Skip to main content
CVE-2026-61435 HIGH PATCH This Week

Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invocation endpoints when the deployment runs with PRAISONAI_CALL_AUTH=disabled. Because the localhost-only safeguard derives the bind host from the client-supplied HTTP Host header, an attacker on the network can send a spoofed 'Host: 127.0.0.1' header to defeat the restriction and both enumerate and invoke registered agents. Vendor patch is available (reported by VulnCheck); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Praisonai
NVD GitHub
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-58077 HIGH This Week

Unauthenticated stored cross-site scripting in the 4Analytics analytics extension for Joomla (by weeblr.com) lets a remote attacker inject persistent JavaScript through a specially crafted request, with no login required. Because the payload is stored and later rendered in a privileged context, it can escalate to full website takeover under some conditions. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS 4Analytics Extension For Joomla
NVD
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-59762 HIGH PATCH This Week

Memory-exhaustion denial of service in F5 BIG-IP affects any virtual server configured with an HTTP/2 profile, where a remote unauthenticated attacker sends undisclosed crafted requests that drive Traffic Management Microkernel (TMM) memory consumption upward until TMM restarts. This is a data-plane-only issue with no control-plane exposure, and it also impacts the BIG-IP Next family (Kubernetes, SPK, CNF). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the vendor rates it CVSS 4.0 8.7 (High).

Denial Of Service Big Ip Big Ip Next For Kubernetes Big Ip Next Spk Big Ip Next Cnf
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56679 HIGH PATCH This Week

Authentication bypass in 9Router (AI router & token saver) prior to 0.5.4 lets any authenticated user disable application-wide login by abusing a mass-assignment flaw in the PATCH /api/settings endpoint. Because the endpoint persists the entire request body without a field whitelist, a low-privileged user can flip security-critical settings such as requireLogin, thereby exposing sensitive routes like /api/keys and /api/providers to unauthenticated access. No public exploit identified at time of analysis; the issue is fixed in version 0.5.4.

Information Disclosure 9Router
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-15804 HIGH PATCH This Week

SQL injection in MetaGuru's HCM (Human Capital Management) platform lets authenticated remote attackers inject malicious SQL through specific request parameters, yielding full read/write control over the backing database and its confidentiality, integrity, and availability. The flaw was reported by TWCERT (Taiwan CERT) and carries a CVSS 4.0 base score of 8.7; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because valid low-privilege credentials are required (PR:L), risk concentrates in environments where accounts are broadly provisioned or credentials can be phished/reused.

SQLi Hcm
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-55723 HIGH PATCH This Week

Configuration injection in F5 NGINX Ingress Controller lets an authenticated Kubernetes user with rights to create or modify Ingress CRDs or annotations smuggle arbitrary NGINX directives into the generated configuration. Because multiple user-controllable fields are written to the config without sanitization, an attacker can inject directives that create or delete files and disable services on the control plane. No public exploit identified at time of analysis; this is a control-plane-only issue with no data plane exposure, but the CVSS 4.0 score of 8.7 (High) reflects strong confidentiality and integrity impact.

Nginx Kubernetes Code Injection Nginx Ingress Controller
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-33445 HIGH PATCH This Week

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep, low-level command of the tunnel protocol to corrupt server-side memory management and keep the server down. The flaw carries a CVSS 4.0 base score of 8.7 driven entirely by an availability (VA:H) impact, with no confidentiality or integrity consequence. No public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world exploitation appears unproven.

Secure Access Denial Of Service
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-45535 HIGH PATCH This Week

Stored SQL injection in DataEase (open source data visualization/BI tool) versions prior to 2.10.23 allows an authenticated user who can define SQL-type datasets to persist malicious SQL through variable defaultValue entries, which later execute against the backend database whenever any user with dataset read permission opens the dataset. The flaw (CWE-89) enables reading and modifying arbitrary database data, and CVSS 4.0 rates it 8.7 (High). No public exploit has been identified at time of analysis, but the upstream fix commit is public, so exploitation prerequisites are well documented.

SQLi Dataease
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-57996 HIGH PATCH This Week

Privilege escalation in phpMyFAQ before 4.1.5 lets a delegated administrator holding USER_ADD/EDIT/DELETE rights mint a full SuperAdmin account through the POST /admin/api/user/add endpoint, resulting in complete instance takeover. The flaw stems from a missing SuperAdmin authorization guard, allowing a lower-privileged operator to submit isSuperAdmin: true with attacker-chosen credentials and then log in as that account. Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Phpmyfaq
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-57832 HIGH This Week

SQL injection in EDocman, the Joomla download/document manager extension by Joomdonation, allows remote unauthenticated attackers to inject arbitrary SQL through the extension's request handling (CWE-89). The CVSS 4.0 score of 8.7 reflects high confidentiality impact with no required privileges or user interaction, meaning database contents can be extracted directly over the network. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.

SQLi Edocman Extension For Joomla
NVD VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-57831 HIGH This Week

SQL injection in the DPCalendar extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a vulnerable parameter, per the CVSS:4.0 vector (PR:N/UI:N). With confidentiality-only impact rated High and no integrity or availability effect, the flaw primarily enables theft of Joomla database contents such as user records, session data, and configuration secrets. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal was provided.

SQLi Dp Calendar Extension For Joomla
NVD VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-45417 HIGH PATCH This Week

SQL injection in DataEase before 2.10.23 lets an authenticated low-privilege user compromise the backend datasource by abusing the datasource connection-status check, where io.dataease.datasource.provider.CalciteProvider#checkStatus concatenates the user-controlled configuration.getSchema() value into getTablesSql and runs it via executeQuery. Because the schema/owner string is embedded directly into metadata queries for DB2, SQL Server, PostgreSQL, Oracle and other datasources, an attacker who can create or edit a datasource can inject arbitrary SQL and read or alter data on the connected database. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the root cause is confirmed by the vendor commit that replaces string concatenation with parameterized PreparedStatements.

SQLi PostgreSQL Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-54498 HIGH POC PATCH GHSA This Week

Stored/reflected XSS in the ViewComponent Rails gem (versions >= 4.0.0, < 4.12.0) arises because HTML-unsafe strings returned from a component's around_render hook bypass the automatic escaping applied to normal #call output, letting attacker-controlled data reach the browser as raw HTML. The flaw is amplified in collection rendering, where Collection#render_in joins per-item output and blindly marks it html_safe, laundering unsafe content into a trusted SafeBuffer. Publicly available exploit code exists (a detailed PoC in the GitHub advisory), but there is no public exploit identified as actively used in the wild; a vendor patch is available in v4.12.0.

CSRF XSS
NVD GitHub
CVSS 3.1
8.7
CVE-2026-45320 HIGH PATCH This Week

{deptId}. The root cause is SqlparserUtils.transFilter() returning raw, unsanitized user input for operators other than 'in'/'between', which is then string-spliced into the dashboard query via SubstitutedSql.replace(). No public exploit identified at time of analysis and it is not in CISA KEV, but the vendor GHSA advisory, fixing commit, and 2.10.23 release confirm the flaw is real and patched.

SQLi Dataease
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62389 HIGH PATCH This Week

Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. No public exploit has been identified at time of analysis, and the flaw was disclosed by VulnCheck with a vendor patch already available.

Denial Of Service Ws
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-60085 HIGH PATCH This Week

Security-policy bypass in PraisonAI before 4.6.78 renders the default Subprocess Sandbox backend inert, so administrator-defined blocked_commands, blocked_paths, blocked_imports, allow_subprocess, and allow_file_write restrictions are silently ignored. Any actor able to feed instructions into a PraisonAI agent can execute arbitrary subprocess commands, read sensitive files, and perform destructive file operations even though an explicit deny policy is configured. Reported by VulnCheck with a CVSS 4.0 base score of 8.7; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Praisonai
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-58655 HIGH PATCH This Week

Stored server-side template injection in Grav's bundled Flex Objects plugin (getgrav/grav-plugin-flex-objects) before 1.4.0 lets a low-privileged content author inject Twig code through the dynamic collection/object title frontmatter, which is passed unsanitized to template_from_string() and executed. Because the title path bypasses Grav's Security::cleanDangerousTwig() filter, an attacker can reach internal Grav services such as the scheduler and escalate arbitrary Twig evaluation to full remote command execution. Reported by VulnCheck with a CVSS 4.0 base score of 8.7 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV.

RCE Code Injection Grav
NVD GitHub
CVSS 4.0
8.7
EPSS
1.1%
CVE-2026-56339 HIGH PATCH This Week

Unauthenticated organization enumeration in Capgo before 12.128.2 lets attackers abuse the Supabase PostgREST SECURITY DEFINER RPC public.rescind_invitation, which returns distinguishable NO_ORG versus NO_RIGHTS errors when invoked with only a publishable (anon) API key. This oracle lets remote unauthenticated attackers confirm which organization IDs exist, building a target list for follow-on phishing and social engineering. Reported by VulnCheck; no public exploit code and no CISA KEV listing at time of analysis.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59235 HIGH PATCH This Week

Broken function-level authorization in Prospero Flow CRM before 5.5.3 lets any authenticated low-privileged user (e.g. the standard 'User'/'Usuario' role) read every bank account record belonging to their company via GET /api/bank-account. The API route is guarded only by auth:api with no permission gate — unlike the web equivalent, which enforces can('read bank') — so any valid bearer token returns sensitive banking data (IBAN, SWIFT/BIC, account identifiers). A vendor patch exists (5.5.3) and the fixing commit is public; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV.

Authentication Bypass PHP Prospero Flow Crm
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-57833 HIGH This Week

Stored cross-site scripting in the 4Analytics privacy analytics extension for Joomla (by weeblr.com) lets unauthenticated attackers inject persistent JavaScript that executes when a victim views the AI analysis feature. Because injection requires no authentication (PR:N) but execution requires a victim to open the affected view (UI:A), an attacker can seed malicious script that later runs in a privileged operator's browser session. There is no public exploit identified at time of analysis and the extension is not listed in CISA KEV.

XSS 4Analytics Extension For Joomla
NVD
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-15583 HIGH This Week

Server-side request forgery and credential theft in Grafana MCP Server lets an unauthenticated remote attacker steal the server's environment-configured Grafana service-account token by sending a crafted X-Grafana-URL request header, and pivot to reach arbitrary internal services including cloud metadata endpoints. The token grants the attacker the MCP server's full Grafana privileges, and the SSRF primitive exposes internal infrastructure behind the network perimeter. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed) rating and unauthenticated network vector make this a high-priority fix.

Grafana SSRF Grafana Mcp Server
NVD VulDB
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-15895 HIGH PATCH This Week

OS command injection in AWS jsii-diff before 1.131.0 lets a context-dependent attacker execute arbitrary shell commands when a victim runs the tool against an attacker-controlled 'npm:' source specifier. The npm package-loading component fails to sanitize the package specifier before passing it to a shell, so a crafted specifier is interpreted as a command. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; a vendor-released patch (v1.131.0) is available.

Node.js Command Injection
NVD GitHub
CVSS 4.0
8.4
EPSS
1.2%
CVE-2026-9770 HIGH PATCH This Week

Use of a hard-coded, device-shared cryptographic private key in TP-Link Kasa EC71 v4 and EC70 v4 camera firmware lets an adjacent-network attacker impersonate the device's web management service and break its transport encryption. Because the same private key is baked into every unit's read-only filesystem, anyone who extracts it from one firmware image can passively decrypt or actively man-in-the-middle traffic to any other device on the local network without authentication. TP-Link (the reporting vendor) has released fixed firmware; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV.

Information Disclosure Kasa Ec71 V4 Kasa Ec70 V4
NVD VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-61836 HIGH PATCH This Week

Cross-context cache disclosure in Directus before 12.0.0 lets share-token holders and anonymous clients receive permission-filtered responses that were cached for a differently-scoped principal, because the cache key omits authorization context. When response caching is enabled, the key derived in api/src/utils/get-cache-key.ts covers only version, path, query, and accountability.user; since share tokens and anonymous requests both collapse to user null, requests to the same URL and query share a cache bucket and skip permission re-evaluation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is a straightforward, config-dependent information-disclosure issue fixed in 12.0.0.

Information Disclosure Directus
NVD GitHub
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-61446 HIGH PATCH This Week

Arbitrary code execution in PraisonAI (praisonaiagents) before 1.6.78 lets an attacker who can drop a Python file into a plugin directory run their own code. The plugin manager auto-discovers and executes any .py file found in project-level or user-home .praisonai/plugins/ directories at initialization, with no code signing, integrity checks, or sandboxing. VulnCheck reported it under CWE-94; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python Path Traversal RCE Code Injection Praisonai
NVD GitHub
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-61443 HIGH PATCH This Week

Path-traversal remote code execution in PraisonAI (mervinpraison/praisonai) before 1.6.78 lets an authenticated agent user abuse SkillTools.run_skill_script(), which executes skill scripts without validating that the supplied path stays inside the intended working directory. Because absolute file paths are accepted, a low-privileged attacker can point the skill runner at any executable script on the host and run it. No public exploit code has been identified and it is not in CISA KEV, but the flaw was reported by VulnCheck and a GitHub Security Advisory (GHSA-c44f-37qr-gw3f) confirms the fix.

Path Traversal RCE Praisonai
NVD GitHub
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-56398 HIGH PATCH This Week

Stored cross-site scripting in Open WebUI before 0.9.5 lets an attacker plant a malicious SVG as a victim's OAuth profile image and execute script in the application's origin. During OAuth login, the `picture` claim URL is fetched and its MIME type is guessed from the file extension rather than the response Content-Type, so a `.svg` URL is stored as a `data:image/svg+xml;base64,...` URI that bypasses the profile-image allowlist; when an authenticated user opens the profile image endpoint the SVG is served inline with no default CSP, running JavaScript that reads `localStorage.token` for account takeover. Reported by VulnCheck with a detailed GHSA source-code advisory; no public exploit identified at time of analysis and it is not in CISA KEV.

XSS Open Webui
NVD GitHub
CVSS 4.0
8.5
EPSS
0.3%
CVE-2026-55234 HIGH This Week

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user with write access to their own board relocate cards, lists, or swimlanes into a private board they do not belong to. The DDP update allow rules only authorize against the document's stored (source) boardId and never validate the attacker-supplied destination boardId in the update modifier, so /cards/update, /lists/update, and /swimlanes/update can be abused to inject content across a trust boundary. No public exploit identified at time of analysis, but the fixing commit and advisory publicly document the exact bypass, lowering the barrier to reproduction.

Authentication Bypass Wekan
NVD GitHub
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-40952 HIGH PATCH This Week

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-privileged local user to gain Administrator rights when the software is installed to a non-default directory, due to an insecure installer permission configuration. Absolute (formerly NetMotion) assigns this a CVSS 4.0 base score of 8.5 (High), reflecting full local compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Microsoft Secure Access Privilege Escalation
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-45419 HIGH PATCH This Week

Arbitrary file write in DataEase (open-source BI/data-visualization platform) before 2.10.23 lets an authenticated user (PR:L) abuse the /de2api/templateManage/save template-save endpoint to write attacker-controlled Base64 content to arbitrary filesystem paths. Because StaticResourceServer#saveFilesToServe extracted the filename using only a forward-slash split, crafted staticResource names containing traversal sequences or backslashes escaped the intended static-resource directory. No public exploit or CISA KEV listing is identified at time of analysis, though the fixing commit and advisory are public.

Path Traversal Dataease
NVD GitHub
CVSS 4.0
8.5
EPSS
0.3%
CVE-2026-61828 HIGH PATCH This Week

Local privilege escalation to MySQL root in the NixOS services.mysql module (Nixpkgs, before the 25.11 and 26.05 channel fixes) lets any unprivileged local account - including web, CGI, or other service processes on the same host - authenticate as the database root@localhost user with no password when the module is deployed with the mysql or percona-server package. Because the module initialized root@localhost without socket or password authentication, the DBMS trusted any local connection as root, granting full read/write control over all databases. No public exploit code has been identified at time of analysis and it is not in CISA KEV, but exploitation is trivial for any local process meeting the precondition.

Privilege Escalation Nixpkgs
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-61433 HIGH PATCH This Week

Code injection in PraisonAI before 4.6.78 lets attackers who control deployment configuration achieve arbitrary Python execution because the API-server deployment generator fails to safely encode the deploy.api.host and agents_file values before emitting them into generated Python source (CWE-94). Injected expressions run when the generated API server starts or handles requests, yielding full code execution in the server process. No public exploit is identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.

Python RCE Code Injection Praisonai
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-8920 HIGH This Week

Arbitrary file operations in ASUS Aura Wallpaper Service allow a low-privileged local user to send crafted commands that carry an attacker-controlled file path, bypassing the service's intended path restrictions and abusing its higher-privileged context. Because the service exposes a communication channel that fails to properly restrict callers or validate file names (CWE-923), a local user can read, write, or manipulate files outside the intended scope, with high impact to confidentiality, integrity, and availability; on certain ASUS models exploitation can also render a single feature unavailable. No public exploit is identified at time of analysis, and it is not listed in CISA KEV, but the CVSS 4.0 base score of 8.5 (High) reflects meaningful impact despite the local vector and high attack complexity.

Authentication Bypass Aura Wallpaper Service
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-42936 HIGH This Week

Arbitrary code execution in the HYPER SBI 2 installer (SBI Securities' online trading application) allows a local attacker to run code with the invoking user's privileges by planting a crafted DLL in the installer's directory. The flaw stems from insecure DLL search-path loading (CWE-427) and requires the victim to launch the installer from an attacker-influenced folder. No public exploit has been identified at time of analysis; the issue was reported by JPCERT/CC and published via JVN.

RCE Hyper Sbi 2
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-54447 HIGH PATCH GHSA This Week

Local credential theft in the garminconnect Python library (versions <= 0.3.4) stems from writing its OAuth token store to disk without an explicit file mode, so under the default umask 022 the file garmin_tokens.json - containing the DI refresh token - is created world-readable (0o644). Any unprivileged co-tenant on a shared Linux or macOS host can read the token and exchange it at Garmin's OAuth endpoint for fresh access tokens, gaining persistent access to the victim's Garmin Connect account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix in 0.3.5 is confirmed and the issue is trivially reproducible under default configuration.

Python Apple Privilege Escalation Authentication Bypass
NVD GitHub
CVSS 3.1
8.4
CVE-2026-61430 HIGH PATCH This Week

Server-side request forgery in PraisonAI's web_crawl tool (versions before 1.6.78) allows an authenticated attacker to reach internal HTTP services and exfiltrate their response bodies. The flaw stems from a time-of-check/time-of-use gap: hostnames are validated once but re-resolved at connection time without IP pinning, so DNS rebinding defeats the SSRF allowlist. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the technique is well-documented and the vendor has released a fix in 1.6.78.

SSRF Praisonai
NVD GitHub
CVSS 4.0
8.4
EPSS
0.2%
CVE-2026-15029 HIGH This Week

Arbitrary physical memory read/write in the ASUS System Control Interface (v3 and legacy) and ASUS Business Manager driver allows a local administrator to issue crafted IOCTL requests that bypass OS-enforced memory protections, per an ASUS-published advisory. The flaw (CWE-822, Untrusted Pointer Dereference) turns the signed ASUS driver into a read/write primitive over physical memory, enabling privilege escalation from admin to kernel and potential defense evasion. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.

Authentication Bypass System Control Interface V3 System Control Interface Business Manager
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-45533 HIGH PATCH This Week

Arbitrary directory deletion in DataEase, an open-source data visualization and analysis platform, allows an authenticated user (PR:L) to abuse the export-center bulk delete API by injecting path traversal sequences (../) into task identifiers, which are passed unsanitized to ExportCenterManage.delete and used to recursively delete server directories. All releases prior to 2.10.23 are affected, and the fix in 2.10.23 constrains deletion to identifiers that exist as legitimate export tasks in the database. There is no public exploit identified at time of analysis and the issue is not on the CISA KEV list, but a full commit-level patch is publicly available which lowers the barrier to reverse-engineering an exploit.

Path Traversal Dataease
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.3%
CVE-2026-62349 HIGH PATCH This Week

Stack-based buffer overflow in TDengine (open-source IoT time-series database) versions 3.4.1.6 and earlier allows an authenticated user to trigger a one-byte out-of-bounds write by submitting SQL containing crafted escape sequences (\%, \_, or \x), leading to denial of service and potentially remote code execution. The flaw sits in the SQL parser's trimString() routine, which validates only a single byte of remaining space in the tmpTokenBuf stack buffer before writing escape-processed data. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in version 3.4.1.14.

Denial Of Service Buffer Overflow Stack Overflow RCE
NVD GitHub
CVSS 3.1
8.3
EPSS
0.4%
CVE-2026-10673 HIGH PATCH This Week

Out-of-bounds write in the Zephyr RTOS ADIN2111/ADIN1110 single-pair Ethernet driver (eth_adin2111.c) lets an attacker on the same 10BASE-T1S/T1L segment corrupt kernel memory by sending an oversized frame in OPEN Alliance SPI mode. Because per-chunk length and chunk count (up to 255) come straight off the wire with no bounds check on the reassembly cursor, the RX offload thread writes attacker-controlled bytes-up to ~14.8 KB-past the fixed 1524-byte static buffer, enabling denial of service and potentially remote code execution. There is no public exploit identified at time of analysis; the flaw was introduced in commit 0ca8b0756b1 and shipped in v3.7.0 through v4.4.0.

Denial Of Service Buffer Overflow Memory Corruption RCE Zephyr
NVD GitHub
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-20296 HIGH PATCH This Week

Cross-Site Request Forgery combined with SPL injection in Splunk Enterprise (below 10.4.1, 10.2.5, 10.0.8, 9.4.13) and Splunk Cloud Platform lets an attacker trick a logged-in user holding the list_deployment_server capability into unknowingly executing attacker-controlled Search Processing Language searches as the privileged splunk-system-user, exposing stored credentials and indexed data. The flaw stems from Deployment Server endpoints in Splunk Web accepting unvalidated GET requests without CSRF token checks and failing to neutralize caller input before it reaches an SPL search. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Splunk CSRF Splunk Enterprise Splunk Cloud Platform
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-47158 HIGH PATCH This Week

Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible server) prior to 1.36.0, where the /connect/authorize endpoint fails to bind the OAuth state parameter to the initiating browser session, accepts attacker-controlled PKCE parameters, and leaves SsoAuth records intact after a failed token exchange. By tricking a victim into completing IdP authentication (UI:R), an unauthenticated attacker can redeem the resulting tokens for a fully authenticated session and take over the victim's vault. Rated CVSS 8.3 (CWE-352) with no public exploit identified at time of analysis and no CISA KEV listing.

Microsoft CSRF Vaultwarden
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-56434 HIGH PATCH This Week

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-middle attacker who can control upstream responses corrupt worker-process memory or crash the worker, but only in the non-default configuration combining Server-Side Includes, proxy_pass, and proxy_buffering off. The impact is confined to the data plane with no control-plane exposure, yielding limited memory modification and worker restarts (denial of service) rather than full code execution. No public exploit identified at time of analysis, though a vendor patch is available and the flaw carries a CVSS 4.0 score of 8.3.

Nginx Use After Free Memory Corruption Information Disclosure Nginx Plus +1
NVD
CVSS 4.0
8.3
EPSS
0.4%
CVE-2026-12382 HIGH This Week

mTLS authentication bypass in the Red Hat Ansible Automation Platform (AAP) Gateway Envoy proxy allows unauthenticated remote attackers to inject spoofed events into protected Event-Driven Ansible (EDA) event streams. The non-mTLS route to EDA event streams fails to strip the client-supplied Subject HTTP header even though the source defines requestHeadersToRemove for it, so an attacker can forge a Subject value matching a legitimate client certificate's Distinguished Name and impersonate an authenticated client. No public exploit identified at time of analysis; the issue is tracked by Red Hat (CWE-290, CVSS 8.2) but is not on CISA KEV and no EPSS score was provided.

Authentication Bypass Red Hat Ansible Automation Platform 2
NVD VulDB
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-46485 HIGH PATCH This Week

Unauthorized configuration write in Dashy self-hosted dashboard (versions prior to 4.0.8) lets unauthenticated users or non-admin authenticated users overwrite the central config.yaml via the config-saving endpoint when the deployment uses OIDC authentication, bypassing configured permission controls. Successful abuse enables tampering with dashboard configuration and potential service disruption. No public exploit identified at time of analysis; not listed in CISA KEV.

Authentication Bypass Dashy
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-13585 HIGH This Week

Local information disclosure and denial of service in the ASUS System Control Interface driver (v3 and earlier) and ASUS Business Manager lets a user already holding local administrator rights issue crafted IOCTL requests to read leftover sensitive data from kernel/driver buffers and, in severe cases, exhaust unthrottled resources to crash the host. The flaw stems from missing resource limits (CWE-770) combined with reuse of memory that still contains prior sensitive contents. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; ASUS self-reported and issued an advisory.

Denial Of Service System Control Interface V3 System Control Interface Business Manager
NVD
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-57821 HIGH This Week

SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 lets an authenticated user who holds the office-view permission inject arbitrary SQL through the orderBy request parameter. Because it bypasses the ColumnValidator hardening added for CVE-2024-32838, an attacker can run time-based blind SQL injection to exfiltrate database contents and, by launching concurrent injections that hold connections open, exhaust the database connection pool to cause denial of service. No public exploit identified at time of analysis; the flaw is documented via an oss-security advisory and an upstream fix pull request (apache/fineract #6048).

SQLi Apache Microsoft Denial Of Service Fineract
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-56287 HIGH This Week

Blind boolean-based SQL injection in Apache Fineract's Client Search API (GET /api/v1/clients) through version 1.14.0 lets an authenticated user who holds the view-clients permission concatenate unvalidated orderBy (and sortOrder) parameters directly into the backing SQL query. Attackers can extract arbitrary database contents one bit at a time and, on MySQL/MariaDB back ends, read arbitrary files accessible to the DB process via LOAD_FILE(). There is no public exploit identified at time of analysis, though the vendor's fix PR (#6020) ships an integration test containing a working injection payload; not listed in CISA KEV.

SQLi Apache Fineract
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-20156 HIGH This Week

Memory-corruption vulnerabilities in Cisco RoomOS Software (the operating system on Cisco/Webex collaboration room endpoints) allow remote, unauthenticated attackers to trigger buffer-boundary violations that can compromise device confidentiality, integrity, and availability (CVSS 8.1). The flaws were internally discovered by Cisco's RoomOS engineering team during a proactive security review and are grouped under the CWE-119 buffer-error pillar; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. High attack complexity (AC:H) reduces the practical ease of exploitation despite the network-facing, no-privilege vector.

Buffer Overflow Cisco Cisco Roomos Software
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-62685 HIGH PATCH This Week

Home-directory hijacking in File Browser before 2.63.17 lets an unauthenticated attacker gain full read/write access to another user's files by registering a username that normalizes to a victim's scope. Because cleanUsername() is a many-to-one transform, distinct usernames such as team/one, team one, and team-one collapse to the same home directory, and the signup path never checked whether the derived scope was already owned. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the fix commit and a regression test are public, making the root cause well understood.

Information Disclosure Filebrowser
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
Prev Page 2 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy