Skip to main content
CVE-2026-12492 CRITICAL POC PATCH Act Now

Authentication bypass in the Happy Coders OTP Login for WooCommerce WordPress plugin (versions 1.5 through 2.7) lets unauthenticated remote attackers log in as any existing user, including administrators, and create arbitrary accounts. The plugin authenticates a user from a supplied identifier without confirming that the one-time password was ever validated. Publicly available exploit code exists (WPScan) and a vendor patch (2.8) is available; EPSS remains low at 0.15% despite the maximal 9.8 CVSS score.

Authentication Bypass WordPress Happy Coders Otp Login For Woocommerce
NVD WPScan
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-63087 CRITICAL POC Act Now

Authentication bypass in Grafana OnCall through 1.16.11 lets unauthenticated remote attackers mint a valid PluginAuthToken by POSTing to the internal plugin install endpoint with hardcoded default stack_id and org_id values exposed in the public source tree, then use that token to seize full control of the OnCall instance. With the token, an attacker can create arbitrary Admin users via the user-context header bootstrap path, revoke the legitimate plugin token to lock out operators, and redirect OnCall-to-Grafana API traffic to an attacker host by overwriting grafana_url and api_token. Publicly available exploit code exists (reported by VulnCheck), CVSS 4.0 base 9.3, though there is no public exploit identified as actively exploited - it is not on CISA KEV.

Grafana Authentication Bypass Oncall
NVD GitHub
CVSS 4.0
9.3
CVE-2026-45336 CRITICAL PATCH Act Now

Authentication bypass in HireFlow interview management system (versions 1.2 and earlier) lets unauthenticated remote attackers forge signed session cookies because app.py ships a hard-coded Flask secret_key. Since the key is present in the public source tree, any attacker can mint cookies asserting role=admin and arbitrary user_id values to gain full administrative access. Rated CVSS 10.0; no public exploit is identified at time of analysis, though the flaw is trivially reproducible from the disclosed source value.

Python Authentication Bypass Hireflow
NVD GitHub VulDB
CVSS 3.1
10.0
CVE-2026-46512 CRITICAL PATCH Act Now

Code injection in Frogman before 1.6.2 lets an authenticated PERM_WRITE caller of the MCP/HTTP dialplan API inject arbitrary Asterisk directives - including System() and Set(SHELL(...)) - into extensions_custom.conf, yielding remote command execution on the PBX host. The flaw stems from fm_dialplan_apply sanitizing only the context name while passing template parameters such as greeting, dest, url, extension, code, and file into generated dialplan text unchecked. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but the CVSS is 9.9 and the fix (v1.6.2) plus root-cause commit are public.

PHP RCE Code Injection Frogman
NVD GitHub
CVSS 3.1
9.9
CVE-2026-53412 CRITICAL PATCH NEWS Act Now

Account takeover in Zoom's Windows client family - the Zoom Desktop Client, Zoom VDI Client, and Zoom Meeting SDK for Windows - lets a remote, unauthenticated attacker seize control of a victim's account by sending crafted input over the network, per Zoom's security bulletin ZSB-26014. The flaw stems from improper input validation (CWE-20) and carries a vendor CVSS of 9.8, reflecting full confidentiality, integrity, and availability impact with no privileges or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated network vector makes it a high-priority patch.

Information Disclosure Microsoft Zoom Workplace For Windows
NVD VulDB
CVSS 3.1
9.8
CVE-2026-55579 CRITICAL PATCH GHSA Act Now

Hardcoded default administrator password in Pheditor (all versions prior to 2.0.6) lets remote unauthenticated attackers log in as admin using the string 'admin' — the SHA-512 hash of which is baked into pheditor.php line 11 — and then abuse the built-in terminal and file-upload features for immediate remote code execution. Any deployment left on defaults is trivially compromised because there is no forced password change, expiry, lockout, or setup wizard. A working PoC is published in the GitHub Security Advisory, though there is no public exploit identified in active in-the-wild campaigns and no EPSS/KEV data is provided.

RCE Authentication Bypass File Upload PHP
NVD GitHub
CVSS 3.1
9.8
CVE-2026-15013 CRITICAL Act Now

Authentication bypass in the miniOrange SAML Single Sign On - SSO Login plugin for WordPress (all versions through 5.4.3) lets unauthenticated attackers forge SAML assertions and seize any account, including administrator. The plugin trusts the SignatureMethod algorithm declared inside the attacker-supplied SAMLResponse, enabling an RSA-to-HMAC signature confusion attack that yields valid WordPress auth cookies and full admin takeover. Reported by Wordfence; no public exploit identified at time of analysis, but the flaw is trivially exploitable and carries a 9.8 CVSS.

Authentication Bypass WordPress Jwt Attack Saml Single Sign On Sso Login
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-22752 CRITICAL Act Now

Authentication bypass in VMware/Spring's Spring Authorization Server (versions 7.0.0-7.0.4, 1.5.0-1.5.6, 1.4.0-1.4.9, and 1.3.0-1.3.10) allows a low-privileged authenticated actor to circumvent authentication controls and access protected resources across a security boundary. The CVSS 9.6 (Critical) rating reflects a scope change with high confidentiality and integrity impact but no availability effect. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the near-maximum score in a widely deployed OAuth2/OIDC authorization component makes this a high-priority patch.

Authentication Bypass Java Spring Authorization Server
NVD VulDB
CVSS 3.1
9.6
EPSS
0.5%
CVE-2026-46515 CRITICAL PATCH Act Now

Missing authorization in Frogman, a headless Asterisk PBX control layer exposed over MCP and an HTTP API, lets any low-privilege PERM_READ caller invoke eight administrative tools (fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query, fm_diagnose_trunk) that should require admin, leaking AMI manager secrets, outbound dial PINs, full dialplan context, root SSH connection commands, backup artifact paths, CDR history, and raw AMI endpoint dumps containing SIP password/md5_cred/oauth_secret fields, plus executing arbitrary saved GraphQL queries. All releases prior to 1.6.3 are affected, tracked under GHSA-q4c4-5cr4-8q47 with a CVSS 4.0 score of 9.3. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Frogman
NVD GitHub
CVSS 4.0
9.3
CVE-2026-54733 CRITICAL PATCH Act Now

Authentication bypass in the Microsoft 365 / Microsoft Entra ID (local_o365) plugin for Moodle allows an unauthenticated attacker to forge a JWT and log in as any Office 365-linked Moodle user before versions 4.5.6, 5.0.5, and 5.1.1. The Teams SSO endpoint sso_login.php base64-decodes the JWT payload and trusts the 'upn' claim without verifying the token signature, so a self-signed or hand-crafted token is accepted as valid. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw is trivially exploitable and confirmed by a Microsoft GitHub security advisory (GHSA-hqjh-93qv-47v5).

Microsoft PHP Jwt Attack Information Disclosure O365 Moodle
NVD GitHub
CVSS 4.0
9.3
CVE-2026-59866 CRITICAL PATCH Act Now

Path traversal and code injection in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description write generated source files outside the intended output directory and inject arbitrary text into class/namespace declarations. When a developer runs `kiota generate` without the -c/--class-name flag, Kiota consumes the clientClassName and clientNamespaceName values from the OpenAPI `x-ms-kiota-info` extension without identifier or path sanitization, using them both as code identifiers and as filesystem path components. There is no public exploit identified at time of analysis and no CISA KEV listing, though the fix (SanitizeClientClassName/SanitizeClientNamespaceName) is visible in the merged patch.

Path Traversal Kiota
NVD GitHub
CVSS 4.0
9.3
CVE-2026-59864 CRITICAL PATCH Act Now

Path traversal in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description inject unvalidated `static_template.file` values (via the x-ai-adaptive-card and x-ai-capabilities extensions) into generated Microsoft 365 Copilot and Teams plugin manifests, so a developer who runs `kiota plugin add` or `kiota plugin generate -t APIPlugin` against a malicious spec produces a manifest that resolves files outside its package when deployed. Rated CVSS 4.0 9.3 (Critical) with high confidentiality/integrity/availability impact and no privileges required. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the upstream fix is confirmed in release v1.32.5.

Microsoft Path Traversal Kiota
NVD GitHub
CVSS 4.0
9.3
CVE-2026-59865 CRITICAL PATCH Act Now

Command injection in Microsoft Kiota before 1.32.5 lets a malicious or compromised OpenAPI description dictate the install command that Kiota presents to developers. When a developer runs `kiota info` (or the VS Code extension's `kiota info --json` dependency-install flow) against an attacker-controlled spec, Kiota reads the `x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand` field plus attacker-chosen dependency name/version values and surfaces them as its trusted recommended install command, achieving arbitrary command execution when that command is run. No public exploit has been identified at time of analysis and it is not in CISA KEV, but the fix explicitly removes the untrusted extension field.

Command Injection RCE Code Injection Kiota
NVD GitHub
CVSS 4.0
9.3
CVE-2026-63306 CRITICAL PATCH Act Now

Server-side request forgery in stoatchat before 0.13.5 allows remote unauthenticated attackers to coerce the server into making arbitrary outbound requests through the /proxy and /embed endpoints, which accept attacker-supplied URLs without DNS resolution filtering or private-IP validation. Reported by VulnCheck and carrying a CVSS 4.0 score of 9.2, it lets attackers enumerate internal services, fingerprint applications, and reach cloud instance-metadata endpoints. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SSRF Stoatchat
NVD GitHub VulDB
CVSS 4.0
9.2
CVE-2026-63305 CRITICAL Act Now

OS command injection in WWBN AVideo through version 29.0 allows attackers to execute arbitrary operating-system commands as the web-server user via the ffmpeg.json.php endpoint. The notifyCode and callback request parameters are concatenated into a shell command without escaping, so an attacker able to produce a valid encrypted payload can inject shell metacharacters and achieve remote code execution. No public exploit identified at time of analysis; the flaw carries a CVSS 4.0 base score of 9.2, though successful exploitation is gated by the requirement to forge a valid encrypted payload.

PHP Command Injection Avideo
NVD GitHub
CVSS 4.0
9.2
CVE-2026-63304 CRITICAL Act Now

OS command injection in AVideo (WWBN) through version 29.0 lets remote attackers who can forge a valid encrypted codeToExec payload run arbitrary shell commands as the web-server user via the listFFmpegProcesses() function in the standAlone plugin API. The flaw is unauthenticated (PR:N) but non-trivial to reach because it depends on producing an accepted encrypted parameter, and no public exploit or CISA KEV listing is identified at time of analysis.

PHP Command Injection Avideo
NVD GitHub VulDB
CVSS 4.0
9.2
CVE-2026-15925 CRITICAL PATCH Act Now

Improper TLS hostname verification in the Snowflake Connector for Python (versions before 4.7.1) lets an on-path attacker defeat HTTPS certificate validation, accepting any certificate signed by any trusted CA regardless of the requested hostname. An adversary who can intercept traffic can decrypt and tamper with connector sessions, exposing Snowflake credentials, query results, and staged file data, and can inject arbitrary SQL bounded by the victim role's privileges. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the reporting vendor (Snowflake) rates it CVSS 4.0 9.2.

Python Authentication Bypass Snowflake Connector For Python
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-15422 CRITICAL PATCH Act Now

Remote kernel heap corruption in the illumos SCTP stack lets an unauthenticated attacker send a crafted INIT ACK packet with malformed address parameters to trigger an out-of-bounds access during packet classification, potentially leading to remote code execution or a kernel panic. The flaw affects illumos-gate and downstream distributions (OmniOS, SmartOS/Triton) built before commit 53a3efde, and has existed since 2010 (commit a5407c02). There is no public exploit identified at time of analysis and the CVSS 4.0 exploit-maturity metric is Unreported (E:U), but the attack requires no authentication or user interaction.

RCE Heap Overflow Buffer Overflow Illumos Gate Omnios +1
NVD GitHub
CVSS 4.0
9.1
CVE-2026-53713 CRITICAL PATCH GHSA Act Now

Arbitrary file disclosure in Envoy Gateway's controller allows a low-privileged tenant who can create an EnvoyExtensionPolicy to read sensitive files from the gateway controller pod. A path-normalization gap in the security.lua critical-path check (CWE-20) lets attacker-supplied Lua bypass the read restriction using double-slash paths (e.g. //etc/passwd), exposing Kubernetes service-account tokens, TLS certificates, and process environment. No public exploit identified at time of analysis, but the vendor advisory documents the exact bypass and CVSS is rated 9.1.

RCE Kubernetes
NVD GitHub
CVSS 3.1
9.1
CVE-2026-14890 CRITICAL Act Now

Unauthenticated remote code execution in SGLang (versions 0 through 0.5.14) arises when the expert-parallel backup subsystem binds a ZeroMQ PULL socket to a routable interface without authentication or safe deserialization, letting a network attacker send a crafted pickle payload that executes arbitrary code in the serving process. It affects deployments where the elastic expert-parallel backup feature is enabled and the socket is reachable. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

RCE Deserialization Sglang
NVD GitHub
CVSS 3.1
9.1
CVE-2026-63089 CRITICAL PATCH Act Now

Peer credential disclosure in WireGuard Easy (wg-easy) through 15.3.0 lets unauthenticated network attackers recover a client's WireGuard PrivateKey and PresharedKey by brute-forcing the one-time configuration link. Because the OTL token is derived from CRC32 over a random value bounded to 0-999, an attacker faces at most 1000 candidate tokens per client ID against the unauthenticated /cnf/:oneTimeLink route, which had no rate limiting and did not enforce token expiration. There is no public exploit identified at time of analysis, but the small keyspace makes exploitation trivial once a valid link is active; the flaw was reported by VulnCheck and is fixed upstream.

Information Disclosure Wg Easy
NVD GitHub
CVSS 4.0
9.0
CVE-2026-11386 CRITICAL PATCH Act Now

Root-level remote code execution in Canonical's ubuntu-pro-client (formerly ubuntu-advantage-tools) allows an attacker who can spoof or tamper with the Ubuntu Pro contract server response to inject arbitrary APT source lines and install malicious root-owned packages. The client builds /etc/apt/sources.list.d entries from the server's directives.suites[] and directives.aptURL fields via Python str.format() without escaping or newline filtering, and passes additionalPackages[] positionally into a root-run apt-get install. Because the component is preinstalled on supported Ubuntu Server releases and auto-attaches on cloud Ubuntu Pro images the exposure is broad; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python Ubuntu Canonical RCE Ubuntu Pro Client Ubuntu Advantage Tools +7
NVD VulDB
CVSS 3.1
9.0
CVE-2026-44909 CRITICAL Act Now

Memory exhaustion and denial-of-service across HTTP/2 server implementations allow remote unauthenticated attackers to crash or severely degrade affected services by intentionally stalling flow control using standard HTTP/2 protocol frames. Researched and reported by the Okta Red Team and coordinated through CERT/CC as VU#885548, this class of vulnerability is tracked across three CVEs (CVE-2026-59762, CVE-2026-59173, CVE-2026-44909) affecting multiple vendor implementations including F5 BIG-IP. By advertising SETTINGS_INITIAL_WINDOW_SIZE=0 and withholding WINDOW_UPDATE frames across many simultaneous streams, an attacker forces vulnerable servers to buffer unbounded response data in memory with no ability to transmit it, leading to OOM kills, swap exhaustion, or connection and worker resource starvation. No public exploit code has been identified and no CISA KEV listing is present at time of analysis.

Apple Denial Of Service Mozilla
NVD
CVE-2026-59173 CRITICAL Act Now

Memory exhaustion denial-of-service affects HTTP/2 server implementations that fail to cap buffered response data under stalled flow-control conditions. A remote unauthenticated attacker opens many simultaneous HTTP/2 streams while advertising SETTINGS_INITIAL_WINDOW_SIZE = 0 or withholding WINDOW_UPDATE frames, forcing the server to accumulate unbounded in-memory response buffers it cannot transmit. Under permissive resource limits this can trigger OOM kills, swap exhaustion, and full system unresponsiveness; under tighter limits, connection and worker pool exhaustion degrades availability for legitimate clients. Reported 2026-07-16 by Okta Red Team and coordinated as CERT VU#885548 covering at least three CVE IDs (CVE-2026-59762, CVE-2026-59173, CVE-2026-44909) across multiple vendor implementations. No public exploit code identified at time of analysis, and CISA KEV listing not confirmed.

Apple Denial Of Service Mozilla
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy