2026 · Medium
Medium-severity vulnerabilities disclosed in 2026
Medium-rated CVEs published in 2026, with SEC.co remediation and prioritization guidance.
1310 published vulnerabilities · page 14 of 14
- CVE-2024-47263MEDIUM 4.1
A path traversal flaw in Synology Hyper Backup's web API allows administrators who already have legitimate access to write files outside their intended directory. The vulnerability is constrained to non-sensitive file types, limiting immediate damage, but represents a control-boundary weakness that could enable privilege misuse or lateral movement in environments where admin accounts are compromised or where insider threat is a concern.
- CVE-2026-10052MEDIUM 4.1
Quay's configuration tool contains a weakness in how it validates LDAP and SMTP settings. When a configuration editor supplies endpoints for these services, the tool connects to them without restricting which IP addresses or hostnames are allowed. An attacker with config editor privileges can abuse this to make the Quay container reach internal network resources, allowing them to map and discover the organization's internal infrastructure from inside the cluster's network position.
- CVE-2026-37700MEDIUM 4.1
MaxSite CMS version 109.2 contains a cross-site scripting (XSS) vulnerability in its backend file upload feature that allows authenticated attackers to inject malicious scripts. When an administrator performs a file upload through the admin page endpoint, an attacker with login credentials could craft a request that executes JavaScript in the victim's browser, potentially exposing sensitive information displayed during the upload process.
- CVE-2026-42401MEDIUM 4.1
CVE-2026-42401 is a stored HTML injection vulnerability in Kibana that allows an attacker with write access to an Elasticsearch index to inject malicious markup. When other users view the affected Kibana dashboard or visualization, the injected code is not properly sanitized before rendering in their browser. This can enable unauthorized UI changes and cause the victim's browser to make unintended outbound network requests on their behalf.
- CVE-2019-25723MEDIUM 4.0
Dräger Perseus A500 ventilators running software versions 2.00 through 2.02 are vulnerable to a denial-of-service attack. An attacker on the network can send malformed data through the Medibus medical interface to crash the device's processor, forcing a warm restart. During this restart—which lasts several seconds—ventilation pressure drops to ambient level, temporarily interrupting therapy delivery before the device recovers. This is a network-accessible vulnerability with no authentication required, making it a genuine concern for clinical environments.
- CVE-2019-25734MEDIUM 4.0
Contact Form by WD version 1.13.1 has a security flaw that combines two weaknesses: a cross-site request forgery (CSRF) vulnerability and local file inclusion (LFI). An unauthenticated attacker can craft a malicious web form that, when visited by an admin, tricks the admin's browser into loading arbitrary files from the server using directory traversal sequences. This bypasses the normal authentication checks on certain WordPress AJAX actions, potentially exposing sensitive files.
- CVE-2021-4479MEDIUM 4.0
Dräger Atlan A350 patient monitoring devices running firmware versions 1.00 through 1.01 are vulnerable to a denial-of-service attack delivered through the Medibus network interface. An attacker can send malformed data packets that the device fails to validate properly, causing the internal processor to become overloaded. Over several hours, this degradation manifests as loss of data transmission capability, delays in displaying vital sign curves, and discrepancies between measured airway pressure and displayed values—conditions that could compromise clinical decision-making in critical care settings.
- CVE-2026-10099MEDIUM 4.0
XX-Net V5.16.6 has a flaw in how it processes WebSocket communications that causes data corruption. When a client sends WebSocket frames without proper masking, the server incorrectly interprets the first 4 bytes of the message as a mask key (even when masking wasn't used), then mangles the rest of the data by applying the wrong decryption. This results in corrupted data being processed by the application. The vulnerability affects local attack scenarios and has medium severity.
- CVE-2026-10998MEDIUM 4.0
CVE-2026-10998 is a memory safety issue in Google Chrome's media handling code that allows an attacker positioned on the same local network to read data from memory locations they shouldn't have access to. The vulnerability exists in Chrome versions before 149.0.7827.53. An attacker would need to send specially crafted network traffic to trigger an out-of-bounds read, which could potentially expose sensitive information resident in the browser's memory. This is a local-network-only threat, meaning the attacker must be on your network segment to exploit it.
- CVE-2026-28581MEDIUM 4.0
A logic error in Android's call processing code allows an application to initiate emergency calls without proper authorization checks. The vulnerability stems from inadequate validation in the CallIntentProcessor when determining the initiating user, potentially enabling an app to trigger emergency dialing functionality that should be restricted. No user interaction is required for exploitation, and the issue affects multiple Android versions.