Skip to main content
CVE-2026-31267 MEDIUM This Month

Stack-based buffer overflow in the Mercusys MW302R (EU) V1 1.4.10 Build 231023 administrative web interface allows an authenticated attacker with administrative access on the same network segment to crash the device by sending a specially crafted HTTP request. The crash results from control flow being redirected to an arbitrary instruction address - a classic CWE-121 stack overflow pattern that produces denial of service. No public exploit is confirmed in CISA KEV, though a researcher GitHub gist (BarrYPL/13dcd071673866cbbfaaa05085b98cf3) appears to document the finding and may constitute a proof-of-concept write-up. EPSS probability is very low at 0.16% (6th percentile), consistent with a niche consumer router model.

Buffer Overflow Denial Of Service Stack Overflow
NVD GitHub
CVSS 3.1
5.7
EPSS
0.2%
CVE-2026-0277 MEDIUM PATCH This Month

Improper certificate validation in the Palo Alto Networks Prisma Access Agent for iOS exposes VPN tunnel traffic to interception and manipulation by a network-adjacent attacker. The flaw (CWE-295) enables a man-in-the-middle position to defeat the agent's TLS/certificate trust chain, allowing an adversary to read or alter traffic that the iOS client believes is securely tunneled. Exploitation is limited to iOS deployments - the Windows, macOS, Linux, Android, and ChromeOS agents are confirmed unaffected. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Apple Microsoft Google Prisma Access Agent
NVD
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-59857 MEDIUM PATCH This Month

Stack buffer overflow in Vim's SAL sound-folding spell engine prior to version 9.2.0725 crashes the editor by writing a null byte one position past the end of a MAXWLEN-element stack buffer in spell_soundfold_sal(). Exploitation requires a user to open Vim with a SAL-based spell file active under a non-multibyte 8-bit encoding and trigger sound-based spell suggestions on a boundary-length word, corrupting the eval_soundfold() stack frame. No public exploit has been identified at time of analysis, and the impact is limited to availability (editor crash) with no confidentiality or integrity consequences.

Memory Corruption Buffer Overflow Vim
NVD GitHub VulDB
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-15204 MEDIUM This Month

Path traversal in the TOTOLINK X5000R router's OpenVPN Export CGI handler exposes arbitrary router filesystem files to remote unauthenticated attackers. The `exportOvpn` function within `/web/cgi-bin/cstecgi.cgi` fails to sanitize user-controlled path input, allowing directory traversal sequences to escape the intended export directory. A public proof-of-concept exists (GitHub: meishigana/CVE, referenced 2026-06-09), and the CVSS 4.0 supplemental metric E:P confirms exploit code is available, elevating practical risk beyond the moderate 5.5 base score.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-15135 MEDIUM This Month

SQL injection in code-projects Online Food Order System 1.0 exposes the `/edit_food_items.php` endpoint to unauthenticated remote database manipulation via the `update` parameter. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this is remotely exploitable without authentication or special conditions, with limited but confirmed impact across confidentiality, integrity, and availability. A public exploit has been released (E:P), making opportunistic targeting realistic despite the niche deployment footprint; no patch or vendor advisory has been identified.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15134 MEDIUM This Month

SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the backend database to unauthenticated remote attackers through the `email` parameter at `/SimpleOnlineLeave/index.php`. Manipulation of this parameter allows an attacker to alter SQL query logic, enabling authentication bypass, database enumeration, and data modification without any credentials or user interaction. A public proof-of-concept exploit has been disclosed via GitHub, significantly lowering the skill barrier for exploitation; the vulnerability is not currently listed in the CISA KEV catalog.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-39243 MEDIUM This Month

Arbitrary hardlink creation in the decompress npm package (before version 4.2.2) enables read disclosure and overwrite of any file accessible on the same filesystem as the extraction directory. When a victim extracts an attacker-crafted archive, the library passes the hardlink target path (x.linkname) directly to Node.js fs.link() without any path sanitization, allowing a hardlink inside the extraction directory to point at any file the process has access to. No CISA KEV listing exists and EPSS stands at 0.17% (7th percentile), reflecting low observed exploitation; however, the provided CVSS I:N metric conflicts with the description's explicit mention of file-overwrite capability, and in automated CI/CD pipelines the user-interaction barrier is effectively eliminated.

Information Disclosure N A
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-56459 MEDIUM This Month

Sensitive information disclosure in HCL DevOps Deploy / HCL Launch exposes credentials or operational data stored in application log files to any local user who can read those files. Affected across four major release branches (7.3, 8.0, 8.1, and 8.2), the vulnerability stems from CWE-532, where the application writes sensitive material into logs without adequate sanitization or access restriction. No public exploit code has been identified at time of analysis, and the flaw is not listed in the CISA KEV catalog, but the high confidentiality impact (C:H) and zero-privilege local access condition elevate real-world concern in multi-tenant or shared-host deployments.

Information Disclosure Hcl Devops Deploy Hcl Launch
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52772 MEDIUM POC PATCH GHSA This Month

Stored XSS in YesWiki's Bazar form module allows a privileged form editor to inject persistent script payloads into field label and hint fields, which execute in the browser context of every subsequent visitor - including unauthenticated guests - who renders an affected form. The vulnerability is a sibling class of an incomplete fix at commit e6b66aa: that commit removed the dangerous |raw('html') filter from two Twig template call sites but left eleven additional sites in range.twig, email.twig, layouts/input.twig, layouts/field.twig, textarea.twig, user.twig, bookmarklet.twig, subscribe.twig, and linked-entry.twig still suppressing Twig's HTML auto-escaping. No active exploitation is confirmed in CISA KEV, but a detailed proof-of-concept with exact payloads, rendered HTML output, and affected line numbers is included in GitHub Security Advisory GHSA-xc7j-3g8q-9vh4, and patch commit 5d1a4d07 is publicly available.

XSS CSRF PHP
NVD GitHub
CVSS 3.1
5.5
CVE-2026-58198 MEDIUM PATCH This Month

Symlink-based extraction redirect in ChatterBot prior to 1.2.14 enables a local attacker with standard user privileges to cause training corpus archive contents to be written to an attacker-controlled directory by pre-planting a symlink at the predictable path ~/ubuntu_data/ubuntu_dialogs before UbuntuCorpusTrainer.extract() runs. The check-then-create pattern preceding tar.extractall() creates a CWE-367 TOCTOU window that, on shared multi-user systems, allows the attacker to intercept the extraction target without any race if the symlink is planted before the first training run. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 1.2.14.

Information Disclosure Chatterbot
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15192 MEDIUM This Month

Missing authentication on APIv1 webhook endpoints in sendportal up to 3.0.1 permits remote unauthenticated actors to invoke webhook handlers for SendGrid, Postmark, Postal, and Mailjet without any credential verification. The flaw enables integrity and availability manipulation of email processing pipelines from any network location. A publicly disclosed exploit exists per VulDB submission 851624; no vendor patch has been released and the maintainer has not responded to the responsible disclosure report.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.6%
CVE-2026-59212 MEDIUM PATCH This Month

Incorrect authorization in Open WebUI versions 0.9.6 through 0.9.x allows authenticated users with read-only knowledge file access to escalate their privileges to file write or delete operations. The root cause is that `_verify_knowledge_file_access` validated only read permissions, while write and delete routes independently trusted access derived from writable model `meta.knowledge` entries - creating a logical gap where the authorization check and the actual enforcement were misaligned. No public exploit or CISA KEV listing is identified at time of analysis; this is a medium-severity, authenticated-only issue fixed in v0.10.0.

Authentication Bypass Open Webui
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-53962 MEDIUM PATCH This Month

Stored cross-site scripting in Discourse's SVG upload and user avatar handling allows authenticated users to inject malicious JavaScript that executes in victims' browsers when they visit specific non-standard URLs. The CVSS scope change (S:C) reflects that successful exploitation crosses the browser security boundary, enabling session token theft or account takeover against victims who visit the triggering URL. Vendor-confirmed patches are available across four release branches; no public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Discourse
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-59227 MEDIUM PATCH This Month

Open WebUI versions 0.8.11 through 0.10.0 expose a missing-authorization flaw (CWE-862) on the POST /api/v1/images/edit endpoint, allowing any verified non-admin account to invoke server-side image editing even when administrators have disabled the global image-edit switch or revoked per-user image-generation permissions. The bypass enables unprivileged users to consume admin-configured third-party image provider credentials - exhausting API quotas or generating unauthorized images - undermining deliberate access controls set by the platform operator. No public exploit has been identified at time of analysis; a vendor-confirmed fix is available in version 0.10.0.

Authentication Bypass Open Webui
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-53956 MEDIUM PATCH GHSA This Month

Path traversal in rattler_cache and py-rattler exposes the victim's filesystem to out-of-bounds file writes when package metadata from an untrusted conda channel contains path separators or directory traversal sequences in the build string. Users who install packages from a malicious channel trigger cache materialization logic that joins the unsanitized build string into a filesystem path, allowing package contents to land outside the configured cache directory. No public exploit has been identified and no CISA KEV listing exists; exploitation requires deliberate use of an untrusted channel (CVSS UI:R), meaningfully limiting real-world exposure.

Path Traversal
NVD GitHub
CVSS 3.1
5.4
CVE-2026-5005 MEDIUM PATCH This Month

Stored XSS in Twiser OKRs & Goals (builds 28220 through pre-28398) allows authenticated low-privileged users to inject persistent malicious scripts that execute in other authenticated users' browsers. The CVSS scope change (S:C) confirms cross-user impact - a hallmark of stored XSS where one user's injected payload affects others who subsequently view the same content. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this firmly in standard patch-cycle priority.

XSS Okrs Goals
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-55605 MEDIUM PATCH This Month

Unauthenticated access to the self-hosted HTTP transport of DeepSeek MCP Server (versions 1.4.2-1.7.x) allows any network-reachable client to initialize a valid MCP session, enumerate server tools, and invoke them without credentials - including `deepseek_chat`, which silently consumes the server operator's `DEEPSEEK_API_KEY`. Default Docker deployments expose port 3000 in HTTP mode out of the box, maximizing the attack surface for any container running on a network-accessible host. No public exploit has been identified at time of analysis, though the GitHub advisory references reproduced testing confirming the full bypass against commit `5e1302171e99`.

Authentication Bypass Docker Deepseek Mcp Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-13450 MEDIUM This Month

Unauthenticated information disclosure in the GamiPress WordPress plugin (all versions through 7.9.4) allows any site visitor to read private activity log entries belonging to arbitrary users, including badge earnings, points balance changes, WooCommerce purchase events, LearnDash course completions, and BuddyPress activity records. The IDOR flaw in the 'access' parameter is rendered trivially exploitable because the sole authentication gate - a gamipress nonce - is deliberately broadcast to every front-end visitor via wp_localize_script, meaning no credential or privilege is required beyond loading any page on the target site. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the near-zero exploitation complexity makes it a practical mass-exploitation candidate against any unpatched deployment.

Authentication Bypass WordPress Gamipress Gamification Plugin To Reward Points Achievements Badges Ranks In Wordpress
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-33799 MEDIUM PATCH This Month

Memory exhaustion in Juniper Networks Junos OS and Junos OS Evolved snmpd allows an authenticated network attacker to crash SNMP monitoring by sending specific valid SNMPv3 queries that trigger an out-of-bounds write and progressive memory leak. The snmpd process will exhaust available memory over time, crash, and restart, rendering SNMP-based network monitoring unavailable for the duration of each crash cycle. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV; however, the CVSS 4.0 supplemental metric AU:Y indicates the attack is automatable.

Memory Corruption Juniper Buffer Overflow Junos Junos Os Evolved
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-12406 MEDIUM This Month

Authorization bypass in the WP User Frontend (WPUF) WordPress plugin through version 4.3.7 allows unauthenticated visitors to delete guest-uploaded media attachments via the wpuf_file_del AJAX action. The plugin's sole access control gate - a WordPress nonce - is self-defeated: when any WPUF shortcode is rendered on a public front-end page, the nonce value is localized into publicly readable JavaScript objects (wpuf_upload and wpuf_frontend), making it trivially extractable by any browser visitor. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified, but the zero-authentication, low-complexity attack path makes this trivially reproducible from plugin source code alone.

Authentication Bypass WordPress User Frontend
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-59828 MEDIUM PATCH This Month

Discourse's post revision system exposes hidden edit history to unauthenticated network users through a serialization flaw in PostRevisionSerializer. When computing diffs between adjacent visible revisions, the serializer failed to enforce visibility restrictions, leaking content from revisions that moderators or administrators had marked as hidden. No active exploitation has been identified at time of analysis, but the unauthenticated, low-complexity attack vector means any visitor to a vulnerable Discourse instance can potentially access suppressed post content - including moderator-redacted material - without any credentials or special access.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-7558 MEDIUM This Month

Unauthenticated export of sensitive WooCommerce donation records is possible in the Token of Trust WordPress plugin through version 4.0.2 due to a missing capability check on a publicly accessible export function. Any unauthenticated visitor can retrieve a CSV file containing charitable donor order dates, order IDs, donation amounts, and admin-only order edit URLs by appending a single GET parameter to any page on the affected site. No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but the trivial exploitation mechanism - requiring only a browser and a known URL parameter - means low-skill attackers can exploit it at scale.

Authentication Bypass WordPress Age Verification Identity Verification By Token Of Trust
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-59817 MEDIUM PATCH This Month

Ghost CMS versions 6.27.0 through 6.43.x permit unauthenticated attackers to manipulate donation checkout metadata, enabling acquisition of full paid gift memberships for a minimal payment. The flaw, classified as CWE-472 (External Control of Assumed-Immutable Web Parameter), stems from the server trusting client-controlled parameters in the public-facing checkout flow that should be server-authoritative. No active exploitation is confirmed (not in CISA KEV) and no public exploit has been identified; the vendor released a fix in version 6.44.0.

Node.js Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-59218 MEDIUM PATCH This Month

Timing-based account enumeration in Open WebUI prior to 0.10.0 exposes whether any given email address is registered on a self-hosted AI instance. The /api/v1/auths/signin endpoint only invokes bcrypt password verification when a matching email record exists, making registered-account login attempts measurably slower than attempts against unregistered emails - a classic CWE-208 timing oracle. Unauthenticated remote attackers can exploit this discrepancy at scale to harvest valid account emails, which can then fuel credential stuffing or targeted phishing. No public exploit code or CISA KEV listing has been identified, and the vendor has released a fix in v0.10.0.

Information Disclosure Open Webui
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-12418 MEDIUM This Month

Unauthenticated content tampering in the WP User Frontend WordPress plugin (all versions through 4.3.7) allows any visitor to overwrite the title, body, and excerpt of any post on the site, including posts authored by administrators. The flaw stems from the wpuf_submit_post AJAX action accepting a user-controlled post reference key in the wpuf_files_data parameter without validating whether the requesting user is authorized to edit the target post - a textbook CWE-639 authorization-through-user-controlled-key failure. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires no authentication and no special configuration beyond the plugin being installed with at least one public-facing submission form.

Authentication Bypass WordPress User Frontend
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57031 MEDIUM PATCH This Month

Ingress firewall filter bypass in Juniper Networks Junos OS on MX Series hardware (MPC10/11, LC4800/9600/4802, MX304) allows adjacent subscribers on static interfaces to evade configured protocol-level access controls and upstream bandwidth limitations. The Packet Forwarding Engine (PFE) fails to enforce ingress filters for these subscriber configurations, meaning neither protocol restrictions nor rate-limiting policies take effect. No public exploit code has been identified and the vulnerability is absent from CISA KEV, though the CVSS 4.0 AU:Y (Automatable) supplemental metric indicates exploitation could be scripted at scale against affected broadband aggregation deployments.

Authentication Bypass Juniper Junos Os
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-31982 MEDIUM PATCH This Month

Open Redirect via SAML SSO cache poisoning in Nozomi Networks Guardian and CMC allows unauthenticated remote attackers to corrupt the server-side redirect cache for all users by submitting a crafted request to the SAML sign-in endpoint with a malicious redirection parameter. Victims who subsequently initiate SAML Single Sign-On are transparently redirected to attacker-controlled infrastructure, enabling phishing and credential theft. The flaw additionally disrupts legitimate SAML authentication for affected users, introducing an availability dimension beyond the typical Open Redirect threat model. No active exploitation (KEV) or public exploit code has been identified at time of analysis.

Open Redirect Guardian Cmc
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-15189 MEDIUM This Month

Server-side request forgery in aerostackdev aerostack-mcp's mcp-whatsapp component allows authenticated remote attackers to manipulate the `media_url` argument of the `upload_media` function, causing the server to issue arbitrary outbound HTTP requests on the attacker's behalf. Affected installations span all commits up to 6315dfde7df0a15aaf743f88d91347115e09ba23 with no vendor patch available and no maintainer response to the disclosure. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

SSRF Aerostack Mcp
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-61474 MEDIUM PATCH This Month

MISP's attribute creation endpoint contains an authorization bypass allowing authenticated users with attribute-creation permissions to associate attributes with sharing groups they are not authorized to access. The flaw arises because the sharing group permission check was gated exclusively on the distribution field being set to 4 (sharing group mode), meaning a user could submit any non-empty sharing_group_id with a different distribution value and bypass the check entirely. No public exploit has been identified at time of analysis; a vendor patch is available via a confirmed GitHub commit.

Authentication Bypass Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-50554 MEDIUM POC PATCH GHSA This Month

{bookID}/notes carries no authentication middleware, and supplying ?deleted=true causes the service to invoke GORM's Unscoped() while retaining the is_public=true authorization branch, allowing any network-accessible actor to retrieve titles, slugs, and timestamps of notes an owner deliberately deleted from a public book. No active exploitation is confirmed (not listed in CISA KEV), though a fully functional proof of concept is embedded in the vendor advisory, and exploitation requires only a single crafted HTTP GET request.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
CVE-2026-9021 MEDIUM This Month

Unauthenticated remote manipulation of published business quotes is possible in the Easy Invoice WordPress plugin (versions up to and including 2.1.19) due to missing authorization on AJAX endpoints. The plugin registers quote acceptance and decline actions via wp_ajax_nopriv_ hooks - making them reachable without credentials - while the only gate is a per-quote nonce that is embedded directly in the publicly viewable single-quote template. The ownership restriction that would prevent non-owners from acting on quotes is controlled by an off-by-default Pro feature flag, meaning the overwhelming majority of free-tier deployments are fully exposed to arbitrary quote status manipulation, including automatic invoice generation and client email dispatch. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass WordPress Easy Invoice Invoice Generator Pdf Quotes Payments
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-9028 MEDIUM This Month

Unauthenticated order cancellation in CorvusPay WooCommerce Payment Gateway (all versions up to and including 2.7.4) allows any remote attacker to cancel any WooCommerce order paid via CorvusPay by supplying an arbitrary order number to the /wp-json/corvuspay/cancel/ REST API endpoint. The plugin registers this cancel endpoint without implementing a WordPress permission callback, meaning no authorization is verified before processing cancellation requests (CWE-862). No public exploit code and no active exploitation via CISA KEV have been identified at time of analysis, though the attack requires no credentials and minimal technical skill.

Authentication Bypass WordPress Corvuspay Woocommerce Payment Gateway
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-9027 MEDIUM This Month

Payment bypass in the CorvusPay WooCommerce Payment Gateway plugin (all versions up to and including 2.7.4) enables unauthenticated remote attackers to fraudulently mark any pending WooCommerce order as fully paid, obtaining goods or services without actual payment. The `corvuspay_success_handler` function registers a publicly accessible REST endpoint where a cryptographic signature validation is performed but its boolean result is silently discarded - written only to a debug log - causing `$order->payment_complete()` to execute unconditionally regardless of signature validity. WooCommerce order IDs are sequential integers, making every pending order on an affected store trivially enumerable with no prior knowledge required. No public exploit code or CISA KEV listing was identified at time of analysis.

WordPress Jwt Attack Authentication Bypass Corvuspay Woocommerce Payment Gateway
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57158 MEDIUM PATCH This Month

Insufficient data exists to characterize CVE-2026-57158 meaningfully. The CVE description is absent, no CVSS vector or score has been published, and the only available intelligence signal is a single vendor source tag ('vendor:ubuntu'). No impact, attack vector, or affected component can be determined from the provided data. Security teams should treat this as an unresolved entry requiring direct vendor advisory lookup before any risk decision is made.

Information Disclosure Buffer Overflow Freerdp
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.5%
CVE-2026-53760 MEDIUM POC GHSA This Month

Cross-site request forgery in Admidio's plugin management endpoint (`modules/plugins.php`) enables a remote attacker to trigger destructive plugin operations - including irreversible DROP TABLE SQL execution - against any authenticated administrator who visits an attacker-controlled web page. The endpoint processes install, uninstall, and update operations via unauthenticated GET requests lacking CSRF token validation, and SameSite=Lax cookie behavior causes browsers to automatically include session credentials on top-level GET navigations from cross-origin pages. A working Playwright-based proof-of-concept is publicly available demonstrating the full attack chain; no confirmed active exploitation (CISA KEV) is present at time of analysis.

CSRF PHP
NVD GitHub
CVSS 3.1
5.2
CVE-2026-60120 MEDIUM PATCH This Month

Stored client-side template injection in Bagisto before v2.4.4 allows any attacker who can register a customer account to execute arbitrary JavaScript in an administrator's browser. The `create.blade.php` template renders customer name fields inside a Vue.js context without the `v-pre` directive, causing Vue.js to evaluate stored template expressions as live code when an administrator opens the Create Order page for the affected customer. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, though the stored nature of the payload and its execution in an admin session context make this a higher real-world priority than the CVSS 4.0 score of 5.1 alone suggests.

XSS PHP
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-58144 MEDIUM This Month

Stored cross-site scripting in Cotonti Siena 0.9.26 and earlier allows any authenticated user with PFS (Personal File System) access to plant persistent JavaScript payloads by submitting a crafted folder title via the ntitle parameter. The TXT filter in pfs.main.php fails to sanitize HTML before persisting the value, so the payload executes in the browser of every subsequent visitor - including administrators - who views the folder listing. No public exploit has been confirmed beyond a researcher-published proof-of-concept gist, and no vendor patch has been identified at time of analysis.

XSS PHP
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-59213 MEDIUM PATCH This Month

Cache key misconfiguration in Open WebUI versions 0.6.27 through 0.9.x leaks permission-filtered model lists across authenticated users during the aiocache TTL window. The flaw exists in both the OpenAI and Ollama router handlers, where a lambda was incorrectly passed as the cache key instead of a per-user key_builder, collapsing all users into a single shared cache entry. An authenticated attacker on a shared instance can receive a different user's model list - revealing which AI models that user has access to - with no public exploit identified at time of analysis and a vendor-released patch available in v0.10.0.

Information Disclosure Open Webui
NVD GitHub
CVSS 3.1
5.0
EPSS
0.3%
CVE-2026-43752 MEDIUM PATCH This Month

Arbitrary code execution on the host operating system is achievable by an authenticated FileMaker Server administrator via a malicious file upload through the Open Source LLM setup feature - specifically the Miniforge installer upload path - in the Admin Console. All FileMaker Server versions prior to 26.0.1 are affected; the flaw is classified as CWE-434 (unrestricted upload of a dangerous file type) and was reported directly by Apple/Claris product security. No public exploit code or CISA KEV listing exists at time of analysis, and SSVC rates exploitation as none with no automation feasibility, substantially limiting real-world risk despite the RCE classification.

RCE File Upload Filemaker Server
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-59854 MEDIUM This Month

Credential file exfiltration in SiYuan prior to 3.7.1 is possible through the POST /api/file/globalCopyFiles endpoint, which accepts arbitrary absolute source paths and relies on an incomplete denylist in util.IsSensitivePath to block sensitive files. The denylist omits common credential files including .git-credentials, .netrc, .pgpass, .kube/config, .docker/config.json, and .gnupg, enabling an authenticated administrator or API-token holder to copy these files into the workspace and read them via the file API. No public exploit code or CISA KEV listing exists at time of analysis, but the Docker tag suggests this is relevant in containerized deployments where host-mounted credential files may be accessible.

Information Disclosure Docker Siyuan
NVD GitHub
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-14342 MEDIUM This Month

Time-based SQL injection in the Mail Mint WordPress plugin (versions ≤1.24.2) allows authenticated administrators to extract arbitrary data from the underlying database via the unsanitized 'contact_ids' parameter in the contact management API. Reported by Wordfence, the flaw is rooted in insufficient input escaping and missing prepared statements in the ContactModel and ContactController layers. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, a corrective changeset (3597255) has been committed to the WordPress plugin repository.

WordPress SQLi Mail Mint Email Marketing Newsletter Email Automation Woocommerce Emails
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-48737 MEDIUM POC GHSA This Month

SSRF protection bypass in pyload-ng allows authenticated users with link-add permissions to reach internal network endpoints - including cloud metadata services - by supplying IPv6 transition-encoded addresses that Python's `ipaddress.IPv6Address.is_global` incorrectly classifies as globally routable. The NAT64 prefix (`64:ff9b::/96`) bypass is universal across all supported Python versions (3.9-3.14); the 6to4 prefix (`2002::/16`) bypass additionally affects Python 3.9-3.11, covering the full `python_requires = >=3.9` matrix. No confirmed active exploitation (CISA KEV) has been identified, but a researcher-provided proof-of-concept demonstrates full bypass of both the `is_global_address` guard and the pycurl PREREQFUNC in `http_request.py:680`.

SSRF Python
NVD GitHub
CVSS 3.1
4.9
CVE-2026-31981 MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC (N2OS) allows authenticated administrators to embed malicious HTML into configuration data rendered in the Diagram tab and Graph view, enabling phishing and open redirect attacks against other authenticated users who view the affected pages. The vulnerability originates from a shared input validation function applied across multiple input vectors in N2OS that is insufficiently restrictive, permitting certain HTML tags to persist. Full XSS exploitation and direct information disclosure are explicitly constrained by existing input validation and a Content Security Policy, limiting realistic attacker impact to social engineering vectors. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

XSS Open Redirect Information Disclosure Guardian Cmc
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-0284 MEDIUM PATCH This Month

XML injection in Palo Alto Networks PAN-OS Large Scale VPN (LSVPN) exposes unauthenticated remote attackers a path to inject malicious XML content into the LSVPN data pipeline, resulting in information disclosure or corruption of internal satellite configuration data. Only PAN-OS devices with LSVPN actively configured are affected; the vendor explicitly confirms Panorama, Cloud NGFW, and Prisma Access are not in scope. No public exploit has been identified at time of analysis, and the CVSS 4.0 supplemental E:U metric signals exploitation as currently unlikely, though the zero-authentication, network-accessible attack surface demands prompt attention from operators running LSVPN hub deployments.

Information Disclosure Paloalto Pan Os
NVD VulDB
CVSS 4.0
4.7
EPSS
0.5%
CVE-2026-0285 MEDIUM PATCH This Month

Server-side request forgery in Palo Alto Networks PAN-OS allows an authenticated administrator with access to the management web interface to weaponize the firewall as an unauthorized network relay, making requests to internal services on behalf of the attacker. Exploitation is constrained by the requirement for high-privilege administrator credentials (PR:H) and network reachability to the management interface, substantially limiting the realistic attacker population. No public exploit code or active exploitation has been identified; the vendor's own CVSS 4.0 supplemental metrics rate exploitation status as Unreported (E:U) and urgency as Amber.

SSRF Paloalto Pan Os
NVD VulDB
CVSS 4.0
4.7
EPSS
0.5%
CVE-2026-56289 MEDIUM PATCH This Month

GNU patch enters an infinite CPU-consuming loop when processing a specially crafted unified-diff file containing an excessively large hunk line offset, resulting in a denial of service. The utility becomes unresponsive and must be manually terminated, impacting any pipeline, CI/CD system, or developer workflow that applies untrusted patch files. No public exploit has been identified at time of analysis, and an upstream fix commit has been published by the maintainers on Savannah; a formally tagged release is not yet independently confirmed.

Denial Of Service Patch
NVD VulDB
CVSS 4.0
4.6
EPSS
0.1%
CVE-2026-56288 MEDIUM PATCH This Month

GNU patch crashes with a NULL pointer dereference when a user applies a specially crafted unified-diff file, resulting in denial of service. Improper handling of consecutive end-of-file newline markers corrupts internal hunk data structures, causing a NULL pointer to be passed to fwrite() during processing. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is constrained by the requirement for user interaction with a malicious file.

Denial Of Service Null Pointer Dereference Patch
NVD VulDB
CVSS 4.0
4.6
EPSS
0.1%
CVE-2026-0283 MEDIUM PATCH This Month

Authentication bypass in the Large Scale VPN (LSVPN) feature of Palo Alto Networks PAN-OS enables unauthenticated network-adjacent attackers to establish unauthorized site-to-site VPN connections without valid credentials. The root cause is CWE-306 (Missing Authentication for Critical Function), where the LSVPN peer negotiation process fails to enforce authentication before allowing VPN tunnel establishment. While the CVSS 4.0 base score is 4.5, the subsequent-system confidentiality impact is rated High (SC:H), reflecting that a successful bypass grants the attacker routing-level access into networks protected by the VPN - a materially greater risk than the headline score suggests. No public exploit code exists and no active exploitation has been confirmed (CISA KEV not listed, E:U).

Authentication Bypass Paloalto Pan Os
NVD VulDB
CVSS 4.0
4.5
EPSS
0.6%
CVE-2026-59831 MEDIUM This Month

Command execution via URI injection in GitHub CLI's `gh codespace jupyter` subcommand (versions 2.10.0-2.95.0) allows an attacker who controls a Codespace to redirect a connecting developer's VS Code instance into executing arbitrary protocol handler actions. The CLI passes a JupyterLab URL sourced from a process inside the Codespace directly to the OS without validating that the URL is a loopback HTTP or HTTPS address, enabling substitution with a crafted `vscode://` or `vscode-insiders://` URI. No public exploit has been identified at time of analysis and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog, but the scope-change characteristic (S:C) means local VS Code extension execution is a realistic downstream impact.

Information Disclosure Cli
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-12433 MEDIUM This Month

{id} enforces only the tfhb_manage_options capability check but never validates that the requested booking ID is owned by the requesting host, exposing attendee PII (names, emails, phone numbers, addresses), payment method and status, transaction history, and internal notes. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a fix commit is present in the WordPress plugin SVN repository.

Authentication Bypass WordPress Hydra Booking Appointment Scheduling Booking Calendar
NVD VulDB
CVSS 3.1
4.3
EPSS
0.4%
Prev Page 5 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy