By severity
High-severity vulnerabilities
CVEs rated High by CVSS, with SEC.co remediation and prioritization guidance.
1184 published vulnerabilities · page 12 of 12
- CVE-2026-10871HIGH 7.2
Shibby Tomato 1.28.0000 contains a remote command injection vulnerability in its Web UI. An authenticated administrator can craft a malicious request targeting the IPv6 6rd tunnel configuration function, injecting arbitrary operating system commands that execute with the privileges of the affected service. The vulnerability has been publicly disclosed, increasing the likelihood of active exploitation attempts.
- CVE-2026-10872HIGH 7.2
Shibby Tomato 1.28.0000 contains a vulnerability in the Web UI component that allows authenticated users with high-level privileges to inject operating system commands through the VPN server startup function. An attacker with administrative access could manipulate input parameters to execute arbitrary commands on the device, potentially compromising the entire router system. Public exploit information exists for this vulnerability.
- CVE-2026-10873HIGH 7.2
Shibby Tomato 1.28.0000 contains a command injection vulnerability in its web interface that allows authenticated administrators to execute arbitrary operating system commands. The vulnerability exists in the rstats_path function within the /bin/rstats component. Because exploit code has been publicly disclosed, the risk of active exploitation is elevated. Note that this project has been superseded by FreshTomato, and users should verify their upgrade path accordingly.
- CVE-2026-2374HIGH 7.2
The Login No Captcha reCAPTCHA WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in all versions up to 1.8.0. An unauthenticated attacker can exploit this by triggering a login attempt from a non-standard login page URL (such as xmlrpc.php), which causes the plugin to store malicious JavaScript in the WordPress admin dashboard settings. When an administrator logs in within 30 seconds of the attack, that JavaScript executes in their browser with the administrator's privileges. The vulnerability requires the admin to have a whitelisted IP address configured in the plugin, which is a common configuration for sites restricting login access.
- CVE-2026-24085HIGH 7.2
A memory corruption vulnerability exists in multiple Qualcomm wireless chipsets and their firmware when processing display command line information. The flaw stems from improper initialization of a variable during command parsing, which could allow a high-privilege attacker with physical access to trigger memory corruption and potentially execute arbitrary code or crash the device. The vulnerability affects a broad range of Qualcomm wireless components used in enterprise and consumer devices.
- CVE-2026-3820HIGH 7.2
Supermicro's BMC (Baseboard Management Controller) SMTP service in the AS-2115HS-TNR contains a vulnerability that allows attackers with administrator-level access to inject malicious characters into SMTP configuration fields. This injection can lead the system to execute unintended commands, potentially resulting in loss of service, unauthorized code execution, or complete compromise of the BMC itself. While the attack requires existing high-level privileges, the consequences—especially arbitrary code execution on out-of-band management hardware—are severe.
- CVE-2026-39276HIGH 7.2
Emlog Pro v2.6.9 contains a path traversal flaw in its template upload feature that allows authenticated administrators to upload malicious files and execute arbitrary PHP code on the server. An attacker with admin credentials can craft a specially crafted ZIP archive with directory traversal sequences (such as '../') in filenames to escape the intended upload directory, overwrite legitimate template files, or inject malicious code that gets executed by the web server. This is a post-authentication vulnerability, meaning the attacker must already have admin access to the Emlog installation.
- CVE-2026-40961HIGH 7.2
Apache Airflow contains a flaw in its login redirect mechanism that allows authenticated users to redirect people to malicious websites. The vulnerability exists because the URL safety check (`is_safe_url`) can be circumvented through crafted URLs, enabling attackers to potentially harvest credentials or distribute malware by making the redirect appear to come from a trusted Airflow instance. Any organization running Airflow and allowing authentication should treat this as a priority.
- CVE-2026-41567HIGH 7.2
A critical weakness in Moby (the open-source container runtime underlying Docker) allows a malicious container to execute code with full daemon privileges—potentially gaining root access to the host system. The vulnerability occurs when compressed files are uploaded into a container using `docker cp` or the API endpoint `PUT /containers/{id}/archive`. Instead of using decompression tools from the host system, Moby incorrectly uses tools from inside the container itself. If a container image contains a trojanized decompression binary (like xz or unpigz), attackers can exploit this ordering mistake to run arbitrary commands with daemon-level privileges. Versions before Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14 are affected.
- CVE-2026-45609HIGH 7.2
mcp-security, a Spring AI component that manages security and authorization for the Model Context Protocol, contains a Server-Side Request Forgery (SSRF) vulnerability in versions before 0.1.9. When Dynamic Client Registration is enabled, the framework processes OAuth discovery and metadata URLs without properly validating them, allowing an attacker to redirect requests to internal network resources or malicious endpoints. This could lead to information disclosure or unauthorized actions on systems the application can reach.
- CVE-2026-49196HIGH 7.2
CVE-2026-49196 is a command injection vulnerability in Acer Predator Connect W6X Wi-Fi devices. The device's built-in feature for blocking Wi-Fi connections fails to properly validate MAC addresses before processing them, creating an opening for attackers to inject and execute arbitrary shell commands. An attacker with administrative access could leverage this to compromise the device and potentially the network it protects.
- CVE-2026-50231HIGH 7.2
Lyrion Music Server version 9.2.0 contains a stored cross-site scripting (XSS) vulnerability in its log viewer that allows attackers to inject malicious JavaScript without authentication. The vulnerability exists because the application fails to properly escape template variables, allowing crafted input to be permanently stored and executed in the browsers of users who view the logs. Attackers can inject payloads through multiple vectors including search parameters, log line numbers, file paths, or by manipulating values that the server naturally logs such as HTTP headers, stream titles, and player names.
- CVE-2026-50232HIGH 7.2
Lyrion Music Server version 9.2.0 has a stored cross-site scripting (XSS) vulnerability that lets attackers embed malicious code into audio file metadata fields such as GENRE, ARTIST, and ALBUM. When users browse or play these files through the web interface, the injected scripts execute in their browser, potentially granting attackers access to server management functions and sensitive configuration details. Unlike reflected XSS attacks that require a specially crafted link, this vulnerability persists in the server's database, affecting any user who interacts with a poisoned media file.
- CVE-2026-7052HIGH 7.2
HT Contact Form, a popular WordPress form builder plugin, contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 2.8.2. An unauthenticated attacker can inject malicious scripts through file upload fields that persist in the database and execute in administrators' browsers when viewing form submissions. The vulnerability requires the 'Store Submissions' setting to be enabled—a common configuration. This is a stored rather than reflected attack, making it more dangerous because the payload remains active until manually removed.
- CVE-2026-7537HIGH 7.2
The MDJM Event Management plugin for WordPress contains a file upload vulnerability that allows administrators to upload and execute malicious files on a website. Because there are no checks on file types, extensions, or formats, an attacker with admin access could upload executable files and run arbitrary code on the server. This affects all versions through 1.7.8.3.
- CVE-2026-7634HIGH 7.2
The SlimStat Analytics plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts through the User-Agent header. When an administrator has enabled the 'show_complete_user_agent_tooltip' setting, these injected scripts will execute in the browsers of users who visit affected pages. This is a stored vulnerability, meaning the malicious payload persists in the database rather than requiring a specially crafted link. All versions up to and including 5.4.11 are affected.
- CVE-2026-8438HIGH 7.2
The All-In-One Security (AIOS) WordPress plugin contains a stored cross-site scripting (XSS) vulnerability affecting versions up to 5.4.7. An unauthenticated attacker can inject malicious JavaScript into debug logs by crafting specially designed REST API requests. When site administrators view the debug logs page, the injected script executes in their browser, potentially allowing the attacker to steal session credentials, execute unauthorized actions, or compromise the entire WordPress site. The vulnerability requires two specific plugin features to be enabled: the 'Disable REST API for non-logged in users' setting and debug logging.
- CVE-2026-8901HIGH 7.2
A WordPress plugin called 'Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More' contains a stored cross-site scripting (XSS) vulnerability in versions up to 1.0.15. Attackers can inject malicious scripts through form submissions. The injected code executes when a form submission fails to reach the CRM API and an administrator later views the error details in the WordPress admin dashboard. This affects any WordPress site using the vulnerable plugin versions without requiring the attacker to be logged in.
- CVE-2026-9851HIGH 7.2
The Booking Package plugin for WordPress contains a critical flaw that allows authenticated editors and higher-privileged users to seize control of any WordPress account, including administrator accounts. An attacker with editor-level access can bypass security checks in the plugin's user management functionality to change email addresses and passwords of other users without proper authorization. This effectively enables complete site takeover.
- CVE-2016-20063HIGH 7.1
Single Personal Message version 1.0.3 contains a SQL injection flaw that allows authenticated users to inject malicious database commands through the message parameter. An attacker with user credentials can craft specially-designed messages to execute arbitrary SQL queries, potentially extracting sensitive data such as user credentials and site configuration details from the underlying database.
- CVE-2018-25392HIGH 7.1
MaxOn ERP Software versions 8.x through 9.x contain a SQL injection flaw that lets authenticated users inject malicious SQL commands through specific parameters in the activity logging function. An attacker with valid credentials can craft POST requests to extract sensitive database information such as version numbers and database names. While exploitation requires authentication, the impact—unauthorized access to database structure and sensitive data—represents a meaningful security risk for organizations running these versions.
- CVE-2018-25410HIGH 7.1
SIM-PKH version 2.4.1 contains a SQL injection flaw in its admin media management interface. An authenticated attacker can craft malicious requests to the /admin/media.php endpoint that inject SQL code, allowing them to extract sensitive database information such as usernames, database names, and version details. The vulnerability requires valid login credentials but poses a meaningful risk to data confidentiality within affected deployments.
- CVE-2018-25429HIGH 7.1
Paroiciel version 11.20 contains an SQL injection vulnerability in the zpro.php endpoint that allows authenticated users to execute arbitrary database queries by manipulating the zProIdPro parameter. An attacker with valid credentials can craft malicious SQL statements to extract sensitive information from the database, including usernames, database names, and version details. This is a post-authentication attack that does not require user interaction.
- CVE-2018-25430HIGH 7.1
Paroiciel version 11.20 contains a SQL injection flaw in its egeq.php endpoint. Authenticated users can craft malicious requests that embed SQL commands into the eGeqIdEquipe parameter, allowing them to query the underlying database directly. This bypasses normal access controls and could expose sensitive information such as database version details and other stored data. The vulnerability requires valid login credentials, so it represents an insider threat or compromised-account scenario.
- CVE-2018-25431HIGH 7.1
No-Cms 1.0 contains a SQL injection flaw in its privilege management export feature. An authenticated user can craft a specially formatted request to extract sensitive data from the application's database by injecting malicious SQL commands into the order_by parameter. The vulnerability requires valid credentials but poses significant risk to data confidentiality.
- CVE-2025-15654HIGH 7.1
CVE-2025-15654 is a reflected cross-site scripting (XSS) vulnerability in Fox-themes Prague versions 2.2.8 and earlier. An attacker can craft a malicious URL containing unsanitized input that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the vulnerable application. This allows the attacker to steal session cookies, perform actions on behalf of the victim, or redirect them to phishing sites—all without modifying the application itself.
- CVE-2025-52612HIGH 7.1
HCL iControl contains a vulnerability that combines CSV injection with reflected cross-site scripting (XSS) in its export function. An authenticated attacker can craft malicious input that, when a user interacts with exported CSV content or follows a specially crafted link, executes arbitrary JavaScript in the victim's browser session. The vulnerability stems from inadequate input validation and sanitization, allowing attackers to inject both CSV formulas and script payloads.
- CVE-2025-52759HIGH 7.1
A reflected cross-site scripting (XSS) vulnerability exists in the UnboundStudio Accordion FAQ plugin affecting versions up to 2.2.1. An attacker can craft a malicious link that, when clicked by a user, executes arbitrary JavaScript in the victim's browser within the context of the affected site. This allows theft of session cookies, credential harvesting, malware injection, or other client-side attacks. The vulnerability requires user interaction—specifically clicking a malicious link—but has no authentication barrier, making it a straightforward social engineering vector.
- CVE-2025-67448HIGH 7.1
A stored cross-site scripting (XSS) vulnerability exists in the SMS module of Neterbit NW-431F routers running firmware version 20241014-IR03 and earlier. An attacker can craft a malicious SMS message and send it to a router user; when that user views the message, the embedded script executes in their browser. This allows attackers to steal session tokens, redirect users, inject fake content, or perform actions on behalf of the victim—all without the victim realizing they've been compromised through what appears to be a routine SMS.
- CVE-2026-10840HIGH 7.1
OpenShift Pipelines operator contains a privilege escalation vulnerability stemming from overly permissive role-based access control (RBAC). The tekton-scheduler-rolebinding automatically grants any authenticated user write access to Kueue and cert-manager custom resources. This means that anyone with cluster login credentials—including low-privilege service accounts or developers without special permissions—can interfere with workload scheduling, tamper with certificate management, and potentially overwrite critical TLS secrets used by ingress controllers. The vulnerability is particularly dangerous in multi-tenant clusters where separation of duties is expected.
- CVE-2026-11269HIGH 7.1
Google Chrome versions prior to 149.0.7827.53 contain a vulnerability in how the browser handles extensions that allows an attacker positioned on the same network as a user to execute arbitrary code within Chrome's sandbox. The attacker must craft a malicious extension and the user must interact with it (such as installing or clicking something), making this a moderate-complexity attack. While Chromium rated this as low severity internally, the CVSS assessment reflects the potential for complete compromise of the sandboxed process.
- CVE-2026-11422HIGH 7.1
Markdown Preview Enhanced, a popular VS Code extension that renders Markdown with enhanced visualization features, contains a critical flaw in how it processes WaveDrom diagrams. An attacker can craft a malicious Markdown file containing specially crafted WaveDrom code that, when previewed in VS Code, executes arbitrary JavaScript with the privileges of the extension. This JavaScript can then read files from your computer and write new files to your filesystem, potentially installing malware or stealing sensitive data. The vulnerability affects version 0.8.x when used with crossnote engine 0.9.28.
- CVE-2026-21032HIGH 7.1
Samsung Assistant versions before 9.3.14 contain a flaw in how they expose certain application components. A person with local access to an Android device can exploit this misconfiguration to run arbitrary scripts with elevated privileges, potentially gaining unauthorized control over the device or sensitive functions.
- CVE-2026-21033HIGH 7.1
Samsung Assistant versions before 9.3.14 contain a flaw in how it exports Android application components, specifically in the ExpressHomeWidgetReceiver. A local attacker with standard user privileges can exploit this misconfiguration to execute arbitrary code or scripts on a device. The vulnerability requires local access but no special interaction from the user, making it a practical concern for devices where untrusted applications may be installed.
- CVE-2026-21037HIGH 7.1
Samsung Members versions before 5.8.01.5 contain a flaw that fails to properly check what input users provide. A local attacker—someone already with access to the device—can exploit this to redirect the app to any URL and launch other features or apps while pretending to be Samsung Members, which runs with elevated privileges on the device.
- CVE-2026-24090HIGH 7.1
A cryptographic weakness in how Qualcomm processors handle partition table entries during boot allows a local attacker with standard user privileges to modify the boot process without authorization. This could enable an attacker to alter how a device loads its operating system or firmware, potentially leading to installation of malicious code or bypass of security controls. The vulnerability requires direct access to the device and cannot be exploited remotely.
- CVE-2026-24349HIGH 7.1
A vulnerability in Siemens SIMATIC WinCC Unified PC Runtime allows an attacker with local access to extract sensitive cryptographic material from the Certificate Manager component. The issue stems from inadequate protection of key material stored on disk or in memory, potentially exposing certificates and private keys that protect SCADA/HMI communications. While exploitation requires local system access, the impact is significant because certificate compromise can enable downstream attacks on industrial control systems and their communications.
- CVE-2026-31942HIGH 7.1
LibreChat versions up to 0.7.6 contain a critical flaw in how API keys are managed. Any authenticated user can manipulate API key settings for other users by injecting parameters into requests, allowing them to replace legitimate API keys (from providers like OpenAI, Anthropic, or Azure) with their own or invalid ones. This means an attacker could intercept conversations through attacker-controlled API endpoints or disable a victim's service entirely.
- CVE-2026-34194HIGH 7.1
CVE-2026-34194 is a memory management flaw in GPU-accelerated software that allows a non-privileged user to trigger incorrect memory references through improper GPU system calls. When the software performs mathematical operations across GPU buffers of different sizes, it can incorrectly access memory locations outside its intended scope. This can corrupt data or crash the application, but does not enable privilege escalation or data theft. The vulnerability requires local system access and is triggered through the application itself—not remotely.
- CVE-2026-36176HIGH 7.1
GNCC GP5 version 7.1.76 leaks Backblaze B2 cloud storage upload credentials to the device's serial console in plaintext. An attacker with physical access to the hardware can monitor the UART interface and capture active, pre-signed upload URLs intended for file transfers. Once captured, these URLs can be used to upload or manipulate files in the connected B2 storage bucket without authorization. The vulnerability requires proximity to the device but poses significant risk to organizations using this gateway in sensitive environments.
- CVE-2026-36606HIGH 7.1
Mercusys AC12G (EU) V1 routers running firmware version AC12G(EU)_V1_200909 store backup files that are encrypted with a hardcoded, publicly discoverable key using weak encryption. Anyone who obtains a backup file—whether through direct device access, cloud storage misconfiguration, or phishing—can decrypt it and extract sensitive credentials including the admin password, WiFi pre-shared key, and DDNS login information. This is a local attack that depends on an attacker first gaining access to the backup file itself.
- CVE-2026-41845HIGH 7.1
Spring Framework contains a flaw in its JavaScriptUtils.javaScriptEscape() function that fails to properly escape certain characters. This weakness allows attackers to inject malicious JavaScript code that executes in users' browsers, potentially stealing session data, credentials, or performing actions on behalf of the user. The vulnerability requires user interaction—specifically clicking a malicious link or visiting a compromised page—but does not require authentication. Multiple versions of Spring Framework across the 5.3, 6.1, 6.2, and 7.0 release lines are affected.
- CVE-2026-42654HIGH 7.1
WP Swings Wallet System for WooCommerce contains a flaw that allows attackers with an existing user account to bypass normal authentication safeguards and exploit the password recovery mechanism. An authenticated attacker could use this vulnerability to take over other user accounts, including administrative ones, without knowing their passwords. The vulnerability affects all versions up to and including 2.7.5.
- CVE-2026-42678HIGH 7.1
GiveWP, a popular WordPress donation and fundraising plugin maintained by Liquid Web/StellarWP, contains a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by site visitors. Unlike traditional XSS flaws, this vulnerability operates at the DOM (Document Object Model) level in the browser, meaning the attack payload is crafted and executed client-side rather than originating from the server. An attacker can trick a user into clicking a malicious link or visiting a compromised page, leading to credential theft, session hijacking, or unauthorized actions taken on behalf of the victim within the vulnerable GiveWP installation.
- CVE-2026-42681HIGH 7.1
E2Pdf.Com's e2pdf plugin contains a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages. When a user visits a crafted link, the injected code executes in their browser within the context of the affected site, potentially allowing theft of session data, credentials, or sensitive information. The vulnerability affects e2pdf versions up to and including 1.32.14.
- CVE-2026-42683HIGH 7.1
VikBooking Hotel Booking Engine & PMS contains a DOM-based cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious link or embed JavaScript in user-controllable input fields; when a victim visits the page or interacts with the compromised element, the script executes in their browser with access to session data and sensitive information. This is a client-side vulnerability requiring user interaction but affecting multiple users through a single compromised page.
- CVE-2026-42685HIGH 7.1
Ahmad WP Job Portal versions up to 2.5.1 contain a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a specially designed link and trick a user into clicking it, causing the injected code to execute in that user's browser with their privileges. This vulnerability requires user interaction—the victim must click a malicious link—but once triggered, it can be used to steal session tokens, deface content, redirect users to phishing sites, or perform actions on behalf of the victim.
- CVE-2026-44798HIGH 7.1
A vulnerability in Nautobot allows authenticated users with GitRepository management permissions to manipulate an internal field (current_head) via the REST API that should not be user-editable. By setting this field to arbitrary values, an attacker could cause Nautobot's local repository clones to checkout outdated commits or become unusable entirely, creating operational disruption and potentially stale or corrupted network automation state. The issue affects versions prior to 2.4.33 and 3.1.2.
- CVE-2026-45722HIGH 7.1
A vulnerability in Nextcloud's Tables app allows authenticated users to inject malicious SQL code through the ORDER BY clause of database queries. While this type of SQL injection is more limited than typical variants—attackers can extract only small amounts of data per request or cause database delays—it still poses a meaningful confidentiality and availability risk. The flaw affects Nextcloud Tables versions 0.9.0 through 0.9.6 and 1.0.0 through 1.0.1. Nextcloud has released patches that organizations should apply promptly.
- CVE-2026-46130HIGH 7.1
A bug in the Linux kernel's dm-verity-fec (forward error correction) component can cause it to read data from outside the intended memory buffer. This occurs when parity bytes used to verify disk integrity are split across storage blocks in a specific way. Under certain non-default configurations and low-memory conditions, the code attempts to access more data than is available, leading to potential information disclosure or system instability. The issue only manifests with particular combinations of error correction parameters and buffer allocation scenarios.
- CVE-2026-46140HIGH 7.1
A flaw in the Linux kernel's Bluetooth driver (btmtk) fails to verify that incoming firmware responses contain sufficient data before reading from them. If a Bluetooth device sends a truncated or malformed response, the kernel code will read beyond the valid data boundaries, potentially exposing sensitive kernel memory. A local attacker with Bluetooth access could exploit this to leak information or crash the system.
- CVE-2026-46149HIGH 7.1
A vulnerability in the Linux kernel's SCSI target subsystem allows a local attacker with low privileges to read sensitive kernel memory and potentially crash the system. The issue occurs in the configfs interface where storage path group membership information is displayed. When a storage fabric's name is unusually long, the kernel writes more data than expected to a temporary buffer, and then copies that overrun data to a user-readable sysfs file. On systems with fortify checks enabled, this causes a kernel panic; on others, it leaks kernel memory to unprivileged users.
- CVE-2026-46150HIGH 7.1
A flaw in the Linux kernel's fanotify file monitoring subsystem can allow a local user with minimal privileges to bypass permission checks on file access events. The vulnerability stems from a logic error where the kernel incorrectly returns false for marks belonging to unrelated monitoring groups, causing permission event validation to be skipped. An attacker with local access could exploit this to circumvent intended file access restrictions.
- CVE-2026-46175HIGH 7.1
A flaw in the Linux kernel's F2FS (Flash-Friendly File System) garbage collection process can cause the system to incorrectly track file metadata during node block migration. When the garbage collector moves data blocks, it fails to properly clear internal markers that indicate whether data has been explicitly synced by a user. This confusion causes file system consistency checks (fsck) to report false inconsistencies, potentially leading to data integrity warnings or failures. The issue is triggered by specific sequences of file creation, deletion, and garbage collection operations, particularly when the system experiences power loss after garbage collection but before a checkpoint is written.
- CVE-2026-46190HIGH 7.1
A memory access flaw exists in the Linux kernel's SPI NOR flash debugging code. When displaying flash chip parameters through the debugfs interface, the kernel incorrectly calculates the size of an internal lookup table, treating the table's byte-size instead of its element count. This can cause the kernel to read memory beyond the intended bounds when processing certain flag values. An unprivileged local user could exploit this to crash the system or potentially leak sensitive kernel memory.
- CVE-2026-46191HIGH 7.1
CVE-2026-46191 is a memory access vulnerability in the Linux kernel's framebuffer console (fbcon) subsystem. When the kernel attempts to rotate the console display and the memory reallocation fails, it continues using an undersized font buffer. If a user then prints characters with high numeric codes to the rotated console, the kernel will write beyond the buffer's boundaries, potentially corrupting kernel memory. An attacker with local system access can trigger this by printing specific characters after inducing a console rotation failure.
- CVE-2026-46199HIGH 7.1
A flaw in the Linux kernel's AMD GPU video codec (VCN4) driver allows a local attacker to read memory beyond the intended boundaries of a buffer when processing decode messages. An authenticated user with local access can exploit this to access sensitive kernel memory, potentially exposing confidential data or triggering a system crash. The vulnerability requires local access and valid user privileges, limiting its reach but making it a concern for multi-user systems and containerized environments.
- CVE-2026-46203HIGH 7.1
A flaw in the Linux kernel's Cadence QuadSPI controller driver can cause the system to access hardware registers without proper power management during driver shutdown. When the driver is unloaded, it attempts to disable the controller without ensuring the hardware is powered up first, potentially causing system instability or data corruption. This is a local issue requiring user-level access to trigger.
- CVE-2026-46204HIGH 7.1
A bounds-checking vulnerability exists in the Linux kernel's AMD GPU video codec (VCN4) instruction buffer parser. When the kernel processes instruction buffers from user space, it can read beyond allocated memory if malicious or malformed data is provided. A local attacker with basic user privileges can trigger out-of-bounds reads, potentially exposing sensitive kernel memory or causing a denial of service. The fix involves rewriting the parser to use proper bounds-checking functions.
- CVE-2026-46218HIGH 7.1
A vulnerability exists in the Linux kernel's AMD GPU driver where video codec processing code (used for UVD, VCE, and VCN hardware) accesses memory buffers without verifying those buffers are large enough. An attacker with local access could exploit this to read sensitive kernel memory or cause a system crash. The fix adds proper bounds checking before these memory accesses and corrects an integer type to prevent overflow conditions that could bypass the checks.
- CVE-2026-46230HIGH 7.1
A boundary-checking flaw in the Linux kernel's AMD GPU video codec driver (VCN3) allows a local user with moderate privileges to read memory beyond allocated buffer boundaries when the driver processes video decoding messages. This out-of-bounds read could expose sensitive kernel memory or crash the system. The vulnerability requires local access and existing user-level permissions to trigger.
- CVE-2026-46243HIGH 7.1
A Linux kernel vulnerability allows unprivileged local users to manipulate CIFS (Common Internet File System) authentication credentials by creating spoofed credential requests. The vulnerability exists because the kernel's SMB client accepts cifs.spnego key descriptions that contain sensitive fields—like process ID, user ID, and credential UID—regardless of whether those fields come from the kernel itself or from untrusted userspace. An attacker with local access can forge these fields to impersonate legitimate credential requests, potentially gaining unauthorized access to network resources or intercepting authentication flows. The fix restricts acceptance of cifs.spnego keys only when they originate from the kernel's own credential handler.
- CVE-2026-4776HIGH 7.1
Mautic, a popular marketing automation platform, contains an SQL injection flaw in its API that allows authenticated users to execute unauthorized database queries. The vulnerability stems from incomplete filtering of nested query parameters in the contact filtering API—an attacker with valid API credentials can craft specially formed requests to bypass safety checks and inject SQL commands directly into database queries. This could lead to unauthorized data access or limited system disruption, though the attacker must already have valid API authentication.
- CVE-2026-48209HIGH 7.1
OTRS ticket management systems contain a reflected cross-site scripting (XSS) vulnerability in how they handle user input during ticket operations. An attacker can craft a malicious URL containing JavaScript code and trick an authenticated agent into clicking it. When opened, the script executes within the agent's browser session, potentially allowing the attacker to steal session tokens, modify tickets, or perform actions on behalf of that agent. The attack requires social engineering to deliver the link but does not require the attacker to have direct system access.
- CVE-2026-48827HIGH 7.1
Apache MINA SSHD's sshd-git module contains a path traversal vulnerability that allows SSH-authenticated users to access git repositories and perform git operations (upload-pack, receive-pack, and others) outside the configured git server root directory. An attacker with valid SSH credentials can escape the intended directory boundary and potentially read or modify repositories they should not have access to. This affects only applications explicitly using the sshd-git component; standard SSHD deployments without sshd-git are unaffected.
- CVE-2026-48839HIGH 7.1
A cross-site scripting (XSS) vulnerability exists in VeronaLabs WP Statistics plugin versions up to 14.16.6. The flaw allows attackers to inject malicious scripts that execute in a user's browser when they interact with a compromised page. Unlike traditional XSS attacks that rely on server-side injection, this variant operates at the DOM (Document Object Model) level, meaning the vulnerability stems from how the plugin processes user input on the client side. An attacker could craft a malicious link or embed code that, when visited by a site administrator or editor, steals session tokens, modifies page content, or performs actions on their behalf.
- CVE-2026-48865HIGH 7.1
ThimPress LearnPress, a popular WordPress learning management plugin, contains a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious URL and trick a user into clicking it, causing the victim's browser to execute arbitrary JavaScript in the context of the LearnPress application. This could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the user.
- CVE-2026-49134HIGH 7.1
CodexBar versions before 0.32.0 contain a local privilege escalation flaw in the CLI installer. An attacker with access to the same system can intercept and modify the installer's temporary files during the installation process, tricking the system into running malicious commands with root-level privileges. This requires the attacker to be on the same machine and to time their interference with an active installation, but once successful, grants complete system control.
- CVE-2026-49135HIGH 7.1
CodexBar versions before 0.32.0 have a serious flaw in how they handle temporary files during the app release and notarization process. An attacker with access to the same machine can steal the App Store Connect API credentials or sabotage the build artifacts before they're submitted to Apple. The vulnerability exists because CodexBar writes sensitive files to predictable, fixed locations that any local user can read or manipulate.
- CVE-2026-49371HIGH 7.1
JetBrains TeamCity versions prior to 2026.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the keyword filter feature. An attacker can craft a malicious URL containing unsanitized input that, when visited by a TeamCity user, executes arbitrary JavaScript in the victim's browser within the context of the TeamCity application. This allows session hijacking, credential theft, or unauthorized actions performed on behalf of the victim.
- CVE-2026-49373HIGH 7.1
JetBrains TeamCity versions prior to 2026.1 contain a remote code execution vulnerability accessible through the Perforce connection configuration interface. An authenticated user with permissions to modify Perforce settings can execute arbitrary code on the TeamCity server. This requires valid credentials and access to TeamCity's configuration features, but does not require user interaction or special system conditions once access is gained.
- CVE-2026-8035HIGH 7.1
CVE-2026-8035 is a denial-of-service vulnerability in National Instruments' PAL kernel driver that allows authenticated local users to crash the system. The flaw stems from inadequate input validation that fails to check for NULL pointers before dereferencing them in memory. An attacker with local system access can exploit this by supplying malformed input to the driver, causing an immediate kernel panic. The vulnerability affects NI-PAL version 26.3.0 and all earlier releases across both Windows and Linux platforms.
- CVE-2026-8036HIGH 7.1
NI-PAL, National Instruments' process abstraction layer, contains an input validation flaw that allows authenticated local users to read and modify arbitrary memory regions on affected systems. An attacker with local access could exploit this to escalate their privileges. The vulnerability affects NI-PAL version 26.3.0 and earlier on both Windows and Linux platforms.
- CVE-2026-8874HIGH 7.1
Securly Chrome Extension version 3.0.7 downloads security configuration files—specifically crisis alert keywords and filtering rules—over plain HTTP instead of the encrypted HTTPS protocol. While the same extension correctly uses HTTPS for other sensitive data (IWF and CIPA filtering data), this inconsistency leaves downloaded crisis alert configurations vulnerable to interception and modification by network-positioned attackers. An attacker on the same network could intercept these files and inject malicious keywords or rules, potentially disrupting the extension's security functionality or causing it to behave unexpectedly.
- CVE-2026-9808HIGH 7.1
Mautic 7's API has a flaw where user permission restrictions aren't being honored properly. Specifically, permissions designed to let users only see or edit their own resources (called 'owner-scope' restrictions) are being bypassed. An attacker with low-level API access can exploit this to view or modify other users' data, even though they shouldn't have that permission.
- CVE-2026-34335HIGH 7.0
A use-after-free memory vulnerability exists in Windows Ancillary Function Driver for WinSock (AFD.sys), affecting Windows 10 and Windows 11 across multiple versions, as well as Windows Server 2012 through 2025. An authenticated local attacker can exploit this flaw to escalate their privileges to SYSTEM level. The vulnerability requires local access and specific conditions to trigger, but once exploited, grants complete control over the affected system.
- CVE-2026-41108HIGH 7.0
A memory safety flaw in Windows DNS could allow someone with local system access to break out of normal restrictions and gain full control of the computer. The vulnerability exists because DNS processes input in a way that can overflow a memory buffer, and an attacker positioned locally—such as a low-privilege user or service—could exploit this to run code with elevated permissions. This is not a remote vulnerability, but it poses a significant risk in multi-user or shared-system environments.
- CVE-2026-42836HIGH 7.0
A race condition in Windows' Function Discovery Service (fdwsd.dll) allows a user already logged into a machine to escalate their privileges to administrator level. The vulnerability exists because the service does not properly synchronize access to shared resources when multiple processes run concurrently, creating a narrow window where an attacker can manipulate the process. An authorized user would need local access and specific timing to exploit this, but successful exploitation grants full system-level permissions.
- CVE-2026-42911HIGH 7.0
A use-after-free memory vulnerability exists in Windows' Ancillary Function Driver for WinSock (AFD.sys). An attacker who already has local access to a machine can exploit this flaw to gain elevated privileges, potentially running code with system-level permissions. The vulnerability requires specific conditions to trigger—it is not trivially exploitable—but once successful grants significant control over the affected system.
- CVE-2026-42912HIGH 7.0
A race condition in Windows Telephony Service allows an attacker who already has local user access to exploit improper synchronization of shared resources and gain system-level privileges. The vulnerability requires the attacker to perform specific timing-dependent actions during concurrent operations—making it moderately difficult to exploit in practice, but reliably escalatable once triggered. No user interaction is required beyond the attacker's ability to run code as a local user.
- CVE-2026-42984HIGH 7.0
A use-after-free memory vulnerability exists in the Windows Kernel that allows an authorized local user to escalate their privileges to a higher level of access. An attacker with standard user permissions could exploit this flaw to gain system-level control on an affected machine. The vulnerability requires local access and specific conditions to trigger, but successful exploitation would grant complete compromise of the target system.
- CVE-2026-44604HIGH 7.0
A flaw in RPM's archive extraction tool allows an attacker to run arbitrary commands on a system by crafting a malicious archive with shell metacharacters embedded in its folder name. When a user extracts such an archive using the rpmuncompress utility, the unsanitized folder name is passed directly into a shell command, enabling code execution with the privileges of the extracting user. The vulnerability affects ZIP, 7z, and GEM archive formats.
- CVE-2026-46154HIGH 7.0
A race condition exists in the Linux kernel's scheduler extension (sched_ext) cgroup interface that can lead to use-after-free memory access. When system administrators adjust cgroup scheduling parameters like weight, idle status, or bandwidth, the kernel reads a pointer to the scheduler without proper synchronization. If another process simultaneously disables and re-enables a different scheduler, the cached pointer becomes stale and points to freed memory. When the original operation tries to use this pointer, it dereferences already-freed kernel memory, potentially allowing local privilege escalation.
- CVE-2026-46164HIGH 7.0
A memory management bug in the Linux kernel's Btrfs filesystem can cause the same memory region to be freed twice when a sysfs initialization step fails. This double-free condition can lead to memory corruption and potentially allow an attacker with local access to crash the system or execute code with elevated privileges. The issue occurs in error handling code that wasn't properly coordinated between two layers of the filesystem's initialization logic.