Vulnerability Intelligence

Know what's exploitable before it's exploited

CVE analysis built on public NVD and CISA KEV data — enriched with practical remediation, detection, and prioritization guidance.

313
CVEs ingested
87
Published
3
Known exploited
  • CVE-2025-48977MEDIUM 6.5

    Apache Ignite REST API contains a path traversal vulnerability that allows authenticated users to read arbitrary files from the server by manipulating the log path parameter in API commands. An attacker with valid REST API credentials can escape the intended log directory and access sensitive files anywhere on the system. This affects Ignite versions 2.0.0 through 2.17.0, and the vendor has released version 2.18.0 to address it.

  • CVE-2026-2374HIGH 7.2

    The Login No Captcha reCAPTCHA WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in all versions up to 1.8.0. An unauthenticated attacker can exploit this by triggering a login attempt from a non-standard login page URL (such as xmlrpc.php), which causes the plugin to store malicious JavaScript in the WordPress admin dashboard settings. When an administrator logs in within 30 seconds of the attack, that JavaScript executes in their browser with the administrator's privileges. The vulnerability requires the admin to have a whitelisted IP address configured in the plugin, which is a common configuration for sites restricting login access.

  • CVE-2026-24444CRITICAL 9.8

    SDMC NE6037 cable modem routers contain a critical vulnerability that allows attackers to bypass all authentication protections on the device's web management interface. The routers have a hardcoded password built into their firmware that can be used to access recovery endpoints without any credentials. An attacker on the internet can submit this hardcoded password to gain immediate root access to the device, effectively taking complete control. Once compromised, attackers can enable additional remote access methods like SSH and Telnet, creating multiple pathways for persistent unauthorized control of the affected modem router.

  • CVE-2026-3173MEDIUM 6.5

    The Meta Field Block plugin for WordPress has a permission-checking flaw that lets Contributor-level users and above read sensitive data stored in WordPress metadata. An attacker with basic contributor access can specify any object ID and type—bypassing the plugin's validation—to retrieve private information like user details, customer billing addresses, or other metadata that WordPress site administrators expected to keep hidden. On sites running e-commerce or membership plugins, this can expose personally identifiable information at scale.

  • CVE-2026-32995HIGH 7.5

    Rocket.Chat contains an authentication bypass vulnerability in its direct message protocol (DDP) translation feature. An authenticated user—even without access to specific rooms or channels—can read private messages, direct messages, and end-to-end encrypted messages from other users by exploiting an unprotected DDP method. The flaw stems from insufficient permission checks when a client requests message translation, allowing lateral message enumeration across the entire Rocket.Chat instance.

  • CVE-2026-32999CRITICAL 9.0

    CVE-2026-32999 is a code execution vulnerability in Comet Backup's server signing module that allows an authenticated tenant administrator to run arbitrary code with elevated privileges on the backup server and connected client devices. The flaw stems from insufficient filtering of special characters in the backup agent signing process, creating a pathway for privilege escalation. An attacker who holds tenant administrator credentials can exploit this to compromise not only the server but also any devices connected to that backup infrastructure.

  • CVE-2026-35671HIGH 8.8

    phpMyFAQ versions before 4.1.3 contain a privilege escalation vulnerability in the admin password management API. An authenticated administrator with low-level privileges can manipulate API requests to reset any user's password, including SuperAdmin accounts, bypassing normal authorization checks. This allows attackers to seize full control of the FAQ system.

  • CVE-2026-35672HIGH 7.5

    phpMyFAQ versions before 4.1.3 have a critical flaw in their API that allows anyone on the network to create and modify FAQ entries without logging in. The vulnerability exists because the system accepts an empty authentication token by default, meaning attackers can submit requests with no valid credentials and the API will process them anyway. This permits unauthorized content injection into your knowledge base, potentially spreading misinformation, malware links, or defacement across your FAQ system.

  • CVE-2026-35675HIGH 8.2

    phpMyFAQ versions before 4.1.3 contain a critical flaw in their password reset mechanism that completely bypasses authentication checks. An attacker does not need valid credentials or access to a victim's email to reset passwords—they can simply request a password reset for any user account, and the system grants it without verification. This means attackers can take over any account, including administrator accounts, giving them full control of the FAQ system and potentially the underlying server.

  • CVE-2026-35676HIGH 8.2

    phpMyFAQ versions before 4.1.3 contain a critical flaw that allows anyone on the internet to reset user account passwords without authentication. An attacker can enumerate valid usernames and email addresses, then forcibly change passwords by sending direct API requests. This bypasses normal security controls and immediately locks legitimate users out of their accounts.

  • CVE-2026-37266HIGH 8.0

    Responsive File Manager version 9.14.0 contains a remote code execution vulnerability in its force_download.php component. An authenticated attacker can exploit this flaw to execute arbitrary code on the server, potentially gaining full control of the application and underlying system. The vulnerability requires an attacker to have valid login credentials and user interaction (such as clicking a malicious link), but poses a significant risk in multi-user or publicly accessible deployments.

  • CVE-2026-37579HIGH 7.3

    SMSGate sms-core versions 2.1.13.6 and earlier contain a remote code execution vulnerability in the CMPP7 message handling component. An unauthenticated attacker on the network can exploit this flaw to execute arbitrary code on affected systems without any user interaction, potentially gaining full control of the SMS gateway infrastructure.

  • CVE-2026-38702CRITICAL 9.8

    A command injection flaw in InHand Networks industrial routers allows unauthenticated attackers to execute arbitrary commands with root privileges remotely. The vulnerability affects the Admin Access feature across multiple IR series devices (IR302, IR305, IR315, IR615) running specified firmware versions or earlier. No user interaction is required, and the attack can be mounted over the network without prior credentials.

  • CVE-2026-38703CRITICAL 9.8

    A command injection flaw in the ZeroTier VPN feature of InHand Networks industrial routers allows unauthenticated remote attackers to execute arbitrary commands with root privileges. The vulnerability affects multiple IR-series models and versions up to and including IR302 V3.5.108, IR305 V1.0.118, IR315 V1.0.118, and IR615 V1.0.118. No authentication or user interaction is required to exploit this issue, making it a severe risk for any organization with these devices exposed on untrusted networks.

  • CVE-2026-38704CRITICAL 9.8

    A critical command injection vulnerability has been identified in InHand Networks industrial routers that allows unauthenticated remote attackers to execute arbitrary system commands with root-level privileges. The vulnerability exists in the WireGuard VPN feature across multiple device models and firmware versions. An attacker with network access to the affected device needs only to send a specially crafted command to gain complete control of the system.

  • CVE-2026-38707CRITICAL 9.8

    InHand Networks has a critical command injection flaw in the IPSec VPN component of multiple industrial router models (IR302, IR305, IR315, and IR615). An unauthenticated remote attacker can send specially crafted input to the VPN service to execute arbitrary system commands with root-level privileges, leading to complete device compromise. This affects firmware versions V3.5.108 (IR302) and V1.0.118 (IR305, IR315, IR615) and earlier releases.

  • CVE-2026-40914MEDIUM 4.3

    Apache Artemis has a flaw in how it enforces permissions when users communicate via the STOMP protocol. A user with permission to send or receive messages on a particular address can trick the system into accepting messages with a message routing-type that the address doesn't normally support. This bypasses an important security boundary: only administrators with explicit createAddress permission should be able to change an address's routing-type capabilities. An attacker could exploit this to send or consume messages in ways that violate the intended security policy, even though their basic send/consume permissions are legitimate.

  • CVE-2026-41141MEDIUM 6.5

    EspoCRM versions before 9.3.5 contain an access control bypass in the email template preparation endpoint. An authenticated user with basic EmailTemplate read permissions can extract sensitive field data from any Contact, Lead, Account, or User record by providing the target's email address—effectively circumventing role-based visibility restrictions. This allows lower-privileged users to read information they should not have access to, such as financial details, personal fields, or team-restricted records.

  • CVE-2026-41160MEDIUM 4.3

    EspoCRM contains a logic flaw that allows lower-privileged users to pin notes they don't have permission to edit. The vulnerability stems from a timing issue in the API backend: the system modifies the note in the database before checking whether the user is actually authorized to do so. Even though the server returns an error message afterward, the damage is already done—the note remains pinned. This affects EspoCRM versions before 9.3.5.

  • CVE-2026-41184MEDIUM 6.5

    Calico's CNI installer container accidentally logs Kubernetes ServiceAccount tokens to standard output during deployment, specifically when using Canal or Flannel-Calico configurations. Any user with permission to view pod logs in the affected namespace can retrieve this token, which grants the ability to modify pod annotations—a vector for attacking workloads in your cluster. The vulnerability is a regression of a previously fixed issue and does not affect deployments using the default kubeconfig authentication method.

  • CVE-2026-41185MEDIUM 6.5

    Calico, a widely-used open-source networking plugin for Kubernetes, logs sensitive authentication credentials to plaintext files when deployed with Azure's IPAM plugin and token-based Kubernetes authentication. The vulnerability occurs because the Calico CNI binary adds subnet information to the configuration before forwarding it to Azure IPAM for processing. During this handoff, the entire configuration—including Kubernetes ServiceAccount tokens, client keys, and certificate authority data—is logged at INFO level to /var/log/calico/cni/cni.log. This happens on every pod scheduling or termination, creating a high-frequency credential leak. Any user or process with read access to node-level logs can extract cluster-wide Calico networking administrator credentials without triggering alarms.

  • CVE-2026-41565HIGH 7.5

    CryptX, a cryptographic library for Perl, contains a stack buffer overflow vulnerability in its AEAD (Authenticated Encryption with Associated Data) decryption functions. When these functions process an authentication tag longer than expected, they overflow a fixed-size buffer on the stack, potentially corrupting memory and crashing the application. An attacker who can supply a maliciously long authentication tag to vulnerable code paths can trigger this crash. The vulnerability affects four specific decryption functions: gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify, and eax_decrypt_verify. Patches were released incrementally, with gcm_decrypt_verify fixed in version 0.088 and the remaining three functions addressed in version 0.088_001.

  • CVE-2026-4334MEDIUM 6.4

    The Shariff Wrapper plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions up to 4.6.20. Attackers with Contributor-level access or higher can inject malicious scripts through the 'headline' parameter in the [shariff] shortcode. When other users view the affected page, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or further compromise. The vulnerability stems from the plugin's use of a permissive HTML sanitization routine followed by unsafe string replacement operations that reintroduce dangerous content after the sanitization check.

  • CVE-2026-4408CRITICAL 9.0

    Samba file servers and domain controllers are vulnerable to remote command execution when administrators configure the optional "check password script" feature with the %u substitution character. This combination allows attackers to inject shell commands through usernames during authentication, running arbitrary code on the server. The vulnerability requires a specific (non-standard) configuration to be present, but when it is, the attack can be executed over the network without authentication or user interaction.

  • CVE-2026-44358HIGH 8.2

    Espressif's Shared GitHub DangerJS Action, a reusable CI workflow component, contains a privilege escalation vulnerability in versions prior to 1.0.1. When processing pull requests from forks, the action's entrypoint script executes DangerJS from an untrusted search path after copying fork code into the working directory. This allows fork-supplied code to run inside the action container with the permissions of the workflow, rather than the action's own trusted code. An attacker can exploit this by submitting a malicious pull request from a fork, causing arbitrary code execution in the CI/CD environment.

  • CVE-2026-44461HIGH 8.6

    Zed, a modern code editor, has a vulnerability in how it constructs commands for remote development over SSH or WSL (Windows Subsystem for Linux). When opening a terminal in a remote session, Zed builds a shell command that includes environment variables, but it doesn't properly escape or validate the names of those variables. An attacker who can inject a malicious environment variable name—such as through project-level terminal settings—can embed shell commands within that name. When the remote shell executes the command, it interprets these embedded instructions, allowing arbitrary code execution on the remote machine under the user's privileges. The flaw has been patched in version 0.227.1.

  • CVE-2026-44462MEDIUM 6.4

    Zed is a popular code editor that includes a terminal tool with permission controls meant to restrict which commands can be executed. Prior to version 0.229.0, an attacker could bypass these restrictions by chaining bash variable expansion syntax—specifically the ${var@P} expansion—to execute arbitrary commands even when they appeared to violate the allowed command prefix rules. This requires user interaction (opening a malicious project or terminal configuration) but grants the attacker code execution within the editor's process context.

  • CVE-2026-44463HIGH 8.6

    Zed, a modern code editor, contains a security flaw in how it controls which programs can run in the integrated terminal. An attacker can bypass these permission restrictions by sneaking environment variable assignments into commands that are supposed to be allowed. By manipulating variables like PAGER, an attacker can redirect the editor to run malicious code when it attempts to display output. This affects Zed versions before 0.229.0 and is resolved in that release.

  • CVE-2026-44594HIGH 7.5

    esm.sh, a popular CDN for JavaScript development that eliminates the need for build processes, contains a vulnerability in how it processes package metadata. An attacker can publish a malicious npm package that tricks the esm.sh server into reading and exposing sensitive files from its own filesystem. This happens because the service doesn't properly validate how it interprets the 'browser' field in package.json during the build process. While the attacker cannot modify files or crash the service, they can gain unauthorized access to confidential data stored on esm.sh infrastructure.

  • CVE-2026-44604HIGH 7.0

    A flaw in RPM's archive extraction tool allows an attacker to run arbitrary commands on a system by crafting a malicious archive with shell metacharacters embedded in its folder name. When a user extracts such an archive using the rpmuncompress utility, the unsanitized folder name is passed directly into a shell command, enabling code execution with the privileges of the extracting user. The vulnerability affects ZIP, 7z, and GEM archive formats.

  • CVE-2026-45017HIGH 7.5

    Python Liquid is a templating engine used to process dynamic content. Versions before 2.2.0 contain a path traversal flaw that lets an attacker with the ability to author templates bypass security restrictions and read arbitrary files from the server. An attacker could use the {% include %} or {% render %} template tags with absolute file paths to access files outside the intended template directory. The compromised files are then processed as templates, potentially exposing their contents. This requires the attacker to have template authoring privileges and targets files readable by the application.

  • CVE-2026-46104MEDIUM 5.5

    A flaw exists in how the Linux kernel's SELinux security module accesses socket security data when multiple security modules are stacked together. The vulnerability occurs because SELinux directly reads socket security information from a hardcoded memory location, assuming it will always find its own data there. When another security module is loaded first, SELinux reads the wrong data instead, potentially using invalid security identifiers in permission checks. This can cause the kernel to crash due to invalid memory access or improper security decisions.

  • CVE-2026-46105HIGH 7.8

    A flaw in the Linux kernel's mpt3sas driver allows NVMe storage controllers to accept I/O requests larger than the driver can safely handle. The driver allocates a fixed 4 KB buffer that can hold at most 512 entries in its request queue (PRP list), limiting safe transfers to 2 MiB. However, the firmware may advertise support for larger transfers based on the drive's capabilities. When oversized requests are issued, the kernel can crash. This vulnerability requires local access and valid user privileges to exploit.

  • CVE-2026-46106MEDIUM 5.5

    A race condition in the Linux kernel's eventfs subsystem can cause memory corruption or system crashes when users simultaneously remount the tracefs filesystem (which hosts performance monitoring tools) while creating or deleting tracepoints. The vulnerability arises because the kernel walks through a list of event structures during remount without proper synchronization, allowing concurrent operations to corrupt data structures or access freed memory. This is a local issue affecting only users with permission to remount filesystems and modify tracing events.

  • CVE-2026-46107HIGH 7.8

    A bug in the Linux kernel's device mapper thin provisioning layer can cause reference counting errors when managing shared metadata trees. When the kernel tries to reorganize a btree node that has been shared across multiple data structures, it fails to properly track pointers to child nodes, leading to crashes and data unavailability. The flaw occurs specifically in the rebalance_children function during metadata tree operations.

  • CVE-2026-46108MEDIUM 5.5

    A flaw in the Linux kernel's IPMI serial interface (SI) driver can leave the system in an abnormal state when message allocation fails. Normally, failed operations trigger cleanup routines that reset the driver to a ready state. This vulnerability occurs because certain error paths skip that reset logic, potentially causing the driver to remain hung or unresponsive. An attacker with local system access could trigger memory allocation failures under specific conditions, degrading system availability until the driver is manually restarted or the system reboots.

  • CVE-2026-46109MEDIUM 5.5

    A memory leak exists in the Linux kernel's USB ULPI (UTMI Low Pin Interface) driver registration code. When certain initialization steps fail early in the device registration process, allocated memory is not properly freed, allowing memory to accumulate over repeated failures. This is a residual issue from a prior fix that addressed a different memory safety problem. The vulnerability requires local access and elevated privileges to trigger.

  • CVE-2026-46110HIGH 7.5

    CVE-2026-46110 is a NULL pointer dereference vulnerability in the Linux kernel's stmmac network driver that can crash a system when memory becomes exhausted during packet reception. The driver manages a circular ring of descriptors to coordinate DMA transfers between the CPU and network hardware. When the driver runs out of memory to allocate new receive buffers, it can incorrectly process already-used descriptors as if they were fresh, leading to a kernel panic. This occurs because the driver doesn't properly distinguish between descriptors that are waiting to be refilled versus those that have already been processed.

  • CVE-2026-46111HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's Bluetooth connection handling code. When creating a Broadcast Isochronous Group (BIG) connection, the kernel can attempt to access a connection object that has already been freed. This occurs because the code doesn't properly validate that a connection still exists before operating on it, and doesn't keep a reference to the connection object while asynchronous operations are in flight. A local attacker with limited privileges could exploit this to crash the system or potentially execute code with elevated privileges.

  • CVE-2026-46112HIGH 7.8

    A locking bug exists in the Linux kernel's RDMA HNS driver when creating queue pairs. During error recovery in queue pair creation, the code attempts to clean up resources without holding required synchronization locks. This unlocked cleanup can corrupt internal kernel memory structures, potentially allowing a local attacker to escalate privileges or crash the system. The vulnerability affects the error handling path specifically—the normal operation path uses proper locking.