Monthly
Remote unauthenticated attackers can disclose sensitive information from Microsoft 365 Copilot's Business Chat through improper input neutralization (CVSS 7.5). The vulnerability allows network-based exploitation with low complexity and no user interaction required. Vendor-released patch available via Microsoft Security Response Center (MSRC-2026-26129). No public exploit identified at time of analysis, though the low attack complexity (AC:L) and lack of authentication requirements (PR:N) increase realistic exploitation risk.
Information disclosure in Microsoft .NET 8.0, 9.0, 10.0, and Visual Studio 2022 allows unauthenticated remote attackers to access sensitive data through improper neutralization of special elements. This spoofing vulnerability (CWE-138) enables attackers to bypass authentication mechanisms and extract high-confidentiality information over the network with low attack complexity. No active exploitation confirmed (not in CISA KEV), but the network-accessible, no-authentication-required attack profile presents immediate risk for internet-facing .NET applications. Vendor patches available for all affected versions.
Unauthenticated SSH authentication bypass in Cisco Secure Firewall ASA allows remote attackers to log in as arbitrary users by exploiting insufficient input validation during the SSH key authentication phase, requiring only knowledge of a valid username and its associated public key. This vulnerability enables attackers to execute arbitrary commands on affected ASA devices with the privileges of the compromised user account. No patch is currently available.
A security vulnerability in tarteaucitron.js (CVSS 4.2). Risk factors: public PoC available. Vendor patch is available.
Meshtastic firmware is a device firmware for the Meshtastic project. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Windows Kernel Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability exists in Palo Alto Networks PAN-OS software that enables an authenticated network-based PAN-OS administrator to upload a specifically created configuration that disrupts system. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Remote unauthenticated attackers can disclose sensitive information from Microsoft 365 Copilot's Business Chat through improper input neutralization (CVSS 7.5). The vulnerability allows network-based exploitation with low complexity and no user interaction required. Vendor-released patch available via Microsoft Security Response Center (MSRC-2026-26129). No public exploit identified at time of analysis, though the low attack complexity (AC:L) and lack of authentication requirements (PR:N) increase realistic exploitation risk.
Information disclosure in Microsoft .NET 8.0, 9.0, 10.0, and Visual Studio 2022 allows unauthenticated remote attackers to access sensitive data through improper neutralization of special elements. This spoofing vulnerability (CWE-138) enables attackers to bypass authentication mechanisms and extract high-confidentiality information over the network with low attack complexity. No active exploitation confirmed (not in CISA KEV), but the network-accessible, no-authentication-required attack profile presents immediate risk for internet-facing .NET applications. Vendor patches available for all affected versions.
Unauthenticated SSH authentication bypass in Cisco Secure Firewall ASA allows remote attackers to log in as arbitrary users by exploiting insufficient input validation during the SSH key authentication phase, requiring only knowledge of a valid username and its associated public key. This vulnerability enables attackers to execute arbitrary commands on affected ASA devices with the privileges of the compromised user account. No patch is currently available.
A security vulnerability in tarteaucitron.js (CVSS 4.2). Risk factors: public PoC available. Vendor patch is available.
Meshtastic firmware is a device firmware for the Meshtastic project. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Windows Kernel Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability exists in Palo Alto Networks PAN-OS software that enables an authenticated network-based PAN-OS administrator to upload a specifically created configuration that disrupts system. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.