Skip to main content
CVE-2026-24226 MEDIUM This Month

NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause improper control of code generation. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.

Nvidia RCE Information Disclosure Tensorrt Llm
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-57973 MEDIUM PATCH Exploit Unlikely This Month

Time-of-check time-of-use (toctou) race condition in Windows Subsystem for Linux allows an authorized attacker to perform tampering locally.

Microsoft Information Disclosure Windows Subsystem For Linux Wsl2
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-55145 MEDIUM PATCH This Month

Improper neutralization of special elements used in a command ('command injection') in Outlook Copilot allows an authorized attacker to perform tampering over a network.

Microsoft Command Injection Microsoft Copilot
NVD
CVSS 3.1
6.3
EPSS
0.4%
CVE-2026-50374 MEDIUM PATCH Exploit Unlikely This Month

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges with a physical attack.

Use After Free Memory Corruption Denial Of Service Microsoft Windows 10 Version 1809 +10
NVD
CVSS 3.1
6.3
EPSS
0.3%
CVE-2026-50375 MEDIUM PATCH Exploit Likely This Month

Heap-based buffer overflow in Windows DirectX allows an authorized attacker to elevate privileges locally.

Heap Overflow Buffer Overflow Microsoft Windows 10 Version 1809 Windows 10 Version 21H2 +9
NVD
CVSS 3.1
6.3
EPSS
1.5%
CVE-2026-50420 MEDIUM PATCH Exploit Unlikely This Month

Out-of-bounds read in Windows HTTP.sys allows an unauthorized attacker to disclose information locally.

Buffer Overflow Microsoft Information Disclosure Windows 11 Version 24H2 Windows 11 Version 25H2 +3
NVD
CVSS 3.1
6.2
EPSS
0.4%
CVE-2026-49807 MEDIUM PATCH Exploit Unlikely This Month

Exposure of sensitive information to an unauthorized actor in Windows DirectX allows an unauthorized attacker to disclose information locally.

Microsoft Information Disclosure Windows 10 Version 1809 Windows 10 Version 21H2 Windows 10 Version 22H2 +8
NVD
CVSS 3.1
6.2
EPSS
0.4%
CVE-2026-50294 MEDIUM PATCH Exploit Unlikely This Month

Exposure of sensitive system information to an unauthorized control sphere in Windows Kernel allows an unauthorized attacker to disclose information locally.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
6.2
EPSS
0.4%
CVE-2026-48000 MEDIUM This Month

Adobe Commerce is affected by an Improper Redirect (Open Redirect) vulnerability that could result in a Security feature bypass. An attacker could construct a malicious URL that redirects a victim to an attacker-controlled site, potentially enabling credential theft and account takeover. Exploitation of this issue requires user interaction in that a victim must click on a malicious link.

Open Redirect Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2026-48302 MEDIUM This Month

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service C2Pa C2Pa Web C2Patool
NVD VulDB
CVSS 3.1
6.2
EPSS
0.2%
CVE-2026-48296 MEDIUM This Month

CAI Content Credentials is affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Integer Overflow C2Pa C2Pa Web C2Patool
NVD VulDB
CVSS 3.1
6.2
EPSS
0.2%
CVE-2026-48357 MEDIUM This Month

CAI Content Credentials is affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service C2Pa C2Pa Web C2Patool
NVD
CVSS 3.1
6.2
EPSS
0.2%
CVE-2026-48354 MEDIUM This Month

CAI Content Credentials is affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Integer Overflow C2Pa C2Pa Web C2Patool
NVD
CVSS 3.1
6.2
EPSS
0.2%
CVE-2026-48298 MEDIUM This Month

CAI Content Credentials is affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Integer Overflow C2Pa C2Pa Web C2Patool
NVD
CVSS 3.1
6.2
EPSS
0.2%
CVE-2026-24271 MEDIUM This Month

NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API, where an attacker could cause allocation of GPU resources without limits or throttling. A successful exploit of this vulnerability might lead to denial of service.

Nvidia Denial Of Service Tensorrt Llm
NVD
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-47475 MEDIUM This Month

NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API where an attacker could trigger a reachable assertion in the sampler thread. A successful exploit of this vulnerability might lead to denial of service.

Nvidia Denial Of Service Tensorrt Llm
NVD
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-47470 MEDIUM This Month

NVIDIA TensorRT-LLM for any platform contains a vulnerability in the gRPC server chat API endpoint, where an attacker could cause CWE-20 by local attack. A successful exploit of this vulnerability might lead to denial of service.

Nvidia Denial Of Service Tensorrt Llm
NVD
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-0515 MEDIUM This Month

Insufficient Parameter Validation in the SchedGet() system call could allow an attacker with local access to cause a crash of the QNX Neutrino kernel.

Denial Of Service Qnx Software Development Platform Qnx Os For Safety Qnx Os For Medical
NVD VulDB
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-57095 MEDIUM PATCH This Month

Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an unauthorized attacker to elevate privileges locally.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
6.2
EPSS
0.5%
CVE-2026-54988 MEDIUM PATCH This Month

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

Buffer Overflow Microsoft Information Disclosure Microsoft 365 Apps For Enterprise Microsoft Excel 2016 +7
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-15626 LOW POC Monitor

Path traversal in GoClaw 3.13.3-beta.3 allows authenticated remote attackers to read or write files outside the intended workspace directory by manipulating the path argument to the `writeFile` function in the ACP ToolBridge Workspace Handler (`internal/providers/acp/tool_bridge.go`). A proof-of-concept exploit has been publicly disclosed via a GitHub issue, lowering the bar for exploitation. No CISA KEV listing indicates active widespread exploitation has not been confirmed at time of analysis.

Path Traversal Goclaw
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15668 LOW POC Monitor

Server-side request forgery in louisho5 picobot up to version 0.2.0 allows authenticated remote attackers to manipulate the url argument of the WebTool.Execute function in internal/agent/tools/web.go, causing the server to issue arbitrary HTTP requests to internal or external targets. The vulnerability carries a CVSS 4.0 score of 5.3 with low-privilege authentication required and has publicly available exploit code disclosed via a GitHub issue report. The upstream project has not responded to the responsible disclosure, meaning no patch is available at time of analysis.

SSRF Picobot
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15624 LOW POC Monitor

Server-side request forgery in GoClaw 3.13.3-beta.3 enables authenticated remote attackers to manipulate the `output.video_url` parameter within the `bytePlusDownloadVideo` function, coercing the server into issuing HTTP requests to attacker-controlled destinations including internal network resources. The flaw resides in `internal/tools/create_video_byteplus.go` at the invoke endpoint. A proof-of-concept exploit has been publicly disclosed via GitHub issue #1199; however, no CISA KEV listing confirms mass active exploitation, and the CVSS 4.0 score of 2.1 reflects the low-privilege authentication barrier and limited per-request impact scope.

SSRF Goclaw
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15672 LOW POC Monitor

SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin panel endpoint /intrams/admin/add_judges.php to database manipulation via the unsanitized `fname` parameter. Authenticated remote attackers can craft malicious input to read, alter, or potentially enumerate backend database contents. A publicly available proof-of-concept exploit exists on GitHub, though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 base score of 2.1 (Low), reflecting the authenticated access prerequisite and limited-scope CIA impact.

SQLi PHP Electronic Judging System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15715 LOW POC Monitor

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argument day leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-50661 MEDIUM POC PATCH Exploit Unlikely This Month

Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

Authentication Bypass Microsoft Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +11
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2026-50495 MEDIUM PATCH Exploit Unlikely This Month

Local tampering in Windows DNS via improper access control (CWE-284) allows a low-privilege authenticated local user to manipulate DNS configuration or records across a broad range of Windows 10, Windows 11, and Windows Server releases. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) confirms exploitation requires only a valid local account with no elevated privileges, yielding high integrity impact with minimal availability disruption and no direct confidentiality exposure. No public exploit code or CISA KEV listing has been identified at time of analysis, but the 'Authentication Bypass' advisory tag suggests DNS tampering may enable downstream bypass of authentication mechanisms dependent on DNS resolution, potentially amplifying the effective impact beyond the raw CVSS score.

Authentication Bypass Microsoft Windows 10 Version 1809 Windows 10 Version 21H2 Windows 10 Version 22H2 +8
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-50453 MEDIUM PATCH Exploit Unlikely This Month

Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.

Buffer Overflow Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2026-50383 MEDIUM PATCH Exploit Unlikely This Month

Buffer over-read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.

Buffer Overflow Microsoft Windows 10 Version 1809 Windows 10 Version 21H2 Windows 10 Version 22H2 +8
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-49174 MEDIUM PATCH This Month

Missing authentication for critical function in Microsoft Windows DNS allows an authorized attacker to perform tampering locally.

Authentication Bypass Microsoft Windows 10 Version 1809 Windows 10 Version 21H2 Windows 10 Version 22H2 +8
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-15699 LOW POC PATCH Monitor

Prototype pollution in compromise (spencermountain/compromise) through version 14.15.1 exposes all JavaScript applications using the library to Object.prototype contamination via the nlp.extend() Public Root API. A low-privileged remote attacker who can supply a crafted plugin argument containing __proto__, constructor, or prototype keys can inject properties into the global Object.prototype, producing partial confidentiality, integrity, and availability impact across the Node.js runtime. A public exploit exists via GitHub issue #1208, a vendor patch has been released (commit b4644ab7), and no CISA KEV listing has been confirmed at time of analysis.

Prototype Pollution Information Disclosure Compromise
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-23573 MEDIUM This Month

Reflected or stored cross-site scripting in Fortinet FortiOS, FortiPAM, and FortiProxy web interfaces allows a remote unauthenticated attacker to execute JavaScript in the browser session of an authenticated administrator via crafted HTTP requests. The CVSS temporal metric E:P confirms publicly available proof-of-concept exploit code exists, and the RL:O metric confirms Fortinet has released an official fix. No active exploitation has been confirmed by CISA KEV at time of analysis, but the combination of a POC and the high-value targets (network security appliances and privileged access management systems) elevates real-world risk beyond what the base CVSS score of 6.1 suggests.

Fortinet XSS Fortios Fortiproxy Fortipam
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-15629 LOW POC Monitor

Link-following vulnerability in louisho5 picobot up to version 0.2.0 allows a remote, low-privileged attacker to traverse outside the intended workspace directory via the CreateSkill and GetSkill functions in the filesystem handler. The root cause is improper symlink resolution (CWE-59) in internal/agent/tools/filesystem.go, enabling potential unauthorized file read and write operations on the host filesystem. A public exploit exists as a GitHub issue report; no vendor patch has been released and the project maintainer has not yet responded to the disclosure.

Information Disclosure Picobot
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15628 LOW POC PATCH Monitor

Server-side request forgery in zhayujie CowAgent's Vision Tool allows authenticated remote attackers to make the server issue arbitrary HTTP requests to internal network resources. The vulnerability exists in the Vision._download_to_data_url / _build_image_content function in agent/tools/vision/vision.py, where the image argument is passed to an HTTP fetch without URL validation, enabling access to private RFC1918 addresses, loopback interfaces, and other non-public infrastructure. A publicly available proof-of-concept exploit exists (GitHub issue #2878), and a vendor-released patch (version 2.1.2) is available.

SSRF Chatgpt On Wechat Cowagent
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15627 LOW POC Monitor

Information disclosure in nextlevelbuilder GoClaw up to version 3.13.3-beta.3 allows remote low-privileged attackers to extract sensitive data by manipulating the `args.targetUrl` argument passed to the `handleNavigate` function in `pkg/browser/tool.go`. A public proof-of-concept exploit exists and is referenced via GitHub issue #1207, elevating the practical risk beyond the moderate CVSS 4.0 score of 5.3. No confirmed patched release has been identified at the time of analysis, leaving all known versions of the product exposed.

Information Disclosure Goclaw
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15625 LOW POC Monitor

GoClaw 3.11.3 by nextlevelbuilder exposes an incomplete blacklist bypass in the ExecApprovalManager.CheckCommand function, allowing authenticated low-privilege remote attackers to circumvent command approval controls enforced in internal/tools/exec_approval.go. The bypass can yield limited confidentiality, integrity, and availability impacts consistent with the information-disclosure tag and the VC:L/VI:L/VA:L CVSS 4.0 impact metrics. No public exploit identified at time of analysis is incorrect here - a public proof-of-concept exploit exists per the referenced GitHub issue, lowering the technical bar for abuse.

Information Disclosure Goclaw
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-44767 MEDIUM PATCH This Month

CSS stylesheet injection in SAP @ui5/webcomponents-base allows unauthenticated remote attackers to load arbitrary cross-origin stylesheets into victim pages by bypassing the sap-allowed-theme-origins allowlist enforcement inside setThemeRoot(). The ?sap-themeRoot URL query parameter is a direct delivery vector, making socially-engineered exploitation trivial - no authentication is required from the attacker (CVSS PR:N), only a victim page load (UI:R). Successful exploitation enables UI redressing, clickjacking, phishing overlays, visual defacement, and limited CSS attribute-selector-based data exfiltration; no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SAP Authentication Bypass Ui5 Webcomponents Base
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-44759 MEDIUM This Month

Reflected cross-site scripting in SAP NetWeaver Enterprise Portal enables unauthenticated remote attackers to inject arbitrary JavaScript into URL parameters that are echoed back unencoded in server responses. When a victim with an active portal session visits a crafted URL, the injected script executes in their browser under the portal's origin, permitting session token theft, unauthorized manipulation of portal content, or forced redirection to attacker-controlled resources. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, though the unauthenticated network-accessible attack surface and low complexity make phishing-based delivery operationally straightforward.

SAP XSS Sap Netweaver Enterprise Portal
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-15620 LOW POC Monitor

Server-side request forgery in mosaxiv clawlet up to version 0.2.10 enables authenticated remote attackers to manipulate the webFetch tool function to issue arbitrary HTTP requests from the server, potentially reaching internal services, cloud metadata endpoints, or other network resources not directly accessible to the attacker. A publicly available proof-of-concept exploit was disclosed via GitHub issue #14, making real-world exploitation more accessible. Critically, the upstream maintainer closed the issue as 'not planned,' meaning no vendor-released patch is forthcoming and the vulnerability will remain permanently unaddressed in the existing codebase.

SSRF Clawlet
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-50324 MEDIUM PATCH Exploit Unlikely This Month

Loop with unreachable exit condition ('infinite loop') in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network.

Denial Of Service Windows 10 Version 1607 Windows 10 Version 1809 Windows Server 2012 R2 Windows Server 2012 R2 Server Core Installation +7
NVD
CVSS 3.1
5.9
EPSS
0.8%
CVE-2026-54429 MEDIUM This Month

Denial of service in Siemens SIMATIC S7-PLCSIM Advanced (all versions) allows an unauthenticated attacker on the same local network segment to exhaust the application's memory by flooding it with high-volume multicast traffic, rendering the PLC simulation instance inaccessible until manually restarted. Exploitation is limited to instances running a specific active project configuration, and no project data is lost. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Simatic S7 Plcsim Advanced
NVD
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-15678 LOW POC Monitor

Cross-site scripting in code-projects Online Job Portal 1.0 allows a remote, low-privileged attacker to inject malicious JavaScript via the /Admin/DetailJob.php endpoint, which executes in the browser of any user who views the affected page. The CVSS 4.0 vector (PR:L/UI:P) confirms that exploitation requires an authenticated session and passive victim interaction, constraining but not eliminating real-world risk. A public proof-of-concept has been disclosed on GitHub; no patch from the vendor has been identified at time of analysis.

PHP XSS Online Job Portal
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-12588 MEDIUM This Month

Denial of Service in Trellix HX (versions 10.0.0 and earlier) allows an authenticated network attacker to exhaust appliance resources by submitting a specially crafted highly-compressed file to the HX console, triggering the product's own detection engine to perform runaway decompression. The impact is limited to availability - the EDR appliance becomes unresponsive - but disruption of an endpoint detection and response platform carries secondary operational risk by creating a monitoring blind spot. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists.

Denial Of Service
NVD
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-15700 LOW POC Monitor

Path traversal in DedeCMS 5.7.118's Album Publishing Feature allows remote attackers with administrative credentials to read or write files outside the intended extraction directory by manipulating the `filename` argument passed to the `ExtractFile` function in `include/zip.class.php`. A public proof-of-concept exploit has been released on GitHub, lowering the skill bar for exploitation, though no active exploitation has been confirmed in the CISA KEV catalog. The CVSS 4.0 score of 5.1 with PR:H reflects the high privilege requirement, which materially limits the exposed attack surface to authenticated admin-level sessions.

Path Traversal PHP Dedecms
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.4%
CVE-2026-15712 MEDIUM This Month

Heap buffer over-read in libsoup's HTTP/2 GOAWAY frame parser allows remote unauthenticated attackers to crash applications or leak heap memory fragments by sending a malformed frame with a non-NUL-terminated Additional Debug Data payload. Affected deployments include applications built on libsoup running on Red Hat Enterprise Linux 10 that accept or initiate HTTP/2 connections. A proof-of-concept exists per SSVC data, though exploitation is rated non-automatable and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Buffer Overflow Denial Of Service Information Disclosure Red Hat Enterprise Linux 10
NVD VulDB
CVSS 3.1
5.9
EPSS
0.5%
CVE-2026-15713 MEDIUM This Month

A vulnerability was found in libsoup's HTTP/2 protocol implementation. The library fails to correctly release memory context blocks under specific stream termination conditions, such as when an HTTP/2 connection encounters window exhaustion or explicit stream resets. A remote, unauthenticated attacker acting as a malicious network peer can trick the connection engine into allocating stream states that are subsequently leaked during cleanup. Over a sustained period, this flaw allows the remote attacker to consume the system's heap allocations incrementally, triggering a denial of service (DoS) through an ultimate Out-of-Memory (OOM) application crash.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-48308 MEDIUM This Month

Premiere Pro is affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction. Scope is changed.

Authentication Bypass Premiere
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-47997 MEDIUM This Month

Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

Authentication Bypass Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2026-47998 MEDIUM This Month

Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

Authentication Bypass Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2026-15669 LOW POC Monitor

OS command injection in louisho5 picobot up to version 0.2.0 allows local low-privileged attackers to execute arbitrary operating system commands through the ExecTool.Execute function in internal/agent/tools/exec.go. A publicly available proof-of-concept exploit exists (GitHub issue #43), elevating practical risk despite the moderate CVSS 4.0 score of 4.8. No patch has been issued as the project maintainer has not responded to responsible disclosure, leaving all known deployments persistently exposed.

Command Injection Picobot
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.6%
Prev Page 16 of 20 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy