2026 · High
High-severity vulnerabilities disclosed in 2026
High-rated CVEs published in 2026, with SEC.co remediation and prioritization guidance.
861 published vulnerabilities · page 8 of 9
- CVE-2026-9909HIGH 7.5
A flaw in Skia, the graphics rendering library used by Google Chrome, can be exploited by an attacker who has already compromised Chrome's sandboxed renderer process. The vulnerability stems from improper handling of integer values, which an attacker could leverage to execute arbitrary code within the sandbox by serving a specially crafted HTML page. While the vulnerability requires prior compromise of the renderer process, it represents a critical step in a potential attack chain that could lead to full browser compromise.
- CVE-2026-9922HIGH 7.5
A use-after-free vulnerability exists in Google Chrome's GPU rendering engine on macOS. The flaw allows an attacker who has already compromised Chrome's renderer process to execute arbitrary code by serving a specially crafted HTML page. This is a post-compromise risk: the attacker must first break into the renderer sandbox, but if successful, can then escalate to full code execution with system privileges. The vulnerability affects Chrome versions prior to 148.0.7778.216 on macOS.
- CVE-2026-9933HIGH 7.5
CVE-2026-9933 is a use-after-free memory vulnerability in Google Chrome's input handling code that allows attackers to corrupt heap memory on affected systems. Exploitation requires an attacker to trick a user into performing specific UI interactions (such as unusual mouse or keyboard gestures) while viewing a specially crafted HTML page. This is not a passive drive-by attack; active user participation is required. If successfully exploited, an attacker could execute arbitrary code with the privileges of the Chrome process, leading to complete compromise of the affected user's system.
- CVE-2026-9934HIGH 7.5
A use-after-free memory flaw exists in Google Chrome's Aura component (which handles window management and input) before version 148.0.7778.216. An attacker could exploit this by convincing a user to interact with a specially crafted webpage using specific mouse or keyboard gestures. Successful exploitation would allow the attacker to run arbitrary code on the victim's machine with the privileges of the Chrome process.
- CVE-2026-9954HIGH 7.5
A use-after-free vulnerability exists in Google Chrome's TabStrip component that can lead to memory corruption. An attacker must trick a user into performing specific UI interactions (like clicking or dragging tabs in a particular sequence) on a malicious website to potentially trigger the flaw. Successful exploitation could allow the attacker to read sensitive data, modify page content, or crash the browser. The vulnerability affects Chrome versions prior to 148.0.7778.216 across Windows, macOS, and Linux.
- CVE-2026-9956HIGH 7.5
A use-after-free vulnerability in Google Chrome on iOS allows remote attackers to execute arbitrary code if a user can be tricked into performing specific gestures on a malicious webpage. The vulnerability requires user interaction but doesn't require special privileges or system access, making it a realistic attack vector for threat actors hosting compromised or attacker-controlled sites.
- CVE-2026-9960HIGH 7.5
A flaw in PDFium, the PDF rendering library used by Google Chrome, allows an attacker who has already compromised Chrome's renderer process to break out of the sandbox and run arbitrary code with elevated privileges by supplying a specially crafted font file. This represents a significant post-compromise risk for users who may have already been exposed to initial malware or browser exploits.
- CVE-2026-9963HIGH 7.5
A memory initialization flaw in Google Chrome for iOS (versions before 148.0.7778.216) could allow an attacker to run malicious code within the browser's sandbox if a user visits a crafted webpage and performs specific touch interactions. The vulnerability requires active user engagement to exploit—simply landing on a malicious site is not enough. Code execution remains confined to the browser sandbox, limiting direct system compromise but still posing a meaningful threat to user data and browser security.
- CVE-2026-9990HIGH 7.5
Google Chrome on macOS contains a use-after-free vulnerability in its web app installation feature that could allow an attacker to corrupt memory on a user's system. The vulnerability requires a user to perform specific interactions with a malicious webpage, but once triggered, it could potentially give an attacker the ability to read sensitive data, modify files, or crash the browser. The issue affects Chrome versions before 148.0.7778.216 on Mac systems.
- CVE-2022-4991HIGH 7.4
Tychon, a Windows application, contains a vulnerability in how it configures OpenSSL. An unprivileged user can place a malicious configuration file in a location that Tychon's privileged service will read, potentially allowing that user to execute arbitrary code with SYSTEM-level privileges. This is a local privilege escalation vulnerability that requires an attacker to have filesystem write access to a specific directory on the target system.
- CVE-2025-14774HIGH 7.4
CVE-2025-14774 is a flaw in ABB T-MAC Plus (version 4.0-24) where access control is not properly enforced, allowing an attacker on the same network to disrupt system availability without needing credentials or user interaction. The vulnerability has a CVSS score of 7.4 (HIGH) and is classified as an incorrect authorization issue.
- CVE-2025-64390HIGH 7.4
PlayStation 4 consoles running firmware versions 13.00 through 13.02 are vulnerable to a privilege escalation attack that allows an attacker with local access to escape the Blu-ray Disc Java (BD-J) sandbox environment by crafting a malicious JAR file. Once the sandbox is bypassed, an attacker could gain elevated system privileges on the device, potentially leading to unauthorized access or control of the console.
- CVE-2026-10629HIGH 7.4
Verizon's IMS (IP Multimedia Subsystem) platform handles VoLTE call signaling without proper encryption and authentication protections. An attacker positioned on the network path—such as a rogue cell tower operator, compromised router, or ISP-level adversary—can eavesdrop on, modify, or spoof VoLTE call setup messages. This breaks the confidentiality of who is calling whom and when, and enables attackers to hijack, redirect, or terminate calls by tampering with unprotected signaling traffic.
- CVE-2026-10968HIGH 7.4
A vulnerability in Chrome's graphics rendering engine (Dawn) on Windows allows attackers to steal sensitive data from websites you're visiting. If an attacker first compromises Chrome's renderer process—the part that runs web content—they can craft a malicious webpage to leak information across website boundaries, bypassing Chrome's security isolation. This requires the attacker to have already gained control of the renderer, making it part of a multi-stage attack but with serious data-theft consequences once achieved.
- CVE-2026-10973HIGH 7.4
A flaw in Google Chrome's Dawn graphics component allowed attackers to extract sensitive data across website boundaries through a specially crafted web page. The vulnerability required user interaction (clicking or visiting a malicious page) but did not require any special privileges. An attacker could craft HTML that exploits uninitialized memory in Chrome's graphics processing to read data from other origins that should have been isolated, potentially exposing authentication tokens, personal information, or other sensitive content loaded in the same browser session.
- CVE-2026-10976HIGH 7.4
A memory disclosure vulnerability exists in Google Chrome's graphics engine (Dawn) that could allow an attacker to read sensitive data from Chrome's process memory. The flaw stems from uninitialized variables being used without proper initialization checks. An attacker would need to trick a user into visiting a specially crafted webpage to trigger the vulnerability. The issue affects Chrome versions before 149.0.7827.53.
- CVE-2026-44393HIGH 7.4
OpenStack's oslo.messaging library contains a critical flaw in how it validates TLS certificates when connecting to RabbitMQ brokers. The driver accepts any certificate signed by your organization's CA without checking that it actually belongs to the RabbitMQ server you're trying to reach. This means an attacker positioned on your network could intercept traffic, present a valid (but wrong) certificate, and trick OpenStack services into sending sensitive control-plane messages to the attacker instead of RabbitMQ. The vulnerability affects all versions from 1.0.0 through 17.3.0.
- CVE-2026-45310HIGH 7.4
CodeWhale, a terminal-based AI coding agent, contains a server-side request forgery (SSRF) vulnerability in versions prior to 0.8.22. The application attempts to block requests to sensitive internal services by checking whether the initial URL points to a restricted IP address. However, attackers can bypass this protection by crafting a URL that initially resolves to an allowed address but redirects to an internal service—such as cloud metadata endpoints or localhost—because the HTTP client automatically follows redirects without re-checking the security blocklist. This allows an attacker to trick CodeWhale into making requests to internal systems that should be off-limits.
- CVE-2026-45373HIGH 7.4
CodeWhale, a terminal-based coding agent that integrates DeepSeek and MiMo AI models, contains a server-side request forgery (SSRF) vulnerability in versions prior to 0.8.26. The vulnerability exists because SSRF validation checks fail when IPv6 addresses are specified using bracket notation (e.g., http://[::1]). An attacker can bypass the SSRF defenses by crafting URLs with IPv6 localhost or other restricted addresses in this format, potentially allowing unauthorized access to internal services or metadata endpoints that the CodeWhale process can reach from its host environment.
- CVE-2026-46579HIGH 7.4
OpenShift Router has a header-spoofing vulnerability that breaks mutual TLS authentication when routes are configured to allow unencrypted HTTP traffic. An attacker can send plain HTTP requests with forged client certificate headers, tricking backend services into accepting them as though they came from legitimate authenticated clients. This bypasses the certificate-based trust model that many organizations rely on for service-to-service security.
- CVE-2026-46818HIGH 7.4
Oracle E-Business Suite's Payments module contains a vulnerability in its File Transmission component that allows an unauthenticated attacker over the network to read and modify sensitive payment data. The attacker does not need valid credentials, but exploitation requires specific technical conditions to be in place. Versions 12.2.3 through 12.2.15 are affected. The vulnerability can lead to unauthorized access to critical financial information or payment records.
- CVE-2026-48501HIGH 7.4
GitHub CLI (gh) prior to version 2.93.0 has a flaw where it unintentionally sends your authentication token to external services during specific operations. When you run commands like `gh attestation`, `gh release verify`, or `gh release verify-asset`, the tool needs to fetch data from various external servers—including TUF (The Update Framework) repositories and cloud storage. The problem is that the authentication layer doesn't correctly identify which servers should receive your token. Due to flawed host detection logic, requests to services like tuf-repo.github.com are incorrectly treated as requests to GitHub itself, causing your personal GitHub token to be transmitted to an untrusted third party. Similarly, requests to unrelated external hosts (like Sigstore's CDN or Azure Blob Storage) also receive your token. An attacker controlling or monitoring traffic to these external services could intercept your token and impersonate your GitHub account.
- CVE-2026-48526HIGH 7.4
PyJWT, a widely-used Python library for handling JSON Web Tokens (JWTs), contains an authentication bypass vulnerability in versions before 2.13.0. The flaw allows attackers to forge valid tokens by exploiting insufficient validation of cryptographic key usage. Specifically, when a library instance is configured to accept both asymmetric (public-key) and HMAC (shared-secret) algorithms, an attacker can take the issuer's public key—which is often publicly available—and use it as the HMAC secret to create forged tokens that the vulnerable library will accept as legitimate.
- CVE-2026-48555HIGH 7.4
Spatie's Laravel Media Library, a popular file management package for Laravel applications, contains a server-side request forgery (SSRF) vulnerability in versions prior to 11.23.0. The flaw exists in the addMediaFromUrl() method, which accepts user-controlled URLs without proper validation. An attacker with authenticated access can exploit this to force the server to make arbitrary outbound HTTP requests on their behalf, potentially reaching internal systems, cloud metadata endpoints, or external targets that the server can access but the attacker cannot directly reach.
- CVE-2026-50292HIGH 7.4
CVE-2026-50292 is a privilege escalation vulnerability in libinput, a widely-used input device handling library. The flaw allows an attacker with local access to craft malicious device properties that libinput-device-group fails to properly sanitize, leading to injection of arbitrary udev properties. This injection can result in arbitrary code execution with root privileges. The vulnerability affects libinput versions before 1.30.4 and all 1.31.x versions before 1.31.3.
- CVE-2026-5343HIGH 7.4
A privilege escalation vulnerability exists in miniOrange's SAML SSO Service Provider module for Drupal. The vulnerability stems from improper validation of exceptional conditions during SAML authentication. An unauthenticated attacker can craft specific SAML responses that bypass security checks, allowing them to escalate privileges within the Drupal application. The flaw affects all versions before 3.1.4, making it a significant risk for any Drupal installation relying on this SSO module for authentication.
- CVE-2026-10068HIGH 7.3
A server-side request forgery (SSRF) vulnerability has been identified in Shibby Tomato version 1.28, specifically within the miniupnpd daemon's SUBSCRIBE call handler. An attacker can exploit this flaw remotely without authentication to make the affected device perform unintended network requests on their behalf. This could lead to unauthorized access to internal services, data exfiltration, or lateral movement within a network. However, the practical impact is limited since Shibby Tomato is no longer maintained, with the project having been superseded by FreshTomato.
- CVE-2026-10110HIGH 7.3
A SQL injection vulnerability exists in code-projects Student Details Management System version 1.0 affecting the /index.php file. An attacker can manipulate the 'roll' parameter to inject arbitrary SQL commands, potentially accessing, modifying, or deleting sensitive student records. The vulnerability requires no authentication and can be exploited remotely over the network. Public exploit code is already available, increasing the risk of active exploitation.
- CVE-2026-10111HIGH 7.3
A SQL injection vulnerability exists in the Login Page of sambitraj STUDENT-MANAGEMENT-SYSTEM version 1.0. An attacker can manipulate the email parameter during login to inject malicious SQL commands, potentially compromising the database. The vulnerability requires no authentication or user interaction and can be exploited remotely. Exploit code has already been published publicly, elevating the practical risk.
- CVE-2026-10157HIGH 7.3
Open5GS, an open-source 5G core network software stack, contains an authentication bypass vulnerability in its NGAP (NG Application Protocol) PathSwitchRequest message handler. An unauthenticated attacker can exploit this remotely to bypass authentication controls, potentially gaining unauthorized access to 5G network functions. The vulnerability affects Open5GS versions up to 2.7.6 and has been publicly disclosed with exploit code available, elevating the practical risk to deployed systems.
- CVE-2026-10167HIGH 7.3
A flaw in the OUSL-GROUP-BrinaryBrains School Student Management System allows attackers to bypass authentication by manipulating role parameters during login cookie creation. An attacker can remotely exploit this without requiring special privileges or user interaction, potentially gaining unauthorized access to the system. Proof-of-concept code has been publicly released, increasing the risk of real-world exploitation.
- CVE-2026-10178HIGH 7.3
A SQL injection vulnerability exists in code-projects Online Music Site version 1.0 that allows unauthenticated remote attackers to inject malicious SQL commands through the ID parameter in the admin album editing interface. The flaw permits reading, modifying, or deleting database records without authorization. Public exploit code is available, elevating immediate risk.
- CVE-2026-10184HIGH 7.3
SourceCodester Hospitals Patient Records Management System version 1.0 contains a SQL injection vulnerability in its user deletion function. An attacker can send a specially crafted request to the /classes/Users.php endpoint that manipulates the ID parameter, allowing unauthorized database queries. Because this flaw requires no authentication and can be exploited over the network, it poses a significant risk to hospital operations and patient data confidentiality.
- CVE-2026-10185HIGH 7.3
A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System version 1.0. An attacker can send a malicious request to the /classes/Users.php file with a crafted ID parameter that causes the application to execute unintended database commands. No authentication is required, and the vulnerability is accessible over the network. Public exploit code is available, increasing the risk of active exploitation.
- CVE-2026-10186HIGH 7.3
CVE-2026-10186 is a SQL injection vulnerability in code-projects Online Hospital Management System version 1.0. An attacker can craft a malicious request to the /patient.php file, manipulating the 'editid' parameter to execute arbitrary SQL commands against the backend database. No authentication is required, and the exploit can be triggered remotely over the network. Public exploit details are available, increasing the practical risk of active exploitation.
- CVE-2026-10208HIGH 7.3
A SQL injection vulnerability exists in the Online Hospital Management System version 1.php, specifically in the login_user function of login_1.php. An attacker can manipulate the Username parameter during login to inject malicious SQL commands. This allows unauthorized access and data compromise without requiring authentication or user interaction. The vulnerability is remotely exploitable and public exploit code has already been released.
- CVE-2026-10214HIGH 7.3
A command injection vulnerability exists in the Bash Tool component of chatgpt-on-wechat versions up to 2.0.8. An attacker can remotely exploit a flaw in the _get_safety_warning function to execute arbitrary operating system commands without authentication. This issue is being actively exploited in the wild. Organizations using affected versions should prioritize upgrading to 2.0.9 immediately.
- CVE-2026-10219HIGH 7.3
nextlevelbuilder GoClaw versions up to 3.11.3 contain a command injection vulnerability in the write_file tool. An unauthenticated attacker can manipulate the WriteFile function to inject arbitrary operating system commands, which are then executed on the affected system. The vulnerability is remotely exploitable and does not require user interaction or special privileges.
- CVE-2026-10220HIGH 7.3
NousResearch's hermes-agent application contains a vulnerability in how it handles plugin skill requests. An attacker can send specially crafted input to the skill_view function that gets injected into backend operations, potentially compromising the confidentiality, integrity, and availability of the affected system. The vulnerability is network-accessible, requires no authentication, and can be triggered without user interaction. Because exploit details have been publicly disclosed, the attack surface is visible to potential adversaries.
- CVE-2026-10221HIGH 7.3
A code injection vulnerability exists in NousResearch's hermes-agent software, affecting versions up to 0.12.0. The flaw resides in the context compression function and allows remote attackers to inject malicious code without requiring authentication or user interaction. Public exploit code is available, increasing the practical risk of exploitation.
- CVE-2026-10225HIGH 7.3
A SQL injection vulnerability exists in raisulislamg4's student management system (PHP-based). An attacker can manipulate the Username parameter in the login_check.php file to inject malicious SQL commands. The vulnerability is network-accessible, requires no authentication, and doesn't require user interaction. Exploit code is publicly available. The project uses a rolling release model, making it difficult to track specific patched versions.
- CVE-2026-10226HIGH 7.3
A SQL injection vulnerability exists in the raisulislamg4 student management system (a PHP-based open-source project). An attacker can manipulate parameters in the delete.php file—specifically user_id, course_id, teacher_id, student_id, or application_id—to inject malicious SQL commands. This can be exploited remotely without authentication or user interaction, allowing an attacker to read, modify, or delete database records. Proof-of-concept code has been published, increasing the risk of active exploitation.
- CVE-2026-10227HIGH 7.3
A SQL injection vulnerability exists in the student management system by raisulislamg4 (up to commit 310d950e) that allows unauthenticated attackers to manipulate the role parameter in the user creation process. An attacker can submit malicious input through the add_user_check.php endpoint to execute arbitrary SQL commands, potentially reading, modifying, or deleting database contents. The vulnerability has been publicly disclosed and proof-of-concept information is available, increasing the likelihood of active exploitation.
- CVE-2026-10236HIGH 7.3
A security flaw exists in SourceCodester Water Billing Management System version 1.0 that allows attackers to bypass authorization controls in the User Management system. An attacker can remotely manipulate user-related operations through the /classes/Users.php?f=save endpoint without needing credentials or user interaction. This means an unauthorized person could potentially create, modify, or access user accounts and associated data. Public disclosure of this vulnerability means attackers are likely already aware of and testing for it.
- CVE-2026-10243HIGH 7.3
A critical authentication flaw exists in code-projects Smart Parking System version 1.0 that allows unauthenticated remote attackers to bypass security controls on multiple administrative endpoints. An attacker can interact with these endpoints without valid credentials, potentially gaining unauthorized access to sensitive parking system functions. The vulnerability has been publicly disclosed and exploit code is available, elevating the risk of active exploitation.
- CVE-2026-10249HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online Blood Bank Management System version 1.0 within the admin request-viewing interface. An unauthenticated attacker can manipulate the ID parameter to inject malicious SQL commands, potentially allowing unauthorized access to sensitive patient data, modification of records, or system disruption. Public exploits are already available, elevating the practical risk.
- CVE-2026-10250HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online Blood Bank Management System version 1.0 that allows unauthenticated attackers to manipulate the hospital parameter in the /admin/campsdetails.php file, potentially compromising the confidentiality, integrity, and availability of the system and its data. The vulnerability is remotely exploitable and public exploit code is available, elevating active exploitation risk.
- CVE-2026-10251HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0. An attacker can send a specially crafted request to the login functionality via the Username parameter to execute arbitrary database commands. Because the vulnerability requires no authentication and can be triggered remotely, it poses a significant risk to exposed instances. Public exploit code is available, increasing the likelihood of active exploitation.
- CVE-2026-10252HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0 that allows unauthenticated attackers to inject malicious SQL commands through the ID parameter in the /manage_tenant.php file. This could enable attackers to read, modify, or delete tenant data stored in the application's database without requiring any special credentials or user interaction. The vulnerability is publicly known and exploit code is available.
- CVE-2026-10253HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0. The vulnerability is located in the /manage_payment.php file, specifically in how it processes the ID parameter. An attacker can manipulate this parameter to inject malicious SQL commands, potentially allowing unauthorized access to sensitive payment and rental data. The vulnerability requires no authentication, can be exploited over the network, and exploit code is publicly available.
- CVE-2026-10260HIGH 7.3
CodeAstro Online Job Portal version 1.0 contains a SQL injection vulnerability in its admin job deletion function. An attacker can manipulate the ID parameter in the /admin/jobs-admins/delete-jobs.php file to inject malicious SQL commands, potentially compromising the database. The vulnerability requires no authentication and can be exploited over the network. Proof-of-concept code has been released publicly, increasing the likelihood of active exploitation.
- CVE-2026-10261HIGH 7.3
CodeAstro Online Job Portal version 1.0 contains a SQL injection vulnerability in its application status checking functionality. An attacker can manipulate the ID parameter in the /users/application_status.php file to inject malicious SQL commands, potentially gaining unauthorized access to the database. The vulnerability can be exploited remotely without authentication, making it accessible to anyone on the internet.
- CVE-2026-10262HIGH 7.3
A SQL injection vulnerability exists in Real State Services version 1.0 that allows an attacker to manipulate the Username parameter in the login form (/loginuser.php) to inject malicious SQL commands. Because no authentication is required and the vulnerability can be triggered over the network, an attacker can exploit this remotely to read, modify, or delete sensitive database information without needing valid credentials. The flaw has been publicly disclosed, increasing the risk of active exploitation.
- CVE-2026-10263HIGH 7.3
A SQL injection vulnerability exists in SourceCodester Computer Repair Shop Management System version 1.0 and earlier. An attacker can manipulate the ID parameter in the product management interface to inject malicious SQL commands, potentially exposing, modifying, or deleting sensitive data. The vulnerability requires no authentication and can be exploited remotely by anyone with network access to the application.
- CVE-2026-10273HIGH 7.3
php-censor versions up to 2.1.6 contain a remote code execution vulnerability in the webhook processing logic. An attacker can manipulate the commitId parameter sent to the Webhook Endpoint to inject and execute arbitrary operating system commands on the affected server. No authentication is required, and the exploit technique has been publicly disclosed, increasing the likelihood of active exploitation.
- CVE-2026-10280HIGH 7.3
Horizon921's mcpilot version 0.1.0 contains a server-side request forgery (SSRF) vulnerability in its MCP API Call Endpoint. An attacker can manipulate the serverBaseUrl parameter to trick the application into making requests to arbitrary internal or external systems. Because this requires no authentication and can be exploited over the network, it represents a meaningful attack surface for anyone running this software. The flaw has already been disclosed publicly and exploit code is available.
- CVE-2026-10281HIGH 7.3
Enderfga's claw-orchestrator contains an authentication bypass in its API endpoint handler. Versions up to 3.5.5 fail to enforce authentication checks in the EmbeddedServer component, allowing unauthenticated remote attackers to access protected functionality. The flaw has been publicly disclosed and exploit code is available. Version 3.5.6 addresses the issue.
- CVE-2026-10287HIGH 7.3
A server-side request forgery (SSRF) vulnerability exists in SourceCodester SEO Meta Tag Extractor version 1.0. An attacker can manipulate the URL parameter passed to the get_headers function in /index.php to make the vulnerable server perform requests on their behalf—potentially accessing internal services, exfiltrating data, or launching attacks against other systems on the network. No authentication is required, and the flaw can be exploited remotely over the network. Public exploit code is already available.
- CVE-2026-10288HIGH 7.3
A flaw in the Hotel and Tourism Reservation System version 1.0 allows attackers to bypass admin authentication. The vulnerability exists in the admin login page where the password verification function can be manipulated, enabling unauthorized access to the administrative interface without valid credentials. An attacker can exploit this remotely over the network, and proof-of-concept code has already been published publicly.
- CVE-2026-10290HIGH 7.3
A SQL injection vulnerability exists in the Hotel and Tourism Reservation System version 1.0, specifically in the tour.php file's GET parameter handler. An attacker can manipulate the 'tour' parameter to inject arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the database. Because the vulnerability is remotely exploitable without authentication, and public exploits are available, organizations running this software face immediate risk.
- CVE-2026-10606HIGH 7.3
DedeCMS version 5.7.88 contains a SQL injection vulnerability in its feedback handling system. An attacker can manipulate user input passed to the TrimMsg function in the feedback component to inject malicious SQL commands. Since no authentication is required and the attack can be performed over the network, this vulnerability poses a significant risk to any organization running the affected version. The vulnerability has already been disclosed publicly, increasing the likelihood of active exploitation.
- CVE-2026-10607HIGH 7.3
DedeCMS 5.7.88 contains a SQL injection vulnerability in its friend links management function. An attacker can manipulate the 'msg' parameter in /plus/flink.php to inject malicious SQL commands, allowing unauthorized database access, modification, or deletion. No authentication is required, and the vulnerability can be exploited over the network. Public exploit code exists, elevating the practical risk.
- CVE-2026-10608HIGH 7.3
DedeCMS version 5.7.88 contains a SQL injection vulnerability in its RemoveXSS function within the /plus/carbuyaction.php file. An attacker can inject malicious SQL commands through the postname or des parameters without authentication, potentially compromising data confidentiality, integrity, and availability. The vulnerability is remotely exploitable and proof-of-concept code has been publicly released.
- CVE-2026-10617HIGH 7.3
GoClaw, a component by nextlevelbuilder, contains a flaw in its webhook verification handler that allows attackers to bypass authentication checks. An unauthenticated remote attacker can exploit this weakness to gain unauthorized access to protected webhook endpoints. The vulnerability affects GoClaw versions up to and including 3.11.3, and exploit code has already been made public, increasing the practical risk.
- CVE-2026-10619HIGH 7.3
A remote authentication bypass vulnerability exists in the sayan365 student-management-system affecting commit 7f3c9ce7d410332335c2affac93a385485051800 and earlier versions. An unauthenticated attacker can bypass authentication controls on multiple endpoints without requiring any special privileges or user interaction. The vulnerability allows attackers to gain unauthorized access to the system with confidentiality, integrity, and availability impact. Public exploit code is now available, increasing immediate risk.
- CVE-2026-10620HIGH 7.3
A SQL injection vulnerability exists in code-projects Student Admission System version 1.0. The flaw resides in the /index.php file and can be exploited by manipulating the eid or did parameters. An attacker can inject malicious SQL commands without authentication, potentially reading or modifying sensitive student and admission data. Public exploit code is available, increasing the likelihood of active exploitation.
- CVE-2026-10694HIGH 7.3
SourceCodester's Online Food Ordering System version 2.0 contains a file inclusion vulnerability in its index.php page parameter. An unauthenticated attacker can supply a malicious page argument to cause the application to include and execute arbitrary files, potentially from the local filesystem or remote sources. This vulnerability requires no user interaction and can be exploited over the network. Public exploits are available.
- CVE-2026-10704HIGH 7.3
SourceCodester's Pizzafy E-Commerce System version 1.0 contains a SQL injection vulnerability in the administrative login function. An attacker can manipulate the username field during authentication to inject malicious SQL commands, potentially gaining unauthorized database access without needing credentials or user interaction. The vulnerability is network-accessible and exploits are now publicly available.
- CVE-2026-10771HIGH 7.3
A server-side request forgery (SSRF) vulnerability exists in CRMEB Java version 1.4. An attacker can manipulate the URL parameter in the RestTemplate.getForEntity function to force the server to make unintended outbound requests. This occurs in the QR code generation endpoint and requires no authentication. Since exploit code has been publicly disclosed, the risk of active exploitation is elevated.
- CVE-2026-10777HIGH 7.3
A weakness in the administrative backend of ealpha072's Student-Management-System allows attackers to bypass authentication controls and gain unauthorized access to sensitive functions. The vulnerability exists in the admin/config.php file and can be exploited remotely without requiring any special privileges or user interaction. Because exploit code is publicly available, the risk of active abuse is elevated. The project uses a rolling release model, so specific patched versions have not been publicly disclosed.
- CVE-2026-11035HIGH 7.3
Google Chrome on Android contains a flaw in how it handles Custom Tabs—a feature that allows apps to open web content within their own interface. An attacker with local access to a device can exploit this vulnerability by crafting a malicious XML file, potentially gaining elevated privileges on the system. The issue affects Chrome versions prior to 149.0.7827.53. While the base severity from Chromium is listed as Medium, the overall risk score reflects the complete attack chain impact.
- CVE-2026-30649HIGH 7.3
A buffer overflow vulnerability exists in VIVOTEK's FD8136 network camera that allows an unauthenticated remote attacker to execute arbitrary code. The flaw is located in the set_getparam.cgi component, which handles parameter processing without proper boundary checks. An attacker on the network can send a specially crafted request to trigger the overflow and gain complete control of the device.
- CVE-2026-30760HIGH 7.3
SourceBans Material Admin, a web-based administration panel, contains a vulnerability that allows unauthenticated attackers to alter user data through a specially crafted XAJAX request. An attacker can send a malicious web request to manipulate account information, permissions, or other critical user attributes without needing valid credentials. This affects versions prior to 1.1.6.
- CVE-2026-30761HIGH 7.3
SourceBans Material Admin v1.1.6 contains a critical weakness in its image upload functionality that allows unauthenticated attackers to upload malicious files and execute arbitrary code on affected servers. An attacker can craft a specially designed image file that bypasses upload validation, leading to remote code execution without needing valid credentials or user interaction. This is a direct pathway to full system compromise.
- CVE-2026-36609HIGH 7.3
A vulnerability in Mercusys AC12G (EU) V1 routers with firmware version AC12G(EU)_V1_200909 allows attackers on the network to recover administrator passwords. The router uses a static authentication nonce (a security token) that remains the same for requests from the same IP address, and combines this with weak password encoding. An attacker who captures authentication traffic can reverse-engineer the encoding to extract plaintext credentials, potentially gaining full administrative control of the router.
- CVE-2026-36611HIGH 7.3
A Mercusys AC12G (EU) V1 router with firmware version AC12G(EU)_V1_200909 has a vulnerability that exposes uninitialized memory to attackers on the same network. When the router receives certain requests on its UPnP port without proper headers, it returns 128 bytes of raw memory content that should have been inaccessible. An attacker with network access can exploit this to leak sensitive internal data without needing credentials.
- CVE-2026-37579HIGH 7.3
SMSGate sms-core versions 2.1.13.6 and earlier contain a remote code execution vulnerability in the CMPP7 message handling component. An unauthenticated attacker on the network can exploit this flaw to execute arbitrary code on affected systems without any user interaction, potentially gaining full control of the SMS gateway infrastructure.
- CVE-2026-39292HIGH 7.3
Falco Solutions PHPPageBuilder version 0.31.0 has a file upload vulnerability that lets attackers upload malicious files without proper checks. An attacker can exploit this to upload executable code and run commands on the affected server, potentially taking complete control of the web application.
- CVE-2026-42061HIGH 7.3
Acronis DeviceLock DLP on Windows contains a local privilege escalation vulnerability stemming from improper permission assignment to child processes. An authenticated user with limited privileges can exploit this flaw to gain elevated system access, potentially compromising data loss prevention controls and system integrity. The vulnerability requires local access and user interaction but delivers high-impact consequences including confidentiality, integrity, and availability breaches.
- CVE-2026-42675HIGH 7.3
Themefic Hydra Booking versions up to 1.1.41 contain a missing authorization flaw that allows attackers to bypass access controls and perform unauthorized actions. An attacker without authentication can exploit incorrectly configured security levels to access or modify booking data and functionality that should be restricted. This is a network-based vulnerability requiring no user interaction or special privileges.
- CVE-2026-44609HIGH 7.3
Acronis DeviceLock DLP for Windows contains a local privilege escalation flaw rooted in insecure executable (EXE) hijacking. An attacker with local system access and user-level privileges can exploit this vulnerability by substituting a legitimate executable that the application loads, forcing the system to run malicious code with elevated permissions. This is a user-interaction scenario—the victim must perform an action that triggers the vulnerable code path—but once activated, it grants an attacker full system control over the affected machine.
- CVE-2026-44682HIGH 7.3
Acronis DeviceLock DLP for Windows contains a vulnerability that allows a local user to gain elevated system privileges through DLL hijacking. An attacker with basic user-level access can exploit this flaw to escalate to administrator or system privileges, potentially compromising the entire endpoint. The vulnerability requires the user to interact with the application, such as launching a dialog or feature that triggers the malicious DLL load.
- CVE-2026-45360HIGH 7.3
Apache Airflow's scheduler contains a deserialization vulnerability in how it handles deadline references created by DAG authors. When a DAG author creates a custom deadline reference, the scheduler deserializes it without validating what code it might execute. An attacker who can author a DAG—or influence its contents—can embed malicious class paths that the scheduler will import and instantiate, gaining the ability to execute arbitrary code within the scheduler's security context and access its database connection.
- CVE-2026-45364HIGH 7.3
Better Auth, a TypeScript authentication library, contained a rate-limiting bypass that allowed attackers to circumvent protections on sensitive endpoints like sign-in, sign-up, and password reset. The vulnerability exploited how the library handled IPv6 addresses in rate-limiting checks. IPv6 clients could generate an enormous number of distinct request origins (up to 2^64 per /64 subnet) by rotating through different source addresses, or bypass limits by varying how a single IPv6 address was encoded (uppercase vs. lowercase, compressed vs. full format, IPv4-mapped notation). This rendered rate limiting ineffective against brute-force attacks on authentication endpoints. Fixed in versions 1.4.17 and 1.5.0-beta.9.
- CVE-2026-46250HIGH 7.3
CVE-2026-46250 is a critical initialization failure in the Linux kernel affecting MIPS-based systems. The vulnerability arises from a compiler bug in LLVM versions 18–21 where the compiler incorrectly restores the `$gp` (global pointer) register even when code intentionally modifies it as a global register variable. On MIPS, the kernel uses `$gp` to track the current thread info, and during boot the kernel relocates itself and updates `$gp` accordingly. When LLVM restores the old `$gp` value after this intentional modification, the register points to pre-relocation memory, causing the kernel to crash during the `init_idle` phase of scheduler initialization. This affects MIPS-based systems including Loongson and other MIPS processors, particularly those compiled with affected LLVM versions.
- CVE-2026-49942HIGH 7.3
Net::CIDR::Set, a Perl library for managing CIDR network blocks, contains a validation flaw in versions through 0.20 that allows attackers to bypass network access controls. The vulnerability stems from improper handling of network masks—the library accepts Unicode digit characters (such as Arabic-Indic numerals) and non-digit characters in mask fields, treating them as valid input. Additionally, leading zeros in masks are processed as decimal rather than octal, creating confusion about which networks are actually permitted. Together, these issues can cause the library to accept significantly larger or differently scoped networks than intended, potentially allowing unauthorized traffic or connections that should have been blocked.
- CVE-2026-50033HIGH 7.3
Acronis DeviceLock DLP for Windows contains a local privilege escalation flaw caused by insecure DLL loading. An authenticated user with limited privileges can trick the application into loading a malicious DLL from an attacker-controlled location, gaining elevated system rights. The vulnerability requires local access and user interaction, but can result in complete system compromise.
- CVE-2026-8876HIGH 7.3
Securly version 3.0.7 of their Chrome Extension contains hardcoded encryption keys embedded directly in the minified JavaScript file. These keys are meant to protect sensitive data like crisis alert keywords and intervention site configurations, but because they're hardcoded and visible in the browser extension code, anyone with access to the extension can decrypt that data. This is a classic case of storing secrets where they shouldn't be stored—effectively rendering the encryption useless.
- CVE-2026-9334HIGH 7.3
CVE-2026-9334 is a type-confusion vulnerability in Cpanel::JSON::XS (a Perl JSON parsing library) that occurs when a specific feature called dupkeys_as_arrayref is enabled. When decoding JSON with duplicate object keys, the library crashes and attempts to dereference attacker-controlled data as a pointer. An attacker can exploit this by sending crafted JSON to any application using this library with the vulnerable setting enabled, potentially leading to denial of service or information disclosure.
- CVE-2026-9658HIGH 7.3
Plack::Middleware::Security::Common, a security middleware for Perl web applications, contains a flaw in how it filters HTTP header injection attacks when they appear in request paths. The middleware was designed to block header injections but only reliably caught attacks that were double-encoded. Single-encoded CRLF sequences (carriage return/line feed) embedded in request paths could slip through, potentially allowing attackers to inject malicious HTTP headers. The actual impact depends on how reverse proxies and the underlying Plack-based server process these malformed requests, which remains unclear in practice.
- CVE-2026-9795HIGH 7.3
A flaw in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature allows a limited administrator to bypass security controls and inject high-privilege roles into a client application. When users authenticate to that client, the injected roles appear in their authentication tokens, granting them unauthorized access. An attacker with restricted admin rights can escalate their own permissions or those of other users without triggering standard approval workflows.
- CVE-2025-11262HIGH 7.2
Link Whisper Free, a WordPress plugin, contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages. When site visitors access affected pages, the injected scripts execute in their browsers, potentially allowing attackers to steal credentials, redirect users, or perform actions on their behalf. The vulnerability stems from improper handling of the user_id parameter and affects all versions up to 0.9.0.
- CVE-2025-41265HIGH 7.2
Waterfall Security's WF-500 TX Host contains a command injection flaw in its web-based administration interface. An attacker with valid administrative credentials can inject malicious operating system commands through the web UI, leading to arbitrary command execution on the device itself. This is a post-authentication attack—the attacker must already have admin-level access—but once inside, they can run any OS-level commands the host permits.
- CVE-2025-41266HIGH 7.2
A command injection vulnerability exists in the Waterfall WF-500 TX Host administration interface that allows authenticated users with elevated privileges to execute arbitrary system commands. An attacker who has already gained administrative access can leverage this flaw to run operating system-level commands, potentially compromising the entire appliance. The vulnerability affects version 7.9.1.0 R2502171040 and requires the attacker to be authenticated and have high-level privileges, reducing but not eliminating the risk in environments where admin credential exposure is a concern.
- CVE-2025-41267HIGH 7.2
A command injection vulnerability exists in the Waterfall WF-500 TX Host administration web interface that allows authenticated administrators to execute arbitrary operating system commands. An attacker with administrative credentials can craft malicious input through the WebUI to bypass command sanitization and gain direct OS-level access to the device. This is a post-authentication attack requiring valid admin credentials, but once exploited, provides complete system compromise.
- CVE-2025-41279HIGH 7.2
Nozomi Networks Labs discovered a command injection vulnerability in Waterfall's WF-500 RX Host administration interface. An authenticated attacker with administrative privileges can inject operating system commands through the web UI, leading to arbitrary code execution on the affected device. This is a serious risk for organizations using this industrial security appliance, as the attacker would gain full control of the host system.
- CVE-2026-10072HIGH 7.2
DreamMaker, a product developed by Interinfo, contains a vulnerability that allows attackers with privileged access to upload arbitrary files to the server. An attacker exploiting this flaw could upload malicious web shells, gaining the ability to execute code and maintain persistent access to the affected system. The vulnerability requires the attacker to have elevated credentials, but once leveraged, it provides complete control over server operations.
- CVE-2026-10843HIGH 7.2
OpenShift's Cloud Credential Operator, when running in Mint mode, assigns AWS credentials with excessive permissions. Instead of limiting destructive actions to resources owned by the cluster, the operator grants account-wide scope. If an attacker compromises these credentials, they can perform destructive actions across the entire AWS account, not just the cluster—making lateral movement and account-wide damage possible.
- CVE-2026-10870HIGH 7.2
Shibby Tomato version 1.28.0000 contains a command injection vulnerability in its web-based configuration interface that allows authenticated administrators to execute arbitrary operating system commands on the router. An attacker with administrative access can manipulate the DHCP client startup function to inject malicious commands, potentially compromising the entire device and any network it serves. Exploit code has been published publicly, increasing the risk of opportunistic attacks.
- CVE-2026-10871HIGH 7.2
Shibby Tomato 1.28.0000 contains a remote command injection vulnerability in its Web UI. An authenticated administrator can craft a malicious request targeting the IPv6 6rd tunnel configuration function, injecting arbitrary operating system commands that execute with the privileges of the affected service. The vulnerability has been publicly disclosed, increasing the likelihood of active exploitation attempts.