Skip to main content
Security News Jul 17, 2026 by vuln.today Threat Intelligence

4 New Docker Vulnerabilities - 4 High Severity, 1 With POC

Related CVEs

Other CVEs in Same Group

CVE-2026-62232 CRITICAL 9.1

Two-factor authentication bypass in Grav CMS before 2.0.4 lets an attacker who already knows a victim's password overwrite that user's TOTP secret and log in with full 2FA protection stripped away. During the pending TOTP challenge window the login plugin's regenerate2FASecret task verifies only that the user exists — not that the caller is authorized — and requires no CSRF nonce, so the attacker sets an attacker-chosen secret, computes a valid code, and completes login. VulnCheck-reported and CVSS 4.0 scored 9.1; no public exploit identified at time of analysis.

CVE-2026-62234 HIGH 8.4

Server-side request forgery in Grav CMS before 2.0.4 allows authenticated users holding the api.webhooks.write permission to register webhooks with dangerous cURL protocol handlers (file://, dict://, gopher://) that fire when webhook events trigger. By abusing these unrestricted protocols an attacker can read local files, enumerate process and service information, and pivot to internal-only network services from the trust position of the Grav server. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; risk is driven by the CWE-918 primitive rather than confirmed in-the-wild activity.

CVE-2026-39359 HIGH 7.5

Sensitive file disclosure in the Wazuh Manager (versions 4.0.0-4.10.3 and 4.11.0-4.14.4) allows a malicious enrolling agent to exfiltrate manager secrets by abusing the group parameter during enrollment. The authd enrollment daemon fails to filter path traversal ("..") sequences in the agent-selected group name, so remoted later builds shared-configuration paths that reach /var/ossec/etc and stream files such as client.keys, ossec.conf, and internal certificates to the attacker-controlled agent. There is no public exploit identified at time of analysis, but the network-reachable, unauthenticated CVSS 7.5 profile makes this a meaningful confidentiality risk for exposed manager enrollment services.

CVE-2026-33754 MEDIUM 6.5

Memory exhaustion denial-of-service in Wazuh's cluster protocol parser affects all deployments running versions 3.9.0 through 4.14.4. The cluster service reads an attacker-supplied payload length from an incoming message header and allocates memory of that size before performing any authentication or decryption, enabling unauthenticated adjacent-network attackers to exhaust system memory and crash the cluster service. No public exploit or CISA KEV listing exists at time of analysis; vendor-released patch 4.14.5 is available.

CVE-2026-44251 MEDIUM 6.5

Remote denial-of-service and potential heap corruption in the Wazuh manager's wazuh-remoted daemon allows any enrolled agent to crash the manager's agent-communication process, instantly severing all agent connections across the entire deployment. Affected versions span 3.0.0 through 4.14.4; a secondary code path triggered by the same underflow may permit heap memory write primitives beyond pure DoS. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low exploitation barrier - any enrolled agent suffices - makes it a meaningful insider or supply-chain risk for Wazuh-dependent SOC environments.

CVE-2026-62237 MEDIUM 6.0

ReDoS in Grav CMS's Twig sandbox allows an authenticated page editor to crash the web server process via a catastrophically backtracking PCRE pattern supplied to the `regex_replace` filter. Affected versions are all Grav releases prior to 2.0.4. Exploitation requires a non-default configuration (`security.twig_content.process_enabled: true`) and at least page-editor-level authentication, limiting blast radius to deployments that have deliberately unlocked Twig processing in page content. No public exploit code or CISA KEV listing has been identified at time of analysis.

CVE-2026-33434 MEDIUM 4.3

Rate limit bypass in Wazuh's /events endpoint allows authenticated network users to inject events into analysisd beyond the administrator-configured global rate limit. A logic error in CheckRateLimitsMiddleware.dispatch() causes the endpoint-specific counter (hardcoded at 30 requests/min) to unconditionally overwrite the result of the global rate limit check, meaning the global max_request_per_minute threshold is silently ignored for this endpoint. Versions 4.6.0 through 4.14.4 are affected; no public exploit code has been identified and the issue is not listed in CISA KEV.

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy