Skip to main content
2026-07-16

2026-07-17

CVE-2026-63098 MEDIUM POC This Month

Unauthenticated information disclosure in TheHive through 4.1.24 exposes sensitive configuration data - including the datastore attachment protection password, SSO settings, MFA capabilities, and clustered node addresses - to any network-reachable attacker via a single GET request to /api/status. The root cause is a missing authentication gate in the StatusCtrl.scala handler, a CWE-306 class defect. A public proof-of-concept is available on GitHub demonstrating trivial exploitation; no CISA KEV listing at time of analysis, though the exposed credentials materially increase lateral movement risk beyond the moderate CVSS score suggests.

Information Disclosure Authentication Bypass Thehive
NVD GitHub
CVSS 4.0
6.9
CVE-2026-63096 MEDIUM POC This Month

Server-side request forgery in Dendrite through 0.13.8 allows unauthenticated remote attackers to weaponize the server as a port-scanning proxy against internal networks by supplying arbitrary host and port values via the unvalidated `serverName` parameter on the legacy media download endpoint. The server initiates outbound TLS connections to attacker-controlled destinations, and distinguishable error response classes combined with leaked internal IP addresses in error messages expose internal network topology. A publicly available proof-of-concept exploit exists; this vulnerability is not currently listed in CISA KEV.

SSRF Dendrite
NVD GitHub
CVSS 4.0
6.9
CVE-2026-10525 MEDIUM POC PATCH This Month

The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against high privilege users such as administrators when they view the submitted entries.

XSS WordPress Nex Forms
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-16016 MEDIUM POC This Month

Server-side request forgery in poco-ai/poco-claw up to version 0.5.4 allows remote unauthenticated attackers to coerce the application server into issuing arbitrary HTTP requests to attacker-controlled destinations via the unvalidated callback_url parameter in the run_task API function. The flaw is exposed through the task execution endpoint at executor/app/api/v1/task.py and carries a publicly available proof-of-concept exploit referenced on GitHub. No vendor patch has been released; the associated GitHub issue was closed automatically due to inactivity, indicating no active maintenance response and indefinite risk exposure.

SSRF Poco Claw
NVD VulDB GitHub
CVSS 4.0
5.5
CVE-2026-16014 MEDIUM POC This Month

SQL injection in the Login Form of code-projects Hospital Bed Management System 1.0 exposes unauthenticated remote attackers to database manipulation via the Username parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no user interaction, and the E:P modifier reflects a publicly available proof-of-concept on Gitee. While not listed in CISA KEV, the low barrier to exploitation combined with a public POC elevates practical urgency for any organization running this software, despite the product's niche footprint.

SQLi Hospital Bed Management System
NVD VulDB
CVSS 4.0
5.5
CVE-2026-16013 MEDIUM POC PATCH This Month

Out-of-bounds read in CIPster's EtherNet/IP symbolic path parser exposes industrial control systems to remote availability disruption and potential memory disclosure. The flaw resides in `CipAppPath::deserialize_symbolic` (source/src/cip/cipepath.cc), where unsafe `memcpy` calls copy attacker-controlled byte counts from a network-supplied CIP symbolic path segment into a fixed-size stack buffer without bounds enforcement, reachable by a remote unauthenticated attacker sending a crafted EtherNet/IP explicit messaging request. No active exploitation is confirmed (not in CISA KEV), but a POC exploit archive has been publicly released and the CVSS 4.0 E:P modifier corroborates exploit availability.

Information Disclosure Buffer Overflow Cipster
NVD VulDB GitHub
CVSS 4.0
5.5
CVE-2026-12393 MEDIUM POC PATCH This Month

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders.

WordPress Wps Bookings For Woocommerce Authentication Bypass
NVD WPScan VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-13402 MEDIUM POC PATCH This Month

The Royal Addons for Elementor WordPress plugin before 1.7.1063 does not check the post status of menu items or the templates they reference in one of its REST endpoints, allowing unauthenticated users to retrieve the rendered HTML content of private or draft Elementor templates linked from non-public navigation menu items.

Information Disclosure WordPress Royal Addons For Elementor
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-11966 MEDIUM POC PATCH This Month

The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pending user accounts.

WordPress User Registration Membership Authentication Bypass
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-63308 MEDIUM POC PATCH This Month

Denial of service in Helm's Files.Lines template helper (pkg/engine/files.go) allows any party who can supply a crafted chart to crash Helm operations deterministically by embedding a zero-length file. Affected are all Helm releases through 4.2.3 across template, install, upgrade, lint, and SDK Engine.Render code paths. A public proof-of-concept exists via GitHub issue #32279; this CVE is not listed in CISA KEV, and a patch is available in upstream commit ba6c9a29.

Denial Of Service Helm
NVD GitHub
CVSS 4.0
5.3
CVE-2026-63097 MEDIUM POC This Month

Post-leave room state disclosure in Dendrite through 0.13.8 allows authenticated local users to retrieve unfiltered current room state from rooms they have previously exited. The syncapi /context endpoint in syncapi/routing/context.go performs an incomplete membership check - evaluating only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership - effectively treating departed users as current members for this endpoint alone. A publicly available proof-of-concept exists per VulnCheck and the geo-chen research disclosure; no active exploitation has been confirmed via CISA KEV at time of analysis.

Authentication Bypass Dendrite
NVD GitHub
CVSS 4.0
5.3
CVE-2026-41993 MEDIUM PATCH This Month

Improper Access Control in TXOne Networks' Removable Media Validation function allows a local administrator to bypass the file lockdown mechanism enforced by SafePortAgent (before 3.2.5024) and StellarProtect (3.2.4011 through before 5.0.1083), enabling unauthorized file transfer to a protected device via specially prepared removable media. The attack requires pre-positioning unauthorized files on the removable media before insertion, making this a deliberate, multi-step insider or supply-chain adjacent threat rather than opportunistic exploitation. No public exploit code or active exploitation has been identified at time of analysis; the vendor self-reported this issue through their PSIRT.

Authentication Bypass Safeportagent Stellarprotect
NVD VulDB
CVSS 4.0
6.7
EPSS
0.1%
CVE-2026-14503 MEDIUM This Month

Sensitive information exposure in the pCloud WP Backup WordPress plugin (all versions up to and including 2.0.3) allows subscriber-level authenticated users to trigger full-site backup archive generation via the unprotected `wp2pcl_ajax_process_request_inner` AJAX endpoint. The resulting archive is deposited in the plugin's publicly web-accessible `tmp/` directory at a predictable URL, exposing `wp-config.php` database credentials, WordPress authentication secret salts, and the complete PHP source tree to unauthenticated HTTP retrieval by any internet visitor. No public exploit code has been identified at time of analysis, but the two-phase attack path (low-privilege trigger followed by unauthenticated exfiltration) makes this significantly more impactful than the 6.5 CVSS score suggests, as successful exploitation provides the material for full database access and authentication session forgery.

WordPress Information Disclosure PHP Pcloud Wp Backup
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-11763 MEDIUM This Month

Authorization bypass in GisLab Laboratory Management System (versions 1.4.03 through 08072026) allows an authenticated low-privileged user to access confidential data belonging to other users by manipulating user-controlled identifier keys in requests. The flaw (CWE-639, IDOR class) exposes high-confidentiality data without requiring elevated privileges or user interaction, over the network. No public exploit or CISA KEV listing has been identified at time of analysis; the vulnerability was disclosed by Turkey's national CERT (TR-CERT) via advisory TR-26-0573.

Authentication Bypass Gislab Laboratory Management System
NVD
CVSS 3.1
6.5
CVE-2026-8075 MEDIUM This Month

Improper null checking in Mattermost Desktop App versions ≤6.2, 5.5.13, and 6.0.2.0 enables any authenticated channel member to crash the Desktop App of all other members in the same channel by posting a crafted link containing an embedded image served without expected HTTP headers. The crash is client-side and can be made persistent if the malicious message remains in the channel, forcing repeated crashes each time an affected client reconnects. No public exploit has been identified at time of analysis, but the low-privilege attack vector and trivial reproduction make this a realistic insider or compromised-account threat in collaborative environments.

Denial Of Service Mattermost
NVD
CVSS 3.1
6.5
CVE-2026-9602 MEDIUM This Month

Mattermost Desktop App across the 5.x and 6.x release branches can be crashed by a malicious server operator through unvalidated inter-process payloads sent from the Mattermost Web App to the Desktop App. The root cause is the absence of payload validation in the Web-to-Desktop communication channel, enabling a server owner to send a malformed method payload that causes uncontrolled processing and application termination on the connected client. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the network-accessible path and low-complexity exploitation make this a credible denial-of-service threat for organizations running self-hosted Mattermost deployments with untrusted or compromised server administrators.

Denial Of Service Mattermost
NVD
CVSS 3.1
6.5
CVE-2026-21770 MEDIUM PATCH This Month

DLL hijacking in HCL Traveler for Microsoft Outlook (HTMO) permits a local, high-privileged attacker to replace or plant a malicious DLL in a directory searched by the application at load time, enabling arbitrary code execution within the HTMO process context. The CVSS vector (AV:L/AC:L/PR:H/UI:R) confirms the attack is constrained to local access with elevated privileges and requires a user to trigger application load, substantially limiting real-world exploitability despite the full C/I/A:H impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Microsoft Hcl Traveler For Microsoft Outlook Htmo
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-33754 MEDIUM This Month

Memory exhaustion denial-of-service in Wazuh's cluster protocol parser affects all deployments running versions 3.9.0 through 4.14.4. The cluster service reads an attacker-supplied payload length from an incoming message header and allocates memory of that size before performing any authentication or decryption, enabling unauthenticated adjacent-network attackers to exhaust system memory and crash the cluster service. No public exploit or CISA KEV listing exists at time of analysis; vendor-released patch 4.14.5 is available.

Denial Of Service Wazuh
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-44251 MEDIUM PATCH This Month

Remote denial-of-service and potential heap corruption in the Wazuh manager's wazuh-remoted daemon allows any enrolled agent to crash the manager's agent-communication process, instantly severing all agent connections across the entire deployment. Affected versions span 3.0.0 through 4.14.4; a secondary code path triggered by the same underflow may permit heap memory write primitives beyond pure DoS. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low exploitation barrier - any enrolled agent suffices - makes it a meaningful insider or supply-chain risk for Wazuh-dependent SOC environments.

Wazuh Heap Overflow Buffer Overflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-51083 MEDIUM This Month

Incorrect access control in the Proxmox Virtual Environment qemu-server component exposes hashed passwords to authenticated low-privilege users via the cloudinit/dump API endpoint. Affects PVE 8.x before 8.4.8 and 9.x before 9.1.8. An attacker with minimal PVE credentials can retrieve cloud-init password hashes for VMs, enabling offline cracking and potential lateral movement into guest systems. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass N A
NVD
CVSS 3.1
6.5
CVE-2026-2594 MEDIUM This Month

Stored cross-site scripting in the Smart Custom Fields WordPress plugin (versions up to and including 5.0.7) enables authenticated attackers holding at minimum Author-level access to persist malicious JavaScript payloads by supplying unsanitized content in uploaded image attachment titles. Any site visitor who subsequently loads an affected page triggers execution of the injected script within their browser, enabling session hijacking, credential harvesting, or unauthorized actions on behalf of that user. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis; however, the vulnerability is partially unresolved even in the stated boundary version 5.0.7, making the precise remediation target unclear without consulting the referenced patch changesets.

WordPress XSS Smart Custom Fields
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15759 MEDIUM This Month

Stored Cross-Site Scripting in the ChatHelp plugin for WordPress (versions through 3.5.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'number' and 'group' shortcode attributes, which execute in victims' browsers on page load. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode rendering layer, identified across multiple source files in CustomButtonsTemplates.php and CustomShortcode.php. No public exploit code has been identified at time of analysis, and the plugin is not listed in CISA KEV; however, Wordfence has published a threat intelligence entry and a patch changeset exists in the WordPress plugin repository.

WordPress XSS Chathelp Click To Chat Button Woocommerce Chat To Order Floating Chat Form
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15161 MEDIUM This Month

Stored Cross-Site Scripting in the Ninja Forms Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to inject persistent malicious scripts into the admin Excel Export screen. The dual root cause is a missing capability check and nonce verification in the save_filter() AJAX handler - enabling any authenticated user to write arbitrary filter data to WordPress options - combined with unescaped concatenation of that data into HTML attributes in get_filter_row(). When administrative users subsequently visit the Excel Export admin page, the stored payload executes in their browser, enabling session hijack, credential theft, or further privilege escalation. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS Ninja Forms Excel Export
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-62220 MEDIUM PATCH This Month

WebSocket authentication rate limit bypass in OpenClaw versions 2026.2.25 through pre-2026.5.26 enables lower-trust callers or configured non-browser input paths to flood authentication attempts without being throttled at the gateway layer. The impact is limited to availability - an attacker can consume gateway connection and compute resources, degrading service for legitimate users. No public exploit has been identified at time of analysis and OpenClaw does not appear in the CISA KEV catalog.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-11324 MEDIUM This Month

Reflected Cross-Site Scripting in the WooCommerce PlacetoPay Gateway family of plugins (all regional Evertec variants) allows unauthenticated network-based attackers to inject and execute arbitrary JavaScript in victims' browsers by abusing the unsanitized 'redirect-url' parameter - confirmed in versions up to and including 3.2.2 across at least six regional plugin variants (Colombia, Ecuador, Honduras, Uruguay, Belice, and base). Exploitation requires the attacker to socially engineer a victim into clicking a crafted link; no patch version has been identified in the available data, as the most recent release (3.2.2, dated 2026-04-22) addresses only a tax-validation issue and not this XSS. No public exploit code or CISA KEV listing identified at time of analysis.

WordPress XSS Woocommerce Placetopay Gateway Belice Woocommerce Placetopay Gateway Ecuador Woocommerce Placetopay Gateway Colombia +3
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-15094 MEDIUM This Month

Reflected Cross-Site Scripting in the WP Hotel Booking WordPress plugin (ThimPress) through version 2.3.2 enables unauthenticated network attackers to inject arbitrary JavaScript into hotel booking archive pages via the unsanitized `check_in_date` parameter. When a victim clicks a crafted URL, the payload executes in their browser under the WordPress site's origin — enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim, including against administrator accounts. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the CVSS scope-change metric (S:C) elevates the base score to 6.1 by reflecting cross-context browser impact.

WordPress XSS Wp Hotel Booking
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-51081 MEDIUM This Month

Cross-site scripting in Proxmox Virtual Environment (PVE) 8.x and 9.x allows an unauthenticated remote attacker to inject and execute arbitrary JavaScript in the browser of an authenticated PVE user who interacts with a crafted payload. The CVSS scope change (S:C) confirms the injected script executes outside the originating component's security context, enabling session hijacking, credential theft, or unauthorized management actions against the hypervisor web UI. SSVC classifies exploitation status as none with no automation possible, and no active exploitation or public exploit code has been identified at time of analysis.

XSS N A
NVD
CVSS 3.1
6.1
CVE-2026-62237 MEDIUM PATCH This Month

ReDoS in Grav CMS's Twig sandbox allows an authenticated page editor to crash the web server process via a catastrophically backtracking PCRE pattern supplied to the `regex_replace` filter. Affected versions are all Grav releases prior to 2.0.4. Exploitation requires a non-default configuration (`security.twig_content.process_enabled: true`) and at least page-editor-level authentication, limiting blast radius to deployments that have deliberately unlocked Twig processing in page content. No public exploit code or CISA KEV listing has been identified at time of analysis.

Denial Of Service Grav
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-62206 MEDIUM PATCH This Month

Missing authorization in OpenClaw's Discord moderation action handling allows a low-privilege caller to perform moderation operations - such as banning, kicking, or muting users - that should require elevated permissions. All OpenClaw versions prior to 2026.6.9 are affected per the vendor's GitHub security advisory (GHSA-f6p7-6326-vf7v), reported by VulnCheck. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 integrity impact is rated High, reflecting meaningful abuse potential where a lower-trust actor gains outsized moderation authority over a Discord community.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-62219 MEDIUM PATCH This Month

Authorization bypass in OpenClaw's hooks `allowedAgentIds` validation allows a lower-trust authenticated caller to circumvent agent ID restrictions by submitting blank agent IDs, effectively elevating privileges to perform actions gated behind stronger policy controls. Affected versions span OpenClaw 2026.2.12 through versions prior to 2026.5.26, with the flaw traceable to improper input validation of the agent identifier field during hook processing. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, though the high integrity impact (VI:H per CVSS 4.0) signals meaningful risk to deployments that rely on agent-scoped authorization boundaries.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-62214 MEDIUM PATCH This Month

Bot token and credential exposure in OpenClaw Bot Framework (versions before 2026.5.28) enables low-privilege authenticated callers to exfiltrate sensitive authentication data by supplying crafted serviceUrl values that circumvent trusted boundary validation. The flaw resides in the Microsoft Teams integration component (openclaw:msteams) and allows attackers to redirect credential-bearing requests to attacker-controlled endpoints, compromising bot tokens and downstream authentication secrets. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the CVSS 4.0 score of 6.0 reflects high confidentiality impact contingent on a specific attack prerequisite (AT:P) and low-privilege access.

Information Disclosure Msteams
NVD GitHub
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-62213 MEDIUM PATCH This Month

Token leakage in OpenClaw's MS Teams integration (versions before 2026.5.27) allows lower-trust authenticated callers to retrieve Bot Framework tokens that should remain within the application's trusted boundary. Attackers exploit access to configured input paths involved in outbound MS Teams requests to harvest bearer tokens, which can then be used to authenticate to downstream Microsoft Bot Framework or Teams services as the compromised bot identity. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the high confidentiality impact (VC:H) and credential theft potential make patching a priority for any organization running this integration.

Information Disclosure Msteams
NVD GitHub
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-62210 MEDIUM PATCH This Month

Denial of service in OpenClaw gateway via slow-read attacks against remote media URL processing affects all versions before 2026.6.1. Attackers with access to configured input paths can supply crafted remote media URLs that hold gateway worker connections open indefinitely, gradually exhausting the worker pool and degrading availability for legitimate requests. No active exploitation has been confirmed (not listed in CISA KEV) and no public POC has been identified at time of analysis, but the network-reachable vector and high availability impact make this a meaningful operational risk for exposed deployments.

Denial Of Service Openclaw
NVD GitHub
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-62208 MEDIUM PATCH This Month

Authorization header leakage in OpenClaw before 2026.6.5 exposes credentials to unintended servers during MCP SSE redirect handling, allowing an authenticated lower-trust caller to gain access to resources beyond their intended authorization scope. The vulnerability affects deployments where the MCP SSE redirect feature is enabled and reachable by lower-trust input paths, with practical impact varying by operator configuration. Vendor-released patch 2026.6.5 is available; no public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-62205 MEDIUM PATCH This Month

Missing authorization controls in OpenClaw's MS Teams message actions feature permit a low-privilege authenticated caller to invoke operations that should require elevated permissions or policy checks, resulting in high integrity impact (VI:H per the CVSS 4.0 vector) on affected deployments. The flaw spans versions 2026.4.12-beta.1 through 2026.6.5, and practical severity is configuration-dependent - exploitation is gated on the MS Teams feature being enabled and reachable. No public exploit code exists and the vulnerability is not in the CISA KEV catalog; the vendor confirmed and patched the issue in 2026.6.6.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-12705 MEDIUM This Month

Missing firmware integrity verification in ABB KNX Update Tool versions through 2.0.175 allows an adjacent network attacker with low-privilege access to inject tampered updates onto KNX building automation devices, leading to high integrity and availability impact. The vulnerability (CWE-353) means the tool accepts update packages without cryptographic validation, enabling a man-in-the-middle or rogue-update attack on the KNX bus segment. No public exploit code or CISA KEV listing has been identified at time of analysis, and active exploitation has not been confirmed.

Abb Information Disclosure Knx Update Tool Abb Knx Update Tool Bje
NVD
CVSS 4.0
5.9
CVE-2026-15007 MEDIUM This Month

GitHub Enterprise Server (all versions prior to 3.22) is vulnerable to authenticated denial of service via unbounded YAML parsing depth in release notes configuration files. An authenticated user with repository access can craft a release notes configuration file containing arbitrarily deeply nested YAML structures; when release note generation is triggered, the YAML parser processes the nesting without any depth limit, causing excessive CPU and memory consumption that can render the entire GHES instance unresponsive. No public exploit has been identified at time of analysis, and this was responsibly disclosed through the GitHub Bug Bounty program.

Denial Of Service Enterprise Server
NVD GitHub
CVSS 4.0
5.7
CVE-2026-62764 MEDIUM This Month

Privilege enforcement failure in Apache Accumulo 2.1.4 and 2.1.5 allows any authenticated low-privileged user - one without system-level permissions - to remotely trigger graceful shutdown of critical cluster services including the manager, tserver, gc, compactor, compaction-coordinator, monitor, and sserver. The result is a denial of service against the distributed data store, disrupting availability for all cluster consumers until an administrator manually restarts the affected components. No public exploit has been identified at time of analysis; a vendor-released fix is available in version 2.1.6.

Denial Of Service Apache
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.3%
CVE-2026-15943 MEDIUM This Month

Keycloak's identity provider management component exposes OIDC client secrets to delegated administrators who manipulate the masked sentinel value mechanism during IdP updates. When a delegated admin submits a configuration update using the sentinel placeholder for the client secret while simultaneously changing the token URL to an attacker-controlled endpoint, Keycloak improperly reuses the real underlying secret without validating the consistency of the changed security-sensitive field. On the next authentication flow through that identity provider, Keycloak transmits the real client secret to the attacker's token URL, resulting in credential exfiltration. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Information Disclosure Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7
NVD VulDB
CVSS 3.1
5.5
CVE-2026-16093 MEDIUM This Month

Keycloak's Client Policies enforcement mechanism - designed to mandate stronger OAuth/OIDC client authentication such as signed JWTs (RFC 7523) - can be bypassed by any attacker who already holds valid client credentials. By supplying a crafted, unsigned assertion header in the token request, the attacker causes Keycloak to evaluate policy compliance as satisfied without performing cryptographic verification, allowing authentication to proceed via a weaker method such as a plain client secret. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; however, the integrity impact is meaningful for organizations that deployed Client Policies specifically to harden their authentication security posture, as those controls are silently neutralized.

Denial Of Service Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7
NVD
CVSS 3.1
5.4
CVE-2026-16089 MEDIUM This Month

Authorization code injection in Red Hat Build of Keycloak's keycloak-services component enables a network-positioned attacker to hijack OAuth 2.0 flows by intercepting and cross-client redeeming authorization codes. Because codes are not cryptographically bound to the originating client, an attacker who obtains a victim's in-flight code can submit it using their own registered client credentials and receive access tokens tied to the victim's identity. No public exploit has been identified at time of analysis, and the CVSS AC:H rating reflects the non-trivial code interception prerequisite that constrains opportunistic exploitation.

Information Disclosure Red Hat Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack +1
NVD
CVSS 3.1
5.4
CVE-2026-8616 MEDIUM This Month

Unauthenticated settings reset in the Fense Proxy & VPN Blocker WordPress plugin (versions up to and including 3.0.1) allows any remote attacker to wipe the plugin's API key cache and configuration by invoking an unprotected AJAX endpoint. The fense_bpvt_save_settings() function is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks without any capability check or nonce validation, meaning it is reachable without authentication and calls delete_option() and delete_transient() unconditionally on plugin-critical data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack is trivial to execute and carries a meaningful functional consequence: disabling the site's VPN and proxy detection capability.

WordPress Authentication Bypass Fense Proxy Vpn Blocker
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-63309 MEDIUM This Month

SurrealDB versions 3.0.0 through 3.1.4 expose a query-planner authorization bypass that allows authenticated record users to infer the relative sort order of field values protected by field-level SELECT permissions. By issuing ORDER BY queries against indexed restricted fields, an attacker with normal table SELECT access can observe that rows are returned in the hidden field's true sorted order even though the field value itself is correctly redacted to null at projection time. No public exploit has been identified at time of analysis, and CISA KEV has not listed this vulnerability; however, the attack surface is inherent to any indexed field protected by field-level permissions in affected versions.

Authentication Bypass Surrealdb
NVD GitHub
CVSS 4.0
5.3
CVE-2026-15783 MEDIUM This Month

Missing authorization in GitHub Enterprise Server's delegated bypass endpoint exposes private repository metadata to any authenticated user with write access to a single repository on the same instance. The endpoint resolves rule suites from attacker-supplied encoded identifiers without verifying that the caller holds read permission on the target repository; because these identifiers are sequential, an attacker can enumerate them to harvest private repository names, owners, branch names, commit SHAs, commit messages, and pushing actors across the entire GHES instance. No public exploit identified at time of analysis; the issue was responsibly disclosed via the GitHub Bug Bounty program and vendor-released patches are available across all active support branches.

Authentication Bypass Enterprise Server
NVD GitHub
CVSS 4.0
5.3
CVE-2026-62212 MEDIUM PATCH This Month

DNS rebinding protection bypass in OpenClaw before 2026.5.28 allows a lower-privileged caller to win a TOCTOU race window in the MS Teams safeFetch DNS validation path, potentially enabling requests to internal or restricted resources that should have been blocked by policy. Exploitation requires the safeFetch DNS rebinding check feature to be both enabled and reachable, and practical impact is heavily configuration-dependent. No public exploit code has been identified and no CISA KEV listing exists; the issue is confirmed via a vendor GitHub security advisory and VulnCheck reporting.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-15380 MEDIUM This Month

Full SYSTEM-level code execution in Broadcom's Symantec IT Management Suite (ITMS) 8.7.3 is reachable by any non-administrator interactive user via a DCOM and Windows Task Scheduler logic chain, requiring no network access and no memory corruption. The attack is confined to the local host, meaning a standard user account with an interactive session on the ITMS server is sufficient to achieve unrestricted SYSTEM privileges. No public exploit has been identified at time of analysis, though Broadcom's advisory carries the highest urgency rating (U:Red) and the CVSS 4.0 supplemental metric AU:Y indicates the exploitation steps can be automated once understood.

RCE Buffer Overflow Symantec Management Suite
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-15379 MEDIUM This Month

Local privilege escalation via a misconfigured WMI provider in Broadcom's Symantec IT Management Suite (Altiris) exposes SYSTEM-readable files to any local standard user. The AltirisAgent_Stream WMI class fails to re-impersonate the calling user when servicing queries, reverting to the LocalSystem context instead - allowing unprivileged local users to bypass filesystem ACLs and read files that are restricted to SYSTEM or Administrator accounts, including configuration files, service logs, and stored secrets. No public exploit has been identified at time of analysis, though the technique is mechanically straightforward for any authenticated local user; the Broadcom advisory (SA 37995) is the authoritative disclosure source.

Authentication Bypass Symantec It Management Suite
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-58317 MEDIUM This Month

Out-of-bounds memory read and write in Tera Term's TTSSH2 SSH plugin exposes users who connect to attacker-controlled SSH servers to memory disclosure and potential client crashes. The root cause is an unsigned-to-signed integer conversion error (CWE-196) in the SSH connection handshake code, which can cause internal memory contents to be transmitted to the malicious server. No public exploit code has been identified at time of analysis, and no KEV listing exists, but the network-reachable nature with no privilege requirement on the attacker side makes social-engineering lures a realistic delivery vector.

Buffer Overflow Ttssh2
NVD VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-60060 MEDIUM This Month

Out-of-bounds read/write in the TTSSH2 SSH plugin of Tera Term exposes users who connect to attacker-controlled SSH servers to memory disclosure and process crashes. A malicious SSH server can send crafted packets with inconsistent length parameters during connection establishment, causing the TTSSH2 plugin to read and write beyond allocated buffer boundaries - leaking adjacent memory contents (potentially including session data or credentials) back to the attacker's server. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity and unauthenticated server-side position make this a credible threat for Tera Term users in environments where they may connect to untrusted SSH endpoints.

Buffer Overflow Ttssh2
NVD VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-62226 MEDIUM PATCH This Month

Authorization bypass in OpenClaw (versions 2026.3.28 through before 2026.5.19) allows low-privileged network attackers to exploit the browser act route's failure to validate current-tab URLs, enabling Server-Side Request Forgery (SSRF) that crosses authorization boundaries into restricted resources. The CVSS 4.0 scope-change metrics (SC:H/SI:L with VC:N/VI:N/VA:N) reveal that the primary impact falls on subsequent systems rather than OpenClaw itself - meaning attackers can reach internal resources or perform policy-restricted actions using their laundered, lower-trust credentials. No public exploit code or CISA KEV active exploitation listing has been identified at time of analysis.

SSRF Openclaw
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy