By year

Vulnerabilities disclosed in 2026

CVEs published in 2026 with SEC.co analysis.

1364 published vulnerabilities · page 12 of 14

  • CVE-2026-44611MEDIUM 5.4

    Danelec MacGregor's Voyage Data Recorder (VDR) uses a weak password hashing method that restricts password length and is vulnerable to brute force attacks. An authenticated attacker with local network access could potentially crack stored passwords to gain unauthorized access to the device or escalate privileges. This is a medium-severity issue affecting maritime safety and navigation systems.

  • CVE-2026-44794MEDIUM 5.4

    Nautobot, a network automation platform, contains a permission bypass vulnerability in its REST API that affects how it validates references between database objects. When users create or update records that link to other objects in the system, the API fails to properly check whether the user has permission to view those referenced objects. This means an authenticated user could potentially reference objects they shouldn't have access to, leading to information disclosure or unintended modifications. The issue affects Nautobot versions before 2.4.33 and 3.1.2.

  • CVE-2026-45023MEDIUM 5.4

    AutoGPT versions before 0.6.59 contain a flaw in their API implementation that allows authenticated users to execute workflow blocks without consuming credits from their account balance. The vulnerability stems from an API endpoint that bypasses the credit-checking logic present elsewhere in the system, enabling users to run unlimited blocks at no cost. This is a business model violation rather than a critical system compromise, but it undermines the platform's monetization and resource management controls.

  • CVE-2026-45580MEDIUM 5.4

    WWBN AVideo, an open-source video streaming platform, contains a stored cross-site scripting (XSS) vulnerability in its Live plugin. A user with streaming permissions can inject malicious JavaScript into the stream configuration, which then executes in the browsers of anyone—logged-in or anonymous—who views that live stream. The vulnerability persists because user-controlled input (the stream key) is inserted directly into an HTML class attribute without proper sanitization.

  • CVE-2026-45660MEDIUM 5.4

    Statamic is a content management system built on Laravel that includes an image proxy feature called Glide. A flaw in how this proxy validates URLs allows attackers to bypass security checks by using alternate IP address formats that aren't properly normalized before validation. An unauthenticated attacker could exploit this to make the server fetch content from internal addresses—such as localhost, private networks, or cloud metadata services—potentially exposing sensitive information. The vulnerability only affects Statamic versions before 5.73.22 and 6.18.1, and does not impact deployments running PHP 8.3 or later.

  • CVE-2026-47694MEDIUM 5.4

    WWBN AVideo, an open-source video platform, contains a stored cross-site scripting (XSS) vulnerability in how it handles category descriptions. Any user with permission to create or modify video categories can inject malicious JavaScript code into the description field. This code then executes in the browsers of other users who view that category's gallery page. Unlike previously patched XSS issues affecting video titles or comments, this flaw specifically targets the category description rendering pipeline.

  • CVE-2026-48523MEDIUM 5.4

    PyJWT, a widely-used Python library for handling JSON Web Tokens, has a flaw in how it validates token signatures when using JWK (JSON Web Key) objects. Between versions 2.9.0 and 2.12.1, the library checks that a token's advertised algorithm is in the caller's allow-list, but then ignores that check and uses a different algorithm bound to the JWK object for actual verification. This means an attacker with access to a registered private key can craft a token that claims to use an allowed algorithm in its header while being signed with a disallowed algorithm stored in the JWK—and the library will accept it. The fix is available in version 2.13.0.

  • CVE-2026-48559MEDIUM 5.4

    Lightweight Music Server (LMS) version 3.76.0 and earlier contains a stored cross-site scripting (XSS) vulnerability in how it handles media file metadata. An attacker can craft a malicious media file with embedded JavaScript in tags like GENRE, ARTIST, or ALBUM, then introduce it into a victim's music library. When the library is scanned, the payload is permanently stored and automatically executes in the web interface whenever that file's metadata is displayed, potentially allowing unauthorized actions on behalf of the logged-in user.

  • CVE-2026-49192MEDIUM 5.4

    A flaw in the Acer Connect M6E 5G device's summary service endpoint allows authenticated users to bypass ownership checks and access device data they don't own. An attacker with valid credentials can enumerate and scrape hardware information by manipulating device serial numbers in API requests, leading to unauthorized disclosure of device details across the user base.

  • CVE-2018-25387MEDIUM 5.3

    HaPe PKH 1.1 contains a cross-site request forgery (CSRF) vulnerability that enables attackers to change administrator passwords without needing to log in. An attacker can trick an authenticated administrator into visiting a malicious website or clicking a crafted link, which silently submits a forged request to modify admin credentials. This allows complete account takeover of administrative users.

  • CVE-2018-25397MEDIUM 5.3

    PHP-SHOP 1.0 is vulnerable to cross-site request forgery (CSRF), a class of attack where malicious actors craft hidden web forms designed to trick authenticated administrators into unknowingly adding new admin accounts. An attacker creates a deceptive webpage containing a concealed form that automatically submits admin account creation requests when an authenticated admin visits the page. This allows the attacker to gain administrative control without needing the victim's credentials.

  • CVE-2018-25435MEDIUM 5.3

    ZeusCart 4.0 is vulnerable to a cross-site request forgery (CSRF) attack that allows an attacker to trick administrators into unknowingly deactivating customer accounts. By crafting a malicious webpage or email link, an attacker can force an admin to submit a request that disables customer access without their knowledge or consent. The attack requires only that an administrator visit an attacker-controlled page while logged into their ZeusCart admin panel.

  • CVE-2024-27891MEDIUM 5.3

    Arista EOS devices that simultaneously use MACsec (a security protocol encrypting layer 2 traffic) and egress Access Control Lists (ACLs) on the same network interfaces may fail to enforce the intended ACL policies on outgoing traffic. This means packets that should be blocked by policy could be allowed to leave the device, or conversely, traffic that should be permitted might be incorrectly denied—effectively breaking the network's egress filtering controls.

  • CVE-2025-12714MEDIUM 5.3

    A widely used WordPress SEO plugin has a security hole that allows anyone on the internet—even without a WordPress account—to change critical SEO settings and site metadata. An attacker could modify your site's homepage title, meta descriptions, breadcrumb labels, and social media preview information without permission. This creates two problems: it can tank your search engine rankings, and it opens the door to injecting malicious content that visitors see across your site.

  • CVE-2025-53302MEDIUM 5.3

    CVE-2025-53302 is a missing authorization vulnerability in Anton Shevchuk's Constructor framework that allows unauthenticated attackers to access functionality that should be restricted by access control rules. An attacker can reach protected features without proper credentials or permissions, potentially exposing sensitive operations or data. The vulnerability affects Constructor versions up to and including 1.6.5.

  • CVE-2026-10075MEDIUM 5.3

    DreamMaker, a product from Interinfo, contains a path traversal flaw that lets unauthenticated attackers list or read filenames from any directory on the affected system without requiring authentication or user interaction. An attacker can craft requests using absolute path manipulation to traverse the filesystem and discover file structures that should remain hidden. While this does not allow direct file content theft or system modification, it exposes the directory layout and naming conventions, which can aid reconnaissance in a broader attack chain.

  • CVE-2026-10200MEDIUM 5.3

    Assimp, a popular open-source 3D model import library, contains a heap-based buffer overflow vulnerability in its glTF file format parser. An attacker with local access to a system can craft a malicious glTF file with a specially crafted 4x4 matrix to overflow memory and trigger a crash, information disclosure, or potential code execution. The vulnerability affects Assimp versions up to 6.0.4 and has been publicly disclosed.

  • CVE-2026-10224MEDIUM 5.3

    A vulnerability in NousResearch's hermes-agent allows an attacker to consume resources on a server by sending specially crafted requests to a webhook endpoint. The vulnerability affects versions up to 2026.4.30 and can be triggered remotely without authentication. While the technical complexity is low, the impact is limited to availability rather than data breach or system compromise. Public exploit information exists, though NousResearch has not responded to early vendor disclosure attempts.

  • CVE-2026-10229MEDIUM 5.3

    Assimp, a widely-used 3D model import library, contains a heap-based buffer overflow in its Half-Life 1 MDL file loader. An attacker with local system access can craft a malicious .MDL file that, when processed by an application using vulnerable Assimp versions up to 6.0.4, triggers memory corruption. This could lead to information disclosure, data corruption, or process crash. The vulnerability requires local execution and has been publicly disclosed.

  • CVE-2026-10230MEDIUM 5.3

    Assimp, a popular open-source 3D model import library, contains a heap buffer overflow vulnerability in its Half-Life 1 MDL file loader. The vulnerability exists in the animation-reading function and can be triggered by a malicious or crafted MDL file. An attacker with local access can exploit this to read sensitive memory, modify data, or crash the application. The vulnerability affects Assimp versions up to 6.0.4.

  • CVE-2026-10231MEDIUM 5.3

    Assimp, a popular open-source 3D model importing library, contains a heap buffer overflow vulnerability in its Half-Life 1 MDL file loader. By crafting a malicious MDL file that manipulates the animation value counter, an attacker with local system access can trigger memory corruption. This flaw requires the attacker to be already present on the system and execute code that processes a specially crafted model file, making it a local-origin threat rather than a remote network attack.

  • CVE-2026-10232MEDIUM 5.3

    CVE-2026-10232 is a use-after-free vulnerability in Assimp, an open-source 3D model import library, affecting versions up to 6.0.4. The flaw exists in the ASE file parser component and can be triggered by a local attacker with user-level privileges when processing specially crafted ASE (ASCII Scene Export) files. Exploitation could allow an attacker to read sensitive data, modify application state, or crash the process. Because exploitation requires local access and user permissions, the risk is primarily relevant in multi-user systems or scenarios where untrusted ASE files are processed by privileged applications.

  • CVE-2026-10254MEDIUM 5.3

    SourceCodester Pet Grooming Management Software version 1.0 contains a vulnerability that exposes file and directory information to unauthenticated remote attackers. An unknown function in the /admin/ path fails to properly restrict access to sensitive filesystem metadata, allowing adversaries to enumerate files and directories without authentication. While this does not permit direct modification or service disruption, the information disclosure can serve as reconnaissance for subsequent targeted attacks. Public exploit code is available.

  • CVE-2026-10255MEDIUM 5.3

    A remote access control weakness exists in SourceCodester Pharmacy Sales and Inventory System version 1.0. An unauthenticated attacker can exploit the sell_statement function in the application's form controller to bypass authorization checks and gain unauthorized read access to sensitive pharmacy data. The vulnerability requires no special interaction from users and can be triggered over the network. Because exploit code has already been publicly disclosed, active exploitation risk is elevated.

  • CVE-2026-10548MEDIUM 5.3

    NousResearch's hermes-agent contains a flaw in how it synchronizes Anthropic API credentials from local credential files. An attacker with local access can exploit this to bypass authentication controls, potentially gaining unauthorized access to Anthropic services or resources protected by those credentials. The vulnerability affects versions up to 2026.4.23, and exploit code has already been made public, increasing the practical risk.

  • CVE-2026-10566MEDIUM 5.3

    A vulnerability exists in FoundationAgents MetaGPT versions up to 0.8.2 that allows local attackers with user-level privileges to trigger unsafe deserialization through manipulation of function arguments in the Message.check_instruct_content handler. An attacker with local access and basic user permissions can exploit this to potentially read, modify, or disrupt system operations. Public exploit code is available, increasing near-term risk for organizations running affected versions.

  • CVE-2026-10597MEDIUM 5.3

    OMICARD EDM, a product developed by ITPison, contains a vulnerability that allows attackers without credentials to access user email addresses by manipulating a specific parameter in a web request. No authentication is required, making this a direct and accessible attack surface. While the vulnerability does not allow attackers to modify data or disrupt service, the unauthorized disclosure of email addresses poses a clear privacy and information-gathering risk.

  • CVE-2026-10650MEDIUM 5.3

    A flaw in libwebsockets (a widely-used WebSocket and networking library) allows attackers to exhaust server resources by manipulating a specific message length parameter in the SSH protocol handler. The vulnerability requires network access but no authentication, and an exploit has already been published. This is a denial-of-service issue that can make affected systems unresponsive without compromising data confidentiality or integrity.

  • CVE-2026-11004MEDIUM 5.3

    CVE-2026-11004 is a memory disclosure vulnerability in Google Chrome's ANGLE graphics library. An attacker who has already compromised Chrome's renderer process can craft a malicious HTML page to read sensitive data from the browser's memory. While this requires prior compromise of the renderer, the ability to extract potentially sensitive information makes it a meaningful security concern for organizations running Chrome.

  • CVE-2026-11005MEDIUM 5.3

    A flaw in ANGLE, the graphics abstraction layer used by Google Chrome on Windows, allows a remote attacker to read sensitive data from Chrome's renderer process memory. The attacker must first compromise the renderer process and trick a user into visiting a malicious webpage. Once those conditions are met, the attacker can extract potentially sensitive information from memory that they shouldn't have access to. This is an out-of-bounds read vulnerability—the code accesses memory locations it wasn't intended to reach.

  • CVE-2026-2128MEDIUM 5.3

    The Breeze WordPress plugin through version 2.5.2 contains a flaw that allows attackers to view content meant only for administrators. When the "Cache Logged-in Users" feature is enabled, the plugin trusts cookie information without properly verifying it belongs to a real, authenticated user. An attacker can craft a fake cookie claiming to be an administrator, and the plugin will serve them the cached pages generated for that admin—exposing private posts, administrative controls, security tokens, and other sensitive data. No authentication or special privileges are required to attempt this attack.

  • CVE-2026-26825MEDIUM 5.3

    A use-of-uninitialized memory vulnerability in libxls 1.6.3 allows attackers to craft malformed XLS files that trigger memory safety issues during file parsing. When the library processes these files, uninitialized heap memory from the OLE (Object Linking and Embedding) layer may be read, leading to unpredictable behavior, incorrect file interpretation, or disclosure of sensitive data from memory. This does not require authentication and affects any application using the vulnerable library to open untrusted XLS files.

  • CVE-2026-33463MEDIUM 5.3

    Kibana contains a flaw where access tokens that should expire at a specific time continue to work indefinitely. An attacker who obtains one of these tokens—even after it should have stopped being valid—can use it to read sensitive information they shouldn't have access to. The vulnerability stems from improper validation of token expiration times, allowing the system to forget when a token was supposed to stop working.

  • CVE-2026-38978MEDIUM 5.3

    Transmission, a popular BitTorrent application, contains a clickjacking vulnerability affecting versions up to and including 4.1.1. The flaw allows an attacker to trick users into performing unintended actions through the application's web interface or RPC (remote procedure call) endpoints by overlaying malicious content on top of legitimate interface elements. This requires user interaction but does not require the attacker to be authenticated or have any special privileges to exploit.

  • CVE-2026-40898MEDIUM 5.3

    quic-go, a Go-based QUIC protocol library, contains a denial-of-service flaw in its HTTP/3 implementation that allows remote attackers to exhaust server and client memory by sending malicious HTTP trailer fields. The vulnerability stems from inadequate validation of decoded trailer sizes—the library checks the compressed frame size but fails to enforce limits on the decompressed result. An attacker can craft QPACK-encoded headers with numerous unique field names or oversized values in the trailer section, forcing unbounded memory allocation and potentially crashing affected services.

  • CVE-2026-41150MEDIUM 5.3

    Mermaid, a popular JavaScript library for creating diagrams from text, contains a denial-of-service vulnerability in versions before 10.9.6 and 11.15.0. The flaw occurs when rendering Gantt charts that use the excludes attribute to block out all dates. An attacker can craft a malicious diagram that, when processed and rendered, causes the application to hang or consume excessive resources, disrupting service availability. The vulnerability only manifests during actual diagram rendering; simply parsing the diagram syntax does not trigger the issue unless the ganttDb.getTasks() function is subsequently called.

  • CVE-2026-41159MEDIUM 5.3

    Mermaid, a popular JavaScript library for creating diagrams from text, contains a CSS injection vulnerability in its configuration options. Attackers can inject malicious CSS through the fontFamily, themeCSS, and altFontFamily settings that breaks out of the intended diagram sandbox and affects the entire web page. This could enable page defacement or extraction of sensitive information through CSS selectors. The vulnerability affects versions before 10.9.6 and 11.15.0, and has been patched in those releases.

  • CVE-2026-41178MEDIUM 5.3

    OpenTelemetry-Go versions 1.41.0 and 1.43.0 contain a denial-of-service vulnerability in their baggage header parsing logic. The removal of size validation allows attackers to send oversized or malformed baggage headers that cause the application to process arbitrarily large inputs, log excessive errors, and potentially exhaust system resources. This is a network-accessible vulnerability requiring no authentication, making it exploitable by any remote actor.

  • CVE-2026-41207MEDIUM 5.3

    A vulnerability exists in Netty's binary HTTP parser (netty-incubator-codec-ohttp) where cryptographic key generation can fail silently and default to all-zero keys without raising an error. This occurs in the HKDF_expand and EVP_HPKE_CTX_export functions, which are supposed to generate random key material for encrypting HTTP responses. Instead of signaling failure, these functions return zero-filled byte arrays that are indistinguishable from legitimate keys. An attacker who understands this behavior could predict the encryption keys and decrypt sensitive response data, compromising the confidentiality of encrypted messages. The issue was resolved in version 0.0.21.Final.

  • CVE-2026-42500MEDIUM 5.3

    CVE-2026-42500 is a denial-of-service vulnerability triggered when software attempts to decode a specially crafted BMP image file with palette colors that reference invalid color table entries. The flaw causes the application to crash rather than handle the malformed data gracefully. An attacker can exploit this by distributing or hosting a malicious BMP file that, when opened or processed, crashes the affected application.

  • CVE-2026-42507MEDIUM 5.3

    CVE-2026-42507 is a moderate security issue affecting Go's net/textproto package where error messages can inadvertently expose or reflect user-supplied input. An attacker could craft malicious input that, when an error occurs, gets embedded into the error message itself. If those messages are logged, displayed to users, or forwarded to monitoring systems, the attacker's injected content appears as legitimate system output. This creates an integrity risk by allowing misleading information to be introduced into logs and alerts.

  • CVE-2026-44518MEDIUM 5.3

    liboqs, an open-source cryptographic library implementing post-quantum algorithms, contains an out-of-bounds read flaw in its XMSS and XMSS^MT signature verification routines. When a verification function receives a signature buffer shorter than expected, the code reads beyond the buffer boundary without length validation. While the out-of-bounds bytes are only used internally for hashing and cannot leak sensitive data, the read can crash the verifying process if it accesses unmapped memory, creating a denial-of-service risk. The issue is resolved in version 0.16.0.

  • CVE-2026-44545MEDIUM 5.3

    Daphne, a popular ASGI application server for Django, contains a configuration flaw that leaves WebSocket connections vulnerable to denial-of-service attacks. Versions before 4.2.2 fail to enforce limits on WebSocket message and frame sizes, allowing unauthenticated attackers to send extremely large messages that consume server memory until the application becomes unresponsive. This occurs because Daphne does not pass payload size constraints to the underlying Autobahn WebSocket library, which defaults to unlimited sizes.

  • CVE-2026-45289MEDIUM 5.3

    CloudburstMC Protocol, a library used in Minecraft Bedrock Edition servers, contained incomplete validation logic for a specific type of authentication token. This gap allowed attackers to potentially forge or manipulate authentication credentials without proper verification, compromising the integrity of server access control. The vulnerability affects publicly exposed servers running vulnerable versions of the library prior to the patched release.

  • CVE-2026-45292MEDIUM 5.3

    OpenTelemetry Java is a popular library used by applications to record performance and diagnostic data. This vulnerability affects how it processes baggage—metadata that flows across service calls in distributed systems. An attacker can send oversized baggage that causes affected services to consume excessive memory and CPU, leading to denial of service. Because baggage is automatically forwarded to downstream services, the impact spreads beyond the initial target, potentially degrading performance across your entire microservices architecture.

  • CVE-2026-45294MEDIUM 5.3

    FreeScout, a Laravel-based open-source help desk platform, leaks information about whether an email address is registered as a helpdesk agent account. An attacker can repeatedly submit email addresses to the password reset feature and observe different visual responses that reveal which accounts exist—a technique called user enumeration. This flaw affects all versions before 1.8.219 and requires no authentication or user interaction to exploit.

  • CVE-2026-45352MEDIUM 5.3

    cpp-httplib, a popular C++ HTTP library, contains a flaw in how it processes chunked HTTP transfers. When a malicious client sends a specially crafted HTTP request with a negative chunk size (like '-2'), the library's parsing logic mishandles it. Instead of rejecting the invalid value, it converts it to an extremely large number due to how C's strtoul function treats negative numbers. This causes the server to attempt allocating massive amounts of memory and reading far more data than expected, ultimately crashing the process. Applications using cpp-httplib versions before 0.43.4 are vulnerable.

  • CVE-2026-45410MEDIUM 5.3

    TREK, a collaborative travel planning application, contains a user enumeration vulnerability in its login process that allows attackers to determine whether specific email addresses have accounts in the system. The flaw stems from a timing discrepancy: when a user submits a login attempt with a valid email address, the backend takes approximately 370 milliseconds to complete its password check before denying access. For non-existent accounts, the system responds in roughly 10 milliseconds. This 14-fold difference in response time leaks account existence information without any change in HTTP status codes or error messages, making it detectable through simple response timing analysis. The issue has been resolved in version 3.0.18.

  • CVE-2026-45543MEDIUM 5.3

    A flaw in Nextcloud Forms allows collaborators who have been removed from a form to retain unauthorized read access to uploaded respondent files. This affects forms running Nextcloud versions 4.3.0 through 5.2.6. If a user previously had access to view form results, removing them as a collaborator does not fully revoke their ability to read uploaded files associated with that form. The vulnerability is limited to files uploaded within forms where the removed user previously held results-viewing permissions.

  • CVE-2026-45554MEDIUM 5.3

    NiceGUI, a Python UI framework built on FastAPI, contains a vulnerability in how it handles requests for static assets. Two specific routes can be manipulated to point to directories instead of files. When this happens, the framework throws an error that gets logged with full technical details—and these routes don't require authentication. An attacker can repeatedly trigger these errors to flood the server logs, potentially filling up disk space or overwhelming logging infrastructure. This affects NiceGUI versions before 3.12.0 and has been fixed in version 3.12.0 and later.

  • CVE-2026-45620MEDIUM 5.3

    CVE-2026-45620 is a user enumeration vulnerability in WWBN AVideo version 29.0 and earlier. The `objects/mention.json.php` endpoint lacks proper authentication controls and allows attackers to discover valid usernames on the platform without logging in. An attacker can craft requests to the endpoint and enumerate users by checking responses, potentially gathering intelligence for follow-up attacks like credential stuffing or targeted social engineering.

  • CVE-2026-46337MEDIUM 5.3

    WWBN AVideo, an open-source video platform, contains a path-traversal vulnerability in version 29.0 and earlier that allows anyone on the internet to download image files from the server without logging in. An attacker can bypass the application's permission controls to access private user profile photos, admin-uploaded thumbnails, encrypted-video poster frames, and files in neighboring directories. The vulnerability exists because the affected endpoint does not validate or restrict file paths before serving images.

  • CVE-2026-46344MEDIUM 5.3

    liboqs, an open-source cryptographic library implementing post-quantum algorithms, contains a flaw in its XMSS and XMSS^MT signature verification code. When verifying a signature, the code re-parses algorithm metadata from the public key and uses that metadata to determine how many bytes to read from the signature buffer. An attacker can craft a mismatched public key whose metadata claims a larger signature format than the buffer actually contains, causing an out-of-bounds read. While the read data is only used internally for hashing and cannot be stolen, it can crash the verification process if it reaches unmapped memory.

  • CVE-2026-46544MEDIUM 5.3

    Microsoft's UFO framework for intelligent automation has a session reuse vulnerability affecting version 3.0.1-4-ge2626659. When a client completes a task, the session remains in memory with its results. An authenticated attacker who knows a past session ID can submit a new task request reusing that ID, causing the server to return stale results from the previous session to the new requester. This is not a critical vulnerability but poses a confidentiality risk—the attacker must be authenticated and must guess or know a valid session ID, limiting real-world exploitability.

  • CVE-2026-46739MEDIUM 5.3

    Net::Statsd is a Perl library used to send metrics to statsd monitoring servers. Versions before 0.13 fail to validate metric names and values, allowing an attacker to inject arbitrary statsd commands by crafting malicious metric input. If an application uses Net::Statsd to process untrusted data—such as user-supplied values or data from external APIs—an attacker can inject additional metrics into the monitoring stream, potentially corrupting metrics, creating false alerts, or degrading visibility into system health.

  • CVE-2026-46830MEDIUM 5.3

    Oracle REST Data Services contains an information disclosure vulnerability in its Mongoapi component that allows an unauthenticated attacker to read sensitive data over the network without authentication. An attacker with network access can exploit this flaw via HTTPS to gain unauthorized visibility into data normally protected by REST Data Services, though they cannot modify or delete information. The vulnerability affects versions 24.2.0 through 26.1.0 and requires no special conditions—it's straightforward to trigger.

  • CVE-2026-46841MEDIUM 5.3

    Oracle REST Data Services versions 24.2.0 through 26.1.0 contain a network-accessible vulnerability that allows unauthenticated attackers to read sensitive data. An attacker on the network can reach the service over HTTPS without credentials and gain unauthorized access to a subset of the data REST Data Services manages. This is not a critical vulnerability—it does not enable system takeover, data modification, or service disruption—but it does represent a meaningful confidentiality risk for organizations relying on REST Data Services for data access control.

  • CVE-2026-46842MEDIUM 5.3

    Oracle REST Data Services versions 24.2.0 through 26.1.0 contain a vulnerability that allows an unauthenticated attacker to modify, add, or delete data accessible through the service over the network. The vulnerability requires no special conditions to exploit and can be triggered via standard HTTPS connections. While an attacker cannot read data or crash the service, they can alter stored information, which poses a direct integrity risk to applications relying on ORDS for data access.

  • CVE-2026-46843MEDIUM 5.3

    Oracle REST Data Services versions 24.2.0 through 26.1.0 contain a vulnerability that allows an attacker without credentials to trigger a partial denial of service over the network via HTTPS. The vulnerability is in the Core component and requires no special user interaction. An attacker can exploit this remotely to degrade availability of the REST Data Services instance, though data confidentiality and integrity are not at risk.

  • CVE-2026-47674MEDIUM 5.3

    Hono's IP-restriction middleware, a security component designed to enforce access control by allowing or denying traffic based on IP address rules, contains a flaw in how it compares incoming IP addresses against configured rules. The vulnerability exists because the middleware only performs partial normalization of IPv6 addresses before comparing them to stored rules. When an attacker sends a request using an alternative representation of an IPv6 address—such as compressed notation, explicit-zero forms, or IPv4-mapped hex notation—the middleware fails to recognize it as matching a rule, silently skipping the check. This allows traffic that should be blocked to pass through, or blocks traffic that should be allowed, depending on rule configuration. The flaw affects Hono versions prior to 4.12.21.

  • CVE-2026-47676MEDIUM 5.3

    Hono, a JavaScript web framework, contains a path handling vulnerability in versions before 4.12.21 that affects how mounted sub-applications receive requests. When URLs contain percent-encoded characters (like %C3%A9 for é), the framework strips the mount prefix incorrectly, causing the sub-application to see a mangled path. This can lead to requests being routed to unintended endpoints or exposing sensitive information through path confusion.

  • CVE-2026-47706MEDIUM 5.3

    Strawberry GraphQL versions 0.71.0 through 0.315.6 contain a denial-of-service vulnerability in the QueryDepthLimiter extension. An attacker can craft a GraphQL query with circular fragment references that causes the validation process to enter infinite recursion, crashing the server. This affects any GraphQL API built with vulnerable Strawberry versions. The issue is resolved in version 0.315.7.

  • CVE-2026-47707MEDIUM 5.3

    Strawberry GraphQL, a Python library for building GraphQL APIs, contains a flaw in its MaxAliasesLimiter security extension that allows attackers to bypass protective limits on query aliases. The vulnerability exists because the extension counts static aliases correctly but fails to account for how fragment spreads multiply and amplify those aliases during execution. An attacker can craft a malicious GraphQL query using fragment spreads to force the server to resolve far more aliases than the configured limit permits, exhausting server resources and causing a denial of service. The issue affects versions 0.172.0 through 0.315.6; version 0.315.7 and later contain the fix.

  • CVE-2026-48525MEDIUM 5.3

    PyJWT, a widely-used Python library for JSON Web Token (JWT) handling, contains a denial-of-service vulnerability in its handling of detached JWS (JSON Web Signature) tokens. When processing tokens with the unencoded-payload option enabled (RFC 7797's b64=false mode), the library decodes the Base64URL-encoded payload segment before applying detached-payload verification rules. An attacker can exploit this by sending a specially crafted token with an extremely large payload segment, forcing the library to perform unnecessary decoding and memory allocation even before signature validation occurs. This creates a resource exhaustion attack that can be triggered by unauthenticated remote clients against any application using PyJWT to verify detached JWS tokens.

  • CVE-2026-48840MEDIUM 5.3

    Exim versions 4.88 through 4.99.3 contain a memory disclosure vulnerability when deployed in certain proxy configurations. The flaw allows unauthenticated remote attackers to craft short payloads that cause the mail server to leak uninitialized stack memory back to the client. This is a confidentiality issue—an attacker gains access to sensitive data that may be in memory, but cannot modify email systems or cause service disruption directly.

  • CVE-2026-49077MEDIUM 5.3

    WP eMember, a WordPress membership plugin by Tips and Tricks HQ, contains a vulnerability that exposes sensitive system information to unauthorized users. An attacker without authentication can retrieve embedded sensitive data through network access, potentially learning details about your WordPress installation and membership infrastructure that should remain private. The vulnerability affects all versions through v10.2.2.

  • CVE-2026-49130MEDIUM 5.3

    Music Player Daemon (MPD) versions before 0.24.11 have a flaw that allows attackers to inject hidden line breaks and special characters into playlist files. By crafting a malicious XSPF playlist file (a common music playlist format), an attacker can trick MPD into including forged commands or data in its responses, potentially deceiving clients or users who rely on MPD's output. This is a network-based attack requiring no special permissions or user interaction, though the real-world impact depends on how downstream systems handle the injected content.

  • CVE-2026-45682MEDIUM 5.1

    OpenTelemetry's eBPF Instrumentation agent for Java contains a memory leak in its TLS connection state tracking. When Java applications handle repeated connection churn (connections opening and closing), the instrumentation fails to properly clean up its internal tracking queue, causing heap memory to grow indefinitely until the application runs out of memory and crashes. This affects long-running production JVMs where connection pools are regularly recycled. The issue is resolved in version 0.9.0.

  • CVE-2025-60477MEDIUM 5.0

    CVE-2025-60477 is a crash vulnerability in GPAC's MP4Box multimedia processing tool. A specially crafted file can trigger a program crash when processed by a local or authenticated user, disrupting media encoding and processing workflows. The vulnerability does not leak data or enable privilege escalation, but it can be weaponized to interrupt legitimate operations or degrade service availability.

  • CVE-2026-10010MEDIUM 5.0

    Google Chrome on Android versions prior to 148.0.7778.216 contain a vulnerability in input handling that allows an attacker who has already compromised Chrome's renderer process to bypass site isolation protections through a specially crafted HTML page. Site isolation is a critical Chrome security boundary designed to keep sensitive data from different websites separate in memory. This flaw undermines that protection, though it requires the attacker to have already gained code execution within the browser engine itself.

  • CVE-2026-10275MEDIUM 5.0

    A buffer overflow vulnerability exists in OpenSC versions up to 0.26.1 within the pkcs11-tool component's key generation functionality. The flaw allows an attacker to overflow a buffer during certificate writing operations, potentially enabling remote code execution or data corruption. Exploitation requires user interaction and specific conditions, making it moderately difficult to weaponize, though a proof-of-concept has already been disclosed.

  • CVE-2026-10533MEDIUM 5.0

    A vulnerability in OpenShift Container Platform allows non-privileged users to circumvent resource quota enforcement by creating pods with a never-restart policy. These pods and their associated Kubernetes events are not counted against quota limits, enabling an attacker to flood the cluster's event database (etcd) with activity. The resulting accumulation degrades API server performance across the entire cluster, affecting all users and workloads.

  • CVE-2026-43979MEDIUM 5.0

    Local Deep Research versions before 1.6.0 contain a vulnerability where user-supplied search queries and metadata are inserted directly into HTML without proper escaping before being converted to PDF. An authenticated user can inject HTML tags that trick the server into making unauthorized web requests (SSRF), bypassing existing security controls. The vulnerability requires valid credentials but poses moderate risk due to potential confidentiality impact.

  • CVE-2026-46526MEDIUM 5.0

    Local Deep Research versions before 1.6.10 contain a Server-Side Request Forgery (SSRF) vulnerability caused by inconsistent URL validation logic. The application attempts to block malicious URLs using one parsing method but actually sends requests using a different method, creating a gap that attackers can exploit. An authenticated user can craft a specially formatted URL that passes the security checks but reaches an unintended internal or restricted server when the request is actually sent.

  • CVE-2026-46561MEDIUM 5.0

    pyLoad, a popular open-source download manager, contains a vulnerability that allows authenticated users to bypass security controls designed to prevent access to internal networks. Specifically, an attacker can craft a specially designed URL that initially appears safe but redirects to a private IP address after the security check passes. This lets the attacker potentially access or interact with systems on the internal network that should be off-limits. The issue affects versions prior to 0.5.0b3.dev100 and has been resolved in that release.

  • CVE-2026-49138MEDIUM 5.0

    Nanobot versions prior to 0.2.1 contain a server-side request forgery (SSRF) vulnerability in its web_fetch tool. An attacker with login credentials can trick the application into making requests to internal or private network systems by providing a URL that redirects to a loopback address (like 127.0.0.1) or private IP range. The vulnerability exploits how the underlying httpx library automatically follows HTTP redirects—the application validates the initial URL but not the final destination after redirects are followed, allowing attackers to reach internal services that should not be accessible from the internet.

  • CVE-2026-10039MEDIUM 4.9

    The Frontend Admin plugin for WordPress contains a SQL injection vulnerability that allows authenticated administrators to extract sensitive data from the website's database. The flaw exists in how the plugin processes the 'order' parameter—it fails to properly escape user input before inserting it into database queries. An attacker with administrator privileges can craft a malicious request containing both 'order' and 'orderby' parameters to inject additional SQL commands and retrieve unauthorized information. This vulnerability affects all versions up to and including 3.28.28.

  • CVE-2026-10074MEDIUM 4.9

    DreamMaker, a product developed by Interinfo, contains a vulnerability that allows authenticated administrators or privileged users with local access to read arbitrary files from the system. An attacker with elevated privileges can exploit a path traversal flaw to access sensitive system files they shouldn't normally be able to retrieve, potentially exposing configuration data, credentials, or other protected information.

  • CVE-2026-41412MEDIUM 4.9

    alf.io is an open-source ticketing platform used by conferences and events to manage reservations. The vulnerability lies in how alf.io sandboxes custom extensions (plugins) that users can write to extend functionality. The sandbox was designed to safely run untrusted extension code, but it failed to protect file access. Specifically, extensions have access to an HTTP client tool that includes a method for uploading files. This method does not validate or restrict which files can be read—a malicious extension can read any file that the alf.io application has permission to access on the server, then send that file's contents to an attacker's server. An attacker would need to either write a malicious extension or trick an administrator into installing one, but once active, the extension can quietly exfiltrate sensitive data like configuration files, database credentials, or user records.

  • CVE-2026-44917MEDIUM 4.9

    A vulnerability in OpenStack Ironic before version 35.0.2 allows authenticated project administrators or managers to read sensitive files directly from the Ironic conductor server through a specially crafted PXE template. This is a credential-required attack where an insider with project admin or manager privileges can exploit the template processing mechanism to access files they shouldn't be able to retrieve, potentially exposing configuration secrets, credentials, or other sensitive data stored on the conductor.

  • CVE-2026-45684MEDIUM 4.9

    OpenTelemetry eBPF Instrumentation versions 0.7.0 through 0.8.x contain a buffer handling flaw in the log enricher component. When log injection is enabled, attackers can craft a multi-segment write operation that tricks the instrumentation into reading beyond the intended buffer boundary, potentially overwriting memory. This could lead to information disclosure, data corruption, or application instability on systems using the affected versions.

  • CVE-2026-45731MEDIUM 4.9

    WWBN AVideo, an open-source video hosting platform, contains a file-read vulnerability in its database migration feature. An authenticated administrator can manipulate the migration process to read sensitive text files from the server's filesystem. This requires existing admin access, so it poses a targeted insider risk rather than a mass-exploitation threat, but it can expose configuration files, credentials, or other data to a compromised or malicious admin account.

  • CVE-2026-10057MEDIUM 4.8

    ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with elevated privileges to inject malicious JavaScript code into the application. Once injected, this code persists in the system and executes automatically whenever other users load affected pages in their browsers. This is distinct from reflected XSS because the payload remains embedded in the application, posing a sustained risk to all users who access the compromised content.

  • CVE-2026-10058MEDIUM 4.8

    ITS Intelligent SCADA System contains a stored cross-site scripting (XSS) flaw that lets high-privilege attackers inject malicious JavaScript into the system. When other users load affected pages, that injected code runs in their browsers automatically. This is a persistence threat—the malicious script stays in the system until removed, affecting anyone who accesses the compromised page.

  • CVE-2026-34127MEDIUM 4.8

    A stored cross-site scripting (XSS) vulnerability exists in TP-Link's TL-SG108PE v5 managed switch web interface. When an administrator imports a configuration file containing malicious code in the SYSNAM parameter, that code is stored without proper sanitization. The next time an administrator accesses the web management interface, the injected script executes in their browser. This could allow an attacker (who must already have administrator credentials) to steal session cookies, modify switch settings, or extract sensitive information from the management interface.

  • CVE-2026-36460MEDIUM 4.8

    Dovestones Software's ADPhonebook application before version 4.0.1.1 contains a Cross-Site Scripting (XSS) vulnerability in its administrative configuration API. An authenticated administrator can inject malicious JavaScript code into various system configuration sections, which is then stored and executed in the browsers of other users who access those settings. This requires both admin privileges and user interaction (a victim must view the affected configuration), limiting but not eliminating the risk.

  • CVE-2026-47673MEDIUM 4.8

    Hono, a JavaScript Web application framework, contains a flaw in its JWT authentication middleware that fails to enforce the Bearer scheme requirement. Prior to version 4.12.21, the jwt and jwk middlewares accept any two-part Authorization header value—regardless of whether it uses Bearer, Basic, Token, or any other scheme name—and proceed directly to JWT verification if the token is valid. This means an attacker could authenticate by presenting a valid JWT under an incorrect scheme (like Basic auth) and gain the same access as a properly formatted Bearer token request. The vulnerability is fixed in version 4.12.21.

  • CVE-2026-10070MEDIUM 4.7

    A flaw in macrozheng mall versions up to 1.0.3 allows an authenticated administrator with high privileges to bypass authorization controls on the super admin password update endpoint. An attacker with admin credentials could manipulate requests to the /admin/update/ path and gain unauthorized access to sensitive administrative functions. The vulnerability requires valid admin-level authentication and cannot be exploited anonymously from the network.

  • CVE-2026-10155MEDIUM 4.7

    A SQL injection vulnerability exists in Bdtask Multi-Store Inventory Management System version 1.0 within the Accounts Report Handler. An authenticated attacker can manipulate the 'dtpToDate' parameter in the accounts report search function to inject malicious SQL commands. While the vulnerability requires high privileges to exploit, successful attacks could leak sensitive financial data, modify account records, or disrupt reporting functionality. Public exploit code is available, increasing real-world risk.

  • CVE-2026-10171MEDIUM 4.7

    A SQL injection vulnerability exists in code-projects Online Music Site version 1.0 that allows authenticated administrators to manipulate the ID parameter in the album update functionality. An attacker with admin credentials can inject malicious SQL commands through the /Administrator/PHP/AdminUpdateAlbum.php endpoint, potentially compromising database integrity and confidentiality. The vulnerability has been publicly disclosed and exploit code is available, increasing the likelihood of active exploitation.

  • CVE-2026-10237MEDIUM 4.7

    A SQL injection vulnerability was identified in SourceCodester Water Billing Management System version 1.0. An authenticated administrator can manipulate the ID parameter in the user management interface to inject malicious SQL commands, potentially reading or modifying sensitive database records. The vulnerability requires administrative privileges to exploit but poses a risk to data integrity and confidentiality within billing systems. Public proof-of-concept code exists, elevating the practical risk of exploitation.

  • CVE-2026-10248MEDIUM 4.7

    SourceCodester's Pharmacy Sales and Inventory System version 1.0 and earlier contains a CSV injection vulnerability in its supplier creation interface. An authenticated attacker with high privileges can inject malicious CSV formulas through the Address or Company Name fields when exporting supplier data, potentially causing data corruption, formula execution, or information disclosure when a user opens the exported file in a spreadsheet application.

  • CVE-2026-10583MEDIUM 4.7

    A server-side request forgery (SSRF) vulnerability exists in nextlevelbuilder GoClaw versions up to 3.11.3. The flaw is located in the TTS Configuration Endpoint's Import function, which fails to properly validate or restrict outbound HTTP requests. An authenticated attacker with high privileges can exploit this to make the affected server initiate requests to internal or external systems on their behalf, potentially accessing sensitive internal resources or launching further attacks. The vulnerability has been publicly disclosed.

  • CVE-2026-42329MEDIUM 4.7

    Iris, a web platform used by incident responders to collaborate and share technical details during security investigations, contains an open redirect vulnerability in versions before 2.4.28. An attacker can craft a malicious link within the application that tricks users into visiting an external website under the attacker's control. This is a social engineering risk rather than a direct system compromise—the attack depends on user interaction and targets the trust users place in links shared within their incident response platform.

  • CVE-2026-45366MEDIUM 4.7

    The @utcp/http package in typescript-utcp contains a blind Server-Side Request Forgery (SSRF) vulnerability that allows an attacker to trick the software into making requests to internal services. The flaw stems from inconsistent validation: while manual URL registration checks that URLs are HTTPS or localhost, the tool invocation pathway skips this validation and directly uses URLs from attacker-controlled OpenAPI specifications. An attacker can host a malicious OpenAPI spec on a legitimate HTTPS endpoint that declares internal server addresses (like http://127.0.0.1:9090 or AWS metadata endpoints), and the affected software will create tools that point to those internal targets. Versions prior to 1.1.2 are vulnerable.

  • CVE-2026-45614MEDIUM 4.7

    OP-TEE, a Trusted Execution Environment for Arm systems, fails to validate that ECDH public keys lie on the correct elliptic curve before deriving shared secrets. An attacker with local access can craft approximately 30-40 malformed public keys and submit them through TEE_DeriveKey calls to leak fragments of the private key. By collecting these leaks and applying the Chinese Remainder Theorem, the attacker can reconstruct the full private key. This breaks the confidentiality of ECDH operations and affects systems relying on OP-TEE for cryptographic operations prior to version 4.11.0.

  • CVE-2026-46159MEDIUM 4.7

    A race condition in the Linux kernel's btrfs filesystem driver can leak uninitialized kernel memory to unprivileged local users. The vulnerability exists in the ioctl handler that reports storage space information. When block groups are concurrently removed by the system during the space query operation, the kernel copies more data to userspace than it actually wrote, exposing sensitive kernel memory. An attacker with local access can exploit this timing window to read information that should not be accessible.

  • CVE-2026-46187MEDIUM 4.7

    The Linux kernel's RSI wireless driver has a race condition in how it shuts down worker threads. The driver uses two different methods to stop these threads: a self-terminating approach and an external stop command. When the self-terminating method completes first and then the external stop is called, the code tries to access a thread that has already been freed from memory—a use-after-free vulnerability. This affects local users with moderate privileges and can cause a system crash or unexpected behavior.

  • CVE-2026-46194MEDIUM 4.7

    A race condition exists in the Linux kernel's F2FS file system implementation that can cause a kernel crash. When an inode is being dropped from memory, the extent node destruction process does not properly signal that no new extent nodes should be added. Meanwhile, concurrent write-back operations may attempt to insert new extent nodes, creating a collision that triggers a kernel bug check. The vulnerability affects systems using F2FS, particularly in multi-threaded I/O scenarios where inode cleanup and write-back operations overlap.

  • CVE-2026-46272MEDIUM 4.7

    CVE-2026-46272 is a race condition in the Linux kernel's CoreSight Trace Memory Controller (TMC) Embedded Trace Receiver (ETR) driver. When a system attempts to run both performance tracing (perf) and sysfs-based hardware tracing simultaneously, a timing gap between buffer allocation and hardware enablement in sysfs mode allows the perf mode to initialize its own buffer state. This causes sysfs mode to later detect the unexpected state and trigger a kernel warning, resulting in denial of service through system instability. The vulnerability exists because the sysfs enablement process was split across two separate locking regions, creating a window where perf mode could intervene.