Skip to main content
2026-07-16

2026-07-17

CVE-2026-9810 CRITICAL POC PATCH Act Now

Privilege escalation and full site takeover affects the AI Copilot WordPress plugin before 1.5.4, which fails to bind OAuth access tokens to a specific WordPress user and treats any valid token as an administrator session. An unauthenticated attacker who completes the plugin's public OAuth flow can invoke privileged MCP (Model Context Protocol) tools as an administrator, creating new users and escalating roles. Publicly available exploit code exists and the flaw carries a CVSS 9.8; no active exploitation has been confirmed (not in CISA KEV).

WordPress Privilege Escalation Ai Copilot
NVD WPScan VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-63101 HIGH POC This Week

Sensitive information disclosure in FOSSASIA Open Event Server through 1.19.1 lets unauthenticated remote attackers export the full member roster of any group - email addresses, names, join dates, and roles - because the group followers CSV export endpoint carries no authentication decorator. Publicly available exploit code exists; the flaw is trivially automatable by enumerating sequential group IDs, triggering an export, and polling the unauthenticated task-status endpoint for the download URL. No public exploit has been added to CISA KEV, but the CVSS 4.0 base score of 8.7 (High) and confirmed PoC make it a credible mass-scraping risk.

Authentication Bypass Open Event Server
NVD GitHub
CVSS 4.0
8.7
CVE-2026-63093 HIGH POC This Week

Arbitrary code execution in Cursor for Windows 3.2.16 lets remote attackers run code on a developer's machine by planting a malicious git.exe in a repository's root directory. Because Cursor resolves and executes the workspace-resident git.exe at IDE startup and on a recurring timer, simply cloning and opening a crafted repository triggers execution under the current user's privileges with no explicit user action beyond opening the project. Publicly available exploit code exists and the flaw was reported by VulnCheck; there is no CISA KEV listing or active-exploitation confirmation in the data.

Microsoft RCE Cursor
NVD
CVSS 4.0
8.7
CVE-2026-11961 HIGH POC PATCH This Week

Privilege escalation in the User Registration & Membership WordPress plugin before 5.2.3 lets unauthenticated visitors self-assign an arbitrary published membership tier during public registration, gaining that tier's user role - including administrator where such a tier exists. The plugin never validates that the tier submitted in the registration form is one the form actually offers, so an attacker simply tampers with the submitted tier value. Publicly available exploit code exists (reported by WPScan), though active exploitation has not been confirmed.

WordPress Privilege Escalation User Registration Membership
NVD WPScan
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-63094 HIGH POC This Week

Session token theft in SigNoz through 0.133.0 lets unauthenticated attackers hijack any user account on instances configured with Google OAuth, SAML, or OIDC single sign-on. Because the unauthenticated sessions-context endpoint accepts an attacker-controlled 'ref' parameter that is embedded unvalidated into the SSO state/redirect, an attacker crafts a login URL that returns the victim's access and refresh tokens to an attacker-controlled host once the victim completes SSO. Reported by VulnCheck (CWE-601, open redirect), publicly available exploit code exists, though it is not listed in CISA KEV and EPSS was not provided.

Open Redirect Google Signoz
NVD GitHub
CVSS 4.0
7.6
CVE-2026-11575 HIGH POC PATCH This Week

The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash of the request body that anyone can compute. This allows unauthenticated attackers to forge a payment-success notification and mark unpaid WooCommerce orders as paid without any payment being made.

WordPress Phonepe Payment Solutions Authentication Bypass
NVD WPScan
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-63100 HIGH POC This Week

Broken access control in Maybe Finance (self-hosted personal finance app) through 0.6.0 lets any authenticated low-privilege member-role user read and rewrite instance-wide hosting settings because Settings::HostingsController applies the ensure_admin before_action only to clear_cache, leaving show and update exposed. A member can exfiltrate the operator's Synth API key rendered in plaintext in a form field, replace it with an attacker-controlled value, enable open public registration, and disable email-confirmation enforcement to disrupt the instance. Publicly available exploit code exists (reported by VulnCheck); this is not listed in CISA KEV, so there is no public exploit identified beyond the released POC.

Authentication Bypass Maybe
NVD GitHub
CVSS 4.0
7.1
CVE-2026-63099 HIGH POC This Week

Cross-organization data disclosure in TheHive through 4.1.24 allows any authenticated user to download attachments belonging to other organizations by supplying a known content-hash identifier. The flaw is a broken object-level authorization (BOLA/IDOR) in the attachment download endpoints, where AttachmentSrv.visible acts as a pass-through datastore traversal without enforcing organization scoping. Publicly available exploit code exists (published by VulnCheck / geo-chen), though there is no public exploit identified as actively exploited in the wild (not in CISA KEV).

Authentication Bypass Thehive
NVD GitHub
CVSS 4.0
7.1
CVE-2026-63095 HIGH POC This Week

Improper authorization in Dendrite (the Go-based Matrix homeserver) through version 0.13.8 lets any authenticated local user delete another user's third-party identifier (3PID) bindings via the POST /account/3pid/delete endpoint, because the Forget3PID handler removes the supplied address/medium without verifying ownership. By stripping a victim's email or MSISDN binding and rebinding it through an identity server, an attacker can hijack the victim's account-recovery/password-reset flow. Publicly available exploit code exists; there is no CISA KEV listing, so this is not confirmed as actively exploited.

Authentication Bypass Dendrite
NVD GitHub
CVSS 4.0
7.1
CVE-2026-63098 MEDIUM POC This Month

Unauthenticated information disclosure in TheHive through 4.1.24 exposes sensitive configuration data - including the datastore attachment protection password, SSO settings, MFA capabilities, and clustered node addresses - to any network-reachable attacker via a single GET request to /api/status. The root cause is a missing authentication gate in the StatusCtrl.scala handler, a CWE-306 class defect. A public proof-of-concept is available on GitHub demonstrating trivial exploitation; no CISA KEV listing at time of analysis, though the exposed credentials materially increase lateral movement risk beyond the moderate CVSS score suggests.

Information Disclosure Authentication Bypass Thehive
NVD GitHub
CVSS 4.0
6.9
CVE-2026-63096 MEDIUM POC This Month

Server-side request forgery in Dendrite through 0.13.8 allows unauthenticated remote attackers to weaponize the server as a port-scanning proxy against internal networks by supplying arbitrary host and port values via the unvalidated `serverName` parameter on the legacy media download endpoint. The server initiates outbound TLS connections to attacker-controlled destinations, and distinguishable error response classes combined with leaked internal IP addresses in error messages expose internal network topology. A publicly available proof-of-concept exploit exists; this vulnerability is not currently listed in CISA KEV.

SSRF Dendrite
NVD GitHub
CVSS 4.0
6.9
CVE-2026-10525 MEDIUM POC PATCH This Month

The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against high privilege users such as administrators when they view the submitted entries.

XSS WordPress Nex Forms
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-14956 CRITICAL Act Now

Unauthenticated privilege escalation in the Bricksforge WordPress plugin (versions ≤ 3.1.8.6) lets remote attackers create a new administrator account by abusing the Pro Forms User Registration action. The plugin fails to validate the fieldIds parameter, so attacker-supplied field IDs are injected into the trusted form-field whitelist, enabling mass-assignment of a privileged role. No public exploit has been identified at time of analysis, but the flaw is trivially exploitable (CVSS 9.8) on any site exposing a Pro Forms registration element.

Privilege Escalation WordPress Bricksforge
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-15982 CRITICAL Act Now

Privilege escalation in the Aimogen Pro (Aiomatic) all-in-one AI toolkit plugin for WordPress affects all versions through 2.8.4 and lets unauthenticated attackers create administrator accounts. The 'aiomatic_call_google_ai_function' AJAX handler lacks a capability check, allowing the 'aimogen_wp_god_mode' tool to clear function blacklists and invoke arbitrary PHP functions. No public exploit identified at time of analysis, but the pre-auth nature and 9.8 CVSS make this a full-site-takeover risk.

Privilege Escalation WordPress PHP Aimogen Pro All In One Ai Content Writer Editor Chatbot Automation Toolkit
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-9198 CRITICAL PATCH Act Now

Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any network-reachable attacker achieve full RCE on default deployments by chaining two endpoints: /api/v1/auto_login, which mints SUPERUSER tokens to any caller, and /api/v1/validate/code, which passes user-supplied code to Python's exec(). CVSS is 9.8 (AV:N/AC:L/PR:N/UI:N) and a vendor patch is available; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Code Injection IBM RCE Langflow Oss
NVD
CVSS 3.1
9.8
CVE-2026-9202 CRITICAL PATCH Act Now

Missing authentication in IBM Langflow OSS 1.0.0 through 1.10.0 lets unauthenticated remote attackers register unlimited user accounts against any exposed instance. When the documented NEW_USER_IS_ACTIVE=true option is set, those accounts become immediately active and can log in to reach known remote-code-execution endpoints, providing a full authentication foothold without relying on AUTO_LOGIN. No public exploit identified at time of analysis, but the CVSS 9.8 rating and unauthenticated network vector make internet-facing deployments a high priority.

IBM Authentication Bypass Langflow Oss
NVD
CVSS 3.1
9.8
CVE-2026-12692 CRITICAL Act Now

Authentication bypass in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) lets a remote, unauthenticated attacker change a victim's password without verifying the existing credential (CWE-620), enabling full account takeover. Reported by Turkey's national CERT (TR-CERT/USOM) and rated CVSS 9.8, the flaw grants complete control over targeted accounts. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Enterprise Video Platform
NVD
CVSS 3.1
9.8
CVE-2026-8297 CRITICAL Act Now

SQL injection in GisLab Laboratory Management System (versions 1.4.03 through 08072026) allows remote unauthenticated attackers to inject arbitrary SQL commands via improperly neutralized special elements, per a TR-CERT advisory (TR-26-0573). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H, 9.8) indicates full compromise of the backend database with no authentication or user interaction. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

SQLi Gislab Laboratory Management System
NVD
CVSS 3.1
9.8
CVE-2026-51080 CRITICAL Act Now

XML External Entity injection in the libpve-storage-perl library (the storage-management Perl backend of Proxmox VE) affects builds identified as libpvestorage-perl v9.1.1 and libpve-storage-perl v8.3.7, per MITRE. An attacker able to submit crafted XML to an affected storage-handling code path can force the parser to resolve external entities, enabling arbitrary local file disclosure and potential SSRF or denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; EPSS was not provided.

XXE N A
NVD VulDB
CVSS 3.1
9.8
CVE-2026-16016 MEDIUM POC This Month

Server-side request forgery in poco-ai/poco-claw up to version 0.5.4 allows remote unauthenticated attackers to coerce the application server into issuing arbitrary HTTP requests to attacker-controlled destinations via the unvalidated callback_url parameter in the run_task API function. The flaw is exposed through the task execution endpoint at executor/app/api/v1/task.py and carries a publicly available proof-of-concept exploit referenced on GitHub. No vendor patch has been released; the associated GitHub issue was closed automatically due to inactivity, indicating no active maintenance response and indefinite risk exposure.

SSRF Poco Claw
NVD VulDB GitHub
CVSS 4.0
5.5
CVE-2026-16014 MEDIUM POC This Month

SQL injection in the Login Form of code-projects Hospital Bed Management System 1.0 exposes unauthenticated remote attackers to database manipulation via the Username parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no user interaction, and the E:P modifier reflects a publicly available proof-of-concept on Gitee. While not listed in CISA KEV, the low barrier to exploitation combined with a public POC elevates practical urgency for any organization running this software, despite the product's niche footprint.

SQLi Hospital Bed Management System
NVD VulDB
CVSS 4.0
5.5
CVE-2026-16013 MEDIUM POC PATCH This Month

Out-of-bounds read in CIPster's EtherNet/IP symbolic path parser exposes industrial control systems to remote availability disruption and potential memory disclosure. The flaw resides in `CipAppPath::deserialize_symbolic` (source/src/cip/cipepath.cc), where unsafe `memcpy` calls copy attacker-controlled byte counts from a network-supplied CIP symbolic path segment into a fixed-size stack buffer without bounds enforcement, reachable by a remote unauthenticated attacker sending a crafted EtherNet/IP explicit messaging request. No active exploitation is confirmed (not in CISA KEV), but a POC exploit archive has been publicly released and the CVSS 4.0 E:P modifier corroborates exploit availability.

Information Disclosure Buffer Overflow Cipster
NVD VulDB GitHub
CVSS 4.0
5.5
CVE-2026-12393 MEDIUM POC PATCH This Month

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders.

WordPress Wps Bookings For Woocommerce Authentication Bypass
NVD WPScan VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-12693 CRITICAL Act Now

Authorization bypass in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) lets remote unauthenticated attackers manipulate a user-controlled key (an IDOR-style reference) to reach functionality that should be restricted by access-control lists. Reported to Turkey's national CSIRT (USOM) with a CVSS 9.4, it enables reading and altering other tenants'/users' resources; no public exploit identified at time of analysis and the flaw is not in CISA KEV.

Authentication Bypass
NVD
CVSS 3.1
9.4
CVE-2026-62241 CRITICAL PATCH Act Now

Session forgery in the clawvet self-hosted API server (apps/api) before 0.7.5 lets a remote unauthenticated attacker fully impersonate any user and steal their secret apiKey. The server ships a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and .env.example, while an unauthenticated GET /api/v1/scans endpoint leaks victim userId values; combining these, an attacker forges a valid HS256 cg_session cookie offline and calls GET /api/v1/auth/me to exfiltrate the victim's email, subscription plan, and API key. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the technique is fully described and trivially reproducible; only the self-hosted API is affected, not the published clawvet npm CLI package.

Authentication Bypass Node.js Clawvet
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-13402 MEDIUM POC PATCH This Month

The Royal Addons for Elementor WordPress plugin before 1.7.1063 does not check the post status of menu items or the templates they reference in one of its REST endpoints, allowing unauthenticated users to retrieve the rendered HTML content of private or draft Elementor templates linked from non-public navigation menu items.

Information Disclosure WordPress Royal Addons For Elementor
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-11966 MEDIUM POC PATCH This Month

The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pending user accounts.

WordPress User Registration Membership Authentication Bypass
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-63308 MEDIUM POC PATCH This Month

Denial of service in Helm's Files.Lines template helper (pkg/engine/files.go) allows any party who can supply a crafted chart to crash Helm operations deterministically by embedding a zero-length file. Affected are all Helm releases through 4.2.3 across template, install, upgrade, lint, and SDK Engine.Render code paths. A public proof-of-concept exists via GitHub issue #32279; this CVE is not listed in CISA KEV, and a patch is available in upstream commit ba6c9a29.

Denial Of Service Helm
NVD GitHub
CVSS 4.0
5.3
CVE-2026-9586 CRITICAL Act Now

Unauthenticated SQL injection in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets remote attackers execute arbitrary SQL against the backend PostgreSQL database via the /pa endpoint, which concatenates the attacker-supplied PhoneIP value from a <PolycomIPPhone> XML body into queries without parameterization. Because SQL access on this PostgreSQL deployment can be escalated to command execution, a single crafted, unauthenticated request yields full database compromise and remote code execution on the VoIP appliance. There is no public exploit identified at time of analysis, though vendor SRA published a technical writeup, and the CVSS 4.0 base score is 9.3 (Critical).

RCE SQLi PostgreSQL Switchvox Smb Edition
NVD
CVSS 4.0
9.3
CVE-2026-63097 MEDIUM POC This Month

Post-leave room state disclosure in Dendrite through 0.13.8 allows authenticated local users to retrieve unfiltered current room state from rooms they have previously exited. The syncapi /context endpoint in syncapi/routing/context.go performs an incomplete membership check - evaluating only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership - effectively treating departed users as current members for this endpoint alone. A publicly available proof-of-concept exists per VulnCheck and the geo-chen research disclosure; no active exploitation has been confirmed via CISA KEV at time of analysis.

Authentication Bypass Dendrite
NVD GitHub
CVSS 4.0
5.3
CVE-2026-62232 CRITICAL PATCH Act Now

Two-factor authentication bypass in Grav CMS before 2.0.4 lets an attacker who already knows a victim's password overwrite that user's TOTP secret and log in with full 2FA protection stripped away. During the pending TOTP challenge window the login plugin's regenerate2FASecret task verifies only that the user exists — not that the caller is authorized — and requires no CSRF nonce, so the attacker sets an attacker-chosen secret, computes a valid code, and completes login. VulnCheck-reported and CVSS 4.0 scored 9.1; no public exploit identified at time of analysis.

CSRF Authentication Bypass Grav
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.3%
CVE-2026-12694 CRITICAL Act Now

Improper access control in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) allows remote unauthenticated attackers to invoke privileged functionality that is not properly constrained by access control lists. Because the missing authorization check exposes state-changing operations, an attacker can modify or disrupt platform data and availability without credentials. This was reported by Turkey's national CSIRT (USOM); no public exploit has been identified at time of analysis and no EPSS or CISA KEV data is available.

Authentication Bypass
NVD
CVSS 3.1
9.1
CVE-2026-13352 HIGH This Week

Remote code execution is possible in the ProfilePress WordPress plugin (Paid Membership, Ecommerce, User Registration) in all versions through 4.16.18, where the DigitalProducts UploadHandler unconditionally registers an upload_mimes filter that whitelists executable extensions (.exe, .apk, .msi) across every WordPress upload context site-wide. Authenticated attackers with author-level access or above (per CVSS PR:L) can leverage this expanded MIME allowlist to upload executable files, leading to code execution. There is no public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.

RCE WordPress File Upload Paid Membership Plugin Ecommerce User Registration Form Login Form User Profile Restrict Content Profilepress
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-62230 HIGH PATCH This Week

Sensitive configuration file disclosure in Grav CMS before 2.0.4 lets unauthenticated remote attackers bypass the bundled .htaccess protections by requesting blocked file types with uppercase or mixed-case extensions (e.g., .YAML, .PHP). The shipped rules omit the Apache [NC] flag, so extension matching is case-sensitive and fails to block case variants on case-insensitive filesystems (Windows/NTFS, macOS/HFS+, Docker volume mounts), exposing files that may hold API keys and credentials. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Apple Microsoft Information Disclosure Docker PHP +1
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62218 HIGH PATCH This Week

Authorization bypass in OpenClaw versions 2026.1.20 through 2026.5.26 allows low-trust, authenticated callers to invoke the device.pair.approve feature and perform device-pairing approvals that should require stronger role-management authorization. Because the feature can be reached through configured input paths, an attacker holding only limited privileges can escalate their effective authority over device pairing, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the flaw was reported by VulnCheck and carries a CVSS 4.0 base score of 8.7.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62233 HIGH PATCH This Week

Privilege escalation in the getgrav grav-plugin-api before 1.0.6 allows a low-privileged manager holding the api.users.write permission to become a super-admin. The createApiKey, generate2fa, and disable2fa endpoints never re-check super-admin status, so an attacker can mint API keys bound to super-admin accounts or strip 2FA from super-admin users and take over the entire Grav instance. No public exploit identified at time of analysis, but the vendor GHSA advisory and VulnCheck confirm the flaw.

Authentication Bypass Grav
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-58148 HIGH This Week

Stored cross-site scripting in the ChronoForms extension for Joomla lets unauthenticated attackers persist malicious JavaScript that executes in the browser of anyone who later views the affected page. The flaw carries a CVSS 4.0 base score of 8.7 and requires no authentication (PR:N), though a victim must load the poisoned content (UI:P). There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS Chronoforms Extension For Joomla
NVD
CVSS 4.0
8.7
CVE-2026-62231 HIGH PATCH This Week

Authorization bypass in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.6 lets any valid API key perform actions far beyond its intended scope. Although keys can be provisioned with a restricted scopes array (e.g. read-only), the ApiKeyAuthenticator class never reads or enforces those scopes and instead returns the owning user's full account object, so a limited key can execute any write, delete, or administrative operation the owner is entitled to. Reported by VulnCheck with no public exploit identified at time of analysis, but the flaw is trivially exploitable by any key holder against default configurations.

Authentication Bypass Grav
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-9585 HIGH This Week

Reflected cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser by luring them to a crafted link. The flaw stems from the application reflecting an unsanitized 'portal' parameter into JavaScript emitted by the invalid_browser and invalid_browser_login handlers. No public exploit is identified at time of analysis, though the reporting researcher (SRA) has published a technical writeup, and no evidence of active exploitation exists.

XSS Switchvox Smb Edition
NVD
CVSS 4.0
8.6
CVE-2026-15343 HIGH This Week

Arbitrary file write in GitHub Enterprise Server (all releases before 3.22) lets an attacker who already has code execution inside the Dependabot updater container escape the intended dependency-file directory via path traversal and symlink manipulation, planting attacker-controlled files anywhere in a repository - including GitHub Actions workflows under .github/workflows/. Because path validation checked the declared rather than the effective (symlink-resolved) path, an injected workflow can run with the repository's Actions secrets when the repo uses pull_request_target or auto-merge. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; CVSS 4.0 base score is 8.6 (High).

RCE Path Traversal Enterprise Server
NVD GitHub
CVSS 4.0
8.6
CVE-2026-12715 HIGH PATCH This Week

Cross-tenant data disclosure in Google Cloud Firebase Studio (versions prior to the 2026-04-15 fix) let an authenticated user retrieve other tenants' deployed source code and sensitive data by issuing unauthorized GCS signed-URL requests. The flaw stems from a missing authorization check (CWE-862) on the object-signing path rather than a code-execution bug, so impact is confidentiality-centric. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Google Information Disclosure Authentication Bypass Firebase Studio
NVD
CVSS 4.0
8.5
CVE-2026-62234 HIGH PATCH This Week

Server-side request forgery in Grav CMS before 2.0.4 allows authenticated users holding the api.webhooks.write permission to register webhooks with dangerous cURL protocol handlers (file://, dict://, gopher://) that fire when webhook events trigger. By abusing these unrestricted protocols an attacker can read local files, enumerate process and service information, and pivot to internal-only network services from the trust position of the Grav server. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; risk is driven by the CWE-918 primitive rather than confirmed in-the-wild activity.

SSRF Grav
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.3%
CVE-2026-57860 HIGH PATCH This Week

Arbitrary code execution in ForgeCode (tailcallhq/forgecode), an AI pair-programming CLI, occurs because the tool auto-loads and honors a repository's project-local .mcp.json at startup without asking the user. A malicious repository can define mcpServers entries with arbitrary command/args (e.g. bash -c), so simply running the forge CLI inside a cloned untrusted repo spawns attacker-chosen commands as the invoking developer. Reported by VulnCheck with a vendor patch available; no public exploit tool is identified at time of analysis, though the CVE description itself embeds a working payload example.

RCE Forgecode
NVD GitHub
CVSS 4.0
8.4
CVE-2026-59694 HIGH PATCH This Week

Economic resource exhaustion in the ZenHive mpp Elixir library (versions 0.2.0 through 0.5.x) lets an unauthenticated remote client inflate a sponsoring fee-payer's gas cost per payment by roughly 7.4x, draining the sponsor wallet over sustained abuse. When deployed with fee_payer: true, MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs client-supplied base fields of the 0x76 AASigned envelope verbatim - including an oversized EIP-2930 access list - without validating length or contents, so intrinsic gas is charged for fabricated entries that touch nothing on-chain. No public exploit identified at time of analysis, but the attack is fully detailed in the vendor advisory and fixed in 0.6.0.

Information Disclosure Mpp
NVD GitHub
CVSS 4.0
8.3
CVE-2026-59695 HIGH PATCH This Week

Fee-payer wallet draining in ZenHive mpp (Elixir) 0.2.0-0.5.x lets an unauthenticated remote client empty the sponsor's wallet in a single request when the server runs with fee_payer: true. Because MPP.Tempo.Transaction.cosign_fee_payer/3 co-signs the client-supplied gas ceilings (max_fee_per_gas / max_priority_fee_per_gas) of the 0x76 AASigned envelope without bounds checking, an attacker sets arbitrarily large per-gas rates that are billed against the server's wallet, after which it can no longer sponsor legitimate payments. No public exploit identified at time of analysis; the issue was reported by the Erlang Ecosystem Foundation (EEF) and patched in 0.6.0.

Information Disclosure Mpp
NVD GitHub
CVSS 4.0
8.3
CVE-2026-62386 HIGH PATCH This Week

Sensitive token exposure in the Grav CMS API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 allows attackers to hijack valid admin sessions after JWT access tokens leak from URLs. Because JwtAuthenticator::extractBearerToken accepts tokens via the ?token= query string on every API route, those tokens are written verbatim into web server access logs, Referer headers, browser history, and upstream proxy/CDN logs, and any captured token grants full admin API access. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 4.0 score of 8.2 reflects the high value of the leaked admin credentials.

Information Disclosure Grav
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-13410 HIGH PATCH This Week

Google OAuth2 login can be fully impersonated in the Perl module Dancer::Plugin::Auth::Google (all versions through 0.07) because its default user agent is initialised with SSL_verify_mode set to SSL_VERIFY_NONE, disabling TLS certificate validation on calls to googleapis.com. A network man-in-the-middle can intercept the OAuth2 token exchange and userinfo fetch and return a forged access_token and profile, authenticating as any Google user to the Dancer application. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but an upstream fix (PR #5) is available.

Microsoft Google Information Disclosure Dancer
NVD GitHub VulDB
CVSS 3.1
8.2
CVE-2026-59252 HIGH PATCH This Week

Wallet-draining denial of service in ZenHive mpp (Elixir library) versions 0.2.0 through 0.5.x affects deployments configured as a Tempo fee payer (fee_payer: true), where the MPP.Methods.Tempo method co-signs and broadcasts a client-supplied EVM transaction without verifying the client's gas_limit is high enough to complete execution. An unauthenticated remote client can submit a signed transferWithMemo transaction with gas_limit set just below the required amount, causing an on-chain out-of-gas revert that still charges the sponsor's fee-payer wallet while the attacker pays nothing. There is no public exploit identified at time of analysis and this is not on CISA KEV, but repeated low-cost requests can exhaust the sponsor wallet and stop the server from funding gas for legitimate payment requests.

Denial Of Service Mpp
NVD GitHub
CVSS 4.0
8.2
CVE-2025-60357 HIGH This Week

NoSQL injection in AhnLab EPP (Endpoint Protection Platform) Management v1.0.14.32-6249 allows an authenticated attacker to manipulate backend NoSQL queries through the eventlog/agentEvent/list endpoint, as the CVSS:3.1 vector (PR:L) indicates a low-privilege authenticated session is required. Successful exploitation yields high confidentiality and integrity impact (C:H/I:H), enabling extraction or tampering of security event-log data across the managed endpoint fleet. A public GitHub repository named for this CVE suggests exploit/PoC material may exist; it is not listed in CISA KEV and no EPSS score was provided.

Code Injection Nosql Injection N A
NVD GitHub
CVSS 3.1
8.1
CVE-2026-9762 HIGH PATCH This Week

Code injection leading to remote code execution affects IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 when an attacker can influence the JDBC connection URL passed to the driver. An attacker who controls the JDBC URL (typically via an application that builds connection strings from user input) can inject malicious properties or references that cause arbitrary code to execute in the context of the connecting application/driver host. IBM has released a fix; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection IBM RCE Db2
NVD
CVSS 3.1
7.8
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy