By severity
Medium-severity vulnerabilities
CVEs rated Medium by CVSS, with SEC.co remediation and prioritization guidance.
719 published vulnerabilities · page 7 of 8
- CVE-2026-49325MEDIUM 4.6
Indian Motorcycle's 2025 Scout Bobber + Tech model contains a physical security flaw in its anti-theft system. An attacker with access to the motorcycle's Wireless Control Module (WCM) wiring harness can disconnect a specific wire pair to bypass the PIN-protected shutdown mechanism, leaving the bike fully operational and vulnerable to theft. The vulnerability exploits a gap in how the motorcycle's engine control unit (ECU) validates shutdown signals—it cannot tell the difference between a legitimate shutdown command and a severed wire.
- CVE-2026-10814MEDIUM 4.5
Milvus, a popular vector database, contains a weakness in how it generates hash identifiers for grantee access control. An attacker with local access and sufficient privileges could exploit weak cryptographic hashing in the Grantee ID Hash Handler to potentially forge or predict access control identifiers, leading to unauthorized data access or modification. The vulnerability requires high technical complexity to exploit and is rated as medium severity.
- CVE-2026-44640MEDIUM 4.5
NanoMQ is an edge messaging platform that implements the MQTT protocol for lightweight IoT and edge device communication. A type confusion bug exists in versions before 0.24.14 in how the broker handles QUIC connection objects during the dialing and closing lifecycle. When the broker initiates a QUIC connection (dialing), it stores a pointer as one type (nni_quic_conn), but later during cleanup, the code misinterprets that same pointer as a different type (ex_quic_conn). This mismatch causes the broker to read and operate on invalid memory, resulting in hangs or crashes when closing connections. The issue requires local access and user interaction to trigger.
- CVE-2026-49382MEDIUM 4.5
A vulnerability in JetBrains IntelliJ IDEA's Copyright plugin allows an attacker to execute code on a developer's machine through template injection. The attack requires local access and user interaction—specifically, a developer must open a malicious project or file. While the severity is moderate, this poses a real risk in shared development environments or when developers download untrusted projects.
- CVE-2026-10100MEDIUM 4.4
The Simple Custom Login Page plugin for WordPress contains a security flaw that allows administrators to inadvertently inject malicious code into the login page viewed by all users. When a site admin configures colors for the login page through the plugin's settings, an attacker with admin access can craft CSS injection payloads in those color fields. Because the plugin doesn't properly validate these inputs before displaying them, an attacker can break out of the intended styling context and insert arbitrary CSS rules. This enables phishing attacks—for example, by hiding the real login form or overlaying a fake one to steal credentials.
- CVE-2026-3620MEDIUM 4.4
The Word Replacer plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 0.4. An attacker with administrator-level access can inject malicious scripts through the plugin's 'replacement' parameter. These scripts persist in the WordPress database and execute whenever any user visits an affected page, potentially allowing credential theft, session hijacking, or defacement. The vulnerability stems from inadequate input validation and output encoding in the plugin code.
- CVE-2026-45279MEDIUM 4.4
Nextcloud Server contains a path traversal vulnerability that allows non-admin users to copy files into their own Nextcloud directories in certain scenarios. The vulnerability exists in specific versions and depends on underlying Unix file system permissions. An attacker would need already-elevated user privileges within Nextcloud to exploit this issue, limiting the practical threat surface.
- CVE-2026-45702MEDIUM 4.4
OP-TEE, a security-focused component running on Arm processors, contains a type confusion flaw when handling memory-sharing requests from the normal operating system. The vulnerability only affects specific OP-TEE configurations used to manage secure applications (when both SPMC mode and secure partition features are enabled). An attacker with high system privileges can trigger a denial of service, though the flaw does not expose sensitive data or allow code execution. Upgrading to OP-TEE version 4.11.0 or later resolves the issue.
- CVE-2026-7421MEDIUM 4.4
A WordPress plugin called Passeum Ticketing contains a vulnerability that allows site administrators to inadvertently (or maliciously in compromised accounts) inject malicious scripts into a website. The plugin fails to properly validate the shop name setting, allowing an attacker with admin access to point the site to a malicious domain. When this happens, the plugin loads JavaScript and CSS files from that attacker-controlled domain, which then executes on every page of the website for all visitors. This is a stored cross-site scripting (XSS) vulnerability specific to multisite WordPress installations.
- CVE-2026-7430MEDIUM 4.4
The Post Snippets plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions up to 4.0.19. An authenticated administrator can inject malicious code through the plugin's import feature. When that code is imported, it gets embedded unsafely into the post editor's JavaScript, allowing the attacker to execute arbitrary scripts that run whenever any administrator opens a post editor page. This is a privilege-escalation and persistence risk: an attacker with admin access can compromise the experience of other admins and potentially maintain control across sessions.
- CVE-2019-25717MEDIUM 4.3
Dräger's Infinity Delta, Delta XL, and Kappa patient monitors expose sensitive log files to unauthenticated attackers on the local network. An attacker with network access can retrieve device internals, location data, and network configuration without needing credentials. This is a network-adjacent threat that discloses operational details but does not enable direct device compromise or manipulation.
- CVE-2024-47273MEDIUM 4.3
Synology Hyper Backup versions before 4.1.2-4036 contain a path traversal vulnerability in the Backup Task feature that allows an authenticated user to write files outside their intended directory. An attacker with valid credentials could exploit this to place files in restricted locations on the system, potentially compromising system integrity or enabling lateral movement.
- CVE-2025-52606MEDIUM 4.3
HCL iControl contains a weakness in how it validates user input during its security architecture implementation. The application fails to properly check that incoming data matches the expected type before processing it, allowing an authenticated attacker to submit malformed input that the system does not adequately verify. This can lead to unintended modifications of application state or data.
- CVE-2025-53346MEDIUM 4.3
CVE-2025-53346 is a missing authorization flaw in ThimPress Thim Core that allows authenticated users to modify data or settings they should not have access to. The vulnerability stems from inadequate access control checks, meaning the application fails to properly verify whether a logged-in user has permission to perform specific actions. While an attacker must already have valid login credentials, the weakness could allow them to escalate privileges or tamper with configuration or content outside their intended scope.
- CVE-2026-10028MEDIUM 4.3
CVE-2026-10028 is a denial-of-service vulnerability in glib-networking that can be triggered when an attacker presents a maliciously crafted certificate chain containing circular issuer relationships. When an application using glib-networking with GnuTLS backend processes such a chain, the certificate verification logic enters an infinite loop, consuming CPU resources until the process becomes unresponsive. The attack requires user interaction (such as visiting a malicious website or accepting a connection) and affects only the targeted process, not the wider system.
- CVE-2026-10113MEDIUM 4.3
Open5GS, an open-source 5G core network software suite, contains a vulnerability in its Shared NF-profile Parser component that can be exploited to disrupt service availability. An attacker with network access and valid authentication credentials can trigger a denial of service condition by manipulating the NF-profile parsing logic. The vulnerability affects Open5GS versions up to 2.7.7, and public exploit information is available, increasing the risk of active exploitation.
- CVE-2026-10114MEDIUM 4.3
Open5GS versions up to 2.7.7 contain a flaw in how they parse shared NF profile information. When processing certain malformed input, the application writes data beyond the intended memory boundary, potentially crashing the service. While an attacker must have valid network credentials to exploit this, the vulnerability has been publicly disclosed, increasing the likelihood it will be weaponized.
- CVE-2026-10115MEDIUM 4.3
Open5GS, an open-source 5G core network implementation, contains a flaw in how it parses network function profiles. An authenticated attacker can send a specially crafted request that causes the affected service to become unresponsive, disrupting normal operations. The vulnerability requires valid credentials to exploit and does not lead to data theft or unauthorized access—only temporary unavailability. Versions up to 2.7.7 are affected.
- CVE-2026-10116MEDIUM 4.3
A vulnerability in Open5GS, a popular open-source 5G core network implementation, allows authenticated users to trigger a denial-of-service condition by manipulating the UE authentication endpoint. The flaw resides in timer transaction handling code and can be exploited remotely by anyone with legitimate access to the authentication service. Public exploit code is available, increasing the practical risk of abuse.
- CVE-2026-10117MEDIUM 4.3
Open5GS, an open-source 5G core network implementation, contains a vulnerability in its HTTP/2 server library that can be exploited to cause a denial of service. An attacker with valid credentials can remotely trigger the issue by manipulating specific inputs to the pool allocation function, causing the application to become unresponsive or crash. Versions up to 2.7.7 are affected. Public exploit code exists, increasing the risk of opportunistic attacks.
- CVE-2026-10153MEDIUM 4.3
A cross-site scripting (XSS) vulnerability has been identified in westboy CicadasCMS. The flaw exists in the Search function and can be exploited by manipulating a specific argument to inject malicious scripts. An attacker can send a crafted request to a vulnerable instance to execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session data, credentials, or performing actions on their behalf. Exploitation requires user interaction (such as clicking a malicious link) but does not require authentication. A proof-of-concept has already been published, increasing practical risk.
- CVE-2026-10154MEDIUM 4.3
Dolibarr ERP CRM versions 23.0.0, 23.0.1, and 23.0.2 contain an authorization bypass vulnerability in the user messaging module. An authenticated attacker can manipulate the ID parameter in htdocs/user/messaging.php to access or view information they should not have permission to see. The vulnerability requires valid login credentials but allows a logged-in user to circumvent access controls. Upgrading to version 23.0.3 resolves the issue.
- CVE-2026-10156MEDIUM 4.3
Open5GS, a popular open-source 5G core network implementation, contains a denial-of-service vulnerability in versions up to 2.7.7. An authenticated attacker can manipulate how the system manages network function instance information, causing the application to consume excessive resources and become unresponsive. The vulnerability has been publicly disclosed, but a patch is already available. This is a moderate-severity issue requiring prioritization for 5G infrastructure operators and anyone running affected Open5GS deployments.
- CVE-2026-10173MEDIUM 4.3
Orthanc Explorer 2 versions up to 1.12.0 contain a reflected cross-site scripting (XSS) vulnerability in the StudyList component. An attacker can craft a malicious URL with a specially crafted 'remote-source' parameter that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the Orthanc application. This allows theft of session tokens, modification of data, or unauthorized actions performed on behalf of the victim. The vulnerability requires user interaction—a victim must click a malicious link—but can be exploited remotely without authentication.
- CVE-2026-10215MEDIUM 4.3
A flaw in Dolibarr ERP CRM's Leave Request REST API fails to properly check whether users have permission to access specific leave request objects. An authenticated attacker can remotely exploit this to view leave data they should not be able to see. The vulnerability affects versions up to 23.0.1, and Dolibarr has released version 23.0.2 as a fix. Because the exploit has been publicly disclosed, this poses an active risk despite its moderate CVSS score.
- CVE-2026-10282MEDIUM 4.3
Bottelet DaybydayCRM versions up to 2.2.1 contain an authorization flaw in the Documents controller that allows authenticated users to access files they shouldn't be able to view. An attacker with valid login credentials can exploit this remotely to read sensitive documents beyond their intended access scope. The vulnerability is rated MEDIUM severity and requires patching.
- CVE-2026-10289MEDIUM 4.3
A cross-site scripting (XSS) vulnerability exists in Hotel and Tourism Reservation System version 1.0. An attacker can inject malicious scripts by manipulating parameters in the reservation form—specifically the name, email, people count, or booking number fields in the /ht/tour.php file. When a victim visits a crafted link or page, the injected script executes in their browser, potentially allowing session hijacking, credential theft, or defacement. Public exploits are available, increasing active exploitation risk.
- CVE-2026-10291MEDIUM 4.3
Enderfga's claw-orchestrator contains a flaw in how it validates regular expressions in the Session Grep Endpoint. An authenticated attacker can supply a maliciously crafted regex pattern that forces excessive CPU consumption, potentially slowing or freezing the service. This is a medium-severity issue affecting versions up to 3.7.0 and is remedied by upgrading to 3.7.1.
- CVE-2026-10294MEDIUM 4.3
PackageKit, a system library for package management on Linux, contains an authorization bypass vulnerability in versions up to 1.3.5. An authenticated attacker can manipulate the frontend-socket parameter in the API to gain unauthorized access to sensitive information. The vulnerability requires an existing user account to exploit but does not require user interaction. While the attack surface is somewhat limited by authentication requirements, the unauthorized information disclosure poses a real security concern for systems relying on PackageKit.
- CVE-2026-10301MEDIUM 4.3
A reflected cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0. An attacker can craft a malicious URL containing JavaScript code in the 'page' parameter of index.php. When a user visits this link, the script executes in their browser, potentially allowing theft of session cookies, credential capture, or malware redirection. The vulnerability requires user interaction (clicking a link) but poses a meaningful risk to organizations running this system, especially those handling sensitive fee or financial data.
- CVE-2026-10616MEDIUM 4.3
GoClaw, a component of nextlevelbuilder, contains a flaw in how it validates permissions when completing team tasks. An authenticated attacker can manipulate the Team Task Completion Handler to bypass authorization checks, potentially modifying task records they shouldn't have access to. The vulnerability requires a valid login and network access, and affects versions up to 3.11.3. While the issue carries a medium risk profile, the public availability of exploit details increases practical attack likelihood.
- CVE-2026-10624MEDIUM 4.3
CVE-2026-10624 is a moderate-severity vulnerability in SourceCodester Human Resource Management version 1.0 that allows authenticated users to access employee information they should not be able to view. The flaw exists in the Employee View Page component and stems from improper handling of the 'employeeid' parameter, which an attacker can manipulate to bypass access controls. Because exploit code has been publicly disclosed, this vulnerability poses a realistic risk to organizations running affected systems.
- CVE-2026-10661MEDIUM 4.3
A vulnerability in the blender-mcp project allows an authenticated attacker to inject malicious input through the input_image_url parameter in the Open function of src/blender_mcp/server.py. Because authentication is required and the vulnerability only exposes limited information (not enabling code execution or system availability impact), the overall risk is moderate. However, the public disclosure means exploitation techniques are now accessible to threat actors.
- CVE-2026-10691MEDIUM 4.3
A vulnerability in wonderwhy-er DesktopCommanderMCP through version 0.2.38 allows an authenticated user to trigger a denial-of-service condition by crafting malicious search result data that causes inefficient regular expression processing. The flaw is in the search-manager component and can be exploited remotely by any logged-in user. The vendor has released version 0.2.39 with a fix.
- CVE-2026-10692MEDIUM 4.3
A flaw exists in code-index-mcp versions up to 2.14.0 that allows authenticated users to cause performance degradation through specially crafted regular expressions. By submitting a malicious regex pattern to the search_code_advanced function, an attacker can trigger inefficient regex processing that consumes excessive CPU resources, leading to application slowdown or unresponsiveness. This is a denial-of-service weakness that requires login credentials to exploit but does not compromise confidentiality or data integrity.
- CVE-2026-10702MEDIUM 4.3
A flaw in Firefox's JavaScript Just-In-Time (JIT) compiler can cause it to miscompile code in certain circumstances. When a user visits a malicious website, the affected browser may crash or become unstable due to incorrect code generation during compilation. This is not a memory corruption issue and does not allow attackers to steal data or take control of the system, but it does impact availability and user experience.
- CVE-2026-10802MEDIUM 4.3
A resource consumption vulnerability exists in KeystoneJS, an open-source headless CMS and GraphQL API framework. The flaw resides in the GraphQL API endpoint handler and can be exploited by authenticated users to exhaust server resources, potentially causing a denial-of-service condition. The vulnerability affects KeystoneJS versions up to March 19, 2026. Exploitation requires valid credentials but can be performed remotely over the network.
- CVE-2026-10810MEDIUM 4.3
A cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0 and earlier. The flaw is located in the /navbar.php file, where unsanitized input in the 'page' parameter allows an attacker to inject malicious scripts. An attacker can craft a malicious URL and trick a user into clicking it, causing the injected script to execute in the victim's browser. This could lead to session hijacking, credential theft, or malware distribution. Public exploit code is available, increasing the risk of opportunistic attacks.
- CVE-2026-10854MEDIUM 4.3
CVE-2026-10854 is a visibility control flaw in MISP's event template creation feature that allowed unauthorized users to see private galaxy data from other organizations. When creating an event template, the system listed all enabled galaxies without checking whether the user's organization owned them or whether they were marked private. This exposed sensitive metadata like galaxy type and description to users who shouldn't have access. The vulnerability requires authentication to exploit and affects only information disclosure—no data modification or denial of service is possible. MISP has patched the issue by filtering galaxy visibility based on organization ownership and distribution settings.
- CVE-2026-10855MEDIUM 4.3
MISP, a threat intelligence platform, contained an authorization flaw in its event template import feature. When an authenticated user attempted to overwrite an existing event template, the system verified that a template with that name existed but failed to check whether the importing user's organization actually owned it. This allowed users from one organization to forcibly overwrite event templates belonging to other organizations. The flaw only affected non-administrator users; site administrators retained the ability to manage templates across organizational boundaries by design. The vulnerability has been remediated by adding an ownership verification step before permitting any template overwrite operation.
- CVE-2026-10864MEDIUM 4.3
A flaw in MISP's dashboard widgets allows authenticated users with low-level access to bypass field restrictions and view sensitive information they shouldn't have access to. By manipulating which data fields the New Users and New Organisations widgets display, attackers can circumvent settings designed to hide user email addresses and other restricted organization metadata. The vulnerability stems from how the application processes field filtering—if redaction leaves the field list empty, it falls back to returning unfiltered data instead of enforcing safe defaults.
- CVE-2026-11031MEDIUM 4.3
Google Chrome's Password Manager fails to properly validate input from network traffic before displaying it to users. An attacker can craft malicious network data that tricks the Password Manager interface into showing fake or misleading information—for example, a phishing prompt that looks legitimate. This affects Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux.
- CVE-2026-24756MEDIUM 4.3
Kiteworks, a platform for secure data sharing and management, contains a flaw that allows authenticated users to modify data belonging to other users. The vulnerability stems from the application failing to properly verify that a user should have access to resources they're attempting to change. An attacker with valid credentials could exploit this to alter forms, templates, or other shared resources without authorization. The fix requires upgrading to version 9.3.0 or later.
- CVE-2026-28511MEDIUM 4.3
eLabFTW, an open-source electronic lab notebook platform, contains an information disclosure vulnerability affecting versions before 5.4.2. When an authenticated user performs a numeric search or reference lookup, the system may return resource titles that the user should not have access to view. The actual content of those resources remains protected—only the titles are exposed. This is particularly concerning because titles may contain sensitive information such as project names, patient identifiers, or regulated data that could constitute unauthorized disclosure.
- CVE-2026-32250MEDIUM 4.3
NamelessMC, a website platform used for Minecraft server management, contains a reflected cross-site scripting (XSS) vulnerability in version 2.2.4. The flaw exists in how the application handles the `id` parameter on the user queries endpoint. An attacker can embed malicious JavaScript in a specially crafted URL; when a user clicks that link, the script runs in their browser with access to the site's session and data. This could enable attackers to steal session cookies, redirect users to phishing pages, or modify page content to deceive users.
- CVE-2026-32906MEDIUM 4.3
OpenClaw versions prior to 2026.5.12 contain a privilege escalation flaw in their Slack plugin approval system. Users who hold limited exec approval permissions can manipulate the approval workflow to bypass intended authorization checks, allowing them to approve plugin actions that should require additional oversight or operator configuration. The vulnerability requires an authenticated user to exploit, reducing but not eliminating risk in environments with permissive access controls.
- CVE-2026-34193MEDIUM 4.3
CVE-2026-34193 describes a logic error in GPU memory address translation that allows a compromised kernel running inside a virtual machine to send malformed commands to the GPU firmware, causing it to write data to unintended locations in firmware memory. The vulnerability requires local access and an already-compromised kernel to exploit, but once triggered, it can corrupt GPU firmware state without authorization.
- CVE-2026-36602MEDIUM 4.3
A Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 has a flaw in its UPnP service that exposes internal kernel memory addresses to anyone on the same network segment. An attacker can query the router's UPnP interface to extract a raw MIPS kernel pointer, effectively creating a roadmap of how the router's operating system is laid out in memory. While this doesn't directly compromise the device, it removes a significant barrier to follow-up attacks by revealing memory layout details that are normally hidden.
- CVE-2026-36613MEDIUM 4.3
Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 leak sensitive internal memory to unauthenticated attackers on the same network. When an attacker sends HTTP POST requests to non-existent paths on the router's web interface, the device inadvertently returns 128 bytes of uninitialized buffer memory. This exposed data may contain router state information, configuration details, or other sensitive runtime values. The vulnerability requires physical or network adjacency—an attacker must be on the same local network segment—but no authentication or user interaction is needed to trigger it.
- CVE-2026-36615MEDIUM 4.3
The Mercusys AC12G (EU) router running firmware version AC12G(EU)_V1_200909 contains an unauthenticated information disclosure vulnerability. An attacker on the same local network can access a hidden endpoint (/agileconfigreset) that leaks internal buffer contents without requiring any credentials or user interaction. This information could be used to further compromise the device or the network it serves.
- CVE-2026-36618MEDIUM 4.3
The Mercusys AC12G (EU) router with firmware version AC12G(EU)_V1_200909 has a configuration issue that allows anyone on the local network to discover which version of the DNS resolver software (unbound 1.22.0) is running on the device. An attacker can query the router for this information and use it to identify known vulnerabilities affecting that specific DNS software version, making targeted attacks easier. This is a local network exposure only—an attacker would need network access to the router or its subnet to exploit it.
- CVE-2026-4071MEDIUM 4.3
The BirdSeed WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to change the plugin's authentication token without the site administrator's knowledge. An attacker can craft a malicious link or webpage that, when clicked by an admin, silently modifies the BirdSeed token stored in the site's database. This breaks the trust chain between your WordPress site and the BirdSeed service. The vulnerability affects all versions up to and including 2.2.0 and requires social engineering—tricking an administrator into clicking a link—but no authentication or special privileges are needed from the attacker's side.
- CVE-2026-40914MEDIUM 4.3
Apache Artemis has a flaw in how it enforces permissions when users communicate via the STOMP protocol. A user with permission to send or receive messages on a particular address can trick the system into accepting messages with a message routing-type that the address doesn't normally support. This bypasses an important security boundary: only administrators with explicit createAddress permission should be able to change an address's routing-type capabilities. An attacker could exploit this to send or consume messages in ways that violate the intended security policy, even though their basic send/consume permissions are legitimate.
- CVE-2026-41014MEDIUM 4.3
Apache Airflow contains an authorization bypass in its UI that allows authenticated users to view information about data pipeline runs (DAGs) they shouldn't have access to. Specifically, a user with broad asset-level read permissions can see partition run states, scheduling details, and data connections for DAGs restricted to other teams or users. This affects only deployments that intentionally segment DAG access by user or role while granting wider asset visibility. The vulnerability requires an existing user account and network access to the Airflow UI or API.
- CVE-2026-41115MEDIUM 4.3
Apache Kafka contains an authorization mismatch in its consumer group metadata API. The CONSUMER_GROUP_DESCRIBE operation checks for DESCRIBE permission on groups, but Kafka's documentation and the relevant design specification (KIP-848) incorrectly state it should check for READ permission. This inconsistency between code behavior and documentation can lead to misconfigured access controls—either granting unintended READ access to users who only have DESCRIBE permissions, or blocking legitimate access for users who rely on documentation-based ACL configurations. The vulnerability is not a code flaw but a documentation gap that can cause real-world security postures to diverge from intent.
- CVE-2026-41160MEDIUM 4.3
EspoCRM contains a logic flaw that allows lower-privileged users to pin notes they don't have permission to edit. The vulnerability stems from a timing issue in the API backend: the system modifies the note in the database before checking whether the user is actually authorized to do so. Even though the server returns an error message afterward, the damage is already done—the note remains pinned. This affects EspoCRM versions before 9.3.5.
- CVE-2026-42540MEDIUM 4.3
IRIS is a collaborative web platform used by incident response teams to share and document technical details during security investigations. A vulnerability in versions before 2.4.28 allows authenticated users to modify database records through specially crafted API requests, potentially corrupting or altering incident investigation data. The issue requires valid login credentials to exploit and affects data integrity rather than confidentiality.
- CVE-2026-42543MEDIUM 4.3
IRIS, a web-based platform used by incident responders to collaborate and share technical details during investigations, contains a cross-site request forgery (CSRF) vulnerability in versions prior to 2.4.28. The vulnerability exists because the platform uses HTTP GET requests to perform state-changing actions on the server—a design flaw that allows an attacker to trick authenticated users into unknowingly executing unwanted actions. An attacker could craft a malicious link or webpage that, when visited by an IRIS user, silently modifies data or settings without the user's knowledge or consent.
- CVE-2026-45264MEDIUM 4.3
Nextcloud versions spanning 17.0.0 through 21.0.3 contain a permission bypass vulnerability that allows users with read and create access—but explicitly not update access—to rename files within team folders. This unintended capability undermines the granular permission model Nextcloud enforces, potentially enabling unauthorized modification of file metadata and organizational disruption. The issue affects a broad version range and has been patched across all active release lines.
- CVE-2026-45286MEDIUM 4.3
An authenticated user on a Nextcloud instance can discover other users' identities by abusing the Calendar app's attendee-suggestion feature. The vulnerability exists because this endpoint bypasses the access controls that Nextcloud applies elsewhere. An attacker already logged into the system can systematically enumerate valid usernames, potentially laying groundwork for targeted attacks like password spraying or social engineering. The flaw affects Nextcloud versions 5.5.13 through 5.5.16 and 6.2.0 through 6.2.2.
- CVE-2026-45544MEDIUM 4.3
Nextcloud Tables, a collaborative document and data management component, contains an information disclosure vulnerability affecting versions 0.8.0 through 1.0.3. The issue allows users with read-only access to view filter criteria—potentially including sensitive column names, field definitions, or search logic—that should have been restricted to higher-privilege users. This represents a low-severity data exposure that could leak operational details about table structure and content filtering strategies. The vulnerability has been resolved in Nextcloud Tables versions 1.0.4 and 2.0.0.
- CVE-2026-45729MEDIUM 4.3
ThorVG, a vector graphics rendering engine, contains a flaw that can crash applications using it when they process malicious SVG files. An attacker can craft a specially formatted SVG document as small as 6 bytes that triggers an application crash when the affected code path is invoked. This is a denial-of-service vulnerability affecting availability but not data confidentiality or integrity. The issue was introduced in earlier versions and is resolved in ThorVG 1.0.5.
- CVE-2026-46605MEDIUM 4.3
Apache ActiveMQ has an authorization flaw that allows authenticated users to delete message queues and topics they shouldn't be able to modify. An attacker with valid credentials to your messaging system could disrupt operations by removing critical destinations, even if permission controls suggest they shouldn't have that ability. This affects ActiveMQ versions before 5.19.7 and 6.0.0 through 6.2.5.
- CVE-2026-46764MEDIUM 4.3
Apache Airflow contains an authorization bypass flaw in its audit-log API endpoints. An authenticated user with read access to audit logs for one workflow (Dag) can bypass per-Dag scoping restrictions and view audit-log entries from any other Dag in the same Airflow deployment by directly requesting specific event log IDs. The vulnerability stems from inconsistent permission enforcement: the collection endpoint properly restricts results by Dag, but the detail endpoint applies only a generic audit-log permission check without verifying the requester has access to the specific Dag whose logs are being retrieved. This allows low-privileged users to enumerate and read sensitive audit trails across Dags they should not be able to access.
- CVE-2026-47675MEDIUM 4.3
Hono, a JavaScript web framework, contains a flaw in how it sanitizes cookie options. While the framework validates certain cookie parameters (domain and path) to prevent malicious characters from breaking the Set-Cookie header, it fails to apply the same checks to sameSite and priority options. If an application passes user-controlled input directly into these parameters, an attacker could inject additional cookie attributes into the response header, potentially manipulating cookie behavior or setting unintended security policies.
- CVE-2026-47696MEDIUM 4.3
WWBN AVideo, an open-source video hosting platform, contains a payment processing vulnerability in versions 29.0 and earlier. When both the AuthorizeNet and YPTWallet plugins are active, any logged-in user can artificially inflate their account wallet balance without actually paying. The vulnerable endpoint accepts a user-supplied amount parameter and immediately credits the wallet without verifying that a real payment transaction occurred through Authorize.Net. This is a financial manipulation flaw that bypasses payment authentication entirely.
- CVE-2026-48810MEDIUM 4.3
FreeScout, a free help desk platform built on Laravel, contains an authorization flaw in version 1.8.220 and earlier. A user with conversation editing permissions who authored a message in one mailbox can edit that message's content even after an administrator removes them from that mailbox. The vulnerability exploits a gap in access controls: the system verifies the user created the message and has the global edit permission, but fails to confirm the user still belongs to the mailbox where the conversation lives. This allows former mailbox members to alter thread history and potentially mislead team members or customers.
- CVE-2026-48811MEDIUM 4.3
FreeScout, an open-source helpdesk and shared inbox platform, contains a flaw that allows former team members to permanently delete internal notes—even after their access to the mailbox has been revoked. A non-admin user who previously created private threads in a conversation can return and destroy those notes without authorization, because the system fails to verify whether the user still belongs to the mailbox. This affects FreeScout versions before 1.8.221.
- CVE-2026-4888MEDIUM 4.3
Everest Forms, a popular WordPress form-building plugin, contains a security flaw that allows low-privilege logged-in users to send emails from your website to anyone they choose. Any user with Subscriber access or higher can exploit this by calling an internal email-testing function without proper permission checks. This doesn't require clicking malicious links or advanced technical skills—just authenticated access to your WordPress admin panel.
- CVE-2026-49140MEDIUM 4.3
Nanobot versions before 0.2.1 have a denial-of-service flaw in how they handle media downloads from Matrix chat rooms. An authenticated user in a room can deliberately send specially crafted media events with missing or wrong size information, causing the system to download large files without properly checking their declared sizes first. By sending many of these malicious requests at once, an attacker can force the Nanobot process to consume excessive memory and bandwidth until the service becomes slow or unresponsive. The attacker must already be a member of the room to exploit this.
- CVE-2026-49322MEDIUM 4.3
The 2025 Indian Motorcycle Scout Bobber + Tech model contains a flaw in its wireless control system that allows someone with access to the motorcycle's internal network to steal the owner's PIN unlock code by observing just a single authentication attempt. Instead of using proper cryptographic security, the system performs simple mathematical operations that can be reversed to recover the PIN, completely bypassing the bike's primary security lock.
- CVE-2026-49323MEDIUM 4.3
The 2025 Indian Motorcycle Scout Bobber + Tech model contains a flaw in how its wireless control module authenticates with the engine control module. An attacker positioned on the vehicle's internal network can intercept a single authentication exchange and reverse-engineer the motorcycle's immobilizer secret—the cryptographic key that prevents unauthorized engine starts. Once recovered, the attacker can bypass the immobilizer entirely and start the engine without the key fob.
- CVE-2026-49369MEDIUM 4.3
JetBrains YouTrack versions before 2026.1.13162 contained a flaw that allowed authenticated users to access sensitive information about other users and groups they shouldn't be able to see. The vulnerability is limited to the Users and Groups administrative pages and requires valid login credentials to exploit. This is a straightforward authorization issue where the application failed to properly restrict who could view certain user and group data.
- CVE-2026-49377MEDIUM 4.3
JetBrains TeamCity contains a configuration flaw where default agent parameters inadvertently expose sensitive data to authenticated users. An attacker with valid login credentials can access information through TeamCity's agent configuration that should remain restricted. This is a network-accessible issue affecting TeamCity deployments before version 2025.11.2, though the vulnerability requires prior authentication to exploit.
- CVE-2026-49378MEDIUM 4.3
JetBrains TeamCity contained a vulnerability where stored credentials could be inadvertently exposed through the parameter autocompletion feature. When users typed in parameter fields, the system would suggest previously stored credential values, potentially revealing sensitive authentication data to anyone with access to the TeamCity interface. This issue affects TeamCity versions prior to 2026.1 and requires an authenticated user to interact with the affected feature. The exposure is limited to local disclosure within the TeamCity environment rather than remote exfiltration.
- CVE-2026-7526MEDIUM 4.3
The PDF Embedder plugin for WordPress contains a flaw that allows authenticated users with basic contributor permissions or higher to access sensitive configuration information. If the premium add-on is installed with a saved license key, that key can be exposed; on free installations, the exposure is limited to non-sensitive viewer settings like dimensions and toolbar options. An attacker would need valid WordPress login credentials at the contributor level or above to exploit this, but no user interaction or network complexity is required once authenticated.
- CVE-2026-7533MEDIUM 4.3
The Easy Digital Downloads plugin for WordPress contains a security flaw that allows attackers to hijack a store's Square payment processing account. An attacker can send a malicious link to a WordPress administrator; if clicked while logged in, the link silently changes the store's Square payment credentials to attacker-controlled ones, redirecting future payments to the attacker. The vulnerability exists because the plugin does not verify that payment configuration requests come from legitimate, authorized actions—a standard web security practice called CSRF protection.
- CVE-2026-7621MEDIUM 4.3
The SMTP2GO for WordPress plugin contains an authorization flaw that allows any logged-in user with subscriber-level permissions or higher to delete all SMTP email logs from the database or export sensitive email records to CSV format. This affects all versions up to 1.16.0 and exposes recipient addresses, sender information, message subjects, and API response data. An attacker with basic user access can perform these destructive and data-exfiltration actions without additional authentication checks.
- CVE-2026-8422MEDIUM 4.3
The Remove meta boxes per user role WordPress plugin contains a security flaw that allows attackers to change how meta boxes (content panels) are hidden or shown for different user roles on a WordPress site. An attacker can't do this directly, but by tricking a site administrator into clicking a malicious link, the attacker can force the admin's browser to make unauthorized changes to these visibility settings. The vulnerability affects all versions up to and including 1.01.
- CVE-2026-8682MEDIUM 4.3
The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On WordPress plugin contains a flaw that allows users with basic subscriber access to change critical plugin settings they should not be able to modify. An authenticated attacker can bypass authorization checks to write arbitrary data directly to the plugin's configuration stored in the database, potentially affecting how the 3D viewer and virtual try-on features function across the site.
- CVE-2026-8689MEDIUM 4.3
The Visualizer: Tables and Charts Manager WordPress plugin contains an authorization bypass flaw that allows logged-in users with minimal privileges (Subscriber level and above) to create chart posts without proper permission checks and to view or modify charts belonging to other users, including site administrators. The vulnerability affects all versions through 3.11.14 and stems from missing capability validation in two critical AJAX functions. While the flaw requires an authenticated account, the low barrier to entry and potential for unauthorized data access make it a meaningful risk for multi-user WordPress installations.
- CVE-2026-8995MEDIUM 4.3
The Poll Maker – Versus Polls plugin for WordPress has a flaw that lets logged-in users see sensitive account information they shouldn't access, including password hashes. The vulnerability stems from an AJAX endpoint that returns the entire WordPress user object without proper security checks. Any subscriber or higher can call this endpoint and retrieve not just their own data, but potentially others' account details including email addresses, registration dates, roles, and capabilities. While the exposure doesn't immediately compromise an account, the password hash data could be targeted by offline cracking attempts.
- CVE-2026-9015MEDIUM 4.3
The Equalize Digital Accessibility Checker plugin for WordPress contains a flaw that allows users with basic subscriber access to modify accessibility audit findings they shouldn't be able to touch. An authenticated attacker can change whether issues are marked as ignored, alter the reason for ignoring them, and add comments to any accessibility finding on the site. In some cases, they can perform bulk modifications across multiple related findings at once. This means someone with minimal privileges could systematically hide or dismiss accessibility compliance problems, undermining the integrity of WCAG and ADA audit records without proper authorization.
- CVE-2026-9048MEDIUM 4.3
Slider Revolution, a popular WordPress plugin, contains a vulnerability that allows authenticated users with basic contributor privileges to view sensitive social media API credentials through a specific AJAX action. An attacker with contributor-level access or higher can call the 'slider.get.full' AJAX action to retrieve raw API tokens and keys—including Instagram OAuth tokens, Flickr API keys, YouTube Data API credentials, and Facebook App IDs—that have been configured within slider settings. This exposure affects plugin versions 7.0.0 through 7.0.14.
- CVE-2026-9050MEDIUM 4.3
Slider Revolution, a popular WordPress plugin, contains a flaw that allows contributors and higher-privileged users to disable any plugin on a WordPress site without proper authorization checks. An attacker with basic contributor access—a common account level in multi-author sites—can leverage this to shut down security plugins, backup solutions, or other critical extensions. The vulnerability affects versions 6.0.0 through 6.7.55 and 7.0.0 through 7.0.14.
- CVE-2026-9228MEDIUM 4.3
A WordPress plugin called Timetable and Event Schedule by MotoPress has a flaw that allows users with contributor-level access or higher to see confidential information they shouldn't have access to. Specifically, they can view drafts, pending reviews, and private event posts created by other users, including the content, excerpts, and author information. The vulnerability stems from the plugin failing to properly validate user input when retrieving event data, making it possible to directly access posts by guessing or enumerating their IDs.
- CVE-2026-9234MEDIUM 4.3
The JTL-Connector for WooCommerce plugin contains authorization flaws that allow low-privileged WordPress users (Subscriber level and above) to perform administrative actions without proper permission checks. Specifically, attackers can change plugin configuration, download sensitive log files containing developer information, and delete those logs. This bypasses WordPress's built-in permission model and could lead to configuration tampering or information disclosure.
- CVE-2026-9241MEDIUM 4.3
The FOX – Currency Switcher Professional for WooCommerce plugin contains a flaw that lets authenticated users trick the system into thinking they have higher privileges than they actually do. By manipulating a request parameter, a subscriber-level user can impersonate a wholesale customer or administrator to access pricing they shouldn't be able to see. This only matters if your store uses the fixed user-role pricing feature and has set special prices for privileged customer types.
- CVE-2026-9599MEDIUM 4.3
The Tectite Forms plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions through 1.3. An attacker can trick a site administrator into clicking a malicious link, which then allows the attacker to change the plugin's settings without the administrator's knowledge. This could include modifying the tectite_forms_button option or other plugin configurations. The vulnerability requires social engineering but poses a real risk to WordPress sites using this plugin.
- CVE-2026-9618MEDIUM 4.3
The PeachPay plugin for WordPress, which integrates payment processing for Stripe, PayPal, Square, and other providers, contains a cross-site request forgery (CSRF) vulnerability in all versions up to 1.120.46. An attacker can craft a malicious link or webpage that, when clicked by a site administrator, silently deletes all stored Stripe credentials from the site's database without the administrator's knowledge or consent. This disables Stripe payments immediately and requires the administrator to reconfigure the integration. The attack requires social engineering to trick an admin into clicking the link, but requires no special authentication or technical sophistication once the admin takes the bait.
- CVE-2026-9722MEDIUM 4.3
The Laiser Tag plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability affecting all versions through 1.2.5. An attacker can craft a malicious link or webpage that, when clicked by a site administrator, silently modifies critical plugin settings without the administrator's knowledge or consent. This includes changes to API keys, tag filtering rules, and tagging behavior—settings that directly control how the plugin functions across the site.
- CVE-2026-9723MEDIUM 4.3
The Google Plus One Bottom plugin for WordPress contains a cross-site request forgery (CSRF) flaw that allows attackers to manipulate plugin settings without proper authorization. An attacker can craft a malicious link or web page that, when clicked by a site administrator, will change critical plugin configuration options—such as language preferences, callback functions, and URLs—without the administrator's knowledge or consent. This attack requires social engineering to trick an admin into clicking the malicious link, but requires no authentication or technical exploit code to execute.
- CVE-2026-9730MEDIUM 4.3
The Remove NoFollow Commenter URL plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability that allows unauthenticated attackers to change how the plugin displays comments. An attacker can craft a malicious link or webpage that, when clicked by a WordPress site administrator, silently modifies the plugin's comment settings without the administrator's knowledge or consent. This requires social engineering to trick an admin into visiting the attacker's content, but requires no special technical skills to exploit once that condition is met.
- CVE-2026-9732MEDIUM 4.3
The EmergencyWP plugin for WordPress has a security flaw that allows attackers to change important plugin settings without authorization. An attacker would need to trick a WordPress site administrator into clicking a malicious link, but if successful, they could alter access controls, email addresses, and other critical configurations. This is a cross-site request forgery (CSRF) vulnerability caused by the plugin failing to properly validate requests before processing them.
- CVE-2026-9791MEDIUM 4.3
An authenticated user who belongs to a Keycloak organization can request tokens or access APIs in ways that expose organization metadata, even after an administrator has turned off the Organizations feature. This metadata leakage could cause downstream applications (resource servers) to make incorrect access control decisions based on stale or unintended organization information.
- CVE-2026-9798MEDIUM 4.3
Keycloak's account lockout feature, which temporarily disables accounts after repeated failed login attempts, can be bypassed when an attacker possesses valid client credentials. By using the Client-Initiated Backchannel Authentication (CIBA) flow—a legitimate OAuth 2.0 feature—attackers can circumvent the lockout and continue attempting to authenticate or obtain tokens. This undermines brute-force protection and creates a secondary path for unauthorized access once the attacker has obtained initial client credentials.
- CVE-2026-9807MEDIUM 4.3
GitLab has patched a flaw in its Community and Enterprise editions where a Project Access Token that was supposed to be blocked could still access private project resources. This happened because the authorization checks weren't applied correctly when a token was revoked or blocked. An authenticated user with permissions to create or manage tokens could potentially exploit this before the fix was released, though the vulnerability requires prior login access and the attacker would need knowledge of or ability to create a blocked token.
- CVE-2026-9907MEDIUM 4.3
A memory read vulnerability in Google Chrome's Dawn graphics component allows attackers to access sensitive data from different website origins. An attacker can craft a malicious web page that, when visited by a user, tricks Chrome into reading memory beyond intended boundaries and leaking information from other websites the user may have open. This affects Windows systems running Chrome versions prior to 148.0.7778.216.
- CVE-2026-9911MEDIUM 4.3
CVE-2026-9911 is a memory safety issue in the ANGLE graphics library used by Google Chrome. When a user visits a specially crafted webpage, an attacker can read small amounts of sensitive data from the browser's memory. The vulnerability requires user interaction—visiting the malicious page—but needs no special permissions or browser configuration to exploit. While the data exposure is limited in scope, it could leak sensitive information like passwords, tokens, or cached credentials stored in memory.
- CVE-2026-9913MEDIUM 4.3
A flaw in the ANGLE graphics library component of Google Chrome prior to version 148.0.7778.216 could allow an attacker to access memory outside intended bounds when a user visits a malicious website. The vulnerability requires user interaction (visiting a crafted page) but does not require special privileges. Potential impacts include disclosure of sensitive information, though the attacker cannot modify data or crash the browser directly through this flaw.