2026 · Medium
Medium-severity vulnerabilities disclosed in 2026
Medium-rated CVEs published in 2026, with SEC.co remediation and prioritization guidance.
422 published vulnerabilities · page 4 of 5
- CVE-2026-34460MEDIUM 5.4
NamelessMC, a website platform for Minecraft servers, contains a vulnerability in how it handles OAuth authentication callbacks. When a user logs in via OAuth (a third-party authentication method), the application fails to verify a security token called a 'state parameter' before accepting the login. An attacker can exploit this by crafting a malicious link that tricks a victim into logging in with the attacker's own account credentials. Once clicked, the victim's session becomes authenticated as the attacker, potentially granting unauthorized access to the victim's account on that NamelessMC instance. The vulnerability affects NamelessMC versions 2.2.4 and earlier.
- CVE-2026-34507MEDIUM 5.4
OpenClaw versions before 2026.4.29 contain a flaw that allows authenticated users to bypass security policies protecting sensitive admin commands. Specifically, attackers can circumvent message delivery restrictions (DM-only policy) and sender authorization checks (allowFrom policy), enabling them to execute administrative functions from contexts or senders that should be blocked. The vulnerability requires an attacker to already have authentication credentials, limiting its blast radius but creating insider risk and account compromise scenarios.
- CVE-2026-40930MEDIUM 5.4
A parsing flaw in libpng 1.8.0's APNG (Animated PNG) handler can cause specially crafted image data to be misinterpreted. When the parser encounters certain frame chunks in an APNG file, it clears internal state flags but fails to skip over the actual chunk data and checksum. On the next data processing call, bytes from the ignored chunk can masquerade as a new chunk header, potentially leading to integrity violations or denial of service. An attacker needs user interaction—typically opening a malicious PNG file—to trigger the issue.
- CVE-2026-42547MEDIUM 5.4
IRIS, a web platform used by incident response teams to collaborate and share investigation details, contains an authorization flaw in versions before 2.4.28 that allows users to create alerts falsely attributed to customers they don't manage. When combined with cross-site scripting vulnerabilities, attackers can also steal alerts belonging to other customers. This means a low-privileged user could pollute another team's alert stream with fraudulent incidents or harvest sensitive investigation data.
- CVE-2026-42951MEDIUM 5.4
A vulnerability in Danelec MacGregor Voyage Data Recorder (VDR) devices allows authenticated users to download a complete backup file that exposes sensitive account credentials and password hashes. While an attacker must already have valid user credentials to exploit this issue, successful exploitation grants access to password material that could enable lateral movement or privilege escalation within maritime network environments. The vulnerability is classified as medium severity due to the authentication requirement, though the disclosure of password hashes represents a meaningful step toward further compromise.
- CVE-2018-25387MEDIUM 5.3
HaPe PKH 1.1 contains a cross-site request forgery (CSRF) vulnerability that enables attackers to change administrator passwords without needing to log in. An attacker can trick an authenticated administrator into visiting a malicious website or clicking a crafted link, which silently submits a forged request to modify admin credentials. This allows complete account takeover of administrative users.
- CVE-2018-25397MEDIUM 5.3
PHP-SHOP 1.0 is vulnerable to cross-site request forgery (CSRF), a class of attack where malicious actors craft hidden web forms designed to trick authenticated administrators into unknowingly adding new admin accounts. An attacker creates a deceptive webpage containing a concealed form that automatically submits admin account creation requests when an authenticated admin visits the page. This allows the attacker to gain administrative control without needing the victim's credentials.
- CVE-2018-25435MEDIUM 5.3
ZeusCart 4.0 is vulnerable to a cross-site request forgery (CSRF) attack that allows an attacker to trick administrators into unknowingly deactivating customer accounts. By crafting a malicious webpage or email link, an attacker can force an admin to submit a request that disables customer access without their knowledge or consent. The attack requires only that an administrator visit an attacker-controlled page while logged into their ZeusCart admin panel.
- CVE-2024-27891MEDIUM 5.3
Arista EOS devices that simultaneously use MACsec (a security protocol encrypting layer 2 traffic) and egress Access Control Lists (ACLs) on the same network interfaces may fail to enforce the intended ACL policies on outgoing traffic. This means packets that should be blocked by policy could be allowed to leave the device, or conversely, traffic that should be permitted might be incorrectly denied—effectively breaking the network's egress filtering controls.
- CVE-2025-12714MEDIUM 5.3
A widely used WordPress SEO plugin has a security hole that allows anyone on the internet—even without a WordPress account—to change critical SEO settings and site metadata. An attacker could modify your site's homepage title, meta descriptions, breadcrumb labels, and social media preview information without permission. This creates two problems: it can tank your search engine rankings, and it opens the door to injecting malicious content that visitors see across your site.
- CVE-2025-53302MEDIUM 5.3
CVE-2025-53302 is a missing authorization vulnerability in Anton Shevchuk's Constructor framework that allows unauthenticated attackers to access functionality that should be restricted by access control rules. An attacker can reach protected features without proper credentials or permissions, potentially exposing sensitive operations or data. The vulnerability affects Constructor versions up to and including 1.6.5.
- CVE-2026-10075MEDIUM 5.3
DreamMaker, a product from Interinfo, contains a path traversal flaw that lets unauthenticated attackers list or read filenames from any directory on the affected system without requiring authentication or user interaction. An attacker can craft requests using absolute path manipulation to traverse the filesystem and discover file structures that should remain hidden. While this does not allow direct file content theft or system modification, it exposes the directory layout and naming conventions, which can aid reconnaissance in a broader attack chain.
- CVE-2026-10200MEDIUM 5.3
Assimp, a popular open-source 3D model import library, contains a heap-based buffer overflow vulnerability in its glTF file format parser. An attacker with local access to a system can craft a malicious glTF file with a specially crafted 4x4 matrix to overflow memory and trigger a crash, information disclosure, or potential code execution. The vulnerability affects Assimp versions up to 6.0.4 and has been publicly disclosed.
- CVE-2026-10224MEDIUM 5.3
A vulnerability in NousResearch's hermes-agent allows an attacker to consume resources on a server by sending specially crafted requests to a webhook endpoint. The vulnerability affects versions up to 2026.4.30 and can be triggered remotely without authentication. While the technical complexity is low, the impact is limited to availability rather than data breach or system compromise. Public exploit information exists, though NousResearch has not responded to early vendor disclosure attempts.
- CVE-2026-10229MEDIUM 5.3
Assimp, a widely-used 3D model import library, contains a heap-based buffer overflow in its Half-Life 1 MDL file loader. An attacker with local system access can craft a malicious .MDL file that, when processed by an application using vulnerable Assimp versions up to 6.0.4, triggers memory corruption. This could lead to information disclosure, data corruption, or process crash. The vulnerability requires local execution and has been publicly disclosed.
- CVE-2026-10230MEDIUM 5.3
Assimp, a popular open-source 3D model import library, contains a heap buffer overflow vulnerability in its Half-Life 1 MDL file loader. The vulnerability exists in the animation-reading function and can be triggered by a malicious or crafted MDL file. An attacker with local access can exploit this to read sensitive memory, modify data, or crash the application. The vulnerability affects Assimp versions up to 6.0.4.
- CVE-2026-10231MEDIUM 5.3
Assimp, a popular open-source 3D model importing library, contains a heap buffer overflow vulnerability in its Half-Life 1 MDL file loader. By crafting a malicious MDL file that manipulates the animation value counter, an attacker with local system access can trigger memory corruption. This flaw requires the attacker to be already present on the system and execute code that processes a specially crafted model file, making it a local-origin threat rather than a remote network attack.
- CVE-2026-10232MEDIUM 5.3
CVE-2026-10232 is a use-after-free vulnerability in Assimp, an open-source 3D model import library, affecting versions up to 6.0.4. The flaw exists in the ASE file parser component and can be triggered by a local attacker with user-level privileges when processing specially crafted ASE (ASCII Scene Export) files. Exploitation could allow an attacker to read sensitive data, modify application state, or crash the process. Because exploitation requires local access and user permissions, the risk is primarily relevant in multi-user systems or scenarios where untrusted ASE files are processed by privileged applications.
- CVE-2026-10254MEDIUM 5.3
SourceCodester Pet Grooming Management Software version 1.0 contains a vulnerability that exposes file and directory information to unauthenticated remote attackers. An unknown function in the /admin/ path fails to properly restrict access to sensitive filesystem metadata, allowing adversaries to enumerate files and directories without authentication. While this does not permit direct modification or service disruption, the information disclosure can serve as reconnaissance for subsequent targeted attacks. Public exploit code is available.
- CVE-2026-10255MEDIUM 5.3
A remote access control weakness exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An unauthenticated attacker can exploit the sell_statement function in the application's form controller to bypass authorization checks and gain unauthorized read access to sensitive pharmacy data. The vulnerability requires no special interaction from users and can be triggered over the network. Because exploit code has already been publicly disclosed, active exploitation risk is elevated.
- CVE-2026-10548MEDIUM 5.3
NousResearch's hermes-agent contains a flaw in how it synchronizes Anthropic API credentials from local credential files. An attacker with local access can exploit this to bypass authentication controls, potentially gaining unauthorized access to Anthropic services or resources protected by those credentials. The vulnerability affects versions up to 2026.4.23, and exploit code has already been made public, increasing the practical risk.
- CVE-2026-10566MEDIUM 5.3
A vulnerability exists in FoundationAgents MetaGPT versions up to 0.8.2 that allows local attackers with user-level privileges to trigger unsafe deserialization through manipulation of function arguments in the Message.check_instruct_content handler. An attacker with local access and basic user permissions can exploit this to potentially read, modify, or disrupt system operations. Public exploit code is available, increasing near-term risk for organizations running affected versions.
- CVE-2026-10597MEDIUM 5.3
OMICARD EDM, a product developed by ITPison, contains a vulnerability that allows attackers without credentials to access user email addresses by manipulating a specific parameter in a web request. No authentication is required, making this a direct and accessible attack surface. While the vulnerability does not allow attackers to modify data or disrupt service, the unauthorized disclosure of email addresses poses a clear privacy and information-gathering risk.
- CVE-2026-10650MEDIUM 5.3
A flaw in libwebsockets (a widely-used WebSocket and networking library) allows attackers to exhaust server resources by manipulating a specific message length parameter in the SSH protocol handler. The vulnerability requires network access but no authentication, and an exploit has already been published. This is a denial-of-service issue that can make affected systems unresponsive without compromising data confidentiality or integrity.
- CVE-2026-11004MEDIUM 5.3
CVE-2026-11004 is a memory disclosure vulnerability in Google Chrome's ANGLE graphics library. An attacker who has already compromised Chrome's renderer process can craft a malicious HTML page to read sensitive data from the browser's memory. While this requires prior compromise of the renderer, the ability to extract potentially sensitive information makes it a meaningful security concern for organizations running Chrome.
- CVE-2026-11005MEDIUM 5.3
A flaw in ANGLE, the graphics abstraction layer used by Google Chrome on Windows, allows a remote attacker to read sensitive data from Chrome's renderer process memory. The attacker must first compromise the renderer process and trick a user into visiting a malicious webpage. Once those conditions are met, the attacker can extract potentially sensitive information from memory that they shouldn't have access to. This is an out-of-bounds read vulnerability—the code accesses memory locations it wasn't intended to reach.
- CVE-2026-2128MEDIUM 5.3
The Breeze WordPress plugin through version 2.5.2 contains a flaw that allows attackers to view content meant only for administrators. When the "Cache Logged-in Users" feature is enabled, the plugin trusts cookie information without properly verifying it belongs to a real, authenticated user. An attacker can craft a fake cookie claiming to be an administrator, and the plugin will serve them the cached pages generated for that admin—exposing private posts, administrative controls, security tokens, and other sensitive data. No authentication or special privileges are required to attempt this attack.
- CVE-2026-26825MEDIUM 5.3
A use-of-uninitialized memory vulnerability in libxls 1.6.3 allows attackers to craft malformed XLS files that trigger memory safety issues during file parsing. When the library processes these files, uninitialized heap memory from the OLE (Object Linking and Embedding) layer may be read, leading to unpredictable behavior, incorrect file interpretation, or disclosure of sensitive data from memory. This does not require authentication and affects any application using the vulnerable library to open untrusted XLS files.
- CVE-2026-33463MEDIUM 5.3
Kibana contains a flaw where access tokens that should expire at a specific time continue to work indefinitely. An attacker who obtains one of these tokens—even after it should have stopped being valid—can use it to read sensitive information they shouldn't have access to. The vulnerability stems from improper validation of token expiration times, allowing the system to forget when a token was supposed to stop working.
- CVE-2026-38978MEDIUM 5.3
Transmission, a popular BitTorrent application, contains a clickjacking vulnerability affecting versions up to and including 4.1.1. The flaw allows an attacker to trick users into performing unintended actions through the application's web interface or RPC (remote procedure call) endpoints by overlaying malicious content on top of legitimate interface elements. This requires user interaction but does not require the attacker to be authenticated or have any special privileges to exploit.
- CVE-2026-40898MEDIUM 5.3
quic-go, a Go-based QUIC protocol library, contains a denial-of-service flaw in its HTTP/3 implementation that allows remote attackers to exhaust server and client memory by sending malicious HTTP trailer fields. The vulnerability stems from inadequate validation of decoded trailer sizes—the library checks the compressed frame size but fails to enforce limits on the decompressed result. An attacker can craft QPACK-encoded headers with numerous unique field names or oversized values in the trailer section, forcing unbounded memory allocation and potentially crashing affected services.
- CVE-2026-41150MEDIUM 5.3
Mermaid, a popular JavaScript library for creating diagrams from text, contains a denial-of-service vulnerability in versions before 10.9.6 and 11.15.0. The flaw occurs when rendering Gantt charts that use the excludes attribute to block out all dates. An attacker can craft a malicious diagram that, when processed and rendered, causes the application to hang or consume excessive resources, disrupting service availability. The vulnerability only manifests during actual diagram rendering; simply parsing the diagram syntax does not trigger the issue unless the ganttDb.getTasks() function is subsequently called.
- CVE-2026-41159MEDIUM 5.3
Mermaid, a popular JavaScript library for creating diagrams from text, contains a CSS injection vulnerability in its configuration options. Attackers can inject malicious CSS through the fontFamily, themeCSS, and altFontFamily settings that breaks out of the intended diagram sandbox and affects the entire web page. This could enable page defacement or extraction of sensitive information through CSS selectors. The vulnerability affects versions before 10.9.6 and 11.15.0, and has been patched in those releases.
- CVE-2026-41178MEDIUM 5.3
OpenTelemetry-Go versions 1.41.0 and 1.43.0 contain a denial-of-service vulnerability in their baggage header parsing logic. The removal of size validation allows attackers to send oversized or malformed baggage headers that cause the application to process arbitrarily large inputs, log excessive errors, and potentially exhaust system resources. This is a network-accessible vulnerability requiring no authentication, making it exploitable by any remote actor.
- CVE-2026-41207MEDIUM 5.3
A vulnerability exists in Netty's binary HTTP parser (netty-incubator-codec-ohttp) where cryptographic key generation can fail silently and default to all-zero keys without raising an error. This occurs in the HKDF_expand and EVP_HPKE_CTX_export functions, which are supposed to generate random key material for encrypting HTTP responses. Instead of signaling failure, these functions return zero-filled byte arrays that are indistinguishable from legitimate keys. An attacker who understands this behavior could predict the encryption keys and decrypt sensitive response data, compromising the confidentiality of encrypted messages. The issue was resolved in version 0.0.21.Final.
- CVE-2026-42500MEDIUM 5.3
CVE-2026-42500 is a denial-of-service vulnerability triggered when software attempts to decode a specially crafted BMP image file with palette colors that reference invalid color table entries. The flaw causes the application to crash rather than handle the malformed data gracefully. An attacker can exploit this by distributing or hosting a malicious BMP file that, when opened or processed, crashes the affected application.
- CVE-2026-42507MEDIUM 5.3
CVE-2026-42507 is a moderate security issue affecting Go's net/textproto package where error messages can inadvertently expose or reflect user-supplied input. An attacker could craft malicious input that, when an error occurs, gets embedded into the error message itself. If those messages are logged, displayed to users, or forwarded to monitoring systems, the attacker's injected content appears as legitimate system output. This creates an integrity risk by allowing misleading information to be introduced into logs and alerts.
- CVE-2025-60477MEDIUM 5.0
CVE-2025-60477 is a crash vulnerability in GPAC's MP4Box multimedia processing tool. A specially crafted file can trigger a program crash when processed by a local or authenticated user, disrupting media encoding and processing workflows. The vulnerability does not leak data or enable privilege escalation, but it can be weaponized to interrupt legitimate operations or degrade service availability.
- CVE-2026-10010MEDIUM 5.0
Google Chrome on Android versions prior to 148.0.7778.216 contain a vulnerability in input handling that allows an attacker who has already compromised Chrome's renderer process to bypass site isolation protections through a specially crafted HTML page. Site isolation is a critical Chrome security boundary designed to keep sensitive data from different websites separate in memory. This flaw undermines that protection, though it requires the attacker to have already gained code execution within the browser engine itself.
- CVE-2026-10275MEDIUM 5.0
A buffer overflow vulnerability exists in OpenSC versions up to 0.26.1 within the pkcs11-tool component's key generation functionality. The flaw allows an attacker to overflow a buffer during certificate writing operations, potentially enabling remote code execution or data corruption. Exploitation requires user interaction and specific conditions, making it moderately difficult to weaponize, though a proof-of-concept has already been disclosed.
- CVE-2026-10533MEDIUM 5.0
A vulnerability in OpenShift Container Platform allows non-privileged users to circumvent resource quota enforcement by creating pods with a never-restart policy. These pods and their associated Kubernetes events are not counted against quota limits, enabling an attacker to flood the cluster's event database (etcd) with activity. The resulting accumulation degrades API server performance across the entire cluster, affecting all users and workloads.
- CVE-2026-43979MEDIUM 5.0
Local Deep Research versions before 1.6.0 contain a vulnerability where user-supplied search queries and metadata are inserted directly into HTML without proper escaping before being converted to PDF. An authenticated user can inject HTML tags that trick the server into making unauthorized web requests (SSRF), bypassing existing security controls. The vulnerability requires valid credentials but poses moderate risk due to potential confidentiality impact.
- CVE-2026-10039MEDIUM 4.9
The Frontend Admin plugin for WordPress contains a SQL injection vulnerability that allows authenticated administrators to extract sensitive data from the website's database. The flaw exists in how the plugin processes the 'order' parameter—it fails to properly escape user input before inserting it into database queries. An attacker with administrator privileges can craft a malicious request containing both 'order' and 'orderby' parameters to inject additional SQL commands and retrieve unauthorized information. This vulnerability affects all versions up to and including 3.28.28.
- CVE-2026-10074MEDIUM 4.9
DreamMaker, a product developed by Interinfo, contains a vulnerability that allows authenticated administrators or privileged users with local access to read arbitrary files from the system. An attacker with elevated privileges can exploit a path traversal flaw to access sensitive system files they shouldn't normally be able to retrieve, potentially exposing configuration data, credentials, or other protected information.
- CVE-2026-41412MEDIUM 4.9
alf.io is an open-source ticketing platform used by conferences and events to manage reservations. The vulnerability lies in how alf.io sandboxes custom extensions (plugins) that users can write to extend functionality. The sandbox was designed to safely run untrusted extension code, but it failed to protect file access. Specifically, extensions have access to an HTTP client tool that includes a method for uploading files. This method does not validate or restrict which files can be read—a malicious extension can read any file that the alf.io application has permission to access on the server, then send that file's contents to an attacker's server. An attacker would need to either write a malicious extension or trick an administrator into installing one, but once active, the extension can quietly exfiltrate sensitive data like configuration files, database credentials, or user records.
- CVE-2026-10057MEDIUM 4.8
ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with elevated privileges to inject malicious JavaScript code into the application. Once injected, this code persists in the system and executes automatically whenever other users load affected pages in their browsers. This is distinct from reflected XSS because the payload remains embedded in the application, posing a sustained risk to all users who access the compromised content.
- CVE-2026-10058MEDIUM 4.8
ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) flaw that lets high-privilege attackers inject malicious JavaScript into the system. When other users load affected pages, that injected code runs in their browsers automatically. This is a persistence threat—the malicious script stays in the system until removed, affecting anyone who accesses the compromised page.
- CVE-2026-34127MEDIUM 4.8
A stored cross-site scripting (XSS) vulnerability exists in TP-Link's TL-SG108PE v5 managed switch web interface. When an administrator imports a configuration file containing malicious code in the SYSNAM parameter, that code is stored without proper sanitization. The next time an administrator accesses the web management interface, the injected script executes in their browser. This could allow an attacker (who must already have administrator credentials) to steal session cookies, modify switch settings, or extract sensitive information from the management interface.
- CVE-2026-36460MEDIUM 4.8
Dovestones Software's ADPhonebook application before version 4.0.1.1 contains a Cross-Site Scripting (XSS) vulnerability in its administrative configuration API. An authenticated administrator can inject malicious JavaScript code into various system configuration sections, which is then stored and executed in the browsers of other users who access those settings. This requires both admin privileges and user interaction (a victim must view the affected configuration), limiting but not eliminating the risk.
- CVE-2026-10070MEDIUM 4.7
A flaw in macrozheng mall versions up to 1.0.3 allows an authenticated administrator with high privileges to bypass authorization controls on the super admin password update endpoint. An attacker with admin credentials could manipulate requests to the /admin/update/ path and gain unauthorized access to sensitive administrative functions. The vulnerability requires valid admin-level authentication and cannot be exploited anonymously from the network.
- CVE-2026-10155MEDIUM 4.7
A SQL injection vulnerability exists in Bdtask Multi-Store Inventory Management System version 1.0 within the Accounts Report Handler. An authenticated attacker can manipulate the 'dtpToDate' parameter in the accounts report search function to inject malicious SQL commands. While the vulnerability requires high privileges to exploit, successful attacks could leak sensitive financial data, modify account records, or disrupt reporting functionality. Public exploit code is available, increasing real-world risk.
- CVE-2026-10171MEDIUM 4.7
A SQL injection vulnerability exists in code-projects Online Music Site version 1.0 that allows authenticated administrators to manipulate the ID parameter in the album update functionality. An attacker with admin credentials can inject malicious SQL commands through the /Administrator/PHP/AdminUpdateAlbum.php endpoint, potentially compromising database integrity and confidentiality. The vulnerability has been publicly disclosed and exploit code is available, increasing the likelihood of active exploitation.
- CVE-2026-10237MEDIUM 4.7
A SQL injection vulnerability was identified in SourceCodester Water Billing Management System version 1.0. An authenticated administrator can manipulate the ID parameter in the user management interface to inject malicious SQL commands, potentially reading or modifying sensitive database records. The vulnerability requires administrative privileges to exploit but poses a risk to data integrity and confidentiality within billing systems. Public proof-of-concept code exists, elevating the practical risk of exploitation.
- CVE-2026-10248MEDIUM 4.7
SourceCodester's Pharmacy Sales and Inventory System version 1.0 and earlier contains a CSV injection vulnerability in its supplier creation interface. An authenticated attacker with high privileges can inject malicious CSV formulas through the Address or Company Name fields when exporting supplier data, potentially causing data corruption, formula execution, or information disclosure when a user opens the exported file in a spreadsheet application.
- CVE-2026-10583MEDIUM 4.7
A server-side request forgery (SSRF) vulnerability exists in nextlevelbuilder GoClaw versions up to 3.11.3. The flaw is located in the TTS Configuration Endpoint's Import function, which fails to properly validate or restrict outbound HTTP requests. An authenticated attacker with high privileges can exploit this to make the affected server initiate requests to internal or external systems on their behalf, potentially accessing sensitive internal resources or launching further attacks. The vulnerability has been publicly disclosed.
- CVE-2026-42329MEDIUM 4.7
Iris, a web platform used by incident responders to collaborate and share technical details during security investigations, contains an open redirect vulnerability in versions before 2.4.28. An attacker can craft a malicious link within the application that tricks users into visiting an external website under the attacker's control. This is a social engineering risk rather than a direct system compromise—the attack depends on user interaction and targets the trust users place in links shared within their incident response platform.
- CVE-2026-46159MEDIUM 4.7
A race condition in the Linux kernel's btrfs filesystem driver can leak uninitialized kernel memory to unprivileged local users. The vulnerability exists in the ioctl handler that reports storage space information. When block groups are concurrently removed by the system during the space query operation, the kernel copies more data to userspace than it actually wrote, exposing sensitive kernel memory. An attacker with local access can exploit this timing window to read information that should not be accessible.
- CVE-2026-33462MEDIUM 4.6
A path traversal flaw in Kibana's dashboard management allows an authenticated user with basic permissions to craft a malicious dashboard identifier. When an administrator deletes this dashboard, the deletion request bypasses security controls and targets unintended internal endpoints—potentially destroying user accounts or other critical resources. The vulnerability requires an administrator to take action on the malicious object, making it a privilege-escalation path rather than a self-executing exploit.
- CVE-2026-36174MEDIUM 4.6
GNCC GP5 devices running version 7.1.76 transmit sensitive wireless network credentials in readable form to the serial console during normal operation. An attacker with physical access to the device's serial port can intercept these credentials, compromising network security. This is a localized but consequential exposure for organizations operating these devices in shared or less-controlled physical environments.
- CVE-2026-36178MEDIUM 4.6
A flaw in the factory reset process of GNCC GP5 v7.1.76 leaves sensitive cryptographic keys and related data intact on the device's storage partition even after a factory reset is performed. An attacker with physical access to the device could potentially recover this material and use it to decrypt or impersonate the original user's configuration and encrypted content.
- CVE-2026-36180MEDIUM 4.6
GNCC GP5 version 7.1.76 has a security weakness that allows an attacker with physical access to the machine to temporarily modify read-only system files and binaries during a single boot session. The vulnerability exploits bind-mount mechanisms—a Linux/Unix filesystem technique—to circumvent protections meant to keep critical system files locked down. While the attacker needs to be physically present and the changes only persist until reboot, this represents a meaningful integrity risk for systems in shared, controlled, or potentially hostile physical environments.
- CVE-2026-10814MEDIUM 4.5
Milvus, a popular vector database, contains a weakness in how it generates hash identifiers for grantee access control. An attacker with local access and sufficient privileges could exploit weak cryptographic hashing in the Grantee ID Hash Handler to potentially forge or predict access control identifiers, leading to unauthorized data access or modification. The vulnerability requires high technical complexity to exploit and is rated as medium severity.
- CVE-2026-10100MEDIUM 4.4
The Simple Custom Login Page plugin for WordPress contains a security flaw that allows administrators to inadvertently inject malicious code into the login page viewed by all users. When a site admin configures colors for the login page through the plugin's settings, an attacker with admin access can craft CSS injection payloads in those color fields. Because the plugin doesn't properly validate these inputs before displaying them, an attacker can break out of the intended styling context and insert arbitrary CSS rules. This enables phishing attacks—for example, by hiding the real login form or overlaying a fake one to steal credentials.
- CVE-2026-3620MEDIUM 4.4
The Word Replacer plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 0.4. An attacker with administrator-level access can inject malicious scripts through the plugin's 'replacement' parameter. These scripts persist in the WordPress database and execute whenever any user visits an affected page, potentially allowing credential theft, session hijacking, or defacement. The vulnerability stems from inadequate input validation and output encoding in the plugin code.
- CVE-2019-25717MEDIUM 4.3
Dräger's Infinity Delta, Delta XL, and Kappa patient monitors expose sensitive log files to unauthenticated attackers on the local network. An attacker with network access can retrieve device internals, location data, and network configuration without needing credentials. This is a network-adjacent threat that discloses operational details but does not enable direct device compromise or manipulation.
- CVE-2024-47273MEDIUM 4.3
Synology Hyper Backup versions before 4.1.2-4036 contain a path traversal vulnerability in the Backup Task feature that allows an authenticated user to write files outside their intended directory. An attacker with valid credentials could exploit this to place files in restricted locations on the system, potentially compromising system integrity or enabling lateral movement.
- CVE-2025-52606MEDIUM 4.3
HCL iControl contains a weakness in how it validates user input during its security architecture implementation. The application fails to properly check that incoming data matches the expected type before processing it, allowing an authenticated attacker to submit malformed input that the system does not adequately verify. This can lead to unintended modifications of application state or data.
- CVE-2025-53346MEDIUM 4.3
CVE-2025-53346 is a missing authorization flaw in ThimPress Thim Core that allows authenticated users to modify data or settings they should not have access to. The vulnerability stems from inadequate access control checks, meaning the application fails to properly verify whether a logged-in user has permission to perform specific actions. While an attacker must already have valid login credentials, the weakness could allow them to escalate privileges or tamper with configuration or content outside their intended scope.
- CVE-2026-10028MEDIUM 4.3
CVE-2026-10028 is a denial-of-service vulnerability in glib-networking that can be triggered when an attacker presents a maliciously crafted certificate chain containing circular issuer relationships. When an application using glib-networking with GnuTLS backend processes such a chain, the certificate verification logic enters an infinite loop, consuming CPU resources until the process becomes unresponsive. The attack requires user interaction (such as visiting a malicious website or accepting a connection) and affects only the targeted process, not the wider system.
- CVE-2026-10113MEDIUM 4.3
Open5GS, an open-source 5G core network software suite, contains a vulnerability in its Shared NF-profile Parser component that can be exploited to disrupt service availability. An attacker with network access and valid authentication credentials can trigger a denial of service condition by manipulating the NF-profile parsing logic. The vulnerability affects Open5GS versions up to 2.7.7, and public exploit information is available, increasing the risk of active exploitation.
- CVE-2026-10114MEDIUM 4.3
Open5GS versions up to 2.7.7 contain a flaw in how they parse shared NF profile information. When processing certain malformed input, the application writes data beyond the intended memory boundary, potentially crashing the service. While an attacker must have valid network credentials to exploit this, the vulnerability has been publicly disclosed, increasing the likelihood it will be weaponized.
- CVE-2026-10115MEDIUM 4.3
Open5GS, an open-source 5G core network implementation, contains a flaw in how it parses network function profiles. An authenticated attacker can send a specially crafted request that causes the affected service to become unresponsive, disrupting normal operations. The vulnerability requires valid credentials to exploit and does not lead to data theft or unauthorized access—only temporary unavailability. Versions up to 2.7.7 are affected.
- CVE-2026-10116MEDIUM 4.3
A vulnerability in Open5GS, a popular open-source 5G core network implementation, allows authenticated users to trigger a denial-of-service condition by manipulating the UE authentication endpoint. The flaw resides in timer transaction handling code and can be exploited remotely by anyone with legitimate access to the authentication service. Public exploit code is available, increasing the practical risk of abuse.
- CVE-2026-10117MEDIUM 4.3
Open5GS, an open-source 5G core network implementation, contains a vulnerability in its HTTP/2 server library that can be exploited to cause a denial of service. An attacker with valid credentials can remotely trigger the issue by manipulating specific inputs to the pool allocation function, causing the application to become unresponsive or crash. Versions up to 2.7.7 are affected. Public exploit code exists, increasing the risk of opportunistic attacks.
- CVE-2026-10153MEDIUM 4.3
A cross-site scripting (XSS) vulnerability has been identified in westboy CicadasCMS. The flaw exists in the Search function and can be exploited by manipulating a specific argument to inject malicious scripts. An attacker can send a crafted request to a vulnerable instance to execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session data, credentials, or performing actions on their behalf. Exploitation requires user interaction (such as clicking a malicious link) but does not require authentication. A proof-of-concept has already been published, increasing practical risk.
- CVE-2026-10154MEDIUM 4.3
Dolibarr ERP CRM versions 23.0.0, 23.0.1, and 23.0.2 contain an authorization bypass vulnerability in the user messaging module. An authenticated attacker can manipulate the ID parameter in htdocs/user/messaging.php to access or view information they should not have permission to see. The vulnerability requires valid login credentials but allows a logged-in user to circumvent access controls. Upgrading to version 23.0.3 resolves the issue.
- CVE-2026-10156MEDIUM 4.3
Open5GS, a popular open-source 5G core network implementation, contains a denial-of-service vulnerability in versions up to 2.7.7. An authenticated attacker can manipulate how the system manages network function instance information, causing the application to consume excessive resources and become unresponsive. The vulnerability has been publicly disclosed, but a patch is already available. This is a moderate-severity issue requiring prioritization for 5G infrastructure operators and anyone running affected Open5GS deployments.
- CVE-2026-10173MEDIUM 4.3
Orthanc Explorer 2 versions up to 1.12.0 contain a reflected cross-site scripting (XSS) vulnerability in the StudyList component. An attacker can craft a malicious URL with a specially crafted 'remote-source' parameter that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the Orthanc application. This allows theft of session tokens, modification of data, or unauthorized actions performed on behalf of the victim. The vulnerability requires user interaction—a victim must click a malicious link—but can be exploited remotely without authentication.
- CVE-2026-10215MEDIUM 4.3
A flaw in Dolibarr ERP CRM's Leave Request REST API fails to properly check whether users have permission to access specific leave request objects. An authenticated attacker can remotely exploit this to view leave data they should not be able to see. The vulnerability affects versions up to 23.0.1, and Dolibarr has released version 23.0.2 as a fix. Because the exploit has been publicly disclosed, this poses an active risk despite its moderate CVSS score.
- CVE-2026-10282MEDIUM 4.3
Bottelet DaybydayCRM versions up to 2.2.1 contain an authorization flaw in the Documents controller that allows authenticated users to access files they shouldn't be able to view. An attacker with valid login credentials can exploit this remotely to read sensitive documents beyond their intended access scope. The vulnerability is rated MEDIUM severity and requires patching.
- CVE-2026-10289MEDIUM 4.3
A cross-site scripting (XSS) vulnerability exists in Hotel and Tourism Reservation System version 1.0. An attacker can inject malicious scripts by manipulating parameters in the reservation form—specifically the name, email, people count, or booking number fields in the /ht/tour.php file. When a victim visits a crafted link or page, the injected script executes in their browser, potentially allowing session hijacking, credential theft, or defacement. Public exploits are available, increasing active exploitation risk.
- CVE-2026-10291MEDIUM 4.3
Enderfga's claw-orchestrator contains a flaw in how it validates regular expressions in the Session Grep Endpoint. An authenticated attacker can supply a maliciously crafted regex pattern that forces excessive CPU consumption, potentially slowing or freezing the service. This is a medium-severity issue affecting versions up to 3.7.0 and is remedied by upgrading to 3.7.1.
- CVE-2026-10294MEDIUM 4.3
PackageKit, a system library for package management on Linux, contains an authorization bypass vulnerability in versions up to 1.3.5. An authenticated attacker can manipulate the frontend-socket parameter in the API to gain unauthorized access to sensitive information. The vulnerability requires an existing user account to exploit but does not require user interaction. While the attack surface is somewhat limited by authentication requirements, the unauthorized information disclosure poses a real security concern for systems relying on PackageKit.
- CVE-2026-10301MEDIUM 4.3
A reflected cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0. An attacker can craft a malicious URL containing JavaScript code in the 'page' parameter of index.php. When a user visits this link, the script executes in their browser, potentially allowing theft of session cookies, credential capture, or malware redirection. The vulnerability requires user interaction (clicking a link) but poses a meaningful risk to organizations running this system, especially those handling sensitive fee or financial data.
- CVE-2026-10616MEDIUM 4.3
GoClaw, a component of nextlevelbuilder, contains a flaw in how it validates permissions when completing team tasks. An authenticated attacker can manipulate the Team Task Completion Handler to bypass authorization checks, potentially modifying task records they shouldn't have access to. The vulnerability requires a valid login and network access, and affects versions up to 3.11.3. While the issue carries a medium risk profile, the public availability of exploit details increases practical attack likelihood.
- CVE-2026-10624MEDIUM 4.3
CVE-2026-10624 is a moderate-severity vulnerability in SourceCodester Human Resource Management version 1.0 that allows authenticated users to access employee information they should not be able to view. The flaw exists in the Employee View Page component and stems from improper handling of the 'employeeid' parameter, which an attacker can manipulate to bypass access controls. Because exploit code has been publicly disclosed, this vulnerability poses a realistic risk to organizations running affected systems.
- CVE-2026-10661MEDIUM 4.3
A vulnerability in the blender-mcp project allows an authenticated attacker to inject malicious input through the input_image_url parameter in the Open function of src/blender_mcp/server.py. Because authentication is required and the vulnerability only exposes limited information (not enabling code execution or system availability impact), the overall risk is moderate. However, the public disclosure means exploitation techniques are now accessible to threat actors.
- CVE-2026-10691MEDIUM 4.3
A vulnerability in wonderwhy-er DesktopCommanderMCP through version 0.2.38 allows an authenticated user to trigger a denial-of-service condition by crafting malicious search result data that causes inefficient regular expression processing. The flaw is in the search-manager component and can be exploited remotely by any logged-in user. The vendor has released version 0.2.39 with a fix.
- CVE-2026-10692MEDIUM 4.3
A flaw exists in code-index-mcp versions up to 2.14.0 that allows authenticated users to cause performance degradation through specially crafted regular expressions. By submitting a malicious regex pattern to the search_code_advanced function, an attacker can trigger inefficient regex processing that consumes excessive CPU resources, leading to application slowdown or unresponsiveness. This is a denial-of-service weakness that requires login credentials to exploit but does not compromise confidentiality or data integrity.
- CVE-2026-10702MEDIUM 4.3
A flaw in Firefox's JavaScript Just-In-Time (JIT) compiler can cause it to miscompile code in certain circumstances. When a user visits a malicious website, the affected browser may crash or become unstable due to incorrect code generation during compilation. This is not a memory corruption issue and does not allow attackers to steal data or take control of the system, but it does impact availability and user experience.
- CVE-2026-10802MEDIUM 4.3
A resource consumption vulnerability exists in KeystoneJS, an open-source headless CMS and GraphQL API framework. The flaw resides in the GraphQL API endpoint handler and can be exploited by authenticated users to exhaust server resources, potentially causing a denial-of-service condition. The vulnerability affects KeystoneJS versions up to March 19, 2026. Exploitation requires valid credentials but can be performed remotely over the network.
- CVE-2026-10810MEDIUM 4.3
A cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0 and earlier. The flaw is located in the /navbar.php file, where unsanitized input in the 'page' parameter allows an attacker to inject malicious scripts. An attacker can craft a malicious URL and trick a user into clicking it, causing the injected script to execute in the victim's browser. This could lead to session hijacking, credential theft, or malware distribution. Public exploit code is available, increasing the risk of opportunistic attacks.
- CVE-2026-10854MEDIUM 4.3
CVE-2026-10854 is a visibility control flaw in MISP's event template creation feature that allowed unauthorized users to see private galaxy data from other organizations. When creating an event template, the system listed all enabled galaxies without checking whether the user's organization owned them or whether they were marked private. This exposed sensitive metadata like galaxy type and description to users who shouldn't have access. The vulnerability requires authentication to exploit and affects only information disclosure—no data modification or denial of service is possible. MISP has patched the issue by filtering galaxy visibility based on organization ownership and distribution settings.
- CVE-2026-10855MEDIUM 4.3
MISP, a threat intelligence platform, contained an authorization flaw in its event template import feature. When an authenticated user attempted to overwrite an existing event template, the system verified that a template with that name existed but failed to check whether the importing user's organization actually owned it. This allowed users from one organization to forcibly overwrite event templates belonging to other organizations. The flaw only affected non-administrator users; site administrators retained the ability to manage templates across organizational boundaries by design. The vulnerability has been remediated by adding an ownership verification step before permitting any template overwrite operation.
- CVE-2026-10864MEDIUM 4.3
A flaw in MISP's dashboard widgets allows authenticated users with low-level access to bypass field restrictions and view sensitive information they shouldn't have access to. By manipulating which data fields the New Users and New Organisations widgets display, attackers can circumvent settings designed to hide user email addresses and other restricted organization metadata. The vulnerability stems from how the application processes field filtering—if redaction leaves the field list empty, it falls back to returning unfiltered data instead of enforcing safe defaults.
- CVE-2026-11031MEDIUM 4.3
Google Chrome's Password Manager fails to properly validate input from network traffic before displaying it to users. An attacker can craft malicious network data that tricks the Password Manager interface into showing fake or misleading information—for example, a phishing prompt that looks legitimate. This affects Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux.
- CVE-2026-24756MEDIUM 4.3
Kiteworks, a platform for secure data sharing and management, contains a flaw that allows authenticated users to modify data belonging to other users. The vulnerability stems from the application failing to properly verify that a user should have access to resources they're attempting to change. An attacker with valid credentials could exploit this to alter forms, templates, or other shared resources without authorization. The fix requires upgrading to version 9.3.0 or later.
- CVE-2026-28511MEDIUM 4.3
eLabFTW, an open-source electronic lab notebook platform, contains an information disclosure vulnerability affecting versions before 5.4.2. When an authenticated user performs a numeric search or reference lookup, the system may return resource titles that the user should not have access to view. The actual content of those resources remains protected—only the titles are exposed. This is particularly concerning because titles may contain sensitive information such as project names, patient identifiers, or regulated data that could constitute unauthorized disclosure.
- CVE-2026-32250MEDIUM 4.3
NamelessMC, a website platform used for Minecraft server management, contains a reflected cross-site scripting (XSS) vulnerability in version 2.2.4. The flaw exists in how the application handles the `id` parameter on the user queries endpoint. An attacker can embed malicious JavaScript in a specially crafted URL; when a user clicks that link, the script runs in their browser with access to the site's session and data. This could enable attackers to steal session cookies, redirect users to phishing pages, or modify page content to deceive users.
- CVE-2026-32906MEDIUM 4.3
OpenClaw versions prior to 2026.5.12 contain a privilege escalation flaw in their Slack plugin approval system. Users who hold limited exec approval permissions can manipulate the approval workflow to bypass intended authorization checks, allowing them to approve plugin actions that should require additional oversight or operator configuration. The vulnerability requires an authenticated user to exploit, reducing but not eliminating risk in environments with permissive access controls.