Skip to main content

Information Disclosure

66592 CVEs technique

Monthly

CVE-2026-58636 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft PC Manager allows an authenticated low-privileged user to gain elevated (typically SYSTEM/administrator) privileges by abusing improper link resolution before file access (CWE-59). Reported by Microsoft with a patch available via MSRC; no public exploit identified at time of analysis and not listed in CISA KEV. The CVSS 7.8 score reflects high confidentiality, integrity, and availability impact once the local, low-privilege prerequisites are met.

Information Disclosure Microsoft Pc Manager
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-58614 MEDIUM PATCH This Month

Out-of-bounds read in Windows Kernel allows an authorized attacker to bypass a security feature locally.

Buffer Overflow Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2026-58609 HIGH PATCH This Week

Local code execution in the Microsoft Graphics Component affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). An attacker who convinces a user to open a specially crafted file or content triggers an out-of-bounds read (CWE-125) that Microsoft rates as enabling code execution with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation requires local access plus user interaction, making it a standard patch-cycle priority rather than an emergency.

Buffer Overflow Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-58608 HIGH PATCH NEWS Exploit Unlikely This Week

Network code execution in the Windows Print Spooler service allows an authenticated attacker to win a synchronization race and run arbitrary code across a broad range of Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). Microsoft rates it CVSS 8.8 with high confidentiality, integrity, and availability impact; a vendor patch is available, and there is no public exploit identified at time of analysis. Note that the CVE description and CVSS indicate remote code execution while the source tags label it 'Information Disclosure' — a discrepancy defenders should verify against the MSRC advisory.

Microsoft Race Condition Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-57979 MEDIUM PATCH Exploit Unlikely This Month

Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.

Buffer Overflow Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +14
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2026-56193 HIGH PATCH Exploit Unlikely This Week

Information disclosure in Microsoft Office (Microsoft 365 Apps, Office 2016/2019, Office LTSC 2021/2024, and Office for Mac) via an out-of-bounds read (CWE-125) lets an attacker leak sensitive memory contents when a victim opens a maliciously crafted document. The CVSS 3.1 base score is 7.1 (AV:L/AC:L/PR:N/UI:R), reflecting local exploitation that requires user interaction but no prior authentication. Microsoft is the reporting source and has published a fix; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Microsoft Information Disclosure Microsoft 365 Apps For Enterprise Microsoft Office 2016 +6
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2026-56155 HIGH POC KEV PATCH THREAT Exploited Act Now

Local privilege escalation in Microsoft Active Directory Federation Services (AD FS) lets an already-authenticated low-privileged user on the host gain higher privileges due to insufficient granularity of access control (CWE-1220). Affected deployments span AD FS on Windows Server 2012 through Windows Server 2025, and the flaw carries a CVSS 7.8 with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-priority-driven rather than exploitation-driven risk.

Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows Server 2012 Windows Server 2012 Server Core Installation +9
NVD VulDB
CVSS 3.1
7.8
EPSS
0.4%
Threat
4.6
CVE-2026-54988 MEDIUM PATCH This Month

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

Buffer Overflow Microsoft Information Disclosure Microsoft 365 Apps For Enterprise Microsoft Excel 2016 +7
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-54108 MEDIUM PATCH Exploit Unlikely This Month

External control of file name or path in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

Microsoft Information Disclosure Microsoft Sharepoint Enterprise Server 2016 Microsoft Sharepoint Server 2019 Microsoft Sharepoint Server Subscription Edition
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2026-55144 HIGH PATCH This Week

Local tampering in Windows CryptoAPI (Crypt32) on Windows 11 (24H2/25H2/26H1) and Windows Server 2022/2025 stems from a missing cryptographic step, letting an authenticated local attacker undermine the integrity and confidentiality of cryptographically protected data. Microsoft rates it 7.1 (High) with high confidentiality and integrity impact; there is no public exploit identified at time of analysis and it is not on the CISA KEV list. A vendor patch is available through the MSRC update guide.

Microsoft Information Disclosure Windows 11 Version 24H2 Windows 11 Version 25H2 Windows 11 Version 26H1 +3
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-55002 HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user to gain higher privileges on the host by controlling a file name or path used by the server engine. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, and Microsoft has released a patch. There is no public exploit identified at time of analysis, and the CVE is not in CISA KEV.

Information Disclosure Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack Microsoft Sql Server 2017 Cu 31 Microsoft Sql Server 2017 Gdr +6
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-55006 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an authenticated attacker with low-level privileges on the server to elevate to higher privileges due to insufficiently granular access controls (CWE-1220). The CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L) reflects local exploitation yielding full confidentiality, integrity, and availability impact. A vendor patch is available; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Microsoft Information Disclosure Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Exchange Server 2019 Cumulative Update 14 Microsoft Exchange Server 2019 Cumulative Update 15 +1
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-55003 MEDIUM PATCH This Month

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2026-54997 MEDIUM PATCH This Month

Information disclosure via uninitialized memory in the Windows SMB driver stack affects a broad range of Windows 10, Windows 11, and Windows Server versions. A locally authenticated, low-privileged attacker can trigger a code path that reads from uninitialized memory within the SMB subsystem, potentially leaking sensitive kernel or heap memory contents. No public exploit code or active exploitation has been identified at the time of analysis; Microsoft has released a patch via MSRC.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2026-54996 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows USB Print Driver affecting Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an already-authenticated, low-privileged user win a race condition (CWE-362) in the driver to gain higher privileges. Microsoft has released a patch and reported the flaw itself; there is no public exploit identified at time of analysis. The high attack complexity (AC:H) reflects the timing-dependent nature of exploiting the shared-resource synchronization defect.

Microsoft Race Condition Information Disclosure Windows 11 Version 24H2 Windows 11 Version 25H2 +3
NVD
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-55004 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Microsoft Printer Drivers component across Windows 10, Windows 11 (through 26H1), and Windows Server 2012 through 2025 lets an already-authenticated attacker corrupt kernel-adjacent memory to gain higher privileges. The flaw is a double free (CWE-415) triggered locally by a low-privileged user, yielding high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-54112 HIGH PATCH This Week

Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated attacker to win a race condition (CWE-362) and elevate to SYSTEM-level privileges across supported Windows 10, Windows 11, and Windows Server 2019-2025 builds. Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and EPSS is low (0.16%, 5th percentile). CVSS 7.0 reflects high attack complexity (AC:H) driven by the timing-window nature of the flaw and the requirement for existing low-privilege access (PR:L).

Microsoft Race Condition Information Disclosure Windows 10 Version 1809 Windows 10 Version 21H2 +9
NVD
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-55001 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Active Directory certificate-validation path lets an already-authenticated attacker on Windows 10 (1607/1809) and Windows Server 2016 through 2025 (including Server Core) improperly validate a certificate to gain higher privileges. Microsoft reported and patched the flaw (CWE-295), but there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS 7.8 vector (AV:L/PR:L) confirms an authenticated local attacker with full confidentiality, integrity, and availability impact upon success.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows Server 2016 +6
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-54107 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an authenticated low-privileged user to win a race condition and elevate to SYSTEM across Windows 10, Windows 11 (through 26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available, it carries CVSS 7.0 but a high attack complexity (AC:H) reflecting the timing-sensitive nature of the flaw. There is no public exploit identified at time of analysis, and EPSS is low (0.19%, 9th percentile), consistent with CISA SSVC rating exploitation as 'none.'

Microsoft Race Condition Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-54991 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows USB Print Driver lets an already-authenticated low-privileged user win a race condition to gain SYSTEM-level control on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. The flaw stems from unsynchronized access to a shared resource, and successful exploitation yields full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.

Microsoft Race Condition Information Disclosure Windows 11 Version 24H2 Windows 11 Version 25H2 +3
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-54111 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows USB Print Driver on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an already-authenticated low-privileged user win a timing race in the driver to gain elevated privileges. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV. The high attack complexity (must reliably win a race window) tempers real-world exploitability despite full confidentiality, integrity, and availability impact.

Microsoft Race Condition Information Disclosure Windows 11 Version 24H2 Windows 11 Version 25H2 +3
NVD
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-50697 HIGH PATCH This Week

Local privilege escalation in the Windows Common Log File System (CLFS) Driver allows an already-authenticated, low-privileged user to elevate to SYSTEM on a wide range of Windows client and server releases. Microsoft classifies the root cause as exposure of sensitive information (CWE-200), but the CVSS impact profile (C:H/I:H/A:H) reflects that the leaked kernel data enables full local privilege escalation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though CLFS has historically been a heavily exploited elevation-of-privilege target in Windows.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-47282 MEDIUM PATCH Exploit Unlikely This Month

Insufficiently protected credentials in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

Information Disclosure Visual Studio Code
NVD VulDB
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-49784 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Microsoft Windows App Store component (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025) allows an authorized low-privileged attacker to win a race condition on an improperly synchronized shared resource and gain higher privileges. Exploitation is local-only and high-complexity because it depends on reliably hitting a narrow timing window, and no public exploit has been identified at time of analysis. A vendor patch is available via Microsoft's MSRC update guide.

Microsoft Race Condition Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +12
NVD
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-49177 MEDIUM PATCH Exploit Unlikely This Month

Out-of-bounds read in Windows TCP/IP allows an authorized attacker to disclose information locally.

Buffer Overflow Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2026-49170 HIGH PATCH Exploit Likely This Week

Local privilege escalation in the Windows StateRepository API lets an already-authenticated low-privileged user gain higher (typically SYSTEM-level) privileges due to insufficiently granular access control (CWE-1220). It affects a broad range of currently supported Windows client and server builds (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025). The flaw was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis (not listed in CISA KEV).

Microsoft Information Disclosure Windows 10 Version 1809 Windows 10 Version 21H2 Windows 10 Version 22H2 +8
NVD
CVSS 3.1
7.8
EPSS
2.5%
CVE-2026-49165 HIGH PATCH Exploit Unlikely This Week

Local information disclosure in the Microsoft Windows App Store (Store/AppX component) affects a broad range of Windows 10, Windows 11, and Windows Server releases (1607 through 26H1, Server 2016/2019/2022/2025). An authorized local attacker can leverage a use of uninitialized resource (CWE-908) to read memory contents that should not be exposed, with CVSS 7.1 reflecting high confidentiality impact but requiring low-privileged authenticated local access. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and Microsoft has released a patch via the MSRC update guide.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +11
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48572 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows App Installer (App Installer / MSIX handler) on Windows 11 (23H2 through 26H1) and Windows Server 2025 lets an already-authenticated local attacker win a timing race to elevate to higher privileges. The flaw stems from improper synchronization of a shared resource during concurrent execution, and Microsoft has released a patch. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Microsoft Race Condition Information Disclosure Windows 11 Version 23H2 Windows 11 Version 24H2 +4
NVD
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-34346 MEDIUM PATCH Exploit Unlikely This Month

Cleartext transmission of sensitive information in Windows Ancillary Function Driver for WinSock allows an authorized attacker to disclose information locally.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +16
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-34349 MEDIUM PATCH This Month

Exposure of sensitive information to an unauthorized actor in Windows Media allows an authorized attacker to disclose information locally.

Microsoft Information Disclosure Windows 10 Version 1809 Windows 10 Version 21H2 Windows 10 Version 22H2 +8
NVD VulDB
CVSS 3.1
5.5
EPSS
0.4%
CVE-2026-42982 HIGH PATCH NEWS Exploit Unlikely This Week

Local privilege escalation in Windows Secure Kernel Mode (SKM/VTL1) allows an already-authenticated attacker to elevate to higher privileges on affected Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025 systems. The flaw stems from improper consistency validation of input crossing the trust boundary into the isolated secure kernel (CWE-1288), yielding full confidentiality, integrity, and availability impact on the local host. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +12
NVD VulDB
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-59891 CRITICAL PATCH Act Now

Credential leakage in sigstore-js (specifically the @sigstore/oci package) before 0.7.1 allows Docker registry credentials to be transmitted to the wrong registry because getRegistryCredentials() matched configured auth keys against the target registry using a substring check instead of an exact host match. An attacker who can induce a victim to push or pull signatures/attestations against an attacker-named registry whose hostname has a substring relationship with a legitimately configured registry (e.g. 'cr.io' vs 'ghcr.io', or 'victim.127.0.0.1:5000' vs '127.0.0.1:5000') can capture the victim's stored registry credentials. There is no public exploit identified at time of analysis, and this is not listed in CISA KEV; the underlying weakness (CWE-522) is confirmed and fixed by the vendor in @sigstore/oci 0.7.1.

Docker Information Disclosure Sigstore Js
NVD GitHub
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-15702 LOW PATCH Monitor

A security vulnerability has been detected in tamagui up to 2.3.0. This affects the function updateConfig of the file code/core/web/src/config.ts. Such manipulation leads to improperly controlled modification of object prototype attributes. The attack may be performed from remote. Upgrading to version 2.3.1 is able to mitigate this issue. The name of the patch is e46af9879b7627934ea4d6d6e46e65cea53abb3d. The affected component should be upgraded.

Prototype Pollution Information Disclosure Tamagui
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-54058 HIGH PATCH This Week

Out-of-bounds memory disclosure in Python Pillow before 12.3.0 lets an attacker who supplies a crafted McIdas AREA image file read adjacent process memory or crash the host application. When such a file is opened from a filename, header words control the raw-codec mmap row stride; setting it below the true row width causes later pixel operations (tobytes, getpixel, convert, save) to read past the mapped region. No public exploit is identified at time of analysis and it is not in CISA KEV, but the upstream fix, PR, and a regression test are public, making the flaw well documented.

Python Buffer Overflow Information Disclosure Pillow
NVD GitHub
CVSS 4.0
8.3
EPSS
0.4%
CVE-2026-42491 CRITICAL Act Now

Missing TLS certificate validation in the XAPI C# and PowerShell SDK bindings - specifically on secondary HTTP handler connections used for disk image transfers, host backups, RRD data, and patch delivery - allows a network-positioned attacker to intercept communications between third-party management tools and Xen hypervisor hosts. Successful Man-in-the-Middle exploitation can yield stolen administrative session tokens, enabling full hypervisor session hijack, or permit tampering with critical data such as imported disk images and host update packages in transit. No public exploit code has been identified at time of analysis, and the Xen Project advisory XSA-498 confirms no known mitigations exist short of patching.

Information Disclosure
NVD
CVE-2026-59198 HIGH PATCH This Week

Out-of-bounds heap read in Python Pillow's TGA RLE encoder (versions 5.2.0 through 12.2.x) lets adjacent process heap bytes leak into a generated TGA file when an application saves a mode '1' (1-bit) image using compression='tga_rle'. The flaw is an information-disclosure bug (CWE-125), fixed in 12.3.0, with no public exploit identified at time of analysis. The NVD CVSS of 7.5 (network vector) overstates practical reach because triggering the leak depends on the host application invoking this specific and unusual save path.

Python Buffer Overflow Information Disclosure Pillow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-62643 HIGH PATCH This Week

Server-Side Request Forgery and information disclosure in Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2 arises from insufficient CSS sanitization in HTML e-mail bodies, letting a crafted message with stylesheet links pointing to internal hosts coerce the server into issuing requests to local-network resources. This is a re-opened flaw stemming from incomplete fixes for CVE-2026-35540 and CVE-2026-48843, indicating the sanitizer still failed to block specific local-address URL patterns. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates it as a stable security update recommended for all installations.

SSRF Information Disclosure Webmail
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-15699 LOW POC PATCH Monitor

Prototype pollution in compromise (spencermountain/compromise) through version 14.15.1 exposes all JavaScript applications using the library to Object.prototype contamination via the nlp.extend() Public Root API. A low-privileged remote attacker who can supply a crafted plugin argument containing __proto__, constructor, or prototype keys can inject properties into the global Object.prototype, producing partial confidentiality, integrity, and availability impact across the Node.js runtime. A public exploit exists via GitHub issue #1208, a vendor patch has been released (commit b4644ab7), and no CISA KEV listing has been confirmed at time of analysis.

Prototype Pollution Information Disclosure Compromise
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-59204 HIGH PATCH This Week

Denial of service in Python Pillow (versions 8.2.0 through 12.2.0) allows remote attackers to exhaust memory during JPEG2000 decoding, causing out-of-memory failures in any application that decodes untrusted images. The flaw stems from Pillow's JPEG2000 decoder summing tile widths across the whole image rather than per tile, so a small crafted tiled file forces disproportionately large transient allocations. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the upstream fix (12.3.0) and a public PR/commit make the root cause fully transparent.

Python Information Disclosure Pillow
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-60082 CRITICAL PATCH Act Now

Out-of-bounds read in the Perl DBI (Database Independent Interface) module before version 1.651 lets a caller trigger a negative-array-index read inside the internal row-buffer helper (_set_fbav in DBI.xs), potentially disclosing adjacent process memory or crashing the interpreter. The flaw arises when a statement handle declares zero fields but is fed a non-empty source row, an inconsistency the module failed to reject before returning results. No public exploit has been identified at time of analysis and the issue is not on CISA KEV; the assigned CVSS of 9.1 reflects high confidentiality and availability impact under a network vector, but realistic exploitation depends on a caller (typically a DBD driver or database backend) supplying mismatched metadata and rows.

Buffer Overflow Information Disclosure Dbi
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-55651 HIGH This Week

Broken object-level authorization in Easy!Appointments 1.5.2 lets any authenticated user query the customers search endpoint to harvest the appointment hash tokens of other users and providers. Because these hashes act as the access control for appointment operations, an attacker can then edit or delete appointments they do not own, achieving a full Appointments Takeover across other providers. No public exploit identified at time of analysis; the flaw is fixed in version 1.6.0.

Information Disclosure Easyappointments
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-15698 LOW PATCH Monitor

Prototype pollution in kofrasa mingo up to version 7.2.1 allows low-privileged remote attackers to corrupt JavaScript Object.prototype by supplying `__proto__` as a field selector in `$set`, `updateOne`, or `updateMany` operations, injecting arbitrary properties into all objects within the Node.js process. Proof-of-concept exploit code exists (CVSS 4.0 E:P), and successful exploitation can cascade to application-wide privilege logic bypass, information disclosure, or denial of service depending on how the host application relies on inherited object properties. Vendor-released patch version 7.2.2 is confirmed available.

Prototype Pollution Information Disclosure Mingo
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-59840 MEDIUM This Month

Buffer over-read in Fortinet FortiOS and FortiProxy exposes sensitive memory contents to authenticated network attackers across multiple product lines including FortiPAM and FortiSwitchManager. The flaw, rooted in CWE-126 (buffer over-read), allows low-privileged remote users to read beyond allocated buffer boundaries, resulting in partial information disclosure with no integrity or availability impact. No active exploitation confirmed in CISA KEV, but the CVSS temporal vector includes E:P indicating proof-of-concept exploit code exists, and an official fix is available per RL:O.

Fortinet Buffer Overflow Information Disclosure Fortios Fortipam +2
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15697 LOW Monitor

Prototype pollution in svg.js (svgdotjs) up to version 3.2.5 allows a remote low-privileged attacker to inject arbitrary properties into JavaScript's shared Object.prototype via the EventTarget.on function of the npm package API. Depending on how consuming applications perform property lookups, this can lead to information disclosure, logic bypass, or integrity violations across the entire JavaScript runtime. No vendor patch exists - the maintainer has not responded to the responsible disclosure - and a proof-of-concept exists (CVSS E:P), though no confirmed active exploitation appears in CISA KEV.

Prototype Pollution Node.js Information Disclosure Svg Js
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-59836 CRITICAL Act Now

Improper TLS certificate validation in Fortinet FortiClientEMS (Endpoint Management Server) exposes sensitive information to network-positioned attackers across FortiClientEMS 7.2 (all listed builds up to 7.2.14), 7.4.0–7.4.1, and 7.4.3–7.4.5. Because the client fails to properly verify server certificates (CWE-295), an attacker able to intercept EMS communications can decrypt or observe protected traffic to disclose information. There is no public exploit identified at time of analysis and CISA SSVC scores exploitation as 'none', but Fortinet rates the flaw CVSS 9.8, so patching should be prioritized despite the lack of observed exploitation.

Fortinet Information Disclosure Forticlientems
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-12659 HIGH This Week

Remote denial-of-service in the Rockwell Automation FLEX 5000 EtherNet/IP adapter allows an unauthenticated network attacker to crash the module by sending a crafted CIP (Common Industrial Protocol) packet, halting the adapter and its associated I/O until a manual power cycle restores operation. The CVSS 4.0 score of 8.7 (High) reflects a network-reachable, no-privilege attack with high availability impact but no confidentiality or integrity loss. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV, so there is no confirmed active exploitation.

Information Disclosure The Flex 5000 Ethernet Ip Adapter
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-53379 HIGH This Week

Information disclosure in Fortinet FortiAuthenticator (6.5 all versions and 6.6.0–6.6.2) lets a remote unauthenticated attacker read out-of-bounds memory via a specially crafted request, exposing sensitive in-memory data. The CVSS temporal metrics (E:F, RC:C) indicate a functional, confirmed exploit is understood by the vendor, and an official fix is available (RL:O). No CISA KEV listing is present, so this is not confirmed as actively exploited despite the mature exploit signal.

Fortinet Buffer Overflow Information Disclosure Fortiauthenticator
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59835 HIGH This Week

Exposure of a scanning VM's VNC service in Fortinet FortiSandbox 5.0.0-5.0.2 and 4.4.3-4.4.8 lets an unauthenticated remote attacker reach the VNC server of the sandbox virtual machines used for malware detonation via ordinary network requests. Because these VMs run and observe live malware samples, unauthorized VNC access can expose sensitive analysis sessions and potentially allow interaction with the detonation environment. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Fortinet Information Disclosure Fortisandbox
NVD
CVSS 3.1
8.6
EPSS
0.4%
CVE-2026-10672 HIGH PATCH This Week

Out-of-bounds memory read in the Zephyr RTOS LwM2M firmware-update pull client (subsys/net/lib/lwm2m/lwm2m_pull_context.c) lets a LwM2M management server — or an on-path attacker on a session lacking strong DTLS — leak adjacent device memory and crash the device by writing an over-length Package URI (resource /5/0/1). Affected releases span v3.0.0 through v4.4.0 with the default-on CONFIG_LWM2M_FIRMWARE_UPDATE_PULL_SUPPORT path enabled. No public exploit identified at time of analysis; a vendor patch is available and EPSS/KEV signals are absent.

Buffer Overflow Denial Of Service Information Disclosure Zephyr
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-10671 HIGH PATCH This Week

Kernel object corruption in Zephyr RTOS (v4.1.0 through v4.4.0) lets a deprivileged user thread on CONFIG_USERSPACE builds re-initialize a live k_pipe to which it has been granted access, orphaning threads already blocked on that pipe. Because z_impl_k_pipe_init() unconditionally resets the ring buffer and wait queues without accounting for pended waiters, a subsequent timeout or wake drives sys_dlist_remove() through dangling pointers, producing an attacker-influenced invalid kernel write, list corruption, lost wakeups, and silent data loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the fix hardens the k_pipe_init syscall verifier.

Information Disclosure Zephyr
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-10669 HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in Zephyr RTOS on Xtensa SoCs (v3.7.0 through v4.4.0) built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, where arch_buffer_validate() fails open on an integer-overflow edge case, letting an unprivileged user thread trick the kernel into reading or writing arbitrary kernel/partition memory on its behalf. The flaw stems from a default-permit return value combined with a ROUND_UP address-space wrap that skips the MPU probe loop entirely, and it is not caught by the existing syscall-layer overflow guards. Vendor patch is available; no public exploit identified at time of analysis, and this is not in CISA KEV.

Denial Of Service Privilege Escalation Information Disclosure Buffer Overflow Memory Corruption +1
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-9653 HIGH This Week

Denial-of-service in Rockwell Automation 1756-EN2, 1756-EN3, and 1756-ENBT ControlLogix EtherNet/IP communication modules lets an unauthenticated network attacker drop active device connections by sending malformed CIP Implicit (I/O) Connection packets. Because CVSS 4.0 rates only availability impact (VC:N/VI:N/VA:H) and connections recover immediately once the traffic stops, the flaw enables repeatable disruption rather than persistent outage or code execution. No public exploit identified at time of analysis, and the module is not in CISA KEV.

Information Disclosure 1756 En2 1756 En3 1756 Enbt
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-52837 MEDIUM PATCH This Month

The reschedule endpoint in Easy!Appointments 1.5.2 and earlier exposes the complete customer database record to any party holding the 12-character appointment hash, with no authentication check and no field whitelisting on the ea_users row. These hashes are deliberately distributed to customers in reschedule emails, embedded in confirmation page URLs, and visible in operator calendar links, which means the effective attacker pool is anyone who has ever received or forwarded a booking email. The fix is available in version 1.6.0 per the GitHub security advisory; no public exploit code and no CISA KEV listing have been identified at time of analysis.

PHP Information Disclosure Easyappointments
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-8590 HIGH This Week

Information disclosure with integrity impact in the Spotfire Server modules of Spotfire Enterprise, Spotfire Enterprise with External Consumers, and Spotfire on Kubernetes allows a remote, unauthenticated attacker to obtain sensitive data and alter server-side state once a victim is lured into a passive interaction (UI:P), such as opening a crafted link or analysis. The CVSS 4.0 base score is 8.7 (High) with high confidentiality and integrity impact and low availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS was not provided.

Kubernetes Information Disclosure Spotfire Enterprise Spotfire Enterprise With External Consumers Spotfire On Kubernetes
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-15305 MEDIUM PATCH This Month

MIME type restriction bypass in TYPO3 CMS 14.2.0-14.3.5 allows unauthenticated attackers to upload files of arbitrary MIME types through forms configured with FileUpload or ImageUpload elements, circumventing the allowedMimeTypes restriction entirely. The flaw originates from a lifecycle ordering defect in the server-side form framework: MimeTypeValidator is registered before concrete form definition properties are applied, so it is absent from the validation pipeline at runtime. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the network-accessible, zero-prerequisite-auth nature of the bypass elevates practical risk wherever affected forms are publicly exposed.

Information Disclosure
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-53566 MEDIUM PATCH This Month

Out-of-bounds read in Citrix Secure Access Client for Windows (all versions before 26.6.1.20) enables a local low-privileged attacker to read memory beyond an allocated buffer boundary, resulting in high confidentiality impact with no integrity or availability consequence. The CVSS 4.0 score of 6.8 reflects the local attack vector and low-privilege requirement, meaning an attacker must already hold a foothold on the endpoint. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis.

Citrix Buffer Overflow Microsoft Information Disclosure Citrix Secure Access Client For Windows
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-15719 MEDIUM This Month

Firefox versions prior to 152.0.6 are exposed to a network-exploitable flaw requiring user interaction that yields limited confidentiality and integrity impact within the browser context. Publicly available exploit code exists, confirmed by Mozilla's own advisory language, though the vendor reports no known attacks in the wild at time of disclosure. The fix is confirmed in Firefox 152.0.6, referenced in Mozilla security advisory MFSA2026-67.

Mozilla Information Disclosure
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-15718 MEDIUM This Month

Information disclosure in Mozilla Firefox via CWE-763 (Release of Invalid Pointer or Reference) allows network-based attackers to read limited memory contents from affected browser instances. All Firefox versions prior to 152.0.6 are affected. Publicly available exploit code exists, though Mozilla reports no confirmed attacks in the wild; user interaction is required to trigger the flaw, moderately reducing real-world exposure.

Mozilla Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15043 CRITICAL PATCH Act Now

Incorrect WHERE-clause evaluation in Perl's DBI::SQL::Nano (versions 1.42 up to 1.651) causes text-based '<=' and '>=' comparisons to be silently inverted, so range-filtered queries return the wrong set of rows. The flaw affects DBI's built-in fallback mini-SQL engine used by file-backed drivers (DBD::File, DBD::DBM, CSV-style) when SQL::Statement is absent, and applications that rely on such predicates for policy or authorization filtering may leak or mishandle records without any error. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; the fix is available upstream in DBI 1.651.

Information Disclosure Dbi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-12478 MEDIUM This Month

Out-of-bounds read in libsoup 3.6.6 exposes WebSocket clients to memory disclosure and crashes when connecting to malicious servers. The incomplete fix for CVE-2026-0716 (commit 6ff7ef0) placed the integer overflow guard exclusively inside the masked-frame branch, leaving the unmasked server-to-client frame path entirely unprotected - allowing a crafted payload length near UINT64_MAX to bypass the guard entirely. No public exploit code or active exploitation (CISA KEV) has been identified, but the CVSS AC:H rating reflects the non-trivial preconditions: a specific client configuration and attacker-controlled server are both required.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10
NVD
CVSS 3.1
4.8
EPSS
0.3%
CVE-2026-8384 MEDIUM This Month

Eclipse Jetty mishandles HTTP URI path parameters containing semicolons combined with traversal sequences, delivering an unresolved path (e.g., `/public/../admin/secret.txt`) to downstream web applications instead of the canonicalized form (e.g., `/admin/secret.txt`). Web applications that delegate path-based authorization decisions to Jetty-provided paths are susceptible to confusion attacks where an attacker crafts a URI like `/public;/../admin/secret.txt` to receive a path that bypasses application-layer access controls. Jetty itself is shielded by its alias checker and will not serve restricted files directly; the integrity risk materializes only in applications that consume the unresolved path for routing or authorization logic. No public exploit code or CISA KEV listing is present at time of analysis.

Information Disclosure Eclipse Jetty
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-6790 MEDIUM This Month

Eclipse Jetty fails to enforce RFC 9110/9112's requirement that the HTTP request authority (host and port) match the value in the Host header across all supported protocol versions - HTTP/1, HTTP/2, and HTTP/3. Unauthenticated network attackers can exploit this input validation gap to manipulate Host-header-derived URI constructions (particularly redirect targets on login pages), influence virtual host selection, corrupt reverse proxy routing decisions, and produce misleading access logs. No public exploit has been identified at time of analysis and the vulnerability is not in CISA KEV, but the attack surface is meaningful in any Jetty deployment that performs host-based routing or generates redirects from the Host header.

Information Disclosure Eclipse Jetty
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-10051 MEDIUM This Month

HTTP/1.1 trailer leakage in Eclipse Jetty allows a remote unauthenticated attacker to read trailer headers from a previous request when sharing a persistent connection with another party. Trailers sent in an initial request are incorrectly retained in the server's connection state, causing them to bleed into all subsequent requests on the same keep-alive connection - either appended wholesale (if the later request has no trailers) or merged with the later request's own trailers. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Eclipse Jetty
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-12606 MEDIUM PATCH This Month

HTTP request smuggling in Eclipse Grizzly before 5.0.2 stems from the framework's inability to correctly parse malformed trailer header lines in chunked HTTP requests, enabling CWE-444 boundary-confusion attacks. Remote unauthenticated attackers who can send crafted chunked requests through a front-end proxy to a GlassFish-backed server can cause the proxy and Grizzly to disagree on request boundaries, smuggling attacker-controlled content as the prefix of a subsequent legitimate user's request. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS 4.0 AT:P condition signals that specific deployment prerequisites must be met.

Request Smuggling Information Disclosure Eclipse Glassfish
NVD
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-59084 CRITICAL Act Now

Cluster-communication confidentiality and integrity in Apache Tomcat can be undermined because the secure-configuration requirements for the EncryptInterceptor were never clearly documented, leaving operators liable to deploy the cluster session-replication channel insecurely. The flaw affects Tomcat 7.0.100-7.0.109, 8.5.38-8.5.100, 9.0.13-9.0.119, 10.1.0-M1-10.1.56 and 11.0.0-M1-11.0.23, and is fixed in 9.0.120, 10.1.57 and 11.0.24. It carries a CVSS 9.1 (C:H/I:H) but SSVC records exploitation as none, no public exploit identified at time of analysis, and the root cause is a documentation weakness (CWE-1059) rather than a code defect.

Information Disclosure Apache Tomcat Apache Tomcat
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-15075 HIGH This Week

Cross-origin credential leakage in Eclipse Vert.x vertx-core (4.x through 4.5.29 and 5.x through 5.1.4) occurs because DefaultRedirectHandler copies all original request headers verbatim when the HttpClient follows an HTTP 30x redirect, stripping only Content-Length and never comparing the origin (scheme/host/port). An application that lets untrusted input influence a request URL - webhook dispatchers, image proxies, SSRF-style URL fetchers - can be steered to an attacker-controlled redirect target that then receives Authorization, Cookie, Proxy-Authorization, and custom headers like X-API-Token. No public exploit has been identified at time of analysis, and the flaw is not in CISA KEV.

Information Disclosure Eclipse Vert X
NVD
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-15076 HIGH This Week

Cross-domain cookie injection in Eclipse Vert.x Web Client (WebClientSession) lets any server a victim application contacts set a cookie scoped to an unrelated third-party domain, which the client later replays to that domain. Versions up to 4.5.29 (4.x) and 5.1.4 (5.x) fail to enforce the RFC 6265 Domain-attribute ownership check, so an attacker can bind their own session cookie into the victim's WebClientSession and have the victim's later requests to a target service execute under the attacker's account, exposing sensitive request payloads. No public exploit identified at time of analysis and it is not listed in CISA KEV; scored CVSS 4.0 8.2 (High) by Eclipse.

Information Disclosure Eclipse Vert X
NVD
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-13699 MEDIUM This Month

Eclipse KUKSA Databroker 0.6.1 panics in a Tokio worker thread when an authenticated client sends a PublishValueRequest with a valid signal_id but omits the optional data_point field, causing the server to call Rust's unwrap() on a None value. Any client holding a valid JWT token can trigger this condition, cancelling the individual gRPC call while leaving the Databroker process intact and available. No public exploit has been identified and this vulnerability is not listed in CISA KEV; EPSS data was not supplied in available intelligence.

Information Disclosure Eclipse Kuksa Databroker
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-6851 HIGH PATCH This Week

Local privilege escalation in Bitdefender Total Security and Internet Security for Windows (versions before 27.0.58.315) lets a less-privileged local user gain higher rights by abusing a symbolic-link race condition in the File Shredder module. Because the shredder operates with elevated privileges and does not safely resolve links before acting on files, an attacker who wins a time-of-check/time-of-use race can redirect a privileged file operation to a target of their choosing. No public exploit identified at time of analysis; the issue was reported by the vendor and requires local access plus user interaction, so EPSS-style mass-exploitation risk is limited.

Microsoft Information Disclosure Total Security Internet Security
NVD VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-11567 MEDIUM POC PATCH This Month

SureForms WordPress plugin before 2.11.1 permits unauthenticated attackers to submit manipulated payment amounts below the configured price on any form using a dynamically-sourced or hidden variable payment field, enabling financial fraud against site operators. The integrity bypass is confined to forms with variable pricing; fixed-price forms are explicitly unaffected. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 2.11.1 - though no CISA KEV listing confirms active mass exploitation at time of analysis.

WordPress Information Disclosure Sureforms
NVD WPScan
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-15665 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Ultimate Before After Image Slider & Gallery WordPress plugin (all versions before 4.7.1) enables users with administrator-level access to plant persistent malicious scripts via the BEAF Slider widget's shortcode field, which then execute silently in the browsers of any site visitor loading a page displaying the widget. The plugin pipes the field value through WordPress's native do_shortcode() function without sanitizing or escaping the output, causing unrecognized content to be echoed verbatim to the rendered page. A publicly available proof-of-concept has been disclosed by WPScan; no active exploitation has been confirmed in the CISA Known Exploited Vulnerabilities catalog.

WordPress Information Disclosure Ultimate Before After Image Slider Gallery
NVD WPScan
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-15629 LOW POC Monitor

Link-following vulnerability in louisho5 picobot up to version 0.2.0 allows a remote, low-privileged attacker to traverse outside the intended workspace directory via the CreateSkill and GetSkill functions in the filesystem handler. The root cause is improper symlink resolution (CWE-59) in internal/agent/tools/filesystem.go, enabling potential unauthorized file read and write operations on the host filesystem. A public exploit exists as a GitHub issue report; no vendor patch has been released and the project maintainer has not yet responded to the disclosure.

Information Disclosure Picobot
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15627 LOW POC Monitor

Information disclosure in nextlevelbuilder GoClaw up to version 3.13.3-beta.3 allows remote low-privileged attackers to extract sensitive data by manipulating the `args.targetUrl` argument passed to the `handleNavigate` function in `pkg/browser/tool.go`. A public proof-of-concept exploit exists and is referenced via GitHub issue #1207, elevating the practical risk beyond the moderate CVSS 4.0 score of 5.3. No confirmed patched release has been identified at the time of analysis, leaving all known versions of the product exposed.

Information Disclosure Goclaw
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15625 LOW POC Monitor

GoClaw 3.11.3 by nextlevelbuilder exposes an incomplete blacklist bypass in the ExecApprovalManager.CheckCommand function, allowing authenticated low-privilege remote attackers to circumvent command approval controls enforced in internal/tools/exec_approval.go. The bypass can yield limited confidentiality, integrity, and availability impacts consistent with the information-disclosure tag and the VC:L/VI:L/VA:L CVSS 4.0 impact metrics. No public exploit identified at time of analysis is incorrect here - a public proof-of-concept exploit exists per the referenced GitHub issue, lowering the technical bar for abuse.

Information Disclosure Goclaw
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15621 MEDIUM This Month

Link-following vulnerability in mosaxiv clawlet up to version 0.2.10 allows local low-privileged attackers to read, write, or modify files outside intended directories by supplying symlinks to the read_file, write_file, and edit_file functions in tools/fs_ops.go. All three file-operation primitives are affected, meaning the attack surface covers both read (information disclosure) and write/edit (integrity impact) paths. No patch is planned - the upstream GitHub issue was explicitly closed as 'not planned', leaving all deployments on affected versions permanently unpatched.

Information Disclosure Clawlet
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-44761 CRITICAL NEWS Act Now

Authentication bypass via well-known default credentials in SAP Commerce Cloud allows an unauthenticated remote attacker to abuse a pre-provisioned sample OAuth2 client whose client ID and secret are published in SAP Help Portal documentation. If the sample client is left in place, the attacker mints a valid OAuth2 access token and calls certain APIs to read and modify business data (CVSS 9.1, high confidentiality and integrity impact, no availability impact). No public exploit identified at time of analysis, but the credentials are publicly documented, making exploitation trivial wherever the sample configuration was never removed.

SAP Information Disclosure Sap Commerce Cloud
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-44753 LOW Monitor

User account enumeration in SAP HANA Extended Application Services Classic Model (XSC) user self-service tools allows unauthenticated remote attackers to identify valid usernames and email addresses by crafting requests that elicit distinguishable server responses. The CWE-204 root cause - observable response discrepancy - means the application behaves differently for valid versus invalid accounts, leaking account existence without requiring credentials. CVSS scores this at 3.7 (AV:N/AC:H) reflecting network accessibility tempered by high attack complexity; no public exploit code or CISA KEV listing has been identified at time of analysis.

SAP Information Disclosure Sap Hana Extended Application Services Classic Model User Self Service
NVD VulDB
CVSS 3.1
3.7
EPSS
0.2%
CVE-2026-44752 HIGH This Week

Reflected cross-site scripting in SAP NetWeaver Application Server Java (specifically the Configuration Wizard component) lets an unauthenticated attacker embed malicious JavaScript in crafted URLs that executes in a victim's browser when the link is opened. Because the CVSS scope is changed (S:C) and confidentiality impact is high, a successful lure can expose sensitive session information and tamper with non-sensitive data rendered in the client. No public exploit identified at time of analysis, but the 8.2 CVSS and unauthenticated, network-reachable vector make it a meaningful phishing-driven risk for exposed SAP portals.

SAP XSS Information Disclosure Java Sap Netweaver Application Server Java Configuration Wizard
NVD VulDB
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-27690 CRITICAL PATCH NEWS Act Now

Request-response desynchronization in SAP Approuter lets an unauthenticated remote attacker send a specially crafted HTTP request that smuggles a second request past the front end, allowing exposure of other users' HTTP responses and denial of service against the application. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) and was reported by SAP; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SAP Request Smuggling Information Disclosure Sap Approuter
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-15618 LOW Monitor

Protection mechanism failure in mosaxiv clawlet up to version 0.2.10 allows remote attackers to bypass the exec Safety Guard, undermining the tool's core command-execution restriction logic. The vulnerability resides in the `guardExecCommand` function within `tools/tool_exec.go`, where insufficient enforcement of protection controls permits manipulation that should otherwise be blocked. Passive user interaction is required (CVSS 4.0 UI:P), and a public proof-of-concept exploit has been released; however, the vendor has closed the tracking GitHub issue as 'not planned', indicating no patch is forthcoming.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-54707 MEDIUM This Month

OnionShare's Receive mode incorrectly writes uploaded files to disk even when the operator has explicitly disabled file uploads, allowing unauthenticated remote attackers over Tor to bypass the access-control setting and deposit files on the host system. This affects deployments where operators have configured the 'disable uploads' option with an expectation that no inbound file writes will occur. No public exploit code or CISA KEV listing is identified at time of analysis, but the logic bypass is straightforward and exploitable against any exposed OnionShare Receive-mode instance with uploads disabled.

Information Disclosure
NVD
CVE-2026-54706 MEDIUM This Month

OnionShare fails to restrict symlink traversal within shared directories, allowing any recipient of a file share to read arbitrary local files on the sharer's machine. When a user shares a directory containing symbolic links, OnionShare follows those links and serves the linked files over the Tor .onion URL - including files and directories outside the intended share root. This is an information-disclosure vulnerability affecting users of OnionShare who share directories that contain symlinks, whether knowingly or not. No public exploit code or active exploitation has been identified at time of analysis, and the issue was reported through Ubuntu's vendor security channel.

Information Disclosure
NVD
CVE-2026-15607 LOW POC PATCH Monitor

Prototype pollution in TanStack DB's select() query compiler allows low-privileged remote attackers to mutate Object.prototype by supplying dot-notation alias paths containing reserved JavaScript property names such as __proto__, prototype, or constructor. Versions up to 0.6.8 are confirmed affected via CPE cpe:2.3:a:tanstack:db. A publicly available exploit exists (GitHub issue #1584), though the vulnerability is not in CISA KEV. The CVSS 4.0 base score of 2.1 reflects low integrity impact scoped to the vulnerable system, but the downstream consequences of Object.prototype mutation in JavaScript runtimes can exceed what raw scoring conveys depending on application logic.

Information Disclosure Prototype Pollution Db
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15605 LOW PATCH Monitor

Artifact Integrity Validation in wandb 0.25.2.dev1 uses MD5 (a cryptographically broken hash algorithm) within ArtifactManifestEntry.download in wandb/sdk/lib/hashutil.py, enabling a sufficiently resourced attacker with write access to artifact storage or a man-in-the-middle network position to substitute a malicious artifact file that shares the same MD5 digest as a legitimate one, bypassing download integrity checks. The CVSS 4.0 base score of 2.3 reflects high attack complexity and the requirement for authenticated access (PR:L), placing real-world exploitability firmly in the theoretical-to-low range. No public exploit exists and the vulnerability has no CISA KEV listing; an upstream fix via SHA-256 supplementation is available as an unmerged GitHub PR (#12031).

Information Disclosure Wandb
NVD VulDB GitHub
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-58102 CRITICAL PATCH Act Now

Heap out-of-bounds read in the Crypt::OpenSSL::X509 Perl module (versions before 2.1.3) lets a crafted X.509 certificate leak adjacent heap memory to an application that enumerates certificate extensions. When code calls extensions(), extensions_by_long_name(), extensions_by_oid(), or has_extension_oid(), a certificate extension whose textual OID exceeds the fixed 129-byte buffer causes the returned hash key to include bytes read past the allocation, exposing process memory and risking a crash. No public exploit is identified at time of analysis and it is not in CISA KEV, but the fix is confirmed in release 2.1.3 and the flaw is trivially triggerable by any attacker who can supply a certificate.

OpenSSL Buffer Overflow Information Disclosure Crypt
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-15598 MEDIUM This Month

Prototype pollution in antv layout 2.0.0 exposes JavaScript runtimes to object prototype manipulation via the `setNestedValue` function in `lib/util/object.js`, where a crafted `path` argument can inject arbitrary properties into the global Object prototype. The CVSS 4.0 vector (AV:N/AC:L/PR:L) indicates network-reachable exploitation requiring low-privilege authentication, with limited but real confidentiality, integrity, and availability impact depending on how downstream application code consumes polluted prototype properties. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor has not responded to the responsible disclosure filed via GitHub issue #292, leaving no patch timeline available.

Information Disclosure Prototype Pollution Layout
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-62328 npm HIGH This Week

Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read every user's AI request logs and full conversation histories by querying the /api/usage/request-logs and /api/usage/request-details endpoints, which ship without authentication middleware. Exposed data includes system prompts, user and assistant messages, tool calls, and user email addresses, and the linked GHSA advisory shows the same missing-auth flaw class also leaks plaintext provider API keys via /api/usage/stats and permits unauthenticated CRUD on /api/providers. This is a network-reachable, no-privilege flaw (CVSS 4.0 8.7) with no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis.

Authentication Bypass Information Disclosure 9Router
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-62327 npm CRITICAL Act Now

Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote attacker retrieve full plaintext API keys for every connected AI provider by issuing a single GET to the /api/usage/stats endpoint, which lacks authentication middleware. The same missing-auth flaw class extends to unauthenticated CRUD on /api/providers and exposure of full conversation histories, so an attacker can harvest credentials, hijack provider accounts, and commit billing fraud or quota exhaustion. Reported by VulnCheck with a critical CVSS 4.0 base of 9.3; no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis.

Authentication Bypass Information Disclosure 9Router
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-62200 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.1 lets a lower-trust authenticated caller abuse Git 'ext' transport through incomplete host-exec environment filtering to execute or persist actions beyond their intended privileges. VulnCheck reported and characterizes it as an authentication bypass via Git ext transport, and a GitHub Security Advisory (GHSA-9969-8g9h-rxwm) is published; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact reachable over the network with only low privileges.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62199 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.6 lets a low-privileged caller inject crafted interpreter startup environment variables through the host exec feature, executing or persisting actions beyond their intended authorization. The flaw stems from incomplete environment-variable filtering (CWE-184) that overlooks interpreter startup variables, and per its CVSS 4.0 vector (VC:H/VI:H/VA:H) yields high confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis; the issue is reported by VulnCheck and fixed in 2026.6.6.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft PC Manager allows an authenticated low-privileged user to gain elevated (typically SYSTEM/administrator) privileges by abusing improper link resolution before file access (CWE-59). Reported by Microsoft with a patch available via MSRC; no public exploit identified at time of analysis and not listed in CISA KEV. The CVSS 7.8 score reflects high confidentiality, integrity, and availability impact once the local, low-privilege prerequisites are met.

Information Disclosure Microsoft Pc Manager
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds read in Windows Kernel allows an authorized attacker to bypass a security feature locally.

Buffer Overflow Microsoft Information Disclosure +18
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution in the Microsoft Graphics Component affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). An attacker who convinces a user to open a specially crafted file or content triggers an out-of-bounds read (CWE-125) that Microsoft rates as enabling code execution with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation requires local access plus user interaction, making it a standard patch-cycle priority rather than an emergency.

Buffer Overflow Microsoft Information Disclosure +18
NVD
EPSS 1% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Network code execution in the Windows Print Spooler service allows an authenticated attacker to win a synchronization race and run arbitrary code across a broad range of Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). Microsoft rates it CVSS 8.8 with high confidentiality, integrity, and availability impact; a vendor patch is available, and there is no public exploit identified at time of analysis. Note that the CVE description and CVSS indicate remote code execution while the source tags label it 'Information Disclosure' — a discrepancy defenders should verify against the MSRC advisory.

Microsoft Race Condition Information Disclosure +18
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.

Buffer Overflow Microsoft Information Disclosure +16
NVD
EPSS 0% CVSS 7.1
HIGH PATCH Exploit Unlikely This Week

Information disclosure in Microsoft Office (Microsoft 365 Apps, Office 2016/2019, Office LTSC 2021/2024, and Office for Mac) via an out-of-bounds read (CWE-125) lets an attacker leak sensitive memory contents when a victim opens a maliciously crafted document. The CVSS 3.1 base score is 7.1 (AV:L/AC:L/PR:N/UI:R), reflecting local exploitation that requires user interaction but no prior authentication. Microsoft is the reporting source and has published a fix; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Microsoft Information Disclosure +8
NVD
EPSS 0% 4.6 CVSS 7.8
HIGH POC KEV PATCH THREAT Exploited Act Now

Local privilege escalation in Microsoft Active Directory Federation Services (AD FS) lets an already-authenticated low-privileged user on the host gain higher privileges due to insufficient granularity of access control (CWE-1220). Affected deployments span AD FS on Windows Server 2012 through Windows Server 2025, and the flaw carries a CVSS 7.8 with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-priority-driven rather than exploitation-driven risk.

Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 +11
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

Buffer Overflow Microsoft Information Disclosure +9
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

External control of file name or path in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

Microsoft Information Disclosure Microsoft Sharepoint Enterprise Server 2016 +2
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local tampering in Windows CryptoAPI (Crypt32) on Windows 11 (24H2/25H2/26H1) and Windows Server 2022/2025 stems from a missing cryptographic step, letting an authenticated local attacker undermine the integrity and confidentiality of cryptographically protected data. Microsoft rates it 7.1 (High) with high confidentiality and integrity impact; there is no public exploit identified at time of analysis and it is not on the CISA KEV list. A vendor patch is available through the MSRC update guide.

Microsoft Information Disclosure Windows 11 Version 24H2 +5
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user to gain higher privileges on the host by controlling a file name or path used by the server engine. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, and Microsoft has released a patch. There is no public exploit identified at time of analysis, and the CVE is not in CISA KEV.

Information Disclosure Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack +8
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an authenticated attacker with low-level privileges on the server to elevate to higher privileges due to insufficiently granular access controls (CWE-1220). The CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L) reflects local exploitation yielding full confidentiality, integrity, and availability impact. A vendor patch is available; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Microsoft Information Disclosure Microsoft Exchange Server 2016 Cumulative Update 23 +3
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.

Microsoft Information Disclosure Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Information disclosure via uninitialized memory in the Windows SMB driver stack affects a broad range of Windows 10, Windows 11, and Windows Server versions. A locally authenticated, low-privileged attacker can trigger a code path that reads from uninitialized memory within the SMB subsystem, potentially leaking sensitive kernel or heap memory contents. No public exploit code or active exploitation has been identified at the time of analysis; Microsoft has released a patch via MSRC.

Microsoft Information Disclosure Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows USB Print Driver affecting Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an already-authenticated, low-privileged user win a race condition (CWE-362) in the driver to gain higher privileges. Microsoft has released a patch and reported the flaw itself; there is no public exploit identified at time of analysis. The high attack complexity (AC:H) reflects the timing-dependent nature of exploiting the shared-resource synchronization defect.

Microsoft Race Condition Information Disclosure +5
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Microsoft Printer Drivers component across Windows 10, Windows 11 (through 26H1), and Windows Server 2012 through 2025 lets an already-authenticated attacker corrupt kernel-adjacent memory to gain higher privileges. The flaw is a double free (CWE-415) triggered locally by a low-privileged user, yielding high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Microsoft Information Disclosure Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated attacker to win a race condition (CWE-362) and elevate to SYSTEM-level privileges across supported Windows 10, Windows 11, and Windows Server 2019-2025 builds. Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and EPSS is low (0.16%, 5th percentile). CVSS 7.0 reflects high attack complexity (AC:H) driven by the timing-window nature of the flaw and the requirement for existing low-privilege access (PR:L).

Microsoft Race Condition Information Disclosure +11
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Active Directory certificate-validation path lets an already-authenticated attacker on Windows 10 (1607/1809) and Windows Server 2016 through 2025 (including Server Core) improperly validate a certificate to gain higher privileges. Microsoft reported and patched the flaw (CWE-295), but there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS 7.8 vector (AV:L/PR:L) confirms an authenticated local attacker with full confidentiality, integrity, and availability impact upon success.

Microsoft Information Disclosure Windows 10 Version 1607 +8
NVD
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an authenticated low-privileged user to win a race condition and elevate to SYSTEM across Windows 10, Windows 11 (through 26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available, it carries CVSS 7.0 but a high attack complexity (AC:H) reflecting the timing-sensitive nature of the flaw. There is no public exploit identified at time of analysis, and EPSS is low (0.19%, 9th percentile), consistent with CISA SSVC rating exploitation as 'none.'

Microsoft Race Condition Information Disclosure +18
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows USB Print Driver lets an already-authenticated low-privileged user win a race condition to gain SYSTEM-level control on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. The flaw stems from unsynchronized access to a shared resource, and successful exploitation yields full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.

Microsoft Race Condition Information Disclosure +5
NVD
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows USB Print Driver on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an already-authenticated low-privileged user win a timing race in the driver to gain elevated privileges. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV. The high attack complexity (must reliably win a race window) tempers real-world exploitability despite full confidentiality, integrity, and availability impact.

Microsoft Race Condition Information Disclosure +5
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Windows Common Log File System (CLFS) Driver allows an already-authenticated, low-privileged user to elevate to SYSTEM on a wide range of Windows client and server releases. Microsoft classifies the root cause as exposure of sensitive information (CWE-200), but the CVSS impact profile (C:H/I:H/A:H) reflects that the leaked kernel data enables full local privilege escalation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though CLFS has historically been a heavily exploited elevation-of-privilege target in Windows.

Microsoft Information Disclosure Windows 10 Version 1607 +17
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Insufficiently protected credentials in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

Information Disclosure Visual Studio Code
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Microsoft Windows App Store component (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025) allows an authorized low-privileged attacker to win a race condition on an improperly synchronized shared resource and gain higher privileges. Exploitation is local-only and high-complexity because it depends on reliably hitting a narrow timing window, and no public exploit has been identified at time of analysis. A vendor patch is available via Microsoft's MSRC update guide.

Microsoft Race Condition Information Disclosure +14
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH Exploit Unlikely This Month

Out-of-bounds read in Windows TCP/IP allows an authorized attacker to disclose information locally.

Buffer Overflow Microsoft Information Disclosure +18
NVD
EPSS 3% CVSS 7.8
HIGH PATCH Exploit Likely This Week

Local privilege escalation in the Windows StateRepository API lets an already-authenticated low-privileged user gain higher (typically SYSTEM-level) privileges due to insufficiently granular access control (CWE-1220). It affects a broad range of currently supported Windows client and server builds (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025). The flaw was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis (not listed in CISA KEV).

Microsoft Information Disclosure Windows 10 Version 1809 +10
NVD
EPSS 0% CVSS 7.1
HIGH PATCH Exploit Unlikely This Week

Local information disclosure in the Microsoft Windows App Store (Store/AppX component) affects a broad range of Windows 10, Windows 11, and Windows Server releases (1607 through 26H1, Server 2016/2019/2022/2025). An authorized local attacker can leverage a use of uninitialized resource (CWE-908) to read memory contents that should not be exposed, with CVSS 7.1 reflecting high confidentiality impact but requiring low-privileged authenticated local access. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and Microsoft has released a patch via the MSRC update guide.

Microsoft Information Disclosure Windows 10 Version 1607 +13
NVD
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows App Installer (App Installer / MSIX handler) on Windows 11 (23H2 through 26H1) and Windows Server 2025 lets an already-authenticated local attacker win a timing race to elevate to higher privileges. The flaw stems from improper synchronization of a shared resource during concurrent execution, and Microsoft has released a patch. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Microsoft Race Condition Information Disclosure +6
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH Exploit Unlikely This Month

Cleartext transmission of sensitive information in Windows Ancillary Function Driver for WinSock allows an authorized attacker to disclose information locally.

Microsoft Information Disclosure Windows 10 Version 1607 +18
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Exposure of sensitive information to an unauthorized actor in Windows Media allows an authorized attacker to disclose information locally.

Microsoft Information Disclosure Windows 10 Version 1809 +10
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Secure Kernel Mode (SKM/VTL1) allows an already-authenticated attacker to elevate to higher privileges on affected Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025 systems. The flaw stems from improper consistency validation of input crossing the trust boundary into the isolated secure kernel (CWE-1288), yielding full confidentiality, integrity, and availability impact on the local host. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Microsoft Information Disclosure Windows 10 Version 1607 +14
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Credential leakage in sigstore-js (specifically the @sigstore/oci package) before 0.7.1 allows Docker registry credentials to be transmitted to the wrong registry because getRegistryCredentials() matched configured auth keys against the target registry using a substring check instead of an exact host match. An attacker who can induce a victim to push or pull signatures/attestations against an attacker-named registry whose hostname has a substring relationship with a legitimately configured registry (e.g. 'cr.io' vs 'ghcr.io', or 'victim.127.0.0.1:5000' vs '127.0.0.1:5000') can capture the victim's stored registry credentials. There is no public exploit identified at time of analysis, and this is not listed in CISA KEV; the underlying weakness (CWE-522) is confirmed and fixed by the vendor in @sigstore/oci 0.7.1.

Docker Information Disclosure Sigstore Js
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

A security vulnerability has been detected in tamagui up to 2.3.0. This affects the function updateConfig of the file code/core/web/src/config.ts. Such manipulation leads to improperly controlled modification of object prototype attributes. The attack may be performed from remote. Upgrading to version 2.3.1 is able to mitigate this issue. The name of the patch is e46af9879b7627934ea4d6d6e46e65cea53abb3d. The affected component should be upgraded.

Prototype Pollution Information Disclosure Tamagui
NVD VulDB GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Out-of-bounds memory disclosure in Python Pillow before 12.3.0 lets an attacker who supplies a crafted McIdas AREA image file read adjacent process memory or crash the host application. When such a file is opened from a filename, header words control the raw-codec mmap row stride; setting it below the true row width causes later pixel operations (tobytes, getpixel, convert, save) to read past the mapped region. No public exploit is identified at time of analysis and it is not in CISA KEV, but the upstream fix, PR, and a regression test are public, making the flaw well documented.

Python Buffer Overflow Information Disclosure +1
NVD GitHub
CRITICAL Act Now

Missing TLS certificate validation in the XAPI C# and PowerShell SDK bindings - specifically on secondary HTTP handler connections used for disk image transfers, host backups, RRD data, and patch delivery - allows a network-positioned attacker to intercept communications between third-party management tools and Xen hypervisor hosts. Successful Man-in-the-Middle exploitation can yield stolen administrative session tokens, enabling full hypervisor session hijack, or permit tampering with critical data such as imported disk images and host update packages in transit. No public exploit code has been identified at time of analysis, and the Xen Project advisory XSA-498 confirms no known mitigations exist short of patching.

Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Out-of-bounds heap read in Python Pillow's TGA RLE encoder (versions 5.2.0 through 12.2.x) lets adjacent process heap bytes leak into a generated TGA file when an application saves a mode '1' (1-bit) image using compression='tga_rle'. The flaw is an information-disclosure bug (CWE-125), fixed in 12.3.0, with no public exploit identified at time of analysis. The NVD CVSS of 7.5 (network vector) overstates practical reach because triggering the leak depends on the host application invoking this specific and unusual save path.

Python Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Server-Side Request Forgery and information disclosure in Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2 arises from insufficient CSS sanitization in HTML e-mail bodies, letting a crafted message with stylesheet links pointing to internal hosts coerce the server into issuing requests to local-network resources. This is a re-opened flaw stemming from incomplete fixes for CVE-2026-35540 and CVE-2026-48843, indicating the sanitizer still failed to block specific local-address URL patterns. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates it as a stable security update recommended for all installations.

SSRF Information Disclosure Webmail
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Prototype pollution in compromise (spencermountain/compromise) through version 14.15.1 exposes all JavaScript applications using the library to Object.prototype contamination via the nlp.extend() Public Root API. A low-privileged remote attacker who can supply a crafted plugin argument containing __proto__, constructor, or prototype keys can inject properties into the global Object.prototype, producing partial confidentiality, integrity, and availability impact across the Node.js runtime. A public exploit exists via GitHub issue #1208, a vendor patch has been released (commit b4644ab7), and no CISA KEV listing has been confirmed at time of analysis.

Prototype Pollution Information Disclosure Compromise
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Python Pillow (versions 8.2.0 through 12.2.0) allows remote attackers to exhaust memory during JPEG2000 decoding, causing out-of-memory failures in any application that decodes untrusted images. The flaw stems from Pillow's JPEG2000 decoder summing tile widths across the whole image rather than per tile, so a small crafted tiled file forces disproportionately large transient allocations. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the upstream fix (12.3.0) and a public PR/commit make the root cause fully transparent.

Python Information Disclosure Pillow
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in the Perl DBI (Database Independent Interface) module before version 1.651 lets a caller trigger a negative-array-index read inside the internal row-buffer helper (_set_fbav in DBI.xs), potentially disclosing adjacent process memory or crashing the interpreter. The flaw arises when a statement handle declares zero fields but is fed a non-empty source row, an inconsistency the module failed to reject before returning results. No public exploit has been identified at time of analysis and the issue is not on CISA KEV; the assigned CVSS of 9.1 reflects high confidentiality and availability impact under a network vector, but realistic exploitation depends on a caller (typically a DBD driver or database backend) supplying mismatched metadata and rows.

Buffer Overflow Information Disclosure Dbi
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Broken object-level authorization in Easy!Appointments 1.5.2 lets any authenticated user query the customers search endpoint to harvest the appointment hash tokens of other users and providers. Because these hashes act as the access control for appointment operations, an attacker can then edit or delete appointments they do not own, achieving a full Appointments Takeover across other providers. No public exploit identified at time of analysis; the flaw is fixed in version 1.6.0.

Information Disclosure Easyappointments
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Prototype pollution in kofrasa mingo up to version 7.2.1 allows low-privileged remote attackers to corrupt JavaScript Object.prototype by supplying `__proto__` as a field selector in `$set`, `updateOne`, or `updateMany` operations, injecting arbitrary properties into all objects within the Node.js process. Proof-of-concept exploit code exists (CVSS 4.0 E:P), and successful exploitation can cascade to application-wide privilege logic bypass, information disclosure, or denial of service depending on how the host application relies on inherited object properties. Vendor-released patch version 7.2.2 is confirmed available.

Prototype Pollution Information Disclosure Mingo
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Buffer over-read in Fortinet FortiOS and FortiProxy exposes sensitive memory contents to authenticated network attackers across multiple product lines including FortiPAM and FortiSwitchManager. The flaw, rooted in CWE-126 (buffer over-read), allows low-privileged remote users to read beyond allocated buffer boundaries, resulting in partial information disclosure with no integrity or availability impact. No active exploitation confirmed in CISA KEV, but the CVSS temporal vector includes E:P indicating proof-of-concept exploit code exists, and an official fix is available per RL:O.

Fortinet Buffer Overflow Information Disclosure +4
NVD
EPSS 0% CVSS 2.1
LOW Monitor

Prototype pollution in svg.js (svgdotjs) up to version 3.2.5 allows a remote low-privileged attacker to inject arbitrary properties into JavaScript's shared Object.prototype via the EventTarget.on function of the npm package API. Depending on how consuming applications perform property lookups, this can lead to information disclosure, logic bypass, or integrity violations across the entire JavaScript runtime. No vendor patch exists - the maintainer has not responded to the responsible disclosure - and a proof-of-concept exists (CVSS E:P), though no confirmed active exploitation appears in CISA KEV.

Prototype Pollution Node.js Information Disclosure +1
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Improper TLS certificate validation in Fortinet FortiClientEMS (Endpoint Management Server) exposes sensitive information to network-positioned attackers across FortiClientEMS 7.2 (all listed builds up to 7.2.14), 7.4.0–7.4.1, and 7.4.3–7.4.5. Because the client fails to properly verify server certificates (CWE-295), an attacker able to intercept EMS communications can decrypt or observe protected traffic to disclose information. There is no public exploit identified at time of analysis and CISA SSVC scores exploitation as 'none', but Fortinet rates the flaw CVSS 9.8, so patching should be prioritized despite the lack of observed exploitation.

Fortinet Information Disclosure Forticlientems
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Remote denial-of-service in the Rockwell Automation FLEX 5000 EtherNet/IP adapter allows an unauthenticated network attacker to crash the module by sending a crafted CIP (Common Industrial Protocol) packet, halting the adapter and its associated I/O until a manual power cycle restores operation. The CVSS 4.0 score of 8.7 (High) reflects a network-reachable, no-privilege attack with high availability impact but no confidentiality or integrity loss. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV, so there is no confirmed active exploitation.

Information Disclosure The Flex 5000 Ethernet Ip Adapter
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Information disclosure in Fortinet FortiAuthenticator (6.5 all versions and 6.6.0–6.6.2) lets a remote unauthenticated attacker read out-of-bounds memory via a specially crafted request, exposing sensitive in-memory data. The CVSS temporal metrics (E:F, RC:C) indicate a functional, confirmed exploit is understood by the vendor, and an official fix is available (RL:O). No CISA KEV listing is present, so this is not confirmed as actively exploited despite the mature exploit signal.

Fortinet Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Exposure of a scanning VM's VNC service in Fortinet FortiSandbox 5.0.0-5.0.2 and 4.4.3-4.4.8 lets an unauthenticated remote attacker reach the VNC server of the sandbox virtual machines used for malware detonation via ordinary network requests. Because these VMs run and observe live malware samples, unauthorized VNC access can expose sensitive analysis sessions and potentially allow interaction with the detonation environment. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Fortinet Information Disclosure Fortisandbox
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds memory read in the Zephyr RTOS LwM2M firmware-update pull client (subsys/net/lib/lwm2m/lwm2m_pull_context.c) lets a LwM2M management server — or an on-path attacker on a session lacking strong DTLS — leak adjacent device memory and crash the device by writing an over-length Package URI (resource /5/0/1). Affected releases span v3.0.0 through v4.4.0 with the default-on CONFIG_LWM2M_FIRMWARE_UPDATE_PULL_SUPPORT path enabled. No public exploit identified at time of analysis; a vendor patch is available and EPSS/KEV signals are absent.

Buffer Overflow Denial Of Service Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Kernel object corruption in Zephyr RTOS (v4.1.0 through v4.4.0) lets a deprivileged user thread on CONFIG_USERSPACE builds re-initialize a live k_pipe to which it has been granted access, orphaning threads already blocked on that pipe. Because z_impl_k_pipe_init() unconditionally resets the ring buffer and wait queues without accounting for pended waiters, a subsequent timeout or wake drives sys_dlist_remove() through dangling pointers, producing an attacker-influenced invalid kernel write, list corruption, lost wakeups, and silent data loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the fix hardens the k_pipe_init syscall verifier.

Information Disclosure Zephyr
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and kernel memory corruption in Zephyr RTOS on Xtensa SoCs (v3.7.0 through v4.4.0) built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, where arch_buffer_validate() fails open on an integer-overflow edge case, letting an unprivileged user thread trick the kernel into reading or writing arbitrary kernel/partition memory on its behalf. The flaw stems from a default-permit return value combined with a ROUND_UP address-space wrap that skips the MPU probe loop entirely, and it is not caught by the existing syscall-layer overflow guards. Vendor patch is available; no public exploit identified at time of analysis, and this is not in CISA KEV.

Denial Of Service Privilege Escalation Information Disclosure +3
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Denial-of-service in Rockwell Automation 1756-EN2, 1756-EN3, and 1756-ENBT ControlLogix EtherNet/IP communication modules lets an unauthenticated network attacker drop active device connections by sending malformed CIP Implicit (I/O) Connection packets. Because CVSS 4.0 rates only availability impact (VC:N/VI:N/VA:H) and connections recover immediately once the traffic stops, the flaw enables repeatable disruption rather than persistent outage or code execution. No public exploit identified at time of analysis, and the module is not in CISA KEV.

Information Disclosure 1756 En2 1756 En3 1756 Enbt
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

The reschedule endpoint in Easy!Appointments 1.5.2 and earlier exposes the complete customer database record to any party holding the 12-character appointment hash, with no authentication check and no field whitelisting on the ea_users row. These hashes are deliberately distributed to customers in reschedule emails, embedded in confirmation page URLs, and visible in operator calendar links, which means the effective attacker pool is anyone who has ever received or forwarded a booking email. The fix is available in version 1.6.0 per the GitHub security advisory; no public exploit code and no CISA KEV listing have been identified at time of analysis.

PHP Information Disclosure Easyappointments
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Information disclosure with integrity impact in the Spotfire Server modules of Spotfire Enterprise, Spotfire Enterprise with External Consumers, and Spotfire on Kubernetes allows a remote, unauthenticated attacker to obtain sensitive data and alter server-side state once a victim is lured into a passive interaction (UI:P), such as opening a crafted link or analysis. The CVSS 4.0 base score is 8.7 (High) with high confidentiality and integrity impact and low availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS was not provided.

Kubernetes Information Disclosure Spotfire Enterprise +2
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

MIME type restriction bypass in TYPO3 CMS 14.2.0-14.3.5 allows unauthenticated attackers to upload files of arbitrary MIME types through forms configured with FileUpload or ImageUpload elements, circumventing the allowedMimeTypes restriction entirely. The flaw originates from a lifecycle ordering defect in the server-side form framework: MimeTypeValidator is registered before concrete form definition properties are applied, so it is absent from the validation pipeline at runtime. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the network-accessible, zero-prerequisite-auth nature of the bypass elevates practical risk wherever affected forms are publicly exposed.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Out-of-bounds read in Citrix Secure Access Client for Windows (all versions before 26.6.1.20) enables a local low-privileged attacker to read memory beyond an allocated buffer boundary, resulting in high confidentiality impact with no integrity or availability consequence. The CVSS 4.0 score of 6.8 reflects the local attack vector and low-privilege requirement, meaning an attacker must already hold a foothold on the endpoint. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis.

Citrix Buffer Overflow Microsoft +2
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Firefox versions prior to 152.0.6 are exposed to a network-exploitable flaw requiring user interaction that yields limited confidentiality and integrity impact within the browser context. Publicly available exploit code exists, confirmed by Mozilla's own advisory language, though the vendor reports no known attacks in the wild at time of disclosure. The fix is confirmed in Firefox 152.0.6, referenced in Mozilla security advisory MFSA2026-67.

Mozilla Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Information disclosure in Mozilla Firefox via CWE-763 (Release of Invalid Pointer or Reference) allows network-based attackers to read limited memory contents from affected browser instances. All Firefox versions prior to 152.0.6 are affected. Publicly available exploit code exists, though Mozilla reports no confirmed attacks in the wild; user interaction is required to trigger the flaw, moderately reducing real-world exposure.

Mozilla Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Incorrect WHERE-clause evaluation in Perl's DBI::SQL::Nano (versions 1.42 up to 1.651) causes text-based '<=' and '>=' comparisons to be silently inverted, so range-filtered queries return the wrong set of rows. The flaw affects DBI's built-in fallback mini-SQL engine used by file-backed drivers (DBD::File, DBD::DBM, CSV-style) when SQL::Statement is absent, and applications that rely on such predicates for policy or authorization filtering may leak or mishandle records without any error. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; the fix is available upstream in DBI 1.651.

Information Disclosure Dbi
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Out-of-bounds read in libsoup 3.6.6 exposes WebSocket clients to memory disclosure and crashes when connecting to malicious servers. The incomplete fix for CVE-2026-0716 (commit 6ff7ef0) placed the integer overflow guard exclusively inside the masked-frame branch, leaving the unmasked server-to-client frame path entirely unprotected - allowing a crafted payload length near UINT64_MAX to bypass the guard entirely. No public exploit code or active exploitation (CISA KEV) has been identified, but the CVSS AC:H rating reflects the non-trivial preconditions: a specific client configuration and attacker-controlled server are both required.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Eclipse Jetty mishandles HTTP URI path parameters containing semicolons combined with traversal sequences, delivering an unresolved path (e.g., `/public/../admin/secret.txt`) to downstream web applications instead of the canonicalized form (e.g., `/admin/secret.txt`). Web applications that delegate path-based authorization decisions to Jetty-provided paths are susceptible to confusion attacks where an attacker crafts a URI like `/public;/../admin/secret.txt` to receive a path that bypasses application-layer access controls. Jetty itself is shielded by its alias checker and will not serve restricted files directly; the integrity risk materializes only in applications that consume the unresolved path for routing or authorization logic. No public exploit code or CISA KEV listing is present at time of analysis.

Information Disclosure Eclipse Jetty
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Eclipse Jetty fails to enforce RFC 9110/9112's requirement that the HTTP request authority (host and port) match the value in the Host header across all supported protocol versions - HTTP/1, HTTP/2, and HTTP/3. Unauthenticated network attackers can exploit this input validation gap to manipulate Host-header-derived URI constructions (particularly redirect targets on login pages), influence virtual host selection, corrupt reverse proxy routing decisions, and produce misleading access logs. No public exploit has been identified at time of analysis and the vulnerability is not in CISA KEV, but the attack surface is meaningful in any Jetty deployment that performs host-based routing or generates redirects from the Host header.

Information Disclosure Eclipse Jetty
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

HTTP/1.1 trailer leakage in Eclipse Jetty allows a remote unauthenticated attacker to read trailer headers from a previous request when sharing a persistent connection with another party. Trailers sent in an initial request are incorrectly retained in the server's connection state, causing them to bleed into all subsequent requests on the same keep-alive connection - either appended wholesale (if the later request has no trailers) or merged with the later request's own trailers. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Eclipse Jetty
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

HTTP request smuggling in Eclipse Grizzly before 5.0.2 stems from the framework's inability to correctly parse malformed trailer header lines in chunked HTTP requests, enabling CWE-444 boundary-confusion attacks. Remote unauthenticated attackers who can send crafted chunked requests through a front-end proxy to a GlassFish-backed server can cause the proxy and Grizzly to disagree on request boundaries, smuggling attacker-controlled content as the prefix of a subsequent legitimate user's request. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS 4.0 AT:P condition signals that specific deployment prerequisites must be met.

Request Smuggling Information Disclosure Eclipse Glassfish
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Cluster-communication confidentiality and integrity in Apache Tomcat can be undermined because the secure-configuration requirements for the EncryptInterceptor were never clearly documented, leaving operators liable to deploy the cluster session-replication channel insecurely. The flaw affects Tomcat 7.0.100-7.0.109, 8.5.38-8.5.100, 9.0.13-9.0.119, 10.1.0-M1-10.1.56 and 11.0.0-M1-11.0.23, and is fixed in 9.0.120, 10.1.57 and 11.0.24. It carries a CVSS 9.1 (C:H/I:H) but SSVC records exploitation as none, no public exploit identified at time of analysis, and the root cause is a documentation weakness (CWE-1059) rather than a code defect.

Information Disclosure Apache Tomcat +1
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Cross-origin credential leakage in Eclipse Vert.x vertx-core (4.x through 4.5.29 and 5.x through 5.1.4) occurs because DefaultRedirectHandler copies all original request headers verbatim when the HttpClient follows an HTTP 30x redirect, stripping only Content-Length and never comparing the origin (scheme/host/port). An application that lets untrusted input influence a request URL - webhook dispatchers, image proxies, SSRF-style URL fetchers - can be steered to an attacker-controlled redirect target that then receives Authorization, Cookie, Proxy-Authorization, and custom headers like X-API-Token. No public exploit has been identified at time of analysis, and the flaw is not in CISA KEV.

Information Disclosure Eclipse Vert X
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Cross-domain cookie injection in Eclipse Vert.x Web Client (WebClientSession) lets any server a victim application contacts set a cookie scoped to an unrelated third-party domain, which the client later replays to that domain. Versions up to 4.5.29 (4.x) and 5.1.4 (5.x) fail to enforce the RFC 6265 Domain-attribute ownership check, so an attacker can bind their own session cookie into the victim's WebClientSession and have the victim's later requests to a target service execute under the attacker's account, exposing sensitive request payloads. No public exploit identified at time of analysis and it is not listed in CISA KEV; scored CVSS 4.0 8.2 (High) by Eclipse.

Information Disclosure Eclipse Vert X
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Eclipse KUKSA Databroker 0.6.1 panics in a Tokio worker thread when an authenticated client sends a PublishValueRequest with a valid signal_id but omits the optional data_point field, causing the server to call Rust's unwrap() on a None value. Any client holding a valid JWT token can trigger this condition, cancelling the individual gRPC call while leaving the Databroker process intact and available. No public exploit has been identified and this vulnerability is not listed in CISA KEV; EPSS data was not supplied in available intelligence.

Information Disclosure Eclipse Kuksa Databroker
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in Bitdefender Total Security and Internet Security for Windows (versions before 27.0.58.315) lets a less-privileged local user gain higher rights by abusing a symbolic-link race condition in the File Shredder module. Because the shredder operates with elevated privileges and does not safely resolve links before acting on files, an attacker who wins a time-of-check/time-of-use race can redirect a privileged file operation to a target of their choosing. No public exploit identified at time of analysis; the issue was reported by the vendor and requires local access plus user interaction, so EPSS-style mass-exploitation risk is limited.

Microsoft Information Disclosure Total Security +1
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

SureForms WordPress plugin before 2.11.1 permits unauthenticated attackers to submit manipulated payment amounts below the configured price on any form using a dynamically-sourced or hidden variable payment field, enabling financial fraud against site operators. The integrity bypass is confined to forms with variable pricing; fixed-price forms are explicitly unaffected. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 2.11.1 - though no CISA KEV listing confirms active mass exploitation at time of analysis.

WordPress Information Disclosure Sureforms
NVD WPScan
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored cross-site scripting in the Ultimate Before After Image Slider & Gallery WordPress plugin (all versions before 4.7.1) enables users with administrator-level access to plant persistent malicious scripts via the BEAF Slider widget's shortcode field, which then execute silently in the browsers of any site visitor loading a page displaying the widget. The plugin pipes the field value through WordPress's native do_shortcode() function without sanitizing or escaping the output, causing unrecognized content to be echoed verbatim to the rendered page. A publicly available proof-of-concept has been disclosed by WPScan; no active exploitation has been confirmed in the CISA Known Exploited Vulnerabilities catalog.

WordPress Information Disclosure Ultimate Before After Image Slider Gallery
NVD WPScan
EPSS 0% CVSS 2.1
LOW POC Monitor

Link-following vulnerability in louisho5 picobot up to version 0.2.0 allows a remote, low-privileged attacker to traverse outside the intended workspace directory via the CreateSkill and GetSkill functions in the filesystem handler. The root cause is improper symlink resolution (CWE-59) in internal/agent/tools/filesystem.go, enabling potential unauthorized file read and write operations on the host filesystem. A public exploit exists as a GitHub issue report; no vendor patch has been released and the project maintainer has not yet responded to the disclosure.

Information Disclosure Picobot
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Information disclosure in nextlevelbuilder GoClaw up to version 3.13.3-beta.3 allows remote low-privileged attackers to extract sensitive data by manipulating the `args.targetUrl` argument passed to the `handleNavigate` function in `pkg/browser/tool.go`. A public proof-of-concept exploit exists and is referenced via GitHub issue #1207, elevating the practical risk beyond the moderate CVSS 4.0 score of 5.3. No confirmed patched release has been identified at the time of analysis, leaving all known versions of the product exposed.

Information Disclosure Goclaw
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

GoClaw 3.11.3 by nextlevelbuilder exposes an incomplete blacklist bypass in the ExecApprovalManager.CheckCommand function, allowing authenticated low-privilege remote attackers to circumvent command approval controls enforced in internal/tools/exec_approval.go. The bypass can yield limited confidentiality, integrity, and availability impacts consistent with the information-disclosure tag and the VC:L/VI:L/VA:L CVSS 4.0 impact metrics. No public exploit identified at time of analysis is incorrect here - a public proof-of-concept exploit exists per the referenced GitHub issue, lowering the technical bar for abuse.

Information Disclosure Goclaw
NVD VulDB GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Link-following vulnerability in mosaxiv clawlet up to version 0.2.10 allows local low-privileged attackers to read, write, or modify files outside intended directories by supplying symlinks to the read_file, write_file, and edit_file functions in tools/fs_ops.go. All three file-operation primitives are affected, meaning the attack surface covers both read (information disclosure) and write/edit (integrity impact) paths. No patch is planned - the upstream GitHub issue was explicitly closed as 'not planned', leaving all deployments on affected versions permanently unpatched.

Information Disclosure Clawlet
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass via well-known default credentials in SAP Commerce Cloud allows an unauthenticated remote attacker to abuse a pre-provisioned sample OAuth2 client whose client ID and secret are published in SAP Help Portal documentation. If the sample client is left in place, the attacker mints a valid OAuth2 access token and calls certain APIs to read and modify business data (CVSS 9.1, high confidentiality and integrity impact, no availability impact). No public exploit identified at time of analysis, but the credentials are publicly documented, making exploitation trivial wherever the sample configuration was never removed.

SAP Information Disclosure Sap Commerce Cloud
NVD
EPSS 0% CVSS 3.7
LOW Monitor

User account enumeration in SAP HANA Extended Application Services Classic Model (XSC) user self-service tools allows unauthenticated remote attackers to identify valid usernames and email addresses by crafting requests that elicit distinguishable server responses. The CWE-204 root cause - observable response discrepancy - means the application behaves differently for valid versus invalid accounts, leaking account existence without requiring credentials. CVSS scores this at 3.7 (AV:N/AC:H) reflecting network accessibility tempered by high attack complexity; no public exploit code or CISA KEV listing has been identified at time of analysis.

SAP Information Disclosure Sap Hana Extended Application Services Classic Model User Self Service
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Reflected cross-site scripting in SAP NetWeaver Application Server Java (specifically the Configuration Wizard component) lets an unauthenticated attacker embed malicious JavaScript in crafted URLs that executes in a victim's browser when the link is opened. Because the CVSS scope is changed (S:C) and confidentiality impact is high, a successful lure can expose sensitive session information and tamper with non-sensitive data rendered in the client. No public exploit identified at time of analysis, but the 8.2 CVSS and unauthenticated, network-reachable vector make it a meaningful phishing-driven risk for exposed SAP portals.

SAP XSS Information Disclosure +2
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Request-response desynchronization in SAP Approuter lets an unauthenticated remote attacker send a specially crafted HTTP request that smuggles a second request past the front end, allowing exposure of other users' HTTP responses and denial of service against the application. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) and was reported by SAP; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SAP Request Smuggling Information Disclosure +1
NVD
EPSS 0% CVSS 2.1
LOW Monitor

Protection mechanism failure in mosaxiv clawlet up to version 0.2.10 allows remote attackers to bypass the exec Safety Guard, undermining the tool's core command-execution restriction logic. The vulnerability resides in the `guardExecCommand` function within `tools/tool_exec.go`, where insufficient enforcement of protection controls permits manipulation that should otherwise be blocked. Passive user interaction is required (CVSS 4.0 UI:P), and a public proof-of-concept exploit has been released; however, the vendor has closed the tracking GitHub issue as 'not planned', indicating no patch is forthcoming.

Information Disclosure
NVD GitHub VulDB
MEDIUM This Month

OnionShare's Receive mode incorrectly writes uploaded files to disk even when the operator has explicitly disabled file uploads, allowing unauthenticated remote attackers over Tor to bypass the access-control setting and deposit files on the host system. This affects deployments where operators have configured the 'disable uploads' option with an expectation that no inbound file writes will occur. No public exploit code or CISA KEV listing is identified at time of analysis, but the logic bypass is straightforward and exploitable against any exposed OnionShare Receive-mode instance with uploads disabled.

Information Disclosure
NVD
MEDIUM This Month

OnionShare fails to restrict symlink traversal within shared directories, allowing any recipient of a file share to read arbitrary local files on the sharer's machine. When a user shares a directory containing symbolic links, OnionShare follows those links and serves the linked files over the Tor .onion URL - including files and directories outside the intended share root. This is an information-disclosure vulnerability affecting users of OnionShare who share directories that contain symlinks, whether knowingly or not. No public exploit code or active exploitation has been identified at time of analysis, and the issue was reported through Ubuntu's vendor security channel.

Information Disclosure
NVD
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Prototype pollution in TanStack DB's select() query compiler allows low-privileged remote attackers to mutate Object.prototype by supplying dot-notation alias paths containing reserved JavaScript property names such as __proto__, prototype, or constructor. Versions up to 0.6.8 are confirmed affected via CPE cpe:2.3:a:tanstack:db. A publicly available exploit exists (GitHub issue #1584), though the vulnerability is not in CISA KEV. The CVSS 4.0 base score of 2.1 reflects low integrity impact scoped to the vulnerable system, but the downstream consequences of Object.prototype mutation in JavaScript runtimes can exceed what raw scoring conveys depending on application logic.

Information Disclosure Prototype Pollution Db
NVD VulDB GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Artifact Integrity Validation in wandb 0.25.2.dev1 uses MD5 (a cryptographically broken hash algorithm) within ArtifactManifestEntry.download in wandb/sdk/lib/hashutil.py, enabling a sufficiently resourced attacker with write access to artifact storage or a man-in-the-middle network position to substitute a malicious artifact file that shares the same MD5 digest as a legitimate one, bypassing download integrity checks. The CVSS 4.0 base score of 2.3 reflects high attack complexity and the requirement for authenticated access (PR:L), placing real-world exploitability firmly in the theoretical-to-low range. No public exploit exists and the vulnerability has no CISA KEV listing; an upstream fix via SHA-256 supplementation is available as an unmerged GitHub PR (#12031).

Information Disclosure Wandb
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Heap out-of-bounds read in the Crypt::OpenSSL::X509 Perl module (versions before 2.1.3) lets a crafted X.509 certificate leak adjacent heap memory to an application that enumerates certificate extensions. When code calls extensions(), extensions_by_long_name(), extensions_by_oid(), or has_extension_oid(), a certificate extension whose textual OID exceeds the fixed 129-byte buffer causes the returned hash key to include bytes read past the allocation, exposing process memory and risking a crash. No public exploit is identified at time of analysis and it is not in CISA KEV, but the fix is confirmed in release 2.1.3 and the flaw is trivially triggerable by any attacker who can supply a certificate.

OpenSSL Buffer Overflow Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Prototype pollution in antv layout 2.0.0 exposes JavaScript runtimes to object prototype manipulation via the `setNestedValue` function in `lib/util/object.js`, where a crafted `path` argument can inject arbitrary properties into the global Object prototype. The CVSS 4.0 vector (AV:N/AC:L/PR:L) indicates network-reachable exploitation requiring low-privilege authentication, with limited but real confidentiality, integrity, and availability impact depending on how downstream application code consumes polluted prototype properties. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor has not responded to the responsible disclosure filed via GitHub issue #292, leaving no patch timeline available.

Information Disclosure Prototype Pollution Layout
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read every user's AI request logs and full conversation histories by querying the /api/usage/request-logs and /api/usage/request-details endpoints, which ship without authentication middleware. Exposed data includes system prompts, user and assistant messages, tool calls, and user email addresses, and the linked GHSA advisory shows the same missing-auth flaw class also leaks plaintext provider API keys via /api/usage/stats and permits unauthenticated CRUD on /api/providers. This is a network-reachable, no-privilege flaw (CVSS 4.0 8.7) with no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis.

Authentication Bypass Information Disclosure 9Router
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote attacker retrieve full plaintext API keys for every connected AI provider by issuing a single GET to the /api/usage/stats endpoint, which lacks authentication middleware. The same missing-auth flaw class extends to unauthenticated CRUD on /api/providers and exposure of full conversation histories, so an attacker can harvest credentials, hijack provider accounts, and commit billing fraud or quota exhaustion. Reported by VulnCheck with a critical CVSS 4.0 base of 9.3; no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis.

Authentication Bypass Information Disclosure 9Router
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Authorization bypass in OpenClaw before 2026.6.1 lets a lower-trust authenticated caller abuse Git 'ext' transport through incomplete host-exec environment filtering to execute or persist actions beyond their intended privileges. VulnCheck reported and characterizes it as an authentication bypass via Git ext transport, and a GitHub Security Advisory (GHSA-9969-8g9h-rxwm) is published; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact reachable over the network with only low privileges.

Information Disclosure Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Authorization bypass in OpenClaw before 2026.6.6 lets a low-privileged caller inject crafted interpreter startup environment variables through the host exec feature, executing or persisting actions beyond their intended authorization. The flaw stems from incomplete environment-variable filtering (CWE-184) that overlooks interpreter startup variables, and per its CVSS 4.0 vector (VC:H/VI:H/VA:H) yields high confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis; the issue is reported by VulnCheck and fixed in 2026.6.6.

Information Disclosure Openclaw
NVD GitHub
Prev Page 4 of 740 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy