Skip to main content
CVE-2026-61459 CRITICAL POC PATCH Act Now

Argument injection in Flux159 MCP Server Kubernetes before 3.9.0 lets remote attackers redirect kubectl operations to an attacker-controlled API server by smuggling a leading-dash `--server` flag through the resourceType and name parameters of the kubectl_get, kubectl_describe, and kubectl_delete structured tools. Because the injected values bypass the assertNoDangerousFlags check, the operator's bearer token is transmitted to the external server, enabling full Kubernetes cluster compromise. Reported by VulnCheck, it carries CVSS 4.0 9.3, has publicly available exploit code, and a vendor patch in release 3.9.0; there is no confirmed active exploitation.

Authentication Bypass Kubernetes Mcp Server Kubernetes
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-61460 HIGH POC This Week

Broken object-level authorization in Krayin CRM (Laravel CRM) through version 2.2.3 lets any authenticated user tamper with leads, persons, organizations, quotes, and activities belonging to other users. Because the edit, update, and destroy methods across five controllers never verify record ownership, a low-privileged account can read, modify, reassign, or delete arbitrary CRM records by manipulating the object ID. Publicly available exploit details exist (reported by VulnCheck), though the issue is not listed in CISA KEV and no EPSS score was provided.

Authentication Bypass Laravel Crm
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-61461 HIGH POC PATCH This Week

SQL injection in Dify's MyScale vector store backend (versions before 1.16.0-rc1) lets authenticated attackers execute arbitrary SQL against the underlying ClickHouse database by passing unsanitized search parameters into the search_by_full_text method. Because those parameters are concatenated into the query without escaping or parameterization, an attacker can read, modify, or delete stored vector-store data. Publicly available exploit code exists (VulnCheck advisory and GitHub issue #38281) and a vendor patch is available; there is no confirmation of active in-the-wild exploitation.

SQLi Dify
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-12685 HIGH POC This Week

The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.

WordPress Information Disclosure Escortwp
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20744 CRITICAL CISA Emergency

Authentication bypass in the Hydro-Québec Le Circuit Électrique EV charging station backend lets remote unauthenticated attackers open connections directly to the charging-station WebSocket endpoint, which lacks proper access control (CWE-284), and leverage that access for privilege escalation. All backend versions prior to the June 2026 fix are affected, and the CVSS 4.0 base score of 9.3 (critical) reflects full compromise of confidentiality, integrity, and availability over the network with no privileges or user interaction. Reported through CISA ICS-CERT (ICSA-26-188-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-14480 HIGH CISA Act Now

Authenticated arbitrary file write in OpenPLC Runtime v3 lets a logged-in user of the legacy web UI escalate to native code execution on the host running the automation controller. The program-upload workflow stores the attacker-supplied prog_file filename in the Programs.File database field and later reuses it unvalidated as a destination path; because Python os.path.join() honors absolute paths, files can be written anywhere the webserver process can write. Reported by ICS-CERT (CISA ICS advisory ICSA-26-190-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python RCE Openplc
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.6%
CVE-2026-44383 HIGH CISA Act Now

Backend resource exhaustion in Hydro-Québec's Le Circuit Electrique EV charging station backend (all versions prior to the June 2026 fix) lets remote unauthenticated attackers open multiple simultaneous OCPP sessions under a single charging station identifier, flooding the platform with rogue clients. Because the backend never enforces one active session per station ID, an attacker can spin up many spoofed OCPP clients and exhaust backend capacity, degrading or denying service to legitimate charging stations. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Information Disclosure Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.6%
CVE-2026-42952 HIGH CISA Act Now

Denial-of-service exposure in the Hydro-Québec Le Circuit Électrique EV charging-station backend allows remote, unauthenticated attackers to hammer the authentication endpoint without rate limiting, degrading or exhausting the service that charging stations rely on. The flaw (CWE-307, missing throttling of repeated auth attempts) affects all backend versions prior to the June 2026 fix and carries a CVSS 4.0 base score of 8.7. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but it was reported through ICS-CERT and documented in CISA ICS advisory ICSA-26-188-01.

Information Disclosure Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-29519 MEDIUM POC This Month

Reflected XSS in Lucee CFML Server (versions 5.3.x, 6.1.x, 6.2.x, and 7.0.x) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by embedding script payloads within the URL request path, which the server reflects in its response without output encoding. The primary high-impact scenario targets the Lucee administrative interface - if an administrator visits the crafted URL, the attacker can hijack the admin session or trigger unauthorized administrative actions. A public proof-of-concept exploit is available on GitHub, materially lowering the barrier to exploitation; no public exploit identified at time of analysis indicating widespread active exploitation, and the vulnerability is not listed in CISA KEV.

XSS Lucee
NVD GitHub
CVSS 4.0
6.2
EPSS
0.4%
CVE-2026-54159 CRITICAL PATCH GHSA Act Now

Unauthenticated remote code execution in the PrestaShop ps_facetedsearch (layered navigation) module versions 3.0.0 through 4.0.3 allows a single crafted front-office request to fully compromise the shop and its underlying server. The module rebuilds price/weight slider filter values from the request URL and later reads them back through a native unserialize(), enabling PHP object injection whose gadget chain writes a PHP webshell into the module directory. No public exploit is identified at time of analysis, but the flaw is trivially reachable and rated CVSS 10.0.

Deserialization Microsoft PHP
NVD GitHub
CVSS 3.1
10.0
CVE-2026-15282 CRITICAL Act Now

Unauthenticated arbitrary file upload in the Instant Appointment WordPress plugin (all versions ≤ 1.2) lets remote attackers upload files of any type through the 'insapp_upload_image_as_attachment' function, which lacks file-type validation, potentially enabling remote code execution by planting a PHP webshell. Any WordPress site running the plugin is exploitable without authentication or user interaction, matching its 9.8 CVSS rating. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

WordPress RCE File Upload
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-14894 CRITICAL Act Now

Unauthenticated remote code execution in the Super Forms - Drag & Drop Form Builder WordPress plugin (all versions through 6.3.313) allows attackers to upload executable files via the nopriv submit_form AJAX handler, which lacks both file-type validation (CWE-434) and any capability check. The plugin's only guardrail is a session nonce, but the companion super_create_nonce nopriv action lets any visitor mint a valid sf_nonce and session cookie on demand, collapsing the attack to two unauthenticated HTTP requests. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial exploitability make this a high-priority patch item.

WordPress RCE File Upload Super Forms Drag Drop Form Builder
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-12761 CRITICAL Act Now

Authentication bypass in the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) WordPress plugin through version 7.7.0 lets unauthenticated attackers seize any account, including administrators. The Profile Completion flow trusts an attacker-supplied 'email_field' POST value without confirming it matches the OAuth provider's verified identity, and the send_otp_token() routine leaks a SHA-512(customer_key||otp) hash to the client where the OTP is one of only 99,000 values and customer_key is a static (often empty) option - so the OTP can be brute-forced offline in under a second. Rated CVSS 9.8; no public exploit identified at time of analysis, but the full attack primitive is described in the Wordfence advisory.

Authentication Bypass WordPress Google Miniorange Social Login And Register Discord Google Twitter Linkedin
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-57807 CRITICAL Act Now

Authentication bypass in the miniOrange OAuth Single Sign On - SSO (OAuth Client) WordPress plugin (versions up to and including 38.5.8) lets remote unauthenticated attackers abuse an alternate authentication path in the password-recovery flow to log in as arbitrary users, including administrators. Rated CVSS 9.8, the flaw grants full account takeover without credentials or user interaction; there is no public exploit identified at time of analysis, but the plugin's SSO role and low attack complexity make it a high-value target.

Authentication Bypass Oauth Single Sign On Sso Oauth Client
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-59792 CRITICAL PATCH Act Now

Code execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper sanitization of the project workspace ID to write or reference files outside the intended workspace directory, culminating in arbitrary code execution. The flaw was self-reported by JetBrains and a fix is available; no public exploit has been identified at time of analysis. The NVD-assigned CVSS of 9.8 (network, no privileges, no user interaction) is notably high for a desktop IDE flaw and warrants scrutiny given that IDE project-handling bugs typically require a victim to open a crafted project.

Path Traversal RCE Intellij Idea
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-40008 CRITICAL PATCH Act Now

Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and instantiated via Class.forName().newInstance() with no allowlisting, enabling arbitrary class loading and likely remote code execution in the database server process. It affects all releases from 1.0.0 up to (but not including) 2.0.10 and is fixed in 2.0.10. No public exploit identified at time of analysis, and EPSS is low (0.25%, 17th percentile), though CISA SSVC rates the technical impact as total and considers exploitation automatable.

Java Information Disclosure Apache Apache Iotdb
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-28564 CRITICAL PATCH Act Now

Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials against the REST interface because Basic Authentication continues to accept cached credentials that should have been invalidated. An attacker who has captured or previously held valid credentials can keep authenticating after those credentials should have expired or been revoked, gaining full read/write control of the time-series database. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), so no active exploitation is indicated despite the 9.8 CVSS.

Authentication Bypass Apache Apache Iotdb
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-12535 CRITICAL PATCH Act Now

Object injection in the Drupal Formatter Field contributed module (all versions from 0.0.0 up to but not including 2.0.0) allows remote unauthenticated attackers to improperly modify dynamically-determined object attributes, potentially leading to arbitrary code execution or full site compromise. The flaw carries a CVSS 9.8 rating, but with no public exploit identified and a low EPSS probability (0.17%, 7th percentile), and SSVC currently rates exploitation as 'none'. A vendor patch is available via Drupal advisory SA-CONTRIB-2026-048.

Code Injection Formatter Field
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-9726 CRITICAL PATCH Act Now

PHP object injection in the Drupal AlternativeCommerce (Basket) contributed module (all versions up to and including 2.1.17) allows remote unauthenticated attackers to modify dynamically-determined object attributes and inject crafted objects into the application. Successful exploitation can lead to code execution or full compromise of the Drupal site, with CVSS 3.1 scoring it 9.8 (Critical). No public exploit identified at time of analysis, and EPSS is low at 0.16% (6th percentile), indicating no observed exploitation activity yet despite the high severity rating.

Code Injection Drupal Alternativecommerce Basket
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-11913 CRITICAL Act Now

Stored/reflected cross-site scripting (CWE-79) affects the Drupal contributed module 'Mother May I' across all released versions (*.*), letting attackers inject script that executes in the browser context of other Drupal users. Because the module is a Drupal add-on rather than core, exposure is limited to sites that have installed it, and no public exploit has been identified. EPSS is low (0.15%, 5th percentile) and the flaw is not on the CISA KEV list, indicating no known active exploitation despite the vendor-assigned 9.8 rating.

XSS Mother May I
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-10768 CRITICAL PATCH Act Now

Missing authorization in the Drupal LocalGov Workflows contrib module (all versions 0.0.0 through 1.6.0, fixed in 1.6.0) lets remote attackers reach protected workflow-related routes through forceful browsing without proper permission checks. The flaw carries a vendor CVSS of 9.8 (AV:N/AC:L/PR:N/UI:N), but EPSS is low (0.14%, 4th percentile) and there is no public exploit identified at time of analysis. Affected sites are Drupal deployments running this LocalGov Drupal editorial-workflow module.

Authentication Bypass Localgov Workflows
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-5801 CRITICAL Act Now

SQL injection in Semtek SEM-PMP through build 23042026 allows remote attackers to inject arbitrary SQL and, per the vendor description, escalate to operating-system command execution through the database layer. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating and is reachable over the network without authentication or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the combination of unauthenticated network reach and command-execution impact makes it a high-priority patching target.

SQLi Sem Pmp
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-2397 CRITICAL Act Now

SQL injection in Adam Retail Automation's MobilMen 20T retail-automation software (versions v3 through build 10072026) lets remote attackers inject arbitrary SQL through improperly neutralized input, yielding full read/write access to the backing database. Rated CVSS 9.8 by TR-CERT with an unauthenticated network-reachable vector, though no public exploit has been identified and it is not on CISA KEV. The vendor was contacted but did not respond, so no fix is available.

SQLi Mobilmen 20T
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-59151 CRITICAL PATCH Act Now

Cross-tenant account takeover in Prowler (cloud security platform) before 5.30.3 lets an authenticated attacker who operates a controlled SAML IdP obtain a tenant-scoped JWT for a victim tenant. The ACS finish logic in api/src/backend/api/v1/views.py derived the destination tenant from the user-asserted email domain rather than binding token issuance to the validated SAML configuration, so an attacker completing a legitimate SAML flow for their own domain while asserting a victim-domain email address receives a SAMLToken and JWT for the wrong tenant. Rated CVSS 9.6 (scope-changing); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Prowler
NVD GitHub
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-15319 MEDIUM POC PATCH This Month

Improper access control in Sipeed PicoClaw up to version 0.2.9 allows remote unauthenticated attackers to bypass the IP allowlist enforced by the Launcher's web backend middleware. The flaw resides in the IPAllowlist function within web/backend/middleware/access_control.go, which fails to correctly enforce source-address restrictions, permitting unauthorized network access to protected endpoints. A public proof-of-concept exploit exists (GitHub issue #3069), and an upstream patch (PR #3126) has been submitted but a formally released patched version has not been independently confirmed.

Authentication Bypass Picoclaw
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-61444 CRITICAL PATCH Act Now

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api.py run arbitrary Python, because that value is interpolated directly into an f-string that is later executed as generated server code via subprocess.Popen(). The CVSS 4.0 base score is 9.4 and the vector requires high privileges (PR:H), meaning the attacker must already be able to reach and drive the deployment API. No public exploit has been identified at time of analysis and it is not on the CISA KEV list.

Code Injection Python RCE Praisonai
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-15378 CRITICAL Act Now

Server-Side Request Forgery in the guardrails-detectors component allows a remote attacker to submit a crafted XML Schema Definition (XSD) that forces the service to make attacker-directed requests, reaching cloud metadata services, the Kubernetes API, internal MinIO object storage, and other internal endpoints, and to read local files such as service account tokens and pod secrets. Because the flaw is blind SSRF chained to local file disclosure inside a container/Kubernetes context, an attacker can harvest credentials and pivot deeper into the cluster. No public exploit identified at time of analysis, but the CVSS 9.3 rating and scope-changing impact make this high priority for affected AI-guardrails deployments.

Authentication Bypass SSRF Kubernetes
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-55879 CRITICAL PATCH Act Now

Stored cross-site scripting in OpenReplay 1.24.0 through versions before 1.25.0 allows an unauthenticated attacker holding only a public project key to inject script via custom event names and captured page URLs, which the tracking SDK stores in ClickHouse without output encoding and the authenticated dashboard later renders through TextEllipsis and the event-details modal. When a logged-in operator views the poisoned session, the payload executes in the dashboard origin, reads the session JWT from localStorage, and enables full dashboard account takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS base score is 9.3 and a vendor fix exists in 1.25.0.

XSS Openreplay
NVD GitHub
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-12276 MEDIUM POC PATCH This Month

Unauthenticated account registration bypass in the LA-Studio Element Kit for Elementor WordPress plugin (all versions before 1.6.1) allows remote, unauthenticated attackers to create WordPress user accounts on sites where site-wide registration has been explicitly disabled by the administrator. The vulnerable component is an unauthenticated AJAX action handler that omits the standard WordPress registration-status check, effectively nullifying an administrative security control. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 1.6.1; no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

WordPress Information Disclosure La Studio Element Kit For Elementor
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-54072 CRITICAL PATCH GHSA Act Now

Token theft via open redirect in the Authorizer identity server (authorizerdev/authorizer) lets an unauthenticated attacker steal a logged-in victim's OAuth/OIDC tokens. The /authorize endpoint fails to validate the redirect_uri against AllowedOrigins, so with response_type=token or id_token the server appends access_token, id_token, and refresh_token to any attacker-supplied URL via a 302 redirect. Detailed reproduction steps are public in advisory GHSA-h29v-hj44-q8cv, and the required client_id is trivially harvested from the unauthenticated /graphql meta query; no active exploitation is confirmed in CISA KEV at time of analysis.

Open Redirect
NVD GitHub
CVSS 3.1
9.3
CVE-2026-15143 CRITICAL Act Now

Server-side request forgery in the file_type content detector of guardrails-detectors (a component shipped with Red Hat OpenShift AI/RHOAI) allows a remote attacker to submit an arbitrary XML Schema Definition (XSD) that the parser resolves without restriction, coercing the server into fetching attacker-chosen URLs or reading local files. Because the CVSS vector is AV:N/PR:N/UI:N with a changed scope and high confidentiality impact (base score 9.3), an unauthenticated attacker can pivot into internal networks and harvest secrets such as cloud provider credentials. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

SSRF Information Disclosure Red Hat Openshift Ai Rhoai
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-56765 CRITICAL PATCH Act Now

Instance-wide data breach in Vikunja before 2.2.1 lets remote attackers exfiltrate and destroy every file attachment across all projects on a server. Two flaws chain together: the LinkSharing.ReadAll endpoint leaks share hashes to any user with read access, enabling escalation to admin-level shares, and the GetTaskAttachment endpoint validates permissions against a user-supplied task ID while fetching the attachment by an unrelated sequential ID, an insecure-direct-object-reference that ignores ownership. Rated CVSS 4.0 9.3 (critical) with a network, unauthenticated vector; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Vikunja
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-56261 CRITICAL PATCH Act Now

Server-side request forgery in Crawl4AI's Docker API server (versions before 0.8.7) allows remote unauthenticated attackers to coerce the server into making arbitrary internal requests. The /crawl/job and /llm/job endpoints accept caller-supplied webhook URLs without validating the destination, so an attacker can target private IP ranges, Docker network internals, or the cloud metadata endpoint (169.254.169.254) to reach otherwise unreachable services and harvest credentials. CVSS 4.0 rates it 9.2 (critical); no public exploit identified at time of analysis, and it is not listed in CISA KEV.

SSRF Docker Crawl4ai
NVD GitHub
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-41880 CRITICAL Act Now

OS command injection as root in the R-SOFT DMS Optical Character Recognition (OCR) module lets an authenticated attacker run arbitrary shell commands. Multiple OCR command-execution functions accept user-controllable file paths and pass them unsanitized to the system shell over SSH, yielding full root-level compromise of the document management server. No public exploit has been identified at time of analysis, and the flaw is mitigated in the default web-upload flow because URL encoding neutralizes the injection, which is reflected in the high attack complexity (AC:H).

Command Injection
NVD VulDB
CVSS 4.0
9.0
EPSS
1.3%
CVE-2026-58492 CRITICAL PATCH Act Now

SQL injection in the Grav CMS Database plugin (grav-plugin-database) prior to 1.2.0 lets attacker-controlled table names reach a raw SQL query. The PDO::tableExists method interpolates its table argument directly into a query with no sanitization, escaping, quoting, or whitelisting, so any consuming plugin or developer code that forwards untrusted input into that method can execute arbitrary SQL against the configured database. No public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 4.0 base score is 9.2, with an attack-requirement (AT:P) reflecting the dependency on downstream code passing tainted table names.

SQLi Grav
NVD GitHub
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-15300 CRITICAL Act Now

Unauthenticated SQL injection in the GEO my WP WordPress plugin (versions ≤ 4.5.4) lets remote attackers inject SQL through the numeric 'distance', 'lat', and 'lng' parameters of the proximity-search feature. Because the values are parsed from the raw query string and only passed through esc_sql() at unquoted numeric positions, payloads such as `1 OR SLEEP(3)` execute directly against the database. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV, but the network, no-auth attack profile makes it a high patching priority.

WordPress SQLi PHP
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-15089 CRITICAL Act Now

Authentication bypass in the Drupal Commerce Guest Registration contributed module allows remote unauthenticated attackers to circumvent identity verification during the guest checkout/registration flow, per Drupal advisory SA-CONTRIB-2026-079. The CVSS 9.1 scoring (C:H/I:H) indicates an attacker can gain unauthorized access to or hijack account/order data without credentials or user interaction. No public exploit has been identified at time of analysis, and the low EPSS score (0.24%, 15th percentile) suggests exploitation is not yet widespread.

Authentication Bypass Commerce Guest Registration
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-40005 CRITICAL PATCH Act Now

Arbitrary file write in Apache IoTDB (versions 1.0.0 through 2.0.9) lets remote attackers plant files anywhere the IoTDB process can write by abusing an unsafe API that fails to sanitize user-supplied pathnames. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with high confidentiality and integrity impact, and controlled file placement can escalate to code execution or overwrite of critical files. No public exploit has been identified at time of analysis, and EPSS is low (0.16%, 5th percentile) despite the 9.1 severity.

Path Traversal Apache Apache Iotdb
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-30007 HIGH PATCH This Week

Privilege escalation to root in the HestiaCP web hosting control panel (versions before 1.9.5) lets any low-privilege authenticated user run arbitrary OS commands as root by injecting a single-quote into an unvalidated DNS record type field. The flaw chains weak input validation in is_dns_record_format_valid() with unsafe eval-based zone parsing in update_domain_zone(), turning a routine DNS record creation into full host takeover. No public exploit is identified at time of analysis, but VulnCheck has published a detailed advisory and the vendor shipped a fix in 1.9.5.

Command Injection RCE Hestiacp
NVD GitHub
CVSS 4.0
8.7
EPSS
2.1%
CVE-2026-56688 CRITICAL PATCH Act Now

Root-level OS command execution in Dell PowerFlex Manager (versions prior to 5.1.0.1) lets a remote, high-privileged attacker inject operating-system commands during OS Repository processing, resulting in full appliance compromise. Because PowerFlex Manager orchestrates storage and HCI infrastructure, code execution as root also enables lateral movement into managed nodes. There is no public exploit identified at time of analysis, and Dell has released a fixed build (5.1.0.1) via advisory DSA-2026-066.

Command Injection Dell
NVD VulDB
CVSS 3.1
9.1
EPSS
1.3%
CVE-2026-51119 CRITICAL Act Now

An issue in Invixium IXM WEB v.2.3.85.25 allows an attacker to escalate privileges via the /SystemUsers/CreateAppUser components

Privilege Escalation N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-41876 HIGH This Week

OS command injection in R-SOFT DMS lets an authenticated user run arbitrary shell commands as the web server account by abusing the document converter. The konwertujAction() routine builds shell commands from unsanitized file-path and format parameters (CWE-78), so any user who can trigger a conversion can inject commands. Discovery is credited to CERT Polska; no public exploit identified at time of analysis and it is not listed in CISA KEV. CVSS 4.0 base is 8.7 (High).

Command Injection
NVD VulDB
CVSS 4.0
8.7
EPSS
1.2%
CVE-2026-54469 HIGH PATCH This Week

Remote command execution in Dell Unisphere for PowerMax versions 10.3.0.5 and prior allows a low-privileged authenticated user to run arbitrary OS commands with root privileges by abusing unsafe deserialization of untrusted data (CWE-502). Because the CVSS vector is AV:N/AC:L/PR:L, any account with minimal access on the management interface can escalate to full root control of the storage-management appliance. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but the low attack complexity and full CIA impact make it a high-priority patch for storage administrators.

Deserialization Dell
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-59793 HIGH PATCH This Week

Arbitrary file access in JetBrains TeamCity before 2026.1.2 lets an authenticated user abuse the Perforce (P4) VCS integration to read files outside intended boundaries on the TeamCity server host. The flaw (CWE-73, external control of file name or path) was self-reported by JetBrains and is fixed in 2026.1.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. With PR:L in the CVSS vector, exploitation requires a low-privilege account that can define or influence a Perforce VCS root, making it a realistic post-authentication threat on shared CI servers.

Information Disclosure Teamcity
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-15070 HIGH This Week

Remote code execution in the Salon Booking System - Free Version WordPress plugin (all versions ≤ 10.30.32) lets a remote attacker write attacker-controlled PHP into the plugin's web-accessible translate-constants.php file by abusing the unprotected setCustomText AJAX handler. Because the handler lacks proper nonce validation (CWE-352 CSRF), an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link can achieve full server-side code execution. Reported by Wordfence with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.

WordPress CSRF RCE PHP Salon Booking System Free Version
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-59161 HIGH PATCH This Week

Uncontrolled memory and CPU consumption in Excelize (qax-os/excelize), the widely used Go library for reading and writing Microsoft Excel spreadsheets, before version 2.11.0 lets a crafted XLSX file trigger a denial of service. The streaming worksheet reader behind the Rows and GetRows APIs fails to enforce the TotalRows (1,048,576) limit on the row 'r' attribute, so a tiny file declaring an out-of-range row index with no cell coordinate forces GetRows to allocate empty rows up to that attacker-chosen index. No public exploit identified at time of analysis, but the trigger is trivial to construct and the fix is confined to a single validation check.

Denial Of Service Microsoft Excelize
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-6212 HIGH This Week

Authorization bypass in Teracity TeraMIS (versions V03.26.01.14 through the 30.04.2026 build) lets an authenticated low-privilege user tamper with a user-controlled object key to reach records and functions belonging to other users or higher-privilege roles (CWE-639 IDOR). The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms remote, low-complexity exploitation by any account holder, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS and POC data were not provided.

Authentication Bypass Teramis
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-2398 HIGH This Week

Privilege escalation in Adam Retail Automation's MobilMen 20T (versions v3 through build 10072026) lets an authenticated low-privileged user manipulate a user-controlled key (CWE-639) to access resources or actions belonging to other, higher-privileged accounts. The flaw carries CVSS 8.8 and was reported by Turkey's national CERT (TR-CERT), but no public exploit identified at time of analysis and it is not in CISA KEV. The vendor was contacted but did not respond, so no coordinated fix is confirmed.

Authentication Bypass Privilege Escalation Mobilmen 20T
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-54149 HIGH PATCH This Week

OS command injection in MaxKB (1Panel-dev's open-source enterprise AI assistant) before 2.10.0-lts lets an authenticated user achieve arbitrary command execution on the host by importing a crafted .tool file that declares an MCP stdio transport and triggering it through an AI Chat node. Because the tool-import path (apps/tools/serializers/tool.py) and the MCP referencing path (base_chat_step.py) fail to consistently validate the MCP transport type, the MultiServerMCPClient spawns the attacker's stdio command locally. Rated CVSS 8.8; no public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Command Injection Maxkb
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-57584 HIGH PATCH This Week

Regular-expression denial of service (ReDoS) in the Phalcon PHP framework before 5.15.0 lets remote unauthenticated attackers exhaust server CPU by sending a crafted request URI. Every default MVC application registers a built-in route whose compiled PCRE pattern contains a nested quantifier that Router::handle() evaluates against the raw request path on every request, so a path with repeated slashes followed by decoded newlines triggers catastrophic backtracking. There is no public exploit identified at time of analysis, and the CVSS 4.0 score of 8.7 reflects a high availability impact with no confidentiality or integrity effect.

Denial Of Service PHP Cphalcon
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
Page 1 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy