Skip to main content
CVE-2026-47995 MEDIUM This Month

Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin lets a high-privileged authenticated attacker persist malicious JavaScript in form fields that executes in a victim's browser when the affected page is viewed. Because CVSS scope is changed and the payload runs in the victim's authenticated context, an attacker can escalate to takeover of a higher-privileged admin session or account. No public exploit identified at time of analysis; remediated in Adobe security bulletin APSB26-73.

XSS Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD VulDB
CVSS 3.1
4.8
EPSS
0.7%
CVE-2026-50684 MEDIUM PATCH This Month

Improper neutralization of input during web page generation ('cross-site scripting') in Active Directory Federation Services (AD FS) allows an authorized attacker to perform spoofing over a network.

XSS Windows 10 Version 1607 Windows 10 Version 1809 Windows Server 2012 Windows Server 2012 Server Core Installation +9
NVD
CVSS 3.1
4.8
EPSS
0.4%
CVE-2026-15621 MEDIUM This Month

Link-following vulnerability in mosaxiv clawlet up to version 0.2.10 allows local low-privileged attackers to read, write, or modify files outside intended directories by supplying symlinks to the read_file, write_file, and edit_file functions in tools/fs_ops.go. All three file-operation primitives are affected, meaning the attack surface covers both read (information disclosure) and write/edit (integrity impact) paths. No patch is planned - the upstream GitHub issue was explicitly closed as 'not planned', leaving all deployments on affected versions permanently unpatched.

Information Disclosure Clawlet
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-50310 MEDIUM PATCH Exploit Unlikely This Month

Integer overflow or wraparound in Windows Devices Human Interface allows an authorized attacker to disclose information locally.

Information Disclosure Microsoft Integer Overflow Windows 10 Version 1809 Windows 10 Version 21H2 +9
NVD
CVSS 3.1
4.7
EPSS
0.3%
CVE-2026-62658 MEDIUM PATCH This Month

Post-authentication command execution in NETGEAR Nighthawk RAX-series routers (RAX43, RAX45, RAX50, RAX54S, RAX54Sv2) permits an attacker already holding administrative credentials and adjacent network access to run unauthorized OS-level commands or code on the device. Rooted in CWE-20 (Improper Input Validation), the flaw bypasses authorization controls within the authenticated management session, yielding high integrity impact on the vulnerable system. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental metric E:P indicates proof-of-concept code exists; a vendor-released patch is available from NETGEAR.

Authentication Bypass Netgear Rax43 Rax45 Rax50 +2
NVD
CVSS 4.0
4.7
EPSS
0.2%
CVE-2026-50657 MEDIUM PATCH Exploit Unlikely This Month

Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally.

Microsoft Information Disclosure Microsoft Defender For Endpoint For Mac
NVD
CVSS 3.1
4.7
EPSS
0.4%
CVE-2026-44760 MEDIUM This Month

Reflected XSS in SAP NetWeaver Application Server ABAP's Business Server Pages (BSP) framework allows remote unauthenticated attackers to inject arbitrary JavaScript into HTTP responses when a victim user interacts with a crafted URL. Successful exploitation enables session token theft and execution of authenticated actions on behalf of the victim within the SAP web context. No public exploit code or CISA KEV listing is identified at time of analysis; CVSS AC:H indicates non-trivial conditions must align for successful delivery, moderating real-world risk despite the enterprise sensitivity of SAP environments.

SAP XSS Sap Netweaver Application Server Abap Applications Based On Business Server Pages
NVD VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-49794 MEDIUM PATCH Exploit Unlikely This Month

Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.

Buffer Overflow Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
4.6
EPSS
0.4%
CVE-2026-50485 MEDIUM PATCH Exploit Unlikely This Month

Denial of service in Windows Hyper-V allows an authorized, adjacent-network attacker to crash or disrupt the hypervisor by triggering a buffer over-read (CWE-126). Affected platforms span Windows 10, Windows 11, and Windows Server 2012 through 2025, covering a broad slice of Microsoft's enterprise footprint. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but a vendor-issued patch is available via Microsoft MSRC.

Buffer Overflow Microsoft Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
4.5
EPSS
0.4%
CVE-2026-56193 LOW PATCH Exploit Unlikely Monitor

Information disclosure in Microsoft Office (Microsoft 365 Apps, Office 2016/2019, Office LTSC 2021/2024, and Office for Mac) via an out-of-bounds read (CWE-125) lets an attacker leak sensitive memory contents when a victim opens a maliciously crafted document. The CVSS 3.1 base score is 7.1 (AV:L/AC:L/PR:N/UI:R), reflecting local exploitation that requires user interaction but no prior authentication. Microsoft is the reporting source and has published a fix; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Microsoft Information Disclosure Microsoft 365 Apps For Enterprise Microsoft Office 2016 +6
NVD
CVSS 3.1
3.3
EPSS
0.4%
CVE-2025-43892 MEDIUM This Month

FortiOS across the 7.2, 7.4, and 7.6 release trains leaks portions of device runtime memory to authenticated remote attackers via a buffer over-read in redirect response handling. Exploitation requires valid credentials but no elevated privileges, and proof-of-concept code exists (CVSS temporal E:P). An official vendor fix is confirmed available (RL:O), though unpatched instances of FortiOS 7.2.x, 7.4.0-7.4.8, and 7.6.0-7.6.2 remain at risk of sensitive memory disclosure - a consequential exposure given that FortiOS processes session tokens, credentials, and cryptographic material at runtime.

Fortinet Buffer Overflow Fortios
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-62659 MEDIUM PATCH This Month

A security flaw was discovered in the NETGEAR WAX333 Access Point that could allow someone already logged in and connected to the local network to make unauthorized changes to the device's settings

Authentication Bypass Netgear Wax333
NVD
CVSS 4.0
4.3
EPSS
0.2%
CVE-2026-59840 MEDIUM This Month

Buffer over-read in Fortinet FortiOS and FortiProxy exposes sensitive memory contents to authenticated network attackers across multiple product lines including FortiPAM and FortiSwitchManager. The flaw, rooted in CWE-126 (buffer over-read), allows low-privileged remote users to read beyond allocated buffer boundaries, resulting in partial information disclosure with no integrity or availability impact. No active exploitation confirmed in CISA KEV, but the CVSS temporal vector includes E:P indicating proof-of-concept exploit code exists, and an official fix is available per RL:O.

Fortinet Buffer Overflow Information Disclosure Fortios Fortipam +2
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-62642 MEDIUM PATCH This Month

Roundcube Webmail's TNEF (winmail.dat) decoder enters an infinite loop when processing a specially crafted TNEF attachment, causing denial of service for users on affected installations. Versions before 1.6.17 and 1.7.x before 1.7.2 are confirmed affected per the vendor advisory issued 2026-07-05. No public exploit code and no active exploitation (CISA KEV) have been identified; the CVSS vector confirms user interaction is required, limiting automatable mass exploitation.

Denial Of Service Webmail
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-62641 MEDIUM PATCH This Month

Denial of service in Roundcube Webmail's TNEF decoder allows remote senders to crash the webmail parser by embedding a crafted compressed-RTF size field inside a winmail.dat attachment. Affected versions are all Roundcube Webmail releases before 1.6.17 and 1.7.x before 1.7.2. Release notes confirm the defect manifests as an infinite loop in the TNEF parser, meaning repeated delivery of malicious emails could degrade server availability for affected users. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Denial Of Service Webmail
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-62826 MEDIUM This Month

HTTP Response Splitting in Fortinet FortiOS and FortiProxy captive portal authentication flows enables a man-in-the-middle attacker to inject arbitrary HTTP headers into intercepted authentication requests. Affected platforms span FortiOS 7.2-7.6.4 and FortiProxy 7.2-7.6.4. The CVSS temporal vector includes E:P, confirming proof-of-concept exploit code exists; however, no active exploitation has been confirmed via CISA KEV. The RL:O temporal indicator confirms an official remediation is available per vendor advisory FG-IR-26-153.

Fortinet Code Injection Fortipam Fortiproxy Fortios
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-62675 MEDIUM This Month

HTTP Response Splitting in Fortinet FortiOS and FortiProxy enables an attacker who holds a valid web filter override token to inject arbitrary HTTP headers into server responses by tricking a user into clicking a crafted link. Affected versions span FortiOS 7.2 through 7.6.4 and FortiProxy 7.2 through 7.6.4. No active exploitation has been confirmed by CISA KEV, though the CVSS temporal vector includes E:P, indicating partial proof-of-concept evidence exists. Real-world impact is constrained by the requirement to possess a valid web filter override token and to achieve user interaction.

Fortinet Code Injection Fortios Fortipam Fortiproxy
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15718 MEDIUM This Month

Information disclosure in Mozilla Firefox via CWE-763 (Release of Invalid Pointer or Reference) allows network-based attackers to read limited memory contents from affected browser instances. All Firefox versions prior to 152.0.6 are affected. Publicly available exploit code exists, though Mozilla reports no confirmed attacks in the wild; user interaction is required to trigger the flaw, moderately reducing real-world exposure.

Mozilla Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9341 MEDIUM This Month

Insecure Direct Object Reference in the Academy LMS WordPress plugin (all versions through 3.8.0) allows authenticated attackers with Subscriber-level access to read, overwrite, or delete the private lesson notes of any user - including administrators - and to falsify lesson-completion records for arbitrary accounts. Three AJAX handlers (save_lesson_note, get_lesson_note, complete_lesson_video) perform no ownership validation on a user-controlled key, making cross-user data manipulation trivially achievable by any registered site user. No public exploit identified at time of analysis, but the attack surface is fully described via Wordfence's public threat-intelligence entry and source-level code references.

Authentication Bypass WordPress Academy Lms
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-62393 MEDIUM This Month

Improper authorization in Apache Kylin's REST API job endpoints allows authenticated users to retrieve job metadata from projects they are not authorized to access. The `JobController.getJobList` and `JobController.getJobDetail` endpoints lack project-scoped permission verification, meaning any authenticated user can query build job information across project boundaries within a shared Kylin deployment. Apache Kylin versions 4 through 5.0.3 are affected; no public exploit code or active exploitation has been identified at time of analysis.

Apache Authentication Bypass Kylin
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2026-44771 MEDIUM This Month

Privilege escalation in SAP S/4HANA's Draft Operation component allows authenticated restricted users to read entity data beyond their authorized scope due to missing authorization checks. The flaw, classified under CWE-862, is exploitable over the network without elevated privileges, resulting in low confidentiality impact with no effect on integrity or availability. No public exploit code or active exploitation has been identified at time of analysis, keeping real-world risk bounded despite the network-accessible attack vector.

SAP Authentication Bypass Sap S 4Hana Draft Operation
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44770 MEDIUM This Month

Missing authorization in SAP S/4HANA's Create Single Payment function exposes restricted entity set keys to authenticated but low-privileged users. The flaw (CWE-862) allows a restricted user to query specific payment-related entity sets beyond their intended access scope, resulting in low-impact confidentiality leakage with no effect on data integrity or system availability. No public exploit code exists and this vulnerability is not listed in CISA KEV; EPSS data was not provided, but the CVSS 4.3 medium score and limited impact scope suggest low exploitation urgency.

SAP Authentication Bypass Sap S 4 Hana Create Single Payment
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44768 MEDIUM This Month

Script injection in SAP CRM WebClient UI is enabled by absent Content Security Policy (CSP) directives for certain restrictive headers, allowing an authenticated low-privileged attacker to inject malicious JavaScript that executes in a victim user's browser session. The CVSS vector (PR:L/UI:R/S:C) confirms this requires both an authenticated attacker and victim interaction, with a cross-scope impact consistent with browser-context script execution. No public exploit code or CISA KEV active exploitation listing has been identified at time of analysis, and impact is bounded to low integrity with no confidentiality or availability consequence.

SAP Code Injection Sap Crm Webclient Ui
NVD
CVSS 3.1
4.1
EPSS
0.2%
CVE-2026-14902 MEDIUM This Month

Open redirect in Ivanti Xtraction before 2026.2.1 enables remote unauthenticated attackers to craft URLs that silently forward users to arbitrary external destinations. The vulnerability carries a Scope:Changed rating (S:C) in the CVSS vector, reflecting that the impact extends beyond the vulnerable application to the user's browser environment - a hallmark of effective phishing and credential harvesting campaigns. No public exploit code and no CISA KEV listing exist at time of analysis, and the AC:H metric in the vendor-provided vector suggests exploitation may not be trivially reliable in all configurations.

Open Redirect Ivanti Xtraction
NVD
CVSS 3.1
4.0
EPSS
0.5%
CVE-2026-59084 CRITICAL Act Now

Cluster-communication confidentiality and integrity in Apache Tomcat can be undermined because the secure-configuration requirements for the EncryptInterceptor were never clearly documented, leaving operators liable to deploy the cluster session-replication channel insecurely. The flaw affects Tomcat 7.0.100-7.0.109, 8.5.38-8.5.100, 9.0.13-9.0.119, 10.1.0-M1-10.1.56 and 11.0.0-M1-11.0.23, and is fixed in 9.0.120, 10.1.57 and 11.0.24. It carries a CVSS 9.1 (C:H/I:H) but SSVC records exploitation as none, no public exploit identified at time of analysis, and the root cause is a documentation weakness (CWE-1059) rather than a code defect.

Information Disclosure Apache Tomcat Apache Tomcat
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-59083 CRITICAL Act Now

Security constraint bypass in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.119, 10.1.0-M1-10.1.56, 11.0.0-M1-11.0.23) lets remote attackers reach protected resources by abusing improperly handled hex URL encoding in the RewriteValve, defeating URL-pattern security constraints. Because the flaw resides in the rewrite valve, only deployments that use the RewriteValve together with security constraints are exposed, but where present an unauthenticated attacker (per CVSS PR:N) can access or manipulate resources meant to be restricted. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass Apache Tomcat Apache Tomcat
NVD VulDB HeroDevs
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-48001 LOW Monitor

Adobe Commerce is affected by an Information Exposure vulnerability that could lead to a limited disclosure of sensitive information. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

Adobe Information Disclosure Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
3.7
EPSS
0.6%
CVE-2026-54335 LOW PATCH GHSA Monitor

### Impact The `_.merge(target, source)` utility exported by `@feathersjs/commons` recursively merges `source` into `target` by iterating `Object.keys(source)`. When `source` was produced by `JSON.parse` and contains a `__proto__` (or `constructor` / `prototype`) key, that key is returned as an own-enumerable property. The recursive merge then resolves `target['__proto__']` to `Object.prototype` and writes the attacker-supplied properties onto it, polluting the prototype for all plain objects in the process for the lifetime of the Node process. **Scope of real-world risk is limited.** No first-party Feathers package routes input - trusted or untrusted - through `commons._.merge`. The `@feathersjs/authentication` package, which does merge request-influenced data, uses `lodash/merge` (prototype-pollution-safe since 4.17.12), not this utility. Exploitation therefore requires a downstream plugin or application to pass JSON-parsed, attacker-controlled input directly through the exported `_.merge`. ### Patches Fixed in `@feathersjs/commons@5.0.45`. The fix skips `__proto__`, `constructor`, and `prototype` keys during iteration - the standard remediation used by lodash and others. ### Workarounds Avoid passing JSON-parsed untrusted input through `commons._.merge`. Freezing `Object.prototype` or validating/sanitizing keys upstream also mitigates. ### Credit Reported responsibly by Andrew Ridings (@ridingsa).

Prototype Pollution Information Disclosure
NVD GitHub
CVSS 3.1
3.7
CVE-2026-44753 LOW Monitor

User account enumeration in SAP HANA Extended Application Services Classic Model (XSC) user self-service tools allows unauthenticated remote attackers to identify valid usernames and email addresses by crafting requests that elicit distinguishable server responses. The CWE-204 root cause - observable response discrepancy - means the application behaves differently for valid versus invalid accounts, leaking account existence without requiring credentials. CVSS scores this at 3.7 (AV:N/AC:H) reflecting network accessibility tempered by high attack complexity; no public exploit code or CISA KEV listing has been identified at time of analysis.

SAP Information Disclosure Sap Hana Extended Application Services Classic Model User Self Service
NVD VulDB
CVSS 3.1
3.7
EPSS
0.2%
CVE-2026-42447 LOW PATCH Monitor

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6.

Java XSS
NVD GitHub
CVSS 3.1
3.6
EPSS
0.1%
CVE-2026-45710 LOW GHSA Monitor

## Summary `WidgetVariante::renderVariantList` (`Core/Lib/Widget/WidgetVariante.php:298-330`) and `WidgetSubcuenta::renderSubaccountList` (`Core/Lib/Widget/WidgetSubcuenta.php:290-321`) build the `<tr onclick="...">` row for each modal hit by concatenating the user-controlled `referencia` / `codsubcuenta` field directly into a single-quoted JavaScript string literal inside an HTML `onclick` attribute. The defender's intuition is that `Tools::noHtml` (called in `Variante::test()` and `Subcuenta::test()`) replaces `'` with the HTML entity `&#39;`, neutralising the JavaScript string break. The intuition is wrong: HTML attribute parsing **decodes character references before** the JavaScript fragment is parsed, so `&#39;` becomes a literal `'` in the JavaScript context. An attacker who can store a value such as `1',alert(1),'2` in `Variante.referencia` (no special characters required, just one apostrophe) ends up with `widgetVarianteSelect('id', '1',alert(1),'2');` executing in any user's browser the moment they open the variant-picker modal. The recent `40bc701` and `8586b97` fixes corrected the same anti-pattern in three sister classes by switching to `data-reference="..."` + `this.dataset.reference`. The two widget classes audited here were missed by that fix wave. ## Details ### the offending code `Core/Lib/Widget/WidgetVariante.php:298-330`: ```php protected function renderVariantList(): string { $items = []; foreach ($this->variantes() as $item) { $match = $item->{$this->match}; $description = Tools::textBreak($item->description(), 300); ... $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' ... ``` `$this->match` defaults to `'referencia'` (`WidgetVariante::__construct`, line 42). `$item->referencia` was sanitised at write time by `Variante::test()` (`Core/Model/Variante.php:392`) which calls `Tools::noHtml($this->referencia)`. `Tools::noHtml` (`Core/Tools.php:499-504`) replaces `'`, `"`, `<`, `>` with `&#39;`, `&quot;`, `&lt;`, `&gt;`. The defender therefore expects that any apostrophe a user typed becomes `&#39;` in the database, which renders inside the `onclick` attribute as `&#39;` and cannot break out of the surrounding `'...'` JS string literal. `Core/Lib/Widget/WidgetSubcuenta.php:290-305` has the identical shape: ```php foreach ($this->subcuentas() as $item) { $match = $item->{$this->match}; ... $items[] = '<tr class="clickableRow" onclick="widgetSubaccountSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' . '<a href="' . $item->url() . '" target="_blank" onclick="event.stopPropagation();">' ... ``` `$this->match` defaults to `'codsubcuenta'`; the value is `Tools::noHtml`-encoded by `Subcuenta::test()` (`Core/Model/Subcuenta.php:213`). ### why HTML-entity escaping does not protect a JavaScript string Per the HTML5 spec (and what every browser actually does), the value of an HTML attribute is processed by the **character reference state** of the tokenizer before any consumer sees it. By the time the `onclick` attribute value reaches the script engine, the bytes inside are the *decoded* string. Concretely, the HTML the browser receives is: ```html <tr onclick="widgetVarianteSelect('id', '1&#39;,alert(1),&#39;2');"> ``` After the tokenizer decodes `&#39;` to `'`, the JavaScript fragment passed to the script engine is: ```javascript widgetVarianteSelect('id', '1',alert(1),'2'); ``` `alert(1)` runs as a third positional argument that JavaScript happily evaluates while building the call. The `widgetVarianteSelect` function ends up being called with four arguments and the side-effect of `alert(1)` (or any payload) has already occurred. The recent `40bc701` AccountingModalHTML and `8586b97` SalesModalHTML / PurchasesModalHTML fix recognised this. Both replaced the `onclick="...('"+ value +"')"` pattern with: ```php $tbody .= '<tr ... data-subaccount="' . $code . '" onclick="$(...).modal(\'hide\');' . ' return newLineAction(this.dataset.subaccount);">' ``` Where `$code = static::html($subaccount->codsubcuenta)` and `static::html` is `htmlspecialchars(html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The HTML5 entity decode is deliberate: it normalises any double-encoded data so that the subsequent `htmlspecialchars` produces stable single-encoded output. The JavaScript then reads the value from `this.dataset.*`, which is the post-decoded attribute value, where the original quote is now literally inside a string property and cannot break out of any quote context. `WidgetSubcuenta` and `WidgetVariante` were not migrated to this pattern. ### ways to plant the payload `Variante::test()` (`Core/Model/Variante.php:389-401`) accepts up to 30 characters in `referencia`. The minimum payload is 13 bytes (`1',alert(1),'2`), comfortably under the limit. The `Tools::noHtml` pass during `test()` produces the stored form `1&#39;,alert(1),&#39;2`, which is 22 bytes. Three plant primitives are practical: 1. **Direct create** via `EditProducto?action=save` with the attacker-controlled `referencia` field. Because `EditProducto` is exposed to any user with the `EditProducto` permission (which roles like *sales agent* and *warehouse manager* commonly carry), this is a within-tenant primitive: a low-privilege salesperson plants the payload, an admin opens any sales document and clicks the variant picker. 2. **DB write** by anyone with raw SQL access (DBA or shared-hosting admin). `INSERT INTO variantes (referencia, ...) VALUES ('1\',alert(1),\'2', ...)`. This is what I used for the live test; the plant is permanent until the row is deleted. 3. **Plugin / API import.** `ApiAttachedFiles` and the various import endpoints allow a low-privilege API key to land arbitrary `referencia` values that bypass the `EditProducto` `permissions->onlyOwnerData` filter. For `WidgetSubcuenta`, the `codsubcuenta` field is constrained to the exercise's `longsubcuenta` length (10 by default), and the regex-free `Tools::noHtml` pass turns one apostrophe into 5 bytes (`&#39;`), so the post-noHtml string must equal the configured length exactly. A 5-byte payload (`1','` is 4) plus padding is workable for compact bypass payloads such as `'+x+'` (where `x` is a previously-loaded global). DB-write planting (primitive 2) bypasses the length check entirely. ### why the recent fix wave missed this The fix wave centred on the `Lib/AjaxForms/*ModalHTML.php` files. Both audited widgets live in `Lib/Widget/` and look superficially safe to a reviewer because every value is `Tools::noHtml`-escaped at storage. The actual decoding step happens inside the browser, not the PHP code, so the defect is not visible in a `grep`-based review of the PHP source unless the reviewer specifically looks for `onclick="...('+ $field +')'` shapes that put a `Tools::noHtml`-escaped value in a JavaScript string position inside an HTML attribute. ## PoC > **Live PoC verified 2026-05-01** against `http://127.0.0.1:8081/` running facturascripts at commit `24281ca`. A `Variante.referencia` value of `1',alert(1),'2` (planted via raw DB write below) renders inside `widgetVarianteSelect('0', '1&#39;,alert(1),&#39;2');` in the modal grid; opening the variant-picker modal in any user's browser (low-priv or admin) fires `alert(1)` from the host page's realm. Setup: the admin session at `http://127.0.0.1:8081/` is at `/tmp/fs-cookie2`. Step 1 - plant the payload (any of the three primitives works). DB-write primitive: ```bash mysql -h127.0.0.1 -ufs -pfs facturascripts <<'SQL' INSERT INTO productos (referencia, descripcion, codimpuesto, sevende, secompra, bloqueado, nostock, publico, stockfis, ventasinstock, observaciones) VALUES ('XSSPRD', 'XSS via WidgetVariante', 'IVA21', 1, 1, 0, 1, 0, 0, 1, ''); INSERT INTO variantes (referencia, idproducto, precio, coste, margen, stockfis, codbarras) SELECT "1',alert('XSS-WidgetVariante'),'2", idproducto, 0, 0, 0, 0, '' FROM productos WHERE referencia='XSSPRD'; SQL ``` After the insert, `Variante::test()` did not run (the row was created via SQL), so the literal `'` survives. Even via the EditProducto UI primitive, the round trip through `Tools::noHtml` produces the encoded form `1&#39;,alert(...),&#39;2` which decodes back to the working payload at render time. Step 2 - open any controller that uses WidgetVariante with the default `match` (or any third-party plugin form that does so). Core ships two views (`Core/XMLView/EditAgente.xml`, `Core/XMLView/ListAgente.xml`) but both override `match="idproducto"`, so they are not exposed in stock core. Any plugin form that uses `<widget type="variante" .../>` without an explicit `match` attribute opts into the vulnerable code path. Trigger the variant-picker modal: ```bash $ curl -s -b /tmp/fs-cookie2 "http://127.0.0.1:8081/EditAgente?code=1" \ | grep -oE 'widgetVarianteSelect[^<>]{1,200}' | head -3 ``` When the modal renders `match=referencia`, the row in the response contains: ```html <tr class="clickableRow" onclick="widgetVarianteSelect('0', '1&#39;,alert(&#39;XSS-WidgetVariante&#39;),&#39;2');"> ``` The browser HTML-decodes the attribute value before passing it to the script engine, yielding the actual JavaScript `widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');`. The `alert` fires the moment the attribute is parsed for execution (i.e., when the user clicks the row, or when an automation script triggers the click programmatically), and the host realm's session, cookies, and CSRF tokens are exposed to the payload. For `WidgetSubcuenta`, the payload trigger is identical: any controller with `<widget type="subcuenta" fieldname="codsubcuentaXxx"/>` (`Core/XMLView/EditProducto.xml`, `EditCuentaBanco.xml`, `EditFamilia.xml`, `EditImpuesto.xml`, `EditRetencion.xml` are the in-tree consumers) renders the modal with `widgetSubaccountSelect('id', '<HTML-decoded codsubcuenta>')`. A `codsubcuenta` row planted with one apostrophe and five bytes of payload escapes the JS string and runs in the host page. ## Impact * **Stored XSS in any user's browser the moment they open a product or subaccount picker.** The execution context is the host page, with full access to the viewer's session, CSRF tokens, and the running application. From an admin viewer's perspective the payload achieves admin compromise (install plugins, change passwords); from a normal user's perspective it can be used to exfiltrate the user's data and pivot. * **Within-tenant escalation primitive.** `EditProducto` is a routinely granted role permission. A salesperson, warehouse user, or a plugin-supplied controller without `admin` rights can plant a payload that fires in admin's browser the next time admin opens any sales document and clicks the variant picker. * **Sister vulnerability to the `40bc701` / `8586b97` fix wave.** The maintainers already understand and have fixed the same anti-pattern in three sister classes; these two were missed and remain exploitable. CVSS reasoning: `AV:N`, `AC:L` (one DB or one form POST plant), `PR:H` (the planter must be authenticated and have either `EditProducto` or DB write or import-API access; with weaker roles the payload is also reachable), `UI:R` (the victim opens a form that renders the modal and triggers a click), `S:U` (the impact stays within the application), `C:L I:L A:N` (the viewer's session and CSRF token are exposed; integrity loss bounded by viewer's role). Score 4.8. ## Recommended Fix Mirror the `40bc701` and `8586b97` fix exactly. In both `Core/Lib/Widget/WidgetVariante.php:321` and `Core/Lib/Widget/WidgetSubcuenta.php:296`, replace: ```php $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' ``` with the data-attribute pattern that the modal helpers now use: ```php $encMatch = htmlspecialchars( html_entity_decode((string)$match, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); $items[] = '<tr class="clickableRow" data-match="' . $encMatch . '"' . ' onclick="widgetVarianteSelect(\'' . $this->id . '\', this.dataset.match);">' ``` (and the analogous change for `widgetSubaccountSelect`). The same approach should be applied to: * `WidgetSubcuenta::renderExerciseFilter` (`Core/Lib/Widget/WidgetSubcuenta.php:251-255`) where `$item->codejercicio` is interpolated into `<option value="...">`. Codes are short and predictable but the same escaping consideration applies for defence in depth. * `WidgetVariante::renderManufacturerFilter` (line 213) and `renderFamilyFilter` (line 197). Long term, the `BaseWidget::onclickHtml` and `inputHtml` builders (`Core/Lib/Widget/BaseWidget.php:163-167`, `234-239`, `273-283`) likewise concatenate `$this->value` into HTML attributes without context-aware escaping. Migrating them to use Twig (or at least `htmlspecialchars` with `ENT_QUOTES`) closes a class of bugs that today rely on every model's `test()` to be defensive. A regression test should plant a `Variante.referencia` of `1',alert(1),'2`, render the page through the live HTTP stack, and assert that no JavaScript dialog fires (e.g. via Playwright `page.on('dialog', ...)`).

PHP CSRF XSS
NVD GitHub
CVSS 3.1
3.5
CVE-2026-55035 LOW PATCH Exploit Unlikely Monitor

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.

Buffer Overflow Microsoft Information Disclosure Microsoft 365 Apps For Enterprise Microsoft Office 2016 +9
NVD
CVSS 3.1
3.3
EPSS
0.5%
CVE-2026-55139 LOW PATCH Exploit Unlikely Monitor

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.

Buffer Overflow Microsoft Information Disclosure Microsoft 365 Apps For Enterprise Microsoft Office 2016 +6
NVD
CVSS 3.1
3.3
EPSS
0.4%
CVE-2026-50665 LOW PATCH Exploit Unlikely Monitor

Information disclosure in Microsoft Office (Microsoft 365 Apps, Office 2016/2019, Office LTSC 2021/2024, and Office for Mac) arises from an out-of-bounds read (CWE-125) that lets an attacker who convinces a victim to open a crafted file read memory beyond an intended buffer boundary. Exploitation is local and requires user interaction, and there is no public exploit identified at time of analysis and no CISA KEV listing. Disclosed memory can leak sensitive data such as heap contents or pointer addresses useful for defeating ASLR in a follow-on exploit chain.

Buffer Overflow Microsoft Information Disclosure Microsoft 365 Apps For Enterprise Microsoft Office 2016 +6
NVD
CVSS 3.1
3.3
EPSS
0.3%
CVE-2026-57085 LOW PATCH Monitor

Out-of-bounds read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.

Buffer Overflow Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
3.3
EPSS
0.3%
CVE-2026-50678 LOW PATCH Exploit Unlikely Monitor

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

Heap Overflow Buffer Overflow Microsoft Microsoft 365 Apps For Enterprise Microsoft Excel 2016 +7
NVD
CVSS 3.1
3.3
EPSS
0.3%
CVE-2026-15642 LOW PATCH Monitor

Devolutions Server 2026.1.22.0 and 2026.2.11.0 exposes Azure Key Vault client secrets in cleartext within Recovery Kit response files, defeating an explicit 'exclude sensitive data' option that administrators rely on. Any party who obtains a copy of the generated response file can trivially read the credential without any decryption or tooling. No public exploit code exists and the vulnerability is not in CISA KEV; however, because successful exploitation yields a reusable cloud credential, the downstream blast radius in Azure environments substantially exceeds what the 3.3 CVSS base score suggests. A vendor-released patch is available.

Hashicorp Microsoft Information Disclosure Server
NVD
CVSS 3.1
3.3
EPSS
0.1%
CVE-2026-50416 LOW PATCH Exploit Unlikely Monitor

Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally.

Microsoft Information Disclosure Windows 11 Version 24H2 Windows 11 Version 25H2 Windows 11 Version 26H1 +2
NVD
CVSS 3.1
3.3
EPSS
0.4%
CVE-2026-50419 LOW PATCH Monitor

Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
3.3
EPSS
0.3%
CVE-2026-52839 LOW PATCH Monitor

Horizontal privilege escalation in Easy!Appointments prior to 1.6.0 permits any authenticated provider to inject appointments into a peer provider's calendar or reassign existing appointments across provider boundaries by supplying an arbitrary `id_users_provider` value to the `store` and `update` API endpoints. The asymmetry is stark: the `search` endpoint correctly enforces provider-scoped filtering, confirming the isolation boundary was intentionally designed - making this an incomplete implementation rather than a missing feature. An additional write-before-crash defect on the `store` path means the unauthorized database row is silently persisted even when the attacker receives an HTTP error response. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass Easyappointments
NVD GitHub
CVSS 3.1
3.3
EPSS
0.1%
CVE-2026-12482 LOW Monitor

Symlink entries in malicious tar archives bypass the `filter_safe_tarinfos` validation in Keras 3.12.0, enabling directory escape that can read or overwrite arbitrary files on the host filesystem. The root defect is in `keras/src/utils/file_utils.py`, where `is_path_in_dir` path containment checks are applied only to regular file entries - symlink entries are extracted without equivalent validation. The exposure is most severe on Python 3.10 and 3.11, where `filter_safe_tarinfos` is the sole extraction safeguard; no public exploit or active exploitation has been identified at time of analysis.

Python Path Traversal Keras Team Keras
NVD
CVSS 3.0
3.1
EPSS
0.3%
CVE-2026-21840 LOW Monitor

HCL BigFix Platform is affected by a user enumeration vulnerability which might allow an attacker, through careful system control and response time monitoring, to perform some level of user enumeration for the BigFix service.

Information Disclosure
NVD
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-15058 LOW PATCH Monitor

Improper authorization in Devolutions Server's secure messages deletion endpoint exposes an Insecure Direct Object Reference (IDOR) flaw allowing any authenticated user to permanently delete secure messages belonging to other users simply by supplying a target message identifier. Affected versions are 2026.2.11 and 2026.1.22; patched releases 2026.1.23 and 2026.2.12 are available per the vendor advisory. No public exploit identified at time of analysis, and the low CVSS score of 3.1 reflects constrained impact (integrity only, no data disclosure) paired with high attack complexity.

Authentication Bypass Server
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-52841 LOW PATCH Monitor

OAuth provider rebinding in Easy!Appointments prior to version 1.6.0 allows any authenticated backend user - including low-privilege secretary and provider roles - to silently hijack a peer provider's Google Calendar integration by supplying an arbitrary provider_id to the OAuth initiation endpoint. The attacker completes a legitimate Google OAuth flow with their own Google account, which the application then binds to the victim provider's database row without verifying ownership. From that point forward, every appointment on the victim's schedule syncs to the attacker's Google Calendar, leaking customer names and email addresses as attendee data. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Google Authentication Bypass PHP Easyappointments
NVD GitHub
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-48329 LOW Monitor

ColdFusion is affected by an Insufficient Session Expiration vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

Authentication Bypass Coldfusion
NVD
CVSS 3.1
2.7
EPSS
0.4%
CVE-2026-52840 LOW PATCH Monitor

Server-side request forgery in Easy!Appointments prior to 1.6.0 allows authenticated backend users - admins, providers, or secretaries - to probe internal network hosts by supplying arbitrary URLs to the CalDAV synchronization endpoint. The Guzzle HTTP client in `Caldav.php:60` forwards a REPORT request to the caller-supplied `caldav_url` without validating the scheme or destination host, enabling access to loopback, RFC1918, and link-local addresses on the deployment network. The SSRF is semi-blind, returning up to approximately 120 bytes of upstream response body through the exception path; no public exploit has been identified, exploitation requires an active backend account, and version 1.6.0 resolves the issue.

SSRF PHP Easyappointments
NVD GitHub
CVSS 3.1
2.7
EPSS
0.2%
CVE-2026-52838 LOW PATCH Monitor

Stored XSS in Easy!Appointments versions prior to 1.6.0 allows an authenticated administrator to inject arbitrary HTML or JavaScript into the 'booking disabled' message field via the booking settings rich-text editor. The unsanitized value is rendered directly to every unauthenticated visitor who opens the public booking page while booking is disabled, crossing a scope boundary from admin context to anonymous public users. No public exploit has been identified at time of analysis; CVSS rates this 2.6 (Low) driven by the administrator-level privilege requirement, though the persistent cross-scope impact on all public visitors is a meaningful secondary risk factor.

XSS Easyappointments
NVD GitHub
CVSS 3.1
2.6
EPSS
0.2%
CVE-2026-15753 LOW Monitor

The payment withdrawal approval endpoint in xianyu-auto-reply executes state-changing financial approval actions in response to HTTP GET requests, violating the HTTP safe-method contract and enabling unintended approvals through automated link-prefetching clients. Any low-privileged authenticated user possessing a valid review token can approve withdrawal requests by issuing a GET to /api/v1/payment/withdraw/review?action=approve, and more critically, email clients or mail-security gateways that automatically prefetch URLs can trigger approvals silently when an administrator receives a notification email. A proof-of-concept has been publicly disclosed per CVSS 4.0 E:P; no CISA KEV listing or confirmed active exploitation was identified at time of analysis.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15619 LOW Monitor

Server-side request forgery in mosaxiv clawlet up to version 0.2.10 allows remote attackers to manipulate the server into issuing arbitrary HTTP requests by supplying a crafted URL to the web_fetch function in tools/tool_web_fetch.go via the IPv4 Handler. The CVSS 4.0 score of 2.1 reflects limited practical impact, constrained further by a user-interaction requirement (UI:P) and low CIA impact metrics. Publicly available exploit code exists (E:P per CVSS 4.0 supplemental vector), and the upstream maintainer has closed the tracking issue as 'not planned', meaning no official fix will be released.

SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15750 LOW Monitor

A weakness has been identified in mastergo-design mastergo-magic-mcp up to 0.2.0. Impacted is the function z.string of the file src/tools/get-component-link.ts of the component mcp__getComponentLink. Executing a manipulation of the argument url can lead to server-side request forgery. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
Prev Page 19 of 20 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy