Skip to main content
CVE-2026-39245 MEDIUM This Month

Directory traversal and arbitrary file write in the decompress npm package (versions before 4.2.2) stem from a prefix-confusion flaw in path boundary validation using String.indexOf() at two locations in index.js. An attacker supplying a crafted archive can write files to filesystem directories adjacent to the intended extraction target - for example, escaping /tmp/app into /tmp/app_config - bypassing both the safeMakeDir function and the extraction path validation. This is a confirmed bypass of the prior fix for CVE-2020-12265; no public exploit has been identified at time of analysis and EPSS is low at 0.26% (17th percentile), though the integrity impact is rated high by CVSS.

Path Traversal N A
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.3%
CVE-2026-0286 MEDIUM PATCH This Month

Command injection in the Palo Alto Networks PAN-OS management plane allows an authenticated administrator to execute arbitrary OS commands with root privileges on PA-Series, VM-Series, and Panorama appliances. The vulnerability is classified CWE-78 and is reachable via the network-accessible management interface, though the requirement for administrator-level credentials substantially constrains the attacker pool. No public exploit code has been identified at time of analysis, and no active exploitation has been confirmed by CISA KEV.

Command Injection Paloalto Pan Os
NVD VulDB
CVSS 4.0
6.0
EPSS
1.1%
CVE-2026-47646 MEDIUM PATCH NO ACTION HOSTED Monitor

Cross-site scripting in Microsoft Dynamics 365 Customer Voice allows a remote, unauthenticated attacker to inject script that executes in a victim's browser session and perform spoofing once the victim interacts with attacker-supplied content. The flaw carries a CVSS 9.3 rating driven largely by a scope change (S:C), meaning injected script escapes into a different security context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Dynamics 365 Customer Voice
NVD VulDB
CVSS 3.1
6.1
EPSS
0.5%
CVE-2026-5793 MEDIUM This Month

Reflected cross-site scripting in BiEticaret, a Turkish e-commerce platform by Inrove Software and Internet Services, enables remote unauthenticated attackers to inject and execute malicious JavaScript in victims' browsers by tricking them into clicking a crafted URL. All versions prior to v3.3.57 are affected across the full product line. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the low attack complexity and absence of authentication requirements make this straightforward to exploit once a target is socially engineered.

XSS Bieticaret
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-13334 MEDIUM This Month

Reflected Cross-Site Scripting in the Mang Board WP WordPress plugin (all versions through 2.3.4) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'stag' parameter, which executes in the browser of any user who clicks a crafted link. Wordfence's source-level analysis identifies the flaw spanning multiple plugin files including _header.php, func.board.php, and class.store.php. No active exploitation has been identified (not in CISA KEV) and no EPSS score was provided, but the PR:N/UI:R profile makes this a viable phishing-assisted attack against WordPress site administrators and editors.

WordPress XSS Mang Board Wp
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-52773 MEDIUM POC PATCH GHSA This Month

Reflected XSS in YesWiki doryphore 4.6.5 allows an attacker to execute arbitrary JavaScript in a victim's browser by exploiting unescaped output of the `time` GET parameter in the archived-revision edit form at `handlers/page/show.php`. A working proof-of-concept has been published by the reporter and confirmed against the official package; the attack exploits MySQL's DATETIME coercion to accept a malformed timestamp that begins with a real archived revision value yet appends injected markup, causing the archived-revision branch to render and reflect the payload unescaped. No active exploitation has been confirmed by CISA KEV, but the detailed PoC lowers the barrier to weaponization.

XSS Information Disclosure RCE PHP
NVD GitHub
CVSS 3.1
6.1
CVE-2026-58307 MEDIUM PATCH This Month

Out-of-bounds read and reachable assertion vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause a denial of service and limited data manipulation by supplying crafted JavaScript input. All versions prior to commit 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c are affected, with the primary real-world impact being an availability loss (crash) and low-confidence integrity effect. No public exploit code or CISA KEV listing has been identified at time of analysis.

Samsung Buffer Overflow Information Disclosure Escargot
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58306 MEDIUM This Month

Heap-based buffer overflow in Samsung's open-source Escargot JavaScript engine corrupts heap memory when processing maliciously crafted input, leading to a high-severity availability impact and a limited integrity impact. The vulnerability affects all Escargot releases before commit ef525f337fafddecde77a3c426212a84bb20cb98, targeting embedded and IoT contexts where the engine is deployed - most notably Samsung TV appliances. No public exploit identified at time of analysis, and no CISA KEV listing, but the local-vector, low-complexity nature of heap overflows makes this reliably triggerable once an attacker can supply crafted input to the engine.

Heap Overflow Samsung Buffer Overflow Escargot
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58305 MEDIUM PATCH This Month

Type confusion (CWE-843) in Samsung's open-source Escargot JavaScript engine enables pointer manipulation, leading to high-impact availability disruption and limited integrity compromise when processing malicious JavaScript. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with particular relevance to Samsung embedded and smart appliance ecosystems where this engine is deployed. No public exploit has been identified at time of analysis, and an upstream fix is available via GitHub PR #1580, though a formally versioned release has not been independently confirmed.

Memory Corruption Samsung Information Disclosure Escargot
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58304 MEDIUM PATCH This Month

Out-of-bounds read and write vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause memory corruption leading to high availability impact and limited integrity compromise. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with the engine's primary deployment in Samsung TV appliance and IoT platforms. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the CVSS-assigned high availability impact and the buffer overflow primitive make crash-based denial-of-service the primary realistic threat.

Samsung Buffer Overflow Information Disclosure Escargot
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58303 MEDIUM This Month

Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corrupt stack memory by supplying malicious JavaScript input, requiring user interaction to trigger. All Escargot releases prior to commit b30b63fc63b403907d8137da1c65aaa4521fe74e are affected, with impacts including high availability loss and limited integrity compromise. No public exploit identified at time of analysis and this vulnerability has not been added to CISA KEV, though the local-vector, user-interaction requirement meaningfully constrains real-world exploitation surface.

Buffer Overflow Samsung Stack Overflow Escargot
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-59222 MEDIUM PATCH This Month

{id}/members endpoint returns full UserModelResponse objects, inadvertently exposing toolServers API keys and webhook configuration belonging to other channel members. No public exploit is identified at time of analysis, but the low exploitation complexity and high value of the exposed credentials (tool server keys enable lateral access to integrated AI tooling infrastructure) elevate practical risk above what the 6.0 CVSS score alone suggests.

Information Disclosure Open Webui
NVD GitHub
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-57029 MEDIUM PATCH This Month

Traffic forwarding on Juniper QFX Series switches running Junos OS Evolved can be fully disrupted by an adjacent, unauthenticated attacker exploiting a race condition in the sFlow collector handler. When sFlow collector reachability changes trigger a next-hop entry update concurrently with the sFlow thread reading that same next-hop data, the evo-pfemand process crashes and all packet forwarding halts until the process automatically restarts. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis, but the availability impact is severe for any network segment relying on the affected switch.

Juniper Denial Of Service Junos Os Evolved
NVD VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-49837 MEDIUM POC PATCH GHSA This Month

Boundary validation failure in GoBGP's BGP OPEN capability parser allows a remote peer to send a malformed OPEN message that causes concrete capability decoders to read beyond the declared CapLen field, enabling attacker-controlled bytes to be interpreted as capability values - most critically, as a 4-octet AS number that influences peer AS validation and BGP session establishment decisions. Affected is GoBGP v4 (pkg:go/github.com_osrg_gobgp_v4), with the 4-octet AS capability (code 65) identified as the highest-impact case. A parser-level proof-of-concept is publicly described in GitHub Security Advisory GHSA-gjrg-jjr3-56cm; no active exploitation has been confirmed and this CVE does not appear in the CISA KEV catalog. IMPORTANT METADATA CONFLICT: The provided intelligence tags label this as 'RCE, Buffer Overflow, Information Disclosure' - all three directly contradict the CVE description, which explicitly states the issue is not arbitrary memory corruption, remote code execution, or information disclosure; security teams must disregard those tags.

RCE Buffer Overflow Information Disclosure
NVD GitHub
CVSS 3.1
5.9
CVE-2026-49834 MEDIUM PATCH GHSA This Month

Threshold counting logic in sigstore-go's multi-log verification policy is bypassable by a single compromised transparency or CT log. When a verifier is configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1), the intended defense-in-depth - requiring N distinct log authorities to independently vouch for an artifact - fails because counts accumulate per-entry or per-validation-path rather than per-log-authority. An attacker controlling one compromised Rekor transparency log or CT log can forge multiple entries with distinct indices, or present multiple embedded SCTs across certificate chains, artificially satisfying an N-count threshold with a single compromised source. No public exploit has been identified at time of analysis, and EPSS data is not available in the provided intelligence.

Information Disclosure
NVD GitHub
CVSS 3.1
5.9
CVE-2026-12879 MEDIUM PATCH This Month

Cross-tenant data exfiltration in Google Cloud Apigee (versions prior to 2026-06-12) is possible via improper input validation in the BigQuery Data Access Object (DAO) component. An authenticated attacker with high-privilege access can craft requests that bypass tenant isolation boundaries, accessing confidential data belonging to other Apigee tenants on Google Cloud Platform. Google patched this server-side on June 12, 2026 with no customer action required; no public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Google Apigee
NVD
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-12590 MEDIUM PATCH This Month

Denial of service in body-parser npm middleware allows unauthenticated remote attackers to submit arbitrarily large HTTP request bodies when the package is misconfigured with an invalid `limit` option value. Affected versions span both the 1.x line (prior to 1.20.6) and 2.x line (prior to 2.3.0). The silent misconfiguration failure bypasses all payload size enforcement, enabling an attacker to exhaust server memory and CPU through oversized request flooding - though exploitation requires the specific precondition of an invalid limit setting, reflected accurately in the low CVSS score of 3.7. No public exploit or CISA KEV listing exists at time of analysis.

Denial Of Service Body Parser
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-0278 MEDIUM PATCH This Month

Multiple protection mechanism failures in the Data Loss Prevention (DLP) component of Palo Alto Networks Prisma Access Agent for Windows enable a local authenticated user to bypass DLP policy enforcement controls. Only the Windows platform is affected; the Prisma Access Agent for macOS is explicitly excluded per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis, though the CVSS 4.0 supplemental urgency rating of Amber and high confidentiality/integrity impact on the vulnerable system make this a meaningful insider threat risk.

Authentication Bypass Apple Microsoft Prisma Access Agent
NVD VulDB
CVSS 4.0
5.8
EPSS
0.2%
CVE-2026-31267 MEDIUM This Month

Stack-based buffer overflow in the Mercusys MW302R (EU) V1 1.4.10 Build 231023 administrative web interface allows an authenticated attacker with administrative access on the same network segment to crash the device by sending a specially crafted HTTP request. The crash results from control flow being redirected to an arbitrary instruction address - a classic CWE-121 stack overflow pattern that produces denial of service. No public exploit is confirmed in CISA KEV, though a researcher GitHub gist (BarrYPL/13dcd071673866cbbfaaa05085b98cf3) appears to document the finding and may constitute a proof-of-concept write-up. EPSS probability is very low at 0.16% (6th percentile), consistent with a niche consumer router model.

Buffer Overflow Denial Of Service Stack Overflow
NVD GitHub
CVSS 3.1
5.7
EPSS
0.2%
CVE-2026-0277 MEDIUM PATCH This Month

Improper certificate validation in the Palo Alto Networks Prisma Access Agent for iOS exposes VPN tunnel traffic to interception and manipulation by a network-adjacent attacker. The flaw (CWE-295) enables a man-in-the-middle position to defeat the agent's TLS/certificate trust chain, allowing an adversary to read or alter traffic that the iOS client believes is securely tunneled. Exploitation is limited to iOS deployments - the Windows, macOS, Linux, Android, and ChromeOS agents are confirmed unaffected. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Apple Microsoft Google Prisma Access Agent
NVD
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-59857 MEDIUM PATCH This Month

Stack buffer overflow in Vim's SAL sound-folding spell engine prior to version 9.2.0725 crashes the editor by writing a null byte one position past the end of a MAXWLEN-element stack buffer in spell_soundfold_sal(). Exploitation requires a user to open Vim with a SAL-based spell file active under a non-multibyte 8-bit encoding and trigger sound-based spell suggestions on a boundary-length word, corrupting the eval_soundfold() stack frame. No public exploit has been identified at time of analysis, and the impact is limited to availability (editor crash) with no confidentiality or integrity consequences.

Memory Corruption Buffer Overflow Vim
NVD GitHub VulDB
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-15204 MEDIUM This Month

Path traversal in the TOTOLINK X5000R router's OpenVPN Export CGI handler exposes arbitrary router filesystem files to remote unauthenticated attackers. The `exportOvpn` function within `/web/cgi-bin/cstecgi.cgi` fails to sanitize user-controlled path input, allowing directory traversal sequences to escape the intended export directory. A public proof-of-concept exists (GitHub: meishigana/CVE, referenced 2026-06-09), and the CVSS 4.0 supplemental metric E:P confirms exploit code is available, elevating practical risk beyond the moderate 5.5 base score.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-15135 MEDIUM This Month

SQL injection in code-projects Online Food Order System 1.0 exposes the `/edit_food_items.php` endpoint to unauthenticated remote database manipulation via the `update` parameter. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this is remotely exploitable without authentication or special conditions, with limited but confirmed impact across confidentiality, integrity, and availability. A public exploit has been released (E:P), making opportunistic targeting realistic despite the niche deployment footprint; no patch or vendor advisory has been identified.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15134 MEDIUM This Month

SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the backend database to unauthenticated remote attackers through the `email` parameter at `/SimpleOnlineLeave/index.php`. Manipulation of this parameter allows an attacker to alter SQL query logic, enabling authentication bypass, database enumeration, and data modification without any credentials or user interaction. A public proof-of-concept exploit has been disclosed via GitHub, significantly lowering the skill barrier for exploitation; the vulnerability is not currently listed in the CISA KEV catalog.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-39243 MEDIUM This Month

Arbitrary hardlink creation in the decompress npm package (before version 4.2.2) enables read disclosure and overwrite of any file accessible on the same filesystem as the extraction directory. When a victim extracts an attacker-crafted archive, the library passes the hardlink target path (x.linkname) directly to Node.js fs.link() without any path sanitization, allowing a hardlink inside the extraction directory to point at any file the process has access to. No CISA KEV listing exists and EPSS stands at 0.17% (7th percentile), reflecting low observed exploitation; however, the provided CVSS I:N metric conflicts with the description's explicit mention of file-overwrite capability, and in automated CI/CD pipelines the user-interaction barrier is effectively eliminated.

Information Disclosure N A
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-56459 MEDIUM This Month

Sensitive information disclosure in HCL DevOps Deploy / HCL Launch exposes credentials or operational data stored in application log files to any local user who can read those files. Affected across four major release branches (7.3, 8.0, 8.1, and 8.2), the vulnerability stems from CWE-532, where the application writes sensitive material into logs without adequate sanitization or access restriction. No public exploit code has been identified at time of analysis, and the flaw is not listed in the CISA KEV catalog, but the high confidentiality impact (C:H) and zero-privilege local access condition elevate real-world concern in multi-tenant or shared-host deployments.

Information Disclosure Hcl Devops Deploy Hcl Launch
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52772 MEDIUM POC PATCH GHSA This Month

Stored XSS in YesWiki's Bazar form module allows a privileged form editor to inject persistent script payloads into field label and hint fields, which execute in the browser context of every subsequent visitor - including unauthenticated guests - who renders an affected form. The vulnerability is a sibling class of an incomplete fix at commit e6b66aa: that commit removed the dangerous |raw('html') filter from two Twig template call sites but left eleven additional sites in range.twig, email.twig, layouts/input.twig, layouts/field.twig, textarea.twig, user.twig, bookmarklet.twig, subscribe.twig, and linked-entry.twig still suppressing Twig's HTML auto-escaping. No active exploitation is confirmed in CISA KEV, but a detailed proof-of-concept with exact payloads, rendered HTML output, and affected line numbers is included in GitHub Security Advisory GHSA-xc7j-3g8q-9vh4, and patch commit 5d1a4d07 is publicly available.

XSS CSRF PHP
NVD GitHub
CVSS 3.1
5.5
CVE-2026-58198 MEDIUM PATCH This Month

Symlink-based extraction redirect in ChatterBot prior to 1.2.14 enables a local attacker with standard user privileges to cause training corpus archive contents to be written to an attacker-controlled directory by pre-planting a symlink at the predictable path ~/ubuntu_data/ubuntu_dialogs before UbuntuCorpusTrainer.extract() runs. The check-then-create pattern preceding tar.extractall() creates a CWE-367 TOCTOU window that, on shared multi-user systems, allows the attacker to intercept the extraction target without any race if the symlink is planted before the first training run. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 1.2.14.

Information Disclosure Chatterbot
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15192 MEDIUM This Month

Missing authentication on APIv1 webhook endpoints in sendportal up to 3.0.1 permits remote unauthenticated actors to invoke webhook handlers for SendGrid, Postmark, Postal, and Mailjet without any credential verification. The flaw enables integrity and availability manipulation of email processing pipelines from any network location. A publicly disclosed exploit exists per VulDB submission 851624; no vendor patch has been released and the maintainer has not responded to the responsible disclosure report.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.6%
CVE-2026-59212 MEDIUM PATCH This Month

Incorrect authorization in Open WebUI versions 0.9.6 through 0.9.x allows authenticated users with read-only knowledge file access to escalate their privileges to file write or delete operations. The root cause is that `_verify_knowledge_file_access` validated only read permissions, while write and delete routes independently trusted access derived from writable model `meta.knowledge` entries - creating a logical gap where the authorization check and the actual enforcement were misaligned. No public exploit or CISA KEV listing is identified at time of analysis; this is a medium-severity, authenticated-only issue fixed in v0.10.0.

Authentication Bypass Open Webui
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-53962 MEDIUM PATCH This Month

Stored cross-site scripting in Discourse's SVG upload and user avatar handling allows authenticated users to inject malicious JavaScript that executes in victims' browsers when they visit specific non-standard URLs. The CVSS scope change (S:C) reflects that successful exploitation crosses the browser security boundary, enabling session token theft or account takeover against victims who visit the triggering URL. Vendor-confirmed patches are available across four release branches; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Discourse
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-59227 MEDIUM PATCH This Month

Open WebUI versions 0.8.11 through 0.10.0 expose a missing-authorization flaw (CWE-862) on the POST /api/v1/images/edit endpoint, allowing any verified non-admin account to invoke server-side image editing even when administrators have disabled the global image-edit switch or revoked per-user image-generation permissions. The bypass enables unprivileged users to consume admin-configured third-party image provider credentials - exhausting API quotas or generating unauthorized images - undermining deliberate access controls set by the platform operator. No public exploit has been identified at time of analysis; a vendor-confirmed fix is available in version 0.10.0.

Authentication Bypass Open Webui
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-53956 MEDIUM PATCH GHSA This Month

Path traversal in rattler_cache and py-rattler exposes the victim's filesystem to out-of-bounds file writes when package metadata from an untrusted conda channel contains path separators or directory traversal sequences in the build string. Users who install packages from a malicious channel trigger cache materialization logic that joins the unsanitized build string into a filesystem path, allowing package contents to land outside the configured cache directory. No public exploit has been identified and no CISA KEV listing exists; exploitation requires deliberate use of an untrusted channel (CVSS UI:R), meaningfully limiting real-world exposure.

Path Traversal
NVD GitHub
CVSS 3.1
5.4
CVE-2026-5005 MEDIUM PATCH This Month

Stored XSS in Twiser OKRs & Goals (builds 28220 through pre-28398) allows authenticated low-privileged users to inject persistent malicious scripts that execute in other authenticated users' browsers. The CVSS scope change (S:C) confirms cross-user impact - a hallmark of stored XSS where one user's injected payload affects others who subsequently view the same content. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this firmly in standard patch-cycle priority.

XSS Okrs Goals
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-55605 MEDIUM PATCH This Month

Unauthenticated access to the self-hosted HTTP transport of DeepSeek MCP Server (versions 1.4.2-1.7.x) allows any network-reachable client to initialize a valid MCP session, enumerate server tools, and invoke them without credentials - including `deepseek_chat`, which silently consumes the server operator's `DEEPSEEK_API_KEY`. Default Docker deployments expose port 3000 in HTTP mode out of the box, maximizing the attack surface for any container running on a network-accessible host. No public exploit has been identified at time of analysis, though the GitHub advisory references reproduced testing confirming the full bypass against commit `5e1302171e99`.

Authentication Bypass Docker Deepseek Mcp Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-13450 MEDIUM This Month

Unauthenticated information disclosure in the GamiPress WordPress plugin (all versions through 7.9.4) allows any site visitor to read private activity log entries belonging to arbitrary users, including badge earnings, points balance changes, WooCommerce purchase events, LearnDash course completions, and BuddyPress activity records. The IDOR flaw in the 'access' parameter is rendered trivially exploitable because the sole authentication gate - a gamipress nonce - is deliberately broadcast to every front-end visitor via wp_localize_script, meaning no credential or privilege is required beyond loading any page on the target site. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the near-zero exploitation complexity makes it a practical mass-exploitation candidate against any unpatched deployment.

Authentication Bypass WordPress Gamipress Gamification Plugin To Reward Points Achievements Badges Ranks In Wordpress
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-33799 MEDIUM PATCH This Month

Memory exhaustion in Juniper Networks Junos OS and Junos OS Evolved snmpd allows an authenticated network attacker to crash SNMP monitoring by sending specific valid SNMPv3 queries that trigger an out-of-bounds write and progressive memory leak. The snmpd process will exhaust available memory over time, crash, and restart, rendering SNMP-based network monitoring unavailable for the duration of each crash cycle. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV; however, the CVSS 4.0 supplemental metric AU:Y indicates the attack is automatable.

Memory Corruption Juniper Buffer Overflow Junos Junos Os Evolved
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-12406 MEDIUM This Month

Authorization bypass in the WP User Frontend (WPUF) WordPress plugin through version 4.3.7 allows unauthenticated visitors to delete guest-uploaded media attachments via the wpuf_file_del AJAX action. The plugin's sole access control gate - a WordPress nonce - is self-defeated: when any WPUF shortcode is rendered on a public front-end page, the nonce value is localized into publicly readable JavaScript objects (wpuf_upload and wpuf_frontend), making it trivially extractable by any browser visitor. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified, but the zero-authentication, low-complexity attack path makes this trivially reproducible from plugin source code alone.

Authentication Bypass WordPress User Frontend
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-59828 MEDIUM PATCH This Month

Discourse's post revision system exposes hidden edit history to unauthenticated network users through a serialization flaw in PostRevisionSerializer. When computing diffs between adjacent visible revisions, the serializer failed to enforce visibility restrictions, leaking content from revisions that moderators or administrators had marked as hidden. No active exploitation has been identified at time of analysis, but the unauthenticated, low-complexity attack vector means any visitor to a vulnerable Discourse instance can potentially access suppressed post content - including moderator-redacted material - without any credentials or special access.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-7558 MEDIUM This Month

Unauthenticated export of sensitive WooCommerce donation records is possible in the Token of Trust WordPress plugin through version 4.0.2 due to a missing capability check on a publicly accessible export function. Any unauthenticated visitor can retrieve a CSV file containing charitable donor order dates, order IDs, donation amounts, and admin-only order edit URLs by appending a single GET parameter to any page on the affected site. No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but the trivial exploitation mechanism - requiring only a browser and a known URL parameter - means low-skill attackers can exploit it at scale.

Authentication Bypass WordPress Age Verification Identity Verification By Token Of Trust
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-59817 MEDIUM PATCH This Month

Ghost CMS versions 6.27.0 through 6.43.x permit unauthenticated attackers to manipulate donation checkout metadata, enabling acquisition of full paid gift memberships for a minimal payment. The flaw, classified as CWE-472 (External Control of Assumed-Immutable Web Parameter), stems from the server trusting client-controlled parameters in the public-facing checkout flow that should be server-authoritative. No active exploitation is confirmed (not in CISA KEV) and no public exploit has been identified; the vendor released a fix in version 6.44.0.

Node.js Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-59218 MEDIUM PATCH This Month

Timing-based account enumeration in Open WebUI prior to 0.10.0 exposes whether any given email address is registered on a self-hosted AI instance. The /api/v1/auths/signin endpoint only invokes bcrypt password verification when a matching email record exists, making registered-account login attempts measurably slower than attempts against unregistered emails - a classic CWE-208 timing oracle. Unauthenticated remote attackers can exploit this discrepancy at scale to harvest valid account emails, which can then fuel credential stuffing or targeted phishing. No public exploit code or CISA KEV listing has been identified, and the vendor has released a fix in v0.10.0.

Information Disclosure Open Webui
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-12418 MEDIUM This Month

Unauthenticated content tampering in the WP User Frontend WordPress plugin (all versions through 4.3.7) allows any visitor to overwrite the title, body, and excerpt of any post on the site, including posts authored by administrators. The flaw stems from the wpuf_submit_post AJAX action accepting a user-controlled post reference key in the wpuf_files_data parameter without validating whether the requesting user is authorized to edit the target post - a textbook CWE-639 authorization-through-user-controlled-key failure. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires no authentication and no special configuration beyond the plugin being installed with at least one public-facing submission form.

Authentication Bypass WordPress User Frontend
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57031 MEDIUM PATCH This Month

Ingress firewall filter bypass in Juniper Networks Junos OS on MX Series hardware (MPC10/11, LC4800/9600/4802, MX304) allows adjacent subscribers on static interfaces to evade configured protocol-level access controls and upstream bandwidth limitations. The Packet Forwarding Engine (PFE) fails to enforce ingress filters for these subscriber configurations, meaning neither protocol restrictions nor rate-limiting policies take effect. No public exploit code has been identified and the vulnerability is absent from CISA KEV, though the CVSS 4.0 AU:Y (Automatable) supplemental metric indicates exploitation could be scripted at scale against affected broadband aggregation deployments.

Authentication Bypass Juniper Junos Os
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-31982 MEDIUM PATCH This Month

Open Redirect via SAML SSO cache poisoning in Nozomi Networks Guardian and CMC allows unauthenticated remote attackers to corrupt the server-side redirect cache for all users by submitting a crafted request to the SAML sign-in endpoint with a malicious redirection parameter. Victims who subsequently initiate SAML Single Sign-On are transparently redirected to attacker-controlled infrastructure, enabling phishing and credential theft. The flaw additionally disrupts legitimate SAML authentication for affected users, introducing an availability dimension beyond the typical Open Redirect threat model. No active exploitation (KEV) or public exploit code has been identified at time of analysis.

Open Redirect Guardian Cmc
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-15189 MEDIUM This Month

Server-side request forgery in aerostackdev aerostack-mcp's mcp-whatsapp component allows authenticated remote attackers to manipulate the `media_url` argument of the `upload_media` function, causing the server to issue arbitrary outbound HTTP requests on the attacker's behalf. Affected installations span all commits up to 6315dfde7df0a15aaf743f88d91347115e09ba23 with no vendor patch available and no maintainer response to the disclosure. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

SSRF Aerostack Mcp
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-61474 MEDIUM PATCH This Month

MISP's attribute creation endpoint contains an authorization bypass allowing authenticated users with attribute-creation permissions to associate attributes with sharing groups they are not authorized to access. The flaw arises because the sharing group permission check was gated exclusively on the distribution field being set to 4 (sharing group mode), meaning a user could submit any non-empty sharing_group_id with a different distribution value and bypass the check entirely. No public exploit has been identified at time of analysis; a vendor patch is available via a confirmed GitHub commit.

Authentication Bypass Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-50554 MEDIUM POC PATCH GHSA This Month

{bookID}/notes carries no authentication middleware, and supplying ?deleted=true causes the service to invoke GORM's Unscoped() while retaining the is_public=true authorization branch, allowing any network-accessible actor to retrieve titles, slugs, and timestamps of notes an owner deliberately deleted from a public book. No active exploitation is confirmed (not listed in CISA KEV), though a fully functional proof of concept is embedded in the vendor advisory, and exploitation requires only a single crafted HTTP GET request.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
CVE-2026-9021 MEDIUM This Month

Unauthenticated remote manipulation of published business quotes is possible in the Easy Invoice WordPress plugin (versions up to and including 2.1.19) due to missing authorization on AJAX endpoints. The plugin registers quote acceptance and decline actions via wp_ajax_nopriv_ hooks - making them reachable without credentials - while the only gate is a per-quote nonce that is embedded directly in the publicly viewable single-quote template. The ownership restriction that would prevent non-owners from acting on quotes is controlled by an off-by-default Pro feature flag, meaning the overwhelming majority of free-tier deployments are fully exposed to arbitrary quote status manipulation, including automatic invoice generation and client email dispatch. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass WordPress Easy Invoice Invoice Generator Pdf Quotes Payments
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-9028 MEDIUM This Month

Unauthenticated order cancellation in CorvusPay WooCommerce Payment Gateway (all versions up to and including 2.7.4) allows any remote attacker to cancel any WooCommerce order paid via CorvusPay by supplying an arbitrary order number to the /wp-json/corvuspay/cancel/ REST API endpoint. The plugin registers this cancel endpoint without implementing a WordPress permission callback, meaning no authorization is verified before processing cancellation requests (CWE-862). No public exploit code and no active exploitation via CISA KEV have been identified at time of analysis, though the attack requires no credentials and minimal technical skill.

Authentication Bypass WordPress Corvuspay Woocommerce Payment Gateway
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy