Skip to main content
CVE-2026-56689 HIGH PATCH This Week

SQL injection in Dell PowerFlex Manager before 5.1.0.1 lets a low-privileged, remotely authenticated user inject crafted SQL into a backend query, resulting in unauthorized reading of database contents (information exposure). The flaw is fixed in 5.1.0.1 per Dell advisory DSA-2026-066, and there is no public exploit identified at time of analysis. Because exploitation requires a valid low-privilege account, the practical risk is highest in multi-tenant or broadly-provisioned management deployments rather than internet-facing unauthenticated exposure.

Dell SQLi Information Disclosure Powerflex Manager
NVD VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-55175 HIGH PATCH This Week

Remote code execution in Spinnaker's Rosco bakery service allows an authenticated user to run arbitrary code on Rosco pods by supplying a manifest that abuses unsafe YAML tag processing during Kustomize bake operations. The flaw (CWE-502 unsafe deserialization) affects release lines prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4, and grants full compromise of the affected pod (C:H/I:H/A:H). No public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor-published GitHub Security Advisory (GHSA-p68j-q7hf-3qcp) and multiple fix commits confirm the issue is real and patched.

Deserialization RCE Spinnaker
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-13347 HIGH This Week

Arbitrary file read in the Hide My WP Lite WordPress plugin (versions ≤ 1.3) lets unauthenticated attackers disclose any file readable by the web server - including wp-config.php with database credentials and secret keys - by abusing the he_wrapper_js and he_wrapper_css parameters handled by elementor_assets_filter(). Reported by Wordfence and rated CVSS 7.5, the flaw is confidentiality-only but exposes crypto salts and DB secrets that enable deeper compromise. There is no public exploit identified at time of analysis, and exploitation depends on the site also running Elementor with the plugin's 'Hide Elementor' feature enabled.

WordPress Path Traversal Hide My Wp Lite
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-15291 HIGH This Week

{id} REST endpoints, which ship with no authentication or authorization checks. Any anonymous visitor can harvest customer PII - names, emails, phone numbers, WhatsApp message contents, full geolocation (IP, city, country, ISP, coordinates), device fingerprints, and even WordPress account details (user IDs, usernames, emails) for logged-in users who submitted the form. There is no public exploit identified at time of analysis and it is not on CISA KEV, but exploitation is trivial and requires only an HTTP client.

Authentication Bypass WordPress Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57220 HIGH PATCH This Week

Memory-exhaustion denial of service in RabbitMQ server prior to 4.2.6 allows an unauthenticated remote client to crash or degrade the broker via its stream protocol listener. Because the stream listener fails to enforce the configured frame-size limit while assembling frames during authentication and before Tune negotiation, an attacker can declare oversized frame lengths and force unbounded memory allocation in rabbit_stream_core. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; risk stems from the trivially reachable, pre-authentication attack surface (CVSS 7.5).

Denial Of Service Rabbitmq Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-15290 HIGH This Week

Blind SQL injection in the Ultimate Member WordPress plugin (all versions through 2.10.1) lets unauthenticated attackers inject arbitrary SQL through the member-directory search parameter, enabling extraction of sensitive database contents such as password hashes and user records. The flaw is a residual gap from the earlier CVE-2025-0308 fix, which was only partially remediated in 2.9.2. No public exploit has been identified at time of analysis, but the plugin's large install base and unauthenticated network reachability make it an attractive target.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55213 HIGH This Week

Remote unauthenticated denial of service in the h2o HTTP server (all versions prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1) allows an attacker to crash the server by sending a crafted QPACK instruction over HTTP/3. The flaw causes lib/http3/qpack.c to allocate an ~800 KB on-stack buffer via alloca, overflowing the default musl libc pthread stack and segfaulting on the guard page. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; impact is limited to availability with no data exposure.

Denial Of Service H2O
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-55233 HIGH PATCH This Week

Denial of service in OpenResty 1.29.2.1 through 1.29.2.4 arises from an out-of-bounds write (CWE-787) in the upstream PROXY protocol v2 implementation; when the platform is configured to prepend PROXY protocol v2 headers to upstream connections, header construction in the stream proxy-protocol-v2 patch overruns its allocated buffer and crashes the worker process. Any environment that has explicitly enabled PROXY protocol v2 for upstream connections is affected, degrading availability without any impact to confidentiality or integrity. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; it is resolved in OpenResty 1.29.2.5.

Memory Corruption Denial Of Service Buffer Overflow Openresty
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-15288 HIGH This Week

Payment amount tampering in the SureForms WordPress plugin (versions ≤ 2.2.1) lets unauthenticated attackers submit arbitrary prices when completing Stripe checkout. Because the 'create_payment_intent' and 'create_subscription_intent' handlers trust the amount supplied in user-controlled POST data instead of the form's server-side configured price, an attacker can purchase products or subscriptions for a fraction of their real cost. Reported by Wordfence and fixed in 2.2.2; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-40006 HIGH PATCH This Week

Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the DataNode process when the AirGap pipe receiver is enabled. The receiver's readLength method reads an attacker-controlled 32-bit length field from a raw TCP connection on port 9780 and passes it directly to new byte[length], letting a single connection trigger a heap allocation of up to ~2 GB and exhaust JVM memory. No public exploit has been identified at time of analysis, but exploitation is trivial once the feature is enabled, and Apache has released a fixed version (2.0.10).

Authentication Bypass Apache Apache Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-40452 HIGH PATCH This Week

Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access last-value time-series data they are not authorized to view. Affected versions span the 1.3.x branch (1.3.5 through 1.3.7) and the 2.0.x branch (2.0.5 through 2.0.9). No public exploit code or active exploitation has been identified at time of analysis, but the REST interface nature of the flaw means any valid credential holder can attempt unauthorized data retrieval without elevated privilege.

Authentication Bypass Apache Apache Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40454 HIGH PATCH This Week

Denial of service in the Apache IoTDB C++ client (versions 1.3.5 before 1.3.8 and 2.0.5 before 2.0.10) allows a malicious or compromised IoTDB server to crash any connected client by returning malformed TsBlock response data. The client's TsBlock deserializer performs out-of-bounds reads (CWE-125) on attacker-controlled server payloads, terminating the client process. There is no public exploit identified at time of analysis, EPSS probability is low (0.14%), and impact is limited to availability of the client - no confidentiality or integrity effect is claimed.

Apache Buffer Overflow Information Disclosure Apache Iotdb C Client
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40007 HIGH PATCH This Week

Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attacker crash the AirGap receiver thread by exploiting unbounded recursion in its readLength method. When the pipe_air_gap_receiver_enabled=true option is set, repeated E-language prefixes in a single socket stream drive recursion arbitrarily deep until the JVM stack is exhausted and a StackOverflowError is raised. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.14%, 4th percentile), consistent with SSVC marking exploitation as 'none' though 'automatable: yes'.

Buffer Overflow Apache Apache Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-55687 HIGH PATCH This Week

Denial of service in Espressif's ESP-IDF JPEG driver (versions 6.0.1, 5.5.4, 5.4.4, 5.3.5 and likely earlier) stems from an out-of-bounds stack write in jpeg_parse_dqt_marker(), where the attacker-controlled DQT marker Tq nibble indexes the qt_tbl array without a 0..3 bounds check. Any application that feeds untrusted JPEG data into the hardware JPEG decode path can be reliably crashed by a single malformed image. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor has released a fix in 6.0.2 with backports pending for the 5.x branches.

Buffer Overflow Denial Of Service Stack Overflow Esp Idf
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-70796 HIGH This Week

An unauthenticated path traversal vulnerability exists in the web management interface of WTI (Wireless Technology, Inc.) version 3.5.0.r 2024/05/24 00:00:00. An unauthenticated attacker can craft malicious HTTP requests containing traversal sequences to access files outside of the intended web root directory. This may allow disclosure of sensitive system files and configuration data

Path Traversal N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-39244 HIGH This Week

adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompressed size header field. In zipEntry.js line 103, Buffer.alloc(_centralHeader.size) allocates memory based on the declared uncompressed size from the ZIP central directory header without validating it against the actual compressed data size or imposing any upper bound. The size value is read directly from the binary header at entryHeader.js line 266 with no bounds check. An attacker can craft a ~120-byte ZIP file that declares ~4GB uncompressed size, causing a memory allocation amplification ratio of over 33 million to 1. The allocation occurs before CRC validation, so the malicious payload cannot be rejected early. All extraction and read methods are affected: readFile(), readAsText(), extractEntryTo(), extractAllTo(), extractAllToAsync(), test(), and entry.getData(). Any application accepting untrusted ZIP files via adm-zip is vulnerable to immediate process crash.

Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57574 HIGH PATCH This Week

Authentication replay in Misskey before 2026.6.0 lets an attacker reuse a valid TOTP code that should be single-use, because UserAuthService fails to invalidate a code after its first successful use within the same time step. An adversary who concurrently captures a victim's password and one TOTP value can replay that code to authenticate, enabling unauthorized actions up to account takeover. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the vendor fixed the flaw in release 2026.6.0.

Authentication Bypass Misskey
NVD GitHub
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-53450 HIGH PATCH This Week

Server-side request forgery in coturn TURN/STUN server before 4.13.0 lets an authenticated TURN client bypass the default loopback-peer guard by supplying the IPv4-mapped IPv6 address ::ffff:127.0.0.1 in the XOR-PEER-ADDRESS attribute, relaying traffic to services bound only to the coturn host's localhost. The loopback check evaluates the literal IPv6 loopback shape before IPv4-mapped IPv6 normalization, so good_peer_addr never applies the rejection even when allow-loopback-peers is disabled. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is confirmed in version 4.13.0.

SSRF Coturn
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.3%
CVE-2026-54919 HIGH PATCH This Week

TLS certificate validation bypass in cpp-httplib's Mbed TLS backend (0.31.0-0.46.1) and wolfSSL backend (0.33.0-0.46.1) lets a man-in-the-middle attacker defeat HTTPS/WSS protection when a client connects to an IP-literal host with verification nominally enabled. SSLClient/Client in HTTPS mode skip certificate chain validation and the WebSocketClient on Mbed TLS skips verification entirely, so an intercepting attacker can present a crafted certificate and read or alter traffic. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is fixed in 0.47.0.

Information Disclosure Cpp Httplib
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.3%
CVE-2026-15081 HIGH PATCH This Week

SQL injection in the Drupal Location Selector contributed module (all releases from 0.0.0 up to and including 1.3.0) lets remote attackers inject arbitrary SQL through improperly neutralized input, exposing and modifying database contents. The CVSS 3.1 base score is 7.4 with a network vector but high attack complexity, and the affected products confirm the Drupal 'location_selector' contrib module rather than Drupal core. There is no public exploit identified at time of analysis, and the EPSS score is low at 0.19% (9th percentile), indicating little near-term mass-exploitation pressure.

SQLi Location Selector
NVD
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-56676 HIGH PATCH This Week

Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-proxy user to reach internal-only HTTP services. The image-URL validation resolves the host once to a public IP, but open-sse/translator/concerns/image.js performs the actual server-side fetch with a separate DNS lookup, so an attacker-controlled name can rebind to an internal address between the two resolutions. No public exploit identified at time of analysis; the flaw is fixed in 0.5.2.

Information Disclosure 9Router
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-53448 HIGH PATCH This Week

SQL injection in the Coturn TURN/STUN server's HTTPS admin panel (versions prior to 4.12.0) allows an authenticated administrator to inject arbitrary SQL via the du, ds, and dip query parameters of the delete-user, delete-secret, and delete-IP operations, yielding full backend database control and, on PostgreSQL deployments, OS-level command execution through COPY TO PROGRAM. The admin panel's parameters are interpolated into queries with snprintf while bypassing the is_secure_string filter that guards the STUN protocol path. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV; fixed in Coturn 4.12.0.

PostgreSQL SQLi Coturn
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.7%
CVE-2026-13430 HIGH This Week

Remote code execution in the Post Export Import with Media WordPress plugin (all versions ≤ 1.13.1) is possible because a trailing-dot filename bypass (e.g. 'shell.php.') defeats the extension allow-list in ajax_import_media_start(), letting an administrator-level user smuggle an executable PHP file into the uploads directory during a media import. Reported by Wordfence, the flaw carries CVSS 7.2 and has no public exploit identified at time of analysis; exploitation requires existing administrator (PR:H) access, making it primarily a hardening/defense-in-depth bypass rather than a mass-exploitable entry point.

WordPress PHP RCE File Upload Post Export Import With Media
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2026-56667 HIGH PATCH This Week

Stored cross-site scripting in ZITADEL's Login V2 (versions prior to 4.15.3) lets an organization or instance administrator plant a javascript: or data: URI in the loginSettings.defaultRedirectUri, which is passed to router.push on OIDC and SAML FailedPrecondition error paths without the isSafeRedirectUri validation, executing arbitrary script in a victim user's browser. Because the malicious value must be set by a privileged admin and only fires when a user hits a specific login error path, this is a privilege-escalation/session-compromise vector against the self-hosted identity platform rather than a mass-exploitable flaw. No public exploit identified at time of analysis; not listed in CISA KEV.

XSS Zitadel
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-15298 HIGH This Week

DOM-based cross-site scripting in the TelSender WordPress plugin (all versions through 1.14.14) lets unauthenticated attackers plant a malicious payload inside a Telegram chat title that the plugin renders unsanitized. When an administrator opens the TelSender settings page and clicks the 'Tested' button, the plugin processes the attacker-controlled Telegram API response and executes the injected script in the admin's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the scope-changed CVSS 7.2 reflects execution in the privileged admin context.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-22659 HIGH PATCH This Week

Authorization bypass in FlaskBB through 2.2.0 lets authenticated moderators perform lock, unlock, delete, or hide actions on topics in forums they have no authority over. By anchoring a crafted batch request with a low-ID topic from a permitted forum, the attacker slips past a permission check that is applied only to the first result. No public exploit is identified at time of analysis, and the flaw is fixed in commit acc88cf.

Authentication Bypass Flaskbb
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-1667 HIGH This Week

Missing authorization in the Squirrly SEO plugin for WordPress (all versions through 14.0.0) lets unauthenticated attackers create arbitrary posts by abusing a leaked API token, and — when the Advanced Custom Fields (ACF) plugin is also active — plant stored cross-site scripting that fires whenever any user views the injected page. Wordfence rates it CVSS 7.2 with scope change because a single unauthenticated request can seed persistent content and script that later executes in visitors' and administrators' browsers. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the unauthenticated, low-complexity nature makes it an attractive target for automated WordPress campaigns.

Authentication Bypass WordPress XSS Geo Plugin By Squirrly Seo
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-41878 HIGH This Week

Broken object-level authorization in R-SOFT DMS lets any authenticated user download arbitrary files by manipulating the object ID in multiple file-download endpoints, since the application enforces only session authentication and never checks whether the requester owns or may access the requested file. This is an authenticated confidentiality breach (CVSS 4.0 7.1) affecting all versions prior to v3.19-2862 and v3.17-2580. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD VulDB
CVSS 4.0
7.1
EPSS
0.5%
CVE-2026-41482 HIGH PATCH This Week

Local file inclusion in the Frappe Framework's Chrome PDF Generator (versions prior to 16.18.3) allows an authenticated user to abuse the 'secure local resource access' mechanism to traverse the filesystem and read arbitrary local files on the server. The flaw is a CWE-22 path traversal disclosed via GitHub Security Advisory GHSA-234v-jfr8-v2f8 and carries a CVSS 4.0 base score of 7.1 (VC:H - confidentiality-only impact). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network vector with only low privileges makes it a meaningful information-disclosure risk on multi-tenant deployments.

Path Traversal Google Frappe
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-39903 HIGH PATCH This Week

Authorization bypass in Simple Machines Forum (SMF) 2.1 before 2.1.8 and 3.0 before 3.0 Alpha 5 lets any authenticated low-privileged member manipulate the attachment moderation queue without the required approve_posts permission. A single-character operator mistake in Sources/Actions/AttachmentApprove.php makes the permission check evaluate to true for everyone, so an ordinary user can approve, reject, or delete pending attachments on any board and enumerate other users' unapproved uploads. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by VulnCheck and a vendor patch is available.

Authentication Bypass PHP Smf
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-11321 HIGH PATCH This Week

Authenticated SQL injection in the GLPI DataInjection plugin 2.15.6 (GLPI 11 builds) lets an operator with access to the Data injection feature smuggle SQL into the database by placing expressions in CSV field values, which the import routine concatenates directly into queries without parameterization or escaping (CWE-89). By mapping a payload such as SLEEP() to a field like Serial Number, an attacker performs time-based blind extraction of arbitrary database contents. Reported by VulnCheck and fixed in version 2.15.7; it is not on CISA KEV and no public exploit was identified at time of analysis.

SQLi Datainjection
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-49394 HIGH PATCH This Week

Broken access control in the Frappe framework (all versions prior to 16.19.0) lets a low-privileged authenticated user modify public Workspaces they should not control, because the update_page endpoint failed to enforce the Workspace Manager edit permission on public workspaces. Any user able to reach the endpoint can alter shared workspace layout and content, an integrity-only impact with no data disclosure. No public exploit has been identified, EPSS/KEV data were not provided, and the fix is shipped in Frappe 16.19.0.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57214 HIGH PATCH This Week

Stored cross-site scripting in the RabbitMQ management UI (versions prior to 4.2.5) lets a user holding queue/exchange declaration permissions inject JavaScript that executes in another user's browser when they view the Queues or Exchanges pages. The malicious payload is supplied via the x-internal-purpose queue or exchange argument, which is rendered into an HTML title attribute without escaping. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in RabbitMQ 4.2.5.

XSS Microsoft Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57212 HIGH PATCH This Week

Uncontrolled resource consumption in the RabbitMQ Management plugin's HTTP API lets an authenticated client crash or degrade the broker by submitting oversized-but-valid JSON bodies. The flaw lives in read_complete_body, which validates accumulated body size before the final chunk but never checks the final combined size, so the with_decode and direct_request code paths buffer and decode payloads that exceed intended limits. Affected releases are all versions prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-55460 HIGH PATCH This Week

Broken authorization in Snipe-IT before 8.6.2 lets an authenticated non-admin user who holds users.view and users.edit - but explicitly not users.delete - soft-delete other non-admin user accounts by POSTing delete_user=1 to /users/bulksave. The root cause is that BulkUsersController::destroy() checks only the 'update' authorization, so the delete permission gate is never enforced. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-55881 HIGH PATCH This Week

Cross-tenant information disclosure in OpenReplay's self-hosted session-replay backend (versions 1.22.0 through 1.26.x) lets any authenticated low-privilege user retrieve the first 15 seconds of another tenant's DOM session-replay recording. The getFirstMob endpoint issued a 15-second presigned S3 URL keyed only on a user-supplied session path, while validateProjectAccess confirmed project-to-tenant ownership but never confirmed that the requested session actually belonged to that project, breaking multi-tenant isolation. No public exploit identified at time of analysis, but the flaw is trivially triggerable by any valid account and is fixed in 1.27.0.

Authentication Bypass Openreplay
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-55880 HIGH This Week

Broken object-level authorization (IDOR) in OpenReplay 1.27.0 and earlier lets any authenticated project member tamper with other users' private data: the notes.delete, dashboards.update_widget, and dashboards.remove_widget backend functions omit the ownership predicate their sibling read/edit functions enforce, so they act on any note or widget matching only an id and project/dashboard id. An authenticated low-privilege member can delete another user's private session notes and remove or rewrite widgets on another user's private dashboards. There is no public exploit identified and no CISA KEV listing; impact is integrity/availability of other tenants' data, not disclosure (CVSS 7.1, C:N/I:H/A:L).

Authentication Bypass Openreplay
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-55474 HIGH PATCH This Week

Arbitrary file read in Snipe-IT before 8.5.0 lets an authenticated user abuse the ActionlogController::displaySig endpoint, which concatenates the route's filename parameter into a private upload-directory path without sanitization, enabling relative path traversal (CWE-23) to read any file the web server process can access. The CVSS 4.0 base score is 7.1 with high confidentiality impact only; there is no public exploit identified at time of analysis and no CISA KEV listing. Because Snipe-IT stores database credentials and application secrets in web-readable files, the practical impact can extend beyond simple information disclosure toward full application compromise.

Information Disclosure Snipe It
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-61455 HIGH PATCH This Week

Denial of service in Grav CMS before 2.0.1 allows authenticated users to exhaust server storage by uploading a crafted ZIP archive (a decompression bomb) that the ZipArchiver::extract() routine expands without enforcing limits on uncompressed size, file count, or nesting depth. The CVSS 4.0 base score of 7.1 reflects a network-reachable, low-privilege flaw whose sole impact is high availability loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Grav
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-61450 HIGH PATCH This Week

Sensitive configuration exfiltration in Grav CMS before 2.0.2 lets an authenticated page author bypass the Twig sandbox and read the full config tree, including plugin SMTP credentials, API keys, and database passwords. The flaw is an incomplete fix for the earlier GHSA-j274-39qw-32c9 sandbox escape: the redacted 'config' facade is still trivially bypassed through the allow-listed grav.offsetGet('config') call. No public exploit has been identified at time of analysis, though the bypass technique is fully described in the vendor advisory.

Code Injection PHP RCE Grav
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-61441 HIGH PATCH This Week

Broken authorization in PraisonAI Platform before 0.1.9 lets an authenticated workspace member delete owner-created issue dependencies they should not be able to remove. The DELETE dependency route accepts either endpoint of a dependency edge and validates delete permission only against the caller-supplied issue URL, so a member blocked (403) via the owner's issue endpoint can delete the same edge by targeting their own member-owned issue endpoint. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication Bypass Praisonai
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56335 HIGH PATCH This Week

Improper access control in Capgo before 12.128.2 lets holders of write-scoped API keys directly mutate protected channel configuration fields (such as public, allow_emulator, and security-related flags) through the PostgREST data layer, bypassing intended application route restrictions. The flaw stems from a null authentication check in the database immutability trigger, allowing a low-privileged but authenticated actor to alter integrity-sensitive delivery settings for a Capacitor live-update backend. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-55843 HIGH PATCH This Week

Improper permission handling in Snipe-IT before 8.6.0 lets a privileged user strip another user's administrative or granular permissions when editing their account. Because UsersController::update() treats a missing permissions field as a sparse payload rather than a no-op, an administrator editing another administrator — or any user holding users.edit editing a regular account — can silently wipe the target's privileges. No public exploit identified at time of analysis; this is an authenticated integrity/availability issue rather than a remote takeover.

Privilege Escalation Snipe It
NVD GitHub
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-57217 HIGH PATCH This Week

Authorization bypass in RabbitMQ topic permissions lets an authenticated user with restricted topic rights publish to or bind on topics they should be denied, but only during metadata-store failure windows. When the Khepri metadata store returns a lookup error, the topic-permission result collapses to 'undefined', which the internal authorization backend fails open and treats as 'allow'. There is no public exploit identified at time of analysis and it is not on CISA KEV; the CVSS 4.0 base score is 7.0.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-57215 HIGH PATCH This Week

Improper authorization in RabbitMQ broker (versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) allows an authenticated client to create foreign bindings against another connection's volatile amq.rabbitmq.reply-to (direct reply-to) destination, so persistent route entries survive after unbind and can leak RPC reply traffic intended for other clients. The flaw stems from Khepri-backed deletion checks that omit these volatile pseudo-queues, letting stale routes persist. No public exploit identified at time of analysis; exploitation requires valid credentials and has high attack complexity per the vendor CVSS 4.0 vector.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-54000 HIGH PATCH This Week

Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard (unprivileged) user escalate to SYSTEM by planting a maliciously crafted process whose Process Environment Block (PEB) contains oversized command-line or current-directory strings. When the osquery agent - typically running as SYSTEM - queries the `processes` table against that process, unchecked PEB string lengths trigger a heap-based out-of-bounds write (CWE-122). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation Heap Overflow Microsoft Buffer Overflow Osquery
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-54001 HIGH PATCH This Week

Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard user escalate to SYSTEM by planting a maliciously crafted binary and having the authenticode table query it, triggering a heap out-of-bounds write in the getOriginalProgramName publisher-parsing routine. The flaw is a CWE-122 heap buffer overflow reachable whenever osquery (typically running as SYSTEM) evaluates authenticode publisher metadata against attacker-controlled files. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.

Privilege Escalation Heap Overflow Microsoft Buffer Overflow Osquery
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-59162 MEDIUM PATCH This Month

Panic-triggering denial of service in the Excelize Go library (all versions prior to 2.11.0) allows any actor who can supply a crafted XLSX file to crash the consuming application. The root cause is an integer bounds check that validates only the upper bound of shared-string indices, permitting a cell value of -1 to reach a slice-index operation as a negative integer and cause a Go runtime panic in `GetCellValue` or `GetRows`. No active exploitation has been identified at time of analysis, but the attack is trivially constructable and requires no privileges if the target application exposes XLSX processing to untrusted input.

Microsoft Information Disclosure Excelize
NVD GitHub
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-38057 HIGH CISA This Week

Cross-site request forgery in ST Engineering iDirect satellite terminals (Evolution iQ-series, including the iQ200, plus 3315-series and 9-series) lets a remote attacker force an authenticated administrator's browser to submit a POST to the /api/reboot endpoint, rebooting the modem and dropping the satellite link. Because the session cookie lacks a SameSite attribute and no CSRF token is validated, simply luring a logged-in admin to a malicious page triggers the reboot; repeated abuse sustains a denial-of-service against connectivity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

CSRF Evolution Iq Series Terminals 3315 Series 9 Series Terminals
NVD GitHub
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-42219 MEDIUM PATCH This Month

Path traversal via the download_backups endpoint in Frappe framework exposes arbitrary server-side files to authenticated high-privilege users. Affected versions span the entire v15 branch prior to 15.109.0 and the v16 branch prior to 16.19.0 (CPE: cpe:2.3:a:frappe:frappe:*). An attacker holding administrator-level credentials can craft a traversal payload in the backup download request to read files outside the intended backup directory, achieving high confidentiality impact with no integrity or availability consequence. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Path Traversal Frappe
NVD GitHub
CVSS 4.0
6.9
EPSS
0.5%
Prev Page 3 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy