Skip to main content
CVE-2026-47160 MEDIUM PATCH This Month

{domain}/icon.png endpoint, bypassing the server's address blocklist. The icon-fetching HTTP client in src/http_client.rs applied should_block_address() and post_resolve() checks only against standard dotted-decimal notation, leaving alternative encodings - such as 0x7f000001 or 2130706433 for 127.0.0.1 - fully unblocked. No public exploit has been identified at time of analysis, and the issue is fixed in version 1.36.0.

SSRF Vaultwarden
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.2%
CVE-2026-15030 MEDIUM This Month

Out-of-bounds memory read in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager exposes kernel and firmware memory contents to local administrators via a crafted IOCTL request that bypasses the driver's length validation. The vulnerability (CWE-125) is constrained to AV:L/PR:H, meaning exploitation requires prior establishment of local administrator access on a system where the affected ASUS software is installed. No public exploit code or active exploitation has been confirmed at time of analysis; the ASUS Security Advisory documents the remediation path.

Buffer Overflow Information Disclosure System Control Interface V3 System Control Interface Business Manager
NVD VulDB
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-20146 MEDIUM This Month

Path traversal in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows a remote, authenticated attacker with administrative credentials to read or delete arbitrary files on the underlying operating system via crafted HTTP requests. Successful exploitation could expose sensitive configuration or credential files, or trigger destructive deletion of system files. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the high confidentiality impact and the critical role ISE plays in enterprise network access control make this notable for environments running affected versions.

Path Traversal Cisco Cisco Identity Services Engine Software Cisco Ise Passive Identity Connector
NVD VulDB
CVSS 3.1
5.5
EPSS
0.5%
CVE-2026-62361 MEDIUM PATCH This Month

SQL injection in listmonk's subscriber export endpoint prior to version 6.2.0 allows a highly-privileged authenticated user to read arbitrary PostgreSQL database tables - including users and settings - and execute data-modifying CTEs. The GET /api/subscribers/export endpoint passed a user-controlled query parameter directly into QuerySubscribersForExport in internal/core/subscribers.go without invoking the validateQueryTables guard that the sibling GET /api/subscribers endpoint correctly applies, creating a bypass of the allowlist-based table restriction. Exploitation requires possession of both the subscribers:sql_query and subscribers:get_all permissions; no public exploit code has been identified at time of analysis.

SQLi PostgreSQL Listmonk
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-9007 MEDIUM This Month

Reflected cross-site scripting in HCL Notes 12.0.2FP5HF8 enables unauthenticated network attackers to inject and execute arbitrary JavaScript in the browser sessions of targeted users who interact with malicious links. The CVSS 4.0 vector (SC:H/SI:H/SA:H) signals high downstream impact on victim sessions - including potential session hijacking, credential theft, and unauthorized action execution within the Notes web environment. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.

XSS Hcl Notes
NVD
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-40633 MEDIUM PATCH This Month

Local information disclosure in Dell PowerScale OneFS (9.5.0.0-9.10.1.7 and 9.11.0.0-9.13.0.2) arises from sensitive data being written to log files, allowing a low-privileged local user to read secrets they should not access. Dell reported the issue (advisory DSA-2026-261) with no public exploit identified at time of analysis. Exploitation requires existing local, authenticated access to the cluster, limiting reach to insiders or attackers who have already established a foothold.

Dell Information Disclosure Powerscale Onefs
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-62348 MEDIUM PATCH This Month

Privilege escalation in TDengine Enterprise (prior to 3.4.1.15) allows any authenticated low-privilege SQL user to abort active shared-storage migrations by issuing KILL SSMIGRATE commands that should be restricted to administrators. The MND_OPER_SSMIGRATE_DB privilege gate was inadvertently commented out in mndProcessKillSsMigrateReq, collapsing authorization enforcement entirely for this operation. No public exploit or active exploitation has been identified at time of analysis; a vendor-released patch is available in version 3.4.1.15.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-56743 MEDIUM PATCH This Month

Network policy bypass in Cilium 1.19.0-1.19.4 allows workloads inside a Kubernetes namespace to reach peers that CIDR-based ipBlock NetworkPolicies should block. The flaw surfaces exclusively when Cilium is deployed with a custom clusterName (any value other than the default 'any'): the network-policy parser in parseNetworkPolicyPeer erroneously instantiates an empty pod selector for selectorless ipBlock peers, which compiles into a wildcard namespace-allow rule instead of a pure CIDR rule. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass Kubernetes Cilium
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-62355 MEDIUM PATCH This Month

Improper privilege management in TDengine Cloud DB prior to 3.4.1.15 allows an authenticated Data Reader admin_user to execute `create udf` (user-defined function) commands that should be restricted to higher-privilege roles. While the same role is correctly denied `show dnodes` and `create user`, the UDF creation permission was left ungated, creating a privilege escalation path within the database engine. No public exploit code has been identified at time of analysis, and this CVE has not been added to the CISA KEV catalog.

Privilege Escalation
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-62353 MEDIUM PATCH This Month

Out-of-bounds read in TDengine's SQL tokenizer (versions prior to 3.4.1.14) allows an authenticated user with SQL query access to crash the database server and potentially leak one byte of adjacent heap memory. The flaw resides in tGetToken() within source/libs/parser/src/parTokenizer.c, triggered by submitting a SQL string literal ending in a bare backslash (e.g., 'abc\). No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Buffer Overflow Information Disclosure
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-26032 MEDIUM This Month

Path traversal in Apache Ivy's PackagerResolver (versions 2.0.0 through 2.5.3) allows an attacker with write access to a packager repository to overwrite arbitrary files outside the configured buildRoot directory by embedding '../' sequences in module coordinates such as organisation, name, or revision. The overwrite occurs during the Ant-script-driven repackaging phase that PackagerResolver triggers on artifact download. No public exploit code has been identified at time of analysis, and the vendor has released version 2.6.0 as the fix, confirmed via the Apache Ant project site on July 14, 2026.

Apache Path Traversal Ivy
NVD VulDB
CVSS 3.1
5.4
EPSS
0.6%
CVE-2026-13230 MEDIUM PATCH This Month

Unauthenticated information disclosure in TP-Link Kasa EC70 v4 and EC71 v4 exposes sensitive geolocation data to any attacker on the same local network segment. The flaw resides in the devices' local discovery mechanism, which returns geolocation-related information in response to crafted network probes without requiring any credentials. Impact is limited to confidentiality; no integrity or availability compromise is possible through this vector. No public exploit exists and no active exploitation has been confirmed.

TP-Link Information Disclosure Kasa Ec71 V4 Kasa Ec70 V4
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-38974 MEDIUM This Month

Missing SSH host key verification in Dulwich's paramiko vendor module exposes SSH connections to man-in-the-middle interception. The contrib/paramiko_vendor.py module used paramiko's MissingHostKeyPolicy, which silently accepts any server host key without checking it against known_hosts, allowing a network-positioned attacker to impersonate a legitimate SSH Git server. No public exploit has been identified at time of analysis and EPSS sits at 0.14% (4th percentile), but the attack is conceptually straightforward for any attacker with network access between client and server.

Information Disclosure N A
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-20298 MEDIUM PATCH This Month

Credential hash exposure in Splunk Enterprise and Splunk Cloud Platform allows low-privileged users - those without the 'admin' or 'power' roles - to retrieve stored credential hashes by issuing the `|rest` SPL command against the `/servicesNS/-/-/storage/passwords` endpoint, which incorrectly returns the `encr_password` field. Affected are Splunk Enterprise branches below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and multiple Splunk Cloud Platform versions. No public exploit has been identified at time of analysis and this CVE is not in CISA KEV, but the real-world impact is significant wherever Splunk stores credentials for external services such as databases, APIs, or cloud accounts.

Splunk Information Disclosure Splunk Enterprise Splunk Cloud Platform
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-60062 MEDIUM PATCH This Month

Path traversal in F5 NGINX Agent via the config_dirs directive enables a remotely authenticated low-privileged attacker to read and write files outside of the directories designated as secure in the agent's configuration. The config_dirs directive can be set directly in the NGINX Agent configuration or through NGINX Instance Manager, expanding the attack surface across both products. No public exploit code or active exploitation has been identified at time of analysis, and a vendor patch is available per F5 advisory K000161971.

Nginx Path Traversal Nginx Agent Nginx Instance Manager
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-46459 MEDIUM PATCH This Month

Missing authorization on device receiver endpoints in ICU Scandinavia Boomerang exposes facility and quality-assurance installations to unauthenticated read and write access over adjacent networks. Any attacker with network adjacency can retrieve complete facility configurations and inject arbitrary data into the sensor database without supplying credentials, violating both confidentiality and integrity of operational sensor records. No public exploit has been identified at time of analysis, but CERT-PL's coordinated disclosure and a vendor-confirmed patch in version 2.4.18.029 indicate a concrete, addressable risk for organizations running unpatched deployments.

Authentication Bypass Boomerang
NVD
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-61457 MEDIUM PATCH This Month

Remote code execution in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 is achievable by authenticated API users holding the api.media.write permission via a double-extension file upload bypass. The HandlesMediaUploads::validateFileExtension() method uses PHP's pathinfo() to inspect only the final file extension, meaning a file named shell.php.jpg passes the dangerous-extension blocklist while retaining a .php segment that certain web server configurations will execute as PHP. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique is well-understood and exploitation is low-complexity once permission prerequisites are met.

File Upload PHP RCE Grav
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2026-56352 MEDIUM PATCH This Month

File path restriction bypass in n8n before 2.19.3 allows authenticated users with workflow creation or modification rights to circumvent the N8N_RESTRICT_FILE_ACCESS_TO security boundary via a legacy REST API code path, enabling arbitrary file existence disclosure on the host filesystem. Where a targeted path contains valid workflow JSON, that file can additionally be loaded and executed by the n8n engine, potentially triggering downstream actions on all systems connected to that workflow. No public exploit or active exploitation has been identified at time of analysis, but the low complexity and broad impact on connected downstream systems make this a meaningful risk in multi-tenant or partially-trusted deployments.

Path Traversal N8n
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-55399 MEDIUM PATCH This Month

Resource exhaustion in Absolute Security Secure Access publisher (versions prior to 14.55) enables authenticated remote attackers holding valid tunnel credentials to trigger a non-persistent denial of service against the publisher component. The CVSS 4.0 score of 5.1 (Medium) reflects the constrained impact: availability loss is limited and self-recovering, with no confidentiality or integrity exposure. No public exploit code and no CISA KEV listing identified at time of analysis.

Denial Of Service Secure Access
NVD
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-62294 MEDIUM PATCH This Month

Flameshot's 'Open With' feature prior to version 14.0.0 contains a TOCTOU (time-of-check to time-of-use) symlink-following race condition that allows a local unprivileged attacker on the same machine to overwrite arbitrary files writable by the victim user. By pre-planting a symlink at the predictable temporary file path before Flameshot writes the screenshot PNG, an attacker can redirect the write operation to any file within the victim's permissions - including configuration files, SSH keys, or application data. No public exploit identified at time of analysis, though the attack is straightforward given the deterministic path; the vendor-confirmed fix is available in v14.0.0.

Race Condition Information Disclosure Flameshot
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-58556 MEDIUM This Month

Permission control failure in the Bluetooth module of Huawei HarmonyOS and EMUI exposes devices to local exploitation that can degrade Bluetooth service availability and leak limited data. The flaw, classified under CWE-264, allows a local process operating without elevated privileges to bypass Bluetooth permission enforcement, potentially disrupting connectivity or reading restricted information. No public exploit or CISA KEV listing exists at time of analysis, but Huawei has disclosed this via its July 2026 security bulletin.

Privilege Escalation Harmony Os Emui
NVD
CVSS 3.1
5.1
EPSS
0.1%
CVE-2026-58552 MEDIUM This Month

Out-of-bounds read in HarmonyOS's image codec module exposes partial memory contents to local attackers, affecting service confidentiality with a secondary availability impact. The CVSS vector (AV:L/PR:N) scopes exploitation to the local device - reachable by any installed application capable of submitting image data to the vulnerable codec - without requiring elevated privileges. No confirmed active exploitation (not listed in CISA KEV) and no public exploit code have been identified at time of analysis; Huawei has published remediation bulletins across four device categories in July 2026.

Buffer Overflow Harmonyos
NVD
CVSS 3.1
5.1
EPSS
0.1%
CVE-2026-58551 MEDIUM This Month

Out-of-bounds read in HarmonyOS's image codec module exposes limited memory content and may cause service instability, affecting confidentiality and availability at a low severity level. The flaw resides in image processing logic and is reachable by a local, unprivileged actor who can trigger image decoding - such as by supplying a crafted image file. No public exploit has been identified at time of analysis, and Huawei has disclosed patches via July 2026 security bulletins covering consumer devices, wearables, and laptops.

Buffer Overflow Harmonyos
NVD
CVSS 3.1
5.1
EPSS
0.1%
CVE-2026-61453 MEDIUM PATCH This Month

{{ page.content|raw }} filter. No public exploit or CISA KEV listing has been identified at time of analysis, but the bypass technique is explicitly documented in the vendor advisory.

XSS Grav
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-62947 MEDIUM PATCH This Month

Path traversal in OpenWrt's cgi-io cgi-download handler (prior to 25.12.5) allows an authenticated administrator to read arbitrary root-readable files - including /etc/shadow - by exploiting a TOCTOU-style authorization flaw where ACL checks occur before path canonicalization. The rpcd session.c ACL matcher uses fnmatch() without FNM_PATHNAME, meaning a wildcard-prefixed ACL entry (e.g., /etc/config/*) can be defeated by appending ../ sequences that pass the ACL check but resolve to an out-of-scope file when open() is called. No public exploit identified at time of analysis; vendor-released patch is available in v25.12.5.

Path Traversal Openwrt
NVD GitHub
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-61859 MEDIUM PATCH This Month

ImageMagick's `-script` operation bypasses the configured security policy file path restrictions in versions before 7.1.2-26 (7.x branch) and before 6.9.13-51 (6.9.13-x branch), enabling a local attacker with low privileges to read files from paths explicitly denied by the security policy. The CVSS 4.0 score of 4.8 reflects the local-only attack surface, low-privilege requirement, and confidentiality-only impact with no code execution possible. No public exploit code has been identified and this vulnerability is not confirmed actively exploited (CISA KEV).

Authentication Bypass Imagemagick
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-1563 MEDIUM This Month

Reflected cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged attacker holding a developer role to inject malicious scripts into a user interface component, which execute in a victim's browser upon interaction. The CVSS 4.0 score of 4.8 (Medium) reflects meaningful constraints: exploitation requires both developer-level authentication and a victim's active interaction with a crafted link or payload. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

XSS Pega Infinity
NVD
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-59838 MEDIUM This Month

Stored or reflected cross-site scripting in Fortinet FortiSIEM's web interface enables a high-privileged authenticated attacker to inject malicious script tags that execute in the browsers of other users who view the affected page. The vulnerability spans a wide version range from FortiSIEM 6.4 through 7.4.0, affecting all deployments of this enterprise SIEM platform. No active exploitation has been confirmed by CISA KEV, and no public exploit code is identified at time of analysis; the PR:H requirement meaningfully constrains real-world attacker opportunity despite the scope change to the victim's browser context.

Fortinet XSS Fortisiem
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-58557 MEDIUM This Month

Design defect in HarmonyOS's 'Expedition mode' allows a high-privileged local attacker, with user interaction, to cause significant availability disruption and minor integrity impact. Reported by Huawei in its July 2026 security bulletin, the vulnerability carries a CVSS 3.1 base score of 4.8, reflecting constrained exploitability due to local access, high privilege, and required user interaction. No public exploit code has been identified, and the flaw does not appear in the CISA KEV catalog. Notably, the 'Information Disclosure' tag associated with this CVE is inconsistent with the CVSS confidentiality metric of C:N - this discrepancy should be verified against the vendor advisory.

Information Disclosure Harmonyos
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-56375 MEDIUM PATCH This Month

Memory exhaustion denial of service in ImageMagick through 7.1.2-18 arises from the ASHLAR coder failing to release a temporary image object when an internal action fails, allowing an attacker who can supply malicious ASHLAR files to a processing pipeline to cumulatively exhaust process memory. The CVSS 4.0 vector (AV:L/UI:P) confirms this is a local-vector attack requiring passive user or pipeline interaction to process the crafted file, not a remote unauthenticated scenario. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; confirmed fixed versions exist for Magick.NET NuGet packages at 14.11.1.

Denial Of Service Imagemagick
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-1562 MEDIUM This Month

Stored cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged developer-role user to inject persistent malicious scripts into a UI component, which execute in the browser context of other users who interact with the affected interface. The CVSS 4.0 score of 4.6 (Medium) reflects the constrained impact - limited confidentiality and integrity exposure with no availability impact - consistent with the PR:H and UI:A prerequisites that substantially reduce real-world risk. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Pega Infinity
NVD
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-54495 MEDIUM GHSA This Month

{NAMESPACE}/{NAME} cross-namespace annotation syntax are both intentional design choices; this vulnerability represents an unimplemented security feature rather than a coding bug, and is categorized as CWE-668. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, multi-tenant Kubernetes clusters relying on namespace isolation as a trust boundary are the exclusive impact surface.

Kubernetes Information Disclosure
NVD GitHub
CVSS 3.1
4.3
CVE-2026-54492 MEDIUM POC PATCH GHSA This Month

Authenticated blind SSRF in Koel v9.6.0 allows any logged-in user to trigger server-side HTTP requests to private, loopback, and RFC1918 destinations by exploiting a missing SafeUrl validation guard on the Subsonic-compatible createPodcastChannel.view route. The main podcast API correctly rejects private URLs with a 422 error, but the Subsonic compatibility layer omits the same SafeUrl rule, and the attacker-supplied URL is fetched synchronously during channel creation via Poddle::fromUrl() - no separate step required. No public exploit identified at time of analysis per KEV status, but a fully documented public PoC with step-by-step curl commands is available in GHSA-w79m-f3jx-779v, validated against the official phanan/koel:9.6.0 Docker image.

Docker SSRF PHP
NVD GitHub
CVSS 3.1
4.3
CVE-2026-58553 MEDIUM This Month

Out-of-bounds read in HarmonyOS's image codec module allows a local attacker to cause service availability disruption, with the vendor description also noting potential confidentiality impact - a discrepancy with the CVSS C:N metric that warrants attention. All versions of Huawei HarmonyOS across consumer devices, vision products, wearables, and laptops are identified as affected per the July 2026 Huawei Security Bulletin. No public exploit code has been identified at time of analysis, and the medium CVSS score of 4.0 with a local attack vector limits real-world exploitation to scenarios with physical or local access to the target device.

Buffer Overflow Harmonyos
NVD VulDB
CVSS 3.1
4.0
EPSS
0.1%
CVE-2026-58550 MEDIUM This Month

Out-of-bounds read in HarmonyOS's image codec module can be triggered locally, with potential impact to service confidentiality and availability. Huawei disclosed this via its July 2026 security bulletin family covering consumer devices, vision products, wearables, and laptops - indicating broad exposure across the HarmonyOS device ecosystem. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA's KEV catalog.

Buffer Overflow Harmonyos
NVD
CVSS 3.1
4.0
EPSS
0.1%
CVE-2026-58549 MEDIUM This Month

Out-of-bounds read in the HarmonyOS image codec module allows a local unprivileged user to disrupt service availability on affected Huawei devices. Huawei's own bulletin language references potential confidentiality impact, but the NVD CVSS vector assigns C:N and A:L only - a discrepancy that warrants attention. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping real-world risk low despite the wide device footprint across Huawei phones, wearables, and laptops.

Buffer Overflow Harmonyos
NVD
CVSS 3.1
4.0
EPSS
0.1%
CVE-2026-54490 MEDIUM PATCH GHSA This Month

Resource limit bypass in the websocket-driver npm library (versions < 0.7.5) allows WebSocket messages to exceed the application's configured maximum message size when the permessage-deflate compression extension is active. The size enforcement is applied to compressed frame length headers rather than the decompressed payload, meaning a highly compressed message can appear within limits on the wire but expand arbitrarily upon decompression. Vendor-released patch is available in version 0.7.5; no public exploit has been identified at time of analysis.

Denial Of Service
NVD GitHub
CVE-2026-54465 MEDIUM PATCH GHSA This Month

Memory exhaustion in the websocket-driver Ruby gem (versions prior to 0.8.1) allows a remote peer to crash or degrade a receiving process by sending an HTTP request or response with an arbitrarily large number of headers, which the parser accumulates without any size bound. Affected deployments are those using WebSocket::Driver.server() directly atop a raw TCP server (bypassing an HTTP framework), or applications using this library as a WebSocket client - standard HTTP framework integrations (Rails, Sinatra, Rack) are not in scope. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but exploitation is mechanically trivial once a vulnerable deployment is identified, requiring only a crafted HTTP connection.

Denial Of Service
NVD GitHub
CVE-2026-54464 MEDIUM PATCH GHSA This Month

Resource exhaustion in the websocket-driver Ruby gem (faye/websocket-driver-ruby) allows any WebSocket peer to bypass a configured maximum message size when the permessage-deflate compression extension is in use. The size limit is enforced against the compressed frame length rather than the post-decompression size, enabling a decompression-bomb style attack where a small compressed payload expands far beyond the intended ceiling. Applications on versions below 0.8.1 silently accept oversized payloads, potentially exhausting server memory or CPU and causing a denial-of-service condition. No public exploit exists at time of analysis, but the attack class is well understood and low-complexity to implement.

Denial Of Service
NVD GitHub
CVE-2026-54463 MEDIUM PATCH GHSA This Month

Memory exhaustion in the Ruby websocket-driver gem (faye/websocket-driver-ruby) allows any network peer to crash the host process by abusing the draft WebSocket protocol's variable-length integer encoding. By streaming an indefinite sequence of bytes with values 0x80 or above in a frame length header, an attacker forces the parser to accumulate an ever-growing Ruby arbitrary-precision integer, consuming unbounded heap memory until the process is killed by the OS. The attack is bidirectional - a malicious server can target a client, or a malicious client can target a server - and no public exploit has been identified at time of analysis.

Denial Of Service
NVD GitHub
CVE-2026-54254 MEDIUM PATCH GHSA This Month

Pixeldrain API key exfiltration in cyberdrop-dl-patched (versions 8.5.0 through 9.13.x) allows a network attacker who controls a lookalike domain (e.g., evil-pixeldrain.com) to receive the victim's Pixeldrain Authorization header when the tool processes a crafted URL. The root cause is substring-based host matching: any domain containing 'pixeldrain' as a substring is accepted as a valid Pixeldrain host, causing the tool to blindly send API credentials to attacker-controlled infrastructure. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the attack path is straightforward and fully described in the advisory.

WordPress Information Disclosure
NVD GitHub
CVE-2026-54452 MEDIUM PATCH GHSA This Month

SSRF protection bypass in the Doyensec safeurl Go library (versions prior to 0.2.4) allows network requests to four newly standardized IPv6 CIDR ranges that were absent from the library's internal blocklist. Applications that explicitly enable IPv6 via EnableIPv6(true) and rely on safeurl to enforce SSRF controls are exposed; attackers who can supply attacker-controlled URLs to such applications may reach internal resources hosted on NAT64 local-use (64:ff9b:1::/48), SRv6 SID (5f00::/16), documentation (3fff::/20), or Dummy IPv6 (100:0:0:1::/64) address space. No public exploit code or CISA KEV listing has been identified at time of analysis.

SSRF
NVD GitHub
CVE-2026-52883 MEDIUM PATCH GHSA This Month

Authenticated injection of TIME_TRACKING and REMINDER note types in MantisBT's SOAP and REST APIs allows UPDATER-level users to corrupt billing data and falsify project records. The `note_type` integer parameter supplied by the caller is passed directly to `bugnote_add()` in the SOAP endpoint - and through `mc_issue_update()` in the REST API - without verifying the caller holds sufficient privilege to create that note type. Attackers with UPDATER access can inject arbitrary billable hours into MantisBT's billing reports, generating fraudulent invoices, and can register fake REMINDER notes via SOAP. No public exploit is identified at time of analysis, and a vendor patch is available in version 2.28.4.

PHP Code Injection
NVD GitHub
CVE-2026-52882 MEDIUM PATCH GHSA This Month

Authorization bypass in MantisBT's SOAP API, REST API, and web-based bug update interface allows authenticated lower-privileged users to assign unreleased product versions to issues, circumventing the `report_issues_for_unreleased_versions_threshold` access control. All three issue-update pathways in versions 2.28.3 and earlier were unprotected: the SOAP handler (`mc_issue_api.php`), the web form (`bug_update.php`), and the REST command layer (`IssueAddCommand.php`). No public exploit code and no active exploitation (CISA KEV) have been identified; vendor-released patch version 2.28.4 closes all three vectors.

Authentication Bypass PHP
NVD GitHub
CVE-2026-54494 MEDIUM POC PATCH GHSA This Month

Full-read SSRF in Koel's podcast subscription feature allows any authenticated user to coerce the server into fetching internal HTTP endpoints - including cloud instance metadata services - and receive the full response. The vulnerability exists because PHP's `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` does not unwrap NAT64 (`64:ff9b::/96`) or 6to4 (`2002::/16`) IPv6 transition addresses, both of which deterministically embed a private IPv4 that the OS kernel routes internally. This affects all Koel deployments through v9.7.0 on NAT64 or dual-stack networks (the default for IPv6-only AWS and GCP subnets); a detailed proof-of-concept with verbatim server output is published in the advisory. No public exploit code is in KEV at time of analysis, but the PoC substantially lowers the exploitation barrier.

Microsoft SSRF PHP
NVD GitHub
CVE-2026-49280 MEDIUM PATCH GHSA This Month

MantisBT's REST and SOAP APIs fail to enforce the $g_set_status_threshold authorization gate, allowing any authenticated user holding the UPDATER role (the default update permission) to change an issue's workflow status to values that should require DEVELOPER-level access or higher. The vulnerability is confirmed patched in release 2.28.4 with no public exploit or KEV listing. Because UPDATER is the default role for ordinary authenticated contributors, this flaw is broadly reachable on any MantisBT instance where the API is accessible without further hardening of role assignments.

Authentication Bypass PHP
NVD GitHub
CVE-2026-46572 MEDIUM PATCH This Month

Heap buffer overflow in NTFS-3G through 2026.2.25 allows local privilege escalation to root via a crafted NTFS filesystem image. The overflow occurs in ntfs_ib_cut_tail() within the index management code when a file is created inside a specially constructed directory on a malicious NTFS image. Because the ntfs-3g binary runs as SUID-root, heap corruption in this process can yield code execution with root privileges. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Buffer Overflow
NVD
CVE-2026-56136 MEDIUM PATCH This Month

Out-of-bounds read in NTFS-3G through version 2026.2.25 exposes ntfs-3g process memory when a maliciously crafted NTFS image is mounted and a file with a specially crafted name is created on it. The flaw in ntfs_ir_nill() within the index-handling code allows an attacker who controls the filesystem image to read data from the running ntfs-3g process that may include confidential in-memory contents. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; this issue was surfaced by the Ubuntu security team.

Buffer Overflow
NVD
CVE-2026-42616 MEDIUM PATCH This Month

Heap buffer overflow in NTFS-3G's ntfscat utility (versions through 2026.2.25) enables heap memory corruption when processing a crafted malicious NTFS image, specifically in the cat() function of cat.c. The overflow is triggered passively during file read operations, requiring no complex interaction beyond ntfscat processing an attacker-supplied image. No public exploit has been identified at time of analysis, and a vendor patch is available via Ubuntu USN-8554-1. Given NTFS-3G's near-universal deployment across Linux distributions, organizations that process untrusted disk images - forensic tools, backup pipelines, virtualization stacks - face meaningful exposure until patched.

Buffer Overflow
NVD
CVE-2026-42617 MEDIUM PATCH This Month

Heap buffer overflow in NTFS-3G through 2026.2.25 allows a local attacker to corrupt heap memory in the SUID-root ntfs-3g binary by mounting a crafted NTFS image and performing a directory-extending operation such as creating a file. Because ntfs-3g runs as root via the SUID bit on most Linux distributions, successful exploitation of the overflow in ntfs_ir_to_ib() could yield local privilege escalation to root. No public exploit code or active exploitation has been identified at time of analysis; a vendor patch is available via Ubuntu Security Notice USN-8554-1.

Buffer Overflow
NVD
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy