Skip to main content

Information Disclosure

66624 CVEs technique

Monthly

CVE-2025-12506 MEDIUM PATCH This Month

Content spoofing in GitLab CE/EE versions 16.5 through 18.x, 19.0, and 19.1 allows authenticated users to construct repositories where the web interface renders content that diverges from the actual downloadable source, exploiting improper Git reference name resolution (CWE-706). The CVSS score of 3.5 (Low) reflects the authentication requirement (PR:L), mandatory viewer interaction (UI:R), and limited integrity-only impact with no confidentiality or availability consequences. No public exploit code or CISA KEV listing has been identified at time of analysis, placing real-world risk firmly in the low tier despite the broad version range affected.

Gitlab Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-49463 Maven MEDIUM PATCH GHSA This Month

Broken object-level authorization in the nl-portal-backend-libraries GraphQL API exposes sensitive personal data belonging to arbitrary users to any authenticated caller. Two resolvers - document content retrieval (all published versions of nl.nl-portal:documenten-api since 0.2.2.RELEASE, 2023) and the besluiten (decisions) module (nl.nl-portal:besluiten 1.5.0-3.0.0) - were declared without a CommonGroundAuthentication parameter, causing the Spring framework to never bind the authenticated principal into the call path and leaving ownership checks impossible at the resolver level. The two endpoints chain naturally: an attacker enumerates decision records and their attached document IDs via the besluit queries, then exfiltrates raw document content through the document endpoint; decisions frequently contain government benefit, permit, and objection rulings, giving the exposure high real-world sensitivity. No public exploit has been identified at time of analysis, and this was discovered during a structured penetration testing engagement in May 2026.

Java Information Disclosure
NVD GitHub
CVSS 3.1
6.5
CVE-2026-53600 Cargo MEDIUM POC PATCH GHSA This Month

Differential extraction in async-tar 0.6.0 enables content-smuggling attacks against scan-then-extract pipelines: an attacker who controls the bytes of a tar stream can construct an archive that GNU-tar-based AV scanners see as a single benign blob while async-tar writes a distinct executable payload to disk that the scanner never inspected. The root cause is in poll_next_raw (src/archive.rs), which mis-applies a buffered PAX local-extension size record to an intermediary GNU longname (L) header rather than restricting the override to the following file entry, desyncing the stream cursor from any POSIX-correct parser. No public exploitation in the wild or CISA KEV listing has been identified, but a fully functional proof-of-concept with verbatim captured output is included in the advisory, demonstrating the complete x → L → file smuggling sequence.

Information Disclosure
NVD GitHub
CVE-2026-59807 HIGH PATCH This Week

Sensitive file exfiltration in Composio SDK (the @composio/cli package) before 0.2.32-beta.283 lets attackers steal credential files by abusing a missing path-safety check in the readFileFromDisk function of tool-file-uploads.ts. Because the assertSafeFileUploadPath guard is absent, an attacker who can influence the agent's prompt can manipulate file_uploadable parameters to point at arbitrary paths such as ~/.ssh private keys, causing the CLI to upload those files to attacker-controlled storage. There is no public exploit identified at time of analysis, but the upstream fix, issue, and pull request are all public, which lowers the bar for reproduction.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.3%
CVE-2026-14891 HIGH PATCH This Week

Container-to-host sandbox escape in HashiCorp Nomad and Nomad Enterprise lets an authenticated job submitter using the Docker task driver bind-mount an arbitrary host path into their container even when volume bind mounts are administratively disabled, enabling read and write access to files on the underlying host. The scope-changing flaw (CVSS 3.1 8.7) affects the Community and Enterprise editions and is fixed in Nomad 2.0.4 (CE), and Enterprise 2.0.4, 1.11.8, and 1.10.14. There is no public exploit identified at time of analysis and it is not on CISA KEV.

Hashicorp Information Disclosure Docker
NVD VulDB
CVSS 3.1
8.7
EPSS
0.3%
CVE-2026-14361 MEDIUM PATCH This Month

Path redirection via the writeToFile template helper in consul-template before 0.42.1 allows a local low-privileged attacker to redirect template output outside the intended destination directory or overwrite existing files on the filesystem. Because consul-template routinely renders sensitive secrets from HashiCorp Vault, Consul, and AWS Secrets Manager into local files, successful exploitation can expose those secrets by redirecting writes to attacker-readable locations. No public exploit code or CISA KEV listing is associated with this vulnerability at time of analysis.

Information Disclosure
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-59803 HIGH POC PATCH This Week

Uncontrolled resource consumption in the smallnest rpcx Go RPC framework (through 1.9.3) lets a single unauthenticated client crash the server by sending a small (<2 MB) gzip-compressed protocol message that decompresses into gigabytes of heap. Because protocol.Message.Decode inflates the payload via util.Unzip during readRequest - before any authentication - and the only size guard (protocol.MaxMessageLength) is checked against the compressed frame rather than the decompressed output, the server exhausts memory and becomes unavailable. Publicly available exploit code exists and a vendor patch (commit 047aec1) has been released; no public evidence of active exploitation at time of analysis.

Information Disclosure Rpcx
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-59802 MEDIUM PATCH This Month

Cross-site scripting via data URI injection in PasswordPusher before 2.8.1 allows unauthenticated attackers to create URL pushes containing data:text/html payloads that execute arbitrary JavaScript in victims' browsers under the trusted PasswordPusher origin. The root cause is the valid_url function accepting data: URI schemes as valid URLs, meaning any attacker with push creation access can craft a link that, when clicked by a recipient, renders attacker-controlled HTML and JavaScript within the trusted application domain - enabling convincing phishing pages or session cookie harvesting. No public exploit has been identified at time of analysis, but a vendor-released patch (2.8.1) is available per the GitHub security advisory.

Information Disclosure Passwordpusher
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-8649 CRITICAL PATCH Act Now

SQL/NoSQL query injection in Progress MOVEit Transfer (Custom Reports modules) lets remote unauthenticated attackers manipulate backend data-query logic to read, alter, or destroy managed-file-transfer data across versions before 2025.0.7, 2025.1.3, and 2026.0.0. Rated CVSS 9.8 with full confidentiality, integrity, and availability impact, though real-world exploitation is currently rated low (EPSS 0.22%, CISA SSVC exploitation 'none') and no public exploit has been identified at time of analysis. MOVEit's history as a mass-exploitation target (Cl0p, 2023) makes this a high-priority patch despite the currently quiet threat signal.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-59939 PyPI HIGH POC PATCH This Week

Denial of service in the httplib2 Python HTTP client library (all versions prior to 0.32.0) lets a malicious or compromised HTTP server crash the client by returning a small gzip- or deflate-compressed response body that expands without bound during automatic decompression, exhausting memory and triggering a MemoryError or OS OOM-kill. Any application that uses httplib2 to fetch content from untrusted or attacker-controllable endpoints is affected. No public exploit identified at time of analysis; EPSS not provided, but the class is trivially demonstrable and the fix is a one-line-scope behavioral change shipped in 0.32.0.

Python Information Disclosure Httplib2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59947 MEDIUM PATCH This Month

Credential leakage in Composer PHP dependency manager exposes sensitive tokens - such as GitHub Personal Access Tokens embedded in repository URLs - to debug output when the tool is invoked with the -vvv verbosity flag. Affected versions prior to 2.2.29 (LTS branch) and 2.10.2 fail to sanitize username-slot URL credentials (e.g., https://TOKEN@host/) across three components: AuthHelper, Url::sanitize, and ProcessExecutor. An attacker or co-located user with access to terminal output or CI/CD log artifacts could extract valid authentication tokens from this debug output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure PHP Composer
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-59819 LOW PATCH Monitor

Local filesystem read in LiteLLM's AI Gateway proxy prior to version 1.83.10-stable allows a proxy administrator to exfiltrate files from the server by supplying crafted oidc/file/ path references through the /health/test_connection endpoint. The vulnerability stems from unsanitized resolution of request-supplied environment and OIDC file references within litellm_params, giving a high-privileged caller a direct path to arbitrary file read. No public exploit code or active exploitation has been identified; the low CVSS 4.0 score of 2.1 reflects the high privilege bar and limited confidentiality impact.

Information Disclosure Litellm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-57111 HIGH This Week

Cross-origin information disclosure in the Apache Helix REST service (helix-rest) through 2.0.0 lets a remote attacker who lures an authenticated operator to a malicious web page read responses from and send requests to administrative REST endpoints. The CORSFilter unconditionally returns Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true and reflects arbitrary preflight method/header values, defeating the browser same-origin policy. There is no public exploit identified at time of analysis and EPSS risk is low (0.17%, 7th percentile), and it is not on the CISA KEV list.

Apache Information Disclosure Helix
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-59938 MEDIUM PATCH This Month

Uncontrolled memory allocation in pypdf prior to 6.14.0 allows remote, unauthenticated attackers to exhaust host memory by submitting a crafted PDF containing image metadata with inflated declared sizes that vastly exceed the actual embedded image data. Any application that uses pypdf to parse untrusted PDFs is exposed; the library allocates memory proportional to the declared (attacker-controlled) size rather than the actual data length. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Python Information Disclosure Pypdf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-59731 HIGH PATCH This Week

Authorization bypass in the Astro web framework version 6.4.7 lets remote unauthenticated attackers reach protected routes by exploiting an inconsistency between how the framework decodes URL paths for auth decisions versus route matching. Because authorization runs against a path that hit the iterative URL-decoder limit while later rewrite matching applies an extra decodeURI(), a request that appears benign at the auth gate resolves to a guarded route afterward, exposing protected content. No public exploit has been identified at time of analysis, but the fix in 6.4.8 and a published GitHub Security Advisory confirm the flaw.

Information Disclosure Astro
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2025-3110 MEDIUM This Month

HTTP request smuggling in OpenVPN Access Server 2.7.2 through 3.1.0 enables remote unauthenticated attackers to inject or manipulate backend requests when the Access Server is deployed behind a reverse proxy. The server incorrectly accepts bare line-feed (LF-only, without carriage return) characters inside HTTP header values, creating a parsing discrepancy between the front-end proxy and the Access Server backend - the hallmark of CWE-444. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 score of 6.9 with integrity impact on both the vulnerable and subsequent systems indicates meaningful risk in typical enterprise VPN gateway deployments fronted by load balancers or reverse proxies.

Request Smuggling Information Disclosure Access Server Red Hat
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-59930 PyPI MEDIUM PATCH This Month

Predictable heading anchor ID generation in Mistune's toc plugin (all versions prior to 3.3.0) enables same-page navigation hijacking when untrusted Markdown content is rendered. The library assigns sequential numeric identifiers (toc_0, toc_1, etc.) to headings without incorporating heading text, so any party able to inject raw HTML containing a matching id attribute can pre-empt the generated anchor and redirect table-of-contents link targets, CSS selectors, or JavaScript DOM event handlers. No public exploit identified at time of analysis, though the deterministic ID scheme makes collision trivial to engineer once content injection is possible.

Python Information Disclosure Mistune
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-29007 MEDIUM This Month

Out-of-bounds read in U-Boot's TCP stack (net/tcp.c, tcp_rx_state_machine()) allows remote unauthenticated attackers to corrupt bootloader TCP connection state by sending a crafted packet with deliberately mismatched IP total length and TCP data offset fields. Affected builds span U-Boot through 2026.04-rc3, but only when compiled with CONFIG_PROT_TCP - a non-default option. Impact is disruption of TCP window calculations via corruption of rmt_win_scale and rmt_timestamp variables, potentially breaking network-based boot sequences. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in CISA KEV.

Buffer Overflow Information Disclosure U Boot
NVD VulDB
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-59896 MEDIUM PATCH This Month

Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per request, enabling cross-request data leakage under concurrent load. When async components yield at an await boundary, the shared context store can be overwritten by a concurrent in-flight request, causing createContext, useContext, jsxRenderer, or useRequestContext data from one user's session to bleed into another user's response. No public exploit has been identified at time of analysis, but the C:H CVSS impact rating reflects that leaked context values frequently carry sensitive per-user material such as authentication state, session tokens, or profile data.

Race Condition Information Disclosure Hono
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-59897 MEDIUM PATCH This Month

Header de-duplication logic in Hono's AWS API Gateway v1 adapter silently drops distinct repeated header values because it uses substring comparison rather than exact string equality, meaning a value like '10.0.0.1' would incorrectly suppress '10.0.0.10'. Middleware or application logic relying on a complete X-Forwarded-For chain, rate limiting counters, audit trail integrity, or proxy-chain trust validation receives a truncated view of the request. Affected versions span 4.3.3 through 4.12.26; no public exploit identified at time of analysis, though the GitHub advisory confirms the issue and a fix is released in v4.12.27.

Information Disclosure Hono
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-59892 HIGH PATCH This Week

Denial of service in OpenTelemetry JavaScript (@opentelemetry/propagator-jaeger) before 2.9.0 allows an unauthenticated remote attacker to crash a Node.js service by sending a malformed percent-encoded uber-trace-id or uberctx-* HTTP header. The JaegerPropagator passes header values to decodeURIComponent() without catching the resulting URIError, so the uncaught exception terminates the process. No public exploit identified at time of analysis, and this is not listed in CISA KEV; the fix is version 2.9.0.

Node.js Information Disclosure Opentelemetry Js
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59261 HIGH PATCH This Week

Credential exposure in OpenClaw before 2026.5.28 lets a lower-trust actor who can write to a workspace's configured input paths plant a dotenv file that overrides trusted provider credentials, causing sensitive secrets to leak across intended trust boundaries. VulnCheck reported the issue and it is fixed in 2026.5.28; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The vendor CVSS 4.0 base score is 8.4 (High), reflecting high confidentiality and integrity impact but requiring local path access and user interaction.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-59887 HIGH PATCH This Week

Denial of service in linkify-it before 5.0.2 allows remote attackers to exhaust CPU by submitting crafted text containing many mailto: occurrences, each triggering the src_email_name email-name validator in lib/re.mjs to rescan the remaining input, yielding O(n^2) complexity. Any application that runs untrusted user text through linkify-it's .test() or .match() is affected; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the low complexity of the trigger makes availability disruption straightforward.

Information Disclosure Linkify It
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59882 MEDIUM PATCH This Month

Host validation bypass in guzzlehttp/psr7 before 2.12.3 enables URI authority confusion attacks against PHP applications that rely on Uri::getHost() for security-critical decisions. The Uri::assertValidHost() method accepts host strings containing authority delimiters, embedded ports, or malformed IPv6 brackets, causing a semantic split where getHost() returns a sanitized value that disagrees with the actual URI authority used for routing - a classic CWE-436 interpretation conflict exploitable for SSRF allowlist bypass or host-based access control evasion. No public exploit has been identified at time of analysis; vendor-released patch version 2.12.3 resolves the issue.

Information Disclosure Psr7
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-42505 Go MEDIUM PATCH This Month

Passive network de-anonymization of Encrypted Client Hello (ECH) connections is possible in Go's crypto/tls library because pre-shared key (PSK) identities are exposed in cleartext outer ClientHello messages, allowing any on-path observer to correlate resumption sessions and identify servers despite ECH's intended privacy protections. Affected versions span crypto/tls prior to 1.25.12, 1.26.5, and 1.27.0-rc.2 across the Go standard library. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; however, exploitation requires no authentication or user interaction and is accessible to any network-level adversary with passive traffic visibility.

Information Disclosure Crypto Tls
NVD VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-39822 Go HIGH PATCH This Week

Sandbox escape in the Go standard library's os.Root API (os package) on Unix systems allows filesystem operations meant to be confined to a directory to reach files outside it. When a path's final component is a symbolic link and the path ends in a trailing slash (e.g. root.Open("symlink/")), os.Root improperly dereferences that symlink to a location outside the root, defeating the traversal protection the API is designed to enforce. Affects Go before 1.25.12, 1.26.5, and 1.27.0-rc.2; no public exploit is identified at time of analysis and it is not in CISA KEV.

Information Disclosure Os
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-59880 HIGH PATCH This Week

Uncontrolled resource consumption in Immutable.js prior to 4.3.9 and 5.1.8 lets an attacker who controls keys inserted into an Immutable.Map or Immutable.Set exhaust CPU by supplying many keys that share the same 32-bit hash. Because collisions are stored in a HashCollisionNode bucket that is scanned linearly, insertion and lookup degrade from near-constant to quadratic time, producing a denial of service. No public exploit identified at time of analysis and no active exploitation is indicated, but the CVSS 4.0 score of 8.7 reflects an easy, unauthenticated, network-reachable availability impact wherever user-supplied objects reach these structures.

Information Disclosure Immutable Js
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59725 HIGH PATCH This Week

Denial of service in Socket.IO (Engine.IO server) from 4.1.0 before 6.6.7 lets a remote unauthenticated attacker exhaust server-side connections and sockets by sending invalid binary POST requests. When the Engine.IO v4 polling transport receives a malformed binary payload with Content-Type: application/octet-stream, it fails to close the HTTP response, leaking the underlying socket until connection and file-descriptor limits are reached. No public exploit identified at time of analysis; the flaw is fixed in engine.io 6.6.7.

Information Disclosure Socket Io
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59876 MEDIUM PATCH This Month

Prototype pollution in protobuf.js versions 8.2.0 through 8.6.4 allows network-reachable attackers to corrupt JavaScript object prototype chains via the Text Format extension, by supplying a map entry whose key is the reserved JavaScript token `__proto__`, causing the parser to overwrite the prototype of the returned map object instead of creating a literal own-property entry. Exploitation is constrained by high attack complexity - only applications explicitly using the optional `/ext/textformat` module and parsing attacker-controlled input are affected - and real-world impact is limited to partial confidentiality and integrity effects in downstream code that inherits or enumerates poisoned prototype properties. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Information Disclosure Prototype Pollution Protobuf Js
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-59871 HIGH PATCH This Week

Denial of service in node-tar prior to 7.5.18 allows unauthenticated network-reachable attackers to crash Node.js processes by submitting crafted tar archives containing all-digit PAX header path or linkpath values. The library incorrectly coerces these string values to JavaScript numbers in src/pax.ts, causing downstream path handling (normalizeWindowsPath(entry.path).split('/')) to throw an uncaught TypeError when it attempts to call a string method on a numeric value. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Node.js Information Disclosure Node Tar
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59875 MEDIUM PATCH This Month

Process termination via crafted tar archive affects node-tar prior to 7.5.17, where NUL bytes in PAX path and linkpath header records are not sanitized before being passed to Node.js filesystem calls. Any application using node-tar to extract untrusted archives is susceptible to denial of service through an uncaught exception that crashes the Node.js process. No confirmed active exploitation or public exploit code has been identified at time of analysis; however, the low attack complexity (CVSS AC:L, PR:N) makes this trivial to trigger wherever attacker-controlled archive input reaches a vulnerable node-tar instance.

Node.js Information Disclosure Node Tar
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-59868 HIGH PATCH This Week

Denial of service in the js-yaml Node.js YAML parser (versions 5.0.0 up to but not including 5.2.0) lets a remote attacker consume quadratic CPU time by submitting a small, linearly-sized YAML document that chains merge keys (<<) so each mapping merges the previous one. Because confidentiality and integrity impact are nil and only availability is affected (CVSS 7.5, AV:N/A:H), a single crafted document can stall or hang the parsing thread. SSVC rates this poc / automatable=yes / partial impact; there is no public weaponized exploit and it is not on CISA KEV, with a low EPSS of 0.29%.

Information Disclosure Js Yaml
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59703 HIGH PATCH This Week

Local file inclusion in Repomix's git clone HTTP endpoint lets unauthenticated remote attackers read arbitrary tracked file contents from git repositories on the server's filesystem. The isValidRemoteValue validation in src/core/git/gitRemoteParse.ts does not reject file:// scheme URLs, so a supplied file:///path/to/repo value is passed directly to git clone. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High) driven by high confidentiality impact with no authentication required.

Authentication Bypass Path Traversal Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-15067 HIGH PATCH This Week

SQL and DDL injection in the Snowflake Terraform Provider before 2.18.0 lets an attacker who can influence pipeline workspace variables execute arbitrary SQL inside the provider's privileged Snowflake session (CWE-89), enabling data exfiltration and creation of long-lived credentials. A second flaw allows identifier-injection into user-management DDL, so accounts can be minted with attacker-controlled credentials that bypass operator-configured security controls. No public exploit identified at time of analysis; risk is authenticated/insider-driven rather than remote-unauthenticated.

Hashicorp SQLi Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-15044 MEDIUM This Month

Unauthenticated cluster-internal access to TrustyAI Service Operator's gorch and NemoGuardrails deployments is possible when a specific security setting is not explicitly enabled at deployment time. Any workload running within the same Kubernetes or OpenShift cluster can reach these AI guardrail and orchestration service endpoints without presenting credentials, exposing sensitive inference data and enabling limited unauthorized model interactions. No public exploit has been identified at time of analysis, but the low-complexity adjacent attack vector and low-privilege prerequisite make this a realistic lateral movement risk in shared or multi-tenant cluster environments.

Authentication Bypass Information Disclosure
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-10708 HIGH This Week

Sensitive information disclosure in Adalo App Builder (versions 1 through 2) lets remote unauthenticated attackers harvest personal data at scale by sending a single request to a minimal leaderboard component, returning user records that include emails, UUIDs, and custom fields. The flaw stems from wildcard CORS behavior combined with long-lived twenty-day JWTs and no token revocation, meaning any Adalo application can be scraped without app-specific secrets. No public exploit is identified at time of analysis, and the EPSS score is low (0.10%), but the network-reachable, no-authentication nature makes mass automated collection straightforward.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-10706 HIGH This Week

Sensitive user-record disclosure in Adalo's no-code app builder (App Builder versions 1 and 2) lets remote actors enumerate the internal 'dbId' identifier to retrieve complete user records and correlate individuals' behavior across multiple applications hosted on the platform. The flaw stems from predictable/enumerable record identifiers combined with absent access controls and no data minimization. There is no public exploit identified at time of analysis, and EPSS rates near-term exploitation probability very low (0.15%, 5th percentile) despite the high confidentiality-only CVSS of 7.5.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-10699 HIGH PATCH This Week

Denial of service in Progress MOVEit Transfer (Custom Reports modules) allows remote attackers to exhaust server memory through a missing-release-of-memory (memory leak) flaw, degrading availability of the managed file transfer service. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, and is addressed in the Progress Critical Security Bulletin of June 2026. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Moveit Transfer
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-10698 HIGH PATCH This Week

Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-59869 HIGH PATCH This Week

Denial of service in js-yaml (a widely-used JavaScript YAML parser) 3.0.0-3.14.x and 4.0.0-4.2.x allows remote attackers to consume quadratic CPU time by submitting a linearly-sized YAML document built from a chain of mappings that use merge keys, where each mapping merges the previous one. Exploitation requires no authentication or user interaction (CVSS 7.5, availability-only impact), and any application that parses attacker-controlled YAML with a vulnerable version is affected. No public exploit identified at time of analysis; fixes are available in 3.15.0 and 4.3.0.

Information Disclosure Js Yaml
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59870 HIGH PATCH This Week

Denial of service in the js-yaml JavaScript YAML parser (versions 5.0.0 up to but not including 5.2.1) allows remote attackers to exhaust CPU by submitting a crafted YAML document containing an ordered-map (!!omap) node with many entries. Because the !!omap handler performs a linear duplicate-key scan on every insertion, parsing scales as O(n^2), so a modestly sized payload can consume disproportionate CPU when yaml.load() is called. Exploitation is gated behind the non-default YAML11_SCHEMA; SSVC lists proof-of-concept exploit status, there is no CISA KEV entry, and EPSS is low at 0.29%.

Information Disclosure Js Yaml
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58656 HIGH This Week

Cross-origin admin account takeover in the Grav CMS API plugin before v1.0.0-rc.16 stems from two combined weaknesses: JWT tokens are accepted through the ?token= URL query parameter and every API response returns the wildcard Access-Control-Allow-Origin: * header. Any attacker who harvests a leaked JWT from access logs, proxy logs, browser history, or Referrer headers can replay it in fully authenticated cross-origin requests from an arbitrary malicious site, then create persistent super-admin accounts and exfiltrate configuration and user data. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but a vendor patch (v1.0.0-rc.16) is available.

Information Disclosure
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56374 NuGet MEDIUM PATCH This Month

Heap buffer overflow in ImageMagick's FTXT encoder exposes systems to denial of service and potential information disclosure when processing attacker-crafted image files. All ImageMagick versions before 7.1.2-19 are affected due to missing boundary checks when parsing the ftxt:format parameter, allowing an out-of-bounds read (CWE-125) in the FTXT encoder component. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though a vendor patch is available at 7.1.2-19.

Denial Of Service Buffer Overflow Information Disclosure Imagemagick
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-56362 NuGet LOW PATCH Monitor

Heap-buffer-overflow read in ImageMagick's GetPixelIndex function exposes limited heap memory contents and can cause partial availability impact in affected 6.x and 7.x branches before the patched releases. The root cause is a metadata-allocation race in OpenPixelCache, which updates image channel metadata before confirming successful pixel cache memory allocation, leaving GetPixelIndex to operate on stale channel counts. Exploitation requires high privilege access and the ability to induce memory or disk allocation failures, yielding only limited confidentiality and availability impact; no public exploit code and no CISA KEV listing are associated with this CVE.

Buffer Overflow Information Disclosure Imagemagick
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-56298 MEDIUM PATCH This Month

Capgo's app information endpoint retains EXIF metadata in uploaded images, leaking sensitive geolocation coordinates and device information to any party with image access. Versions prior to 12.128.2 are affected. An authenticated attacker or any user who can view uploaded app-information images can retrieve full EXIF payloads - including GPS coordinates, timestamps, and device identifiers - from files that the platform should have sanitized. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; however, the attack requires only low-privilege network access and trivial tooling such as exiftool.

Information Disclosure
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56284 MEDIUM PATCH This Month

Unauthenticated information disclosure in Capgo (Cap-go/capgo) before 12.128.2 exposes sensitive organization metrics through a misconfigured Supabase PostgREST RPC endpoint. The Supabase function public.get_total_metrics(org_id) is accessible to the anon role using only the publicly distributed sb_publishable_* key, meaning any external party can query it without credentials. By iterating valid organization UUIDs against POST /rest/v1/rpc/get_total_metrics, attackers can confirm organization existence and harvest usage data including monthly active users, bandwidth consumption, and install counts. No public exploit or CISA KEV listing exists at time of analysis; the EPSS signal is absent from provided data but the low exploitation complexity suggests elevated opportunistic risk.

Information Disclosure
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56226 HIGH PATCH This Week

Broken access control in Capgo (the Capacitor live-update/OTA platform) before 12.128.2 lets any unauthenticated caller holding only the public publishable API key read arbitrary users' organization data. The Supabase PostgREST RPC function public.get_orgs_v6 runs as SECURITY DEFINER and is granted to the anon role, yet trusts a caller-supplied user UUID instead of the authenticated identity, exposing org membership, roles, subscription/trial metadata, and the management_email PII. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but exploitation is trivial and requires no credentials beyond the intentionally-public key.

Information Disclosure
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-41122 HIGH PATCH This Week

Stored cross-site scripting in Dell PowerProtect Data Domain (DD OS 7.7.1.0 through 8.7, plus the LTS2026 8.6.1.x, LTS2025 8.3.1.x, and LTS2024 7.13.1.x branches) lets a remote attacker persist malicious script in the appliance management interface that executes in other users' browser sessions. Because the flaw is reachable without authentication and the injected payload runs in the victim's authenticated context, an attacker can achieve information disclosure, session/token theft, and client-side request forgery against operators of the backup appliance. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Dell has published advisory DSA-2026-278.

XSS Dell Information Disclosure Data Domain Operating System
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-14454 CRITICAL PATCH Act Now

Denial of service in the Imager image-processing module for Perl (all versions before 1.033) allows remote attackers to crash a worker process by submitting an image whose EXIF IFD entry count is mishandled as a signed integer, triggering an near-address-space-sized memory allocation that fails and aborts the process. Any application that passes untrusted images through Imager's EXIF parsing is exposed. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and it is not listed in CISA KEV.

Information Disclosure Imager
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-15041 LOW Monitor

Timing side-channel exposure in Red Hat Directory Server's PBKDF2-SHA256 password verification allows a remote unauthenticated attacker to send repeated LDAP bind requests and statistically infer partial hash information by measuring response-time differences caused by non-constant-time memcmp() comparisons. Affected deployments span Red Hat Directory Server 11 through 13 and the 389-ds-base package shipped across RHEL 6 through 10. No public exploit identified at time of analysis, and practical exploitation is acknowledged to be extremely difficult due to the computational overhead inherent in PBKDF2 key stretching, which substantially degrades the timing signal.

Information Disclosure Red Hat Directory Server 11 Red Hat Directory Server 12 Red Hat Directory Server 13 Red Hat Enterprise Linux 10 +4
NVD VulDB
CVSS 3.1
3.7
EPSS
0.3%
CVE-2026-6280 MEDIUM This Month

Nomysem, an education and consulting management platform by Turkish vendor NOMYSOFT Informatics, exposes sensitive information to authenticated low-privilege users due to incompatible ACL policies that fail to properly constrain access to restricted functionality. Network-accessible endpoints can be reached by any valid account holder, yielding high-confidentiality-impact data exposure without requiring elevated rights or user interaction. No public exploit code has been identified at time of analysis; however, the vendor failed to respond to coordinated disclosure, leaving the vulnerability unpatched.

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57239 HIGH This Week

Local privilege escalation in Foxit PDF Editor and Foxit PDF Reader (Windows) lets a low-privileged user place executable files that a high-privilege process later runs directly, yielding code execution as NT AUTHORITY\SYSTEM. The flaw stems from an untrusted search path (CWE-427) where the application loads and executes attacker-writable binaries without validating their origin. There is no public exploit identified at time of analysis, EPSS is low (0.11%, 2nd percentile), and SSVC reports no observed exploitation, so this is a locally-exploitable escalation rather than a remotely wormable threat.

Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-57241 MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader allows a local attacker to crash the application and potentially expose adjacent memory contents by delivering a specially crafted PDF containing malicious JavaScript. The JavaScript manipulates page and document objects to desynchronize internal page-related state from the renderer's trusted page count; when the renderer subsequently accesses page objects using the stale index, it reads beyond valid memory bounds. No public exploit identified at time of analysis and no CISA KEV listing, but the broad affected version ranges across multiple major release branches (13.x, 14.x, and 2026.x) means a large proportion of unpatched Foxit deployments are exposed.

Buffer Overflow Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57243 MEDIUM This Month

Foxit PDF Reader and PDF Editor crash with potential memory disclosure when processing maliciously crafted PDF documents containing JavaScript that causes reentrancy during page opening or form formatting. The reentrancy leaves the document object in an inconsistent state; when the application subsequently attempts to dereference stale page metadata, it reads from an invalid memory address (CWE-125 out-of-bounds read), resulting in application termination and limited memory content exposure. No public exploit code or active exploitation has been identified at time of analysis; exploitation requires a local user interaction to open a crafted PDF file.

Buffer Overflow Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57253 MEDIUM This Month

Out-of-bounds read in Foxit PDF Reader and PDF Editor allows a local attacker to crash the application and potentially disclose limited memory contents by delivering a specially crafted PDF containing a malformed image object. The vulnerability triggers when the renderer encounters an abnormal image object, causes it to enter an incorrect processing branch, and subsequently dereferences an invalid buffer pointer during scan line conversion. No public exploit code has been identified and no CISA KEV listing exists, but the CVSS availability impact is rated High, meaning successful exploitation reliably causes application termination.

Buffer Overflow Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57255 MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader crashes the application and exposes limited memory contents when a victim opens a specially crafted PDF embedding a semantically malformed color space function. Affected versions span multiple branches across both Editor and Reader products, confirmed through EUVD-2026-42198. No public exploit code or active exploitation has been identified at time of analysis; however, the low attack complexity and file-based delivery mechanism make this a plausible phishing lure in targeted campaigns against organizations relying on Foxit products.

Buffer Overflow Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57257 MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and PDF Reader during PRC (Product Representation Compact) 3D content parsing crashes the application and leaks limited memory content. Affects multiple concurrent release trains including versions 2026.1.1, 14.0.4, and 13.2.4 and earlier. Exploitation requires a victim to open a specially crafted PDF containing a malicious PRC entity - no public exploit has been identified at time of analysis.

Buffer Overflow Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-57258 MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader's PRC 3D file header parser crashes the application and may leak process memory when a victim opens a specially crafted PDF. Affected version ranges span Foxit PDF Reader through 2026.1.1 and multiple Foxit PDF Editor release branches through 13.2.4, 14.0.4, and 2026.1.1. No public exploit code or confirmed active exploitation has been identified at time of analysis; the CVSS availability impact is rated High due to a reliable application crash on trigger, with a minor confidentiality component from out-of-bounds memory exposure.

Buffer Overflow Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-60002 CRITICAL PATCH Act Now

Memory corruption in the OpenSSH client (ssh) before 10.4 lets a malicious or compromised SSH server trigger a use-after-free on the connecting client by changing its host key during a key re-exchange (rekey), potentially leading to information disclosure or code execution in the client process. Only the client side is affected; the server is not vulnerable. There is no public exploit identified at time of analysis and it is not on CISA KEV, and EPSS is low (0.25%, 16th percentile), but the flaw is fixed in OpenSSH 10.4/10.4p1.

Memory Corruption SSH Microsoft Use After Free Information Disclosure +1
NVD VulDB
CVSS 3.1
9.4
EPSS
0.3%
CVE-2026-59999 HIGH PATCH This Week

Security-control bypass in OpenSSH sshd before 10.4 causes the DisableForwarding=yes hardening directive to be silently ignored when PermitTunnel=yes is also set, so tun-device forwarding remains available despite an administrator's explicit policy to disable all forwarding. Affected operators are those who rely on DisableForwarding as a defense-in-depth restriction; the flaw lets an authenticated user establish layer-2/3 tunnels the configuration was meant to forbid. There is no public exploit identified at time of analysis, EPSS is low (0.13%, 3rd percentile), and it is not on CISA KEV.

SSH Information Disclosure Openssh
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-59998 MEDIUM PATCH This Month

OpenSSH sshd before version 10.4 silently ignores the GSSAPIStrictAcceptorCheck configuration directive when the server is integrated with Windows Active Directory, defeating a security control that administrators rely on to enforce GSSAPI acceptor name validation during Kerberos-based SSH authentication. This undocumented behavior means AD-joined SSH servers may accept GSSAPI authentications against unintended Kerberos service principals regardless of how the option is configured, yielding limited confidentiality and integrity impact. No public exploits or active exploitation have been identified; the CVSS AC:H rating reflects the specific environmental prerequisites required for exploitation.

SSH Microsoft Information Disclosure Openssh
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-59997 MEDIUM PATCH This Month

OpenSSH's internal-sftp subsystem silently discards all command-line arguments beyond position 9, allowing authenticated SFTP users to bypass security restrictions that administrators intended to enforce via those later-positioned arguments. All OpenSSH releases before 10.4 are affected when sshd_config supplies more than nine arguments to the internal-sftp subsystem, which is a non-default but legitimate administrative pattern used for directory restriction, read-only enforcement, and umask control. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog; however, sites relying on complex internal-sftp argument chains for access policy enforcement face a direct, silent policy bypass.

SSH Information Disclosure Openssh
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-59996 MEDIUM PATCH This Month

Path traversal in the scp utility of OpenSSH before 10.4 causes files to be written into the parent directory of the intended destination during remote-to-remote copy operations. The root cause is CWE-23 (Relative Path Traversal): scp fails to canonicalize or sanitize paths when relaying data between two remote hosts, allowing an attacker controlling a malicious endpoint to influence where transferred files land. No public exploit identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; the CVSS AC:H and UI:R metrics significantly constrain real-world exploitability.

SSH Information Disclosure Openssh
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-59995 MEDIUM PATCH This Month

Path traversal in the OpenSSH sftp client before version 10.4p1 allows an attacker-controlled server to write downloaded files outside the user's intended target directory when the 'sftp server:/path .' bulk-download syntax is used. Affected are all OpenSSH deployments where users sftp from untrusted or attacker-controlled hosts, which in practice spans virtually every Linux and Unix environment. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the ubiquity of OpenSSH elevates aggregate exposure despite the moderate per-instance severity.

SSH Information Disclosure Openssh
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-14740 CRITICAL PATCH Act Now

Out-of-bounds read in the Perl DBI module's preparse() SQL-normalisation routine allows an attacker who controls SQL passed to the method (where the statement begins with a comment line) to trigger a one-byte read past a buffer, in all DBI releases before 1.650. On memory-hardened builds this faults and crashes the process (availability impact); on normal builds it produces nondeterministic newline retention. This is a CWE-125 flaw reported by CPANSec with no public exploit identified at time of analysis; EPSS is low at 0.19% (8th percentile) and it is not in CISA KEV.

Buffer Overflow Information Disclosure Dbi
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-54601 MEDIUM PATCH This Month

Cross-tenant authorization bypass in FastGPT (versions 4.14.17 through pre-4.15.0-beta4) permits an authenticated tenant user to inject a foreign tenant's datasetId via the POST /api/core/dataset/collection/create/reTrainingCollection endpoint, corrupting ownership anchors in persisted dataset objects. Downstream dataset, collection, and training endpoints then derive authorization decisions from these poisoned records, granting the attacker cross-tenant read, update, and delete access to another tenant's data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the vendor released version 4.15.0-beta4 as the confirmed fix.

Information Disclosure Fastgpt
NVD GitHub
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-58266 PyPI MEDIUM PATCH This Month

Arbitrary file read and exfiltration in Anki prior to 25.09.4 allows a remote attacker to access sensitive files on a victim's system by distributing a maliciously crafted card package (.apkg). The root cause is an origin validation failure (CWE-346) in Anki's internal localhost API, which fails to block iframe-embedded scripts from accessing privileged backend methods such as getImageForOcclusion. Exploitation requires the victim to import the malicious deck; no public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Anki
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-59153 PyPI LOW PATCH GHSA Monitor

Cross-origin request forgery against Anki's local HTTP server allows a malicious website to trigger unauthorized side-effecting requests to the application while it is running on the victim's machine. All Anki versions prior to 25.09.3 are affected (CPE: cpe:2.3:a:ankitects:anki:*:*:*:*:*:*:*:*). The practical severity varies significantly by browser: implementations with Private Network Access (PNA) protections block such requests by default, limiting real-world impact to older or less-restrictive browser configurations. No public exploit identified at time of analysis, though security researcher Tavis Ormandy (Google Project Zero) publicly discussed the issue on X, indicating independent researcher awareness.

Information Disclosure Anki
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-58469 HIGH PATCH This Week

Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving a Metalink document whose URL element contains only whitespace, causing clean_metalink_string() in src/metalink.c to decrement a pointer past the start of the heap buffer. The out-of-bounds read (CWE-125) produces abnormal program behavior and is reported by VulnCheck; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed upstream in GitLab commit 37a40fc.

Buffer Overflow Information Disclosure Wget
NVD VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-44877 MEDIUM This Month

Sensitive cryptographic material on HPE Networking Instant On 1830, 1930, and 1960 switches is exposed to remote network actors through an information disclosure vulnerability. Exploitation allows retrieval of cryptographic secrets such as private keys, certificates, or pre-shared credentials, which could subsequently enable man-in-the-middle attacks, traffic decryption, or device impersonation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Information Disclosure Hpe Networking Instant On
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-7017 HIGH PATCH This Week

Credential leakage in the Perl HTTP::Tiny client (all versions before 0.095) lets an attacker who controls a redirect destination harvest sensitive headers. When a server answers with a 3xx redirect, HTTP::Tiny re-sends caller-supplied Authorization, Cookie and Proxy-Authorization headers to the new host without verifying it shares the original origin, including across scheme, host or port boundaries and over https-to-http downgrades that expose them in cleartext on the wire. No public exploit is identified at time of analysis and CISA SSVC rates exploitation as none, but the flaw is well-documented and a vendor patch is available in 0.095.

Information Disclosure Http
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-14904 HIGH This Week

Arbitrary file disclosure in AWS Research and Engineering Studio (RES) prior to version 2026.06 allows an authenticated remote user to read any file readable by root on the cluster-manager EC2 instance. The Auth.GetUserPrivateKey API follows a user-controlled symbolic link at ~/.ssh/id_rsa, and because the cluster-manager process runs as root, an attacker can exfiltrate other users' SSH private keys and application secrets. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Res
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-14969 MEDIUM This Month

Attribute encryption in the 389-ds-base LDBM backend exposes a cryptographic design flaw affecting Red Hat Directory Server 11, 12, and 13 across all supported RHEL releases (6 through 10). The LDBM backend applies a static, hardcoded initialization vector (IV) for both AES-CBC and 3DES-CBC encryption of directory attribute values, meaning that two entries storing identical plaintext for an encrypted attribute will always produce identical ciphertext blocks - a classic ciphertext equality oracle. An attacker with privileged filesystem-level read access to the LDBM database files can exploit this to determine whether any two encrypted attribute values are identical, leaking relational information about the directory without recovering plaintext. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Information Disclosure Red Hat Directory Server 11 Red Hat Directory Server 12 Red Hat Directory Server 13 Red Hat Enterprise Linux 10 +6
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-53877 PyPI MEDIUM PATCH This Month

Memory over-read in Django's GIS module allows unauthenticated remote attackers to potentially disclose adjacent heap memory or degrade service availability via a segmentation fault. The `django.contrib.gis.gdal.GDALRaster` class fails to correctly bound its read when constructed from a bytes object, exposing raw memory when the `vsi_buffer` property is subsequently accessed. Affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16; no public exploit identified at time of analysis and not listed in CISA KEV.

Python Information Disclosure Django
NVD VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-48588 PyPI LOW PATCH Monitor

Cache poisoning in Django's UpdateCacheMiddleware and cache_page() decorator exposes private user data to unauthenticated remote attackers by incorrectly serving cached responses across different cookie contexts. Versions 6.0 before 6.0.7 and 5.2 before 5.2.16 are confirmed affected; older unsupported branches (5.0.x, 4.1.x, 3.2.x) were not evaluated but may share the flaw. No public exploit or CISA KEV listing exists at time of analysis, and the low CVSS 4.0 score of 2.3 reflects meaningful preconditions, though the data-disclosure consequence for applications serving personalized, cookie-gated content through a shared cache is concrete.

Python Information Disclosure Django
NVD VulDB
CVSS 4.0
2.3
EPSS
0.4%
CVE-2026-34151 Maven HIGH PATCH GHSA This Week

Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). Depending on how deep the webapp sits below root, this exposes both in-webapp secrets such as WEB-INF/xwiki.cfg and Hibernate configuration, and out-of-webapp OS files like /etc/passwd. No public exploit or active exploitation is tracked, but the vendor advisory (GHSA-qj4x-9g63-25g6) itself publishes working request URLs, so weaponization is trivial.

Atlassian Information Disclosure Tomcat Docker
NVD GitHub
CVE-2026-11348 HIGH This Week

Signature verification bypass in HAVELSAN Liman MYS (versions before release.Master.1107) lets remote attackers forge the source/authenticity of data - tagged as a JWT attack - enabling identity spoofing and likely authentication bypass. Per CVSS the vector is network-based and unauthenticated (AV:N/PR:N) with high impact to confidentiality and integrity. No public exploit is identified at time of analysis and it is not on CISA KEV.

Jwt Attack Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-14868 HIGH PATCH This Week

Privilege escalation in ARC Informatique PcVue SCADA/HMI software (all versions prior to 17.0.0) arises because the encryption algorithm protecting user-account configuration in the built-in user directory is cryptographically inadequate (CWE-326). A local attacker with low privileges can decrypt or tamper with the stored account configuration and ultimately obtain privileged access to the PcVue application. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor CVSS 4.0 base score is 8.4 (High).

Information Disclosure Pcvue
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-14867 MEDIUM PATCH This Month

Insecure credential storage in PcVue exposes built-in user account passwords to any local attacker with low-privileged filesystem access, across all versions prior to 17.0.0. The credentials are stored unprotected in the project's User directory, recoverable without elevated OS privileges. No public exploit code has been identified at time of analysis, but in OT/SCADA environments where PcVue is deployed, recovered credentials could enable unauthorized control of industrial processes.

Information Disclosure Pcvue
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-49487 PyPI MEDIUM PATCH This Month

Apache Airflow REST API exposes provider secrets in plaintext through the task-instance detail and list endpoints when tasks are in a deferred state. Any authenticated user holding DAG-scoped task-instance read access - a permission commonly granted to non-admin roles - can retrieve API keys, passwords, or other secrets passed by deferred operators into trigger kwargs. Fixed in Apache Airflow 3.3.0; no public exploit code identified at time of analysis, though exploitation is trivially achievable by any authenticated user with the requisite read permission.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48828 MEDIUM PATCH This Month

Sensitive credential exposure in Apache Airflow's Bulk Variables API allows authenticated users with bulk Variable read permission to retrieve plaintext values from JSON-typed variables whose key names use secret-suffixed conventions such as `*_password`, `*_token`, or `*_secret`. The redactor function was invoked without passing the variable key, so the `should_hide_value_for_key` check - which is responsible for masking secrets based on key-name patterns - could never fire for JSON-decodable variable values. This affects all deployments prior to 3.3.0 that store sensitive credentials in JSON-typed Airflow Variables under secret-suffixed key names; no public exploit has been identified at time of analysis, and exploitation is bounded by the requirement for authenticated access with a specific permission grant.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48891 PyPI MEDIUM PATCH This Month

Incomplete authorization filtering in Apache Airflow's `/ui/dependencies` scheduling graph endpoint exposes restricted DAG identifiers to authenticated users who lack read permission on those DAGs. The endpoint correctly filters top-level serialized DAG keys against the caller's ACL but leaks referenced DAG IDs through `dep.source` and `dep.target` fields of trigger and sensor dependency entries, enabling cross-team DAG enumeration in multi-tenant deployments. This is a residual gap from an incomplete fix for CVE-2026-28563; no public exploit has been identified at time of analysis, and a vendor patch is available in apache-airflow 3.3.0.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-48892 PyPI MEDIUM PATCH This Month

Apache Airflow's Config API leaks plaintext secrets-backend credentials to authenticated users with Config read permission, because per-key environment variable overrides (e.g., AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID) generate synthetic config entries whose names are absent from the sensitive_config_values masking list. Affected deployments are those that configure secrets backends such as HashiCorp Vault via these per-key environment variable patterns, exposing credentials like Vault role_id and secret_id through normal API responses. No public exploit has been identified at the time of analysis; the vendor-released fix is apache-airflow 3.3.0.

Hashicorp Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13199 MEDIUM PATCH This Month

Predictable KASLR offsets and RNG seeds in Raspberry Pi 5 and Compute Module 5 EEPROM firmware undermine kernel address space layout randomization across all affected devices and reboots. Because the entropy source is deterministic, any attacker who can identify the firmware version can predict kernel memory addresses, reducing KASLR to a known-offset bypass. This does not itself enable code execution, but it significantly lowers the bar for chaining with any memory-corruption vulnerability targeting these devices. No public exploit code has been identified at time of analysis and this is not listed in the CISA KEV catalog.

Information Disclosure Raspberry Pi 5 And Compute Module 5
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-12277 HIGH This Week

Arbitrary file deletion in the WordPress Frontend File Manager Plugin (versions up to and including 23.6) lets unauthenticated visitors remove any file on the server when guest upload mode is enabled, because a user-supplied file path is not validated before the delete operation. Removing critical files such as wp-config.php drops the site into its installation/setup routine, which an attacker can chain toward a complete site takeover. No public exploit is identified at time of analysis and EPSS is low (0.15%, 4th percentile), but the unauthenticated network vector and scope-changing impact make this a serious risk for exposed sites running the vulnerable configuration.

WordPress Information Disclosure PHP
NVD WPScan VulDB
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-10834 MEDIUM PATCH This Month

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This removes the targeted media from its original location and can break content across the site.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
4.6
EPSS
0.1%
CVE-2026-26053 MEDIUM This Month

Incorrect privilege assignment in Gallagher Command Centre Server permits an authenticated low-privilege operator to execute operations restricted to higher-privilege roles, enabling unauthorized integrity impacts on physical security configurations. Affected versions span the 9.10 through 9.50 release lines, with patches available for 9.20-9.50 but no fix for the fully end-of-support 9.10 branch. No public exploit code exists and this vulnerability is not listed in CISA KEV; it was disclosed directly by the vendor Gallagher.

Information Disclosure Command Centre Server
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-34198 MEDIUM PATCH This Month

Password reset poisoning in Coolify prior to 4.0.0-beta.471 enables unauthenticated account takeover by injecting a forged X-Forwarded-Host header during a password reset request. Two compounding middleware failures make this possible: TrustProxies trusts all proxy sources unconditionally, and TrustHosts is rendered inoperable by a circular caching dependency, meaning the Host header is never validated. The reset URL is generated from the spoofed request host, so the victim's reset token is delivered to an attacker-controlled domain. No public exploit is identified at time of analysis, but the attack is low-friction and the fix is confirmed in version 4.0.0-beta.471.

Information Disclosure Coolify
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-42172 LOW PATCH Monitor

Sanctum API tokens in Coolify never expire prior to v4.0.0-beta.474, meaning any token that is leaked or stolen remains permanently valid until an administrator manually revokes it. This affects the self-hosted server, application, and database management platform across all versions below 4.0.0-beta.474. An attacker who obtains a valid API token via secondary means retains indefinite read access to the Coolify API without natural time-bounded expiry as a safeguard. No public exploit has been identified at time of analysis, and the low CVSS score of 3.1 reflects the constrained real-world impact.

Information Disclosure Coolify
NVD GitHub
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-53648 MEDIUM This Month

File path collision in FOSSBilling's downloadable product service allows an authenticated administrator to silently overwrite another product's stored file by uploading a file with an identical original filename. Because FOSSBilling stores uploaded files at a path derived solely from md5(<original filename>), two uploads sharing the same filename map to the same storage location - the later upload wins, and customers downloading the earlier product receive the substituted file instead. No public exploit exists and this is not in CISA KEV, but the integrity and information-disclosure impact are concrete: customers may receive incorrect - potentially confidential - product files. Version 0.8.1 patches the issue.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content spoofing in GitLab CE/EE versions 16.5 through 18.x, 19.0, and 19.1 allows authenticated users to construct repositories where the web interface renders content that diverges from the actual downloadable source, exploiting improper Git reference name resolution (CWE-706). The CVSS score of 3.5 (Low) reflects the authentication requirement (PR:L), mandatory viewer interaction (UI:R), and limited integrity-only impact with no confidentiality or availability consequences. No public exploit code or CISA KEV listing has been identified at time of analysis, placing real-world risk firmly in the low tier despite the broad version range affected.

Gitlab Information Disclosure
NVD VulDB
CVSS 6.5
MEDIUM PATCH This Month

Broken object-level authorization in the nl-portal-backend-libraries GraphQL API exposes sensitive personal data belonging to arbitrary users to any authenticated caller. Two resolvers - document content retrieval (all published versions of nl.nl-portal:documenten-api since 0.2.2.RELEASE, 2023) and the besluiten (decisions) module (nl.nl-portal:besluiten 1.5.0-3.0.0) - were declared without a CommonGroundAuthentication parameter, causing the Spring framework to never bind the authenticated principal into the call path and leaving ownership checks impossible at the resolver level. The two endpoints chain naturally: an attacker enumerates decision records and their attached document IDs via the besluit queries, then exfiltrates raw document content through the document endpoint; decisions frequently contain government benefit, permit, and objection rulings, giving the exposure high real-world sensitivity. No public exploit has been identified at time of analysis, and this was discovered during a structured penetration testing engagement in May 2026.

Java Information Disclosure
NVD GitHub
MEDIUM POC PATCH This Month

Differential extraction in async-tar 0.6.0 enables content-smuggling attacks against scan-then-extract pipelines: an attacker who controls the bytes of a tar stream can construct an archive that GNU-tar-based AV scanners see as a single benign blob while async-tar writes a distinct executable payload to disk that the scanner never inspected. The root cause is in poll_next_raw (src/archive.rs), which mis-applies a buffered PAX local-extension size record to an intermediary GNU longname (L) header rather than restricting the override to the following file entry, desyncing the stream cursor from any POSIX-correct parser. No public exploitation in the wild or CISA KEV listing has been identified, but a fully functional proof-of-concept with verbatim captured output is included in the advisory, demonstrating the complete x → L → file smuggling sequence.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Sensitive file exfiltration in Composio SDK (the @composio/cli package) before 0.2.32-beta.283 lets attackers steal credential files by abusing a missing path-safety check in the readFileFromDisk function of tool-file-uploads.ts. Because the assertSafeFileUploadPath guard is absent, an attacker who can influence the agent's prompt can manipulate file_uploadable parameters to point at arbitrary paths such as ~/.ssh private keys, causing the CLI to upload those files to attacker-controlled storage. There is no public exploit identified at time of analysis, but the upstream fix, issue, and pull request are all public, which lowers the bar for reproduction.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Container-to-host sandbox escape in HashiCorp Nomad and Nomad Enterprise lets an authenticated job submitter using the Docker task driver bind-mount an arbitrary host path into their container even when volume bind mounts are administratively disabled, enabling read and write access to files on the underlying host. The scope-changing flaw (CVSS 3.1 8.7) affects the Community and Enterprise editions and is fixed in Nomad 2.0.4 (CE), and Enterprise 2.0.4, 1.11.8, and 1.10.14. There is no public exploit identified at time of analysis and it is not on CISA KEV.

Hashicorp Information Disclosure Docker
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Path redirection via the writeToFile template helper in consul-template before 0.42.1 allows a local low-privileged attacker to redirect template output outside the intended destination directory or overwrite existing files on the filesystem. Because consul-template routinely renders sensitive secrets from HashiCorp Vault, Consul, and AWS Secrets Manager into local files, successful exploitation can expose those secrets by redirecting writes to attacker-readable locations. No public exploit code or CISA KEV listing is associated with this vulnerability at time of analysis.

Information Disclosure
NVD
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Uncontrolled resource consumption in the smallnest rpcx Go RPC framework (through 1.9.3) lets a single unauthenticated client crash the server by sending a small (<2 MB) gzip-compressed protocol message that decompresses into gigabytes of heap. Because protocol.Message.Decode inflates the payload via util.Unzip during readRequest - before any authentication - and the only size guard (protocol.MaxMessageLength) is checked against the compressed frame rather than the decompressed output, the server exhausts memory and becomes unavailable. Publicly available exploit code exists and a vendor patch (commit 047aec1) has been released; no public evidence of active exploitation at time of analysis.

Information Disclosure Rpcx
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Cross-site scripting via data URI injection in PasswordPusher before 2.8.1 allows unauthenticated attackers to create URL pushes containing data:text/html payloads that execute arbitrary JavaScript in victims' browsers under the trusted PasswordPusher origin. The root cause is the valid_url function accepting data: URI schemes as valid URLs, meaning any attacker with push creation access can craft a link that, when clicked by a recipient, renders attacker-controlled HTML and JavaScript within the trusted application domain - enabling convincing phishing pages or session cookie harvesting. No public exploit has been identified at time of analysis, but a vendor-released patch (2.8.1) is available per the GitHub security advisory.

Information Disclosure Passwordpusher
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL/NoSQL query injection in Progress MOVEit Transfer (Custom Reports modules) lets remote unauthenticated attackers manipulate backend data-query logic to read, alter, or destroy managed-file-transfer data across versions before 2025.0.7, 2025.1.3, and 2026.0.0. Rated CVSS 9.8 with full confidentiality, integrity, and availability impact, though real-world exploitation is currently rated low (EPSS 0.22%, CISA SSVC exploitation 'none') and no public exploit has been identified at time of analysis. MOVEit's history as a mass-exploitation target (Cl0p, 2023) makes this a high-priority patch despite the currently quiet threat signal.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in the httplib2 Python HTTP client library (all versions prior to 0.32.0) lets a malicious or compromised HTTP server crash the client by returning a small gzip- or deflate-compressed response body that expands without bound during automatic decompression, exhausting memory and triggering a MemoryError or OS OOM-kill. Any application that uses httplib2 to fetch content from untrusted or attacker-controllable endpoints is affected. No public exploit identified at time of analysis; EPSS not provided, but the class is trivially demonstrable and the fix is a one-line-scope behavioral change shipped in 0.32.0.

Python Information Disclosure Httplib2
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Credential leakage in Composer PHP dependency manager exposes sensitive tokens - such as GitHub Personal Access Tokens embedded in repository URLs - to debug output when the tool is invoked with the -vvv verbosity flag. Affected versions prior to 2.2.29 (LTS branch) and 2.10.2 fail to sanitize username-slot URL credentials (e.g., https://TOKEN@host/) across three components: AuthHelper, Url::sanitize, and ProcessExecutor. An attacker or co-located user with access to terminal output or CI/CD log artifacts could extract valid authentication tokens from this debug output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure PHP Composer
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Local filesystem read in LiteLLM's AI Gateway proxy prior to version 1.83.10-stable allows a proxy administrator to exfiltrate files from the server by supplying crafted oidc/file/ path references through the /health/test_connection endpoint. The vulnerability stems from unsanitized resolution of request-supplied environment and OIDC file references within litellm_params, giving a high-privileged caller a direct path to arbitrary file read. No public exploit code or active exploitation has been identified; the low CVSS 4.0 score of 2.1 reflects the high privilege bar and limited confidentiality impact.

Information Disclosure Litellm
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Cross-origin information disclosure in the Apache Helix REST service (helix-rest) through 2.0.0 lets a remote attacker who lures an authenticated operator to a malicious web page read responses from and send requests to administrative REST endpoints. The CORSFilter unconditionally returns Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true and reflects arbitrary preflight method/header values, defeating the browser same-origin policy. There is no public exploit identified at time of analysis and EPSS risk is low (0.17%, 7th percentile), and it is not on the CISA KEV list.

Apache Information Disclosure Helix
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Uncontrolled memory allocation in pypdf prior to 6.14.0 allows remote, unauthenticated attackers to exhaust host memory by submitting a crafted PDF containing image metadata with inflated declared sizes that vastly exceed the actual embedded image data. Any application that uses pypdf to parse untrusted PDFs is exposed; the library allocates memory proportional to the declared (attacker-controlled) size rather than the actual data length. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Python Information Disclosure Pypdf
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authorization bypass in the Astro web framework version 6.4.7 lets remote unauthenticated attackers reach protected routes by exploiting an inconsistency between how the framework decodes URL paths for auth decisions versus route matching. Because authorization runs against a path that hit the iterative URL-decoder limit while later rewrite matching applies an extra decodeURI(), a request that appears benign at the auth gate resolves to a guarded route afterward, exposing protected content. No public exploit has been identified at time of analysis, but the fix in 6.4.8 and a published GitHub Security Advisory confirm the flaw.

Information Disclosure Astro
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

HTTP request smuggling in OpenVPN Access Server 2.7.2 through 3.1.0 enables remote unauthenticated attackers to inject or manipulate backend requests when the Access Server is deployed behind a reverse proxy. The server incorrectly accepts bare line-feed (LF-only, without carriage return) characters inside HTTP header values, creating a parsing discrepancy between the front-end proxy and the Access Server backend - the hallmark of CWE-444. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 score of 6.9 with integrity impact on both the vulnerable and subsequent systems indicates meaningful risk in typical enterprise VPN gateway deployments fronted by load balancers or reverse proxies.

Request Smuggling Information Disclosure Access Server +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Predictable heading anchor ID generation in Mistune's toc plugin (all versions prior to 3.3.0) enables same-page navigation hijacking when untrusted Markdown content is rendered. The library assigns sequential numeric identifiers (toc_0, toc_1, etc.) to headings without incorporating heading text, so any party able to inject raw HTML containing a matching id attribute can pre-empt the generated anchor and redirect table-of-contents link targets, CSS selectors, or JavaScript DOM event handlers. No public exploit identified at time of analysis, though the deterministic ID scheme makes collision trivial to engineer once content injection is possible.

Python Information Disclosure Mistune
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Out-of-bounds read in U-Boot's TCP stack (net/tcp.c, tcp_rx_state_machine()) allows remote unauthenticated attackers to corrupt bootloader TCP connection state by sending a crafted packet with deliberately mismatched IP total length and TCP data offset fields. Affected builds span U-Boot through 2026.04-rc3, but only when compiled with CONFIG_PROT_TCP - a non-default option. Impact is disruption of TCP window calculations via corruption of rmt_win_scale and rmt_timestamp variables, potentially breaking network-based boot sequences. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in CISA KEV.

Buffer Overflow Information Disclosure U Boot
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per request, enabling cross-request data leakage under concurrent load. When async components yield at an await boundary, the shared context store can be overwritten by a concurrent in-flight request, causing createContext, useContext, jsxRenderer, or useRequestContext data from one user's session to bleed into another user's response. No public exploit has been identified at time of analysis, but the C:H CVSS impact rating reflects that leaked context values frequently carry sensitive per-user material such as authentication state, session tokens, or profile data.

Race Condition Information Disclosure Hono
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Header de-duplication logic in Hono's AWS API Gateway v1 adapter silently drops distinct repeated header values because it uses substring comparison rather than exact string equality, meaning a value like '10.0.0.1' would incorrectly suppress '10.0.0.10'. Middleware or application logic relying on a complete X-Forwarded-For chain, rate limiting counters, audit trail integrity, or proxy-chain trust validation receives a truncated view of the request. Affected versions span 4.3.3 through 4.12.26; no public exploit identified at time of analysis, though the GitHub advisory confirms the issue and a fix is released in v4.12.27.

Information Disclosure Hono
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in OpenTelemetry JavaScript (@opentelemetry/propagator-jaeger) before 2.9.0 allows an unauthenticated remote attacker to crash a Node.js service by sending a malformed percent-encoded uber-trace-id or uberctx-* HTTP header. The JaegerPropagator passes header values to decodeURIComponent() without catching the resulting URIError, so the uncaught exception terminates the process. No public exploit identified at time of analysis, and this is not listed in CISA KEV; the fix is version 2.9.0.

Node.js Information Disclosure Opentelemetry Js
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Credential exposure in OpenClaw before 2026.5.28 lets a lower-trust actor who can write to a workspace's configured input paths plant a dotenv file that overrides trusted provider credentials, causing sensitive secrets to leak across intended trust boundaries. VulnCheck reported the issue and it is fixed in 2026.5.28; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The vendor CVSS 4.0 base score is 8.4 (High), reflecting high confidentiality and integrity impact but requiring local path access and user interaction.

Information Disclosure Openclaw
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in linkify-it before 5.0.2 allows remote attackers to exhaust CPU by submitting crafted text containing many mailto: occurrences, each triggering the src_email_name email-name validator in lib/re.mjs to rescan the remaining input, yielding O(n^2) complexity. Any application that runs untrusted user text through linkify-it's .test() or .match() is affected; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the low complexity of the trigger makes availability disruption straightforward.

Information Disclosure Linkify It
NVD GitHub VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Host validation bypass in guzzlehttp/psr7 before 2.12.3 enables URI authority confusion attacks against PHP applications that rely on Uri::getHost() for security-critical decisions. The Uri::assertValidHost() method accepts host strings containing authority delimiters, embedded ports, or malformed IPv6 brackets, causing a semantic split where getHost() returns a sanitized value that disagrees with the actual URI authority used for routing - a classic CWE-436 interpretation conflict exploitable for SSRF allowlist bypass or host-based access control evasion. No public exploit has been identified at time of analysis; vendor-released patch version 2.12.3 resolves the issue.

Information Disclosure Psr7
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Passive network de-anonymization of Encrypted Client Hello (ECH) connections is possible in Go's crypto/tls library because pre-shared key (PSK) identities are exposed in cleartext outer ClientHello messages, allowing any on-path observer to correlate resumption sessions and identify servers despite ECH's intended privacy protections. Affected versions span crypto/tls prior to 1.25.12, 1.26.5, and 1.27.0-rc.2 across the Go standard library. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; however, exploitation requires no authentication or user interaction and is accessible to any network-level adversary with passive traffic visibility.

Information Disclosure Crypto Tls
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Sandbox escape in the Go standard library's os.Root API (os package) on Unix systems allows filesystem operations meant to be confined to a directory to reach files outside it. When a path's final component is a symbolic link and the path ends in a trailing slash (e.g. root.Open("symlink/")), os.Root improperly dereferences that symlink to a location outside the root, defeating the traversal protection the API is designed to enforce. Affects Go before 1.25.12, 1.26.5, and 1.27.0-rc.2; no public exploit is identified at time of analysis and it is not in CISA KEV.

Information Disclosure Os
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Uncontrolled resource consumption in Immutable.js prior to 4.3.9 and 5.1.8 lets an attacker who controls keys inserted into an Immutable.Map or Immutable.Set exhaust CPU by supplying many keys that share the same 32-bit hash. Because collisions are stored in a HashCollisionNode bucket that is scanned linearly, insertion and lookup degrade from near-constant to quadratic time, producing a denial of service. No public exploit identified at time of analysis and no active exploitation is indicated, but the CVSS 4.0 score of 8.7 reflects an easy, unauthenticated, network-reachable availability impact wherever user-supplied objects reach these structures.

Information Disclosure Immutable Js
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Socket.IO (Engine.IO server) from 4.1.0 before 6.6.7 lets a remote unauthenticated attacker exhaust server-side connections and sockets by sending invalid binary POST requests. When the Engine.IO v4 polling transport receives a malformed binary payload with Content-Type: application/octet-stream, it fails to close the HTTP response, leaking the underlying socket until connection and file-descriptor limits are reached. No public exploit identified at time of analysis; the flaw is fixed in engine.io 6.6.7.

Information Disclosure Socket Io
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Prototype pollution in protobuf.js versions 8.2.0 through 8.6.4 allows network-reachable attackers to corrupt JavaScript object prototype chains via the Text Format extension, by supplying a map entry whose key is the reserved JavaScript token `__proto__`, causing the parser to overwrite the prototype of the returned map object instead of creating a literal own-property entry. Exploitation is constrained by high attack complexity - only applications explicitly using the optional `/ext/textformat` module and parsing attacker-controlled input are affected - and real-world impact is limited to partial confidentiality and integrity effects in downstream code that inherits or enumerates poisoned prototype properties. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Information Disclosure Prototype Pollution Protobuf Js
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in node-tar prior to 7.5.18 allows unauthenticated network-reachable attackers to crash Node.js processes by submitting crafted tar archives containing all-digit PAX header path or linkpath values. The library incorrectly coerces these string values to JavaScript numbers in src/pax.ts, causing downstream path handling (normalizeWindowsPath(entry.path).split('/')) to throw an uncaught TypeError when it attempts to call a string method on a numeric value. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Node.js Information Disclosure Node Tar
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Process termination via crafted tar archive affects node-tar prior to 7.5.17, where NUL bytes in PAX path and linkpath header records are not sanitized before being passed to Node.js filesystem calls. Any application using node-tar to extract untrusted archives is susceptible to denial of service through an uncaught exception that crashes the Node.js process. No confirmed active exploitation or public exploit code has been identified at time of analysis; however, the low attack complexity (CVSS AC:L, PR:N) makes this trivial to trigger wherever attacker-controlled archive input reaches a vulnerable node-tar instance.

Node.js Information Disclosure Node Tar
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the js-yaml Node.js YAML parser (versions 5.0.0 up to but not including 5.2.0) lets a remote attacker consume quadratic CPU time by submitting a small, linearly-sized YAML document that chains merge keys (<<) so each mapping merges the previous one. Because confidentiality and integrity impact are nil and only availability is affected (CVSS 7.5, AV:N/A:H), a single crafted document can stall or hang the parsing thread. SSVC rates this poc / automatable=yes / partial impact; there is no public weaponized exploit and it is not on CISA KEV, with a low EPSS of 0.29%.

Information Disclosure Js Yaml
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Local file inclusion in Repomix's git clone HTTP endpoint lets unauthenticated remote attackers read arbitrary tracked file contents from git repositories on the server's filesystem. The isValidRemoteValue validation in src/core/git/gitRemoteParse.ts does not reject file:// scheme URLs, so a supplied file:///path/to/repo value is passed directly to git clone. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High) driven by high confidentiality impact with no authentication required.

Authentication Bypass Path Traversal Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL and DDL injection in the Snowflake Terraform Provider before 2.18.0 lets an attacker who can influence pipeline workspace variables execute arbitrary SQL inside the provider's privileged Snowflake session (CWE-89), enabling data exfiltration and creation of long-lived credentials. A second flaw allows identifier-injection into user-management DDL, so accounts can be minted with attacker-controlled credentials that bypass operator-configured security controls. No public exploit identified at time of analysis; risk is authenticated/insider-driven rather than remote-unauthenticated.

Hashicorp SQLi Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Unauthenticated cluster-internal access to TrustyAI Service Operator's gorch and NemoGuardrails deployments is possible when a specific security setting is not explicitly enabled at deployment time. Any workload running within the same Kubernetes or OpenShift cluster can reach these AI guardrail and orchestration service endpoints without presenting credentials, exposing sensitive inference data and enabling limited unauthorized model interactions. No public exploit has been identified at time of analysis, but the low-complexity adjacent attack vector and low-privilege prerequisite make this a realistic lateral movement risk in shared or multi-tenant cluster environments.

Authentication Bypass Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive information disclosure in Adalo App Builder (versions 1 through 2) lets remote unauthenticated attackers harvest personal data at scale by sending a single request to a minimal leaderboard component, returning user records that include emails, UUIDs, and custom fields. The flaw stems from wildcard CORS behavior combined with long-lived twenty-day JWTs and no token revocation, meaning any Adalo application can be scraped without app-specific secrets. No public exploit is identified at time of analysis, and the EPSS score is low (0.10%), but the network-reachable, no-authentication nature makes mass automated collection straightforward.

Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive user-record disclosure in Adalo's no-code app builder (App Builder versions 1 and 2) lets remote actors enumerate the internal 'dbId' identifier to retrieve complete user records and correlate individuals' behavior across multiple applications hosted on the platform. The flaw stems from predictable/enumerable record identifiers combined with absent access controls and no data minimization. There is no public exploit identified at time of analysis, and EPSS rates near-term exploitation probability very low (0.15%, 5th percentile) despite the high confidentiality-only CVSS of 7.5.

Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Progress MOVEit Transfer (Custom Reports modules) allows remote attackers to exhaust server memory through a missing-release-of-memory (memory leak) flaw, degrading availability of the managed file transfer service. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, and is addressed in the Progress Critical Security Bulletin of June 2026. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Moveit Transfer
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in js-yaml (a widely-used JavaScript YAML parser) 3.0.0-3.14.x and 4.0.0-4.2.x allows remote attackers to consume quadratic CPU time by submitting a linearly-sized YAML document built from a chain of mappings that use merge keys, where each mapping merges the previous one. Exploitation requires no authentication or user interaction (CVSS 7.5, availability-only impact), and any application that parses attacker-controlled YAML with a vulnerable version is affected. No public exploit identified at time of analysis; fixes are available in 3.15.0 and 4.3.0.

Information Disclosure Js Yaml
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the js-yaml JavaScript YAML parser (versions 5.0.0 up to but not including 5.2.1) allows remote attackers to exhaust CPU by submitting a crafted YAML document containing an ordered-map (!!omap) node with many entries. Because the !!omap handler performs a linear duplicate-key scan on every insertion, parsing scales as O(n^2), so a modestly sized payload can consume disproportionate CPU when yaml.load() is called. Exploitation is gated behind the non-default YAML11_SCHEMA; SSVC lists proof-of-concept exploit status, there is no CISA KEV entry, and EPSS is low at 0.29%.

Information Disclosure Js Yaml
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Cross-origin admin account takeover in the Grav CMS API plugin before v1.0.0-rc.16 stems from two combined weaknesses: JWT tokens are accepted through the ?token= URL query parameter and every API response returns the wildcard Access-Control-Allow-Origin: * header. Any attacker who harvests a leaked JWT from access logs, proxy logs, browser history, or Referrer headers can replay it in fully authenticated cross-origin requests from an arbitrary malicious site, then create persistent super-admin accounts and exfiltrate configuration and user data. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but a vendor patch (v1.0.0-rc.16) is available.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Heap buffer overflow in ImageMagick's FTXT encoder exposes systems to denial of service and potential information disclosure when processing attacker-crafted image files. All ImageMagick versions before 7.1.2-19 are affected due to missing boundary checks when parsing the ftxt:format parameter, allowing an out-of-bounds read (CWE-125) in the FTXT encoder component. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though a vendor patch is available at 7.1.2-19.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Heap-buffer-overflow read in ImageMagick's GetPixelIndex function exposes limited heap memory contents and can cause partial availability impact in affected 6.x and 7.x branches before the patched releases. The root cause is a metadata-allocation race in OpenPixelCache, which updates image channel metadata before confirming successful pixel cache memory allocation, leaving GetPixelIndex to operate on stale channel counts. Exploitation requires high privilege access and the ability to induce memory or disk allocation failures, yielding only limited confidentiality and availability impact; no public exploit code and no CISA KEV listing are associated with this CVE.

Buffer Overflow Information Disclosure Imagemagick
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Capgo's app information endpoint retains EXIF metadata in uploaded images, leaking sensitive geolocation coordinates and device information to any party with image access. Versions prior to 12.128.2 are affected. An authenticated attacker or any user who can view uploaded app-information images can retrieve full EXIF payloads - including GPS coordinates, timestamps, and device identifiers - from files that the platform should have sanitized. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; however, the attack requires only low-privilege network access and trivial tooling such as exiftool.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated information disclosure in Capgo (Cap-go/capgo) before 12.128.2 exposes sensitive organization metrics through a misconfigured Supabase PostgREST RPC endpoint. The Supabase function public.get_total_metrics(org_id) is accessible to the anon role using only the publicly distributed sb_publishable_* key, meaning any external party can query it without credentials. By iterating valid organization UUIDs against POST /rest/v1/rpc/get_total_metrics, attackers can confirm organization existence and harvest usage data including monthly active users, bandwidth consumption, and install counts. No public exploit or CISA KEV listing exists at time of analysis; the EPSS signal is absent from provided data but the low exploitation complexity suggests elevated opportunistic risk.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Broken access control in Capgo (the Capacitor live-update/OTA platform) before 12.128.2 lets any unauthenticated caller holding only the public publishable API key read arbitrary users' organization data. The Supabase PostgREST RPC function public.get_orgs_v6 runs as SECURITY DEFINER and is granted to the anon role, yet trusts a caller-supplied user UUID instead of the authenticated identity, exposing org membership, roles, subscription/trial metadata, and the management_email PII. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but exploitation is trivial and requires no credentials beyond the intentionally-public key.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stored cross-site scripting in Dell PowerProtect Data Domain (DD OS 7.7.1.0 through 8.7, plus the LTS2026 8.6.1.x, LTS2025 8.3.1.x, and LTS2024 7.13.1.x branches) lets a remote attacker persist malicious script in the appliance management interface that executes in other users' browser sessions. Because the flaw is reachable without authentication and the injected payload runs in the victim's authenticated context, an attacker can achieve information disclosure, session/token theft, and client-side request forgery against operators of the backup appliance. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Dell has published advisory DSA-2026-278.

XSS Dell Information Disclosure +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Denial of service in the Imager image-processing module for Perl (all versions before 1.033) allows remote attackers to crash a worker process by submitting an image whose EXIF IFD entry count is mishandled as a signed integer, triggering an near-address-space-sized memory allocation that fails and aborts the process. Any application that passes untrusted images through Imager's EXIF parsing is exposed. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and it is not listed in CISA KEV.

Information Disclosure Imager
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW Monitor

Timing side-channel exposure in Red Hat Directory Server's PBKDF2-SHA256 password verification allows a remote unauthenticated attacker to send repeated LDAP bind requests and statistically infer partial hash information by measuring response-time differences caused by non-constant-time memcmp() comparisons. Affected deployments span Red Hat Directory Server 11 through 13 and the 389-ds-base package shipped across RHEL 6 through 10. No public exploit identified at time of analysis, and practical exploitation is acknowledged to be extremely difficult due to the computational overhead inherent in PBKDF2 key stretching, which substantially degrades the timing signal.

Information Disclosure Red Hat Directory Server 11 Red Hat Directory Server 12 +6
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Nomysem, an education and consulting management platform by Turkish vendor NOMYSOFT Informatics, exposes sensitive information to authenticated low-privilege users due to incompatible ACL policies that fail to properly constrain access to restricted functionality. Network-accessible endpoints can be reached by any valid account holder, yielding high-confidentiality-impact data exposure without requiring elevated rights or user interaction. No public exploit code has been identified at time of analysis; however, the vendor failed to respond to coordinated disclosure, leaving the vulnerability unpatched.

Information Disclosure
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Foxit PDF Editor and Foxit PDF Reader (Windows) lets a low-privileged user place executable files that a high-privilege process later runs directly, yielding code execution as NT AUTHORITY\SYSTEM. The flaw stems from an untrusted search path (CWE-427) where the application loads and executes attacker-writable binaries without validating their origin. There is no public exploit identified at time of analysis, EPSS is low (0.11%, 2nd percentile), and SSVC reports no observed exploitation, so this is a locally-exploitable escalation rather than a remotely wormable threat.

Information Disclosure Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader allows a local attacker to crash the application and potentially expose adjacent memory contents by delivering a specially crafted PDF containing malicious JavaScript. The JavaScript manipulates page and document objects to desynchronize internal page-related state from the renderer's trusted page count; when the renderer subsequently accesses page objects using the stale index, it reads beyond valid memory bounds. No public exploit identified at time of analysis and no CISA KEV listing, but the broad affected version ranges across multiple major release branches (13.x, 14.x, and 2026.x) means a large proportion of unpatched Foxit deployments are exposed.

Buffer Overflow Information Disclosure Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Foxit PDF Reader and PDF Editor crash with potential memory disclosure when processing maliciously crafted PDF documents containing JavaScript that causes reentrancy during page opening or form formatting. The reentrancy leaves the document object in an inconsistent state; when the application subsequently attempts to dereference stale page metadata, it reads from an invalid memory address (CWE-125 out-of-bounds read), resulting in application termination and limited memory content exposure. No public exploit code or active exploitation has been identified at time of analysis; exploitation requires a local user interaction to open a crafted PDF file.

Buffer Overflow Information Disclosure Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Out-of-bounds read in Foxit PDF Reader and PDF Editor allows a local attacker to crash the application and potentially disclose limited memory contents by delivering a specially crafted PDF containing a malformed image object. The vulnerability triggers when the renderer encounters an abnormal image object, causes it to enter an incorrect processing branch, and subsequently dereferences an invalid buffer pointer during scan line conversion. No public exploit code has been identified and no CISA KEV listing exists, but the CVSS availability impact is rated High, meaning successful exploitation reliably causes application termination.

Buffer Overflow Information Disclosure Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader crashes the application and exposes limited memory contents when a victim opens a specially crafted PDF embedding a semantically malformed color space function. Affected versions span multiple branches across both Editor and Reader products, confirmed through EUVD-2026-42198. No public exploit code or active exploitation has been identified at time of analysis; however, the low attack complexity and file-based delivery mechanism make this a plausible phishing lure in targeted campaigns against organizations relying on Foxit products.

Buffer Overflow Information Disclosure Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and PDF Reader during PRC (Product Representation Compact) 3D content parsing crashes the application and leaks limited memory content. Affects multiple concurrent release trains including versions 2026.1.1, 14.0.4, and 13.2.4 and earlier. Exploitation requires a victim to open a specially crafted PDF containing a malicious PRC entity - no public exploit has been identified at time of analysis.

Buffer Overflow Information Disclosure Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader's PRC 3D file header parser crashes the application and may leak process memory when a victim opens a specially crafted PDF. Affected version ranges span Foxit PDF Reader through 2026.1.1 and multiple Foxit PDF Editor release branches through 13.2.4, 14.0.4, and 2026.1.1. No public exploit code or confirmed active exploitation has been identified at time of analysis; the CVSS availability impact is rated High due to a reliable application crash on trigger, with a minor confidentiality component from out-of-bounds memory exposure.

Buffer Overflow Information Disclosure Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Memory corruption in the OpenSSH client (ssh) before 10.4 lets a malicious or compromised SSH server trigger a use-after-free on the connecting client by changing its host key during a key re-exchange (rekey), potentially leading to information disclosure or code execution in the client process. Only the client side is affected; the server is not vulnerable. There is no public exploit identified at time of analysis and it is not on CISA KEV, and EPSS is low (0.25%, 16th percentile), but the flaw is fixed in OpenSSH 10.4/10.4p1.

Memory Corruption SSH Microsoft +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Security-control bypass in OpenSSH sshd before 10.4 causes the DisableForwarding=yes hardening directive to be silently ignored when PermitTunnel=yes is also set, so tun-device forwarding remains available despite an administrator's explicit policy to disable all forwarding. Affected operators are those who rely on DisableForwarding as a defense-in-depth restriction; the flaw lets an authenticated user establish layer-2/3 tunnels the configuration was meant to forbid. There is no public exploit identified at time of analysis, EPSS is low (0.13%, 3rd percentile), and it is not on CISA KEV.

SSH Information Disclosure Openssh
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenSSH sshd before version 10.4 silently ignores the GSSAPIStrictAcceptorCheck configuration directive when the server is integrated with Windows Active Directory, defeating a security control that administrators rely on to enforce GSSAPI acceptor name validation during Kerberos-based SSH authentication. This undocumented behavior means AD-joined SSH servers may accept GSSAPI authentications against unintended Kerberos service principals regardless of how the option is configured, yielding limited confidentiality and integrity impact. No public exploits or active exploitation have been identified; the CVSS AC:H rating reflects the specific environmental prerequisites required for exploitation.

SSH Microsoft Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

OpenSSH's internal-sftp subsystem silently discards all command-line arguments beyond position 9, allowing authenticated SFTP users to bypass security restrictions that administrators intended to enforce via those later-positioned arguments. All OpenSSH releases before 10.4 are affected when sshd_config supplies more than nine arguments to the internal-sftp subsystem, which is a non-default but legitimate administrative pattern used for directory restriction, read-only enforcement, and umask control. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog; however, sites relying on complex internal-sftp argument chains for access policy enforcement face a direct, silent policy bypass.

SSH Information Disclosure Openssh
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Path traversal in the scp utility of OpenSSH before 10.4 causes files to be written into the parent directory of the intended destination during remote-to-remote copy operations. The root cause is CWE-23 (Relative Path Traversal): scp fails to canonicalize or sanitize paths when relaying data between two remote hosts, allowing an attacker controlling a malicious endpoint to influence where transferred files land. No public exploit identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; the CVSS AC:H and UI:R metrics significantly constrain real-world exploitability.

SSH Information Disclosure Openssh
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Path traversal in the OpenSSH sftp client before version 10.4p1 allows an attacker-controlled server to write downloaded files outside the user's intended target directory when the 'sftp server:/path .' bulk-download syntax is used. Affected are all OpenSSH deployments where users sftp from untrusted or attacker-controlled hosts, which in practice spans virtually every Linux and Unix environment. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the ubiquity of OpenSSH elevates aggregate exposure despite the moderate per-instance severity.

SSH Information Disclosure Openssh
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in the Perl DBI module's preparse() SQL-normalisation routine allows an attacker who controls SQL passed to the method (where the statement begins with a comment line) to trigger a one-byte read past a buffer, in all DBI releases before 1.650. On memory-hardened builds this faults and crashes the process (availability impact); on normal builds it produces nondeterministic newline retention. This is a CWE-125 flaw reported by CPANSec with no public exploit identified at time of analysis; EPSS is low at 0.19% (8th percentile) and it is not in CISA KEV.

Buffer Overflow Information Disclosure Dbi
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Cross-tenant authorization bypass in FastGPT (versions 4.14.17 through pre-4.15.0-beta4) permits an authenticated tenant user to inject a foreign tenant's datasetId via the POST /api/core/dataset/collection/create/reTrainingCollection endpoint, corrupting ownership anchors in persisted dataset objects. Downstream dataset, collection, and training endpoints then derive authorization decisions from these poisoned records, granting the attacker cross-tenant read, update, and delete access to another tenant's data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the vendor released version 4.15.0-beta4 as the confirmed fix.

Information Disclosure Fastgpt
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Arbitrary file read and exfiltration in Anki prior to 25.09.4 allows a remote attacker to access sensitive files on a victim's system by distributing a maliciously crafted card package (.apkg). The root cause is an origin validation failure (CWE-346) in Anki's internal localhost API, which fails to block iframe-embedded scripts from accessing privileged backend methods such as getImageForOcclusion. Exploitation requires the victim to import the malicious deck; no public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Anki
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Cross-origin request forgery against Anki's local HTTP server allows a malicious website to trigger unauthorized side-effecting requests to the application while it is running on the victim's machine. All Anki versions prior to 25.09.3 are affected (CPE: cpe:2.3:a:ankitects:anki:*:*:*:*:*:*:*:*). The practical severity varies significantly by browser: implementations with Private Network Access (PNA) protections block such requests by default, limiting real-world impact to older or less-restrictive browser configurations. No public exploit identified at time of analysis, though security researcher Tavis Ormandy (Google Project Zero) publicly discussed the issue on X, indicating independent researcher awareness.

Information Disclosure Anki
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving a Metalink document whose URL element contains only whitespace, causing clean_metalink_string() in src/metalink.c to decrement a pointer past the start of the heap buffer. The out-of-bounds read (CWE-125) produces abnormal program behavior and is reported by VulnCheck; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed upstream in GitLab commit 37a40fc.

Buffer Overflow Information Disclosure Wget
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive cryptographic material on HPE Networking Instant On 1830, 1930, and 1960 switches is exposed to remote network actors through an information disclosure vulnerability. Exploitation allows retrieval of cryptographic secrets such as private keys, certificates, or pre-shared credentials, which could subsequently enable man-in-the-middle attacks, traffic decryption, or device impersonation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Information Disclosure Hpe Networking Instant On
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Credential leakage in the Perl HTTP::Tiny client (all versions before 0.095) lets an attacker who controls a redirect destination harvest sensitive headers. When a server answers with a 3xx redirect, HTTP::Tiny re-sends caller-supplied Authorization, Cookie and Proxy-Authorization headers to the new host without verifying it shares the original origin, including across scheme, host or port boundaries and over https-to-http downgrades that expose them in cleartext on the wire. No public exploit is identified at time of analysis and CISA SSVC rates exploitation as none, but the flaw is well-documented and a vendor patch is available in 0.095.

Information Disclosure Http
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Arbitrary file disclosure in AWS Research and Engineering Studio (RES) prior to version 2026.06 allows an authenticated remote user to read any file readable by root on the cluster-manager EC2 instance. The Auth.GetUserPrivateKey API follows a user-controlled symbolic link at ~/.ssh/id_rsa, and because the cluster-manager process runs as root, an attacker can exfiltrate other users' SSH private keys and application secrets. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Res
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Attribute encryption in the 389-ds-base LDBM backend exposes a cryptographic design flaw affecting Red Hat Directory Server 11, 12, and 13 across all supported RHEL releases (6 through 10). The LDBM backend applies a static, hardcoded initialization vector (IV) for both AES-CBC and 3DES-CBC encryption of directory attribute values, meaning that two entries storing identical plaintext for an encrypted attribute will always produce identical ciphertext blocks - a classic ciphertext equality oracle. An attacker with privileged filesystem-level read access to the LDBM database files can exploit this to determine whether any two encrypted attribute values are identical, leaking relational information about the directory without recovering plaintext. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Information Disclosure Red Hat Directory Server 11 Red Hat Directory Server 12 +8
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Memory over-read in Django's GIS module allows unauthenticated remote attackers to potentially disclose adjacent heap memory or degrade service availability via a segmentation fault. The `django.contrib.gis.gdal.GDALRaster` class fails to correctly bound its read when constructed from a bytes object, exposing raw memory when the `vsi_buffer` property is subsequently accessed. Affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16; no public exploit identified at time of analysis and not listed in CISA KEV.

Python Information Disclosure Django
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cache poisoning in Django's UpdateCacheMiddleware and cache_page() decorator exposes private user data to unauthenticated remote attackers by incorrectly serving cached responses across different cookie contexts. Versions 6.0 before 6.0.7 and 5.2 before 5.2.16 are confirmed affected; older unsupported branches (5.0.x, 4.1.x, 3.2.x) were not evaluated but may share the flaw. No public exploit or CISA KEV listing exists at time of analysis, and the low CVSS 4.0 score of 2.3 reflects meaningful preconditions, though the data-disclosure consequence for applications serving personalized, cookie-gated content through a shared cache is concrete.

Python Information Disclosure Django
NVD VulDB
HIGH PATCH This Week

Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). Depending on how deep the webapp sits below root, this exposes both in-webapp secrets such as WEB-INF/xwiki.cfg and Hibernate configuration, and out-of-webapp OS files like /etc/passwd. No public exploit or active exploitation is tracked, but the vendor advisory (GHSA-qj4x-9g63-25g6) itself publishes working request URLs, so weaponization is trivial.

Atlassian Information Disclosure Tomcat +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Signature verification bypass in HAVELSAN Liman MYS (versions before release.Master.1107) lets remote attackers forge the source/authenticity of data - tagged as a JWT attack - enabling identity spoofing and likely authentication bypass. Per CVSS the vector is network-based and unauthenticated (AV:N/PR:N) with high impact to confidentiality and integrity. No public exploit is identified at time of analysis and it is not on CISA KEV.

Jwt Attack Information Disclosure
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Privilege escalation in ARC Informatique PcVue SCADA/HMI software (all versions prior to 17.0.0) arises because the encryption algorithm protecting user-account configuration in the built-in user directory is cryptographically inadequate (CWE-326). A local attacker with low privileges can decrypt or tamper with the stored account configuration and ultimately obtain privileged access to the PcVue application. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor CVSS 4.0 base score is 8.4 (High).

Information Disclosure Pcvue
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Insecure credential storage in PcVue exposes built-in user account passwords to any local attacker with low-privileged filesystem access, across all versions prior to 17.0.0. The credentials are stored unprotected in the project's User directory, recoverable without elevated OS privileges. No public exploit code has been identified at time of analysis, but in OT/SCADA environments where PcVue is deployed, recovered credentials could enable unauthorized control of industrial processes.

Information Disclosure Pcvue
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow REST API exposes provider secrets in plaintext through the task-instance detail and list endpoints when tasks are in a deferred state. Any authenticated user holding DAG-scoped task-instance read access - a permission commonly granted to non-admin roles - can retrieve API keys, passwords, or other secrets passed by deferred operators into trigger kwargs. Fixed in Apache Airflow 3.3.0; no public exploit code identified at time of analysis, though exploitation is trivially achievable by any authenticated user with the requisite read permission.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Sensitive credential exposure in Apache Airflow's Bulk Variables API allows authenticated users with bulk Variable read permission to retrieve plaintext values from JSON-typed variables whose key names use secret-suffixed conventions such as `*_password`, `*_token`, or `*_secret`. The redactor function was invoked without passing the variable key, so the `should_hide_value_for_key` check - which is responsible for masking secrets based on key-name patterns - could never fire for JSON-decodable variable values. This affects all deployments prior to 3.3.0 that store sensitive credentials in JSON-typed Airflow Variables under secret-suffixed key names; no public exploit has been identified at time of analysis, and exploitation is bounded by the requirement for authenticated access with a specific permission grant.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incomplete authorization filtering in Apache Airflow's `/ui/dependencies` scheduling graph endpoint exposes restricted DAG identifiers to authenticated users who lack read permission on those DAGs. The endpoint correctly filters top-level serialized DAG keys against the caller's ACL but leaks referenced DAG IDs through `dep.source` and `dep.target` fields of trigger and sensor dependency entries, enabling cross-team DAG enumeration in multi-tenant deployments. This is a residual gap from an incomplete fix for CVE-2026-28563; no public exploit has been identified at time of analysis, and a vendor patch is available in apache-airflow 3.3.0.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow's Config API leaks plaintext secrets-backend credentials to authenticated users with Config read permission, because per-key environment variable overrides (e.g., AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID) generate synthetic config entries whose names are absent from the sensitive_config_values masking list. Affected deployments are those that configure secrets backends such as HashiCorp Vault via these per-key environment variable patterns, exposing credentials like Vault role_id and secret_id through normal API responses. No public exploit has been identified at the time of analysis; the vendor-released fix is apache-airflow 3.3.0.

Hashicorp Apache Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Predictable KASLR offsets and RNG seeds in Raspberry Pi 5 and Compute Module 5 EEPROM firmware undermine kernel address space layout randomization across all affected devices and reboots. Because the entropy source is deterministic, any attacker who can identify the firmware version can predict kernel memory addresses, reducing KASLR to a known-offset bypass. This does not itself enable code execution, but it significantly lowers the bar for chaining with any memory-corruption vulnerability targeting these devices. No public exploit code has been identified at time of analysis and this is not listed in the CISA KEV catalog.

Information Disclosure Raspberry Pi 5 And Compute Module 5
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Arbitrary file deletion in the WordPress Frontend File Manager Plugin (versions up to and including 23.6) lets unauthenticated visitors remove any file on the server when guest upload mode is enabled, because a user-supplied file path is not validated before the delete operation. Removing critical files such as wp-config.php drops the site into its installation/setup routine, which an attacker can chain toward a complete site takeover. No public exploit is identified at time of analysis and EPSS is low (0.15%, 4th percentile), but the unauthenticated network vector and scope-changing impact make this a serious risk for exposed sites running the vulnerable configuration.

WordPress Information Disclosure PHP
NVD WPScan VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This removes the targeted media from its original location and can break content across the site.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Incorrect privilege assignment in Gallagher Command Centre Server permits an authenticated low-privilege operator to execute operations restricted to higher-privilege roles, enabling unauthorized integrity impacts on physical security configurations. Affected versions span the 9.10 through 9.50 release lines, with patches available for 9.20-9.50 but no fix for the fully end-of-support 9.10 branch. No public exploit code exists and this vulnerability is not listed in CISA KEV; it was disclosed directly by the vendor Gallagher.

Information Disclosure Command Centre Server
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Password reset poisoning in Coolify prior to 4.0.0-beta.471 enables unauthenticated account takeover by injecting a forged X-Forwarded-Host header during a password reset request. Two compounding middleware failures make this possible: TrustProxies trusts all proxy sources unconditionally, and TrustHosts is rendered inoperable by a circular caching dependency, meaning the Host header is never validated. The reset URL is generated from the spoofed request host, so the victim's reset token is delivered to an attacker-controlled domain. No public exploit is identified at time of analysis, but the attack is low-friction and the fix is confirmed in version 4.0.0-beta.471.

Information Disclosure Coolify
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Sanctum API tokens in Coolify never expire prior to v4.0.0-beta.474, meaning any token that is leaked or stolen remains permanently valid until an administrator manually revokes it. This affects the self-hosted server, application, and database management platform across all versions below 4.0.0-beta.474. An attacker who obtains a valid API token via secondary means retains indefinite read access to the Coolify API without natural time-bounded expiry as a safeguard. No public exploit has been identified at time of analysis, and the low CVSS score of 3.1 reflects the constrained real-world impact.

Information Disclosure Coolify
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

File path collision in FOSSBilling's downloadable product service allows an authenticated administrator to silently overwrite another product's stored file by uploading a file with an identical original filename. Because FOSSBilling stores uploaded files at a path derived solely from md5(<original filename>), two uploads sharing the same filename map to the same storage location - the later upload wins, and customers downloading the earlier product receive the substituted file instead. No public exploit exists and this is not in CISA KEV, but the integrity and information-disclosure impact are concrete: customers may receive incorrect - potentially confidential - product files. Version 0.8.1 patches the issue.

Information Disclosure
NVD GitHub VulDB
Prev Page 8 of 741 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy