Skip to main content

Information Disclosure

66671 CVEs technique

Monthly

CVE-2026-12203 MEDIUM POC PATCH This Month

Unauthenticated information disclosure in HKUDS AI-Trader exposes the Research Export endpoint (`/api/research/agents.csv`) to any remote attacker without credentials, leaking proprietary research output in CSV format. The vendor explicitly confirmed the pre-patch state lacked access control: 'Research export endpoints now require an authenticated agent with the research_exports capability.' A public proof-of-concept exploit exists (CVSS 4.0: 6.9, E:P), and the upstream fix is available via commit 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65; no active exploitation is confirmed in CISA KEV at this time.

Information Disclosure Ai Trader
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-12201 LOW POC Monitor

Permission misconfiguration in IObit Malware Fighter's DLL Handler component (versions up to 13.2.0) allows a local low-privileged attacker to exploit insecure resource permissions, resulting in low-severity confidentiality, integrity, and availability impacts. The vulnerability stems from CWE-275 (Improper Permission Assignment for a Resource), and a public proof-of-concept exploit is available via GitHub and a researcher blog post. The vendor was notified prior to disclosure but did not respond, meaning no official patch or mitigation guidance has been issued.

Information Disclosure Malware Fighter
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-50870 HIGH This Week

An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.

Information Disclosure N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-45388 CRITICAL Act Now

Server impersonation in OCaml-TLS before 2.1.0 allows a malicious TLS server to present a certificate not intended for server authentication and still be accepted by client code, enabling man-in-the-middle and impersonation attacks against any application linking the library as a TLS client. The client fails to validate KeyUsage and ExtendedKeyUsage extensions properly, breaking a core PKIX trust assumption. No public exploit identified at time of analysis and EPSS sits at 0.15% (4th percentile), but the CVSS 9.1 reflects the broad confidentiality and integrity impact on encrypted sessions.

Information Disclosure N A
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-39007 HIGH This Week

An issue in Observeinc's Observe v.2026-01-28 and before allows a remote attacker to obtain sensitive information via the CSV Log export component.

Information Disclosure N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-30121 npm CRITICAL PATCH GHSA Act Now

Arbitrary file write in remotion-dev Remotion v4.0.409 allows remote attackers to write attacker-controlled content to arbitrary filesystem locations without authentication, per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) and CWE-123 (Write-what-where) classification. Remotion is a React-based programmatic video rendering framework, and the flaw can lead to integrity and availability compromise of the host running the rendering engine. No public exploit identified at time of analysis, and the EPSS score of 0.15% (4th percentile) indicates low predicted exploitation likelihood despite the high CVSS score.

Information Disclosure N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-45389 CRITICAL Act Now

Authentication bypass in OCaml-TLS server implementations before version 2.1.0 allows remote attackers to impersonate legitimate clients during mutual TLS authentication by presenting certificates whose KeyUsage and ExtendedKeyUsage extensions do not authorize client authentication. The server fails to enforce these X.509 certificate purpose constraints, so any valid certificate chain trusted by the server may be accepted regardless of intended use. EPSS probability is low (0.12%, 2nd percentile) and no public exploit identified at time of analysis, but the CVSS 9.1 reflects the high impact on confidentiality and integrity of mTLS-protected services.

Information Disclosure N A
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-12190 MEDIUM This Month

Improper authorization in the custom URL scheme handler of Genspark AI Workspace App 2.8.4 on Android allows a local low-privileged attacker to invoke restricted application functionality via the ai.mainfunc.genspark component without proper access control. The flaw is classified under CWE-939, affecting inter-app communication on Android where the URL scheme handler fails to verify the caller's authorization. No patch is available as the vendor did not respond to responsible disclosure; no public exploit or CISA KEV confirmation exists at time of analysis.

Google Information Disclosure Ai Workspace App
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-12189 LOW POC Monitor

Improper authorization in Moovit Bus & Public Transit App 1.18 on Android exposes the com.tranzmate custom URL scheme handler to invocation by any locally installed application without proper authorization checks, enabling information disclosure and limited unauthorized manipulation of app functionality. The vulnerability is classified as CWE-939 and is restricted to local attack vectors, meaning a co-resident malicious application on the same Android device is required to trigger it. A proof-of-concept exploit has been publicly released via GitHub and Google Drive, and the vendor did not respond to responsible disclosure - no patch is confirmed available at time of analysis.

Google Information Disclosure Bus Public Transit App
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-54412 HIGH This Week

Heap-based out-of-bounds read and integer underflow in LiamBindle MQTT-C (all versions through 1.1.6) allows a remote attacker who controls an MQTT broker - or who can inject packets into an unencrypted MQTT session - to crash any subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single specially crafted PUBLISH packet. The flaw resides in mqtt_unpack_publish_response() in src/mqtt.c, where the broker-supplied 16-bit topic_name_size field is used to advance a parse pointer without validating it fits within the packet's remaining_length, and the subsequent unsigned subtraction to derive application_message_size wraps to near 2^32 and is passed directly to memmove(). No patched release has been identified at time of analysis; a proof-of-concept is indicated by the CVSS 4.0 E:P supplemental metric, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Buffer Overflow Mqtt C
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.4%
CVE-2026-54411 MEDIUM This Month

Timing side-channel in Linux-PAM's pam_userdb module through version 1.7.2 allows plaintext password recovery by any attacker capable of repeatedly submitting authentication attempts to a service backed by the vulnerable configuration. The module's use of length-prefixed strncmp() (or strncasecmp() with PAM_ICASE_ARG) on plaintext credentials leaks both password length and individual prefix bytes via measurable response-time differences, enabling iterative character-by-character reconstruction of the stored password. Proof-of-concept exploit methodology exists per CVSS 4.0 supplemental metadata (E:P); while no CISA KEV listing was found, the high confidentiality impact (VC:H) and credential-disclosure nature make this a meaningful risk for any deployment relying on pam_userdb in plaintext mode.

Information Disclosure Linux Pam Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-54410 HIGH This Week

Off-by-one buffer overflow in nanoMODBUS through v1.23.0 lets remote unauthenticated attackers write one attacker-controlled byte past a 260-byte receive buffer in the Modbus/TCP server's recv_msg_header() function. The corruption of the adjacent buffer-index field can cause denial of service on all targets and, on bare-metal/RTOS deployments without memory protection, leak one byte of memory and trigger unintended writes through the Write Multiple Registers (FC16) handler. No public exploit identified at time of analysis, but the bug is trivially reachable by sending a crafted MBAP frame with Length=255.

Denial Of Service Information Disclosure Buffer Overflow Nanomodbus
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.5%
CVE-2026-54421 MEDIUM PATCH This Month

Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated operator issues a PATCH request to update authorized fields in a node's volume properties - the API response returns sensitive data such as iSCSI CHAP usernames and secrets in plaintext. The scope change reflected in the CVSS (S:C) is meaningful: leaked storage credentials extend the blast radius beyond Ironic itself to the underlying iSCSI storage infrastructure. Notably, the same volume properties endpoint does not exhibit this behavior on POST requests, isolating the flaw to the PATCH response serialization path. No public exploit code has been identified and the vulnerability is not listed in CISA KEV.

Information Disclosure Ironic Red Hat Suse
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-54420 HIGH POC KEV PATCH THREAT Act Now

Symlink mishandling in LiteSpeed cPanel Plugin before 2.4.8 (and the bundling LiteSpeed WHM PlugIn before 5.3.2.0) lets a low-privileged tenant on a shared CloudLinux/CageFS host escape their per-user filesystem jail by planting symlinks the plugin follows with elevated privileges. The CVE record states the flaw was exploited against shared hosting providers in May 2026, and CVSS 8.5 with Scope:Changed reflects cross-tenant compromise of other customers' files on the same server. No separate KEV listing or public POC is present in the provided intelligence.

Information Disclosure Cpanel Plugin
NVD VulDB GitHub
CVSS 3.1
8.5
EPSS
0.1%
Threat
4.7
CVE-2025-55642 MEDIUM This Month

Divide-by-zero in GPAC's MP4Box AVI demuxer crashes the process when handling crafted media files with zero-declared frame counts. Specifically, avidmx_process() in filters/dmx_avi.c:639 fails to validate the frame count before using it as a divisor during Dasher bitrate computation, triggering an uncaught floating-point exception (FPE) when DASH segmentation is invoked. A public proof-of-concept file exists; exploitation requires no authentication or special privileges beyond delivering a malformed AVI-like input to an affected MP4Box instance. EPSS data is not yet available, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Information Disclosure Gpac
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-41579 Go LOW PATCH GHSA Monitor

Host filesystem integrity violations in runc are triggered when the container runtime processes a malicious OCI image where /dev is configured as a symbolic link rather than a directory. An attacker who can deliver such a crafted image - via a public registry, a supply-chain-compromised base image, or a shared CI/CD pipeline - can cause runc to follow the symlink during container device-node initialization, resulting in limited, unintended write operations on the host filesystem outside the container boundary. The vendor-credited reporter (Aleksa Sarai, a known runc maintainer) describes the impact as 'limited host filesystem integrity violations,' falling short of a full container escape. No public exploit has been identified at time of analysis.

Information Disclosure Runc
NVD GitHub VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-12174 HIGH POC This Week

Format string vulnerability in the D-Link DCS-935L 1.10.01 IP camera allows authenticated remote attackers to corrupt memory and likely achieve information disclosure or code execution by manipulating the data argument passed to snprintf within the /web/cgi-bin/greece/rhea HTTP handler. Publicly available exploit code exists per VulDB submission, though this CVE is not on the CISA KEV list. The CVSS 4.0 score of 7.4 reflects high impact on confidentiality, integrity, and availability with low-privilege authentication required.

D-Link Information Disclosure Dcs 935L
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-11624 CRITICAL PATCH Act Now

Missing Origin/Host header validation in Google's MCP Toolbox for Databases (Model Context Protocol server) prior to v0.25.0 allows remote attackers to reach the locally-bound HTTP server via DNS rebinding from a victim's browser, abusing the bridge to issue arbitrary tool/database commands. The fix introduces a new --allowed-hosts startup flag (companion to the existing --allowed-origins) that validates inbound Host headers, though both flags retain an insecure-by-default '*' value with only a startup warning. No public exploit identified at time of analysis; the issue was reported internally by Google.

Information Disclosure Mcp Toolbox For Databases
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-54230 HIGH This Week

Local privilege escalation via arbitrary root-owned file overwrite affects libreport's ABRT post-create event handler scripts on Red Hat Enterprise Linux 6, 7, and 8. The event scripts write output using shell redirections that lack the O_NOFOLLOW flag, so a local low-privileged user who plants a symlink in a writable crash-dump path can cause the root shell to follow it and clobber any file on the system, which can be leveraged for full system compromise. SSVC rates technical impact as total, but there is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile).

Information Disclosure Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-54229 HIGH This Week

Local privilege escalation in the abrt-dbus D-Bus service on Red Hat Enterprise Linux 6, 7, and 8 allows a low-privileged local user to race the ChownProblemDir method against still-running post-create event handlers. By invoking ChownProblemDir while privileged event scripts hold a write lock on the dump directory, the attacker gains filesystem ownership of files being written by root-context handlers, enabling tampering with privileged output and potential privilege escalation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Race Condition Information Disclosure Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-11442 MEDIUM This Month

Directory traversal in Allegra's exportReport method exposes arbitrary server-side files to authenticated remote attackers, operating in the context of the underlying service account. The flaw affects all tracked versions per the CPE wildcard (cpe:2.3:a:allegra:allegra:*), with Alltena's 9.0.0 release notes referencing the fix. No public exploit code or CISA KEV listing has been identified at time of analysis, and no EPSS data was provided, but the CVSS 6.5 rating reflects a meaningful confidentiality risk for any internet-facing Allegra deployment where user accounts may be broadly provisioned.

Path Traversal Information Disclosure Allegra
NVD VulDB
CVSS 3.0
6.5
EPSS
1.5%
CVE-2026-12068 HIGH This Week

Cross-origin credential disclosure in Avira Password Manager's Firefox extension allows a malicious site embedding the targeted page in an iframe to harvest credentials that the extension autofills into the parent context. The flaw stems from incorrect autofill field selection and affects Windows, macOS, and Linux installations; no public exploit identified at time of analysis but the CVSS 7.4 (S:C/C:H) score reflects the cross-origin trust boundary violation.

Mozilla Microsoft Apple Information Disclosure Avira Password Manager
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-9033 HIGH PATCH This Week

Local code execution in Avira Antivirus engine builds before 8.3.70.76 on Windows, macOS, and Linux is triggered when the scanner processes a malformed PDF file, leading to a heap out-of-bounds read that can corrupt the antivirus engine process. CVSS 7.8 reflects the high impact on confidentiality, integrity, and availability, but exploitation requires the victim to expose the engine to the attacker's file. No public exploit identified at time of analysis.

Microsoft Apple Information Disclosure Buffer Overflow Avira Antivirus
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-9032 HIGH PATCH This Week

Heap out-of-bounds read in the Avira Antivirus scanning engine on Windows, macOS, and Linux (engine builds before 8.3.70.98) allows a malformed Windows PE file to trigger local code execution or crash the antivirus engine process. Because AV engines typically auto-scan files on access, simply writing or dropping a crafted PE onto disk can reach the vulnerable parser, and no public exploit identified at time of analysis. Exploitation requires the victim's AV to scan the file (UI:R), so realistic delivery is via downloads, email attachments, or removable media rather than fully remote unauthenticated execution.

Microsoft Apple Information Disclosure Buffer Overflow Avira Antivirus
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-7017 HIGH PATCH This Week

Local code execution or denial-of-service in Avira Antivirus engine builds prior to 8.3.70.56 occurs when the scanner parses a malformed Windows MSI installer file, triggering a heap out-of-bounds read. The flaw affects deployments on Windows, macOS, and Linux and requires user interaction to place a crafted MSI where the engine will scan it. No public exploit identified at time of analysis and CVSS scores it 7.8 High.

Microsoft Apple Information Disclosure Buffer Overflow Avira Antivirus
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-7011 HIGH PATCH This Week

Local code execution and denial-of-service in Gen Digital antivirus engines (Avast, AVG, Norton, Avast One, Avast Business Antivirus) on Windows, macOS, and Linux stems from a heap out-of-bounds read in the malformed-ZIP/XML scanner across virus definition builds 25020100 through 25021207. An attacker who lures a user into letting the on-access scanner process a crafted archive can crash the antivirus process or potentially execute code in its context. No public exploit identified at time of analysis and the EPSS signal was not provided.

Microsoft Apple Information Disclosure Buffer Overflow Avast Antivirus +4
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-7009 HIGH PATCH This Week

Local code execution or antivirus-process denial-of-service in Gen Digital's shared scanning engine (Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux) is triggered when the engine parses a malformed Windows PE file and performs a heap out-of-bounds read. Mitigation ships via the VPS 25021310 virus definition update rather than a product installer, so any consumer of the Gen Digital definition stream at or above that build is no longer exposed. No public exploit identified at time of analysis, but the bug sits inside a high-privilege scanner that auto-processes attacker-controlled files.

Microsoft Apple Information Disclosure Buffer Overflow Avast Antivirus +4
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-7008 HIGH PATCH This Week

Out-of-bounds heap read in the Gen Digital antivirus scanning engine (Avast, AVG, Norton, Avast One, Avast Business) allows a malformed Windows PE file with crafted .NET metadata to crash the AV process or potentially execute code locally on Windows, macOS, and Linux endpoints running virus definitions prior to VPS 25021310. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the bug is reachable via on-access scanning, meaning any user who receives a malicious file may trigger it without explicit action. UI:R in the CVSS vector and the local attack vector temper the urgency relative to the 7.8 base score.

Microsoft Apple Information Disclosure Buffer Overflow Avast Antivirus +4
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-7006 MEDIUM PATCH This Month

Stack use-after-free in the Gen Digital shared antivirus scanning engine crashes the antivirus process when it parses a malformed Windows PE file. Five Gen Digital products share a common virus definition update stream - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - making all simultaneously vulnerable until the shared definition stream reaches build VPS 25022500. No public exploit has been identified at time of analysis; the impact is limited to a Denial-of-Service of the antivirus process with no confidentiality or integrity loss, and the CVSS score of 5.5 reflects the local, user-interaction-dependent nature of the attack.

Microsoft Apple Information Disclosure Avast Antivirus Avg Antivirus +3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7005 MEDIUM PATCH This Month

Uncontrolled recursion in the Gen Digital shared scanning engine crashes the antivirus process when it encounters a specially crafted malformed Windows PE file, causing a Denial-of-Service across five Gen Digital products - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus - on Windows, macOS, and Linux. The vulnerability resides in the virus definition update stream rather than the product binary itself, meaning all five products sharing the same Gen Digital VPS stream are simultaneously exposed until updated to definition build VPS 25031700 or later. No public exploit code has been identified at time of analysis, and CVSS scores this at medium severity (5.5) reflecting local access and required user interaction as meaningful limiting factors.

Microsoft Apple Information Disclosure Avast Antivirus Avg Antivirus +3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7003 HIGH PATCH This Week

Out-of-bounds heap read in the Avira Antivirus scanning engine triggers when the engine parses a malformed PDF, allowing local code execution or denial-of-service of the antivirus process on Windows, macOS, and Linux engine builds prior to 8.3.70.56. The CVSS 7.8 (High) rating reflects local attack vector with required user interaction (the engine must scan the attacker-supplied file), and no public exploit identified at time of analysis. Because the AV engine typically runs with elevated privileges, successful code execution would inherit those privileges.

Microsoft Apple Information Disclosure Buffer Overflow Avira Antivirus
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-7002 HIGH PATCH This Week

Local code execution and denial-of-service in Avira Antivirus engine builds before 8.3.70.68 allow an attacker to compromise the scanning engine by placing a malformed PDF where the engine will scan it on Windows, macOS, or Linux. The flaw is a heap out-of-bounds read (CWE-125) triggered during PDF parsing, and no public exploit identified at time of analysis. CVSS is 7.8 (high) driven by full C/I/A impact on the local host, but exploitation requires user/scanner interaction with the malicious file.

Microsoft Apple Information Disclosure Buffer Overflow Avira Antivirus
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-41158 HIGH This Week

Local privilege escalation in Imagination Technologies Graphics DDK (GPU kernel driver) allows non-privileged users to issue crafted GPU system calls that perform read/write operations on arbitrary freed physical memory pages, enabling kernel memory corruption. The flaw stems from missing deferred-free handling, meaning the GPU can still access pages after the kernel module has released them. No public exploit identified at time of analysis and EPSS is very low (0.02%), but CVSS 7.8 reflects high local impact on confidentiality, integrity, and availability.

Use After Free Memory Corruption Information Disclosure Graphics Ddk
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-53839 npm MEDIUM PATCH This Month

OpenClaw's retry endpoint authentication check performs hostname prefix matching instead of exact hostname comparison, enabling an authenticated attacker to redirect sensitive authentication material to an attacker-controlled endpoint. All versions before 2026.5.7 are affected per CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*. The CVSS 4.0 vector scores this at 6.0 with high confidentiality impact (VC:H) and a specific attack prerequisite (AT:P); no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53831 npm HIGH PATCH This Week

Information disclosure in OpenClaw before 2026.5.18 lets authenticated operators abuse shell metacharacter expansion within the system.run safe-bin allowlist to read unintended node-local files on POSIX nodes and exfiltrate sensitive configuration data. The flaw bypasses command-policy enforcement because the allowlist validates a literal command string while the underlying shell re-interprets it at execution time. No public exploit identified at time of analysis.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-53826 npm LOW PATCH Monitor

Information disclosure in OpenClaw before 2026.4.26 leaks the real host workspace path through sandboxed session spawning, exposing filesystem location and potentially related memory context to child AI model prompts. Authenticated users with low-privilege access can trigger this by spawning child sessions from sandboxed parent sessions, undermining the isolation guarantees of the sandbox environment. With a CVSS 4.0 score of 2.3, no public exploit code, and no CISA KEV listing, this is a low-severity but architecturally meaningful sandbox escape of information relevant to AI agent deployments.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-54091 Go HIGH PATCH GHSA This Week

Unauthenticated information disclosure in File Browser (filebrowser/filebrowser) versions <= 2.63.5 allows public share recipients to bypass owner-defined deny rules and read or list files explicitly blocked beneath a shared directory. The flaw stems from the public share handler rebasing the filesystem root but evaluating access rules against the rebased relative path rather than the owner's original scope. No public exploit identified at time of analysis, but a detailed PoC accompanies the GHSA advisory and EPSS sits at 0.04% (13th percentile).

Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41155 MEDIUM This Month

Insufficient compartmentalization in the Imagination Technologies Graphics DDK kernel module enables a local, low-privileged attacker to abuse shared secure GPU memory allocations to either covertly pass data between otherwise isolated secure GPU processes or disrupt a peer process, causing image corruption and GPU hardware recovery events. Multiple DDK release trains spanning versions 1.18 RTM through 26.1 RTM are confirmed affected per EUVD-2026-36606. No public exploit exists and SSVC confirms no observed exploitation, but the 'Information Disclosure' tag in the advisory signals a confidentiality dimension that the official CVSS C:N metric does not fully capture.

Information Disclosure Graphics Ddk
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-54096 Go HIGH PATCH GHSA This Week

Improper access control in File Browser (filebrowser/filebrowser, Go) versions <= 2.63.6 lets a user with share/download permissions create a public share for a path that does not yet exist; because the share record stores only a path string and is never bound to a concrete object, the link silently begins exposing whatever file later appears at that path via GET /api/public/dl/<hash>. The flaw mirrors the Android MediaProvider issue CVE-2026-0035 — the create handler omits an existence check before persisting the share. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but a step-by-step PoC is included in the GitHub Security Advisory.

Google Java Information Disclosure
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-44311 npm MEDIUM PATCH GHSA This Month

Cross-site scripting in Fabric.js (npm: fabric) versions prior to 7.4.0 is triggered when applications export canvas content via `canvas.toSVG()` and render the result into the DOM using `innerHTML`. The `color` field within `colorStops` of a `fabric.Gradient` object is inserted into SVG `<stop>` elements without escaping `"`, `<`, or `>`, allowing crafted input to break attribute context and inject arbitrary HTML. A working proof-of-concept is publicly confirmed against v7.2.0; no active exploitation appears in CISA KEV, and the EPSS score of 0.04% reflects low observed exploitation breadth consistent with the chained conditions required.

XSS Information Disclosure Node.js
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-54396 MEDIUM PATCH This Month

User email enumeration in MISP's AuthKey edit endpoint allows any authenticated user holding AuthKey-edit permission to discover the email addresses of arbitrary platform users by manipulating a single POST parameter. The flaw exists in the validation-error rendering path of AuthKeysController.php, where the user dropdown was populated from attacker-controlled request body data rather than the persisted AuthKey owner, enabling systematic iteration over numeric user IDs. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack is trivially reproducible from the description and patch diff alone.

Information Disclosure Misp
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-24618 MEDIUM This Month

Sensitive system information exposure in the Hash Elements WordPress plugin (all versions through 1.5.4) enables authenticated low-privilege users to retrieve embedded sensitive data from the plugin's output or internal responses. Classified under CWE-497, the plugin surfaces system-level information - potentially including API keys, server paths, or configuration values - to parties who should not have access to it. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low authentication barrier (subscriber-level or equivalent WordPress account) broadens the pool of potential abusers on multi-user WordPress installations.

Information Disclosure Hash Elements
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-47264 MEDIUM PATCH This Month

Tag group name disclosure in Discourse exposes restricted organizational metadata to anonymous and unprivileged users via a serializer that omits visibility filtering. Affected release lines are 2026.1.x (before 2026.1.4), 2026.3.x (before 2026.3.1), and 2026.4.x (before 2026.4.1), with the root cause being that DetailedTagSerializer#tag_group_names returned all group memberships without consulting the requesting user's permissions. An unauthenticated attacker can enumerate the names of tag groups restricted to specific user groups or non-visible categories, potentially leaking the internal structure of private forum spaces; no public exploit code has been identified at time of analysis and EPSS is 0.04% (11th percentile), indicating negligible observed exploitation activity.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-47263 MEDIUM PATCH This Month

Unauthorized access to webhook event data in Discourse exposes internal webhook payloads to any authenticated user - or unauthenticated users on instances with login_required disabled - across versions 2026.1.0 through several branch heads. The flaw resides in the MessageBus channel /web_hook_events/<id>, which the Jobs::RedeliverWebHookEvents job publishes to without enforcing group_id restrictions, allowing unrestricted channel subscription. Compounded by trivially enumerable sequential integer webhook IDs, any low-privilege or anonymous actor can iterate over webhook event history without authorization. No public exploit code exists and EPSS is 0.03% (9th percentile), indicating no observed widespread exploitation at time of analysis.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44785 MEDIUM PATCH This Month

Discourse's AI 'explain' helper exposes raw content of hidden posts to any authenticated user with access to the feature, due to an incomplete authorization check on parent posts. Affected instances span three release tracks - 2026.1.x, 2026.3.x, and 2026.4.x - and any user who can invoke the AI helper and find a visible reply to a hidden post can silently read the hidden post's raw text. No public exploit code has been identified and EPSS places exploitation probability at 0.03% (9th percentile), indicating this is a low-urgency but genuine confidentiality bypass for deployments where hidden post content is sensitive.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44784 MEDIUM PATCH This Month

Discourse group owners can retrieve plaintext SMTP credentials - including passwords, usernames, server, port, and SSL mode - from the group history log endpoint (/groups/:name/logs.json), affecting versions 2026.1.0-latest through pre-2026.1.4, 2026.3.0-latest through pre-2026.3.1, and 2026.4.0-latest through pre-2026.4.1. An authenticated group owner who holds no admin or moderator privileges can harvest the exposed SMTP password and use it to send mail impersonating the group's email identity from any external mail client, entirely bypassing Discourse's own sending controls. No public exploit code exists and this vulnerability is not listed in CISA KEV; the EPSS score of 0.03% at the 11th percentile reflects the narrow, configuration-dependent attack surface.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44782 MEDIUM PATCH This Month

Discourse's GroupPostSerializer leaks user real names to authenticated users even when site administrators have explicitly disabled name display via the enable_names site setting. Affected versions span the 2026.1.x, 2026.3.x, and 2026.4.x release lines. An authenticated user querying group post endpoints receives real name data that the platform operator intended to suppress, undermining privacy configurations on Discourse instances that host pseudonymous or anonymous communities. No public exploit code exists and no active exploitation has been identified; the EPSS score of 0.03% (9th percentile) reflects low exploitation probability.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44780 MEDIUM PATCH This Month

Discourse's ReviewableQueuedPostSerializer unconditionally exposes full inbound email source - including SMTP headers, sender trace, mail user agent, and body - to category moderation group members accessing the review queue, bypassing the view_raw_email_allowed_groups trust boundary that restricts the dedicated raw-email endpoint. Affected versions span the 2026.1.x, 2026.3.x, and 2026.4.x series on deployments using Discourse's incoming email feature. No public exploit has been identified and EPSS stands at 0.03% (9th percentile), indicating low automated exploitation probability, though the exposed data - including sender IP addresses and routing headers - presents meaningful privacy and de-anonymization risk to users who submitted posts via email.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44779 MEDIUM PATCH This Month

Discourse platform versions across three active release tracks expose whisper translation audit logs through bot debug endpoints to any authenticated low-privilege user. The vulnerability (CWE-200) exists across release lines 2026.1.x, 2026.3.x, and 2026.4.x, and has been patched by the vendor across all affected tracks. No public exploit exists and EPSS sits at the 9th percentile (0.03%), indicating this is a low-probability exploitation target; however, the exposure of internal moderation audit logs may pose compliance and confidentiality risks on community platforms handling sensitive staff communications.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44786 HIGH PATCH This Week

Information disclosure in Discourse discussion platform allows any MessageBus subscriber to receive real-time chat message payloads from public category channels without proper permission scoping, even when chat is not enabled for that user. The flaw affects versions 2026.1.0 through 2026.1.3, 2026.3.0 through 2026.3.0, and 2026.4.0 through 2026.4.0, and is fixed in 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. No public exploit identified at time of analysis, but the unauthenticated network attack vector makes this a meaningful confidentiality concern for forums leveraging chat.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-53725 npm MEDIUM PATCH GHSA This Month

Parse Server 9.8.0-9.9.0 exposes raw MFA TOTP secrets and recovery codes through the /verifyPassword and /login endpoints when the _User class-level permission (CLP) is configured to deny get operations. An attacker with knowledge of a victim's username and password can call /verifyPassword without a session token or MFA token and receive the victim's plaintext TOTP secret and recovery codes in the response, completely defeating the second authentication factor. No public exploit has been identified at time of analysis; a patch exists in version 9.9.1-alpha.5, and the EPSS score of 0.04% (13th percentile) reflects limited opportunistic exploitation so far.

Information Disclosure Node.js Parse Server
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-50099 MEDIUM CISA This Month

WiFi credential exposure in Naxclow IoT device firmware (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows any attacker with brief physical access to recover host network SSID, PSK, and negotiated WPA keys printed in cleartext to a labeled, production-accessible UART debug console. The UART interface drops to an unauthenticated interactive RT-Thread shell, enabling arbitrary memory reads and full firmware extraction - escalating a credential-theft opportunity into a platform for deeper firmware-level compromise. Reported via CISA ICS-CERT advisory ICSA-26-162-02; no public exploit code identified, though the attack requires only commodity serial hardware and minimal technical knowledge.

Information Disclosure Smart Doorbell X3 X Smart Home V720 Ix Cam
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-42932 MEDIUM CISA This Month

Device identifier enumeration across Naxclow's IoT product line - including the Smart Doorbell X3, X Smart Home platform, V720, and IX Cam - allows unauthenticated remote attackers to build a complete inventory of active devices deployed in the field. The identifier scheme combines fixed manufacturing prefixes with sequential counters (CWE-340), and the platform compounds this by exposing an endpoint that reveals the current identifier high-water mark, effectively handing attackers a starting point for a full sweep. Reported by ICS-CERT under ICSA-26-162-02, this is a platform-wide architectural flaw; no public exploit or KEV listing is confirmed at time of analysis, but the low complexity and zero-authentication barrier make opportunistic enumeration trivially achievable.

Information Disclosure Smart Doorbell X3 X Smart Home V720 Ix Cam
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-50101 CRITICAL CISA Emergency

Persistent credential exposure in Naxclow smart cameras and doorbells (Smart Doorbell X3, X Smart Home, V720, ix Cam) allows anyone who obtains a device's server-side relay credential to maintain indefinite access to that device's relay channel. Because the credential is re-issued unchanged on every boot and cannot be rotated, reset, or revoked by the owner, even factory resets and re-onboarding do not evict an attacker. No public exploit identified at time of analysis, and EPSS/KEV signals are not provided in the input.

Information Disclosure Smart Doorbell X3 X Smart Home V720 Ix Cam
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-47216 HIGH PATCH This Week

Unauthenticated denial-of-service in Typesense search engine versions prior to 29.1 and 30.2 allows remote attackers to terminate the server process by sending a crafted request to the /multi_search endpoint. The flaw triggers an unhandled exception during request processing, causing complete service unavailability for the duration of restart and dataset reload. No public exploit identified at time of analysis, and the low EPSS score (0.10%) suggests limited current exploitation interest despite the high CVSS 4.0 score of 8.7.

Information Disclosure Typesense
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-47225 MEDIUM PATCH This Month

Cache isolation failure in Typesense's search engine exposes restricted search results across Scoped Search API Key authorization boundaries. When server-side caching and Scoped API Keys are both active, a specific sequence of requests can cause the cache to serve results to a scoped requester that were originally populated by a less-restricted context, effectively bypassing the embedded filter constraints of that key. Versions prior to 29.1 and 30.2 are affected; vendor-released patches exist in both release lines, with no public exploit identified and an EPSS of 0.05% (15th percentile) confirming low current exploitation probability.

Information Disclosure Typesense
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-47223 MEDIUM PATCH This Month

Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser allows unauthenticated remote attackers to read up to approximately 4 GiB of heap memory or crash the application by delivering a crafted archive to a Windows user who opens it. Affected versions span 3.0.1000.0 through all releases before 6.0.1698.0, with the vulnerability rooted in an inherited integer overflow flaw in 7-Zip's upstream AvbHandler. No public exploit code or active exploitation has been identified; an EPSS score of 0.05% (15th percentile) confirms negligible current threat activity, and this CVE does not appear in the CISA KEV catalog.

Microsoft Google Information Disclosure Buffer Overflow Nanazip
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47224 MEDIUM PATCH This Month

Heap out-of-bounds read in NanaZip's inherited 7-Zip LvmHandler component allows an unauthenticated remote attacker to crash the application or potentially expose heap memory by tricking a user into opening a maliciously crafted LVM2 disk image. All NanaZip installations from version 3.0.1000.0 up to (but not including) 6.0.1698.0 on Windows are vulnerable. No public exploit code or active exploitation has been identified; an EPSS score of 0.04% at the 11th percentile reflects very low real-world exploitation probability.

Microsoft Information Disclosure Buffer Overflow Nanazip
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-47222 MEDIUM PATCH This Month

Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser crashes the application and may leak heap memory contents when a victim opens a crafted .avb or .img file. Affected versions span 3.0.1000.0 through any release before 6.0.1698.0, covering a wide install base of Windows users. No public exploit code exists and EPSS sits at 0.05% (15th percentile), indicating low current exploitation interest, though the deterministic crash behavior lowers the bar for denial-of-service abuse.

Microsoft Information Disclosure Denial Of Service Google Buffer Overflow +1
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-6046 MEDIUM This Month

Private message interception in Mattermost affects versions 11.6.x through 11.6.1, 11.5.x through 11.5.4, and 10.11.x through 10.11.16, allowing a low-privileged attacker to receive plugin-generated direct messages intended for bot accounts. The flaw stems from the bot registration flow failing to verify that a claimed username actually belongs to a bot account, enabling an attacker who pre-registers a human account using a predictable plugin bot username to silently hijack those message channels. No public exploit code exists at time of analysis, and exploitation requires both an existing user account and advance knowledge of the target bot's username.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7184 MEDIUM This Month

Remote cluster authentication token disclosure in Mattermost's Secure Connections feature allows authenticated users holding the manage_secure_connections permission to retrieve plaintext inter-cluster credentials via a crafted PATCH request. Affected deployments span versions 10.11.x through 10.11.15, 11.5.x through 11.5.4, and 11.6.x through 11.6.1, with a CVSS-rated High confidentiality impact (6.5). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but successful exploitation could undermine the trust model of federated multi-cluster deployments.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3433 MEDIUM This Month

Mattermost's WebSocket layer improperly broadcasts `role_updated` events to all authenticated connections regardless of team or channel membership, enabling guest-level authenticated users to observe permission scheme change notifications for private teams they do not belong to. Affected versions span the 10.11.x, 11.5.x, and 11.6.x release lines. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and broad version impact make patching a straightforward priority for any Mattermost deployment with guest accounts enabled.

Mattermost Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-50091 HIGH PATCH This Week

Hard-coded cryptographic keys in the Aqara Home Android app (com.lumiunited.aqarahome) 6.0.0 and white-label clients embedding the same liblumidevsdk.so let attackers who extract the static keys from the shipped binary decrypt protected data and forge or tamper with device/cloud communications. Because every install ships the identical embedded keys, a single extraction compromises confidentiality and integrity across the entire installed base. Reported by runZero (CVE-2026-50091 / EUVD-2026-36481); publicly available exploit code exists (GitHub PoC 'theres-no-place-like-home'), but it is not on CISA KEV and EPSS is very low at 0.03%.

Google Information Disclosure Com Lumiunited Aqarahome
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-50088 MEDIUM PATCH This Month

Cross-origin information disclosure in the Aqara Developer Portal (developer.aqara.com) and its shared test environments (developer-test.aqara.com, aiot-test.aqara.com) allows a malicious website to read authenticated responses from any victim developer who visits it, exposing portal data tied to IoT/smart-home developer accounts. The flaw is a permissive CORS policy (CWE-942) that trusts untrusted origins; runZero disclosed it and no public exploit identified at time of analysis, though the technique is well-known and trivially scriptable.

Cors Misconfiguration Information Disclosure Aqara Developer Portal Aqara Developer Test Portal
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-50087 MEDIUM PATCH This Month

Cross-origin information disclosure in the Aqara IAM/SSO gateway (gw-builder.aqara.com) allows attacker-controlled web origins to read authenticated user data by exploiting a permissive CORS policy that trusts arbitrary domains. The flaw, scored CVSS 8.2 with scope change due to credential exposure crossing the browser/identity-provider trust boundary, affects all users of Aqara's centralized smart-home identity service and can be triggered when a logged-in victim visits an attacker-hosted page. A public GitHub repository (xn0tsa/theres-no-place-like-home) is linked from the advisory, so publicly available exploit code exists, though no CISA KEV listing or EPSS signal is provided.

Cors Misconfiguration Information Disclosure Aqara Iam Sso Gateway
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-9641 MEDIUM PATCH This Month

Crypt::PBKDF2 for Perl prior to version 0.261630 ships with critically weak password-hashing defaults - HMAC-SHA1 as the pseudorandom function and only 1,000 iterations - leaving derived keys and stored passwords highly vulnerable to offline brute-force attacks. Applications that do not explicitly override these defaults expose any compromised credential store to cracking at rates orders of magnitude faster than OWASP-recommended configurations (220,000-1,400,000 iterations depending on algorithm). No public exploit is identified at time of analysis and the CVE is not listed in CISA KEV, but the structural nature of CWE-916 means all previously generated hashes using the weak defaults remain exploitable even after upgrading the library unless proactively rehashed.

Information Disclosure Crypt Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-50020 Maven MEDIUM POC PATCH GHSA This Month

HTTP request smuggling in Netty's HttpObjectDecoder (netty-codec-http) allows unauthenticated remote attackers to manipulate request-boundary parsing in pipelined or multiplexed deployments by injecting non-CRLF ISO control characters (NUL, SOH, STX, etc.) before the HTTP request-line. Affected are all Netty releases prior to 4.1.135.Final and 4.2.15.Final; both branches have vendor-confirmed patches. No public exploit code has been identified and EPSS is 0.04% (12th percentile), indicating low current exploitation likelihood, though the attack surface expands significantly in architectures fronted by proxies or load balancers that strip or interpret those control bytes differently than Netty does.

Request Smuggling Information Disclosure Netty Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44967 MEDIUM PATCH This Month

Memory exhaustion in opentelemetry-cpp OTLP HTTP exporters (traces, metrics, logs) prior to 1.27.0 allows an attacker who controls the configured collector endpoint - or occupies a MITM position on the network path - to crash the instrumented process by returning an arbitrarily large HTTP response body. The curl-based HTTP client read response data into an unbounded in-memory buffer via io-equivalent copy with no size limit, making peak heap allocation entirely attacker-controlled. No public exploit has been identified at time of analysis, and EPSS at 0.02% (6th percentile) indicates low opportunistic exploitation probability, though the targeted threat model (supply-chain-adjacent collector compromise) is realistic in telemetry-heavy environments.

Information Disclosure Opentelemetry Cpp
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-50010 Maven HIGH PATCH GHSA This Week

TLS hostname verification is silently disabled in Netty's netty-handler module for any client built with SslContextBuilder.forClient().trustManager(somePlainX509TrustManager), allowing network attackers in a man-in-the-middle position to present a valid certificate for any host and intercept supposedly encrypted traffic. Affects all Netty versions prior to 4.1.135.Final and 4.2.15.Final; no public exploit identified at time of analysis and EPSS is very low (0.04%), but the defect bypasses a core TLS protection that Netty 4.2 explicitly advertises as enabled by default.

Jwt Attack Information Disclosure Netty
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-50009 Maven MEDIUM PATCH GHSA This Month

Stateless reset token leakage in Netty's QUIC codec (io.netty:netty-codec-classes-quic prior to 4.2.15.Final) enables an on-path attacker to derive the reset token for active connections and terminate them via spoofed Stateless Reset packets. The default HMAC-based generators expose a deterministic relationship between the source connection ID visible in QUIC headers and the server's stateless reset token - after a source-CID rotation, an observer can compute the token from the new connection-ID bytes. No public exploit identified at time of analysis; the CVSS 4.8 Medium rating reflects the on-path attacker prerequisite (AC:H), which meaningfully limits opportunistic exploitation.

Information Disclosure Denial Of Service Netty
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-9638 HIGH PATCH This Week

Predictable salt generation in the Perl Crypt::PBKDF2 module before version 0.261630 weakens the cryptographic strength of derived password hashes. The module uses Perl's built-in rand() function - a non-cryptographic PRNG - to generate salt values, making salts guessable and enabling precomputation attacks against stored password hashes. No public exploit identified at time of analysis, but a vendor patch is available and the issue was responsibly disclosed by CPANSec.

Information Disclosure Crypt Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44206 MEDIUM PATCH This Month

DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthenticated remote attackers via a vulnerable endpoint. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, making this accessible to any internet-facing instance. While limited to low confidentiality impact (VC:L) with no integrity or availability consequences, schema information can inform targeted follow-on attacks against the application's data layer. No public exploit has been identified at time of analysis, and EPSS of 0.02% (7th percentile) indicates low current exploitation probability.

Information Disclosure Frappe
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-54133 CRITICAL POC PATCH Act Now

Remote code execution in jmespath.php versions prior to 2.9.1 allows attackers controlling JMESPath expressions to inject arbitrary PHP into compiler-generated cache files, which are then loaded and executed by JmesPath\CompilerRuntime. The flaw stems from insufficient escaping of parsed function names when the compiler emits PHP source, enabling code execution whenever an application evaluates untrusted expressions through the compiler runtime. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects unauthenticated network-reachable RCE in any web app that pipes user input into the compiler.

PHP Information Disclosure Jmespath Php
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-1836 MEDIUM PATCH This Month

Credential exposure in Redmine allows any local attacker with access to a previously-used browser session to recover plaintext login credentials stored by the application after form submission. The flaw (CWE-257) affects all tracked Redmine versions per NVD CPE data and represents a classic insecure credential storage issue. No public exploit has been identified at time of analysis, and exploitation is constrained to local attack vectors requiring prior user interaction.

Information Disclosure Redmine
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2017-20240 MEDIUM PATCH This Month

Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Crypt Suse
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-12066 MEDIUM POC This Month

Weak password recovery in PbootCMS up to 3.2.12 allows remote unauthenticated attackers to take over user accounts by manipulating the `checkcode`, `username`, `password`, and `email` parameters in the `retrieve` function of `apps/home/controller/MemberController.php`. The recovery mechanism fails to adequately validate or protect the verification token, enabling bypass of the intended authentication challenge during the password reset flow. A public proof-of-concept exploit explicitly titled 'Account-Takeover' is available on GitHub, elevating the realistic risk beyond the conservative base score of 6.9.

PHP Information Disclosure Pbootcms
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-49993 npm MEDIUM POC PATCH GHSA This Month

Source code exfiltration in Nuxt's @nuxt/webpack-builder and @nuxt/rspack-builder (versions 3.15.4-3.21.6 and 4.0.0-alpha.1-4.4.6) enables a LAN-adjacent attacker to read a developer's full application source from the webpack dev server when it is bound to a non-loopback address via `nuxt dev --host`. This is a second incomplete fix in a chain stemming from GHSA-4gf7-ff8x-hq99: the previous patch (GHSA-6m52-m754-pw2g) relied on Sec-Fetch-* metadata headers that browsers silently omit for non-trustworthy (plain HTTP) origins, leaving a bypass when an attacker page strips all three identifying headers (Sec-Fetch-Site, Origin, Referer) simultaneously. A proof-of-concept JavaScript payload is documented in the GHSA advisory; EPSS is very low at 0.02% (7th percentile) and no CISA KEV entry exists, reflecting the narrow exploitation conditions required.

Information Disclosure Nuxt
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-47729 MEDIUM POC PATCH This Month

Squid proxy server is affected by CVE-2026-47729, disclosed alongside CVE-2026-50012 in a single oss-security post dated 2026-06-12 by Amos Jeffries. This is a pre-NVD disclosure, meaning technical details, affected versions, CVSS scores, and patch information have not yet been published to the NVD. No exploit code has been identified at time of analysis, and CISA KEV status is not confirmed.

Information Disclosure Buffer Overflow
NVD VulDB GitHub
CVSS 3.1
6.5
EPSS
1.9%
CVE-2026-50012 MEDIUM PATCH This Month

Squid caching proxy is affected by CVE-2026-50012, disclosed via the oss-security mailing list on 2026-06-12 as a pre-NVD advisory. No technical details - description, affected versions, vulnerability class, or impact - have been made available in the current intelligence snapshot. The advisory was bundled with a sibling disclosure (CVE-2026-47729) from the same Squid maintainer post, suggesting a coordinated release, but no further differentiation between the two CVEs is derivable from available data. No exploitation, no KEV listing, and no EPSS score are present at time of analysis.

Information Disclosure
NVD VulDB GitHub
CVSS 3.1
5.5
EPSS
2.3%
CVE-2026-12065 LOW POC Monitor

Improper authorization in the WebView URL Handler of the Groww Stock, Mutual Fund, Gold App for Android (all versions up to build 20260805) allows a low-privileged attacker with physical device access to invoke custom URL scheme handlers without proper authorization, enabling unauthorized in-app navigation or bypass of client-side access controls. The CVSS 4.0 score of 0.3 reflects severe exploitation constraints: physical access is mandatory, attack complexity is high, and impact is limited to low integrity compromise with no confirmed confidentiality exposure. A public proof-of-concept is available on GitHub and Google Drive; the vulnerability is not listed in CISA KEV and no vendor patch has been confirmed at time of analysis.

Google Information Disclosure Stock Mutual Fund Gold App
NVD VulDB GitHub
CVSS 4.0
0.3
EPSS
0.0%
CVE-2026-48485 LOW PATCH Monitor

Mention injection in Quest Bot prior to version 1.1.6 allows Discord server moderators to embed @everyone or @here mass-ping triggers inside warning reasons, which are later replayed unsanitized when the /warns command outputs stored records. While the bot correctly suppresses Discord mentions during warning creation and several other moderation actions (unbanning, unwarning, kicking, muting, unmuting), the /warns display path lacks equivalent output encoding, creating an inconsistent trust boundary. The issue is patched in version 1.1.6 with no public exploit code identified at time of analysis.

Information Disclosure Questbot
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-47196 HIGH PATCH This Week

Improper input validation in Quest Bot (an open-source Discord bot) prior to version 1.1.6 lets a guild moderator weaponize the automod feature to delete every non-bot message in a server. By submitting whitespace-only input to the automod add command, the trimmed empty string is stored as a rule and the message listener's content.includes("") check evaluates true for all messages. No public exploit identified at time of analysis, though the trigger is trivial to reproduce by anyone with permission to configure automod rules.

Information Disclosure Questbot
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-9266 HIGH This Week

Disk encryption bypass in Moxa UC-1200A series industrial computers allows an attacker with invasive physical access to recover the LUKS disk encryption key by sniffing the SPI bus between the CPU and TPM2 chip. The flaw is an incomplete fix for CVE-2026-0714 - Moxa added TPM2 parameter encryption but misconfigured the authorization session so the encryption provides no real protection. No public exploit identified at time of analysis, and the CVSS 4.0 vector (AV:P) reflects that exploitation is bounded to attackers who can physically open the device.

Information Disclosure Uc 1200A Series
NVD VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-9271 MEDIUM POC PATCH This Month

Vulnerability Title

Information Disclosure Keepinmind Dashboard Notes
NVD WPScan VulDB Exploit-DB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-20746 MEDIUM PATCH This Month

PingDirectory's virtual attribute processing exposes an authenticated denial-of-service path capable of exhausting the Java heap, with cascading availability, confidentiality, and integrity impacts on all downstream identity-dependent systems. Authorized users with elevated directory privileges can trigger progressive, unreclaimed heap allocation by copying virtual attributes referencing `ds-privilege-name` values while recent login history is active. The vendor-assigned CVSS 4.0 score of 6.3 (Amber urgency) masks notably high subsequent-system impact ratings (SC:H/SI:H/SA:H), reflecting that the real organizational risk lies not in PingDirectory itself but in the authentication and authorization disruption cascading to every application integrated with the directory; no public exploit code or CISA KEV listing has been identified at time of analysis.

Java Information Disclosure Pingdirectory
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-45170 HIGH PATCH This Week

Improper TLS certificate validation in CyberArk (Palo Alto Networks) Privilege Cloud Connector (PAM SH Connector, branded 'Idira') versions prior to 1.1.100504 allows adjacent-network attackers to intercept or tamper with privileged-access traffic under specific configuration scenarios. The flaw is rated CVSS 4.0 7.5 with no public exploit identified at time of analysis, but the Connector's role as a broker for secrets and privileged sessions makes successful exploitation highly impactful. Reported by Palo Alto with disclosure tracked under CyberArk Security Bulletin CA26-17.

Information Disclosure Pam Sh Connector
NVD VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-49482 MEDIUM This Month

SQL wildcard character injection in ClipBucket v5's subtitle editing endpoint allows authenticated users to overwrite all subtitle titles across every video they own in a single HTTP request. Affected versions are all releases prior to 5.5.3 - #141 of the open-source video sharing platform maintained by MacWarrior. No public exploit exists and the vulnerability is not listed in CISA KEV, but the trivial exploitation mechanism (a single % character) means any authenticated account could cause bulk subtitle data corruption against their own content.

Information Disclosure Clipbucket V5
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45060 CRITICAL Act Now

Unauthenticated blind SQL injection in ClipBucket v5 prior to version 5.5.3 - #129 allows remote attackers to exfiltrate arbitrary database contents via the ids parameter of the actions/progress_video.php endpoint. The flaw carries a critical CVSS 9.8 score and no public exploit identified at time of analysis, but the trivial network-reachable attack surface on a public-facing video sharing platform makes opportunistic scanning likely. Vendor patch is available in 5.5.3 - #129 per the GHSA advisory.

PHP SQLi Information Disclosure Clipbucket V5
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-45418 HIGH This Week

Authenticated SQL injection in ClipBucket v5 prior to release 5.5.3 - #132 allows any user with video-upload privileges to exfiltrate database contents via the POST /actions/subtitle_edit.php endpoint. The vulnerable 'number' parameter handling enables boolean-based blind SQLi, and no public exploit is identified at time of analysis though the GitHub Security Advisory (GHSA-q233-m544-6jqr) documents the issue in detail.

PHP SQLi Information Disclosure Clipbucket V5
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-45174 HIGH PATCH This Week

Local privilege/integrity compromise in CyberArk Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allows an authenticated local attacker to interfere with the agent daemon's initialization sequence, potentially undermining the endpoint privilege controls the product is meant to enforce. The CVSS 4.0 score of 8.5 reflects high impact on confidentiality, integrity, and availability of the vulnerable system, though exploitation requires existing local access with low privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Idira Endpoint Privilege Manager
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Unauthenticated information disclosure in HKUDS AI-Trader exposes the Research Export endpoint (`/api/research/agents.csv`) to any remote attacker without credentials, leaking proprietary research output in CSV format. The vendor explicitly confirmed the pre-patch state lacked access control: 'Research export endpoints now require an authenticated agent with the research_exports capability.' A public proof-of-concept exploit exists (CVSS 4.0: 6.9, E:P), and the upstream fix is available via commit 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65; no active exploitation is confirmed in CISA KEV at this time.

Information Disclosure Ai Trader
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Permission misconfiguration in IObit Malware Fighter's DLL Handler component (versions up to 13.2.0) allows a local low-privileged attacker to exploit insecure resource permissions, resulting in low-severity confidentiality, integrity, and availability impacts. The vulnerability stems from CWE-275 (Improper Permission Assignment for a Resource), and a public proof-of-concept exploit is available via GitHub and a researcher blog post. The vendor was notified prior to disclosure but did not respond, meaning no official patch or mitigation guidance has been issued.

Information Disclosure Malware Fighter
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.

Information Disclosure N A
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Server impersonation in OCaml-TLS before 2.1.0 allows a malicious TLS server to present a certificate not intended for server authentication and still be accepted by client code, enabling man-in-the-middle and impersonation attacks against any application linking the library as a TLS client. The client fails to validate KeyUsage and ExtendedKeyUsage extensions properly, breaking a core PKIX trust assumption. No public exploit identified at time of analysis and EPSS sits at 0.15% (4th percentile), but the CVSS 9.1 reflects the broad confidentiality and integrity impact on encrypted sessions.

Information Disclosure N A
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

An issue in Observeinc's Observe v.2026-01-28 and before allows a remote attacker to obtain sensitive information via the CSV Log export component.

Information Disclosure N A
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Arbitrary file write in remotion-dev Remotion v4.0.409 allows remote attackers to write attacker-controlled content to arbitrary filesystem locations without authentication, per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) and CWE-123 (Write-what-where) classification. Remotion is a React-based programmatic video rendering framework, and the flaw can lead to integrity and availability compromise of the host running the rendering engine. No public exploit identified at time of analysis, and the EPSS score of 0.15% (4th percentile) indicates low predicted exploitation likelihood despite the high CVSS score.

Information Disclosure N A
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass in OCaml-TLS server implementations before version 2.1.0 allows remote attackers to impersonate legitimate clients during mutual TLS authentication by presenting certificates whose KeyUsage and ExtendedKeyUsage extensions do not authorize client authentication. The server fails to enforce these X.509 certificate purpose constraints, so any valid certificate chain trusted by the server may be accepted regardless of intended use. EPSS probability is low (0.12%, 2nd percentile) and no public exploit identified at time of analysis, but the CVSS 9.1 reflects the high impact on confidentiality and integrity of mTLS-protected services.

Information Disclosure N A
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Improper authorization in the custom URL scheme handler of Genspark AI Workspace App 2.8.4 on Android allows a local low-privileged attacker to invoke restricted application functionality via the ai.mainfunc.genspark component without proper access control. The flaw is classified under CWE-939, affecting inter-app communication on Android where the URL scheme handler fails to verify the caller's authorization. No patch is available as the vendor did not respond to responsible disclosure; no public exploit or CISA KEV confirmation exists at time of analysis.

Google Information Disclosure Ai Workspace App
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Improper authorization in Moovit Bus & Public Transit App 1.18 on Android exposes the com.tranzmate custom URL scheme handler to invocation by any locally installed application without proper authorization checks, enabling information disclosure and limited unauthorized manipulation of app functionality. The vulnerability is classified as CWE-939 and is restricted to local attack vectors, meaning a co-resident malicious application on the same Android device is required to trigger it. A proof-of-concept exploit has been publicly released via GitHub and Google Drive, and the vendor did not respond to responsible disclosure - no patch is confirmed available at time of analysis.

Google Information Disclosure Bus Public Transit App
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Heap-based out-of-bounds read and integer underflow in LiamBindle MQTT-C (all versions through 1.1.6) allows a remote attacker who controls an MQTT broker - or who can inject packets into an unencrypted MQTT session - to crash any subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single specially crafted PUBLISH packet. The flaw resides in mqtt_unpack_publish_response() in src/mqtt.c, where the broker-supplied 16-bit topic_name_size field is used to advance a parse pointer without validating it fits within the packet's remaining_length, and the subsequent unsigned subtraction to derive application_message_size wraps to near 2^32 and is passed directly to memmove(). No patched release has been identified at time of analysis; a proof-of-concept is indicated by the CVSS 4.0 E:P supplemental metric, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Buffer Overflow Mqtt C
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Timing side-channel in Linux-PAM's pam_userdb module through version 1.7.2 allows plaintext password recovery by any attacker capable of repeatedly submitting authentication attempts to a service backed by the vulnerable configuration. The module's use of length-prefixed strncmp() (or strncasecmp() with PAM_ICASE_ARG) on plaintext credentials leaks both password length and individual prefix bytes via measurable response-time differences, enabling iterative character-by-character reconstruction of the stored password. Proof-of-concept exploit methodology exists per CVSS 4.0 supplemental metadata (E:P); while no CISA KEV listing was found, the high confidentiality impact (VC:H) and credential-disclosure nature make this a meaningful risk for any deployment relying on pam_userdb in plaintext mode.

Information Disclosure Linux Pam Red Hat +1
NVD GitHub VulDB
EPSS 1% CVSS 7.8
HIGH This Week

Off-by-one buffer overflow in nanoMODBUS through v1.23.0 lets remote unauthenticated attackers write one attacker-controlled byte past a 260-byte receive buffer in the Modbus/TCP server's recv_msg_header() function. The corruption of the adjacent buffer-index field can cause denial of service on all targets and, on bare-metal/RTOS deployments without memory protection, leak one byte of memory and trigger unintended writes through the Write Multiple Registers (FC16) handler. No public exploit identified at time of analysis, but the bug is trivially reachable by sending a crafted MBAP frame with Length=255.

Denial Of Service Information Disclosure Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated operator issues a PATCH request to update authorized fields in a node's volume properties - the API response returns sensitive data such as iSCSI CHAP usernames and secrets in plaintext. The scope change reflected in the CVSS (S:C) is meaningful: leaked storage credentials extend the blast radius beyond Ironic itself to the underlying iSCSI storage infrastructure. Notably, the same volume properties endpoint does not exhibit this behavior on POST requests, isolating the flaw to the PATCH response serialization path. No public exploit code has been identified and the vulnerability is not listed in CISA KEV.

Information Disclosure Ironic Red Hat +1
NVD VulDB
EPSS 0% 4.7 CVSS 8.5
HIGH POC KEV PATCH THREAT Act Now

Symlink mishandling in LiteSpeed cPanel Plugin before 2.4.8 (and the bundling LiteSpeed WHM PlugIn before 5.3.2.0) lets a low-privileged tenant on a shared CloudLinux/CageFS host escape their per-user filesystem jail by planting symlinks the plugin follows with elevated privileges. The CVE record states the flaw was exploited against shared hosting providers in May 2026, and CVSS 8.5 with Scope:Changed reflects cross-tenant compromise of other customers' files on the same server. No separate KEV listing or public POC is present in the provided intelligence.

Information Disclosure Cpanel Plugin
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Divide-by-zero in GPAC's MP4Box AVI demuxer crashes the process when handling crafted media files with zero-declared frame counts. Specifically, avidmx_process() in filters/dmx_avi.c:639 fails to validate the frame count before using it as a divisor during Dasher bitrate computation, triggering an uncaught floating-point exception (FPE) when DASH segmentation is invoked. A public proof-of-concept file exists; exploitation requires no authentication or special privileges beyond delivering a malformed AVI-like input to an affected MP4Box instance. EPSS data is not yet available, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Information Disclosure Gpac
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Host filesystem integrity violations in runc are triggered when the container runtime processes a malicious OCI image where /dev is configured as a symbolic link rather than a directory. An attacker who can deliver such a crafted image - via a public registry, a supply-chain-compromised base image, or a shared CI/CD pipeline - can cause runc to follow the symlink during container device-node initialization, resulting in limited, unintended write operations on the host filesystem outside the container boundary. The vendor-credited reporter (Aleksa Sarai, a known runc maintainer) describes the impact as 'limited host filesystem integrity violations,' falling short of a full container escape. No public exploit has been identified at time of analysis.

Information Disclosure Runc
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

Format string vulnerability in the D-Link DCS-935L 1.10.01 IP camera allows authenticated remote attackers to corrupt memory and likely achieve information disclosure or code execution by manipulating the data argument passed to snprintf within the /web/cgi-bin/greece/rhea HTTP handler. Publicly available exploit code exists per VulDB submission, though this CVE is not on the CISA KEV list. The CVSS 4.0 score of 7.4 reflects high impact on confidentiality, integrity, and availability with low-privilege authentication required.

D-Link Information Disclosure Dcs 935L
NVD VulDB GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Missing Origin/Host header validation in Google's MCP Toolbox for Databases (Model Context Protocol server) prior to v0.25.0 allows remote attackers to reach the locally-bound HTTP server via DNS rebinding from a victim's browser, abusing the bridge to issue arbitrary tool/database commands. The fix introduces a new --allowed-hosts startup flag (companion to the existing --allowed-origins) that validates inbound Host headers, though both flags retain an insecure-by-default '*' value with only a startup warning. No public exploit identified at time of analysis; the issue was reported internally by Google.

Information Disclosure Mcp Toolbox For Databases
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation via arbitrary root-owned file overwrite affects libreport's ABRT post-create event handler scripts on Red Hat Enterprise Linux 6, 7, and 8. The event scripts write output using shell redirections that lack the O_NOFOLLOW flag, so a local low-privileged user who plants a symlink in a writable crash-dump path can cause the root shell to follow it and clobber any file on the system, which can be leveraged for full system compromise. SSVC rates technical impact as total, but there is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile).

Information Disclosure Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +1
NVD VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Local privilege escalation in the abrt-dbus D-Bus service on Red Hat Enterprise Linux 6, 7, and 8 allows a low-privileged local user to race the ChownProblemDir method against still-running post-create event handlers. By invoking ChownProblemDir while privileged event scripts hold a write lock on the dump directory, the attacker gains filesystem ownership of files being written by root-context handlers, enabling tampering with privileged output and potential privilege escalation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Race Condition Information Disclosure Red Hat Enterprise Linux 6 +2
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM This Month

Directory traversal in Allegra's exportReport method exposes arbitrary server-side files to authenticated remote attackers, operating in the context of the underlying service account. The flaw affects all tracked versions per the CPE wildcard (cpe:2.3:a:allegra:allegra:*), with Alltena's 9.0.0 release notes referencing the fix. No public exploit code or CISA KEV listing has been identified at time of analysis, and no EPSS data was provided, but the CVSS 6.5 rating reflects a meaningful confidentiality risk for any internet-facing Allegra deployment where user accounts may be broadly provisioned.

Path Traversal Information Disclosure Allegra
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Cross-origin credential disclosure in Avira Password Manager's Firefox extension allows a malicious site embedding the targeted page in an iframe to harvest credentials that the extension autofills into the parent context. The flaw stems from incorrect autofill field selection and affects Windows, macOS, and Linux installations; no public exploit identified at time of analysis but the CVSS 7.4 (S:C/C:H) score reflects the cross-origin trust boundary violation.

Mozilla Microsoft Apple +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution in Avira Antivirus engine builds before 8.3.70.76 on Windows, macOS, and Linux is triggered when the scanner processes a malformed PDF file, leading to a heap out-of-bounds read that can corrupt the antivirus engine process. CVSS 7.8 reflects the high impact on confidentiality, integrity, and availability, but exploitation requires the victim to expose the engine to the attacker's file. No public exploit identified at time of analysis.

Microsoft Apple Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap out-of-bounds read in the Avira Antivirus scanning engine on Windows, macOS, and Linux (engine builds before 8.3.70.98) allows a malformed Windows PE file to trigger local code execution or crash the antivirus engine process. Because AV engines typically auto-scan files on access, simply writing or dropping a crafted PE onto disk can reach the vulnerable parser, and no public exploit identified at time of analysis. Exploitation requires the victim's AV to scan the file (UI:R), so realistic delivery is via downloads, email attachments, or removable media rather than fully remote unauthenticated execution.

Microsoft Apple Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution or denial-of-service in Avira Antivirus engine builds prior to 8.3.70.56 occurs when the scanner parses a malformed Windows MSI installer file, triggering a heap out-of-bounds read. The flaw affects deployments on Windows, macOS, and Linux and requires user interaction to place a crafted MSI where the engine will scan it. No public exploit identified at time of analysis and CVSS scores it 7.8 High.

Microsoft Apple Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution and denial-of-service in Gen Digital antivirus engines (Avast, AVG, Norton, Avast One, Avast Business Antivirus) on Windows, macOS, and Linux stems from a heap out-of-bounds read in the malformed-ZIP/XML scanner across virus definition builds 25020100 through 25021207. An attacker who lures a user into letting the on-access scanner process a crafted archive can crash the antivirus process or potentially execute code in its context. No public exploit identified at time of analysis and the EPSS signal was not provided.

Microsoft Apple Information Disclosure +6
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution or antivirus-process denial-of-service in Gen Digital's shared scanning engine (Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux) is triggered when the engine parses a malformed Windows PE file and performs a heap out-of-bounds read. Mitigation ships via the VPS 25021310 virus definition update rather than a product installer, so any consumer of the Gen Digital definition stream at or above that build is no longer exposed. No public exploit identified at time of analysis, but the bug sits inside a high-privilege scanner that auto-processes attacker-controlled files.

Microsoft Apple Information Disclosure +6
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds heap read in the Gen Digital antivirus scanning engine (Avast, AVG, Norton, Avast One, Avast Business) allows a malformed Windows PE file with crafted .NET metadata to crash the AV process or potentially execute code locally on Windows, macOS, and Linux endpoints running virus definitions prior to VPS 25021310. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the bug is reachable via on-access scanning, meaning any user who receives a malicious file may trigger it without explicit action. UI:R in the CVSS vector and the local attack vector temper the urgency relative to the 7.8 base score.

Microsoft Apple Information Disclosure +6
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack use-after-free in the Gen Digital shared antivirus scanning engine crashes the antivirus process when it parses a malformed Windows PE file. Five Gen Digital products share a common virus definition update stream - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - making all simultaneously vulnerable until the shared definition stream reaches build VPS 25022500. No public exploit has been identified at time of analysis; the impact is limited to a Denial-of-Service of the antivirus process with no confidentiality or integrity loss, and the CVSS score of 5.5 reflects the local, user-interaction-dependent nature of the attack.

Microsoft Apple Information Disclosure +5
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uncontrolled recursion in the Gen Digital shared scanning engine crashes the antivirus process when it encounters a specially crafted malformed Windows PE file, causing a Denial-of-Service across five Gen Digital products - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus - on Windows, macOS, and Linux. The vulnerability resides in the virus definition update stream rather than the product binary itself, meaning all five products sharing the same Gen Digital VPS stream are simultaneously exposed until updated to definition build VPS 25031700 or later. No public exploit code has been identified at time of analysis, and CVSS scores this at medium severity (5.5) reflecting local access and required user interaction as meaningful limiting factors.

Microsoft Apple Information Disclosure +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds heap read in the Avira Antivirus scanning engine triggers when the engine parses a malformed PDF, allowing local code execution or denial-of-service of the antivirus process on Windows, macOS, and Linux engine builds prior to 8.3.70.56. The CVSS 7.8 (High) rating reflects local attack vector with required user interaction (the engine must scan the attacker-supplied file), and no public exploit identified at time of analysis. Because the AV engine typically runs with elevated privileges, successful code execution would inherit those privileges.

Microsoft Apple Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution and denial-of-service in Avira Antivirus engine builds before 8.3.70.68 allow an attacker to compromise the scanning engine by placing a malformed PDF where the engine will scan it on Windows, macOS, or Linux. The flaw is a heap out-of-bounds read (CWE-125) triggered during PDF parsing, and no public exploit identified at time of analysis. CVSS is 7.8 (high) driven by full C/I/A impact on the local host, but exploitation requires user/scanner interaction with the malicious file.

Microsoft Apple Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Imagination Technologies Graphics DDK (GPU kernel driver) allows non-privileged users to issue crafted GPU system calls that perform read/write operations on arbitrary freed physical memory pages, enabling kernel memory corruption. The flaw stems from missing deferred-free handling, meaning the GPU can still access pages after the kernel module has released them. No public exploit identified at time of analysis and EPSS is very low (0.02%), but CVSS 7.8 reflects high local impact on confidentiality, integrity, and availability.

Use After Free Memory Corruption Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw's retry endpoint authentication check performs hostname prefix matching instead of exact hostname comparison, enabling an authenticated attacker to redirect sensitive authentication material to an attacker-controlled endpoint. All versions before 2026.5.7 are affected per CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*. The CVSS 4.0 vector scores this at 6.0 with high confidentiality impact (VC:H) and a specific attack prerequisite (AT:P); no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Information disclosure in OpenClaw before 2026.5.18 lets authenticated operators abuse shell metacharacter expansion within the system.run safe-bin allowlist to read unintended node-local files on POSIX nodes and exfiltrate sensitive configuration data. The flaw bypasses command-policy enforcement because the allowlist validates a literal command string while the underlying shell re-interprets it at execution time. No public exploit identified at time of analysis.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Information disclosure in OpenClaw before 2026.4.26 leaks the real host workspace path through sandboxed session spawning, exposing filesystem location and potentially related memory context to child AI model prompts. Authenticated users with low-privilege access can trigger this by spawning child sessions from sandboxed parent sessions, undermining the isolation guarantees of the sandbox environment. With a CVSS 4.0 score of 2.3, no public exploit code, and no CISA KEV listing, this is a low-severity but architecturally meaningful sandbox escape of information relevant to AI agent deployments.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated information disclosure in File Browser (filebrowser/filebrowser) versions <= 2.63.5 allows public share recipients to bypass owner-defined deny rules and read or list files explicitly blocked beneath a shared directory. The flaw stems from the public share handler rebasing the filesystem root but evaluating access rules against the rebased relative path rather than the owner's original scope. No public exploit identified at time of analysis, but a detailed PoC accompanies the GHSA advisory and EPSS sits at 0.04% (13th percentile).

Authentication Bypass Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Insufficient compartmentalization in the Imagination Technologies Graphics DDK kernel module enables a local, low-privileged attacker to abuse shared secure GPU memory allocations to either covertly pass data between otherwise isolated secure GPU processes or disrupt a peer process, causing image corruption and GPU hardware recovery events. Multiple DDK release trains spanning versions 1.18 RTM through 26.1 RTM are confirmed affected per EUVD-2026-36606. No public exploit exists and SSVC confirms no observed exploitation, but the 'Information Disclosure' tag in the advisory signals a confidentiality dimension that the official CVSS C:N metric does not fully capture.

Information Disclosure Graphics Ddk
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Improper access control in File Browser (filebrowser/filebrowser, Go) versions <= 2.63.6 lets a user with share/download permissions create a public share for a path that does not yet exist; because the share record stores only a path string and is never bound to a concrete object, the link silently begins exposing whatever file later appears at that path via GET /api/public/dl/<hash>. The flaw mirrors the Android MediaProvider issue CVE-2026-0035 — the create handler omits an existence check before persisting the share. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but a step-by-step PoC is included in the GitHub Security Advisory.

Google Java Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Fabric.js (npm: fabric) versions prior to 7.4.0 is triggered when applications export canvas content via `canvas.toSVG()` and render the result into the DOM using `innerHTML`. The `color` field within `colorStops` of a `fabric.Gradient` object is inserted into SVG `<stop>` elements without escaping `"`, `<`, or `>`, allowing crafted input to break attribute context and inject arbitrary HTML. A working proof-of-concept is publicly confirmed against v7.2.0; no active exploitation appears in CISA KEV, and the EPSS score of 0.04% reflects low observed exploitation breadth consistent with the chained conditions required.

XSS Information Disclosure Node.js
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

User email enumeration in MISP's AuthKey edit endpoint allows any authenticated user holding AuthKey-edit permission to discover the email addresses of arbitrary platform users by manipulating a single POST parameter. The flaw exists in the validation-error rendering path of AuthKeysController.php, where the user dropdown was populated from attacker-controlled request body data rather than the persisted AuthKey owner, enabling systematic iteration over numeric user IDs. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack is trivially reproducible from the description and patch diff alone.

Information Disclosure Misp
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive system information exposure in the Hash Elements WordPress plugin (all versions through 1.5.4) enables authenticated low-privilege users to retrieve embedded sensitive data from the plugin's output or internal responses. Classified under CWE-497, the plugin surfaces system-level information - potentially including API keys, server paths, or configuration values - to parties who should not have access to it. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low authentication barrier (subscriber-level or equivalent WordPress account) broadens the pool of potential abusers on multi-user WordPress installations.

Information Disclosure Hash Elements
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Tag group name disclosure in Discourse exposes restricted organizational metadata to anonymous and unprivileged users via a serializer that omits visibility filtering. Affected release lines are 2026.1.x (before 2026.1.4), 2026.3.x (before 2026.3.1), and 2026.4.x (before 2026.4.1), with the root cause being that DetailedTagSerializer#tag_group_names returned all group memberships without consulting the requesting user's permissions. An unauthenticated attacker can enumerate the names of tag groups restricted to specific user groups or non-visible categories, potentially leaking the internal structure of private forum spaces; no public exploit code has been identified at time of analysis and EPSS is 0.04% (11th percentile), indicating negligible observed exploitation activity.

Information Disclosure Discourse
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthorized access to webhook event data in Discourse exposes internal webhook payloads to any authenticated user - or unauthenticated users on instances with login_required disabled - across versions 2026.1.0 through several branch heads. The flaw resides in the MessageBus channel /web_hook_events/<id>, which the Jobs::RedeliverWebHookEvents job publishes to without enforcing group_id restrictions, allowing unrestricted channel subscription. Compounded by trivially enumerable sequential integer webhook IDs, any low-privilege or anonymous actor can iterate over webhook event history without authorization. No public exploit code exists and EPSS is 0.03% (9th percentile), indicating no observed widespread exploitation at time of analysis.

Information Disclosure Discourse
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Discourse's AI 'explain' helper exposes raw content of hidden posts to any authenticated user with access to the feature, due to an incomplete authorization check on parent posts. Affected instances span three release tracks - 2026.1.x, 2026.3.x, and 2026.4.x - and any user who can invoke the AI helper and find a visible reply to a hidden post can silently read the hidden post's raw text. No public exploit code has been identified and EPSS places exploitation probability at 0.03% (9th percentile), indicating this is a low-urgency but genuine confidentiality bypass for deployments where hidden post content is sensitive.

Information Disclosure Discourse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Discourse group owners can retrieve plaintext SMTP credentials - including passwords, usernames, server, port, and SSL mode - from the group history log endpoint (/groups/:name/logs.json), affecting versions 2026.1.0-latest through pre-2026.1.4, 2026.3.0-latest through pre-2026.3.1, and 2026.4.0-latest through pre-2026.4.1. An authenticated group owner who holds no admin or moderator privileges can harvest the exposed SMTP password and use it to send mail impersonating the group's email identity from any external mail client, entirely bypassing Discourse's own sending controls. No public exploit code exists and this vulnerability is not listed in CISA KEV; the EPSS score of 0.03% at the 11th percentile reflects the narrow, configuration-dependent attack surface.

Information Disclosure Discourse
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Discourse's GroupPostSerializer leaks user real names to authenticated users even when site administrators have explicitly disabled name display via the enable_names site setting. Affected versions span the 2026.1.x, 2026.3.x, and 2026.4.x release lines. An authenticated user querying group post endpoints receives real name data that the platform operator intended to suppress, undermining privacy configurations on Discourse instances that host pseudonymous or anonymous communities. No public exploit code exists and no active exploitation has been identified; the EPSS score of 0.03% (9th percentile) reflects low exploitation probability.

Information Disclosure Discourse
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Discourse's ReviewableQueuedPostSerializer unconditionally exposes full inbound email source - including SMTP headers, sender trace, mail user agent, and body - to category moderation group members accessing the review queue, bypassing the view_raw_email_allowed_groups trust boundary that restricts the dedicated raw-email endpoint. Affected versions span the 2026.1.x, 2026.3.x, and 2026.4.x series on deployments using Discourse's incoming email feature. No public exploit has been identified and EPSS stands at 0.03% (9th percentile), indicating low automated exploitation probability, though the exposed data - including sender IP addresses and routing headers - presents meaningful privacy and de-anonymization risk to users who submitted posts via email.

Information Disclosure Discourse
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Discourse platform versions across three active release tracks expose whisper translation audit logs through bot debug endpoints to any authenticated low-privilege user. The vulnerability (CWE-200) exists across release lines 2026.1.x, 2026.3.x, and 2026.4.x, and has been patched by the vendor across all affected tracks. No public exploit exists and EPSS sits at the 9th percentile (0.03%), indicating this is a low-probability exploitation target; however, the exposure of internal moderation audit logs may pose compliance and confidentiality risks on community platforms handling sensitive staff communications.

Information Disclosure Discourse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in Discourse discussion platform allows any MessageBus subscriber to receive real-time chat message payloads from public category channels without proper permission scoping, even when chat is not enabled for that user. The flaw affects versions 2026.1.0 through 2026.1.3, 2026.3.0 through 2026.3.0, and 2026.4.0 through 2026.4.0, and is fixed in 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. No public exploit identified at time of analysis, but the unauthenticated network attack vector makes this a meaningful confidentiality concern for forums leveraging chat.

Information Disclosure Discourse
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Parse Server 9.8.0-9.9.0 exposes raw MFA TOTP secrets and recovery codes through the /verifyPassword and /login endpoints when the _User class-level permission (CLP) is configured to deny get operations. An attacker with knowledge of a victim's username and password can call /verifyPassword without a session token or MFA token and receive the victim's plaintext TOTP secret and recovery codes in the response, completely defeating the second authentication factor. No public exploit has been identified at time of analysis; a patch exists in version 9.9.1-alpha.5, and the EPSS score of 0.04% (13th percentile) reflects limited opportunistic exploitation so far.

Information Disclosure Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

WiFi credential exposure in Naxclow IoT device firmware (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows any attacker with brief physical access to recover host network SSID, PSK, and negotiated WPA keys printed in cleartext to a labeled, production-accessible UART debug console. The UART interface drops to an unauthenticated interactive RT-Thread shell, enabling arbitrary memory reads and full firmware extraction - escalating a credential-theft opportunity into a platform for deeper firmware-level compromise. Reported via CISA ICS-CERT advisory ICSA-26-162-02; no public exploit code identified, though the attack requires only commodity serial hardware and minimal technical knowledge.

Information Disclosure Smart Doorbell X3 X Smart Home +2
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Device identifier enumeration across Naxclow's IoT product line - including the Smart Doorbell X3, X Smart Home platform, V720, and IX Cam - allows unauthenticated remote attackers to build a complete inventory of active devices deployed in the field. The identifier scheme combines fixed manufacturing prefixes with sequential counters (CWE-340), and the platform compounds this by exposing an endpoint that reveals the current identifier high-water mark, effectively handing attackers a starting point for a full sweep. Reported by ICS-CERT under ICSA-26-162-02, this is a platform-wide architectural flaw; no public exploit or KEV listing is confirmed at time of analysis, but the low complexity and zero-authentication barrier make opportunistic enumeration trivially achievable.

Information Disclosure Smart Doorbell X3 X Smart Home +2
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL Emergency

Persistent credential exposure in Naxclow smart cameras and doorbells (Smart Doorbell X3, X Smart Home, V720, ix Cam) allows anyone who obtains a device's server-side relay credential to maintain indefinite access to that device's relay channel. Because the credential is re-issued unchanged on every boot and cannot be rotated, reset, or revoked by the owner, even factory resets and re-onboarding do not evict an attacker. No public exploit identified at time of analysis, and EPSS/KEV signals are not provided in the input.

Information Disclosure Smart Doorbell X3 X Smart Home +2
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated denial-of-service in Typesense search engine versions prior to 29.1 and 30.2 allows remote attackers to terminate the server process by sending a crafted request to the /multi_search endpoint. The flaw triggers an unhandled exception during request processing, causing complete service unavailability for the duration of restart and dataset reload. No public exploit identified at time of analysis, and the low EPSS score (0.10%) suggests limited current exploitation interest despite the high CVSS 4.0 score of 8.7.

Information Disclosure Typesense
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Cache isolation failure in Typesense's search engine exposes restricted search results across Scoped Search API Key authorization boundaries. When server-side caching and Scoped API Keys are both active, a specific sequence of requests can cause the cache to serve results to a scoped requester that were originally populated by a less-restricted context, effectively bypassing the embedded filter constraints of that key. Versions prior to 29.1 and 30.2 are affected; vendor-released patches exist in both release lines, with no public exploit identified and an EPSS of 0.05% (15th percentile) confirming low current exploitation probability.

Information Disclosure Typesense
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser allows unauthenticated remote attackers to read up to approximately 4 GiB of heap memory or crash the application by delivering a crafted archive to a Windows user who opens it. Affected versions span 3.0.1000.0 through all releases before 6.0.1698.0, with the vulnerability rooted in an inherited integer overflow flaw in 7-Zip's upstream AvbHandler. No public exploit code or active exploitation has been identified; an EPSS score of 0.05% (15th percentile) confirms negligible current threat activity, and this CVE does not appear in the CISA KEV catalog.

Microsoft Google Information Disclosure +2
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Heap out-of-bounds read in NanaZip's inherited 7-Zip LvmHandler component allows an unauthenticated remote attacker to crash the application or potentially expose heap memory by tricking a user into opening a maliciously crafted LVM2 disk image. All NanaZip installations from version 3.0.1000.0 up to (but not including) 6.0.1698.0 on Windows are vulnerable. No public exploit code or active exploitation has been identified; an EPSS score of 0.04% at the 11th percentile reflects very low real-world exploitation probability.

Microsoft Information Disclosure Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser crashes the application and may leak heap memory contents when a victim opens a crafted .avb or .img file. Affected versions span 3.0.1000.0 through any release before 6.0.1698.0, covering a wide install base of Windows users. No public exploit code exists and EPSS sits at 0.05% (15th percentile), indicating low current exploitation interest, though the deterministic crash behavior lowers the bar for denial-of-service abuse.

Microsoft Information Disclosure Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Private message interception in Mattermost affects versions 11.6.x through 11.6.1, 11.5.x through 11.5.4, and 10.11.x through 10.11.16, allowing a low-privileged attacker to receive plugin-generated direct messages intended for bot accounts. The flaw stems from the bot registration flow failing to verify that a claimed username actually belongs to a bot account, enabling an attacker who pre-registers a human account using a predictable plugin bot username to silently hijack those message channels. No public exploit code exists at time of analysis, and exploitation requires both an existing user account and advance knowledge of the target bot's username.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Remote cluster authentication token disclosure in Mattermost's Secure Connections feature allows authenticated users holding the manage_secure_connections permission to retrieve plaintext inter-cluster credentials via a crafted PATCH request. Affected deployments span versions 10.11.x through 10.11.15, 11.5.x through 11.5.4, and 11.6.x through 11.6.1, with a CVSS-rated High confidentiality impact (6.5). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but successful exploitation could undermine the trust model of federated multi-cluster deployments.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Mattermost's WebSocket layer improperly broadcasts `role_updated` events to all authenticated connections regardless of team or channel membership, enabling guest-level authenticated users to observe permission scheme change notifications for private teams they do not belong to. Affected versions span the 10.11.x, 11.5.x, and 11.6.x release lines. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and broad version impact make patching a straightforward priority for any Mattermost deployment with guest accounts enabled.

Mattermost Information Disclosure
NVD
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Hard-coded cryptographic keys in the Aqara Home Android app (com.lumiunited.aqarahome) 6.0.0 and white-label clients embedding the same liblumidevsdk.so let attackers who extract the static keys from the shipped binary decrypt protected data and forge or tamper with device/cloud communications. Because every install ships the identical embedded keys, a single extraction compromises confidentiality and integrity across the entire installed base. Reported by runZero (CVE-2026-50091 / EUVD-2026-36481); publicly available exploit code exists (GitHub PoC 'theres-no-place-like-home'), but it is not on CISA KEV and EPSS is very low at 0.03%.

Google Information Disclosure Com Lumiunited Aqarahome
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Cross-origin information disclosure in the Aqara Developer Portal (developer.aqara.com) and its shared test environments (developer-test.aqara.com, aiot-test.aqara.com) allows a malicious website to read authenticated responses from any victim developer who visits it, exposing portal data tied to IoT/smart-home developer accounts. The flaw is a permissive CORS policy (CWE-942) that trusts untrusted origins; runZero disclosed it and no public exploit identified at time of analysis, though the technique is well-known and trivially scriptable.

Cors Misconfiguration Information Disclosure Aqara Developer Portal +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-origin information disclosure in the Aqara IAM/SSO gateway (gw-builder.aqara.com) allows attacker-controlled web origins to read authenticated user data by exploiting a permissive CORS policy that trusts arbitrary domains. The flaw, scored CVSS 8.2 with scope change due to credential exposure crossing the browser/identity-provider trust boundary, affects all users of Aqara's centralized smart-home identity service and can be triggered when a logged-in victim visits an attacker-hosted page. A public GitHub repository (xn0tsa/theres-no-place-like-home) is linked from the advisory, so publicly available exploit code exists, though no CISA KEV listing or EPSS signal is provided.

Cors Misconfiguration Information Disclosure Aqara Iam Sso Gateway
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Crypt::PBKDF2 for Perl prior to version 0.261630 ships with critically weak password-hashing defaults - HMAC-SHA1 as the pseudorandom function and only 1,000 iterations - leaving derived keys and stored passwords highly vulnerable to offline brute-force attacks. Applications that do not explicitly override these defaults expose any compromised credential store to cracking at rates orders of magnitude faster than OWASP-recommended configurations (220,000-1,400,000 iterations depending on algorithm). No public exploit is identified at time of analysis and the CVE is not listed in CISA KEV, but the structural nature of CWE-916 means all previously generated hashes using the weak defaults remain exploitable even after upgrading the library unless proactively rehashed.

Information Disclosure Crypt Suse
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

HTTP request smuggling in Netty's HttpObjectDecoder (netty-codec-http) allows unauthenticated remote attackers to manipulate request-boundary parsing in pipelined or multiplexed deployments by injecting non-CRLF ISO control characters (NUL, SOH, STX, etc.) before the HTTP request-line. Affected are all Netty releases prior to 4.1.135.Final and 4.2.15.Final; both branches have vendor-confirmed patches. No public exploit code has been identified and EPSS is 0.04% (12th percentile), indicating low current exploitation likelihood, though the attack surface expands significantly in architectures fronted by proxies or load balancers that strip or interpret those control bytes differently than Netty does.

Request Smuggling Information Disclosure Netty +2
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory exhaustion in opentelemetry-cpp OTLP HTTP exporters (traces, metrics, logs) prior to 1.27.0 allows an attacker who controls the configured collector endpoint - or occupies a MITM position on the network path - to crash the instrumented process by returning an arbitrarily large HTTP response body. The curl-based HTTP client read response data into an unbounded in-memory buffer via io-equivalent copy with no size limit, making peak heap allocation entirely attacker-controlled. No public exploit has been identified at time of analysis, and EPSS at 0.02% (6th percentile) indicates low opportunistic exploitation probability, though the targeted threat model (supply-chain-adjacent collector compromise) is realistic in telemetry-heavy environments.

Information Disclosure Opentelemetry Cpp
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

TLS hostname verification is silently disabled in Netty's netty-handler module for any client built with SslContextBuilder.forClient().trustManager(somePlainX509TrustManager), allowing network attackers in a man-in-the-middle position to present a valid certificate for any host and intercept supposedly encrypted traffic. Affects all Netty versions prior to 4.1.135.Final and 4.2.15.Final; no public exploit identified at time of analysis and EPSS is very low (0.04%), but the defect bypasses a core TLS protection that Netty 4.2 explicitly advertises as enabled by default.

Jwt Attack Information Disclosure Netty
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stateless reset token leakage in Netty's QUIC codec (io.netty:netty-codec-classes-quic prior to 4.2.15.Final) enables an on-path attacker to derive the reset token for active connections and terminate them via spoofed Stateless Reset packets. The default HMAC-based generators expose a deterministic relationship between the source connection ID visible in QUIC headers and the server's stateless reset token - after a source-CID rotation, an observer can compute the token from the new connection-ID bytes. No public exploit identified at time of analysis; the CVSS 4.8 Medium rating reflects the on-path attacker prerequisite (AC:H), which meaningfully limits opportunistic exploitation.

Information Disclosure Denial Of Service Netty
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Predictable salt generation in the Perl Crypt::PBKDF2 module before version 0.261630 weakens the cryptographic strength of derived password hashes. The module uses Perl's built-in rand() function - a non-cryptographic PRNG - to generate salt values, making salts guessable and enabling precomputation attacks against stored password hashes. No public exploit identified at time of analysis, but a vendor patch is available and the issue was responsibly disclosed by CPANSec.

Information Disclosure Crypt Suse
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

DB schema enumeration in Frappe (versions prior to 15.107.2 and 16.17.4) exposes internal database structure to unauthenticated remote attackers via a vulnerable endpoint. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, making this accessible to any internet-facing instance. While limited to low confidentiality impact (VC:L) with no integrity or availability consequences, schema information can inform targeted follow-on attacks against the application's data layer. No public exploit has been identified at time of analysis, and EPSS of 0.02% (7th percentile) indicates low current exploitation probability.

Information Disclosure Frappe
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Remote code execution in jmespath.php versions prior to 2.9.1 allows attackers controlling JMESPath expressions to inject arbitrary PHP into compiler-generated cache files, which are then loaded and executed by JmesPath\CompilerRuntime. The flaw stems from insufficient escaping of parsed function names when the compiler emits PHP source, enabling code execution whenever an application evaluates untrusted expressions through the compiler runtime. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects unauthenticated network-reachable RCE in any web app that pipes user input into the compiler.

PHP Information Disclosure Jmespath Php
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Credential exposure in Redmine allows any local attacker with access to a previously-used browser session to recover plaintext login credentials stored by the application after form submission. The flaw (CWE-257) affects all tracked Redmine versions per NVD CPE data and represents a classic insecure credential storage issue. No public exploit has been identified at time of analysis, and exploitation is constrained to local attack vectors requiring prior user interaction.

Information Disclosure Redmine
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Crypt Suse
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Weak password recovery in PbootCMS up to 3.2.12 allows remote unauthenticated attackers to take over user accounts by manipulating the `checkcode`, `username`, `password`, and `email` parameters in the `retrieve` function of `apps/home/controller/MemberController.php`. The recovery mechanism fails to adequately validate or protect the verification token, enabling bypass of the intended authentication challenge during the password reset flow. A public proof-of-concept exploit explicitly titled 'Account-Takeover' is available on GitHub, elevating the realistic risk beyond the conservative base score of 6.9.

PHP Information Disclosure Pbootcms
NVD VulDB GitHub
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Source code exfiltration in Nuxt's @nuxt/webpack-builder and @nuxt/rspack-builder (versions 3.15.4-3.21.6 and 4.0.0-alpha.1-4.4.6) enables a LAN-adjacent attacker to read a developer's full application source from the webpack dev server when it is bound to a non-loopback address via `nuxt dev --host`. This is a second incomplete fix in a chain stemming from GHSA-4gf7-ff8x-hq99: the previous patch (GHSA-6m52-m754-pw2g) relied on Sec-Fetch-* metadata headers that browsers silently omit for non-trustworthy (plain HTTP) origins, leaving a bypass when an attacker page strips all three identifying headers (Sec-Fetch-Site, Origin, Referer) simultaneously. A proof-of-concept JavaScript payload is documented in the GHSA advisory; EPSS is very low at 0.02% (7th percentile) and no CISA KEV entry exists, reflecting the narrow exploitation conditions required.

Information Disclosure Nuxt
NVD GitHub VulDB
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

Squid proxy server is affected by CVE-2026-47729, disclosed alongside CVE-2026-50012 in a single oss-security post dated 2026-06-12 by Amos Jeffries. This is a pre-NVD disclosure, meaning technical details, affected versions, CVSS scores, and patch information have not yet been published to the NVD. No exploit code has been identified at time of analysis, and CISA KEV status is not confirmed.

Information Disclosure Buffer Overflow
NVD VulDB GitHub
EPSS 2% CVSS 5.5
MEDIUM PATCH This Month

Squid caching proxy is affected by CVE-2026-50012, disclosed via the oss-security mailing list on 2026-06-12 as a pre-NVD advisory. No technical details - description, affected versions, vulnerability class, or impact - have been made available in the current intelligence snapshot. The advisory was bundled with a sibling disclosure (CVE-2026-47729) from the same Squid maintainer post, suggesting a coordinated release, but no further differentiation between the two CVEs is derivable from available data. No exploitation, no KEV listing, and no EPSS score are present at time of analysis.

Information Disclosure
NVD VulDB GitHub
EPSS 0% CVSS 0.3
LOW POC Monitor

Improper authorization in the WebView URL Handler of the Groww Stock, Mutual Fund, Gold App for Android (all versions up to build 20260805) allows a low-privileged attacker with physical device access to invoke custom URL scheme handlers without proper authorization, enabling unauthorized in-app navigation or bypass of client-side access controls. The CVSS 4.0 score of 0.3 reflects severe exploitation constraints: physical access is mandatory, attack complexity is high, and impact is limited to low integrity compromise with no confirmed confidentiality exposure. A public proof-of-concept is available on GitHub and Google Drive; the vulnerability is not listed in CISA KEV and no vendor patch has been confirmed at time of analysis.

Google Information Disclosure Stock Mutual Fund Gold App
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Mention injection in Quest Bot prior to version 1.1.6 allows Discord server moderators to embed @everyone or @here mass-ping triggers inside warning reasons, which are later replayed unsanitized when the /warns command outputs stored records. While the bot correctly suppresses Discord mentions during warning creation and several other moderation actions (unbanning, unwarning, kicking, muting, unmuting), the /warns display path lacks equivalent output encoding, creating an inconsistent trust boundary. The issue is patched in version 1.1.6 with no public exploit code identified at time of analysis.

Information Disclosure Questbot
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Improper input validation in Quest Bot (an open-source Discord bot) prior to version 1.1.6 lets a guild moderator weaponize the automod feature to delete every non-bot message in a server. By submitting whitespace-only input to the automod add command, the trimmed empty string is stored as a rule and the message listener's content.includes("") check evaluates true for all messages. No public exploit identified at time of analysis, though the trigger is trivial to reproduce by anyone with permission to configure automod rules.

Information Disclosure Questbot
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

Disk encryption bypass in Moxa UC-1200A series industrial computers allows an attacker with invasive physical access to recover the LUKS disk encryption key by sniffing the SPI bus between the CPU and TPM2 chip. The flaw is an incomplete fix for CVE-2026-0714 - Moxa added TPM2 parameter encryption but misconfigured the authorization session so the encryption provides no real protection. No public exploit identified at time of analysis, and the CVSS 4.0 vector (AV:P) reflects that exploitation is bounded to attackers who can physically open the device.

Information Disclosure Uc 1200A Series
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Vulnerability Title

Information Disclosure Keepinmind Dashboard Notes
NVD WPScan VulDB Exploit-DB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

PingDirectory's virtual attribute processing exposes an authenticated denial-of-service path capable of exhausting the Java heap, with cascading availability, confidentiality, and integrity impacts on all downstream identity-dependent systems. Authorized users with elevated directory privileges can trigger progressive, unreclaimed heap allocation by copying virtual attributes referencing `ds-privilege-name` values while recent login history is active. The vendor-assigned CVSS 4.0 score of 6.3 (Amber urgency) masks notably high subsequent-system impact ratings (SC:H/SI:H/SA:H), reflecting that the real organizational risk lies not in PingDirectory itself but in the authentication and authorization disruption cascading to every application integrated with the directory; no public exploit code or CISA KEV listing has been identified at time of analysis.

Java Information Disclosure Pingdirectory
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper TLS certificate validation in CyberArk (Palo Alto Networks) Privilege Cloud Connector (PAM SH Connector, branded 'Idira') versions prior to 1.1.100504 allows adjacent-network attackers to intercept or tamper with privileged-access traffic under specific configuration scenarios. The flaw is rated CVSS 4.0 7.5 with no public exploit identified at time of analysis, but the Connector's role as a broker for secrets and privileged sessions makes successful exploitation highly impactful. Reported by Palo Alto with disclosure tracked under CyberArk Security Bulletin CA26-17.

Information Disclosure Pam Sh Connector
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

SQL wildcard character injection in ClipBucket v5's subtitle editing endpoint allows authenticated users to overwrite all subtitle titles across every video they own in a single HTTP request. Affected versions are all releases prior to 5.5.3 - #141 of the open-source video sharing platform maintained by MacWarrior. No public exploit exists and the vulnerability is not listed in CISA KEV, but the trivial exploitation mechanism (a single % character) means any authenticated account could cause bulk subtitle data corruption against their own content.

Information Disclosure Clipbucket V5
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated blind SQL injection in ClipBucket v5 prior to version 5.5.3 - #129 allows remote attackers to exfiltrate arbitrary database contents via the ids parameter of the actions/progress_video.php endpoint. The flaw carries a critical CVSS 9.8 score and no public exploit identified at time of analysis, but the trivial network-reachable attack surface on a public-facing video sharing platform makes opportunistic scanning likely. Vendor patch is available in 5.5.3 - #129 per the GHSA advisory.

PHP SQLi Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated SQL injection in ClipBucket v5 prior to release 5.5.3 - #132 allows any user with video-upload privileges to exfiltrate database contents via the POST /actions/subtitle_edit.php endpoint. The vulnerable 'number' parameter handling enables boolean-based blind SQLi, and no public exploit is identified at time of analysis though the GitHub Security Advisory (GHSA-q233-m544-6jqr) documents the issue in detail.

PHP SQLi Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Local privilege/integrity compromise in CyberArk Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allows an authenticated local attacker to interfere with the agent daemon's initialization sequence, potentially undermining the endpoint privilege controls the product is meant to enforce. The CVSS 4.0 score of 8.5 reflects high impact on confidentiality, integrity, and availability of the vulnerable system, though exploitation requires existing local access with low privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Idira Endpoint Privilege Manager
NVD VulDB
Prev Page 28 of 741 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy