Skip to main content
CVE-2026-40553 MEDIUM PATCH This Month

Stack-based buffer overflow in gawk's readdir extension (extension/readdir.c, ftype() routine) affects all gawk releases through version 5.4.0, enabling a local attacker to crash the process and theoretically achieve code execution. The RCE angle is explicitly unconfirmed by the reporter (CERT-PL), making denial-of-service the primary demonstrated impact at this time. No public exploit identified at time of analysis; an upstream source-level patch commit is available on GNU Savannah.

Stack Overflow RCE Buffer Overflow Gawk
NVD VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-40469 MEDIUM PATCH This Month

Integer overflow in gawk's do_sub() routine (builtin.c) enables heap metadata corruption on 32-bit builds, crashing the process. Affecting all gawk versions through 5.4.0 compiled for 32-bit architectures, this flaw was reported by CERT-PL and is limited exclusively to the availability domain - the CVSS 4.0 vector confirms no confidentiality or integrity impact. No public exploit code or active exploitation has been identified at time of analysis, and a patch commit is available upstream.

Denial Of Service Integer Overflow Gawk
NVD VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-40467 MEDIUM PATCH This Month

Use-after-free memory corruption in gawk's do_getline_redir() routine within io.c allows a local attacker to crash the gawk process, causing a denial of service. All gawk versions 5.4.0 and below are affected, as confirmed by CERT-PL and an upstream patch commit. No active exploitation has been identified (not in CISA KEV), and the impact is confined to availability - no confidentiality or integrity effects have been demonstrated.

Denial Of Service Use After Free Memory Corruption Gawk
NVD VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-4765 MEDIUM This Month

Stored XSS in Tallos Chat (RD Station Conversas) allows unauthenticated attackers to inject persistent malicious JavaScript via the 'name' parameter during chat session initialization. The payload executes not only in the initiating visitor's browser but also in the browser of any support agent who joins the conversation, expanding the attack surface to privileged operator sessions within the platform. No public exploit code or active exploitation has been confirmed at time of analysis, and no EPSS data was provided.

XSS Tallos Chat
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-45330 MEDIUM PATCH GHSA This Month

Cross-tenant IDOR in Decidim's verification admin flow exposes government-issued identity documents belonging to participants of one organization to administrators of a different tenant on the same instance. An authenticated admin of any tenant can enumerate sequential pending_authorization_id integers in the admin URL to view, approve, or reject ID document and postal-letter verification requests that belong to entirely separate organizations. The vulnerability was confirmed through a formal security audit and detailed reproduction steps are published in the GitHub advisory; no CISA KEV listing or independent exploit code exists at time of analysis.

Information Disclosure
NVD GitHub
CVSS 3.1
4.9
CVE-2026-61970 MEDIUM This Month

Server-Side Request Forgery in the Themeisle Auto Featured Image (Auto Post Thumbnail) WordPress plugin through version 5.0.4 enables authenticated low-privilege users to coerce the server into issuing arbitrary outbound HTTP requests to attacker-controlled destinations, including internal network resources. The CVSS scope change (S:C) confirms the vulnerability can reach resources outside the WordPress application boundary - such as cloud metadata endpoints, internal APIs, or services on the hosting network. No public exploit identified at time of analysis, and SSVC assessment confirms no observed exploitation with non-automatable attack conditions.

SSRF Auto Featured Image Auto Post Thumbnail
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-61952 MEDIUM This Month

Missing authorization in WooCommerce Bulk Edit Products - WP Sheet Editor (versions up to and including 1.8.21) permits authenticated high-privilege users to exploit incorrectly configured access control security levels, resulting in unauthorized bulk modification of WooCommerce product data. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper capability checks before executing privileged bulk-edit operations via the network. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis, though the integrity-only impact and high-privilege requirement constrain the realistic attack surface.

Authentication Bypass WordPress Woocommerce Bulk Edit Products Wp Sheet Editor
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-9708 MEDIUM This Month

Incoming webhook impersonation in Mattermost allows a requester holding webhook management permissions to post content attributed to arbitrary users in teams or channels those users do not belong to. Affected deployments span three active release branches: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code exists and the vulnerability is not listed in CISA KEV; the CVSS score of 4.9 correctly reflects that exploitation is constrained by the High privilege requirement, limiting realistic risk to insider threats or compromised privileged accounts.

Authentication Bypass Mattermost
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-45572 MEDIUM PATCH GHSA This Month

Stored XSS in Decidim's HTML content blocks allows any administrator with landing-page editing rights to persist arbitrary JavaScript that executes in every visitor's browser. The vulnerability affects the decidim-core RubyGem across three release branches (below 0.30.9, 0.31.5, and 0.32.0) and was confirmed through a professional security audit by Radically Open Security. No public exploit code or CISA KEV listing exists; vendor-released patches are available and the fix has been merged upstream.

RCE Code Injection XSS
NVD GitHub
CVSS 3.1
4.8
CVE-2026-14846 MEDIUM This Month

CSV formula injection in the PrestaShop module 'The Firmware' version 8.2.1 enables an authenticated attacker to inject malicious spreadsheet expressions via the unsanitized 'Alias' parameter in the address update function. When a victim subsequently exports account data using the 'Get my data in CSV' feature and opens the file in a spreadsheet application, the injected formula executes in that application's context, potentially exfiltrating the victim's personal data or executing commands on their workstation. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 4.5 reflects the high-privilege and user-interaction prerequisites that constrain exploitability.

Code Injection The Firmware
NVD
CVSS 4.0
4.5
EPSS
0.3%
CVE-2026-10103 MEDIUM This Month

Post ownership verification is absent in Mattermost's shared channel inbound sync handler, allowing an authenticated remote cluster to forge sync messages that modify or delete posts authored by local users or other federated remotes. Affected versions span the 10.11.x, 11.6.x, and 11.7.x release trains up to and including 10.11.19, 11.6.4, and 11.7.2 respectively. No public exploit has been identified and CISA KEV confirmation is absent, but the integrity impact is direct and the attack complexity is low once federation trust is established.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-12385 MEDIUM This Month

Sensitive information exposure in the Smart Slider 3 WordPress plugin (all versions up to and including 3.5.1.37) allows authenticated Contributor-level users to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts belonging to any user on the site - including Administrators and Editors - via the unsecured 'keyword' Ajax parameter. The attack barrier is further lowered because the required nonce is automatically emitted on /wp-admin/post-new.php, a page accessible to any Contributor by default through the edit_posts capability, making nonce acquisition trivial. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis.

PHP Information Disclosure WordPress Smart Slider 3
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-6541 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Mattermost's Playbooks feature permits any authenticated team member to overwrite another user's playbook metric configuration by supplying a foreign metric ID in a crafted import or update request. Affected branches are 11.7.x through 11.7.1, 11.6.x through 11.6.4, and 10.11.x through 10.11.19, where the server authorizes metric writes based on team membership alone rather than verifying that the referenced metric ID belongs to the playbook being saved. No public exploit code has been identified and this vulnerability does not appear in CISA KEV at time of analysis.

Authentication Bypass Mattermost
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9824 MEDIUM This Month

Missing authorization in Mattermost's /share-channel slash command autocomplete handler allows any authenticated user to enumerate remote cluster connection metadata, regardless of whether they hold the manage_shared_channels permission. Affects three active release lines (11.7.x, 11.6.x, 10.11.x) and is classified under CWE-862 (Missing Authorization). No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; exploitation is constrained to authenticated users, limiting realistic blast radius to insider threat or compromised-account scenarios.

Authentication Bypass Mattermost
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57797 MEDIUM This Month

Broken access control in ThemeMove's EduMall WordPress theme (versions through 4.5.1) permits authenticated low-privileged users to invoke restricted functionality without proper authorization checks. An attacker with any valid WordPress account can bypass the intended access control tiers and trigger actions that degrade site availability. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 4.3 reflects a contained, low-severity impact limited to availability.

Authentication Bypass Edumall
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-52820 MEDIUM PATCH GHSA This Month

Broken object-level authorization in Kimai's Timesheet API (versions <= 2.56.0) allows any authenticated user with the default ROLE_USER permission to reassign their own timesheet entries to arbitrary project IDs in the database - including projects belonging to teams or customers they have no membership in. The root cause is an unconditional OR branch in the Symfony EntityType query_builder that matches any submitted project ID before team-ACL predicates are evaluated; the TimesheetVoter further compounds this by checking only timesheet ownership, never the destination project's access controls. A proof-of-concept was disclosed with the advisory (later redacted); no active exploitation has been confirmed via CISA KEV.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52819 MEDIUM PATCH GHSA This Month

{id}` correctly enforces teamlead validation through `TimesheetVoter`, but the collection endpoint `GET /api/timesheets?user=<id>` omits this check entirely, creating an inconsistent authorization model (CWE-863) that allows horizontal privilege escalation within the application. A private proof-of-concept was confirmed during responsible disclosure but has not been made public; the vendor-released fix is Kimai 2.57.0.

PHP Authentication Bypass
NVD GitHub
CVE-2026-49992 MEDIUM PATCH GHSA This Month

CSRF vulnerabilities in Kimai 2.56.0 through 2.57.0 allow an unauthenticated attacker to manipulate the authorization topology of the time-tracking application by tricking a privileged logged-in user into visiting a malicious page. The three affected GET endpoints - for projects, customers, and activities - perform persistent writes: creating or reusing a Team, assigning the victim as teamlead, and binding the target object to that team. No public exploit is currently available at time of analysis, though a PoC was submitted to the vendor and subsequently removed; the fix (moving routes to POST endpoints) shipped in version 2.58.0.

CSRF
NVD GitHub
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy