Skip to main content

CWE-138

Improper Neutralization of Special Elements

9 CVEs Avg CVSS 6.7 MITRE
0
CRITICAL
6
HIGH
3
MEDIUM
0
LOW
1
POC
0
KEV

Monthly

CVE-2026-26129 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Remote unauthenticated attackers can disclose sensitive information from Microsoft 365 Copilot's Business Chat through improper input neutralization (CVSS 7.5). The vulnerability allows network-based exploitation with low complexity and no user interaction required. Vendor-released patch available via Microsoft Security Response Center (MSRC-2026-26129). No public exploit identified at time of analysis, though the low attack complexity (AC:L) and lack of authentication requirements (PR:N) increase realistic exploitation risk.

Information Disclosure Microsoft 365 Copilot S Business Chat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32178 NuGet HIGH PATCH GHSA Exploit Unlikely This Week

Information disclosure in Microsoft .NET 8.0, 9.0, 10.0, and Visual Studio 2022 allows unauthenticated remote attackers to access sensitive data through improper neutralization of special elements. This spoofing vulnerability (CWE-138) enables attackers to bypass authentication mechanisms and extract high-confidentiality information over the network with low attack complexity. No active exploitation confirmed (not in CISA KEV), but the network-accessible, no-authentication-required attack profile presents immediate risk for internet-facing .NET applications. Vendor patches available for all affected versions.

Authentication Bypass Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +1
NVD VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20009 MEDIUM This Month

Unauthenticated SSH authentication bypass in Cisco Secure Firewall ASA allows remote attackers to log in as arbitrary users by exploiting insufficient input validation during the SSH key authentication phase, requiring only knowledge of a valid username and its associated public key. This vulnerability enables attackers to execute arbitrary commands on affected ASA devices with the privileges of the compromised user account. No patch is currently available.

Cisco Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-48939 npm MEDIUM POC PATCH This Month

A security vulnerability in tarteaucitron.js (CVSS 4.2). Risk factors: public PoC available. Vendor patch is available.

Code Injection Tarteaucitronjs
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2024-51500 HIGH PATCH This Week

Meshtastic firmware is a device firmware for the Meshtastic project. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Meshtastic Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-38133 HIGH PATCH This Week

Windows Kernel Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Information Disclosure Microsoft Windows 10 1809 Windows 10 21h2 Windows 10 22h2 +7
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2023-22288 MEDIUM This Month

HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Checkmk
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-2429 HIGH This Week

The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress Ultimate Sms Notifications For Woocommerce
NVD
CVSS 3.1
8.0
EPSS
0.7%
CVE-2022-0024 HIGH This Week

A vulnerability exists in Palo Alto Networks PAN-OS software that enables an authenticated network-based PAN-OS administrator to upload a specifically created configuration that disrupts system. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Paloalto Pan Os
NVD
CVSS 3.1
7.2
EPSS
1.5%
EPSS 0% CVSS 7.5
HIGH PATCH NO ACTION HOSTED Monitor

Remote unauthenticated attackers can disclose sensitive information from Microsoft 365 Copilot's Business Chat through improper input neutralization (CVSS 7.5). The vulnerability allows network-based exploitation with low complexity and no user interaction required. Vendor-released patch available via Microsoft Security Response Center (MSRC-2026-26129). No public exploit identified at time of analysis, though the low attack complexity (AC:L) and lack of authentication requirements (PR:N) increase realistic exploitation risk.

Information Disclosure Microsoft 365 Copilot S Business Chat
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Information disclosure in Microsoft .NET 8.0, 9.0, 10.0, and Visual Studio 2022 allows unauthenticated remote attackers to access sensitive data through improper neutralization of special elements. This spoofing vulnerability (CWE-138) enables attackers to bypass authentication mechanisms and extract high-confidentiality information over the network with low attack complexity. No active exploitation confirmed (not in CISA KEV), but the network-accessible, no-authentication-required attack profile presents immediate risk for internet-facing .NET applications. Vendor patches available for all affected versions.

Authentication Bypass Net 10 0 Net 8 0 +3
NVD VulDB HeroDevs
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated SSH authentication bypass in Cisco Secure Firewall ASA allows remote attackers to log in as arbitrary users by exploiting insufficient input validation during the SSH key authentication phase, requiring only knowledge of a valid username and its associated public key. This vulnerability enables attackers to execute arbitrary commands on affected ASA devices with the privileges of the compromised user account. No patch is currently available.

Cisco Information Disclosure
NVD
EPSS 0% CVSS 4.2
MEDIUM POC PATCH This Month

A security vulnerability in tarteaucitron.js (CVSS 4.2). Risk factors: public PoC available. Vendor patch is available.

Code Injection Tarteaucitronjs
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Meshtastic firmware is a device firmware for the Meshtastic project. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Meshtastic Firmware
NVD GitHub
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Windows Kernel Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Information Disclosure Microsoft Windows 10 1809 +9
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Checkmk
NVD
EPSS 1% CVSS 8.0
HIGH This Week

The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress Ultimate Sms Notifications For Woocommerce
NVD
EPSS 1% CVSS 7.2
HIGH This Week

A vulnerability exists in Palo Alto Networks PAN-OS software that enables an authenticated network-based PAN-OS administrator to upload a specifically created configuration that disrupts system. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Paloalto Pan Os
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy