Skip to main content

Information Disclosure

66671 CVEs technique

Monthly

CVE-2026-9183 MEDIUM This Month

Authenticated information disclosure in the 24liveblog WordPress plugin (versions ≤ 2.2) exposes third-party API credentials - including OAuth access tokens, refresh tokens, account UIDs, and usernames - to any contributor-level WordPress user who opens the block editor. The plugin's lb24_block_enqueue_scripts() function, hooked to enqueue_block_editor_assets, retrieves administrator-configured integration secrets from the WordPress options table and renders them into the page as a JavaScript global object (lb24BlockData) for all non-administrator users, where they are readable via basic browser source inspection. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but exploitation is trivially simple for any user holding a WordPress contributor account.

Information Disclosure WordPress 24Liveblog Live Blog Tool
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9175 MEDIUM This Month

Unauthenticated information disclosure in the Devs Accounting WordPress plugin (all versions through 1.2.0) exposes private financial account records to any internet-connected attacker. The REST API endpoint /devs-accounting/v1/get-account/<id> was registered with a permission_callback that unconditionally returns true, entirely bypassing WordPress authorization. By sequentially enumerating integer account IDs, an unauthenticated attacker can harvest account names, bank names, and opening balances for every financial account stored in the plugin. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity makes opportunistic automation highly likely.

Information Disclosure Authentication Bypass WordPress Devs Accounting Simple Accounting And Invoicing Solution
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-9539 MEDIUM PATCH This Month

Out-of-bounds heap read and integer underflow in libslirp's TCP urgent data handler (sosendoob) exposes gigabytes of host process heap memory to a privileged guest VM attacker. All libslirp releases before v4.9.2, as embedded in hypervisors such as QEMU, are affected when guest workloads hold root or CAP_NET_RAW privileges. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the cross-VM-boundary scope change (S:C) and high confidentiality impact make this a material risk in multi-tenant or shared virtualization environments.

Buffer Overflow Information Disclosure Libslirp Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-54639 HIGH PATCH This Week

{ output: 'object' })`, the Expand API, and the transform lifecycle, and is most dangerous when Style Dictionary runs inside a Node.js server that ingests untrusted tokens. No public exploit identified at time of analysis and CISA has not listed it in KEV.

Prototype Pollution Information Disclosure Style Dictionary
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-49269 HIGH This Week

Apple M1 GPUs retain register file data between compute shader dispatches from different processes. A sandboxed Metal attacker app can run a GPU reader shader that reads stale register values left by a separate sandboxed victim app. In the proof of concept, GPUVictim.app generates a fresh random 128-bit secret using SecRandomCopyBytes and loads it into GPU registers. GPUAttacker.app, a separate sandboxed app, recovers the exact secret from stale GPU register state. NOTE: The vendor stated that this behavior affects only legacy hardware and has already been addressed at the hardware level in current-generation Apple Silicon.

Apple Information Disclosure N A
NVD GitHub
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-6458 MEDIUM This Month

Broken GCM integrity in Caliptra Core Runtime Firmware 2.0.0-2.1.0 allows an adjacent, low-privileged attacker to silently tamper with ciphertext produced by the streaming AES-256-GCM API when called with empty AAD. The root defect - a missing save of the hardware GHASH accumulator state after the first streaming update call - causes the final authentication tag to exclude the first batch of processed ciphertext, nullifying the integrity guarantee of authenticated encryption for that block. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Core Runtime Firmware
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-12164 MEDIUM PATCH This Month

Incorrect privilege assignment in Fortra File Integrity Monitoring (FIM) versions prior to 9.4.0 causes the `tetool import` command to assign elevated or incorrect effective permissions to newly created users when FIM is actively running during import. The flaw is compounded when the import operation also creates or modifies roles or role-permission relationships, meaning users may silently receive access levels beyond what was configured. No public exploit has been identified at time of analysis, and the CVSS score of 4.9 (Medium) reflects the high-privilege prerequisite that limits realistic exposure to administrative misuse or insider threat scenarios.

Information Disclosure File Integrity Monitoring Fim
NVD VulDB
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-54588 CRITICAL Act Now

Account takeover in Poweradmin versions prior to 4.2.4 and 4.3.3 allows remote unauthenticated attackers to hijack OIDC and SAML authentication flows by poisoning the HTTP Host header used to construct the redirect_uri sent to the Identity Provider. By tricking a victim into clicking a crafted login link, the attacker causes the IdP to deliver the authorization code to an attacker-controlled host, yielding full account access with no credentials required. No public exploit identified at time of analysis, though the upstream advisory and patched releases describe the issue in detail.

Information Disclosure Poweradmin
NVD GitHub
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-54515 Maven MEDIUM PATCH GHSA This Month

Per-property @JsonIgnoreProperties filtering in jackson-databind is silently bypassed when the same property also carries @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES), enabling unauthenticated network attackers (per CVSS AV:N/PR:N) to write to fields the application explicitly excluded from deserialization. The flaw spans versions from 2.8.0 through the 2.18.x, 2.19-2.21.x, and 3.1.x release lines and constitutes a mass-assignment integrity risk wherever ignored fields guard sensitive state such as privilege or role attributes. No public exploit tool or CISA KEV listing has been identified at time of analysis; vendor-released patches (2.18.9, 2.21.5, 3.1.4) were published 2026-06-04.

Information Disclosure Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-53926 npm MEDIUM PATCH This Month

OAuth token persistence in NocoDB allows an attacker who previously obtained a user's OAuth credentials to maintain unauthorized account access even after the victim performs a password change, reset, or recovery - the exact security actions taken to revoke attacker access. All NocoDB versions up to 2026.05.0 (npm package: nocodb) are affected due to `revokeAllOAuthTokensByUser` being implemented as an empty stub in the users service, meaning no OAuth or refresh tokens were ever actually invalidated by any of the three password security flows. No public exploit has been identified at time of analysis, and a vendor-released patch is available in 2026.05.1.

Information Disclosure Nocodb
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-12892 MEDIUM This Month

Heap out-of-bounds read in GStreamer's gst-plugins-bad H.264 parser allows an attacker to crash a media application or leak a single byte of heap memory by tricking a victim into opening a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units. Affected systems span Red Hat Enterprise Linux versions 6 through 10 where gst-plugins-bad is installed. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV; the narrow 1-byte read, required user interaction, and local attack vector substantially limit real-world exploitation impact.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-12891 MEDIUM This Month

Out-of-bounds read in the GStreamer gst-plugins-bad H.266/VVC parser allows a remote attacker to leak up to 8 bytes of application memory by delivering a crafted video file with a manipulated aspect ratio indicator value. Affected platforms include Red Hat Enterprise Linux 8, 9, and 10 wherever gst-plugins-bad processes H.266/VVC content. No public exploit code or active exploitation has been identified at time of analysis; the limited read window and user-interaction requirement constrain practical impact, but the network-reachable vector and zero-authentication requirement lower the delivery barrier.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-11819 MEDIUM This Month

Credential exposure in the Ansible keyring_info module (plugins/modules/keyring_info.py) causes master passwords, SSH key passphrases, and service credentials retrieved from OS-native keystores to be emitted as plaintext in task output, registered variables, and persistent log backends. Any local user with access to Ansible playbook output - including AWX/Tower job logs, Redis or JSON fact caches, and debug task output - can read credentials in full. A proof-of-concept demonstrating plaintext passphrase capture from Ansible output exists, though no confirmed active exploitation (CISA KEV) has been observed. Affected deployments span RHEL 8, 9, and 10 per Red Hat CPE data.

Redis Microsoft Information Disclosure Apple Red Hat Enterprise Linux 10 +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-9073 MEDIUM PATCH This Month

Cleartext credential persistence in foreman-mcp-server, a component of Red Hat Satellite 6, exposes session identifiers and authentication tokens through two independent logging paths. The INFO-level logger unconditionally records session identifiers (which function as authentication credentials) in plaintext, while a separate debug-mode logger incompletely sanitizes HTTP request headers, allowing Authorization tokens and API keys to persist in container logs. Any environment forwarding container logs to a centralized SIEM or log aggregation platform materially expands the attack surface beyond local disk access. No public exploit identified at time of analysis, and the CVE does not appear in CISA KEV.

Information Disclosure Red Hat Satellite 6
NVD VulDB
CVSS 3.1
6.2
EPSS
0.2%
CVE-2025-64105 MEDIUM PATCH This Month

Insecure Direct Object Reference in FOSSBilling's support ticket creation workflow allows authenticated clients on versions 0.6.21 through 0.7.2 to link tickets to orders owned by other clients by manipulating the rel_id parameter. The ticketCreateForClient() method omits ownership verification for non-upgrade ticket relations, enabling cross-client order association. While no automated harm occurs, staff can be deceived into acting on the wrong client's order - such as processing unauthorised cancellation or upgrade requests - with minimal order ID disclosure as a secondary confidentiality concern. No public exploit is identified at time of analysis; the issue is patched in version 0.8.0.

Authentication Bypass Information Disclosure Fossbilling
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-50160 CRITICAL Act Now

Unauthenticated mass assignment in Hoppscotch self-hosted exposes the JWT_SECRET and SESSION_SECRET to full attacker control via a single HTTP POST request to the onboarding endpoint, enabling forged authentication tokens for any user including administrators. All self-hosted deployments running version 2026.4.1 and earlier are affected during the initial onboarding window or when re-onboarding is enabled. A working proof of concept is publicly available and the attack is fully automatable with no credentials, no user interaction, and no special tooling required.

Information Disclosure Hoppscotch
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.6%
CVE-2020-9711 MEDIUM This Month

Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe Buffer Overflow Information Disclosure Acrobat Reader
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2020-9713 MEDIUM This Month

Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe Buffer Overflow Information Disclosure Acrobat Reader
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-45049 Maven HIGH PATCH GHSA This Week

Session token disclosure in OpenAM Community Edition through 16.0.6 allows a remote attacker to harvest an authenticated victim's raw OpenAM session credential by tricking them into visiting a crafted URL that abuses the Cross-Domain Single Sign-On (CDSSO) servlet to POST the token to an attacker-controlled endpoint. Successful exploitation enables full session hijacking against deployments where CDSSO is enabled and a specific non-default hardening configuration is absent. No public exploit identified at time of analysis, but the upstream advisory (GHSA-r9pv-5rpp-vm8g) confirms the flaw and ships a fix in 16.1.1.

Information Disclosure
NVD GitHub
CVSS 3.1
8.3
CVE-2026-45048 Maven HIGH PATCH GHSA This Week

Authenticated privilege escalation in OpenAM Community Edition through 16.0.6 allows a low-privileged user to retrieve raw session tokens belonging to arbitrary other users via the session management RPC endpoint, which fails to enforce ownership or privilege checks. Capturing an administrator's session token enables full account takeover of higher-privileged accounts. No public exploit identified at time of analysis, but a GitHub Security Advisory (GHSA-vvhj-w2jq-263q) has been published by the Open Identity Platform maintainers.

Information Disclosure
NVD GitHub
CVSS 3.1
8.5
CVE-2026-57062 LOW Monitor

GnuPG's gpgsm component through version 2.5.20 improperly validates AES-GCM authentication tag length during CMS parsing, accepting a 4-byte ICV where the cryptographic standard mandates 12 bytes. This validation failure means gpgsm will process CMS-formatted messages with a truncated integrity check value, undermining the authentication guarantee that AES-GCM is specifically designed to provide. No public exploit has been identified at time of analysis; the low CVSS score of 2.9 reflects constrained attack conditions, though the related CVE-2026-34182 warrants cross-referencing as it may share the same code path.

Information Disclosure Gnupg
NVD
CVSS 3.1
2.9
EPSS
0.1%
CVE-2026-52815 Go MEDIUM POC PATCH GHSA This Month

Unauthenticated organization team enumeration in Gogs exposes team IDs, names, descriptions, and permission levels (read/write/admin/owner) to any network-accessible caller without credentials. All versions prior to 0.14.3 are affected - the `GET /api/v1/orgs/:orgname/teams` endpoint was placed in a route group missing the `reqToken()` middleware, meaning the `orgAssignment(true)` middleware loads the org object but enforces no authentication. A publicly available proof-of-concept demonstrates exploitation via a single unauthenticated `curl` command. No KEV listing is present, but the low attack complexity and zero authentication requirement make this a meaningful reconnaissance aid for follow-on attacks against Gogs installations.

Privilege Escalation Information Disclosure
NVD GitHub
CVSS 4.0
5.5
EPSS
1.6%
CVE-2026-52812 Go HIGH PATCH GHSA This Week

Cross-tenant information disclosure in Gogs (self-hosted Git service) before 0.14.3 lets any user with write access to a single repository read the byte-for-byte contents of Git LFS objects belonging to private repositories they cannot otherwise access. Because LFS storage is content-addressed by OID alone while authorization is tracked per-repo, an attacker who learns a victim object's OID can bind it to their own repo via the upload endpoint - which skips hash verification on the dedupe path - and then download the original private bytes. The GHSA advisory publishes a complete working proof-of-concept; there is no evidence of active in-the-wild exploitation.

Information Disclosure
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-52809 Go MEDIUM PATCH GHSA This Month

Password-reset tokens in Gogs self-hosted Git service (versions before 0.14.3) remain valid for the full account-activation lifetime - up to 3 hours by default - regardless of the administrator-configured `RESET_PASSWORD_CODE_LIVES` setting, because `GenerateActivateCode()` hardcodes `conf.Auth.ActivateCodeLives` into the token at generation time. An attacker who obtains an intercepted reset token can exploit it far beyond the intended expiry window to perform full account takeover, exposing all private repositories and source code. No KEV listing at time of analysis, but publicly available exploit code exists within the GitHub Security Advisory GHSA-5c3f-6486-3g7g.

Information Disclosure
NVD GitHub
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-56968 MEDIUM PATCH This Month

Memory disclosure in GNU SASL's NTLM client implementation allows a malicious or man-in-the-middle server to extract portions of client process memory by delivering a crafted undersized challenge to the `_gsasl_ntlm_client_step` function. All GNU SASL versions before 2.2.4 are affected, with the fix confirmed in the 2.2.4 release and a Debian security advisory issued downstream. No active exploitation has been identified; the high attack complexity required to position a malicious NTLM server tempers the already-low CVSS 3.7 rating.

Information Disclosure Gnu Sasl
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-13162 MEDIUM CISA This Month

Uncontrolled Search Path Element (DLL hijacking) in ABB Control Builder A and 800xA for Advant Master enables a local low-privileged attacker to achieve high-integrity code execution on industrial engineering workstations. Affected versions span Control Builder A through 1.4/4 and 800xA for Advant Master through 6.2.0-1, covering multiple release branches of ABB's flagship OT automation suite. No public exploit or CISA KEV listing is identified at time of analysis, limiting immediate mass-exploitation risk, though OT environments running these ICS platforms warrant targeted patching prioritization given integrity-impact severity.

Abb Information Disclosure Control Builder A 800Xa For Advant Master
NVD
CVSS 4.0
4.1
EPSS
0.1%
CVE-2026-12958 HIGH PATCH This Week

Arbitrary file write in AWS Language Servers (versions prior to 1.69.0) allows a local attacker to escape the workspace trust boundary by tricking a user into opening a workspace containing a maliciously crafted symbolic link. Because the language server fails to validate symlink targets, files written through normal language-server operations can land at arbitrary paths on disk, enabling tampering with sensitive files outside the workspace. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Language Servers For Aws
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-13007 HIGH PATCH This Week

Unauthenticated information disclosure in Tenable Identity Exposure versions prior to 3.93.5 allows remote attackers to retrieve cleartext LDAP credentials, SAML configuration, user accounts, and directory settings via API endpoints under /w/api/*. The flaw is compounded by Cache-Control: public response headers that lack a Vary: Cookie directive, allowing reverse proxies and CDNs to cache and re-serve the sensitive data to other unauthenticated requesters. No public exploit identified at time of analysis, but the issue was disclosed by the vendor itself.

Authentication Bypass Information Disclosure Tenable Identity Exposure
NVD
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56692 MEDIUM PATCH This Month

Symlink following in NanoClaw's agent-to-agent file forwarding exposes arbitrary host-readable files to container-controlled agents. All releases before 2.1.17 are affected; the `forwardAttachedFiles` function validated attachment filenames with `isSafeAttachmentName` but called `fs.copyFileSync` without first resolving symlinks or confirming the resolved path remained inside the agent's outbox directory. A low-privileged agent can craft a symlink with a safe-looking filename, point it at any host file readable by the NanoClaw process, and receive its contents forwarded as a message attachment. No public exploit is identified at time of analysis, though the VulnCheck advisory and GitHub PR diff provide sufficient detail for a technically capable attacker to reproduce exploitation.

Information Disclosure Nanoclaw
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-27604 CRITICAL PATCH Act Now

Authorization bypass in FOSSBilling versions 0.5.4 through 0.7.x allows unauthenticated remote attackers to invoke privileged `/api/system/*` admin API methods because the `system` role resolves to the cron admin identity without requiring credentials, session, or CSRF token. The flaw, rated CVSS 4.0 10.0 with full vulnerable- and subsequent-system impact, is patched in 0.8.0; publicly available exploit code exists per VulnCheck's writeup chaining this bypass to SSTI for remote code execution.

CSRF Information Disclosure Fossbilling
NVD GitHub
CVSS 4.0
10.0
EPSS
0.4%
CVE-2026-28496 CRITICAL POC PATCH Act Now

Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arbitrary code and disclose sensitive information by injecting Twig expressions into template-rendering features. The unsandboxed Twig environment exposes the application's dependency injection container, turning any admin-accessible template surface into a full RCE primitive. No public exploit identified at time of analysis, but a related auth-bypass chain (GHSA-78x5-c8gw-8279) is documented by VulnCheck and could lower the practical privilege bar.

Ssti RCE Information Disclosure Fossbilling
NVD GitHub
CVSS 4.0
9.4
EPSS
1.9%
CVE-2026-56815 HIGH This Week

Symlink following in pwnlift's Blazor upload handler permits arbitrary file write with elevated system privileges when the application is deployed in a privileged (root or high-privilege) context. All pwnlift releases before commit d7a95449d9ee1ea09ec1529286685f6187afbbed are affected through the upload component in Components/Pages/Home.razor. No public exploit has been identified at time of analysis; an upstream fix is available via the referenced GitHub commit.

Information Disclosure Pwnlift
NVD GitHub
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-12969 MEDIUM PATCH This Month

Heap out-of-bounds read in dnsmasq's find_soa() function allows a remote attacker controlling a DNS zone to leak up to 10 bytes of stale heap memory by serving a crafted NXDOMAIN response. The flaw exists because extract_name() is invoked with extrabytes=0 when parsing NS section records, skipping the mandatory boundary check for the 10-byte fixed-length DNS record trailer fields. Confirmed affected platforms include Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4; no public exploit or CISA KEV listing has been identified at time of analysis.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +3
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56701 PHP HIGH PATCH This Week

Arbitrary file disclosure in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated admin-panel users to read sensitive server files via XML External Entity (XXE) injection in SVG upload processing. The flaw stems from simplexml_load_string() being called without entity-loader protections, enabling exfiltration of credentials, configuration, and environment secrets. No public exploit identified at time of analysis, though the GHSA advisory includes a working proof-of-concept payload.

XXE File Upload Information Disclosure Grav
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56371 NuGet MEDIUM PATCH This Month

Memory exhaustion in ImageMagick's TXT file coder (coders/txt.c) leaks heap allocations each time a crafted TXT file carrying a texture attribute is processed and GetTypeMetrics subsequently fails. Affected are ImageMagick before 7.1.2-15 and 6.9.13-40, and transitively Magick.NET NuGet packages before 14.10.3. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the deterministic failure path makes repeated triggering straightforward in any service that accepts and processes user-supplied TXT files through ImageMagick.

Information Disclosure Imagemagick
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56322 HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 allows unauthenticated remote attackers to enumerate private update channels via the /updates endpoint, because the defaultChannel parameter is resolved before privacy restrictions are enforced. Response differences let attackers distinguish valid private channels from nonexistent ones and harvest assigned bundle versions plus platform-specific configuration state. No public exploit identified at time of analysis, though VulnCheck has published an advisory describing the technique.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56234 MEDIUM PATCH This Month

Unauthenticated access to Capgo's credential validation endpoint before version 12.128.2 enables large-scale password spraying and credential stuffing attacks against user accounts. The `POST /functions/v1/private/validate_password_compliance` Supabase Edge Function accepts requests using only the publicly distributed anon key - a client-side secret embedded in shipped app binaries - with no rate limiting or lockout enforcement. Combined with wildcard CORS headers, any browser-side or scripted attacker can systematically validate username/password pairs at scale, ultimately compromising Capgo accounts and potentially tampering with mobile app live update pipelines. No public exploit code has been identified at time of analysis, but the attack is trivially automatable given the absence of access controls.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-71337 npm HIGH PATCH This Week

Account takeover in Flowise versions 3.0.7 and earlier allows an authenticated user to change their account email address via the profile endpoint without re-authenticating or confirming the change to the original email. Because email serves as both login identifier and password-recovery channel, an attacker who has hijacked a session (e.g., via XSS, stolen token, or unattended workstation) can pivot to permanent account ownership. Publicly available exploit code exists in the GitHub Security Advisory with reproduction steps, but no public exploit identified as actively used in the wild.

Information Disclosure Flowise
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-11374 CRITICAL PATCH Act Now

Account takeover in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus is possible because SSO session-authentication tickets are generated with insufficient randomness and can be predicted by an unauthenticated remote attacker. Successful prediction lets the attacker impersonate arbitrary users and gain full session-level confidentiality, integrity, and availability impact (CVSS 9.0). No public exploit identified at time of analysis, but the issue is acknowledged in the vendor advisory.

Zoho Information Disclosure Manageengine Adselfservice Plus Manageengine Recovery Manager Plus Manageengine M365 Manager Plus +1
NVD VulDB
CVSS 3.1
9.0
EPSS
1.2%
CVE-2026-10521 HIGH PATCH This Week

Privileged remote modification of critical program parameters in MB connect line mbCONNECT24 and mymbCONNECT24 allows authenticated high-privilege attackers to reach a hidden configuration method that should be inaccessible to any user, resulting in total compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE under advisory VDE-2026-068.

Information Disclosure Mbconnect24 Mymbconnect24
NVD VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-8379 HIGH POC This Week

Unauthenticated file disclosure in the Frontend File Manager Plugin for WordPress (all versions through 23.6) exposes every user-uploaded file to anonymous download via identifier enumeration. The plugin's file download handler fails to properly enforce WordPress nonce validation, stripping the only access control gate between unauthenticated HTTP requests and user-uploaded content. A public proof-of-concept is available via WPScan, and SSVC assessment confirms the attack is automatable - any script that iterates numeric file identifiers can bulk-harvest uploaded documents, images, or sensitive attachments without credentials. Not currently listed in CISA KEV.

WordPress Information Disclosure Frontend File Manager Plugin
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-7842 MEDIUM POC PATCH This Month

Time-based blind SQL injection in the Infility Global WordPress plugin (versions before 2.15.20) enables authenticated attackers holding Editor-level access or higher to extract arbitrary data from the WordPress database. The unsanitized `orderby` and `order` parameters in three admin callbacks - `import_list()`, `url_detail()`, and `file_detail()` - are passed directly into SQL queries without validation or parameterization. A publicly available proof-of-concept exploit exists per WPScan (EUVD-2026-38416), and the CVSS S:C designation confirms that impact extends beyond the plugin itself to the full underlying database; no confirmed active exploitation (CISA KEV) has been documented at time of analysis.

SQLi WordPress Information Disclosure Infility Global
NVD WPScan VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-55654 LOW PATCH Monitor

OpenSSH's GSSAPI authentication cleanup routine contains a heap out-of-bounds read (CWE-125) triggered when the auth-indicators array lacks a trailing NULL terminator, allowing a remote unauthenticated attacker to crash the SSH authentication path and deny SSH service availability. Exploitation is constrained by high attack complexity (AC:H) due to the non-default Kerberos/GSSAPI configuration requirement, limiting real-world exposure to a minority of deployments. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the impact is restricted to partial availability loss with no confidentiality or integrity consequence.

Buffer Overflow Denial Of Service SSH Information Disclosure Red Hat Enterprise Linux 10 +6
NVD VulDB
CVSS 3.1
3.7
EPSS
0.3%
CVE-2026-55655 MEDIUM PATCH This Month

X11 forwarding session hijacking in OpenSSH enables a local unprivileged attacker sharing a Linux client host to intercept and partially manipulate the victim's forwarded X11 display traffic by squatting on the predictable abstract UNIX domain socket name before the SSH client creates it. Affected deployments span OpenSSH packages across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4. No public exploit code has been identified at time of analysis, but successful exploitation yields high-confidence access to sensitive X11 session data including keystrokes, window contents, and clipboard material.

SSH Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +4
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-11833 HIGH CISA This Week

Information disclosure in Yokogawa FAST/TOOLS (R9.01-R10.04) and CI Server (R1.01-R1.04) allows unmodified network attackers to retrieve CI Server configuration data via the embedded web server. The leaked settings can be leveraged as reconnaissance fuel for follow-on attacks against the SCADA/automation environment. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Information Disclosure Fast Tools Ci Server
NVD VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-52799 Go HIGH PATCH GHSA This Week

Information disclosure in Gogs 0.14.1 (and all versions ≤ 0.14.2) allows unauthenticated remote attackers who know or guess an attachment UUID to download files attached to issues, comments, and releases in private repositories. The `/attachments/:uuid` endpoint performs no repository-level authorization check, so private-repo attachments - credentials, keys, internal documents, unpublished source - leak when `REQUIRE_SIGNIN_VIEW = false`. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-p9f5-h3rx-j5qw includes a full proof-of-concept reproduction.

Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-10658 HIGH This Week

Denial-of-service and potential out-of-bounds read in the Zephyr RTOS Bluetooth Host ISO receive path allows a malicious or compromised Bluetooth controller to crash devices using CONFIG_BT_ISO_RX by sending malformed HCI ISO packets with undersized SDU headers. The flaw resides in bt_iso_recv() within subsys/bluetooth/host/iso.c, where header bytes are pulled without prior length validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow Denial Of Service Zephyr Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52796 Go LOW PATCH GHSA Monitor

{` placeholder, the third-party `com.Expand()` call in `internal/markup/markup.go` panics due to a negative slice index, making all repository pages that render issue references permanently unavailable until the configuration is corrected. No public exploit beyond the PoC included in the advisory is identified at time of analysis; this is not in CISA KEV.

Ssti Information Disclosure
NVD GitHub
CVSS 3.1
3.5
EPSS
0.3%
CVE-2026-50179 npm MEDIUM PATCH GHSA This Month

CSV formula injection in Actual Budget's transaction export functions allows an attacker who controls imported transaction data to embed spreadsheet formulas in Payee, Notes, Account, and Category fields, which survive verbatim into exported CSV files. Affected versions of @actual-app/web prior to 26.6.0 pass these fields to csv-stringify at export-to-csv.ts:56 and :131 without any formula-prefix neutralization, meaning strings beginning with =, +, -, @, tab, or carriage return are written raw to disk. When victims or downstream recipients (accountants, tax preparers) open the exported file in Excel, LibreOffice Calc, or Google Sheets, the =HYPERLINK variant silently exfiltrates adjacent transaction data on click with no security prompt, while =WEBSERVICE and =IMPORTXML auto-fire in some configurations; a fully working PoC is documented in GHSA-xqjm-27pc-rvwm and no KEV listing exists at time of analysis.

Google Information Disclosure
NVD GitHub
CVSS 3.1
4.2
EPSS
0.3%
CVE-2026-10645 MEDIUM This Month

Out-of-bounds read and denial-of-service in Zephyr RTOS's ext2 filesystem parser expose embedded devices to filesystem-level attacks via maliciously crafted disk images. The flaw resides in ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), where insufficient validation of on-disk directory entry fields - specifically de_rec_len and de_name_len against block boundaries - allows a crafted ext2 image to trigger an oversized memcpy (out-of-bounds read) or a zero-progress infinite loop when de_rec_len equals zero. All Zephyr versions are indicated as affected per the wildcard CPE, no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

Buffer Overflow Path Traversal Denial Of Service Information Disclosure Zephyr
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-49229 npm HIGH PATCH GHSA This Week

Session persistence flaw in @actual-app/sync-server through 26.5.2 lets disabled OpenID users retain authenticated access because session validation never re-checks the users.enabled flag. With the default token_expiration of 'never', a previously issued token continues to authorize sync and admin API calls indefinitely after an administrator disables the account. No public exploit identified at time of analysis, though the GHSA advisory includes a detailed PoC.

Information Disclosure
NVD GitHub
CVSS 3.1
8.3
EPSS
0.4%
CVE-2026-48487 PyPI MEDIUM PATCH GHSA This Month

Cache poisoning in python-zeroconf before 0.149.16 allows any unauthenticated adjacent-network attacker to inject attacker-controlled DNS records into the local mDNS cache by multicasting a single crafted UDP packet on port 5353. The parser in `_read_character_string` and `_read_string` advanced its offset by a caller-declared length without validating it against the actual packet buffer size; Python's silent slice truncation meant over-advertised records were accepted and committed to `DNSCache` and `ServiceInfo` intact. The vendor manually downgraded severity to low, noting no RCE or OOM risk, but characterizes this as a building block for higher-impact chains in downstream consumers such as Home Assistant. No public exploit code has been identified and the vulnerability is not in CISA KEV.

Python Information Disclosure
NVD GitHub
CVSS 4.0
5.3
CVE-2026-48166 PHP MEDIUM POC PATCH GHSA This Month

Filament's login page leaks account existence through a measurable timing side-channel, allowing unauthenticated remote attackers to enumerate registered email addresses. Versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 of this widely-used Laravel full-stack component library are affected. The impact is confined to account enumeration - no credentials, session tokens, or other data are exposed - but the disclosed information can seed targeted phishing or credential-stuffing campaigns. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Filament
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-48505 PHP HIGH PATCH GHSA This Week

Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 allows attackers who already possess a victim's password and recovery codes to obtain multiple authenticated sessions per single recovery code by submitting parallel authentication requests. The flaw stems from a TOCTOU race condition (CWE-362) in app-based MFA recovery code validation, undermining the single-use guarantee. No public exploit identified at time of analysis and the vulnerability is fixed in 4.11.5 and 5.6.5.

Race Condition Information Disclosure Filament
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-48502 NuGet HIGH PATCH GHSA This Week

Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to terminate host processes by sending a crafted MessagePack timestamp extension payload that triggers an uncatchable StackOverflowException. The flaw stems from a stackalloc operation using an attacker-controlled extension length before validation, enabling a tiny payload to claim a massive stack allocation. No public exploit identified at time of analysis, and CVSS 4.0 of 8.2 reflects high availability impact with attack complexity requirements.

Buffer Overflow Information Disclosure Messagepack Csharp
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-48509 NuGet MEDIUM PATCH GHSA This Month

Insecure default initialization in MessagePack for C#'s ASP.NET Core MVC formatter exposes .NET web applications to hash-collision denial-of-service attacks. The parameterless `MessagePackInputFormatter()` constructor silently applies `MessagePackSecurity.TrustedData` to HTTP request bodies - data that by definition crosses an untrusted boundary - bypassing the hash-seed randomization that `MessagePackSecurity.UntrustedData` provides. Vendor-released patches are available in versions 2.5.301 and 3.1.7; no public exploit code or CISA KEV listing identified at time of analysis.

Information Disclosure Messagepack Csharp
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-48510 NuGet MEDIUM PATCH GHSA This Month

LZ4 decompression in MessagePack for C# prior to versions 2.5.301 (v2 branch) and 3.1.7 (v3 branch) allows remote attackers to force excessive heap memory allocations via crafted Lz4Block or Lz4BlockArray payloads that declare arbitrarily large uncompressed lengths. The library allocates an output buffer sized to the attacker-controlled wire-format length field before performing any validation of the compressed data or the reasonableness of the declared expansion, enabling a classic decompression-bomb denial-of-service. No public exploit has been identified at time of analysis and no CISA KEV listing exists; however, the attack pattern is mechanically straightforward for any application that accepts untrusted MessagePack data with LZ4 compression enabled.

Information Disclosure Messagepack Csharp
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-48511 NuGet MEDIUM PATCH GHSA This Month

Quadratic CPU and memory allocation behavior in MessagePack-CSharp's ExpandoObjectFormatter enables remote unauthenticated attackers to degrade or deny service by submitting attacker-controlled MessagePack maps containing many distinct keys. Affected are all releases prior to 2.5.301 (2.x branch) and 3.1.7 (3.x branch). No public exploit code has been identified at time of analysis, and no CISA KEV listing was referenced in available intelligence.

Information Disclosure Messagepack Csharp
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56323 HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_self endpoint with arbitrary app_id values to enumerate private rollout channels, confirm the existence of tenant applications, and extract subscription/billing status. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects trivial network-level abuse against default deployments. The flaw enables cross-tenant reconnaissance that can seed further targeted attacks against high-value Capgo users.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56321 MEDIUM PATCH This Month

Capgo's Supabase edge function backend (versions before 12.128.2) inconsistently applies global authentication middleware across HTTP methods on the /private/role_bindings/:org_id endpoint - GET requests reach the handler unauthenticated while POST and DELETE are gated by middleware. The handler currently performs its own authorization check and rejects unauthenticated callers, so no data is exposed in the current implementation. This is a CWE-306 defense-in-depth failure: the middleware gap creates latent risk that any future relaxation of handler-level logic could silently permit unauthenticated access to organization role binding data, with no public exploit identified at time of analysis.

Authentication Bypass Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56314 HIGH PATCH This Week

Logic flaw in Capgo before 12.128.12 lets authenticated attackers continue serving soft-deleted application bundles to end-user devices because the /updates endpoint omits an app_versions.deleted filter when joining channels. Affected operators of the Capgo live-update service (a CodePush-style OTA platform for Capacitor mobile apps) can have purged bundles re-selected and pushed downstream, undermining rollback and removal workflows. No public exploit identified at time of analysis and the issue is not present in CISA KEV.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56268 npm MEDIUM PATCH This Month

Cross-workspace chatflow configuration disclosure in Flowise before 3.1.2 allows any holder of a valid API key for one workspace to read the full configuration of unprotected chatflows belonging to all other workspaces in the same instance. The `/api/v1/chatflows/apikey/:apikey` endpoint's database query omits a workspace scope filter when the `keyonly` parameter is absent (the default), causing it to return every chatflow system-wide where `apikeyid` is NULL or empty - including `flowData`, system prompts, `chatbotConfig`, `apiConfig`, and credential IDs from unrelated tenants. No public exploit code or CISA KEV listing has been identified at time of analysis, but the vulnerability is trivially reproducible given the disclosed source code and standard HTTP tooling.

Authentication Bypass Information Disclosure Flowise
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-33692 PHP HIGH PATCH GHSA This Week

Unauthenticated information disclosure in WWBN AVideo (versions prior to 29.0) deployed via the official docker-compose.yml exposes the application's .env file at /.env, leaking database credentials, the SYSTEM_ADMIN_PASSWORD, and internal Docker network topology. The default Apache document root mount lacks any rule blocking dotfile access, so a single curl request to /.env returns plaintext secrets. No public exploit identified at time of analysis, though reproduction is trivial against any default Docker deployment.

Apache Docker Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-44273 MEDIUM PATCH This Month

Dell Wyse Management Suite (WMS) versions prior to 2605 ships with default credentials, enabling a high-privileged local attacker to authenticate using those credentials and access sensitive information. Reported by Dell under DSA-2026-247, the flaw is classified under CWE-1392 (Use of Default Credentials) and carries a CVSS 3.1 base score of 6.0, reflecting local-only attack surface constrained by the requirement for high privilege. No public exploit code or CISA KEV listing has been identified at time of analysis.

Dell Information Disclosure Wyse Management Suite Wms
NVD VulDB
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-32315 PyPI MEDIUM PATCH GHSA This Month

World-readable configuration file permissions in motionEye <= 0.43.1b4 expose the admin SHA1 password hash to any local user account on the host. The flaw affects both supported installation methods (manual and motioneye_init), making it a software default rather than a deployment error. Proof-of-concept code is publicly available in the vendor's GitHub Security Advisory; when chained with GHSA-45h7-499j-7ww3 (hash-as-signing-key authentication bypass) and CVE-2025-60787 (OS command injection requiring admin auth), a local unprivileged attacker can escalate to the Motion daemon user - often root - without any elevated privileges. No active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection Authentication Bypass Information Disclosure Privilege Escalation
NVD GitHub
CVSS 3.1
5.5
EPSS
2.9%
CVE-2026-56109 HIGH POC PATCH This Week

Memory corruption in the Advanced Linux Sound Architecture (ALSA) user-space library (alsa-lib) before 1.2.16.1 allows local attackers to crash audio-dependent processes by feeding maliciously crafted configuration text to parse_def() in src/conf.c. The flaw is a double-free reachable through nested compound or array config blocks, leading to a NULL-pointer write or invalid read; publicly available exploit code exists (reported by VulnCheck), but the issue is not on the CISA KEV list.

Information Disclosure Alsa Lib
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-12249 CRITICAL PATCH Act Now

TLS trust store poisoning in Canonical ADSys through v0.16.2 allows a network-positioned attacker to inject an arbitrary Root CA certificate into managed Ubuntu hosts during Active Directory Certificate Services auto-enrollment. The vendored Samba GPO extension fetches the CA certificate over plaintext HTTP from the AD CS GetCACert endpoint, and the response is registered into the system trust store via update-ca-certificates without authenticity validation. No public exploit identified at time of analysis, but the impact enables persistent decryption of TLS traffic across the host.

Ubuntu Canonical Python Information Disclosure Ubuntu 20 04 Lts +4
NVD GitHub
CVSS 4.0
9.0
EPSS
0.1%
CVE-2026-41049 HIGH PATCH This Week

Local privilege escalation in qSnapper D-Bus service before version 1.3.3 allows any unprivileged local user to invoke privileged D-Bus methods after an administrator has previously authenticated for an unrelated Polkit action. The flaw stems from authentication state being implicitly carried over across different Polkit actions and users rather than being scoped per-action-per-caller, enabling unauthorized snapshot management on systems where the service is installed. No public exploit identified at time of analysis, though SUSE published a coordinated disclosure advisory alongside the upstream fix.

Information Disclosure Qsnapper
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-9006 CRITICAL PATCH Act Now

Server-side request forgery in IBM WebSphere Application Server 8.5 and 9.0 allows remote unauthenticated attackers to coerce the server into issuing arbitrary outbound requests when the Ajax Proxy is configured, enabling security bypass and information disclosure. IBM has released fixes and no public exploit is identified at time of analysis; EPSS is low (0.23%, 14th percentile) and SSVC marks exploitation as 'none' despite a CVSS of 9.1.

IBM SSRF Information Disclosure Websphere Application Server
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-8646 CRITICAL PATCH Act Now

HTTP request smuggling in IBM WebSphere Application Server 8.5/9.0 and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 allows unauthenticated remote attackers to bypass security controls, spoof identities, escalate privileges, and access sensitive information. IBM has released fixes and SSVC currently rates exploitation as 'none' with EPSS at 0.35% (27th percentile), but the CVSS 9.1 rating and total technical impact warrant prompt patching given the product's enterprise footprint. No public exploit identified at time of analysis.

IBM Request Smuggling Information Disclosure Websphere Application Server Websphere Application Server Liberty
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-8636 HIGH PATCH This Week

Sensitive-data disclosure in IBM Datacap and Datacap Navigator (versions 9.1.7, 9.1.8, 9.1.9) lets an attacker recover user passwords and cryptographic keys that the application holds in cleartext in memory; the recovered keys can then decrypt stored credentials, authenticate to the application, and reach sensitive data in the backing database. IBM has released a patch. There is no public exploit identified at time of analysis, EPSS exploitation probability is negligible (0.08%, 0th percentile), and CISA SSVC rates exploitation as 'none' - indicating low immediate field risk despite the high CVSS confidentiality impact.

IBM Information Disclosure Datacap Datacap Navigator
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-9162 MEDIUM This Month

WebSocket session persistence in Mattermost allows authenticated users whose sessions have been globally revoked to bypass that revocation and continue receiving real-time platform events. Affected across four actively maintained release branches (11.7.x, 11.6.x, 11.5.x, 10.11.x), the flaw directly undermines the effectiveness of administrative session revocation - a control relied upon in account-compromise response and offboarding workflows. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS signal is absent from available data, and the vendor-assigned CVSS of 4.3 reflects correctly scoped, medium-severity risk.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-2669 MEDIUM PATCH This Month

Improper token validation in IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data allows a privileged user to exceed their authorized scope, performing operations and accessing sensitive information beyond their granted permissions. Affected versions span 4.8 through 5.3, covering both the standard and warehouse variants of the product. No public exploit identified at time of analysis, and no active exploitation confirmed via CISA KEV, though the high integrity impact (I:H) signals meaningful risk for multi-tenant or regulated deployments.

IBM Information Disclosure Db2 On Cloud Pak For Data And Db2 Warehouse On Cloud Pak For Data
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-7167 MEDIUM This Month

Email validation bypass in Gaudire's Assassin Game permits registration with arbitrary or non-existent email addresses, enabling automated mass account creation without real mailbox ownership verification. The CVSS 4.0 vector (PR:N, AV:N) indicates no prior authentication is required to trigger the flaw, though the description's contradictory reference to an 'authenticated attacker' has not been resolved by the vendor and warrants clarification before deploying mitigations. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact is confined to service integrity abuse - spam distribution, rate-limit evasion, and fraudulent account accumulation.

Information Disclosure Assassin Game
NVD
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-7166 CRITICAL Act Now

Sensitive information disclosure in Gaudire's Assassin Game application allows unauthenticated remote attackers to retrieve personally identifiable information (PII) - including email addresses and phone numbers - through the application's API. The exposure also extends to the local database, which holds data on minors and municipal users, significantly elevating privacy and regulatory risk. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 and CWE-200 classification mark this as a high-priority data exposure issue.

Information Disclosure Assassin Game
NVD
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-7165 CRITICAL Act Now

Multiple chained vulnerabilities in Gaudire's Assassin Game platform allow an authenticated low-privileged player to tamper with other users' accounts, escalate to administrator, defraud city-council-awarded prizes, trigger denial-of-service, and perform server-side request forgery via the /addJugador endpoint. With CVSS 4.0 base score 9.4 (Critical) and scope-changing impact across confidentiality, integrity, and availability, the flaws stem from systemic input validation failures (CWE-20). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Assassin Game
NVD
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-54100 HIGH This Week

Credential theft in Red Hat OpenShift Container Platform's Windows Machine Config Operator (WMCO) allows adjacent-network attackers to intercept SSH sessions to Windows worker nodes and steal WICD and kubelet bootstrap credentials. WMCO fails to verify the remote SSH host key when configuring Windows nodes, enabling a man-in-the-middle attacker positioned on the cluster network to capture credentials sufficient to assume Windows node identities. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

Information Disclosure Microsoft Red Hat Red Hat Openshift Container Platform 4 Red Hat Openshift For Windows Containers
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-12581 HIGH This Week

Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifier and hijack the authenticated session once the victim logs in, inheriting the victim's privileges. No public exploit identified at time of analysis, but the CVSS 4.0 score of 7.7 and HIGH impact across confidentiality, integrity, and availability mark this as a meaningful risk for organizations using the workflow platform. The flaw is tracked under CWE-384 and was disclosed via TWCERT, with no specific patched version cited in the provided references.

Information Disclosure Session Fixation Easyflow Net
NVD
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-10530 MEDIUM POC PATCH This Month

Pie Register WordPress plugin versions before 3.8.4.10 generates account verification tokens with insufficient randomness, enabling unauthenticated remote attackers to predict or enumerate valid tokens and activate registered accounts without receiving the associated verification email. This effectively bypasses the email-as-ownership-proof step in the registration flow, allowing account takeover of any pending registration. A publicly available exploit exists per WPScan; SSVC flags the attack as automatable with partial technical impact, though no confirmed active exploitation appears in CISA KEV at time of analysis.

Information Disclosure WordPress Pie Register
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-6645 HIGH PATCH This Week

Local privilege escalation to SYSTEM in the PaperCut Print Deploy Client for Windows allows a low-privileged user to hijack execution flow of pc-printer-updater.exe by planting a malicious binary in a directory on the Windows search path. The flaw is a classic uncontrolled search path element (CWE-427) in a SYSTEM-level helper, and no public exploit identified at time of analysis. CVSS 4.0 base score is 7.3 reflecting local vector with attack requirements and user interaction.

Information Disclosure Microsoft
NVD VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-11748 MEDIUM This Month

LDAP injection in Central Dogma's Apache Shiro-based authentication module exposes unauthenticated remote attackers to authentication confusion and Active Directory enumeration. The SearchFirstActiveDirectoryRealm component in centraldogma-server-auth-shiro versions prior to 0.84.0 inserts the login username directly into an LDAP search filter without escaping metacharacters, allowing filter logic manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required beyond reaching the login endpoint. No public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Central Dogma LDAP Code Injection
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-11745 HIGH This Week

Man-in-the-middle attacks against LY Corporation's Central Dogma server can compromise mirrored Git repositories in versions of the centraldogma-server-mirror-git module prior to 0.84.0, because the embedded SSH client accepts any host key presented over git+ssh:// connections. An on-path attacker between Central Dogma and the upstream Git server can impersonate that server, inject malicious commits, and silently poison every downstream consumer that reads from the mirror. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Central Dogma
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-12823 LOW POC Monitor

Incorrect default file permissions in Browserbase's Autobrowse Trace Artifact Handler (versions up to 20260526) expose locally stored trace artifact files to low-privileged users on the same host, resulting in unauthorized information disclosure. A public exploit (poc.sh) was released without a vendor patch, as the vendor did not respond to responsible disclosure. With a CVSS 4.0 score of 1.9, the attack is strictly local and limited to confidentiality impact; no KEV listing exists, but publicly available exploit code lowers the bar for exploitation in shared-host environments.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-66389 HIGH This Week

GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_webpage. Therefore, exfiltration could occur if there is indirect prompt injection.

N A Information Disclosure Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-56412 MEDIUM PATCH This Month

Use-after-free in libexpat before 2.8.2 arises from the `doCdataSection` function omitting `beforeHandler`/`afterHandler` depth-tracking calls for `XML_TOK_DATA_CHARS` tokens during CDATA section parsing - an incomplete fix for the related CVE-2026-50219. When a policy violation occurs during handler callback invocation in this code path, the parser's internal call-depth counter becomes inconsistent, enabling a use-after-free condition. An attacker supplying specially crafted XML to any libexpat-consuming application may trigger limited memory corruption, information disclosure, or availability impact under high-complexity conditions; no public exploit is identified at time of analysis and no CISA KEV listing exists.

Information Disclosure Use After Free Memory Corruption Libexpat Red Hat +1
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-56378 NuGet MEDIUM PATCH This Month

Heap out-of-bounds read in ImageMagick's PCD image decoder (versions prior to 7.1.2-15 and 6.9.13-40) allows unauthenticated network-reachable attackers to cause denial of service and disclose a single adjacent heap byte by supplying a crafted PCD file to an image-processing endpoint. The vulnerability is rooted in the PCD coder's DecodeImage loop and requires high attack complexity (AC:H) with specific attack prerequisites (AT:P), meaning the target application must actively process attacker-supplied PCD files. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis, though .NET bindings via Magick.NET NuGet packages are also affected and carry a separate fix version.

Information Disclosure Denial Of Service Buffer Overflow Imagemagick Red Hat
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56367 NuGet MEDIUM PATCH This Month

Integer overflow in ImageMagick's PSB/PSD v2 RLE decoder (ReadPSDChannelRLE in coders/psd.c) causes a heap out-of-bounds read exclusively on 32-bit builds, enabling information disclosure or process crash when processing attacker-controlled PSB files. Affected versions span ImageMagick below 7.1.2-15 and 6.9.x below 6.9.13-40, with corresponding Magick.NET NuGet packages below 14.10.3 also confirmed vulnerable. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that exploitation is constrained to 32-bit deployments processing untrusted PSB input.

Information Disclosure Buffer Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56316 MEDIUM PATCH This Month

Unauthenticated job ID enumeration in Cap-go (Capgo) before version 12.128.2 exposes internal builder job identifiers via observable response discrepancies on the OPTIONS /build/upload/:jobId/* endpoint. Any network-accessible attacker can probe this endpoint without credentials to distinguish valid job IDs from invalid ones, effectively building a map of active build jobs. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the zero-barrier exploitation (no auth, no interaction) and dual impact of information disclosure and incidental resource consumption make it a meaningful exposure for organizations running self-hosted Capgo instances.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56242 HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 lets remote unauthenticated attackers abuse the security-definer RPC function get_identity_apikey_only to validate arbitrary API keys and map them to owning user_ids. The endpoint functions as an oracle, and results can be chained into other exposed RPCs such as get_orgs_v6 to enumerate organization membership and harvest management email PII. No public exploit identified at time of analysis, though VulnCheck has publicly documented the technique and a vendor patch is available.

Information Disclosure Oracle Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56236 npm MEDIUM PATCH This Month

Symlink-following vulnerabilities in Capgo CLI before version 12.128.2 (npm @capgo/cli < 7.84.6) allow an attacker who controls a repository to overwrite arbitrary files on a developer's machine and expose sensitive signing credentials when the developer runs CLI login or build credential operations inside that repository. Three distinct issues are present: unsafe writeFileSync on .capgo and .capgo-credentials.json without symlink validation, and global credential files written with world-readable 664 permissions instead of the required 0600. A proof-of-concept demonstrating the .capgo clobber is publicly documented in the GitHub Security Advisory GHSA-8mpm-q7mh-8fvh. No CISA KEV listing exists at time of analysis, but exploitability is straightforward given the PoC and low attack complexity.

Information Disclosure Cli
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.1%
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated information disclosure in the 24liveblog WordPress plugin (versions ≤ 2.2) exposes third-party API credentials - including OAuth access tokens, refresh tokens, account UIDs, and usernames - to any contributor-level WordPress user who opens the block editor. The plugin's lb24_block_enqueue_scripts() function, hooked to enqueue_block_editor_assets, retrieves administrator-configured integration secrets from the WordPress options table and renders them into the page as a JavaScript global object (lb24BlockData) for all non-administrator users, where they are readable via basic browser source inspection. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but exploitation is trivially simple for any user holding a WordPress contributor account.

Information Disclosure WordPress 24Liveblog Live Blog Tool
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated information disclosure in the Devs Accounting WordPress plugin (all versions through 1.2.0) exposes private financial account records to any internet-connected attacker. The REST API endpoint /devs-accounting/v1/get-account/<id> was registered with a permission_callback that unconditionally returns true, entirely bypassing WordPress authorization. By sequentially enumerating integer account IDs, an unauthenticated attacker can harvest account names, bank names, and opening balances for every financial account stored in the plugin. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity makes opportunistic automation highly likely.

Information Disclosure Authentication Bypass WordPress +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds heap read and integer underflow in libslirp's TCP urgent data handler (sosendoob) exposes gigabytes of host process heap memory to a privileged guest VM attacker. All libslirp releases before v4.9.2, as embedded in hypervisors such as QEMU, are affected when guest workloads hold root or CAP_NET_RAW privileges. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the cross-VM-boundary scope change (S:C) and high confidentiality impact make this a material risk in multi-tenant or shared virtualization environments.

Buffer Overflow Information Disclosure Libslirp +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

{ output: 'object' })`, the Expand API, and the transform lifecycle, and is most dangerous when Style Dictionary runs inside a Node.js server that ingests untrusted tokens. No public exploit identified at time of analysis and CISA has not listed it in KEV.

Prototype Pollution Information Disclosure Style Dictionary
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

Apple M1 GPUs retain register file data between compute shader dispatches from different processes. A sandboxed Metal attacker app can run a GPU reader shader that reads stale register values left by a separate sandboxed victim app. In the proof of concept, GPUVictim.app generates a fresh random 128-bit secret using SecRandomCopyBytes and loads it into GPU registers. GPUAttacker.app, a separate sandboxed app, recovers the exact secret from stale GPU register state. NOTE: The vendor stated that this behavior affects only legacy hardware and has already been addressed at the hardware level in current-generation Apple Silicon.

Apple Information Disclosure N A
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Broken GCM integrity in Caliptra Core Runtime Firmware 2.0.0-2.1.0 allows an adjacent, low-privileged attacker to silently tamper with ciphertext produced by the streaming AES-256-GCM API when called with empty AAD. The root defect - a missing save of the hardware GHASH accumulator state after the first streaming update call - causes the final authentication tag to exclude the first batch of processed ciphertext, nullifying the integrity guarantee of authenticated encryption for that block. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Core Runtime Firmware
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Incorrect privilege assignment in Fortra File Integrity Monitoring (FIM) versions prior to 9.4.0 causes the `tetool import` command to assign elevated or incorrect effective permissions to newly created users when FIM is actively running during import. The flaw is compounded when the import operation also creates or modifies roles or role-permission relationships, meaning users may silently receive access levels beyond what was configured. No public exploit has been identified at time of analysis, and the CVSS score of 4.9 (Medium) reflects the high-privilege prerequisite that limits realistic exposure to administrative misuse or insider threat scenarios.

Information Disclosure File Integrity Monitoring Fim
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

Account takeover in Poweradmin versions prior to 4.2.4 and 4.3.3 allows remote unauthenticated attackers to hijack OIDC and SAML authentication flows by poisoning the HTTP Host header used to construct the redirect_uri sent to the Identity Provider. By tricking a victim into clicking a crafted login link, the attacker causes the IdP to deliver the authorization code to an attacker-controlled host, yielding full account access with no credentials required. No public exploit identified at time of analysis, though the upstream advisory and patched releases describe the issue in detail.

Information Disclosure Poweradmin
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Per-property @JsonIgnoreProperties filtering in jackson-databind is silently bypassed when the same property also carries @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES), enabling unauthenticated network attackers (per CVSS AV:N/PR:N) to write to fields the application explicitly excluded from deserialization. The flaw spans versions from 2.8.0 through the 2.18.x, 2.19-2.21.x, and 3.1.x release lines and constitutes a mass-assignment integrity risk wherever ignored fields guard sensitive state such as privilege or role attributes. No public exploit tool or CISA KEV listing has been identified at time of analysis; vendor-released patches (2.18.9, 2.21.5, 3.1.4) were published 2026-06-04.

Information Disclosure Jackson Databind
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OAuth token persistence in NocoDB allows an attacker who previously obtained a user's OAuth credentials to maintain unauthorized account access even after the victim performs a password change, reset, or recovery - the exact security actions taken to revoke attacker access. All NocoDB versions up to 2026.05.0 (npm package: nocodb) are affected due to `revokeAllOAuthTokensByUser` being implemented as an empty stub in the users service, meaning no OAuth or refresh tokens were ever actually invalidated by any of the three password security flows. No public exploit has been identified at time of analysis, and a vendor-released patch is available in 2026.05.1.

Information Disclosure Nocodb
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Heap out-of-bounds read in GStreamer's gst-plugins-bad H.264 parser allows an attacker to crash a media application or leak a single byte of heap memory by tricking a victim into opening a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units. Affected systems span Red Hat Enterprise Linux versions 6 through 10 where gst-plugins-bad is installed. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV; the narrow 1-byte read, required user interaction, and local attack vector substantially limit real-world exploitation impact.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Out-of-bounds read in the GStreamer gst-plugins-bad H.266/VVC parser allows a remote attacker to leak up to 8 bytes of application memory by delivering a crafted video file with a manipulated aspect ratio indicator value. Affected platforms include Red Hat Enterprise Linux 8, 9, and 10 wherever gst-plugins-bad processes H.266/VVC content. No public exploit code or active exploitation has been identified at time of analysis; the limited read window and user-interaction requirement constrain practical impact, but the network-reachable vector and zero-authentication requirement lower the delivery barrier.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Credential exposure in the Ansible keyring_info module (plugins/modules/keyring_info.py) causes master passwords, SSH key passphrases, and service credentials retrieved from OS-native keystores to be emitted as plaintext in task output, registered variables, and persistent log backends. Any local user with access to Ansible playbook output - including AWX/Tower job logs, Redis or JSON fact caches, and debug task output - can read credentials in full. A proof-of-concept demonstrating plaintext passphrase capture from Ansible output exists, though no confirmed active exploitation (CISA KEV) has been observed. Affected deployments span RHEL 8, 9, and 10 per Red Hat CPE data.

Redis Microsoft Information Disclosure +4
NVD VulDB
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Cleartext credential persistence in foreman-mcp-server, a component of Red Hat Satellite 6, exposes session identifiers and authentication tokens through two independent logging paths. The INFO-level logger unconditionally records session identifiers (which function as authentication credentials) in plaintext, while a separate debug-mode logger incompletely sanitizes HTTP request headers, allowing Authorization tokens and API keys to persist in container logs. Any environment forwarding container logs to a centralized SIEM or log aggregation platform materially expands the attack surface beyond local disk access. No public exploit identified at time of analysis, and the CVE does not appear in CISA KEV.

Information Disclosure Red Hat Satellite 6
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Insecure Direct Object Reference in FOSSBilling's support ticket creation workflow allows authenticated clients on versions 0.6.21 through 0.7.2 to link tickets to orders owned by other clients by manipulating the rel_id parameter. The ticketCreateForClient() method omits ownership verification for non-upgrade ticket relations, enabling cross-client order association. While no automated harm occurs, staff can be deceived into acting on the wrong client's order - such as processing unauthorised cancellation or upgrade requests - with minimal order ID disclosure as a secondary confidentiality concern. No public exploit is identified at time of analysis; the issue is patched in version 0.8.0.

Authentication Bypass Information Disclosure Fossbilling
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unauthenticated mass assignment in Hoppscotch self-hosted exposes the JWT_SECRET and SESSION_SECRET to full attacker control via a single HTTP POST request to the onboarding endpoint, enabling forged authentication tokens for any user including administrators. All self-hosted deployments running version 2026.4.1 and earlier are affected during the initial onboarding window or when re-onboarding is enabled. A working proof of concept is publicly available and the attack is fully automatable with no credentials, no user interaction, and no special tooling required.

Information Disclosure Hoppscotch
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe Buffer Overflow Information Disclosure +1
NVD
CVSS 8.3
HIGH PATCH This Week

Session token disclosure in OpenAM Community Edition through 16.0.6 allows a remote attacker to harvest an authenticated victim's raw OpenAM session credential by tricking them into visiting a crafted URL that abuses the Cross-Domain Single Sign-On (CDSSO) servlet to POST the token to an attacker-controlled endpoint. Successful exploitation enables full session hijacking against deployments where CDSSO is enabled and a specific non-default hardening configuration is absent. No public exploit identified at time of analysis, but the upstream advisory (GHSA-r9pv-5rpp-vm8g) confirms the flaw and ships a fix in 16.1.1.

Information Disclosure
NVD GitHub
CVSS 8.5
HIGH PATCH This Week

Authenticated privilege escalation in OpenAM Community Edition through 16.0.6 allows a low-privileged user to retrieve raw session tokens belonging to arbitrary other users via the session management RPC endpoint, which fails to enforce ownership or privilege checks. Capturing an administrator's session token enables full account takeover of higher-privileged accounts. No public exploit identified at time of analysis, but a GitHub Security Advisory (GHSA-vvhj-w2jq-263q) has been published by the Open Identity Platform maintainers.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 2.9
LOW Monitor

GnuPG's gpgsm component through version 2.5.20 improperly validates AES-GCM authentication tag length during CMS parsing, accepting a 4-byte ICV where the cryptographic standard mandates 12 bytes. This validation failure means gpgsm will process CMS-formatted messages with a truncated integrity check value, undermining the authentication guarantee that AES-GCM is specifically designed to provide. No public exploit has been identified at time of analysis; the low CVSS score of 2.9 reflects constrained attack conditions, though the related CVE-2026-34182 warrants cross-referencing as it may share the same code path.

Information Disclosure Gnupg
NVD
EPSS 2% CVSS 5.5
MEDIUM POC PATCH This Month

Unauthenticated organization team enumeration in Gogs exposes team IDs, names, descriptions, and permission levels (read/write/admin/owner) to any network-accessible caller without credentials. All versions prior to 0.14.3 are affected - the `GET /api/v1/orgs/:orgname/teams` endpoint was placed in a route group missing the `reqToken()` middleware, meaning the `orgAssignment(true)` middleware loads the org object but enforces no authentication. A publicly available proof-of-concept demonstrates exploitation via a single unauthenticated `curl` command. No KEV listing is present, but the low attack complexity and zero authentication requirement make this a meaningful reconnaissance aid for follow-on attacks against Gogs installations.

Privilege Escalation Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-tenant information disclosure in Gogs (self-hosted Git service) before 0.14.3 lets any user with write access to a single repository read the byte-for-byte contents of Git LFS objects belonging to private repositories they cannot otherwise access. Because LFS storage is content-addressed by OID alone while authorization is tracked per-repo, an attacker who learns a victim object's OID can bind it to their own repo via the upload endpoint - which skips hash verification on the dedupe path - and then download the original private bytes. The GHSA advisory publishes a complete working proof-of-concept; there is no evidence of active in-the-wild exploitation.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Password-reset tokens in Gogs self-hosted Git service (versions before 0.14.3) remain valid for the full account-activation lifetime - up to 3 hours by default - regardless of the administrator-configured `RESET_PASSWORD_CODE_LIVES` setting, because `GenerateActivateCode()` hardcodes `conf.Auth.ActivateCodeLives` into the token at generation time. An attacker who obtains an intercepted reset token can exploit it far beyond the intended expiry window to perform full account takeover, exposing all private repositories and source code. No KEV listing at time of analysis, but publicly available exploit code exists within the GitHub Security Advisory GHSA-5c3f-6486-3g7g.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory disclosure in GNU SASL's NTLM client implementation allows a malicious or man-in-the-middle server to extract portions of client process memory by delivering a crafted undersized challenge to the `_gsasl_ntlm_client_step` function. All GNU SASL versions before 2.2.4 are affected, with the fix confirmed in the 2.2.4 release and a Debian security advisory issued downstream. No active exploitation has been identified; the high attack complexity required to position a malicious NTLM server tempers the already-low CVSS 3.7 rating.

Information Disclosure Gnu Sasl
NVD VulDB
EPSS 0% CVSS 4.1
MEDIUM This Month

Uncontrolled Search Path Element (DLL hijacking) in ABB Control Builder A and 800xA for Advant Master enables a local low-privileged attacker to achieve high-integrity code execution on industrial engineering workstations. Affected versions span Control Builder A through 1.4/4 and 800xA for Advant Master through 6.2.0-1, covering multiple release branches of ABB's flagship OT automation suite. No public exploit or CISA KEV listing is identified at time of analysis, limiting immediate mass-exploitation risk, though OT environments running these ICS platforms warrant targeted patching prioritization given integrity-impact severity.

Abb Information Disclosure Control Builder A +1
NVD
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Arbitrary file write in AWS Language Servers (versions prior to 1.69.0) allows a local attacker to escape the workspace trust boundary by tricking a user into opening a workspace containing a maliciously crafted symbolic link. Because the language server fails to validate symlink targets, files written through normal language-server operations can land at arbitrary paths on disk, enabling tampering with sensitive files outside the workspace. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Language Servers For Aws
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated information disclosure in Tenable Identity Exposure versions prior to 3.93.5 allows remote attackers to retrieve cleartext LDAP credentials, SAML configuration, user accounts, and directory settings via API endpoints under /w/api/*. The flaw is compounded by Cache-Control: public response headers that lack a Vary: Cookie directive, allowing reverse proxies and CDNs to cache and re-serve the sensitive data to other unauthenticated requesters. No public exploit identified at time of analysis, but the issue was disclosed by the vendor itself.

Authentication Bypass Information Disclosure Tenable Identity Exposure
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Symlink following in NanoClaw's agent-to-agent file forwarding exposes arbitrary host-readable files to container-controlled agents. All releases before 2.1.17 are affected; the `forwardAttachedFiles` function validated attachment filenames with `isSafeAttachmentName` but called `fs.copyFileSync` without first resolving symlinks or confirming the resolved path remained inside the agent's outbox directory. A low-privileged agent can craft a symlink with a safe-looking filename, point it at any host file readable by the NanoClaw process, and receive its contents forwarded as a message attachment. No public exploit is identified at time of analysis, though the VulnCheck advisory and GitHub PR diff provide sufficient detail for a technically capable attacker to reproduce exploitation.

Information Disclosure Nanoclaw
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Authorization bypass in FOSSBilling versions 0.5.4 through 0.7.x allows unauthenticated remote attackers to invoke privileged `/api/system/*` admin API methods because the `system` role resolves to the cron admin identity without requiring credentials, session, or CSRF token. The flaw, rated CVSS 4.0 10.0 with full vulnerable- and subsequent-system impact, is patched in 0.8.0; publicly available exploit code exists per VulnCheck's writeup chaining this bypass to SSTI for remote code execution.

CSRF Information Disclosure Fossbilling
NVD GitHub
EPSS 2% CVSS 9.4
CRITICAL POC PATCH Act Now

Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arbitrary code and disclose sensitive information by injecting Twig expressions into template-rendering features. The unsandboxed Twig environment exposes the application's dependency injection container, turning any admin-accessible template surface into a full RCE primitive. No public exploit identified at time of analysis, but a related auth-bypass chain (GHSA-78x5-c8gw-8279) is documented by VulnCheck and could lower the practical privilege bar.

Ssti RCE Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Week

Symlink following in pwnlift's Blazor upload handler permits arbitrary file write with elevated system privileges when the application is deployed in a privileged (root or high-privilege) context. All pwnlift releases before commit d7a95449d9ee1ea09ec1529286685f6187afbbed are affected through the upload component in Components/Pages/Home.razor. No public exploit has been identified at time of analysis; an upstream fix is available via the referenced GitHub commit.

Information Disclosure Pwnlift
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Heap out-of-bounds read in dnsmasq's find_soa() function allows a remote attacker controlling a DNS zone to leak up to 10 bytes of stale heap memory by serving a crafted NXDOMAIN response. The flaw exists because extract_name() is invoked with extrabytes=0 when parsing NS section records, skipping the mandatory boundary check for the 10-byte fixed-length DNS record trailer fields. Confirmed affected platforms include Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4; no public exploit or CISA KEV listing has been identified at time of analysis.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 +5
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file disclosure in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated admin-panel users to read sensitive server files via XML External Entity (XXE) injection in SVG upload processing. The flaw stems from simplexml_load_string() being called without entity-loader protections, enabling exfiltration of credentials, configuration, and environment secrets. No public exploit identified at time of analysis, though the GHSA advisory includes a working proof-of-concept payload.

XXE File Upload Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Memory exhaustion in ImageMagick's TXT file coder (coders/txt.c) leaks heap allocations each time a crafted TXT file carrying a texture attribute is processed and GetTypeMetrics subsequently fails. Affected are ImageMagick before 7.1.2-15 and 6.9.13-40, and transitively Magick.NET NuGet packages before 14.10.3. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the deterministic failure path makes repeated triggering straightforward in any service that accepts and processes user-supplied TXT files through ImageMagick.

Information Disclosure Imagemagick
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 allows unauthenticated remote attackers to enumerate private update channels via the /updates endpoint, because the defaultChannel parameter is resolved before privacy restrictions are enforced. Response differences let attackers distinguish valid private channels from nonexistent ones and harvest assigned bundle versions plus platform-specific configuration state. No public exploit identified at time of analysis, though VulnCheck has published an advisory describing the technique.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated access to Capgo's credential validation endpoint before version 12.128.2 enables large-scale password spraying and credential stuffing attacks against user accounts. The `POST /functions/v1/private/validate_password_compliance` Supabase Edge Function accepts requests using only the publicly distributed anon key - a client-side secret embedded in shipped app binaries - with no rate limiting or lockout enforcement. Combined with wildcard CORS headers, any browser-side or scripted attacker can systematically validate username/password pairs at scale, ultimately compromising Capgo accounts and potentially tampering with mobile app live update pipelines. No public exploit code has been identified at time of analysis, but the attack is trivially automatable given the absence of access controls.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Account takeover in Flowise versions 3.0.7 and earlier allows an authenticated user to change their account email address via the profile endpoint without re-authenticating or confirming the change to the original email. Because email serves as both login identifier and password-recovery channel, an attacker who has hijacked a session (e.g., via XSS, stolen token, or unattended workstation) can pivot to permanent account ownership. Publicly available exploit code exists in the GitHub Security Advisory with reproduction steps, but no public exploit identified as actively used in the wild.

Information Disclosure Flowise
NVD GitHub VulDB
EPSS 1% CVSS 9.0
CRITICAL PATCH Act Now

Account takeover in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus is possible because SSO session-authentication tickets are generated with insufficient randomness and can be predicted by an unauthenticated remote attacker. Successful prediction lets the attacker impersonate arbitrary users and gain full session-level confidentiality, integrity, and availability impact (CVSS 9.0). No public exploit identified at time of analysis, but the issue is acknowledged in the vendor advisory.

Zoho Information Disclosure Manageengine Adselfservice Plus +3
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Privileged remote modification of critical program parameters in MB connect line mbCONNECT24 and mymbCONNECT24 allows authenticated high-privilege attackers to reach a hidden configuration method that should be inaccessible to any user, resulting in total compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE under advisory VDE-2026-068.

Information Disclosure Mbconnect24 Mymbconnect24
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

Unauthenticated file disclosure in the Frontend File Manager Plugin for WordPress (all versions through 23.6) exposes every user-uploaded file to anonymous download via identifier enumeration. The plugin's file download handler fails to properly enforce WordPress nonce validation, stripping the only access control gate between unauthenticated HTTP requests and user-uploaded content. A public proof-of-concept is available via WPScan, and SSVC assessment confirms the attack is automatable - any script that iterates numeric file identifiers can bulk-harvest uploaded documents, images, or sensitive attachments without credentials. Not currently listed in CISA KEV.

WordPress Information Disclosure Frontend File Manager Plugin
NVD WPScan VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Time-based blind SQL injection in the Infility Global WordPress plugin (versions before 2.15.20) enables authenticated attackers holding Editor-level access or higher to extract arbitrary data from the WordPress database. The unsanitized `orderby` and `order` parameters in three admin callbacks - `import_list()`, `url_detail()`, and `file_detail()` - are passed directly into SQL queries without validation or parameterization. A publicly available proof-of-concept exploit exists per WPScan (EUVD-2026-38416), and the CVSS S:C designation confirms that impact extends beyond the plugin itself to the full underlying database; no confirmed active exploitation (CISA KEV) has been documented at time of analysis.

SQLi WordPress Information Disclosure +1
NVD WPScan VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

OpenSSH's GSSAPI authentication cleanup routine contains a heap out-of-bounds read (CWE-125) triggered when the auth-indicators array lacks a trailing NULL terminator, allowing a remote unauthenticated attacker to crash the SSH authentication path and deny SSH service availability. Exploitation is constrained by high attack complexity (AC:H) due to the non-default Kerberos/GSSAPI configuration requirement, limiting real-world exposure to a minority of deployments. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the impact is restricted to partial availability loss with no confidentiality or integrity consequence.

Buffer Overflow Denial Of Service SSH +8
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

X11 forwarding session hijacking in OpenSSH enables a local unprivileged attacker sharing a Linux client host to intercept and partially manipulate the victim's forwarded X11 display traffic by squatting on the predictable abstract UNIX domain socket name before the SSH client creates it. Affected deployments span OpenSSH packages across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4. No public exploit code has been identified at time of analysis, but successful exploitation yields high-confidence access to sensitive X11 session data including keystrokes, window contents, and clipboard material.

SSH Information Disclosure Red Hat Enterprise Linux 10 +6
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Information disclosure in Yokogawa FAST/TOOLS (R9.01-R10.04) and CI Server (R1.01-R1.04) allows unmodified network attackers to retrieve CI Server configuration data via the embedded web server. The leaked settings can be leveraged as reconnaissance fuel for follow-on attacks against the SCADA/automation environment. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Information Disclosure Fast Tools Ci Server
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in Gogs 0.14.1 (and all versions ≤ 0.14.2) allows unauthenticated remote attackers who know or guess an attachment UUID to download files attached to issues, comments, and releases in private repositories. The `/attachments/:uuid` endpoint performs no repository-level authorization check, so private-repo attachments - credentials, keys, internal documents, unpublished source - leak when `REQUIRE_SIGNIN_VIEW = false`. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-p9f5-h3rx-j5qw includes a full proof-of-concept reproduction.

Authentication Bypass Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Denial-of-service and potential out-of-bounds read in the Zephyr RTOS Bluetooth Host ISO receive path allows a malicious or compromised Bluetooth controller to crash devices using CONFIG_BT_ISO_RX by sending malformed HCI ISO packets with undersized SDU headers. The flaw resides in bt_iso_recv() within subsys/bluetooth/host/iso.c, where header bytes are pulled without prior length validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow Denial Of Service Zephyr +1
NVD GitHub VulDB
EPSS 0% CVSS 3.5
LOW PATCH Monitor

{` placeholder, the third-party `com.Expand()` call in `internal/markup/markup.go` panics due to a negative slice index, making all repository pages that render issue references permanently unavailable until the configuration is corrected. No public exploit beyond the PoC included in the advisory is identified at time of analysis; this is not in CISA KEV.

Ssti Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

CSV formula injection in Actual Budget's transaction export functions allows an attacker who controls imported transaction data to embed spreadsheet formulas in Payee, Notes, Account, and Category fields, which survive verbatim into exported CSV files. Affected versions of @actual-app/web prior to 26.6.0 pass these fields to csv-stringify at export-to-csv.ts:56 and :131 without any formula-prefix neutralization, meaning strings beginning with =, +, -, @, tab, or carriage return are written raw to disk. When victims or downstream recipients (accountants, tax preparers) open the exported file in Excel, LibreOffice Calc, or Google Sheets, the =HYPERLINK variant silently exfiltrates adjacent transaction data on click with no security prompt, while =WEBSERVICE and =IMPORTXML auto-fire in some configurations; a fully working PoC is documented in GHSA-xqjm-27pc-rvwm and no KEV listing exists at time of analysis.

Google Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Out-of-bounds read and denial-of-service in Zephyr RTOS's ext2 filesystem parser expose embedded devices to filesystem-level attacks via maliciously crafted disk images. The flaw resides in ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), where insufficient validation of on-disk directory entry fields - specifically de_rec_len and de_name_len against block boundaries - allows a crafted ext2 image to trigger an oversized memcpy (out-of-bounds read) or a zero-progress infinite loop when de_rec_len equals zero. All Zephyr versions are indicated as affected per the wildcard CPE, no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

Buffer Overflow Path Traversal Denial Of Service +2
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Session persistence flaw in @actual-app/sync-server through 26.5.2 lets disabled OpenID users retain authenticated access because session validation never re-checks the users.enabled flag. With the default token_expiration of 'never', a previously issued token continues to authorize sync and admin API calls indefinitely after an administrator disables the account. No public exploit identified at time of analysis, though the GHSA advisory includes a detailed PoC.

Information Disclosure
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

Cache poisoning in python-zeroconf before 0.149.16 allows any unauthenticated adjacent-network attacker to inject attacker-controlled DNS records into the local mDNS cache by multicasting a single crafted UDP packet on port 5353. The parser in `_read_character_string` and `_read_string` advanced its offset by a caller-declared length without validating it against the actual packet buffer size; Python's silent slice truncation meant over-advertised records were accepted and committed to `DNSCache` and `ServiceInfo` intact. The vendor manually downgraded severity to low, noting no RCE or OOM risk, but characterizes this as a building block for higher-impact chains in downstream consumers such as Home Assistant. No public exploit code has been identified and the vulnerability is not in CISA KEV.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Filament's login page leaks account existence through a measurable timing side-channel, allowing unauthenticated remote attackers to enumerate registered email addresses. Versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 of this widely-used Laravel full-stack component library are affected. The impact is confined to account enumeration - no credentials, session tokens, or other data are exposed - but the disclosed information can seed targeted phishing or credential-stuffing campaigns. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Filament
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 allows attackers who already possess a victim's password and recovery codes to obtain multiple authenticated sessions per single recovery code by submitting parallel authentication requests. The flaw stems from a TOCTOU race condition (CWE-362) in app-based MFA recovery code validation, undermining the single-use guarantee. No public exploit identified at time of analysis and the vulnerability is fixed in 4.11.5 and 5.6.5.

Race Condition Information Disclosure Filament
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to terminate host processes by sending a crafted MessagePack timestamp extension payload that triggers an uncatchable StackOverflowException. The flaw stems from a stackalloc operation using an attacker-controlled extension length before validation, enabling a tiny payload to claim a massive stack allocation. No public exploit identified at time of analysis, and CVSS 4.0 of 8.2 reflects high availability impact with attack complexity requirements.

Buffer Overflow Information Disclosure Messagepack Csharp
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Insecure default initialization in MessagePack for C#'s ASP.NET Core MVC formatter exposes .NET web applications to hash-collision denial-of-service attacks. The parameterless `MessagePackInputFormatter()` constructor silently applies `MessagePackSecurity.TrustedData` to HTTP request bodies - data that by definition crosses an untrusted boundary - bypassing the hash-seed randomization that `MessagePackSecurity.UntrustedData` provides. Vendor-released patches are available in versions 2.5.301 and 3.1.7; no public exploit code or CISA KEV listing identified at time of analysis.

Information Disclosure Messagepack Csharp
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

LZ4 decompression in MessagePack for C# prior to versions 2.5.301 (v2 branch) and 3.1.7 (v3 branch) allows remote attackers to force excessive heap memory allocations via crafted Lz4Block or Lz4BlockArray payloads that declare arbitrarily large uncompressed lengths. The library allocates an output buffer sized to the attacker-controlled wire-format length field before performing any validation of the compressed data or the reasonableness of the declared expansion, enabling a classic decompression-bomb denial-of-service. No public exploit has been identified at time of analysis and no CISA KEV listing exists; however, the attack pattern is mechanically straightforward for any application that accepts untrusted MessagePack data with LZ4 compression enabled.

Information Disclosure Messagepack Csharp
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Quadratic CPU and memory allocation behavior in MessagePack-CSharp's ExpandoObjectFormatter enables remote unauthenticated attackers to degrade or deny service by submitting attacker-controlled MessagePack maps containing many distinct keys. Affected are all releases prior to 2.5.301 (2.x branch) and 3.1.7 (3.x branch). No public exploit code has been identified at time of analysis, and no CISA KEV listing was referenced in available intelligence.

Information Disclosure Messagepack Csharp
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_self endpoint with arbitrary app_id values to enumerate private rollout channels, confirm the existence of tenant applications, and extract subscription/billing status. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects trivial network-level abuse against default deployments. The flaw enables cross-tenant reconnaissance that can seed further targeted attacks against high-value Capgo users.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Capgo's Supabase edge function backend (versions before 12.128.2) inconsistently applies global authentication middleware across HTTP methods on the /private/role_bindings/:org_id endpoint - GET requests reach the handler unauthenticated while POST and DELETE are gated by middleware. The handler currently performs its own authorization check and rejects unauthenticated callers, so no data is exposed in the current implementation. This is a CWE-306 defense-in-depth failure: the middleware gap creates latent risk that any future relaxation of handler-level logic could silently permit unauthenticated access to organization role binding data, with no public exploit identified at time of analysis.

Authentication Bypass Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Logic flaw in Capgo before 12.128.12 lets authenticated attackers continue serving soft-deleted application bundles to end-user devices because the /updates endpoint omits an app_versions.deleted filter when joining channels. Affected operators of the Capgo live-update service (a CodePush-style OTA platform for Capacitor mobile apps) can have purged bundles re-selected and pushed downstream, undermining rollback and removal workflows. No public exploit identified at time of analysis and the issue is not present in CISA KEV.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-workspace chatflow configuration disclosure in Flowise before 3.1.2 allows any holder of a valid API key for one workspace to read the full configuration of unprotected chatflows belonging to all other workspaces in the same instance. The `/api/v1/chatflows/apikey/:apikey` endpoint's database query omits a workspace scope filter when the `keyonly` parameter is absent (the default), causing it to return every chatflow system-wide where `apikeyid` is NULL or empty - including `flowData`, system prompts, `chatbotConfig`, `apiConfig`, and credential IDs from unrelated tenants. No public exploit code or CISA KEV listing has been identified at time of analysis, but the vulnerability is trivially reproducible given the disclosed source code and standard HTTP tooling.

Authentication Bypass Information Disclosure Flowise
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated information disclosure in WWBN AVideo (versions prior to 29.0) deployed via the official docker-compose.yml exposes the application's .env file at /.env, leaking database credentials, the SYSTEM_ADMIN_PASSWORD, and internal Docker network topology. The default Apache document root mount lacks any rule blocking dotfile access, so a single curl request to /.env returns plaintext secrets. No public exploit identified at time of analysis, though reproduction is trivial against any default Docker deployment.

Apache Docker Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Dell Wyse Management Suite (WMS) versions prior to 2605 ships with default credentials, enabling a high-privileged local attacker to authenticate using those credentials and access sensitive information. Reported by Dell under DSA-2026-247, the flaw is classified under CWE-1392 (Use of Default Credentials) and carries a CVSS 3.1 base score of 6.0, reflecting local-only attack surface constrained by the requirement for high privilege. No public exploit code or CISA KEV listing has been identified at time of analysis.

Dell Information Disclosure Wyse Management Suite Wms
NVD VulDB
EPSS 3% CVSS 5.5
MEDIUM PATCH This Month

World-readable configuration file permissions in motionEye <= 0.43.1b4 expose the admin SHA1 password hash to any local user account on the host. The flaw affects both supported installation methods (manual and motioneye_init), making it a software default rather than a deployment error. Proof-of-concept code is publicly available in the vendor's GitHub Security Advisory; when chained with GHSA-45h7-499j-7ww3 (hash-as-signing-key authentication bypass) and CVE-2025-60787 (OS command injection requiring admin auth), a local unprivileged attacker can escalate to the Motion daemon user - often root - without any elevated privileges. No active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection Authentication Bypass Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.0
HIGH POC PATCH This Week

Memory corruption in the Advanced Linux Sound Architecture (ALSA) user-space library (alsa-lib) before 1.2.16.1 allows local attackers to crash audio-dependent processes by feeding maliciously crafted configuration text to parse_def() in src/conf.c. The flaw is a double-free reachable through nested compound or array config blocks, leading to a NULL-pointer write or invalid read; publicly available exploit code exists (reported by VulnCheck), but the issue is not on the CISA KEV list.

Information Disclosure Alsa Lib
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

TLS trust store poisoning in Canonical ADSys through v0.16.2 allows a network-positioned attacker to inject an arbitrary Root CA certificate into managed Ubuntu hosts during Active Directory Certificate Services auto-enrollment. The vendored Samba GPO extension fetches the CA certificate over plaintext HTTP from the AD CS GetCACert endpoint, and the response is registered into the system trust store via update-ca-certificates without authenticity validation. No public exploit identified at time of analysis, but the impact enables persistent decryption of TLS traffic across the host.

Ubuntu Canonical Python +6
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local privilege escalation in qSnapper D-Bus service before version 1.3.3 allows any unprivileged local user to invoke privileged D-Bus methods after an administrator has previously authenticated for an unrelated Polkit action. The flaw stems from authentication state being implicitly carried over across different Polkit actions and users rather than being scoped per-action-per-caller, enabling unauthorized snapshot management on systems where the service is installed. No public exploit identified at time of analysis, though SUSE published a coordinated disclosure advisory alongside the upstream fix.

Information Disclosure Qsnapper
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Server-side request forgery in IBM WebSphere Application Server 8.5 and 9.0 allows remote unauthenticated attackers to coerce the server into issuing arbitrary outbound requests when the Ajax Proxy is configured, enabling security bypass and information disclosure. IBM has released fixes and no public exploit is identified at time of analysis; EPSS is low (0.23%, 14th percentile) and SSVC marks exploitation as 'none' despite a CVSS of 9.1.

IBM SSRF Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

HTTP request smuggling in IBM WebSphere Application Server 8.5/9.0 and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 allows unauthenticated remote attackers to bypass security controls, spoof identities, escalate privileges, and access sensitive information. IBM has released fixes and SSVC currently rates exploitation as 'none' with EPSS at 0.35% (27th percentile), but the CVSS 9.1 rating and total technical impact warrant prompt patching given the product's enterprise footprint. No public exploit identified at time of analysis.

IBM Request Smuggling Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Sensitive-data disclosure in IBM Datacap and Datacap Navigator (versions 9.1.7, 9.1.8, 9.1.9) lets an attacker recover user passwords and cryptographic keys that the application holds in cleartext in memory; the recovered keys can then decrypt stored credentials, authenticate to the application, and reach sensitive data in the backing database. IBM has released a patch. There is no public exploit identified at time of analysis, EPSS exploitation probability is negligible (0.08%, 0th percentile), and CISA SSVC rates exploitation as 'none' - indicating low immediate field risk despite the high CVSS confidentiality impact.

IBM Information Disclosure Datacap +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

WebSocket session persistence in Mattermost allows authenticated users whose sessions have been globally revoked to bypass that revocation and continue receiving real-time platform events. Affected across four actively maintained release branches (11.7.x, 11.6.x, 11.5.x, 10.11.x), the flaw directly undermines the effectiveness of administrative session revocation - a control relied upon in account-compromise response and offboarding workflows. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS signal is absent from available data, and the vendor-assigned CVSS of 4.3 reflects correctly scoped, medium-severity risk.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper token validation in IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data allows a privileged user to exceed their authorized scope, performing operations and accessing sensitive information beyond their granted permissions. Affected versions span 4.8 through 5.3, covering both the standard and warehouse variants of the product. No public exploit identified at time of analysis, and no active exploitation confirmed via CISA KEV, though the high integrity impact (I:H) signals meaningful risk for multi-tenant or regulated deployments.

IBM Information Disclosure Db2 On Cloud Pak For Data And Db2 Warehouse On Cloud Pak For Data
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Email validation bypass in Gaudire's Assassin Game permits registration with arbitrary or non-existent email addresses, enabling automated mass account creation without real mailbox ownership verification. The CVSS 4.0 vector (PR:N, AV:N) indicates no prior authentication is required to trigger the flaw, though the description's contradictory reference to an 'authenticated attacker' has not been resolved by the vendor and warrants clarification before deploying mitigations. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact is confined to service integrity abuse - spam distribution, rate-limit evasion, and fraudulent account accumulation.

Information Disclosure Assassin Game
NVD
EPSS 0% CVSS 9.2
CRITICAL Act Now

Sensitive information disclosure in Gaudire's Assassin Game application allows unauthenticated remote attackers to retrieve personally identifiable information (PII) - including email addresses and phone numbers - through the application's API. The exposure also extends to the local database, which holds data on minors and municipal users, significantly elevating privacy and regulatory risk. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 and CWE-200 classification mark this as a high-priority data exposure issue.

Information Disclosure Assassin Game
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Multiple chained vulnerabilities in Gaudire's Assassin Game platform allow an authenticated low-privileged player to tamper with other users' accounts, escalate to administrator, defraud city-council-awarded prizes, trigger denial-of-service, and perform server-side request forgery via the /addJugador endpoint. With CVSS 4.0 base score 9.4 (Critical) and scope-changing impact across confidentiality, integrity, and availability, the flaws stem from systemic input validation failures (CWE-20). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Assassin Game
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Credential theft in Red Hat OpenShift Container Platform's Windows Machine Config Operator (WMCO) allows adjacent-network attackers to intercept SSH sessions to Windows worker nodes and steal WICD and kubelet bootstrap credentials. WMCO fails to verify the remote SSH host key when configuring Windows nodes, enabling a man-in-the-middle attacker positioned on the cluster network to capture credentials sufficient to assume Windows node identities. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

Information Disclosure Microsoft Red Hat +2
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifier and hijack the authenticated session once the victim logs in, inheriting the victim's privileges. No public exploit identified at time of analysis, but the CVSS 4.0 score of 7.7 and HIGH impact across confidentiality, integrity, and availability mark this as a meaningful risk for organizations using the workflow platform. The flaw is tracked under CWE-384 and was disclosed via TWCERT, with no specific patched version cited in the provided references.

Information Disclosure Session Fixation Easyflow Net
NVD
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Pie Register WordPress plugin versions before 3.8.4.10 generates account verification tokens with insufficient randomness, enabling unauthenticated remote attackers to predict or enumerate valid tokens and activate registered accounts without receiving the associated verification email. This effectively bypasses the email-as-ownership-proof step in the registration flow, allowing account takeover of any pending registration. A publicly available exploit exists per WPScan; SSVC flags the attack as automatable with partial technical impact, though no confirmed active exploitation appears in CISA KEV at time of analysis.

Information Disclosure WordPress Pie Register
NVD WPScan VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation to SYSTEM in the PaperCut Print Deploy Client for Windows allows a low-privileged user to hijack execution flow of pc-printer-updater.exe by planting a malicious binary in a directory on the Windows search path. The flaw is a classic uncontrolled search path element (CWE-427) in a SYSTEM-level helper, and no public exploit identified at time of analysis. CVSS 4.0 base score is 7.3 reflecting local vector with attack requirements and user interaction.

Information Disclosure Microsoft
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

LDAP injection in Central Dogma's Apache Shiro-based authentication module exposes unauthenticated remote attackers to authentication confusion and Active Directory enumeration. The SearchFirstActiveDirectoryRealm component in centraldogma-server-auth-shiro versions prior to 0.84.0 inserts the login username directly into an LDAP search filter without escaping metacharacters, allowing filter logic manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required beyond reaching the login endpoint. No public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Central Dogma LDAP +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Man-in-the-middle attacks against LY Corporation's Central Dogma server can compromise mirrored Git repositories in versions of the centraldogma-server-mirror-git module prior to 0.84.0, because the embedded SSH client accepts any host key presented over git+ssh:// connections. An on-path attacker between Central Dogma and the upstream Git server can impersonate that server, inject malicious commits, and silently poison every downstream consumer that reads from the mirror. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Central Dogma
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Incorrect default file permissions in Browserbase's Autobrowse Trace Artifact Handler (versions up to 20260526) expose locally stored trace artifact files to low-privileged users on the same host, resulting in unauthorized information disclosure. A public exploit (poc.sh) was released without a vendor patch, as the vendor did not respond to responsible disclosure. With a CVSS 4.0 score of 1.9, the attack is strictly local and limited to confidentiality impact; no KEV listing exists, but publicly available exploit code lowers the bar for exploitation in shared-host environments.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_webpage. Therefore, exfiltration could occur if there is indirect prompt injection.

N A Information Disclosure Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Use-after-free in libexpat before 2.8.2 arises from the `doCdataSection` function omitting `beforeHandler`/`afterHandler` depth-tracking calls for `XML_TOK_DATA_CHARS` tokens during CDATA section parsing - an incomplete fix for the related CVE-2026-50219. When a policy violation occurs during handler callback invocation in this code path, the parser's internal call-depth counter becomes inconsistent, enabling a use-after-free condition. An attacker supplying specially crafted XML to any libexpat-consuming application may trigger limited memory corruption, information disclosure, or availability impact under high-complexity conditions; no public exploit is identified at time of analysis and no CISA KEV listing exists.

Information Disclosure Use After Free Memory Corruption +3
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Heap out-of-bounds read in ImageMagick's PCD image decoder (versions prior to 7.1.2-15 and 6.9.13-40) allows unauthenticated network-reachable attackers to cause denial of service and disclose a single adjacent heap byte by supplying a crafted PCD file to an image-processing endpoint. The vulnerability is rooted in the PCD coder's DecodeImage loop and requires high attack complexity (AC:H) with specific attack prerequisites (AT:P), meaning the target application must actively process attacker-supplied PCD files. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis, though .NET bindings via Magick.NET NuGet packages are also affected and carry a separate fix version.

Information Disclosure Denial Of Service Buffer Overflow +2
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Integer overflow in ImageMagick's PSB/PSD v2 RLE decoder (ReadPSDChannelRLE in coders/psd.c) causes a heap out-of-bounds read exclusively on 32-bit builds, enabling information disclosure or process crash when processing attacker-controlled PSB files. Affected versions span ImageMagick below 7.1.2-15 and 6.9.x below 6.9.13-40, with corresponding Magick.NET NuGet packages below 14.10.3 also confirmed vulnerable. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that exploitation is constrained to 32-bit deployments processing untrusted PSB input.

Information Disclosure Buffer Overflow Imagemagick +2
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated job ID enumeration in Cap-go (Capgo) before version 12.128.2 exposes internal builder job identifiers via observable response discrepancies on the OPTIONS /build/upload/:jobId/* endpoint. Any network-accessible attacker can probe this endpoint without credentials to distinguish valid job IDs from invalid ones, effectively building a map of active build jobs. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the zero-barrier exploitation (no auth, no interaction) and dual impact of information disclosure and incidental resource consumption make it a meaningful exposure for organizations running self-hosted Capgo instances.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 lets remote unauthenticated attackers abuse the security-definer RPC function get_identity_apikey_only to validate arbitrary API keys and map them to owning user_ids. The endpoint functions as an oracle, and results can be chained into other exposed RPCs such as get_orgs_v6 to enumerate organization membership and harvest management email PII. No public exploit identified at time of analysis, though VulnCheck has publicly documented the technique and a vendor patch is available.

Information Disclosure Oracle Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Symlink-following vulnerabilities in Capgo CLI before version 12.128.2 (npm @capgo/cli < 7.84.6) allow an attacker who controls a repository to overwrite arbitrary files on a developer's machine and expose sensitive signing credentials when the developer runs CLI login or build credential operations inside that repository. Three distinct issues are present: unsafe writeFileSync on .capgo and .capgo-credentials.json without symlink validation, and global credential files written with world-readable 664 permissions instead of the required 0600. A proof-of-concept demonstrating the .capgo clobber is publicly documented in the GitHub Security Advisory GHSA-8mpm-q7mh-8fvh. No CISA KEV listing exists at time of analysis, but exploitability is straightforward given the PoC and low attack complexity.

Information Disclosure Cli
NVD GitHub VulDB
Prev Page 22 of 741 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy