Skip to main content
CVE-2026-56460 MEDIUM This Month

Sensitive configuration data and credentials are exposed in API responses within HCL DevOps Deploy / HCL Launch, affecting all maintained version branches from 7.3 through 8.2.1.0. Any authenticated user with low-privilege access can retrieve secrets through standard API interactions, creating a stepping-stone for lateral movement or privilege escalation across connected deployment targets. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but real-world risk is elevated because CI/CD platforms routinely store high-value credentials for downstream infrastructure.

Information Disclosure Hcl Devops Deploy Hcl Launch
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-46413 MEDIUM PATCH This Month

Unauthorized write access to the admin backup store in Discourse allows any authenticated regular user to route S3 multipart uploads into a storage area that should be restricted to administrators. The flaw exists in ExternalUploadManager, which fails to enforce authorization checks (CWE-862) when accepting direct S3 multipart upload requests, meaning a low-privilege account holder can target the admin backup destination path without restriction. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the low attack complexity and network accessibility make this a credible threat on any Discourse deployment using S3 direct uploads.

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-59149 MEDIUM PATCH This Month

Path traversal in Mockoon prior to 9.7.0 allows unauthenticated network clients to read arbitrary files from sibling paths outside the configured static serving directory. The vulnerability exists in the `getSafeFilePath` function in `packages/commons-server/src/libs/server/server.ts`, which enforces directory confinement using a bare string-prefix check (`resolvedPath.startsWith(staticBaseDir)`) without a path-separator boundary. Because any path whose absolute form begins with the base directory string - including sibling directories sharing a common prefix - passes this check, crafted `../`-escaped values embedded in request data can escape the sandbox across HTTP sendFile, WebSocket, and callback channels. No public exploit code identified at time of analysis and no CISA KEV listing.

Path Traversal Mockoon
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-59220 MEDIUM PATCH This Month

Regular expression denial of service in Open WebUI 0.9.2-0.9.x allows any authenticated user to block the Python asyncio event loop by sending a single malformed chat message. The SKILL_MENTION_RE and strip_re patterns in middleware.py use overlapping quantifiers when parsing skill-mention syntax, causing quadratic backtracking on input containing '<$' without a closing '>'. Because the event loop is synchronously blocked, the attack effectively takes the entire Open WebUI instance offline for all concurrent users. No public exploit code or active exploitation has been identified at time of analysis; the fix is confirmed in the v0.10.0 release.

Denial Of Service Open Webui
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-8996 MEDIUM This Month

Sensitive information exposure in the Backup and Staging by WP Time Capsule WordPress plugin (all versions through 1.22.26) allows authenticated attackers with subscriber-level access to download a previously admin-decrypted SQL database backup via the unprotected `download_recent_decrypted_file_wptc` endpoint. The downloaded backup typically contains WordPress password hashes, user credentials, and site configuration data stored in the `recent_decrypted_file` plugin option. No public exploit code exists at time of analysis, but the vulnerability is conditionally exploitable wherever subscriber-level user registration is enabled and an administrator has recently used the plugin's decrypt function.

Authentication Bypass WordPress Information Disclosure Backup And Staging By Wp Time Capsule
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13011 MEDIUM This Month

SQL Injection in WP ERP (wedevs) versions through 1.17.5 allows authenticated HR Manager-level users to exfiltrate arbitrary data from the WordPress database via the unsanitized `orderby` parameter in the leave management module. The flaw resides in `functions-leave.php` and `LeaveRequestsListTable.php`, where user-supplied sort parameters are interpolated directly into SQL queries without escaping or prepared statements. No public exploit code is confirmed and this CVE is not listed in the CISA KEV catalog, but the confidentiality impact is high given the plugin stores HR records, payroll data, and CRM contacts.

WordPress SQLi Erp
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-59853 MEDIUM This Month

Missing authorization on the `/api/storage/getCriteria` endpoint in SiYuan personal knowledge management software exposes saved search criteria - including private document paths, notebook and block IDs, and search/replace keyword history - to any publish-mode Reader, bypassing the access controls applied by all sibling storage endpoints. All SiYuan releases prior to 3.7.1 are affected per the vendor security advisory GHSA-px3c-cf92-9g83. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the low attack complexity and readily available fix commit make this straightforward to weaponize against exposed instances.

Authentication Bypass Siyuan
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-53961 MEDIUM PATCH This Month

Discourse's AWS SES bounce webhook endpoint (POST /webhooks/aws) validates Amazon SNS message signatures but omits TopicArn binding, allowing any AWS account holder to publish legitimately signed forged Bounce notifications that revoke a targeted Discourse user's email address. Versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 across all active release branches are affected when the SES integration is enabled. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the low attack complexity and absence of Discourse-side authentication requirements make targeted abuse realistic for any motivated actor with an AWS account.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-51598 MEDIUM This Month

Denial of service in the RTSP service of MERCURY MIPC252W IP Camera firmware v1.0.5 Build 230306 Rel.79931n allows an unauthenticated, network-adjacent attacker to crash the streaming service by sending a crafted DESCRIBE request containing a malformed URL in the request line. The root cause is improper input validation (CWE-20) in the RTSP parser, resulting in complete loss of camera availability until the device is rebooted. Publicly available exploit code exists per SSVC classification, though no confirmed active exploitation (CISA KEV) has been recorded.

Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-53637 MEDIUM PATCH GHSA This Month

Order data corruption and permanent deletion in Sylius affects authenticated customers across versions prior to 2.0.18, 2.1.15, and 2.2.6 due to a stale-state race condition in the cart LiveComponent. When an order transitions to STATE_COMPLETED while a customer's cart page remains open in a browser tab, subsequent cart actions - clearing, removing items, or adjusting quantities - are applied to the completed order rather than a fresh cart, irreversibly deleting or mutating finalized order records. No public exploit code has been identified at time of analysis, but the attack is trivially reproducible by any authenticated customer without specialized tooling, as the attacker can deliberately engineer the race condition by completing checkout in one tab while exploiting the stale cart in another.

Information Disclosure PHP
NVD GitHub
CVSS 3.1
6.5
CVE-2026-52763 MEDIUM POC PATCH GHSA This Month

Stored SQL injection in YesWiki's `recentchanges` action enables arbitrary read of the underlying MySQL database by any user who can save a wiki page - on default installations, this includes unauthenticated visitors. The payload is persisted as wiki page content and executes on every subsequent page load, leaking rows (including admin usernames and password hashes) rendered directly into the HTML response as hyperlinks. A fully working UNION-based proof-of-concept is included in the GitHub security advisory, confirming practical exploitability with no public exploit identified at time of analysis in CISA KEV.

SQLi PHP
NVD GitHub
CVSS 3.1
6.5
CVE-2026-53769 MEDIUM POC PATCH GHSA This Month

{FIELD_ID}? or update? policy checks - even when both explicitly return false for the requesting user. Primarily impacts Avo Pro/Advanced multi-role deployments where non-administrator operators are expected to be constrained by per-field authorization policies. A PoC request spec confirms exploitation on Avo 3.31.2; no CISA KEV listing, so no confirmed active exploitation at time of analysis.

Authentication Bypass File Upload
NVD GitHub
CVSS 3.1
6.5
CVE-2026-59715 MEDIUM PATCH This Month

Unauthenticated manipulation of collaborative document state is possible in Open WebUI versions 0.6.16 through 0.9.x, where the Socket.IO server's always_connect=True configuration allows the ydoc:awareness:update and ydoc:document:leave event handlers to process requests from any connected client regardless of identity. An attacker with network access to the platform can inject false collaborative presence data or trigger spurious document-leave events, disrupting active collaboration sessions for legitimate users. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in the input.

Authentication Bypass Open Webui
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48987 MEDIUM POC GHSA This Month

Memory exhaustion in pyload's EventManager module allows authenticated remote attackers to cause a denial of service by sending large volumes of requests to the getEvents API endpoint with unique UUIDs. Each unique UUID causes a new Client instance to be appended to the internal clients list, but the existing clean() method that would purge inactive clients is never invoked anywhere in the codebase, resulting in unbounded memory growth. No public exploit is independently catalogued, but a functional proof-of-concept script was included in the disclosure, demonstrating that the attack can be executed with a valid API key and approximately 100,000 HTTP GET requests.

Python Denial Of Service
NVD GitHub
CVSS 3.1
6.5
CVE-2026-12428 MEDIUM This Month

Unauthorized data disclosure in the Blocks for ACF Fields WordPress plugin (versions up to and including 1.6.2) allows any authenticated user holding the Author role or above to read ACF field values from arbitrary WordPress objects - including private posts, drafts, and posts owned by other users - via an insecure REST API endpoint. The flaw stems from the REST handler accepting a user-supplied post ID and passing it directly to get_field_objects() without verifying whether the requester holds read permission on that specific object, a classic object-level authorization failure (CWE-862). Reported by Wordfence; no CISA KEV listing and no standalone public exploit code identified at time of analysis, though exploitation is operationally trivial for any attacker with a valid Author-level WordPress account.

Authentication Bypass WordPress Blocks For Acf Fields Display Custom Fields In The Block Editor
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-12170 MEDIUM This Month

Stored Cross-Site Scripting in the AcyMailing WordPress newsletter plugin (all versions up to and including 10.10.2) permits authenticated contributors to inject persistent arbitrary scripts via the unsanitized 'alignment' attribute across both the classic form builder and Gutenberg block editor code paths. Any user - including unauthenticated site visitors - who subsequently loads a page containing the injected element triggers script execution in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and no CISA KEV listing, though the CVSS scope change (S:C) correctly reflects the cross-user, cross-session impact characteristic of stored XSS.

WordPress XSS Acymailing An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-13771 MEDIUM This Month

Stored Cross-Site Scripting in the Customer Reviews for WooCommerce WordPress plugin (all versions ≤ 5.113.0) allows contributor-level authenticated users to inject arbitrary JavaScript via the 'color' attribute of the trust badge shortcode, which then executes in the browsers of every subsequent visitor to the compromised page. The trust badge rendering code in class-cr-trust-badge.php and badge-small.php fails to sanitize or escape shortcode attribute input before writing it to HTML output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; a patch commit is referenced in the WordPress SVN repository.

WordPress XSS Customer Reviews For Woocommerce
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6910 MEDIUM This Month

Stored Cross-Site Scripting in the Bookero.pl WordPress booking plugin (versions up to and including 2.2) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the `bookero_products` shortcode. The `bookero_products()` function in `libraries/bookero-front.php` (lines 173-174) concatenates the raw `hide_products` and `filter_products` attribute values directly into an inline `<script>` block with no sanitization or output escaping, meaning any page rendered with the poisoned shortcode will execute the attacker-supplied script in every visitor's browser. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

WordPress XSS Bookero Pl System Rezerwacji Online
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13253 MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Post (PostX) WordPress plugin versions up to and including 5.0.31 allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'moreResultsText' attribute of the advanced-search Gutenberg block. The root cause is a sanitization gap: the render callback applies wp_kses() which strips disallowed HTML tags but does not encode special characters like double quotes in attribute context, and the unsanitized value is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(), allowing attribute boundary escape. No public exploit code has been identified at time of analysis, and no EPSS data was provided, but the contributor-level access requirement represents the primary real-world friction point for exploitation.

WordPress XSS Post Grid Gutenberg Blocks Postx
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-14343 MEDIUM This Month

Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.61) allows authenticated contributors to inject persistent JavaScript payloads via the 'note_before' and 'note_after' shortcode attributes. The root cause is an unescaped output sink in the shortcode renderer: although wp_kses_post filters post content on save for users lacking the unfiltered_html capability, kses-allowed tag and attribute combinations that survive filtering are passed directly to the unsafe sink and execute in victims' browsers when the injected page is rendered. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress XSS Download Manager
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-4653 MEDIUM This Month

Stored XSS in the Block, Suspend, Report for BuddyPress WordPress plugin (bp-toolkit) through version 3.6.4 allows low-privileged authenticated attackers to inject persistent malicious scripts via the 'link' parameter in report submissions. Authenticated users with subscriber-level access can plant JavaScript payloads that execute in any visitor's browser upon accessing the affected report pages, with Changed Scope (S:C) indicating execution in the victim's security context rather than the application's. No public exploit code has been identified at time of analysis and the vulnerability has not been added to CISA KEV, but on BuddyPress community sites with open registration the subscriber-level prerequisite is trivially satisfied.

WordPress XSS Block Suspend Report For Buddypress
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-45788 MEDIUM PATCH This Month

Secure upload bypass in Discourse exposes protected files through the pull_hotlinked_images feature, which fails to enforce the secure_uploads access control when processing posts containing a known secure URL. Affected instances are those running versions prior to 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5 with the secure_uploads site setting enabled. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; however, the fix commits are publicly visible on GitHub, potentially aiding reverse-engineering of the flaw.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.5%
CVE-2026-49256 MEDIUM PATCH This Month

Restricted tag and tag-group name disclosure in Discourse exposes internal taxonomy metadata to anonymous and unauthorized users via the category and group API endpoints. All Discourse versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 are affected when restricted tags or tag groups are configured on publicly readable categories. An unauthenticated actor can enumerate these names - which may contain sensitive organizational labels, project codenames, or internal classifications - using standard HTTP requests with no exploit tooling required. No public exploit code exists and this is not listed in CISA KEV; the CVSS 4.0 AT:P modifier confirms that exploitation requires a specific non-default configuration to be present.

Information Disclosure Discourse
NVD GitHub
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-59225 MEDIUM PATCH This Month

Open WebUI versions 0.8.12 through 0.9.x expose a missing authorization flaw that permits authenticated non-admin users to reach restricted underlying AI models by exploiting a code-path divergence in task endpoints. The standard chat route (/api/v1/chat/completions) correctly re-validates submodel access after arena wrapper resolution, but task endpoints such as /api/v1/tasks/moa/completions call utils.chat.generate_chat_completion() directly, triggering arena fallback resolution after the wrapper check passes and recursing with bypass_filter=True - effectively nullifying the submodel access control. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the attack requires only low-privilege authentication (PR:L), making it directly relevant to any multi-tenant or enterprise Open WebUI deployment with model access tiering.

Authentication Bypass Open Webui
NVD GitHub
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-54800 MEDIUM CISA This Month

Insecure default OPC UA configuration in Siemens CPCI85 Central Processing/Communication and SICORE Base System exposes industrial control system functions to unauthenticated network attackers. Both products ship with all OPC UA security mechanisms disabled, meaning any attacker who can reach the OPC UA endpoint over the network can interact with the system without authentication or encryption. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the affected products operate in OT/ICS environments where unauthorized control access carries disproportionate operational and safety risk relative to the moderate CVSS score.

Authentication Bypass Cpci85 Central Processing Communication Sicore Base System
NVD VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-39245 MEDIUM This Month

Directory traversal and arbitrary file write in the decompress npm package (versions before 4.2.2) stem from a prefix-confusion flaw in path boundary validation using String.indexOf() at two locations in index.js. An attacker supplying a crafted archive can write files to filesystem directories adjacent to the intended extraction target - for example, escaping /tmp/app into /tmp/app_config - bypassing both the safeMakeDir function and the extraction path validation. This is a confirmed bypass of the prior fix for CVE-2020-12265; no public exploit has been identified at time of analysis and EPSS is low at 0.26% (17th percentile), though the integrity impact is rated high by CVSS.

Path Traversal N A
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.3%
CVE-2026-0286 MEDIUM PATCH This Month

Command injection in the Palo Alto Networks PAN-OS management plane allows an authenticated administrator to execute arbitrary OS commands with root privileges on PA-Series, VM-Series, and Panorama appliances. The vulnerability is classified CWE-78 and is reachable via the network-accessible management interface, though the requirement for administrator-level credentials substantially constrains the attacker pool. No public exploit code has been identified at time of analysis, and no active exploitation has been confirmed by CISA KEV.

Command Injection Paloalto Pan Os
NVD VulDB
CVSS 4.0
6.0
EPSS
1.1%
CVE-2026-47646 MEDIUM PATCH NO ACTION HOSTED Monitor

Cross-site scripting in Microsoft Dynamics 365 Customer Voice allows a remote, unauthenticated attacker to inject script that executes in a victim's browser session and perform spoofing once the victim interacts with attacker-supplied content. The flaw carries a CVSS 9.3 rating driven largely by a scope change (S:C), meaning injected script escapes into a different security context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Dynamics 365 Customer Voice
NVD VulDB
CVSS 3.1
6.1
EPSS
0.5%
CVE-2026-5793 MEDIUM This Month

Reflected cross-site scripting in BiEticaret, a Turkish e-commerce platform by Inrove Software and Internet Services, enables remote unauthenticated attackers to inject and execute malicious JavaScript in victims' browsers by tricking them into clicking a crafted URL. All versions prior to v3.3.57 are affected across the full product line. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the low attack complexity and absence of authentication requirements make this straightforward to exploit once a target is socially engineered.

XSS Bieticaret
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-15191 LOW POC Monitor

Authorization bypass in mettle Sendportal up to version 3.0.1 permits authenticated remote users to circumvent object-level access controls at the Campaign Creation Endpoint, potentially allowing cross-tenant campaign manipulation. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), a class of IDOR flaw where the server trusts a user-supplied identifier to gate resource access without re-verifying ownership. A publicly available exploit exists via GitHub issue #339, and the vendor has not responded to responsible disclosure; no patch is available at time of analysis.

Authentication Bypass PHP Sendportal
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13334 MEDIUM This Month

Reflected Cross-Site Scripting in the Mang Board WP WordPress plugin (all versions through 2.3.4) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'stag' parameter, which executes in the browser of any user who clicks a crafted link. Wordfence's source-level analysis identifies the flaw spanning multiple plugin files including _header.php, func.board.php, and class.store.php. No active exploitation has been identified (not in CISA KEV) and no EPSS score was provided, but the PR:N/UI:R profile makes this a viable phishing-assisted attack against WordPress site administrators and editors.

WordPress XSS Mang Board Wp
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-52773 MEDIUM POC PATCH GHSA This Month

Reflected XSS in YesWiki doryphore 4.6.5 allows an attacker to execute arbitrary JavaScript in a victim's browser by exploiting unescaped output of the `time` GET parameter in the archived-revision edit form at `handlers/page/show.php`. A working proof-of-concept has been published by the reporter and confirmed against the official package; the attack exploits MySQL's DATETIME coercion to accept a malformed timestamp that begins with a real archived revision value yet appends injected markup, causing the archived-revision branch to render and reflect the payload unescaped. No active exploitation has been confirmed by CISA KEV, but the detailed PoC lowers the barrier to weaponization.

XSS Information Disclosure RCE PHP
NVD GitHub
CVSS 3.1
6.1
CVE-2026-15188 LOW POC Monitor

Improper access control in manjurulhoque's django-job-portal allows authenticated remote attackers to manipulate the `role` argument via the `EditEmployeeProfileAPIView` endpoint, enabling unauthorized privilege escalation within the Employee Dashboard. All commits up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f are affected under a rolling release model with no fixed version available. A publicly available proof-of-concept exploit exists via GitHub issue #91; the project maintainer has not responded to disclosure and no patch has been released.

Authentication Bypass Python Django Job Portal
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15187 LOW POC Monitor

Prototype pollution in the enquirer npm package (versions up to 2.4.1) allows remote authenticated attackers to manipulate JavaScript Object.prototype attributes by injecting a crafted value into the question.name argument of the Enquirer.set() function. The vulnerability carries a low CVSS 4.0 score of 2.1, reflecting limited integrity-only impact scoped to the vulnerable system with no confidentiality or availability consequence. Publicly available exploit code exists via GitHub issue #487, though no active exploitation has been confirmed in CISA KEV.

Information Disclosure Prototype Pollution Enquirer
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-58307 MEDIUM PATCH This Month

Out-of-bounds read and reachable assertion vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause a denial of service and limited data manipulation by supplying crafted JavaScript input. All versions prior to commit 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c are affected, with the primary real-world impact being an availability loss (crash) and low-confidence integrity effect. No public exploit code or CISA KEV listing has been identified at time of analysis.

Samsung Buffer Overflow Information Disclosure Escargot
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58306 MEDIUM This Month

Heap-based buffer overflow in Samsung's open-source Escargot JavaScript engine corrupts heap memory when processing maliciously crafted input, leading to a high-severity availability impact and a limited integrity impact. The vulnerability affects all Escargot releases before commit ef525f337fafddecde77a3c426212a84bb20cb98, targeting embedded and IoT contexts where the engine is deployed - most notably Samsung TV appliances. No public exploit identified at time of analysis, and no CISA KEV listing, but the local-vector, low-complexity nature of heap overflows makes this reliably triggerable once an attacker can supply crafted input to the engine.

Heap Overflow Samsung Buffer Overflow Escargot
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58305 MEDIUM PATCH This Month

Type confusion (CWE-843) in Samsung's open-source Escargot JavaScript engine enables pointer manipulation, leading to high-impact availability disruption and limited integrity compromise when processing malicious JavaScript. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with particular relevance to Samsung embedded and smart appliance ecosystems where this engine is deployed. No public exploit has been identified at time of analysis, and an upstream fix is available via GitHub PR #1580, though a formally versioned release has not been independently confirmed.

Memory Corruption Samsung Information Disclosure Escargot
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58304 MEDIUM PATCH This Month

Out-of-bounds read and write vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause memory corruption leading to high availability impact and limited integrity compromise. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with the engine's primary deployment in Samsung TV appliance and IoT platforms. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the CVSS-assigned high availability impact and the buffer overflow primitive make crash-based denial-of-service the primary realistic threat.

Samsung Buffer Overflow Information Disclosure Escargot
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58303 MEDIUM This Month

Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corrupt stack memory by supplying malicious JavaScript input, requiring user interaction to trigger. All Escargot releases prior to commit b30b63fc63b403907d8137da1c65aaa4521fe74e are affected, with impacts including high availability loss and limited integrity compromise. No public exploit identified at time of analysis and this vulnerability has not been added to CISA KEV, though the local-vector, user-interaction requirement meaningfully constrains real-world exploitation surface.

Buffer Overflow Samsung Stack Overflow Escargot
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-59222 MEDIUM PATCH This Month

{id}/members endpoint returns full UserModelResponse objects, inadvertently exposing toolServers API keys and webhook configuration belonging to other channel members. No public exploit is identified at time of analysis, but the low exploitation complexity and high value of the exposed credentials (tool server keys enable lateral access to integrated AI tooling infrastructure) elevate practical risk above what the 6.0 CVSS score alone suggests.

Information Disclosure Open Webui
NVD GitHub
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-15311 LOW POC PATCH Monitor

Cross-site scripting in NousResearch hermes-agent (all versions through 2026.5.29.2) stems from unsanitized markdown-to-HTML conversion in the Matrix Adapter component, allowing an authenticated remote attacker to inject malicious scripts into Matrix platform messages. When a victim views the crafted content, the injected script executes in their browser context. Publicly available exploit code exists (GitHub issue #42667), though no public exploit identified at time of analysis maps to confirmed active exploitation - the CVSS 4.0 score of 2.0 reflects the low severity, limited scope, and required victim interaction.

XSS Hermes Agent
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-57029 MEDIUM PATCH This Month

Traffic forwarding on Juniper QFX Series switches running Junos OS Evolved can be fully disrupted by an adjacent, unauthenticated attacker exploiting a race condition in the sFlow collector handler. When sFlow collector reachability changes trigger a next-hop entry update concurrently with the sFlow thread reading that same next-hop data, the evo-pfemand process crashes and all packet forwarding halts until the process automatically restarts. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis, but the availability impact is severe for any network segment relying on the affected switch.

Juniper Denial Of Service Junos Os Evolved
NVD VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-49837 MEDIUM POC PATCH GHSA This Month

Boundary validation failure in GoBGP's BGP OPEN capability parser allows a remote peer to send a malformed OPEN message that causes concrete capability decoders to read beyond the declared CapLen field, enabling attacker-controlled bytes to be interpreted as capability values - most critically, as a 4-octet AS number that influences peer AS validation and BGP session establishment decisions. Affected is GoBGP v4 (pkg:go/github.com_osrg_gobgp_v4), with the 4-octet AS capability (code 65) identified as the highest-impact case. A parser-level proof-of-concept is publicly described in GitHub Security Advisory GHSA-gjrg-jjr3-56cm; no active exploitation has been confirmed and this CVE does not appear in the CISA KEV catalog. IMPORTANT METADATA CONFLICT: The provided intelligence tags label this as 'RCE, Buffer Overflow, Information Disclosure' - all three directly contradict the CVE description, which explicitly states the issue is not arbitrary memory corruption, remote code execution, or information disclosure; security teams must disregard those tags.

RCE Buffer Overflow Information Disclosure
NVD GitHub
CVSS 3.1
5.9
CVE-2026-49834 MEDIUM PATCH GHSA This Month

Threshold counting logic in sigstore-go's multi-log verification policy is bypassable by a single compromised transparency or CT log. When a verifier is configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1), the intended defense-in-depth - requiring N distinct log authorities to independently vouch for an artifact - fails because counts accumulate per-entry or per-validation-path rather than per-log-authority. An attacker controlling one compromised Rekor transparency log or CT log can forge multiple entries with distinct indices, or present multiple embedded SCTs across certificate chains, artificially satisfying an N-count threshold with a single compromised source. No public exploit has been identified at time of analysis, and EPSS data is not available in the provided intelligence.

Information Disclosure
NVD GitHub
CVSS 3.1
5.9
CVE-2026-12879 MEDIUM PATCH This Month

Cross-tenant data exfiltration in Google Cloud Apigee (versions prior to 2026-06-12) is possible via improper input validation in the BigQuery Data Access Object (DAO) component. An authenticated attacker with high-privilege access can craft requests that bypass tenant isolation boundaries, accessing confidential data belonging to other Apigee tenants on Google Cloud Platform. Google patched this server-side on June 12, 2026 with no customer action required; no public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Google Apigee
NVD
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-15185 LOW POC PATCH Monitor

Out-of-bounds read in GPAC MP4Box version 26.03-DEV allows local low-privileged attackers to cause a low-severity availability impact by supplying a crafted input that manipulates the `num_langs` argument in the `vobsub_read_idx` function of `vobsub.c`. A proof-of-concept exploit has been publicly disclosed via GitHub issue #3611 and the CVSS 4.0 E:P modifier confirms its availability. Two upstream commits have been applied to address the flaw, though no standalone patched release version has been independently confirmed.

Buffer Overflow Information Disclosure Gpac
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15184 LOW POC PATCH Monitor

Null pointer dereference in GNU LibreDWG up to 0.13.4 allows a local low-privileged attacker to crash any application that processes a maliciously crafted DWG file via the `dwg_next_entity` function in `src/dwg.c`, resulting in denial of service. A proof-of-concept exploit file is publicly available (CVSS 4.0 E:P), though no active exploitation is confirmed in CISA KEV. The issue is fully resolved by upgrading to version 0.14, which includes a committed upstream patch.

Denial Of Service Null Pointer Dereference Libredwg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15182 LOW POC PATCH Monitor

Heap-based buffer overflow in GNU LibreDWG up to version 0.13.4 allows local low-privileged attackers to corrupt heap memory via a specially crafted DWG file containing malicious BMP image data processed by the dwg_bmp function in src/dwg.c. A public proof-of-concept exploit (a crafted R13/R2000 .dwg file) has been disclosed on GitHub, raising the urgency for affected deployments that process untrusted DWG input. No confirmed active exploitation (CISA KEV) has been recorded, and a vendor-released patch in version 0.14 fully resolves the issue.

Heap Overflow Buffer Overflow Libredwg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-12590 MEDIUM PATCH This Month

Denial of service in body-parser npm middleware allows unauthenticated remote attackers to submit arbitrarily large HTTP request bodies when the package is misconfigured with an invalid `limit` option value. Affected versions span both the 1.x line (prior to 1.20.6) and 2.x line (prior to 2.3.0). The silent misconfiguration failure bypasses all payload size enforcement, enabling an attacker to exhaust server memory and CPU through oversized request flooding - though exploitation requires the specific precondition of an invalid limit setting, reflected accurately in the low CVSS score of 3.7. No public exploit or CISA KEV listing exists at time of analysis.

Denial Of Service Body Parser
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-0278 MEDIUM PATCH This Month

Multiple protection mechanism failures in the Data Loss Prevention (DLP) component of Palo Alto Networks Prisma Access Agent for Windows enable a local authenticated user to bypass DLP policy enforcement controls. Only the Windows platform is affected; the Prisma Access Agent for macOS is explicitly excluded per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis, though the CVSS 4.0 supplemental urgency rating of Amber and high confidentiality/integrity impact on the vulnerable system make this a meaningful insider threat risk.

Authentication Bypass Apple Microsoft Prisma Access Agent
NVD VulDB
CVSS 4.0
5.8
EPSS
0.2%
Prev Page 4 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy