Skip to main content
CVE-2026-15481 HIGH POC This Week

Command injection in the TRENDnet TEW-635BRM wireless router (firmware through 1.00.03) lets an authenticated remote attacker inject OS commands via the ipoa_ipaddr argument handled by the ipoa_test function in /sbin/rc during IPoA WAN connection setup. Publicly available exploit code exists (published via VulDB and a researcher write-up), and because the device runs its control logic as a privileged system process, successful injection yields full command execution on the router. The product has been end-of-life since 2011 and the vendor will not issue a fix, so exposure is permanent for still-deployed units; there is no CISA KEV listing or confirmation of active exploitation.

Command Injection Tew 635Brm
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-15480 HIGH POC This Week

Stack-based buffer overflow in the TRENDnet TEW-635BRM wireless router (firmware up to 1.00.03) lets an authenticated remote attacker overflow a fixed-size stack buffer through the device_name argument handled by the start_httpd function in /sbin/rc, potentially achieving arbitrary code execution on the device. Publicly available exploit code exists (VulDB), though it is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis. The device has been end-of-life since 2011 and the vendor declined to confirm the flaw, meaning no fix will be issued.

Buffer Overflow Stack Overflow Tew 635Brm
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-15506 HIGH POC This Week

Local privilege escalation in SecureAge CatchPulse endpoint protection (versions up to and including 10.9.3) stems from a heap-based buffer overflow in the kernel driver saappctl.sys, where an authenticated local user can corrupt kernel heap memory to gain code execution at ring 0. Publicly available exploit code exists (demonstrated in a YouTube proof-of-concept), but there is no public exploit identified as being used in active attacks and the issue is not on CISA KEV. The CVSS 4.0 base score of 7.1 reflects local-only reachability but full compromise of confidentiality, integrity, and availability on the host once triggered.

Heap Overflow Buffer Overflow Catchpulse
NVD VulDB GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-15511 HIGH This Week

OS command injection in the Comfast CF-WR631AX V3 WiFi router (firmware through 2.7.0.8) lets remote attackers execute arbitrary operating-system commands by manipulating the filename argument in the system_wl_upload_pic_file routine of the /usr/bin/webmgnt FastCGI backend. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation, and publicly available exploit code exists (E:P). It is not listed in CISA KEV, so there is no confirmed active exploitation, but the public disclosure lowers the barrier for opportunistic attacks against exposed devices.

Command Injection
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
2.7%
CVE-2026-56260 HIGH PATCH This Week

Arbitrary file write in Crawl4AI's Docker API server (versions before 0.8.7) lets remote unauthenticated attackers overwrite any file writable by the service account by abusing the unvalidated output_path parameter on the /screenshot and /pdf endpoints. Reported by VulnCheck and disclosed in GitHub advisory GHSA-365w-hqf6-vxfg, the flaw enables path traversal or absolute-path writes that corrupt server files and cause denial of service. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privileges attack surface makes it a straightforward target once a Crawl4AI Docker server is exposed.

Path Traversal Denial Of Service Docker Crawl4ai
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-56259 HIGH PATCH This Week

Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attackers steal secrets from the host. By abusing the exposed /md, /llm, and /llm/job endpoints, an attacker supplies a malicious base_url to redirect outbound LLM API calls and sets api_token to the special form env:VARIABLE_NAME, causing the server to resolve and leak arbitrary environment variables - including provider API keys and the JWT SECRET_KEY, which in turn enables full authentication bypass. No public exploit identified at time of analysis, but the flaw is trivially exploitable and reported by VulnCheck with an assigned CVSS 4.0 score of 8.8.

Authentication Bypass Docker Information Disclosure Crawl4ai
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-15484 HIGH PATCH Monitor

Buffer overflow in the TRENDnet TEW-821DAP (firmware 1.12B01) wireless access point lets an authenticated remote attacker corrupt memory through the ssi-driven /goform/tools_nslookup handler (function sub_41EC14), enabling likely remote code execution or device crash. The device is end-of-life and the vendor has stated it cannot confirm or fix the issue, so no official patch is expected. A public technical write-up describing the overflow exists on GitHub (VulDB-coordinated disclosure), but there is no confirmed active exploitation in CISA KEV.

Buffer Overflow Tew 821Dap
NVD VulDB GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-15483 HIGH PATCH Monitor

Buffer overflow in the TRENDnet TEW-821DAP (v1.0R, firmware 1.12B01) dual-band access point lets an authenticated remote attacker corrupt memory via the ssi handler sub_41EC14, reachable through the /goform/tools_nslookup endpoint. Supplying an oversized nslookup_target value overruns a fixed buffer (CWE-120), enabling denial of service and likely arbitrary code execution on the device. No public exploit has been identified at time of analysis; the product is end-of-life and the vendor states it cannot confirm the flaw.

Buffer Overflow Tew 821Dap
NVD VulDB GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-61875 HIGH This Week

Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload that executes in the router administrator's browser. By supplying malicious HTML in the NewPortMappingDescription field of a UPnP IGD AddPortMapping SOAP request, an attacker gets miniupnpd to store the value and luci-app-upnp to render it unencoded on the UPnP and Status pages. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High).

XSS Luci
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59260 HIGH This Week

Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke the root-owned Samba daemon with attacker-controlled arguments. The package's 'read' ACL improperly grants file.exec permission on /usr/sbin/smbd, so a low-privileged operator can launch smbd with global options like 'message command' and achieve arbitrary command execution as root when SMB messages are processed. Reported by VulnCheck with a GHSA advisory published; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Luci
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-56238 HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 exposes confidential business metrics through the Supabase PostgREST /rest/v1/global_stats endpoint, which lacks row-level security enforcement. Any remote party holding only the public (anon) Supabase apikey - a value embedded in Capgo client apps and therefore trivially obtainable - can read MRR, total and plan-tier revenue, customer counts, and operational telemetry. Reported by VulnCheck via a GitHub security advisory; no public exploit code or active exploitation has been identified at time of analysis, though the CVSS 4.0 score of 8.7 reflects high confidentiality impact with no barriers to access.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56308 HIGH PATCH This Week

Account takeover in Capgo before 12.128.2 arises because the email-change endpoint performs no current-password re-authentication and no verification of the existing email address, letting an attacker who already holds a valid session cookie or an authenticated browser silently repoint the account email. By seizing the recovery address, the attacker captures password-reset flows and sidesteps multi-factor authentication, converting a hijacked session into durable full account control. There is no public exploit identified at time of analysis, but the flaw is vendor-confirmed via GitHub Security Advisory GHSA-9px4-w25f-mvm4 and reported by VulnCheck.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.2%
CVE-2026-58596 HIGH PATCH Exploit Likely This Week

Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim into loading crafted web content that triggers an untrusted pointer dereference (CWE-822). Microsoft rates it CVSS 8.3, driven by a scope change (sandbox/boundary crossing) and full confidentiality, integrity, and availability impact, but exploitation requires user interaction and is of high attack complexity. No public exploit identified at time of analysis (E:U), it is not on CISA KEV, and an official vendor fix is available.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.5%
CVE-2026-10666 HIGH PATCH This Week

Out-of-bounds stack write in the Zephyr RTOS IPv4 address parser (parse_ipv4() in subsys/net/ip/utils.c) lets an attacker corrupt memory when an application resolves an attacker-influenced "a.b.c.d:port" string, causing at minimum denial of service and potentially control-flow hijack on the affected embedded device. The defect exists in every release from v1.9.0 through v4.4.0 and is reachable through the standard socket resolver (zsock_getaddrinfo), DNS server-string configuration, and the eswifi Wi-Fi DNS-response path. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor fix (two upstream commits and advisory GHSA-532c-7g7f-jhmh) is available.

Memory Corruption Denial Of Service Buffer Overflow Zephyr
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-10667 HIGH PATCH This Week

Kernel memory corruption in the Zephyr RTOS (versions v1.14.0 through v4.4.0) lets an unprivileged user-mode thread corrupt the kernel's dynamic object-tracking list across the userspace security boundary. The flaw is a use-after-free race (CWE-416) in the obj_list traversal, exploitable only on builds combining CONFIG_SMP, CONFIG_USERSPACE, and CONFIG_DYNAMIC_OBJECTS, and can yield privilege escalation or a kernel crash. No public exploit identified at time of analysis; a vendor patch is available.

Memory Corruption Buffer Overflow Denial Of Service Use After Free Privilege Escalation +1
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-10665 HIGH PATCH This Week

Out-of-bounds write in the WireGuard subsystem of Zephyr RTOS 4.4.0 lets a malicious or compromised WireGuard peer (or an on-path attacker driving an established session) corrupt memory by sending an oversized transport-data datagram. Because the flawed copy occurs before the Poly1305 authentication check, exploitation needs only a valid receiver session index rather than a valid authenticator, and reliably yields at least a remote denial of service on the target device. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the Zephyr project has published advisory GHSA-3wqm-wgx2-9367 and an upstream fix.

Memory Corruption Denial Of Service Buffer Overflow Zephyr
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.4%
CVE-2026-56241 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 lets demoted super_admin users retain organization-wide bundle management rights because the org_users.user_right column is not cleared when their role binding is deleted. A user who once held super_admin can continue invoking the delete_non_compliant_bundles and count_non_compliant_bundles RPCs to enumerate and bulk-delete non-compliant bundles across the entire organization indefinitely, well after their privileges were supposedly revoked. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Privilege Escalation Capgo
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-56313 HIGH PATCH This Week

Cross-organization account disruption in Capgo before 12.128.2 lets an enterprise administrator in one organization destroy the email/password login of users belonging to different organizations. By abusing the SSO prelink-users endpoint, an attacker holding the org.update_settings permission with an active SSO provider can permanently remove password identities for any user whose email matches the provider's domain, locking victims out of native authentication and forcing them onto the attacker's SSO or a password-reset recovery flow. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported by VulnCheck.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy