retrieve sensitive API data (schemas, example payloads, headers) the owner assumed was private; no public exploit was identified at time of analysis and the flaw is not in CISA KEV.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-51606 HIGH This Week

Denial-of-service in the RTSP service of the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets remote unauthenticated attackers abruptly reset the streaming TCP connection by sending an RTSP request with an oversized field value. Rather than replying with an RFC 2326-compliant error, the service tears the connection down with a RST packet, indicating unsafe input handling in the RTSP parser that can disrupt video streaming. A public research report documenting the flaw exists on GitHub, but there is no CISA KEV listing and no confirmed active exploitation.

Tenda Information Disclosure N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-51926 HIGH This Week

An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.

Information Disclosure PHP
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13462 HIGH This Week

Sensitive data exposure in the PayRange Android app (versions 7.0.7 and below) stems from improper TLS certificate validation in the app's embedded webviews, which accept invalid or attacker-controlled certificates. A network-positioned (man-in-the-middle) attacker can therefore decrypt and capture information users submit through those webviews, such as account or payment-related data. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; the CERT/CC advisory (VU#152953) is the primary reference.

Authentication Bypass Google
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-56458 HIGH This Week

Sensitive-information disclosure in HCL DevOps Deploy (formerly UrbanCode Deploy) versions 8.1 through 8.1.2.6 and 8.2 through 8.2.1.0 stems from an overly permissive Cross-Origin Resource Sharing (CORS) policy that fails to restrict allowed origins to trusted domains. Because the application accepts or reflects arbitrary origins, an attacker-controlled web page can issue cross-origin credentialed requests against an authenticated user's session to read protected data and invoke privileged actions. There is no public exploit identified at time of analysis, EPSS is low (0.23%, 13th percentile), and CISA SSVC rates exploitation as none.

Cors Misconfiguration Information Disclosure Hcl Devops Deploy
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-63579 HIGH This Week

Sensitive information disclosure in Kyocera Command Center RX, the embedded web management interface of numerous TASKalfa multifunction printers, allows remote attackers to export the entire device address book without authorization. Because the vulnerability also bypasses the encryption protecting incoming data, encrypted content can be decrypted to reveal stored passwords and other confidential data. Publicly available exploit code exists (GitHub PoC), though there is no evidence of active exploitation in CISA KEV; SSVC rates the flaw as automatable with partial technical impact.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-51601 HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the onboard RTSP service by sending a PLAY request whose Range header carries an over-long clock= value, triggering a stack-based buffer overflow (CWE-121). The flaw affects only availability - a successful attack knocks the camera's video streaming offline until it recovers or is restarted, with no confirmed path to code execution or data disclosure. There is a public research write-up on GitHub, but no active exploitation is recorded in CISA KEV and EPSS rates exploitation likelihood as low (0.19%, 9th percentile).

Buffer Overflow Tenda Stack Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-38076 HIGH This Week

Denial of service in Artifex jbig2dec (JBIG2 decoder, commit cc37d0) lets a remote attacker crash the decoder by supplying a crafted JBIG2 image that triggers an integer overflow in jbig2_arith_iaid_ctx_new(). Impact is availability-only (CVSS 7.5, A:H) with no data exposure or code execution indicated. There is no public exploit identified at time of analysis, though a researcher gist referenced by NVD may contain reproduction material; EPSS is low at 0.17% (6th percentile) and the flaw is not in CISA KEV.

Integer Overflow Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-39246 HIGH This Week

Arbitrary symlink creation in the decompress npm package before 4.2.2 lets an attacker who supplies a crafted archive plant symlinks pointing outside the extraction directory, leading to information disclosure when the host application reads the extracted contents. The flaw stems from a symlink entry's linkname being passed straight to fs.symlink() without validation, while the existing anti-symlink guard only protects regular file entries. No public exploit has been identified at time of analysis, EPSS risk is low (0.17%, 6th percentile), and it is not listed in CISA KEV.

Information Disclosure N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52770 HIGH POC PATCH GHSA This Week

Boolean-based blind SQL injection in YesWiki's public Bazar entry-listing API allows unauthenticated attackers to read arbitrary database contents by abusing numeric query/queries filters. Because numeric field values are escaped with mysqli_real_escape_string but inserted into the SQL statement without quotes or numeric validation, injected boolean expressions (e.g. '100 OR (SELECT COUNT(*) FROM yeswiki_users)>0') are evaluated by the database, turning the public endpoints into a data-exfiltration oracle. A detailed, self-contained proof-of-concept is published in the advisory; a vendor patch (commit f3b0dd0) is available, though the issue is not listed in CISA KEV.

PHP Oracle SQLi Docker
NVD GitHub
CVSS 3.1
7.5
CVE-2026-49485 HIGH PATCH GHSA This Week

Denial-of-service in the HL7 FHIR Core library (ca.uhn.hapi.fhir:org.hl7.fhir.core, all FHIRPathEngine implementations) lets a remote unauthenticated attacker exhaust a CPU core by submitting a FHIR resource whose matches(), matchesFull(), or replaceMatches() FHIRPath function carries a malicious regular expression that triggers catastrophic backtracking. The timeout utility meant to bound regex evaluation cancelled its executor thread but could not actually interrupt the running Pattern/String operation, and three modules invoked evaluation entirely outside that guard. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the ReDoS technique is well understood and trivial to reproduce.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
CVE-2026-59692 HIGH This Week

Denial of service in GStreamer's DTLS plugin allows a remote unauthenticated attacker to crash any application that performs a DTLS handshake (notably WebRTC/webrtcbin pipelines) by presenting a TLS certificate with an oversized Subject Distinguished Name. The Subject DN is written into a fixed 2048-byte stack buffer with no bounds checking (CWE-121), and overflowing it corrupts the stack and terminates the process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; impact is limited to availability (process crash), with no code execution or data exposure claimed.

Buffer Overflow Denial Of Service Stack Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-55424 HIGH PATCH This Week

Stored cross-site scripting in Discourse (before 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5) lets a user with permission to set a topic "featured link" inject JavaScript that executes when the link is rendered in the topic list. Exploitation only succeeds where the platform's default Content Security Policy has been weakened or disabled, so out-of-the-box installs are protected in depth. No public exploit identified at time of analysis, and the issue is not in CISA KEV; official fixed releases are available.

XSS Discourse
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-53987 HIGH PATCH This Week

Stored cross-site scripting in the Tag plugin for GLPI 11 (versions before 2.14.4) allows an authenticated user holding TAG MANAGEMENT create/update rights to persist an HTML/JavaScript payload in a tag name, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to. The flaw stems from PluginTagTag::preKanbanContent() rendering the unsanitized tag name into badge markup without output escaping. No public exploit identified at time of analysis; the issue was reported by VulnCheck and a vendor patch (2.14.4) is available.

XSS Glpi 11
NVD GitHub
CVSS 4.0
7.3
EPSS
0.3%
CVE-2026-8848 HIGH This Week

Remote code execution in the Popup Maker WordPress plugin (all versions through 1.22.0) allows authenticated attackers holding editor-level access or above to install and activate an arbitrary plugin from an attacker-controlled URL, resulting in full server-side code execution. The root cause is a missing authorization check (CWE-862) in the plugin's REST API Connect controller, whose install endpoint treats a bearer token - issued by the legacy v1/connect/info endpoint - as its only non-spoofable authorization gate. Reported by Wordfence; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass WordPress RCE Popup Maker Boost Sales Conversions Optins Subscribers With The Ultimate Wp Popup Builder
NVD VulDB
CVSS 3.1
7.2
EPSS
0.7%
CVE-2026-59721 HIGH PATCH This Week

Command injection in self-hosted Hoppscotch instances prior to 2026.6.0 allows an authenticated administrator to achieve root-level code execution in the backend container. The updateInfraConfigs GraphQL mutation accepts an attacker-controlled MAILER_SMTP_URL whose path, query, or fragment is parsed by nodemailer into sendmail transport options, turning SMTP configuration into arbitrary command execution once the service restarts and sends mail. No public exploit identified at time of analysis, but the flaw is confirmed and patched upstream in release 2026.6.0.

Command Injection
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-15000 HIGH This Week

Stored cross-site scripting in the Connect Contact Form 7 and Mailchimp WordPress plugin (all versions through 0.9.78.06) lets unauthenticated visitors plant JavaScript through Mailchimp merge-field values submitted via a Contact Form 7 form. The payload lies dormant until an Administrator runs a Contact Lookup on the submitted email address, at which point the script executes in the privileged admin session. Reported by Wordfence with a CVSS of 7.2; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Connect Contact Form 7 And Mailchimp
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-33390 HIGH PATCH This Week

Privilege escalation via configuration synchronization in Nozomi Networks Guardian and Central Management Console (CMC) lets an authenticated low-privilege user push administrative CLI commands to managed Arc sensors, because those sensors incorrectly inherit CLI permissions during sync. Successful abuse alters device configuration and can degrade or disable sensor availability, undermining OT/ICS monitoring integrity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; risk is elevated by the network-reachable, low-privilege (PR:L) attack path against a security-critical appliance.

Information Disclosure Guardian Cmc
NVD VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-9253 HIGH This Week

Stored cross-site scripting in the WP Cost Estimation & Payment Forms Builder (E&P Forms) WordPress plugin (Loopus) affects all versions through 10.5.97 and lets unauthenticated attackers persist arbitrary JavaScript via the 'customerInfos' parameter that fires when any user later views the injected page. Reported by Wordfence with a CVSS 3.1 base score of 7.2 (scope-changed), this is a persistent, no-authentication injection primitive rather than a reflected one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not confirmed in the wild.

WordPress XSS Wp Cost Estimation Payment Forms Builder
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-13441 HIGH This Week

Stored cross-site scripting in the EventPrime events plugin for WordPress (versions through 4.3.4.2, by Metagauss) lets low-privileged or, in one configuration, unauthenticated actors persist arbitrary JavaScript through the 'new_event_type_background_color' field of the event-type creation flow. The injected script runs in the browser of any user who later views the affected page, enabling session/context theft in the WordPress front end and admin context. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the finding was reported by Wordfence.

WordPress XSS Eventprime Events Calendar Bookings And Tickets
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-57032 HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low-privileged authenticated attacker crash the Flexible PIC Concentrator (FPC) by subscribing over gRPC to an unsupported telemetry sensor path in the packet forwarding engine. Each crash produces a complete forwarding outage until the module auto-restarts, and the trigger can be repeated for sustained disruption. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low complexity and single low-privilege prerequisite make it operationally easy to trigger.

Juniper Denial Of Service Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-44787 HIGH PATCH This Week

Privilege escalation in Discourse (the open-source discussion platform) lets a newly registered user obtain whisper-group ('whisperer') privileges by supplying a primary_group_id during the signup flow, without ever being a legitimate member of that group. Exploitation only matters on sites that have configured whispers_allowed_groups, and success grants read access to staff-only whisper posts (a confidentiality-focused impact). EPSS is low (0.31%, 23rd percentile) and there is no public exploit identified at time of analysis, but the fix commits and GitHub advisory GHSA-vmwq-jvxx-jwfx confirm the flaw and its remediation.

Privilege Escalation Discourse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-59209 HIGH PATCH This Week

Credential disclosure in n8n workflow automation (versions prior to 1.123.61, 2.27.4, and 2.28.1) allows an authenticated member holding use-only editor access to a shared workflow to read credential-populated HTTP headers via the $request object inside an HTTP Request node's pagination expression, then exfiltrate the secret through returned item data. This defeats n8n's credential-hiding model, which is supposed to prevent low-privilege collaborators from seeing the underlying secret values. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the EPSS/POC signals were not provided.

Information Disclosure N8n
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-33801 HIGH PATCH This Week

Remote denial-of-service in Juniper Networks Junos OS and Junos OS Evolved 25.2 (before 25.2R2 / 25.2R2-EVO) lets an adjacent, unauthenticated BGP peer crash the routing protocol daemon (RPD) by sending a single malformed non-inet/inet6 unicast BGP update over an already-established session. The RPD crash-and-restart produces a full routing outage until reconvergence completes, though the crash occurs before the update is readvertised so there is no downstream propagation to other routers. CVSS 4.0 base score is 7.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Juniper Denial Of Service Junos Junos Os Evolved
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-33800 HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine of Juniper Junos OS on MX Series routers allows an unauthenticated, network-adjacent attacker to crash and restart the FPC by continuously flapping Micro-BFD sessions. The PFEMAN process queues each up/down event and, in a Virtual-Chassis deployment with locality-bias enabled, processing is slow enough that a sustained flap backlog prevents completion and trips the PFEMAN watchdog timer, forcing an FPC restart and a full traffic outage. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the low complexity and unauthenticated adjacent vector make it a credible availability threat to affected line cards (MPC9 and below).

Juniper Denial Of Service
NVD
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57027 HIGH PATCH This Week

Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker to exhaust packet-forwarding-engine memory and crash the Flexible PIC Concentrator (FPC). The flaw triggers only when sFlow monitoring is enabled in a Virtual Chassis and multicast traffic ingresses on one VC member and egresses on another, causing a slow buffer leak that culminates in an FPC crash and restart. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability risk for affected deployments.

Juniper Denial Of Service Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57020 HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2) attacker to saturate data-center links by injecting IPv6 multicast traffic in an EVPN-VxLAN fabric. When such packets reach a non-IRB interface of a spine switch, the packet-forwarding engine floods them to other spines and all ESI leaf switches, creating an endless forwarding loop that starves legitimate traffic. No public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 7.1.

Juniper Information Disclosure Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57019 HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauthenticated, Layer-2 adjacent attacker crash a line card by sending a single crafted packet within the same broadcast domain. The affected system miscalculates the packet size (CWE-1284, improper validation of specified quantity in input), which fails downstream processing and raises an MQSS major CMError that forces an automatic FPC reset, interrupting all traffic on that FPC until it recovers. Only deployments handling MAP-T or non-IP-over-IP traffic (e.g. MPLS over GRE) are exposed; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Juniper Buffer Overflow Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-59219 HIGH PATCH This Week

Session revocation bypass in Open WebUI 0.9.0 through 0.9.x (deployments configured with Redis) lets a holder of a revoked JWT keep authenticating realtime Socket.IO connections. The flaw stems from first-message authentication for Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket calling decode_token without the Redis-backed is_valid_token revocation check, so logout, forced-logout, or token invalidation does not sever active realtime access. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the fix is version 0.10.0.

Redis Information Disclosure Open Webui
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-55212 HIGH PATCH This Week

Broken authorization in Pimcore's Studio API lets a standard editor-level user create class definitions without administrative rights, because the POST /pimcore-studio/api/class/definition/configuration-view/detail/create endpoint checks the 'objects' permission rather than the 'classes' permission. Because class-definition creation writes new database tables and PHP class files to the server, this permission gap grants low-privileged users significant control over the application's data model and codebase, and absent API-layer UID validation malformed UIDs reach model-layer validation and surface internal exceptions. No public exploit identified at time of analysis; the flaw is fixed in 2025.4.6 and 2026.1.6.

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-41857 HIGH PATCH This Week

Arbitrary command execution on operator workstations in Cloud Foundry BOSH CLI before 7.10.5 allows a compromised or malicious BOSH Director to inject and run shell commands locally when an operator invokes bosh ssh, bosh scp, or bosh logs -f with default flags. Because the CLI trusts director-supplied data and passes it into a shell, a controlled director turns a routine operator action into local code execution on the trusted management host. No public exploit identified at time of analysis; not listed in CISA KEV, though the reference blog by Cloud Foundry (originally reported by VMware) confirms the flaw and a fixed release.

Bosh Cli Command Injection
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-59206 HIGH PATCH This Week

Privilege escalation via prototype pollution in n8n workflow automation lets an authenticated low-privilege user (holding the default workflow:create permission) corrupt Object.prototype through a crafted workflow saved, updated, or imported via the workflow API. Once polluted, subsequent unauthenticated requests are evaluated as a privileged user, exposing internal user and project listing endpoints. This is an information-disclosure and access-control flaw with no public exploit identified at time of analysis; CVSS 4.0 base score is 7.1.

Information Disclosure Prototype Pollution N8n
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-59207 HIGH PATCH This Week

Credential secret exfiltration in n8n (self-hosted workflow automation) prior to 2.27.4 and 2.28.1 lets a low-privilege member with use-only access to a shared credential leak that secret to an attacker-controlled server. The AI Agents feature fails to enforce the 'Allowed HTTP Request Domains' restriction when an MCP tool is aimed at an arbitrary URL, so the guardrail meant to keep secrets in-bounds is bypassed. No public exploit identified at time of analysis; risk is elevated because the abuse comes from an already-authorized internal user rather than an outside attacker.

Information Disclosure N8n
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-54798 HIGH This Week

Denial of service in Siemens CPCI85 Central Processing/Communication firmware and SICORE Base System (all versions before V26.20 / V26.20.0) allows an authenticated attacker to crash the device's web process via a leftover debugging interface exposed on HTTP endpoints. The flaw stems from active debug code shipped in production firmware and affects only availability, not data confidentiality or integrity. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service Cpci85 Central Processing Communication Sicore Base System
NVD VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-59691 HIGH This Week

Heap buffer overflow in GStreamer's rfbsrc (RFB/VNC source) plugin lets a malicious VNC server crash or corrupt the memory of any client that connects to it. When the server advertises a 16bpp framebuffer and sends Hextile-encoded updates, the background-fill path writes 32-bit pixels into a 16-bit buffer, producing an out-of-bounds heap write. No public exploit identified at time of analysis; the primary confirmed impact is denial of service, with potential for further memory corruption. This is a client-side flaw requiring the victim to connect to attacker-controlled infrastructure.

Memory Corruption Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-14372 HIGH This Week

Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. Reported by Wordfence with a CVSS of 7.1; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Path Traversal RCE Bit Form Contact Form Payment Forms Multi Step Forms Calculator Custom Form Builder
NVD
CVSS 3.1
7.1
EPSS
0.7%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy