Skip to main content

Information Disclosure

66650 CVEs technique

Monthly

CVE-2026-57352 MEDIUM This Month

Broken authentication in VillaTheme's ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce (all versions up to and including 2.2.0) permits remote unauthenticated attackers to bypass authentication controls under high-complexity conditions, yielding limited read and write access to protected plugin functionality. Assigned CVSS 3.1 score of 4.8 with AV:N/AC:H/PR:N, the high attack complexity signals that exploitation requires specific preconditions rather than a trivial request. No public exploit code or active exploitation has been identified at time of analysis, and CISA KEV listing is absent.

WordPress Information Disclosure Ald Dropshipping And Fulfillment For Aliexpress And Woocommerce
NVD
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-57347 MEDIUM This Month

Sensitive subscriber data exposure in the Hotel Booking Lite WordPress plugin (versions 6.0.3 and earlier) allows authenticated low-privileged users to access confidential booking or guest information they should not be authorized to view. The vulnerability, classified under CWE-201, involves the plugin including sensitive data in API responses or rendered output accessible to subscriber-level WordPress accounts. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact and low barrier to exploitation (only a subscriber account required) make patching a priority for any hospitality operator running this plugin.

Information Disclosure Hotel Booking Lite
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-42382 HIGH This Week

Unauthenticated Local File Inclusion in the Audrey WordPress theme (elated-themes) affects all versions up to and including 1.5, letting remote attackers coerce the PHP application into including arbitrary files. Because CWE-98 covers PHP file-inclusion flaws, a successful include can leak sensitive files (wp-config.php, credentials) and, where remote or attacker-controlled content is includable, escalate to code execution. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, though the network-reachable, unauthenticated nature (CVSS 8.1) makes it a meaningful patching priority for sites running this theme.

LFI Information Disclosure PHP Audrey
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-27412 HIGH This Week

Local File Inclusion in the Pearl - Corporate Business WordPress theme (StyleMixThemes) versions 3.4.10 and earlier lets unauthenticated remote attackers coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and credentials. Rated CVSS 8.1 by Patchstack, the flaw requires no authentication (PR:N) but carries high attack complexity (AC:H), and depending on include handling could escalate from information disclosure toward code execution. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied in the source data.

LFI Information Disclosure PHP Pearl Corporate Business
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69133 HIGH This Week

Local File Inclusion in the GoodLayers Tourmaster WordPress plugin (versions <= 5.4.5) allows low-privileged authenticated users at the Subscriber level to include and read arbitrary local files from the server, exposing sensitive data such as configuration files and credentials. Reported through Patchstack and mapped to CWE-98, the flaw carries a CVSS 7.5 (High) score with high attack complexity; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.

LFI Information Disclosure PHP Tourmaster
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-69132 MEDIUM This Month

Sensitive data exposure in the Corpkit WordPress theme (versions <= 1.0.5) allows an authenticated subscriber-level user to retrieve confidential information that should be inaccessible to that role. The CVSS vector (PR:L, C:H) confirms that any low-privileged account holder - the default registered-user role in WordPress - can trigger the disclosure over the network with no additional interaction required. No public exploit code or active exploitation has been identified at time of analysis, but the low barrier of entry (subscriber registration is often open on WordPress sites) elevates real-world risk.

Information Disclosure Corpkit
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-58902 HIGH This Week

Unauthenticated Local File Inclusion in the AncoraThemes 'Lighthouse' WordPress theme (versions 1.2.12 and earlier, classified under CWE-98) lets remote attackers with no credentials coerce the theme's PHP include/require logic into loading attacker-influenced file paths. Because CWE-98 covers PHP remote/local file inclusion, a successful attack can disclose sensitive server files (wp-config.php, credentials) and, depending on server configuration, escalate to code execution, which is why NVD scores full C/I/A impact. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

LFI Information Disclosure PHP Lighthouse
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-12996 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-12932 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-13117 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-11771 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-13698 MEDIUM PATCH This Month

Memory leak in OpenVPN (pre-2.7.5) allows network-accessible unauthenticated attackers to exhaust server memory, resulting in high availability impact and denial of service. The flaw, classified CWE-401, requires specific attack prerequisites (CVSS 4.0 AT:P) and passive client interaction (UI:P), meaning it is not trivially exploitable against all default deployments. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis; vendor patch v2.7.5 is available.

Microsoft Information Disclosure Openvpn Red Hat Suse
NVD GitHub
CVSS 4.0
6.0
EPSS
0.5%
CVE-2026-13379 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-13122 MEDIUM PATCH This Month

Denial-of-service in OpenVPN via a reachable assertion (CWE-617) allows a remote, low-privileged attacker to crash the OpenVPN daemon under high-complexity, timing-specific conditions. All OpenVPN deployments running versions prior to v2.7.5 are affected; the fix is available in the v2.7.5 release disclosed pre-NVD via GitHub. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 5.9 (Medium) reflects the constrained exploitation path, though VPN service disruption carries meaningful operational impact for affected operators.

Microsoft Information Disclosure Openvpn Red Hat Suse
NVD GitHub
CVSS 4.0
5.9
EPSS
0.5%
CVE-2026-54431 MEDIUM PATCH This Month

DPoP (Demonstrating Proof-of-Possession) proof verification in OpenIDC's liboauth2 C library incorrectly accepts malformed proofs that embed private Elliptic Curve (EC) key material in the JWK header, directly violating RFC 9449 §4.3 step 7. The `oauth2_token_verify()` function returns success instead of rejecting such proofs, subverting DPoP's core token-binding security guarantee and enabling information disclosure of private key material. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and a patch is available in liboauth2 2.3.0.

Information Disclosure Liboauth2
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-8482 MEDIUM This Month

Secret credential leakage in StormShield Network Security's CLI tool exposes the proxy CA passphrase or TPM password to other users sharing an SSH session on the firewall appliance. Affected versions span three distinct branches - 4.3.0-4.3.41, 4.8.0-4.8.15, and 5.0.0-5.0.5 - and exploitation is gated behind SSH multiuser mode being explicitly enabled. No active exploitation has been confirmed by CISA KEV and no public proof-of-concept has been identified at time of analysis, though the leaked secrets carry high downstream value for privilege escalation or certificate authority abuse.

Information Disclosure Stormshield Network Security
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12122 MEDIUM This Month

Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.

Authentication Bypass WordPress Information Disclosure Kirki Freeform Page Builder Website Builder Customizer
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-8147 HIGH PATCH This Week

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to experiments they are not authorized to access, defeating experiment-level authorization when authentication is enabled. The flaw stems from the trace API endpoints being omitted from the `_before_request` authorization handler, so requests reach these endpoints without any validator running. No public exploit has been identified at time of analysis, though a fix commit and huntr bounty report are public.

Authentication Bypass Information Disclosure Mlflow Mlflow
NVD GitHub
CVSS 3.0
8.1
EPSS
0.3%
CVE-2026-11965 MEDIUM PATCH This Month

Payment enforcement bypass in the User Registration & Membership WordPress plugin before 5.2.0 allows any visitor to self-register a free account and then activate a paid membership subscription without completing payment, gaining unauthorized access to gated premium content. The flaw is a business logic failure: the plugin activates the paid plan upon subscription initiation rather than upon confirmed payment receipt. No public exploit or CISA KEV listing exists at time of analysis, but exploitation is trivially low-effort given the plugin's open registration model and the CVSS vector of AV:N/AC:L/PR:N/UI:N.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-11781 LOW PATCH Monitor

Broken access control in the Adminify WordPress plugin before 4.2.10 allows authenticated Contributor-level users to enumerate sensitive site data through an administration search feature that omits per-user read-capability checks. Affected data includes other authors' unpublished post titles, pending comment content, installed plugin inventory, and registered user account names - all information WordPress's native capability model would otherwise restrict. No public exploit has been identified at time of analysis, and a vendor-released patch is available at version 4.2.10.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
2.7
EPSS
0.1%
CVE-2026-11578 LOW PATCH Monitor

Broken access control in Fluent Forms WordPress plugin before 6.2.5 allows a restricted Manager role to permanently delete form submission entries belonging to forms outside their authorized scope. The flaw stems from missing authorization checks on the deletion endpoint, which fails to verify that the target submission belongs to a form the Manager is permitted to administer. This affects only installations where an administrator has explicitly created a restricted Manager account tied to specific forms - no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
2.7
EPSS
0.1%
CVE-2026-57271 HIGH This Week

Out-of-bounds array indexing in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) allows a remote attacker to leak memory or crash the local WebSocket service by delivering a malformed 'pause' command. The addon runs a WebSocket server that backs the browser interfaces of GeoVision products such as GV-VMS and GV-Cloud, so any browser tricked into connecting to it can trigger the flaw. No public exploit identified at time of analysis; the issue was reported by the vendor (GeoVision) and documented by Cisco Talos (TALOS-2026-2373).

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57270 HIGH This Week

Out-of-bounds array access in GeoVision GeoWebPlayer (a.k.a. "Web Plugin"/"WS Player"), a websocket-server addon bundled with GV-VMS, GV-Cloud and related GeoVision software, lets an attacker who lures a victim to a malicious web page reach the localhost websocket and supply an unvalidated `index` to leak memory and corrupt state (CWE-129). The play command in particular accepts an attacker-controlled index used to index internal arrays without a range check, enabling information disclosure and potential code-path corruption. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor has published a security advisory and Talos has released a detailed report.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57269 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (a.k.a. 'Web Plugin' / 'WS Player') addon lets an attacker read memory, corrupt state, or crash the local WebSocket helper bundled with GV-VMS, GV-Cloud, and related surveillance software. The plugin's localhost WebSocket server processes commands (such as 'disconnect') that carry an attacker-controlled 'index' used to dereference internal arrays without bounds checking (CWE-129), yielding high confidentiality, integrity, and availability impact. The CVSS 3.1 vector (AV:N/UI:R/S:C) reflects a cross-origin browser-driven vector where a victim lured to a malicious page has their browser relay commands to the local WebSocket; there is no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57267 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (the 'Web Plugin'/'WS Player' addon bundled with GV-VMS, GV-Cloud and related software) lets an attacker abuse the local WebSocket server's snapshot command by supplying an unchecked 'index' value that indexes arrays beyond their bounds. Because the CVSS vector is AV:N/UI:R with a scope change, a victim who visits a malicious web page can have their browser drive the localhost WebSocket into out-of-bounds reads/writes, yielding information disclosure and potential memory corruption (C:H/I:H/A:H). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57266 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' for VMS-Cloud) lets an attacker corrupt memory or leak sensitive data by sending a 2wayAudio WebSocket command with an unchecked index value. The addon runs a localhost WebSocket server that expands GeoVision web interfaces, and its command handlers use caller-supplied index values to index internal arrays without validating their range. Reported by GeoVision and Talos (TALOS-2026-2373); no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57265 HIGH This Week

Memory-disclosure and denial-of-service in GeoVision's GeoWebPlayer (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) stems from an unvalidated `index` parameter in its localhost WebSocket command handler (audio command path), letting an attacker read and act on out-of-bounds array elements. Because the WebSocket listener is reachable cross-origin, a victim who is lured to a malicious web page can have their browser drive the local service, so the effective attack vector is network-based despite the server binding to localhost. No public exploit code is identified at time of analysis, though a Cisco Talos advisory (TALOS-2026-2373) documents the flaw; it is not listed in CISA KEV.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57264 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets an attacker corrupt or read process memory by sending crafted WebSocket commands to the localhost server the addon exposes. The specific 'setPIP' command accepts an attacker-controlled 'index' that is used to index internal arrays without range validation, yielding information disclosure and potential memory corruption. There is no public exploit identified at time of analysis, though a Cisco Talos technical report (TALOS-2026-2373) documents the flaw; it is not listed in CISA KEV and no EPSS score is provided.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13132 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets an attacker abuse the addon's localhost WebSocket server via a crafted 'setStream' command whose attacker-controlled 'index' is used to index arrays without range validation (CWE-129), enabling memory disclosure and possible corruption. Because a victim's browser can be steered into connecting to the local WebSocket service, the vendor rates this AV:N/UI:R (CVSS 8.3) - a remote web page can pivot to the local service after the user visits it. No public exploit is identified at time of analysis and it is not in CISA KEV, so this is not confirmed as actively exploited.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13131 HIGH This Week

Out-of-bounds array access in GeoVision GeoWebPlayer (the "Web Plugin"/"WS Player" addon bundled with GV-VMS, GV-Cloud and related software) lets a remote attacker corrupt memory via the local WebSocket server's connectInfo command. Because the server trusts an attacker-supplied index without range validation, a victim lured to a malicious web page can trigger high-impact confidentiality, integrity and availability effects (CVSS 8.3, scope-changed). No public exploit identified at time of analysis; the flaw was reported by the vendor (GV) and documented by Cisco Talos.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-55792 PHP MEDIUM POC PATCH GHSA This Month

Server-side file exfiltration in Craft CMS versions 4.0.0-RC1 through 4.17.x and 5.0.0-RC1 through 5.9.x allows any control panel user granted the utility:system-messages permission to embed a dataUrl() Twig payload into system email templates, causing the server to read and base64-encode arbitrary files - including the .env file - into outbound email bodies. Exfiltration of CRAFT_SECURITY_KEY from the .env file enables an attacker to forge valid session tokens and escalate to full administrator account takeover, chaining a confidentiality breach into complete privilege escalation. No public exploit has been identified at time of analysis; patches are available in 4.18.0 and 5.10.0.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-47714 MEDIUM PATCH This Month

CVE-2026-47714 is a vulnerability reported by Ubuntu with no public description, CVSS score, CWE classification, or technical details available at time of analysis. The affected product, vulnerability class, and impact cannot be determined from the available intelligence. No exploitation status, patch availability, or affected version range has been confirmed.

Information Disclosure
NVD
CVE-2026-47247 MEDIUM This Month

CVE-2026-47247 has been reported by Ubuntu but carries no public description, CVSS score, CWE classification, or technical details at time of analysis. The affected product, vulnerability class, and impact are entirely unknown. No meaningful synthesis is possible from available data - this CVE should be treated as a placeholder or pre-disclosure record pending vendor publication.

Information Disclosure
NVD
CVE-2026-47254 MEDIUM PATCH This Month

Insufficient data to analyze. CVE-2026-47254 is reported by Ubuntu but no description, CVSS score, vector, or CWE information is available. Cannot determine attack vector, affected product, version, or real-world impact without vulnerability details.

Information Disclosure
NVD
CVE-2026-48029 MEDIUM PATCH This Month

Insufficient data to produce analysis. CVE-2026-48029 description is marked as unknown; no CVSS, CWE, EPSS, KEV status, or technical details provided. Only source is vendor:ubuntu attribution.

Information Disclosure
NVD
CVE-2026-47709 MEDIUM PATCH This Month

Insufficient intelligence to synthesize. CVE-2026-47709 description is marked unknown, CVSS vector is not available, CWE is not available, and no product name or affected versions are specified - only that Ubuntu reported it. Comprehensive vulnerability analysis requires description, CVSS vector, affected product details, and remediation data.

Information Disclosure
NVD
CVE-2026-47251 MEDIUM This Month

Insufficient data exists to characterize this vulnerability. CVE-2026-47251 was reported by Ubuntu but carries no description, CVSS score, CVSS vector, CWE classification, or reference links at the time of this analysis. No impact, affected product, or exploitation mechanism can be determined from the available intelligence. Security teams should treat this as unresolved pending vendor disclosure.

Information Disclosure
NVD
CVE-2026-38971 CRITICAL Act Now

Out-of-bounds read in ArduPilot's MAVLink ground-control-station handler (through Plane-4.6.3) lets a remote attacker on the MAVLink link send a crafted SERIAL_CONTROL message that reads memory beyond intended bounds in GCS_MAVLINK::handle_serial_control(), potentially disclosing adjacent flight-controller memory and/or crashing the autopilot. The CVSS 9.1 rating reflects high confidentiality and availability impact over an unauthenticated network vector, though EPSS is low (0.17%, 6th percentile) and no public exploit is identified at time of analysis. An upstream fix is proposed via GitHub PR #32587 (issue #32524), but no tagged patched release is independently confirmed.

Buffer Overflow Information Disclosure N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-38968 CRITICAL NEWS Act Now

Session hijacking in ntopng versions through 6.6 arises because HTTP session identifiers are generated with weak, time-seeded pseudo-randomness in src/HTTPserver.cpp, making freshly issued authenticated session cookies predictable or collision-prone. Remote attackers who can influence or observe login timing can forecast a valid session token and take over an authenticated user's session without credentials. No public exploit identified at time of analysis, and EPSS is low (0.15%, 5th percentile) despite the 9.8 CVSS rating.

Information Disclosure N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14440 HIGH This Week

TLS certificate misissuance affecting Cloudflare Universal SSL zones lets an attacker who controls an ACME account at a CA in the auto-managed CAA RRset obtain a browser-trusted certificate for a victim domain, because Cloudflare's authoritative DNS serves a permissive auto-managed CAA RRset that supersedes customer-set records and drops RFC 8657 accounturi/validationmethods bindings. The result is a bypass of account-binding and validation-method-binding protections end-to-end, enabling MITM against the affected domain. Reported by Cloudflare (researcher David Osipov) with no public exploit identified at time of analysis; CVSS 4.0 base score is 7.6 with high attack complexity and a present attack requirement.

Information Disclosure Universal Ssl
NVD
CVSS 4.0
7.6
EPSS
0.1%
CVE-2026-14399 MEDIUM PATCH This Month

Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14408 MEDIUM PATCH This Month

Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14421 MEDIUM PATCH This Month

Uninitialized memory use in Dawn, Chrome's WebGPU implementation, on ChromeOS prior to version 150.0.7871.46 enables remote attackers to read potentially sensitive contents from GPU process memory by serving a crafted HTML page. The flaw (CWE-457) allows stale or uninitialized buffer data to be exposed back to the requesting JavaScript context without proper sanitization. No public exploit has been identified at time of analysis, and CISA SSVC rates this as non-automatable with partial technical impact, though the CVSS confidentiality rating is High.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14413 HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is an uninitialized-memory use (CWE-457) in ANGLE, reported by Google's own Chrome team and fixed in the June 2026 Stable channel update. No public exploit is identified at time of analysis, and CISA's SSVC framework records exploitation status as none, but the total technical impact and sandbox-escape nature make it a high-priority browser patch.

Information Disclosure Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-14418 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics subsystem (all versions prior to 150.0.7871.46) enables remote attackers to read sensitive data from other browser origins by luring a victim to a crafted HTML page. The flaw stems from uninitialized memory use in ANGLE, Chrome's GPU abstraction layer, which may expose stale cross-origin pixel buffers or texture memory to attacker-controlled JavaScript. No public exploit has been identified and CISA's SSVC framework rates exploitation as none with a non-automatable attack path, indicating limited immediate real-world threat despite the network-accessible vector.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14402 MEDIUM PATCH This Month

Uninitialized Use in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14423 CRITICAL PATCH Act Now

Sandbox escape via type confusion in Tint, the WGSL shader compiler within Chrome's Dawn/WebGPU stack, affects Google Chrome desktop versions prior to 150.0.7871.46. A remote attacker who lures a victim to a crafted HTML page can trigger the flaw (CWE-843) to potentially break out of the renderer/GPU sandbox and gain broader access on the host. Rated High by Chromium with a CVSS 9.6 (scope-changed), though there is no public exploit identified at time of analysis and CISA SSVC currently records exploitation status as 'none'.

Memory Corruption Information Disclosure Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14406 MEDIUM PATCH This Month

Out of bounds read in V8 in Google Chrome prior to 150.0.7871.46 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Medium)

Google Buffer Overflow Information Disclosure Suse
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-14416 CRITICAL PATCH Act Now

Out-of-bounds read in the Dawn WebGPU implementation of Google Chrome before 150.0.7871.46 lets a remote attacker who lures a victim to a crafted HTML page potentially escape the renderer sandbox and disclose out-of-bounds memory. The upstream Chromium team rated the security severity as Low, yet the associated CVSS 3.1 base score is 9.6 due to a scope change and high triad impact. There is no public exploit identified at time of analysis, and the CISA SSVC decision framework records exploitation as none and automatable as no.

Google Buffer Overflow Information Disclosure Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14388 MEDIUM PATCH This Month

Out of bounds read in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Google Buffer Overflow Information Disclosure Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14386 MEDIUM PATCH This Month

Out-of-bounds read in ANGLE (Chrome's cross-platform graphics abstraction layer) prior to version 150.0.7871.46 allows a remote attacker to extract potentially sensitive data from the browser's process memory by directing a victim to a crafted HTML page. The CVSS vector confirms network delivery with no authentication required but mandates user interaction, and the High confidentiality impact (C:H) indicates that in-memory data such as session tokens, cached credentials, or page content could be exposed. SSVC assessment records no active exploitation and the flaw is absent from the CISA KEV catalog; a vendor patch has been released and no public exploit code has been identified at time of analysis.

Google Buffer Overflow Information Disclosure Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14396 MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's ANGLE graphics layer exposes sensitive browser memory contents to remote attackers who can induce a victim to visit a crafted HTML page. The out-of-bounds read in ANGLE (Chrome's cross-platform graphics abstraction engine) affects all Chrome desktop versions prior to 150.0.7871.46, confirmed by Google's stable channel advisory. No public exploit code or active exploitation has been identified at time of analysis; an EPSS of 0.17% (7th percentile) reflects minimal current weaponization pressure despite the high confidentiality impact assigned in CVSS.

Google Buffer Overflow Information Disclosure Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14384 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome on Windows prior to 150.0.7871.46 stems from an out-of-bounds read in ANGLE, the browser's graphics abstraction layer. Remote attackers can exploit this by serving a crafted HTML page to a Windows user, causing the ANGLE subsystem to read memory beyond its intended buffer boundary and exposing data belonging to a separate web origin. No public exploit code has been identified at time of analysis, and the EPSS score of 0.18% (8th percentile) indicates low exploitation probability in the near term.

Google Microsoft Buffer Overflow Information Disclosure Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14422 HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's Tint component (the WGSL shader translator inside the Dawn/WebGPU stack) affects all desktop builds prior to 150.0.7871.46 and lets a remote attacker corrupt memory when a victim opens a crafted HTML page. Chromium rates the severity High and the CVSS 3.1 score is 8.8, driven by high confidentiality, integrity, and availability impact requiring only that the user visit a malicious page. No public exploit identified at time of analysis, and the low EPSS score (0.19%, 9th percentile) indicates exploitation is not currently widespread.

Google Buffer Overflow Information Disclosure Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14420 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Dawn WebGPU implementation prior to 150.0.7871.46 lets a remote attacker use a crafted HTML page to trigger an out-of-bounds read and write, potentially breaking out of the renderer sandbox. Rated Critical by Chromium with a CVSS of 9.6 (scope-changed), it requires the victim to visit a malicious page but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Google Buffer Overflow Information Disclosure Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14391 MEDIUM PATCH This Month

Integer overflow in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-14429 HIGH PATCH This Week

Sandbox escape in Google Chrome (Skia graphics library) prior to 150.0.7871.46 allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page, elevating a contained renderer compromise into a full-privilege breakout on the host. Rated High severity by Chromium, it carries a CVSS 3.1 score of 8.3 (scope-changed) with no public exploit identified at time of analysis and CISA SSVC recording exploitation status as none. It is a second-stage vulnerability that must be chained with a prior renderer exploit, so it is not directly exploitable against a fresh browser.

Information Disclosure Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-14414 MEDIUM PATCH This Month

Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-14428 HIGH PATCH This Week

Sandbox escape in Google Chrome on Android (versions prior to 150.0.7871.46) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page that abuses insufficient input validation in the Dawn WebGPU component. Google rates the Chromium severity as High, and the flaw carries a CVSS 8.3 with a scope-changing impact. There is no public exploit identified at time of analysis, and CISA SSVC records exploitation status as none.

Information Disclosure Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-14412 HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by luring a victim to a crafted HTML page. This is a second-stage bug that chains with a prior renderer-level exploit rather than a standalone entry point; Chromium rates it High severity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with SSVC recording exploitation status as none.

Information Disclosure Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-14411 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics component before 150.0.7871.46 lets a remote attacker break out of the renderer sandbox when a victim loads a malicious web page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE and carries a CVSS 9.6 due to scope change and full CIA impact, though exploitation requires the user to visit attacker-controlled content. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with SSVC exploitation status assessed as none.

Information Disclosure Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14382 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker break out of the renderer sandbox when a victim visits a crafted HTML page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE and carries a critical 9.6 CVSS score due to the scope-changing sandbox escape. Google has shipped a fix and rates the Chromium severity as High; there is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14401 HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics component on Android (versions prior to 150.0.7871.46) allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Rated High by Chromium and CVSS 8.3, the flaw stems from improper validation of untrusted input in ANGLE and requires renderer compromise plus user interaction as prerequisites. There is no public exploit identified at time of analysis, and CISA SSVC lists exploitation status as none.

Information Disclosure Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-14381 MEDIUM PATCH This Month

UI spoofing in Google Chrome's WebAppInstalls component (versions prior to 150.0.7871.46) enables remote attackers to misrepresent security indicators during Progressive Web App installation prompts via a crafted HTML page. The incorrect security UI (CWE-451) can deceive users into believing they are installing a legitimate, trusted application when they are not, resulting in a low-integrity impact. EPSS is 0.18% (8th percentile), no public exploit code exists, and this vulnerability has not been added to CISA KEV, indicating minimal active exploitation risk at time of analysis.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14410 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.46) allows a remote attacker who has already compromised the renderer process to mislead users through a crafted HTML page. The attack requires renderer process compromise as a prerequisite, making this a chained exploit component rather than a standalone threat. EPSS at 0.18% (8th percentile) and absence from CISA KEV confirm no known active exploitation; Chromium's own team rated this Low severity.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14404 MEDIUM PATCH This Month

UI spoofing via a crafted PDF file in Google Chrome's PDFium rendering engine allows a remote, unauthenticated attacker to visually mislead users into performing unintended actions or trusting falsified content. All Chrome versions prior to 150.0.7871.46 are affected. Exploitation requires the victim to open a malicious PDF - no special configuration is needed beyond default Chrome behavior. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-50139 Go MEDIUM PATCH GHSA This Month

Download-limit enforcement in goshs (Go Simple HTTP Server) v2.0.9 and earlier can be bypassed by racing concurrent HTTP requests against a limited-use share token, allowing a single token to be redeemed more times than the operator configured. The TOCTOU flaw in `ShareHandler` means every concurrent goroutine observes the same pre-increment `Downloaded` counter, each passes the limit check, and each is served the file - completely defeating one-shot or low-count share-link controls. A working proof-of-concept is publicly documented in the GitHub security advisory (GHSA-j48m-h7xq-2xpj) with 5/5 consistent reproductions; no active exploitation is confirmed in CISA KEV.

Race Condition Information Disclosure
NVD GitHub
CVSS 3.1
5.9
CVE-2026-54704 MEDIUM PATCH This Month

OpenTelemetry Java Instrumentation prior to 2.28.0 leaks clear-text database passwords into distributed trace span attributes when JDBC auto-instrumentation encounters double-quoted passwords in SQL CONNECT statements, bypassing the sanitization logic. These poisoned spans are then exported to any configured observability backend - Jaeger, Zipkin, OTLP collectors, or third-party SaaS monitoring - making database credentials visible to all parties with telemetry read access. No public exploit or confirmed active exploitation exists at time of analysis, but the impact of credential exposure is high given downstream database access risk.

Java Information Disclosure Opentelemetry Java Instrumentation
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54262 PyPI MEDIUM PATCH This Month

Authorization bypass in Wagtail CMS allows authenticated low-privilege users to create translations for pages beyond their permitted scope. Versions prior to 7.0.8, 7.3.3, and 7.4.2 fail to enforce page-level permission checks when a user submits a translation request, exposing content of restricted pages to anyone holding the 'Can submit translation' permission. No public exploit code or active exploitation (CISA KEV) has been identified, but the low attack complexity and network-accessible vector make this straightforward to abuse for information disclosure.

Python Information Disclosure Wagtail
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-54261 PyPI MEDIUM PATCH This Month

Missing authorization on the image preview endpoint in Wagtail CMS allows any authenticated admin-panel user to render previews of images they do not have permission to access. Affected across three maintained release branches - all Wagtail versions prior to 7.0.8, 7.3.3, and 7.4.2. No public exploit has been identified at time of analysis, and exploitation is strictly bounded to users holding valid Wagtail admin credentials, making this a privileged-insider or compromised-account risk rather than an external threat.

Python Information Disclosure Wagtail
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54259 PyPI MEDIUM PATCH This Month

Wagtail's Documents and Images chooser endpoint leaks asset metadata - including filenames, display names, and URLs - to authenticated admin users who have been explicitly denied collection-level choose permissions. Versions prior to 7.0.8, 7.3.3, and 7.4.2 are affected across the 7.0, 7.3, and 7.4 release branches. An attacker with a valid Wagtail admin account can enumerate restricted media assets across collections beyond their authorized scope, bypassing the collection permission model. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Python Information Disclosure Wagtail
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44938 Go HIGH PATCH GHSA This Week

Privilege-escalation via admission-control bypass in Rancher Fleet allows an attacker with git push access to a Fleet-monitored repository to overwrite Pod Security Standards (PSS) enforcement labels on target namespaces. Because Fleet's agent-side deployer failed to filter security-sensitive keys (notably the `pod-security.kubernetes.io/` prefix) from `namespaceLabels` in `fleet.yaml` or `BundleDeployment.spec.options.namespaceLabels`, an attacker can downgrade namespace admission enforcement and deploy privileged or otherwise restricted workloads that PSS would normally block. No public exploit identified at time of analysis; the flaw was privately reported through responsible disclosure by a NATO NCSC researcher and is not listed in CISA KEV.

Kubernetes Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-49457 CRITICAL GHSA Act Now

Server impersonation in erlang_quic (Benoît Chesneau's Erlang QUIC/HTTP/3 library) before 1.4.4 arises because the QUIC client performed no server authentication during the TLS 1.3 handshake - the CertificateVerify signature, certificate chain, and hostname were all left unchecked, making the `verify` option a no-op. An on-path attacker can present any certificate to impersonate any server and transparently read or modify traffic, breaking both confidentiality and integrity (CVSS 9.1). No public exploit has been identified at time of analysis, and PSK-based session resumption handshakes are unaffected because the peer is authenticated by the PSK binder.

Information Disclosure
NVD GitHub
CVSS 3.1
9.1
CVE-2026-54756 MEDIUM PATCH This Month

Prototype Pollution in Jodit Editor (versions prior to 4.12.18) allows network-reachable attackers to mutate Object.prototype by supplying crafted configuration payloads to Jodit.configure(), exploiting unfiltered merging in the internal ConfigMerge and ConfigProto helpers. Specifically, keys such as __proto__ or constructor nested inside legitimate option namespaces like controls can propagate to the global JavaScript prototype chain, corrupting runtime behavior for all JavaScript executing in the same environment. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; however, exploitation is contingent on the host application forwarding user-controlled input into Jodit.configure(), a pattern common in configurable WYSIWYG deployments.

Information Disclosure Prototype Pollution Jodit
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-54786 Cargo LOW PATCH Monitor

Resource exhaustion in Wasmtime's native WASIp1 implementation allows low-privileged WebAssembly guests to exhaust host-level file descriptors and OS resources by repeatedly invoking fd_renumber in a loop. The affected versions span four distinct release branches - all pre-24.0.10, 25.x-35.x, 37.x-44.x, and 45.0.0-45.0.1 - but only runtimes that both expose fd_renumber and grant guests the ability to open files are vulnerable. No public exploit code exists and the issue is not listed in CISA KEV; however, the attack is mechanically straightforward once the conditions are met, making patching the primary defense.

Information Disclosure Wasmtime
NVD GitHub
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-48816 npm MEDIUM POC PATCH GHSA This Month

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity window checks by controlling the `integratedTime` field in an inclusionProof-only tlog entry. Because the inclusionProof-only code path in `@sigstore/verify` does not cryptographically bind `integratedTime` (unlike the signed inclusionPromise/set path), a low-privileged attacker who can present an untrusted bundle can cause the verifier to accept expired or not-yet-valid signing certificates as currently valid. A publicly available proof-of-concept exists; this vulnerability is not in CISA KEV.

Canonical Microsoft Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54908 MEDIUM PATCH This Month

Remote denial of service in pion/dtls (Go's DTLS implementation) versions prior to 3.1.4 allows an unauthenticated network attacker to crash any application built on this library by sending a crafted ECDHE_PSK ServerKeyExchange message during the DTLS handshake. The CWE-125 out-of-bounds read triggers a Go runtime panic, immediately terminating the host process. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; a vendor-released patch exists in version 3.1.4.

Denial Of Service Buffer Overflow Information Disclosure Dtls
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-58593 HIGH POC This Week

Author spoofing in NodeBB's ActivityPub federation allows a remote federated actor to forge posts and private messages attributed to arbitrary local users, including the administrator (uid 1). Because the inbound middleware validates the HTTP-signature actor and the origin of object.id but never binds attributedTo to the authenticated sender, an attacker with a valid remote signature can impersonate any local account. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified in CISA KEV and the flaw only affects instances with federation enabled.

Information Disclosure Nodebb
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-49858 PHP MEDIUM POC PATCH GHSA This Month

Cross-user attribute structure leakage in API Platform Core's JSON:API and HAL serializers exposes the schema layout of security-gated properties to lower-privileged users through improper cache reuse. Versions from 2.6.0 up to 4.1.29, 4.2.26, and 4.3.12 are affected across the core, hal, and json-api packages. The component structure computed for a higher-privileged user's request can be served from cache to a subsequent lower-privileged user's request, bypassing the per-request evaluation of #[ApiProperty(security: ...)] predicates. No public exploit identified at time of analysis; vendor-released patches are available.

Information Disclosure Core Api Platform Hal Api Platform Json Api
NVD GitHub
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-54164 MEDIUM PATCH This Month

Type confusion in API Platform Core's AbstractItemNormalizer allows authenticated API consumers to corrupt relational data by supplying IRIs pointing to resources of the wrong type during write operations (POST/PUT/PATCH). The root cause is that getResourceFromIri() omits the $operation context when calling IriConverter::getResourceFromIri(), silently bypassing the is_a type guard at IriConverter.php:86. All 4.1.x, 4.2.x, and 4.3.x releases prior to the patched versions are affected; no public exploit or CISA KEV listing has been identified at time of analysis.

Memory Corruption Information Disclosure PHP Core
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-55597 MEDIUM PATCH This Month

Heap buffer over-write in ImageMagick's JP2 (JPEG 2000) encoder - present in all versions prior to 7.1.2-26 - allows an attacker to crash the process by supplying a maliciously crafted JP2 image file, resulting in a denial-of-service condition. The root cause is CWE-682 (Incorrect Calculation): argument handling logic in the JP2 encoder computes incorrect bounds, leading to an out-of-bounds heap write. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Imagemagick
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-49988 npm MEDIUM PATCH GHSA This Month

Repomix 1.14.0's MCP server exposes a file-read safety bypass allowing any MCP-connected client to retrieve arbitrary local `.json`, `.txt`, `.md`, or `.xml` files without triggering the project's `runSecretLint()` secret-scanning guard. The `attach_packed_output` tool accepts arbitrary local paths, validates only by file extension, reads the file without invoking the secret check, and registers the path under an `outputId`; `read_repomix_output` then returns the full file contents-entirely circumventing the boundary enforced by the dedicated `file_system_read_file` tool. No CISA KEV listing or EPSS data is available, but the advisory includes a reproduction harness that confirmed the bypass end-to-end against repomix@1.14.0.

Information Disclosure
NVD GitHub
CVSS 4.0
6.8
EPSS
0.2%
CVE-2026-55510 MEDIUM PATCH This Month

Use-after-free in ImageMagick's 8BIM profile parser crashes the process when a specially crafted image is identified, affecting all releases prior to 6.9.13-51 (legacy branch) and 7.1.2-26 (current branch). The vulnerability is triggered by a specific format string embedded in the 8BIM metadata profile, causing memory corruption that results in a denial-of-service condition. No public exploit or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in the intelligence feed.

Memory Corruption Use After Free Information Disclosure Imagemagick
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-53467 MEDIUM PATCH This Month

Heap memory disclosure in ImageMagick's MNG decoder affects all versions prior to 6.9.13-51 (legacy branch) and 7.1.2-26 (current branch), allowing remote unauthenticated attackers to obtain partial heap contents by submitting a crafted MNG image file and retrieving the processed output. The root cause (CWE-908) is that pixel buffers are not fully initialized before output is written, leaving residual in-process heap data embedded in the resulting image. No public exploit or CISA KEV listing exists at time of analysis; however, the zero-authentication, network-accessible attack vector makes this a meaningful risk for any image-processing pipeline that accepts untrusted MNG input.

Information Disclosure Imagemagick
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-41121 HIGH PATCH This Week

Local privilege escalation in Dell Device Management Agent (DDMA) versions prior to 26.05 allows an already-authenticated, low-privileged user on the host to elevate to full system-level control by abusing insecure symbolic/hard link resolution (CWE-59) during file operations. Dell has released a fix in DDMA 26.05. There is no public exploit identified at time of analysis and EPSS estimates exploitation probability at only 0.12% (3rd percentile), but the SSVC technical impact is rated 'total', reflecting the complete compromise achievable once a foothold exists.

Dell Information Disclosure Device Management Agent
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13769 MEDIUM PATCH This Month

Credential exposure in AWS CLI on Unix-like systems allows other local users on the same host to read sensitive credentials written to disk by three specific subcommands: aws codeartifact login, aws iam create-virtual-mfa-device, and aws deploy register. When the system umask is at its default permissive value - the case on most Unix-like systems - credential files are written without adequately restrictive permissions, making them readable by other local accounts. No public exploit or CISA KEV listing exists at time of analysis; however, the vendor (Amazon) has confirmed the issue and released patched versions 1.44.78 (v1) and 2.34.29 (v2).

Information Disclosure Aws Cli Red Hat Suse
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-55628 MEDIUM PATCH This Month

Policy bypass in ImageMagick's `-concatenate` operation allows local users to read from and write to filesystem paths that the configured security policy explicitly prohibits. All versions prior to 7.1.2-26 are affected. An attacker or unprivileged local user can invoke ImageMagick with `-concatenate` to circumvent path-based access controls defined in ImageMagick's policy.xml, effectively nullifying a primary hardening control relied upon in restricted or multi-tenant deployments. No public exploit code or CISA KEV listing is identified at time of analysis.

Information Disclosure Imagemagick
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-46487 Maven HIGH PATCH GHSA This Week

Authorization bypass and information disclosure in GeoNetwork 4.x (4.0.0-alpha.1 through 4.4.10) lets an unauthenticated remote user retrieve restricted metadata records through the Elasticsearch-backed search API. Under certain request conditions the proxy layer skips the step that injects GeoNetwork's access-control filters, so requests reach the index without group-visibility, ownership, draft-exclusion, or portal filtering applied. There is no public exploit identified at time of analysis, but the flaw is unauthenticated and network-reachable on any public-facing instance, making disclosure of non-public catalog records trivial once the triggering condition is known.

Authentication Bypass Elastic Information Disclosure
NVD GitHub
CVSS 3.1
7.5
CVE-2022-46280 PyPI HIGH PATCH GHSA This Week

### Summary A memory-safety vulnerability in Open Babel's PQS parser caused an uninitialized pointer dereference when reading a crafted input file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Python Cisco Information Disclosure Memory Corruption Suse
NVD GitHub
CVSS 3.1
7.8
EPSS
0.8%
CVE-2022-44451 PyPI HIGH PATCH GHSA This Week

### Summary A memory-safety vulnerability in Open Babel's MSI parser caused an uninitialized pointer dereference when reading a crafted input file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Python Cisco Information Disclosure Memory Corruption Suse
NVD GitHub
CVSS 3.1
7.8
EPSS
0.8%
EPSS 0% CVSS 4.8
MEDIUM This Month

Broken authentication in VillaTheme's ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce (all versions up to and including 2.2.0) permits remote unauthenticated attackers to bypass authentication controls under high-complexity conditions, yielding limited read and write access to protected plugin functionality. Assigned CVSS 3.1 score of 4.8 with AV:N/AC:H/PR:N, the high attack complexity signals that exploitation requires specific preconditions rather than a trivial request. No public exploit code or active exploitation has been identified at time of analysis, and CISA KEV listing is absent.

WordPress Information Disclosure Ald Dropshipping And Fulfillment For Aliexpress And Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive subscriber data exposure in the Hotel Booking Lite WordPress plugin (versions 6.0.3 and earlier) allows authenticated low-privileged users to access confidential booking or guest information they should not be authorized to view. The vulnerability, classified under CWE-201, involves the plugin including sensitive data in API responses or rendered output accessible to subscriber-level WordPress accounts. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact and low barrier to exploitation (only a subscriber account required) make patching a priority for any hospitality operator running this plugin.

Information Disclosure Hotel Booking Lite
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the Audrey WordPress theme (elated-themes) affects all versions up to and including 1.5, letting remote attackers coerce the PHP application into including arbitrary files. Because CWE-98 covers PHP file-inclusion flaws, a successful include can leak sensitive files (wp-config.php, credentials) and, where remote or attacker-controlled content is includable, escalate to code execution. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, though the network-reachable, unauthenticated nature (CVSS 8.1) makes it a meaningful patching priority for sites running this theme.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Pearl - Corporate Business WordPress theme (StyleMixThemes) versions 3.4.10 and earlier lets unauthenticated remote attackers coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and credentials. Rated CVSS 8.1 by Patchstack, the flaw requires no authentication (PR:N) but carries high attack complexity (AC:H), and depending on include handling could escalate from information disclosure toward code execution. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied in the source data.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the GoodLayers Tourmaster WordPress plugin (versions <= 5.4.5) allows low-privileged authenticated users at the Subscriber level to include and read arbitrary local files from the server, exposing sensitive data such as configuration files and credentials. Reported through Patchstack and mapped to CWE-98, the flaw carries a CVSS 7.5 (High) score with high attack complexity; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive data exposure in the Corpkit WordPress theme (versions <= 1.0.5) allows an authenticated subscriber-level user to retrieve confidential information that should be inaccessible to that role. The CVSS vector (PR:L, C:H) confirms that any low-privileged account holder - the default registered-user role in WordPress - can trigger the disclosure over the network with no additional interaction required. No public exploit code or active exploitation has been identified at time of analysis, but the low barrier of entry (subscriber registration is often open on WordPress sites) elevates real-world risk.

Information Disclosure Corpkit
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the AncoraThemes 'Lighthouse' WordPress theme (versions 1.2.12 and earlier, classified under CWE-98) lets remote attackers with no credentials coerce the theme's PHP include/require logic into loading attacker-influenced file paths. Because CWE-98 covers PHP remote/local file inclusion, a successful attack can disclose sensitive server files (wp-config.php, credentials) and, depending on server configuration, escalate to code execution, which is why NVD scores full C/I/A impact. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

LFI Information Disclosure PHP +1
NVD
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
EPSS 1% CVSS 6.0
MEDIUM PATCH This Month

Memory leak in OpenVPN (pre-2.7.5) allows network-accessible unauthenticated attackers to exhaust server memory, resulting in high availability impact and denial of service. The flaw, classified CWE-401, requires specific attack prerequisites (CVSS 4.0 AT:P) and passive client interaction (UI:P), meaning it is not trivially exploitable against all default deployments. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis; vendor patch v2.7.5 is available.

Microsoft Information Disclosure Openvpn +2
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Denial-of-service in OpenVPN via a reachable assertion (CWE-617) allows a remote, low-privileged attacker to crash the OpenVPN daemon under high-complexity, timing-specific conditions. All OpenVPN deployments running versions prior to v2.7.5 are affected; the fix is available in the v2.7.5 release disclosed pre-NVD via GitHub. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 5.9 (Medium) reflects the constrained exploitation path, though VPN service disruption carries meaningful operational impact for affected operators.

Microsoft Information Disclosure Openvpn +2
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

DPoP (Demonstrating Proof-of-Possession) proof verification in OpenIDC's liboauth2 C library incorrectly accepts malformed proofs that embed private Elliptic Curve (EC) key material in the JWK header, directly violating RFC 9449 §4.3 step 7. The `oauth2_token_verify()` function returns success instead of rejecting such proofs, subverting DPoP's core token-binding security guarantee and enabling information disclosure of private key material. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and a patch is available in liboauth2 2.3.0.

Information Disclosure Liboauth2
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Secret credential leakage in StormShield Network Security's CLI tool exposes the proxy CA passphrase or TPM password to other users sharing an SSH session on the firewall appliance. Affected versions span three distinct branches - 4.3.0-4.3.41, 4.8.0-4.8.15, and 5.0.0-5.0.5 - and exploitation is gated behind SSH multiuser mode being explicitly enabled. No active exploitation has been confirmed by CISA KEV and no public proof-of-concept has been identified at time of analysis, though the leaked secrets carry high downstream value for privilege escalation or certificate authority abuse.

Information Disclosure Stormshield Network Security
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.

Authentication Bypass WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to experiments they are not authorized to access, defeating experiment-level authorization when authentication is enabled. The flaw stems from the trace API endpoints being omitted from the `_before_request` authorization handler, so requests reach these endpoints without any validator running. No public exploit has been identified at time of analysis, though a fix commit and huntr bounty report are public.

Authentication Bypass Information Disclosure Mlflow Mlflow
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Payment enforcement bypass in the User Registration & Membership WordPress plugin before 5.2.0 allows any visitor to self-register a free account and then activate a paid membership subscription without completing payment, gaining unauthorized access to gated premium content. The flaw is a business logic failure: the plugin activates the paid plan upon subscription initiation rather than upon confirmed payment receipt. No public exploit or CISA KEV listing exists at time of analysis, but exploitation is trivially low-effort given the plugin's open registration model and the CVSS vector of AV:N/AC:L/PR:N/UI:N.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Broken access control in the Adminify WordPress plugin before 4.2.10 allows authenticated Contributor-level users to enumerate sensitive site data through an administration search feature that omits per-user read-capability checks. Affected data includes other authors' unpublished post titles, pending comment content, installed plugin inventory, and registered user account names - all information WordPress's native capability model would otherwise restrict. No public exploit has been identified at time of analysis, and a vendor-released patch is available at version 4.2.10.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Broken access control in Fluent Forms WordPress plugin before 6.2.5 allows a restricted Manager role to permanently delete form submission entries belonging to forms outside their authorized scope. The flaw stems from missing authorization checks on the deletion endpoint, which fails to verify that the target submission belongs to a form the Manager is permitted to administer. This affects only installations where an administrator has explicitly created a restricted Manager account tied to specific forms - no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array indexing in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) allows a remote attacker to leak memory or crash the local WebSocket service by delivering a malformed 'pause' command. The addon runs a WebSocket server that backs the browser interfaces of GeoVision products such as GV-VMS and GV-Cloud, so any browser tricked into connecting to it can trigger the flaw. No public exploit identified at time of analysis; the issue was reported by the vendor (GeoVision) and documented by Cisco Talos (TALOS-2026-2373).

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision GeoWebPlayer (a.k.a. "Web Plugin"/"WS Player"), a websocket-server addon bundled with GV-VMS, GV-Cloud and related GeoVision software, lets an attacker who lures a victim to a malicious web page reach the localhost websocket and supply an unvalidated `index` to leak memory and corrupt state (CWE-129). The play command in particular accepts an attacker-controlled index used to index internal arrays without a range check, enabling information disclosure and potential code-path corruption. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor has published a security advisory and Talos has released a detailed report.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (a.k.a. 'Web Plugin' / 'WS Player') addon lets an attacker read memory, corrupt state, or crash the local WebSocket helper bundled with GV-VMS, GV-Cloud, and related surveillance software. The plugin's localhost WebSocket server processes commands (such as 'disconnect') that carry an attacker-controlled 'index' used to dereference internal arrays without bounds checking (CWE-129), yielding high confidentiality, integrity, and availability impact. The CVSS 3.1 vector (AV:N/UI:R/S:C) reflects a cross-origin browser-driven vector where a victim lured to a malicious page has their browser relay commands to the local WebSocket; there is no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (the 'Web Plugin'/'WS Player' addon bundled with GV-VMS, GV-Cloud and related software) lets an attacker abuse the local WebSocket server's snapshot command by supplying an unchecked 'index' value that indexes arrays beyond their bounds. Because the CVSS vector is AV:N/UI:R with a scope change, a victim who visits a malicious web page can have their browser drive the localhost WebSocket into out-of-bounds reads/writes, yielding information disclosure and potential memory corruption (C:H/I:H/A:H). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' for VMS-Cloud) lets an attacker corrupt memory or leak sensitive data by sending a 2wayAudio WebSocket command with an unchecked index value. The addon runs a localhost WebSocket server that expands GeoVision web interfaces, and its command handlers use caller-supplied index values to index internal arrays without validating their range. Reported by GeoVision and Talos (TALOS-2026-2373); no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Memory-disclosure and denial-of-service in GeoVision's GeoWebPlayer (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) stems from an unvalidated `index` parameter in its localhost WebSocket command handler (audio command path), letting an attacker read and act on out-of-bounds array elements. Because the WebSocket listener is reachable cross-origin, a victim who is lured to a malicious web page can have their browser drive the local service, so the effective attack vector is network-based despite the server binding to localhost. No public exploit code is identified at time of analysis, though a Cisco Talos advisory (TALOS-2026-2373) documents the flaw; it is not listed in CISA KEV.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets an attacker corrupt or read process memory by sending crafted WebSocket commands to the localhost server the addon exposes. The specific 'setPIP' command accepts an attacker-controlled 'index' that is used to index internal arrays without range validation, yielding information disclosure and potential memory corruption. There is no public exploit identified at time of analysis, though a Cisco Talos technical report (TALOS-2026-2373) documents the flaw; it is not listed in CISA KEV and no EPSS score is provided.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets an attacker abuse the addon's localhost WebSocket server via a crafted 'setStream' command whose attacker-controlled 'index' is used to index arrays without range validation (CWE-129), enabling memory disclosure and possible corruption. Because a victim's browser can be steered into connecting to the local WebSocket service, the vendor rates this AV:N/UI:R (CVSS 8.3) - a remote web page can pivot to the local service after the user visits it. No public exploit is identified at time of analysis and it is not in CISA KEV, so this is not confirmed as actively exploited.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision GeoWebPlayer (the "Web Plugin"/"WS Player" addon bundled with GV-VMS, GV-Cloud and related software) lets a remote attacker corrupt memory via the local WebSocket server's connectInfo command. Because the server trusts an attacker-supplied index without range validation, a victim lured to a malicious web page can trigger high-impact confidentiality, integrity and availability effects (CVSS 8.3, scope-changed). No public exploit identified at time of analysis; the flaw was reported by the vendor (GV) and documented by Cisco Talos.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Server-side file exfiltration in Craft CMS versions 4.0.0-RC1 through 4.17.x and 5.0.0-RC1 through 5.9.x allows any control panel user granted the utility:system-messages permission to embed a dataUrl() Twig payload into system email templates, causing the server to read and base64-encode arbitrary files - including the .env file - into outbound email bodies. Exfiltration of CRAFT_SECURITY_KEY from the .env file enables an attacker to forge valid session tokens and escalate to full administrator account takeover, chaining a confidentiality breach into complete privilege escalation. No public exploit has been identified at time of analysis; patches are available in 4.18.0 and 5.10.0.

Information Disclosure
NVD GitHub VulDB
MEDIUM PATCH This Month

CVE-2026-47714 is a vulnerability reported by Ubuntu with no public description, CVSS score, CWE classification, or technical details available at time of analysis. The affected product, vulnerability class, and impact cannot be determined from the available intelligence. No exploitation status, patch availability, or affected version range has been confirmed.

Information Disclosure
NVD
MEDIUM This Month

CVE-2026-47247 has been reported by Ubuntu but carries no public description, CVSS score, CWE classification, or technical details at time of analysis. The affected product, vulnerability class, and impact are entirely unknown. No meaningful synthesis is possible from available data - this CVE should be treated as a placeholder or pre-disclosure record pending vendor publication.

Information Disclosure
NVD
MEDIUM PATCH This Month

Insufficient data to analyze. CVE-2026-47254 is reported by Ubuntu but no description, CVSS score, vector, or CWE information is available. Cannot determine attack vector, affected product, version, or real-world impact without vulnerability details.

Information Disclosure
NVD
MEDIUM PATCH This Month

Insufficient data to produce analysis. CVE-2026-48029 description is marked as unknown; no CVSS, CWE, EPSS, KEV status, or technical details provided. Only source is vendor:ubuntu attribution.

Information Disclosure
NVD
MEDIUM PATCH This Month

Insufficient intelligence to synthesize. CVE-2026-47709 description is marked unknown, CVSS vector is not available, CWE is not available, and no product name or affected versions are specified - only that Ubuntu reported it. Comprehensive vulnerability analysis requires description, CVSS vector, affected product details, and remediation data.

Information Disclosure
NVD
MEDIUM This Month

Insufficient data exists to characterize this vulnerability. CVE-2026-47251 was reported by Ubuntu but carries no description, CVSS score, CVSS vector, CWE classification, or reference links at the time of this analysis. No impact, affected product, or exploitation mechanism can be determined from the available intelligence. Security teams should treat this as unresolved pending vendor disclosure.

Information Disclosure
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Out-of-bounds read in ArduPilot's MAVLink ground-control-station handler (through Plane-4.6.3) lets a remote attacker on the MAVLink link send a crafted SERIAL_CONTROL message that reads memory beyond intended bounds in GCS_MAVLINK::handle_serial_control(), potentially disclosing adjacent flight-controller memory and/or crashing the autopilot. The CVSS 9.1 rating reflects high confidentiality and availability impact over an unauthenticated network vector, though EPSS is low (0.17%, 6th percentile) and no public exploit is identified at time of analysis. An upstream fix is proposed via GitHub PR #32587 (issue #32524), but no tagged patched release is independently confirmed.

Buffer Overflow Information Disclosure N A
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Session hijacking in ntopng versions through 6.6 arises because HTTP session identifiers are generated with weak, time-seeded pseudo-randomness in src/HTTPserver.cpp, making freshly issued authenticated session cookies predictable or collision-prone. Remote attackers who can influence or observe login timing can forecast a valid session token and take over an authenticated user's session without credentials. No public exploit identified at time of analysis, and EPSS is low (0.15%, 5th percentile) despite the 9.8 CVSS rating.

Information Disclosure N A
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

TLS certificate misissuance affecting Cloudflare Universal SSL zones lets an attacker who controls an ACME account at a CA in the auto-managed CAA RRset obtain a browser-trusted certificate for a victim domain, because Cloudflare's authoritative DNS serves a permissive auto-managed CAA RRset that supersedes customer-set records and drops RFC 8657 accounturi/validationmethods bindings. The result is a bypass of account-binding and validation-method-binding protections end-to-end, enabling MITM against the affected domain. Reported by Cloudflare (researcher David Osipov) with no public exploit identified at time of analysis; CVSS 4.0 base score is 7.6 with high attack complexity and a present attack requirement.

Information Disclosure Universal Ssl
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized memory use in Dawn, Chrome's WebGPU implementation, on ChromeOS prior to version 150.0.7871.46 enables remote attackers to read potentially sensitive contents from GPU process memory by serving a crafted HTML page. The flaw (CWE-457) allows stale or uninitialized buffer data to be exposed back to the requesting JavaScript context without proper sanitization. No public exploit has been identified at time of analysis, and CISA SSVC rates this as non-automatable with partial technical impact, though the CVSS confidentiality rating is High.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is an uninitialized-memory use (CWE-457) in ANGLE, reported by Google's own Chrome team and fixed in the June 2026 Stable channel update. No public exploit is identified at time of analysis, and CISA's SSVC framework records exploitation status as none, but the total technical impact and sandbox-escape nature make it a high-priority browser patch.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics subsystem (all versions prior to 150.0.7871.46) enables remote attackers to read sensitive data from other browser origins by luring a victim to a crafted HTML page. The flaw stems from uninitialized memory use in ANGLE, Chrome's GPU abstraction layer, which may expose stale cross-origin pixel buffers or texture memory to attacker-controlled JavaScript. No public exploit has been identified and CISA's SSVC framework rates exploitation as none with a non-automatable attack path, indicating limited immediate real-world threat despite the network-accessible vector.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized Use in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape via type confusion in Tint, the WGSL shader compiler within Chrome's Dawn/WebGPU stack, affects Google Chrome desktop versions prior to 150.0.7871.46. A remote attacker who lures a victim to a crafted HTML page can trigger the flaw (CWE-843) to potentially break out of the renderer/GPU sandbox and gain broader access on the host. Rated High by Chromium with a CVSS 9.6 (scope-changed), though there is no public exploit identified at time of analysis and CISA SSVC currently records exploitation status as 'none'.

Memory Corruption Information Disclosure Google +1
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Out of bounds read in V8 in Google Chrome prior to 150.0.7871.46 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Medium)

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Out-of-bounds read in the Dawn WebGPU implementation of Google Chrome before 150.0.7871.46 lets a remote attacker who lures a victim to a crafted HTML page potentially escape the renderer sandbox and disclose out-of-bounds memory. The upstream Chromium team rated the security severity as Low, yet the associated CVSS 3.1 base score is 9.6 due to a scope change and high triad impact. There is no public exploit identified at time of analysis, and the CISA SSVC decision framework records exploitation as none and automatable as no.

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out of bounds read in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in ANGLE (Chrome's cross-platform graphics abstraction layer) prior to version 150.0.7871.46 allows a remote attacker to extract potentially sensitive data from the browser's process memory by directing a victim to a crafted HTML page. The CVSS vector confirms network delivery with no authentication required but mandates user interaction, and the High confidentiality impact (C:H) indicates that in-memory data such as session tokens, cached credentials, or page content could be exposed. SSVC assessment records no active exploitation and the flaw is absent from the CISA KEV catalog; a vendor patch has been released and no public exploit code has been identified at time of analysis.

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's ANGLE graphics layer exposes sensitive browser memory contents to remote attackers who can induce a victim to visit a crafted HTML page. The out-of-bounds read in ANGLE (Chrome's cross-platform graphics abstraction engine) affects all Chrome desktop versions prior to 150.0.7871.46, confirmed by Google's stable channel advisory. No public exploit code or active exploitation has been identified at time of analysis; an EPSS of 0.17% (7th percentile) reflects minimal current weaponization pressure despite the high confidentiality impact assigned in CVSS.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome on Windows prior to 150.0.7871.46 stems from an out-of-bounds read in ANGLE, the browser's graphics abstraction layer. Remote attackers can exploit this by serving a crafted HTML page to a Windows user, causing the ANGLE subsystem to read memory beyond its intended buffer boundary and exposing data belonging to a separate web origin. No public exploit code has been identified at time of analysis, and the EPSS score of 0.18% (8th percentile) indicates low exploitation probability in the near term.

Google Microsoft Buffer Overflow +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's Tint component (the WGSL shader translator inside the Dawn/WebGPU stack) affects all desktop builds prior to 150.0.7871.46 and lets a remote attacker corrupt memory when a victim opens a crafted HTML page. Chromium rates the severity High and the CVSS 3.1 score is 8.8, driven by high confidentiality, integrity, and availability impact requiring only that the user visit a malicious page. No public exploit identified at time of analysis, and the low EPSS score (0.19%, 9th percentile) indicates exploitation is not currently widespread.

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Dawn WebGPU implementation prior to 150.0.7871.46 lets a remote attacker use a crafted HTML page to trigger an out-of-bounds read and write, potentially breaking out of the renderer sandbox. Rated Critical by Chromium with a CVSS of 9.6 (scope-changed), it requires the victim to visit a malicious page but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Integer overflow in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome (Skia graphics library) prior to 150.0.7871.46 allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page, elevating a contained renderer compromise into a full-privilege breakout on the host. Rated High severity by Chromium, it carries a CVSS 3.1 score of 8.3 (scope-changed) with no public exploit identified at time of analysis and CISA SSVC recording exploitation status as none. It is a second-stage vulnerability that must be chained with a prior renderer exploit, so it is not directly exploitable against a fresh browser.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome on Android (versions prior to 150.0.7871.46) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page that abuses insufficient input validation in the Dawn WebGPU component. Google rates the Chromium severity as High, and the flaw carries a CVSS 8.3 with a scope-changing impact. There is no public exploit identified at time of analysis, and CISA SSVC records exploitation status as none.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by luring a victim to a crafted HTML page. This is a second-stage bug that chains with a prior renderer-level exploit rather than a standalone entry point; Chromium rates it High severity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with SSVC recording exploitation status as none.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics component before 150.0.7871.46 lets a remote attacker break out of the renderer sandbox when a victim loads a malicious web page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE and carries a CVSS 9.6 due to scope change and full CIA impact, though exploitation requires the user to visit attacker-controlled content. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with SSVC exploitation status assessed as none.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker break out of the renderer sandbox when a victim visits a crafted HTML page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE and carries a critical 9.6 CVSS score due to the scope-changing sandbox escape. Google has shipped a fix and rates the Chromium severity as High; there is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics component on Android (versions prior to 150.0.7871.46) allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Rated High by Chromium and CVSS 8.3, the flaw stems from improper validation of untrusted input in ANGLE and requires renderer compromise plus user interaction as prerequisites. There is no public exploit identified at time of analysis, and CISA SSVC lists exploitation status as none.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing in Google Chrome's WebAppInstalls component (versions prior to 150.0.7871.46) enables remote attackers to misrepresent security indicators during Progressive Web App installation prompts via a crafted HTML page. The incorrect security UI (CWE-451) can deceive users into believing they are installing a legitimate, trusted application when they are not, resulting in a low-integrity impact. EPSS is 0.18% (8th percentile), no public exploit code exists, and this vulnerability has not been added to CISA KEV, indicating minimal active exploitation risk at time of analysis.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.46) allows a remote attacker who has already compromised the renderer process to mislead users through a crafted HTML page. The attack requires renderer process compromise as a prerequisite, making this a chained exploit component rather than a standalone threat. EPSS at 0.18% (8th percentile) and absence from CISA KEV confirm no known active exploitation; Chromium's own team rated this Low severity.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing via a crafted PDF file in Google Chrome's PDFium rendering engine allows a remote, unauthenticated attacker to visually mislead users into performing unintended actions or trusting falsified content. All Chrome versions prior to 150.0.7871.46 are affected. Exploitation requires the victim to open a malicious PDF - no special configuration is needed beyond default Chrome behavior. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact.

Information Disclosure Google Suse
NVD
CVSS 5.9
MEDIUM PATCH This Month

Download-limit enforcement in goshs (Go Simple HTTP Server) v2.0.9 and earlier can be bypassed by racing concurrent HTTP requests against a limited-use share token, allowing a single token to be redeemed more times than the operator configured. The TOCTOU flaw in `ShareHandler` means every concurrent goroutine observes the same pre-increment `Downloaded` counter, each passes the limit check, and each is served the file - completely defeating one-shot or low-count share-link controls. A working proof-of-concept is publicly documented in the GitHub security advisory (GHSA-j48m-h7xq-2xpj) with 5/5 consistent reproductions; no active exploitation is confirmed in CISA KEV.

Race Condition Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenTelemetry Java Instrumentation prior to 2.28.0 leaks clear-text database passwords into distributed trace span attributes when JDBC auto-instrumentation encounters double-quoted passwords in SQL CONNECT statements, bypassing the sanitization logic. These poisoned spans are then exported to any configured observability backend - Jaeger, Zipkin, OTLP collectors, or third-party SaaS monitoring - making database credentials visible to all parties with telemetry read access. No public exploit or confirmed active exploitation exists at time of analysis, but the impact of credential exposure is high given downstream database access risk.

Java Information Disclosure Opentelemetry Java Instrumentation
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authorization bypass in Wagtail CMS allows authenticated low-privilege users to create translations for pages beyond their permitted scope. Versions prior to 7.0.8, 7.3.3, and 7.4.2 fail to enforce page-level permission checks when a user submits a translation request, exposing content of restricted pages to anyone holding the 'Can submit translation' permission. No public exploit code or active exploitation (CISA KEV) has been identified, but the low attack complexity and network-accessible vector make this straightforward to abuse for information disclosure.

Python Information Disclosure Wagtail
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing authorization on the image preview endpoint in Wagtail CMS allows any authenticated admin-panel user to render previews of images they do not have permission to access. Affected across three maintained release branches - all Wagtail versions prior to 7.0.8, 7.3.3, and 7.4.2. No public exploit has been identified at time of analysis, and exploitation is strictly bounded to users holding valid Wagtail admin credentials, making this a privileged-insider or compromised-account risk rather than an external threat.

Python Information Disclosure Wagtail
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Wagtail's Documents and Images chooser endpoint leaks asset metadata - including filenames, display names, and URLs - to authenticated admin users who have been explicitly denied collection-level choose permissions. Versions prior to 7.0.8, 7.3.3, and 7.4.2 are affected across the 7.0, 7.3, and 7.4 release branches. An attacker with a valid Wagtail admin account can enumerate restricted media assets across collections beyond their authorized scope, bypassing the collection permission model. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Python Information Disclosure Wagtail
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Privilege-escalation via admission-control bypass in Rancher Fleet allows an attacker with git push access to a Fleet-monitored repository to overwrite Pod Security Standards (PSS) enforcement labels on target namespaces. Because Fleet's agent-side deployer failed to filter security-sensitive keys (notably the `pod-security.kubernetes.io/` prefix) from `namespaceLabels` in `fleet.yaml` or `BundleDeployment.spec.options.namespaceLabels`, an attacker can downgrade namespace admission enforcement and deploy privileged or otherwise restricted workloads that PSS would normally block. No public exploit identified at time of analysis; the flaw was privately reported through responsible disclosure by a NATO NCSC researcher and is not listed in CISA KEV.

Kubernetes Information Disclosure
NVD GitHub VulDB
CVSS 9.1
CRITICAL Act Now

Server impersonation in erlang_quic (Benoît Chesneau's Erlang QUIC/HTTP/3 library) before 1.4.4 arises because the QUIC client performed no server authentication during the TLS 1.3 handshake - the CertificateVerify signature, certificate chain, and hostname were all left unchecked, making the `verify` option a no-op. An on-path attacker can present any certificate to impersonate any server and transparently read or modify traffic, breaking both confidentiality and integrity (CVSS 9.1). No public exploit has been identified at time of analysis, and PSK-based session resumption handshakes are unaffected because the peer is authenticated by the PSK binder.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Prototype Pollution in Jodit Editor (versions prior to 4.12.18) allows network-reachable attackers to mutate Object.prototype by supplying crafted configuration payloads to Jodit.configure(), exploiting unfiltered merging in the internal ConfigMerge and ConfigProto helpers. Specifically, keys such as __proto__ or constructor nested inside legitimate option namespaces like controls can propagate to the global JavaScript prototype chain, corrupting runtime behavior for all JavaScript executing in the same environment. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; however, exploitation is contingent on the host application forwarding user-controlled input into Jodit.configure(), a pattern common in configurable WYSIWYG deployments.

Information Disclosure Prototype Pollution Jodit
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Resource exhaustion in Wasmtime's native WASIp1 implementation allows low-privileged WebAssembly guests to exhaust host-level file descriptors and OS resources by repeatedly invoking fd_renumber in a loop. The affected versions span four distinct release branches - all pre-24.0.10, 25.x-35.x, 37.x-44.x, and 45.0.0-45.0.1 - but only runtimes that both expose fd_renumber and grant guests the ability to open files are vulnerable. No public exploit code exists and the issue is not listed in CISA KEV; however, the attack is mechanically straightforward once the conditions are met, making patching the primary defense.

Information Disclosure Wasmtime
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity window checks by controlling the `integratedTime` field in an inclusionProof-only tlog entry. Because the inclusionProof-only code path in `@sigstore/verify` does not cryptographically bind `integratedTime` (unlike the signed inclusionPromise/set path), a low-privileged attacker who can present an untrusted bundle can cause the verifier to accept expired or not-yet-valid signing certificates as currently valid. A publicly available proof-of-concept exists; this vulnerability is not in CISA KEV.

Canonical Microsoft Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Remote denial of service in pion/dtls (Go's DTLS implementation) versions prior to 3.1.4 allows an unauthenticated network attacker to crash any application built on this library by sending a crafted ECDHE_PSK ServerKeyExchange message during the DTLS handshake. The CWE-125 out-of-bounds read triggers a Go runtime panic, immediately terminating the host process. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; a vendor-released patch exists in version 3.1.4.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Author spoofing in NodeBB's ActivityPub federation allows a remote federated actor to forge posts and private messages attributed to arbitrary local users, including the administrator (uid 1). Because the inbound middleware validates the HTTP-signature actor and the origin of object.id but never binds attributedTo to the authenticated sender, an attacker with a valid remote signature can impersonate any local account. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified in CISA KEV and the flaw only affects instances with federation enabled.

Information Disclosure Nodebb
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Cross-user attribute structure leakage in API Platform Core's JSON:API and HAL serializers exposes the schema layout of security-gated properties to lower-privileged users through improper cache reuse. Versions from 2.6.0 up to 4.1.29, 4.2.26, and 4.3.12 are affected across the core, hal, and json-api packages. The component structure computed for a higher-privileged user's request can be served from cache to a subsequent lower-privileged user's request, bypassing the per-request evaluation of #[ApiProperty(security: ...)] predicates. No public exploit identified at time of analysis; vendor-released patches are available.

Information Disclosure Core Api Platform Hal +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Type confusion in API Platform Core's AbstractItemNormalizer allows authenticated API consumers to corrupt relational data by supplying IRIs pointing to resources of the wrong type during write operations (POST/PUT/PATCH). The root cause is that getResourceFromIri() omits the $operation context when calling IriConverter::getResourceFromIri(), silently bypassing the is_a type guard at IriConverter.php:86. All 4.1.x, 4.2.x, and 4.3.x releases prior to the patched versions are affected; no public exploit or CISA KEV listing has been identified at time of analysis.

Memory Corruption Information Disclosure PHP +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Heap buffer over-write in ImageMagick's JP2 (JPEG 2000) encoder - present in all versions prior to 7.1.2-26 - allows an attacker to crash the process by supplying a maliciously crafted JP2 image file, resulting in a denial-of-service condition. The root cause is CWE-682 (Incorrect Calculation): argument handling logic in the JP2 encoder computes incorrect bounds, leading to an out-of-bounds heap write. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Imagemagick
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Repomix 1.14.0's MCP server exposes a file-read safety bypass allowing any MCP-connected client to retrieve arbitrary local `.json`, `.txt`, `.md`, or `.xml` files without triggering the project's `runSecretLint()` secret-scanning guard. The `attach_packed_output` tool accepts arbitrary local paths, validates only by file extension, reads the file without invoking the secret check, and registers the path under an `outputId`; `read_repomix_output` then returns the full file contents-entirely circumventing the boundary enforced by the dedicated `file_system_read_file` tool. No CISA KEV listing or EPSS data is available, but the advisory includes a reproduction harness that confirmed the bypass end-to-end against repomix@1.14.0.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Use-after-free in ImageMagick's 8BIM profile parser crashes the process when a specially crafted image is identified, affecting all releases prior to 6.9.13-51 (legacy branch) and 7.1.2-26 (current branch). The vulnerability is triggered by a specific format string embedded in the 8BIM metadata profile, causing memory corruption that results in a denial-of-service condition. No public exploit or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in the intelligence feed.

Memory Corruption Use After Free Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Heap memory disclosure in ImageMagick's MNG decoder affects all versions prior to 6.9.13-51 (legacy branch) and 7.1.2-26 (current branch), allowing remote unauthenticated attackers to obtain partial heap contents by submitting a crafted MNG image file and retrieving the processed output. The root cause (CWE-908) is that pixel buffers are not fully initialized before output is written, leaving residual in-process heap data embedded in the resulting image. No public exploit or CISA KEV listing exists at time of analysis; however, the zero-authentication, network-accessible attack vector makes this a meaningful risk for any image-processing pipeline that accepts untrusted MNG input.

Information Disclosure Imagemagick
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Dell Device Management Agent (DDMA) versions prior to 26.05 allows an already-authenticated, low-privileged user on the host to elevate to full system-level control by abusing insecure symbolic/hard link resolution (CWE-59) during file operations. Dell has released a fix in DDMA 26.05. There is no public exploit identified at time of analysis and EPSS estimates exploitation probability at only 0.12% (3rd percentile), but the SSVC technical impact is rated 'total', reflecting the complete compromise achievable once a foothold exists.

Dell Information Disclosure Device Management Agent
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Credential exposure in AWS CLI on Unix-like systems allows other local users on the same host to read sensitive credentials written to disk by three specific subcommands: aws codeartifact login, aws iam create-virtual-mfa-device, and aws deploy register. When the system umask is at its default permissive value - the case on most Unix-like systems - credential files are written without adequately restrictive permissions, making them readable by other local accounts. No public exploit or CISA KEV listing exists at time of analysis; however, the vendor (Amazon) has confirmed the issue and released patched versions 1.44.78 (v1) and 2.34.29 (v2).

Information Disclosure Aws Cli Red Hat +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Policy bypass in ImageMagick's `-concatenate` operation allows local users to read from and write to filesystem paths that the configured security policy explicitly prohibits. All versions prior to 7.1.2-26 are affected. An attacker or unprivileged local user can invoke ImageMagick with `-concatenate` to circumvent path-based access controls defined in ImageMagick's policy.xml, effectively nullifying a primary hardening control relied upon in restricted or multi-tenant deployments. No public exploit code or CISA KEV listing is identified at time of analysis.

Information Disclosure Imagemagick
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

Authorization bypass and information disclosure in GeoNetwork 4.x (4.0.0-alpha.1 through 4.4.10) lets an unauthenticated remote user retrieve restricted metadata records through the Elasticsearch-backed search API. Under certain request conditions the proxy layer skips the step that injects GeoNetwork's access-control filters, so requests reach the index without group-visibility, ownership, draft-exclusion, or portal filtering applied. There is no public exploit identified at time of analysis, but the flaw is unauthenticated and network-reachable on any public-facing instance, making disclosure of non-public catalog records trivial once the triggering condition is known.

Authentication Bypass Elastic Information Disclosure
NVD GitHub
EPSS 1% CVSS 7.8
HIGH PATCH This Week

### Summary A memory-safety vulnerability in Open Babel's PQS parser caused an uninitialized pointer dereference when reading a crafted input file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Python Cisco Information Disclosure +2
NVD GitHub
EPSS 1% CVSS 7.8
HIGH PATCH This Week

### Summary A memory-safety vulnerability in Open Babel's MSI parser caused an uninitialized pointer dereference when reading a crafted input file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Python Cisco Information Disclosure +2
NVD GitHub
Prev Page 11 of 741 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy