Skip to main content
CVE-2026-59801 CRITICAL POC Act Now

Unauthenticated CRUD on the provider-management API in 9Router (through 0.4.41) lets remote attackers with no credentials enumerate, create, modify, and delete provider connections via the Next.js routes under src/app/api/providers/*. Because the /api/providers endpoints ship without authentication middleware, attackers can harvest partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled providers, or wipe all connections for a full denial of service; the companion /api/usage/stats endpoint further leaks full plaintext API keys. Rated CVSS 4.0 9.3 (critical); no public exploit identified at time of analysis, though the trivial access makes exploitation straightforward.

Authentication Bypass Denial Of Service 9Router
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-61498 CRITICAL POC Act Now

Remote OS command execution in Vitec Flamingo 4.12.2 lets unauthenticated attackers run arbitrary commands as root through the admin/ajax/gen_graphs.php graph-generation endpoint. The start, end, key, and format GET parameters are passed unsanitized into a PHP passthru() shell call, and because the web server runs with passwordless sudo the impact escalates to full root compromise. Publicly available exploit code exists (VulnCheck), though there is no CISA KEV listing, so this is a high-priority, easily weaponizable flaw.

Command Injection PHP Flamingo
NVD
CVSS 4.0
9.3
EPSS
2.2%
CVE-2026-60121 CRITICAL POC Act Now

Unauthenticated OS command injection in Vitec Flamingo 4.12.2 (IPTV distribution) lets remote attackers run arbitrary commands as root through the admin/ajax/ping.php endpoint. The flaw stems from a double-evaluation bug where a system wrapper re-uses the decoded, un-escaped host value in a second shell call executed via passwordless sudo. Publicly available exploit code exists (VulnCheck); no active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection PHP Flamingo
NVD
CVSS 4.0
9.3
EPSS
1.4%
CVE-2026-11964 CRITICAL POC PATCH Act Now

Payment-verification bypass in the User Registration & Membership WordPress plugin before 5.2.2 lets unauthenticated attackers forge a payment-provider webhook to mark a subscription as paid, activating premium memberships without any real transaction. WPScan reports publicly available exploit code, though there is no public exploit identified as being used in active attacks (not in CISA KEV). The core weakness is that inbound webhook notifications are trusted and acted upon without authenticating their origin or signature.

Information Disclosure WordPress User Registration Membership
NVD WPScan
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-57811 CRITICAL Act Now

Remote code injection in the Realtyna Organic IDX WordPress plugin (real-estate-listing-realtyna-wpl) affects all versions up to and including 5.2.0, allowing remote attackers to inject and execute arbitrary code (described as 'Remote Code Inclusion') against affected WordPress sites. Patchstack assigned a maximum CVSS 3.1 base score of 10.0 with an unauthenticated network vector and scope change, indicating full compromise of the host. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Code Injection RCE Realtyna Organic Idx Plugin
NVD
CVSS 3.1
10.0
EPSS
0.6%
CVE-2026-57719 CRITICAL Act Now

Arbitrary file upload in CodeRevolution's Aimogen Pro WordPress plugin (versions up to and including 2.8.3) lets attackers upload files of dangerous types, typically enabling deployment of a PHP web shell and full remote code execution on the host. The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) rates it 10.0 critical, reflecting network-reachable, low-complexity, unauthenticated exploitation with a scope change. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

File Upload Aimogen Pro
NVD
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-61667 CRITICAL PATCH GHSA Act Now

Remote code execution in DIRAC (Distributed Infrastructure with Remote Agent Control) grid middleware lets any authenticated user run arbitrary commands on the server through the FileCatalog DatasetManager. A SQL injection (CWE-89) in the checkDataset code path lets the attacker control a value that is fed directly into a Python eval(), turning a data-layer flaw into full server compromise. Rated CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H); no public exploit identified at time of analysis, though the vendor advisory names the exact vulnerable source lines.

SQLi RCE
NVD GitHub
CVSS 3.1
9.9
CVE-2026-45579 CRITICAL PATCH GHSA Act Now

Authenticated remote code execution in DIRAC's RequestManagementSystem lets any logged-in grid user run arbitrary commands as the DIRAC service account, enabling full compromise of the DIRAC installation. The flaw stems from an eval() call reachable through the export_getRequestCountersWeb service method, and successful exploitation exposes dirac.cfg secrets, database credentials, and all stored user proxies and tokens. Rated CVSS 9.9; no public exploit code has been released, though the vendor advisory documents a complete working exploitation path.

RCE Code Injection
NVD GitHub
CVSS 3.1
9.9
CVE-2026-57710 CRITICAL Act Now

Arbitrary file upload in the WoowBot Pro Max WordPress plugin (quantumcloud) through version 14.1.7 allows an authenticated attacker to upload files of dangerous types, leading to remote code execution on the underlying WordPress host. The scope-change CVSS 9.9 reflects that a low-privileged account can pivot to full server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Patchstack has confirmed and cataloged the flaw.

File Upload Woowbot Pro Max
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-57401 CRITICAL Act Now

Arbitrary file deletion via path traversal in the SureDash WordPress plugin (Brainstorm Force) affects all versions up to and including 1.8.0, allowing an authenticated low-privilege user to delete files outside the plugin's intended directory by supplying crafted pathnames. The Patchstack reference explicitly characterizes the flaw as arbitrary file deletion, meaning an attacker can remove critical files such as wp-config.php to disrupt the site or force a re-installation takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 9.9 rating reflects the low barrier to exploitation.

Path Traversal Suredash
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-51821 CRITICAL Act Now

SQL injection in Shenzhou Shihan Video Conference System v1.0 lets a remote, unauthenticated attacker inject arbitrary SQL through the /user/getUserLogin endpoint, enabling full database compromise and, per the MITRE report, arbitrary code execution. The flaw is network-reachable against default installs with no authentication or user interaction (CVSS 9.8). No CISA KEV listing exists and EPSS is low (0.27%, 18th percentile); disclosure references (a GitHub CVE issue and a cnblogs write-up) suggest public exploitation details circulate, though weaponized exploit code was not independently confirmed in this analysis.

SQLi RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-52533 CRITICAL Act Now

Privilege escalation in D-Link DIR-1253 firmware v1.0.1.250923.142435 stems from improper handling of the /etc/shadow file - the store of hashed local credentials - letting an attacker obtain or elevate to root-level access on the device. Publicly available exploit code exists (referenced via the zuh.re/codeberg advisory), but there is no public exploit identified as actively exploited and the CVE is not on the CISA KEV list. The published CVSS of 9.8 (AV:N) appears optimistic given that the core issue centers on a local system credential file, so the true remote-unauthenticated reach should be verified against the vendor advisory.

Privilege Escalation D-Link N A
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-51540 CRITICAL Act Now

Remote memory corruption in the OpENer EtherNet/IP stack (2.3.0 master branch up to commit 76b95cf) stems from an integer underflow while parsing connected explicit messages via the SendUnitData encapsulation command, allowing network attackers to corrupt memory on the target device. The CVSS 3.1 score of 9.8 (AV:N/PR:N) indicates unauthenticated remote exploitation with full confidentiality, integrity, and availability impact. A public gist by researcher MrAlaskan and a filed GitHub issue accompany the disclosure, so publicly available exploit code exists, though EPSS is low (0.15%, 5th percentile) and it is not on the CISA KEV list.

Buffer Overflow Integer Overflow N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-57433 CRITICAL PATCH Act Now

Denial-of-service in the Storable module for Perl (versions before 3.41) allows remote attackers to abort deserialization by supplying a crafted SX_HOOK record whose item count equals I32_MAX. The signed 32-bit count plus one wraps to a negative value, which av_extend rejects with a fatal panic, terminating any thaw() or retrieve() call on attacker-controlled data. No public exploit identified at time of analysis; despite the assigned CVSS of 9.8 (C:H/I:H/A:H), the documented outcome is a controlled abort rather than memory corruption or code execution.

Deserialization Integer Overflow Storable
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-59518 CRITICAL Act Now

PHP Object Injection in the wpWax Directorist WordPress plugin (all versions through 8.8.2) lets remote attackers pass untrusted serialized data into a PHP deserialization sink, instantiating arbitrary objects that can trigger POP gadget chains for code execution, data theft, or site compromise. The flaw carries a critical 9.8 CVSS score with an unauthenticated network vector; it was disclosed by Patchstack. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Directorist
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-57813 CRITICAL Act Now

Privilege escalation in the MailOptin WordPress plugin (by properfraction) affects all versions up to and including 1.2.77.3, stemming from incorrect privilege assignment (CWE-266). An attacker can obtain elevated privileges within the WordPress site, potentially reaching administrator-level control that yields full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported by Patchstack.

Privilege Escalation Mailoptin
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-57770 CRITICAL Act Now

PHP Object Injection in the ThemeGoods Grand Photography WordPress theme (all versions up to and including 5.7.8) lets remote attackers deliver crafted serialized data to an unsafe unserialize() sink, potentially achieving code execution, file operations, or SQL injection through POP gadget chains. The CVSS 9.8 rating reflects unauthenticated network exploitation (PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Deserialization Grand Photography
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-57744 CRITICAL Act Now

PHP Object Injection in the RT-Theme 18 | Extensions plugin (rt18-extensions) for WordPress affects all versions up to and including 2.5, allowing remote attackers to inject arbitrary PHP objects by supplying crafted serialized data to an unsafe deserialization sink. Because the CVSS vector reports PR:N/UI:N, exploitation does not require authentication or user interaction, and impact escalates to full compromise (confidentiality, integrity, availability all High) when a usable POP gadget chain is present in the WordPress stack. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; the 9.8 base score reflects worst-case object-injection potential rather than confirmed in-the-wild activity.

Deserialization Rt Theme 18 Extensions
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-57738 CRITICAL Act Now

Remote PHP object injection in the axiomthemes '777' (triple-seven) WordPress theme allows attackers to instantiate arbitrary PHP objects by supplying crafted serialized data to a vulnerable unserialize() call, affecting all versions up to and including 1.13.0. With the reported CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) scoring 9.8, an unauthenticated network attacker can achieve high-impact compromise if a usable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Deserialization 777
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-57724 CRITICAL Act Now

Object injection in the Themeum Kirki WordPress customizer framework (all versions through 6.0.12) allows attackers to abuse PHP deserialization of untrusted data (CWE-502), potentially leading to arbitrary object instantiation and, given a suitable POP gadget chain, remote code execution or full site compromise. Reported by Patchstack with a maximum CVSS 9.8 rating; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. Because Kirki is a developer toolkit bundled into many premium WordPress themes, exposure depends on which theme/plugin code passes attacker-controllable input into its deserialization path.

Deserialization Kirki
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-14453 CRITICAL PATCH Act Now

Server-Side Template Injection in Centreon's centreon-open-tickets module enables authenticated users to achieve remote code execution on the Centreon Infra Monitoring server. The message_confirm field is persisted without sanitization and later rendered by the Smarty template engine with no security policy applied, so injected template directives execute as server-side code. Rated CVSS 9.6 with a scope change; no public exploit identified at time of analysis and no EPSS score supplied, but the low authentication barrier and RCE outcome make this a high-priority patch.

Code Injection RCE Infra Monitoring
NVD GitHub
CVSS 3.1
9.6
EPSS
0.5%
CVE-2026-6875 CRITICAL Act Now

Remote code execution in the ServiceNow AI Platform allows an unauthenticated attacker, under certain (unspecified) circumstances, to execute arbitrary code within the ServiceNow platform, carrying a critical CVSS 4.0 base score of 9.5. ServiceNow has patched hosted instances directly and issued fixes to self-hosted customers and partners; there is no public exploit identified at time of analysis, and the vendor states it is not currently aware of exploitation. The high CVSS complexity metric (AC:H) indicates the exploit is not trivially reproducible against arbitrary instances, tempering the otherwise maximal impact rating.

RCE Servicenow Ai Platform Code Injection
NVD VulDB
CVSS 4.0
9.5
EPSS
0.5%
CVE-2026-22093 CRITICAL PATCH Act Now

Man-in-the-middle interception and traffic manipulation in the EVbee Service Android app (v1.4.101.00) is possible because the app negotiates HTTPS but never validates the server's TLS certificate, and further protects payloads only with RC4 under a hardcoded key. An attacker positioned on the network path can decrypt and alter app-to-server traffic and harvest charging-station access codes. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reproducible with standard interception tooling.

Information Disclosure Google Evbee Service
NVD
CVSS 4.0
9.5
EPSS
0.2%
CVE-2026-61500 CRITICAL PATCH Act Now

Administrator session forgery in Rejetto HFS (HTTP File Server) versions 3.0.0 through 3.2.0 lets a remote unauthenticated attacker derive the server's session-cookie signing key. Because HFS seeds that key from JavaScript's non-cryptographic Math.random() and simultaneously leaks outputs of the same generator to clients during login, an attacker can sample a few login responses, reconstruct the PRNG state, and mint a valid admin cookie - yielding full administrative control and remote code execution through the server_code configuration feature. No public exploit is identified at time of analysis, but the flaw was reported by VulnCheck/Horizon3.ai and a vendor patch (v3.2.1) exists.

RCE Hfs
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.7%
CVE-2026-14934 CRITICAL PATCH Act Now

Cross-tenant privilege escalation in the repository creation functionality shared by Google Cloud BigQuery, Dataform, and Colab Enterprise allowed an authenticated GCP user to take over repositories belonging to other tenants. Rated CVSS 4.0 9.4 (critical) with a scope-changing cross-tenant impact, the flaw was a Missing Authorization (CWE-862) issue affecting the managed services between October 2025 and 10 May 2026. Google reports no public exploit identified at time of analysis; the defect was fixed server-side on 10 May 2026 with no customer action required.

Authentication Bypass Google Bigquery Dataform Colab Enterprise
NVD VulDB
CVSS 4.0
9.4
EPSS
0.2%
CVE-2026-62327 CRITICAL Act Now

Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote attacker retrieve full plaintext API keys for every connected AI provider by issuing a single GET to the /api/usage/stats endpoint, which lacks authentication middleware. The same missing-auth flaw class extends to unauthenticated CRUD on /api/providers and exposure of full conversation histories, so an attacker can harvest credentials, hijack provider accounts, and commit billing fraud or quota exhaustion. Reported by VulnCheck with a critical CVSS 4.0 base of 9.3; no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis.

Authentication Bypass Information Disclosure 9Router
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-6847 CRITICAL Act Now

Remote code execution in ThemisNETPanel (vendor 4real) allows unauthenticated network attackers to fully compromise the underlying server by abusing a file-upload endpoint that lacks any authentication check. An attacker submits a base64-encoded PHP payload, writes it as an arbitrary PHP file, and executes it in the web application's context. Reported by CERT-PL with a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass File Upload RCE PHP Themisnetpanel
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-22103 CRITICAL PATCH Act Now

Command injection in the evbee DC-80 EV charger allows remote unauthenticated attackers to execute arbitrary operating-system commands via the 'NPC start' endpoint exposed on the device's web server at TCP port 8090. Reported by DIVD (Dutch Institute for Vulnerability Disclosure), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable vector (AV:N/PR:N/UI:N) and high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; no EPSS score was supplied.

Command Injection Dc 80
NVD
CVSS 4.0
9.3
EPSS
1.3%
CVE-2026-22097 CRITICAL PATCH Act Now

Arbitrary code execution in the EVBEE DC-80 EV charging station stems from a firmware update mechanism that ships without cryptographic signature validation (CWE-347), letting an attacker who reaches the update capability push a malicious firmware image and have it executed by the device. Reported by DIVD (advisory DIVD-2026-00001) with a CVSS 4.0 base score of 9.3 and a 'Jwt Attack' angle noted in triage tags, the flaw grants full compromise of the charger. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

RCE Jwt Attack Dc 80
NVD
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-22102 CRITICAL PATCH Act Now

Arbitrary file write in the Evbee DC-80 EV charging station lets remote unauthenticated attackers overwrite any file on the device by sending a POST request whose Content-Disposition filename parameter is trusted without validation. Because a written file can clobber system files (denial of service) or replace shell scripts that are later executed, this escalates to remote code execution. There is no public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CWE-20 root cause make this a critical, high-priority flaw.

Denial Of Service Dc 80
NVD
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-22096 CRITICAL PATCH Act Now

Missing authentication on the evbee DC-80 EV charging station exposes an administrative web server on TCP port 8090 that requires no login, allowing remote unauthenticated attackers to read sensitive data such as configured passwords and to upload arbitrary files via multiple endpoints. Reported through the DIVD CSIRT coordinated-disclosure program (DIVD-2026-00001), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable, no-privilege vector. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Dc 80
NVD
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-22095 CRITICAL PATCH Act Now

Remote code execution in the evbee DC-80 EV charging station is possible through a command injection flaw in the network diagnosis endpoint exposed on the web server at TCP port 8090. Because the CVSS 4.0 vector specifies no privileges and no user interaction (AV:N/PR:N/UI:N), a remote unauthenticated attacker who can reach port 8090 can inject operating-system commands and fully compromise the device. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the DIVD coordinated disclosure and 9.3 (Critical) score make it a high-priority defect.

Command Injection Dc 80
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2026-59515 CRITICAL Act Now

Blind SQL injection in the Sergey "AIWU" ai-copilot-content-generator WordPress plugin (all versions through 1.5.4) allows remote attackers to inject arbitrary SQL into backend database queries, per the CVSS:3.1 vector without requiring authentication or user interaction. Because the scope is changed and confidentiality impact is High, an attacker can exfiltrate sensitive database contents (WordPress user credentials, secrets, PII) via time- or boolean-based blind techniques. No public exploit identified at time of analysis and the issue is not on CISA KEV, but its high CVSS (9.3) and the fact that it was catalogued by Patchstack make it a credible risk for exposed WordPress sites.

SQLi Aiwu
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-57739 CRITICAL Act Now

Blind SQL injection in the AcyMailing SMTP Newsletter plugin for WordPress (all versions up to and including 10.11.0) lets remote attackers inject arbitrary SQL through unsanitized input and extract database contents inference-by-inference. The CVSS 3.1 base score is 9.3, elevated by a changed scope and confidentiality impact against the underlying WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the finding originates from Patchstack.

SQLi Acymailing Smtp Newsletter
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-57726 CRITICAL Act Now

Blind SQL injection in the Themeum Kirki WordPress customizer framework (all versions up to and including 6.0.12) lets remote attackers inject SQL through improperly neutralized special elements, per the CVSS PR:N vector without authentication, to infer and extract database contents. The scope-changed CVSS 3.1 score of 9.3 reflects impact reaching beyond the plugin's own security boundary into the wider WordPress database. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

SQLi Kirki
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-57714 CRITICAL Act Now

Blind SQL injection in the LatePoint WordPress appointment-booking plugin (versions up to and including 5.6.3) lets remote unauthenticated attackers inject crafted SQL through improperly neutralized input (CWE-89), enabling extraction of database contents via boolean/time-based inference. Reported by Patchstack and rated CVSS 9.3 with a network vector requiring no privileges or user interaction; the changed scope reflects access to the shared WordPress/MySQL database beyond the plugin's own boundary. No public exploit is identified at time of analysis and it is not listed in CISA KEV.

SQLi Latepoint
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-57707 CRITICAL Act Now

SQL injection in QuantumCloud's Simple Business Directory Pro WordPress plugin (all versions through 15.9.4) allows remote attackers to inject crafted SQL into backend database queries, enabling extraction of sensitive data such as user credentials and stored directory records. Patchstack rates it critical (CVSS 9.3) with a network attack vector and no authentication indicated in the supplied vector; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high score and scope-change flag make it a priority for any site running this plugin.

SQLi Simple Business Directory Pro
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-57702 CRITICAL Act Now

Blind SQL injection in the Amelia booking plugin for WordPress (Melograno Venture Studio) affects all versions from unknown initial release through 2.4.2, allowing remote attackers to inject crafted SQL into database queries and extract sensitive data via boolean/time-based inference. The CVSS 9.3 vector (AV:N/PR:N) indicates network-reachable exploitation without authentication, though this is a Patchstack-reported issue with no public exploit and no CISA KEV listing at time of analysis. Because the injection is blind, exploitation typically requires automated tooling to reconstruct data one condition at a time.

SQLi Amelia
NVD VulDB
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-4769 CRITICAL PATCH Act Now

Full system compromise of WAGO System I/O-Field series controllers (0765-xxx families) is possible when an unauthenticated remote attacker reaches an undocumented internal diagnostic interface that is briefly exposed during the device's early boot phase. Because the diagnostic capability requires no authentication and grants access to internal system processes, a successful attacker obtains complete control over confidentiality, integrity, and availability. Reported by CERT@VDE (VDE-2026-031); no public exploit code has been identified and it is not listed in CISA KEV at time of analysis.

Information Disclosure 0765 110X 0100 0000 0765 120X 0100 0000 0765 150X 0100 0000 0765 2101 0100 0000 +4
NVD VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-61462 CRITICAL PATCH Act Now

GitLab API request redirection in zereight's mcp-gitlab (gitlab-mcp) MCP server lets attackers who control the job_id parameter escape the intended /jobs/ path prefix and reach arbitrary GitLab REST API endpoints under the operator's personal access token. Because the token is a bearer of the operator's full GitLab privileges, a crafted value such as '../../../user' resolves to /api/v4/user (or any other resource), turning a scoped job lookup into broad unauthorized data access. No public exploit was identified at time of analysis, and it is not listed in CISA KEV, but the flaw is trivially triggerable and was reported by VulnCheck with a vendor fix committed.

Gitlab Path Traversal Mcp Gitlab
NVD GitHub
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-13014 CRITICAL Act Now

Remote unauthenticated code execution in Thales CERT's "Suspicious" email-analysis application (versions 1.3.4 and earlier), dubbed "Matryoshka Mail," lets an attacker abuse path traversal in attachment handling to overwrite writable application files-Python modules, configuration, cron inputs, and runtime artifacts-yielding root-level execution inside the Django container. Because the affected code runs Python and processes attacker-supplied mail, overwriting an imported module effectively converts arbitrary file write into RCE, plus persistent denial of service and possible exposure of application secrets and integrations. No public exploit identified at time of analysis and the issue is not in CISA KEV, but it carries a CVSS 4.0 base score of 9.2 and vendor-credited discovery by Lucien Doustaly (wlayzz).

Denial Of Service Path Traversal RCE Python Suspicious
NVD GitHub
CVSS 4.0
9.2
EPSS
0.7%
CVE-2026-22098 CRITICAL PATCH Act Now

Sensitive-data logging in the Evbee DC-80 DC EV charger writes secrets such as user passwords and charging card (RFID) UIDs in cleartext to log files, per DIVD advisory DIVD-2026-00001. The supplied CVSS 4.0 base score of 9.2 reflects high confidentiality impact to both the vulnerable system and downstream systems that reuse those credentials, so anyone able to read the logs can harvest reusable authentication material. No public exploit identified at time of analysis.

Information Disclosure Dc 80
NVD
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-13221 CRITICAL PATCH Act Now

Silently incorrect regular-expression matching in the Perl interpreter (all versions through 5.43.9) lets an oversized alternation of more than 65,535 fixed-string branches overflow a 16-bit delta field when the branches are optimized into a trie, truncating the match-decision table. The result is both false-positive and false-negative matches, so any Perl program that uses such a pattern to gate access or filter input can make wrong security decisions. There is no public exploit identified at time of analysis, though the fixing commit ships a deterministic reproducer test, and the flaw is not listed in CISA KEV.

Buffer Overflow Integer Overflow Perl
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-51538 CRITICAL Act Now

Access-control bypass in EIPStackGroup OpENer 2.3.0 (commit 76b95cf) lets any unauthenticated network attacker hijack another client's EtherNet/IP encapsulation session by replaying a valid session_handle, because the stack validates the handle against a global session list but never binds it to the originating TCP socket. Affected industrial devices running this open-source stack can have their EtherNet/IP command channel abused for read/write operations under another client's authority. No CISA KEV listing exists, but a researcher gist referenced in the advisory appears to publish exploit details, and the CVSS 9.1 rating reflects high confidentiality and integrity impact.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-51536 CRITICAL Act Now

Stack buffer overflow in the OpENer EtherNet/IP stack (version 2.3.0, commit 76b95cf) lets remote attackers corrupt memory by sending a crafted CIP network packet whose length field is truncated into a negative value, bypassing bounds checks in DecodePaddedEPath. The CVSS vector (AV:N/PR:N/UI:N) indicates unauthenticated remote reachability with high confidentiality and availability impact; no public exploit is identified at time of analysis (not in CISA KEV), though a referenced gist and GitHub issue suggest researcher analysis and possible proof-of-concept material exist. As an OT/ICS protocol stack, exploitation would most plausibly cause denial of service or memory disclosure on embedded industrial devices.

Buffer Overflow Integer Overflow N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-51537 CRITICAL Act Now

Out-of-bounds read in the EIPStackGroup OpENer EtherNet/IP stack (version 2.3.0, commit 76b95cf) lets a remote unauthenticated attacker send a crafted ENIP frame carrying a malformed CIP ForwardOpen/LargeForwardOpen request that drives the Connection Manager parser to read past the supplied request buffer, exposing adjacent memory or crashing the stack. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N) it is reachable over the network with no authentication and low complexity, yielding high confidentiality and availability impact. No CISA KEV listing and no EPSS were supplied; no active exploitation is confirmed, though a referenced public gist appears to document the flaw and may contain proof-of-concept material.

Buffer Overflow Information Disclosure N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-51541 CRITICAL Act Now

OpENer 2.3.0 (commit 76b95cf) has an out-of-bounds read issue in CIP message parsing when handling malformed explicit requests with a forged EPath size. An attacker can send a valid ENIP SendRRData frame carrying a very short CIP payload whose path_size field claims that many more path words are present than are actually available. Because the parser trusts the attacker-controlled path_size and continues decoding path segments without a remaining-length boundary, it reads beyond the end of the stack receive buffer.

Buffer Overflow N A Information Disclosure
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-58102 CRITICAL PATCH Act Now

Heap out-of-bounds read in the Crypt::OpenSSL::X509 Perl module (versions before 2.1.3) lets a crafted X.509 certificate leak adjacent heap memory to an application that enumerates certificate extensions. When code calls extensions(), extensions_by_long_name(), extensions_by_oid(), or has_extension_oid(), a certificate extension whose textual OID exceeds the fixed 129-byte buffer causes the returned hash key to include bytes read past the allocation, exposing process memory and risking a crash. No public exploit is identified at time of analysis and it is not in CISA KEV, but the fix is confirmed in release 2.1.3 and the flaw is trivially triggerable by any attacker who can supply a certificate.

OpenSSL Buffer Overflow Information Disclosure Crypt
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-58409 CRITICAL Act Now

Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.

PHP File Upload RCE Crm
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-12257 CRITICAL Act Now

Remote code execution in Mura CMS versions prior to 10.0.712 allows unauthenticated attackers to execute arbitrary CFML and instantiate malicious Java objects by abusing the unvalidated 'method' parameter in POST requests to the /index.cfm/_api/json/v1/default JSON API endpoint. Because the ColdFusion engine processes the attacker-controlled input without sanitisation, a single crafted request yields full compromise (VC:H/VI:H/VA:H). No public exploit identified at time of analysis, though CISA SSVC flags the flaw as automatable with total technical impact.

XSS RCE Java Cms
NVD
CVSS 4.0
9.3
EPSS
0.4%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy