2026 · Medium

Medium-severity vulnerabilities disclosed in 2026

Medium-rated CVEs published in 2026, with SEC.co remediation and prioritization guidance.

1128 published vulnerabilities · page 11 of 12

  • CVE-2026-11257MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser implements navigation controls. An attacker can craft a malicious HTML page that, when visited by a user, bypasses the browser's built-in restrictions on where a page can navigate. This allows the attacker to redirect the user to unintended destinations or perform unwanted navigation actions, potentially leading to phishing, credential harvesting, or distribution of malware. The vulnerability requires user interaction (clicking or visiting the page) and affects Chrome on Windows, macOS, and Linux.

  • CVE-2026-11259MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the Cast feature validates user-supplied input. This allows an attacker to craft a malicious webpage that, when visited, can bypass Chrome's same-origin policy—a critical security boundary that prevents websites from accessing data belonging to other sites. The attack requires user interaction (visiting the page) but requires no special privileges. While Chromium rates the underlying severity as Low, the ability to circumvent same-origin policy elevates practical risk.

  • CVE-2026-11260MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in how it handles permissions that allows attackers to bypass the browser's Content Security Policy (CSP) protections via a specially crafted webpage. While the underlying browser vulnerability severity is rated as low, the CVSS assessment elevates this to medium risk because it requires user interaction but could enable an attacker to execute unintended behavior or inject content that CSP should block. The issue affects Chrome on Windows, macOS, and Linux.

  • CVE-2026-11261MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in how it handles PDF rendering that could allow an attacker to trick users into believing they're viewing legitimate content when they're not. If an attacker has already compromised Chrome's rendering engine (the component that displays web pages), they can craft a specially designed HTML page to perform UI spoofing—making fake buttons, warnings, or other interface elements appear authentic. This is a medium-severity issue because it requires both a prior compromise of the renderer process and user interaction to be exploited.

  • CVE-2026-11264MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in how Content Security Policy (CSP) is enforced. An attacker can craft a malicious HTML page that, when visited by a user, bypasses the browser's CSP protections. This allows the attacker to inject or execute content that the website owner intended to block, potentially leading to credential theft, session hijacking, or other attacks that degrade site security. The vulnerability requires user interaction—the victim must visit the malicious page—and does not directly compromise the browser itself or enable data exfiltration.

  • CVE-2026-11266MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in the Safe Browsing feature that allows a remote attacker to bypass its protections by delivering a specially crafted file. An attacker would need to trick a user into opening or interacting with the malicious file, but if successful, the user's safety checks could be circumvented, potentially allowing access to sites or content that Safe Browsing would normally block.

  • CVE-2026-11267MEDIUM 4.3

    A vulnerability in Google Chrome's extension framework allows a malicious extension to bypass content security policy (CSP) protections if a user installs it. The issue stems from insufficient policy enforcement mechanisms that fail to properly validate extension behavior. While the underlying Chromium severity is rated as Low, the CVSS assessment elevates it to Medium due to the user interaction requirement combined with potential integrity impact. An attacker would need to socially engineer a user into installing a compromised extension—a realistic but not trivial attack vector.

  • CVE-2026-11274MEDIUM 4.3

    A flaw in Google Chrome's DOM Distiller component on iOS allows attackers to bypass navigation restrictions through a specially crafted web page. The vulnerability requires user interaction to trigger—specifically, the victim must visit or interact with a malicious page. The impact is limited to breaking navigation boundaries; no data theft or system crashes are involved. Chrome versions prior to 149.0.7827.53 on iOS are affected.

  • CVE-2026-11277MEDIUM 4.3

    A vulnerability in Chrome for iOS allows an attacker to bypass certain access controls through a specially crafted HTML page. The issue stems from insufficient enforcement of security policies in the iOS version of Chrome. An attacker would need to trick a user into visiting a malicious webpage, but no special user privileges are required and the attack is straightforward to execute. The primary risk is unauthorized modification of data or application behavior—not data theft or system crashes.

  • CVE-2026-11280MEDIUM 4.3

    A flaw in Google Chrome's sign-in interface on iOS allows an attacker to trick users with a fake login screen. By crafting a malicious web page, an attacker could make it appear that a legitimate Chrome sign-in prompt is appearing, potentially deceiving users into entering credentials or sensitive information. The vulnerability requires user interaction—visiting a crafted page—but does not require authentication or special privileges to attempt. While Google classifies this at low severity internally, the CVSS score reflects medium risk due to the integrity impact of potential credential theft or trust erosion.

  • CVE-2026-11285MEDIUM 4.3

    Google Chrome on iOS versions before 149.0.7827.53 contain a flaw that allows attackers to trick users with fake, spoofed user interface elements embedded in malicious web pages. An attacker would need to convince a user to visit a crafted HTML page, but no special privileges are required and the attack can be delivered over the network. The vulnerability does not compromise data confidentiality or availability, but could deceive users about what they are viewing or interacting with.

  • CVE-2026-11286MEDIUM 4.3

    A flaw in Google Chrome's Wallet component allows attackers who have already compromised a browser's renderer process to trick users with fake UI elements displayed on a web page. This requires the attacker to first gain control of the renderer—the part of the browser that displays web content—which is a significant prerequisite but not impossible in real-world scenarios where other vulnerabilities or social engineering may be chained together.

  • CVE-2026-11291MEDIUM 4.3

    A flaw in how Google Chrome handles autofill on Android devices allows an attacker to craft a malicious webpage that can bypass the browser's same-origin policy protections. By tricking a user into visiting their page, an attacker could potentially manipulate how Chrome autofills data in unexpected ways. Google rates this as low severity internally, though the CVSS score reflects it as medium risk due to the user interaction required and limited scope of potential impact.

  • CVE-2026-11292MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in the Blink rendering engine that allows attackers to bypass Content Security Policy (CSP) protections through a specially crafted webpage. An attacker would need to trick a user into visiting a malicious site, where the weakness could enable injection of unintended content or scripts that CSP was supposed to prevent. While Chromium rates this as low severity, the CVSS score reflects moderate impact potential because CSP bypass can lead to unauthorized modifications of page behavior.

  • CVE-2026-11294MEDIUM 4.3

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in password handling that allows attackers to create fake or misleading login screens through specially crafted web pages. An attacker would need to trick a user into visiting a malicious website, but once there, the browser's UI protections don't adequately prevent visual deception. This is not an authentication bypass—it's a user interface trick that could mislead people about whether they're interacting with legitimate Chrome UI or attacker-controlled content.

  • CVE-2026-11298MEDIUM 4.3

    A vulnerability in Google Chrome for iOS allows attackers to bypass the same-origin policy—a critical security boundary that prevents websites from accessing data belonging to other sites—by tricking users into visiting a specially crafted webpage. The flaw affects Chrome versions before 149.0.7827.53 on iPhones and iPads. While the Chromium project rated this as low severity, the CVSS score reflects a medium severity due to the potential for information disclosure or unauthorized content modification in cross-origin contexts.

  • CVE-2026-11300MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in how it handles permissions that allows an attacker to trick users with a specially crafted web page. The attack doesn't steal data or crash the browser—instead, it displays fake permission dialogs or UI elements that might convince a user to grant access they shouldn't. The attacker needs the victim to visit the malicious page, but no special user configuration is required beforehand.

  • CVE-2026-11302MEDIUM 4.3

    A security flaw in Google Chrome for iOS allows attackers to bypass access controls through a specially crafted web page. The vulnerability requires user interaction—a person must visit the malicious page—but does not require any special privileges or system access to attempt exploitation. While Chromium's internal assessment classified this as low severity, the CVSS score of 4.3 reflects moderate concern, primarily because it can lead to unauthorized actions or changes within the browser's trust model, though it does not expose sensitive data or crash the application.

  • CVE-2026-11309MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser enforces policies for the History feature. An attacker can craft a deceptive webpage that tricks users into believing they're interacting with legitimate browser UI elements or content. While the vulnerability requires user interaction and doesn't directly expose sensitive data or crash the browser, the spoofing capability could be weaponized in social engineering campaigns to steal credentials or manipulate user behavior.

  • CVE-2026-11337MEDIUM 4.3

    A reflected cross-site scripting (XSS) vulnerability exists in tittuvarghese CollegeManagementSystem affecting the fetch.php endpoint. An attacker can inject malicious scripts through the department_name parameter, which are then executed in a victim's browser when they interact with a crafted link. The attack requires user interaction but no authentication, making it a practical threat in educational environments where students and staff may click on shared links. Public exploit code is available, increasing the likelihood of opportunistic attacks.

  • CVE-2026-11436MEDIUM 4.3

    Mage AI versions up to 0.9.79 contain a reflected cross-site scripting (XSS) vulnerability in the sign-in flow. An attacker can craft a malicious URL with a manipulated redirect parameter that, when clicked by a user, executes JavaScript in the victim's browser within the context of the Mage AI application. The vulnerability requires user interaction—someone must click the malicious link—but no authentication is needed to trigger it. Public exploit details are now available.

  • CVE-2026-11477MEDIUM 4.3

    CVE-2026-11477 is an open redirect vulnerability in the OAuth2 Client component of hsweb-framework versions up to 5.0.1. An attacker can craft a malicious URL that tricks users into being redirected to an external website after authenticating through your application's OAuth2 flow. This could be used for phishing or credential harvesting attacks. The vulnerability requires user interaction (clicking a link) but can be exploited over the network without authentication. Public exploit code is already available.

  • CVE-2026-11492MEDIUM 4.3

    A vulnerability in the D-Link DIR-823G router (firmware version 1.0.2B05) allows an authenticated attacker to modify the vsftpd configuration file in a way that violates least privilege protections. The flaw can be exploited remotely by someone with valid login credentials. While the barrier to entry requires authentication, the impact is a privilege escalation that could allow an attacker to exceed their intended access level on the device.

  • CVE-2026-11494MEDIUM 4.3

    A privilege escalation vulnerability has been discovered in TOTOLIK AC1200 T8 running firmware version 4.1.5cu.8611. The flaw resides in the vsftpd (Very Secure FTP Daemon) configuration file and allows an authenticated attacker to modify settings in a way that violates the principle of least privilege. While the vulnerability requires valid login credentials to exploit, successful attacks could lead to unauthorized configuration changes that broaden attacker capabilities on the device. Public disclosure of this issue means exploitation techniques are available in the wild.

  • CVE-2026-11512MEDIUM 4.3

    A cross-site scripting (XSS) vulnerability has been discovered in itsourcecode Hospital Management System version 1.0. The flaw exists in the billing module (/billing.php) and can be triggered by manipulating the patientid parameter. An attacker can craft a malicious link or form that, when clicked by a hospital staff member or administrator, injects arbitrary JavaScript into their browser session. This could allow the attacker to steal session credentials, modify billing records, or perform unauthorized actions on behalf of the logged-in user. The vulnerability requires user interaction (a victim must click a malicious link) but needs no authentication to set up the attack. Public exploit details are available, increasing real-world risk.

  • CVE-2026-11518MEDIUM 4.3

    SourceCodester Inventory System version 1.0 contains a cross-site scripting (XSS) vulnerability in its user management functionality. An attacker can inject malicious code through the fullname or username fields in the /users.php file, which is then reflected back to users viewing that data. While the vulnerability requires user interaction (such as clicking a malicious link), it could be exploited remotely to steal session cookies, redirect users, or perform actions on their behalf within the application.

  • CVE-2026-11554MEDIUM 4.3

    A privilege escalation weakness has been identified in TOTOLINK CP450 version 4.1.0cu.747 affecting the vsftpd FTP service configuration. An authenticated attacker can modify the /etc/vsftpd.conf file in a way that violates the principle of least privilege, potentially allowing them to expand their access or capabilities on the device. The vulnerability requires valid login credentials to exploit, but once leveraged, could enable unauthorized actions. Public details about this issue are already available, increasing the likelihood of active exploitation.

  • CVE-2026-11665MEDIUM 4.3

    A flaw in Google Chrome's graphics rendering engine (Dawn) on Windows could allow an attacker to trick a user into visiting a malicious webpage that leaks sensitive data from other websites the user is logged into. The vulnerability requires user interaction—the user must visit the crafted page—but does not require any special permissions or complex attack setup. The leaked data is limited in scope and does not include the ability to modify or destroy information.

  • CVE-2026-11668MEDIUM 4.3

    Google Chrome and Chrome OS contain a weakness in their video codec processing that could allow a remote attacker to steal data from other websites. The flaw stems from uninitialized memory in the codec layer—essentially, the browser fails to properly initialize certain memory regions before use. An attacker can craft a malicious video file that, when opened by a user, exploits this memory state to read sensitive information across security boundaries. The vulnerability affects Chrome on Linux and Chrome OS versions prior to 149.0.7827.103.

  • CVE-2026-11685MEDIUM 4.3

    Google Chrome on macOS contains a flaw in how it handles media capture permissions that could allow an attacker to trick you into revealing data meant to be private to a specific website. By crafting a malicious webpage, an attacker can bypass Chrome's protections and leak information across website boundaries—essentially stealing data that should stay isolated to one origin. The vulnerability requires user interaction, such as visiting a malicious page, but does not require special privileges or system-level access.

  • CVE-2026-11695MEDIUM 4.3

    Google Chrome prior to version 149.0.7827.103 contains a flaw in its password handling logic that could allow an attacker to leak sensitive data across website boundaries. An attacker would need to craft a malicious HTML page and convince a user to visit it, but the vulnerability itself does not require the user to take additional actions beyond normal browsing. The leaked data is restricted to information accessible within the browser context of the affected user.

  • CVE-2026-11785MEDIUM 4.3

    CVE-2026-11785 is a flaw in 389 Directory Server that leaks partial stack memory addresses to authenticated users through LDAP responses. An attacker with valid LDAP credentials can trigger a type confusion error during SSO token processing, causing the server to inadvertently expose memory layout information. This is a limited disclosure risk—the attacker must already be authenticated, and only partial address information is exposed—but it can provide a foothold for more advanced attacks that rely on defeating address space layout randomization (ASLR).

  • CVE-2026-24756MEDIUM 4.3

    Kiteworks, a platform for secure data sharing and management, contains a flaw that allows authenticated users to modify data belonging to other users. The vulnerability stems from the application failing to properly verify that a user should have access to resources they're attempting to change. An attacker with valid credentials could exploit this to alter forms, templates, or other shared resources without authorization. The fix requires upgrading to version 9.3.0 or later.

  • CVE-2026-28511MEDIUM 4.3

    eLabFTW, an open-source electronic lab notebook platform, contains an information disclosure vulnerability affecting versions before 5.4.2. When an authenticated user performs a numeric search or reference lookup, the system may return resource titles that the user should not have access to view. The actual content of those resources remains protected—only the titles are exposed. This is particularly concerning because titles may contain sensitive information such as project names, patient identifiers, or regulated data that could constitute unauthorized disclosure.

  • CVE-2026-32250MEDIUM 4.3

    NamelessMC, a website platform used for Minecraft server management, contains a reflected cross-site scripting (XSS) vulnerability in version 2.2.4. The flaw exists in how the application handles the `id` parameter on the user queries endpoint. An attacker can embed malicious JavaScript in a specially crafted URL; when a user clicks that link, the script runs in their browser with access to the site's session and data. This could enable attackers to steal session cookies, redirect users to phishing pages, or modify page content to deceive users.

  • CVE-2026-32906MEDIUM 4.3

    OpenClaw versions prior to 2026.5.12 contain a privilege escalation flaw in their Slack plugin approval system. Users who hold limited exec approval permissions can manipulate the approval workflow to bypass intended authorization checks, allowing them to approve plugin actions that should require additional oversight or operator configuration. The vulnerability requires an authenticated user to exploit, reducing but not eliminating risk in environments with permissive access controls.

  • CVE-2026-34193MEDIUM 4.3

    CVE-2026-34193 describes a logic error in GPU memory address translation that allows a compromised kernel running inside a virtual machine to send malformed commands to the GPU firmware, causing it to write data to unintended locations in firmware memory. The vulnerability requires local access and an already-compromised kernel to exploit, but once triggered, it can corrupt GPU firmware state without authorization.

  • CVE-2026-36602MEDIUM 4.3

    A Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 has a flaw in its UPnP service that exposes internal kernel memory addresses to anyone on the same network segment. An attacker can query the router's UPnP interface to extract a raw MIPS kernel pointer, effectively creating a roadmap of how the router's operating system is laid out in memory. While this doesn't directly compromise the device, it removes a significant barrier to follow-up attacks by revealing memory layout details that are normally hidden.

  • CVE-2026-36613MEDIUM 4.3

    Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 leak sensitive internal memory to unauthenticated attackers on the same network. When an attacker sends HTTP POST requests to non-existent paths on the router's web interface, the device inadvertently returns 128 bytes of uninitialized buffer memory. This exposed data may contain router state information, configuration details, or other sensitive runtime values. The vulnerability requires physical or network adjacency—an attacker must be on the same local network segment—but no authentication or user interaction is needed to trigger it.

  • CVE-2026-36615MEDIUM 4.3

    The Mercusys AC12G (EU) router running firmware version AC12G(EU)_V1_200909 contains an unauthenticated information disclosure vulnerability. An attacker on the same local network can access a hidden endpoint (/agileconfigreset) that leaks internal buffer contents without requiring any credentials or user interaction. This information could be used to further compromise the device or the network it serves.

  • CVE-2026-36618MEDIUM 4.3

    The Mercusys AC12G (EU) router with firmware version AC12G(EU)_V1_200909 has a configuration issue that allows anyone on the local network to discover which version of the DNS resolver software (unbound 1.22.0) is running on the device. An attacker can query the router for this information and use it to identify known vulnerabilities affecting that specific DNS software version, making targeted attacks easier. This is a local network exposure only—an attacker would need network access to the router or its subnet to exploit it.

  • CVE-2026-4058MEDIUM 4.3

    A WordPress plugin used for user management and registration has a security gap that allows any logged-in user with basic Subscriber permissions to cancel subscription plans belonging to other users—including site administrators. This missing permission check means a low-privilege attacker could disrupt subscriptions, affect billing relationships, and potentially lock administrators out of paid features. The vulnerability exists in all versions up to 4.3.2.

  • CVE-2026-4071MEDIUM 4.3

    The BirdSeed WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to change the plugin's authentication token without the site administrator's knowledge. An attacker can craft a malicious link or webpage that, when clicked by an admin, silently modifies the BirdSeed token stored in the site's database. This breaks the trust chain between your WordPress site and the BirdSeed service. The vulnerability affects all versions up to and including 2.2.0 and requires social engineering—tricking an administrator into clicking a link—but no authentication or special privileges are needed from the attacker's side.

  • CVE-2026-40914MEDIUM 4.3

    Apache Artemis has a flaw in how it enforces permissions when users communicate via the STOMP protocol. A user with permission to send or receive messages on a particular address can trick the system into accepting messages with a message routing-type that the address doesn't normally support. This bypasses an important security boundary: only administrators with explicit createAddress permission should be able to change an address's routing-type capabilities. An attacker could exploit this to send or consume messages in ways that violate the intended security policy, even though their basic send/consume permissions are legitimate.

  • CVE-2026-41014MEDIUM 4.3

    Apache Airflow contains an authorization bypass in its UI that allows authenticated users to view information about data pipeline runs (DAGs) they shouldn't have access to. Specifically, a user with broad asset-level read permissions can see partition run states, scheduling details, and data connections for DAGs restricted to other teams or users. This affects only deployments that intentionally segment DAG access by user or role while granting wider asset visibility. The vulnerability requires an existing user account and network access to the Airflow UI or API.

  • CVE-2026-41115MEDIUM 4.3

    Apache Kafka contains an authorization mismatch in its consumer group metadata API. The CONSUMER_GROUP_DESCRIBE operation checks for DESCRIBE permission on groups, but Kafka's documentation and the relevant design specification (KIP-848) incorrectly state it should check for READ permission. This inconsistency between code behavior and documentation can lead to misconfigured access controls—either granting unintended READ access to users who only have DESCRIBE permissions, or blocking legitimate access for users who rely on documentation-based ACL configurations. The vulnerability is not a code flaw but a documentation gap that can cause real-world security postures to diverge from intent.

  • CVE-2026-41160MEDIUM 4.3

    EspoCRM contains a logic flaw that allows lower-privileged users to pin notes they don't have permission to edit. The vulnerability stems from a timing issue in the API backend: the system modifies the note in the database before checking whether the user is actually authorized to do so. Even though the server returns an error message afterward, the damage is already done—the note remains pinned. This affects EspoCRM versions before 9.3.5.

  • CVE-2026-41983MEDIUM 4.3

    A denial-of-service vulnerability exists in a browser kernel component that can be triggered through user interaction. An attacker can craft malicious content that, when encountered by a user, causes the browser to become unresponsive or crash. The vulnerability requires user action (clicking a link, viewing a page) and does not allow attackers to steal data or modify system content—only to disrupt availability.

  • CVE-2026-42540MEDIUM 4.3

    IRIS is a collaborative web platform used by incident response teams to share and document technical details during security investigations. A vulnerability in versions before 2.4.28 allows authenticated users to modify database records through specially crafted API requests, potentially corrupting or altering incident investigation data. The issue requires valid login credentials to exploit and affects data integrity rather than confidentiality.

  • CVE-2026-42543MEDIUM 4.3

    IRIS, a web-based platform used by incident responders to collaborate and share technical details during investigations, contains a cross-site request forgery (CSRF) vulnerability in versions prior to 2.4.28. The vulnerability exists because the platform uses HTTP GET requests to perform state-changing actions on the server—a design flaw that allows an attacker to trick authenticated users into unknowingly executing unwanted actions. An attacker could craft a malicious link or webpage that, when visited by an IRIS user, silently modifies data or settings without the user's knowledge or consent.

  • CVE-2026-45264MEDIUM 4.3

    Nextcloud versions spanning 17.0.0 through 21.0.3 contain a permission bypass vulnerability that allows users with read and create access—but explicitly not update access—to rename files within team folders. This unintended capability undermines the granular permission model Nextcloud enforces, potentially enabling unauthorized modification of file metadata and organizational disruption. The issue affects a broad version range and has been patched across all active release lines.

  • CVE-2026-45286MEDIUM 4.3

    An authenticated user on a Nextcloud instance can discover other users' identities by abusing the Calendar app's attendee-suggestion feature. The vulnerability exists because this endpoint bypasses the access controls that Nextcloud applies elsewhere. An attacker already logged into the system can systematically enumerate valid usernames, potentially laying groundwork for targeted attacks like password spraying or social engineering. The flaw affects Nextcloud versions 5.5.13 through 5.5.16 and 6.2.0 through 6.2.2.

  • CVE-2026-45544MEDIUM 4.3

    Nextcloud Tables, a collaborative document and data management component, contains an information disclosure vulnerability affecting versions 0.8.0 through 1.0.3. The issue allows users with read-only access to view filter criteria—potentially including sensitive column names, field definitions, or search logic—that should have been restricted to higher-privilege users. This represents a low-severity data exposure that could leak operational details about table structure and content filtering strategies. The vulnerability has been resolved in Nextcloud Tables versions 1.0.4 and 2.0.0.

  • CVE-2026-45729MEDIUM 4.3

    ThorVG, a vector graphics rendering engine, contains a flaw that can crash applications using it when they process malicious SVG files. An attacker can craft a specially formatted SVG document as small as 6 bytes that triggers an application crash when the affected code path is invoked. This is a denial-of-service vulnerability affecting availability but not data confidentiality or integrity. The issue was introduced in earlier versions and is resolved in ThorVG 1.0.5.

  • CVE-2026-45776MEDIUM 4.3

    OpenXDMoD is an open-source framework used by HPC (high-performance computing) centers to collect and monitor system performance metrics. Versions before 11.0.3 contain a session-handling flaw that allows an authenticated attacker to manipulate authorization checks. If an installation includes the optional Job Performance (SUPReMM) module, an attacker could view other users' job efficiency data they shouldn't have access to. The vulnerability requires an existing login but does not require admin privileges.

  • CVE-2026-46605MEDIUM 4.3

    Apache ActiveMQ has an authorization flaw that allows authenticated users to delete message queues and topics they shouldn't be able to modify. An attacker with valid credentials to your messaging system could disrupt operations by removing critical destinations, even if permission controls suggest they shouldn't have that ability. This affects ActiveMQ versions before 5.19.7 and 6.0.0 through 6.2.5.

  • CVE-2026-46764MEDIUM 4.3

    Apache Airflow contains an authorization bypass flaw in its audit-log API endpoints. An authenticated user with read access to audit logs for one workflow (Dag) can bypass per-Dag scoping restrictions and view audit-log entries from any other Dag in the same Airflow deployment by directly requesting specific event log IDs. The vulnerability stems from inconsistent permission enforcement: the collection endpoint properly restricts results by Dag, but the detail endpoint applies only a generic audit-log permission check without verifying the requester has access to the specific Dag whose logs are being retrieved. This allows low-privileged users to enumerate and read sensitive audit trails across Dags they should not be able to access.

  • CVE-2026-47675MEDIUM 4.3

    Hono, a JavaScript web framework, contains a flaw in how it sanitizes cookie options. While the framework validates certain cookie parameters (domain and path) to prevent malicious characters from breaking the Set-Cookie header, it fails to apply the same checks to sameSite and priority options. If an application passes user-controlled input directly into these parameters, an attacker could inject additional cookie attributes into the response header, potentially manipulating cookie behavior or setting unintended security policies.

  • CVE-2026-47696MEDIUM 4.3

    WWBN AVideo, an open-source video hosting platform, contains a payment processing vulnerability in versions 29.0 and earlier. When both the AuthorizeNet and YPTWallet plugins are active, any logged-in user can artificially inflate their account wallet balance without actually paying. The vulnerable endpoint accepts a user-supplied amount parameter and immediately credits the wallet without verifying that a real payment transaction occurred through Authorize.Net. This is a financial manipulation flaw that bypasses payment authentication entirely.

  • CVE-2026-48092MEDIUM 4.3

    7-Zip versions 9.34 through 26.00 contain a flaw in how they process SquashFS archive files that can leak sensitive data from memory when extracting files. The vulnerability exists only in 32-bit builds of 7-Zip and requires an attacker to craft a malicious archive with specially modified metadata. When a user extracts such an archive, heap memory contents that should remain private are instead written into the extracted file, potentially exposing passwords, encryption keys, or other sensitive information stored in memory. The issue stems from integer arithmetic wrapping that bypasses safety checks. Users on 64-bit systems are not affected.

  • CVE-2026-48103MEDIUM 4.3

    7-Zip versions 9.34 through 26.00 contain a memory read vulnerability in the WIM (Windows Imaging Format) archive handler. When processing specially crafted WIM files, the software reads a small amount of data just beyond an allocated memory region due to an off-by-one error in bounds checking. This occurs automatically in the file manager when listing directory contents, requiring only that a user open or preview a malicious WIM file. The practical impact is limited to crashes or potential minor leaks of adjacent memory; no file corruption or system compromise is possible through this flaw alone.

  • CVE-2026-48111MEDIUM 4.3

    7-Zip versions 9.21 through 26.00 contain a boundary-checking flaw in their UEFI firmware image parser. When processing certain archive sections, the parser uses an incorrect comparison operator that allows a malicious opcode value to read data beyond an array's bounds. This can either crash the application when the out-of-bounds memory is invalid, or leak small amounts of adjacent string data into the archive's metadata. The flaw is triggered automatically when opening a specially crafted archive file, but the leaked information is limited and does not expose sensitive data or memory layout information.

  • CVE-2026-48810MEDIUM 4.3

    FreeScout, a free help desk platform built on Laravel, contains an authorization flaw in version 1.8.220 and earlier. A user with conversation editing permissions who authored a message in one mailbox can edit that message's content even after an administrator removes them from that mailbox. The vulnerability exploits a gap in access controls: the system verifies the user created the message and has the global edit permission, but fails to confirm the user still belongs to the mailbox where the conversation lives. This allows former mailbox members to alter thread history and potentially mislead team members or customers.

  • CVE-2026-48811MEDIUM 4.3

    FreeScout, an open-source helpdesk and shared inbox platform, contains a flaw that allows former team members to permanently delete internal notes—even after their access to the mailbox has been revoked. A non-admin user who previously created private threads in a conversation can return and destroy those notes without authorization, because the system fails to verify whether the user still belongs to the mailbox. This affects FreeScout versions before 1.8.221.

  • CVE-2026-4888MEDIUM 4.3

    Everest Forms, a popular WordPress form-building plugin, contains a security flaw that allows low-privilege logged-in users to send emails from your website to anyone they choose. Any user with Subscriber access or higher can exploit this by calling an internal email-testing function without proper permission checks. This doesn't require clicking malicious links or advanced technical skills—just authenticated access to your WordPress admin panel.

  • CVE-2026-49140MEDIUM 4.3

    Nanobot versions before 0.2.1 have a denial-of-service flaw in how they handle media downloads from Matrix chat rooms. An authenticated user in a room can deliberately send specially crafted media events with missing or wrong size information, causing the system to download large files without properly checking their declared sizes first. By sending many of these malicious requests at once, an attacker can force the Nanobot process to consume excessive memory and bandwidth until the service becomes slow or unresponsive. The attacker must already be a member of the room to exploit this.

  • CVE-2026-49322MEDIUM 4.3

    The 2025 Indian Motorcycle Scout Bobber + Tech model contains a flaw in its wireless control system that allows someone with access to the motorcycle's internal network to steal the owner's PIN unlock code by observing just a single authentication attempt. Instead of using proper cryptographic security, the system performs simple mathematical operations that can be reversed to recover the PIN, completely bypassing the bike's primary security lock.

  • CVE-2026-49323MEDIUM 4.3

    The 2025 Indian Motorcycle Scout Bobber + Tech model contains a flaw in how its wireless control module authenticates with the engine control module. An attacker positioned on the vehicle's internal network can intercept a single authentication exchange and reverse-engineer the motorcycle's immobilizer secret—the cryptographic key that prevents unauthorized engine starts. Once recovered, the attacker can bypass the immobilizer entirely and start the engine without the key fob.

  • CVE-2026-49369MEDIUM 4.3

    JetBrains YouTrack versions before 2026.1.13162 contained a flaw that allowed authenticated users to access sensitive information about other users and groups they shouldn't be able to see. The vulnerability is limited to the Users and Groups administrative pages and requires valid login credentials to exploit. This is a straightforward authorization issue where the application failed to properly restrict who could view certain user and group data.

  • CVE-2026-49377MEDIUM 4.3

    JetBrains TeamCity contains a configuration flaw where default agent parameters inadvertently expose sensitive data to authenticated users. An attacker with valid login credentials can access information through TeamCity's agent configuration that should remain restricted. This is a network-accessible issue affecting TeamCity deployments before version 2025.11.2, though the vulnerability requires prior authentication to exploit.

  • CVE-2026-49378MEDIUM 4.3

    JetBrains TeamCity contained a vulnerability where stored credentials could be inadvertently exposed through the parameter autocompletion feature. When users typed in parameter fields, the system would suggest previously stored credential values, potentially revealing sensitive authentication data to anyone with access to the TeamCity interface. This issue affects TeamCity versions prior to 2026.1 and requires an authenticated user to interact with the affected feature. The exposure is limited to local disclosure within the TeamCity environment rather than remote exfiltration.

  • CVE-2026-7047MEDIUM 4.3

    The Frontend User Notes plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability affecting all versions through 2.1.1. An attacker can craft a malicious webpage that, when visited by a logged-in WordPress user, silently overwrites that user's own notes without their knowledge or consent. The attack requires social engineering—tricking the victim into clicking a link or visiting a malicious site—but once successful, allows unauthorized modification of the victim's note content. Importantly, the vulnerability is self-contained: attackers cannot use it to tamper with other users' notes, only those belonging to the person they've tricked.

  • CVE-2026-7523MEDIUM 4.3

    The Alba Board plugin for WordPress contains a flaw that allows attackers to bypass access controls and view sensitive project information they shouldn't be able to see. An authenticated user with basic subscriber access can retrieve private card data—titles, descriptions, due dates, and comments—that should be restricted to administrators and editors only. More critically, the vulnerability can be exploited by unauthenticated site visitors if the Alba Board shortcode appears anywhere on the website, because the security token (nonce) is exposed in the page source. All versions up to and including 2.1.3 are affected.

  • CVE-2026-7526MEDIUM 4.3

    The PDF Embedder plugin for WordPress contains a flaw that allows authenticated users with basic contributor permissions or higher to access sensitive configuration information. If the premium add-on is installed with a saved license key, that key can be exposed; on free installations, the exposure is limited to non-sensitive viewer settings like dimensions and toolbar options. An attacker would need valid WordPress login credentials at the contributor level or above to exploit this, but no user interaction or network complexity is required once authenticated.

  • CVE-2026-7533MEDIUM 4.3

    The Easy Digital Downloads plugin for WordPress contains a security flaw that allows attackers to hijack a store's Square payment processing account. An attacker can send a malicious link to a WordPress administrator; if clicked while logged in, the link silently changes the store's Square payment credentials to attacker-controlled ones, redirecting future payments to the attacker. The vulnerability exists because the plugin does not verify that payment configuration requests come from legitimate, authorized actions—a standard web security practice called CSRF protection.

  • CVE-2026-7621MEDIUM 4.3

    The SMTP2GO for WordPress plugin contains an authorization flaw that allows any logged-in user with subscriber-level permissions or higher to delete all SMTP email logs from the database or export sensitive email records to CSV format. This affects all versions up to 1.16.0 and exposes recipient addresses, sender information, message subjects, and API response data. An attacker with basic user access can perform these destructive and data-exfiltration actions without additional authentication checks.

  • CVE-2026-7624MEDIUM 4.3

    The Squirrly SEO plugin for WordPress has an access control flaw that allows lower-privileged users to perform actions meant only for administrators. Specifically, a contributor-level user can disconnect the website from Google Search Console and Google Analytics by invoking backend API calls that should be blocked. This is a privilege escalation issue affecting all versions up to 12.4.16.

  • CVE-2026-8422MEDIUM 4.3

    The Remove meta boxes per user role WordPress plugin contains a security flaw that allows attackers to change how meta boxes (content panels) are hidden or shown for different user roles on a WordPress site. An attacker can't do this directly, but by tricking a site administrator into clicking a malicious link, the attacker can force the admin's browser to make unauthorized changes to these visibility settings. The vulnerability affects all versions up to and including 1.01.

  • CVE-2026-8611MEDIUM 4.3

    A WordPress plugin called Klamra Paycal for Aspaclaria contains a flaw that allows authenticated users with subscriber-level permissions to access and download invoices belonging to other customers. The vulnerability stems from insufficient access controls on invoice retrieval—an attacker can simply modify an invoice identifier in a request to view sensitive billing data from any customer, including names, email addresses, phone numbers, order amounts, and internal notes. No special privileges or user interaction are required beyond basic authenticated access.

  • CVE-2026-8682MEDIUM 4.3

    The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On WordPress plugin contains a flaw that allows users with basic subscriber access to change critical plugin settings they should not be able to modify. An authenticated attacker can bypass authorization checks to write arbitrary data directly to the plugin's configuration stored in the database, potentially affecting how the 3D viewer and virtual try-on features function across the site.

  • CVE-2026-8689MEDIUM 4.3

    The Visualizer: Tables and Charts Manager WordPress plugin contains an authorization bypass flaw that allows logged-in users with minimal privileges (Subscriber level and above) to create chart posts without proper permission checks and to view or modify charts belonging to other users, including site administrators. The vulnerability affects all versions through 3.11.14 and stems from missing capability validation in two critical AJAX functions. While the flaw requires an authenticated account, the low barrier to entry and potential for unauthorized data access make it a meaningful risk for multi-user WordPress installations.

  • CVE-2026-8976MEDIUM 4.3

    The RSS Aggregator by Feedzy plugin for WordPress fails to properly verify user permissions, allowing contributors and higher-level users to perform administrative actions they shouldn't be able to access. An authenticated attacker with basic contributor rights can create RSS import jobs, delete all posts from any import, clear error logs, and view sensitive taxonomy and post metadata information. The vulnerability is particularly dangerous because the security token needed to perform these actions is automatically exposed to anyone who can edit posts through the block editor interface—no additional hacking or theft is required.

  • CVE-2026-8995MEDIUM 4.3

    The Poll Maker – Versus Polls plugin for WordPress has a flaw that lets logged-in users see sensitive account information they shouldn't access, including password hashes. The vulnerability stems from an AJAX endpoint that returns the entire WordPress user object without proper security checks. Any subscriber or higher can call this endpoint and retrieve not just their own data, but potentially others' account details including email addresses, registration dates, roles, and capabilities. While the exposure doesn't immediately compromise an account, the password hash data could be targeted by offline cracking attempts.

  • CVE-2026-9008MEDIUM 4.3

    The Page-list plugin for WordPress contains an authorization flaw in its shortcode feature that allows authenticated users with contributor-level or higher permissions to view sensitive content they shouldn't be able to access. By inserting a specially crafted shortcode into a draft post and previewing it, attackers can extract titles, body text, and metadata from private or draft pages across the entire site. The vulnerability exists because the plugin doesn't verify whether the current user is permitted to view the pages being queried.

  • CVE-2026-9015MEDIUM 4.3

    The Equalize Digital Accessibility Checker plugin for WordPress contains a flaw that allows users with basic subscriber access to modify accessibility audit findings they shouldn't be able to touch. An authenticated attacker can change whether issues are marked as ignored, alter the reason for ignoring them, and add comments to any accessibility finding on the site. In some cases, they can perform bulk modifications across multiple related findings at once. This means someone with minimal privileges could systematically hide or dismiss accessibility compliance problems, undermining the integrity of WCAG and ADA audit records without proper authorization.

  • CVE-2026-9048MEDIUM 4.3

    Slider Revolution, a popular WordPress plugin, contains a vulnerability that allows authenticated users with basic contributor privileges to view sensitive social media API credentials through a specific AJAX action. An attacker with contributor-level access or higher can call the 'slider.get.full' AJAX action to retrieve raw API tokens and keys—including Instagram OAuth tokens, Flickr API keys, YouTube Data API credentials, and Facebook App IDs—that have been configured within slider settings. This exposure affects plugin versions 7.0.0 through 7.0.14.

  • CVE-2026-9050MEDIUM 4.3

    Slider Revolution, a popular WordPress plugin, contains a flaw that allows contributors and higher-privileged users to disable any plugin on a WordPress site without proper authorization checks. An attacker with basic contributor access—a common account level in multi-author sites—can leverage this to shut down security plugins, backup solutions, or other critical extensions. The vulnerability affects versions 6.0.0 through 6.7.55 and 7.0.0 through 7.0.14.

  • CVE-2026-9228MEDIUM 4.3

    A WordPress plugin called Timetable and Event Schedule by MotoPress has a flaw that allows users with contributor-level access or higher to see confidential information they shouldn't have access to. Specifically, they can view drafts, pending reviews, and private event posts created by other users, including the content, excerpts, and author information. The vulnerability stems from the plugin failing to properly validate user input when retrieving event data, making it possible to directly access posts by guessing or enumerating their IDs.

  • CVE-2026-9234MEDIUM 4.3

    The JTL-Connector for WooCommerce plugin contains authorization flaws that allow low-privileged WordPress users (Subscriber level and above) to perform administrative actions without proper permission checks. Specifically, attackers can change plugin configuration, download sensitive log files containing developer information, and delete those logs. This bypasses WordPress's built-in permission model and could lead to configuration tampering or information disclosure.

  • CVE-2026-9241MEDIUM 4.3

    The FOX – Currency Switcher Professional for WooCommerce plugin contains a flaw that lets authenticated users trick the system into thinking they have higher privileges than they actually do. By manipulating a request parameter, a subscriber-level user can impersonate a wholesale customer or administrator to access pricing they shouldn't be able to see. This only matters if your store uses the fixed user-role pricing feature and has set special prices for privileged customer types.

  • CVE-2026-9599MEDIUM 4.3

    The Tectite Forms plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions through 1.3. An attacker can trick a site administrator into clicking a malicious link, which then allows the attacker to change the plugin's settings without the administrator's knowledge. This could include modifying the tectite_forms_button option or other plugin configurations. The vulnerability requires social engineering but poses a real risk to WordPress sites using this plugin.

  • CVE-2026-9618MEDIUM 4.3

    The PeachPay plugin for WordPress, which integrates payment processing for Stripe, PayPal, Square, and other providers, contains a cross-site request forgery (CSRF) vulnerability in all versions up to 1.120.46. An attacker can craft a malicious link or webpage that, when clicked by a site administrator, silently deletes all stored Stripe credentials from the site's database without the administrator's knowledge or consent. This disables Stripe payments immediately and requires the administrator to reconfigure the integration. The attack requires social engineering to trick an admin into clicking the link, but requires no special authentication or technical sophistication once the admin takes the bait.

  • CVE-2026-9719MEDIUM 4.3

    The LatePoint WordPress plugin, which handles calendar booking and appointment scheduling, contains a security flaw that allows attackers to manipulate invoice statuses without proper authorization. An attacker can craft a malicious link or webpage and, if they trick a WordPress administrator into clicking it, change the status of any invoice—including fraudulently marking unpaid invoices as paid. This works because the plugin fails to properly validate requests before processing status changes.

  • CVE-2026-9722MEDIUM 4.3

    The Laiser Tag plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability affecting all versions through 1.2.5. An attacker can craft a malicious link or webpage that, when clicked by a site administrator, silently modifies critical plugin settings without the administrator's knowledge or consent. This includes changes to API keys, tag filtering rules, and tagging behavior—settings that directly control how the plugin functions across the site.

  • CVE-2026-9723MEDIUM 4.3

    The Google Plus One Bottom plugin for WordPress contains a cross-site request forgery (CSRF) flaw that allows attackers to manipulate plugin settings without proper authorization. An attacker can craft a malicious link or web page that, when clicked by a site administrator, will change critical plugin configuration options—such as language preferences, callback functions, and URLs—without the administrator's knowledge or consent. This attack requires social engineering to trick an admin into clicking the malicious link, but requires no authentication or technical exploit code to execute.

  • CVE-2026-9730MEDIUM 4.3

    The Remove NoFollow Commenter URL plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability that allows unauthenticated attackers to change how the plugin displays comments. An attacker can craft a malicious link or webpage that, when clicked by a WordPress site administrator, silently modifies the plugin's comment settings without the administrator's knowledge or consent. This requires social engineering to trick an admin into visiting the attacker's content, but requires no special technical skills to exploit once that condition is met.

  • CVE-2026-9732MEDIUM 4.3

    The EmergencyWP plugin for WordPress has a security flaw that allows attackers to change important plugin settings without authorization. An attacker would need to trick a WordPress site administrator into clicking a malicious link, but if successful, they could alter access controls, email addresses, and other critical configurations. This is a cross-site request forgery (CSRF) vulnerability caused by the plugin failing to properly validate requests before processing them.

  • CVE-2026-9791MEDIUM 4.3

    An authenticated user who belongs to a Keycloak organization can request tokens or access APIs in ways that expose organization metadata, even after an administrator has turned off the Organizations feature. This metadata leakage could cause downstream applications (resource servers) to make incorrect access control decisions based on stale or unintended organization information.

  • CVE-2026-9798MEDIUM 4.3

    Keycloak's account lockout feature, which temporarily disables accounts after repeated failed login attempts, can be bypassed when an attacker possesses valid client credentials. By using the Client-Initiated Backchannel Authentication (CIBA) flow—a legitimate OAuth 2.0 feature—attackers can circumvent the lockout and continue attempting to authenticate or obtain tokens. This undermines brute-force protection and creates a secondary path for unauthorized access once the attacker has obtained initial client credentials.

  • CVE-2026-9807MEDIUM 4.3

    GitLab has patched a flaw in its Community and Enterprise editions where a Project Access Token that was supposed to be blocked could still access private project resources. This happened because the authorization checks weren't applied correctly when a token was revoked or blocked. An authenticated user with permissions to create or manage tokens could potentially exploit this before the fix was released, though the vulnerability requires prior login access and the attacker would need knowledge of or ability to create a blocked token.