Skip to main content

Information Disclosure

66600 CVEs technique

Monthly

CVE-2026-58503 MEDIUM PATCH This Month

User enumeration via the reset_password endpoint in Frappe framework exposes valid account usernames to unauthenticated remote attackers across all versions prior to 15.106.0 and 16.16.0. The flaw stems from observable response discrepancies (CWE-203) that allow systematic probing of registered accounts without any credentials. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the zero-barrier network access makes this a realistic reconnaissance primitive for credential stuffing or targeted phishing campaigns against Frappe-based deployments.

Information Disclosure Frappe
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-54736 HIGH PATCH This Week

Authentication-bypass via timing side-channel in Phalcon's Crypt::decrypt (cphalcon PHP framework prior to 5.14.1) allows remote attackers to forge valid HMAC tags and have tampered ciphertext accepted as authentic. Because the HMAC verification uses PHP/Zephir identity comparison that short-circuits on the first mismatching byte, an attacker who can observe response timing can recover a valid tag byte-by-byte and break the encrypt-then-MAC integrity guarantee. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw is confirmed and patched by the vendor in 5.14.1.

Information Disclosure PHP Cphalcon
NVD GitHub
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-55664 MEDIUM PATCH This Month

Unauthorized schema disclosure in Grist Core prior to 1.7.15 allows any user with partial read access - explicitly including anonymous public users on publicly viewable documents - to retrieve table and column metadata for any widget by querying the GET /forms endpoint. The endpoint failed both to validate that the requested section was a form widget and to apply the document's configured access rules before returning metadata, meaning hidden schema structure (table names, column names, types) is fully exposed regardless of the restrictions in place. No public exploit has been identified and the vulnerability is not in CISA KEV; a vendor-released patch exists in version 1.7.15.

Python Information Disclosure Grist Core
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-45203 HIGH This Week

Local privilege escalation and memory corruption in Imagination Technologies Graphics DDK (PowerVR GPU driver kit) lets a malicious kernel driver inside a Host VM issue improper commands to the GPU firmware, causing a memory write outside the host kernel's permitted range. The flaw is a TOCTOU race in which values are altered in memory after the firmware validates them but before it uses them, bypassing the firmware's range enforcement. No public exploit identified at time of analysis, EPSS is low (0.12%, 2nd percentile), and it is not listed in CISA KEV.

Information Disclosure Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-54171 Ruby MEDIUM PATCH GHSA This Month

Sensitive HTTP header leakage in the excon Ruby gem's RedirectFollower middleware exposes credentials and tokens to unintended redirect destinations. Applications using the RedirectFollower middleware that include headers such as Authorization or API keys in outbound requests will inadvertently forward those headers to the redirect target - which may be attacker-controlled or a third-party service. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; however, the CVSS 3.1 score of 6.5 reflects high confidentiality impact, and a vendor-released patch is available in v1.5.0.

Information Disclosure
NVD GitHub
CVSS 3.1
6.5
CVE-2026-57219 HIGH PATCH This Week

Sensitive credential disclosure in RabbitMQ affects installations running the management plugin with OAuth 2 configured via management.oauth_client_secret, prior to versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6. The obsolete GET /api/auth endpoint returns the configured OAuth 2 client secret to unauthenticated callers, allowing any remote party with network reach to the management interface to harvest the credential and potentially impersonate the broker to its identity provider. No public exploit identified at time of analysis, and it is not listed in CISA KEV, though the fix and root cause are fully documented in the vendor GitHub Security Advisory GHSA-pj24-8j6m-vq9q.

Information Disclosure Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-55452 MEDIUM PATCH This Month

CSV formula injection in Snipe-IT prior to version 8.5.0 enables a low-privileged authenticated user to store a malicious spreadsheet formula via the HTTP User-Agent header, which is then written unescaped into exported Activity Report CSV files. When an administrator or report viewer opens the exported file in spreadsheet software such as Microsoft Excel or LibreOffice Calc, the embedded formula executes within their local application environment, potentially enabling data exfiltration or arbitrary command execution on the viewer's workstation. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 8.5.0.

Information Disclosure Snipe It
NVD GitHub
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-55370 MEDIUM PATCH This Month

TOTP replay vulnerability in Logto prior to 1.41.0 allows an attacker who holds a victim's first-factor credentials and captures a live TOTP code to replay that code within the same RFC 6238 acceptance window, bypassing multi-factor authentication entirely. The root cause is otplib's stateless verification call with window=1, which validates the time-based OTP cryptographically but does not persist the last-accepted time-step counter - leaving used codes valid for replay until the 30-second window expires. No public exploit or CISA KEV listing exists at time of analysis, but successful exploitation yields full account compromise (C:H, I:H) because MFA is the terminal authentication barrier.

Information Disclosure
NVD GitHub
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-57211 CRITICAL PATCH Act Now

Server-side request forgery and NTLM credential exposure in the RabbitMQ management plugin (versions 4.1.0 to before 4.1.11 and 4.2.0 to before 4.2.6) on Windows lets remote actors coerce the broker into outbound DNS and SMB connections to attacker-controlled UNC paths. The static file handler rabbit_mgmt_wm_static passes URL-encoded backslashes to erl_prim_loader:read_file_info before path validation, but only when multiple management extension plugins are enabled. No public exploit has been identified at time of analysis, and the EPSS score is low (0.28%, 20th percentile) despite the CVSS 10.0 rating.

Microsoft Information Disclosure Rabbitmq Server
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-55474 HIGH PATCH This Week

Arbitrary file read in Snipe-IT before 8.5.0 lets an authenticated user abuse the ActionlogController::displaySig endpoint, which concatenates the route's filename parameter into a private upload-directory path without sanitization, enabling relative path traversal (CWE-23) to read any file the web server process can access. The CVSS 4.0 base score is 7.1 with high confidentiality impact only; there is no public exploit identified at time of analysis and no CISA KEV listing. Because Snipe-IT stores database credentials and application secrets in web-readable files, the practical impact can extend beyond simple information disclosure toward full application compromise.

Information Disclosure Snipe It
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-53449 MEDIUM PATCH This Month

Arbitrary file overwrite in Coturn prior to 4.13.0 is possible through the CLI management interface's `psd` (print sessions dump) command, which passes a user-supplied filename directly to `fopen()` without any path validation (CWE-73). An authenticated admin with CLI access can overwrite any file writable by the coturn process, potentially corrupting sensitive system files, certificates, or configuration data to achieve privilege escalation or service disruption. No public exploit identified at time of analysis; exploitation is constrained to local, high-privilege access, limiting realistic threat surface despite the High integrity and availability impact ratings.

Information Disclosure Coturn
NVD GitHub
CVSS 3.1
6.0
EPSS
0.2%
CVE-2026-56665 MEDIUM PATCH This Month

Insufficient JWT expiration enforcement in ZITADEL's external JWT Identity Provider integration allows tokens lacking the `exp` claim to be treated as indefinitely valid, bypassing intended session lifetime controls. Versions 3.0.0-rc.1 through 3.4.11 and 4.0.0-rc.1 through 4.15.1 are affected, with the flaw residing in `internal/idp/providers/jwt/session.go`. An attacker who can obtain or craft a JWT from a configured trusted external issuer that omits the `exp` claim can maintain persistent authenticated access without re-authentication. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Zitadel
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-56664 Go MEDIUM PATCH This Month

Insufficient session expiration in ZITADEL's external JWT Identity Provider allows arbitrarily old tokens from trusted issuers to pass authentication when the token omits the iat (issued-at) claim. ZITADEL versions prior to 3.4.12 (v3 branch) and 4.15.2 (v4 branch) are affected. An attacker holding a previously issued JWT from a trusted external IdP - specifically one lacking the iat claim - can reuse that token indefinitely, bypassing intended session expiry controls and maintaining unauthorized access. No public exploit identified at time of analysis.

Information Disclosure Zitadel
NVD GitHub
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-57474 MEDIUM PATCH This Month

Configuration information disclosure in Deloitte AI Assist for Customer exposed internal system details through unauthenticated, publicly accessible API endpoints, reducing attacker reconnaissance effort. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L) confirms remote, low-complexity, unauthenticated access, though impact is bounded to low confidentiality exposure with no integrity or availability consequence. Deloitte confirmed the fix on 2026-03-25 by restricting network access and enforcing authentication on the affected endpoints; no public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Ai Assist For Customer
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-54919 HIGH PATCH This Week

TLS certificate validation bypass in cpp-httplib's Mbed TLS backend (0.31.0-0.46.1) and wolfSSL backend (0.33.0-0.46.1) lets a man-in-the-middle attacker defeat HTTPS/WSS protection when a client connects to an IP-literal host with verification nominally enabled. SSLClient/Client in HTTPS mode skip certificate chain validation and the WebSocketClient on Mbed TLS skips verification entirely, so an intercepting attacker can present a crafted certificate and read or alter traffic. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is fixed in 0.47.0.

Information Disclosure Cpp Httplib
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.3%
CVE-2026-59180 LOW PATCH Monitor

HTTP redirect handling in Apprise prior to 1.11.0 leaks user-configured secrets - including Authorization headers, bearer tokens, custom headers, and service API keys - by blindly resending them on redirected requests to attacker-controlled endpoints. Any deployment using Apprise's HTTP-based notification plugins or its HTTP attachment and config loaders (apprise/attachment/http.py, apprise/config/http.py) is affected. An on-path attacker or a compromised notification destination can silently harvest these credentials. No public exploit has been identified at time of analysis, and EPSS data is not present in the source intel, but the credential-theft impact on third-party service integrations elevates real-world risk above the Low CVSS score suggests.

Information Disclosure Apprise
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-59162 MEDIUM PATCH This Month

Panic-triggering denial of service in the Excelize Go library (all versions prior to 2.11.0) allows any actor who can supply a crafted XLSX file to crash the consuming application. The root cause is an integer bounds check that validates only the upper bound of shared-string indices, permitting a cell value of -1 to reach a slice-index operation as a negative integer and cause a Go runtime panic in `GetCellValue` or `GetRows`. No active exploitation has been identified at time of analysis, but the attack is trivially constructable and requires no privileges if the target application exposes XLSX processing to untrusted input.

Microsoft Information Disclosure Excelize
NVD GitHub
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-56676 HIGH PATCH This Week

Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-proxy user to reach internal-only HTTP services. The image-URL validation resolves the host once to a public IP, but open-sse/translator/concerns/image.js performs the actual server-side fetch with a separate DNS lookup, so an attacker-controlled name can rebind to an internal address between the two resolutions. No public exploit identified at time of analysis; the flaw is fixed in 0.5.2.

Information Disclosure 9Router
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-15143 CRITICAL Act Now

Server-side request forgery in the file_type content detector of guardrails-detectors (a component shipped with Red Hat OpenShift AI/RHOAI) allows a remote attacker to submit an arbitrary XML Schema Definition (XSD) that the parser resolves without restriction, coercing the server into fetching attacker-chosen URLs or reading local files. Because the CVSS vector is AV:N/PR:N/UI:N with a changed scope and high confidentiality impact (base score 9.3), an unauthenticated attacker can pivot into internal networks and harvest secrets such as cloud provider credentials. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

SSRF Information Disclosure Red Hat Openshift Ai Rhoai
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-46388 MEDIUM PATCH This Month

File carve operations in osquery prior to 5.23.1 expose sensitive data due to world-readable temporary directory permissions, allowing a local unprivileged attacker to read carve contents during the collection window. If the carve targets a directory the attacker controls, the impact extends to arbitrary local file reads. No public exploit identified at time of analysis; the vendor-confirmed fix ships in osquery 5.23.1.

Information Disclosure Osquery
NVD GitHub
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-59793 HIGH PATCH This Week

Arbitrary file access in JetBrains TeamCity before 2026.1.2 lets an authenticated user abuse the Perforce (P4) VCS integration to read files outside intended boundaries on the TeamCity server host. The flaw (CWE-73, external control of file name or path) was self-reported by JetBrains and is fixed in 2026.1.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. With PR:L in the CVSS vector, exploitation requires a low-privilege account that can define or influence a Perforce VCS root, making it a realistic post-authentication threat on shared CI servers.

Information Disclosure Teamcity
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-57994 MEDIUM PATCH This Month

{categoryId}/{faqId}, and title-plus-preview content via the v3.1 and v4.0 tag-based endpoints - all without credentials. No public exploit has been identified and this vulnerability is not in CISA KEV, though the AV:N/PR:N vector makes exploitation trivially simple for anyone who can reach the API.

Information Disclosure Phpmyfaq
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56329 MEDIUM PATCH This Month

Preview namespace collision in Capgo before 12.128.2 enables authenticated low-privileged tenants to hijack or deny preview routing for other tenants' applications by deliberately registering app IDs containing double underscores that decode identically to a victim's dot-separated app ID. The non-bijective hostname parsing - where `__` maps to `.` but `.` is also a valid app ID character - breaks namespace uniqueness across tenants, allowing cross-tenant preview misrouting. No public exploit has been identified at time of analysis, and no CISA KEV listing exists; real-world impact is confined to preview functionality, not production app delivery.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56279 HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 lets unauthenticated remote attackers call the get_orgs_v7(userid) RPC endpoint with arbitrary user UUIDs to read foreign users' organization memberships, roles, management emails, and billing metadata. The endpoint remained publicly invokable despite intended private access controls, so any internet-facing Capgo deployment on an affected version exposes tenant data cross-account. No public exploit has been identified at time of analysis, though the trivial invocation pattern (supply a UUID) makes weaponization straightforward.

Authentication Bypass Information Disclosure Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56254 HIGH PATCH This Week

Update-signing bypass in @capgo/capacitor-updater (capgo OTA plugin for Capacitor apps) before 12.128.2 undermines its end-to-end encryption by shipping the same private key to every device that downloads the app. Because the public verification key can be derived from that distributed private key, an attacker with a man-in-the-middle position or control of the Capgo delivery server can forge a validly signed update bundle and push attacker-controlled code to devices. Reported by VulnCheck with a CVSS 4.0 base score of 8.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Capacitor Updater
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-22660 HIGH PATCH This Week

Authorization-model destruction in FlaskBB forum software (versions up to and including 2.2.0) lets an authenticated administrator wipe all six built-in permission groups through the management bulk-delete AJAX endpoint. Because the endpoint compares JSON integer group IDs against string literals, the guard meant to protect built-in groups never matches and silently allows their removal, collapsing the forum's entire permission model and potentially bricking the site. No public exploit identified at time of analysis; the flaw was reported by VulnCheck and is fixed in commit a5da9a5.

Information Disclosure Flaskbb
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-56690 HIGH PATCH This Week

SQL injection in Dell PowerFlex Manager prior to version 5.1.0.1 allows a remote, low-privileged authenticated attacker to inject crafted SQL commands through the management interface, resulting in information disclosure and unauthorized access to data beyond the attacker's authorized scope. Rated CVSS 8.5 with a scope-changed vector, the flaw is reported by Dell (DSA-2026-066) and carries confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Dell SQLi Information Disclosure
NVD VulDB
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-56689 HIGH PATCH This Week

SQL injection in Dell PowerFlex Manager before 5.1.0.1 lets a low-privileged, remotely authenticated user inject crafted SQL into a backend query, resulting in unauthorized reading of database contents (information exposure). The flaw is fixed in 5.1.0.1 per Dell advisory DSA-2026-066, and there is no public exploit identified at time of analysis. Because exploitation requires a valid low-privilege account, the practical risk is highest in multi-tenant or broadly-provisioned management deployments rather than internet-facing unauthenticated exposure.

Dell SQLi Information Disclosure
NVD VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-53363 Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags() iptfs_consume_frags() transfers paged fragments from one socket buffer to another but fails to propagate the SKBFL_SHARED_FRAG flag. This is the same class of bug that was fixed in skb_try_coalesce() for CVE-2026-46300: when fragments backed by read-only page-cache pages are merged, the marker indicating their shared nature must be preserved so that ESP can decide correctly whether in-place encryption is safe. Apply the same two-line fix used in skb_try_coalesce() to iptfs_consume_frags().

Linux Information Disclosure
NVD VulDB
EPSS
0.1%
CVE-2026-14461 MEDIUM This Month

Out-of-bounds read in mtr's ipinfo_lookup() function allows a DNS-layer attacker to reliably crash the tool by serving a crafted TXT response during AS-number lookups. mtr through version 0.96 is affected; the root cause is that dn_expand() receives the total response length as its boundary argument rather than the safe, validated packet end - so a >512-byte response carrying a malicious compression pointer in the answer NAME field directs the read past the buffer. No public exploit code and no CISA KEV listing exist at time of analysis, though the crash is described as deterministic once the attacker controls the DNS response.

Buffer Overflow Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-41879 HIGH This Week

Credential disclosure in R-SOFT DMS lets an attacker who obtains the stored superadmin password hash recover the plaintext password, because credentials are protected with a non-salted, nested MD5 hash that is trivially reversible via brute-force and precomputed rainbow tables. The superadmin account is high-value and cannot be rotated through the UI - the password can only be changed by editing the configuration file - so recovered credentials remain valid indefinitely. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Information Disclosure
NVD VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-15026 MEDIUM This Month

Sensitive information exposure in the Import and Export Users and Customers WordPress plugin (all versions ≤ 2.4.0) allows any authenticated subscriber-level user to enumerate and extract the post_title and raw post_content of arbitrary posts regardless of visibility status or post type. Affected content includes drafts, private posts, password-protected entries, future-scheduled posts, trashed items, and non-public custom post types such as WooCommerce orders and internal CRM records. The exploit barrier is exceptionally low: the required security nonce is leaked as inline JavaScript on any wp-admin page reachable by subscribers. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Information Disclosure Import And Export Users And Customers
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-11977 MEDIUM This Month

Local File Inclusion in the Happyforms WordPress plugin (all versions through 1.26.12) allows authenticated administrators to include and execute arbitrary PHP files on the server via the happyforms_get_form_partial() function, enabling full remote code execution when the attacker can also upload PHP files. The vulnerability is rooted in unsanitized filename handling (CWE-98) within the form template rendering logic, as evidenced by the affected files class-wp-customize-form-manager.php and helper-form-templates.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the Administrator-level access prerequisite substantially limits the realistic attacker population.

WordPress LFI RCE PHP Information Disclosure +1
NVD VulDB
CVSS 3.1
6.6
EPSS
0.5%
CVE-2026-40454 HIGH PATCH This Week

Denial of service in the Apache IoTDB C++ client (versions 1.3.5 before 1.3.8 and 2.0.5 before 2.0.10) allows a malicious or compromised IoTDB server to crash any connected client by returning malformed TsBlock response data. The client's TsBlock deserializer performs out-of-bounds reads (CWE-125) on attacker-controlled server payloads, terminating the client process. There is no public exploit identified at time of analysis, EPSS probability is low (0.14%), and impact is limited to availability of the client - no confidentiality or integrity effect is claimed.

Apache Buffer Overflow Information Disclosure Apache Iotdb C Client
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40008 CRITICAL PATCH Act Now

Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and instantiated via Class.forName().newInstance() with no allowlisting, enabling arbitrary class loading and likely remote code execution in the database server process. It affects all releases from 1.0.0 up to (but not including) 2.0.10 and is fixed in 2.0.10. No public exploit identified at time of analysis, and EPSS is low (0.25%, 17th percentile), though CISA SSVC rates the technical impact as total and considers exploitation automatable.

Java Information Disclosure Apache Apache Iotdb
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-12685 HIGH POC This Week

The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.

WordPress Information Disclosure Escortwp
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-12276 MEDIUM POC PATCH This Month

Unauthenticated account registration bypass in the LA-Studio Element Kit for Elementor WordPress plugin (all versions before 1.6.1) allows remote, unauthenticated attackers to create WordPress user accounts on sites where site-wide registration has been explicitly disabled by the administrator. The vulnerable component is an unauthenticated AJAX action handler that omits the standard WordPress registration-status check, effectively nullifying an administrative security control. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 1.6.1; no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

WordPress Information Disclosure La Studio Element Kit For Elementor
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-21056 MEDIUM This Month

Improper authorization in Samsung Health prior to version 7.00.0.107 exposes connected device information to local, low-privileged attackers on the same Android device. The flaw likely involves an improperly protected Android IPC mechanism - such as a content provider or broadcast receiver - that fails to enforce access controls over paired wearable or peripheral device data. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog; combined with the local-only attack vector and limited data sensitivity, real-world risk is low.

Samsung Information Disclosure
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-21055 HIGH This Week

Local privilege escalation to arbitrary command execution in Samsung Bixby (versions prior to 4.0.70.8) allows a malicious co-located Android app to invoke improperly exported application components and run commands with Bixby's elevated privilege level. Reported by Samsung Mobile Security and rated CVSS 4.0 base 8.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation requires attacker-controlled code already present on the device (e.g., a rogue installed app), not remote network access.

Information Disclosure Google
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-21054 MEDIUM This Month

Improper export of Android application components in Samsung's InputSharing app (prior to version 2.7.01.4) exposes internal sharing data to any co-resident application on the same device. The flaw allows a local attacker - via a malicious app installed on the same Samsung device - to silently access data transiting the InputSharing component without requiring any special Android permissions. No active exploitation has been confirmed (no CISA KEV listing), and a vendor-released patch at version 2.7.01.4 is available per the Samsung Mobile Security advisory.

Information Disclosure Google
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-21053 MEDIUM This Month

Improper input validation in Samsung Email prior to version 6.2.13.1 enables local attackers to create arbitrary files within the application's Android sandbox, affecting integrity and availability of the email client. The attack is confined to the Samsung Email sandbox by Android's isolation model and cannot directly escalate to system-level or cross-application impact. No public exploit has been identified and the vulnerability is not listed in CISA KEV; Samsung has released a confirmed fix in version 6.2.13.1.

Samsung Information Disclosure
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-21051 MEDIUM This Month

Incorrect default permissions in Samsung Mobile's WLAN security component expose TencentWifiSecurity settings to any local attacker on Android 14, 15, and 16 devices prior to SMR Jul-2026 Release 1. An unprivileged local user or application can read or modify TencentWifiSecurity configuration, resulting in limited information disclosure and integrity compromise of WiFi security settings. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the zero-privilege-required local access condition broadens practical exposure on shared, enterprise-managed, or already-compromised devices.

Information Disclosure
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-21050 MEDIUM This Month

Improper access control in Samsung's SmartThingsKit component on Android 16 devices allows local attackers without elevated privileges to read sensitive information. The flaw, patched in SMR Jul-2026 Release 1, is limited to local exploitation and carries no integrity or availability impact. No public exploit has been identified at time of analysis, and Samsung has not reported active exploitation.

Information Disclosure
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-21041 MEDIUM This Month

Improper access control in SamsungSEAgentService on Samsung Android 15 and 16 devices allows a local attacker to read sensitive information without requiring elevated privileges. The CVSS 4.0 vector (AV:L/PR:N/VC:H) confirms that any local process on the device can trigger the flaw with high confidentiality impact and no integrity or availability loss. No public exploit or CISA KEV listing exists at time of analysis; risk is bounded to the local attack surface of affected Samsung hardware.

Information Disclosure
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-21040 MEDIUM This Month

Improper access control in IAFDService on Samsung mobile devices (Android 14, 15, and 16) allows local attackers holding low-level privileges to invoke privileged system APIs that should be restricted to higher-trust callers. The flaw carries a CVSS 4.0 score of 6.9, reflecting high integrity and availability impact on the vulnerable system. No public exploit code or active exploitation confirmed in CISA KEV has been identified at time of analysis; Samsung has released the fix in SMR Jul-2026 Release 1.

Information Disclosure
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-21039 MEDIUM This Month

Improper access control in the Samsung Settings application on Android 15 and 16 allows a local attacker to modify Theft Protection configurations without requiring device credentials or elevated privileges. The vulnerability stems from missing or bypassable authorization checks in the Settings component, enabling an attacker with local access - such as someone in possession of a stolen device - to reconfigure the very security controls designed to prevent unauthorized use. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the local-no-privilege vector makes this particularly relevant to physical device theft scenarios.

Information Disclosure
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-15291 HIGH This Week

{id} REST endpoints, which ship with no authentication or authorization checks. Any anonymous visitor can harvest customer PII - names, emails, phone numbers, WhatsApp message contents, full geolocation (IP, city, country, ISP, coordinates), device fingerprints, and even WordPress account details (user IDs, usernames, emails) for logged-in users who submitted the form. There is no public exploit identified at time of analysis and it is not on CISA KEV, but exploitation is trivial and requires only an HTTP client.

Authentication Bypass WordPress Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-15288 HIGH This Week

Payment amount tampering in the SureForms WordPress plugin (versions ≤ 2.2.1) lets unauthenticated attackers submit arbitrary prices when completing Stripe checkout. Because the 'create_payment_intent' and 'create_subscription_intent' handlers trust the amount supplied in user-controlled POST data instead of the form's server-side configured price, an attacker can purchase products or subscriptions for a fraction of their real cost. Reported by Wordfence and fixed in 2.2.2; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-15329 LOW POC Monitor

Information disclosure in zhayujie CowAgent up to version 2.1.0 exposes sensitive data to low-privileged authenticated remote attackers through the BrowserTool._do_navigate function in the Browser Tool component. Publicly available proof-of-concept exploit code exists via a GitHub issue report, though no patch has been released as the project maintainer has not yet responded to responsible disclosure. The CVSS 4.0 score of 2.1 and impact limited to low confidentiality exposure place this at the lower end of priority, tempered by the authentication requirement and niche product footprint.

Information Disclosure Cowagent
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-49837 Go MEDIUM POC PATCH GHSA This Month

Boundary validation failure in GoBGP's BGP OPEN capability parser allows a remote peer to send a malformed OPEN message that causes concrete capability decoders to read beyond the declared CapLen field, enabling attacker-controlled bytes to be interpreted as capability values - most critically, as a 4-octet AS number that influences peer AS validation and BGP session establishment decisions. Affected is GoBGP v4 (pkg:go/github.com_osrg_gobgp_v4), with the 4-octet AS capability (code 65) identified as the highest-impact case. A parser-level proof-of-concept is publicly described in GitHub Security Advisory GHSA-gjrg-jjr3-56cm; no active exploitation has been confirmed and this CVE does not appear in the CISA KEV catalog. IMPORTANT METADATA CONFLICT: The provided intelligence tags label this as 'RCE, Buffer Overflow, Information Disclosure' - all three directly contradict the CVE description, which explicitly states the issue is not arbitrary memory corruption, remote code execution, or information disclosure; security teams must disregard those tags.

RCE Buffer Overflow Information Disclosure
NVD GitHub
CVSS 3.1
5.9
CVE-2026-49834 Go MEDIUM PATCH GHSA This Month

Threshold counting logic in sigstore-go's multi-log verification policy is bypassable by a single compromised transparency or CT log. When a verifier is configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1), the intended defense-in-depth - requiring N distinct log authorities to independently vouch for an artifact - fails because counts accumulate per-entry or per-validation-path rather than per-log-authority. An attacker controlling one compromised Rekor transparency log or CT log can forge multiple entries with distinct indices, or present multiple embedded SCTs across certificate chains, artificially satisfying an N-count threshold with a single compromised source. No public exploit has been identified at time of analysis, and EPSS data is not available in the provided intelligence.

Information Disclosure
NVD GitHub
CVSS 3.1
5.9
CVE-2026-59854 MEDIUM This Month

Credential file exfiltration in SiYuan prior to 3.7.1 is possible through the POST /api/file/globalCopyFiles endpoint, which accepts arbitrary absolute source paths and relies on an incomplete denylist in util.IsSensitivePath to block sensitive files. The denylist omits common credential files including .git-credentials, .netrc, .pgpass, .kube/config, .docker/config.json, and .gnupg, enabling an authenticated administrator or API-token holder to copy these files into the workspace and read them via the file API. No public exploit code or CISA KEV listing exists at time of analysis, but the Docker tag suggests this is relevant in containerized deployments where host-mounted credential files may be accessible.

Information Disclosure Docker Siyuan
NVD GitHub
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-59828 MEDIUM PATCH This Month

Discourse's post revision system exposes hidden edit history to unauthenticated network users through a serialization flaw in PostRevisionSerializer. When computing diffs between adjacent visible revisions, the serializer failed to enforce visibility restrictions, leaking content from revisions that moderators or administrators had marked as hidden. No active exploitation has been identified at time of analysis, but the unauthenticated, low-complexity attack vector means any visitor to a vulnerable Discourse instance can potentially access suppressed post content - including moderator-redacted material - without any credentials or special access.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-53961 MEDIUM PATCH This Month

Discourse's AWS SES bounce webhook endpoint (POST /webhooks/aws) validates Amazon SNS message signatures but omits TopicArn binding, allowing any AWS account holder to publish legitimately signed forged Bounce notifications that revoke a targeted Discourse user's email address. Versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 across all active release branches are affected when the SES integration is enabled. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the low attack complexity and absence of Discourse-side authentication requirements make targeted abuse realistic for any motivated actor with an AWS account.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49256 MEDIUM PATCH This Month

Restricted tag and tag-group name disclosure in Discourse exposes internal taxonomy metadata to anonymous and unauthorized users via the category and group API endpoints. All Discourse versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 are affected when restricted tags or tag groups are configured on publicly readable categories. An unauthenticated actor can enumerate these names - which may contain sensitive organizational labels, project codenames, or internal classifications - using standard HTTP requests with no exploit tooling required. No public exploit code exists and this is not listed in CISA KEV; the CVSS 4.0 AT:P modifier confirms that exploitation requires a specific non-default configuration to be present.

Information Disclosure Discourse
NVD GitHub
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-45788 MEDIUM PATCH This Month

Secure upload bypass in Discourse exposes protected files through the pull_hotlinked_images feature, which fails to enforce the secure_uploads access control when processing posts containing a known secure URL. Affected instances are those running versions prior to 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5 with the secure_uploads site setting enabled. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; however, the fix commits are publicly visible on GitHub, potentially aiding reverse-engineering of the flaw.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.5%
CVE-2026-45780 MEDIUM PATCH This Month

EventSerializer in Discourse improperly exposes private event invitation metadata - including invited group names, sample invitee usernames, and attendance statistics - to any user who can view the topic, regardless of their authorization to access the private invitee list. All Discourse installations prior to versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 are affected when event functionality is in use. No public exploit or active exploitation (CISA KEV) has been identified, but the trivial network vector (AV:N/AC:L/PR:N/UI:N) makes this passively accessible to any user - authenticated or not - with topic-read access on an open or semi-open forum.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.4%
CVE-2026-59831 MEDIUM This Month

Command execution via URI injection in GitHub CLI's `gh codespace jupyter` subcommand (versions 2.10.0-2.95.0) allows an attacker who controls a Codespace to redirect a connecting developer's VS Code instance into executing arbitrary protocol handler actions. The CLI passes a JupyterLab URL sourced from a process inside the Codespace directly to the OS without validating that the URL is a loopback HTTP or HTTPS address, enabling substitution with a crafted `vscode://` or `vscode-insiders://` URI. No public exploit has been identified at time of analysis and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog, but the scope-change characteristic (S:C) means local VS Code extension execution is a realistic downstream impact.

Information Disclosure Cli
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-15271 HIGH This Week

Least-privilege violation across multiple TOTOLINK SOHO router models (A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10, EX200 through firmware 20260906) stems from the /etc/boa/boa.conf configuration of the Boa web-server interface, allowing a low-privileged remote actor to gain access or information beyond their intended authorization boundary. The flaw carries CVSS 4.0 base score 7.7 with high attack complexity, and VulDB rates real-world exploitation as difficult. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure A3000Ru A3100R A950Rg Ac1200T10 +3
NVD VulDB
CVSS 4.0
7.7
EPSS
0.4%
CVE-2026-51926 HIGH This Week

An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.

Information Disclosure PHP
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-51923 HIGH This Week

Broken object-level authorization in docuForm GmbH Client v11.11c lets an authenticated remote user manipulate the user settings component to read and modify other users' account data, with the reporter additionally claiming this can escalate to arbitrary code execution. The flaw stems from user-controlled object references (CWE-639) that the application fails to authorize against the requesting session. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile).

Authentication Bypass Information Disclosure RCE
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-57030 HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exhaust the packet forwarding engine (PFE) by exploiting a race condition in stateful flow teardown. When the race is hit, a flow's timeout is mis-set to a very high value (>10,000s instead of 3s), so sessions are never reaped, invalidated sessions accumulate without bound, and the device eventually stops forwarding or hits a flowd core and reboots. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation is probabilistic because the triggering conditions are outside the attacker's control.

Juniper Race Condition Information Disclosure Junos Os
NVD VulDB
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-57020 HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2) attacker to saturate data-center links by injecting IPv6 multicast traffic in an EVPN-VxLAN fabric. When such packets reach a non-IRB interface of a spine switch, the packet-forwarding engine floods them to other spines and all ESI leaf switches, creating an endless forwarding loop that starves legitimate traffic. No public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 7.1.

Juniper Information Disclosure Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-33803 MEDIUM PATCH This Month

Junos OS Evolved exposes an internal communication process to the network via an unintended open port due to incorrect initialization, enabling unauthenticated remote attackers to interact with a service never designed for external access. Affected Juniper devices suffer limited information disclosure and elevated CPU consumption as the misbound process handles unsolicited ingress packets - a soft availability degradation rather than a crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network vector across a broad version range warrants prompt patching on internet-facing routing infrastructure.

Juniper Information Disclosure Junos Os Evolved
NVD VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-53637 PHP MEDIUM PATCH GHSA This Month

Order data corruption and permanent deletion in Sylius affects authenticated customers across versions prior to 2.0.18, 2.1.15, and 2.2.6 due to a stale-state race condition in the cart LiveComponent. When an order transitions to STATE_COMPLETED while a customer's cart page remains open in a browser tab, subsequent cart actions - clearing, removing items, or adjusting quantities - are applied to the completed order rather than a fresh cart, irreversibly deleting or mutating finalized order records. No public exploit code has been identified at time of analysis, but the attack is trivially reproducible by any authenticated customer without specialized tooling, as the attacker can deliberately engineer the race condition by completing checkout in one tab while exploiting the stale cart in another.

Information Disclosure PHP
NVD GitHub
CVSS 3.1
6.5
CVE-2026-52774 PHP MEDIUM POC PATCH GHSA This Month

Reflected XSS in YesWiki's Bazar widget handler allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by sending a crafted URL containing a double-quote-breaking payload in the `id` GET parameter. The handler at `tools/bazar/handlers/__WidgetHandler.php` performs no authentication or access-control check before rendering the vulnerable template, and `strip_tags()` is misused as an output encoder - it removes tags but leaves double quotes intact, enabling attribute injection across two sinks (`data-formid` and `data-iframeUrl`). A working proof-of-concept was validated on the official doryphore 4.6.5 release; no public exploit identification as KEV-confirmed active exploitation exists at time of analysis, but a complete PoC with exact payloads is publicly available as part of the advisory.

XSS Information Disclosure PHP
NVD GitHub
CVSS 3.1
6.1
CVE-2026-52773 PHP MEDIUM POC PATCH GHSA This Month

Reflected XSS in YesWiki doryphore 4.6.5 allows an attacker to execute arbitrary JavaScript in a victim's browser by exploiting unescaped output of the `time` GET parameter in the archived-revision edit form at `handlers/page/show.php`. A working proof-of-concept has been published by the reporter and confirmed against the official package; the attack exploits MySQL's DATETIME coercion to accept a malformed timestamp that begins with a real archived revision value yet appends injected markup, causing the archived-revision branch to render and reflect the payload unescaped. No active exploitation has been confirmed by CISA KEV, but the detailed PoC lowers the barrier to weaponization.

XSS Information Disclosure RCE PHP
NVD GitHub
CVSS 3.1
6.1
CVE-2026-15270 MEDIUM POC This Month

Least-privilege violation in the D-Link DIR-823G router (firmware 1.0.2B05_20181207) stems from insecure configuration of the Boa web server via /etc/boa/boa.conf, allowing an authenticated remote attacker to abuse over-broad privileges to compromise confidentiality, integrity, and availability. Publicly available exploit code exists, but the CVSS 4.0 vector rates attack complexity high (AC:H) and vendor guidance notes exploitation is difficult; there is no public exploit identified as actively exploited (not in CISA KEV). EPSS data was not supplied, but the low-privilege network vector combined with full CIA impact makes this a meaningful risk on exposed devices.

D-Link Information Disclosure Dir 823G
NVD VulDB
CVSS 4.0
6.8
EPSS
0.4%
CVE-2026-0284 MEDIUM PATCH This Month

XML injection in Palo Alto Networks PAN-OS Large Scale VPN (LSVPN) exposes unauthenticated remote attackers a path to inject malicious XML content into the LSVPN data pipeline, resulting in information disclosure or corruption of internal satellite configuration data. Only PAN-OS devices with LSVPN actively configured are affected; the vendor explicitly confirms Panorama, Cloud NGFW, and Prisma Access are not in scope. No public exploit has been identified at time of analysis, and the CVSS 4.0 supplemental E:U metric signals exploitation as currently unlikely, though the zero-authentication, network-accessible attack surface demands prompt attention from operators running LSVPN hub deployments.

Information Disclosure Paloalto Pan Os
NVD VulDB
CVSS 4.0
4.7
EPSS
0.5%
CVE-2026-0282 LOW PATCH Monitor

Unauthenticated file deletion in Palo Alto Networks PAN-OS allows network-reachable attackers to delete files from a temporary directory via the management web interface, affecting PA-Series and VM-Series firewalls and Panorama appliances. Real-world risk is substantially bounded by the vendor's documented best-practice guidance to restrict management interface access to trusted internal IP addresses, which eliminates external attack surface. No public exploit code has been identified, CISA KEV listing is absent, and the vendor-provided CVSS 4.0 score of 2.7 with an E:U supplemental metric reflects no known active exploitation.

Information Disclosure Paloalto Pan Os
NVD VulDB
CVSS 4.0
2.7
EPSS
0.4%
CVE-2026-0281 LOW PATCH Monitor

Web session token theft from PAN-OS management interfaces affects PA-Series and VM-Series firewalls and Panorama deployments, enabling a network-adjacent unauthenticated attacker to hijack authenticated administrator sessions. Exploitation depends on a legitimate management user clicking an attacker-crafted malicious link while an active session exists - a social engineering prerequisite that substantially reduces real-world risk. No public exploit code exists (CVSS 4.0 E:U) and the issue is not listed in CISA KEV; the vendor rates overall CVSS 4.0 severity at 2.1, reflecting these mitigating factors.

Information Disclosure Paloalto Pan Os
NVD VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2025-63579 HIGH This Week

Sensitive information disclosure in Kyocera Command Center RX, the embedded web management interface of numerous TASKalfa multifunction printers, allows remote attackers to export the entire device address book without authorization. Because the vulnerability also bypasses the encryption protecting incoming data, encrypted content can be decrypted to reveal stored passwords and other confidential data. Publicly available exploit code exists (GitHub PoC), though there is no evidence of active exploitation in CISA KEV; SSVC rates the flaw as automatable with partial technical impact.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-0277 MEDIUM PATCH This Month

Improper certificate validation in the Palo Alto Networks Prisma Access Agent for iOS exposes VPN tunnel traffic to interception and manipulation by a network-adjacent attacker. The flaw (CWE-295) enables a man-in-the-middle position to defeat the agent's TLS/certificate trust chain, allowing an adversary to read or alter traffic that the iOS client believes is securely tunneled. Exploitation is limited to iOS deployments - the Windows, macOS, Linux, Android, and ChromeOS agents are confirmed unaffected. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Apple Microsoft Google Prisma Access Agent
NVD
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-58198 PyPI MEDIUM PATCH This Month

Symlink-based extraction redirect in ChatterBot prior to 1.2.14 enables a local attacker with standard user privileges to cause training corpus archive contents to be written to an attacker-controlled directory by pre-planting a symlink at the predictable path ~/ubuntu_data/ubuntu_dialogs before UbuntuCorpusTrainer.extract() runs. The check-then-create pattern preceding tar.extractall() creates a CWE-367 TOCTOU window that, on shared multi-user systems, allows the attacker to intercept the extraction target without any race if the symlink is planted before the first training run. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 1.2.14.

Information Disclosure Chatterbot
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-59817 MEDIUM PATCH This Month

Ghost CMS versions 6.27.0 through 6.43.x permit unauthenticated attackers to manipulate donation checkout metadata, enabling acquisition of full paid gift memberships for a minimal payment. The flaw, classified as CWE-472 (External Control of Assumed-Immutable Web Parameter), stems from the server trusting client-controlled parameters in the public-facing checkout flow that should be server-authoritative. No active exploitation is confirmed (not in CISA KEV) and no public exploit has been identified; the vendor released a fix in version 6.44.0.

Node.js Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-59720 HIGH PATCH This Week

Unauthorized information disclosure in Hoppscotch prior to 2026.6.0 exposes mock servers linked to private collections to the public internet without authentication. The mock server creation logic in mock-server.service.ts silently drops the caller-supplied isPublic flag, while the Prisma schema defaults isPublic to true, so servers intended to be private are created as public. An unauthenticated remote attacker who reaches the mock endpoint can retrieve sensitive API data (schemas, example payloads, headers) the owner assumed was private; no public exploit was identified at time of analysis and the flaw is not in CISA KEV.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58378 HIGH This Week

Root-level device takeover affects the Allwinner H616-based TV98 Android TV Box, which ships to production with the Android Debug Bridge (ADB) daemon enabled and reachable over the network (TCP/5555). A network attacker can send an ADB authorization request, and if the victim accepts the RSA key confirmation prompt on the device, the attacker obtains a root shell. Classified under CWE-489 (leftover debug functionality), there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the attack is trivial once a user approves the pairing.

Information Disclosure
NVD
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-59222 MEDIUM PATCH This Month

{id}/members endpoint returns full UserModelResponse objects, inadvertently exposing toolServers API keys and webhook configuration belonging to other channel members. No public exploit is identified at time of analysis, but the low exploitation complexity and high value of the exposed credentials (tool server keys enable lateral access to integrated AI tooling infrastructure) elevate practical risk above what the 6.0 CVSS score alone suggests.

Information Disclosure Open Webui
NVD GitHub
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-59219 HIGH PATCH This Week

Session revocation bypass in Open WebUI 0.9.0 through 0.9.x (deployments configured with Redis) lets a holder of a revoked JWT keep authenticating realtime Socket.IO connections. The flaw stems from first-message authentication for Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket calling decode_token without the Redis-backed is_valid_token revocation check, so logout, forced-logout, or token invalidation does not sever active realtime access. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the fix is version 0.10.0.

Redis Information Disclosure Open Webui
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-59213 MEDIUM PATCH This Month

Cache key misconfiguration in Open WebUI versions 0.6.27 through 0.9.x leaks permission-filtered model lists across authenticated users during the aiocache TTL window. The flaw exists in both the OpenAI and Ollama router handlers, where a lambda was incorrectly passed as the cache key instead of a per-user key_builder, collapsing all users into a single shared cache entry. An authenticated attacker on a shared instance can receive a different user's model list - revealing which AI models that user has access to - with no public exploit identified at time of analysis and a vendor-released patch available in v0.10.0.

Information Disclosure Open Webui
NVD GitHub
CVSS 3.1
5.0
EPSS
0.3%
CVE-2026-51599 CRITICAL Act Now

Temporary connection denial-of-service in the RTSP service of the MERCURY MIPC252W IP camera (firmware v1.0.5 Build 230306 Rel.79931n) lets an unauthenticated remote attacker wedge an individual TCP connection by sending an RTSP request that declares a Content-Length but includes no message body. The malformed parser enters a body-waiting state and silently swallows all further data on that socket until a server-side timeout closes it. Despite an NVD CVSS of 9.8 and an 'Information Disclosure' tag, the described behavior is a single-connection availability nuisance with no confidentiality or integrity impact; no public exploit is identified at time of analysis and EPSS is low at 0.18% (8th percentile).

Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-59218 MEDIUM PATCH This Month

Timing-based account enumeration in Open WebUI prior to 0.10.0 exposes whether any given email address is registered on a self-hosted AI instance. The /api/v1/auths/signin endpoint only invokes bcrypt password verification when a matching email record exists, making registered-account login attempts measurably slower than attempts against unregistered emails - a classic CWE-208 timing oracle. Unauthenticated remote attackers can exploit this discrepancy at scale to harvest valid account emails, which can then fuel credential stuffing or targeted phishing. No public exploit code or CISA KEV listing has been identified, and the vendor has released a fix in v0.10.0.

Information Disclosure Open Webui
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-59209 HIGH PATCH This Week

Credential disclosure in n8n workflow automation (versions prior to 1.123.61, 2.27.4, and 2.28.1) allows an authenticated member holding use-only editor access to a shared workflow to read credential-populated HTTP headers via the $request object inside an HTTP Request node's pagination expression, then exfiltrate the secret through returned item data. This defeats n8n's credential-hiding model, which is supposed to prevent low-privilege collaborators from seeing the underlying secret values. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the EPSS/POC signals were not provided.

Information Disclosure N8n
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-59206 HIGH PATCH This Week

Privilege escalation via prototype pollution in n8n workflow automation lets an authenticated low-privilege user (holding the default workflow:create permission) corrupt Object.prototype through a crafted workflow saved, updated, or imported via the workflow API. Once polluted, subsequent unauthenticated requests are evaluated as a privileged user, exposing internal user and project listing endpoints. This is an information-disclosure and access-control flaw with no public exploit identified at time of analysis; CVSS 4.0 base score is 7.1.

Information Disclosure Prototype Pollution N8n
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-59207 HIGH PATCH This Week

Credential secret exfiltration in n8n (self-hosted workflow automation) prior to 2.27.4 and 2.28.1 lets a low-privilege member with use-only access to a shared credential leak that secret to an attacker-controlled server. The AI Agents feature fails to enforce the 'Allowed HTTP Request Domains' restriction when an MCP tool is aimed at an arbitrary URL, so the guardrail meant to keep secrets in-bounds is bypassed. No public exploit identified at time of analysis; risk is elevated because the abuse comes from an already-authorized internal user rather than an outside attacker.

Information Disclosure N8n
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-11404 HIGH PATCH This Week

Denial of service in Cesanta Mongoose before 7.22 lets a remote, unauthenticated attacker crash any TLS service (HTTPS, MQTTS, or WSS) built on the MG_TLS_BUILTIN stack by sending a single crafted TLS ClientHello whose session_id_len byte is used as an unvalidated buffer index, triggering an out-of-bounds read. The flaw sits in the built-in TLS server handshake function mg_tls_server_recv_hello() and requires no authentication or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial and the issue was disclosed by VulnCheck.

Buffer Overflow Information Disclosure Mongoose
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2025-58151 CRITICAL Act Now

Guest-to-host privilege escalation in varstored, the Xapi (XenServer/XCP-ng/Citrix Hypervisor) toolstack daemon that services UEFI variable requests for VMs, allows a malicious guest to corrupt control flow in the host-side process. Missing compiler barriers on a buffer shared with in-guest OVMF create a time-of-check/time-of-use race (CWE-367) that, in default builds, lets the attacker control an index into a jump table - yielding attacker-influenced execution in the toolstack. Tracked as Xen Security Advisory XSA-478 with a CVSS 4.0 base score of 9.4; no public exploit identified at time of analysis and not listed in CISA KEV.

Information Disclosure Varstored
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2025-58146 CRITICAL Act Now

Denial-of-service and database-corruption in Xen's XAPI toolstack (the XenAPI management layer used by XCP-ng and Citrix/XenServer Hypervisor) lets clients that submit object updates crash the database event thread or write strings that permanently prevent the database from loading. Three distinct input-validation defects are covered by XSA-474: notifications built from unsanitised input, a UTF-8 encoder that follows Unicode 3.0 while dependent libraries enforce the stricter 3.1 spec, and a total absence of sanitisation for Map/Set object updates. No public exploit has been identified at time of analysis and it is not on CISA KEV; the CVSS 4.0 base score is 9.4.

Information Disclosure Xapi
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-15187 LOW POC Monitor

Prototype pollution in the enquirer npm package (versions up to 2.4.1) allows remote authenticated attackers to manipulate JavaScript Object.prototype attributes by injecting a crafted value into the question.name argument of the Enquirer.set() function. The vulnerability carries a low CVSS 4.0 score of 2.1, reflecting limited integrity-only impact scoped to the vulnerable system with no confidentiality or availability consequence. Publicly available exploit code exists via GitHub issue #487, though no active exploitation has been confirmed in CISA KEV.

Information Disclosure Prototype Pollution Enquirer
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-50554 Go MEDIUM POC PATCH GHSA This Month

{bookID}/notes carries no authentication middleware, and supplying ?deleted=true causes the service to invoke GORM's Unscoped() while retaining the is_public=true authorization branch, allowing any network-accessible actor to retrieve titles, slugs, and timestamps of notes an owner deliberately deleted from a public book. No active exploitation is confirmed (not listed in CISA KEV), though a fully functional proof of concept is embedded in the vendor advisory, and exploitation requires only a single crafted HTTP GET request.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

User enumeration via the reset_password endpoint in Frappe framework exposes valid account usernames to unauthenticated remote attackers across all versions prior to 15.106.0 and 16.16.0. The flaw stems from observable response discrepancies (CWE-203) that allow systematic probing of registered accounts without any credentials. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the zero-barrier network access makes this a realistic reconnaissance primitive for credential stuffing or targeted phishing campaigns against Frappe-based deployments.

Information Disclosure Frappe
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authentication-bypass via timing side-channel in Phalcon's Crypt::decrypt (cphalcon PHP framework prior to 5.14.1) allows remote attackers to forge valid HMAC tags and have tampered ciphertext accepted as authentic. Because the HMAC verification uses PHP/Zephir identity comparison that short-circuits on the first mismatching byte, an attacker who can observe response timing can recover a valid tag byte-by-byte and break the encrypt-then-MAC integrity guarantee. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw is confirmed and patched by the vendor in 5.14.1.

Information Disclosure PHP Cphalcon
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthorized schema disclosure in Grist Core prior to 1.7.15 allows any user with partial read access - explicitly including anonymous public users on publicly viewable documents - to retrieve table and column metadata for any widget by querying the GET /forms endpoint. The endpoint failed both to validate that the requested section was a form widget and to apply the document's configured access rules before returning metadata, meaning hidden schema structure (table names, column names, types) is fully exposed regardless of the restrictions in place. No public exploit has been identified and the vulnerability is not in CISA KEV; a vendor-released patch exists in version 1.7.15.

Python Information Disclosure Grist Core
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation and memory corruption in Imagination Technologies Graphics DDK (PowerVR GPU driver kit) lets a malicious kernel driver inside a Host VM issue improper commands to the GPU firmware, causing a memory write outside the host kernel's permitted range. The flaw is a TOCTOU race in which values are altered in memory after the firmware validates them but before it uses them, bypassing the firmware's range enforcement. No public exploit identified at time of analysis, EPSS is low (0.12%, 2nd percentile), and it is not listed in CISA KEV.

Information Disclosure Graphics Ddk
NVD
CVSS 6.5
MEDIUM PATCH This Month

Sensitive HTTP header leakage in the excon Ruby gem's RedirectFollower middleware exposes credentials and tokens to unintended redirect destinations. Applications using the RedirectFollower middleware that include headers such as Authorization or API keys in outbound requests will inadvertently forward those headers to the redirect target - which may be attacker-controlled or a third-party service. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; however, the CVSS 3.1 score of 6.5 reflects high confidentiality impact, and a vendor-released patch is available in v1.5.0.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Sensitive credential disclosure in RabbitMQ affects installations running the management plugin with OAuth 2 configured via management.oauth_client_secret, prior to versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6. The obsolete GET /api/auth endpoint returns the configured OAuth 2 client secret to unauthenticated callers, allowing any remote party with network reach to the management interface to harvest the credential and potentially impersonate the broker to its identity provider. No public exploit identified at time of analysis, and it is not listed in CISA KEV, though the fix and root cause are fully documented in the vendor GitHub Security Advisory GHSA-pj24-8j6m-vq9q.

Information Disclosure Rabbitmq Server
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

CSV formula injection in Snipe-IT prior to version 8.5.0 enables a low-privileged authenticated user to store a malicious spreadsheet formula via the HTTP User-Agent header, which is then written unescaped into exported Activity Report CSV files. When an administrator or report viewer opens the exported file in spreadsheet software such as Microsoft Excel or LibreOffice Calc, the embedded formula executes within their local application environment, potentially enabling data exfiltration or arbitrary command execution on the viewer's workstation. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 8.5.0.

Information Disclosure Snipe It
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

TOTP replay vulnerability in Logto prior to 1.41.0 allows an attacker who holds a victim's first-factor credentials and captures a live TOTP code to replay that code within the same RFC 6238 acceptance window, bypassing multi-factor authentication entirely. The root cause is otplib's stateless verification call with window=1, which validates the time-based OTP cryptographically but does not persist the last-accepted time-step counter - leaving used codes valid for replay until the 30-second window expires. No public exploit or CISA KEV listing exists at time of analysis, but successful exploitation yields full account compromise (C:H, I:H) because MFA is the terminal authentication barrier.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Server-side request forgery and NTLM credential exposure in the RabbitMQ management plugin (versions 4.1.0 to before 4.1.11 and 4.2.0 to before 4.2.6) on Windows lets remote actors coerce the broker into outbound DNS and SMB connections to attacker-controlled UNC paths. The static file handler rabbit_mgmt_wm_static passes URL-encoded backslashes to erl_prim_loader:read_file_info before path validation, but only when multiple management extension plugins are enabled. No public exploit has been identified at time of analysis, and the EPSS score is low (0.28%, 20th percentile) despite the CVSS 10.0 rating.

Microsoft Information Disclosure Rabbitmq Server
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file read in Snipe-IT before 8.5.0 lets an authenticated user abuse the ActionlogController::displaySig endpoint, which concatenates the route's filename parameter into a private upload-directory path without sanitization, enabling relative path traversal (CWE-23) to read any file the web server process can access. The CVSS 4.0 base score is 7.1 with high confidentiality impact only; there is no public exploit identified at time of analysis and no CISA KEV listing. Because Snipe-IT stores database credentials and application secrets in web-readable files, the practical impact can extend beyond simple information disclosure toward full application compromise.

Information Disclosure Snipe It
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Arbitrary file overwrite in Coturn prior to 4.13.0 is possible through the CLI management interface's `psd` (print sessions dump) command, which passes a user-supplied filename directly to `fopen()` without any path validation (CWE-73). An authenticated admin with CLI access can overwrite any file writable by the coturn process, potentially corrupting sensitive system files, certificates, or configuration data to achieve privilege escalation or service disruption. No public exploit identified at time of analysis; exploitation is constrained to local, high-privilege access, limiting realistic threat surface despite the High integrity and availability impact ratings.

Information Disclosure Coturn
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Insufficient JWT expiration enforcement in ZITADEL's external JWT Identity Provider integration allows tokens lacking the `exp` claim to be treated as indefinitely valid, bypassing intended session lifetime controls. Versions 3.0.0-rc.1 through 3.4.11 and 4.0.0-rc.1 through 4.15.1 are affected, with the flaw residing in `internal/idp/providers/jwt/session.go`. An attacker who can obtain or craft a JWT from a configured trusted external issuer that omits the `exp` claim can maintain persistent authenticated access without re-authentication. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Zitadel
NVD GitHub VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Insufficient session expiration in ZITADEL's external JWT Identity Provider allows arbitrarily old tokens from trusted issuers to pass authentication when the token omits the iat (issued-at) claim. ZITADEL versions prior to 3.4.12 (v3 branch) and 4.15.2 (v4 branch) are affected. An attacker holding a previously issued JWT from a trusted external IdP - specifically one lacking the iat claim - can reuse that token indefinitely, bypassing intended session expiry controls and maintaining unauthorized access. No public exploit identified at time of analysis.

Information Disclosure Zitadel
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Configuration information disclosure in Deloitte AI Assist for Customer exposed internal system details through unauthenticated, publicly accessible API endpoints, reducing attacker reconnaissance effort. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L) confirms remote, low-complexity, unauthenticated access, though impact is bounded to low confidentiality exposure with no integrity or availability consequence. Deloitte confirmed the fix on 2026-03-25 by restricting network access and enforcing authentication on the affected endpoints; no public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Ai Assist For Customer
NVD
EPSS 0% CVSS 7.4
HIGH PATCH This Week

TLS certificate validation bypass in cpp-httplib's Mbed TLS backend (0.31.0-0.46.1) and wolfSSL backend (0.33.0-0.46.1) lets a man-in-the-middle attacker defeat HTTPS/WSS protection when a client connects to an IP-literal host with verification nominally enabled. SSLClient/Client in HTTPS mode skip certificate chain validation and the WebSocketClient on Mbed TLS skips verification entirely, so an intercepting attacker can present a crafted certificate and read or alter traffic. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is fixed in 0.47.0.

Information Disclosure Cpp Httplib
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

HTTP redirect handling in Apprise prior to 1.11.0 leaks user-configured secrets - including Authorization headers, bearer tokens, custom headers, and service API keys - by blindly resending them on redirected requests to attacker-controlled endpoints. Any deployment using Apprise's HTTP-based notification plugins or its HTTP attachment and config loaders (apprise/attachment/http.py, apprise/config/http.py) is affected. An on-path attacker or a compromised notification destination can silently harvest these credentials. No public exploit has been identified at time of analysis, and EPSS data is not present in the source intel, but the credential-theft impact on third-party service integrations elevates real-world risk above the Low CVSS score suggests.

Information Disclosure Apprise
NVD GitHub VulDB
EPSS 1% CVSS 6.9
MEDIUM PATCH This Month

Panic-triggering denial of service in the Excelize Go library (all versions prior to 2.11.0) allows any actor who can supply a crafted XLSX file to crash the consuming application. The root cause is an integer bounds check that validates only the upper bound of shared-string indices, permitting a cell value of -1 to reach a slice-index operation as a negative integer and cause a Go runtime panic in `GetCellValue` or `GetRows`. No active exploitation has been identified at time of analysis, but the attack is trivially constructable and requires no privileges if the target application exposes XLSX processing to untrusted input.

Microsoft Information Disclosure Excelize
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-proxy user to reach internal-only HTTP services. The image-URL validation resolves the host once to a public IP, but open-sse/translator/concerns/image.js performs the actual server-side fetch with a separate DNS lookup, so an attacker-controlled name can rebind to an internal address between the two resolutions. No public exploit identified at time of analysis; the flaw is fixed in 0.5.2.

Information Disclosure 9Router
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Server-side request forgery in the file_type content detector of guardrails-detectors (a component shipped with Red Hat OpenShift AI/RHOAI) allows a remote attacker to submit an arbitrary XML Schema Definition (XSD) that the parser resolves without restriction, coercing the server into fetching attacker-chosen URLs or reading local files. Because the CVSS vector is AV:N/PR:N/UI:N with a changed scope and high confidentiality impact (base score 9.3), an unauthenticated attacker can pivot into internal networks and harvest secrets such as cloud provider credentials. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

SSRF Information Disclosure Red Hat Openshift Ai Rhoai
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

File carve operations in osquery prior to 5.23.1 expose sensitive data due to world-readable temporary directory permissions, allowing a local unprivileged attacker to read carve contents during the collection window. If the carve targets a directory the attacker controls, the impact extends to arbitrary local file reads. No public exploit identified at time of analysis; the vendor-confirmed fix ships in osquery 5.23.1.

Information Disclosure Osquery
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary file access in JetBrains TeamCity before 2026.1.2 lets an authenticated user abuse the Perforce (P4) VCS integration to read files outside intended boundaries on the TeamCity server host. The flaw (CWE-73, external control of file name or path) was self-reported by JetBrains and is fixed in 2026.1.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. With PR:L in the CVSS vector, exploitation requires a low-privilege account that can define or influence a Perforce VCS root, making it a realistic post-authentication threat on shared CI servers.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

{categoryId}/{faqId}, and title-plus-preview content via the v3.1 and v4.0 tag-based endpoints - all without credentials. No public exploit has been identified and this vulnerability is not in CISA KEV, though the AV:N/PR:N vector makes exploitation trivially simple for anyone who can reach the API.

Information Disclosure Phpmyfaq
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Preview namespace collision in Capgo before 12.128.2 enables authenticated low-privileged tenants to hijack or deny preview routing for other tenants' applications by deliberately registering app IDs containing double underscores that decode identically to a victim's dot-separated app ID. The non-bijective hostname parsing - where `__` maps to `.` but `.` is also a valid app ID character - breaks namespace uniqueness across tenants, allowing cross-tenant preview misrouting. No public exploit has been identified at time of analysis, and no CISA KEV listing exists; real-world impact is confined to preview functionality, not production app delivery.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Information disclosure in Capgo before 12.128.2 lets unauthenticated remote attackers call the get_orgs_v7(userid) RPC endpoint with arbitrary user UUIDs to read foreign users' organization memberships, roles, management emails, and billing metadata. The endpoint remained publicly invokable despite intended private access controls, so any internet-facing Capgo deployment on an affected version exposes tenant data cross-account. No public exploit has been identified at time of analysis, though the trivial invocation pattern (supply a UUID) makes weaponization straightforward.

Authentication Bypass Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Update-signing bypass in @capgo/capacitor-updater (capgo OTA plugin for Capacitor apps) before 12.128.2 undermines its end-to-end encryption by shipping the same private key to every device that downloads the app. Because the public verification key can be derived from that distributed private key, an attacker with a man-in-the-middle position or control of the Capgo delivery server can forge a validly signed update bundle and push attacker-controlled code to devices. Reported by VulnCheck with a CVSS 4.0 base score of 8.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Capacitor Updater
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authorization-model destruction in FlaskBB forum software (versions up to and including 2.2.0) lets an authenticated administrator wipe all six built-in permission groups through the management bulk-delete AJAX endpoint. Because the endpoint compares JSON integer group IDs against string literals, the guard meant to protect built-in groups never matches and silently allows their removal, collapsing the forum's entire permission model and potentially bricking the site. No public exploit identified at time of analysis; the flaw was reported by VulnCheck and is fixed in commit a5da9a5.

Information Disclosure Flaskbb
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

SQL injection in Dell PowerFlex Manager prior to version 5.1.0.1 allows a remote, low-privileged authenticated attacker to inject crafted SQL commands through the management interface, resulting in information disclosure and unauthorized access to data beyond the attacker's authorized scope. Rated CVSS 8.5 with a scope-changed vector, the flaw is reported by Dell (DSA-2026-066) and carries confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Dell SQLi +1
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

SQL injection in Dell PowerFlex Manager before 5.1.0.1 lets a low-privileged, remotely authenticated user inject crafted SQL into a backend query, resulting in unauthorized reading of database contents (information exposure). The flaw is fixed in 5.1.0.1 per Dell advisory DSA-2026-066, and there is no public exploit identified at time of analysis. Because exploitation requires a valid low-privilege account, the practical risk is highest in multi-tenant or broadly-provisioned management deployments rather than internet-facing unauthenticated exposure.

Dell SQLi Information Disclosure
NVD VulDB
EPSS 0%
Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags() iptfs_consume_frags() transfers paged fragments from one socket buffer to another but fails to propagate the SKBFL_SHARED_FRAG flag. This is the same class of bug that was fixed in skb_try_coalesce() for CVE-2026-46300: when fragments backed by read-only page-cache pages are merged, the marker indicating their shared nature must be preserved so that ESP can decide correctly whether in-place encryption is safe. Apply the same two-line fix used in skb_try_coalesce() to iptfs_consume_frags().

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Out-of-bounds read in mtr's ipinfo_lookup() function allows a DNS-layer attacker to reliably crash the tool by serving a crafted TXT response during AS-number lookups. mtr through version 0.96 is affected; the root cause is that dn_expand() receives the total response length as its boundary argument rather than the safe, validated packet end - so a >512-byte response carrying a malicious compression pointer in the answer NAME field directs the read past the buffer. No public exploit code and no CISA KEV listing exist at time of analysis, though the crash is described as deterministic once the attacker controls the DNS response.

Buffer Overflow Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Credential disclosure in R-SOFT DMS lets an attacker who obtains the stored superadmin password hash recover the plaintext password, because credentials are protected with a non-salted, nested MD5 hash that is trivially reversible via brute-force and precomputed rainbow tables. The superadmin account is high-value and cannot be rotated through the UI - the password can only be changed by editing the configuration file - so recovered credentials remain valid indefinitely. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive information exposure in the Import and Export Users and Customers WordPress plugin (all versions ≤ 2.4.0) allows any authenticated subscriber-level user to enumerate and extract the post_title and raw post_content of arbitrary posts regardless of visibility status or post type. Affected content includes drafts, private posts, password-protected entries, future-scheduled posts, trashed items, and non-public custom post types such as WooCommerce orders and internal CRM records. The exploit barrier is exceptionally low: the required security nonce is leaked as inline JavaScript on any wp-admin page reachable by subscribers. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Information Disclosure +1
NVD
EPSS 1% CVSS 6.6
MEDIUM This Month

Local File Inclusion in the Happyforms WordPress plugin (all versions through 1.26.12) allows authenticated administrators to include and execute arbitrary PHP files on the server via the happyforms_get_form_partial() function, enabling full remote code execution when the attacker can also upload PHP files. The vulnerability is rooted in unsanitized filename handling (CWE-98) within the form template rendering logic, as evidenced by the affected files class-wp-customize-form-manager.php and helper-form-templates.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the Administrator-level access prerequisite substantially limits the realistic attacker population.

WordPress LFI RCE +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Apache IoTDB C++ client (versions 1.3.5 before 1.3.8 and 2.0.5 before 2.0.10) allows a malicious or compromised IoTDB server to crash any connected client by returning malformed TsBlock response data. The client's TsBlock deserializer performs out-of-bounds reads (CWE-125) on attacker-controlled server payloads, terminating the client process. There is no public exploit identified at time of analysis, EPSS probability is low (0.14%), and impact is limited to availability of the client - no confidentiality or integrity effect is claimed.

Apache Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and instantiated via Class.forName().newInstance() with no allowlisting, enabling arbitrary class loading and likely remote code execution in the database server process. It affects all releases from 1.0.0 up to (but not including) 2.0.10 and is fixed in 2.0.10. No public exploit identified at time of analysis, and EPSS is low (0.25%, 17th percentile), though CISA SSVC rates the technical impact as total and considers exploitation automatable.

Java Information Disclosure Apache +1
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.

WordPress Information Disclosure Escortwp
NVD WPScan VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthenticated account registration bypass in the LA-Studio Element Kit for Elementor WordPress plugin (all versions before 1.6.1) allows remote, unauthenticated attackers to create WordPress user accounts on sites where site-wide registration has been explicitly disabled by the administrator. The vulnerable component is an unauthenticated AJAX action handler that omits the standard WordPress registration-status check, effectively nullifying an administrative security control. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 1.6.1; no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

WordPress Information Disclosure La Studio Element Kit For Elementor
NVD WPScan
EPSS 0% CVSS 4.8
MEDIUM This Month

Improper authorization in Samsung Health prior to version 7.00.0.107 exposes connected device information to local, low-privileged attackers on the same Android device. The flaw likely involves an improperly protected Android IPC mechanism - such as a content provider or broadcast receiver - that fails to enforce access controls over paired wearable or peripheral device data. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog; combined with the local-only attack vector and limited data sensitivity, real-world risk is low.

Samsung Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation to arbitrary command execution in Samsung Bixby (versions prior to 4.0.70.8) allows a malicious co-located Android app to invoke improperly exported application components and run commands with Bixby's elevated privilege level. Reported by Samsung Mobile Security and rated CVSS 4.0 base 8.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation requires attacker-controlled code already present on the device (e.g., a rogue installed app), not remote network access.

Information Disclosure Google
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Improper export of Android application components in Samsung's InputSharing app (prior to version 2.7.01.4) exposes internal sharing data to any co-resident application on the same device. The flaw allows a local attacker - via a malicious app installed on the same Samsung device - to silently access data transiting the InputSharing component without requiring any special Android permissions. No active exploitation has been confirmed (no CISA KEV listing), and a vendor-released patch at version 2.7.01.4 is available per the Samsung Mobile Security advisory.

Information Disclosure Google
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Improper input validation in Samsung Email prior to version 6.2.13.1 enables local attackers to create arbitrary files within the application's Android sandbox, affecting integrity and availability of the email client. The attack is confined to the Samsung Email sandbox by Android's isolation model and cannot directly escalate to system-level or cross-application impact. No public exploit has been identified and the vulnerability is not listed in CISA KEV; Samsung has released a confirmed fix in version 6.2.13.1.

Samsung Information Disclosure
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Incorrect default permissions in Samsung Mobile's WLAN security component expose TencentWifiSecurity settings to any local attacker on Android 14, 15, and 16 devices prior to SMR Jul-2026 Release 1. An unprivileged local user or application can read or modify TencentWifiSecurity configuration, resulting in limited information disclosure and integrity compromise of WiFi security settings. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the zero-privilege-required local access condition broadens practical exposure on shared, enterprise-managed, or already-compromised devices.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Improper access control in Samsung's SmartThingsKit component on Android 16 devices allows local attackers without elevated privileges to read sensitive information. The flaw, patched in SMR Jul-2026 Release 1, is limited to local exploitation and carries no integrity or availability impact. No public exploit has been identified at time of analysis, and Samsung has not reported active exploitation.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Improper access control in SamsungSEAgentService on Samsung Android 15 and 16 devices allows a local attacker to read sensitive information without requiring elevated privileges. The CVSS 4.0 vector (AV:L/PR:N/VC:H) confirms that any local process on the device can trigger the flaw with high confidentiality impact and no integrity or availability loss. No public exploit or CISA KEV listing exists at time of analysis; risk is bounded to the local attack surface of affected Samsung hardware.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Improper access control in IAFDService on Samsung mobile devices (Android 14, 15, and 16) allows local attackers holding low-level privileges to invoke privileged system APIs that should be restricted to higher-trust callers. The flaw carries a CVSS 4.0 score of 6.9, reflecting high integrity and availability impact on the vulnerable system. No public exploit code or active exploitation confirmed in CISA KEV has been identified at time of analysis; Samsung has released the fix in SMR Jul-2026 Release 1.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Improper access control in the Samsung Settings application on Android 15 and 16 allows a local attacker to modify Theft Protection configurations without requiring device credentials or elevated privileges. The vulnerability stems from missing or bypassable authorization checks in the Settings component, enabling an attacker with local access - such as someone in possession of a stolen device - to reconfigure the very security controls designed to prevent unauthorized use. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the local-no-privilege vector makes this particularly relevant to physical device theft scenarios.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

{id} REST endpoints, which ship with no authentication or authorization checks. Any anonymous visitor can harvest customer PII - names, emails, phone numbers, WhatsApp message contents, full geolocation (IP, city, country, ISP, coordinates), device fingerprints, and even WordPress account details (user IDs, usernames, emails) for logged-in users who submitted the form. There is no public exploit identified at time of analysis and it is not on CISA KEV, but exploitation is trivial and requires only an HTTP client.

Authentication Bypass WordPress Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Payment amount tampering in the SureForms WordPress plugin (versions ≤ 2.2.1) lets unauthenticated attackers submit arbitrary prices when completing Stripe checkout. Because the 'create_payment_intent' and 'create_subscription_intent' handlers trust the amount supplied in user-controlled POST data instead of the form's server-side configured price, an attacker can purchase products or subscriptions for a fraction of their real cost. Reported by Wordfence and fixed in 2.2.2; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Information Disclosure
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Information disclosure in zhayujie CowAgent up to version 2.1.0 exposes sensitive data to low-privileged authenticated remote attackers through the BrowserTool._do_navigate function in the Browser Tool component. Publicly available proof-of-concept exploit code exists via a GitHub issue report, though no patch has been released as the project maintainer has not yet responded to responsible disclosure. The CVSS 4.0 score of 2.1 and impact limited to low confidentiality exposure place this at the lower end of priority, tempered by the authentication requirement and niche product footprint.

Information Disclosure Cowagent
NVD VulDB GitHub
CVSS 5.9
MEDIUM POC PATCH This Month

Boundary validation failure in GoBGP's BGP OPEN capability parser allows a remote peer to send a malformed OPEN message that causes concrete capability decoders to read beyond the declared CapLen field, enabling attacker-controlled bytes to be interpreted as capability values - most critically, as a 4-octet AS number that influences peer AS validation and BGP session establishment decisions. Affected is GoBGP v4 (pkg:go/github.com_osrg_gobgp_v4), with the 4-octet AS capability (code 65) identified as the highest-impact case. A parser-level proof-of-concept is publicly described in GitHub Security Advisory GHSA-gjrg-jjr3-56cm; no active exploitation has been confirmed and this CVE does not appear in the CISA KEV catalog. IMPORTANT METADATA CONFLICT: The provided intelligence tags label this as 'RCE, Buffer Overflow, Information Disclosure' - all three directly contradict the CVE description, which explicitly states the issue is not arbitrary memory corruption, remote code execution, or information disclosure; security teams must disregard those tags.

RCE Buffer Overflow Information Disclosure
NVD GitHub
CVSS 5.9
MEDIUM PATCH This Month

Threshold counting logic in sigstore-go's multi-log verification policy is bypassable by a single compromised transparency or CT log. When a verifier is configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1), the intended defense-in-depth - requiring N distinct log authorities to independently vouch for an artifact - fails because counts accumulate per-entry or per-validation-path rather than per-log-authority. An attacker controlling one compromised Rekor transparency log or CT log can forge multiple entries with distinct indices, or present multiple embedded SCTs across certificate chains, artificially satisfying an N-count threshold with a single compromised source. No public exploit has been identified at time of analysis, and EPSS data is not available in the provided intelligence.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Credential file exfiltration in SiYuan prior to 3.7.1 is possible through the POST /api/file/globalCopyFiles endpoint, which accepts arbitrary absolute source paths and relies on an incomplete denylist in util.IsSensitivePath to block sensitive files. The denylist omits common credential files including .git-credentials, .netrc, .pgpass, .kube/config, .docker/config.json, and .gnupg, enabling an authenticated administrator or API-token holder to copy these files into the workspace and read them via the file API. No public exploit code or CISA KEV listing exists at time of analysis, but the Docker tag suggests this is relevant in containerized deployments where host-mounted credential files may be accessible.

Information Disclosure Docker Siyuan
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Discourse's post revision system exposes hidden edit history to unauthenticated network users through a serialization flaw in PostRevisionSerializer. When computing diffs between adjacent visible revisions, the serializer failed to enforce visibility restrictions, leaking content from revisions that moderators or administrators had marked as hidden. No active exploitation has been identified at time of analysis, but the unauthenticated, low-complexity attack vector means any visitor to a vulnerable Discourse instance can potentially access suppressed post content - including moderator-redacted material - without any credentials or special access.

Information Disclosure Discourse
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Discourse's AWS SES bounce webhook endpoint (POST /webhooks/aws) validates Amazon SNS message signatures but omits TopicArn binding, allowing any AWS account holder to publish legitimately signed forged Bounce notifications that revoke a targeted Discourse user's email address. Versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 across all active release branches are affected when the SES integration is enabled. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the low attack complexity and absence of Discourse-side authentication requirements make targeted abuse realistic for any motivated actor with an AWS account.

Information Disclosure Discourse
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Restricted tag and tag-group name disclosure in Discourse exposes internal taxonomy metadata to anonymous and unauthorized users via the category and group API endpoints. All Discourse versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 are affected when restricted tags or tag groups are configured on publicly readable categories. An unauthenticated actor can enumerate these names - which may contain sensitive organizational labels, project codenames, or internal classifications - using standard HTTP requests with no exploit tooling required. No public exploit code exists and this is not listed in CISA KEV; the CVSS 4.0 AT:P modifier confirms that exploitation requires a specific non-default configuration to be present.

Information Disclosure Discourse
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Secure upload bypass in Discourse exposes protected files through the pull_hotlinked_images feature, which fails to enforce the secure_uploads access control when processing posts containing a known secure URL. Affected instances are those running versions prior to 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5 with the secure_uploads site setting enabled. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; however, the fix commits are publicly visible on GitHub, potentially aiding reverse-engineering of the flaw.

Information Disclosure Discourse
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

EventSerializer in Discourse improperly exposes private event invitation metadata - including invited group names, sample invitee usernames, and attendance statistics - to any user who can view the topic, regardless of their authorization to access the private invitee list. All Discourse installations prior to versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 are affected when event functionality is in use. No public exploit or active exploitation (CISA KEV) has been identified, but the trivial network vector (AV:N/AC:L/PR:N/UI:N) makes this passively accessible to any user - authenticated or not - with topic-read access on an open or semi-open forum.

Information Disclosure Discourse
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Command execution via URI injection in GitHub CLI's `gh codespace jupyter` subcommand (versions 2.10.0-2.95.0) allows an attacker who controls a Codespace to redirect a connecting developer's VS Code instance into executing arbitrary protocol handler actions. The CLI passes a JupyterLab URL sourced from a process inside the Codespace directly to the OS without validating that the URL is a loopback HTTP or HTTPS address, enabling substitution with a crafted `vscode://` or `vscode-insiders://` URI. No public exploit has been identified at time of analysis and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog, but the scope-change characteristic (S:C) means local VS Code extension execution is a realistic downstream impact.

Information Disclosure Cli
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Least-privilege violation across multiple TOTOLINK SOHO router models (A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10, EX200 through firmware 20260906) stems from the /etc/boa/boa.conf configuration of the Boa web-server interface, allowing a low-privileged remote actor to gain access or information beyond their intended authorization boundary. The flaw carries CVSS 4.0 base score 7.7 with high attack complexity, and VulDB rates real-world exploitation as difficult. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure A3000Ru A3100R +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.

Information Disclosure PHP
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Broken object-level authorization in docuForm GmbH Client v11.11c lets an authenticated remote user manipulate the user settings component to read and modify other users' account data, with the reporter additionally claiming this can escalate to arbitrary code execution. The flaw stems from user-controlled object references (CWE-639) that the application fails to authorize against the requesting session. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile).

Authentication Bypass Information Disclosure RCE
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exhaust the packet forwarding engine (PFE) by exploiting a race condition in stateful flow teardown. When the race is hit, a flow's timeout is mis-set to a very high value (>10,000s instead of 3s), so sessions are never reaped, invalidated sessions accumulate without bound, and the device eventually stops forwarding or hits a flowd core and reboots. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation is probabilistic because the triggering conditions are outside the attacker's control.

Juniper Race Condition Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2) attacker to saturate data-center links by injecting IPv6 multicast traffic in an EVPN-VxLAN fabric. When such packets reach a non-IRB interface of a spine switch, the packet-forwarding engine floods them to other spines and all ESI leaf switches, creating an endless forwarding loop that starves legitimate traffic. No public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 7.1.

Juniper Information Disclosure Junos Os
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Junos OS Evolved exposes an internal communication process to the network via an unintended open port due to incorrect initialization, enabling unauthenticated remote attackers to interact with a service never designed for external access. Affected Juniper devices suffer limited information disclosure and elevated CPU consumption as the misbound process handles unsolicited ingress packets - a soft availability degradation rather than a crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network vector across a broad version range warrants prompt patching on internet-facing routing infrastructure.

Juniper Information Disclosure Junos Os Evolved
NVD VulDB
CVSS 6.5
MEDIUM PATCH This Month

Order data corruption and permanent deletion in Sylius affects authenticated customers across versions prior to 2.0.18, 2.1.15, and 2.2.6 due to a stale-state race condition in the cart LiveComponent. When an order transitions to STATE_COMPLETED while a customer's cart page remains open in a browser tab, subsequent cart actions - clearing, removing items, or adjusting quantities - are applied to the completed order rather than a fresh cart, irreversibly deleting or mutating finalized order records. No public exploit code has been identified at time of analysis, but the attack is trivially reproducible by any authenticated customer without specialized tooling, as the attacker can deliberately engineer the race condition by completing checkout in one tab while exploiting the stale cart in another.

Information Disclosure PHP
NVD GitHub
CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS in YesWiki's Bazar widget handler allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by sending a crafted URL containing a double-quote-breaking payload in the `id` GET parameter. The handler at `tools/bazar/handlers/__WidgetHandler.php` performs no authentication or access-control check before rendering the vulnerable template, and `strip_tags()` is misused as an output encoder - it removes tags but leaves double quotes intact, enabling attribute injection across two sinks (`data-formid` and `data-iframeUrl`). A working proof-of-concept was validated on the official doryphore 4.6.5 release; no public exploit identification as KEV-confirmed active exploitation exists at time of analysis, but a complete PoC with exact payloads is publicly available as part of the advisory.

XSS Information Disclosure PHP
NVD GitHub
CVSS 6.1
MEDIUM POC PATCH This Month

Reflected XSS in YesWiki doryphore 4.6.5 allows an attacker to execute arbitrary JavaScript in a victim's browser by exploiting unescaped output of the `time` GET parameter in the archived-revision edit form at `handlers/page/show.php`. A working proof-of-concept has been published by the reporter and confirmed against the official package; the attack exploits MySQL's DATETIME coercion to accept a malformed timestamp that begins with a real archived revision value yet appends injected markup, causing the archived-revision branch to render and reflect the payload unescaped. No active exploitation has been confirmed by CISA KEV, but the detailed PoC lowers the barrier to weaponization.

XSS Information Disclosure RCE +1
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Least-privilege violation in the D-Link DIR-823G router (firmware 1.0.2B05_20181207) stems from insecure configuration of the Boa web server via /etc/boa/boa.conf, allowing an authenticated remote attacker to abuse over-broad privileges to compromise confidentiality, integrity, and availability. Publicly available exploit code exists, but the CVSS 4.0 vector rates attack complexity high (AC:H) and vendor guidance notes exploitation is difficult; there is no public exploit identified as actively exploited (not in CISA KEV). EPSS data was not supplied, but the low-privilege network vector combined with full CIA impact makes this a meaningful risk on exposed devices.

D-Link Information Disclosure Dir 823G
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

XML injection in Palo Alto Networks PAN-OS Large Scale VPN (LSVPN) exposes unauthenticated remote attackers a path to inject malicious XML content into the LSVPN data pipeline, resulting in information disclosure or corruption of internal satellite configuration data. Only PAN-OS devices with LSVPN actively configured are affected; the vendor explicitly confirms Panorama, Cloud NGFW, and Prisma Access are not in scope. No public exploit has been identified at time of analysis, and the CVSS 4.0 supplemental E:U metric signals exploitation as currently unlikely, though the zero-authentication, network-accessible attack surface demands prompt attention from operators running LSVPN hub deployments.

Information Disclosure Paloalto Pan Os
NVD VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Unauthenticated file deletion in Palo Alto Networks PAN-OS allows network-reachable attackers to delete files from a temporary directory via the management web interface, affecting PA-Series and VM-Series firewalls and Panorama appliances. Real-world risk is substantially bounded by the vendor's documented best-practice guidance to restrict management interface access to trusted internal IP addresses, which eliminates external attack surface. No public exploit code has been identified, CISA KEV listing is absent, and the vendor-provided CVSS 4.0 score of 2.7 with an E:U supplemental metric reflects no known active exploitation.

Information Disclosure Paloalto Pan Os
NVD VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Web session token theft from PAN-OS management interfaces affects PA-Series and VM-Series firewalls and Panorama deployments, enabling a network-adjacent unauthenticated attacker to hijack authenticated administrator sessions. Exploitation depends on a legitimate management user clicking an attacker-crafted malicious link while an active session exists - a social engineering prerequisite that substantially reduces real-world risk. No public exploit code exists (CVSS 4.0 E:U) and the issue is not listed in CISA KEV; the vendor rates overall CVSS 4.0 severity at 2.1, reflecting these mitigating factors.

Information Disclosure Paloalto Pan Os
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive information disclosure in Kyocera Command Center RX, the embedded web management interface of numerous TASKalfa multifunction printers, allows remote attackers to export the entire device address book without authorization. Because the vulnerability also bypasses the encryption protecting incoming data, encrypted content can be decrypted to reveal stored passwords and other confidential data. Publicly available exploit code exists (GitHub PoC), though there is no evidence of active exploitation in CISA KEV; SSVC rates the flaw as automatable with partial technical impact.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Improper certificate validation in the Palo Alto Networks Prisma Access Agent for iOS exposes VPN tunnel traffic to interception and manipulation by a network-adjacent attacker. The flaw (CWE-295) enables a man-in-the-middle position to defeat the agent's TLS/certificate trust chain, allowing an adversary to read or alter traffic that the iOS client believes is securely tunneled. Exploitation is limited to iOS deployments - the Windows, macOS, Linux, Android, and ChromeOS agents are confirmed unaffected. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Apple Microsoft +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Symlink-based extraction redirect in ChatterBot prior to 1.2.14 enables a local attacker with standard user privileges to cause training corpus archive contents to be written to an attacker-controlled directory by pre-planting a symlink at the predictable path ~/ubuntu_data/ubuntu_dialogs before UbuntuCorpusTrainer.extract() runs. The check-then-create pattern preceding tar.extractall() creates a CWE-367 TOCTOU window that, on shared multi-user systems, allows the attacker to intercept the extraction target without any race if the symlink is planted before the first training run. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 1.2.14.

Information Disclosure Chatterbot
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Ghost CMS versions 6.27.0 through 6.43.x permit unauthenticated attackers to manipulate donation checkout metadata, enabling acquisition of full paid gift memberships for a minimal payment. The flaw, classified as CWE-472 (External Control of Assumed-Immutable Web Parameter), stems from the server trusting client-controlled parameters in the public-facing checkout flow that should be server-authoritative. No active exploitation is confirmed (not in CISA KEV) and no public exploit has been identified; the vendor released a fix in version 6.44.0.

Node.js Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthorized information disclosure in Hoppscotch prior to 2026.6.0 exposes mock servers linked to private collections to the public internet without authentication. The mock server creation logic in mock-server.service.ts silently drops the caller-supplied isPublic flag, while the Prisma schema defaults isPublic to true, so servers intended to be private are created as public. An unauthenticated remote attacker who reaches the mock endpoint can retrieve sensitive API data (schemas, example payloads, headers) the owner assumed was private; no public exploit was identified at time of analysis and the flaw is not in CISA KEV.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

Root-level device takeover affects the Allwinner H616-based TV98 Android TV Box, which ships to production with the Android Debug Bridge (ADB) daemon enabled and reachable over the network (TCP/5555). A network attacker can send an ADB authorization request, and if the victim accepts the RSA key confirmation prompt on the device, the attacker obtains a root shell. Classified under CWE-489 (leftover debug functionality), there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the attack is trivial once a user approves the pairing.

Information Disclosure
NVD
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

{id}/members endpoint returns full UserModelResponse objects, inadvertently exposing toolServers API keys and webhook configuration belonging to other channel members. No public exploit is identified at time of analysis, but the low exploitation complexity and high value of the exposed credentials (tool server keys enable lateral access to integrated AI tooling infrastructure) elevate practical risk above what the 6.0 CVSS score alone suggests.

Information Disclosure Open Webui
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Session revocation bypass in Open WebUI 0.9.0 through 0.9.x (deployments configured with Redis) lets a holder of a revoked JWT keep authenticating realtime Socket.IO connections. The flaw stems from first-message authentication for Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket calling decode_token without the Redis-backed is_valid_token revocation check, so logout, forced-logout, or token invalidation does not sever active realtime access. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the fix is version 0.10.0.

Redis Information Disclosure Open Webui
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Cache key misconfiguration in Open WebUI versions 0.6.27 through 0.9.x leaks permission-filtered model lists across authenticated users during the aiocache TTL window. The flaw exists in both the OpenAI and Ollama router handlers, where a lambda was incorrectly passed as the cache key instead of a per-user key_builder, collapsing all users into a single shared cache entry. An authenticated attacker on a shared instance can receive a different user's model list - revealing which AI models that user has access to - with no public exploit identified at time of analysis and a vendor-released patch available in v0.10.0.

Information Disclosure Open Webui
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Temporary connection denial-of-service in the RTSP service of the MERCURY MIPC252W IP camera (firmware v1.0.5 Build 230306 Rel.79931n) lets an unauthenticated remote attacker wedge an individual TCP connection by sending an RTSP request that declares a Content-Length but includes no message body. The malformed parser enters a body-waiting state and silently swallows all further data on that socket until a server-side timeout closes it. Despite an NVD CVSS of 9.8 and an 'Information Disclosure' tag, the described behavior is a single-connection availability nuisance with no confidentiality or integrity impact; no public exploit is identified at time of analysis and EPSS is low at 0.18% (8th percentile).

Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Timing-based account enumeration in Open WebUI prior to 0.10.0 exposes whether any given email address is registered on a self-hosted AI instance. The /api/v1/auths/signin endpoint only invokes bcrypt password verification when a matching email record exists, making registered-account login attempts measurably slower than attempts against unregistered emails - a classic CWE-208 timing oracle. Unauthenticated remote attackers can exploit this discrepancy at scale to harvest valid account emails, which can then fuel credential stuffing or targeted phishing. No public exploit code or CISA KEV listing has been identified, and the vendor has released a fix in v0.10.0.

Information Disclosure Open Webui
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Credential disclosure in n8n workflow automation (versions prior to 1.123.61, 2.27.4, and 2.28.1) allows an authenticated member holding use-only editor access to a shared workflow to read credential-populated HTTP headers via the $request object inside an HTTP Request node's pagination expression, then exfiltrate the secret through returned item data. This defeats n8n's credential-hiding model, which is supposed to prevent low-privilege collaborators from seeing the underlying secret values. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the EPSS/POC signals were not provided.

Information Disclosure N8n
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege escalation via prototype pollution in n8n workflow automation lets an authenticated low-privilege user (holding the default workflow:create permission) corrupt Object.prototype through a crafted workflow saved, updated, or imported via the workflow API. Once polluted, subsequent unauthenticated requests are evaluated as a privileged user, exposing internal user and project listing endpoints. This is an information-disclosure and access-control flaw with no public exploit identified at time of analysis; CVSS 4.0 base score is 7.1.

Information Disclosure Prototype Pollution N8n
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Credential secret exfiltration in n8n (self-hosted workflow automation) prior to 2.27.4 and 2.28.1 lets a low-privilege member with use-only access to a shared credential leak that secret to an attacker-controlled server. The AI Agents feature fails to enforce the 'Allowed HTTP Request Domains' restriction when an MCP tool is aimed at an arbitrary URL, so the guardrail meant to keep secrets in-bounds is bypassed. No public exploit identified at time of analysis; risk is elevated because the abuse comes from an already-authorized internal user rather than an outside attacker.

Information Disclosure N8n
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Cesanta Mongoose before 7.22 lets a remote, unauthenticated attacker crash any TLS service (HTTPS, MQTTS, or WSS) built on the MG_TLS_BUILTIN stack by sending a single crafted TLS ClientHello whose session_id_len byte is used as an unvalidated buffer index, triggering an out-of-bounds read. The flaw sits in the built-in TLS server handshake function mg_tls_server_recv_hello() and requires no authentication or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial and the issue was disclosed by VulnCheck.

Buffer Overflow Information Disclosure Mongoose
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL Act Now

Guest-to-host privilege escalation in varstored, the Xapi (XenServer/XCP-ng/Citrix Hypervisor) toolstack daemon that services UEFI variable requests for VMs, allows a malicious guest to corrupt control flow in the host-side process. Missing compiler barriers on a buffer shared with in-guest OVMF create a time-of-check/time-of-use race (CWE-367) that, in default builds, lets the attacker control an index into a jump table - yielding attacker-influenced execution in the toolstack. Tracked as Xen Security Advisory XSA-478 with a CVSS 4.0 base score of 9.4; no public exploit identified at time of analysis and not listed in CISA KEV.

Information Disclosure Varstored
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Denial-of-service and database-corruption in Xen's XAPI toolstack (the XenAPI management layer used by XCP-ng and Citrix/XenServer Hypervisor) lets clients that submit object updates crash the database event thread or write strings that permanently prevent the database from loading. Three distinct input-validation defects are covered by XSA-474: notifications built from unsanitised input, a UTF-8 encoder that follows Unicode 3.0 while dependent libraries enforce the stricter 3.1 spec, and a total absence of sanitisation for Map/Set object updates. No public exploit has been identified at time of analysis and it is not on CISA KEV; the CVSS 4.0 base score is 9.4.

Information Disclosure Xapi
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Prototype pollution in the enquirer npm package (versions up to 2.4.1) allows remote authenticated attackers to manipulate JavaScript Object.prototype attributes by injecting a crafted value into the question.name argument of the Enquirer.set() function. The vulnerability carries a low CVSS 4.0 score of 2.1, reflecting limited integrity-only impact scoped to the vulnerable system with no confidentiality or availability consequence. Publicly available exploit code exists via GitHub issue #487, though no active exploitation has been confirmed in CISA KEV.

Information Disclosure Prototype Pollution Enquirer
NVD VulDB GitHub
CVSS 5.3
MEDIUM POC PATCH This Month

{bookID}/notes carries no authentication middleware, and supplying ?deleted=true causes the service to invoke GORM's Unscoped() while retaining the is_public=true authorization branch, allowing any network-accessible actor to retrieve titles, slugs, and timestamps of notes an owner deliberately deleted from a public book. No active exploitation is confirmed (not listed in CISA KEV), though a fully functional proof of concept is embedded in the vendor advisory, and exploitation requires only a single crafted HTTP GET request.

Information Disclosure
NVD GitHub
Prev Page 6 of 740 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy