Skip to main content
CVE-2025-62826 MEDIUM This Month

HTTP Response Splitting in Fortinet FortiOS and FortiProxy captive portal authentication flows enables a man-in-the-middle attacker to inject arbitrary HTTP headers into intercepted authentication requests. Affected platforms span FortiOS 7.2-7.6.4 and FortiProxy 7.2-7.6.4. The CVSS temporal vector includes E:P, confirming proof-of-concept exploit code exists; however, no active exploitation has been confirmed via CISA KEV. The RL:O temporal indicator confirms an official remediation is available per vendor advisory FG-IR-26-153.

Fortinet Code Injection Fortipam Fortiproxy Fortios
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-62675 MEDIUM This Month

HTTP Response Splitting in Fortinet FortiOS and FortiProxy enables an attacker who holds a valid web filter override token to inject arbitrary HTTP headers into server responses by tricking a user into clicking a crafted link. Affected versions span FortiOS 7.2 through 7.6.4 and FortiProxy 7.2 through 7.6.4. No active exploitation has been confirmed by CISA KEV, though the CVSS temporal vector includes E:P, indicating partial proof-of-concept evidence exists. Real-world impact is constrained by the requirement to possess a valid web filter override token and to achieve user interaction.

Fortinet Code Injection Fortios Fortipam Fortiproxy
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15718 MEDIUM This Month

Information disclosure in Mozilla Firefox via CWE-763 (Release of Invalid Pointer or Reference) allows network-based attackers to read limited memory contents from affected browser instances. All Firefox versions prior to 152.0.6 are affected. Publicly available exploit code exists, though Mozilla reports no confirmed attacks in the wild; user interaction is required to trigger the flaw, moderately reducing real-world exposure.

Mozilla Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9341 MEDIUM This Month

Insecure Direct Object Reference in the Academy LMS WordPress plugin (all versions through 3.8.0) allows authenticated attackers with Subscriber-level access to read, overwrite, or delete the private lesson notes of any user - including administrators - and to falsify lesson-completion records for arbitrary accounts. Three AJAX handlers (save_lesson_note, get_lesson_note, complete_lesson_video) perform no ownership validation on a user-controlled key, making cross-user data manipulation trivially achievable by any registered site user. No public exploit identified at time of analysis, but the attack surface is fully described via Wordfence's public threat-intelligence entry and source-level code references.

Authentication Bypass WordPress Academy Lms
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-62393 MEDIUM This Month

Improper authorization in Apache Kylin's REST API job endpoints allows authenticated users to retrieve job metadata from projects they are not authorized to access. The `JobController.getJobList` and `JobController.getJobDetail` endpoints lack project-scoped permission verification, meaning any authenticated user can query build job information across project boundaries within a shared Kylin deployment. Apache Kylin versions 4 through 5.0.3 are affected; no public exploit code or active exploitation has been identified at time of analysis.

Apache Authentication Bypass Kylin
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2026-44771 MEDIUM This Month

Privilege escalation in SAP S/4HANA's Draft Operation component allows authenticated restricted users to read entity data beyond their authorized scope due to missing authorization checks. The flaw, classified under CWE-862, is exploitable over the network without elevated privileges, resulting in low confidentiality impact with no effect on integrity or availability. No public exploit code or active exploitation has been identified at time of analysis, keeping real-world risk bounded despite the network-accessible attack vector.

SAP Authentication Bypass Sap S 4Hana Draft Operation
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44770 MEDIUM This Month

Missing authorization in SAP S/4HANA's Create Single Payment function exposes restricted entity set keys to authenticated but low-privileged users. The flaw (CWE-862) allows a restricted user to query specific payment-related entity sets beyond their intended access scope, resulting in low-impact confidentiality leakage with no effect on data integrity or system availability. No public exploit code exists and this vulnerability is not listed in CISA KEV; EPSS data was not provided, but the CVSS 4.3 medium score and limited impact scope suggest low exploitation urgency.

SAP Authentication Bypass Sap S 4 Hana Create Single Payment
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-55608 MEDIUM PATCH GHSA This Month

## Summary In multi-tenant HTTP mode (`ENABLE_MULTI_TENANT=true`), an authenticated tenant could, under certain conditions, reach n8n-mcp's local default-scope `workflow_versions` backups instead of being confined to its own tenant scope. This affects n8n-mcp's own local workflow-version storage, not a normal n8n API capability. ## Impact An authenticated MCP HTTP tenant could read or delete workflow-version backups stored in the default (single-tenant) scope - for example backups left from a prior single-tenant deployment or a migration period. Workflow snapshots may contain sensitive workflow configuration depending on their contents. Single-tenant and stdio deployments are not affected. ## Affected versions `<= 2.57.3` ## Patched version `2.57.4` ## Remediation Upgrade to n8n-mcp `2.57.4` or later. The fix requires a complete tenant context in multi-tenant mode and fails closed for workflow-version access that cannot be attributed to a specific tenant. ## Workarounds - Restrict network access to the HTTP endpoint (firewall / reverse proxy / VPN) so only trusted callers can reach it. - Run in stdio mode, which has no multi-tenant HTTP surface. - If default-scope backups from a prior single-tenant deployment are not needed, removing them eliminates the exposure. ## Credit Reported by @DavidCarliez.

Information Disclosure
NVD GitHub
CVSS 3.1
4.2
EPSS
0.3%
CVE-2026-44768 MEDIUM This Month

Script injection in SAP CRM WebClient UI is enabled by absent Content Security Policy (CSP) directives for certain restrictive headers, allowing an authenticated low-privileged attacker to inject malicious JavaScript that executes in a victim user's browser session. The CVSS vector (PR:L/UI:R/S:C) confirms this requires both an authenticated attacker and victim interaction, with a cross-scope impact consistent with browser-context script execution. No public exploit code or CISA KEV active exploitation listing has been identified at time of analysis, and impact is bounded to low integrity with no confidentiality or availability consequence.

SAP Code Injection Sap Crm Webclient Ui
NVD
CVSS 3.1
4.1
EPSS
0.2%
CVE-2026-14902 MEDIUM This Month

Open redirect in Ivanti Xtraction before 2026.2.1 enables remote unauthenticated attackers to craft URLs that silently forward users to arbitrary external destinations. The vulnerability carries a Scope:Changed rating (S:C) in the CVSS vector, reflecting that the impact extends beyond the vulnerable application to the user's browser environment - a hallmark of effective phishing and credential harvesting campaigns. No public exploit code and no CISA KEV listing exist at time of analysis, and the AC:H metric in the vendor-provided vector suggests exploitation may not be trivially reliable in all configurations.

Open Redirect Ivanti Xtraction
NVD
CVSS 3.1
4.0
EPSS
0.5%
CVE-2026-52828 MEDIUM PATCH GHSA This Month

Privilege escalation in Kimai time-tracking software (<=2.57.0) allows authenticated TEAMLEAD users to create and modify global export templates that are intended to be administrator-only resources. The web controller routes `createExportTemplate` and `editExportTemplate` in `ExportController` inherit only the class-level `create_export` permission - granted to ROLE_TEAMLEAD - while the API endpoints and UI correctly enforce the stricter `create_export_template` permission restricted to ROLE_ADMIN and ROLE_SUPER_ADMIN. Because ExportTemplate entities have no per-user or per-team scoping, a TEAMLEAD can silently alter organization-wide export configurations affecting all users including administrators. No public exploit is confirmed at time of analysis, though a private PoC was submitted to the vendor and subsequently removed.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52826 MEDIUM PATCH GHSA This Month

Cross-scope billing rate manipulation in Kimai 2.56.0 allows authenticated users with edit access to any single project, customer, or activity to tamper with rate configurations belonging to entirely different organizational units they are not authorized to access. The root cause is missing parent-child consistency validation in three Web admin rate-editing endpoints, where the controller validates the authenticated user's access to the parent object but never verifies that the child rate record actually belongs to that same parent. A PoC was privately submitted and subsequently removed from the advisory before public disclosure; no public exploit code is circulating and no CISA KEV active-exploitation listing exists at time of analysis.

Authentication Bypass
NVD GitHub
CVE-2026-52825 MEDIUM PATCH GHSA This Month

Improper authorization in Kimai's Team API endpoints allows an authenticated Teamlead to add users and activities to their team that fall outside their intended management scope, bypassing the access boundaries enforced by the frontend. Affected versions are Kimai <= 2.57.0 (composer package kimai/kimai). A proof-of-concept was reportedly created but withheld; no public exploit code is currently available and this vulnerability is not listed in CISA KEV. Once a Teamlead writes an out-of-scope team relation, downstream authorization logic may treat those relations as legitimate, silently expanding access to time entries, project visibility, and reporting for the affected users and activities.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52823 MEDIUM PATCH GHSA This Month

Cross-site request forgery in Kimai's timesheet API allows an unauthenticated attacker to trigger unauthorized state changes against any logged-in victim by embedding malicious GET requests in attacker-controlled pages. Kimai versions up to and including 2.57.0 expose the `stop` and `restart` timesheet operations as HTTP GET routes, which browsers will follow automatically using the victim's active session cookie - no CSRF token is required. Impact is limited to timesheet data integrity and availability (corrupted time records, unauthorized entries, billing distortion), not system compromise; no public exploit is confirmed at time of analysis, and no active exploitation has been reported by CISA KEV.

PHP CSRF
NVD GitHub
CVE-2026-52822 MEDIUM PATCH GHSA This Month

Permission revocation bypass in Kimai's timesheet restart and duplicate workflows allows authenticated users to create new database-persisted time entries under projects they no longer have access to. Affecting Kimai up to and including version 2.57.0, the flaw exists because `TimesheetVoter.php` evaluates the `*_own_timesheet` ownership branch before team-based access checks, meaning a historical timesheet entry acts as a durable capability token that survives administrative revocation. No public exploit is available - a PoC was reportedly submitted to the project and then redacted - and this vulnerability is not listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52821 MEDIUM PATCH GHSA This Month

Improper object-level authorization in Kimai 2.56.0 allows any authenticated user holding the generic `create_activity` permission to inject Activity records into projects outside their authorized scope by directly invoking the preset-project creation routes with an arbitrary project ID. The controllers in `ActivityController.php` and `ProjectController.php` validate only the global capability (can the user create activities at all?) without performing a secondary check that the user also has edit rights on the specific target project. No public exploit exists at time of analysis, though a PoC was privately shared with the vendor and subsequently removed; the vendor has released a fix in version 2.57.0.

PHP Authentication Bypass
NVD GitHub
CVE-2026-54707 MEDIUM This Month

OnionShare's Receive mode incorrectly writes uploaded files to disk even when the operator has explicitly disabled file uploads, allowing unauthenticated remote attackers over Tor to bypass the access-control setting and deposit files on the host system. This affects deployments where operators have configured the 'disable uploads' option with an expectation that no inbound file writes will occur. No public exploit code or CISA KEV listing is identified at time of analysis, but the logic bypass is straightforward and exploitable against any exposed OnionShare Receive-mode instance with uploads disabled.

Information Disclosure
NVD
CVE-2026-54706 MEDIUM This Month

OnionShare fails to restrict symlink traversal within shared directories, allowing any recipient of a file share to read arbitrary local files on the sharer's machine. When a user shares a directory containing symbolic links, OnionShare follows those links and serves the linked files over the Tor .onion URL - including files and directories outside the intended share root. This is an information-disclosure vulnerability affecting users of OnionShare who share directories that contain symlinks, whether knowingly or not. No public exploit code or active exploitation has been identified at time of analysis, and the issue was reported through Ubuntu's vendor security channel.

Information Disclosure
NVD
CVE-2026-61626 MEDIUM This Month

Out-of-bounds bit clear operations in a Matroska container format parser allow processing of maliciously crafted media files containing negative ReadOrder field values to corrupt memory. The vulnerability arises when a negative integer ReadOrder value is used without adequate sign checking, causing bit-clear write operations to target memory locations outside the intended buffer boundary. Affected deployments include software in the Ubuntu ecosystem that parses Matroska (.mkv/.webm) files; no public exploit has been identified at time of analysis and CISA KEV status is not confirmed.

Buffer Overflow
NVD
CVE-2026-61627 MEDIUM This Month

Out-of-bounds read and write conditions exist in the `wrap_lines_measure` function, as tracked under GHSA-pjjp-65r7-ppgm and reported by Ubuntu. Memory corruption of this class - simultaneous OOB read and write - typically enables attackers to leak sensitive memory contents and corrupt heap or stack state, potentially leading to arbitrary code execution or process crash depending on exploitability conditions. No CVSS vector, EPSS score, KEV status, or POC availability data was supplied, so severity and real-world risk cannot be quantified with confidence at this time.

Buffer Overflow
NVD
Prev Page 6 of 6

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy