Skip to main content
CVE-2026-51926 HIGH This Week

An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.

Information Disclosure PHP
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13462 HIGH This Week

Sensitive data exposure in the PayRange Android app (versions 7.0.7 and below) stems from improper TLS certificate validation in the app's embedded webviews, which accept invalid or attacker-controlled certificates. A network-positioned (man-in-the-middle) attacker can therefore decrypt and capture information users submit through those webviews, such as account or payment-related data. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; the CERT/CC advisory (VU#152953) is the primary reference.

Authentication Bypass Google
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-56458 HIGH This Week

Sensitive-information disclosure in HCL DevOps Deploy (formerly UrbanCode Deploy) versions 8.1 through 8.1.2.6 and 8.2 through 8.2.1.0 stems from an overly permissive Cross-Origin Resource Sharing (CORS) policy that fails to restrict allowed origins to trusted domains. Because the application accepts or reflects arbitrary origins, an attacker-controlled web page can issue cross-origin credentialed requests against an authenticated user's session to read protected data and invoke privileged actions. There is no public exploit identified at time of analysis, EPSS is low (0.23%, 13th percentile), and CISA SSVC rates exploitation as none.

Cors Misconfiguration Information Disclosure Hcl Devops Deploy
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-63579 HIGH This Week

Sensitive information disclosure in Kyocera Command Center RX, the embedded web management interface of numerous TASKalfa multifunction printers, allows remote attackers to export the entire device address book without authorization. Because the vulnerability also bypasses the encryption protecting incoming data, encrypted content can be decrypted to reveal stored passwords and other confidential data. Publicly available exploit code exists (GitHub PoC), though there is no evidence of active exploitation in CISA KEV; SSVC rates the flaw as automatable with partial technical impact.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-51601 HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the onboard RTSP service by sending a PLAY request whose Range header carries an over-long clock= value, triggering a stack-based buffer overflow (CWE-121). The flaw affects only availability - a successful attack knocks the camera's video streaming offline until it recovers or is restarted, with no confirmed path to code execution or data disclosure. There is a public research write-up on GitHub, but no active exploitation is recorded in CISA KEV and EPSS rates exploitation likelihood as low (0.19%, 9th percentile).

Buffer Overflow Tenda Stack Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-38076 HIGH This Week

Denial of service in Artifex jbig2dec (JBIG2 decoder, commit cc37d0) lets a remote attacker crash the decoder by supplying a crafted JBIG2 image that triggers an integer overflow in jbig2_arith_iaid_ctx_new(). Impact is availability-only (CVSS 7.5, A:H) with no data exposure or code execution indicated. There is no public exploit identified at time of analysis, though a researcher gist referenced by NVD may contain reproduction material; EPSS is low at 0.17% (6th percentile) and the flaw is not in CISA KEV.

Integer Overflow Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-39246 HIGH This Week

Arbitrary symlink creation in the decompress npm package before 4.2.2 lets an attacker who supplies a crafted archive plant symlinks pointing outside the extraction directory, leading to information disclosure when the host application reads the extracted contents. The flaw stems from a symlink entry's linkname being passed straight to fs.symlink() without validation, while the existing anti-symlink guard only protects regular file entries. No public exploit has been identified at time of analysis, EPSS risk is low (0.17%, 6th percentile), and it is not listed in CISA KEV.

Information Disclosure N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52770 HIGH POC PATCH GHSA This Week

Boolean-based blind SQL injection in YesWiki's public Bazar entry-listing API allows unauthenticated attackers to read arbitrary database contents by abusing numeric query/queries filters. Because numeric field values are escaped with mysqli_real_escape_string but inserted into the SQL statement without quotes or numeric validation, injected boolean expressions (e.g. '100 OR (SELECT COUNT(*) FROM yeswiki_users)>0') are evaluated by the database, turning the public endpoints into a data-exfiltration oracle. A detailed, self-contained proof-of-concept is published in the advisory; a vendor patch (commit f3b0dd0) is available, though the issue is not listed in CISA KEV.

PHP Oracle SQLi Docker
NVD GitHub
CVSS 3.1
7.5
CVE-2026-49485 HIGH PATCH GHSA This Week

Denial-of-service in the HL7 FHIR Core library (ca.uhn.hapi.fhir:org.hl7.fhir.core, all FHIRPathEngine implementations) lets a remote unauthenticated attacker exhaust a CPU core by submitting a FHIR resource whose matches(), matchesFull(), or replaceMatches() FHIRPath function carries a malicious regular expression that triggers catastrophic backtracking. The timeout utility meant to bound regex evaluation cancelled its executor thread but could not actually interrupt the running Pattern/String operation, and three modules invoked evaluation entirely outside that guard. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the ReDoS technique is well understood and trivial to reproduce.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
CVE-2026-59692 HIGH This Week

Denial of service in GStreamer's DTLS plugin allows a remote unauthenticated attacker to crash any application that performs a DTLS handshake (notably WebRTC/webrtcbin pipelines) by presenting a TLS certificate with an oversized Subject Distinguished Name. The Subject DN is written into a fixed 2048-byte stack buffer with no bounds checking (CWE-121), and overflowing it corrupts the stack and terminates the process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; impact is limited to availability (process crash), with no code execution or data exposure claimed.

Buffer Overflow Denial Of Service Stack Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-55424 HIGH PATCH This Week

Stored cross-site scripting in Discourse (before 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5) lets a user with permission to set a topic "featured link" inject JavaScript that executes when the link is rendered in the topic list. Exploitation only succeeds where the platform's default Content Security Policy has been weakened or disabled, so out-of-the-box installs are protected in depth. No public exploit identified at time of analysis, and the issue is not in CISA KEV; official fixed releases are available.

XSS Discourse
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-53987 HIGH PATCH This Week

Stored cross-site scripting in the Tag plugin for GLPI 11 (versions before 2.14.4) allows an authenticated user holding TAG MANAGEMENT create/update rights to persist an HTML/JavaScript payload in a tag name, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to. The flaw stems from PluginTagTag::preKanbanContent() rendering the unsanitized tag name into badge markup without output escaping. No public exploit identified at time of analysis; the issue was reported by VulnCheck and a vendor patch (2.14.4) is available.

XSS Glpi 11
NVD GitHub
CVSS 4.0
7.3
EPSS
0.3%
CVE-2026-8848 HIGH This Week

Remote code execution in the Popup Maker WordPress plugin (all versions through 1.22.0) allows authenticated attackers holding editor-level access or above to install and activate an arbitrary plugin from an attacker-controlled URL, resulting in full server-side code execution. The root cause is a missing authorization check (CWE-862) in the plugin's REST API Connect controller, whose install endpoint treats a bearer token - issued by the legacy v1/connect/info endpoint - as its only non-spoofable authorization gate. Reported by Wordfence; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass WordPress RCE Popup Maker Boost Sales Conversions Optins Subscribers With The Ultimate Wp Popup Builder
NVD VulDB
CVSS 3.1
7.2
EPSS
0.7%
CVE-2026-59721 HIGH PATCH This Week

Command injection in self-hosted Hoppscotch instances prior to 2026.6.0 allows an authenticated administrator to achieve root-level code execution in the backend container. The updateInfraConfigs GraphQL mutation accepts an attacker-controlled MAILER_SMTP_URL whose path, query, or fragment is parsed by nodemailer into sendmail transport options, turning SMTP configuration into arbitrary command execution once the service restarts and sends mail. No public exploit identified at time of analysis, but the flaw is confirmed and patched upstream in release 2026.6.0.

Command Injection
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-15000 HIGH This Week

Stored cross-site scripting in the Connect Contact Form 7 and Mailchimp WordPress plugin (all versions through 0.9.78.06) lets unauthenticated visitors plant JavaScript through Mailchimp merge-field values submitted via a Contact Form 7 form. The payload lies dormant until an Administrator runs a Contact Lookup on the submitted email address, at which point the script executes in the privileged admin session. Reported by Wordfence with a CVSS of 7.2; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Connect Contact Form 7 And Mailchimp
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-33390 HIGH PATCH This Week

Privilege escalation via configuration synchronization in Nozomi Networks Guardian and Central Management Console (CMC) lets an authenticated low-privilege user push administrative CLI commands to managed Arc sensors, because those sensors incorrectly inherit CLI permissions during sync. Successful abuse alters device configuration and can degrade or disable sensor availability, undermining OT/ICS monitoring integrity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; risk is elevated by the network-reachable, low-privilege (PR:L) attack path against a security-critical appliance.

Information Disclosure Guardian Cmc
NVD VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-9253 HIGH This Week

Stored cross-site scripting in the WP Cost Estimation & Payment Forms Builder (E&P Forms) WordPress plugin (Loopus) affects all versions through 10.5.97 and lets unauthenticated attackers persist arbitrary JavaScript via the 'customerInfos' parameter that fires when any user later views the injected page. Reported by Wordfence with a CVSS 3.1 base score of 7.2 (scope-changed), this is a persistent, no-authentication injection primitive rather than a reflected one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not confirmed in the wild.

WordPress XSS Wp Cost Estimation Payment Forms Builder
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-13441 HIGH This Week

Stored cross-site scripting in the EventPrime events plugin for WordPress (versions through 4.3.4.2, by Metagauss) lets low-privileged or, in one configuration, unauthenticated actors persist arbitrary JavaScript through the 'new_event_type_background_color' field of the event-type creation flow. The injected script runs in the browser of any user who later views the affected page, enabling session/context theft in the WordPress front end and admin context. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the finding was reported by Wordfence.

WordPress XSS Eventprime Events Calendar Bookings And Tickets
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-57032 HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low-privileged authenticated attacker crash the Flexible PIC Concentrator (FPC) by subscribing over gRPC to an unsupported telemetry sensor path in the packet forwarding engine. Each crash produces a complete forwarding outage until the module auto-restarts, and the trigger can be repeated for sustained disruption. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low complexity and single low-privilege prerequisite make it operationally easy to trigger.

Juniper Denial Of Service Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-44787 HIGH PATCH This Week

Privilege escalation in Discourse (the open-source discussion platform) lets a newly registered user obtain whisper-group ('whisperer') privileges by supplying a primary_group_id during the signup flow, without ever being a legitimate member of that group. Exploitation only matters on sites that have configured whispers_allowed_groups, and success grants read access to staff-only whisper posts (a confidentiality-focused impact). EPSS is low (0.31%, 23rd percentile) and there is no public exploit identified at time of analysis, but the fix commits and GitHub advisory GHSA-vmwq-jvxx-jwfx confirm the flaw and its remediation.

Privilege Escalation Discourse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-59209 HIGH PATCH This Week

Credential disclosure in n8n workflow automation (versions prior to 1.123.61, 2.27.4, and 2.28.1) allows an authenticated member holding use-only editor access to a shared workflow to read credential-populated HTTP headers via the $request object inside an HTTP Request node's pagination expression, then exfiltrate the secret through returned item data. This defeats n8n's credential-hiding model, which is supposed to prevent low-privilege collaborators from seeing the underlying secret values. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the EPSS/POC signals were not provided.

Information Disclosure N8n
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-33801 HIGH PATCH This Week

Remote denial-of-service in Juniper Networks Junos OS and Junos OS Evolved 25.2 (before 25.2R2 / 25.2R2-EVO) lets an adjacent, unauthenticated BGP peer crash the routing protocol daemon (RPD) by sending a single malformed non-inet/inet6 unicast BGP update over an already-established session. The RPD crash-and-restart produces a full routing outage until reconvergence completes, though the crash occurs before the update is readvertised so there is no downstream propagation to other routers. CVSS 4.0 base score is 7.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Juniper Denial Of Service Junos Junos Os Evolved
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-33800 HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine of Juniper Junos OS on MX Series routers allows an unauthenticated, network-adjacent attacker to crash and restart the FPC by continuously flapping Micro-BFD sessions. The PFEMAN process queues each up/down event and, in a Virtual-Chassis deployment with locality-bias enabled, processing is slow enough that a sustained flap backlog prevents completion and trips the PFEMAN watchdog timer, forcing an FPC restart and a full traffic outage. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the low complexity and unauthenticated adjacent vector make it a credible availability threat to affected line cards (MPC9 and below).

Juniper Denial Of Service
NVD
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57027 HIGH PATCH This Week

Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker to exhaust packet-forwarding-engine memory and crash the Flexible PIC Concentrator (FPC). The flaw triggers only when sFlow monitoring is enabled in a Virtual Chassis and multicast traffic ingresses on one VC member and egresses on another, causing a slow buffer leak that culminates in an FPC crash and restart. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability risk for affected deployments.

Juniper Denial Of Service Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57020 HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2) attacker to saturate data-center links by injecting IPv6 multicast traffic in an EVPN-VxLAN fabric. When such packets reach a non-IRB interface of a spine switch, the packet-forwarding engine floods them to other spines and all ESI leaf switches, creating an endless forwarding loop that starves legitimate traffic. No public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 7.1.

Juniper Information Disclosure Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57019 HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauthenticated, Layer-2 adjacent attacker crash a line card by sending a single crafted packet within the same broadcast domain. The affected system miscalculates the packet size (CWE-1284, improper validation of specified quantity in input), which fails downstream processing and raises an MQSS major CMError that forces an automatic FPC reset, interrupting all traffic on that FPC until it recovers. Only deployments handling MAP-T or non-IP-over-IP traffic (e.g. MPLS over GRE) are exposed; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Juniper Buffer Overflow Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-59219 HIGH PATCH This Week

Session revocation bypass in Open WebUI 0.9.0 through 0.9.x (deployments configured with Redis) lets a holder of a revoked JWT keep authenticating realtime Socket.IO connections. The flaw stems from first-message authentication for Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket calling decode_token without the Redis-backed is_valid_token revocation check, so logout, forced-logout, or token invalidation does not sever active realtime access. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the fix is version 0.10.0.

Redis Information Disclosure Open Webui
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-55212 HIGH PATCH This Week

Broken authorization in Pimcore's Studio API lets a standard editor-level user create class definitions without administrative rights, because the POST /pimcore-studio/api/class/definition/configuration-view/detail/create endpoint checks the 'objects' permission rather than the 'classes' permission. Because class-definition creation writes new database tables and PHP class files to the server, this permission gap grants low-privileged users significant control over the application's data model and codebase, and absent API-layer UID validation malformed UIDs reach model-layer validation and surface internal exceptions. No public exploit identified at time of analysis; the flaw is fixed in 2025.4.6 and 2026.1.6.

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-41857 HIGH PATCH This Week

Arbitrary command execution on operator workstations in Cloud Foundry BOSH CLI before 7.10.5 allows a compromised or malicious BOSH Director to inject and run shell commands locally when an operator invokes bosh ssh, bosh scp, or bosh logs -f with default flags. Because the CLI trusts director-supplied data and passes it into a shell, a controlled director turns a routine operator action into local code execution on the trusted management host. No public exploit identified at time of analysis; not listed in CISA KEV, though the reference blog by Cloud Foundry (originally reported by VMware) confirms the flaw and a fixed release.

Bosh Cli Command Injection
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-59206 HIGH PATCH This Week

Privilege escalation via prototype pollution in n8n workflow automation lets an authenticated low-privilege user (holding the default workflow:create permission) corrupt Object.prototype through a crafted workflow saved, updated, or imported via the workflow API. Once polluted, subsequent unauthenticated requests are evaluated as a privileged user, exposing internal user and project listing endpoints. This is an information-disclosure and access-control flaw with no public exploit identified at time of analysis; CVSS 4.0 base score is 7.1.

Information Disclosure Prototype Pollution N8n
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-59207 HIGH PATCH This Week

Credential secret exfiltration in n8n (self-hosted workflow automation) prior to 2.27.4 and 2.28.1 lets a low-privilege member with use-only access to a shared credential leak that secret to an attacker-controlled server. The AI Agents feature fails to enforce the 'Allowed HTTP Request Domains' restriction when an MCP tool is aimed at an arbitrary URL, so the guardrail meant to keep secrets in-bounds is bypassed. No public exploit identified at time of analysis; risk is elevated because the abuse comes from an already-authorized internal user rather than an outside attacker.

Information Disclosure N8n
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-54798 HIGH CISA This Week

Denial of service in Siemens CPCI85 Central Processing/Communication firmware and SICORE Base System (all versions before V26.20 / V26.20.0) allows an authenticated attacker to crash the device's web process via a leftover debugging interface exposed on HTTP endpoints. The flaw stems from active debug code shipped in production firmware and affects only availability, not data confidentiality or integrity. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service Cpci85 Central Processing Communication Sicore Base System
NVD VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-59691 HIGH This Week

Heap buffer overflow in GStreamer's rfbsrc (RFB/VNC source) plugin lets a malicious VNC server crash or corrupt the memory of any client that connects to it. When the server advertises a 16bpp framebuffer and sends Hextile-encoded updates, the background-fill path writes 32-bit pixels into a 16-bit buffer, producing an out-of-bounds heap write. No public exploit identified at time of analysis; the primary confirmed impact is denial of service, with potential for further memory corruption. This is a client-side flaw requiring the victim to connect to attacker-controlled infrastructure.

Memory Corruption Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-14372 HIGH This Week

Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. Reported by Wordfence with a CVSS of 7.1; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Path Traversal RCE Bit Form Contact Form Payment Forms Multi Step Forms Calculator Custom Form Builder
NVD
CVSS 3.1
7.1
EPSS
0.7%
CVE-2026-57021 MEDIUM PATCH This Month

Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes the process when handling crafted network requests, taking down all web-management-dependent services including J-Web, remote-access VPN, and firewall authentication until automatic process recovery. Exploitation is gated on a specific non-default configuration - remote-access VPN with pre-logon compliance check enabled - limiting the exposed population to SRX deployments that actively use this feature. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the official CVSS 5.3 score reflects the limited, reversible availability-only impact.

Memory Corruption Juniper Buffer Overflow Junos Os
NVD VulDB
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-60095 MEDIUM This Month

Stack buffer overflow in Vinchin Backup & Recovery through 9.0.0.86562 exposes the agentlink_server service to unauthenticated remote exploitation via the ModuleHandShake function. An attacker supplying an oversized _listen_uuid value triggers unsafe strcpy() into a fixed-length stack buffer, overwriting the saved return address and enabling process crash or control flow hijack. No public exploit or active exploitation has been confirmed at time of analysis, though the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms the attack is network-reachable without authentication or user interaction.

Buffer Overflow Stack Overflow Backup Recovery 9 0
NVD VulDB
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-57024 MEDIUM PATCH This Month

Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that assigns duplicate index values to new peers, triggering continuous iked process crashes and a full VPN service outage requiring system reboot. Unauthenticated network-based attackers can deliberately flood the device with failing VPN negotiations to accelerate the rollover condition. No public exploit code or CISA KEV listing exists at time of analysis, but the network-reachable, zero-privilege attack vector makes this a meaningful risk for any organization relying on Juniper-based VPN infrastructure with iked enabled.

Juniper Denial Of Service Junos Os
NVD
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-60094 MEDIUM This Month

Heap buffer overflow in Vinchin Backup & Recovery through version 9.0.0.86562 allows unauthenticated remote attackers to crash the agentlink_server process or corrupt heap memory without any prior access or user interaction. The agentlink_server service accepts a TCP packet body_len field without bounds validation, passing the attacker-controlled value directly to recv() and enabling heap writes of up to approximately 4 GiB beyond the allocated buffer. This vulnerability is not listed in CISA KEV and no public exploit code is confirmed at time of analysis, though the heap overflow magnitude raises concern for potential code execution beyond simple denial-of-service.

Memory Corruption Buffer Overflow Backup Recovery 9 0
NVD VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-33803 MEDIUM PATCH This Month

Junos OS Evolved exposes an internal communication process to the network via an unintended open port due to incorrect initialization, enabling unauthenticated remote attackers to interact with a service never designed for external access. Affected Juniper devices suffer limited information disclosure and elevated CPU consumption as the misbound process handles unsolicited ingress packets - a soft availability degradation rather than a crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network vector across a broad version range warrants prompt patching on internet-facing routing infrastructure.

Juniper Information Disclosure Junos Os Evolved
NVD VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-57054 MEDIUM PATCH This Month

Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network attackers by allowing a specially formatted URL to evade the URL filtering plugin. The flaw stems from incorrect name or reference resolution (CWE-706), causing the router to forward traffic that security policy mandates be dropped. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 6.9 carries an Automatable:Yes modifier, indicating the bypass is scriptable at scale against any qualifying deployment.

Authentication Bypass Juniper Junos Os
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-57028 MEDIUM PATCH This Month

License exhaustion in Juniper Networks Junos OS Evolved lets an unauthenticated, network-based attacker reach the device's license-management process, which was intended to be internal-only but is exposed on an open network port due to incorrect initialization. All Junos OS Evolved releases before 23.2R2-EVO are affected. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible network-facing denial-of-service risk to affected routing/switching platforms.

Authentication Bypass Juniper Junos Os Evolved
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-31983 MEDIUM PATCH This Month

Unauthenticated access to the SSH keys synchronization endpoint in Nozomi Networks Guardian and CMC exposes user enumeration data and SSH public keys to any network-reachable attacker. By sending a single unauthenticated request to this endpoint, an attacker can retrieve usernames, group memberships, and uploaded SSH public keys - providing meaningful reconnaissance into the OT security platform's user base. No public exploit has been identified at time of analysis, and no CISA KEV listing exists; the CVSS 4.0 score of 6.9 reflects low confidentiality impact with no integrity or availability risk.

Authentication Bypass Guardian Cmc
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-61344 MEDIUM PATCH This Month

Unauthenticated API exposure in the Superior Court of California's Hearing Reminder Service (hrs.courts.ca.gov) permits any internet-accessible party to retrieve court reminder records containing potentially sensitive information with no credentials or preconditions. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote access, making bulk data harvesting trivial for any motivated actor. No public exploit code has been identified at time of analysis, and the service is not listed in the CISA KEV catalog, but the low technical barrier means exploitation requires nothing more than a standard HTTP request.

Authentication Bypass
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-57025 MEDIUM PATCH This Month

Denial-of-service in Juniper Networks Junos OS and Junos OS Evolved on EX Series, QFX Series, and MX Series allows a local, low-privileged attacker to crash the l2ald (Layer 2 Address Learning Daemon) by issuing a specific 'show l2-learning' CLI command, disrupting all Layer 2 services until the process automatically restarts. The root cause is a Return of Pointer Value Outside of Expected Range flaw (CWE-466) in the fileio library. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA or the vendor.

Juniper Denial Of Service Junos Os Junos Os Evolved
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-33802 MEDIUM PATCH This Month

Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally authenticated user, regardless of privilege class or assigned permissions, to execute a specific privileged 'request' command and cause complete traffic disruption on the affected switch. Affected platforms span EX2300, EX4000, EX4100, EX4300-MP, and EX4400 across six active Junos OS release trains from 23.2 through 25.4. No public exploit has been identified at time of analysis and the system recovers automatically, but the low barrier to exploitation - any authenticated local user qualifies - makes this a meaningful insider threat in shared-access or multi-tenant switch environments.

Authentication Bypass Juniper Junos Os
NVD
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-13080 MEDIUM This Month

Local File Inclusion in the WPFunnels WordPress plugin (all versions through 3.12.7) allows authenticated administrators to include and execute arbitrary PHP files on the server via the unsanitized `logKey` parameter, yielding full remote code execution when combined with file upload capability. The attack requires administrator-level WordPress credentials and high complexity - specifically the ability to place a PHP file on the server - materially limiting the exploitable population. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a routine-patching priority tier despite its severe potential impact.

WordPress LFI RCE PHP Information Disclosure +1
NVD
CVSS 3.1
6.6
EPSS
0.7%
CVE-2026-21901 MEDIUM PATCH This Month

NULL pointer dereference in the Juniper Networks Junos OS and Junos OS Evolved management daemon (mgd) allows a local, high-privileged attacker to crash the mgd process by manipulating a specific 'system services ssh' configuration parameter. Repeated execution of the offending configuration commands sustains the Denial of Service condition until the action ceases, as mgd will restart but crash again upon re-triggering. No public exploit code has been identified and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog; the attack barrier is high, requiring both local access and administrative-level credentials.

Juniper Denial Of Service Null Pointer Dereference
NVD GitHub
CVSS 4.0
6.7
EPSS
0.2%
CVE-2026-0287 MEDIUM PATCH This Month

Denial of service conditions in Palo Alto Networks PAN-OS allow unauthenticated network attackers to crash firewall dataplane processes by sending specially crafted traffic to or through a dataplane interface. Repeated exploitation escalates the impact: the firewall is forced into maintenance mode, effectively taking the security appliance offline and disrupting all traffic enforcement. No public exploit code has been identified at time of analysis, and Panorama management infrastructure is explicitly confirmed unaffected.

Denial Of Service Paloalto Cloud Ngfw Pan Os
NVD VulDB
CVSS 4.0
6.6
EPSS
0.5%
CVE-2026-57157 MEDIUM PATCH This Month

CVE-2026-57157 has no published description, CVSS score, or CWE at time of analysis. The sole intelligence signal is a vendor report attributed to Ubuntu, indicating the vulnerability may affect a package in the Ubuntu ecosystem. No impact, affected versions, attack vector, or exploitation details can be determined from the available data. This analysis cannot characterize the vulnerability beyond acknowledging its existence and Ubuntu provenance.

Information Disclosure Buffer Overflow Freerdp
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-1365 MEDIUM This Month

Sensitive authentication data is inserted into network-transmitted responses in OSOS, the energy management platform by Sayax Energy Technologies Inc., enabling authenticated low-privilege users to extract credentials or session tokens and bypass authentication controls. All versions through build 09072026 are affected with no vendor patch available - TR-CERT disclosed this vulnerability but received no response from the vendor. No public exploit code has been identified at time of analysis, though the network-accessible attack vector with low complexity raises practical risk in industrial energy environments where even low-privilege account access is common.

Authentication Bypass Osos
NVD
CVSS 3.1
6.5
EPSS
0.4%
Prev Page 3 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy